InfoSec Island

Four Ways to Protect Your Backups from Ransomware Attacks

InfoSec Island - Wed, 11/22/2017 - 9:52am

Backups are the last line of defense and the control that keeps an organization from having to pay ransom for encrypted data, but they need protection too. This year ransomware has been rampant, targeting every industry. Two headline attacks, WannaCry and NotPetya, have caused losses in excess of hundreds of millions of dollars. Naturally, cybercriminals continue to rapidly increase ransomware attacks because they are effective.

Good Backups and Effective Recovery

Proactive, not reactive, organizations have choices when it comes to ransomware. The most reliable defense against ransomware continues to be good backups and well-tested restore processes. Companies that regularly back up their data and are able to quickly detect a ransomware attack have the opportunity to restore and minimize disruption.

In some less common cases, we see wiper malware like NotPetya imitating Petya ransomware and delivering a similar ransom message. In those cases the victims are not able to recover their data even after paying a ransom, which makes the ability to restore from good backups even more critical.

Clever Attackers Target Backups

Because good backups are so effective, the attackers behind ransomware, including nation-state agents, are now targeting the backup processes and tools themselves. Several forms of ransomware, such as WannaCry and the newer variant of CryptoLocker, delete the shadow volume copies created by Microsoft Windows. Shadow copies are a convenient recovery mechanism built into Windows. On Macs, attackers targeted backups from the outset: researchers discovered functions in the first Mac ransomware back in 2015 that targeted the disks used by Mac OS X’s automated backup process, Time Machine.

The scheme is straightforward: encrypt the backups as well, so the organization loses its only means of recovery and is likely to pay the ransom. Cybercriminals are increasing their efforts and aim to destroy the backups too. Here are four recommendations to help organizations safeguard their backups against ransomware.

One: Develop visibility into your backup process

The more quickly an organization can discover a ransomware attack, the better the chances that the business can avoid significant corruption of data. Data from the backup process can serve as an early warning of ransomware infections. Your backup log will show the signs of a program that rapidly encrypts data: incremental backups will abruptly “blow up” as every file is effectively changed, and the encrypted files cannot be compressed or deduplicated.

Monitoring essential metrics such as capacity utilization from the backups every day will help organizations detect when ransomware has infiltrated an internal system and minimize the damage from the attack.
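The two symptoms described above (an incremental that suddenly touches almost every file, and data that no longer compresses or deduplicates) can be checked automatically from backup job statistics. The following is an added example, not code from the article or from any backup product; the log format and field names are constructed assumptions.

```python
"""Ransomware early warning from backup job statistics.

Added example, not from the original article. It parses a constructed backup
log (one line per incremental job) and flags jobs whose change rate jumps and
whose compression/deduplication ratio collapses at the same time. The log
layout and field names are assumptions, not a real backup product's format.
"""
from dataclasses import dataclass
from statistics import median

# Constructed sample log. Columns: date, job name, files changed,
# files total, bytes read, bytes stored after compression and dedup.
SAMPLE_LOG = """\
2017-11-13 fileserver-home 412 98120 1843200000 309400000
2017-11-14 fileserver-home 380 98131 1710000000 287000000
2017-11-15 fileserver-home 455 98140 2012000000 335000000
2017-11-16 fileserver-home 401 98152 1790000000 300500000
2017-11-17 fileserver-home 97802 98152 441000000000 438700000000
"""


@dataclass
class BackupJob:
    date: str
    job: str
    files_changed: int
    files_total: int
    bytes_read: int
    bytes_stored: int

    @property
    def change_rate(self) -> float:
        """Fraction of files the incremental had to pick up."""
        return self.files_changed / self.files_total if self.files_total else 0.0

    @property
    def reduction_ratio(self) -> float:
        """bytes_read / bytes_stored. Close to 1.0 means nothing compressed or
        deduplicated, which is what high-entropy (encrypted) data looks like."""
        return self.bytes_read / self.bytes_stored if self.bytes_stored else 0.0


def parse_log(text: str) -> list[BackupJob]:
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, job, changed, total, read, stored = line.split()
        jobs.append(BackupJob(date, job, int(changed), int(total), int(read), int(stored)))
    return jobs


def flag_suspicious(jobs, change_multiplier=10.0, min_reduction=1.5, baseline_len=3):
    """Return (job, reason) pairs for jobs that deviate from the trailing baseline.

    A job is flagged when its change rate exceeds change_multiplier times the
    median change rate of the preceding baseline_len jobs AND its reduction
    ratio falls below min_reduction (the incremental blew up and will not
    compress). Requiring both conditions keeps a legitimate mass update, which
    still compresses normally, from raising an alert.
    """
    alerts = []
    for i in range(baseline_len, len(jobs)):
        baseline = jobs[i - baseline_len:i]
        base_change = median(j.change_rate for j in baseline)
        current = jobs[i]
        if (current.change_rate > change_multiplier * base_change
                and current.reduction_ratio < min_reduction):
            reason = (f"change rate {current.change_rate:.2%} vs baseline "
                      f"{base_change:.2%}; reduction ratio {current.reduction_ratio:.2f}")
            alerts.append((current, reason))
    return alerts


def suspicious_dates(text: str) -> list[str]:
    """Convenience wrapper: dates of flagged jobs in a log."""
    return [job.date for job, _ in flag_suspicious(parse_log(text))]


if __name__ == "__main__":
    for job, reason in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(f"ALERT {job.date} {job.job}: {reason}")
```

In the sample, the final job touches 99.6% of files and stores 441 GB against a baseline of about 2 GB at a 6:1 reduction, so only that job is reported.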

Two: Be wary using network file servers and online sharing services

Network file servers are easy to use and always available, two characteristics that make network-accessible “home” directories a popular way to centralize data and simplify backup. Yet, when confronted with ransomware, this data architecture has several critical security weaknesses. Many ransomware programs encrypt connected drives, so the victim’s home directory would be encrypted as well. Any server that runs on a commonly targeted and vulnerable operating system like Windows could itself be infected, in which case every user’s data would be encrypted.

Any organization with a network file server must continuously back up the data to a separate system or service, and test the system’s restore functionality against ransomware scenarios specifically.

Cloud file services are also vulnerable to ransomware. A prominent example is the 2015 Children in Film ransomware attack. Children in Film, a business providing information for child actors and their parents, used the cloud extensively, including a shared cloud drive. According to KrebsOnSecurity, less than 30 minutes after an employee clicked on a malicious email link, over four thousand files in the cloud were encrypted. Thankfully, the business’s backup provider was able to restore all of their files, but it took upwards of a week to do so.

Depending on whether the cloud service provides incremental backups or easily managed file histories, recovering data in the cloud can prove more difficult than recovering from an on-premises server.

Three: Test your recovery processes frequently

Backups are worthless unless you have the ability to recover both reliably and quickly. Organizations can have backups but still be forced to pay the ransom, because the backup schedule failed to perform backups with sufficient granularity, or they were not backing up the intended data. For example, Montgomery County, Alabama was forced to pay a ransom to retrieve their $5 million in data as a result of difficulties with their backup files unrelated to the ransomware.

Part of testing the recovery process is determining the window of data loss. Organizations that do an entire backup every week can potentially lose up to a week of data should it need to recover after its last backup. Performing daily or hourly backups significantly increases the level of protection. More granular backups and detecting ransomware events as early as possible are both key to preventing loss.

Four: Understand your solution options

If ransomware can access backup images directly, it will be almost impossible to prevent the attack from encrypting corporate backups. For that reason, a backup system engineered to abstract the backup data will stop ransomware in its tracks from encrypting historical data.

Separating backups from your standard operating environment and ensuring the backup process doesn’t run on a general-purpose server and operating system can harden backups against attack. Backup systems running on the most targeted operating system, Microsoft Windows, are prone to attack and are much more difficult to protect from ransomware.

Ultimately, organizations must seek to detect ransomware attacks early with monitoring or anti-malware measures, use of purpose-built systems for separation between backup data and a potentially compromised system, and continuously tested backup and restore processes to ensure data is effectively protected. This approach will preserve backups from ransomware attacks and reduce the risk of losing data in the event of an infection. 

About the author: Rod Mathews is the SVP & GM, Data Protection Business for Barracuda. He directs strategic product direction and development for all data protection offerings, including Barracuda's backup and archiving products and is also responsible for Barracuda’s cloud operations team and infrastructure.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Shadow IT: The Invisible Network

InfoSec Island - Tue, 11/14/2017 - 7:02am

The term “shadow IT” is used in information security circles to describe the “invisible network” that user applications create within your network infrastructure. Some of these applications are helpful and breed more efficiency while others are an unwanted workplace distraction. However, all bypass your local IT security, governance and compliance mechanisms.

The development of application policies and monitoring technology has lagged far behind the use of cloud-based business services, as researchers note in SkyHigh’s Cloud Adoption and Risk Report. It states, “The primary platform for software applications today is not a hard drive; it’s a web browser. Software delivered over the Internet, referred to as the cloud, is not just changing how people listen to music, rent movies, and share photos. It’s also transforming how business is conducted.” Recent studies show that businesses that follow this trend of migrating operations to the cloud actually increased productivity by nearly 20 percent above those who did not.

Shifting to a new security model before we determine the rules

Traditional security thinking and products have focused solely on keeping the network and those within it safe from outside threats, and on auditing information from users, devices and alerts. The application revolution is now pushing security teams beyond the traditional network boundaries and into the cloud before acceptable-use policies and new auditing and compliance parameters have been established. It is much more efficient to lay the auditing and policy groundwork first and then allow security operations to adapt to this new element of application awareness.

Why does application awareness change security operations so drastically? Because it:

  • Emphasizes outgoing (as opposed to incoming) communication
  • Requires relating users and devices to the applications (which older tools can’t perform)
  • Shifts the focus away from signature detection and into analytics and policy
  • Requires creating network and device use policy and implementing a means to track and measure it
  • Requires pulling logs from cloud services

Beyond the security implications, there are important governance challenges when developing new application policies. While the discussion of implementing application awareness is mostly technical, the way employees use applications can also be deeply personal. Deciding to allow or block Facebook, Twitter, Dropbox, BitTorrent, Tor and personal Gmail accounts touches a human factor that goes beyond merely stopping viruses and preventing breaches. Yet, allowing such applications (especially Tor) can increase the level of risk exponentially – even beyond the threats posed by many viruses.

Changing direction to a different point of view – the insider threat

Security follows business, and business is rapidly putting its information in the cloud. Most newer security products have evolved to focus both on what is entering the network and what is leaving the network. However, the shadow IT system often circumvents corporate monitoring and security measures, and allows corporate data to flow outside the organization into the public cloud without proper oversight or control.

Replacing the threadbare notion that threats can only enter our systems from the outside is an ever-growing (and different) point of view, complemented by products and devices that also monitor outgoing communications. Until recently, this capability has been limited to data loss prevention, policy filtering and compromised-system detection.

Cloud Access Security Brokers (CASBs) are one type of outgoing protection for the network, and they do provide more visibility into network flows. They also add the burden of analysts having to sort through vast quantities of data. One Gartner analyst commented that the competitive forces currently among the CASB market providers “is a consequence of newness that limits the consistency and richness of the service they can provide.” He continued, “Data without action is kind of useless. Data has to be automatable so your team can solve the problem and move on to bigger projects.”

At this point, the point of view must pivot to gain vision into both the external threat and the internal or insider threat. The focus here is on your employees and their careless and maybe malicious behavior on network-connected devices. While some workers feel entitled to check social media or personal email applications at work, it is crucial that an organization develop smart and enforceable “acceptable-use” policies, along with regular, relevant training for all workers. This area of governance has lagged far behind the technological solutions; however, it is no less of an important piece of the visibility puzzle.

What about solid, consistent governance?

Governance is all about identifying risk and deciding what is acceptable. What is the risk of non-approved applications in a current enterprise environment? SkyHigh wrote a solid white paper on what they see as the risk in their Q4 2016 Cloud Adoption Risk Report (PDF). It should be noted that this report is biased in terms of the threat, but it does, at a minimum, provide a high-level explanation of the risk.

The above report prominently noted that email/phishing is the number one vector of attack, while web-based malware downloads are rarer by comparison. Buried deep in the SkyHigh study was the reason that we need to effectively capture application usage: while greater than 60 percent of organizations surveyed had a cloud use policy, almost all of that particular group lacked the needed enforcement capability. Roughly two-thirds of services that employees attempt to access are allowed based on policy settings, but most enterprises are still struggling to enforce blocking policies for the one-third in the remaining category that were deemed inappropriate for corporate use due to their high risk.

The ideal standard of control through enforcement is complicated, even with a CASB in place, by security “silos” and a struggle to consistently enforce policies across multiple cloud-based systems. Major violations still occur despite policies, such as authorized users misusing cloud-based data, accessing data they shouldn’t, synching data with uncontrolled PCs, and leaving data in “open shares,” in addition to users retaining access despite termination or expiration. In short, even before deploying a CASB, you can build knowledge of application use passively with other tools.

Implementing a means to passively detect applications and to tie that activity to the user and device is an essential aspect of governance and risk management. Shadow IT is the term most closely tied to the risk that application awareness addresses, as opposed to the much more arduous task of drafting and implementing policies that could be controversial with fellow staff members.

About the Author: Chris Jordan is CEO of College Park, Maryland-based Fluency, a pioneer in Security Automation and Orchestration.


4 Questions Businesses Must Ask Before Moving Identity into the Cloud

InfoSec Island - Wed, 11/08/2017 - 5:50am

The cloud has transformed the way we work and it will continue to do so for the foreseeable future. While the cloud provides a lot of convenience for employees and benefits for companies in terms of cost savings, speed to value and simplicity, it also brings new challenges for businesses. When coupled with the fact that Gartner predicts 90 percent of enterprises will be managing hybrid IT infrastructures encompassing both cloud and on-premises solutions by 2020, the challenge becomes increasingly more complex.

As is the case with any significant technology initiative, moving infrastructure to the cloud requires forethought and preparation to be successful. For many enterprises, a cloud-first IT strategy means a chance to focus on the core drivers of the business versus managing technology solutions. As these enterprises consider a cloud-first approach, they will undoubtedly be moving their IT infrastructure and security to the cloud. And identity will not be left behind.

The big question for many IT and security operations departments is: can you move your identity governance solution to the cloud? And then, perhaps more importantly, should you? The answers to these questions will vary from company to company and are dependent on the needs of the business and the current structure of the identity program.

As such, here are 4 questions every organization must ask to determine if moving identity into the cloud is the right move for their business:

  • Have you already moved any infrastructure to the cloud?

While many business applications are relatively easy to use as a service, transferring a complex identity management program into the cloud can be more challenging to implement. If your organization is already using infrastructure-as-a-service (e.g. Amazon Web Services or Microsoft Azure) then you’re likely ready to move forward with implementing a cloud-based identity governance program. However, if you haven’t experimented with moving mission-critical apps into the cloud, you should carefully consider whether your organization is prepared before making the leap. 

  • How flexible is your organization?

Regardless of how it is deployed, an effective identity governance solution must provide complete visibility across all of your on-premises and cloud applications. This visibility provides the foundation required to build the policies and controls essential for compliance and security. For organizations that don’t have the time or expertise to create custom identity policies or compliant processes from scratch, cloud-based solutions can make successful deployments more attainable. However, if your organization has rigid requirements about how identity management must be configured and deployed, it may be more of a challenge to move to a cloud-based solution.

  • Do you have limited resources?

Deploying an identity governance solution can be both time- and resource-intensive, and effective identity programs require a blend of people, processes and technology to be successful. The cloud is a great option for businesses with limited resources because it doesn’t involve hardware or infrastructure upgrades, making it faster and more cost-effective than on-premises solutions. Cloud-based identity is also a good fit for organizations with smaller IT teams or those without much specific expertise in the space.

  • How well do you understand your governance needs?

Identity governance is more than just modifying who has access to what. Effective identity governance must also answer the questions of whether this user should have access, what kind of access they are entitled to, and what they can do with that access. And while identity governance can be simple to use, what happens behind the scenes can be very complex. This is important to understand because SaaS-based identity governance is not as customizable as an on-premises solution. So, if your identity needs are fairly straightforward, the cloud might be for you, but if your organization requires more complexity and customization, on-premises might still be the best solution.

Whether you’re moving from an on-premises identity governance solution to the cloud or implementing a cloud-based identity governance solution for the first time, it’s important to take a close look at your organization and its needs before taking the next step. With these best practices in mind, you can properly manage identities and limit the risk of inappropriate access to your sensitive business data.

About the author: Dave Hendrix oversees the engineering, product management, development, operations and client services functions in his role as senior vice president of IdentityNow.


Artificial Intelligence: A New Hope to Stop Multi-Stage Spear-Phishing Attacks

InfoSec Island - Tue, 11/07/2017 - 11:19am

Cybercriminals are notorious for conducting attacks that are widespread, hitting as many people as possible, and taking advantage of the unsuspecting. Practically everyone has received emails from a Nigerian prince, foreign banker, or dying widow offering a ridiculous amount of money in return for something from you. There are countless creative examples of phishing, even health drugs promising the fountain of youth or skyrocketing your love life in return for your credit card.

In more recent times, cybercriminals are taking an “enterprise approach” to attacks. Just like business-to-business sales functions, they focus on a smaller number of targets, with the objective of obtaining an exponentially greater payoff through extremely personalized and sophisticated techniques. These pointed attacks, labeled spear phishing, leverage impersonation of an employee, a colleague, your bank, or a popular web service to exploit their victims. Spear phishing has steadily been on the rise, and according to the FBI, this means of social engineering has proven to be extremely lucrative for cybercriminals. Even more concerning, spear phishing is incredibly elusive and difficult to prevent with traditional security solutions.

The most recent evolution in social engineering involves multiple premeditated steps. Rather than targeting company executives with a fake wire request out of the blue, cybercriminals hunt their victims. They first infiltrate the target organization through an administrative mail account or a low-level employee, then conduct reconnaissance and wait for the most opportune time to fool the executive by launching an attack from the compromised mail account. Here are the abbreviated steps commonly taken in these spear phishing attacks, followed by the measures that stop these attackers in their tracks.

Step 1: Infiltration

Most phishing attempts are glaringly obvious to people who receive cyber security training (executives, IT teams). These emails contain strange addresses, bold requests, and grammar mistakes that prompt deletion. However, there is a stark increase in personalized attacks that are extremely hard to spot, especially for people who aren’t trained. Many times, the only blemish in such an attack is that the malicious email link can be spotted only by hovering over it with the mouse. Highly trained individuals would catch this flaw, but ordinary employees would not.

This is why cybercriminals go after easier targets first. Mid-level sales, marketing, support and operations staff are the most common. This initial attack is aimed at stealing a username and password. Once the attacker has the mid-level person’s credentials, and if multi-factor authentication hasn’t been enabled (and in many organizations it is not), they can log into the account.

Step 2: Reconnaissance

At this stage, cybercriminals will normally monitor the compromised account and study email traffic to learn about the organization. Oftentimes, attackers will set up forwarding rules on the account so that they do not have to log in frequently. Analysis of the victim’s email traffic allows the attacker to understand more about the target and organization: who makes the decisions, who handles or influences financial transactions, who has access to HR information, and so on. It also opens the door for the attacker to spy on communications with partners, customers, and vendors.

This information is then leveraged for the final step of this spear phishing attack.
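The forwarding rules described in the reconnaissance step leave a trace in mailbox audit logs, and that trace is one of the cheapest signals a defender can monitor. The following is an added example, not code from the article or from Barracuda; the audit event format, field names, domains and IP addresses are constructed assumptions rather than any real mail platform’s schema.

```python
"""Flag mailbox forwarding rules that fit the reconnaissance pattern.

Added example, not from the original article. It reads constructed mailbox
audit events (JSON lines; the field names are assumptions, not a real mail
platform's schema) and reports inbox rules that forward mail to addresses
outside the organization's own domains. Rules that also delete the original
message are rated higher, because the mailbox owner never sees what left.
"""
import json

# Constructed: the organization's own mail domains.
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Constructed audit trail, one JSON object per line. The second event is the
# kind of rule an attacker creates: external target, original deleted, and
# created from an address unlike the user's usual internal client IP.
SAMPLE_EVENTS = """\
{"ts":"2017-11-01T09:12:03Z","user":"sales1@example.com","action":"NewInboxRule","forward_to":["team-lead@corp.example.com"],"delete_original":false,"client_ip":"10.2.4.17"}
{"ts":"2017-11-02T02:41:55Z","user":"sales1@example.com","action":"NewInboxRule","forward_to":["archive.sync@mail-relay.invalid"],"delete_original":true,"client_ip":"203.0.113.45"}
{"ts":"2017-11-02T02:43:10Z","user":"ops2@example.com","action":"UserLoggedIn","client_ip":"10.2.4.30"}
{"ts":"2017-11-03T14:05:00Z","user":"ops2@example.com","action":"NewInboxRule","forward_to":[],"delete_original":false,"client_ip":"10.2.4.30"}
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    """True when the address does not belong to one of ORG_DOMAINS."""
    return domain_of(address) not in ORG_DOMAINS


def analyze(events_text: str) -> list[dict]:
    """Return one finding per inbox rule that forwards outside the organization.

    Severity is 'high' when the rule also deletes the original message,
    otherwise 'medium'. Non-rule events and purely internal rules are ignored.
    """
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") != "NewInboxRule":
            continue
        external = [addr for addr in ev.get("forward_to", []) if is_external(addr)]
        if not external:
            continue
        findings.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "client_ip": ev.get("client_ip"),
            "external_targets": external,
            "severity": "high" if ev.get("delete_original") else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['severity'].upper()} {f['ts']} {f['user']} from {f['client_ip']} "
              f"forwards to {', '.join(f['external_targets'])}")
```

Reviewing every such finding with the mailbox owner, and removing rules they did not create, closes the attacker’s quiet channel before the final step of the attack.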

Step 3: Extract Value

Cybercriminals leverage this learned information to launch a targeted spear phishing attack. They often send customers fake bank account information precisely when those customers are planning to make a payment. They can trick other employees into sending HR information or wiring money, or easily sway them to click on links that collect additional credentials and passwords. Since the email is coming from a legitimate (albeit compromised) account, such as a colleague’s, it appears totally normal. The reconnaissance allows the attacker to precisely mimic the sender’s signature, tone and writing style. So, how do you stop this attacker in his tracks? Thankfully there is a new hope, alongside well-known methods, that organizations can implement to thwart these cybercriminals: a multi-layer strategy.

End of the Line for Spear Phishing

There are three things that organizations should be employing now to combat spear phishing. The two obvious ones are user training and awareness, and multi-factor authentication. The third and newest technology to stop these attacks is real-time analytics and artificial intelligence. Artificial intelligence offers some of the strongest hope of shutting down spear phishing in the market today.

AI Protection

Artificial intelligence to stop spear phishing sounds futuristic and out of reach, but it’s in the market today and attainable for businesses of all sizes, because every business is a potential target. AI has the ability to learn and analyze an organization’s unique communication patterns and flag inconsistencies. By nature, AI becomes stronger, smarter and more effective over time, quarantining attacks in real time while identifying high-risk individuals within an organization. For example, AI would have been able to automatically classify the email in the first stage of the attack as spear phishing, and would even detect anomalous activity in the compromised account, subsequently stopping stages two and three. It also has the ability to stop domain spoofing and unauthorized activity that impersonates the organization to customers, partners and vendors in order to steal their credentials and gain access to their accounts.

Authentication

It is absolutely essential for organizations to implement multi-factor authentication (MFA). In the above attack, if multi-factor authentication had been enabled, the criminal would not have been able to gain entry to the account. There are many effective methods for multi-factor authentication, including SMS codes or mobile phone calls, key fobs, biometric thumbprints, retina scans and even face recognition.

Targeted User Training

Employees should be trained regularly and tested to increase their security awareness of the latest and most common attacks. Staging simulated attacks for training purposes is the most effective activity for prevention and promoting an employee mindset of staying on alert. For employees who handle financial transactions or are higher-risk, it’s worth giving them fraud simulation testing to assess their awareness. Most importantly, training should be companywide and not only focused on executives.  

About the author: Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense.


Category #1 cyberattack: are critical infrastructures exposed?

InfoSec Island - Tue, 11/07/2017 - 7:23am

Critical national infrastructures are the vital systems and assets pertaining to a nation’s security, economy and welfare. They provide light for our homes; the water in our taps; a means of transportation to and from work; and the communication systems to power our modern lives. The loss or incapacity of such necessary assets upon which our daily lives depend would have a truly debilitating impact on a nation’s health and wealth. One might assume then that the security of such assets, whether virtual or physical, would be a key consideration. Or to put that another way, failing to address security vulnerabilities of such important systems would surely be an inconceivable idea.

However, the worrying truth is that the security measures of many of our nation’s critical systems are, by and large, not what they should be. Perhaps this shouldn’t be a surprise. The rapid progression of technology has enabled critical systems to become increasingly connected and intelligent, but with little experience of the problems this connectivity could create, few thought about the systems’ security.

Although this newfound connectivity has helped industries to realise great productivity and efficiency benefits, the attack on Ukraine’s power grid in 2015 opened the eyes of many in charge of such industries. After nationwide power outages struck, it became clear that if security is not prioritised, the worst-case scenario could wreak havoc across our nations. Prevention is a must; a short-term fix will only delay the inevitable.

Critical infrastructures: an imminent attack

Not a case of if. But when.

It has been two years since news of Ukraine’s power grid cyberattack made headlines across the globe. And once again, critical infrastructure security has been propelled into the spotlight following a number of recent reports suggesting that a devastating attack is imminent.

The UK’s National Cyber Security Centre (NCSC) revealed in its first annual review that it received 1,131 incident reports, with 590 of these classed as ‘significant’. This included the WannaCry ransomware that took down the NHS. While none of these were identified as category one incidents, i.e. interfering with democratic systems or crippling critical infrastructures such as power, the head of the NCSC, Ciaran Martin, warned there could be damaging attacks in the not too distant future.

Furthermore, US-CERT recently issued an alert warning critical national infrastructure firms, including nuclear, energy and water providers, that they are now at an increased risk of ‘highly targeted’ attacks by the Dragonfly APT group. This follows a report by security researchers Symantec, who recently found that during a two-year period the group has been increasing its attempts to compromise energy industry infrastructure, most notably in the UK, Turkey and Switzerland.

Although no damage has yet been done, the group has been trying to determine how power supply systems work and what could be compromised and controlled as a result. If we know the group now has the potential ability to sabotage or gain control of these systems should it decide to do so, this should increase the urgency around the preventative measures needed to defend against a future attack. It is therefore hardly surprising that, to combat the rise of such threats, the first piece of EU-wide cybersecurity legislation has been developed to boost the overall level of cybersecurity in the EU. This is called the NIS Directive.

Addressing security from the outset

The potential consequences are disturbing, so infrastructure owners need to consider working in closer collaboration with security experts to ensure the lights remain on. While most in the security industry recognise that there is no silver bullet to ensure total security, we recommend all of those in charge of critical infrastructures ensure they have enough barriers in place to safeguard industrial and critical assets. Proactive regimes that balance defensive and offensive countermeasures, as well as include regular retraining and security techniques such as penetration testing and “red teaming”, are vital to keep defences sharpened.

One of the greatest lessons that should be heeded is that the issue of security must be addressed from the outset of infrastructure development and deployment. It has become abundantly clear that cyberattacks against critical infrastructures are only going to increase in the coming months and years. Those in charge of securing such environments must deploy a new preventative mindset, ensuring strong barriers are in place to avert the hijacking of any critical infrastructures before there is a need to clean up its devastating result.

About the author: Jalal Bouhdada is the Founder and Principal ICS Security Consultant at Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Category #1 Cyberattacks: Are Critical Infrastructures Exposed?

InfoSec Island - Tue, 11/07/2017 - 7:23am

Critical national infrastructures are the vital systems and assets pertaining to a nation’s security, economy and welfare. They provide light for our homes; the water in our taps; a means of transportation to and from work; and the communication systems to power our modern lives. The loss or incapacity of such necessary assets upon which our daily lives depend would have a truly debilitating impact on a nation’s health and wealth. One might assume then that the security of such assets, whether virtual or physical, would be a key consideration. Or to put that another way, failing to address security vulnerabilities of such important systems would surely be an inconceivable idea.

However, the worrying truth is that the security measures protecting many of our nations' critical systems are, by and large, not what they should be. Perhaps this shouldn't be a surprise. The rapid progression of technology has enabled critical systems to become increasingly connected and intelligent, but with little experience of the problems this connectivity could create, few thought about the systems' security.

Although this new-found connectivity has helped industries realise great productivity and efficiency benefits, the attack on Ukraine's power grid in 2015 opened the eyes of many in charge of such industries. After the outages struck, it became clear that if security is not prioritised, the worst-case scenario could wreak havoc across our nations. Prevention is a must; a short-term fix will only delay the inevitable.

Critical infrastructures: an imminent attack

Not a case of if. But when.

It has been two years since news of Ukraine’s power grid cyberattack made headlines across the globe. And once again, critical infrastructure security has been propelled into the spotlight following a number of recent reports suggesting that a devastating attack is imminent.

The UK's National Cyber Security Centre (NCSC) revealed in its first annual review that it had received 1,131 incident reports, 590 of them classed as 'significant'. These included the WannaCry ransomware outbreak that disrupted the NHS. While none were identified as category one incidents, i.e. interference with democratic systems or the crippling of critical infrastructure such as power, the head of the NCSC, Ciaran Martin, warned that there could be damaging attacks in the not too distant future.

Furthermore, US-CERT recently issued an alert warning critical national infrastructure firms, including nuclear, energy and water providers, that they are at increased risk of 'highly targeted' attacks by the Dragonfly APT group. This follows a report by security researchers at Symantec, who found that over a two-year period the group had been stepping up its attempts to compromise energy industry infrastructure, most notably in the UK, Turkey and Switzerland.

Although no damage has yet been done, the group has been trying to determine how power supply systems work and what could be compromised and controlled as a result. Since the group now has the potential ability to sabotage or gain control of these systems should it decide to do so, this should add urgency to the preventative measures needed to defend against a future attack. It is therefore hardly surprising that, to combat the rise of such threats, the first piece of EU-wide cybersecurity legislation, the NIS Directive, has been developed to boost the overall level of cybersecurity in the EU.

Addressing security from the outset

The potential consequences are disturbing, so infrastructure owners need to consider working in closer collaboration with security experts to ensure the lights remain on. While most in the security industry recognise that there is no silver bullet for total security, we recommend that all those in charge of critical infrastructure ensure they have enough barriers in place to safeguard industrial and critical assets. Proactive regimes that balance defensive and offensive countermeasures, and that include regular retraining and techniques such as penetration testing and 'red teaming', are vital to keep defences sharp.

One of the greatest lessons to be heeded is that security must be addressed from the outset of infrastructure development and deployment. It has become abundantly clear that cyberattacks against critical infrastructure will only increase in the coming months and years. Those in charge of securing such environments must adopt a preventative mindset, ensuring strong barriers are in place to avert the hijacking of critical infrastructure before there is a need to clean up its devastating results.

About the author: Jalal Bouhdada is the Founder and Principal ICS Security Consultant at Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

The Evolution from Waterfall to DevOps to DevSecOps and Continuous Security

InfoSec Island - Fri, 11/03/2017 - 12:01pm

Software development started with the Waterfall model, proposed in 1956, in which the process was pre-planned, set in stone, with a phase for every step. Everything was predictably sluggish. Every organization involved in developing web applications was siloed, each team with its own priorities and processes. A common situation: the development team had its own timeline, the quality assurance team was busy testing another app, and operations hadn't been notified in time to build out the infrastructure needed. Not to mention that security felt it wasn't taken seriously. Fixing a bug introduced early in the application lifecycle was painful, because testing came much later in the process. Repeatedly, the end product did not address the business's needs because the requirements had changed, or the need for the product itself was long gone.

The Agile Manifesto

After some 45 years of this inadequacy, the Agile Manifesto emerged in 2001. This revolutionary model advocated adaptive planning, evolutionary development, early delivery and continuous improvement, and encouraged rapid and flexible response to change. Agile adoption grew and sped up the software development process, embracing smaller release cycles and cross-functional teams. Stakeholders could now navigate and course-correct projects earlier in the cycle. Applications began to be released on time, which translated into addressing immediate business needs.

The DevOps Culture

With this increased agile adoption by development and testing teams, operations became the holdup. The remedy was to bring agility to operations and infrastructure, resulting in DevOps. The DevOps culture brought together all participants, resulting in faster builds and deployments. Operations began building automated infrastructure, enabling developers to move significantly faster. DevOps led to the evolution of Continuous Integration/Continuous Delivery (CI/CD), basing the application development process around an automation toolchain. To illustrate the shift: organizations advanced from deploying a production application once a year to deploying production changes hundreds of times a day.

Security as a DevOps Afterthought

Although many processes had been automated with DevOps, some functions had been ignored. A substantial piece that is not automated, but is increasingly critical to an organization's very survival, is security. Security is one of the most challenging parts of application development. Standard testing doesn't always catch vulnerabilities, and many times someone has to wake up at three in the morning to fix that critical SQL injection vulnerability. Security is often perceived as being behind the times, and more commonly blamed for stalling the pace of development. Teams feel that security is a barrier to continuous deployment because its manual testing and configuration halt automated deployments.

As the Puppet State of DevOps report aptly states:

“All too often, we tack on security testing at the end of the delivery process. This typically means we discover significant problems, that are very expensive and painful to fix once development is complete, which could have been avoided altogether if security experts had worked with delivery teams throughout the delivery process.”

Birth of DevSecOps

The next iteration in this evolution was integrating security into the process: DevSecOps. DevSecOps essentially incorporates security into the CI/CD process, removing manual testing and configuration and enabling continuous deployment. As organizations move toward DevSecOps, there are substantial modifications they are encouraged to undergo to be successful. Instilling security into DevOps demands cultural and technical changes. Security teams must be included in the development lifecycle from day one. Security stakeholders should be integrated from planning onward and involved with each step. They need to work closely with development, testing and quality assurance teams to discover security risks and software vulnerabilities and mitigate them. Culturally, security must become accustomed to rapid change and adapt to new methods that enable continuous deployment. The happy medium is application deployments that are both rapid and secure.

Security Automation is the Key

A critical step toward DevSecOps is removing manual testing and configuration. Security should be automated and driven by testing. Security teams should automate their tests and integrate them into the overall CI/CD chain. Depending on the application, it's not uncommon for some tests to remain manual, but the bulk can and should be automated, especially tests that ensure applications satisfy defined baseline security requirements. Security should be a priority from development through pre-production and should be automated, repeatable and consistent. When done correctly, responding to security vulnerabilities becomes much simpler at each step of the way, which inherently reduces the time taken to fix and mitigate flaws.
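As an added example of the "baseline security needs" tests the paragraph describes (not code from the article or from Barracuda), the script below runs two checks that fit in a CI job and need no network: a scan of source text for hard-coded credentials, and a comparison of an HTTP response's headers against a baseline policy. A non-empty findings list fails the build. The regex patterns, policy thresholds and the sample source and header set are assumptions chosen for illustration.

```python
"""Baseline security gate for a CI pipeline (added example, not from the article).

Two checks a pipeline can run on every build without network access:
  1. scan_for_secrets(): flags hard-coded credentials in source text
  2. check_security_headers(): compares a response header set against a
     baseline policy
A non-empty findings list fails the build (gate() returns exit status 1).
Patterns, policy values and sample inputs are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional

# Credential shapes: the AWS access key id format (AKIA + 16 uppercase
# alphanumerics) and PEM private-key headers are well known; the
# "password = '...'" pattern is a heuristic and will need tuning.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)pass(?:word|wd)?\s*=\s*['\"][^'\"]{6,}['\"]"),
}

def scan_for_secrets(source: str, filename: str = "<input>") -> List[str]:
    """Return one finding per (line, pattern) match; an empty list means clean."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(f"{filename}:{lineno}: possible {name}")
    return findings

def _hsts_ok(value: Optional[str]) -> bool:
    """HSTS must be present with max-age of at least 180 days (assumed baseline)."""
    if value is None:
        return False
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= 15552000

# Baseline header policy: header name -> validator over the value (None if absent).
HEADER_POLICY = {
    "Strict-Transport-Security": _hsts_ok,
    "Content-Security-Policy": lambda v: v is not None and "unsafe-inline" not in v,
    "X-Content-Type-Options": lambda v: v is not None and v.lower() == "nosniff",
    # A Server banner that leaks a version number is a finding; absence is fine.
    "Server": lambda v: v is None or not re.search(r"\d+\.\d+", v),
}

def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Evaluate a response header set (names case-insensitive) against HEADER_POLICY."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for header, validator in HEADER_POLICY.items():
        value = lowered.get(header.lower())
        if not validator(value):
            findings.append(f"header policy violated: {header}={value!r}")
    return findings

def gate(findings: List[str]) -> int:
    """Exit status for the CI step: 1 on any finding, 0 when clean."""
    for f in findings:
        print("FAIL", f)
    return 1 if findings else 0

# Constructed sample inputs: the key is AWS's documented example id, not a real
# credential, and the header set is not from a real server.
SAMPLE_SOURCE = (
    "import boto3\n"
    "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"
    "db_password = 'hunter2hunter2'\n"
    "client = boto3.client('s3')\n"
)
SAMPLE_HEADERS = {
    "Server": "nginx/1.14.0",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    all_findings = scan_for_secrets(SAMPLE_SOURCE, "settings.py")
    all_findings += check_security_headers(SAMPLE_HEADERS)
    raise SystemExit(gate(all_findings))
```

Wire the exit status of `gate()` into the pipeline step so that a finding blocks the merge; in practice the header check is fed the headers of a deployed pre-production instance rather than the constructed dict used here, and the secret patterns are extended with the credential formats your own platforms issue.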

Continuous Security Beyond Deployment

Continuous security does not stop once an application is deployed. Continuous monitoring and incident response processes should be incorporated as well. Automated monitoring and the ability to respond quickly to events are fundamental to achieving DevSecOps. Security is more important today than ever before. History shows that a security breach can be catastrophic for customers, end users and the organizations themselves. With more services going online and hosted in the cloud or elsewhere, the threat landscape is growing at an exponential rate. More software written inherently means more security flaws and more attack surface. Incorporating security into the daily workflow of engineering teams and ensuring that vulnerabilities are fixed or mitigated well ahead of production is critical to the success of any product and business today.

About the author: Jonathan Bregman is a Product Marketing Manager with Barracuda Networks focused on web application firewalls and DDoS prevention for customers. Prior to Barracuda, Jonathan was a research and development engineer with Google.


From the Medicine Cabinet to the Data Center – Snooping Is Still Snooping

InfoSec Island - Fri, 11/03/2017 - 9:52am

We’ve all done it in one form or another. You go to a friend’s house for a party and you have to use the restroom. While you are there, you look behind the mirror or open the cabinet in hopes of finding out some detail -- something juicy -- about your friend. What exactly are you looking for? And why? Are you feeding into some insecurity? You don’t really know, you just know you are compelled to look.

Turns out that same human reaction carries forward to your place of employment. 

At One Identity we recently conducted a global survey that revealed a lot of eye-opening facts about people's snooping habits on their company's network. At a high level, the survey revealed that when given the opportunity to look through sensitive company data that employees may not be permitted to access, the instinct is to snoop. Before we get into specific results, here are the demographics:

  • We surveyed over 900 people from around the world.
  • Countries include the U.S., U.K., Germany, France, Australia, Singapore and Hong Kong.
  • Eighty-seven percent have privileged access to something within their place of employment.
  • They all have some level of security responsibility with varied titles ranging from executive to front-line security pros.
  • Twenty-eight percent are from large enterprises (>5,000 employees); 28 percent from mid-sized enterprises (2,000 to 5,000 employees); the remainder from organizations with fewer than 2,000 employees.

Key Finding Number One: 92 percent of respondents stated that employees at their company attempt to access information that they do not need. 

Think about that. Ninety-two percent of us are trying to access information we don't need to get our jobs done. Imagine if any employee at your company could access sensitive data like salaries. That would. Now imagine employees obtained access to financial data, customer data or merger information, and then shared it. The result could be catastrophic to your business.

Key Finding Number Two: 66 percent of the security professionals surveyed have tried to access the information they didn’t need.

Worse yet, these are security people who probably have some form of elevated privilege. This means not only are they attempting to access that information but, in many cases, they are actually obtaining access and ultimately abusing that privilege.

Key Finding Number Three: Executives are more likely to snoop than managers or front-line workers.

Interestingly, IT security executives are more likely to look for sensitive data not relevant to their job than any other job level. This is worrisome since they tend to have greater access rights and permissions; once again, it indicates abuse of power.

The bottom line is that organizations should be alarmed by these findings. A common myth is that data is safe when it's on a company network and in the hands of trusted employees; it's the outsiders and hackers you have to look out for. While the latter is certainly true, the data shows that the majority of employees, even those within IT security groups, are nosy when given the opportunity. Implementing best practices around identity and access management, such as role-based access rights and permissions and identity analytics to spot signs of unusual access behavior, can help organizations keep sensitive data from falling into the wrong hands before it's too late.
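The recommendation above (role-based access rights plus analytics over access behavior) can be made concrete with a small script. The following is an added example, not part of the article or of any One Identity product: it parses a constructed audit-log format, flags ALLOWed accesses that fall outside a user's role profile (a permission the role does not need) and repeated DENY events from one user (attempts to reach data the user is not permitted to see). Role profiles, log format, thresholds and the log lines are all assumptions made for the example.

```python
"""Spotting snooping in access logs (added example, not part of the article).

Two identity-analytics rules over an audit log:
  * out_of_role: an ALLOWed access to a resource outside the user's role
    profile (the permission exists, but the role has no need of it)
  * probing: repeated DENY events for one user, i.e. attempts to reach data
    the user is not permitted to see
Log format, role profiles, thresholds and log lines are constructed.
"""
import re
from collections import Counter

# Role profile: resource path prefixes each role legitimately needs (assumed).
ROLE_PROFILES = {
    "hr-analyst": ("/hr/",),
    "sales-rep": ("/crm/", "/sales/"),
    "sec-admin": ("/iam/", "/audit/"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) result=(?P<result>ALLOW|DENY)$"
)

def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def in_role(role, resource):
    """True if the resource falls under one of the role's allowed prefixes."""
    return any(resource.startswith(p) for p in ROLE_PROFILES.get(role, ()))

def analyse(lines, deny_threshold=3):
    """Return {'out_of_role': [(user, role, resource)], 'probing': {user: denies}}."""
    out_of_role = []
    denies = Counter()
    for ev in parse_log(lines):
        if ev["result"] == "ALLOW" and not in_role(ev["role"], ev["resource"]):
            out_of_role.append((ev["user"], ev["role"], ev["resource"]))
        elif ev["result"] == "DENY":
            denies[ev["user"]] += 1
    probing = {u: n for u, n in denies.items() if n >= deny_threshold}
    return {"out_of_role": out_of_role, "probing": probing}

# Constructed audit log: alice does her job, bob (sales) reads HR data his role
# never needs, and carol keeps hitting resources she is denied.
SAMPLE_LOG = """\
2017-11-01T09:12:03Z user=alice role=hr-analyst action=READ resource=/hr/salaries/2017.xlsx result=ALLOW
2017-11-01T09:14:11Z user=bob role=sales-rep action=READ resource=/crm/accounts/acme result=ALLOW
2017-11-01T09:15:40Z user=bob role=sales-rep action=READ resource=/hr/salaries/2017.xlsx result=ALLOW
2017-11-01T09:16:02Z user=carol role=sec-admin action=READ resource=/finance/merger-plan.docx result=DENY
2017-11-01T09:16:09Z user=carol role=sec-admin action=READ resource=/finance/q3-forecast.xlsx result=DENY
2017-11-01T09:16:15Z user=carol role=sec-admin action=READ resource=/hr/salaries/2017.xlsx result=DENY
2017-11-01T09:17:00Z user=carol role=sec-admin action=READ resource=/iam/groups result=ALLOW
this line is garbage and is ignored
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for user, role, resource in report["out_of_role"]:
        print(f"OUT-OF-ROLE {user} ({role}) read {resource}")
    for user, n in report["probing"].items():
        print(f"PROBING {user}: {n} denied accesses")
```

In production the role profiles come from the IAM system rather than a dict, and the DENY threshold is tuned per role against a baseline of normal activity so that a mistyped path is not reported as probing. An out-of-role ALLOW is the more actionable finding: it is evidence that a permission exists which the role does not need, and removing it is the least-privilege fix.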

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.


Healthcare Orgs in the Crosshairs: Ransomware Takes Aim

InfoSec Island - Fri, 11/03/2017 - 5:57am

Criminals are using ransomware to extort big money from organizations of all sizes in all industries, but healthcare organizations are especially attractive targets. They are entrusted with the most personal, intimate information people have: not just financial data, but private health and treatment histories. Attackers perceive healthcare IT security as the least effective and most outdated compared with other industries. They also know that healthcare organizations tend to have significant cash on hand and a high cost of downtime, and are therefore more likely to pay the ransom for encrypted data. If you fail to take the necessary steps to combat ransomware and other advanced malware and that trust is betrayed, the cost to your business could extend far beyond paying a ransom or a noncompliance fine. If your reputation for safeguarding patient data is damaged, you will be scrutinized under the microscope; in some cases, companies never recover and leadership is forced to resign.

Healthcare is making strides but isn’t there yet

There is good news. Healthcare organizations have made significant security improvements over the last year. According to the HIMSS 2017 Cybersecurity Survey, IT security is now treated by leadership as an urgent business challenge rather than solely an IT problem. There is a marked increase in the employment of CIOs and Chief Information Security Officers (CISOs) among healthcare organizations, and security shortcomings are being addressed.

Nonetheless, there is still room for improvement, and ransomware attacks continue to be a serious and growing challenge. Those who continue to commit vital resources to implementing effective security measures will emerge as winners, and you will never hear of them in the media. Effectively combating ransomware requires a well-thought-out combination of technical and cultural measures.

Detection: discovering the weaknesses

Keeping your network free of ransomware and other advanced malware requires a combination of effective perimeter filtering, strategically designed network architecture, and the capability to detect and eliminate resident malware that may already be inside your network. It's an exercise in cleaning house, as your infrastructure likely contains a number of latent threats: email inboxes are full of malicious attachments and links just waiting to be clicked. Similarly, all applications, whether locally hosted or cloud-based, must be regularly scanned and patched for vulnerabilities. There should be a regular vulnerability management schedule for scanning and patching all network assets; this is checking the box on the basics, but it is extremely critical for thwarting threats. Building a solid foundation such as this is a fantastic start for effective ransomware detection and prevention.

Prevention: A non-negotiable requirement

There are some very effective security technologies that are a requirement in today's threat landscape to prevent ransomware and other attacks. Preventing threats from entering the network requires a modern firewall or email gateway to filter out the majority of them. An effective solution should scan incoming traffic using signature matching, advanced heuristics, behavioral analysis and sandboxing, and correlate its findings with real-time global threat intelligence. This ultimately removes the need for employees to be perfectly trained to spot sophisticated threats. It's also recommended to control and segment network access to minimize the spread of threats that do get in: ensure that patients and visitors can only spread malware within their own limited domain, while also segmenting, for example, administration, caregivers and technical staff, each with limited, specific access to online resources.

Even against the most sophisticated methods like spear phishing, where attackers impersonate a coworker, there are now machine learning and artificial intelligence solutions that can spot and quarantine these threats before they ever reach an employee. The risk for healthcare organizations is immensely reduced when solutions such as these are deployed as part of an overall security posture. However, when data is encrypted and held for ransom, the fight isn't over yet.

Backup—Your Last, Best Defense Against Ransomware

When a ransomware attack succeeds, your critical files (HR, payroll, electronic health records, patient financial and insurance information, strategic planning documents, email records and so on) are encrypted, and the only way to obtain the decryption key, if the attackers supply one at all, is to pay a ransom. But if you've been diligent about using an effective backup system, you can simply refuse to pay and restore your files from your most recent backup; your attackers will have to find someone else to rob.

Automated, cloud-based backup services can provide the greatest security. Reputable vendors offer a variety of very simple and secure backup options, priced for organizations of any size and requiring minimal staff time. Advanced solutions can even allow you to spin up a virtual copy of your servers in the cloud, restoring access to your critical files and applications within minutes of an attack or other disaster.
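A backup is only a defense if the copy you restore from is intact. The following script, added here as an example and not part of the article or of any vendor's product, records a SHA-256 manifest at backup time and verifies a restored tree against it, so a copy that ransomware has overwritten in place (or one that is simply incomplete) is caught before you depend on it. The directory layout, file contents and the "tampering" step are constructed for the example; the tampering is a plain overwrite standing in for ransomware, not ransomware behaviour.

```python
"""Verifying a backup before relying on it (added example, not from the article).

build_manifest() records a SHA-256 per file when the backup is taken;
verify_restore() compares a restored tree against that manifest and reports
files that are missing, changed, or newly appeared (a ransom note, say).
demo() builds a constructed tree, copies it, tampers with the copy and
verifies both the clean and the tampered copies.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }

def restore_is_trustworthy(report):
    """A restore passes only when every category of discrepancy is empty."""
    return not (report["missing"] or report["changed"] or report["unexpected"])

def demo():
    """Take a backup, simulate tampering with the copy, and verify both states."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "ehr").mkdir(parents=True)
        (live / "ehr" / "patient-001.json").write_text('{"name": "constructed"}')
        (live / "payroll.csv").write_text("id,amount\n1,100\n")

        manifest = build_manifest(live)            # taken at backup time
        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)
        clean = verify_restore(manifest, backup)   # untouched copy passes

        # Stand-in for ransomware: overwrite one file with junk, drop a note.
        (backup / "payroll.csv").write_bytes(os.urandom(64))
        (backup / "READ_ME.txt").write_text("pay up")
        tampered = verify_restore(manifest, backup)
        return clean, tampered

if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched copy ok:", restore_is_trustworthy(clean))
    print("tampered copy:", tampered)
```

Verification detects damage; it does not prevent it. Keep the manifest, and at least one backup copy, where the credentials a compromised host holds cannot reach them (offline media, or storage with write-once retention), and rehearse the restore on a schedule rather than assuming it works.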

When all of these things are working simultaneously, healthcare organizations are well equipped to stop ransomware attacks effectively. Ransomware and other threats are not going away anytime soon and healthcare will continue to be a target for attackers. The hope is that healthcare professionals continue to keep IT security top of mind. 

About the author: Sanjay is a 20-year veteran in technology with a passion for cutting-edge technology and a desire to innovate at the intersection of technology trends. He currently leads product management, marketing and strategy for Barracuda's security business worldwide.


Thinking Outside the Suite: Adding Anti-Evasive Strategies to Endpoint Security

InfoSec Island - Fri, 11/03/2017 - 2:52am

Despite ever-increasing investments in information security, endpoints are still the most vulnerable part of an organization's technology infrastructure. In a 2016 report with Rapid7, IDC estimated that 70% of attacks start from the endpoint. Sophisticated ransomware exploded into a global epidemic this year, and other forms of malware, including mobile malware and malvertising, are also on the rise.

The only logical conclusion is that existing approaches to endpoint security are not working. As a result, security teams face mounting, multifaceted challenges: ineffective anti-malware solutions, large numbers of security incidents requiring costly and intensive response, and added pressure from the board to undergo risky and expensive "rip and replace" endpoint security projects.

Current endpoint security solutions employ varying approaches. Some restrict the actions that legitimate applications can take on a system, others aim to prevent malicious software from running, and some monitor activity for incident investigations. The challenge for most IT department heads is finding the right balance of solutions that will work for their particular business.

Endpoint Protection Platforms (EPP), usually offered by established endpoint security vendors, promote the benefits of packaging endpoint control, anti-malware, and detection and response in one agent managed from one console. While EPP suites can be useful and practical, it's important to understand their limitations. For starters, a "suite" does not always mean the products are integrated; you may end up with one vendor but multiple agents and management consoles. Second, no single vendor offers the best-in-breed or best-for-your-business option for every component. If you adopt the EPP approach, be aware that you will be making trade-offs of some sort. Finally, it is likely that even after the painful process of deploying a full endpoint protection suite, it will still fail to prevent many attacks.

All these solutions, whether installed separately or as a suite, produce alerts. Many work by finding attacks that have already “landed” to some degree. This means your team will be busy (if not overwhelmed) sorting through the alerts for priority threats, investigating incidents, and remediating any intrusions. This can lead to inefficiencies and escalating staffing requirements, which will quickly wipe out any cost savings you hoped would come from installing bundled solutions.

In the end, it is imperative to understand the strengths and weaknesses within each suite and evaluate whether a best-of-breed or “suite-plus” approach offers better protection for your investment — this is often the case. EPP implementation can help companies consolidate vendors in order to reduce administrative overhead and licensing costs. It may also help minimize complexity and reduce the impact on operations, end-users, and business agility. But none of this matters much if the shortcomings of the platform end up introducing unacceptable levels of risk, draining staff resources, or constraining productivity and agility.

For example, it's important to recognize that accepting the low detection rates of a conventional antivirus solution also means accepting a high likelihood of a breach. That's because there is one critical factor most platforms don't adequately address: unknown malware designed specifically to evade existing defenses. Endpoint defense strategies have emerged that block evasive malware regardless of whether there is a known signature, behavior pattern or machine learning model. This is achieved through the creative use of deceptive tricks that control how the malware perceives its environment.

Endpoint defense solutions that can neutralize evasive malware use three primary strategies: creating a hostile environment, preventing injection through deception, and restricting document executable capabilities. All three strategies contain and disarm the malware before it ever unpacks or puts down roots. 

To create a hostile environment, the malicious program is tricked into believing the environment is not safe for execution, so it suspends or terminates itself. To prevent malicious software from hiding in legitimate processes, the malware is deceived into registering that the memory space it wants is unavailable, so it never establishes a foothold on the device. To block malicious actions initiated by document files (via macros, PowerShell and other scripts), the malware is tricked into registering that system resources such as shell commands are not accessible. Note that all three rely on the malware's own checks: a sample that does not look before it runs is unaffected by the deception and must still be caught by other layers.
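To make the first strategy concrete, here is an added simulation (not code from the article or from Minerva Labs) of the pre-flight checks an evasive sample runs before detonating, and of the corresponding decoys a defender plants so that those checks fail on an ordinary workstation. The host view, the artifact names and the family mutex are constructed; real samples vary in which artifacts they look for, so the set below is an assumption, not a list any specific family uses.

```python
"""Turning malware's own sandbox checks against it (added example, not from the
article or from any vendor's product).

Evasive malware commonly refuses to run when it sees analysis artifacts:
virtualisation drivers, analysis tools, sandbox-style usernames, or a mutex it
already created (to avoid infecting a host twice). The deception is to plant
exactly those artifacts on real endpoints. EnvironmentView is a constructed
snapshot of a host, is_hostile() is the kind of check an evasive sample runs,
and plant_decoys() is the defensive side. Artifact names are assumptions.
"""
from dataclasses import dataclass, field

@dataclass
class EnvironmentView:
    """What a process can observe about its host (constructed, not a live probe)."""
    files: set = field(default_factory=set)         # paths it can stat
    registry_keys: set = field(default_factory=set)
    processes: set = field(default_factory=set)     # running image names
    mutexes: set = field(default_factory=set)       # named mutexes that exist
    username: str = "user"

# Artifacts an evasive sample treats as "I am being analysed, do not run".
VM_FILES = {r"C:\Windows\System32\drivers\VBoxMouse.sys",
            r"C:\Windows\System32\drivers\vmmouse.sys"}
VM_REG_KEYS = {r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
               r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"}
ANALYSIS_PROCS = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe",
                  "wireshark.exe", "x64dbg.exe"}
SANDBOX_USERS = {"sandbox", "malware", "virus", "john doe"}

def is_hostile(env: EnvironmentView, family_mutex: str) -> bool:
    """Mimics an evasive sample's pre-flight check: True means it will not detonate."""
    return bool(
        VM_FILES & env.files
        or VM_REG_KEYS & env.registry_keys
        or ANALYSIS_PROCS & {p.lower() for p in env.processes}
        or env.username.lower() in SANDBOX_USERS
        or family_mutex in env.mutexes       # "already infected" marker
    )

def simulated_payload(env: EnvironmentView, family_mutex: str) -> str:
    """Stand-in for the malicious branch; only reached when the check passes."""
    if is_hostile(env, family_mutex):
        return "aborted"
    env.mutexes.add(family_mutex)
    return "detonated"

def plant_decoys(env: EnvironmentView, known_mutexes=()) -> EnvironmentView:
    """The deception: make a real workstation look like an analysis box.

    Only cheap, inert artifacts are added (a driver file name, a registry key,
    named mutexes); no tools are installed. The infection-marker mutexes come
    from threat intelligence on the families of interest (assumed here).
    """
    env.files.add(r"C:\Windows\System32\drivers\VBoxMouse.sys")
    env.registry_keys.add(r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools")
    env.mutexes.update(known_mutexes)
    return env

def run_scenario():
    """Same sample against an ordinary workstation before and after deception."""
    mutex = "Global\\ConstructedFamilyMutex"
    plain = EnvironmentView(processes={"explorer.exe", "outlook.exe"}, username="jsmith")
    before = simulated_payload(plain, mutex)
    defended = plant_decoys(EnvironmentView(processes={"explorer.exe"}, username="jsmith"))
    after = simulated_payload(defended, mutex)
    return before, after

if __name__ == "__main__":
    print(run_scenario())
```

Two practical caveats before relying on this layer: a sample that performs no environment checks is unaffected by decoys, so deception sits on top of detection rather than replacing it; and some legitimate software keys on the same artifacts (licensing or installer checks that refuse to run inside a VM), so decoys should be tested against the enterprise software estate before broad rollout.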

These strategies reduce risk without added overhead (nothing malicious is installed, so there is nothing to investigate) and without replacing existing solutions. Anti-evasion solutions work alongside installed AV to provide an added layer of protection against sophisticated malware and ransomware. The threat intelligence they produce (identifying previously unknown malware) enhances your overall security program. In addition, because incident responders have fewer alerts and incidents to sort through, they can focus their expertise on high-priority threats and on investigating attacks where the intruder has already gained access to the network.

Working smarter is key to managing the growing and ever-shifting challenges and responsibilities faced by security teams. Reducing workload and manual processes while reducing risk is a tough balancing act. Ongoing cyber security talent shortages combined with multiplying threat vectors make effective automated defenses a critical priority. Getting the most value out of your security budget and skilled experts requires neutralizing threats upfront, preventing as many attacks as possible, and developing automated threat management processes. It’s essential to cover gaps and shortcomings, augmenting existing endpoint security by layering on innovative, focused solutions. Given the recent surge of virulent, global malware and ransomware, anti-evasion defenses are a smart place to start.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva Labs, an endpoint security and anti-evasion technology solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.
