Enterprises are spending more than $16 million – each – per year on detection-based security, thanks to surging hidden costs.
More specifically, initial, upfront licensing and deployment investment in security-detection tools like antivirus is dwarfed by the cost of human skills and effort to manage and assess the millions of alerts and false-positive threat intelligence generated, according to new analysis.
A survey from Bromium, which polled 500 CISOs from global enterprises, found that organizations invest about $345,300 per year on these kinds of tools, yet the average annual cost to maintain detect-to-protect endpoint security spirals to more than $16,714,186 per enterprise because of hidden human costs.
The solutions that organizations are spending money on up front vary and include: advanced threat detection (annual spend $159,220); next-generation and traditional antivirus (annual spend $44,200); whitelisting and blacklisting ($29,540 annual spend); and detonation environments ($112,340 annual spend).
However, labor costs are soaring as a direct result of detection-based technology failures: security operation center (SOC) teams receive more than 1 million alerts every year, but 75% are false positives. SOC teams thus spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching. Altogether, that’s 417,148 hours per year, resulting in an annual labor cost of $16,368,886 per enterprise.
“Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive,” said Gregory Webb, CEO, Bromium. “It’s no surprise that 63% of the CISOs we surveyed said they’re worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them.”
Aside from the expected upfront expenditures, during evaluations CISOs need to be asking questions that uncover the hidden costs, such as:
- Where are most of the attacks happening?
- Are advanced threats getting through current defenses?
- Is employee productivity negatively impacted by current security measures?
- How many alerts are being generated? Of those, how many are false positives?
- Is it likely that machines will still become compromised and need to be rebuilt?
“Meanwhile, advanced malware is still getting through because cybercriminals are focusing on the weak spots, like email attachments, phishing links, and downloads,” Webb said. “This is why organizations must consider the total cost of ownership when making security investments rather than just following the detect-to-fail crowd.”
A new method of covert channel data exchange has been uncovered. It uses a well-known and widely implemented public key certificate standard (X.509), which underpins both TLS and SSL implementations for securing web communications.
According to Jason Reaves, threat research principal engineer at Fidelis Security, there’s a flaw in the way the certificates are exchanged, which could allow them to be hijacked for command-and-control (CnC) communication. The process also ends up bypassing common security measures.
Reaves created a proof of concept (PoC) that shows a malicious binary being transferred over TLS negotiation traffic to simulate a threat actor transferring the Mimikatz data-extraction malware to an already compromised system.
Essentially, certificates are exchanged during the TLS handshake, before the secure connection is made. By placing arbitrary binary data into the certificates themselves, Reaves uncovered a system that could be used to send or receive data from both a client and a server perspective. Meanwhile, the data transferred via X.509 extensions may bypass detection methods that do not inspect certificate values. As he explained in an analysis:
X.509 certificates have many fields where strings can be stored...The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse...takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.
When it comes to mitigation and detection, the PoC uses self-signed certificates, so blocking self-signed certificates at the perimeter could be a useful protection mechanism for these attacks. Another possibility for signaturing is checking for executables in certificates.
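To make the "executables in certificates" check concrete, the following is an added example (not Fidelis' PoC or any vendor's code): it walks a DER- or PEM-encoded certificate and flags string fields that start with an executable header or are unusually large. The 1024-byte threshold, the placeholder OID and the sample extension block are constructed for this example.

```python
import base64
import re

# Magic bytes of common executable formats (constructed list for this example).
EXEC_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary / Java class",
}
# Assumed heuristic threshold: legitimate extension values are rarely this large.
MAX_STRING_LEN = 1024
# DER tags for values that can carry arbitrary bytes or text.
STRING_TAGS = {0x04: "OCTET STRING", 0x0C: "UTF8String",
               0x13: "PrintableString", 0x16: "IA5String"}

def load_der(data):
    """Accept raw DER or a PEM-armoured certificate and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----|\s", b"", data)
        return base64.b64decode(body)
    return data

def _read_tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def iter_der(buf, start=0, end=None):
    """Recursively yield (tag, value_bytes) for every TLV in a DER buffer."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, buf[vstart:vend]
        if tag & 0x20:                     # constructed type: descend into children
            yield from iter_der(buf, vstart, vend)
        pos = vend

def suspicious_strings(cert_bytes):
    """Return human-readable findings for string fields that look like smuggled payloads."""
    findings = []
    for tag, value in iter_der(load_der(cert_bytes)):
        kind = STRING_TAGS.get(tag)
        if kind is None:
            continue
        for magic, name in EXEC_MAGIC.items():
            if value.startswith(magic):
                findings.append(f"{name} header in {kind} ({len(value)} bytes)")
                break
        else:
            if len(value) > MAX_STRING_LEN:
                findings.append(f"oversized {kind} ({len(value)} bytes)")
    return findings

def _der(tag, value):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def sample_extensions(payload):
    """Constructed sample: an X.509 Extensions block carrying `payload` as one extnValue."""
    oid = _der(0x06, bytes([0x2A, 0x03, 0x04]))         # placeholder OID 1.2.3.4
    extension = _der(0x30, oid + _der(0x04, payload))   # Extension ::= SEQUENCE {OID, OCTET STRING}
    return _der(0xA3, _der(0x30, extension))            # [3] EXPLICIT SEQUENCE OF Extension

if __name__ == "__main__":
    print(suspicious_strings(sample_extensions(b"MZ\x90\x00" + b"\x00" * 100)))
    print(suspicious_strings(sample_extensions(b"\x05\x00")))  # benign NULL value
```

Pass the bytes of a real certificate file to `suspicious_strings` to scan it; the self-signed check mentioned above (issuer equals subject) is a separate test not covered here.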
While no exploit has yet been seen in the wild, the widespread use of these certificates means that many organizations are potentially open to this new data transfer method, which in and of itself is not all that unusual.
“Using covert channels to move data across a network is not new…Appending data to ICMP, for example, was proposed as a means to transfer data back in 2005, with citations pointed to publications from 1997,” Reaves said. “Indeed, one of the earliest mentions of practical covert channel use comes in a government publication from 1993. Researchers continue to find novel ways to abuse protocols and RFC implementations to achieve difficult-to-detect data transfer methods.”
Every NHS Trust has failed to meet the recommended data security standards, a parliamentary committee has heard.
NHS Digital deputy chief executive Rob Shaw told a Public Accounts Committee hearing that his agency had completed 200 on-site assessments, and no Trusts had managed to meet the recommendations set out by Fiona Caldicott.
The national data guardian for health and care set out 10 data security standards, confirmed by the government in July 2017.
These include accreditation to the government-backed Cyber Essentials Plus scheme, which aims to improve baseline security with a series of best practice steps organizations can take. Unlike the regular Cyber Essentials scheme it requires a third-party assessment.
The requirements include basic steps to help mitigate the risk of phishing, hacking, password-guessing and more. It covers five technical control areas: firewalls; secure configuration; access controls; malware protection; and patch management.
However, Shaw suggested that even this was too high a standard for the NHS Trusts that were assessed.
“The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar,” he told the committee. “So some of them have failed purely on patching which is what the vulnerability was around WannaCry.”
The committee was holding an inquiry into the ransomware outbreak, which is said to have led to an estimated 19,000 cancelled appointments and operations. It could have been wholly prevented if NHS organizations had applied the Windows patch they had been told to install two months earlier.
Neil Haskins, director of advisory services at pen testing firm IOActive, described the news as “shocking.”
“Unfortunately, the NHS is more used to treating the symptoms of its patients, rather than causes of disease, and the same could be said for its approach to cybersecurity. In almost all cases in cybersecurity, however, by the time symptoms appear, it is too late,” he told Infosecurity.
“In the wake of WannaCry, if you were waiting for a life-saving operation, it may have been cancelled. If you were in a car crash, the ambulance may have been diverted 40 miles away. Forget your run-of-the-mill breach, where data and trust is all that’s lost. WannaCry was a genuine loss-of-life cyber-event, all because Windows 7 wasn’t patched. Is that acceptable for an organization, trusted with the care and well-being of you and your loved ones?”
He argued that the NHS and other organizations need to move away from a tick-box approach to cybersecurity to one where vulnerabilities are continuously being spotted and mitigated.
“Cyber and information security is not an IT issue, it’s a business one. As such, the NHS should absolutely be focused on having skilled experts providing actionable intelligence, enabling them to make business decisions based on risk, impact and likelihood,” Haskins concluded.
“Action should be taken on this advice, driven from the top down.”
An alleged British hacker has won a legal appeal against extradition to the US.
Lauri Love, 33, from Stradishall, Suffolk, was arrested back in 2013 under the Computer Misuse Act on suspicion of hacking the FBI, NASA, and the Federal Reserve, among other targets.
In September 2016 a judge at Westminster Magistrates' Court ruled that Love should be extradited to the US and two months later home secretary Amber Rudd signed the order, despite a letter from MPs sent to Barack Obama requesting he halt the process.
Love has Asperger’s syndrome and depression, and his lawyers argued that he was at “high risk” of killing himself if sent to the US to face charges.
He could face a sentence of up to 99 years behind bars if found guilty.
On Monday, judges at the High Court in London agreed, ruling that an extradition would be “oppressive by reason of his physical and mental condition.”
“We accept that the evidence shows that the fact of extradition would bring on severe depression, and that Mr Love would probably be determined to commit suicide, here or in America," they said, according to the BBC.
Lord Chief Justice Lord Burnett and Mr Justice Ouseley apparently claimed that the CPS — which had been arguing for Love’s extradition — should now be working with the US authorities, because of the “gravity of the allegations in this case, and the harm done to the victims.”
Love is alleged to have stolen troves of data from various US agencies in 2012 and 2013.
His case is reminiscent of fellow Asperger’s sufferer Gary McKinnon, who fought a long and ultimately successful campaign against extradition to the US after then-home secretary Theresa May stepped in to claim such a move would be “incompatible with Mr McKinnon's human rights.”
Love’s ordeal is far from over, however, with the US authorities given a fortnight to request an appeal hearing at the UK Supreme Court.
Nearly three-quarters of global firms fell short of adequate cyber-readiness, despite the majority ranking online threats as the number one risk to their business, according to Hiscox.
The insurer’s Cyber Readiness Report 2018 used interviews with a representative sample of 4000 organizations in the US, UK, Germany, Spain and the Netherlands to assess their cybersecurity strategy and the quality of its execution.
The annual report found that only 11% scored highly enough in both areas to be ranked as cybersecurity “experts,” while 16% achieved expert status in either strategy or execution, but not both.
Yet the cyber-threat is well understood: two-thirds of respondents claimed it’s their top business risk, alongside fraud.
Perhaps unsurprisingly, large firms and those that spend more on security were judged to be the best prepared.
Some 21% of large companies ranked as cyber experts, versus only 7% of small firms, while cyber-experts spend twice as much on IT as those that failed the test ($19.8m versus $9.9m) and devote a higher proportion to cybersecurity (12.6% versus 9.9%).
The good news is that spending is on the rise, with 59% of respondents planning to increase their outlay on security.
Almost half (45%) of those polled claimed to have suffered at least one attack over the previous 12 months, and 66% of them were hit twice or more, with financial services, energy, telecoms and government sectors the biggest targets.
The average cost of these attacks across all respondents was only $229,000, although this rose to as much as $20m for individual UK and German firms and $25m for their US counterparts.
Nick Hammond, lead advisor for financial services at World Wide Technology, argued that the report should be a reminder to those in the financial sector of the difficulty of getting security right.
“This kind of protection is all the more necessary this year, in the wake of new regulations such as MiFID II, PSD2 and GDPR. Unlike older rules that only required yearly tick-box compliance exercises, these new regulations require continued assurance of critical applications,” he added.
“But with the complexity of existing IT systems, which have been built with different and sometimes opposing metrics over the years, this is easier said than done. This web of opaque interdependencies is creating problems for cyber security. Without a clear view of how the system is plumbed together, there can be knock-on effects downstream when one application is prevented from sharing data with another system or user.”
Held at Grosvenor House, the Women in IT Awards celebration was attended by 1200 people, hosted by Maggie Philbin OBE, CEO of TeenTech, and keynoted by Baroness Martha Lane-Fox.
Ten women were shortlisted in the Security Champion of the Year category, which Emily Biggs won. The full shortlist was:
- Rebecca Angwin, IBM
- Kiran Bhagotra, ProtectBox
- Naina Bhattacharya, Deloitte
- Emily Biggs, Digital Shadows
- Helena Fearon, Auto Trader
- Jane Frankland, Cyber Security Capital
- Emma Leith, BP
- Lesley Marjoribanks, RBS
- Zuzana Skrinarova, Yoox Net-a-Porter Group
- Elisabetta Zaccaria, Secure Chorus
Over the next couple of weeks, Infosecurity will be running a mini interview series, featuring each of the security champion shortlisted contestants.
Today, we feature Emily Biggs, winner of the Women in IT Awards security champion category.
Infosecurity Magazine: How did it feel to win the security category at the Women in IT awards?
Emily Biggs: Surprised more than anything. Although we are in a minority, there are a huge number of fantastic women working in this space and it really is a privilege to be recognized amongst them.
IM: What do you think gave you advantage over the others shortlisted?
EB: My role is to shape the Digital Shadows SearchLight product, so I would think that its success was a big part of the decision.
IM: What was your route into cybersecurity?
EB: I studied computer science at university and started my career as a developer and architect. I had the fantastic opportunity to join Digital Shadows just as it was starting out.
IM: If you weren’t an infosec professional, what would be your dream job?
EB: I always wanted to be a marine biologist when I was younger, but I get terrible sea sickness!
IM: What’s the best thing about your job?
EB: Working at a small company where what I do every day makes a real difference to our customers and the success of our business.
IM: If you could give your 21-year-old self just one piece of career advice, what would it be?
EB: Don’t think twice about joining a start-up – succeed or otherwise you will learn more than you can imagine.
IM: What’s your biggest professional regret?
EB: No longer coding every day. I love my role and I wouldn’t change my decisions to get to this point, but there is something extremely rewarding about developing algorithms and physically writing software.
IM: Who do you really admire in the industry?
EB: Baroness Martha Lane Fox gave a really inspiring keynote speech at the awards ceremony and her contribution to gender equality within technology has been immense.
IM: If you could change one thing about the information security sector, what would it be?
EB: Although cheesy, given the context of these awards, I do think equality and diversity really needs to change within our sector. The fact that our sector is so homogeneous actually stops us being as effective as we could be in achieving our goals.
IM: What’s your guilty pleasure?
EB: Tequila! Although I'm 7 months pregnant so that is off the table for a while.
IM: What’s your take on the women in information security conversation…Are you fed up of talking about it? Or do we need to talk about it more?
EB: I have always thought of myself simply as a person in technology doing the best I can at whatever opportunity is in front of me but unfortunately the stats on gender equality within our sector are hard to argue with. For that reason alone, I do think equality and diversity still needs to be part of the conversation for our industry to be as successful as it can be. In my mind, the defining attributes of anyone within the workplace should be their effectiveness in their role not their gender, race, disability or sexual orientation. Hopefully one day that is the only conversation that needs to be had.
Bio: Emily joined Digital Shadows at its inception 6 years ago and developed its core product, SearchLight, growing the company’s development team. She now oversees all product strategy for the company. Emily specializes in architecting enterprise-level critical systems, particularly in the big data risk intelligence domain. She previously worked at BAE Systems Detica as lead developer, technical project manager, and technical architect. She holds a degree in computer science from Oxford University.
A new Adobe Flash zero-day vulnerability (CVE-2018-4878) has been spotted being exploited in the wild.
The vulnerability exists in Adobe Flash Player 184.108.40.206 and earlier versions; successful exploitation could allow an attacker to take control of the affected system.
The actors are using a malicious document or spreadsheet with an embedded SWF file. Once the document is opened and the exploitation successfully launched, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea.
FireEye also said that the actor behind the attack appears to be a North Korean group known as TEMP.Reaper – a group that typically targets South Korean government, military and defense-industrial entities. Cisco calls the group Group 123.
“We have observed TEMP.Reaper operators directly interacting with their command-and-control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang,” FireEye researchers said in an analysis. “The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific.”
FireEye’s preliminary analysis indicates that the actors are exploiting the vulnerability to distribute the DOGCALL malware to South Korean victims; Cisco calls the malware ROKRAT. In any case it’s a remote administration tool (RAT), which contains a wiper as one of its modules and is mainly focused on espionage and data exfiltration.
The wiper is a new trick for TEMP.Reaper/Group 123. “In the past year, FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper, which we detect as RUHAPPY,” said FireEye. “While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks, we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets.”
Adobe plans to release a fix for the issue this week.
The espionage campaign against Winter Olympics targets has widened its net, with several second-stage implants providing attackers with top-tier spyware capabilities and the ability to achieve permanent persistence on victim machines.
McAfee's Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The gambit used a targeted spear-phishing email with a malicious document attached, which was sent to 333 victim organizations. Once executed, the document paved the way for a basic PowerShell implant that established a channel to the attacker’s server to gather system-level data and that employed image steganography techniques to hide.
“What was not determined at that time was what occurred after the attacker gained access to the victim’s system,” McAfee researchers said.
McAfee ATR has now discovered that additional implants are being used as a second-stage payload in the Olympics-related attacks, used to gain persistence for continued data exfiltration and for targeted access: Gold Dragon, Brave Prince, Ghost419, and RunningRat, all named for phrases found in their code.
“The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed,” McAfee said. “The implants are delivered as a second stage once the attacker gains an initial foothold using file-less malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.”
The Gold Dragon Korean-language implant was first seen on Christmas Eve.
“The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server,” McAfee said. “[It] acts as a reconnaissance tool and downloader for subsequent payloads of the malware infection and payload chain. Apart from downloading and executing binaries from the control server, Gold Dragon generates a key to encrypt data that the implant obtains from the system.”
Brave Prince meanwhile gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes and more; Ghost419 is also a system reconnaissance malware and shares code with Gold Dragon. Stealing keystrokes is the main function of RunningRat; however, it contains code for more extensive functionality, including copying the clipboard, deleting files, compressing files, clearing event logs, shutting down the machine and much more. It’s unclear how the additional code could be executed.
“With the discovery of these implants, we now have a better understanding of the scope of this operation,” researchers said. “Gold Dragon, Brave Prince, Ghost419 and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.”
McAfee said that a North Korean threat actor is likely behind the attacks.
Octoly, a Paris-based brand marketing company, has inadvertently revealed the contact information and personal details of 12,000 social media stars.
Octoly supplies the online celebs with beauty products and merchandise from the marketing firm’s industry clients, which include household names like Dior, Estée Lauder, Lancôme and Blizzard Entertainment. UpGuard's Cyber Risk Team discovered that the company had a misconfigured cloud storage bucket that made public a raft of information about these influential "creators" – mostly Instagram, Twitter and YouTube personalities.
The information includes real names, addresses, phone numbers, email addresses – including those specified for use with PayPal – and birth dates. Also exposed were authentication tokens that could be used to take over accounts and thousands of hashed user passwords, which, if cracked, could lead to password reuse attacks against various online accounts belonging to creators, the usernames for which are also in the repository.
The names of 600 brands that use Octoly’s services were included as well.
The Amazon Web Services S3 cloud storage database (now closed) also includes 12,000 Deep Social reports, which have been generated for each individual creator registered with Octoly. These reports provide highly detailed and specific analysis of creators’ online influence, down to the ages, interests and locations of followers, as well as which brands are most appealing to them – corporate intelligence that could be damaging if made available to competitors.
“The potential for identity theft, password reuse attacks and account takeovers of affected creators, launched by malicious actors, is considerable,” the UpGuard team said in a blog. “This cloud leak raises the specific prospect of established, largely female internet personalities facing harassment or misuse of their actual personal details in their real lives.”
It also “invites the danger of gruesome ‘swatting’ attacks on their homes,” the researchers added. Swatting is a harassment tactic where someone hoaxes an emergency services dispatcher or 911 operator to send police or an emergency service response team to another person's address.
Octoly faces potentially significant business damage as a result of this leak.
“The public disclosure of the deep analytical work Octoly provides for brands certainly constitutes a damaging leak of information that could be used by competitors and unsavory online marketers,” UpGuard said. “The publication of the brands using Octoly’s services also introduces the specter of third-party vendor risk, in which external partners can leak damaging internal information shared out of necessity…The essence of third-party vendor risk is that an external entity can, by the very nature of modern data sharing, expose other enterprises to risks they would not otherwise invite.”
The National Cyber Security Centre (NCSC) has today released the results of its Active Cyber Defence (ACD) initiative, which was launched one year ago.
The technology, which is free at the point of use, improves defense against threats by blocking fake emails, removing phishing attacks and stopping public sector systems veering onto malicious servers.
As detailed in the report Active Cyber Defence - One Year On, since the inception of the ACD the UK’s share of visible global phishing attacks has dropped from 5.3% (June 2016) to 3.1% (Nov 2017), with 121,479 phishing sites hosted in the UK removed.
What’s more, takedown availability times for sites spoofing government brands came down from 42 hours to 10 hours, and there was a drop in scam emails sent from bogus ‘@gov.uk’ addresses.
There have been more than one million security scans and seven million security tests carried out on public sector websites, with an average of 4.5 million malicious emails blocked per month from reaching users.
“Through the National Cyber Security Centre, the UK has taken a unique approach that is bold and interventionalist, aiming to make the UK an unattractive target to criminals or nation states,” said Dr Ian Levy, technical director of the NCSC.
“The ACD program intends to increase our cyber adversaries’ risk and reduce their return on investment to protect the majority of people in the UK from cyber-attacks.
“The results we have published today are positive, but there is a lot more work to be done. The successes we have had in our first year will cause attackers to change their behavior and we will need to adapt.”
Bob Rudis, chief data scientist at Rapid7, said that the design and labor behind the NCSC’s ACD initiatives – along with the inaugural published results – are nothing short of incredible.
“The NCSC has proved that with collaboration and appropriate support, it is possible to implement foundational cybersecurity monitoring, configuration, and reporting that fundamentally changes the economics for opportunistic/commodity attackers.
“This ‘active defense’ experiment by the NCSC – if adopted by other countries and even other large organizations – could radically change the attacker/defender landscape.”