Speaking at a SecureData event in London, CTO Etienne Greeff identified the three pillars of active defense.
He listed these as: observe the landscape; understand where your vulnerabilities are; and detect attacks and where you can be compromised. However, he warned that there is “no point in doing them if you are not doing them consistently.”
On the subject of addressing security issues, Greeff said that “keeping machines up-to-date is difficult,” as is dealing with vulnerabilities, and attacks “make it extremely hard to be good guys fighting bad guys.”
He said that to deal with the challenges, as defenders, “we need to understand the threat landscape and what attackers are targeting,” as well as understand offensive actions, vulnerabilities, our attack surface and what is out there.
The attack surface is where the “most gain is made,” Greeff stated, pointing out that unlike the threat landscape, the attack surface is under your control and offers a bigger opportunity to focus your security spending.
Greeff said that there is too much focus on “things that are trivial,” as threat intelligence is often “not as useful as you think” – too small a proportion of the intelligence actually turns out to be malicious. “We focus too much on the enemy and not on ourselves, and we need to understand the network and learn from it.”
Looking at how to have a better defense, Greeff said that this is achieved by working in a “meticulous and consistent way”: collecting data and correlating it to make sense of it, then using it so that you know what it contains and what you need to act upon, and “then analyze the data to know what to do, and measure it.”
He concluded by saying that “all of you will have a security issue” at some point, and knowing how to deal with an attack and learn from an assault will aid you. He said: “We face overwhelming odds and security is not an easy task and we complicate it with interconnected systems and face a sophisticated adversary – but focus on knowing yourself, your attack surface and behaviors and vulnerabilities.”
A popular Content Management System (CMS) software version is soon set to be retired, potentially exposing hundreds of thousands of companies to the risk of digital skimming attacks.
With end of support set to land in June 2020, there will be new opportunities for attackers to compromise these websites to access sensitive customer data.
All eyes will be on the groups using the infamous Magecart skimming code to harvest card details as they are entered into e-commerce website payment pages.
“It’s no secret that a CMS without support will develop vulnerabilities. Eventually, these lead to a compromised website — which cripples any e-commerce business,” explained Sucuri’s Art Martori.
“When you consider the popularity of the Magento e-commerce platform, it’s easy to see how their announcement of the Magento 1 end of life could leave a significant portion of e-commerce retailers scrambling for new solutions.”
These groups are estimated to have already compromised hundreds of thousands of sites and millions of users, possibly many more.
Hackers have even sought to exploit misconfigured Amazon Web Services (AWS) S3 buckets to implant the code onto more sites.
Sucuri recommended web application firewalls (WAFs) as a useful way to protect end-of-life platforms like Magento 1 while potentially easing the pain of migration.
The Saudi Arabian government recruited two former Twitter employees to spy on prominent critics of the regime, a new US complaint has alleged.
Prosecutors claimed in the newly released court documents that US citizen Ahmad Abouammo and Saudi Ali Alzabarah accessed personal information in over 6000 Twitter accounts back in 2015.
These included government critic and noted journalist, Omar Abdulaziz, who has over one million followers and was close to Washington Post columnist Jamal Khashoggi — who was murdered in the Saudi consulate in Istanbul last year, despite being a US citizen.
Although the duo’s jobs did not require access to user information, they were able to look up email addresses and even associated IP addresses, giving the Saudi government information on where the users were geographically located.
Abouammo was a media partnership manager for Twitter’s Middle East region, while Alzabarah was a site reliability engineer. Their intermediary is said to have been a Saudi named Ahmed Almutairi, who worked as a social media adviser to the royal family.
Reports suggest that the Saudi Crown Prince Mohammed bin Salman, implicated in the Khashoggi murder, is linked to the plot.
The complaint also alleged that the two defendants were paid handsomely for their efforts, in designer watches and tens of thousands of dollars placed into secret bank accounts.
After Alzabarah allegedly admitted to his boss that he had been spying on Twitter users, he was escorted out of the office. However, he is said to have flown to Saudi Arabia the next day with his family and not returned.
Twitter released a statement thanking the FBI and Department of Justice for their support with the investigation, and claiming that it limits access to sensitive account info “to a limited group of trained and vetted employees.”
“We recognize the lengths bad actors will go to to try and undermine our service,” it noted. “We understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable.”
Global IT security skills shortages have now surpassed four million, according to (ISC)2.
The certifications organization compiled its latest Cybersecurity Workforce Study from interviews with over 3200 security professionals around the world.
