- Category: Security News
Anti-Malware, Risk Management, Technology
How Does SentinelOne's Ransomware Guarantee Stack Up?
Protection: Up to $1,000 Per Endpoint - Subject to Terms and Conditions
Everyone fears ransomware. The file-encrypting malware is a time-wasting nightmare, at best, even for well-prepared administrators or users. Many anti-malware products also routinely fail to detect and block recent ransomware variants.
But help could be to hand: SentinelOne, an endpoint protection vendor, is seeking to stoke confidence in its security product by offering to pay a victim's ransom if its endpoint security product should fail to block the initial infection or effect-related remediation.
The guarantee program is spearheaded by Jeremiah Grossman, who formerly served as Yahoo's CISO and who also founded application security firm WhiteHat Security. Grossman joined SentinelOne as chief of security strategy in June, and while the new scheme might seem like a dicey gambit, the program is structured in such a way as to hedge the company's losses, should its product fail.
This isn't the first time Grossman has sought to put his money where his mouth is. At WhiteHat, he pioneered a guarantee program focused on web application security. It also worked well, at least from the standpoint that WhiteHat reports that it never received a related claim. Grossman has also been asserting for years that the security industry is the only sector in the world in which vendors have no liability when their products don't perform as advertised, resulting in an epic mismatch of vendors' and customers' interests.
"It's a $75 billion industry that functions like a garage sale," Grossman tells me. "All sales are final for every product in security you buy. We do not accept this in any other industry that I'm aware of."
The Devil in the Details?
SentinelOne's program offers to reimburse customers up to $1,000 per infected endpoint, or up to $1 million in total. But there are many conditions, and the guarantee isn't free. In fact, the whole thing reads more like a mini cyber insurance policy.
To obtain the related coverage, Grossman says clients will pay a surcharge of between 5 and 10 percent of the per-seat cost of their SentinelOne license, which itself varies with the vagaries of software license subscription negotiations. At least in the information security space, volume discounts are also quite common.
The SentinelOne guarantee is also contingent on customers configuring their software and computers in certain ways. For example, organizations must have Windows Volume Shadow Copy Service enabled, which allows machines to be rolled back and restored.
That's where another of SentinelOne's conditions comes in: The guarantee isn't that you won't be infected, but rather that the payment covers the cost of a ransom demand if the computers can't be remediated.
"It is about remediation," says Peter Stelzhammer of AV Comparatives, an anti-virus testing organization based in Austria. "You can nearly always remediate, especially if shadow copy is turned on."
But ransomware authors have known that shadow copies can wreck their chances of obtaining a ransom, and they often disable it. Indeed, Grossman says nearly all ransomware families from the past six months meddle with shadow copies. But because legitimate third-party software never touches shadow copies, SentinelOne views any such meddling as a sign that ransomware may be on a machine and blocks related processes.
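The detection idea described above, shadow-copy tampering as an indicator of ransomware, is easy to prototype. The block below is an added illustration and is not SentinelOne's code or rule set: it parses a handful of constructed process-creation events (a key="value" line format loosely modelled on Sysmon Event ID 1, with invented hosts, paths and timestamps), flags command lines that delete Volume Shadow Copies, and collects the parent processes that spawned them, which is what an endpoint agent would block. Merely listing shadow copies, as backup agents do, is deliberately left unmatched.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry), written in a
# simple key="value" line format loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    r'ts="2016-07-29T02:14:07Z" host="WS-0412" image="C:\Windows\System32\vssadmin.exe" '
    r'cmdline="vssadmin delete shadows /all /quiet" '
    r'parent="C:\Users\jdoe\AppData\Local\Temp\invoice_7731.exe"',
    r'ts="2016-07-29T02:14:09Z" host="WS-0412" image="C:\Windows\System32\wbem\WMIC.exe" '
    r'cmdline="wmic shadowcopy delete" '
    r'parent="C:\Users\jdoe\AppData\Local\Temp\invoice_7731.exe"',
    r'ts="2016-07-29T09:00:00Z" host="SRV-BKP01" image="C:\Windows\System32\vssadmin.exe" '
    r'cmdline="vssadmin list shadows" parent="C:\Program Files\BackupAgent\agent.exe"',
    r'ts="2016-07-29T09:05:12Z" host="WS-0199" image="C:\Windows\System32\notepad.exe" '
    r'cmdline="notepad.exe C:\Users\asmith\notes.txt" parent="C:\Windows\explorer.exe"',
]

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" event line into a dict (values contain no quotes)."""
    return dict(_KV.findall(line))


# Command lines that delete Volume Shadow Copies, the behaviour the article
# describes ransomware using to defeat rollback (MITRE ATT&CK T1490).
# Listing shadows is benign and is not matched.
SHADOW_TAMPER_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


def shadow_tamper_rule(cmdline: str) -> Optional[str]:
    """Name of the first rule the command line matches, or None."""
    for name, pattern in SHADOW_TAMPER_RULES:
        if pattern.search(cmdline):
            return name
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rules over event lines and return one alert per match."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        rule = shadow_tamper_rule(ev.get("cmdline", ""))
        if rule:
            alerts.append({
                "ts": ev.get("ts", ""),
                "host": ev.get("host", ""),
                "parent": ev.get("parent", ""),
                "cmdline": ev.get("cmdline", ""),
                "rule": rule,
            })
    return alerts


def suspect_parents(alerts: List[Dict[str, str]]) -> List[str]:
    """Parent processes that spawned the tampering: the candidates an
    endpoint agent would block or quarantine, as the article describes."""
    return sorted({a["parent"] for a in alerts if a["parent"]})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} [{a["rule"]}] {a["cmdline"]}  <- {a["parent"]}')
    print("suspect parents:", suspect_parents(found))
```

Run against the constructed events, the two deletion commands on WS-0412 are flagged and both trace back to the same parent executable in a user's Temp directory, while the backup agent's listing call and the notepad launch pass. A production rule would also want the alert age tracked, since the guarantee terms quoted later in the article expect a flagged threat to be blacklisted within an hour.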
Of course, the security software might still fail to stop the ransomware. "We do expect to make some payouts here and there," Grossman says. "It's going to be a statistical fact."
But even compensating victims has benefits for SentinelOne, Grossman says. If the company has to pay $1,000 for an infected endpoint, for example, its research and development team can incorporate what it learned from that failure to improve the product. "For us - a weird way to look at it - it's R&D. We just paid $1,000 to help protect all of our customers," he says.
The guarantee also stipulates that if ransomware gets detected on a system - but for some reason doesn't get blocked - then customers must take action. In particular, the terms and conditions require that a threat be added to a blacklist within an hour of a user receiving an alert. But as Simon Edwards, founder of the anti-virus testing organization SE Labs in London, says, "this might not be realistic."
Edwards says if a non-technical user comes across such a warning, for example over the weekend, the person may not be able to reach someone who has the admin rights to edit the blacklist. Grossman says that's a good point, but tells me that the product itself will also allow any user to submit a report on something suspicious.
SentinelOne's Safeguard: Insurance
When weighing the pros and cons of this offer, keep in mind that SentinelOne only reimburses organizations for the cost of a ransom if remediation fails, and it won't immediately bail victims out. That means a potential victim would still need to have cash - or bitcoins - on hand to pay the ransom and recover their data, if they decide that this is their best course of action. Of course, the merits and ethics of paying ransoms continue to be debated.
Grossman says that from a business standpoint, SentinelOne has safeguarded the business - in the event that compensation gets out of hand - by taking out its own insurance policy to cover the cost of claims. "It's a liability equation," he says.
To date, SentinelOne has published a press release with details about the guarantee program. But will SentinelOne reveal if it has to pay a claim? Grossman says that's a good question, and that he'd like SentinelOne to publish an end-of-the-year summary on any payouts the company has made, together with details on related circumstances.
"We suffer this credibility crisis where no one really believes what we do, [and] that this [software] is going to work," Grossman says. "I think security vendors should stand by the marketing claims of their products."
- Category: Security News
Breach Preparedness, Data Breach, Info Sharing
After Years Without an Official Coordinator, One Organization Will Get Grant Support
(Photo: Karen DeSalvo, M.D., national coordinator for health IT)
The Department of Health and Human Services will soon issue up to $1.75 million in grants to give a boost to just one organization that will take a lead role in cyber threat information sharing. A top priority of the ramped-up effort to help fight cyberattacks in the healthcare sector is to keep smaller organizations better informed of the latest risks.
"Establishing robust threat information sharing infrastructure and capability within the healthcare and public health sector is crucial to the privacy and security of health information, which is foundational to the digital health system," said Karen DeSalvo, M.D., who heads HHS' Office of the National Coordinator for Health IT. "This coordinated resource will focus on sharing the most up-to-date threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information."
The grants will support one information sharing and analysis organization, or ISAO, that has bi-directional capability to improve the exchange of cyber threat information with HHS and throughout the healthcare sector.
At least two cyber threat information sharing organizations - the National Health Information Sharing and Analysis Center, or NH-ISAC, and the Healthcare Information Trust Alliance - already serve the healthcare sector. Some observers, however, say efforts by both of these organizations so far have come up short when it comes to keeping smaller organizations well-informed.
NH-ISAC tells Information Security Media Group it plans to apply for the funding. It remains unclear whether HITRUST plans to apply.
Other Candidates?
While the HHS funding opportunity is open only to organizations that already have an infrastructure and provide cyber information sharing, some observers say NH-ISAC and HITRUST aren't the only potential candidates to compete for the grants.
"This is a government grant, so any not-for-profit can throw its hat in the ring and vie for the grant," says Mac McMillan, CEO of the security consulting firm CynergisTek. "The encouraging thing is that the NH-ISAC has been re-energized of late under [new president] Denise Anderson's leadership, and with the support of College of Healthcare Information Management Executives and other key healthcare organizations, it appears to be on course to join its counterparts in finance and other sectors where the ISAC is a real asset," he says.
"You'll find that whoever gets this grant will be required to develop a system to reach all sectors within healthcare by the government who always has its eye on the smaller provider, not just the big players who frankly can do this for themselves if they wanted to."
Many areas in cyber threat information sharing need improvement in the healthcare sector, McMillan contends. That includes, for example, "having an effective clearinghouse for where the information comes from and is vetted, having an effective mechanism or mechanisms for dissemination, formal cross-entity collaboration processes, etc."
An ONC spokesman tells ISMG: "We encourage every eligible organization to submit applications after which [HHS] will review them to select an ISAO for the healthcare and public health sector."
How Grants Will Be Awarded
ONC and the HHS Office of the Assistant Secretary for Preparedness and Response on July 25 announced two cooperative agreement funding opportunities. The combined funding for an ISAO in the first year will be worth $250,000, but the grant could be renewed for up to five years. ASPR and ONC are issuing separate funding opportunity announcements with scopes of work specific to each funding source, HHS notes. August 25 is the deadline to apply for the funding.
The development of an ISAO for healthcare was called for by the Obama administration under an executive order signed in February 2015, as well as in the Cybersecurity Information Sharing Act signed into law last November.
HHS says the grant funding will help expand the "bi-directional information sharing" and outreach of a currently functioning organization to include HHS and the entire public healthcare and healthcare sector. The grants, however, are "not intended to fund the awardee's entire operation," HHS says.
The organization receiving the grants will:
- Provide cybersecurity information and education on cyber threats affecting the healthcare and public health sector;
- Expand outreach and education activities to ensure that information about cybersecurity awareness is available to the entire healthcare and public health sector;
- Equip stakeholders to take action in response to cyber threat information;
- Facilitate information sharing widely within the healthcare and public health sector, regardless of the size of the organization.
Potential Contenders
The NH-ISAC has already been working with HHS and others in the healthcare sector in sharing cyber information, notes Anderson, its new president. "The NH-ISAC recognizes the need for the healthcare and public health sector to receive information and education about threats more broadly as some of the smaller sector stakeholders are the most vulnerable. Many of our board members believe it is their mission to help out the more vulnerable organizations within the sector and that a rising tide floats all boats."
HITRUST, which already is a federally recognized ISAO in the healthcare sector, says in a statement provided to ISMG: "We have published numerous progress reports on the effectiveness of cyber information sharing within the healthcare industry and the efforts HITRUST, through our Cyber Threat Xchange [service], has taken and has planned to undertake to address and advance cyber information sharing in the industry. With that said, there is always room for more to be done."
The HHS grants are trying to make it more affordable for smaller public health and private healthcare entities to tap into cyber information sharing services, HITRUST notes. The organization claims that it already provides a cyber threat information exchange service "free of charge" to any healthcare or public health organization that wishes to join its ISAO.
Threat Info Sharing Lacking
Harris Health System, which was awarded a one-year, $150,000 HHS grant to help identify ways to share cyber threat information, will release its final report from that study by Sept. 30, says Jeffrey Vinson, CISO at the system.
The organization briefed HHS in March on some of the preliminary results of the first part of its study. "We discovered the healthcare sector wants to be able to share cyber threat information but doesn't currently have a way to do it, which isn't shocking," he says.
Vinson says he's not certain whether Harris will apply for the latest grant opportunity, "but given our knowledge and work in this area it would make sense if we did apply for a new grant."
Bolstering cyber information sharing in the healthcare sector is critical, Vinson says. "Cyber threat information is extremely important to the healthcare sector and public health because the industry lags behind the other industries when it comes to robust cybersecurity, and last year healthcare was under heavy attack," he says.
"Not many of us in the healthcare sector even understand how these organizations were breached, so we have no idea how to better protect ourselves from these attacks."
- Category: Security News
ID & Access Management, Risk Management, Technology
Google Project Zero's Tavis Ormandy Found the Flaw
Password managers are a wise way to manage large volumes of login credentials in a safe way. The applications generate strong passwords for new web services and securely store them. But if a password manager has software vulnerabilities, it could mean all accounts could be compromised.
After dropping hints on Twitter, Google Project Zero's Tavis Ormandy revealed the details of what he portrays as a severe vulnerability in the LastPass password manager. LastPass, however, has released a patch.
Cracking a password manager is extremely useful for an attacker because it immediately provides access to a number of websites and services. Ormandy's first warnings came on July 26 via Twitter: "Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap." In a follow-up tweet, he wrote: "Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise."
Firefox Add-On
Ormandy's research focused on the Firefox add-on for LastPass. LastPass has different add-ons for various browsers, which interact with the "vault" application, which is used for securely storing passwords.
The vulnerability Ormandy identified allows an attacker to communicate with the add-on through malicious code, he claimed in an advisory. For a successful exploit, a victim would have to be tricked into visiting a malicious website.
"An attacker can create and delete files, execute script, steal all passwords, log victims into their own LastPass account so that they can steal anything new saved there, etc, etc.," Ormandy wrote.
LastPass did not respond to Information Security Media Group's repeated requests for comment. But the company posted a blog on July 27 acknowledging the vulnerability and saying it has now been patched. It's not clear whether attackers had actually used the vulnerability before Ormandy's disclosure.
LastPass has pushed an update to Firefox browsers version 4.0 or later. The update can also be obtained here; the up-to-date version is 4.1.21a.
Ormandy says he donated the bug bounty he received from LastPass to Amnesty International, according to his advisory.
Other Issues for LastPass
The attention around Ormandy's latest find caused another security researcher to disclose another issue he found in LastPass. That vulnerability was fixed about a year ago, according to LastPass, which addressed that issue in the same advisory in which it discussed Ormandy's finding.
Mathias Karlsson found a URL parsing bug that affected all browsers using LastPass. LastPass autofills passwords for domains for which it has stored credentials. Karlsson found that by tweaking a URL, he could make LastPass regurgitate credentials for domains that a user wasn't actually visiting.
LastPass, which fixed the problem within a day, rewarded Karlsson with $1,000, according to his blog post.
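The class of bug Karlsson describes, an autofill decision driven by a loosely parsed URL, is worth seeing side by side with the safe approach. The block below is an added illustration, not LastPass's code and not a reconstruction of the specific bug (the article gives no details of it): it contrasts a weak matcher that looks for the stored host anywhere in the raw URL with a hardened one that parses the URL, takes only the hostname, requires HTTPS and compares on host boundaries. The vault contents, credential labels and probe URLs are all constructed for the example.

```python
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Constructed vault: stored site host -> credential label. No real secrets.
VAULT: Dict[str, str] = {
    "bank.example": "alice@bank.example",
    "mail.example.org": "alice@mail.example.org",
}


def naive_match(url: str, vault: Dict[str, str] = VAULT) -> Optional[str]:
    """Weak matcher: looks for the stored host anywhere in the raw URL.
    Any page that can embed that string (path, query, userinfo, a
    look-alike subdomain) gets the credential offered to it."""
    for host, cred in vault.items():
        if host in url:
            return cred
    return None


def host_matches(page_host: str, stored_host: str) -> bool:
    """Exact host or a subdomain of it; the dot boundary stops
    'bank.example.evil.test' or 'notbank.example' from matching."""
    return page_host == stored_host or page_host.endswith("." + stored_host)


def strict_match(url: str, vault: Dict[str, str] = VAULT) -> Optional[str]:
    """Hardened matcher: parse the URL, use only the hostname component,
    require HTTPS, and compare on host boundaries."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    for stored, cred in vault.items():
        if host_matches(host, stored):
            return cred
    return None


# Constructed probe URLs: each is paired with whether a credential for
# bank.example should be offered on that page.
PROBES = [
    ("https://bank.example/login", True),
    ("https://login.bank.example/", True),
    ("https://evil.test/?next=https://bank.example/", False),
    ("https://bank.example.evil.test/login", False),
    ("https://user@bank.example@evil.test/", False),
    ("http://bank.example/login", False),
]


def leaks(matcher: Callable[[str], Optional[str]]) -> List[str]:
    """URLs for which a matcher offers a credential although it should not."""
    return [url for url, should in PROBES
            if not should and matcher(url) is not None]


if __name__ == "__main__":
    print("naive leaks :", leaks(naive_match))
    print("strict leaks:", leaks(strict_match))
```

The naive matcher hands out the bank credential on four of the six probes, including a page that merely carries the bank's hostname in its query string and one that hides it in the userinfo part of the URL. The strict matcher offers it only on the bank's own host and its subdomains. Note that a real password manager should go one step further and compare registrable domains using the Public Suffix List, so that a stored entry for something like a shared hosting suffix cannot match every site under it.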
In January, research suggested that a relatively simple phishing attack could undermine LastPass. Sean Cassidy, CTO of Praesidio, published information on an attack he nicknamed LostPass.
Cassidy showed that notifications displayed by LastPass could be spoofed, which could trick people into giving away their login credentials or a one-time passcode, according to his presentation given at the Shmoocon hacking conference.
As a result, LastPass changed how it displays notifications, including sending warnings of login attempts from a new location if they have two-factor authentication enabled, the company wrote in January.
- Category: Security News
As a report surfaced July 29 that the campaign of presidential nominee Hillary Clinton was hacked, the Democratic Congressional Campaign Committee confirmed that it was breached shortly after the Democratic National Committee announced that it, too, had been hacked.
The Clinton campaign said that intruders had gained access to an analytics program used by the campaign and maintained by the Democratic National Committee, but it said that it did not believe that the campaign's own internal computer systems had been compromised, according to the New York Times.
News service Reuters, citing people familiar with the matter, reported that Clinton's campaign was hacked as part of a broad cyberattack on Democratic Party institutions. The New York Times reported the Clinton campaign hack appears to have originated from Russia's intelligence services.
The U.S. Department of Justice national security division is investigating whether the attacks on Democratic political organizations threatened U.S. security, sources familiar with the matter said, Reuters reports. The involvement of the Justice Department's national security division is a sign that the Obama administration has concluded that the hacking was state sponsored, individuals with knowledge of the investigation told the news service.
Meanwhile, DCCC spokeswoman Meredith Kelly said in a statement issued July 29 confirming its breach: "Based on the information we have to date, we've been advised by investigators that this is similar to other recent incidents, including the DNC breach. We are cooperating with the federal law enforcement with respect to their ongoing investigation."
Broad Attack on Democrats?
The breach at the DCCC, which raises money for Democratic House candidates, may have been launched by the Russian hackers who also attacked the Democratic National Committee, according to several news reports quoting unnamed sources. The Washington Post reports that the FBI is treating the DNC and DCCC breaches as a single investigation.
At a White House briefing held after the revelation of the DCCC breach but before word of the Clinton campaign hack, White House Deputy Press Secretary Eric Schultz said of the investigations of the DNC and DCCC attacks: "So if there are connected events that they would look at, that would be part of their investigation. Obviously, we expect that investigation to be thorough and deliberate and look at all the facts ... and to where they lead."
But Schultz would not say whether Russians were behind the attacks. "There's sort of a usual list of suspects when it comes to malicious cyber activity, so they're looking at those suspects," he said. "But at this point, they don't have any public confirmation to announce at this time."
Cybersecurity firm FireEye compiled a report on the DCCC hack that claims a Russia-based hacking group called APT 28 is the likely culprit, according to the website Morning Consult. Hackers targeted information on DCCC donors, FireEye claims.
Report: Hackers Redirected Traffic to Fake Website
The FireEye investigation revealed that the hackers created a website called Act Blues, which is similar to the DCCC's Act Blue domain, redirecting traffic to the fake one, CNBC reports. The hackers didn't steal money but might have collected information on donors for future illicit use. The hack lasted from at least June 19 to June 27, according to FireEye.
The FBI is trying to determine whether emails obtained in the DNC hack are the same ones that were leaked on the website of the anti-secrecy group WikiLeaks, the Washington Post reports. The DNC's leaked emails, which allegedly show bias by committee officials against unsuccessful presidential candidate Bernie Sanders, forced the resignation of DNC Chairwoman Debbie Wasserman Schultz (see Leaked DNC Emails Show Lax Cybersecurity).
A spokesman for Russia's embassy in Washington denied Russian involvement in the DNC and DCCC hacks, according to several news media reports.
- Category: Security News
In a preview of his keynote address at Information Security Media Group's New York Fraud and Breach Prevention Summit, Global Cyber Alliance CEO Phil Reitinger explains why today's approach to cyber risk management is stuck in the "Bronze Age," with practitioners acting more like "witch doctors" than scientists.
In this latest ISMG Security Report (click on player beneath image to listen), you'll also hear:
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our July 26 and July 29 reports, which respectively analyze how the U.S. might retaliate against Moscow if Russia indeed hacked Democratic Party computers, and what the Democratic Party platform has to say about privacy and cybersecurity. The next ISMG Security Report will be posted Friday, Aug. 5.
Theme music for the ISMG Security Report by Ithaca Audio under the Creative Commons license.