
  Alien Vault - How Malware Sandboxes and SIEMs Work in Tandem to Effectively Detect Malware
Rohan Viegas of VMRay explains some of the key factors IT security teams should consider when evaluating a malware analysis sandbox and whether it’s a good fit for their existing SIEM environment. He then outlines how VMRay Analyzer complements and enhances the capabilities of AlienVault’s flagship platform, USM Anywhere.

For IT security organizations, malware threats and attacks continue to play a prominent role in the threat landscape. According to Verizon’s 2018 Data Breach Investigations Report:

- Of the 2,216 data breaches that were studied by participating security vendors, 30% involved malware.
- Six types of malware (ransomware, C2, RAM scraper, backdoor, etc.) were among the top 20 varieties of action used in the data breaches covered in the study.
- Ransomware, used primarily to commit financial crimes, is now involved in more than 40% of malware attacks.
- Malware attacks can be completed in minutes. However, due primarily to poor detection, an intrusion may not be discovered for weeks or months, potentially causing damage all the while.

“Full-featured SIEM, Looking for the Right Malware Sandbox”

When selecting an automated malware analysis sandbox to address these challenges, IT security teams should not only compare the side-by-side capabilities of different vendor products. They should also weigh how a particular sandbox will interact with their existing SIEM platform and the extent to which a product’s strengths (or its weaknesses) are utilized across the managed security ecosystem. Below are some key points to consider.

The sandbox’s detection efficacy. Malware today is designed to recognize when it is running inside an analysis environment and to stall or exit in the sandbox, thereby evading detection altogether or inhibiting the analysis by not fully revealing its behavior. This leaves blind spots in the analysis results, which can then be carried over to the SIEM. A key quality to look for in a sandbox is its ability to reliably conceal itself from the samples being analyzed so the malware can fully execute, giving you comprehensive visibility into the threat.

The quality of Threat Intelligence that can be shared. Another consideration is what types of threat information can be ingested by your SIEM and made available across your security environment. Important IOCs include severity scores, suspicious behaviors, network activity, dropped files, etc. You also need to consider how complete that information is. Full visibility into malware behavior is essential for generating quality threat intelligence. For instance, if you discover a malicious file, the analysis results should detail all the places it tried to reach out to, all the bad files it tried to create, and all the registry keys it tried to touch or modify.

How the Threat Intelligence can be used once your analysis results are handed off to your SIEM. Can the data be easily monitored? Correlated with other data sources? What actions can you take with this information? To build on the prior example, if your sandbox identifies a new malicious file that has reached out to an unfamiliar and presumably bad IP address, can you search your entire infrastructure for systems that have also accessed that address?

Rising to the Challenge

For organizations that have USM Anywhere or another comprehensive SIEM platform in place, adding VMRay Analyzer to the managed security environment addresses these core challenges, strengthening the ability to detect and respond to malware threats, attacks and vulnerabilities more quickly and effectively.

Unlike traditional malware sandbox solutions, VMRay Analyzer runs solely in the hypervisor layer and does not modify a single bit in the analysis environment. The sandbox remains completely invisible to the malware sample and can transparently monitor all aspects of the malware’s behavior, without triggering the evasion techniques that thwart detection and analysis in other sandboxes. In turn, analysis results provide complete and detailed visibility.

VMRay Analyzer’s Intelligent Monitoring engine, for example, works much like an auto-zoom lens on a camera, adjusting to find the optimal level of monitoring. This allows analysts to distinguish between legitimate operations performed by the OS and trusted applications and unusual or malicious activities performed by the monitored sample. The result is that security teams don’t miss any critical information, while the results delivered are precise and noise-free, with minimal false positives.

Once VMRay malware analysis results are ingested by the SIEM, using VMRay’s REST API interface, that information gains wider use and greater value. It can be monitored, searched, correlated with other data sources, and shared with security devices, such as firewalls and endpoint protection systems. It can also be investigated and acted upon. In addition, VMRay has an out-of-the-box SIEM integration that publishes analysis alerts in Syslog/CEF format. These customizable syslog messages are generated when critical events occur.

Here are some of the ways VMRay Analyzer makes SIEM environments, such as USM Anywhere, more efficient, useful and comprehensive:

- Ensures timely analysis and detection of zero-day and polymorphic threats—as well as known threats—and translates that information into actionable intelligence.
- Automatically propagates analysis results (including sample details, severity scores, IOCs, network activity and YARA rule matches) to the SIEM’s centralized environment.
- Improves the productivity and effectiveness of analysts and incident responders by providing all the information they need, and only the information they need, to analyze and respond to malware threats, vulnerabilities and attacks.
- Eliminates the productivity-killing noise and false positives that many sandboxes generate, while also ensuring irrelevant information is not pumped into the SIEM environment.
- Continually adds to the malware-related threat intelligence that is made available to the SIEM.

Sandboxes and SIEMs work in tandem to effectively detect malware or respond to a security breach. Choosing an evasion-resistant sandbox that generates precise, actionable Threat Intelligence ensures that you will have a good fit with your existing SIEM environment.
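The Syslog/CEF hand-off and the "which other systems reached that IP?" pivot described above, as an added Python example that is not from the post or from VMRay: it parses a constructed CEF alert (vendor, product and field values are placeholders, not VMRay's real alert schema), extracts the network IOC, and checks constructed proxy log lines for other hosts that contacted the same address.

```python
"""Ingest a sandbox alert in Syslog/CEF format and pivot from its network
IOC to other hosts seen in proxy logs. The CEF message and the log lines
below are constructed for this example; only the CEF layout and the
extension key names (dst, dpt, fileHash, request, msg, cs1) are standard."""
import re
from typing import Dict, List, Tuple

# Constructed syslog line carrying a CEF alert (placeholder vendor/product).
SAMPLE_CEF = (
    "<134>Dec 27 10:00:01 sandbox01 "
    "CEF:0|ExampleSandbox|Analyzer|1.0|100|Malicious sample analyzed|9|"
    "fileHash=d41d8cd98f00b204e9800998ecf8427e dst=198.51.100.23 dpt=443 "
    "request=https://198.51.100.23/update.php "
    "msg=Dropped C:\\\\Users\\\\Public\\\\x.exe and set run key "
    "cs1Label=verdict cs1=malicious"
)

# Constructed key=value proxy log lines from the same environment.
SAMPLE_PROXY_LOG = [
    "2018-12-27T10:01:02Z host=ws-042 dst=198.51.100.23 dport=443 bytes=1822",
    "2018-12-27T10:01:09Z host=ws-007 dst=203.0.113.5 dport=443 bytes=910",
    "2018-12-27T10:03:44Z host=ws-117 dst=198.51.100.23 dport=443 bytes=2210",
    "2018-12-27T10:05:00Z host=ws-042 dst=198.51.100.23 dport=443 bytes=1822",
]


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the 7 pipe-delimited CEF header fields, honouring '\\|' and
    '\\\\' escapes, and return (fields, remaining extension string)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # escaped character
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, cef[i:]


# A new key starts after a space that is followed by "name=".
_KEY_BOUNDARY = re.compile(r" (?=[A-Za-z0-9_.]+=)")
_ESCAPE = re.compile(r"\\(.)")


def _unescape(value: str) -> str:
    """Decode CEF extension escapes: \\= \\\\ \\n \\r."""
    return _ESCAPE.sub(
        lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for token in _KEY_BOUNDARY.split(ext.strip()):
        key, _, value = token.partition("=")
        out[key] = _unescape(value.strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse a syslog line containing a CEF payload into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in syslog line")
    header, ext = _split_header(line[start:])
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    return {
        "cef_version": header[0][4:], "vendor": header[1], "product": header[2],
        "device_version": header[3], "signature_id": header[4],
        "name": header[5], "severity": int(header[6]),
        "ext": _parse_extension(ext),
    }


def is_critical(alert: Dict[str, object], min_severity: int = 7) -> bool:
    """Gate forwarding on the CEF severity (0-10)."""
    return int(alert["severity"]) >= min_severity


def extract_iocs(alert: Dict[str, object]) -> Dict[str, List[str]]:
    """Pull network and file indicators out of the standard extension keys."""
    ext: Dict[str, str] = alert["ext"]  # type: ignore[assignment]
    return {
        "ips": sorted({ext[k] for k in ("src", "dst") if k in ext}),
        "hashes": sorted({ext["fileHash"].lower()} if "fileHash" in ext else set()),
        "urls": sorted({ext["request"]} if "request" in ext else set()),
    }


_LOG_DST = re.compile(r"\bhost=(\S+).*?\bdst=(\S+)")


def hosts_that_contacted(ioc_ips: List[str], log_lines: List[str]) -> Dict[str, List[str]]:
    """Return {ioc_ip: sorted unique hosts} for log lines whose destination
    matches an IP the sandbox reported."""
    wanted = set(ioc_ips)
    hits: Dict[str, set] = {}
    for line in log_lines:
        m = _LOG_DST.search(line)
        if m and m.group(2) in wanted:
            hits.setdefault(m.group(2), set()).add(m.group(1))
    return {ip: sorted(hosts) for ip, hosts in hits.items()}


if __name__ == "__main__":
    alert = parse_cef(SAMPLE_CEF)
    if is_critical(alert):
        print(hosts_that_contacted(extract_iocs(alert)["ips"], SAMPLE_PROXY_LOG))
```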

On 2018-12-27


  Alien Vault - The Dangers of Free VPNs
If you use a free VPN, then you have to wonder how your provider earns money to cover their own costs. The answer often involves advertising, but it can also be through far more sinister means. Running a VPN service costs a significant amount of money. There are setup costs, infrastructure costs, labor and other running costs. The companies behind these services generally want to make a profit as well.

Why are free VPNs a problem?

It really depends on your use case, but in general, VPNs are used to enhance both the online privacy and security of those who use one. Privacy and security tend to involve trust, which becomes especially important when we consider VPNs. To understand this properly, we have to take a step back and examine how VPNs protect their users.

The most common analogy is that a VPN provides an encrypted tunnel between the VPN client on a user’s device and the VPN server. This tunnel essentially means that no other party can see the connections and data you are transferring between your device and the exit server. Your ISP, the government and other snoopers will be able to see that you are sending encrypted data through a VPN, but they won’t be able to see what it is. If someone is examining the traffic between the exit server and the website you are visiting, they will be able to see that someone from the VPN’s server is connecting to the site, but they won’t know where the connection originates from.

In this way, a VPN’s encrypted tunnel protects users and their information from outside parties like hackers and governments, and also allows users to get around geo-restrictions by making it seem like their connection is coming from another place. The point is that the VPN provider is the one that keeps you safe by letting you use their encrypted tunnel. Since all of your data goes through the provider, you need to find one that you can trust. If you can’t trust your provider, how can you know that your data is being kept secure and private?

What can a VPN provider see?

Technically, VPN providers have the capacity to see everything you do while connected. If it really wanted to, a VPN company could see what videos you watched, read emails you send, or monitor your search history. Thankfully, reputable providers don’t do this. A good provider shouldn’t take any logs of your activity, which means that although they could theoretically access your data, they discard it instead. These “no-log” companies don’t keep copies of your data, so even if they get subpoenaed by a government agency, they have no data that they can hand over.

VPN providers may take different types of logs, so you need to be careful when reading the fine print of any potential provider. These logs can include your traffic, DNS requests, timestamps, bandwidth and IP address. It will depend on your use case, but if you want your VPN to provide the highest level of privacy, then you will want to choose one that records no logs at all.

How do you know if a VPN provider keeps logs?

Most VPN providers will state on their websites whether or not they take logs, and if so, what kind. If the privacy policy doesn’t state the logging policy, or they make their logging process unclear, it’s best to assume the worst. No-log policies can be a huge selling point of many VPNs, so if a company doesn’t make their practice clear, it’s best to assume that they do keep logs in some form.

How can you trust a VPN provider’s claims?

At the end of the day, you can never really be 100 percent sure. The closest we can get is if a VPN provider was served a warrant or subpoena and was unable to give any data because they simply don’t have it. Even so, a provider may change their practices after the court order has been carried out. While this may seem disheartening, the reality is that we don’t really need 100 percent confidence. For most situations, 99.99 percent is more than enough. You just need to find a VPN provider that you can trust enough for the activities that you intend to conduct over their service.

There are a range of things that you will need to consider when evaluating whether a VPN provider is trustworthy enough for your intended uses. First, you will want to see that their website looks reputable. If everything checks out, you will want to go through their privacy policy and legal statements to ensure that everything is legitimate. Then you will want to do some background research to see if the company has been involved in any dodgy practices, and whether its users are generally happy with the service. NordVPN recently became the first provider to undergo a voluntary third-party audit of its zero-logs policy. Other providers like ExpressVPN have had their servers seized by police, but the servers contained no information of use thanks to no-logs policies.

If you do a thorough search and it doesn’t bring up any red flags, then you can probably trust the VPN provider’s claims. This is because most established providers aren’t willing to sacrifice their long-term revenue by doing something unscrupulous. They have a vested interest in keeping their users around and attracting more in the future, because keeping the business reputable will be worth more in the long run.

Can you trust free VPNs?

Paid VPNs can be dodgy, but free VPNs are even more of a minefield. From loading malware onto your computer to selling your data to third parties, there are countless dangers. This list narrows some of the offerings down a bit, but there are still many complications to consider. When it comes to free VPNs, the relationship between the provider and the user is different to that of a paid VPN. The user isn’t paying the provider any money, so the provider doesn’t have to do much to keep the user happy. How bad a service will be tends to depend on the VPN provider’s business model:

Advertising

Some free VPN companies make their money through advertising. This can range from showing banner ads to users, such as Psiphon, to those like Hotspot Shield, which the Center for Democracy and Technology alleged tracks users and hijacks web requests. Many free VPNs insert advertisements into your web browser, and these ads can place tracking cookies on your device to monitor your browsing. If a VPN provider places ads in their app, it’s far from ideal, but it’s also hard to criticize a service for trying to monetize itself in some way. If a provider is actively tracking its users, this spells much bigger problems, particularly for those with privacy and security concerns. Although Hotspot Shield claims that it doesn’t collect “information that allows us to trace Internet usage on Hotspot Shield back to individual users”, VPN users are better off avoiding services that track them.

Malware distribution

Some free applications may look like they are offering an excellent service, when they are actually an underhanded way for hackers to install malware. It can be hard to know for sure whether an app does this, so it’s always best to be prudent when downloading software. In an academic study, numerous VPNs were run through a host of different virus scanners. Some free VPN apps such as Betternet and OKVPN tested positive for malicious activity in many of these tests. Those looking for a new VPN should err on the safe side and stay away from any free VPN that looks like it might be used to infect their devices.

Botnets

One of the most alarming VPN controversies of the last few years was when the popular service Hola was taken advantage of to form a botnet. Due to how the service operates, the bandwidth of Hola users was leveraged in an attack on 8chan. Obviously, no one wants their devices to be part of a botnet that attacks other individuals or organizations. This is just another instance showing how users need to be careful when dealing with free VPNs.

As a free offering to attract users to a premium VPN service

Some VPN providers offer a free service as a way to draw new users toward their paid services. These vary in quality, but they can often be more legitimate than the free VPNs that rely on other business models. Free tier services like Hide.me and Windscribe aren’t necessarily bad, but they are much more limited than paid VPNs.

Research

VPN Gate is operated by the University of Tsukuba using volunteer resources. The university runs it as an experiment, but anyone can use it or operate a node to contribute to the network. As an experiment, its service is pretty restricted, but it’s also less likely that a university would be using the network for any illicit activity.

If a VPN’s free, it’s probably not fast

Trust issues aren’t the only problems that come with free VPNs. They also tend to be slow and have other service limitations. It’s an old cliché, but with VPNs, you really get what you pay for. On free plans, the providers are hardly rolling out the red carpet, so users will have to put up with subpar service. Free VPNs often have fewer servers, which can force users to connect to those in less-than-ideal locations. This can make the speed much slower. In addition, some free VPN servers have heavy congestion, which can make connections stall to a near standstill. Other providers may force free users to wait in queues so that they don’t clog up the network. A lot of VPNs also have bandwidth limits that restrict the speeds that free users can access. Many have data caps as well, which tend to be between 512MB and 2GB. This amount of data won’t get most people too far. A few hours of heavy browsing could easily eat up the cap, and watching videos will drain it much faster.

What can you use free VPNs for?

Now that you understand a little bit about how free VPNs work and their various business models, we can talk about their limitations. As we have just discussed, free VPNs tend to operate in ways that really restrict their use. These range from those that simply can’t be trusted and should be avoided at all costs, to those which have very low data caps or bandwidth limits. If you absolutely require privacy and performance, you will need to go with a paid provider that is well-regarded. In saying that, there can be circumstances where a free VPN will help you without putting you in serious danger. These include if you need to spoof your location temporarily, or if you need to get around internet restrictions. Again, you need to make sure that you aren’t engaging in risky or illegal behavior if you are using a free VPN. Most of them are simply far too unreliable. If you are going to use a free VPN, please make sure that you do your research and find a reliable provider that suits your needs. Using an untrustworthy provider can give you far more trouble than accessing the internet without one.

What shouldn’t you use free VPNs for?

In an ideal world, you wouldn’t use a free VPN at all, because the services are far too limited. Despite this, there are a lot of people who simply don’t have the money or don’t want to pay a few dollars each month for a reliable service. Anyone who does use a free VPN needs to be aware of their issues and be incredibly careful with how they use it. They absolutely must not engage in any illegal behavior, nor anything that requires a high degree of security or anonymity. As we discussed earlier, a VPN provider has the capacity to access all of the data that goes through their service. When the service is being provided to you for free, the provider doesn’t have much of an incentive to provide you with a reputable service. If you can’t trust the provider to give you a high level of service, then you can’t trust them to be responsible for your privacy and security.

Everything on the internet should be free

One of the key issues isn’t with VPN technology itself, but with our attitudes to technology services in general. Many people have grown up in the internet age and become accustomed to free content, products and services. This is generally supported by advertising and other means. These funding models have provided opportunities for the poor to access all kinds of media and technology that traditional payment models would have locked them out of. It’s hard to deny that this has been a good thing in many ways, but it has also had some unfortunate results. The overwhelming amount of free stuff in our lives has left many of us unwilling to pay for things which we would have in the past. With many products and services, such an attitude doesn’t cause problems. With VPNs, it can be a big issue. If you really care about your privacy and security, your best course of action is to stay far away from free VPNs, because they simply don’t provide a service you can trust.

On 2018-12-24


  Alien Vault - Let’s Chat: Healthcare Threats and Who’s Attacking
Healthcare is under fire and there’s no sign of the burn slowing. Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more. Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.

So . . . who’s wreaking all this havoc and how?

According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.

One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subject of two FBI Alerts in 2018. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.

SamSam attackers are known to:

- Gain remote access through traditional attacks, such as JBoss exploits
- Deploy web-shells
- Connect to RDP over HTTP tunnels such as ReGeorg
- Run batch scripts to deploy the ransomware over machines

SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attack, and recommendations for heading it off in the AlienVault Open Threat Exchange (OTX), our community of 100,000 users who contribute information on threat intelligence, which is also curated by AlienVault Labs. You can also get more details from the AlienVault blog post “SamSam Ransomware Targeted Attacks Continue.” And, you can find detailed recommendations for preparing for SamSam and other, related attacks from HHS, FBI and US-CERT.

Wait! There’s More.

Here’s an overview of the trending threats AlienVault Labs has identified for 2018.

What We’re Seeing: Other, opportunistic ransomware threats for criminal gain . . . The most commonly seen threat to the healthcare sector in 2018 remains opportunistic. This is typically ransomware that targets anyone who happens to be vulnerable. And, it continues to cause an outsized amount of damage to the industry. Some examples of the most damaging will likely trigger your memory: WannaCry Indicators, GandCrab Ransomware, VSSDestroy Ransomware.
How to Learn More:
- Defray ransomware
- Off-the-shelf ransomware used to target the healthcare sector
- GandCrab ransomware puts the pinch on victims
- VSSDestroy ransomware
- WannaCry indicators
- Fallout exploit kit releases the Kraken ransomware on Its victims

What We’re Seeing: Targeted threats for criminal gain . . . There are a number of organized criminals who have moved to targeting healthcare providers with targeted ransomware due to the criticality of continued operation. One example is the SamSam ransomware.
How to Learn More:
- SamSam ransomware campaigns
- SamSam — the evolution continues netting over $325,000 in 4 weeks
- SamSam ransomware
- SamSam: the doctor will see you, after he Pays the ransom

What We’re Seeing: Targeted threats for espionage that are led by organized crime . . . Threat actors are committing corporate espionage for criminal gain — for example, by gaining insight into drug trials to inform investment decisions.
How to Learn More:
- Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia
- Powerful threat actor Wild Neutron returns for economic espionage
- FIN4 group is hacking the street
- More information from the FIN4 group attacking public companies
- Parasite HTTP RAT cooks up a stew of stealthy tricks

What We’re Seeing: Targeted threats for espionage, led by nation states . . . Whilst rare, there are some threat actors that commit espionage against the healthcare sector to provide assistance to state-owned companies or to retrieve the healthcare data of high-profile individuals.
How to Learn More:
- Network health: advanced cyber threats to the medical & life sciences industries
- Tropic Troopers new strategy
- Intrusions affecting multiple victims across multiple sectors
- Wekby attacks use DNS for C2
- Indian organizations targeted in Suckfly attacks
- Black Vine: Formidable cyberespionage group

Want more information? There are a number of organizations, such as Healthcare-ISAC, that can provide additional information on threats seen within the healthcare sector. For any queries regarding this report, please contact labs@alienvault.com.

On 2018-12-20


  Alien Vault - Network Penetration Testing
What is Penetration Testing?

Penetration testing, often called “pen testing”, is one of several techniques used to verify cybersecurity posture and provide a level of assurance to the organization that its cyber defenses are functional. It’s a way of testing defenses against an adversary who mimics a cyber-criminal actor.

First Rule of Network Penetration Testing: Make sure you have a signed contract to perform the services of a pen tester, including a statement of work, and a detailed scope for the engagement. Failure to follow this advice could result in civil and/or criminal legal action being taken against you.

It should be noted that many compliance and regulatory requirements, including the General Data Protection Regulation (GDPR), require an organization to undertake regular testing to evaluate the effectiveness of organizational security controls. It stands to reason that the further an adversary can penetrate into your organization and retrieve sensitive and/or confidential information, the more evident the business case for improving your cyber security posture becomes.

The technique of cyber security pen testing is not without controversy. Detractors of pen testing as a cybersecurity test identify the techniques used by professional pen testers as generally reserved for sophisticated cyber criminals or nation state actors. The argument then is that pen testing does not mimic the “every day” cybersecurity threat faced by the organization based upon its level of risk tolerance. Although that argument runs right up against the evolution and increasing sophistication of cyber-criminal attacks, an organization may not have the financial or IT resources to deal with the outcomes or recommendations of the pen test. In fact, a pen test can be a demoralizing experience for the organization’s already stressed IT resources and may document risks the organization would rather not have illuminated.

Simply put, a pen test requires a basic level of cyber hygiene and organizational readiness – there has to be organizational will to mitigate the “findings” of the pen test. If the organization has not instituted basic cyber security controls as prescribed by UK Cyber Security Essentials or the CIS top five security controls, then money invested in a pen test may be quite wasteful. In short, if the organization has not:

1. Secured the internet connection with a firewall
2. Secured organizational devices and software
3. Controlled access to organizational data and services
4. Protected organizational endpoints from viruses and other malware
5. Made sure organizational devices and software are up to date

then the pen test will not go well for your organization and an adversary will have a field day.

Penetration Testing Tools

There is a myriad of pen testing tools available, with the majority being open source. The profession of Pen Tester is linked to professional certifications such as Certified Ethical Hacker, CompTIA PenTest+ and Offensive Security Certified Professional (OSCP), and an extensive SANS curriculum built around pen testing and the use of popular tools is available. Here is a list of common pen testing tools (OK, my favorite tools!) pen testers will unleash on an organization. Many folks in the business of professional pen testing have their own preferences, and commercial software is also available.

Common Network Penetration Testing Tools

- Nmap – Free! Network scanner and enumerator, supported by a massive community and extensible with a great deal of scripting capability.
- The Metasploit Framework, available on Kali Linux – Free! Many special-purpose pen testing tools and password crackers, as well as wireless security tools. I would say this is an accepted industry standard.
- ZAP – Free! An older attack proxy framework used to evaluate website and web application security. I like it and find it easy to use, as I am not skilled enough to use something like Burp Suite against a website.
- Nessus – Not free. This software does require professional licensing to use as a professional pen tester, but it is an excellent vulnerability scanner. (Another one I recommend is Outpost 24.)
- Maltego Community Edition – Free! This does not do any pen testing, but it is my go-to documentation tool for network mapping and domain enumeration. It is mostly a cyber threat intel platform, but for making the pretty pictures it’s a lot more automated than Microsoft Visio.

As a professional pen-tester you are only as good as your Google-Fu. Depending on the nature of your engagement, websites like Shodan, ExploitDB, or even searching for “Default Password for <insert make> <model number> device” will yield sources of information which may prove useful. It’s also surprising how frequently reverse IP lookups and domain name registration information are necessary to conduct the pen test.

Website Penetration Testing

This is really a subset of network penetration testing and is firmly (at least in my opinion) in the realm of software developer meets adversary. Websites are complex layers of software which usually connect to a “back-end” database. The database is potentially filled with customer or employee information which a cyber-criminal would like to steal and sell and/or destroy with ransomware. Thousands of hours of developer time may have gone into the creation of customer-facing websites, and they may even have access to credit card payment information. No matter what the database contains, it needs to be defended, and there are any number of techniques through which a cyber-criminal can gain unauthorized access. Although a scanner like Burp Suite or ZAP can detect many of the OWASP Top 10 common vulnerabilities, a skilled web application pen tester can target the website’s API(s) to perhaps coax information from the site which should not be revealed. Because websites are intensely linked to the organization’s online brand and may be a primary source of revenue, many organizations insist on a web application pen test before a site goes live.

Penetration Testing Report

In most cases this is called the “dread” pen testing report. For most organizations who thought they had a decent security posture, this report usually suggests a lot more can or needs to be done. What makes for a good report is a list of the most impactful, readily achievable, and least expensive to implement solutions to the discovered shortcomings. The best pen test report also identifies items which the organization is doing well, in addition to items the organization needs to improve upon, to allow for some solace as the mountain of work to do is revealed.

One of the most powerful metrics, and a significant boost to organizational compliance, is to use the pen test report as a road map for key IT projects, process or technology implementations in the next year. The first pen test the organization receives sets the need for future improvement. The second pen test report should show measurable improvements. If there has been no improvement between the two, it may be time to consider a radical course of improvement before your organization is targeted by a real cyber-criminal adversary.

On 2018-12-19


  Alien Vault - AlienVault Monthly Product Roundup October / November 2018
At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Let’s take a look at the highlights from our October and November releases:

Mac OS Support for the AlienVault Agent

In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host-based intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and to make a number of additional enhancements. In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.

AlienVault Agent Queries as Response Actions

USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.) To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.

Launch AlienVault Agent Queries from the Agents Page

In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.

Asset Group Enhancements for the AlienVault Agent

Asset Groups help USM Anywhere users group similar assets for specific purposes. For example, you might want to assign assets to the PCI DSS asset group to keep track of the assets in scope of your CDE. We’ve added a new “Assets with Agents” dynamic asset group containing all assets that have the AlienVault Agent deployed. We’ve also expanded asset group functionality by adding the ability to assign AlienVault Agent profiles to asset groups. You can do this by selecting the “Assign Agent Profile” option from the Actions menu for a specific asset group.

Improved Ability to View Suppressed Alarms

We’ve improved the filtering options available on the Alarms page to support the display of only suppressed alarms. This change has no effect on the default Alarms view, which does not include suppressed alarms.

Certificate Upload for TLS-Encrypted Syslog

In addition to the digital certificate provided through USM Anywhere, customers can now upload their own server certificate and CA certificate to enable the SSL connection for TLS-encrypted syslog transport. Certificates can be uploaded from a new Settings tab in the Syslog App configuration page located at Data

On 2018-12-17


  Alien Vault - Things I Hearted this Year 2018
It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began. I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I Hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week. Suffice it to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, and we’re just getting better at covering the stories. In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget). Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.

January 12th Edition
Toy Firm VTech Fined Over Data Breach

VTech, the ‘smart’ toy manufacturer, has been fined $650,000 by the FTC after exposing the data of millions of parents and children. Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest. Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.
FTC fines VTech toy firm over data breach | SC Magazine
FTC Fines IoT Toy Vendor VTech for Privacy Breach | eWeek
After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC | TechCrunch

March 9th Edition
SAML, SSO Many Vulnerabilities

SAML-based single sign-on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ passwords. Sounds like a lot of fun.
Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | Duo

March 30th Edition
Investigating Lateral Movement Paths with ATA

Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.
Investigating lateral movement paths with ATA | Microsoft

May 18th Edition
Hacking the Hackers

A hacker has breached Securus, the company that helps cops track phones across the US. You'd think that if you were a company that collected all sorts of phone data and location tracking, and worked with law enforcement, you'd be a bit more careful in how you store the data. Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials’ phones, according to court records.
Hacker breaches Securus, the company that helps cops track phones across the US | Motherboard
Service meant to monitor inmates' calls could track you, too. | NYTimes

June 1st Edition
Your Data

Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private.
"The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?"
Why Is Your Location Data No Longer Private? | Krebs On Security
But wait, there's a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data.
This Guy Is Selling All His Facebook Data on eBay | Motherboard

July 6th Edition
10 Things To Know Before Getting Into Cybersecurity

You may know Kevin Beaumont as @GossiTheDog on Twitter. He won the 2018 EU blogger awards for best tweeter. But apparently, he's a man of more talents than just twits; he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity.
10 things to know before getting into cyber security | Double Pulsar
Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based).
Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog

August 31st Edition
Probably The Best Tech Keynote in the World

I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens, who is a professor at Harvard University. I watched his keynote presentation at USENIX, and haven’t been this entertained and captivated by a technology talk in … well, never. It’s well worth carving 50 minutes out of your day to watch his keynote entitled “Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models”.

October 5th Edition
Bupa Fined £175k

International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web. The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, and generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account. The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year.
Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk | The Register

November 30th Edition
The $1M SIM Swap

A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.
SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet

On 2018-12-14


  Alien Vault - The REAL 2019 Cyber Security Predictions
It’s December, which means it’s time to get those 2019 cyber predictions going. While there are many well-informed, and some not-so-well-informed, opinions out there, I’ve dug through the cyber underground, I’ve climbed data mountains, and delved to the depths of the dark web to seek out what is really happening. Having spilt coffee, Red Bull, and tears, I am proud to present the soft underbelly of the cyber security industry, and what the future will hold. You’re welcome.

Jayson Street will be exposed as a secret agent charged with obtaining DNA samples of as many hackers as possible. Close inspection will reveal Jayson stealing a strand of hair every time he offers an “awkward hug”. Having been outed, he will go on to start a podcast called “The Word on the Street”.

HaveIBeenPwned will be purchased by FireEye. Troy Hunt will take the money and move to New Zealand, where he’ll set up another website called “YesYouArePwned” with Kim Dotcom.

Bug bounty and vulnerability disclosure pioneer Katie Moussouris will have no less than 10 instances a month of bug bounties being mansplained to her. At least 2 a month will try to prove her wrong by citing papers, without realising she authored them.

Richard Bejtlich will tell the world how it’s actually Papua New Guinea that is responsible for the majority of APTs. He’ll admit that China was initially blamed as an internal joke that went a bit too far.

Jeff Moss will look in disgust at what he has created. In a fit of rage he’ll punch the ground, pull his hair yelling, “I’ve created a monster!” and cancel DEF CON. This will create a domino effect as all other conferences come collapsing, leaving no security conferences active by the end of the year.

SwiftOnSecurity is unmasked as being The Grugq, who would have gotten away with it if it weren’t for those meddling kids.

“Stuck in Traffic” YouTuber Wolf Goerlich will finally take a different route into work and realise traffic ain’t all that bad. As a result YouTube suspends his account, declaring the title misleading. Which is a polite way of saying ‘fake news’.

Investigative journalist Brian Krebs may unofficially be many companies' IDS, but in 2019 he’ll take it to new heights, launching his own subscription-only service called B-KIDS (Brian Krebs IDS) which companies can use to get the heads-up if they’re going to be outed.

Reunions will become common, as professionals grow bored of corporate life. L0pht Hacking Industries will furiously lobby the US government, while over in Europe the Eurotrash Security podcast will regroup and take the show on the road once again.

Marcus Hutchins reveals he was never really arrested by the FBI. Claims he just wanted a bit of “me time” and thought this would be the best way.

(ISC)2 will cease offering the CISSP certification, stating that there is now a global surplus of security professionals and the number needs to be reduced.

Independent analyst Kelly Shortridge reveals the magic that goes into magic quadrants, waves and other analyst firms’ methodologies. Confidence in analyst firms will take a dip as a result. Kelly will then sell the rights to the movie, The Big Short(ridge).

Award-winning blogger and podcaster Graham Cluley will go through the whole of 2019 without winning a single award.

Mega breaches will have reached the tipping point and GDPR will have been found ineffective. In a last-ditch effort, offering affected customers a year's credit monitoring will no longer be deemed sufficient. Rather, companies will be forced to create whole new identities for affected individuals, complete with backstories, like witness protection programs do.

Finally, world governments will see the error of their ways and stop trying to backdoor crypto.

Have a happy 2019 folks!

On 2018-12-13


  Alien Vault - New AlienVault and AT&T Cybersecurity Consulting Solution for Cyber Risk and Compliance Management
Let’s face it, managing cyber risk and compliance is hard. Many organizations struggle to gain the visibility needed to truly understand their overall cyber risks. They also struggle to maintain that visibility as they take on digital business transformation and new cloud computing initiatives. It’s no easy task for organizations to continually align their security priorities to changes in the regulatory landscape, their IT environment, and an always-shifting threat landscape, especially for organizations with limited IT resources.

That’s why we are excited to announce a new solution to help organizations of any size reduce their cyber risks and simplify their journey toward compliance. Together, AT&T Cybersecurity Consulting and AlienVault, an AT&T Company, are bringing together the people, process, and technology in one unified solution to help organizations improve cyber risk and compliance management. In doing so, we’re making it simple and fast for organizations to consolidate their requirements and to accelerate their security and compliance goals. Download the solution brief to learn more.

“Managing cyber risk and compliance requires an ongoing review of your IT assets and data, security practices, and personnel — and no single security tool provides that holistic visibility,” said Russell Spitler, SVP of Product for AlienVault, an AT&T company. “With a unified solution from AT&T Cybersecurity Consulting and AlienVault, we can help organizations to reduce the complexity and cost of having to juggle multiple products and vendors.”

This solution addresses many of the most challenging aspects of meaningful risk reduction (i.e. actually making progress in reducing risks, not simply “managing risks”) and maintaining continuous compliance. The solution includes: risk assessment, vulnerability assessment with scanning and remediation, employee cybersecurity awareness training, continuous network monitoring for the latest threats, and reporting for compliance as well as for internal policy. It is ideal for organizations that are getting started with or want to accelerate their efforts for PCI DSS or HIPAA, but also for organizations without a compliance mandate that are looking to evaluate and improve their cyber risk posture quickly and efficiently.

Unlike other solutions for cyber risk and compliance that are often oversized and do not adapt to an organization’s existing security model, AlienVault and AT&T Cybersecurity Consulting offer flexible options that allow any organization to tailor-fit a solution to their unique environment, business goals, and budget. The solutions include:
Risk-based Cyber Posture Assessment led by AT&T Cybersecurity Consultants
ASV-provided External Vulnerability Scanning Services from AT&T Consulting Services
AlienVault USM Anywhere - a unified platform for threat detection and response
AT&T Cybersecurity IQ Training - cybersecurity user training and assessments
For more details on the products and services included in this solution, read the solution brief.

Following AT&T Business’ acquisition of AlienVault in August, this offering is the first to combine the phenomenal threat detection and incident response capabilities of AlienVault USM Anywhere and AlienVault Labs Threat Intelligence with the world-class expertise of AT&T Cybersecurity Consulting.

“It’s no secret that cybercrime has become its own industry, giving criminals access to a battery of tools for targeting victims,” said Marcus Bragg, Chief Operating Officer of AlienVault. “For the IT and security professionals who are defending against this, point solutions are no longer enough. They need all the support they can get, and that means people, process, and technology — access to security experts who can share their knowledge and experience, recommendations for best practices, and a unified platform that ties everything together, including the most up-to-date threat intelligence for threat detection and response. That’s what the future looks like in our fight against cybercrime.”

This solution is available from AlienVault and AT&T Business, so new and current customers can easily purchase the solution that works for them. To learn more about this and other cybersecurity solutions from AlienVault and AT&T, contact us to get started. To learn more about the offering, download the solution brief.

On 2018-12-12


  Alien Vault - A HIPAA Compliance Checklist
Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time, security professionals are faced with an evolving threat landscape of increasingly sophisticated threat actors and methods of attack. For example, 2018 threat intelligence research by AlienVault Labs reports a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from health care providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. To help address these security challenges and ensure adherence to compliance mandates, security and IT professionals should consider how people, processes, and technology can be used together to create a holistic IT security compliance program that simplifies preparation, auditing and reporting, as well as ongoing security risk management and breach monitoring and response. Here’s a five-step HIPAA compliance checklist to get started. Certification and Ongoing HIPAA Compliance HIPAA sets the standard for protecting sensitive patient data. Any entity that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. 
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted to promote the “meaningful use of health information technology” and address the privacy and security concerns associated with the electronic transmission of health information. Although there is no standard or implementation specification that requires a covered entity to “certify” compliance, the evaluation standard § 164.308(a)(8) requires covered entities to perform ongoing technical and non-technical evaluations that establish the extent to which their security policies and procedures meet the security requirements. Evaluations can be performed and documented internally or by an external organization that provides evaluation or “certification” services. However, HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Step 1: Start with a comprehensive risk assessment and gap analysis Your compliance strategy should start with a solid foundation, which is why the first step in your journey to HIPAA compliance should be a readiness assessment that includes a comprehensive risk and compliance analysis of your electronic health record (EHR) environment. This assessment is often best done by a third party with expertise in healthcare security and compliance, as HIPAA regulations can be confusing and cumbersome. Using a third party with the necessary expertise will ensure you don’t miss or misunderstand the required regulations, and it will save you time as they will likely have a HIPAA checklist to reference.  Your consultant can perform an initial evaluation of your entire security program to determine its adherence to HIPAA regulations and the level of readiness to proceed with the “certification” process. 
It’s worth noting that the OCR does not actually “certify” HIPAA compliance (see side bar), however there are organizations outside of the OCR that do provide “certification” services, and many organizations take advantage of these certification services to prove compliance. As a result of the evaluation, your consultant should provide a comprehensive report that may include such things as: Your organization’s current security and compliance posture compared to the requirements established by the OCR Audit Protocol (including the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule). Prioritized recommendations for risk remediation. A road map outlining the steps and initiatives to achieve compliance and “certification”. According to the OCR, organizations that have aligned their security programs to the National Institute for Standards and Technology (NIST) Cybersecurity Framework may find it helpful as a starting place to identify potential gaps in their compliance with the HIPAA Security Rule. Addressing these gaps can bolster compliance with the Security Rule and improve the organization’s ability to secure ePHI and other critical information and business processes. Read how NIST “maps” to the HIPAA Security Rule in the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. Step 2: Remediate identified risks and address compliance gaps Once you’ve identified your organization’s risks, take immediate steps to address the gaps within your security program. Again, a consultant who has practical experience in healthcare security will be very useful in providing strategic guidance, as well as advice on risk mitigation. Many organizations use the same consultant who performed their initial risk assessment. Your consultant may develop specific programs, policies, standards, and procedures, as well as support or help implement key security practices and controls. 
For example, they may assist in prioritizing vulnerabilities and make recommendations for remediation in your EHR environment. Or, they may provide pre-packaged employee security awareness training that meets HIPAA guidelines, such as educating employees on security risks and running them through attack scenarios. Make use of security technology to help you more quickly address the gaps in your compliance program — and consider platforms versus point solutions, giving you the ability to address multiple issues at once. Also, look for solutions that address both on-premises and multi-cloud environments as HIPAA regulations apply to both (see Guidance on HIPAA & Cloud Computing).  For example, look for such use cases as the automation of asset discovery and the ability to categorize those assets into HIPAA groups for easy management and reporting. Those same solutions may also perform vulnerability assessments, automate the prioritization of vulnerabilities for mitigation, and integrate with ticketing solutions to ensure the most critical are being remediated while overall risks are mitigated. Step 3: Take advantage of automated compliance reporting The evaluation standard of HIPAA requires covered entities to perform and document ongoing technical and non-technical evaluations to establish the extent to which their security policies and procedures meet the security requirements. Simplify and speed this process by taking advantage of automated compliance reporting. Look for solutions with predefined report templates for HIPAA, as well as other key regulations such as PCI DSS, NIST CSF, and ISO 27001. Consider ease-of-use, such as being able to define groups of assets — for example, a HIPAA group that includes sensitive assets connected to patient data or protected data. How easy it is to view, export, and customize the reports? What percentage of regulation coverage is included in predefined reporting? 
Most solutions do not cover all the requirements defined by the HIPAA Audit Protocol, but they will give you a jump on your HIPAA checklist. Many security management platforms also include additional predefined event reports, such as reports by data source and data source type, helping to make daily compliance monitoring and reporting activities more efficient. Also, look for an intuitive and flexible interface that allows you to quickly search and analyze your security data, as well as the ability to create and save custom views and export them as executive-ready reports. Finally, solutions that provide centralized visibility of your cloud and on-premises assets, vulnerabilities, threats, and log data from firewalls and other security tools are key to giving you the most complete and contextual data set for maintaining and documenting continuous compliance. Step 4: Implement Monitoring and Breach Notification Protocols The Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and business associates to provide notifications if they experience a breach that involves unsecured protected health information. Security management platforms can help to simplify and automate monitoring for breaches on your network, ensuring you are able to more quickly detect and contain a breach, as well as provide the required notifications. As more organizations in healthcare are migrating data and applications to the cloud, make sure the technology you’re choosing offers advanced threat detection across both on-premises and multi-cloud environments. Simplify compliance management by choosing a solution that combines an array of essential security capabilities in one platform. These may include, but are not limited to: asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, endpoint detection and response, SIEM event correlation, file integrity monitoring (FIM), and log management. 
By combining these use cases in a single dashboard, you are better able to quickly identify, analyze, and respond to emerging threats that target your EHR environment. Intelligence it key to threat detection and incident response, so consider vendors who have in-house research teams as well as access to external threat intelligence communities and other sources that can provide insight into the latest global threats and vulnerabilities — and in particular, those that are specific to healthcare. However, intelligence without context will create lot of distracting “noise” for your team. So, check that the solution goes beyond just providing intelligence to incorporating it directly into your dashboard, including providing recommendations on how to respond to identified threats. With this intelligence and guidance at your fingertips, you can react quickly to the latest tactics, techniques, and procedures used by threat actors. And, you are assured of an always-up-to-date and optimally performing security monitoring solution. Need more info on how to respond to a breach? See the HHS Quick Response Checklist. Step 5: Continuously evaluate and manage risk Whether you are managing ongoing HIPAA compliance internally or are using an external organization, avoid last-minute scrambling for annual evaluations and audits by employing a year-round risk management program. Such a program requires having real-time visibility of your environment, including system component installations, changes in network topology, firewall information, and product upgrades. Use a unified platform to gain this visibility and enable monitoring in a central location (opposed to various point solutions). 
Here are a few examples of where a platform would be helpful for continuous risk and compliance management: Manage assets and risks Examples: Use automated asset discovery for on-premises and cloud environments and then create asset groups such as business critical assets or HIPAA assets for ongoing monitoring, management and reporting. Identify systems with known vulnerabilities and use correlation rules to detect threats. Monitor access control; data security; information protection, processes and procedures; and protective technology Examples: Monitor for successful and failed logon events to assets. Monitor for communications with known malicious IP addresses or use file integrity monitoring (FIM) to detect, assess and report on changes to system binaries, and content locations. Schedule vulnerability scans, automate assessments, and plan for mitigation. Review events and detected incidents. Detect anomalies and events; and ensure continuous security monitoring and detection processes Examples: Aggregate events from across on-premises and multi-cloud environments. Classify threats based on their risk level. Monitor for stolen credentials, malware-based compromises such as communication to a known command and control (C&C) server, anomalous user and admin activities, file integrity, and vulnerabilities. Automate event and incident analysis; mitigation Example: Automate forensics tasks to be executed in response to a detected threat and simplify forensics investigations with filters, search and reporting capabilities for event and log data. Automate actions to contain threats, such as isolating systems from the network. Automated reporting Use out-of-the box reporting to document that you’ve made an accurate assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of all electronic PHI — and to quickly show the status of technical controls that align to HIPAA or other regulations. 
Maintaining adherence to HIPAA is no small feat considering the dozens of criteria that are considered in the HIPAA Audit Checklist. Attempting to manage your compliance program manually and without the help of expert healthcare security consultants will not only take up massive amounts of time, it could result in your team missing an essential component of the regulation, or worse yet, enduring a breach that compromises patient data or takes down the network. However, with the right mix of people, processes and technology, it’s not impossible to stay on top of compliance management while ensuring your network is secure and patient data is protected year-round.

HIPAA Regulations

HIPAA Privacy Rule: This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and health care providers who conduct the standard healthcare transactions electronically.

HIPAA Security Rule: This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (e-PHI). The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

2018-12-11


  Alien Vault - Who Would You Hire in Your SOC?
I got curious about what kind of people are most desired in a Security Operations Center (SOC). I wondered how accepting InfoSec blue teamers would be to having a team member with a great attitude and system administration or network management skills, versus someone with deep InfoSec knowledge and skills. So I did a poll on Twitter to learn more. After reviewing the Twitter poll results and the very insightful comments, I was even more curious about how SOC hiring decisions are made. Luckily, one of my Twitter pals reached out via DM and indicated he is a SOC hiring manager! And he’d be happy to have a call with me to give me the scoop on what he looks for when hiring for his SOC as long as he remained anonymous! While I can’t name him, I can tell you he has 20+ years of experience in the InfoSec industry and is in the process of building his second SOC. The first team he built had about 25 people, was focused on infrastructure rather than cloud, and encompassed both SOC and GRC. The team he is building out now is focused on outsourcing (MSSP), which is a different story entirely. Here are his insights:

Age is a Number

He made the excellent point that the terms "junior" and "senior" SOC analysts relate more to experience in a SOC than to the person's age. Older folks doing a career transformation might well be considered “junior", and someone in their 20’s who has had a home lab and network might have years of useful experience and be considered “senior”.

A Balanced SOC Team

The best team mixes some senior folks with junior people. A lot of SOC work is a *grind* with eyes always on the glass. Whereas junior folks can be quite happy to do that for a few years, some more senior folks may want to get into other roles than the front line of defense. In addition, your first job in InfoSec may be a stepping stone to where you want to get. You might want to be a malware researcher, but starting as a blue team defender is an excellent way to learn more about malware.
Mainly Cloudy

Times are changing – whereas deep skills on particular hardware, like a specific firewall, may have been important in the past, now SOC hiring managers tend to be more cloud oriented. They’re looking for a blend of skills, including DevOps, SecOps, scripting, cloud instrumentation and understanding of cloud infrastructure. Hiring managers are looking for nimble applicants with a flexible skill set. For example, to be good in a SOC job today, you will likely need to know how to monitor application logs as well as traditional security controls.

Advice for Students

Don’t be afraid to get your hands on tech. Classes are one thing – but also build yourself a home lab. Show some enthusiasm and initiative. Be flexible – avoid just knowing a few specific tech tools. Network! (More to come on that).

Advice for Curmudgeons

If you’ve “seen it all” – you might appear grumpy. Grumpiness is OK, as long as you work with and support the junior folks. The SOC team isn’t a great place for a grump who wants to just be left alone. Toxic people are not welcome on a SOC team, no matter what skills they may have.

Important Tech Checklist for SOC

- Coding / scripting
- Understanding of the network stack and knowing things like how routing, VLANs and ACLs work
- Machine Learning / Automation (at least take some free courses for awareness)
- Core security controls
- Cloud technology infrastructure

Can a Red Teamer Be Good in a SOC?

Sure, if they want to be on the Blue Team. They typically have the right skill set. However, Red Teamers live to find and exploit weaknesses. Red Teamers don’t always have to follow rules. Blue Team is defense in depth. Blue Teamers have to follow rules.

Career Networking

On social, Twitter is great. LinkedIn can be useful too. There are local meetup groups all over that are free to attend. You can hear talks and meet other people in the industry without having to travel to attend an expensive conference.
Here's the Poll and Some Excellent Comments and Observations:

In a SOC, would you rather hire a person new to infosec w good attitude & great sys admin / network mgt skills or a curmudgeon with badass infosec knowledge & proven track record in SOC. Comments on rationale appreciated.
— Kate Brew (@securitybrew) November 25, 2018

The best part was the comments! Here are a few excerpts to demonstrate the common threads.

A Good Attitude Is Clearly Appreciated

Good attitude every time. Much easier to train technical skills than people skills.
— Chris (@church_of_chris) November 25, 2018

Aren't we seeing this play out now? There r 2 many opptys in the market for ppl to stay and be treated like crap. People will leave. We are seeing burnout up the wazzoo, ppl leaving, ppl afraid of making a mistake, let alone a suggestion. Hire the noob. Train, train, train them.
— javascript jesus is watching you! (@ravici) November 25, 2018

Hard to say without knowing what the responsibilities would be, but generally I'd take the good attitude. People who are hungry and driven can learn the skills they lack, but it's harder to get someone to unlearn being jaded and negative, and spreading that vibe to everyone else.
— blu0 (@blu0x30) November 25, 2018

In Defense of Curmudgeons

Dark humour is not the same as a bad attitude and burnout can heal
— Heidi (@winter_heidi) November 25, 2018

I feel like in tech (not sure about infosec) curmudgeon is a euphemism for "straight-up jerk". But I'd easily take someone competent over someone who's not, provided they're *just* a little grumpy.
— Vanessa McHale (@vamchale) November 25, 2018

No Love for Toxic People!

A SOC has to work closely together. A curmudgeon stops the communication flow.
— Nasty Woman Voter (@sforslev) November 25, 2018

Yet if a curmudgeon doesn’t have the soft skills necessary to navigate conflict, challenges etc & instead they utilize FUD (fear, uncertainty & doubt) as their professional strategy - no matter how badass their infosec knowledge is - they kill the positive vibe of the SOC & org
— Kyle F. Kennedy (@Kyle_F_Kennedy) November 25, 2018

Years ago we hired the most brilliant system admin I've ever worked with, but he had 0 people skills and started to make it a toxic work env. He was so bad working with others people were on the verge of quitting to not have to deal with him. I'd lean towards good attitude.
— Space Force Panda (@TrashPandaFTW) November 25, 2018

I’d rather invest time in developing potential than repairing damage from a curmudgeon. That said, it depends on the mission and cultural context. Theoretically, the mission (and culture) might force acceptance of the trade-offs that come with a highly-capable curmudgeon.
— <script›alert('chrᎥs cɑlνert');‹/script› (@securedaemon) November 26, 2018

SOC Needs a Team / Balance

I'm the curmudgeon, and I balance the 5 neophytes. It's a good ratio - for a Red Team. I suspect the ratio would work differently on the blue side, coming from there. Company culture also plays a role in quantifying these ratios, I think.
— Abe Snowman - Yeti Vigilante ☃️ (@AbeSnowman) November 26, 2018

I’d hire either. It would also depend on the current makeup of the team. If you have a bunch of infosec people without sys/net admin chops then the new blood will be good. If it’s the other way then the curmudgeon would be good. Cross pollination is good.
— Michael Fourdraine (@mfourdraine) November 25, 2018

One curmudgeon to five enthusiasts - and a good manager over them all.
— John (@JohnDCosby) November 25, 2018

Regardless if they are in a SOC or not. Challenging concepts & ideas is healthy. Conflict can be good for orgs as it encourages open-mindedness & helps avoid the tendency toward group thinking (which could become bully thinking) that many organizations fall prey to.
— Kyle F. Kennedy (@Kyle_F_Kennedy) November 25, 2018

Conclusion

I really appreciated the insights I got from the Twitter poll and speaking with my Twitter pal who is a SOC hiring manager. I hope this info is helpful to folks looking to move into Blue Team. Here’s another blog with career and networking advice.

2018-12-10


  Alien Vault - Things I Hearted This Week, 7th December 2018
It’s December, so you’re either on holiday, wishing you were on holiday, or hoping the next security article you read isn’t related to predictions. Well, I can’t help you with the holidays, but I can promise there will be no predictions here. It’s just good old-fashioned news: the juiciest stories that made my heart flutter.

US Postal Service

Ah, the good old USPS was running a weakness that allowed anyone who has an account to view details of around 60 million users, and in some cases modify the account details on their behalf. Luckily, a security researcher spotted the error about a year ago and notified USPS. Unluckily, the USPS didn’t respond to the researcher or fix the issue. Luckily, the researcher reached out to a little-known cyber-reporter by the name of Brian Krebs, who contacted USPS, and lo and behold, a miracle happened and the issue was fixed in 48 hours!

USPS Site Exposed Data on 60 Million Users | Krebs on Security

This raises the question of whether there is anything lesser-known researchers, who don’t have the public profile of Brian Krebs, can do to help companies fix issues outside of a formally defined bug bounty program. Back in September, Troy Hunt posted on this very topic: the effectiveness of publicly shaming bad security. That’s not to say I agree with shaming companies, but when you look at instances like USPS, you do wonder if there is a better way.

The Effectiveness of Publicly Shaming Bad Security | Troy Hunt

GCHQ Reveals it Doesn't Always Tell Firms if Their Software is Vulnerable to Cyber Attacks

In other words, spy agency keeps secrets. There are four reasons given as to why GCHQ may not disclose flaws, being:

1. There is no way to fix it
2. The product is no longer supported
3. The product is so poorly designed it can never be secure
4. There is an overriding intelligence requirement that cannot be fulfilled in any other way

I particularly like number 4 as the catch-all clause.
You could say there’s an overriding intelligence requirement for almost anything, and refuse to release any details under secrecy laws. I’m not necessarily bashing GCHQ; governments have been known to stockpile exploits. They have a particular mission and objective, and this is how they go about fulfilling it. However, it does mean companies should not rely solely on GCHQ or other government agencies for their threat intelligence. Rather, building their own capabilities and threat-sharing channels remains necessary.

GCHQ reveals it doesn't always tell firms if their software is vulnerable to cyber attacks. | Sky News

Scamming the Scammers

I don’t think there are many stories more satisfying than when scammers get taken for a ride. This time courtesy of Hacker Fantastic, who got contacted by the famous singer Rihanna out of the blue to help her get some money.

Scamming the scammers | Medium, Hacker Fantastic

ENISA Releases Online NIS Directive Tool

ENISA released an interactive tool showing the relevant national laws and regulations, and per sector and subsector the national authorities supervising the NIS Directive. It’s pretty cool.

NIS Directive Tool | ENISA

Open

2018-12-07


  Alien Vault - Password Stealers Aren’t Letting up Any Time Soon
Password security has always been a challenge. Brute force attacks are constantly getting more powerful, but they aren’t the only threat you have to worry about. A range of password stealing malware continues to grow in popularity. One example, Agent Tesla, has seen its detection rate grow 100% in just three months, according to data from LastLine. Despite this rapid growth, Agent Tesla is far from the most popular. That title goes to Pony, which represents 39% of the total password stealer detections, according to Blueliv’s 2018 report, The Credential Theft Ecosystem. LokiPWS and KeyBase trailed Pony at 28% and 16%, respectively. These password stealers are each capable of stealing credentials and other information from a wide variety of programs. Each is unique with its own techniques for delivery and a range of features that hackers can use to mount attacks. Despite the differences, each of these programs can have severe impacts on their victims. The negative impacts can range from having all of the money stolen from an individual’s accounts, to the theft of a company’s intellectual property. The key features of some of the most common password stealers are listed below:

Agent Tesla

Like most password stealers, Agent Tesla can access a wide variety of your information, ranging from your credentials to your keystrokes. It can even take screenshots and videos from your device’s camera. Agent Tesla targets a number of major programs, including web browsers, email clients, FTP applications and other commonly used software. Once Agent Tesla has been installed on a target’s computer, it can also be used to download other malware. This feature allows threat actors to intensify their attacks and make them even more devastating. Its pricing shows that the malware industry hasn’t been left behind in the X-as-a-service boom, because it is available as part of a plan that starts from $15 per month.
This price includes all the 24/7 support someone might need to assist them in their criminal endeavors. Of course, payments are made in Bitcoin. Despite running what must have been an incredibly profitable business, Agent Tesla’s creators have recently posted an update stating they will crack down on illegal use of the program. Under its terms of service, it declares that the software must only be used within the law, but features such as anti-antivirus throw these intentions into question. Due to the recent media attention that Agent Tesla has received, the developers will strip some of its more questionable features, such as anti-antivirus and webcam capture. They also claim to be banning those who are using the program maliciously. Only time will tell whether the creators are sincere, or if this is merely an attempt to keep the authorities from knocking down their doors.

Pony

Pony is currently the most popular password stealer, but it’s certainly not new. In the past, it has been used to control a number of enormous botnets, which by 2013 had already stolen more than two million credential sets. In 2014, it was involved in a series of attacks that stole $200,000 worth of cryptocurrencies, as well as 700,000 sets of credentials. In recent years, Pony has seen prominence as a loader alongside other malware, such as CryptoWall and Angler. These programs, a type of ransomware and an exploit kit, respectively, help attackers launch even more devastating assaults.

LokiPWS

As the second most commonly encountered password stealer, LokiPWS has been involved in a significant number of attacks. It can be purchased from a range of illicit marketplaces for between $200 and $400, depending on the desired functionality. LokiPWS comprises a loader, a password stealer and a wallet stealer, which makes it useful in a variety of attacks.

TrickBot

TrickBot was originally a banking trojan, but has since been updated to steal other credentials as well.
This malware is modular and continues to have new features added by its developers. The coding for the newest components isn’t as clean as the earlier parts, but if it continues to be refined, we could see TrickBot used in a greater number of password stealing scams.

Common Attack Vectors

Attackers can load password stealers onto their target’s systems in the same ways as most malware. These include social engineering, fake Adobe Flash and other program updates, drive-by downloads, and “free” online software. The following are some of the most common techniques that we see associated with password stealers:

Social Engineering

Social engineering (a.k.a. phishing) is one of the most prominent methods that hackers use to load password stealers onto their victims’ computers. They commonly use convincing emails to trick the recipients into downloading an attachment. The level of sophistication in the email will depend on the attacker’s game plan. Some may send highly tailored emails to a select group of people in the hope of convincing a large percentage to download the attachment. Others may put less effort into each email, but send them to a much greater number of people. The rate of success won’t be anywhere near as high, but this technique allows them to attempt to manipulate a much larger group of people. The attachments can take many forms, including RTF files, PDF files, PUB files, DOC and DOCX files, XLS files, EXE files, images and more. It is common for the malware to be disguised as seemingly legitimate invoices and other important documentation. These tricks can easily fool users into unwittingly granting access to the password stealer. A recent campaign has been taking advantage of vulnerabilities to spread both LokiPWS and Agent Tesla. The target is tricked into downloading a DOCX file, which in turn downloads an RTF file.
This technique takes advantage of both a Microsoft Office remote code execution flaw and a memory handling bug in order to help slip the malware past antivirus software. TrickBot is often hidden in Excel files. In these attacks, the user is told that the document was created with an older version of the program, and that they need to “enable content” in order to access the file. Clicking this button runs the macros, which kicks off the malicious code and begins the TrickBot download. Agent Tesla even has a customizable “Fake Message” option. This allows an attacker to tailor a pop-up that convinces the target to install the malware. This feature makes it simple to create a legitimate-looking dialog box that might say something like “This program needs to be updated before it can launch. Update now?” Users will often click to run the update without even thinking about it. Something so simple can end up having dramatic effects, because of course, the program isn’t actually being updated. What’s really going on is that Agent Tesla is tricking the user into letting it install itself.

Attacks Launched from USBs

Malware like Agent Tesla can also be preconfigured to run from a USB stick. This gives attackers more imaginative ways to upload their malware onto a target’s computers. One example involves threat actors leaving a bunch of malware-riddled USBs in an employee car park in the hope that some curious workers will pick them up and plug them into their office computers. When the USB is plugged in, Agent Tesla loads onto the computer and can begin logging everything that the user does.

Getting Past Your Computer’s Defenses

Computers and networks have a range of defenses that help keep the bulk of malware at bay. These aren’t perfect, because the landscape of cyber threats is constantly evolving. This makes it much more challenging to prevent cutting-edge attacks.
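Both document-based delivery tricks described above leave fingerprints inside the OOXML package itself: a DOCX that fetches a second-stage file does so through a package relationship marked external, and an Excel or Word file that waits for "enable content" ships a VBA project part. The scanner below is an added example written for this page, not code from AlienVault or from any product mentioned here; the two sample packages it builds are constructed in memory, and the stage-two URL is a placeholder.

```python
"""Flag OOXML documents that carry a VBA project or that reference an
external target through a package relationship.  Added example for
defenders; the sample packages are constructed inline and are not real
malicious documents."""
import io
import re
import zipfile
from typing import Dict, List, Optional

# A <Relationship .../> element; the root <Relationships> element does not
# match because \b requires the name to end right after "Relationship".
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def scan_ooxml(data: bytes) -> Dict[str, List[str]]:
    """Return the macro parts and external relationship targets found in one
    OOXML package (DOCX, XLSX, PPTX and their macro-enabled variants)."""
    findings: Dict[str, List[str]] = {"macros": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lowered = name.lower()
            # Any vbaProject.bin part means the document carries VBA macros,
            # whatever the file extension says.
            if lowered.endswith("vbaproject.bin"):
                findings["macros"].append(name)
            # Relationship parts describe what each document part points to;
            # TargetMode="External" means the target lives outside the package.
            if lowered.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", "replace")
                for rel in REL_RE.findall(xml):
                    attrs = dict(ATTR_RE.findall(rel))
                    if attrs.get("TargetMode", "").lower() == "external":
                        findings["external_targets"].append(attrs.get("Target", ""))
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """A document with macros or external relationship targets merits a
    closer look (detonation or analyst review) before it reaches the user."""
    return bool(findings["macros"] or findings["external_targets"])


def build_sample(with_macro: bool, external_target: Optional[str]) -> bytes:
    """Construct a minimal DOCX-like package in memory (constructed sample)."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>',
    ]
    if external_target:
        # An OLE object whose content is fetched from outside the package.
        rels.append(
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if with_macro:
            # OLE compound-file signature plus filler; real projects are far larger.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample(False, None)
    # Placeholder URL, not a real indicator.
    armed = build_sample(True, "http://stage-two.example.invalid/update.rtf")
    for label, blob in (("clean", clean), ("armed", armed)):
        result = scan_ooxml(blob)
        print(label, "suspicious" if is_suspicious(result) else "ok", result)
```

In a mail gateway or SIEM enrichment step the same two checks run on every Office attachment before the user ever sees the "enable content" bar.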
Agent Tesla has a wide variety of configuration options that enable threat actors to customize how they launch their attack to bypass defenses. With just a few clicks in an easy-to-use settings menu, an attacker can choose whether to disable the target’s Task Manager, how it will get past anti-analysis tools, whether it will launch automatically after rebooting, and much more. The Agent Tesla website used to feature support that gave tips on getting around defenses, including advice on how to hide the malware in other files, and how to trick security tools. The website may have claimed that the software was only designed for monitoring personal computers, but all of this auxiliary information hints at other intentions.

How Do Password Stealers Take Your Credentials?

Once a password stealer has made its way onto the target’s systems, it starts getting to work. There is some variance in how each of these programs functions, but many of the core elements and features are the same.

Keyloggers

Keyloggers are some of the most commonly used tools for stealing credentials and other information that may be useful to attackers. They can be set up to record every keystroke that the target makes, sending the data back to the attacker. Of course, whenever the target types their usernames and passwords, this information goes straight into the attacker’s hands.

Clipboard access

Many password stealers can also access the data that is being stored in your clipboard. Clipboards aren’t a secure part of your computer, and the information that is stored in them can be accessed by all active processes, which means that malware can also take this information. This is somewhat worrying for those whose password manager uses the clipboard, but the majority of these programs tend to erase the data straight away. If you ever have to manually copy a password, it’s probably best to clear the clipboard after you have finished pasting.
Screenshots

It’s also common for password stealers to take screenshots of their target’s activity. This helps attackers keep track of what their victims are doing and enables them to log even more of their information.

Videos

Some password stealers can hijack a device’s camera and take pictures or video. This allows threat actors to build up an even greater profile of information on their victims.

Which Programs Do Password Stealers Target?

Most of the common password stealers can take credentials and other information from a wide variety of applications. These include common web browsers like Chrome, Safari, Microsoft Edge and Opera, FTP programs like FileZilla and WinSCP, email clients like Outlook, and many more. Some of these password stealers are set up to access data from more than one hundred commonly used programs.

How Does This Information Get Sent Back to the Threat Actor?

Once password stealers get their hands on your valuable data, they send it back to the attacker. The information is surreptitiously sent to a server, and then either to the attacker’s email or a dashboard. These dashboards vary in complexity, but some provide an impressive degree of organization that makes it easy for threat actors to keep track of a large number of victims. As an example, Agent Tesla’s dashboard shows the progress of attacks against each of its targets. Menus clearly show the keystrokes, screenshots, passwords and other data that has been collected. Once an attacker has this data, they can either sell it in bulk, use it to steal from you, or use it to mount further attacks and penetrate your systems more deeply.

How Can Password Stealers Impact Organizations and Individuals?

Passwords are one of the most important systems that we have for controlling access to our data. Now that we conduct significant parts of our work and personal lives online, this makes them gateways to incredible amounts of our information.
Password stealers can easily grant access to many aspects of our lives and businesses, and the impacts can be disastrous and wide-reaching. At a personal level, password stealers can enable threat actors to withdraw money from your bank account, hijack your social media or even commit complete identity theft. Organizations also face significant threats, because password stealers have the potential to give a threat actor complete access. Once an attacker is inside a company’s systems, they can copy its intellectual property, steal its data, lock up its information with ransomware, or even attempt extortion. The results can be as broad as an attacker’s imagination.

Staying Safe from Password Stealers

As you can see, password stealers represent a significant threat. Unfortunately, there is no surefire way to completely guard yourself and your organization. Despite this, following security best practices will reduce the risks to an acceptable level, especially if adequate staff training is part of the process. Individuals and employees need to be aware of the risks and only open attachments if they are certain that they are legitimate. It’s important to encourage a workplace culture where employees feel comfortable checking with IT whenever they are unsure of a potential security issue. Implementing two-factor authentication is another crucial mitigator. If an authentication process requires a token, biometric input, an authenticator app or an SMS code in addition to the user password, it can make it significantly more difficult to break into the systems. Password stealers can grant absolute access to our online worlds, so it’s important to be vigilant against them. While there are some programs that claim to be able to remove them, like all things in cybersecurity, it is much less costly to focus on prevention.

2018-12-06


  Alien Vault - Protecting the Wrong Things
Businesses rely on technology more today than they ever have in the past. In fact, many business models are built entirely around a technology which, if disrupted, could spell ruin. A traditional business with a brick and mortar presence is probably better placed to withstand an extensive online disruption or outage. For example, if a bank’s online system or mobile app is unavailable, it has other options to fall back on – even if it does involve customers physically having to walk into branches to deposit cheques. But those examples are rare, and even the most traditional of businesses are embracing the digital revolution at a rapid pace, vaporizing physical assets in the process. One only has to look at their smartphone and see how many physical items it has replaced, from maps, to flashlights, to cameras. So, it’s important that the digital infrastructure that underpins the modern world is resilient. The ‘A’ in the security CIA of ‘Confidentiality, Integrity and Availability’ helped professionals focus on business continuity planning and disaster recovery. But have we been focusing on the wrong things?

Earthquake Resilient Buildings

Recently a building surveyor was explaining to me the concept of earthquake-resilient buildings. He highlighted an important point: in most countries, building code objectives are mapped to collapse resilience, not to damage. The analogy is akin to a car which has designated crumple zones to absorb the brunt of the force during an accident. In other words, resilience in buildings and vehicles is all about saving lives - not the building or the vehicle. Which makes me wonder whether businesses have focused on building resilience into the wrong parts. Is the industry focused more on saving the building or the vehicle at the expense of lives?
Broadly speaking, while lives are not literally at risk (although with IoT making its way into every facet of life including medical devices, the risk does increase), there is a lot of personal information that companies are in possession of which slips under the radar of most planning sessions. The response is often summed up as, “let’s offer free credit monitoring for a year for our affected customers.” In the building analogy, it’s the equivalent of, “Sorry your building collapsed and everyone died during the earthquake. Here’s a year’s coupon to stay in a local hotel.”

Crown Jewels

Companies are pretty good at protecting their own crown jewels. But they’re often limited in what they do for their customers. One of the reasons is that the emphasis is put on the wrong type of information. PCI DSS is a well-meaning standard, but it forced companies to focus on protecting payment card data. The problem with this approach is that card data is pretty much a commodity. It naturally ages, and new cards need to be issued as a matter of course. A breach simply accelerates the process. The point being that payment cards have natural resilience built into them. That’s not to say that when cards are breached there isn’t a cost associated. It’s to avoid bearing the burden of these costs that card issuers rallied to have PCI DSS implemented, with the threat of big penalties for any company that was breached. This in turn forced companies to disproportionately invest in protecting card numbers over actual customer information. Protecting the buildings at the expense of their inhabitants. Regulations like GDPR are a step in the right direction with their focus on protecting the privacy of individuals. However, GDPR too wields a big stick with the threat of massive fines. So, companies will do what they can to protect their businesses.

Retrofitting protection

The evolution of many companies means that protection is often retrofitted under the guise of compliance.
But there is a significant difference between retrofitting to prevent business damage, and retrofitting to prevent the entire business collapsing. We need to shift the way we think of information and the controls we put in place, so that they can not only withstand the metaphoric cyber earthquake, but also protect its customers. The first part of this is for businesses to understand which aspects of their digital infrastructure are commodities or standard offerings that can be swapped out or replaced relatively easily, versus custom-designed and individual data that is irreplaceable. For this, the best place to start is the beginning. Design decisions need to be thought out better and not rely on decisions made in years gone by, when the digital landscape was a different place. Haroon Meer probably said it best when he described customer data as being toxic. It has its benefits, but companies should be prepared to wear hazmat suits when dealing with it. This includes not using personal information for trivial functions. For example, does every online registration require a user’s personal information such as date of birth? If not, then why capture it? Similarly, should the user’s email ID be used as their user ID? As email has become more important for users, so has the risk of it being targeted. Maybe the data can be captured, but alternative methods used to protect it, similar to how many companies choose to tokenize card data. Maybe your favourite pizza shop doesn’t need to store your address in all its databases; a tokenized version can suffice. So, if it does get breached, not only are the customer details protected, but business can continue with minimal disruption - allowing true resilience against such events. After all, what’s the point in protecting all your buildings if there’s no-one left to inhabit them?

Le 2018-12-05


  Alien Vault - Is Cybersecurity Insurance on Your Holiday Shopping List?
Three simple steps to protecting your small business

Continued news reports of large-scale data breaches and the steady increase of cyber fraud like spam calls, identity fraud and unauthorized account access should be enough to scare anyone. So-called nation-state hackers attempting to infiltrate government entities and universities, massive data breaches, and new ransomware threats are constantly in the headlines. So why doesn’t this encourage more small business owners to take cybersecurity more seriously? Many small businesses are currently going digital and moving data, applications and services to the cloud. In fact, the most innovative small businesses have embraced digital transformation as an integral part of their growth plans. This evolution makes their business more vulnerable to a lurking hacker. And perhaps too trustingly, many small business owners think that because of their size, they are not a target. Hackers don’t discriminate. Malware doesn’t discriminate. Everyone is a target, and in fact, hackers see the data that small businesses have as a gateway to attacking larger businesses. And malware essentially looks for open doors (i.e. unpatched machines) to infect. As we look to the start of a new year, there is no better time to assess your business’s cybersecurity posture – or in some cases start from scratch – to ensure you are prepared and can respond to cyberattacks. Here are a few affordable and simple recommendations that can improve your cybersecurity posture and help protect your business from the inevitability of a cyberattack in 2019:

Stay Aware: The simplest thing you can do is to stay current on trends and threats affecting small businesses. We’ve seen unprecedented levels of attacks on small business in 2018, especially with ransomware (where your device is essentially taken hostage for a fee). It’s essential to understand the types of attacks that could put your business at risk as well as the current cybersecurity landscape. Visit AT&T Cyber Aware for the latest news and for information on reporting fraud associated with your AT&T Business account.

Hire a consultant: A consultant can take a holistic look at your business, identify the gaps and help you understand how to improve your cybersecurity posture. While some see consultants as an added expense, their role is essential for small businesses that don’t have an IT or cybersecurity expert on staff. A consultant can help you develop and implement a plan for threat monitoring, incident response and remediation that’s within your budget.

Buy Cyber Insurance: Cybersecurity insurance isn’t new. Large enterprises have had cybersecurity insurance policies in place for decades now. However, 2019 is going to be the first year that it’s accessible and affordable to businesses of all sizes. For AT&T Business customers, this is made possible through policies underwritten by CNA, with Lockton Affinity serving as the insurance broker. A recent Ponemon Institute report found that in 2017, cyberattacks cost small and medium-sized businesses an average of $2,235,000. That’s a staggering number that will only continue to increase as hackers become more sophisticated and continue to target the most vulnerable.

My advice to small business owners – as you’re thinking about your holiday shopping list, add cyber insurance to that list to give yourself peace of mind. We know small businesses are focused on what they do best, and cybersecurity isn’t always top of mind. Let’s bring it to the top of the list for next year.

Anne Chow, President – National Business, AT&T Business

Le 2018-12-04


  Alien Vault - Award-winning Quarter Caps a Phenomenal Year
We’ve had a lot to celebrate this year. AlienVault, now an AT&T company, has received many awards, including three this quarter. In October, USM Anywhere was named the 2018 Cloud Security Solution of the Year after receiving the most votes in the industry. This recognition validates our SaaS-driven deployment model, which integrates critical security capabilities into a unified platform enabling faster threat detection and response across cloud and on-premises environments. Here’s a photo of Sophia Anastasi, AlienVault UK Partner Account Manager, accepting the award at Computing Security’s awards ceremony. Our channel team is also receiving industry accolades. Last Thursday night at the Channelnomics Innovation Awards ceremony in New York City, Mike LaPeters, Vice President of Global Channels, accepted the award for Security Partner Program of the Year in North America. In October, Mike was selected as a winner of the 2018 Channel Futures Circle of Excellence Awards for his vision, innovation and advocacy of the indirect channel in helping AlienVault solution providers create business value for their customers. On AlienVault receiving these awards, Mike said, “Both of these awards are a testament to our focus on enablement. We help participants in the AlienVault Partner Program to create new opportunities for business growth, expansion and profitability powered by AlienVault USM.” With 2018 coming to a close, we are excited to see what the new year brings as we continue to deliver phenomenal security products to our customers and solution providers.

Le 2018-12-03


  Alien Vault - Things I Hearted this Week - 30th Nov 2018
Last week I was off attending IRISSCON in Dublin and so there was no update, and this week I’ve been at the SANS EU Security Awareness Summit - so while I have been hearting things for the last two weeks, I’ve not had a chance to put them down. I don’t want to miss two weeks in a row - so I’ll give you a quick download and hopefully normal service will resume next week!

Chat app Knuddels fined €20k under GDPR regulation
The chat platform violated GDPR by storing passwords in clear text, and for this reason the regulator imposed its first penalty under the privacy regulation.
Chat app Knuddels fined €20k under GDPR regulation | Security Affairs

IOC Origins
Richard Bejtlich gives a historical view into the origins of IoCs.
The Origin of the Term Indicators of Compromise (IOCs) | TaoSecurity

The spread of low-credibility content by social bots
The massive spread of digital misinformation has been identified as a major threat to democracies. Communication, cognitive, social, and computer scientists are studying the complex causes for the viral diffusion of misinformation, while online platforms are beginning to deploy countermeasures. Little systematic, data-based evidence has been published to guide these efforts. Here we analyze 14 million messages spreading 400 thousand articles on Twitter during ten months in 2016 and 2017. We find evidence that social bots played a disproportionate role in spreading articles from low-credibility sources.
The spread of low-credibility content by social bots | Nature.com

The $1M SIM Swap
A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.
SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet

A day in the life of a Trickbot hunter
Nice writeup!
Day in the life of a researcher: Finding a wave of Trickbot malspam | SANS

Crypto hacking
If you maintain any software libraries that deal with cryptocurrency wallet private keys, there's a huge incentive for hackers to compromise your library's dependencies, and dependencies of dependencies. That's what happened with this npm package.
I don’t know what to say | GitHub

Get SaaSy
The NCSC's new SaaS security collection provides a lightweight approach for determining the security of any SaaS application. The collection also includes security reviews of the 12 most asked-about SaaS services used across UK government.
SaaS security - surely it's simple? | NCSC

Today's Deep Learning "AI" Is Machine Learning Not Magic
Well, if AI isn’t magic, I should update my Uncybered browser plugin!
Today's Deep Learning "AI" Is Machine Learning Not Magic | Forbes

Chinese Ramp up AI
When I read stories like this, my worry that machines will take over human jobs subsides. In this story, Chinese cities have rolled out AI-powered facial recognition technology to identify jaywalkers (because I’m sure they’ve solved every other crime out there). The results… well, can you say dystopian?
AI Mistakes Bus-Side Ad for Famous CEO, Charges Her With Jaywalking | CX Live

I hope to be this petty some day
Zuckerberg told Facebook execs to stop using iPhone after Tim Cook privacy comments | Apple Insider
Although, is it as petty as 50 Cent?
50 Cent buys 200 tickets to Ja Rule concert to keep seats empty in ongoing feud | CBS news

Other stories of interest
I still miss my headphone jack, and I want it back | Fast Company
AWS has released some free training | AWS
Regular Exercise May Keep Your Body 30 Years ‘Younger’ | NY Times
The Next Data Mine Is Your Bedroom | The Atlantic
The Wartime Spies Who Used Knitting as an Espionage Tool | Atlas Obscura

Le 2018-11-30


  Alien Vault - IAM and Common Abuses in AWS
This is the first of a 4 part blog series on security issues and monitoring in AWS. Identity and Access Management (IAM) in AWS is basically a roles and permissions management platform. You can create users and associate policies with those users. And once those users are established you get a set of keys (an access key and a secret key), which allow you to interact with an AWS account. So, it's kind of like having a card key into the data center: if you get into the data center, you have physical access to assets and you can do a bunch of things. In the AWS world there is no physical access to a data center, so instead you create keys and interact with the API to do the same things you would do in a physical environment, like racking servers in a data center. Common IAM risks are associated with someone getting hold of a set of keys that has a policy associated with it which enables an attacker to get into the environment and do some potentially risky stuff. Following are a couple of examples.

EC2 instance creation or deletion. This is fairly common and relatively easy to do compared with the other examples. If somebody gets hold of a set of keys that allows them to create EC2 instances in your AWS account, that’s the first thing they're going to do. There are a lot of bots out there looking for this access, and if a bot finds a set of keys that allows it to start interfacing with EC2, it's going to spin up a bunch of instances - likely to start mining cryptocurrency. This actually happened to Tesla, a pretty good-sized company with quite a few resources to allocate to securing their infrastructure. There are many examples in the news about keys getting published to GitHub inadvertently, and there are bots out there scraping GitHub looking for access keys; the second they find them they’re in your AWS account seeing what they can do.

Another scenario is roles that do automated things, like taking RDS snapshots or EBS snapshots. The attacker might abuse the automated process that backs up resources like EBS volumes or an RDS database. If an attacker gets access to that role or the keys associated with it and takes snapshots of these resources, they can deploy a new RDS database based on the snapshot. And when they do that they get to reset the passwords associated with the database. So now they've got access to all of your data without ever having the passwords required on the original RDS instance. It's the same thing with an EBS (Elastic Block Store) snapshot. If somebody is able to take a snapshot, basically of a hard drive in AWS, they can launch a new instance connected to that block store and do some interesting things with it. For example, assuming they’re able to create an SSH key pair in your account, they could launch a new instance from the snapshot and assign their key pair to the instance, giving them full access to the data of the original instance. If they can’t create SSH keys in your account, they might try to mount the snapshot to an existing instance they can already access. Basically this is a crafty way to work around credential control and access control. This is a technique that's actually been used to exfiltrate data out of AWS, just by taking snapshots.

The last example is account hijacking. One story that got some headlines a while back involved attackers getting full control of an AWS account through a set of keys. The account was compromised so thoroughly that trust in the service was eroded to the point that the company went out of business – an extreme scenario, but if someone gets that level of access in your AWS account, you can pretty well expect that they're going to hold it for ransom.

There are other risks, like S3 bucket exposure risks, that are much easier to take advantage of. The good news is that Amazon has recently added 4 new options that allow the account owner to set a default access setting for all of an account's S3 buckets. The new settings override existing or newly created bucket-level ACLs (access control lists) and policies. We’re not highlighting S3 bucket exposure risks above because there were too many to choose from. In my search for specific data exfiltration issues that have occurred with S3, I came across this GitHub repo where the well-known public breaches are organized by date. You'll find 25 different instances of actual breaches where somebody leaked data from a publicly exposed S3 bucket.

It works as follows: say somebody creates an S3 bucket, where they’ve got some process running that’s capturing some data and writing the information to a file in the bucket. Then somebody else comes along later and makes that bucket publicly readable. Or, the bucket was initially set up as publicly readable and nobody noticed. This kind of thing happens all the time, and there are adversaries out there just scanning S3 looking for publicly accessible buckets. Once they find the buckets they just scrape the data in them and figure out what treasures they've got later. They don't even care what they’re downloading. It’s a simple thing for them to carry out; it doesn't require a sophisticated attack vector.

We'll dig further into AWS security risks and what to do about them in the next blog of this series.
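Two checks that follow from the scenarios above, as an added example (this is not code from the AlienVault post or from AWS): a static scan of IAM policy documents for the permissions each abuse path depends on when they are granted on every resource, and a check that the four account-level S3 Block Public Access settings mentioned above are all switched on. The policy documents and the configuration dicts are constructed samples; the IAM action names and the four setting names are real AWS identifiers.

```python
"""Static checks for the IAM and S3 exposure paths described in the post.

Added example, not AlienVault's or AWS's code.  The policy documents below
are constructed samples; the action and setting names are real AWS identifiers.
"""
import fnmatch

# Permissions behind each abuse scenario in the post, with why a defender cares.
RISKY_ACTIONS = {
    "ec2:RunInstances": "can spin up instances (crypto-mining burst)",
    "ec2:ImportKeyPair": "can register an attacker-held SSH key pair",
    "ec2:CreateSnapshot": "can snapshot EBS volumes",
    "ec2:ModifySnapshotAttribute": "can share an EBS snapshot with another account",
    "rds:CreateDBSnapshot": "can snapshot an RDS database",
    "rds:ModifyDBSnapshotAttribute": "can share an RDS snapshot with another account",
    "rds:RestoreDBInstanceFromDBSnapshot": "can restore a copy and reset its master password",
    "s3:PutBucketAcl": "can make a bucket publicly readable",
    "iam:CreateAccessKey": "can mint new long-lived keys for persistence",
}

# The four account-level S3 Block Public Access settings.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return (action, reason) pairs for every risky action an Allow statement
    grants on Resource "*".  Action patterns ("ec2:*", "*") are matched with
    fnmatch, case-insensitively, which is how IAM evaluates wildcards."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue                      # scoped to specific ARNs: not flagged here
        for pattern in _as_list(stmt.get("Action", [])):
            for action, reason in RISKY_ACTIONS.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((action, reason))
    return findings


def public_access_block_gaps(config):
    """Names of Block Public Access settings that are not enabled.  An empty
    list means a later "someone made the bucket public" change is overridden."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]


# Constructed sample: a "convenience" policy of the kind that leaks onto GitHub.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

# Constructed sample: a backup role limited to snapshotting one volume.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeVolumes", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:CreateSnapshot",
         "Resource": "arn:aws:ec2:us-east-1:111111111111:volume/vol-0example"},
    ],
}

BLOCK_ALL = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}   # constructed: all four on


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(pol))
    print("gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

The scoped policy produces no findings because its snapshot permission is tied to one volume ARN; the broad policy is flagged for every EC2 and S3 action in the table, which is the shape of key that bots scraping GitHub hope to find.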

Le 2018-11-29


  Alien Vault - Security Orchestration, Automation and Response (SOAR) - The Pinnacle For Cognitive Cybersecurity
The cognitive tools/technologies of machine learning (ML) and artificial intelligence (AI) are impacting the cybersecurity ecosystem in a variety of ways. Applied AI, machine learning and natural language processing are being used in cybersecurity by both the private and public sectors to bolster situational awareness and enhance protection from cyber threats. The algorithmic enablers that make ML and AI pinnacles of cybersecurity are automation and orchestration. Last year, the research and analyst firm Gartner coined the term SOAR. It stands for Security Orchestration, Automation and Response. A key element of SOAR has been the automation and orchestration elements. An excellent analysis of the impact of automation was provided by Stan Engelbrecht in his column in Security Week called The Evolution of SOAR Platforms. Stan noted “as SOAR platforms evolve, they are requiring less experience from users. Vendors embed security expertise into the products, in the form of pre-built playbooks, guided investigation workflows, and automated alert prioritization. Automation and orchestration features have also reached a level of sophistication where they can be integrated into an existing security framework without relying on users to know exactly what should be automated.” Indeed, SOAR and corollary cybersecurity automation technologies combined with ML and AI tools can be viewed as a strong framework for mitigating evolving threats. AI and ML have emerged into new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms. Three significant factors are heightening the risk:

1) Skilled Worker Shortage: It is widely noted that the cybersecurity industry is facing major skilled worker shortages. According to data published on Cyberseek, U.S. employers in the private and public sectors posted an estimated 313,735 job openings for cybersecurity workers between September 2017 and August 2018. That's in addition to the 715,000-plus cybersecurity workers already employed. It is not just a U.S. problem but a global problem, and the demand for skilled workers to address the growing prevalence and sophistication of cyber-threats is growing exponentially.

2) Expanding Digital Connectivity: The expanding connectivity of the Internet of Things (IoT) has greatly increased cyber vulnerabilities. IoT refers to the general idea of devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the internet. This includes everything from home appliances to wearable technology and cars. Gartner predicts that there may be nearly 26 billion networked devices on the IoT by 2020. The number of devices provides a larger attack surface with more targets for cyber criminals and makes defending networks and endpoints even more difficult.

3) Sophistication of Adversaries: Cyber criminals are using machine learning techniques to discover vulnerabilities on their targets and to automate their own attacks (with increasing success). They often share tools available on the Dark Web, and hacker attacks are now faster, more calculating, and more lethal. The threat actors are many and varied, including nation states, criminal enterprises, and hacktivists.

The three factors I highlighted are not the only ones forcing the need for automation and orchestration tools, but they are prevailing ones. To keep up with cyber-threats and help level the playing field against attackers, companies and governments need to evaluate and assimilate many of the automation and orchestration tools that hackers employ and integrate them into their own Security Orchestration, Automation and Response (SOAR) platforms and security information and event management (SIEM) platforms. They should implement these tools and technologies under a comprehensive risk management strategy. Security automation and orchestration of applications should be commensurate with, and grow with, the derived benefits (and adversarial risks) from AI and ML. These technologies can provide for more efficient decision-making by prioritizing and acting on data, especially across larger networks and supply chains with many users and variables. The automation and orchestration tool chest can now utilize horizon scanning technologies, filter through alerts, use predictive analytics, facilitate identity management, coordinate incident response (audits and alerts), use self-repairing software and patch management, and employ forensics and diagnostics after an attack. Automation and orchestration can be valuable in enhancing existing cybersecurity architecture such as preventive security controls, including firewalls, application security and intrusion prevention systems (IPSs). Perhaps most importantly, automation and orchestration can provide a more rapid response capability across a multitude of security components and tools, whether they are located in the cloud or in onsite data centers. The faster a CISO can identify and address a threat or breach, the better the likely outcome. Combating machine-driven hacker threats requires being proactive by constantly updating and testing cybersecurity capabilities. Using ML automation platforms to recognize and predict anomalies against a database of behavioral patterns of malicious threats can be an indispensable layer in an integrated cyber-defense.

For the public sector, automation combined with ML and AI is an emerging and future cybersecurity pathway, especially for industrial systems and critical infrastructure. DARPA is investing for the Department of Defense (DoD) in developing these capabilities for the warfighter. DARPA announced a multi-year investment of more than $2 billion in new and existing programs called the “AI Next” campaign. DARPA’s website notes that “key areas of the campaign include automating critical DoD business processes, such as security clearance vetting or accrediting software systems for operational deployment; improving the robustness and reliability of AI systems; enhancing the security and resiliency of ML and AI technologies; reducing power, data, and performance inefficiencies; and pioneering the next generation of AI algorithms and applications, such as “explainability” and “common sense reasoning.”

For domestic federal security, the Department of Homeland Security (DHS) has deployed an automated cyber surveillance system called EINSTEIN that monitors federal internet traffic for malicious intrusions and provides near real-time identification and detection of malicious activity. This system is continually being upgraded. EINSTEIN is only one element of DHS’s use of automation. DHS’s newly created Cybersecurity and Infrastructure Security Agency (CISA) will be using cognitive automation for cyber, collaboration and communication capabilities in many areas of its defined mission:

Proactive Cyber Protection
CISA's National Cybersecurity and Communications Integration Center (NCCIC) provides 24x7 cyber situational awareness, analysis, incident response and cyber defense capabilities to the Federal government; state, local, tribal and territorial governments; the private sector and international partners. CISA provides cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.

Infrastructure Resilience
CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide. CISA provides consolidated all-hazards risk analysis for U.S. critical infrastructure through the National Risk Management Center.

Emergency Communications
CISA enhances public safety interoperable communications at all levels of government, providing training, coordination, tools and guidance to help partners across the country develop their emergency communications capabilities. Working with stakeholders across the country, CISA conducts extensive, nationwide outreach to support and promote the ability of emergency response providers and relevant government officials to continue to communicate in the event of natural disasters, acts of terrorism, and other man-made disasters.

Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021. That is a scary scenario. It is important that both government and industry are investing together in automation and orchestration to harness productivity and especially to address cyber-threats. It will take a vibrant partnership to help meet the threats. With every passing year, cyber criminals become more sophisticated and adept in their cyber-attacks. In view of a lack of skilled workers, expanding digital connectivity, and the growing sophistication of adversaries, automation and orchestration are key elements for a viable cybersecurity posture. Ultimately, incorporating these elements will become a cybersecurity imperative in an AI and ML guided world.

Le 2018-11-29


  Alien Vault - AlienVault Delivers Phenomenal Cloud Security for AWS Customers
Viva Las Vegas! We aliens have landed at AWS re:Invent 2018 (Booth #1506), bringing phenomenal threat detection, response, and compliance to the AWS cloud. As I gear up for a full day of live product demos, I thought I’d take a moment to highlight some of the ways in which AlienVault is delivering phenomenal security to our customers’ AWS environments and beyond.

We’re monitoring more AWS services than ever, giving you deeper security visibility of your AWS infrastructure. In 2018, we’ve expanded the number of AWS services that USM Anywhere monitors to include Amazon GuardDuty, Amazon Macie, AWS Application Load Balancer, Amazon Redshift, AWS Lambda invocations, AWS Web Application Firewall, and Amazon API Gateway. This is in addition to the other services we monitor and alert on, including AWS CloudTrail, Amazon S3 access logs, Amazon ELB access logs, Amazon VPC flow logs, AWS Config, Amazon CloudFront, and Amazon CloudWatch. Expanding our AWS threat coverage continues to be a priority for us as more and more customers undergo digital transformations and begin to leverage cloud services and applications to run their businesses. USM Anywhere continuously and automatically monitors AWS infrastructure for threats and anomalous behaviors, assesses your AWS environment for vulnerabilities and configuration errors, and simplifies logging and reporting, all from one cloud-hosted platform. What’s more, USM Anywhere centralizes security monitoring across AWS, multi-cloud, hybrid, and on-premises networks, including SaaS applications like Office 365 and G Suite, ensuring continuous coverage even as you migrate workloads and data from the network to the cloud and helping to eliminate security blind spots. This single-pane-of-glass approach alleviates the need to invest in multiple, siloed security monitoring tools for clouds, networks, and data centers, as John Chesser, Director of Cybersecurity Solutions at DataPath, a certified AlienVault MSSP, pointed out: “There's time, money, resources that are impacted by having to use the multitude of products out there. With USM Anywhere, I've got it all."

We’re keeping your defenses current with continuous AWS-specific threat intelligence. As part of the continuous threat intelligence subscription built into USM Anywhere, the AlienVault Labs Security Research team maintains an AWS-specific correlation rule set. Threat actors are increasingly targeting insecure cloud accounts to access exposed data or set up cryptojacking operations. Once an attacker has gained access to your AWS account, their actions and behaviors may be unique or specific to the environment, such as programmatically spinning up new services. It’s not enough to rely on traditional threat intelligence, which focuses on network threats rather than cloud-specific attacks. That’s why the AlienVault Labs Security Research Team curates AWS-specific threat intelligence, researching and analyzing millions of security events every day using a combination of machine learning, human analysis, and the community-sourced threat data of the AlienVault Open Threat Exchange (OTX) and its 100,000+ global participants. Here are a few examples of AWS-specific correlation rules added in 2018:

The password associated with an administrator of a Windows instance was retrieved through the AWS console, which may indicate compromised credentials
An EC2 instance in your AWS environment is querying a domain name associated with a known command and control server
The machine is behaving in a way that deviates from the established baseline; it has no history of sending this much traffic, suggesting it might be compromised
A request for temporary security credentials has been followed by the removal of multiple API keys, a technique malicious actors use to maintain persistence and prevent the owner of the AWS account from regaining access
A new AWS user account is deleting multiple user accounts in a short period of time, which could be malicious attackers trying to disrupt incident response efforts

The automatic and continuous threat intelligence updates from the AlienVault Labs Security Research Team enable USM Anywhere customers to keep up with the latest cloud security threats with minimal effort. As John Chesser noted, “Ultimately, with that integration of the threat intelligence, I haven't had to take information from a third party and try to integrate that. I'm not having to jump to some other product to do it. It's all there together.”

We’re adding another layer of AWS threat detection with the AlienVault Agent. Earlier this year, AlienVault announced the addition of the AlienVault Agent, a lightweight endpoint agent based on osquery that enables endpoint detection and response (EDR) capabilities in USM Anywhere. When deployed to endpoints within an AWS environment, the AlienVault Agent provides host-based intrusion detection and file integrity monitoring capabilities that are not possible through CloudTrail. Whereas CloudTrail provides visibility into activity that occurs at the management level, such as when someone creates a file in an S3 bucket or spins up a new service, the Agent can reveal system-level information such as which users are logging in, which files are being created, and which configurations are being modified. This helps USM Anywhere detect activity like persistence by malware and attackers. In combination, CloudTrail monitoring and the AlienVault Agent provide a multi-layered approach to threat detection in USM Anywhere. For example, let’s look at how USM Anywhere helps users detect cryptojacking. Often, an attacker will use compromised AWS credentials to gain access to an AWS environment and begin to consume your resources for cryptomining activities. USM Anywhere detects this activity through CloudTrail event logs. However, another common cryptomining attack method comes with a sneaky twist that’s much more difficult to detect. Instead of spinning up new resources that can be detected through CloudTrail monitoring, an attacker might compromise existing instances within an AWS environment, perhaps through a web vulnerability or SSH. While CloudTrail can’t provide visibility of what’s happening on the system itself, the AlienVault Agent can still detect these exploits with its endpoint visibility.

We work hard to provide powerful cloud security for AWS environments, and our customers reap the benefits. For Jason Harper, CEO and Founder of CeloPay, a payment processing technology company whose offering is built entirely in AWS, using USM Anywhere has been a game-changer. “I am thrilled with USM Anywhere,” Harper said. “The platform’s centralized log management consolidates and parses CeloPay’s millions of data points to provide full security visibility, which has reduced our PCI DSS compliance reporting time from eight weeks or more to one week.”

Overall, it’s been a great year for AWS security with USM Anywhere, and I’m proud to share the work we’ve done to help keep your AWS environments secure. Join us at AWS re:Invent Booth #1506 this week to learn more about how AlienVault secures customers' AWS environments.

Read more:
Learn more about CeloPay’s experience with USM Anywhere in this case study
Watch the AWS security webinar featuring CeloPay
Learn about PCI DSS Compliance on AWS with USM Anywhere
Read the Whitepaper: Best Practices for AWS Security
Check out our AWS Security solution brief
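The correlation rules listed above (temporary credentials followed by key deletions; a new user deleting other users) and the snapshot-sharing exfiltration path from the "IAM and Common Abuses in AWS" post earlier on this page are all sequence or attribute checks over CloudTrail records. As an added example, and not AlienVault's rule set, the Python below implements three such rules over constructed CloudTrail-shaped events. Field names (eventTime, eventName, userIdentity.arn, requestParameters) follow the CloudTrail record format; the nested shape of requestParameters for ModifySnapshotAttribute is assumed from the EC2 API, and the account id, ARNs and key ids are placeholders.

```python
"""Three correlation rules over CloudTrail-shaped events.

Added example, not AlienVault's rule set.  Events below are constructed; the
requestParameters layout for ModifySnapshotAttribute is assumed from the EC2 API.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MONITORED_ACCOUNT = "111111111111"      # constructed account id
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    # Simplification: correlate on userIdentity.arn.  For assumed-role sessions
    # the session ARN differs from the caller's; production rules link them via
    # userIdentity.sessionContext.sessionIssuer.
    return event["userIdentity"]["arn"]


def _by_actor(events):
    groups = defaultdict(list)
    for event in sorted(events, key=_ts):
        groups[_actor(event)].append(event)
    return groups


def temp_credentials_then_key_deletion(events, min_deletes=2):
    """Temporary credentials requested, then several access keys deleted by the
    same principal inside WINDOW: the persistence/lockout pattern in the post."""
    alerts = []
    for actor, evs in _by_actor(events).items():
        for i, event in enumerate(evs):
            if event["eventName"] not in ("GetSessionToken", "AssumeRole"):
                continue
            deletes = [e for e in evs[i + 1:]
                       if e["eventName"] == "DeleteAccessKey" and _ts(e) - _ts(event) <= WINDOW]
            if len(deletes) >= min_deletes:
                alerts.append((actor, f"temp credentials then {len(deletes)} access keys deleted"))
                break
    return alerts


def new_user_deletes_users(events, min_deletes=2):
    """A user created within WINDOW is already deleting several other users:
    likely an attacker disrupting incident response."""
    created = {e["requestParameters"]["userName"]: _ts(e)
               for e in events if e["eventName"] == "CreateUser"}
    alerts = []
    for actor, evs in _by_actor(events).items():
        name = actor.rsplit("/", 1)[-1]          # arn:aws:iam::<acct>:user/<name>
        if name not in created:
            continue
        deletes = [e for e in evs if e["eventName"] == "DeleteUser"
                   and timedelta(0) <= _ts(e) - created[name] <= WINDOW]
        if len(deletes) >= min_deletes:
            alerts.append((actor, f"user created and deleted {len(deletes)} users within window"))
    return alerts


def snapshot_shared_externally(events):
    """EBS snapshot made public or shared with an account other than ours: the
    'copy the disk somewhere you control' exfiltration path."""
    alerts = []
    for event in events:
        if event["eventName"] != "ModifySnapshotAttribute":
            continue
        params = event.get("requestParameters", {})
        grants = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        for grant in grants:
            if grant.get("group") == "all" or grant.get("userId") not in (None, MONITORED_ACCOUNT):
                alerts.append((_actor(event), f"snapshot {params.get('snapshotId')} shared with {grant}"))
    return alerts


def run_rules(events):
    return (temp_credentials_then_key_deletion(events)
            + new_user_deletes_users(events)
            + snapshot_shared_externally(events))


def _rec(t, name, arn, **params):
    """Build a constructed CloudTrail-shaped record."""
    return {"eventTime": t, "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params}


ADMIN = f"arn:aws:iam::{MONITORED_ACCOUNT}:user/admin"
NEWUSER = f"arn:aws:iam::{MONITORED_ACCOUNT}:user/svc-backup2"

SAMPLE_EVENTS = [      # constructed
    _rec("2018-11-28T10:00:00Z", "GetSessionToken", ADMIN),
    _rec("2018-11-28T10:02:00Z", "DeleteAccessKey", ADMIN, userName="ops", accessKeyId="KEY-PLACEHOLDER-1"),
    _rec("2018-11-28T10:03:00Z", "DeleteAccessKey", ADMIN, userName="ci", accessKeyId="KEY-PLACEHOLDER-2"),
    _rec("2018-11-28T10:04:00Z", "CreateUser", ADMIN, userName="svc-backup2"),
    _rec("2018-11-28T10:06:00Z", "DeleteUser", NEWUSER, userName="alice"),
    _rec("2018-11-28T10:07:00Z", "DeleteUser", NEWUSER, userName="bob"),
    _rec("2018-11-28T10:09:00Z", "ModifySnapshotAttribute", ADMIN, snapshotId="snap-0example",
         createVolumePermission={"add": {"items": [{"userId": "222222222222"}]}}),
    _rec("2018-11-28T11:00:00Z", "DeleteAccessKey", ADMIN, userName="old", accessKeyId="KEY-PLACEHOLDER-3"),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(*alert)
```

On the sample, the key deletion at 11:00 falls outside the ten-minute window and does not count, which is the kind of threshold a SIEM rule needs tuned per environment; the snapshot rule fires on a single event because sharing a snapshot with a foreign account id is suspicious on its own.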

Le 2018-11-29


  Alien Vault - Let’s Talk about Segregation of Duties
Segregation of duties is a fundamental information security practice. In simple terms, it means you split out important tasks between two or more people. This prevents one person from getting drunk on all the power they wield, and also prevents one person from making a mistake that can have undesired consequences. One of the best examples of segregation of duties can be seen in movies when it comes to launching nuclear missiles. The system relies on two people on opposite sides of the console to put in and turn their keys at the same time. This segregation or separation of duties ensures that one person can’t launch a nuclear missile on their own. Segregation of duties works best when there is a clearly defined function and where there is some physical separation. For example, in a call centre or a banking app, a junior administrator may be able to authorise payments up to $500, but anything above that would need a supervisor’s approval. The junior admin can enter the details and send it off to the supervisor, who can then approve or decline it. But in many cases, the broader application can have some flaws.

In one of my first jobs in IT Security, our team had implemented a process for separating duties whenever a new HSM key needed to be loaded (a key change ceremony). I worked in the team that would hold half the password to complete this task, and another team would hold the other half. Much like the end of the film Bulletproof Monk, I even had my half of the password tattooed on my back – I still don’t know what it says to this day. Once a project was underway, it meant I’d have to travel across the country to the data centre with my half of the password in order to change the key with the help of a colleague. The only problem with that is - have you ever worked on a project? It’s never on time - always delayed. And datacenters are COLD!

So here I was, sat in a datacenter with this other guy who was about 50, but was clearly experienced in these projects as he was sitting under a blanket he’d brought, reading his book and munching on some snacks. What’s wrong with this scenario? Other than the fact I didn’t have a blanket or snacks - that we’d travelled from different parts of the country, each with half of a password, only to be sat together for hours, invalidating all the expensive measures taken to segregate the two halves of the password. Even worse, I had no idea what I was doing or how to do it. I was told the documentation was up to date and easy to follow - but documentation being up to date is one of the biggest lies our team told. So, I ended up having to ask my colleague to help me out - which inevitably meant I gave him my half of the password and asked him to enter it… yeah, separation of duties kind of fell apart right there.

Having said that, those were simpler times: there was no bring your own device, and there certainly wasn’t anything hosted in the cloud. Many times when organisations adopt cloud apps, they overlook segregating duties, or defining job functions for role-based access control (RBAC). So, it ends up with an all-or-nothing approach, which works fine if all employees are trustworthy and never make a mistake. Unfortunately, it’s all too easy to make a mistake. When a single contractor is able to inadvertently leak the personal details of all employees in the database, one has to consider whether one person should have the power to do that, or if the access should be segregated. Similarly, if a rogue trader can make investments and harm a bank, one needs to question why the systems were set up in a manner that allowed them to carry out such trades with little oversight. Or allowing developers to accidentally push code to production environments with one click… Recently a French cinema chain was tricked by an email in a business email compromise (BEC) scam which resulted in the CFO making payments of $21M to the fraudsters. The question shouldn’t be why the CFO allowed themselves to be tricked, but why did the systems allow the CFO to make such large payments without any checks and balances in place? While a host of technologies can help in these situations, a bit of forethought with proper separation and accountability can go a long way. Did these people learn nothing from Bulletproof Monk? Seriously, you should watch that movie – it’s got a lot going on.
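The approval rules the post describes (a junior limit of $500, a supervisor above it, and no single officer releasing $21M on their own say-so) can be written down as a small policy check. This is an added example, not AlienVault's code or any real payment system; the user directory, roles and amounts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy and user directory (assumptions for this example).
JUNIOR_LIMIT = 500.00          # amount a junior admin may sign off alone
ROLES = {
    "alice": "junior",
    "bob": "supervisor",
    "carol": "cfo",
    "dave": "supervisor",
}
SENIOR_ROLES = {"supervisor", "cfo"}


@dataclass
class Payment:
    amount: float
    requested_by: str
    approvals: List[str] = field(default_factory=list)


def approve(payment: Payment, approver: str) -> Optional[str]:
    """Record an approval.  Returns None on success, otherwise the reason it
    was refused.  The refusals are the segregation-of-duties checks: the
    person who entered the payment can never approve it, and one person
    cannot be counted twice to satisfy a two-person rule."""
    if approver == payment.requested_by:
        return "requester may not approve their own payment"
    if approver in payment.approvals:
        return "the same person cannot approve twice"
    if approver not in ROLES:
        return f"unknown approver {approver!r}"
    payment.approvals.append(approver)
    return None


def is_releasable(payment: Payment) -> bool:
    """Up to the junior limit, one approval from anyone other than the
    requester is enough.  Above it, two distinct approvers are required and
    at least one must hold a senior role (four-eyes plus escalation).  Since
    approve() never accepts the requester, nobody, the CFO included, can
    both originate a large transfer and be the only person who releases it."""
    roles = [ROLES[a] for a in payment.approvals]
    if payment.amount <= JUNIOR_LIMIT:
        return len(roles) >= 1
    seniors = sum(1 for r in roles if r in SENIOR_ROLES)
    return len(roles) >= 2 and seniors >= 1
```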

On 2018-11-29


  Alien Vault - Is the Internet of Things Threatening Your Company’s Security?
The internet of things (IoT) is changing nearly every industry. Smart devices that can collect and process data, and even make decisions based on that data through artificial intelligence, promise to disrupt business as we know it for years to come. However, there are some legitimate concerns. The more connected devices your company has, the more potential vulnerabilities are out there. As business owners we want to be able to access the data we collect through the IoT, but we also need to be able to protect that data, and we bear the responsibility for keeping it secure. This, like many areas of business, is a time for brutal honesty. If you have vulnerabilities, you need to fix them. You don’t want to be part of the headlines about companies who acted too late or not at all. Your security must adapt to the IoT, and it needs to do so now. Is the internet of things threatening your company’s security? There are a few questions you will need to ask yourself and your IT department to truly determine the answer.

How do I know?
Most experts agree that the weakness in any network is the devices that make up the IoT. For example, if you have smart light bulbs in your home, they are likely controlled by a hub, which not only provides you with more flexibility in controlling them but also provides security so they do not become a weak point in your network. This is why an intrusion detection system (IDS) is so important. Technologies from companies like AlienVault allow you to monitor for threats and even give you advice on how to prevent harm from them. Remember there is more than one area of vulnerability in any system. Cloud-based IDS, network IDS, and host-based IDS, along with file integrity monitoring systems, are all essential parts of your strategy. These alerts tell you there is an attack and can even reveal threats to you, which allows you to put remediation and prevention strategies in place. But what are the threats you should be aware of?

What are the threats?
Why don’t we have houses that are completely smart and controlled by IoT devices? What about our cars? Part of the reason is that a hacker with the right tools could potentially take over control of a house or even a connected car from the owner or driver. For example, the Bangladesh National Bank lost $81 million due to an IoT-based attack. What are these types of attacks? There are actually several, and they mirror other types of cyberattacks.
Distributed Denial of Service (DDoS): Chrysler/Jeep was vulnerable to this type of attack. Essentially, control of devices or a system is taken by a hacker. Sometimes this comes with ransomware, where the owner or user has to pay to get that control back.
Malware: IoT devices can be used by an attacker to spread malware, sometimes to more than one device.
Botnets: A botnet is a network of computers that are infected and used to perform malicious attacks, like the fridge that was sending spam emails.
We hear about these types of attacks in the news on a regular basis, and unfortunately as security evolves and gets better, hackers innovate as well, finding new ways to get past security measures. They are always searching for vulnerabilities, so you and your business must be just as vigilant as they are.

What preventative actions can I take?
The risks are clearly out there. Just knowing there is an attack and the types of attacks is not enough, however. You also need to know how to prevent them. This is a multipronged answer, but there are some simple, general steps any business can implement to prevent all but the most determined of attacks, or at least slow them down.

Buy the Right Devices
Whether they are for your home or your business, purchasing the right devices in the first place, ones with good security ratings, is probably the most important step. Do they plug into a controller or have a controller of their own? What level of security do the controller and the device itself have? This means doing some research beyond the hype on the product or company website. Look at other online review sites, scroll through forums and groups about security, and simply ask IT security professionals who you know or who work for you.

Change Passwords from Defaults and Use Strong Ones
This may be something that seems obvious, but the number of times that an IT professional can walk into a business or someone’s home and open a device or network with a default password is amazing. Even more frequently, passwords are simple to guess or are just extremely weak. This is perhaps the most frequently vulnerable area of any system, yet it is easily prevented. You can use a password manager like LastPass, or even iCloud Keychain if you are a Mac user, to generate passwords, and the program will remember them for you. There’s no reason not to have strong passwords and change them often.

Hire the Right People
This may be the most important point of all. Encryption, comprehensive security solutions and all of the above actions depend on people, both those who know how to implement them and the employees who use them. Hire the right IT people. A degree matters in many fields, and IT is one of them. Hire someone with a degree in information systems and security, and if they have been in the workforce for a while, look at continuing education and how up to date they are on the latest techniques and technology. Educate your employees: there should be regular classes company-wide on what the latest IoT devices are, how they are vulnerable, and how employees play a role in protecting themselves and the company. Address issues right away. If you have a personnel issue or find that someone is out of compliance with your policies, take corrective action immediately. Your security is only as strong as its weakest link, and often that is the person in front of the computer. Anyone who has access to your network is a key player in IoT security. They can bypass many of your safety measures unintentionally. HR plays a big role in this process, from the hiring to the training of employees, vendors, and contractors. The IoT is a wonderful tool in the right hands and a dangerous weapon in the hands of others. Make sure that your company security is not threatened by being vigilant, knowing the threats that are out there, taking preventative action, and hiring the right people to help.

On 2018-11-29


  Alien Vault - Things I Hearted this Week - 16th November 2018
Collecting stories over the course of the week is always fun. You start reading one story, and before you know it you’re down the rabbit hole of technology, security, and privacy, reading papers on how scientists want to embed IoT devices in giraffes’ necks. Fear not, I am here to strip away the mundane and irrelevant and bring you only the best in news, designed to make your heart flutter.

Why Google consuming DeepMind Health is scaring privacy experts
Google’s decision to bring DeepMind Health, the medical unit of the AI-powered company it acquired four years ago, closer to the mothership may leave 1.6 million NHS patients with “zero control” over where their personal data goes, experts say – while an independent body set up to oversee the protection of such data has been broken up. There’s no denying that there are huge benefits to be gained from better aggregation and analysis, but by whom, with what oversight, and where does it end?
Why Google consuming DeepMind Health is scaring privacy experts | Wired
In related Google news, the company has published its first quarterly transparency report with stats on the security of the Android ecosystem.
Android ecosystem security | Google
On a side note, maybe we give big data analytics too much credit sometimes.

User Behavior Analytics Could Find a Home in the OT World of the IIoT
UBA has been around in data-centric IT for at least four years, but it has never become industry-standard, primarily because in the real world user behavior in IT is so varied and complex that UBA often creates more false alarms than useful ones. In IT, UBA has often failed to find the dangerous needle in the immense haystack of user behavior. But user behavior in process-centric OT is much simpler: OT systems run the plant, and scripted user activity is nowhere near as varied as in IT, with its multiple endpoints and inputs, email browsing, multipart software stacks, etc.
User Behavior Analytics Could Find a Home in the OT World of the IIoT | Dark Reading
IT-to-OT Solutions That Can Bolster Security in the IIoT | Dark Reading

Busting SIM Swappers and SIM Swap Myths
SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments. REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts”) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars.
Busting SIM Swappers and SIM Swap Myths | Krebs on Security

The deep, dark reach of the Magecart group
For at least four years, a distributed, sophisticated network of cybercrime groups known collectively as Magecart has been compromising ecommerce sites small and large, as well as payment processors, installing web skimmers to steal confidential information, and raking in a fortune by selling pilfered card numbers on the underground, largely without any repercussions. Although security researchers have been tracking some of the groups since 2015, only recently has the Magecart name begun to ring out, as some elements of the group have hit major targets, including Ticketmaster and Newegg, drawing the attention of several law enforcement agencies and heightened interest in the research community.
The deep, dark reach of the Magecart group | Decipher

Fake news 'to get worse' by 2020 election
Krikorian, a computer scientist who previously held senior positions at Uber and Twitter, acknowledged social media companies like Facebook are taking steps to increase transparency. But he said their business models, driven by revenue and engagement, do not incentivize solutions for fighting fake news, and the problem wouldn't fix itself by the next U.S. presidential election.
Fake news 'to get worse' by 2020 election unless social media firms act, DNC tech chief says | CNBC

DOD prepares endpoint cybersecurity strategy as mobility booms
In the end, will it come back to the endpoint? As the use of mobile devices and services pervades the lives of civilians and military personnel alike, the Department of Defense is taking a more endpoint-driven approach to how it secures its networks, developing a forthcoming enterprise cybersecurity strategy focused specifically around the gadgets people use. DOD CIO Dana Deasy said, “One of the things I keep stressing is we have to step up and face the reality about the world around us becoming more and more mobile, each and every day.” And it’s getting to a point where DOD must begin to embrace mobility, even if it means added security challenges.
DOD prepares endpoint cybersecurity strategy as mobility booms | Fedscoop

The rise of multivector DDoS attacks
A really good post on DDoS trends and the rise of multivector DDoS attacks, which shouldn’t come as a complete surprise to most; but seeing this analysis helps quantify it all.
The rise of multivector DDoS attacks | Cloudflare

Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution
So, the ICO does have some teeth after all. A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence. Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex. He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.
Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution | ICO

Clickjacking on Google MyAccount Worth 7,500$
A nice writeup by a researcher who found a clickjacking bug on Google. My favourite was the timeline at the end:
Aug 11: Report to Google
Aug 15: Google Staff Ask Detail
Aug 15: Adding Detail
Aug 21: Google Can’t Prove Bug
Aug 21: Give them Video to PoC
Aug 28: Google Ask About Attack Scenario
Aug 28: Give the Attack Scenario
Sep 11: Nice Catch!
Sep 25: Bounty 7,500$
Sep 25: I Cry.
Clickjacking on Google MyAccount Worth 7,500$ | Apapedulimu

Other things I liked this week
Why I Dislike Applying “Game-ification” To Goal-Oriented | Paul Jorgensen
The future of data storage isn’t on the cloud - it’s on the ‘edge’ | Independent
Mysterious Re-Routing of Google Traffic Could Have Been an Attack, or Just a Glitch | Gizmodo
System error: Japan cybersecurity minister admits he has never used a computer | Guardian

On 2018-11-29


  Alien Vault - Defending Against Zero-Day Attacks with AlienVault USM Anywhere
Introduction
Recently, an AlienVault customer reached out to ask how AlienVault handles the detection of zero-day attacks, which are exploits against previously unknown vulnerabilities. In this blog, I shed light on how we approach this. Modern security products rely on some definition of threats, whether that definition is as specific as a signature that identifies a unique strain of malware or as general as a behavior pattern that threat actors employ broadly across different strains of malware. The challenge of security is keeping those definitions up to date as attacks emerge and evolve in the wild every single day. Most organizations outside of the Fortune 500 do not have the resources to tackle this challenge on their own. There are a few approaches to this challenge of staying ahead of the always-shifting threat landscape and new zero-day attacks. One is to discover vulnerabilities before threat actors discover them and figure out how to exploit them. Another is to identify the active exploit in the wild early and to update your defenses immediately to detect and respond to it. AlienVault uses both of these approaches to keep our customer environments secure in the face of zero-day attacks. Let’s take a deeper look at how.

Early Access to New Vulnerability Information
One way to stay ahead of emerging threats is to know about the vulnerability before threat actors have an opportunity to exploit it. As soon as a new software vulnerability or security flaw becomes public knowledge, threat actors go to work, taking advantage of the time it takes for security vendors to update their tools and for security teams to then identify and patch their vulnerabilities. That’s why it’s a security best practice for software researchers to inform security vendors of new threats and vulnerabilities before they announce them to the general public. For example, AlienVault participates in Microsoft’s Active Protections Program (MAPP). Through this program, AlienVault Labs receives early access to new vulnerability information for Microsoft and Adobe products before Microsoft publishes it in its monthly security update. This allows us to update the defenses in USM Anywhere ahead of a public announcement, giving our customers a head start in identifying and remediating the vulnerabilities in their environments.

Discovering Zero-Day Attacks as they Emerge in the Wild
Of course, the “good guys” are not always the first to discover new vulnerabilities. All too often, threat actors find and exploit vulnerabilities before vendors have the opportunity to discover and release patches for them. Thus, zero-day vulnerabilities are often discovered after they’ve been exploited in a successful zero-day attack. That’s why it’s important to have a constant watchful eye on the global threat landscape as well as the ability to operationalize new threat information as soon as it becomes available.

The Power of the Global Threat Intelligence Community
AlienVault has a couple of strategies here. First, AlienVault USM Anywhere is unique in its ability to detect zero-day attacks thanks to its direct integration with the Open Threat Exchange (OTX), the world’s largest open threat intelligence sharing community. The global OTX community of over 100,000 security researchers and practitioners contributes 19 million pieces of threat data daily, and they often alert the community within the initial minutes or hours of discovering an attack in the wild. This threat data is available to any OTX user to consume in their security tools. For AlienVault USM Anywhere users, OTX threat data is integrated and ready to use in the platform. Users can subscribe to any OTX Pulse to enable security alerting on the indicators of compromise (IOCs) published within that pulse. Users can also subscribe to email notifications to stay aware of specific attacks, threat actors, or malware families as they evolve.

AlienVault Labs Security Research Team
In addition to the community-powered threat data shared in OTX, USM Anywhere receives continuous and automatic threat intelligence from the AlienVault Labs Security Research Team. This team works on behalf of all USM Anywhere customers, monitoring the global threat landscape daily, analyzing threats with a combination of human and machine intelligence, and curating the threat intelligence that is delivered continuously and automatically to USM Anywhere. AlienVault Threat Intelligence is ready to use and is written to proactively detect higher-level activities, patterns, and behaviors to effectively automate threat hunting activities across customer environments.

Behavioral-Based Detection
Detecting threats based on IOCs like file hashes and IP addresses enables security teams to identify emerging attacks quickly and with higher confidence. Yet, alone, IOCs are fairly volatile, as threat actors can alter them very quickly, easily, and even automatically. Less volatile are the tactics, techniques, and procedures (TTPs) that threat actors use (and reuse) to carry out attacks. Think of these as the recipe for the attack - the high-level tasks they perform at each stage of the attack. These steps are often the same across different malware or campaigns, so identifying them is more effective than focusing on other methods of detection. For example, consider a network attack. The initial network intrusion may be done using a brand new, unidentified vulnerability. But, once the threat actor gains access to the system she attacked, her recipe calls for downloading the tools needed to move laterally in the network and extract data. These tools can be identified when they are downloaded or when they communicate on the network. They are independent of the initial zero-day vulnerability that was exploited in order to gain access, so we can still detect the threat by detecting the other tools used in the attack.
To do this, AlienVault Labs uses machine learning algorithms to extract threat characteristics and clusters to identify known and unknown threats. These "clusters" are based on observed network behavior, OS interactions, and more. The algorithms further analyze these clusters to identify anomalous behavior. The AlienVault Labs team uses this information to codify the tactics, techniques, and procedures, which are packaged as correlation rules and delivered continuously to USM Anywhere as part of the threat intelligence subscription. Using this strategy, AlienVault was able to detect and block the "ALPC zero day" months before it was actually identified in the wild and an IOC was written for it. This exploit is designed to take advantage of an API vulnerability in the Windows task scheduler function “SchRpcSetSecurity”, exposed over the ALPC (Advanced Local Procedure Call) interface, allowing local users to obtain SYSTEM privileges. AlienVault Labs detected this privilege escalation technique with generic detection mechanisms that are resilient to a changing attack vector. In other words, they came up with a way to detect this type of privilege escalation that is independent of the exploit it is wrapped in. So any attack, even a zero day, that uses this technique is effectively identified by AlienVault. Another example is the well-known Apache Struts vulnerability. When it was first released, there was no defense against the attack. However, once it got onto a system, it leveraged a webshell to communicate back to its masters. AlienVault USM Anywhere was already able to detect this webshell because it was used by other attackers in previous campaigns as part of their TTPs.

Summary
In this blog post, I’ve outlined a few of the techniques that AlienVault leverages to detect emerging and evolving threats, including zero-day attacks. To quickly summarize:
Early access to new vulnerability information allows us to update the vulnerability signatures in USM Anywhere ahead of public release.
OTX acts as an early warning system of experts around the world, and they are bolstered by our internal threat team to quickly find and analyze new attacks.
Advanced detection techniques like identification of behaviors and TTPs mean AlienVault can detect many zero-day attacks even if the IOCs change frequently.
See the table below for some examples of how these efforts have resulted in early detection of several different recent threats by USM Anywhere.
Vulnerabilities and Zero-day Attack Examples that USM Anywhere Defends Against
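The contrast the Behavioral-Based Detection section draws, an IOC that stops matching as soon as the tool is rebuilt versus a rule keyed on the recipe (initial access, tool download, downloaded tool talking on the network), is shown below over a constructed event log. This is an added example, not AlienVault's correlation rules or USM Anywhere's engine; the log format, hashes, hosts and addresses are all made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed IOC feed: the hash of the lateral-movement tool as first seen.
KNOWN_BAD_HASHES = {"a3f1c9e2"}

# Constructed host event log, one line per event: "<time> host=<h> event=<t> k=v ...".
CAMPAIGN_1 = [
    "10:00 host=web1 event=exploit path=/struts/upload.action",
    "10:02 host=web1 event=download url=http://203.0.113.9/t.exe sha=a3f1c9e2",
    "10:03 host=web1 event=netconn proc=t.exe dst=10.0.0.7:445",
]
# Same recipe, but the tool was rebuilt so its hash is not in any feed yet.
CAMPAIGN_2 = [
    "11:00 host=web2 event=exploit path=/cgi-bin/report.cgi",
    "11:01 host=web2 event=download url=http://198.51.100.4/x.exe sha=77bd0e10",
    "11:04 host=web2 event=netconn proc=x.exe dst=10.0.0.9:445",
]
# A download with no preceding exploit and no follow-on activity by that file.
BENIGN = [
    "12:00 host=dev1 event=download url=http://updates.example/patch.msi sha=c0ffee01",
    "12:05 host=dev1 event=netconn proc=chrome.exe dst=93.184.216.34:443",
]

LINE_RE = re.compile(r"^(?P<time>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Turn one constructed log line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"time": m["time"], "host": m["host"], "event": m["event"]}
    ev.update(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return ev


def ioc_alerts(lines: List[str]) -> List[str]:
    """Indicator matching: fires only on a hash that is already in the feed."""
    return [ev["host"] for ev in map(parse, lines)
            if ev and ev.get("sha") in KNOWN_BAD_HASHES]


def ttp_alerts(lines: List[str]) -> List[str]:
    """Behavioural correlation, per host: an exploit event, then a tool
    download, then that downloaded file opening a network connection.
    No hash is consulted, so a recompiled tool still trips the rule."""
    per_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for ev in map(parse, lines):
        if ev:
            per_host[ev["host"]].append(ev)
    hits = []
    for host, events in per_host.items():
        stage, tools = 0, set()
        for ev in events:                       # events are in time order
            if stage == 0 and ev["event"] == "exploit":
                stage = 1
            elif stage >= 1 and ev["event"] == "download":
                tools.add(ev["url"].rsplit("/", 1)[-1])   # remember the file name
                stage = 2
            elif stage == 2 and ev["event"] == "netconn" and ev.get("proc") in tools:
                hits.append(host)
                break
    return hits
```

Running both detectors over the three logs gives the post's point in miniature: the IOC rule sees only the first campaign, the TTP rule sees both and stays quiet on the benign host.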

On 2018-11-29


  Alien Vault - Top 10 PCI DSS Compliance Pitfalls
Despite the fact that PCI DSS has been in effect for over a decade, and most merchants are achieving compliance, some of the world’s largest retailers have been hit by data breaches. The sad truth is that achieving compliance doesn’t guarantee data protection, even for large organizations. For example, more than five million credit card numbers were stolen in 2018 hacks of two major retailers. Earlier this year, I hosted a webcast with Jacques Lucas from Terra Verde (one of our partners) covering challenges and best practices for achieving and maintaining compliance with PCI DSS. In his role as a QSA, Jacques has "seen it all" in terms of what commonly causes stumbling blocks for organizations on their compliance journey, which he summarized in a slide covering the Top 10 Pitfalls for PCI DSS Compliance. As a follow-on from the webcast, I wanted to dive into that area further to provide tips and best practices to help companies address those Top 10 Pitfalls for PCI DSS.

1. Improper scoping
The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that handle cardholder data. A common mistake is to overlook the systems that support and secure the CDE and fail to include them in scope. Specifically, any systems involved in managing the security of in-scope systems are also considered in scope, and need to be secured and monitored. Some examples include: IAM servers; domain controllers; key management servers; firewalls/IDS/IPS systems; log management/SIEM systems; AV management servers; and more.
Pro-tip: Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies. Additionally, monitor all access activity to validate compliance and respond to emerging risks.

2. Failing to patch systems regularly
PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. The challenge is that patching processes can be very disruptive, and even well-established companies can easily fall behind. For example, in one high-profile breach it took the company more than four months to identify an unpatched vulnerability that provided the foothold for their devastating data breach.
Pro-tip: Identifying unpatched assets and applications is a must. Be sure you schedule regular vulnerability assessment scans and prioritize patching and remediation procedures for your in-scope systems. Monitor your in-scope systems with a combination of security controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation.

3. Failing to audit access to cardholder data
PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring two-factor authentication for remote access to all in-scope systems. While many organizations have implemented two-factor authentication, they often fail to audit this access to verify that these controls are working as expected. In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise, being used in more than 39% of investigated breaches against merchants.
Pro-tip: Implement two-factor authentication on all of your CDE assets. Schedule periodic audits against these assets to verify that controls are working properly. Additionally, enable monitoring on all CDE assets to capture a baseline. Finally, configure your SIEM to trigger alarms for all activity that falls outside this baseline so you can respond quickly to potential threats.
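Pitfalls 1 and 2 above can be checked mechanically against an asset inventory: first expand the CDE scope transitively (systems that manage the security of in-scope systems, and unsegmented neighbours, are in scope), then test critical findings on in-scope assets against the one-month patch window of requirement 6. This is an added example, not AlienVault's or Terra Verde's tooling; the inventory, relationships, finding IDs and dates are constructed.

```python
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

CRITICAL_PATCH_SLA = timedelta(days=30)   # PCI DSS req. 6: critical patches within a month

# Constructed asset inventory (an assumption for this example).
#   chd:        the asset stores, processes or transmits cardholder data
#   managed_by: assets that manage this asset's security (directory, SIEM, AV, keys ...)
#   peers:      assets reachable from this one with no segmentation boundary in between
ASSETS: Dict[str, dict] = {
    "pos-app":       dict(chd=True,  managed_by=["ad-dc", "siem", "av-mgr"], peers=["pos-db"]),
    "pos-db":        dict(chd=True,  managed_by=["ad-dc", "siem", "kms"],    peers=["pos-app"]),
    "ad-dc":         dict(chd=False, managed_by=["siem"],                    peers=[]),
    "siem":          dict(chd=False, managed_by=[],                          peers=[]),
    "av-mgr":        dict(chd=False, managed_by=["ad-dc"],                   peers=[]),
    "kms":           dict(chd=False, managed_by=[],                          peers=[]),
    "marketing-web": dict(chd=False, managed_by=["ad-dc"],                   peers=["intranet"]),
    "intranet":      dict(chd=False, managed_by=["ad-dc"],                   peers=["marketing-web"]),
}


def cde_scope(assets: Dict[str, dict]) -> Set[str]:
    """Start from everything that handles cardholder data and pull in, transitively,
    its unsegmented peers and every system that manages its security.  Note the
    direction: being managed by an in-scope system does not put an asset in scope,
    managing one does, so marketing-web stays out although ad-dc administers it."""
    scope = {name for name, a in assets.items() if a["chd"]}
    frontier = list(scope)
    while frontier:
        name = frontier.pop()
        for dep in assets[name]["managed_by"] + assets[name]["peers"]:
            if dep not in scope:
                scope.add(dep)
                frontier.append(dep)
    return scope


# Constructed vulnerability-scan findings: (asset, placeholder finding id, severity,
# date the vendor patch became available).
FINDINGS = [
    ("pos-app",  "VULN-PLACEHOLDER-1", "critical", date(2018, 9, 1)),
    ("siem",     "VULN-PLACEHOLDER-2", "critical", date(2018, 11, 20)),
    ("intranet", "VULN-PLACEHOLDER-3", "critical", date(2018, 8, 1)),
    ("pos-db",   "VULN-PLACEHOLDER-4", "medium",   date(2018, 8, 1)),
]


def overdue_critical_patches(findings, scope: Set[str], today: date) -> List[Tuple[str, str]]:
    """Critical findings on in-scope assets whose patch has been available longer
    than the SLA.  Out-of-scope assets are not reported here; they still need
    patching, but they are not a requirement-6 failure for the CDE."""
    return [(asset, fid) for asset, fid, sev, released in findings
            if asset in scope and sev == "critical" and today - released > CRITICAL_PATCH_SLA]
```

With the inventory above the scope comes out as the two POS systems plus the domain controller, SIEM, AV manager and key server, and only the POS application's 89-day-old critical patch is flagged as an SLA breach.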

On 2018-11-29


  Alien Vault - New Vice President of Asia Pacific Graham Pearson Joins the Alien Nation
Today, we are happy to share that Graham Pearson has been appointed Vice President of Asia Pacific (APAC) for AlienVault, an AT&T company. In this role, Graham will lead our operations and sales strategy in the region. He is excited about joining AlienVault and providing APAC companies with the unified security management approach they need in moving to the cloud and keeping up with today’s evolving threats. “Joining AlienVault is a huge opportunity for me; it’s the right time and they have the right product at the right price for enabling fast, effective threat detection and response.” With more than 30 years of sales experience in the IT industry, 22 of those in cybersecurity, Graham has worked with Fortune 500 companies and fast-growing start-ups. Most recently, he was Vice President for Okta, an identity management company, in APAC. In four years, he grew Okta’s Australian office from one employee to 50, supporting 400+ customers in the sales territory. Graham’s experience includes sales leadership roles for Oracle’s Security and Identity Management solution and Security Business Unit within the Fusion Middleware space. He also held various sales positions at CA Technologies and Websense for security products. When Graham is not working, he enjoys spending time with his wife and two kids, ages 17 and 13. Here’s more about Graham’s journey to AlienVault! Here’s a picture of Graham with his wife, Leila, while vacationing in Las Vegas.

On 2018-11-29


  Alien Vault - Things I Hearted this Week, 9th Nov 2018
Another week, another trove of articles I read so that I could bring you only the best. Because that’s just the kind of person I am. You’re welcome.

A SOCless detection team

I can’t remember if I shared this article a few months back, and I’m too lazy to go take a look - but it’s worth revisiting. We don’t talk about threat detection and response without mentioning a SOC in the same breath. But a SOC is just one mechanism to facilitate the desired outcome. What if we could achieve the same result, but without a SOC?

A SOCless detection team at Netflix | Linkedin

Related: Threat Detection Is A Multi-Stage Process | Gartner blogs

Hey there! How much are you worth?

Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all?

Hey there! How much are you worth? | Securelist

US Cyber Command starts uploading foreign APT malware to VirusTotal

I think this is a good move; the more sharing, the better for defensive security, right? Of course there are always caveats and scenarios where one would not share, but broadly speaking I hope more companies and government departments jump on board.

The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community. The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.

US Cyber Command starts uploading foreign APT malware to VirusTotal | ZDNet

You're Going To Get Breached -- So How Should You Respond?

We live in an age in which the rate of technological advancement is unparalleled. But of course, with new technologies come new security vulnerabilities. The best example is the imminent arrival of 5G and the rise of connected devices, which alone already present numerous vulnerabilities. According to Ponemon Institute's 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report, 52% of organizations are not confident their current anti-virus software will protect them from ransomware. Even with the rise of artificial intelligence in cybersecurity and enhanced defensive software capabilities, hackers have shown themselves to be consistently one step ahead. With this in mind, businesses need to stop asking, “Will I be hacked?” and instead tackle the inevitable question, “When will I be hacked?”

You're Going To Get Breached -- So How Should You Respond? | Forbes

Destroy Logs, Hide Attacks

Apparently hacker groups are increasingly turning to log file destruction and other destructive methods as a means to hide their tracks. Nothing really new here. I remember once messing up a change as a young secops admin, and erased the logs to cover up my mistake. But that’s a story for another time.

Hackers are increasingly destroying logs to hide attacks | ZDNet

Finding Gold in the Threat Intelligence Rush

Threat intelligence feeds, sold for hundreds of thousands of dollars per year, are marketed on a specific premise: If an entity is seen acting maliciously in one place, it can be expected in others. But is that always true?

Finding Gold in the Threat Intelligence Rush | Dark Reading

DJI plugs security flaws that could have enabled access to users’ data and drone images

If exploited, the vulnerability would have given an attacker full access to a user’s account and the information within it, including video footage and photos taken by their drones as well as flight paths, GPS locations and other confidential data, without the user being aware of any intrusion.

Alexa, what’s the best way to burn a drone?

DJI plugs security flaws that could have enabled access to users’ data and drone images | HelpNetSecurity

Oracle’s VirtualBox vulnerability leaked by disgruntled researcher

An independent researcher who was disgruntled with traditional bug bounty methods took it upon himself to leak the details of an exploit in Oracle’s VirtualBox without first informing Oracle. Sergey Zelenyuk discovered a flaw that would allow him to escape from the virtual environment of the guest machine to reach the Ring 3 privilege layer used for running code from most user programs with the least privileges.

Oracle’s VirtualBox vulnerability leaked by disgruntled researcher | SC Magazine

Other stories and articles I found interesting this week

Retail focus is key to Alibaba’s new London datacentre | Computer Weekly
What it takes to be a ‘Chief Data Officer’ in 2018 | IT Pro Portal
How Amazon Makes Money: Amazon Business Model in a Nutshell | FourweekMBA

On 2018-11-29


  Alien Vault - The Many Ways your Phone Communicates
Are you familiar with all the ways that your smart phone communicates? The other evening, at dinner, I was describing to a friend how the VPN software I use on my phone masks my location when I am on the internet. Sometimes, I am in Helsinki, and other times, I may be in another part of the world. My friend asked “how expensive are your data charges for all the texts you receive while you are masquerading around the globe?” I realized that she was unfamiliar with all the ways that a smart phone communicates. Others at the table were also curious.

You have probably heard about how the smart phone in your pocket is more powerful than the computer that powered the Apollo Space missions. Not only is your phone computationally more powerful, but it can also communicate across more conduits, most of which did not exist back in those early days of space exploration. These technologies are separate and distinct. Here are some non-technical explanations that we, as InfoSec professionals, should share with our friends and family about how a phone communicates:

Text messages rely on a cell number in order to function. This is controlled by the Subscriber Identity Module (the SIM card), which resides in the phone. Your SIM card holds your cell phone number. Anyone who can access your SIM card can make phone calls under your identity, and sadly, leave you holding the bill. This is why it is very important to report a lost phone to your cell phone provider. It does not matter if your phone is password protected. The SIM card can be used in any similar unlocked phone to make phone calls.

Internet and other data connections are governed by your IP address. The phone relies on information from the SIM card to determine the carrier, but it does not use the same signal pathway as a text message. That is why using a VPN does not result in international text charges. You can connect to any Wi-Fi in the absence of a SIM card. The Wi-Fi signal does not need a phone number or a carrier to communicate. It relies on the Wi-Fi provider to complete its connection. Of course, you cannot receive text messages without a SIM card, even on Wi-Fi. Your phone will usually remind you that there is no SIM card installed.

Recently, 75% of Americans experienced a test of the “Presidential Alert” system. Even if your phone was in silent mode, the alert triggered the klaxon-level alarm on the device. This raised some speculation by none other than the comically adorable John McAfee about the presence of an “E911” chip on the phone. Bruce Schneier commented that, “This is, of course, ridiculous. I don't even know what an E911 chip is. And -- honestly -- if the NSA wanted in your phone, they would be a lot more subtle than this.”

Remember that there are also both Bluetooth and Near Field Communication (NFC) capabilities on your phone. These are usually used in conjunction with the other communication features. For example, you can connect to the Bluetooth in your automobile and then use the phone to make a phone call. Although Bluetooth and NFC possess very short-range capabilities, they are yet another method by which your phone communicates with an external entity.

The smart phone is truly a remarkable technological achievement. I wonder if most folks who own a smart phone have ever considered the various ways that these devices communicate, and one has to wonder how much they communicate without our knowledge or permission. Excuse me while I go and put my phone in the refrigerator.

On 2018-11-06


  Alien Vault - Financial Data and Analysis Predictions for 2019
The use of big data and data from the internet of things (IoT) is changing business so rapidly it is hard to predict what is next, and financial analytics are certainly no exception. While the need for financial analysts continues to rise, the way analysts perform their day-to-day functions is evolving. More data than ever before is put into the evaluation of company financials, market analysis, and investment predictions. A company’s decision to issue bonds, split stock, or even initiate stock buyback options is much more informed than ever before. So where are data and financial analytics taking us in 2019? Here is a closer look:

Advanced Analytics and Data Science

https://www.gartner.com/ngw/globalassets/en/information-technology/documents/insights/100-data-and-analytics-predictions.pdf

Data and analytics are more pervasive than ever in nearly every enterprise. They are increasingly the key to nearly every process a business engages in. These statistics tell the story best:

Deep neural networks or deep learning is in 80 percent of data scientists’ toolboxes.
By 2020 more than 40 percent of data science tasks will be automated.
Nearly 50 percent of analytics queries are done via natural language queries (voice) or are auto-generated.

In large part, this is due to wider adoption of artificial intelligence options. What this means for business and the future of analytics is simply this: by the end of 2019, 10 percent of IT hires will be writing scripts for bot interactions. In fact, according to the McKinsey Global Institute, despite the growth of both data and the use of artificial intelligence to analyze it, most companies are “only capturing a fraction of their potential value in terms of revenue and profit gains.” Their weaknesses, ones that can be solved with proper data and analytics, are many. Here are a few:

Inefficient matching of supply and demand. Many companies are not taking advantage of analytics that can predict with amazing accuracy seasonal demand and annual lulls.
Prevalence of underutilized assets. Many businesses have assets that sit idle or employees and departments duplicating tasks, something easily determined by honest analytics.
Dependence on demographic data rather than more efficient behavioral data. Behavioral data says a lot more about both clients and employees, and is much easier to use.

Over the next year, more companies will become dependent on analytics, and those companies that do not adapt will be three times more likely to fail.

The Blockchain, Predictive Analytics, and Security

What role does the blockchain play in all of this? The key is this: the blockchain security system is based on a shared ledger, a much more transparent way of saving data. Predictive analytics — essentially the ability to predict the future with some accuracy — requires a lot of data and until recently, a lot of specialized training. This is because data scientists are a new breed and help determine what data is appropriate for the predictive model. The more data produced, the more accurate the prediction. Thousands or sometimes even millions of points of data are needed. This data analytics is directly related to real-time decision making, and predictive analytics leads to goal setting and future business planning. These are all things business analysts learn through coursework and on-the-job training and understanding. Blockchain, because of the shared computing power it uses, can use natural language processing to determine the defining boundaries of the data to be analyzed. As mentioned above, more natural language queries than ever before will be posed, and blockchain has the ability to bring the power of artificial intelligence to even the smallest of businesses. Along with this power comes the security of blockchain and the stability of the data created (a complex discussion in and of itself).

Multiple Expansion and a Bullish Market

https://www.cnbc.com/2018/09/04/credit-suisse-releases-bullish-2019-stock-market-target.html

From this financial analysis, Credit Suisse has given us our first financial predictions for 2019: it is going to be a bullish year, with annual gains of around 11.4 percent. That could mean that the Fed’s recent decisions to raise rates could be right on. Why? Because according to artificial intelligence, the next recession in the U.S. is expected to begin in 2019, according to the San Diego based company Intensity. What is this artificial intelligence method, and how does it compare to its human counterparts? The company’s forecasting “engine” relies on continual model updating, much like data scientists depend on analyzing the latest data. In fact, the company is comprised of data scientists, statisticians, and PhDs. The engine takes real-time data and feeds it into several different models, which it combines to make predictions that vary with real-time conditions. You can look at the latest prediction here, which says that a recession is 82 percent likely in the next 12 months and sets the likelihood over 50 percent in March of 2019. As 2019 approaches, this kind of data, fed into artificial intelligence and deep learning models, will impact how more companies than ever do business. While we can’t take the human factor out of the equation, it seems we are becoming more and more predictable — or the machines are just getting better at it. But as always, predictions, even those with supporting data, can be wrong. All we can do is work with the data and improve the odds of the predictions being right.

On 2018-11-05


  Alien Vault - Things I Hearted this Week, 2nd Nov 2018
It’s November already, where has the year gone? I can almost still remember typing out the words for the year’s first ‘Things I hearted’ blog back in January. Re-reading it now, it feels as if not much has changed; big messes, breaches, and in-fighting seemed like the usual for the year. I was speaking with my colleague Chris Doman a couple of days ago, and he did point out that 2018 overall has largely been better because we haven’t seen any large scale attack like WannaCry. He did pause and then add “yet” - so I suppose you could say we’ve improved because this year has caused less havoc than last year? Let’s chalk risk reduction down to a win and get on with it.

IBM Acquired Red Hat

A few weeks ago, prior to the announcement of the acquisition, IBM came up in discussion with a few friends and one of them said that IBM is one of those companies that everyone has heard of, but hardly anyone knows what they exactly do outside of a few services they use. As the cool kids say, this may have been a statement designed to “throw shade” (young and hip people, please correct me if I’ve used the term incorrectly - I already embarrass my children enough by misusing lingo), but the fact is that the statement is rather true, only because most people are still trying to work out why IBM would shell out 33.4 Instagrams for Red Hat.

IBM acquires Red Hat, but what does that mean? | 451 Research blog
Why IBM bought Red Hat: It's all open source cloud, all the time | ZDNet
6 Things to Know About IBM's $34B Acquisition of Red Hat | CMS Wire
IBM’s old playbook | Stratechery

The Supply Chain

I won’t give any more air time to that ridiculous ‘grain of rice’ Bloomberg story. However, it did give everyone time to pause and think about the supply chain and how fragile it is. It’s easy to overlook the reliance businesses have on partners and their security. Dan Goodin took a peek behind the curtain of this shady practice and wrote on two supply-chain attacks.

Two new supply-chain attacks come to light in less than a week | Ars Technica

Would you Compromise Privacy for $850m?

Under pressure from Mark Zuckerberg and Sheryl Sandberg to monetize WhatsApp, Brian Acton pushed back as Facebook questioned the encryption he'd helped build and laid the groundwork to show targeted ads and facilitate commercial messaging. Acton also walked away from Facebook a year before his final tranche of stock grants vested. “It was like, okay, well, you want to do these things I don’t want to do,” Acton says. “It’s better if I get out of your way. And I did.” It was perhaps the most expensive moral stand in history. Acton took a screenshot of the stock price on his way out the door—the decision cost him $850 million.

WhatsApp Cofounder Brian Acton Gives The Inside Story On #DeleteFacebook And Why He Left $850 Million Behind | Forbes

On the topic of money for ads: We posed as 100 Senators to run ads on Facebook. Facebook approved all of them. | Vice

On the other side of privacy: Tim Cook blasts 'weaponisation' of personal data and praises GDPR | BBC

What are Everyone’s Kids Doing at School?

Another one to be filed under “what were they thinking?” - both the developers, and to be honest, do schools really need to share every minor detail via an online portal? What happened to good old-fashioned parent-teacher meetings?

Remini, a smartphone app that launched in 2013, aims to provide parents and educators with a social network to follow a child’s progress throughout school and their early life, documenting important milestones and letting parents share images with their child’s school. But Remini exposed these, and the personal information of its users, to the internet writ large, thanks to an API that let anyone pull the data without any sort of authentication. The data included email addresses, phone numbers, and the documented moments of the children as well as their profile photos, according to a researcher who discovered the issue.

'Remini' App Used by Schools Left Personal Info Open to the World | Motherboard

Pakistani Bank Has Millions Taken

Apparently Bank Islami Pakistan was subject to a massive attack where many customers reported seeing transactions on their cards abroad. It’s alleged that attackers were able to breach the data centre of the bank and sold the customer details. I found this interesting because Pakistani businesses probably have had lesser worries in the past. But as organisations such as banks go through a digital transformation, they are opening themselves up to a much broader range of threats, something they probably haven’t accounted for. It’s not too dissimilar to what we see in other parts of the world, where companies such as small or medium businesses didn’t use to get attacked as often, but now it’s pretty much a daily part of life.

Bank Islami Comes Under Biggest Cyber Attack of Pakistan’s History | Daily Punch

Explain TLS Easily

A good way to explain TLS to someone.

The Illustrated TLS Connection | @XargsNotBombs

How to Choose Which Conference to Attend

There’s no way to say this nicely, but there are just too many security conferences in the world today. I think it would be a good idea to try to emulate Tom Hanks from “The Terminal”, but instead of living in an airport, see if one can spend a whole year or half a year only going to conferences. Actually, that sounds like a terrible idea, don’t try it. But what makes a conference worth attending or not? I found a good post by Valerie Lyons which may help you decide.

Conference trick: how to choose worthwhile security and privacy events – and which to avoid | BH Consulting

On 2018-11-02


  Alien Vault - Cybersecurity & Formula 1 Racing - It’s a Profession
This is perspective from one of our MSSP partners, CyberHat.

Formula 1 is a serious business. It takes years of expertise and practical foot work to design, build and operate a winning Formula 1 team. It's easy to think that success depends on the car and the technology. But in reality, a cutting edge engine in the best car in the world can’t win a race alone. Without an expert driver and a highly experienced and dedicated support team, you just can’t finish first.

When it comes to cybersecurity, everyone wants to win the race of protecting their assets and detecting and responding to threats to mitigate risk. Most organizations today will invest heavily in cyber security technology, buying it, integrating it and implementing it into the organization, yet very few will focus on the teams driving the technology, supporting and utilizing it. It’s a simple belief that if you get a good enough car, you don’t need to be a good driver, when the reality is exactly the opposite – if you’re a good enough driver, you can get a lot out of pretty much every car.

Today, more and more companies are looking for fully encompassing cyber security solutions and are gradually consolidating into Security Operations Centers (SOCs) to help manage their security issues, and this is a smart move. SOCs are where cybersecurity teams detect, analyze and respond to threats against an organization. Their core task is to use the tools and skills at hand in order to provide the organization with an ongoing, relevant and professional security posture. Yet in the current cybersecurity landscape not all SOCs were created equal. It is important to understand what components are imperative for a SOC to be most effective.

Formula 1 fact: The best Formula 1 pit crew can refuel and change a tire in just 3 seconds. They are the best in their field and they are dedicated to a strong set of processes. This is true for the SOC team as well. High expertise and seamless teamwork are important to effectively curtail the dangers of cyber-attacks and navigate the cyber field safely and in a timely manner.

Many SOCs might have dedicated Tier 1/2 analysts, who can change tires and refuel seamlessly on the usual runbook procedures for many common or predictable cyber threats, but they are not experts in managing larger scale incidents like a blown gasket or jammed piston, which entails the response of a more experienced mechanical team or, in cyber terms, Tier 3/4 analysts. These are highly trained, specialized professionals with in-depth experience that are able to tackle complex, unusual incidents and attacks under severe time pressure.

For example, sometimes cyber-attacks cannot be detected, deflected or blocked before they begin. Then it is the SOC’s responsibility to contain and protect as well as investigate and conduct a meticulous analysis for preventing similar incidents, through a dedicated Forensics Team. The Forensics Team of a SOC is dedicated to evaluating necessary damage repair and implementing novel or near-real-time responses.

The core trade for a professional is the old saying – “practice makes perfect”. Constantly getting your hands dirty with the nitty gritty work, repeatedly executing complex tasks in as versatile an environment as possible, is the only way to become a professional and the only way to stay one.

Not all security issues are as dramatic as a direct attack; some are measured in how “ready” your organization is for the “when” scenarios. In the race to being secure, organizations many times fail to properly calibrate or stay up to date with internal components - whether it is infrastructure or personnel. A dedicated SOC has an Onboarding Team that ensures that specific security and IT elements like Security Information and Event Management (SIEM) systems are properly configured and calibrated and that employees are properly trained to understand, analyze and act on their output.

Just like a Formula 1 team, when a SOC has a solid, strong and professional cybersecurity team, the synergy in the teamwork ensures optimal performance and protection within the dynamic and complex cybersecurity world. Professionalism is the key to effectively curtailing the dangers of cyber-attacks. Ensuring a complete, professional and experienced team is what turns an ordinary team into a winning team. As the saying goes, "The whole is only as good as the sum of its parts".

Register for our webinar on Thursday, November 8th at 1pm CST to learn more about how professional SOCs are designed, built and operated.

On 2018-11-01


  Alien Vault - It’s the Season of Lists - Time for a Meaningful Risk List
I attended the Cybersecurity Summit in Phoenix recently and presented on the topic of minimizing risk. There were some great conversations around the value of risk management within the cyber threat landscape. Here are some of my musings from the event.

We are now at the forefront of a world of digital transformation. Beyond being a buzzword, digital is part and parcel of our daily lives today. According to the World Economic Forum report earlier this year, cyber-attacks and data theft/fraud bubbled up to number two and three of the top five threats in terms of likelihood of occurrence, and cyber risks intensified. With the scale of attacks today, along with the ingrained expectation that you’re either an organization that has been breached or you’re going to be, there is a lot of chatter about investments being made in cybersecurity technologies and how breaches still happen. Prevention is now being balanced with detection and response. Given this, the focus has turned to the need for cyber to be addressed as a business challenge, and measurement of risk is key.

Before you go ahead with a cybersecurity investment plan for 2019, consider answering the questions below.

• What are your top 5 cyber risks based on priority?
• Can you describe the actual loss impact in business terms for each of your top 5 risks?
• How are these cyber risk impacts aligned to your risk appetite?
• Are you truly reporting on cyber risks, or is it compliance driven with reporting on control effectiveness?
• Have you considered how you plan to deal with the current risks and emerging risks, and treat these risks on an ongoing basis?

A common business edict is: “If we can measure it, we can manage it.” In the security space, the term GRC (Governance, Risk and Compliance) is common, but typically most organizations have been driven by the compliance focus. Spending has been primarily compliance driven, and along the way, too many risk assessments have been conducted with a checklist approach.

As you plan for the 2019 cybersecurity budget, here are four handy tips to consider that can help cut to the core of cyber risk management.

1. Risk counts, but don’t just be counting

Counting all the risks – as an end – is just a part of thorough risk identification. The question is not, in any case, how many risks you can think up, but what is relevant to your business, i.e. what exactly the key vulnerabilities are in achieving your business objectives.

2. Ongoing debate of Qualitative versus Quantitative

The key here is structured versus abstract. You must be able to measure the risk and quantify it. However, if your organization is going the qualitative route, keep in mind you must back the risk with data to differentiate the levels of risk. After you have conducted a meaningful risk assessment to identify the inherent risks faced because of the business you do, the next step will be to understand what risk mitigation strategies are required, with what priority, invoking what resources.

3. Continuous Cyber Risk Monitoring

Cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud adoption, increasing digital transformation investments, and advancing data analytics sophistication. As these transformations continuously grow the digital footprint, they outpace the security protections companies have in place.

4. Know your Risk Appetite

Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. The current level of controls for security and privacy that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize. It is a truism that different types of risk require different types of defensive strategies. A more specific idea is that defensive measures should be proportionate in cost to the potential harm that may be suffered through a data breach and the likelihood of that breach occurring. The key is to balance risk versus reward.

Conclusion

Risk management is at a fascinating point in its evolution. It is now recognized to be not only fundamental to an organization’s financial stability and regulatory compliance, but also an essential part of the cybersecurity strategy. Defining the best security measures can be difficult because each organization has different goals, requirements, and tolerance for risk. All organizations need to assess what they have in place today, review where they want to be in the future, and build a roadmap that will help them reduce their risk as their business expands. How are you able to identify and address new risks quickly while you deliver new technologies? I would love to hear successful techniques and insights on your partnership with finance, operations, and the business as we move to the risk function of the future.

On 2018-10-31


  Alien Vault - AlienVault Open Threat Exchange Hits Major Milestone with 100,000 Participants
Today, I’m excited to announce that AlienVault® Open Threat Exchange® (OTX™) has grown to 100,000 global participants, representing 36% percent year-over-year growth. AlienVault OTX, launched in 2012, is the world’s first free threat intelligence community that enables real-time collaboration between security researchers and IT security practitioners from around the world. Every day, participants  from more than 140 countries contribute 19 million pieces of threat data to the community. OTX enables companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyber-attacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack). As Russell Spitler, SVP of Product for AlienVault, an AT&T company,  explains, “Attackers rely on isolation - they benefit when defenders don’t talk to each other. We can’t be everywhere at once, but they can learn from each others’ experience. With the growth in OTX membership, we all benefit from the diversity of threat intelligence from an even wider variety of participants.” To provide big-picture perspective on the billions of security artifacts contributed to OTX this year, AlienVault Security Advocate Javvad Malik and Threat Engineer Chris Doman have created the OTX Trends Report for 2018 Q1 and Q2. Like the 2017 report, this analysis reveals trends across exploits, malware, and threat actors, including top-ten rankings of the most seen exploits and adversaries recorded in vendor reports. The analysis reveals changes in the threat landscape, including a shift in the most reported exploits. For example, this year’s report reveals a rise in server exploits, as well as marking the first time an exploit targeting IoT devices (GPON Routers) has made the list of most-seen exploits. 
Encouragingly, the OTX Trends Report shows an uptick in information sharing across the InfoSec industry, including a wealth of independent research shared on Twitter. According to the report, “As more companies and researchers look at ways to share threat data, we see more usable and useful information flow into OTX. This openness and collaboration has resulted not only in organisations being able to defend themselves better - but increasing circles of trust within the industry where actual threat intelligence is being shared more openly. A trend that we have seen grow over the years.”

The sheer volume of security events in the OTX Trends Report reflects how important it is to keep up with the latest threat intelligence. Without threat sharing, malicious actors can reuse effective exploits and pivot from target to target: a campaign against the UK legal industry can be repurposed against bankers in the United States, while researchers working in silos start from scratch each time. For example, the report shows that the most commonly reported exploit, CVE-2017-11882, has been reused widely.

By joining OTX, participants can strengthen their defenses and share real-time information about emerging threats, attack methods and malicious actors. The diversity of OTX participants across countries, industries and organization sizes gives every community member a more comprehensive data set, enabling better threat detection. Beyond participant-contributed indicators, the community also benefits from the threat data provided by AlienVault's network of OTX partners, including Intel, Microsoft MAPP, Cyber Threat Alliance, QiHoo360, Telefonica, Hewlett-Packard Enterprise and more. Partner contributions enrich the threat intelligence available within the community and support the analytics available to OTX participants.

This collaboration across the InfoSec industry provides added assurance that participants have the information they need to detect the latest threats as they emerge. OTX can also act as a STIX/TAXII provider and platform, so ISACs and other threat intelligence providers can share their curated intelligence over STIX/TAXII to their own devices or to their customers.

AlienVault has made it easier than ever to use OTX data to detect and respond to threats in your own environment. Earlier this year we introduced OTX Endpoint Security™, a free service in OTX that lets anyone quickly identify threats by scanning their critical endpoints. OTX participants can use the osquery-based AlienVault Agent to scan endpoints for the presence of known indicators of compromise catalogued in OTX. For example, when a major attack like Petya or WannaCry occurs, participants can run queries against the latest threat data in OTX pulses to find out whether their endpoints have been compromised, without additional security products. OTX Endpoint Security is available to all registered OTX participants at no cost.

For users of AlienVault USM Anywhere™, OTX provides even deeper benefits. USM Anywhere consumes OTX threat data in multiple ways, enabling busy security teams to detect and respond to the latest global threats as they emerge, without extra cost or effort. As Lee Thomas Hagen, Strategic Consulting, Dataprise, Inc. explains, "With AlienVault we have been able to reduce lag times by not having to invest into specialized research for which we rely on AlienVault Security Labs and OTX." The AlienVault Labs Security Research Team consumes OTX threat data, applying machine learning and human analysis to validate and expand on the threat scenarios, and uses this intelligence to curate and deliver continuous threat intelligence updates to USM Anywhere.

USM Anywhere users can subscribe to OTX threat data and use it directly for correlation with any connected data source. Whether integrated directly with USM Anywhere or synchronized with your other security products through the OTX DirectConnect API, emerging threat data from OTX can help your team keep up with the ever-changing threat landscape. According to Christian B. Caldarone, Information Security Officer at Deutsche Post Dialog Solutions GmbH, "AlienVault USM is very effective in detecting real security threats, as their OTX integrated threat intelligence has a very good reputation in the industry. Thanks to its being open to others too, other heavyweight champions like the Bro security monitor can integrate the OTX feed too (yes, and this is done by many security people out there). This says more than words."

Additional Resources:
Read the OTX Trends Report for 2018 Q1 and Q2
Join the AlienVault Open Threat Exchange today
New! Free Threat Hunting Service from AlienVault – OTX Endpoint Security™
Learn more about threat intelligence in USM Anywhere
Take USM Anywhere for a test drive in the online demo
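The matching step that the agent and USM Anywhere perform against OTX pulses can be shown offline. The following Python is an added example written for this page, not AlienVault's agent or USM code: it loads a constructed pulse export whose records mirror the shape of the `indicators` list the DirectConnect API returns (a type plus a value; the live feed is fetched from the API with an OTX API key, and that fetch is left out so the block runs without network access), normalises the indicators, and runs a few constructed DNS, proxy and osquery log lines through them. It handles the cases a naive string match gets wrong: CIDR indicators, trailing dots and mixed case in domains, and the difference between a `domain` indicator (taken here to cover every host beneath it) and a `hostname` indicator (exact match), which is this example's convention rather than anything OTX mandates.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of an OTX pulse export: each pulse carries a
# name and a list of {"type", "indicator"} entries (a subset of the fields the
# DirectConnect API returns). Not real OTX data; values use documentation ranges.
SAMPLE_PULSES_JSON = json.dumps({"results": [
    {"name": "Constructed pulse A: staging infrastructure", "indicators": [
        {"type": "IPv4", "indicator": "198.51.100.23"},
        {"type": "CIDR", "indicator": "203.0.113.0/24"},
        {"type": "domain", "indicator": "Malicious.example."},
        {"type": "hostname", "indicator": "update.trusted-cdn.example"}]},
    {"name": "Constructed pulse B: dropper hashes", "indicators": [
        {"type": "FileHash-SHA256", "indicator":
         "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}]},
]})

# Constructed log lines (DNS resolver, web proxy, osquery file hash), not from
# any real system.
SAMPLE_LOG_LINES = [
    "2018-10-30T10:01:02Z dns query A cdn.malicious.example from 10.1.2.3",
    "2018-10-30T10:01:05Z proxy 10.1.2.3 GET http://203.0.113.77/update.bin 200",
    "2018-10-30T10:01:09Z osquery path=/tmp/update.bin "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2018-10-30T10:02:00Z dns query A www.example.com from 10.1.2.9",
    "2018-10-30T10:02:11Z proxy 10.1.2.9 GET https://198.51.100.23:8443/ 403",
    "2018-10-30T10:02:30Z dns query A update.trusted-cdn.example from 10.1.2.4",
    "2018-10-30T10:02:31Z dns query A mirror.update.trusted-cdn.example from 10.1.2.4",
]


def load_indicators(pulses_json):
    """Build normalised lookup tables; each value is (pulse name, OTX type)."""
    tables = {"ip": {}, "cidr": [], "domain": {}, "hostname": {}, "hash": {}}
    for pulse in json.loads(pulses_json)["results"]:
        for ioc in pulse["indicators"]:
            kind, value = ioc["type"], ioc["indicator"].strip()
            tag = (pulse["name"], kind)
            if kind == "IPv4":
                tables["ip"][str(ipaddress.ip_address(value))] = tag
            elif kind == "CIDR":
                tables["cidr"].append((ipaddress.ip_network(value, strict=False), tag))
            elif kind in ("domain", "hostname"):
                tables[kind][value.lower().rstrip(".")] = tag
            elif kind.startswith("FileHash-"):
                tables["hash"][value.lower()] = tag
            # URL, CVE, email and other OTX types are not matched by this example.
    return tables


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")


def extract_observables(line):
    """Pull IPv4 addresses, host names and file hashes out of a free-form log line."""
    text = line.lower()
    ips = []
    for candidate in IPV4_RE.findall(text):
        try:
            ips.append(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. 999.1.1.1 looks like an address but is not one
            pass
    return ips, HOST_RE.findall(text), HASH_RE.findall(text)


def match_line(line_no, line, tables):
    """Return one hit per (observable, indicator) pair found on the line."""
    hits = []

    def record(observable, indicator, tag):
        hits.append({"line": line_no, "observable": observable,
                     "indicator": indicator, "type": tag[1], "pulse": tag[0]})

    ips, hosts, hashes = extract_observables(line)
    for ip in ips:
        if str(ip) in tables["ip"]:
            record(str(ip), str(ip), tables["ip"][str(ip)])
        for net, tag in tables["cidr"]:
            if ip in net:
                record(str(ip), str(net), tag)
    for host in hosts:
        # hostname indicators match exactly; domain indicators also cover every
        # label beneath them (cdn.malicious.example -> malicious.example).
        if host in tables["hostname"]:
            record(host, host, tables["hostname"][host])
        labels = host.split(".")
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in tables["domain"]:
                record(host, parent, tables["domain"][parent])
                break
    for digest in hashes:
        if digest in tables["hash"]:
            record(digest, digest, tables["hash"][digest])
    return hits


def scan_logs(lines, tables):
    """Run every line through match_line and return all hits in log order."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        hits.extend(match_line(line_no, line, tables))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG_LINES, load_indicators(SAMPLE_PULSES_JSON)):
        print(f"line {hit['line']}: {hit['observable']} matched {hit['type']} "
              f"{hit['indicator']} from pulse '{hit['pulse']}'")
```

Run as a script it prints five hits (the www.example.com lookup and the host underneath the exact-match hostname indicator are correctly left alone). In practice the input would be the agent's or SIEM's log stream, and a hit is a lead for correlation with other sources, not a verdict on its own.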

Posted on 2018-10-30


  Alien Vault - Spicing up the MSSP World
We love conducting surveys at conferences. Not only do we gain insights from some of the smartest people in attendance, but we get a few extra minutes to mingle and get to know them better. So, while we were at SpiceWorld in Austin this year, we set out to capture thoughts on outsourcing security. 380 attendees took part in our survey, giving us the following insights.

How Much is Outsourced?
The first question established a baseline for how security operations programs are currently sourced. A majority, 60 percent, run security operations completely in-house. At the other end of the spectrum, a shade under 5 percent of participants' companies completely outsource security operations. The remainder outsource some aspects of their security operations, with most keeping the majority of functions in-house.

Attitudes Towards Outsourcing
The next question was how participants felt about outsourcing security operations as a whole. Just over a quarter, 26 percent, believed that security should never be outsourced. However, 41 percent believed that security operations should be outsourced as much as possible, as long as the service provider is good. The key point here is the caveat: the quality of the service provider. Companies looking to outsource any aspect of their security operations should vet potential providers and assure themselves that the provider is holding up its end of the deal. That assurance can take many forms. At a simple level it could be unplugging a server and waiting to see how long the provider takes to notice. Alternatively, at the risk of sounding like Jeremiah Grossman, the right incentives are needed, whether in the form of a warranty from the vendor or even insurance.

One aspect we did not go into was the drivers that lead companies to outsource. The skills gap is an important discussion point. Many companies don't have the right staff, or enough staff, internally to meet growing needs. According to the 2018 (ISC)2 Cybersecurity Workforce Study, there is a shortage of nearly 3 million cybersecurity professionals. Another factor could be that many security operations tools, technologies and processes have become increasingly standardised over the years. This standardisation lets companies outsource certain aspects of security operations in a relatively commoditised manner.

Budgets
To get an indication of where the market is heading, we sought to understand budgets and future spending trends. The majority of participants believe the return on investment is justified when outsourcing security. This should not be surprising for security operations tasks that have good economies of scale. Furthermore, both in-house and outsourced security operations budgets are largely set to increase: 33 percent reported a planned increase in their in-house security operations budget over the coming year, and 25 percent are looking to spend more on outsourced security operations.

Conclusion
In a short survey with a limited audience it is difficult to draw hard and definitive conclusions, but it does provide some indicators worth exploring. Compared to a few years ago, there appears to be greater acceptance and adoption of managed security partners to handle security operations. This trend looks set to continue, driven by a combination of factors including the skills shortage, standardisation of security operations technologies and processes, and increased confidence in the services and monetary value offered by service providers.

Posted on 2018-10-29


  Alien Vault - Things I Hearted this Week, 26th October 2018
Wordpress Wants to Erase its Past
I was just flexing my clickbait title muscles with the heading here. But according to a talk at DerbyCon, the WordPress security team stated that its biggest battle is not against hackers but its own users, millions of whom continue to run sites on older versions of the CMS and regularly fail to apply updates to the CMS core, plugins or themes.
WordPress team working on "wiping older versions from existence on the internet" | ZDNet

The Penalties Keep Rolling in
Looks like the regulators have recently seen the Arnie classic Pumping Iron, as they flex their muscles to penalise companies for lax security. First up, supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potentially hefty class action pay-out.
Morrisons Loses Insider Breach Liability Appeal | InfoSecurity Magazine
In other news, Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge Analytica data scandal. The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place. The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May.
Facebook fined £500,000 for Cambridge Analytica scandal | BBC

Breaches at 32,000 feet
Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including passport numbers, has been accessed by unauthorised parties in the latest security screw-up to hit the airline industry.
Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bare | The Register
British Airways, still encountering turbulence following its hack in September, has revealed that a further 185,000 customers' details could have been compromised.
British Airways reveals a further 185,000 users affected in September data hack | City AM

Fool Me Once
Children's Hospital of Philadelphia has reported two data breaches that occurred in August and September of 2018. On August 24 the hospital discovered that a hacker had accessed a physician's email account on August 23 via a phishing attack. A second breach, found on September 6, revealed unauthorized access to another email account on August 29.
Children's Hospital of Philadelphia victimized twice by phishing attacks | Health Data Management

Some Notes for Journalists About Cybersecurity
The recent Bloomberg article about Chinese hacking of motherboards is a great opportunity to talk about problems with journalism. Journalism is about telling the truth, not a close approximation of the truth, but the true truth. They don't do a good job of this in cybersecurity.
Some notes for journalists about cybersecurity | Errata Security

CVE-2018-8414: A Case Study in Responsible Disclosure
Vulnerability management and responsible disclosure can be a tricky tightrope to walk at times. But this writeup by Matt Nelson on the process he recently went through is really insightful.
CVE-2018-8414: A Case Study in Responsible Disclosure | Medium, Matt Nelson

What Does it Take to be a CISO?
How do people working in a Chief Information Security Officer (CISO) position or its equivalent view cybersecurity? Which problems do they face? To answer those questions, Kaspersky Lab surveyed 250 security directors from around the world.
What it takes to be a CISO: Success and leadership in corporate IT security | Kaspersky

The Hunting Cycle and Measuring Success
This is an older article I came across, but the principles are worth going over again.
The Hunting Cycle and Measuring Success | Finding Bad

Other Things I Liked This Week
The Wildly Unregulated Practice of Undercover Cops Friending People on Facebook | The Root
Compassionate—Yet Candid—Code Reviews | YouTube, April Wensel

Posted on 2018-10-26


  Alien Vault - Why Spending More On Security Isn't The Answer
Volume 8 of the AT&T Cyber Insights report looked into whether organizations that invest more in cybersecurity achieve better outcomes than those that don't. The answer was a resounding no. On the surface this may seem counter-intuitive; after all, how many CISOs have you ever heard complain about having too much security? But if we look at the trend as an inverted U, or the law of diminishing returns, when you overdo something you eventually stop seeing benefits and may even see losses.

Getting the Porridge just Right
Much like Goldilocks, the question is how much security is just right. Wendy Nather, former Director of the Enterprise Security Practice at 451 Research, set out to establish The Real Cost of Security. In her research, security professionals gave a wide range of responses as to which security technologies are needed, with the majority able to trim their list to around 10. The pricing of these 10 technologies varied greatly depending on factors such as vendor, mode of deployment and whether the product was open source; the first-year cost, including technology and staff, ranged anywhere from $225,000 to $1.46m.

Expense in Depth
For many companies, especially those with small or mid-sized security teams, managing 10 or more individual security products is challenging. Former Forrester analyst Rick Holland coined the phrase 'expense in depth' for the way many companies use the defense in depth concept to justify buying ever more security products. The problem is that this leads to too many technologies that don't complement each other, which inevitably results in a multi-layered approach with minimal return on investment. This leaves us at something of an impasse: a variety of security controls is needed to provide adequate coverage, but too many security products increase expense, not just to procure but to manage, and the result is often security shelfware.

More Capability in Fewer Products
To avoid these pitfalls, companies, especially those with small to mid-sized security teams, should look to invest in fewer products that offer greater functionality. The good news is that many security technologies have become standardised and no longer need to be acquired or deployed individually. Vulnerability scanning, for example, is largely a standardised function: while some scanners perform better than others, by and large you point one at your assets and receive the expected output. So the question companies should ask is what benefit they gain by running vulnerability scanning as a separate service with a standalone technology, compared to a platform that offers several security functions of which vulnerability scanning is one. The same could be said for anti-virus, IDS or SIEMs; the value of running any of these as dedicated standalone services is diminishing. Take your smartphone: it has replaced a pager, phone, camera and even a flashlight with one device. One could argue that a standalone camera or flashlight is a superior product, which may be true, but it comes with the overhead of extra batteries and of carrying those devices around.

Getting a Helping Hand
Beyond reducing the number of disparate security products, companies can also take advantage of managed security providers to complement their teams' capabilities. This can be a good way to offload non-critical monitoring tasks so that the in-house security team can focus on protecting the crown jewels of the organisation. An additional benefit is that it takes away the process of choosing the right technology, too. The MSSP monitors logs and alerts you when something warrants further investigation. Think of it like your energy provider: you may not know whether your provider is burning coal or using wind farms, solar or some other option, but the end result is the same, a consistent supply of electricity into your home.

Insurance
The third leg of the stool could be cyber insurance. This matters most for smaller companies wanting to do business with large enterprises, which may insist on cyber insurance in the event of an incident or a breach. As companies rely more and more on their digital infrastructure, any disruption has a greater impact on the bottom line. Ransomware can grind a business to a halt, and a leak of sensitive documents can have far-reaching consequences such as damaging critical business relationships.

Managing the Risk
Ultimately, cybersecurity boils down to managing risk. As Todd Waskelis, AVP at AT&T Cybersecurity Solutions, said, “It's not about the number of dollars an organisation spends that leads to them reducing risk. It's whether you have approached this from a business perspective and you have a risk management program that will not go stale.” Having a business-focused risk management plan doesn't mean having all of the best security technologies in place. Sometimes it means having enough of the right security technologies, having the right partners, and even transferring some of the risk via cyber insurance.

Considerations for your security strategy:
Consolidate your security tools
Outsource functions to an MSSP
Transfer some risk via cyber insurance

Posted on 2018-10-24


  Alien Vault - How to Defend Your IoT Devices from IoT Botnets
The Internet of Things (IoT) is changing how the world works. Machine-to-machine (M2M) communication makes for faster, more timely and more transparent connections, saving a lot of time and money. Your doctor no longer has to wait hours for your heart monitor readings when the device transmits them to the doctor's computer or tablet automatically. Manufacturers and retailers can keep track of inventory more easily when they receive real-time updates on remaining supplies. At home, you'll never forget to write something on your shopping list when your smart refrigerator updates that list for you.

In the right hands, the IoT has great potential to improve quality of life. But some people have found a way to exploit the IoT for their own gain. They do this through the IoT botnet.

What is an IoT botnet?
To answer this, we first have to define the IoT and a botnet. The IoT is the interconnection of devices (things) through the Internet: devices such as phones, refrigerators and heart monitors carry a network interface that lets them connect to the Internet. A botnet is a network of computers infected with malicious software and controlled as a group without the owners' knowledge; these computers are then used for tasks like sending spam email. Put the two together and you have a network of computers and other devices (things) connected through the Internet, infected with malicious software and controlled without the owners' knowledge. An IoT botnet is harder to spot and clean up than a botnet of desktop PCs, because the devices are numerous, rarely patched and rarely monitored. Examples include the botnet discovered when a fridge was reported to be sending spam email; the Mirai botnet, which was used to perform DDoS attacks on the French hosting firm OVH; and the enslavement of 18,000 Huawei devices in a single day.

So, how can you defend your IoT devices from an IoT botnet? There is bad news and good news. The bad news: IoT devices and cybersecurity aren't necessarily a match made in heaven, because IoT devices are designed to be reachable over the Internet (and therefore by anyone who can reach their connection). The good news: you can improve your IoT devices' security yourself with the following steps.

1. Do your research
Before you buy any IoT device for your home or company, do a little digging online. See whether your prospective purchase has built-in security features, and look for known exploits and vulnerabilities that may become concerns. Don't rely only on the product's official site; trawl through forums (like Reddit) for user reviews, which carry invaluable first-hand information.

2. Change default passwords to strong ones
Make sure you are the one managing and controlling the device: you should retain the power to activate and deactivate it and to decide when it goes on and offline. Changing the factory default password is the first step, because anyone who knows the default, whether an attacker or someone at the manufacturer, can otherwise log in as the device administrator, and default credential lists for popular devices are widely published. Then practise strong password habits: long phrases, with upper case letters, numbers and symbols mixed in where the device allows them. A password generator can produce these for you. Strong passwords protect your IoT devices from brute force attacks. Change a device's password again whenever you have reason to think it has been exposed.

3. Separate your IoT device network
Create a separate network solely for your IoT devices. If one device is compromised, this stops the attacker reaching the data-rich computers and servers on your main network. Use a firewall or other intrusion prevention system between the segments, allowing traffic into the IoT network only when a device inside it requested it, and use your router's built-in security features as a first line of protection for everything behind it.

4. Disable unused features
Features such as Universal Plug and Play (UPnP) exist to make connecting with other players easy when you game on a console, but they also let a device open ports on your router without asking you, and attackers outside your network can find devices by exploiting vulnerabilities in the protocol. Turn these features off when not in use.

5. Use comprehensive security software
Botnet attacks often exploit vulnerabilities in devices running their default software. Your IoT devices may come with built-in security out of the box, but these default features are often weaker than third-party security software. One tool worth having at home or in the enterprise is a VPN. Installed on your router, where it also covers devices that cannot run a VPN client themselves, it hides your public IP address from the services you use and encrypts traffic between your router and the VPN provider, so nobody on the upstream path (a hostile hotspot, an ISP) can read your data stream. Be clear about what it does not do: an attacker already inside your network sees device traffic before it enters the tunnel, and a VPN does nothing for a device with a default password or an exposed port, so it complements steps 2 to 4 rather than replacing them. Note that you will have to pay for the best VPN service you can afford and avoid free VPNs: some have been known to sell users' spare bandwidth, which resulted in that bandwidth being used for a botnet.

6. Keep your device's software, hardware and firmware up to date
This may be old news, but it bears repeating. A manufacturer's updates often include fixes for security issues they have just discovered, and attackers often strike in the window between the release of a fix and the moment users actually install it. If you don't install updates when they become available, you are running the risk of having your device targeted.

Securing your IoT devices relies mainly on your own actions
In the current environment, defending the IoT against botnets is a personal task for each user until the industry moves further on the issue. Take time to get to know the manufacturers of the IoT devices you want to buy. Separating IoT devices and computers onto different networks helps prevent a compromise of the whole network when one device is infected by botnet malware. Disabling unused features makes devices harder to find from outside the network. Default settings and built-in security features have to be changed and bolstered with third-party software that adds layers of protection. And installing updates as soon as they become available keeps hardware, software and firmware as well defended as the vendor can make them.
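The six steps above can be turned into a repeatable check against a device inventory. The following Python is an added example, not code from the original post: it assumes a hypothetical inventory record format (name, IP, credentials, UPnP and Internet-exposure flags, installed and latest firmware), a hypothetical network plan with a dedicated IoT segment, and a constructed list of widely published factory-default credentials, and reports per device which of steps 2 to 6 it fails.

```python
import ipaddress
import re

# Constructed sample of widely published factory-default credentials. A real
# audit would load the vendor documentation or a maintained default-credential list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("admin", ""), ("root", "root"), ("root", ""), ("user", "user"),
}

# Hypothetical network plan (step 3): IoT devices live on their own segment,
# workstations and file servers on another.
IOT_NETWORK = ipaddress.ip_network("192.168.50.0/24")
USER_NETWORK = ipaddress.ip_network("192.168.1.0/24")
MIN_PASSWORD_LENGTH = 12
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def password_findings(username, password):
    """Step 2: flag factory defaults and passwords that are short or one-dimensional."""
    findings = []
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials still in use")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        findings.append("password uses fewer than three character classes")
    return findings


def version_tuple(version):
    """Turn a version string such as '2.3.0' into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_device(device):
    """Apply steps 2 to 6 to one inventory record and return its findings."""
    findings = password_findings(device["username"], device["password"])
    addr = ipaddress.ip_address(device["ip"])
    if addr in USER_NETWORK:  # step 3
        findings.append("device sits on the user LAN instead of the IoT segment")
    elif addr not in IOT_NETWORK:
        findings.append("device is on an unexpected network")
    if device.get("upnp_enabled"):  # step 4
        findings.append("UPnP enabled; disable unless actively needed")
    if device.get("wan_reachable"):  # step 3/5: port forward or public address
        findings.append("device reachable from the Internet; remove the exposure")
    if version_tuple(device["firmware"]) < version_tuple(device["latest_firmware"]):  # step 6
        findings.append(f"firmware {device['firmware']} behind vendor release "
                        f"{device['latest_firmware']}")
    return findings


def audit_inventory(inventory):
    """Map each device name to its findings; an empty list means it passes."""
    return {device["name"]: audit_device(device) for device in inventory}


# Constructed inventory; the field names are this example's own convention.
SAMPLE_INVENTORY = [
    {"name": "lobby-camera", "ip": "192.168.1.40", "username": "admin",
     "password": "admin", "upnp_enabled": True, "wan_reachable": True,
     "firmware": "2.0.1", "latest_firmware": "2.3.0"},
    {"name": "kitchen-fridge", "ip": "192.168.50.12", "username": "fridge",
     "password": "Fridge2018", "upnp_enabled": False, "wan_reachable": False,
     "firmware": "1.4.2", "latest_firmware": "1.4.2"},
    {"name": "hallway-thermostat", "ip": "192.168.50.21", "username": "owner",
     "password": "Kettle-drum!Quarry7", "upnp_enabled": False,
     "wan_reachable": False, "firmware": "3.1.0", "latest_firmware": "3.1.0"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The camera in the sample fails every check, the fridge fails only on password length, and the thermostat passes; feeding the script your own inventory (or the output of a network scan mapped into the same fields) gives a to-do list ordered by device rather than a generic checklist.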

Posted on 2018-10-24


  Alien Vault - Things I Hearted this Week, 19th October 2018
It's been another eventful week in the world of cyber security, so let's jump right in.

NCSC has Been Busy
The UK's NCSC collaborated with its counterparts in Australia, Canada, New Zealand and the USA on a report that highlights which publicly available tools criminals are using to aid their cyber crimes.
Joint report on publicly available hacking tools | NCSC
The agency also commented on how it keeps criminals at bay, stopping on average 10 attacks on the government per week. NCSC also published its Annual Review 2018, the story of the second year of operations at the National Cyber Security Centre.

Targeting Crypto Currencies
It is estimated that cryptocurrency exchanges suffered a total loss of $882 million to targeted attacks in 2017 and the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to the North Korean state-sponsored Lazarus group, including the infamous attack on the Japanese crypto exchange Coincheck, in which $534 million in crypto was stolen.
Targeted attacks on crypto exchanges resulted in a loss of $882 million | HelpNet Security

Twitter Publishes Data on Iranian and Russian Troll Farms
In an attempt to be more proactive in dealing with misinformation campaigns, Twitter has published its Elections Integrity dataset, which covers attempted manipulation including malicious automated accounts and spam. In other words, it's attempting to out Iranian and Russian troll farms.
Twitter's focus is on a healthy public conversation | Twitter
In light of this, it's worth revisiting this article by Mustafa Al-Bassam on his research into UK intelligence doing the same thing to civilians in Iran.
British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents | Motherboard

Equifax Engineer Sentenced
An Equifax engineer gets eight months for earning $75,000 from insider trading. He worked out that the web portal he was building was for a breach involving Equifax, which turned out to be the 2017 breach, and decided to ride the stock drop.
Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading | ZDNet

Mind the Skills Gap
(ISC)2 has released its 2018 global cyber security workforce study, and it looks like the cyber security skills gap has widened to 3 million. Bear in mind that estimating the skills gap isn't easy. You have to look at the types of organisations, the tools in place, the risk appetite, economic, political and environmental factors, a whole bunch of things. You need a pretty deep methodology (don't get me started on survey methodologies) to assess the skills gap accurately, so a survey of 1,500 individuals won't necessarily be completely accurate, but it serves as a good starting point for discussion.
Global cyber security skills gap widens to three million | IT Pro
Cybersecurity workforce study 2018 | (ISC)2
On the topic of the skills gap, there are plenty of free learning resources available these days. Check out this list:
190 Universities just launched 600 Free Online Courses. Here's the full list | Medium / Dhawal Shah

GitHub Announcements
When Microsoft acquired GitHub, many speculated this was the end of the site. On the contrary, a series of new features and enhancements shows GitHub ploughing forward in leaps and bounds.
Future of Software: Developers at the center of the universe | GitHub

California to Change State Law for Connected Devices
In a bid to strengthen cyber security, California has passed a state law requiring all manufacturers of Internet-connected devices to improve their security features. From 2020, in order to sell their products in California, manufacturers will need to ensure that devices such as home routers have a unique pre-programmed password or enforce user authentication as part of setup. Default passwords such as 'password' or 'default' will be deemed weak and in breach of the state law. A great initiative, but part of me feels it's a bit premature.
California just became the first state with an Internet of Things cybersecurity law | The Verge

Why tech companies need to reinvent themselves every three to four years
Former Cisco CEO John Chambers says doing the same thing, even if it's the "right thing," for too long is dangerous.
Why tech companies need to reinvent themselves every three to four years | Recode

The CumEx Files investigation
Finally, a long but fascinating read on a huge, months-long investigation involving dozens of international partners to uncover how some of the wealthiest have swindled European taxpayers out of billions.
The CumEx files | cumex files

Posted on 2018-10-24


  Alien Vault - AT&T Business Summit 2018 - First Impressions and Recap
From the 25th to the 28th of September 2018 I had the opportunity to attend the AT&T Business Summit in Dallas. I walked away with a whole new perspective on AT&T Business, on what a conference can be like, and on the Dallas Cowboys.

The Future is Here
The show floor at the summit was small compared to mega-conferences like RSA, but what it lacked in volume it more than made up for in the quality and variety of technologies on display across different industry verticals. There were robots that could fold your laundry or take you on an augmented reality tour of a factory. We were even introduced to “Pepper”, a cute interactive robot.
Pepper's a fan of @gwenstefani, too! Check out those dance moves. #ATTBizSummit @ATTBusiness pic.twitter.com/MX5ntUsrj2 — Sarita Rao (@saritasayso) September 27, 2018
There were many other embedded technologies on display, such as portable medical devices that anyone can operate to provide details to a doctor, or IoT technology embedded in trucks that sends a whole host of data for effective fleet management. The broad themes of the technology on display and the topics discussed on stage included IoT, smart cities, 5G and software-defined everything.

Day 1 Video Recap

Hitting High Notes with the Keynotes
Technology showcases aside, conferences are defined by the quality of their speakers and talks. AT&T Business did not disappoint, with great discussions and presentations by the likes of Malcolm Gladwell, Anderson Cooper, Thaddeus Arroyo, Barmak Meftah, Queen Latifah, Reese Witherspoon and Tony Blair, to name a few.
Power panel - Anderson Cooper, Doug Parker, Meg Whitman, Thaddeus Arroyo...Disruption is Coming for EVERYONE! #ATTBizSummit #transformation pic.twitter.com/SM9lu0xxkG — Anne Chow (@TheAnneChow) November 1, 2017
“Security isn't a technology problem. We need to view security as a business problem” Barmak Meftah, President AT&T Cybersecurity Solutions & CEO @alienvault #AttBizSummit @ATTBusiness pic.twitter.com/8IwA6QFQ3g — Susan Torrey (@smtorrey) September 26, 2018
A brief history of the ATM per @Gladwell. 30 years to mass adoption! #banking #fintech #ATTBizSummit pic.twitter.com/g0qFieGt1o — Evan Kirstel at @InterSystems #GlobalSummit18 (@evankirstel) September 27, 2018
Tip of the day. Even when things get rough Queen Latifah's advice is to make time for yourself. @IAMQUEENLATIFAH #ATTBizSummit #IoT #WomeninTech #EmergingTech #cybersecurity #SDN #Healthcare #5G #ATTInfluencer pic.twitter.com/kEGnOfjYjf — Peggy Smedley (@ConnectedWMag) September 28, 2018
"It's incumbent on us as business leaders to do better." "We're 50% of the population, we should be there 50% of the time." Reese Witherspoon at the #ATTBizSummit #WomenInTech pic.twitter.com/BHKyxW1KXX — Kayne McGladrey has been to the UK (@kaynemcgladrey) September 27, 2018
Just because the keynotes were great and featured celebrities, it doesn't mean the other talks were any less impactful. One that particularly stuck in my mind was a panel with Kayne McGladrey and Derek Scheid on what the future of the SOC (Security Operations Centre) looks like and what companies should do. A quote that stuck out for me was about the importance of an actual action plan, and how companies can get fixated on pulling in all the information they can without much thought as to what happens next. I believe it was Derek who said, “You shouldn't be proud of what you know. You should be proud of what you do.”

I was also invited to moderate a panel entitled “The best way to predict the future is to invent it”. It featured AlienVault CTO Roger Thornton, Chief Scientist Jaime Blasco, Terra Verde's Ed Vasko, and Looker CSO Ryan Gurney.
Lively panel discussion w @alienvault's @J4vv4D @jaimeblascob & CTO Roger Thornton, MSSP Ed Vasko @ Terra Verde and USM customer Ryan Gurney @ Looker “the best way to predict the future is to invent it.” pic.twitter.com/NGwgar38DL — Susan Torrey (@smtorrey) September 27, 2018
It was a great panel from which I learnt a lot. Ryan in particular had some great anecdotes on being the CSO, recalling that when he joined his current job he had no office, so made do with a desk in the hallway. The benefit, he claims, was that he was able to meet and get to know nearly all the staff as they walked past him. He believes that knowing and understanding staff is the key to good security within a company.

Day 2 Video Recap

Alien Invasion
AlienVault was fully embraced and welcomed with open arms at the summit. I certainly made a few new friends, and there was no shortage of attendees sporting flashing green AlienVault sunglasses or alien masks. Perhaps the biggest achievements in the battle to win hearts and minds, though, were at the concerts, where Billy Idol and Gwen Stefani both donned the AlienVault sunglasses. If that isn't the sign of a hugely successful event, then I don't know what is.

On 2018-10-24


  Alien Vault - Security Travel Tips
In honor of NCSAM, we decided to ask the Twitter community for security travel tips, to help us be safer when travelling. Here's the original Tweet:

Want some AlienVault swag? Send us your top tip for #security while traveling by October 8 for potential inclusion in an upcoming blog. Of the tips we include in the blog, we’ll randomly select 3 people to win an AlienVault swag bag! #securityawareness @J4vv4D @securitybrew pic.twitter.com/1XvzKnMbMv — AlienVault, an AT&T company (@alienvault) October 3, 2018

We got some neat answers.

1. Use a screen protector on an airplane or while working in public 2. Buy Freeze Fraud bags to store your laptop in while out of your hotel room. Tamper evident bags give you peace of mind your hardware hasn't been tampered with. — Jake Williams (@MalwareJake) October 4, 2018

For the love of everything confidential: privacy screens for phone, tablet, phablet, laptop, etc! Flights to DC make for the best shoulder surfing! — Glenn (@NTKramer) October 4, 2018

Know your threat model. Not everyone needs a burner phone, burner laptop, and 7 proxies. Know the trust boundaries, and mitigate the issues that make sense for you. — Willa (@willasaywhat) October 4, 2018

Don't do work. Your work existed before you and won't end cuz you disappeared for a week or less. Smart companies and CEOs always have backup for critical employees. No matter how secure you can try to be... if you are targeted they will get you while you are traveling. — 9656B73F0889AC044EB47F452C059A6C (@SGFja2Vy) October 4, 2018

Avoid being an obvious target by studying the area well enough to not need a map upon arrival. Carry the bare minimum hardware & files - if a device is lost/stolen/damaged, better for it to be a stripped down chromebook than your main PC. — Josh Gibbs (@quizzicaljosh) October 4, 2018

dedicated travel phone, vpn, and don't eat at restaurants that aren't busy — Space Force Panda (@TrashPandaFTW) October 4, 2018

Use an EVDO solution along with VPN such as a Verizon USB 4G LTE device and VPN. This prevents the unencrypted WiFi traffic to a hotspot AP and also encrypts your 4G LTE traffic. While you can use a hotspot and vpn, your initial traffic over that hotspot is all unencrypted. — John Alves (@CyberLowdown) October 4, 2018

Do not download sensitive information in a hotel business center. — lazyMalware (@LazyMalware) October 4, 2018

And there was a technology to investigate:

Keezel — EmmaB247 (@EmmaB247) October 4, 2018

Stay safer while travelling! Thanks for all the suggestions from the Twitter community.

On 2018-10-24


  Alien Vault - Things I Hearted this Week, 12th October 2018
What is a Vulnerability?

The part that most people don’t seem to understand enough is that an attack only matters if something is at stake. A transaction of some sort needs to occur, otherwise it doesn’t matter if someone performs the particular attack against you.

When is a vulnerability not a vulnerability? | Medium, Tanya Janca

An Analysis of CVE-2018-0824

While we’re on the topic of vulnerabilities, I’ve said it before, but one of the best things that has come out of bug bounty programs is the writeups that sometimes follow, which detail the thought process and the steps taken. Similarly, it’s always insightful to see when security researchers not only create an exploit, but also spend some time analysing its patch and writing up how it works.

Marshalling to SYSTEM - An analysis of CVE-2018-0824 | Code White Sec

Visualising Your Threat Models

Do you struggle finding the right tool for threat model diagramming? Well, this may be the one for you, if your requirements match those of Michael, where the app had to be:

Support DFD and attack trees
Enjoyable and easy to use
Free and cross platform
Not web or ‘cloud’ based

Draw.IO for threat modeling | Michael Riksen

Brutal Blogging: Go for the Jugular

Ever wondered whether you should get into blogging? Ever started to write a blog but run out of ideas? Ever wonder why your blog post gets no love? Well, fear not, because Kate Brew brings you all these answers and more in her great DerbyCon 2018 talk.

Brutal blogging: Go for the jugular | Youtube

Blockchain Eating its Greens?

Walmart Inc., in a letter to be issued Monday to suppliers, will require its direct suppliers of lettuce, spinach and other greens to join its food-tracking blockchain by Jan. 31. The retailer also will mandate that farmers, logistics firms and business partners of these suppliers join the blockchain by Sept. 30, 2019.

Walmart Requires Lettuce, Spinach Suppliers to Join Blockchain | Wall Street Journal

Do you Know What You’re Building?

Across the technology industry, rank-and-file employees are demanding greater insight into how their companies are deploying the technology that they built. At Google, Amazon, Microsoft and Salesforce, as well as at tech start-ups, engineers and technologists are increasingly asking whether the products they are working on are being used for surveillance in places like China or for military projects in the United States or elsewhere.

Tech Workers Now Want to Know: What Are We Building This For? | The New York Times

Why Logic Errors Are So Hard to Catch

The fact that a relatively simple flaw allowed an anonymous hacker to compromise 50 million Facebook accounts serves as a powerful reminder: When hackers, professional or amateur, find business logic errors, as defined by CWE 840, the exploitation can be incredibly damaging. The worst part is that finding logic errors can't be solved with automated tools alone. The best advice on how to avoid logic errors comes from Aristotle: "Knowing yourself is the beginning of all wisdom."

Lessons Learned from the Facebook Breach: Why Logic Errors Are So Hard to Catch | Dark Reading

What NOT to do When Researchers Notify you of a Breach

A short but useful reminder of what not to do when a researcher tries to contact you about a potential security issue. TL;DR - try to be nice.

What NOT to do when researchers notify you of a breach | Cyberwar news

Argos Doesn’t Take Care of IT

What happens when scammers target the wrong company? More specifically, what happens when a social engineer tries to scam a company named ‘the anti-social engineer’?

Argos Doesn’t Take Care of IT | The antisocial engineer

Amazon AI Scrapped for Being Biased Against Women

Apparently Amazon has scrapped an internal project that was trying to use AI to vet job candidates after the software consistently downgraded female candidates. I don’t know, sounds like a case of shooting the messenger. What about the developers? Surely the AI inherited the biases from somewhere. Simply scrapping the AI won’t necessarily fix the issue.

Amazon reportedly scraps internal AI recruiting tool that was biased against women | The Verge

Random Stories I Enjoyed This Week

How New York City Tells the Story of Its Open Data Work | Gov tech
America Is Losing Its Edge for Startups | CityLab
The battle for the Home | Stratechery

On 2018-10-24


  Alien Vault - AlienVault Product Roundup – the Latest Updates!
September was another busy month for product development at AlienVault, an AT&T Company. We are excited that the AlienVault Agent is getting great traction with our USM Anywhere user base, and we are continuing to add feature enhancements to the Agent. You can keep up with all of our regular product releases by reading the release notes in the AlienVault Product Forum. Here are the highlights from our September releases.

Enhancements to the AlienVault Agent!

Coming off the successful introduction of the USM Anywhere EDR functionality enabled by the AlienVault Agent, we are excited to announce more improvements to the Agent. The feedback from our users on the Agent has been great thus far, and in September we added more filtering capabilities, designed to give users more control over what types of data the agent is collecting. You can now apply regular filtering rules to Agent events, giving you the flexibility you need over what data you collect. We will continue to add feature enhancements to the Agent in the coming months.

The USM Anywhere API is here!

Following up on our API release in USM Central, which has been very popular with our MSSPs, we are happy to announce the introduction of the API in USM Anywhere. Available for Standard and Premium Edition customers of USM Anywhere, you can now extract alarms and events from USM Anywhere to help you with independent workflows. This is the first major step towards a full API functionality build-out in USM Anywhere.

Enhancements to the AlienApp for ConnectWise

Building on its initial release, the AlienApp for ConnectWise now works with on-premises deployments of ConnectWise Manage. Service management teams that use on-premises deployments of ConnectWise Manage can now leverage automated service ticket creation from USM Anywhere for alarms and vulnerabilities, as well as the synchronization of asset information.

Defects and Optimizing the UX

In addition to these new capabilities, the team has rolled out enhancements to the user interface and has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details.

USM Central Highlights

Following on the introduction of the API in August, we are pleased to announce the availability of additional API endpoints that allow customers and partners to retrieve vulnerabilities, deployment information, and configuration issues for connected USM Anywhere instances. This continues the build-out of the USM Central API, so stay tuned as we continue to add more API endpoints in the coming months.

Threat Intelligence Highlights

It’s been a typically active month for the AlienVault Labs Security Research team, curating the threat intelligence for USM as well as writing content on new & emerging threats. As a reminder, USM receives continuously updated correlation rules and endpoint queries to detect & respond to not only the latest signatures but also higher-level attack tools, tactics, and procedures – all curated by the human intelligence of the AlienVault Labs Security Research Team, bolstered by AlienVault’s machine intelligence. The AlienVault Labs team publishes a weekly threat intelligence newsletter, keeping you informed of the threats they are researching and delivering as actionable threat intelligence automatically to the USM platform. Read the AlienVault Threat Intelligence newsletters here. In addition, here are some recent blogs from the Labs Team, which highlight their recent research:

Malware Analysis using Osquery Part 2
Off-the-shelf RATs Targeting Pakistan
Malware Analysis using Osquery Part 1

On 2018-10-24


  Alien Vault - Time to Cover your Selfie Camera
I am reading an excellent book named “Cringeworthy: A Theory of Awkwardness”, which examines exactly what the title describes: awkward situations and how to deal with them. I love reading non-fiction books that are not InfoSec related. There is so much to learn out there about so many topics. Sometimes, however, I am led back to my InfoSec passion (or, perhaps it’s an illness).

In the book, author Melissa Dahl mentions two companies that are working on some fascinating software that can read human emotions via facial expressions. This is a compelling development in technology, reaching beyond facial recognition. Facial recognition, you may recall, has had some of its own challenges to overcome. Of course, emotional recognition software would not be useful for authentication, as there are only seven emotions. To review, they are happiness, sadness, fear, anger, surprise, contempt, and disgust. As you read this, are your inner InfoSec senses perking up? They should be.

Part of the way that emotions can be identified is through micro expressions. Micro expressions are subtle changes in a face, but they happen so fast that it requires specialized training for the human eye to detect them. Those trained in micro expression recognition can detect, along with the seven emotions, other traits, such as a person’s level of deception. While there are not many folks trained in micro expression recognition, a computer may be programmed to respond with alarming accuracy and speed. Rather than thinking that computerized emotion recognition could be used in a court of law (probably inadmissible as evidence, much like a polygraph), or during an interrogation (also of questionable usefulness), think of the economics of the technology.

One way in which this new technology may be used is to gauge a person’s response when viewing something on the screen. Using this technology, an advertiser could change what is presented based on the person’s response. You seemed to retreat a bit when you were shown the large automobile. Let’s pop up an advertisement for the fuel-efficient hybrid. You enjoyed the flowers that popped up on your birthday? Let’s pop some chocolate onto the screen with a savings coupon.

The privacy concerns of such a technology have led me to place a piece of electrical tape over the front-facing camera on my phone. I was never a big selfie person to begin with, and this technology is certainly enough to cure me of any urge to have that camera exposed. Remember, the camera and microphone on your electronic devices are software controlled, so unless you carefully examined that end user license agreement, you may have already given camera control over to one of your applications. Like many others, I have had my laptop camera covered for years.

When we think about how our emotions may be manipulated by these powerful little handheld devices, it becomes a scarier proposition that our emotions can be interpreted as we look at the screen.

Does this technology have a place in society? Perhaps it could be used in a hospital emergency room to expedite triage of the most severely ill or injured, or perhaps it can be used for training exercises for law enforcement to determine the level of an individual’s anger during a sensitive interpersonal exchange? My cynical side, however, is more certain that this technology will be used merely to boost sales of the corporations who use it. There are definitely beneficial uses for this technology, although, if my camera were uncovered right now, the software could only interpret my expression as a mix of sadness and contempt.

On 2018-10-24


  Alien Vault - 5 Steps to Maximize Your Financial Data Protection
A series of high-profile data breaches in 2017 made it clear that it's becoming more difficult to protect your and your customers' sensitive information from nefarious agents. As businesses expand, they develop and implement security policies that help protect their sensitive information from outsiders. Still, business growth means more computers, more laptops and more mobile phones—and more network endpoints means more security vulnerabilities and more opportunities for a small oversight to turn into a major data breach.

Financial data breaches can spell disaster, especially for small businesses that have fewer resources to allocate toward proactive security measures and fraud prevention. To help out, we've outlined five steps that you can take to maximize your financial data protection in 2018.

Take Inventory of Your Sensitive Financial Data

The first step to effective financial data protection is to identify the data that is most important to protect. Your full assessment should answer the following questions:

What data do I need to secure?
What computers, servers, laptops, networks, or other devices is the information stored on?
What devices can be used to access the data?
What roles/titles will have permission to view the data?

The best way to start enhancing data security is by restricting access. Isolate or segregate the data onto the fewest number of devices possible, and make it accessible to the fewest number of people. Conduct thorough background checks and ask for references when hiring employees that will come into contact with financial data.

Implement Effective Password Controls

Passwords are an important security measure used to prevent unauthorized users from accessing company laptops, e-mail accounts and other resources that could contain sensitive financial information. Password controls are a set of imposed guidelines for how your staff should set up the passwords that they use to access your sensitive data. Typical password controls include:

Ensuring that passwords are long enough and that they contain a mixture of upper- and lower-case letters, numbers and symbols. As passwords get longer, they become exponentially harder to crack by brute force. Hackers use all kinds of tricks to try and guess passwords—writing software that guesses dictionary words or combinations of words from the dictionary, or that guesses birth dates formatted in different ways. Passwords should be 10-12 characters long.
Ensuring that passwords are changed on a regular basis, at least every 90 days for passwords used to access sensitive financial data.
Ensuring that each individual user is assigned one username and password, and that login credentials are never shared.

Protect Your Network with a Firewall

Companies storing and transmitting financial data on an internal network should implement a firewall. A firewall is a hardware or software security device that monitors all incoming and outgoing network traffic and uses predefined security guidelines to determine whether it should be allowed or blocked. Firewalls establish a barrier between your trusted internal network and unauthorized external actors that might try to access or attack it. You may want to hire a cyber security expert who can help customize your firewall to your unique circumstances and advise you on how to address other potential network security threats.

Look Out for Phishing Scams

Sometimes, fraudsters don't have to gain access to your systems using technological means to attack your company financially. E-mail phishing scams can fool your unsuspecting employees in the worst ways—entering their login information into a fake portal, or opening a malicious program that steals sensitive information from their inbox, copies their contact list, and forwards malicious e-mails to others. Employees need to be educated about the most current fraud and phishing scams and how to avoid them. They should be instructed only to access sensitive data from a secured network, using their company device, and only through the prescribed channels—never by clicking a link in a newly received e-mail. Employees should never open unexpected e-mail attachments, and should report all suspicious e-mails to the company's IT department.

Use Data Encryption

Encryption is the translation of stored data into a secret code, ensuring that only someone with the encryption key can decrypt the data and use it for its intended purpose. Encrypting stored data acts as an insurance policy in case the data is ever lost or stolen. If a hacker or thief gets their hands on properly encrypted data, chances are they still won't be able to access any meaningful information that can be used to harm you, your company, or your customers. You can also use encryption to reduce the vulnerability of network endpoints like computers and mobile phones. Mobile phones should be encrypted, and you should be able to wipe them remotely in case one is ever lost or stolen. Encryption can be used to encode the data on a computer hard drive, preventing anyone who doesn't have access to the encryption key from reading it.

Summary

Organizations can maximize their financial data protection by implementing the right proactive policies and procedures, even without a large investment in security measures. Organizations should start by taking an inventory of their financial data, understanding how it is stored and accessed, and restricting that access exclusively to those who need it. Implementing stringent password controls and investing in network security devices like a firewall can significantly reduce the risk of a data breach. Further, employees should be trained to avoid unknown links and e-mail attachments, and report any suspected phishing scams to your IT department. Finally, stored financial data can be further secured through encryption, reducing the likelihood that the data could be used for harm even if it were stolen.

On 2018-10-24


  Alien Vault - The Importance of Patch Management
With each passing year, our world becomes more and more digital. Our social interactions and personal data, as well as many of our jobs, are based primarily on the internet. Although this shift has come with great benefits, it’s also opened us up to a heightened threat of cyber terrorism. 2017 saw some of the most devastating high-profile attacks in history, opening the eyes of businesses of all sizes to the importance of stronger security. With no end to cybercrime in sight, the best defense is to be better prepared. There are various practices that can be applied to achieve this, and implementing a patch management system is one of them.

In its most basic sense, patching is the process of repairing IT system vulnerabilities that are discovered after the infrastructure components have been released on the market. These patches can apply to a variety of system components, including operating systems, servers, routers, desktops, emails, client info, office suites, mobile devices, firewalls and more. Depending on a company’s information system design, the method of patch management may differ slightly.

Failure to follow adequate patch management procedures greatly increases the risk of falling victim to a devastating attack. In the second quarter of 2017, we saw a global ransomware attack hit systems in over 150 countries and hundreds of organizations, all as a result of poor patch management. These unattended vulnerabilities in IT infrastructure open companies up to numerous security challenges, the top five being:

Absence of proper coordination of security measures taken by the operations department and the IT department.
Inability to keep up with regulatory standards.
Failure to develop an automated security channel.
Inability to protect systems from malware, DDoS attacks and hacktivism.
Failure to upgrade the existing software and applications to improve system security.

Outsourced patch management

For many companies, the reason behind their failure to properly patch vulnerabilities is the simple fact that it’s difficult. The process is time-consuming and, depending on the size of a company, there could be numerous vulnerabilities opening simultaneously. Outsourcing patch management to a more qualified company can relieve IT teams of that immense burden and prevent potentially fatal neglect. Additionally, outsourced IT companies have the advantage of economies of scale and can spend the necessary time required for testing updates before updating client systems.

Automated patch management

Automation is a trending feature in technology this year, including patch management. With this method, a cloud-based automation system is able to regularly scan and apply patches to software and systems of any kind regardless of location. This reduces the need for ongoing management of the patching system itself, meaning even the most limited IT teams can stay up-to-date with security. Furthermore, as automation allows for patches to be applied 24/7, the downloading and installation processes won't disrupt a work day, and the potential for human error while installing patches is removed.

Whichever route you choose, the importance of the matter stays the same. While hackers have made it clear they don’t discriminate by company size or industry, preventive measures are necessary for everyone. With a strong patch management system in place, the occurrence of a vulnerability can be immediately rectified by way of consistent monitoring of the system and a patch released at the right time. This quick action plan can make all the difference in protecting yourself from a “Zero Day Attack,” which is an exploit that occurs before a patch is available.

Though it may sound like an unlikely occurrence, 85 percent of exploits have had a patch available for more than one year and 74 percent of organizations take 3 months to apply a patch, according to industry leader Mark Hurd. The risk of not recognizing and reporting a vulnerability in time is too great to take.

With the imminent risk of cyber-attacks, it’s critical to assemble a plan against the potential vulnerabilities that put your information at risk, particularly for SMBs. Smaller organizations have become increasingly targeted for their tendency to discover security breaches late and because of their generally limited cybersecurity resources. In fact, Small Business Trends reports that the percentage of cyber-attacks targeting small organizations rose from 15 to 43 percent of total attacks between 2011 and 2015.

Both automation and outsourcing serve as solid solutions to key concerns companies have about the sheer number of patches required and the manpower needed to support them. Regardless of size or speciality, new technologies are making patch management implementation more cost-effective and simpler for everyone. Make the decision to prevent your potential downfall and organize your patch management plan today.

On 2018-10-24


  Alien Vault - People and Passwords
In today's world, the Internet is a vast place filled with websites, services, and other content. Most content, along with computers and other technology, requires a password. The number of passwords a person has to know continues to grow. While it’s safe to say we use passwords to keep our accounts confidential, they can also be very frustrating and inconvenient to create and remember. The outcome is the use of simple, common passwords, the same password on different accounts, and habits such as writing passwords down.

Weak passwords are common

For example, reports from Techspot.com, Fortune.com, and USAToday.com show that in 2017, passwords like 123456 and football were two of the top ten most used passwords. Why are such passwords still being used? They are easy to remember. People will often turn weak passwords into simple variations, combining alphabetic and numeric strings with special characters. For instance, Football and 123456 become Football123456!, a memorable yet easily guessed password.

Current practices require complex passwords

Various companies have released their own best practices. Symantec’s how-to article, for instance, states a secure password is at least eight characters in length and has an uppercase letter, a lowercase letter, and a number. Take [Football] for example. You can replace the “o” with a “0” and the “a” with “@”, resulting in F00tb@ll. Here, the updated password meets most policies enforced by many web applications such as Google and Outlook. It has an uppercase letter (F), lowercase letters (tball), numbers (00), a special character (@), and meets a minimum length of eight characters. Microsoft, however, takes this a step further in some of their guidelines. They state it must not be in the dictionary or incorporate the name of a person or computer. Guidelines such as those demand a complex password. For example, W#T24.ro5*&F is complex yet painful to memorize.

There is a problem with difficult passwords

People, out of convenience and frustration, will try to circumvent the password policies mentioned. This becomes more prevalent as the policies get stricter. It is hard enough to remember a password like W#T24.ro5*&F. By the time you’ve memorized it, the time has come to change it, and you can’t repeat the last 8 passwords. So what do people do? They add or change one or two characters (i.e. W#T24.ro5*&F turns into W#T24.ro5*&F1 or W#T24.ro5*&F123 and F00tb@ll turns into F00tb@ll123 or F00tb@ll321).

While password expiration policies are arguably a best practice, they are not common outside an enterprise environment. Many websites, such as banks, do not require you to change your password regularly, and those that do might not have a decent policy on repeating passwords. This leads to the same or similar passwords being used across accounts.

The same password for different accounts is dangerous

Research by LastPass states 59% of people use the same password and 47% apply the same even for work. Notably, the reuse of passwords stems from frustration and convenience. Sure, it's easier to remember one password for everything, or variations of a base password, but it is not advised. To clarify, if one account gets compromised, it puts your other accounts at risk.

Using Passphrases is better

We have a hard time remembering many passwords, and more so when they have to change often. It is similar to starting a different job and learning coworkers' names, then finding out 60 days later that everybody is being replaced and you now need to remember a different collection of names. It's difficult. For starters, use a passphrase that includes numbers. A passphrase is a password in usage but is longer for added security. For example, 2Cats3DogsRunFar is an easy-to-remember passphrase. It is a 16-character alphanumeric password. Why add a number, aren't four or five words enough? No, because modern toolkits can crack a passphrase of four to five words. Adding a number (not just at the beginning or end), or even a space, will strengthen the password while keeping it easy to memorize. NIST 800-63-3 supports the use of passphrases. It encourages users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.

What about password managers?

At the same time, we cannot use this passphrase for other accounts. Instead, use a password manager, which will accommodate having a different password for each account. A password manager is a tool or service that will store your passwords for later use. An example of a common password manager is your browser. I will point out it is not recommended to use your browser's password manager. Some password managers offer free or inexpensive versions, LastPass and RoboForms to name a couple; EverKey, Keeper, and DashLane are pay-to-use.

Be responsible with your passwords

All things considered, having the best passwords does not mean you are 100% immune. Password hashes are stored, and anything stored can be stolen. Strong passphrases make it more difficult for a malicious actor. You can use password managers to store passwords, but this itself can be risky. For example, browser password managers do not require multi-factor authentication. Remember not to use words or dates that can be guessed via social engineering. If a website, such as a bank's, offers multi-factor authentication, then enable it. Overall, passwords can be a nuisance, but dealing with compromised accounts can be much worse.
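The two kinds of password check discussed in this post and in the “5 Steps to Maximize Your Financial Data Protection” post above, as an added Python example that is not from either AlienVault post: a composition rule of the Symantec kind, beside a NIST 800-63-3 style length-plus-blocklist check that also catches the 0/@ substitutions and the “+123” rotation tricks the post describes. The blocklist, the substitution map and the spaced passphrase are constructed for this example.

```python
import re

# Constructed blocklist for this example: the two top-ten 2017 passwords the
# post names. A real deployment would load a large breached-password corpus.
BLOCKLIST = {"123456", "football"}

# Substitutions to undo before the blocklist lookup: the post's o->0 and a->@,
# plus e->3 and s->$ (assumed common substitutions, not from the post).
LEET_MAP = str.maketrans({"0": "o", "@": "a", "3": "e", "$": "s"})


def composition_policy(pw):
    """The composition rule the post quotes (Symantec how-to): at least eight
    characters with an uppercase letter, a lowercase letter and a digit.
    Returns (passed, reasons)."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        reasons.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        reasons.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("no digit")
    return (not reasons, reasons)


def normalize(pw):
    """Reduce a password to its memorable core: drop leading/trailing digits
    and symbols (the '123' / '!' suffixes the post describes), undo the
    substitutions in LEET_MAP and lowercase. 'F00tb@ll321' -> 'football'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.translate(LEET_MAP).lower()


def nist_style_policy(pw, min_len=8, blocklist=BLOCKLIST):
    """NIST 800-63-3 style check: a minimum length, any characters allowed
    (spaces included), no composition rules, but reject anything on the
    breached-password blocklist, including its disguised variants.
    Returns (passed, reasons)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in blocklist:
        reasons.append("on the breached-password blocklist")
    elif normalize(pw) in blocklist:
        reasons.append(f"variant of blocked word '{normalize(pw)}'")
    return (not reasons, reasons)


def is_trivial_variant(old, new):
    """True when 'new' is 'old' with characters appended, dropped or
    substituted (W#T24.ro5*&F -> W#T24.ro5*&F123), which is how users
    defeat the 'no repeat of the last 8 passwords' rule the post mentions."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        # All-digit/symbol passwords normalize to ''; compare the raw strings.
        return old.lower() in new.lower() or new.lower() in old.lower()
    return a == b or a.startswith(b) or b.startswith(a)


def violates_history(new, history):
    """Reject a new password that is a trivial variant of any stored one."""
    return any(is_trivial_variant(old, new) for old in history)


def evaluate(pw):
    """Both verdicts for one password, for side-by-side comparison."""
    return {"composition": composition_policy(pw)[0],
            "nist_style": nist_style_policy(pw)[0]}


if __name__ == "__main__":
    # The post's own examples plus one constructed spaced passphrase.
    samples = ["123456", "football", "Football123456!", "F00tb@ll",
               "W#T24.ro5*&F", "2Cats3DogsRunFar", "my dog eats two cats daily"]
    for pw in samples:
        print(f"{pw!r:32} {evaluate(pw)}")
    print(violates_history("W#T24.ro5*&F123", ["W#T24.ro5*&F"]))
```

The composition rule passes F00tb@ll and Football123456! while rejecting the long spaced passphrase; the length-plus-blocklist check does the opposite.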

On 2018-09-17


  Alien Vault - Things I Hearted this Week, 14th September 2018
With everything that keeps going on in the world of security, and the world at large, most eyes were focused on Tim Cook as he and his merry men took to the stage and announced the latest and greatest in Apple technology. There didn't seem to be anything totally mind-blowing on the phone end; they just looked to be bigger, faster, and more powerful versions of the iPhones at eye-watering prices. The Apple Watch now has a built-in FDA-approved ECG heart monitor, which is pretty cool as an early-warning system that a stroke is imminent - I assume to allow you to take some smart HDR selfies, apply the correct filters, and post to Instagram before you collapse. But enough about that, let's get down to business.

British Airways Breached
BA suffered a rather large breach which included payment information (including CVV) and personal details. While the investigation is ongoing, some security experts believe the breach was caused by malicious code injected into one of the external scripts used by its payment pages.
British Airways hack: Infosec experts finger third-party scripts on payment pages | The Register
As an affected customer, I accept that companies get breached. But the advice seemed pretty poor.
British Airways breached | J4vv4D

Boards need to get more technical - NCSC
The government is calling on business leaders to take responsibility for their organisations' cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise. Ciaran Martin, head of the NCSC, believes that cybersecurity is a mainstream business risk and that corporate leaders need to understand what threats are out there and what the most effective ways of managing the risks are. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.
NCSC issues new advice for business leaders as Ciaran Martin admits previous guidance was "unhelpful" | New Statesman

Hunting in O365 logs
Cloud is great, but sometimes making sense of the logs can be a pain. If you're struggling with O365 logs, then this document could be really useful.
Detailed properties in the Office 365 audit log | Microsoft

GCHQ data collection violated human rights, Strasbourg court rules
GCHQ's methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European Court of Human Rights has ruled in a test case judgment. But the Strasbourg court found that GCHQ's regime for sharing sensitive digital intelligence with foreign governments was not illegal. It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden's whistleblowing revelations.
GCHQ data collection violated human rights, Strasbourg court rules | The Guardian

A Mega hack!
Cloud storage service Mega.nz has announced that users who installed its Chrome browser extension may have had their passwords compromised. A malicious version of the browser extension was uploaded to the Chrome Web Store to gain access to users' logins for Amazon, Microsoft, GitHub, and Google.
MEGA Chrome Extension Hacked To Steal Login Credentials and CryptoCurrency | Bleeping Computer

The Effectiveness of Publicly Shaming Bad Security
Is publicly shaming a company a good idea? Personally, I've tended to steer away from it - I don't feel like it's a very constructive approach. But when there's data to prove otherwise (albeit we aren't talking in the scientific sense), then one may need to reconsider. There are ample examples of companies that have fixed their security issues after being publicly shamed, as my favourite blogger from down under, Troy Hunt, shares in his blog post. These are all good examples, but it's not too far away from digital pitchforks and mobs going after institutes over a simple misunderstanding.
The Effectiveness of Publicly Shaming Bad Security | Troy Hunt
On the topic of shaming, I would recommend the book "So, You've Been Publicly Shamed" by Jon Ronson.

FDA to Ramp Up Medical Device Cybersecurity Scrutiny
The Food and Drug Administration should increase its scrutiny of the cybersecurity of networked medical devices before they're approved to be marketed, a new government watchdog agency report says. The FDA says it will carry out the report's recommendations. The Department of Health and Human Services' Office of Inspector General's report recommends that the FDA better integrate the review of cybersecurity into the agency's processes for premarket assessments of medical devices. About time!
FDA to Ramp Up Medical Device Cybersecurity Scrutiny | Data Breach Today

Hacking Tesla's keyless entry
With about $600 worth of equipment, it is possible to wirelessly read signals from a nearby Tesla owner's fob. Less than two seconds of computation yields the fob's cryptographic key, allowing the theft of the associated car without a trace.
Hackers can steal a Tesla Model S in seconds by cloning its key fob | Wired
Researchers Show Off Method for Hacking Tesla's Keyless Entry, So Turn on Two-Factor Authentication | Gizmodo

On 2018-09-14


  Alien Vault - Explain Cryptojacking to Me
Last year, I wrote that ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But I should have known better: every summertime anthem eventually gets overplayed. This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I'll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning in to this type of threat.

What is Cryptojacking?
Cryptojacking definition: cryptojacking is the act of using another party's computational resources, without their knowledge or permission, for cryptomining. By cryptojacking mobile devices, laptops, and servers, attackers effectively steal your device's CPU cycles to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals that launch cryptojacking campaigns are more interested in your device's computing power than in your personal data. To understand why, it's helpful to consider the economics of cryptocurrency mining. Mining for cryptocurrencies like Bitcoin and Monero takes serious computing resources to solve the proof-of-work computations that discover new coins. These resources are not cheap, as anyone who pays their organization's AWS bill or data center utility bill can attest. So, for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it, unless you can eliminate the resource costs altogether by stealing others' resources to do the mining for you.
That's exactly what cryptojacking attacks aim to do: silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine. Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask.

Cryptomining vs. Cryptojacking
As the cryptocurrency markets have gained value and become more mainstream in recent years, we've seen a digital gold rush to mine new Bitcoin and, more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptomining server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 billion Bitmain IPO. Yet the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining "startup" Coinhive has positioned its technology as an alternative way to monetize a website, instead of serving ads or charging a subscription. According to the website, the folks behind Coinhive "dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics." Yet at the same time, Coinhive has been one of the most common culprits found in cryptojacking attacks this year. In fact, one recent report analyzed cryptojacking sites and found that nearly 50,000 websites were running cryptomining malware, Coinhive among them. Recent Coinhive victims include the Los Angeles Times, Politifact.com, and both AOL's and Google's ad networks. Further blurring the lines, Coinhive has been heavily criticized for its handling (or lack thereof) of abuse complaints.
As a result of the dramatic rise in cryptojacking attacks this year, many in the infosec community have come to consider all cryptominers malware, and browser extensions such as No Coin have appeared to block in-browser mining scripts. This "trust-no-miner" sentiment is strong in the infosec community. According to our own AlienVault research, only 8% of cybersecurity professionals would consent to their computer being used for cryptomining in exchange for access to content on a website, although a slightly larger group of altruists (38%) would consent if the cryptomining benefited a charity. So, while legitimate cryptomining will likely continue to grow as the cryptocurrency markets evolve with investments in large-scale operations, it's unlikely that cryptomining as a form of micropayment will gain mass adoption any time soon.

Cryptojacking - What's at Stake?
While a cryptojacking attack might not be as acutely devastating as a ransomware attack, it can cause serious damage to your business. Here is a list of the possible impacts of a cryptojacking attack:
A slow-loading website: When an attacker exploits a website vulnerability to inject a cryptomining script like Coinhive, it can slow down page load time, driving away your visitors, users, or shoppers. Some attacks intentionally add a delay so that they can use more resources while the user waits for the page to load, as seen in the attack on the WiFi network of Starbucks cafes in Buenos Aires.
High resource costs: If cryptominers persist in your infrastructure, you might unknowingly be footing a higher data center utility bill or cloud services provider bill. Think of it like this: if ransomware were grand theft auto, cryptojacking would be more akin to someone siphoning the gas from your tank little by little. You might not notice it right away, but your more frequent stops at the gas pump would eventually add up. That's not all.
Running CPUs and GPUs at high load for long periods can accelerate the wear and tear on your hardware, shortening its lifecycle and increasing your hardware costs.
Data loss: No one wants to wake up to an egregious bill from their cloud services provider because an attacker spun up unbounded resources overnight for cryptomining. While many security and IT teams have put auto-scaling limits in place to safeguard against this, some cryptojacking attacks are designed to start deleting existing cloud services when that limit is met.
Security breach: Attackers are becoming increasingly efficient by packaging multiple attack modules and payloads into a single campaign. A malware campaign might drop a cryptominer packaged alongside a keylogger, a backdoor, and other tools and techniques. If you detect cryptomining activity in your environment, don't assume that the attackers' intentions are single-threaded. Opportunistic attackers seeking financial gain will try to maximize their profits, whether by stealing your resources, your data, or both, if you let them.

Explain How Cryptojacking Attacks Work
Cryptojacking attacks take multiple forms in the wild, often packaged with other modern attack modules found in various malware and ransomware attacks. Here are three common ways we see cryptojacking attacks unfold:

Browser-based Cryptojacking Attacks
In this common type of cryptojacking attack, an attacker injects a cryptominer into a compromised website, ad platform, or browser extension, often by exploiting cross-site scripting (XSS) vulnerabilities. This lets the cryptominer use a device's resources whenever the user browses the website, plays an ad, or installs the malicious browser extension. Some attacks have also been known to persist by launching a separate "pop-under" window that hides behind the taskbar clock and continues to mine after the user leaves the website.
Because this type of cryptojacking attack doesn't download or install any payload on the device, not every antivirus solution is able to protect against it. So it's important to ask your vendor specifically how it detects and blocks browser-based cryptomining activity. Using ad blockers, pop-up blockers, or even disabling JavaScript can add extra layers of cryptojacking protection. When it comes to your own website, know your vulnerabilities and patch, patch, patch. Vulnerabilities like Drupal CVE-2018-7600 and, more recently, CVE-2018-7602 are commonly exploited in cryptojacking attacks.

Cryptojacking the Public Cloud
Public cloud environments provide near-infinite computing resources for an attacker bent on cryptomining. Once an attacker has infiltrated your public cloud environment, they can silently siphon your resources and perhaps delete or flood logs to cover their tracks. Or, more aggressively and with sufficient privileges, the attacker may spin up resources rapidly and programmatically while deleting other user accounts in an attempt to lock you out of your own account so you cannot disrupt the cryptojacking. Modern attacks against cloud infrastructure use bots to look for easy targets like unsecured servers or account credentials shared on GitHub. Practicing good cloud security hygiene across your organization is the best first defense against becoming an easy target and an unfortunate headline. Here are a few good resources on cloud security best practices:
11 Simple Yet Important Tips to Secure AWS
AlienVault Best Practices for AWS Security
AWS Security Best Practices (Amazon)
Introduction to Azure Security (Microsoft)

Advanced Fileless Malware Attacks
Fileless malware attacks are on the rise this year, and many of the campaigns we've observed in the wild include a cryptominer payload.
Fileless attacks take advantage of PowerShell, Windows Management Instrumentation (WMI), and other common IT admin tools in order to evade detection by traditional antivirus and signature-based detection tools. For example, the AlienVault Labs Security Research Team recently analyzed MassMiner, noting that it uses PowerShell to download the cryptominer onto infected hosts. As I mentioned above, advanced fileless attacks increasingly package multiple tools, modules, and payloads into a single campaign. Detecting modern fileless attacks requires threat hunting capabilities that go well beyond perimeter and endpoint protection tools. You must be able to identify the new and evolving tactics, techniques, and procedures (TTPs) that attackers employ for exploitation, installation, lateral movement, persistence, and exfiltration. Unless you have dedicated resources to research the latest TTPs found in the wild, hunt for threats, and analyze all the security data from across your environment, it can be a challenge to keep pace with these types of emerging attacks.

How AlienVault USM Anywhere Detects Cryptojacking
As you can see, there's no single way that a cryptojacking attack unfolds in the wild. These attacks evolve quickly and target critical infrastructure across cloud and on-premises environments. Fortunately, USM Anywhere delivers the capabilities needed to detect and respond quickly to the latest cryptojacking attacks. In order to detect and defend against cryptojacking attacks, it's crucial to have visibility of your entire IT environment. USM Anywhere detects modern threats anywhere they appear: across your public cloud infrastructure (AWS, Azure); SaaS / cloud apps (Office 365, Okta, G Suite); physical and virtualized on-premises environments; endpoints (Windows, Linux) on and off the network; and even the dark web.
To keep you up to pace with the latest cryptojacking attacks without draining your security resources, USM Anywhere automates security monitoring and threat hunting activities. For example, to detect cryptojacking attacks against your AWS cloud infrastructure, USM Anywhere detects and correlates events like:
- AWS temporary security credentials with a long duration
- A new user starting a high number of instances
- A new user account deleting multiple users
- Multiple instances being started or shut down programmatically
- CloudTrail trails deleted
On endpoints and across your network, USM Anywhere detects and correlates indicators of a cryptojacking attack, including anomalous or suspicious behavior by normal processes and services. Examples include:
- RDP (Remote Desktop Protocol) session hijack using tscon.exe
- Reverse PowerShell use
- An SSH process creating a tunnel between two hosts
- A suspicious command executed by a listening process (JBoss, Elasticsearch, Jenkins)
- Windows User Account Control (UAC) bypass activity detected
- A recently launched Docker container involved in cryptomining activity
- Installation of a malicious Chrome extension
This list of TTPs is continuously and automatically updated in USM Anywhere through the threat intelligence service from the AlienVault Labs Security Research Team. This team uses machine learning capabilities, human intelligence, and the 20 million IOCs shared daily in the Open Threat Exchange (OTX) to identify emerging and evolving TTPs, which they curate and write into actionable correlation rules, endpoint queries, and more. As a result, you get alerts on real, high-priority threats as well as response guidance and integrated incident response capabilities, all from a single cloud platform. There's much more to discover about USM Anywhere. Start your free 14-day trial to test drive USM Anywhere and see for yourself the powerful threat detection and incident response capabilities built into the unified platform.
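The five AWS indicators above, written up as a small correlation engine. This is an added example for this page, not USM Anywhere code, and it does not reproduce AlienVault's rules. The events use a simplified subset of the CloudTrail record format (eventTime, eventName, userIdentity.userName, requestParameters, userAgent); the thresholds, the 30-minute window, the user-agent prefixes and the sample events are assumptions constructed for the demonstration.

```python
"""Correlate CloudTrail-style events for the AWS cryptojacking indicators listed
above. Added example, not AlienVault or USM Anywhere code. Events use a
simplified subset of the CloudTrail record format (eventTime, eventName,
userIdentity.userName, requestParameters, userAgent); thresholds, window sizes
and the sample events are assumptions made for the demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: tune them to your own account's baseline.
LONG_CREDENTIAL_SECONDS = 12 * 3600   # STS DurationSeconds above this is "long"
NEW_USER_AGE = timedelta(hours=24)    # a user created less than this ago is "new"
INSTANCE_BURST = 5                    # Run/Start/StopInstances by one actor in WINDOW
DELETE_USER_BURST = 2                 # DeleteUser calls by one actor in WINDOW
WINDOW = timedelta(minutes=30)
PROGRAMMATIC_AGENTS = ("aws-cli", "Boto3", "aws-sdk")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events):
    """Return (rule, actor, detail) tuples for every indicator that fires."""
    alerts = []
    created_at = {}                 # IAM userName -> time it was created
    recent = defaultdict(list)      # (actor, eventName) -> timestamps inside WINDOW

    for e in sorted(events, key=lambda ev: _ts(ev["eventTime"])):
        actor = e["userIdentity"].get("userName", "unknown")
        name = e["eventName"]
        when = _ts(e["eventTime"])
        params = e.get("requestParameters") or {}

        if name == "CreateUser":
            created_at[params.get("userName")] = when
        elif name in ("AssumeRole", "GetSessionToken", "GetFederationToken"):
            duration = int(params.get("durationSeconds", 3600))
            if duration > LONG_CREDENTIAL_SECONDS:
                alerts.append(("long_lived_temp_credentials", actor, f"{duration}s"))
        elif name == "DeleteTrail":
            alerts.append(("cloudtrail_trail_deleted", actor, params.get("name")))

        # sliding-window count of this event type for this actor
        key = (actor, name)
        recent[key] = [t for t in recent[key] if when - t <= WINDOW] + [when]
        count = len(recent[key])
        is_new = actor in created_at and when - created_at[actor] <= NEW_USER_AGE
        programmatic = e.get("userAgent", "").startswith(PROGRAMMATIC_AGENTS)

        # each burst rule fires once, when the count first reaches its threshold
        if name == "RunInstances" and is_new and count == INSTANCE_BURST:
            alerts.append(("new_user_instance_burst", actor, f"{count} RunInstances"))
        if name == "DeleteUser" and count == DELETE_USER_BURST:
            alerts.append(("user_deleting_multiple_users", actor, f"{count} DeleteUser"))
        if (name in ("StartInstances", "StopInstances") and programmatic
                and count == INSTANCE_BURST):
            alerts.append(("programmatic_instance_churn", actor,
                           f"{count} {name} via {e['userAgent']}"))
    return alerts


def _ev(time, name, actor, params=None, agent="console.amazonaws.com"):
    """Build one constructed sample event (field names follow CloudTrail)."""
    return {"eventTime": time, "eventName": name, "userAgent": agent,
            "userIdentity": {"userName": actor}, "requestParameters": params or {}}


# Constructed sample: an attacker creates a service user, mints a 36-hour
# session token, bursts GPU instances, removes other users and kills logging.
SAMPLE_EVENTS = (
    [_ev("2018-09-11T01:00:00Z", "CreateUser", "admin", {"userName": "svc-build"}),
     _ev("2018-09-11T01:05:00Z", "GetSessionToken", "svc-build",
         {"durationSeconds": 129600}, "aws-cli/1.16.0")]
    + [_ev(f"2018-09-11T01:{10 + i:02d}:00Z", "RunInstances", "svc-build",
           {"instanceType": "p3.16xlarge"}, "Boto3/1.7.80") for i in range(5)]
    + [_ev(f"2018-09-11T01:{15 + i:02d}:00Z", "StopInstances", "svc-build",
           {}, "Boto3/1.7.80") for i in range(5)]
    + [_ev("2018-09-11T01:20:00Z", "DeleteUser", "svc-build", {"userName": "alice"}),
       _ev("2018-09-11T01:21:00Z", "DeleteUser", "svc-build", {"userName": "bob"}),
       _ev("2018-09-11T01:22:00Z", "DeleteTrail", "svc-build", {"name": "org-trail"}),
       # benign: a long-standing user launching one instance from the console
       _ev("2018-09-11T09:00:00Z", "RunInstances", "alice")]
)

if __name__ == "__main__":
    for rule, actor, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:32} {actor:10} {detail}")
```

The burst rules are evaluated on the event that brings the count to the threshold, so each fires once per window rather than on every subsequent event; on real data you would feed the function the parsed records from a CloudTrail S3 export and key `created_at` on the ARN rather than the user name.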

On 2018-09-11


  Alien Vault - VLAN Hopping and Mitigation
We'll start with a few concepts:

VLAN
A VLAN is used to share a physical network while creating virtual segments that divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2, and any packets sent between VLANs must go through a router or other layer 3 device. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as 'VLAN Hopping', an attacker is able to bypass this segmentation. Learn more about network segmentation and VLANs here.

VLAN Hopping
This type of exploit allows an attacker to bypass the layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to reach their target. However, many networks either have poor VLAN implementations or misconfigurations that allow attackers to perform this exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switch spoofing' and 'double tagging', and then discuss mitigation techniques.

Switched Network
It is crucial to understand how switches operate if we want to find and exploit their weaknesses. We are not necessarily exploiting the device itself, but rather the protocols and configurations that instruct how it operates. On a switch, a port is configured either as an access port or as a trunk port. An access port is typically used when connecting a host to a switch; with VLANs in use, each access port is assigned to exactly one VLAN. A trunk port is used when connecting two switches, or a switch and a router, together, and carries traffic from multiple VLANs, each frame marked with an 802.1Q tag identifying its VLAN. A trunk port can be configured manually or created dynamically using Dynamic Trunking Protocol (DTP), a Cisco proprietary protocol that lets two switches negotiate a trunk link between them.
Switch Spoofing VLAN Attack
An attacker acts as a switch in order to trick a legitimate switch into forming a trunk link with them. As mentioned before, frames from any VLAN are allowed to pass through a trunk link, so once the trunk is established the attacker has access to traffic from every VLAN carried on it. This exploit is only successful when the legitimate switch is willing to negotiate a trunk, which is the case when the interface is configured in "dynamic desirable" or "dynamic auto" mode (a port already in "trunk" mode needs no negotiation at all: the attacker simply connects and tags frames). If the target switch has one of those modes configured, the attacker can generate a DTP message from their computer and a trunk link will be formed.

Double Tagging
Double tagging occurs when an attacker adds two 802.1Q tags to an Ethernet frame in order to send packets into a VLAN they do not belong to. This attack takes advantage of how switches process tags: the first switch removes only the outer tag and, because that tag matches the trunk's native VLAN, forwards the frame across the trunk untagged, with the inner tag still in place for the next switch to act on. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is that this attack is strictly one way: the target cannot double-tag its replies, so no return traffic reaches the attacker.

VLAN Hopping Exploit
Scenario 1 - Switch Spoofing Attack
In this scenario there exists the attacker, a switch, and the target server. The attacker is attached to the switch on interface FastEthernet 0/12, and the target server is attached to the switch on interface FastEthernet 0/11 and is part of VLAN 2. Take a look at the following topology. Once you are familiar with the topology, take a look at a few of the configurations set for the switch:

 interface FastEthernet0/11
  switchport mode access
  switchport nonegotiate
  switchport access vlan 2
 !
 interface FastEthernet0/12
  switchport mode dynamic auto

Hopefully, you can see the configuration issue with interface fa0/12. This port is set to accept incoming negotiations to determine whether it becomes an access port or a trunk port.
Which means an attacker is able to perform a switch spoofing attack. Once the attacker connects to the port they can send a DTP message and a trunk link will be established. An attacker can use the program Yersinia to craft and send a DTP message. Yersinia is a penetration testing framework built to attack many protocols that reside on layer 2. It comes pre-installed with Kali Linux and has an easy to use graphical user interface (GUI).
Yersinia Homepage - http://www.yersinia.net/
To launch Yersinia:
 yersinia -G
Here is a quick look at the GUI:
Now sending a DTP message is as simple as the following 4 steps:
1. Click "Launch attack".
2. Click the "DTP" tab.
3. Click "enable trunking".
4. Click "OK".
Yersinia will then send out a DTP message and within a few seconds a trunk link will be established. In our scenario, the attacker will then have access to all traffic flowing through VLAN 2 and can attack the target directly without going through any layer 3 devices.

Scenario 2 - Double Tagging Attack
In this scenario, there exists an attacker, two switches, and a target server. The attacker is attached to switch 1, switch 1 is attached to switch 2, and finally our target is attached to switch 2. Take a look at the following topology. Once you are familiar with the topology, take a look at a few of the configurations set for switch 1:

 interface FastEthernet0/12
  switchport mode access
  switchport nonegotiate
  switchport access vlan 1
 !
 interface FastEthernet0/11
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  switchport trunk native vlan 1

From these configurations, we see that an attacker would be unable to perform a switch spoofing attack. However, we also see that the attacker's access port belongs to the native VLAN of the trunk port, which means this topology is vulnerable to a double tagging attack. An attacker can use the program Scapy to create the specially crafted frames this attack requires.
Scapy is a Python library and interactive shell for crafting, sending and dissecting packets.
Scapy Homepage - https://scapy.net/
Scapy Documentation - http://scapy.readthedocs.io/en/latest/usage.html
Start Scapy (sending raw frames requires root):
 sudo scapy
Use the sendp() function to craft and send the frame at layer 2:
 >>> sendp(Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=2)/IP(dst='<destination IP>', src='<source IP>')/ICMP())
This generates a double 802.1Q-encapsulated frame for the target on VLAN 2. Take a look at the following topology to view how the switches manage this frame. From the picture, we can see that switch 1 reads and removes only the outer tag. Because that tag (VLAN 1) matches the attacker's access VLAN, the frame is accepted, and because VLAN 1 is also the native VLAN of the trunk, it is sent across the trunk untagged, carrying only the inner tag. Switch 2 then receives a frame with a single tag left. It assumes the frame belongs to the VLAN stated in that tag (VLAN 2) and forwards it to all ports configured for VLAN 2. The target then receives the packet sent by the attacker. VLAN = HOPPED. Due to the nature of this attack, it is strictly one way. Please also note that this attack may not work on newer switches, as documented here.

Mitigation for VLAN Hopping
Switch Spoofing
To prevent a switch spoofing attack, there are a few steps you should take:
- Do not configure any access port with "dynamic desirable", "dynamic auto", or "trunk" mode.
- Manually configure access ports and disable DTP on all of them:
   switchport mode access
   switchport nonegotiate
- Manually configure all trunk ports and disable DTP on them:
   switchport mode trunk
   switchport nonegotiate
- Shut down all interfaces that are not currently in use.
Double Tagging
To prevent a double tagging attack, keep the native VLAN of every trunk port different from all user VLANs; use a dedicated VLAN that carries no hosts. On Cisco IOS you can additionally force the native VLAN to be tagged on trunks with the global command "vlan dot1q tag native", so that no untagged frames cross the trunk at all.

Final Note
Switches were not built for security. However, it is important to utilize security measures at every level. If you take the time to segment your network, make sure it is done properly and securely.
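The walk-through above reproduced in plain Python, as an added example that is not part of the original article and is not Scapy code. It builds the same double-tagged frame byte by byte (TPID 0x8100 followed by the 16-bit TCI) and runs it through a deliberately simplified two-switch model of the vulnerable behaviour. The port names, MAC addresses and the IPv4/ICMP payload stub are constructed, and the model covers only what the attack relies on: an access port accepting a tag equal to its own VLAN and stripping it, the native VLAN leaving the trunk untagged, and the downstream switch classifying a frame by its first tag.

```python
"""The double-tagging walk-through above, reproduced with hand-built 802.1Q
frames and a two-switch model. Added example, not from the original article
and not Scapy code; standard library only, so it runs offline. The Switch class
is a deliberately simplified model of the vulnerable behaviour: an access port
accepts a tag equal to its own VLAN and strips it, the trunk carries the native
VLAN untagged, and the next switch classifies a frame by its first tag."""
import struct

TPID_8021Q = 0x8100       # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def dot1q_tag(vid, pcp=0):
    """4-byte tag: TPID, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_frame(dst, src, vids, payload):
    """Equivalent of Ether()/Dot1Q(vid0)/Dot1Q(vid1)/.../payload (outermost tag first)."""
    tags = b"".join(dot1q_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Peel 802.1Q headers after the MAC addresses; return the VIDs in order."""
    vids, offset = [], 12
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Minimal model: access ports (port name -> VLAN) plus one 802.1Q trunk."""

    def __init__(self, access_ports, trunk_native):
        self.access = access_ports
        self.native = trunk_native

    def access_to_trunk(self, port, frame):
        """Frame enters an access port and leaves on the trunk; None if dropped."""
        vlan = self.access[port]
        vids = parse_tags(frame)
        if vids and vids[0] != vlan:
            return None                        # tagged for a foreign VLAN: dropped
        if vids:
            frame = strip_outer_tag(frame)     # only the outer tag is removed
        if vlan == self.native:
            return frame                       # native VLAN goes out untagged
        return frame[:12] + dot1q_tag(vlan) + frame[12:]

    def classify_on_trunk(self, frame):
        """VLAN the receiving switch assigns: first tag, or native if untagged."""
        vids = parse_tags(frame)
        return vids[0] if vids else self.native


def hop(attacker_vlan, trunk_native, target_vlan=2):
    """Send the attacker's double-tagged ICMP frame through switch 1 and switch 2;
    return the VLAN switch 2 delivers it to (None if switch 1 drops it)."""
    switch1 = Switch({"Fa0/12": attacker_vlan}, trunk_native)
    switch2 = Switch({"Fa0/5": target_vlan}, trunk_native)
    broadcast = b"\xff" * 6
    attacker_mac = bytes.fromhex("020000000001")          # constructed, locally administered
    # constructed IPv4 header stub (total length 28, TTL 64, protocol 1 = ICMP) + zeros
    ip_icmp = bytes.fromhex("4500001c000100004001") + b"\x00" * 18
    frame = build_frame(broadcast, attacker_mac, [attacker_vlan, target_vlan], ip_icmp)
    on_trunk = switch1.access_to_trunk("Fa0/12", frame)
    return None if on_trunk is None else switch2.classify_on_trunk(on_trunk)


if __name__ == "__main__":
    print("attacker in native VLAN 1:", hop(1, trunk_native=1))    # 2: hopped
    print("native VLAN moved to 999:", hop(1, trunk_native=999))   # 1: contained
```

The second call shows why the mitigation works: once the trunk's native VLAN no longer matches the attacker's access VLAN, switch 1 re-tags the frame with VLAN 1 on the way out, so switch 2 sees VLAN 1 as the outer tag and the inner VLAN 2 tag is never consulted.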
Be diligent when configuring your network.       
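A configuration audit that checks the mitigations listed above against a Catalyst-style running-config, written as an added example that is not part of the original article. The parser understands only the "interface ... / indented lines / !" layout used in this post, the sample config is constructed, and treating an interface with no "switchport mode" as DTP-capable is an assumption that matches common Catalyst defaults but should be verified on your platform.

```python
"""Audit a Catalyst-style running-config for the VLAN hopping mitigations listed
above. Added example, not part of the original article; the parser handles only
the 'interface ... / indented lines / !' layout shown in this post, and the
sample config is constructed for the demonstration. Treating an interface with
no 'switchport mode' as DTP-capable is an assumption (common Catalyst default)."""
import re

SAMPLE_CONFIG = """\
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 1
!
interface FastEthernet0/12
 switchport mode dynamic auto
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
!
interface FastEthernet0/16
 shutdown
!
"""


def parse_interfaces(config):
    """Map each interface name to the list of its (stripped) config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or another section ends the block
    return blocks


def audit(config):
    """Return (interface, finding) tuples; an empty list means nothing was flagged."""
    findings, access_vlans, native_vlans = [], set(), {}
    for iface, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue                # an unused port that is shut down is fine
        mode = None
        for line in lines:
            if line.startswith("switchport mode "):
                mode = line[len("switchport mode "):]     # access | trunk | dynamic ...
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                access_vlans.add(int(m.group(1)))
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
            if m:
                native_vlans[iface] = int(m.group(1))
        if mode == "access" and not any(l.startswith("switchport access vlan") for l in lines):
            access_vlans.add(1)             # implicit default access VLAN
        if mode == "trunk" and iface not in native_vlans:
            native_vlans[iface] = 1         # implicit default native VLAN

        if mode is None:
            findings.append((iface, "no switchport mode and not shut down: assumed to "
                             "default to a DTP-capable mode; configure or shut it down"))
        elif mode.startswith("dynamic"):
            findings.append((iface, f"mode '{mode}' negotiates trunks via DTP; "
                             "set 'switchport mode access' or 'switchport mode trunk'"))
        elif "switchport nonegotiate" not in lines:
            findings.append((iface, f"'{mode}' port still sends DTP frames; "
                             "add 'switchport nonegotiate'"))

    for iface, native in native_vlans.items():
        if native in access_vlans:
            findings.append((iface, f"trunk native VLAN {native} is also a user VLAN "
                             "(double tagging); move the native VLAN to an unused VLAN"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against the sample, the audit flags the "dynamic auto" port, the access port that never disabled DTP, the unconfigured port that was not shut down, and the trunk whose native VLAN 1 is also the attacker's access VLAN from Scenario 2; moving the native VLAN to an unused number clears the last finding.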

On 2018-09-10


admin