The number of unfilled positions now stands at 4.07 million professionals, up from 2.93 million this time last year. This includes 561,000 in North America and a staggering 2.6 million shortfall in APAC.
The shortage of skilled workers in the industry in Europe has soared by more than 100% over the same period, from 142,000 to 291,000.
The report estimated the current global workforce at 2.93 million, including 289,000 in the UK and 805,000 in the US.
Nearly two-thirds (65%) of responding organizations reported a shortage of cybersecurity staff, with a lack of skilled or experienced security personnel their number one workplace concern (36%).
(ISC)2 claimed the global security workforce needs to increase by a staggering 145% to cope with a surge in hiring demand. In Europe, this has come particularly in smaller companies with 1-99 employees, as well as those with over 500 employees.
Unsurprisingly, over half (51%) of cybersecurity professionals said their organization is at moderate or extreme risk due to staff shortages.
The report pointed to four key strategies to help organizations tackle such shortages. These include in-house training and development and setting applicant qualification requirements at the right level to ensure as wide a net as possible is cast.
(ISC)2 also stressed the need to attract new workers from other professions, or recent graduates with tangential degrees, as well as seasoned professionals from consulting and contracting sectors. Finally, organizations should look to strengthen from within by cross-training existing IT professionals where appropriate.
A new study has found that more than half of organizations believe detecting insider threats is harder following migration to the cloud.
The 2020 Insider Threat Report published today found that a lack of visibility into anomalous activity, especially in the cloud, and manual SIEM workloads have increased the risk of insider threats for organizations and prevent many from detecting and stopping data exfiltration.
The annual report was produced with the support of Gurucul by Cybersecurity Insiders, the 400,000-member community of information security professionals, to explore how organizations are responding to evolving security threats.
Key findings are that 58% of organizations consider their monitoring, detecting, and response to insider threats somewhat effective or worse, and 53% believe that detecting insider attacks has become significantly to somewhat harder since migrating to the cloud.
Nearly half of the companies surveyed for the report admitted that they are unable to remediate insider threats until after data loss has occurred.
Although 68% of organizations indicated that they felt vulnerable to insider attacks, 17% admitted having no visibility whatsoever into user behavior within core applications.
The most popular method for monitoring user behavior within core applications was via server logs, which were used by 46% of companies surveyed for the report. In-app audit systems/features were used by 31%, and 33% said that they had conducted user-activity monitoring.
The majority of organizations—87%—found it moderately difficult to very difficult to determine the actual damage of an insider attack, though the most common estimate, given by half of the organizations surveyed, was that an insider attack would cost less than $100,000.
As for identifying the sources of threats, 63% of organizations think that privileged IT users pose the biggest insider security risk.
“Insider threats are not limited to employees. They extend to contractors, supply chain partners, service providers and account compromise attacks that can abuse access to an organization’s assets both on-premise and in the cloud,” said Craig Cooper, COO of Gurucul.
“Lack of visibility and legacy SIEM deployments put companies at risk. Insider threat programs that monitor the behavior of users and devices to detect when they deviate from their baselines using security analytics can provide unmatched detection, risk-based controls and automation.”
The excuses made by companies that have suffered a data breach are being parodied online by a new website, whose creator is unknown.
"Why the f*ck was I breached?" uses algorithms to generate a slew of entertaining excuses that attempt to explain how data came to be exposed.
Excuses that appear on the site include "Anonymous collective used that other vulnerability we were going to patch next Tuesday to make a mess," "Russians used an open window in the server room to transfer 7 petabytes of data," and "Teenagers used nefarious techniques to do something, but we aren't quite sure what it is."
Along with each excuse comes an assurance that no further breaches will occur because the company has taken some kind of action that even a cybersecurity novice can see will be totally ineffective at preventing a similar incident from occurring.
Preventative actions that appear on the site include "We have since worked with law enforcement," "We have since copy-pasted a security policy we found on Google," and "We have since watched the movie Hacker 8 times back to back."
The site opens with the statement: "Did you just lose 100m customer SSNs because your root password was 'password,' you set an S3 bucket to public, or you didn't patch a well-known vulnerability for 8 months? Is the media and government chewing you out because of it? Worry not! Our free excuse generator will help you develop an air-tight breach statement in no time!"
Users can then scroll down to view an auto-generated breach excuse. To make the next excuse appear, users must click a button that reads "Equifax already f*cking used that one."
While the site was clearly created for comic effect, by mocking the often vague information disclosed by companies following a data breach it flags the salient issue of how cybersecurity is approached and implemented.
