Info Security


NSA Warns Windows Users to Upgrade, STAT

Thu, 06/06/2019 - 16:49

Microsoft Windows administrators and users are being urged by the National Security Agency (NSA) to verify that they are using a patched and updated system in order to protect against cyber-threats.

In a June 4 advisory, the NSA referenced recent warnings by Microsoft of a potentially 'wormable' remote code execution vulnerability (CVE-2019-0708), dubbed “BlueKeep,” that could spread across the internet without user interaction.

Despite Microsoft having issued a patch, the NSA said that potentially millions of users remain vulnerable.

“We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw...in Remote Desktop Services (RDS) on legacy versions of the Windows® operating system,” the advisory stated.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”

While newer versions of Windows are reportedly protected against this vulnerability, several versions remain at risk if not patched, including: Windows XP, Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

In a May 14 blog post, Microsoft noted that it has not yet observed any exploitation of this vulnerability, though there is a high likelihood that “malicious actors will write an exploit for this vulnerability and incorporate it into their malware.” However, an anonymous researcher has already published a proof-of-concept (PoC).

“Businesses who fail to heed the NSA's warning ignore it at their peril. Anyone looking for evidence to justify patching or moving off of legacy systems need only look at the damage left in the wake of NotPetya and WannaCry,” said Rick Holland, CISO, vice president of strategy at Digital Shadows.

“Maersk's financial statements clearly show the potential costs of 'wormable' vulnerabilities. In the short term, businesses should isolate the systems that must run legacy software. More strategically, companies must have a plan to retire unsupported systems, even if it takes several years.”

Categories: Cyber Risk News

Australian Police Collect 9K+ Docs in ABC Raid

Thu, 06/06/2019 - 16:32

Outrage over the Australian Federal Police (AFP) raid at the Australian Broadcasting Corporation (ABC) continues to mount as a question of national security versus freedom of the press plays out between journalists and law enforcement.

In response to allegations that ABC had published classified information related to stories reported in 2017, the AFP raided ABC’s headquarters in Sydney and seized several documents, according to John Lyons, executive editor at ABC news, who was allowed in the room as several police officers combed through thousands of emails.

“They have downloaded 9,214 documents. I counted them,” Lyons told ABC news in a live interview. “They have set up a huge screen and they are going through email by email. It’s quite extraordinary. I’ve never seen an assault on the media as savage as this one I’ve seen on ABC.”

“The AFP have the power now to be going through those documents and essentially deleting anything they want. They can change material,” said Lyons, who live-tweeted events as they unfolded.

The news is the second raid on members of the press in Australia in less than 24 hours. Combined with the recently passed Assistance and Access Bill, also known as the anti-encryption law, these raids are especially troubling. “Australia is heading down a path that leads to its citizens not being able to speak freely nor privately,” said Paul Bischoff, privacy advocate with Comparitech.com.

“When members of the press are targeted by their own governments, it's important for journalists to step up their cybersecurity and protect sources. If you cannot depend on the law to protect press freedoms, then journalists must take care to secure their communications, notes, drafts, data, documents and other materials. Most importantly, they need to encrypt their phones and laptops, connect to reputable virtual private networks (VPNs) and use secure communication channels with end-to-end encryption.”

Categories: Cyber Risk News

#Infosec19: Mitigating Risks and Managing Third Party Threats

Thu, 06/06/2019 - 14:41

Speaking at Infosecurity Europe 2019 on 'Effective Steps to Reduce Third Party Risk,' Scott W. Coleman, director of product management at Owl Cyber Defense, said that the average number of connections to a facility is 583. “Most are legitimate, but how many are appropriate?” he asked.

He said that there are “vendors and companies and entities who need access to your plant, enterprise or base” and while many have a good reason to have access, you need to be sure that they are not presenting a risk that you don’t need.

Coleman recommended determining what you need to protect, which connectors and disaster recovery systems you need to protect, and which vendor service level agreements you need to maintain “but be subversive on what needs to have access.”

He encouraged companies to focus on the following when evaluating a third party: which products and services require access; which companies have a higher level of personnel turnover; and which have themselves been involved in breaches, “as a lot of the time, a company has a third party connecting,” so your exposure depends on their level of cybersecurity.

Looking at strategies for mitigation, Coleman asked how many people would know who those 583 connections belong to, what access they have, and whether they have a good handle on what those connections are doing. “Understand and measure what they are doing as it is hard to protect against them,” he said.

Next, he recommended assessing the value and the risk that each third-party connection brings, and applying resources to the highest risks and to the assets being touched. He said you should seek to reduce your footprint and the number of things you focus your resources on, and apply this posture to the things the third parties affect.

“The bottom line is segmenting and least privilege,” he said. “The biggest problem is coming in laterally and if you put in segmentation and proper privilege, prevent movement and what all have access to.”

He said that the final way to mitigate is to use a zero trust approach, and the problem is that “trust but verify” is hard to achieve in practice. “The problem is when you take your eye off it, you no longer have the trust factor.”

He concluded by pointing to the Department of Homeland Security’s strategies for mitigating risk for third parties. These are recommended as:

  • Reduce/eliminate connections in/out the network
  • Convert two-way connections to one-way out of the plant
  • Convert two-way connections to one-way into the plant
  • Secure remaining two-way connections

Categories: Cyber Risk News

#Infosec19: MITRE ATT&CK Framework Effective in Defending CNI

Thu, 06/06/2019 - 14:10

Speaking at Infosecurity Europe 2019, Andrew Habibi-Parker, director – professional services, EMEA & APJ at LogRhythm, explored security risks surrounding critical national infrastructure (CNI) and outlined why the MITRE ATT&CK Framework can be pivotal in defending and protecting critical infrastructures.

Habibi-Parker explained that there are some critical elements of national infrastructure such as assets, facilities, systems and networks which, in the event of a compromise, can be targeted by attackers to affect the integrity or delivery of essential services, resulting in significant impact on national security, national defense or the functioning of the state.

He said the “UK Government’s cyber strategy and NIS Directive is playing a key role in helping improve cybersecurity in UK CNI organizations” but added that the rapid emergence of new vulnerabilities and malicious actors’ smarter tactics make it “impossible to completely secure CNI networks and systems.” A focus on reducing detection and response times is therefore crucial, Habibi-Parker explained, and that’s where the MITRE ATT&CK Framework can be very effective.

That’s because MITRE ATT&CK “uses real world intelligence on the TTPs used by APT groups.” It’s a great way to validate and improve your detection, incident handling and continuous monitoring capabilities, Habibi-Parker said.

However, Habibi-Parker was quick to point out that MITRE ATT&CK is not “a replacement for cybersecurity best practices” nor is it a list of fully-achievable objectives. It may also not be the right choice for an organization that does not have a SOC, he added, and “implementing monitoring of endpoints and behavioral analytics is critical to success.”

Categories: Cyber Risk News

#Infosec19: Passwords Are Here to Stay, Warns Troy Hunt

Thu, 06/06/2019 - 13:29

Five years from today there will be more passwords in use than at present – despite their inherent security failings – according to HaveIBeenPwned founder Troy Hunt.

Presenting the Infosecurity Hall of Fame Annual Lecture on the last day of Infosecurity Europe today, Hunt sought to dispel some common misconceptions about cybersecurity.

HaveIBeenPwned started as a “fun project” back in 2013 and the free site now has over 7.8bn compromised accounts listed, which users can check to see if they have been breached.

Unfortunately, passwords are here to stay despite the emergence of solutions like multi-factor authentication which are far more secure, Hunt warned.

“They may be good technical solutions … but every single person in this room knows how to use a password, as bad as it is security wise,” he argued.

This usability will always trump security concerns, but organizations can and should make log-ins more robust by enhancing passwords with password managers and U2F keys, he added.

The dark web is often blamed for providing a platform for cyber-criminals to trade such credentials online, but the surface web is also a major offender, Hunt claimed.

He showed a screenshot of a single Twitter account which posted MEGA links to the notorious “Collection” combo lists, publicly exposing billions of unique emails and passwords, for example.

That’s not all: YouTube is awash with “hundreds” of how-to videos, detailing the simple steps budding cyber-criminals can take to launch SQLi attacks, credential stuffing and more, Hunt claimed.

Some of those he played on stage appeared to be voiced by teens, highlighting another misconception about cybercrime: that it tends to be the work of hardened, organized gangs.

One former law enforcer was quoted following the TalkTalk attack as suggesting it was the work of “Russian Islamic cyber jihadis,” for example. In reality, the breach, which cost the telco £77m, was mainly down to a 17-year-old boy.

“The damage [kids] can do is massive. So many children have access to this [hacking] information that anyone can use it without knowing the problems it can cause,” he argued. “We’ve got to do more to set kids back on the right path.”

The National Crime Agency’s Cyber Choices campaign highlights the scale of the problem, and the need to raise awareness among parents of what their kids may be up to.

Categories: Cyber Risk News

#Infosec19: “We Can Build Safe 5G Networks Irrespective of Supplier” – NCSC

Thu, 06/06/2019 - 13:19

Governments and industry need to “focus on fixes, not fear,” and work out how to build safer 5G networks rather than obsessing about national security concerns leveled at suppliers, according to the National Cyber Security Centre (NCSC).

NCSC boss, Ciaran Martin, told attendees on day three of Infosecurity Europe this morning that the next generation of network infrastructure can be architected in a way that mitigates risks posed by vendors.

Referring to a tabloid headline which claimed Huawei could theoretically turn off all the household appliances in UK smart homes if allowed to build 5G, he argued: “We don’t have to build 5G networks that way and I’d argue we shouldn’t.”

Martin added: “We have to get 5G network security right, and that is a much bigger issue than the national identity of suppliers.

“It would be a real shame if we allowed fear back into cybersecurity. People need to understand the risks, and we, as experts, need to understand and explain how network security can be [implemented] to give a satisfactory level of assurance.”

The UK government has worked hard over the past few years to move from a fear-based approach to cybersecurity to a pragmatic one, he claimed.

Part of the journey towards a more mature approach to cybersecurity means promoting pragmatic ways to tackle threats rather than glamorizing attacks.

“Cybersecurity is not something we should be scared of and not something we should scare people about,” argued Martin. “The first step is to understand that and the diversity of it and [not promote] cybersecurity as a big technical ball of risk that non-technical people can’t understand.”

To help in this, the NCSC has produced a “five questions for boards” document, so that business leaders are better equipped to discuss issues in-depth with CISOs.

“You don’t all have to be cyber experts, but you need to know how to talk to cyber experts,” Martin added.

Quick wins could be had from focusing on improving baseline security, he added, claiming that the notorious state-sponsored Cloudhopper attackers managed to infect some victims using a 19-year-old virus because they were running outdated systems and flat networks.

Martin concluded on a note of optimism, claiming that, unlike the start of the digital revolution 20 years ago, industry experts can see a lot of what’s coming down the road. By working “seriously, dispassionately and transparently,” progress can be made to eradicate structural vulnerabilities, he argued.

Categories: Cyber Risk News

#Infosec19: DNS Rebinding Attacks Could Hit Billions of IoT Devices

Thu, 06/06/2019 - 13:12

DNS rebinding attacks are a real threat that could hit the billions of internet of things (IoT) devices in people’s homes, according to Craig Young, principal security researcher at Tripwire.

Young was speaking in the Geek Street Theatre on day three of the Infosecurity Conference at London’s Kensington Olympia.

During the session, Young explained the impact of the threat – which turns a victim’s browser into a proxy for attacking private networks – within IoT. “Over the years, I have found countless vulnerabilities in IoT products,” he said.

This is partly because IoT often uses HTTP, which is vulnerable to DNS rebinding. In the future, the consequences could be significant: Rebinding also opens new doors for botnets, according to Young.

“The problem is, defenders seem to discount this as a real threat, but in the future, someone might want to create a botnet and there will be more hosts to target,” he said.

During his research, Young found devices including the Google Home smart speaker were vulnerable to DNS rebinding attacks. “I was able to ask the Google Home to give me IP addresses of nearby access points so I could tell where devices were,” he explained.

Another class of devices vulnerable to DNS rebinding is IoT units using the standards-based web services protocol SOAP. “You can use this to steal data, disable devices and brick them,” he said.

Young said vulnerable IoT devices included the Belkin Wemo smart outlet and the Sonos connected speaker – the latter of which allowed him to play false content and rename or reset the device.

In order to prevent DNS rebinding attacks, Young advises mitigation at the DNS layer, segmenting networks, using the NoScript extension for Firefox or “various adblockers.”

At the same time, Young said: “Devices and everything else should be using HTTPS – which is not affected by DNS rebinding. All apps need authentication: Even if it’s a home network, it should have some kind of credential mechanism.”
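As an added illustration of the DNS-layer mitigation Young mentions (this is example code, not Tripwire's or the speaker's), the following Python re-implements the rule a rebinding-aware resolver applies: answers for public names that point into private, loopback or link-local ranges are dropped before they reach the client, so the "flip" to the LAN address never takes effect. The local zone name `lan`, the address list and the sample responses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ranges a name on the public internet has no business resolving to. A resolver
# that strips these from upstream answers (what dnsmasq's --stop-dns-rebind
# option does; re-implemented here for illustration) removes the second half of
# a rebinding attack: the flip from the attacker's server to an address inside
# the victim's LAN, which is what lets the browser reach the IoT device.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

Answer = Tuple[str, int]  # (address, ttl) of one A or AAAA record


def is_internal(addr: str) -> bool:
    """True if addr lies in a loopback, link-local, private or CGNAT range."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 answer (::ffff:192.168.1.20) must be judged as the
    # IPv4 address it carries, or it slips past the IPv4 ranges above.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_RANGES)


def filter_answers(qname: str, answers: List[Answer],
                   local_zones: Tuple[str, ...] = ("lan",)) -> Tuple[List[Answer], List[str]]:
    """Apply the rebinding rule to one upstream response.

    Names under a configured local zone (constructed here as "lan") may resolve
    to internal addresses; any other name has its internal records removed.
    Returns the records that may be handed to the client and one log line per
    dropped record.
    """
    name = qname.lower().rstrip(".")
    if any(name == z or name.endswith("." + z) for z in local_zones):
        return list(answers), []
    kept, dropped = [], []
    for addr, ttl in answers:
        if is_internal(addr):
            dropped.append(f"rebind-filter: dropped {name} -> {addr} (ttl={ttl})")
        else:
            kept.append((addr, ttl))
    return kept, dropped


# Constructed sample traffic. The first three responses are what an attacker's
# authoritative server would serve for one name over time: first its own public
# host so the victim's browser loads the page, then (once the short TTL expires)
# the LAN address of the smart device, so the page's requests now reach the
# device while the browser still treats them as same-origin.
SAMPLE_RESPONSES = [
    ("rebind.attacker.example.", [("203.0.113.10", 5)]),
    ("rebind.attacker.example.", [("192.168.1.20", 5)]),
    ("rebind.attacker.example.", [("::ffff:192.168.1.20", 5)]),  # IPv4-mapped variant
    ("speaker.lan.", [("192.168.1.20", 3600)]),                   # legitimate local name
    ("www.example.com.", [("93.184.216.34", 300)]),               # ordinary public name
]


def run_filter(responses=SAMPLE_RESPONSES) -> Dict[str, object]:
    """Run every sample response through the filter and summarise the result."""
    kept_total, log = 0, []
    for qname, answers in responses:
        kept, dropped = filter_answers(qname, answers)
        kept_total += len(kept)
        log.extend(dropped)
    return {"kept": kept_total, "dropped": len(log), "log": log}


if __name__ == "__main__":
    for line in run_filter()["log"]:
        print(line)
```

The filter is only one layer: it does nothing for a browser that uses its own DNS-over-HTTPS resolver, which is why Young also asks for HTTPS and authentication on the device itself.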

Categories: Cyber Risk News

#Infosec19: Dark Web Sales Offer Network Access for $10,000

Thu, 06/06/2019 - 12:05

Access to FTSE 100 and Fortune 500 corporate networks has increased on the dark web.

According to research by Bromium and the University of Surrey, presented at Infosecurity Europe, four in ten dark net vendors are selling targeted hacking services aimed at FTSE 100 and Fortune 500 businesses, while there has been a 20% rise in the number of dark net listings in the last three years, specifically “with a direct potential to harm the enterprise.”

The most heavily targeted industries were identified as banking (34%), ecommerce (20%), healthcare (15%), and education (12%). Threats tailored to specific industries or organizations also outnumber off-the-shelf varieties by a ratio of 2:1.

“Almost every vendor offered us tailored versions of malware as a way of targeting specific companies or industries,” said Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey. “The more targeted the attack, the higher the cost, with prices rising even further when it involved high-value targets like banks. The most expensive piece of malware found was designed to target ATMs and retailed for approximately $1,500.”

Access to corporate networks is sold openly; 60% of vendors approached by researchers offered access to more than ten business networks each and 70% of dark net vendors engaged invited researchers to talk on encrypted messaging applications, like Telegram, to take conversations beyond the reach of law enforcement.

Speaking to Infosecurity, Bromium president and co-founder Ian Pratt said that dark web “stores” are often just a “shop window” to sell services, and most transactions usually take place over encrypted communication channels like Signal and Telegram.

“The dark web is not an index, but a bunch of sites separate from the regular web,” Pratt said. He also said that access to networks is commonly sold for around $10,000, but it is not too hard to determine what a company uses. “Also it is not even zero-days, it is bypassing detection-based systems,” he said.

Pratt also said that many cyber-criminals now have separate supply chains to provide language services and tailored malware for the attack. One example is the Emotet banking Trojan, which is often used as the dropper for the initial infection; command and control access is then sold on, the payload scrapes credentials, and the Trojan is re-used for cryptojacking.

Aside from access to financial services and e-commerce, healthcare information was targeted by 15% of actors. Pratt explained that commonly, the information is held for ransom and if the ransom is not paid, the details are released.

“The methods for providing access varied considerably,” Dr. McGuire explained. “Some involved stolen remote access credentials that are for sale for as little as $2, others involve backdoor access or the use of malware. Illicit remote access tools appear to be most popular – we were offered Remote Access Trojans at least five times more often than keyloggers.

“Enterprises, researchers, and law enforcement must continue to study the dark net to get a deeper understanding of the adversaries that we are dealing with, and better prepare ourselves for counteracting the effects of a growing cybercrime economy.”

Categories: Cyber Risk News

Tennessee Valley Authority Isn't Compliant with Federal Directives

Wed, 06/05/2019 - 17:41

The Tennessee Valley Authority (TVA) inspector general has reported that 115 TVA registered domains were found not meeting the Department of Homeland Security (DHS) standards for cybersecurity during an audit earlier this year. A memo published by the TVA Inspector General's Office on May 29, 2019, reported that internal auditors also found that encryption requirements were inadequate on 20 TVA websites. 

The review was part of an annual audit plan to ensure that the TVA was compliant with two federal directives that require website and email security controls. These controls had to comply with the Office of Management and Budget’s (OMB) memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, and DHS's binding operational directive (BOD) 18-01, Enhance Email and Web Security, regarding website and email security practices.

According to David Wheeler, the assistant inspector general for audits and evaluations, the TVA was found not to be compliant with OMB M-15-13 and DHS BOD 18-01. "In addition, we found that TVA's web site inventory was incomplete." These findings were formally communicated to TVA management on March 26, 2019.

The fieldwork for the audit was carried out from November 2018 to March 2019. The team obtained and reviewed TVA's website inventory from the TVA's cybersecurity personnel and compared it to the population of identified publicly accessible websites, according to the memo from Wheeler. Internet domain listings were also collected. These were then scanned using tools to determine compliance with OMB M-15-13 and DHS BOD 18-01 requirements. Out of 116 domains, 115 did not meet requirements, with encryption requirements inadequate on 20 out of 55 TVA websites.

This left TVA emails and websites open to attacks, such as phishing. Research by IRONSCALES found that secure email gateways (SEG) failed to stop 99.5% of all nontrivial email spoofing attacks. A two-year analysis of more than 100,000 verified email spoofing attacks found that the most common spoofing techniques included sender name impersonations and domain look-alike attacks, bypassing SEG technology on a regular basis.

In his memo, Wheeler recommended that email security policies for domains needed to be updated to meet requirements, reviewing them on a periodic basis for compliance. He also wrote: "Update websites that were not compliant with OMB M-15-13 and DHS BOD-18-01 requirements, and review on a periodic basis for compliance" as well as review website inventory.
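As an added example (not part of the audit memo or of any TVA tooling), the following Python evaluates an inventory of domains against the web and email controls the two directives call for: HTTPS-only with HSTS and no SSLv2/SSLv3/3DES/RC4 on the web side, and SPF plus a DMARC record with p=reject on the email side. The inventory values are constructed, and the one-year HSTS max-age threshold is the example's own assumption rather than a figure from the directives.

```python
import re
from typing import Dict, List

# Controls checked, taken from the two directives the audit measured against:
#   web  (OMB M-15-13, BOD 18-01): HTTPS-only service with HSTS; SSLv2, SSLv3,
#        3DES and RC4 disabled.
#   mail (BOD 18-01): a valid SPF record and a DMARC record with p=reject.
# The one-year HSTS max-age threshold is this check's own assumption (the
# minimum the browser preload list accepts), not a figure from the directives.
ONE_YEAR = 31536000
WEAK_PROTOCOLS = {"sslv2", "sslv3"}
WEAK_CIPHER_MARKERS = ("3des", "des-cbc3", "rc4")


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k2=v2' (the shape of both DMARC records and HSTS headers)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags


def check_web(facts: Dict) -> List[str]:
    findings = []
    if not facts.get("https_only"):
        findings.append("web: plain HTTP still served (M-15-13 requires HTTPS-only)")
    hsts = facts.get("hsts")
    if not hsts:
        findings.append("web: no Strict-Transport-Security header (BOD 18-01 requires HSTS)")
    else:
        max_age = parse_tags(hsts).get("max-age", "")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append(f"web: HSTS max-age={max_age or 'missing'} is below one year")
    for item in facts.get("protocols", []) + facts.get("ciphers", []):
        low = item.lower()
        if low in WEAK_PROTOCOLS or any(m in low for m in WEAK_CIPHER_MARKERS):
            findings.append(f"web: {item} enabled (BOD 18-01 requires it disabled)")
    return findings


def check_mail(facts: Dict) -> List[str]:
    findings = []
    spf = facts.get("spf") or ""
    if not spf.lower().startswith("v=spf1"):
        findings.append("mail: no valid SPF record")
    else:
        # The trailing 'all' mechanism decides the fate of unlisted senders; only
        # fail (-all) or softfail (~all) gives receivers a usable signal.
        m = re.search(r"(?:^|\s)([-~?+]?)all\s*$", spf.lower())
        if not m or m.group(1) in ("", "+", "?"):
            findings.append("mail: SPF does not end in -all or ~all, so unlisted senders pass")
    tags = parse_tags(facts.get("dmarc") or "")
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("mail: no valid DMARC record (v=DMARC1 missing)")
        return findings
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"mail: DMARC p={policy or 'missing'} (BOD 18-01 requires p=reject)")
    # sp= overrides the policy for subdomains; when absent they inherit p=.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"mail: DMARC subdomain policy sp={tags['sp']} is weaker than reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"mail: DMARC pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def assess_inventory(inventory: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Findings per domain; an empty list means the domain passes every check."""
    return {d: check_web(f) + check_mail(f) for d, f in inventory.items()}


# Constructed inventory standing in for the scan results an auditor would gather
# (redirect behaviour, response headers, enabled protocols/ciphers, TXT records).
SAMPLE_INVENTORY = {
    "good.example": {
        "https_only": True, "hsts": "max-age=31536000; includeSubDomains; preload",
        "protocols": ["TLSv1.2", "TLSv1.3"], "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"],
        "spf": "v=spf1 include:_spf.good.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    },
    "partial.example": {
        "https_only": True, "hsts": "max-age=300", "protocols": ["TLSv1.2"],
        "spf": "v=spf1 ip4:198.51.100.0/24 ~all",
        "dmarc": "v=DMARC1; p=reject; sp=none; pct=50",
    },
    "weak.example": {
        "https_only": False, "hsts": None,
        "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"], "ciphers": ["RC4-SHA", "AES128-SHA"],
        "spf": "v=spf1 include:_spf.weak.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
}

if __name__ == "__main__":
    for domain, findings in assess_inventory(SAMPLE_INVENTORY).items():
        print(domain, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```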

TVA management agreed with the audit findings and recommendations in this report, according to the memo. 

Categories: Cyber Risk News

UK Hasn't Made Sufficient Progress in National Security Strategy

Wed, 06/05/2019 - 17:31

The Public Accounts Committee, a Commons Select Committee (CSC), has found that the UK government has not made sufficient progress on developing long-term objectives for the National Security Strategy.

According to the announcement made today, a weak evidence base and a lack of a business case for the National Cyber Security Programme made it difficult for the Cabinet Office to assess whether it will meet all its objectives by 2021.

The National Cyber Security Centre (NCSC) has dealt with over 1100 cybersecurity incidents since it was established in October 2016. CSC chair Meg Hillier says that the UK will need to protect itself against risks created by more and more services going online, but there is concern that consumers do not know how well they are protected: "We welcome the National Cyber Security Strategy but are concerned that the program designed to deliver it is insufficient," she explained. 

"As it currently stands, the strategy is not supported by the robust evidence the department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy nor the program were grounded in business cases – despite being allocated £1.9bn funding.

"Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy."

Since 2011, the Cabinet Office has managed two five-year national cybersecurity strategies. According to the report, it is beginning to make progress in meeting the strategic outcomes of the current one, the 2016–2021 National Cyber Security Strategy, after a poor start.

But the report has also found that as well as a weak evidence base, it is also unclear whether the money allocated at the start of the program was the right amount, making it more difficult to judge value for money. 

A third (£169m) of the program’s planned funding for the first two years was either transferred or loaned to support other government national security priorities, such as counterterrorism activities, according to the Public Accounts Committee. Some £69m of this funding will not be returned to the program, which seems at odds with the government’s claim that cybersecurity is a priority.

The recommendations made include the Cabinet Office ensuring another long-term coordinated approach to cybersecurity is put in place in advance of the current one, which finishes in March 2021. Further, it has suggested that a business case should be produced. 

The CSC has asked the Cabinet Office to write to it by November 2019, setting out what progress it is making in using evidence-based decisions in prioritizing cybersecurity work. This includes plans for undertaking a robust "lessons learned" exercise.

It is also expected that the Cabinet Office will publish its costed plan for the strategy in autumn 2019. 

Categories: Cyber Risk News

SentinelOne Secures $120 Million Series D Funding

Wed, 06/05/2019 - 17:09

SentinelOne has raised $120 million in Series D funding, bringing its total funding to over $230 million. 

According to the press release, the funding will be used to accelerate the company's "rapid displacement of legacy and next-gen competitors" in endpoint, cloud and internet of things (IoT) protection. It is led by Insight Partners, with participation from Samsung Venture Investment Corp., NextEquity and previous investors, including Third Point Ventures, Redpoint Ventures, Granite Hill and Data Collective (DCVC), among others. 

The company's patented behavioral artificial intelligence (AI) provides real-time prevention and ActiveEDR at the edge and in the cloud. It does this through a cloud-native platform with no reliance on connectivity or updates.

“We’ve built a team and technology to disrupt and broaden the endpoint space: as the network perimeter is drastically changing, so does the notion of the endpoint,” said Tomer Weingarten, CEO and co-founder of SentinelOne. “Endpoints are everywhere today, from classic laptops and desktops to workloads in the cloud and the data center and all IoT devices – the network edge is the real perimeter. 

"We were the first to unify EPP [endpoint protection platform] and EDR [endpoint detection and response] – prevention, detection, response and hunting – in a single autonomous agent; we were the first to stand behind our product with a cyber warranty; now we are the first to take AI-based device protection to the edge, covering IoT endpoints and workloads in the cloud."

SentinelOne said in its press release that it is the fastest-growing endpoint security company on the market, achieving 217% year-over-year (YoY) growth in annual recurring revenue and 140% YoY growth in Fortune 500 bookings. Teddie Wardi, managing director at Insight Partners, said that endpoint security is at a "fascinating point of maturity...Attack methods grow more advanced by the day and customers demand innovative, autonomous technology to stay one step ahead."

"We recognize SentinelOne’s strong leadership team and vision to be unique in the market," he continued, "as evidenced through the company’s explosive growth and highly differentiated business model from its peer cybersecurity companies.”

“As an investor, SentinelOne’s combination of best-in-class EPP and EDR functionality is a magnet for engagement, but it’s the company’s ability to foresee the future of the endpoint market that attracted us as a technology partner,” said a representative from Samsung. “Extending tech stacks beyond EPP and EDR to include IoT is the clear next step, and we look forward to collaborating with SentinelOne on its groundbreaking work in this area.”

Categories: Cyber Risk News

#Infosec19: Identify and Protect your Very Attacked People

Wed, 06/05/2019 - 13:32

Identify and protect your “very attacked people” (VAP) as attackers look for high-value targets.

Speaking at Infosecurity Europe in London, Paul Down, senior director at Proofpoint, said that when attackers looked to get information or money a year ago, they would run a mass email campaign using automated bots. This year they are not: instead of emailing “info@” addresses, campaigns are now better researched and targeted.

Down said that VAPs are typically “high value executives” such as the CEO, who do not have high levels of account privilege but do have access to financial information. Meanwhile, a “high access user” has sign-off on accounts and information, and is a target for value or information for the attacker.

The top 20 email addresses for a VAP are typically led by a PR manager, as they are very public and listed on every website. “They go for PR@, or accounts@, or sales@ as they have a wide distribution list, and we typically see a 40% click rate on threats delivered to untrained people, so why not do mass email to info@ as many will see it,” he said.

Down said that the CEO is “a lot less targeted” but is more likely to be sent a business email compromise email or a banking Trojan. “The attackers are not looking to compromise the endpoint or perimeter, but target a person,” he said.

Pointing to Proofpoint's State of Phish research, Down said that 30-40% of respondents knew what phishing is, and that people aged 22-37 (millennials) are more likely to click.

Research also showed that people in commercial positions (19%) are more likely to fail at detecting a phishing email, followed by purchasing (14%), communication (13%) and sales (13%).

Down concluded by saying that a focus on “people-centric risk reduction” will enable you to determine your level of risk in the organization and identify your VAPs and high-risk people.

“Think on changing behavior and risks,” he said, explaining that simulated phishing exercises can be sourced for free, and that if a user fails, you should reply with an exercise that states “you shouldn’t click that, it was a simulated phish, we will send you some training now,” as they will not remember the email the following week.

“Once an employee is phished and trained, they become the last line of defense and the best format to report phishes that do come through.”

Categories: Cyber Risk News

#Infosec19: Complex Legacy IT Problems Can't Be Solved with Simple Solutions

Wed, 06/05/2019 - 13:00

“Complex problems cannot be solved with simple solutions.” These were the words of Bobby Ford, VP & Global CISO at Unilever, speaking at Infosecurity Europe 2019.

Ford said that the complex challenge of the security risks posed by legacy systems exists in all industries.

He added that a big part of the problem is that we cannot simply decommission legacy IT systems because they support “some critical business processes, and because of that, we can’t just get rid of them.”

“Our systems are ageing and our ability to replace them is slowing down. As these systems age, the threat increases for them. We can’t update the systems fast enough to stay in front of the threat.”

If you look back at some of the biggest recent cyber-attacks, Ford continued, you will see that legacy systems were at the heart of most of them.

“It’s a complex problem and it’s not going away anytime soon,” he said. “These legacy IT systems equate to business risk, and it’s important that we understand that when we are talking about patching we are talking about business risk. Business risk isn’t a system going down; business risk is an inability to ship a product, business risk is saying ‘I can’t manufacture goods,’ business risk is being unable to invoice a customer.”

So when we talk about dealing with the risk of legacy IT systems, it’s important we do so in business risk language, Ford said, and solving the problem comes down to having “engaging conversations with our business partners to understand our most critical business systems.

“We can’t define what’s most critical, only the business can define what’s most critical.”

To conclude, Ford explained that the key to succeeding in dealing with the risks surrounding legacy systems is prioritization. “I’ve said this my entire career; if we are going to be successful as professional security risk managers, we have to be able to prioritize. We cannot do everything and we can’t secure all systems. We have to work with the business to identify the most critical systems, and then try to secure them.”

Categories: Cyber Risk News

#Infosec19: Former Lloyd’s CEO Says Collaboration is Key to Future of Cyber Insurance

Wed, 06/05/2019 - 12:55

Insurers must collaborate more closely with each other and technology firms to improve their understanding of cyber risk and better serve their customers, the former CEO of Lloyd’s of London has argued.

Speaking at Infosecurity Europe today, Inga Beale explained that cybersecurity-related risk is one of the biggest rising risks facing global businesses, but also the one they arguably know least about.

“We’re trying as a sector to start collaborating together, with governments and with technology pioneers to gather data on all the incidents out there … to understand the scenarios in order to get pricing right,” she explained. “Insurance can be a wonderful way to mitigate risk.”

Lloyd’s is leading the way on this front, by hiring cybersecurity experts of its own to analyze anonymized data to uncover insights. It now accounts for around a quarter of global cyber insurance sold today, Beale claimed.

The data itself needs to cover a broad sweep of areas, not just technical information but also things like staff training, which is a “big factor” insurers take into account when drawing up premiums, she continued.

More generally, Beale bemoaned a persistent communications challenge between CISOs and board members. Although boardroom complacency about the cyber threat has largely disappeared, she argued, “most of the time we don’t understand what’s being said.”

This can lead to board members asking the wrong questions because they “don’t want to appear dumb” and security leaders answering questions that haven’t been asked, Beale added.

“We need a feeling of trust and safety that it’s genuinely OK to have a conversation about what the board members don’t understand and what the experts think are the biggest risks,” she said. “Because board members hate it if risk isn’t under control.”

A tactic employed by Lloyd’s to tackle this challenge is to have one or two tech experts on the board, although diversity in terms of members’ backgrounds is also important, Beale argued. Similarly, CISOs should help by dropping the technical talk and engaging on a personal level.

“Just having a list of metrics or dashboards is probably not the most helpful to a board,” she added.

“It’s curiosity, conversations and exploring everything, and never being happy with the status quo [that’s most important]. You need the intervention of the human mind.”

Categories: Cyber Risk News

#Infosec19: Security Must Support Digital Transformation & Enable the Business

Wed, 06/05/2019 - 12:32

At Infosecurity Europe 2019 Ewa Pilat, global CISO at Jaguar Land Rover, explored how the security function can and must support and enable the business through a process of digital transformation.

Pilat explained that digital transformation can mean different things to different organizations, but that as security professionals, “we need to understand it properly in order to provide support in digital transformation.”

Pilat added that the key to doing that is learning lessons from existing examples, pointing to the “older brother” of traditional IT. “Traditional IT, as we know, exists in many different organizations. We must make sure we provide security in a simple way, without complex policies – we should provide innovation because this is something that we can motivate businesses with.”

She said the industry should not work in silos and should not treat security as a separate part of the business. Referring to collaboration, she added: “We must put more effort into educating our business so as to make our colleagues feel more responsible for security and to involve them in the security topics we are covering.”

To conclude, Pilat highlighted six key pieces of advice for security functions looking to support their organization through a process of digital transformation. These were:

  • Recognize scale and complexity
  • Ensure top management support
  • Embed security in the creation of ideas
  • Educate and make the business understand security implications
  • Demonstrate the value added to the business
  • Do not allow creation of shadow security

Categories: Cyber Risk News

#Infosec19: Smart Home Ads Could Threaten Democracy

Wed, 06/05/2019 - 12:19

The emergence of the smart home is set to usher in a new era of highly targeted, personalized political advertising which could undermine faith in democracy if left unchecked, a leading commentator has warned.

Speaking on the second day of Infosecurity Europe this morning, bestselling author Jamie Bartlett argued that many key challenges facing society stem from the incompatibility of established “rules, regulations, systems, norms and behaviors” with digital progress.

“Whether it’s Russian bots, untraceable cryptocurrency or election manipulation, many of the problems are due to the fact the old rules don’t work anymore,” he said.

The Cambridge Analytica scandal offers a glimpse into the future of elections, where small groups of swing voters are profiled and micro-targeted by personalized ads. In this way, elections will increasingly be fought in private, removing legitimacy and allowing the losers to question the results, Bartlett warned.

“Elections become an art of data science and subtle nudges … the risk is that people stop trusting in elections,” he added. “I guarantee that had the Clinton side won [the US Presidential election], the Trump team would have said the same thing … ‘you cheated’.”

Unfortunately, the “connections craze” typified by the proliferation of smart home devices will only accelerate the challenges facing election regulators, as devices become part of the “matrix” that works to target individuals with political messaging.

Bartlett claimed data science companies could crunch information generated by smart home devices like fridges, allowing them to more accurately profile users for targeting.

For example, they could predict when a voter usually eats dinner, and therefore is likely to be most hungry/irritable – potentially making them more susceptible to messages from politicians with robust opinions on crime or immigration, he suggested.

“The question becomes how can you effectively run an election people trust when [voters are faced with] dynamic content coming through the smart fridge?” said Bartlett. “The problem is that the [election] regulators can’t monitor what people are sharing, what ads they’re seeing.”

The answer is “not beyond the wit of man,” but will require the creation of “clever software” to publicize all the targeted ads currently viewed privately by individual voters, so they can be analyzed and scrutinized, he concluded.

Bartlett also argued that cybercrime will become increasingly automated in the future as tools like AutoSploit allow hackers to launch indiscriminate attacks against businesses of all sizes.

“This means that any vulnerability will be found and exploited in the future,” he warned. “This is why your job is so critical. The closer technology gets to people’s lives, the more it matters to them that it’s secure.”

Categories: Cyber Risk News