Endpoint Security, Internet of Things Security
Presented by BlackBerry, 60 minutes
As companies look for new ways to drive internal efficiencies and improve workflows for their staff, many are turning to digital transformation in the workplace.
This may mean a single application that, based on data extracted by IoT sensors, will guide you to a free parking space as you arrive at work. As you then walk into the office you will be directed to a free workspace, meaning that every day you will collaborate with different colleagues, rather than always being sat with the same team.
You will be able to book your meeting room and control heating, lighting and comms - all from your smartphone. However, with any advancement in technology or process, we inevitably see an increase in threat surface and attack vectors, both against users and the technology itself.
In this webinar we will discuss:
How digital transformation and IoT will drive the workplace of the future;
Understand the elevated threat surface created by digital transformation;
Keys to successful mitigation of these threats and how best to prepare.
A phishing attack on Wednesday targeted at least 2,700 banking institutions of various sizes in the U.S. and around the world, explains Aaron Higbee, CTO and co-founder of Cofense, which detected the attack.
Cofense's discovery of the shift in behavior of the Necurs botnet is unlikely to be related to the imminent ATM jackpotting attack for which the FBI has issued a warning, Higbee says in an interview with Information Security Media Group. But the global phishing campaign could be the prelude to some sort of broader attack, he adds.
"If I was a cybercriminal who had an interest in doing one of these large ATM jackpotting schemes, one of the foundational things that I would have to do first is have a list of compromised banks, and that would give me access to account numbers and maybe even the ability to alter the withdrawal limit," Higbee says.
In this interview (see audio link below photo), Higbee also discusses:
Details of the behavioral shift of the Necurs botnet to focus on phishing financial institutions;
The unique attributes of this phishing attack;
Preventive measures that banks should deploy.
Higbee is the co-founder and CTO of Cofense, formerly known as PhishMe. He previously co-founded Intrepidus Group and served as principal consultant for McAfee's Foundstone division.
SANTIAGO, Chile (AP) — U.S. Defense Secretary Jim Mattis and his Chilean counterpart have signed an agreement pledging closer cooperation in combating cyber threats.
Mattis and Defense Minister Alberto Espina held a signing ceremony Thursday after meeting to discuss a range of security issues, including military exercises and cooperation in science and technology. Cyber defense is a topic of growing interest throughout the Western Hemisphere. Banco de Chile, one of the country's biggest commercial banks, has said a hacking operation robbed it of $10 million in June.
Santiago was the fourth stop for Mattis on a tour of South America that began in Brasilia on Sunday. He also visited Rio de Janeiro and Buenos Aires and is scheduled to hold talks in Bogota, Colombia, on Friday.
Facebook this week announced the winners of its 2018 Internet Defense Prize. Three teams earned a total of $200,000 this year for innovative defensive security and privacy research.
In the past years, Facebook awarded only one team a prize of $100,000 as part of the initiative. In 2016, the winning team presented research focusing on post-quantum security for TLS, and last year’s winners demonstrated a novel technique of detecting credential spear-phishing attacks in enterprise environments.
Facebook says this year’s submissions were of very high quality so the social media giant has decided to reward three teams instead of just one.
The first prize, $100,000 as in the previous years, was won by a team from imec-DistriNet at Belgian university KU Leuven. Their paper, titled “Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies,” describes methods that browsers can employ to prevent cross-site attacks and third-party tracking via cookies.
It’s worth mentioning that a different team of researchers from KU Leuven has been credited for discovering the recently disclosed Foreshadow speculative execution vulnerabilities affecting Intel processors.
Second place, a team from Brigham Young University, earned $60,000 for a paper titled “The Secure Socket API: TLS as an Operating System Service.” The research focuses on a prototype implementation that makes it easier for app developers to use cryptography.
“We believe safe-by-default libraries and frameworks are an important foundation for more secure software,” Facebook said.
Third place, a group from the Chinese University of Hong Kong and Sangfor Technologies, earned $40,000 for “Vetting Single Sign-On SDK Implementations via Symbolic Reasoning.”
“This work takes a critical look at the implementation of single sign-on code. Single sign-on provides a partial solution to the internet’s over-reliance on passwords. This code is widely used, and ensuring its safety has direct implications for user safety online,” Facebook explained.
Last week, Facebook announced that it had awarded a total of more than $800,000 as part of its Secure the Internet Grants, which the company unveiled in January. Facebook has prepared a total of $1 million for original defensive research, offering grants of up to $100,000 per proposal.
Researchers and several major tech companies this week disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.
The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).
A piece of malware installed on a system can exploit the flaws to gain access to potentially sensitive data stored in supposedly protected memory.
Industry professionals have commented on various aspects of Foreshadow/L1TF, including its impact on various types of systems, difficulty of exploitation, and performance issues introduced by mitigations.
And the feedback begins…
Tod Beardsley, research director, Rapid7:
“The L1TF / Foreshadow vulnerability announced today should be of particular interest to enterprises which run virtual computers in shared hosting environments. Customers of this kind of cloud computing service should keep an eye out for communications from their hosting providers, which will tell them if they need to do anything special with their guest operating systems. In many cases, hosting providers already provide a reasonable mitigation by ensuring that virtual machines run by different customers are isolated from each other, and don't intermingle different processes on the same CPU core.
So, while it's likely that virtual machine users need to update their own guest operating systems, they should be rolling out security patches routinely anyway. If you're a VM customer and haven't yet heard anything from your provider, a call to their tech support is in order to make sure they're aware of the issue, since the host operating systems need to be updated as well.
All that said, home users generally do not need to worry too much about these issues; all of these speculative execution bugs are pretty exotic, and unlikely to be used against individual end users anytime soon. Cryptojacking and ransom-based malware are still pretty effective mechanisms that criminals employ to extract money out of victims, so they don't need to go to the trouble of setting up and executing a complicated attack using Foreshadow.”
Ken Spinner, VP of Field Engineering, Varonis:
“Cloud providers of virtual servers are more susceptible than on-premises networks in this instance because that's the most likely place you'd have one physical server housing dozens of virtual machines run by different companies. If the vulnerability could be successfully exploited, attackers could hit the jackpot. However, a data centre could hold literally hundreds of thousands of servers and potentially millions of VMs. Hackers would be conducting an unfocused attack, rather than focusing on exploiting a target organisation. It would be a shot in the dark.
These vulnerabilities are the latest in a long line of exploits. While the approaches change, the goal often stays the same – to grab your company’s data. To complicate matters, most companies are dealing with hybrid data stores with some of their data on-premises and some in the cloud, which creates challenges and potential risk from a security and data governance standpoint. Never assume your data is safe in the cloud. If your cloud environment isn’t secure, your data won’t just be in danger of being exposed to your entire organisation – it could be accessible to hackers or even the world.”
Roi Panai, Senior Engineering Manager for Research at Mimecast and Director of Research at Solebit:
“The rising number of hardware vulnerabilities should concern us, the defenders, since these kinds of exploits are much more difficult to patch and thus very difficult to protect against.
Following other Intel CPU vulnerabilities such as "Melt-Down", Foreshadow proves that protecting essential data (i.e. kernel space) with strong confidentiality and integrity security methods is not enough.
The attack exploits instruction execution cache methods designed for processing optimization in order to extract information from privileged locations using different methods (i.e. covert-channel). Together with "Foreshadow-NG" variations, these kinds of attacks proved to be very effective against "isolated" sections by exposing cached physical memory data which is widely used by virtual entities, for example, giving the attacker full information about running virtual machines which was considered to be unreachable before.
Some strong and important modules, such as optimization processes, may compromise other security methods, leaving some holes for attackers to exploit, thus proving that the trade-off between security and advanced processing might be dangerous.”
Heather Paunet, Vice President of Product Management, Untangle:
“Foreshadow allows hackers to read the enclave memory without penetrating the enclave from the outside. This essentially allows hackers to make a shadow copy of the data and place it in a different unprotected location, causing speculative execution to revert all data to the new unprotected location. While this new vulnerability can be critically damaging to a device, the researchers and Intel have worked together to release patches to fix the underlying issues.
While Foreshadow is threatening, exploiting those vulnerabilities in practice is very difficult. However, there are certain scenarios that may warrant immediate action and concern. Data centers and cloud providers with highly virtualized environments are particularly at risk. Administrators must be vigilant to ensure that all environments take advantage of the latest available patches on an ongoing basis. Intel is working with some of its partners to address this scenario which could impact performance and resource utilization.
One key takeaway from the Foreshadow announcement is that Intel is working with both the research community as well as the security community at large, expanding its bug bounty program. Industry partnerships with researchers and the wider security community are critical. Closed-source companies are sometimes reluctant to embrace these partnerships when compared to open-source companies, so it's a positive step overall to see more collaboration. Cybersecurity changes in real time, so vendors, researchers and the community must continue to work together to stay one step ahead of potential exploit vectors to head off future attacks.”
Abhishek Iyer, Technical Marketing Manager, Demisto:
“There are a few menacing projections that we can draw from the Foreshadow vulnerability, and these projections are not new. Firstly, a base exploitation technique like L1TF can lead to many derivative attack methods, each affecting a separate user base in different ways. The variants of L1TF that have been discovered so far affect isolated systems, virtualized systems, and cloud-hosted systems on multi-tenant environments. While the microcode updates and OS patches supplied so far can stop these attacks, the likelihood of other attack derivatives that bypass these safeguards is real and present.
The other interesting pattern to note is how attackers piggyback on computing advancements and exploit the fact that there’s often a lag between performance improvements and corresponding security improvements. The Intel SGX brought an innovation to market – the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks – but the Foreshadow (L1TF) attack explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines.”
Jeff Ready, CEO, Scale Computing:
“The design flaw in Intel chips has left Windows and Linux systems vulnerable. Any device or service connected to the chips is essentially left at risk – especially after the latest flaw that was revealed – Foreshadow. The main focus is working in real time to identify the issues and look at what needs to be patched. Performance impacts will be seen across the industry. Systems that utilize software defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem, will likely have a much larger performance impact as a result of these fixes. After the patches and fixes roll out, we will be able to see the true extent of the impact.”
Setu Kulkarni, VP of corporate strategy, WhiteHat Security:
“Unlike application security vulnerabilities where the remediation/mitigation is increasingly ‘centralized’ with cloud-based, multi-tenant systems, the same cannot be said about chip vulnerabilities. It’s getting to be a zero-sum game, as infosecurity teams are dealing with an increasing variety of security issues... the more they protect, the more there is to protect. There is a revolution waiting to happen in the way security teams will respond to the increasing variety and volume of security challenges – and it’s going to be based in automation, data science and shifting from ‘what we need to protect’ to ‘who we need to protect.’
The universal backward compatibility for the internet may also be subject to future change. Just as old versions of TLS and SSL can never be secure again, Foreshadow’s use of speculative execution has the potential capacity to break down the barriers between virtual machines – which may also impact cloud service providers and eHosting. The demand for speed of web page loading may yet prove our undoing, and the web may see an adjustment of expectations in the name of security rather than expedience.”
Bill Conner, CEO, SonicWall:
“Once again, relentless researchers are demonstrating that cyber criminals can use the very architecture of processor chips to gain access to sensitive and often highly valued information. Like its predecessors Meltdown and Spectre, Foreshadow is attacking processor, memory and cache functions to extract sought-after information. Once gained, side-channels can then be used to ‘pick locks’ within highly secured personal computers or even third-party clouds undetected.
This class of attack is something that will not dissipate. Instead, attackers will only seek to benefit from the plethora of malware strains available to them and which they can formulate like malware cocktails to divert outdated technologies, security standards and tactics.”
Getting Off the Ground With Security Orchestration, Automation, and Response
When interacting with companies that are considering purchasing a security orchestration, automation, and response (SOAR) solution, I often hear them express the concern that their current incident response program is not mature enough for them to make the leap to implementing a comprehensive platform, complete with automation and orchestration. When there is little to no foundation in place, the task of getting started seems overwhelming, especially if no one on your team has experience with incident response or security orchestration solutions.
While it’s true that you don’t want to just add automation to inefficient processes and call it a day, it’s a mistake to get further entrenched in the old ways of handling security incidents if those ways are no longer good enough. If you know you want to improve your security operations, but don’t know where to start, here are a few steps that can help get you ready for a SOAR platform.
Take Stock of Your Current Operations
Two organizations might describe themselves as not having an incident response program, but mean totally different things. With or without a SOAR or incident response platform, every organization has some way of managing security incidents, even if they may involve a lot of improvisation and ad hoc processes.
When preparing to implement a SOAR platform, take the time to talk to the stakeholders in your organization to understand the current processes and how effective (or ineffective) they are. This should include an inventory of tools; for instance, what is your existing infrastructure for IT and InfoSec? Do you have any tools for data enrichment? Once you understand what tools you already have, you can map them to an incident response lifecycle—such as the one outlined by NIST 800-61r2—and identify where your gaps are.
Next, take a look at what incident response processes or playbooks your organization is following. How does the SOC collaborate internally, and with other teams such as IT and data privacy groups? How do you maintain compliance with legal and regulatory obligations during incident response? How does your team currently manage common security incidents like phishing or malware?
If any metrics are available, review them for insight into what is working well and where improvements can be made. For example, do you know how long it takes to detect and respond to security alerts? What activities are taking up too much of your security analysts’ time? If there are no formal metrics available, ask security analysts and managers for their assessments.
Figure Out What Features are Most Important to You, and Which Platforms Offer Them
There are many different SOAR offerings on the market, so to narrow the parameters of your choices, take some time to identify the capabilities that are most important. What do you want to automate initially? What problems are most pressing for your security team? Do you have recurring incidents, data siloes, or process bottlenecks? Your analysts can help answer these questions.
Each platform will emphasize different aspects of security operations. Broken down into general categories, these features might include:
● Alert management, which helps SOCs sort, evaluate, and close the steady stream of security alerts that come in from SIEM and other source systems.
● Triage, which helps analysts make decisions by gathering contextual information from internal and external sources, such as threat intelligence and previous incident records.
● Incident response, which encompasses playbooks, task management, link analysis, and other features that support effective and repeatable response workflows.
● Reporting and analytics, which includes the ability to automate or schedule reporting, generate detailed SOC metrics, and tailor dashboards to the different roles that use the system.
● Compliance and tracking, such as audit trails, chain of custody, and templates for common compliance reports.
● Case management, which may include support for collaboration between investigators and other teams, case folders for related incidents, guided investigation workflows, and evidence management.
Try Sketching Out a Playbook
To get a detailed sense of how you will use a SOAR platform, sketch out a playbook for one of your most important use cases. Then, identify where you think automation and orchestration can be used to enhance the steps. You can easily find online examples of playbooks from vendors or industry bodies, which should give you a sense of what steps to include. Evaluating your current processes and interviewing your analysts, as I’ve recommended, will provide more valuable information, including common or important use cases. Try starting with a use case that you think will be typical in your security environment, such as a phishing attempt, suspected data breach, or malware infection.
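As an added illustration (not part of the original article), the following Python sketch encodes a phishing-report playbook as data, maps each step to a NIST SP 800-61r2 lifecycle phase, and checks it against a tool inventory to surface the automation gaps the earlier steps tell you to look for. The step list, tool categories and inventory are constructed assumptions, not a SOAR product's format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four phases of the NIST SP 800-61r2 incident response lifecycle.
PHASES = ("Preparation", "Detection & Analysis",
          "Containment, Eradication & Recovery", "Post-Incident Activity")


@dataclass(frozen=True)
class Step:
    """One playbook step: its lifecycle phase, the tool categories it needs,
    and whether a SOAR platform could run it without an analyst."""
    name: str
    phase: str
    requires: Tuple[str, ...] = ()
    automatable: bool = False

    def __post_init__(self) -> None:
        if self.phase not in PHASES:
            raise ValueError(f"unknown lifecycle phase: {self.phase!r}")


@dataclass
class Playbook:
    use_case: str
    steps: List[Step]

    def runnable(self, inventory: Dict[str, str]) -> List[Step]:
        # Automatable steps whose required tool categories you already own.
        return [s for s in self.steps
                if s.automatable and all(t in inventory for t in s.requires)]

    def automation_coverage(self, inventory: Dict[str, str]) -> float:
        # Fraction of the playbook you could automate on day one.
        return len(self.runnable(inventory)) / len(self.steps)

    def gaps(self, inventory: Dict[str, str]) -> List[Tuple[str, List[str]]]:
        # Automatable steps blocked by a tool category missing from the inventory.
        return [(s.name, [t for t in s.requires if t not in inventory])
                for s in self.steps
                if s.automatable and any(t not in inventory for t in s.requires)]

    def by_phase(self) -> Dict[str, List[str]]:
        # Step names grouped by lifecycle phase, for the gap review.
        return {p: [s.name for s in self.steps if s.phase == p] for p in PHASES}


# Constructed tool inventory (category -> product); product names are placeholders.
INVENTORY: Dict[str, str] = {"email_gateway": "example-mail-gateway",
                             "siem": "example-siem", "ticketing": "example-ticketing"}

# Constructed phishing-report playbook; the steps and tool categories are assumptions.
PHISHING = Playbook("User-reported phishing email", [
    Step("Maintain reporting button and analyst runbook", "Preparation"),
    Step("Ingest the reported message", "Detection & Analysis",
         ("email_gateway",), True),
    Step("Extract sender, URLs and attachment hashes", "Detection & Analysis",
         (), True),
    Step("Enrich indicators with threat intelligence", "Detection & Analysis",
         ("threat_intel",), True),
    Step("Search SIEM for other recipients", "Detection & Analysis", ("siem",), True),
    Step("Analyst verdict: malicious or benign", "Detection & Analysis"),
    Step("Block sender and URLs at the gateway",
         "Containment, Eradication & Recovery", ("email_gateway",), True),
    Step("Isolate endpoint if the attachment was opened",
         "Containment, Eradication & Recovery", ("edr",), True),
    Step("Open ticket with audit trail and chain of custody",
         "Containment, Eradication & Recovery", ("ticketing",), True),
    Step("Hold post-incident review and update metrics", "Post-Incident Activity"),
])

if __name__ == "__main__":
    print(f"{PHISHING.automation_coverage(INVENTORY):.0%} automatable today")
    for step, missing in PHISHING.gaps(INVENTORY):
        print(f"gap: {step!r} needs {missing}")
```

Adding the missing categories to the inventory raises the coverage figure, which is a quick way to weigh a tool purchase against the playbook steps it would unblock.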
If you have no formal incident response program, implementing a SOAR solution, incident response platform, or any other major security tool can be challenging. But after taking the steps I’ve described here, you will have a better sense of where you are now, where you need to go, and most importantly, how you can get there.
Cyberwarfare / Nation-state attacks, Data Breach, Fraud Management & Cybercrime
Presidential Order Loosens Restrictions On Use Of Cyber Weapons
(jeremy_kirk) • August 17, 2018
[Photo: Then President-elect Donald Trump meets President Barack Obama in the White House on Nov. 10, 2016.]
U.S. President Donald Trump signed a presidential order on Wednesday that revokes a set of Obama-era guidelines for offensive cyber operations, the Wall Street Journal reports.
The move was made without fanfare and was described by anonymous administration officials speaking to the publication. The move is intended to loosen restrictions on U.S. use of cyber weapons against adversaries, the Journal reports.
The policy change may satisfy critics who contend the U.S. should be able to move faster and more aggressively in response to cyber attacks. But it also could raise questions as to whether such actions could further aggravate adversaries and cause an escalation of activity.
"I think the decision will inevitably escalate an already tense situation amongst nation states," says Ilia Kolochenko, CEO of the computer security firm High-Tech Bridge. "Following the US example, many other countries may consider this option, virtually declaring cyber war on each other."
Trump has spoken of strengthening U.S. defenses, including its cyber capabilities. But his administration has come under increasing pressure after intelligence agencies concluded Russia waged an extensive hacking campaign to interfere with the 2016 presidential election.
U.S. officials maintain that Russia is continuing with election-related interference activities ahead of the midterm elections, due to take place on Nov. 6.
The old rules, Presidential Policy Directive 20 (PPD-20), were classified. But the material was among the documents leaked by former NSA contractor Edward Snowden and published by The Guardian in June 2013.
The directive broadly outlines a cautious approach for offensive and defensive actions that are likely to result in "significant consequences." Any of those kinds of operations require approval by the president. The directive also describes the flow of approvals that should be followed for "emergency cyber actions."
In most cases, countries that either will experience effects from a U.S. cyber action or be the base for U.S. systems that launch an operation should be informed unless ordered by the president.
Offensive actions should only be initiated in response to persistent malicious cyber activity if "network defense or law enforcement measures are insufficient or cannot be put in place in time to mitigate the malicious cyber activity."
The directive also says the offensive response should be limited to "the minimum action required to mitigate the activity."
The most famous offensive cyber operation to become publicly known involved the malware known as Stuxnet (see Report: Obama Ordered Stuxnet Assault).
Suspected to be a joint operation between the U.S. and Israel, Stuxnet infected industrial control systems used to control uranium centrifuges that were part of Iran's nuclear program. The malware was designed to send commands that damaged the centrifuges.
By all measures, Stuxnet was a successful operation. But the U.S. has grappled with how to respond to offensive cyber actions directed against it.
After it became clear Russia was targeting the U.S. presidential election, Vice President Joe Biden vowed in October 2016 that the U.S. would use its cyber capabilities to send President Vladimir Putin a "message."
"He'll know it," Mr. Biden told NBC's Meet the Press. "And it will be at the time of our choosing. And under the circumstances that have the greatest impact."
[Photo: U.S. Vice President Joe Biden appears on Meet the Press on Oct. 16, 2016.]
But it's unclear if any action was undertaken. The decision is fraught with difficulty: impairing an adversary might draw a far worse response.
With Russia, for example, the U.S. and U.K. warned in April that the country had methodically worked to gain footholds in routers, switches, firewalls and network intrusion detection systems (see US, UK: Russian Hackers Deeply Embedded in Routers, Switches).
At the time, Jeanette Manfra, the U.S. National Protection and Programs Directorate's assistant secretary for cybersecurity and communications, said Russia's activities threaten "the very integrity of our cyber ecosystem."
Trump's administration had acknowledged the intensifying dangers in cyberspace. Vice President Mike Pence said on July 31 that "America's digital infrastructure is under constant cyberattack."
"Our cyber adversaries also seek to infiltrate our critical infrastructure, including our electrical grid, power stations, so that in some future conflict they might have the opportunity to shut down the nerve center of American energy and our national life," Pence said in remarks at the Alexander Hamilton U.S. Custom House in New York.
Pence said that the administration had allocated an additional $1.2 billion for cyber defence and requested another $15 billion for cybersecurity. The administration is also seeking to create a new agency within the Department of Homeland Security called the Cybersecurity and Infrastructure Security Agency.
In December, the House of Representatives passed the legislation, H.R. 3359. Pence called on the Senate to approve the legislation before year's end.