The site aims particular criticism at Equifax, which exposed the personal information of 147 million people in July 2017. Although staggering in size, this breach is paltry when compared to the breaches that affected 3 billion Yahoo users in 2013 and 500 million Marriott customers between 2014 and 2018.
The Social Security information of thousands of drivers has been exposed following a data breach at the California Department of Motor Vehicles that went unnoticed for four years.
Information relating to 3,200 people issued with driver's licenses was inadvertently leaked to federal agencies, including the U.S. Department of Homeland Security.
A total of seven agencies were able to access the data, including district attorneys in San Diego and Santa Clara counties, the Small Business Administration, and the Internal Revenue Service.
According to the Los Angeles Times, some data exposed by the DMV was accessed as part of investigations into criminal activity or compliance with tax laws.
DMV spokesperson Anita Gore stated that no information had been accessed by or shared with private individuals as a result of the breach.
The DMV restricted access to the data shortly after discovering the breach on August 2, 2019.
“Protection of personal information is important to DMV, and we have taken additional steps to correct this error, protect this information and reaffirm our serious commitment to protect the privacy rights of all license holders,” Gore said.
“That’s why DMV immediately began correcting the access error following a legal compliance review, ensured that no additional confidential information was disclosed to these entities, and has implemented several additional layers of review.”
Customers of the DMV were informed of the breach by letter. In it, Albert C. Hwang, chief privacy officer at the DMV, wrote: “We sent this letter and the attached notice to you based on having, in the past, shared your Social Security information in error.”
California state law requires customers to be notified of any unauthorized acquisition of computerized data that compromises the confidentiality of personal information.
News of the breach comes just months after a state audit in March found “significant deficiencies” in DMV operations, including technology and staffing problems and poor management practices.
The audit found that the department's computer system was relying on programming language dating to the 1950s and that some parts of the department’s operating structure hadn’t been updated since 1990.
The DMV has also been criticized for soul-crushingly long waiting times, with some Californians reporting queues that lasted nearly six hours.
Facebook has revealed yet another incident where third-party developers may have been allowed too much access to user data.
In this case, names, profile pictures and other information relating to members of Facebook groups may have been accessed improperly by as many as 100 developer ‘partners’ of the social network.
“We know at least 11 partners accessed group members’ information in the last 60 days,” said Facebook director of developer platforms and programs, Konstantinos Papamiltiadis.
“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”
The snafu relates to a Groups API that Facebook restricted as part of its efforts in April last year to clamp down on data sharing with third parties, in the wake of the Cambridge Analytica scandal.
“Before April 2018, group admins could authorize an app for a group, which gave the app developer access to information in the group,” said Papamiltiadis.
“As part of the changes to the Groups API after April 2018, if an admin authorized this access, that app would only get information, such as the group’s name, the number of users, and the content of posts. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt-in.”
Unfortunately, the social network subsequently discovered that some apps/developers retained access to this additional information “for longer than intended.”
These have now been removed as part of Facebook’s efforts to improve transparency and accountability following its record $5bn settlement with the FTC.
In September this year it announced the suspension of tens of thousands of apps from hundreds of developers for potential abuse of policy, such as improperly sharing user data.
The internet is awash with politically themed malware, used in everything from ransomware to remote access trojans (RATs), according to new research from Cisco Talos.
The security firm’s study began with analysis of a regular-looking malicious spam campaign which used an executable named “trump.exe.”
Taking this as a jumping off point, the research team found a wide range of similarly themed threats that “was almost a microcosm of what we see in the threat landscape daily.”
These included Donald Trump-themed ransomware, and separate Trump and Vladimir Putin-themed locker malware. Interestingly, one of these threats offered no way for hackers to monetize their efforts.
Cisco also found numerous politically themed RAT campaigns, including Neshta, which used Kim Jong Un, and an NjRAT campaign that used an image of Putin — the same one used as an icon for the “Papa-Putin.exe” executable.
Some RATs were found using booby-trapped files purporting to contain political content as a lure, such as the Word document “12 things Trump should know about North Korea.doc,” which was used to spread the Konni RAT.
An Excel spreadsheet titled “Trump_administration_economic_indicators_on_China_investments.xls” contained malicious macros leading to infection by the well-known PoisonIvy RAT, often used in nation state attacks.
Other tools featuring political iconography included a Trump crypter, injectors referencing Barack Obama and Putin, and a Putin-themed malware loader.
Cisco also discovered a range of political software “ranging from the absurd to the disturbing,” including a “Dancing Hillary” game and a “Trump's Cyber Security Firewall” tool.
“As this investigation has exposed, adversaries will go to any lengths and use anything they deem advantageous, from pop culture to political references — everything is fair game,” it concluded. “This is applicable not only to the adversaries delivering malware, but also the miscreants writing tools for adversaries to leverage including crypters, injectors and loaders.”
Drones could become a major network security threat from 2020, forcing organizations to guard the airspace around their buildings, security researchers have warned.
Small unmanned aerial vehicles (UAVs) will increasingly evolve from novelty items to “ubiquitous business tools” over the coming years, explained defense contractor Booz Allen Hamilton in a new 2020 Cyber Threat Trends Outlook report.
However, as they do, cyber-criminals may also look to take advantage by flying them close to target networks and/or landing them in concealed locations such as on roofs. In this way, a UAV could be fitted with a Wi-Fi Pineapple and used as a rogue access point to harvest credentials, perform man-in-the-middle attacks against employees and carry out network reconnaissance, the report warned.
IoT devices such as smart light bulbs, or even wireless mice could also be targeted.
“Drones equipped with specially fitted hardware and software may also be used to install malicious malware on systems or disrupt system’s operations, particularly devices that are vulnerable to exploitation of wireless protocols like Bluetooth and ZigBee,” the report claimed.
“The requirement for both the attacker and the drone to be in proximity to a target (e.g., Bluetooth has an estimated maximum range of 300 feet) will limit the frequency with which drone-based attacks will be used, but the threat nonetheless remains real.”
To mitigate the threat, Booz Allen Hamilton urged organizations to consider training physical security staff to spot drones, installing jamming signals and treating their airspace as an extension of the corporate attack surface.
“For small office/home office wireless networks, operators may consider mitigations commonly used to address war-driving attacks, such as turning off the wireless network when not in use, updating administrator passwords on routers regularly, and using security measures such as wireless traffic encryption and firewalls,” it added.
Elsewhere in its report, the IT consulting giant warned of a growing risk to satellite infrastructure, connected cars, the upcoming Tokyo Olympics and digital elections.
There is a sense of failure among security practitioners, believing that they cannot keep up with attacks, and this has created a sense of irrational fear.
Speaking at the Tenable Edge conference in London, Tenable CEO Amit Yoran said that this sense of “learned helplessness” has led people to reassess their perception of risk. Rather than zero-days, which he said were often overhyped, he argued that two other things are actually more important to focus on: system hygiene and user challenges.
Acknowledging that user problems are harder to solve, Yoran focused on security hygiene, saying that “sophisticated adversaries take advantage of known vulnerabilities as 60% of breaches are caused by known vulnerabilities to which patches are available” but often not applied.
He said that in the last two years, the NSA “has not responded to a breach that involved a zero-day exploit” and this has led to irrational fears and news on what we are concerned about, when breaches are often “the result of bad hygiene and stuff we know about and can fix.”
Yoran said that knowing your level of risk is imperative, as boards and CEOs do not ask about sandboxing, exploiting files “and which form of AI or ML you’re using to detect logins,” but are asking simple questions such as “how vulnerable are we and what is our level of risk?”
He concluded: “Those are the questions business leaders are asking, and it is imperative for the future of vulnerability management as it is a system of record for the understanding of risk.”
Californian security-event management company Sumo Logic has acquired JASK Labs, Inc.
JASK makes security information and event management (SIEM) software and is best known for its flagship product, JASK Autonomous Security Operations Center (ASOC), which collects and analyzes data from any source, including endpoint data, network data, and applications in the cloud.
Sumo Logic, which had its own SIEM prior to the acquisition, has rebranded the JASK solution as Sumo Logic ASOC.
Since it was founded in Austin, Texas, in 2015, JASK has raised nearly $40M from investors like Battery Ventures, Dell Technologies Capital, TenEleven Ventures, and Kleiner Perkins.
“The team at JASK set out to fundamentally disrupt traditional security solutions that are no longer meeting the needs of modern security teams,” said Greg Martin, CEO of JASK.
“Over the past five years, we’ve worked with customers and experts on the front lines of this disruption to uncover what will truly have an impact on improving the performance of security analysts that have been mired with alert fatigue. We’re excited to bring together our collective security DNA and joint customers and partners to create a powerful security intelligence solution that provides a cloud-native best-in-class modern SOC and analytics solution.”
Ramin Sayar, president and CEO of Sumo Logic, said: “Security in the modern world is moving from a human-scale problem to a machine-scale problem.
“Customers are looking for a new approach to help them overcome the pain and complexity around an increasingly perimeter-less world. The JASK team are experts in helping customers navigate this new world. By aligning our efforts as a single team, we are able to democratize security intelligence for all.”
Commenting on how the acquisition will affect the SIEM market, Nir Polak, co-founder and CEO of Exabeam, said: "Based on how rarely we see JASK or Sumo Logic compete against us for business, I can’t envision their combined company making any significant headway in the next-gen SIEM market.
“When you multiply a fraction by another fraction, you get an even smaller fraction. I don’t think this merger will be the force multiplier either company is hoping for.”
Nunavut, Canada's largest and most northerly territory, is working hard to recover from a ransomware attack that struck over the weekend.
The sophisticated cyber-assault was launched on the sparsely populated territory's government network at approximately 4:00 am on Saturday morning, resulting in the swift encryption of multiple Word documents and PDF files.
Users trying to access the infected government network were confronted with a ransom note that read: "Your network has been penetrated. All files . . . have been encrypted with a strong algorithm . . . we exclusively have decryption software for your situation."
The threat actors behind the attack instructed users to download an encrypted browser and visit a specific URL within the next 21 days. Users were told that the sooner they pay, the lower the price they will be charged to recover their encrypted files.
In an attempt to contain the attack, the government shut down parts of its network, leaving many government employees unable to access their email or voicemail. All government services requiring access to electronic information were impacted by the attack, with the exception of Qulliq Energy Corporation.
"The nature of the government is we're a centralized organization, so it has impacted the file servers of different departments and it's impacted some of our communities as well," Nunavut's director of information, communications, and technology, Martin Joy, told CBC News.
The ransomware is believed to have been triggered when an employee working late on Friday night clicked a link in a malicious email or web advertisement. Joy said the ransomware appeared to be DoppelPaymer, which Nunavut's security systems hadn't been trained to detect.
In a statement released yesterday, the Nunavut government wrote that "there is no concern at this time with the loss of personal information or privacy breaches."
Contingency plans have been implemented to ensure uninterrupted services to the local community, and the government stated that it "expects the majority of files will be restored, using existing up-to-date back-ups."
Minister of Community and Government Services Lorne Kusugak said in a statement in the legislature Monday that it would be at least a week before services were restored.
Speculating on why threat actors might have targeted Nunavut, Emsisoft’s Brett Callow commented: "US entities are on very high alert, bolstering their IT, and so are less likely to be compromised. Because of this, big game hunters are increasingly looking for opportunities in other countries."
Community safety organization Neighbourhood Watch has established a cyber-safety initiative to help Brits protect themselves and their families from online crime.
Formed in response to the rising level of cybercrime, the new scheme aims to teach communities about the risks associated with going online while also gathering data on which regions of the UK are most vulnerable to cyber-threats.
According to a survey of 14,000 Neighbourhood Watch members carried out by the watch in conjunction with Avast, 20% have been victims of cybercrime, while 38% know someone else who has become a victim of cybercrime.
Researchers found a general lack of confidence in talking about cybercrime experiences within the community, and some gaps in understanding around the best methods of online protection.
In terms of financial impact, over a third (36%) lost money, and of them, 29% lost more than £1,000. The majority of these crimes were kept secret by the victims, with only 30% reporting the incident to the police.
"Neighbourhood Watch is about making sure that fewer people feel afraid, vulnerable or isolated in the place where they live, and in recent years that means helping members learn how to protect themselves, and their local community, against cybercrime has become a key priority," said John Hayward-Cripps, CEO of Neighbourhood Watch.
"This may surprise some people who think Neighbourhood Watch is solely focused on physical crime prevention. Our members recognize that the threat of cybercrime is very real, and they tell us that there is a definite need for simple advice and resources, so they feel better equipped to defend themselves against it and advise others."
Avast’s support will include a training and accreditation scheme for local Neighbourhood Watch representatives, local informative events, downloadable guides and resources, and ongoing sharing of information about relevant emerging threats.
"Neighbourhood Watch community leads, who often represent people and places that are most at risk of cyber threats, are increasingly asking for help following feedback from local members who have experienced scams or security incidents themselves or know someone who has. We are delighted to provide our support by working with them to deliver a cybersecurity accreditation programme with training courses to help members become more confident and knowledgeable in supporting their community cybersecurity requirements," said Peter Turner, senior vice president, Consumer Security, Avast.