InfoSec Island

EDR for Everyone Is about Fighting Alert Fatigue

InfoSec Island - Wed, 02/21/2018 - 5:16am

Endpoint detection and response solutions (EDR) are predicted to become a key security technology by 2020, with 80 percent of large organizations, 25 percent of midsize organizations, and 10 percent of small organizations investing in them. Demand for incident response tools that offer early visibility into advanced threats will fuel the EDR market growth, with expectations of a CAGR of 45.27 percent from 2015 through 2020.

The EDR market is already booming, having grown from $238 million in 2015 revenue to about $500 million in 2016. By 2020, it’s going to be a billion-dollar market and could even match the $3.2 billion (2015) endpoint protection platform (EPP) market.

Despite the rapid growth in the EDR market, these detection and response tools are still out of the reach of mid-size and small organizations. Because EDR requires dedicated security operations center (SOC) teams to manually investigate alerts, the cost barrier is one that only large organizations can currently overcome. Or is it?

Fighting Alert Fatigue

EDR solutions have emerged from the premise that it’s impossible to prevent all threats, meaning their purpose is to minimize dwell time of an infection while also reducing the amount of damage it can cause. However, managing the number of security alerts for potential threats can be overwhelming for any under-resourced IT team. Because of that, investigation decisions may end up being either ill-informed or based on summary judgements. This broad strokes approach can lead to full network compromise, especially if traditional EDR is not properly managed or used to its full potential.

Since EDR agents often come installed on top of existing EPP agents and other security technologies, such as SIEM, IDS and IPS, security teams are often bombarded with up to tens of thousands of alerts coming from multiple security consoles, making prioritization nearly impossible. Instead of increasing visibility and raising the overall security posture of the organization, this fragmentation and segregation of security consoles only makes security more cumbersome.

EDR should be about having a single agent and a single management console, and only focusing on really important security events, instead of spreading human resources thin. After all, EDR should enable your security “SWAT team” to focus on truly important tasks, and not just chase ghosts and put out fires.

EDR for Everyone

Advanced threat hunting capabilities enabled by EDR agents require alert prioritization and manual investigation by dedicated teams, something that drives costs up beyond the initial purchasing and deployment price. The key to having an EDR solution for everyone lies in detecting advanced attacks using built-in intelligence in the endpoint agent. This lets admins focus solely on specific elusive and advanced threats that have crossed the other layers of prevention, and prevents them from wasting time on false positives. This enhanced security operation enables automated triage of truly important security events, and doesn’t require a full-time dedicated team of security specialists to investigate each and every event or anomaly.

Incident visualization and investigation are also greatly simplified, as detected elusive threats are presented in a comprehensive fashion, with all contextually relevant information, so that the admins can assess the impact of the threat in seconds. This directly translates into swift incident response tactics that enable admins to use surgical precision to remediate the elusive threat by deleting or quarantining it, containing spread.

This type of evolved prevention, which even comes with the ability to fine-tune the protection level of controls from incident response workflows, helps reduce incident response costs by focusing on truly significant alerts. Unlike traditional EDR, which is usually noisy and overburdens already under-resourced IT teams, a smart EDR solution designed to bring the same early detection capabilities but with pinpoint accuracy is within the reach of any organization, regardless of size, vertical, or IT team size.

It’s the Last 1 Percent of Attacks You Should Worry About

Layered security solutions are doing a great job at detecting, preventing and mitigating close to 99 percent of all threats. However, the last 1 percent – or less – are usually the type of sophisticated attack that flies under the radar. The final frontier in cybersecurity involves having the capability of accurately identifying these elusive threats.

The value of EDR for everyone should lie in its ability to fully integrate with your EPP solution, while enabling IT admins to have a holistic view of the security status of the entire infrastructure. This last 1 percent of attacks is not only elusive, but the attacks can also hide behind background noise generated by trivial security incidents, which is why IT admins need the ability to focus on real dangers and problems by preventing, investigating, detecting, and responding to advanced threats effectively and promptly.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Researchers Detail Linux-Based “Chaos” Backdoor

InfoSec Island - Tue, 02/20/2018 - 10:47am

A Linux-targeting backdoor observed in live attacks in June last year was recently found to have been part of an older rootkit, GoSecure researchers reveal.

In a recent report detailing the threat, the security researchers explain that the backdoor was designed to spawn a fully encrypted and integrity checked reverse shell. Dubbed Chaos, the backdoor appears to have originally been part of the ‘sebd’ rootkit that emerged in 2013.

In the observed attack, the malware’s operator penetrated the targeted system by brute-forcing SSH credentials. The assault was launched from two IP addresses known to be Tor exit nodes, the security researchers explain.

The attacker then disabled the logging history, checked the SSHD binary, and searched the system for certain files that would indicate that other malware has already infected the machine. These files are normally used by patched SSHDs to log stolen SSH credentials.

To finalize the infection, the attacker would then download and install the payload. A .tar archive containing two ELF executables (Chaos and Client) and two shell scripts (initrunlevels and install) and masquerading as a .jpg file would be fetched from a remote server.

While the Chaos executable in the archive is the backdoor itself, the Client executable is responsible for connecting to the installed backdoor. The install script would copy initrunlevels to /etc/init.d, thus ensuring it is executed at each system start.

The initrunlevels script was designed to open port 8338, check whether certain files exist and, if they are missing, copy them back to the paths it checked. The script also copies the Client to /usr/include/cli.h and Chaos to /usr/include/stabd.h and /usr/sbin/smdb, creating backups of both binaries.

As part of the attack, additional files were dropped and executed on the monitored system to make it part of an IRC botnet, the security researchers say.

Chaos first opens a raw TCP socket and watches incoming packets on any port for a specific trigger string. When the string is identified, the malware connects back to the client listening on TCP port 8338. Next, the two exchange key material to derive two AES keys (one for sending and one for receiving data) and verify that the key negotiation was successful.

Because it uses a raw socket rather than a listening port of its own, Chaos can be triggered through a port that already serves a legitimate service, so a firewall that only permits that service’s port does not stop the trigger, the researchers point out.

The communication packets transmitted by the backdoor are not only encrypted but also checked for integrity using an HMAC.

The backdoor was previously part of the ‘sebd’ rootkit that first appeared in 2013. It became public after the rootkit’s source code was allegedly captured by a honeypot, whereupon the operator released the source on a forum to make it available to script kiddies.

The backdoor has a low infection rate, with most of its victims apparently located in the United States (the researchers assessed the spread by performing an Internet-wide scan using the handshake extracted from the Client binary).

“The Chaos backdoor is pretty interesting as it uses a stealthy raw socket to spawn a reverse-shell with full network encryption and integrity checks. However, the backdoor’s encryption can easily be broken if the pre-shared key is known, as it is transmitted in clear text,” GoSecure notes.

The researchers also point out that opening port 8338 for incoming packets suggests the attackers intend to run the Client binary on the infected machine as well. According to them, compromised systems would then serve as proxies for further criminal actions, potentially crossing network boundaries in the process.
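A host-based sweep for the indicators the article lists, written here as an added example and not taken from the GoSecure report: it checks for the file paths that the install and initrunlevels scripts create, for a listener on TCP 8338 in `ss -ltn` output, and for a raw socket bound to IP protocol 6 (TCP) in /proc/net/raw, which is how the backdoor’s raw TCP socket shows up on the host. The `ss` and /proc/net/raw samples are constructed, and the interpretation of the /proc/net/raw port column as the IP protocol number is an assumption about the kernel’s table format, not something the article states.

```python
"""Sweep a live host (or a mounted image) for the Chaos backdoor indicators."""
import os
import re
import tempfile

# Paths the install / initrunlevels scripts are reported to create.
CHAOS_FILE_IOCS = (
    "usr/include/cli.h",         # backup copy of the Client binary
    "usr/include/stabd.h",       # backup copy of the Chaos backdoor
    "usr/sbin/smdb",             # second copy of the Chaos backdoor
    "etc/init.d/initrunlevels",  # persistence script
)
CHAOS_PORT = 8338
IPPROTO_TCP = 6


def find_dropped_files(root="/"):
    """Return the IOC paths that exist under root ('/' for a live host, or a mounted image)."""
    return ["/" + rel for rel in CHAOS_FILE_IOCS if os.path.lexists(os.path.join(root, rel))]


def listeners_on_port(ss_output, port=CHAOS_PORT):
    """Parse `ss -ltn` output and return the local addresses listening on `port`."""
    pat = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)
    return [m.group(1) for m in pat.finditer(ss_output) if int(m.group(2)) == port]


def raw_tcp_sockets(proc_net_raw):
    """Parse /proc/net/raw and return inode numbers of raw sockets bound to IPPROTO_TCP.

    Assumption: for raw sockets the hex 'port' half of local_address holds the IP
    protocol number, so 00000000:0006 is a raw socket seeing every TCP packet."""
    inodes = []
    for line in proc_net_raw.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        proto = int(cols[1].split(":")[1], 16)
        if proto == IPPROTO_TCP:
            inodes.append(int(cols[9]))  # inode column
    return inodes


# Constructed samples (not real captures).
SAMPLE_SS = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     *:8338              *:*
"""

SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 67890 2 0000000000000000 0
"""


def demo_tree():
    """Build a throwaway directory tree containing one IOC, to exercise find_dropped_files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/sbin"))
    open(os.path.join(root, "usr/sbin/smdb"), "w").close()
    return root


if __name__ == "__main__":
    print("dropped files:", find_dropped_files(demo_tree()))
    print("listeners on 8338:", listeners_on_port(SAMPLE_SS))
    print("raw TCP socket inodes:", raw_tcp_sockets(SAMPLE_RAW))
```

On a live host, feed the real outputs in (`subprocess.run(["ss", "-ltn"], ...)` and `open("/proc/net/raw").read()`) and map any inode hit back to a process via /proc/*/fd. A raw TCP socket is not proof of Chaos on its own, since packet-capture tools open them too, but together with the dropped paths or the 8338 listener it is a strong signal.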

Related: Iranian Hackers Target IIS Web Servers With New Backdoor

Related: macOS Backdoor Uses Innovative Disguise Technique


Large Crypto-Mining Operation Targeting Jenkins CI Servers

InfoSec Island - Tue, 02/20/2018 - 10:45am

A large malicious crypto-mining operation has recently started targeting the powerful Jenkins CI server, Check Point security researchers have discovered.

Dubbed JenkinsMiner, the attack attempts to exploit CVE-2017-1000353, a Java deserialization vulnerability in the Jenkins CLI, and to install a mining application designed to mine the Monero crypto-currency.

The actor behind this campaign is allegedly of Chinese origin and was previously observed targeting many Windows versions to maliciously install the XMRig miner on them. This has allowed it to already secure over $3 million worth of Monero.

However, it appears that the actor has decided to expand its operation to the Jenkins CI server, which allows it to generate even more coins. Because of that, the attack has the potential to become the largest malicious crypto-mining campaign ever, Check Point says.

Like the recently detailed RubyMiner attack, JenkinsMiner can prove highly lucrative for its operator, but it also harms the compromised servers. Once a resource is infected with a crypto-miner, sluggish performance and even denial of service (DoS) are to be expected.

The attack is targeting a critical vulnerability in Jenkins, the most popular open source automation server, with over 133,000 installations globally. The flaw exists because the serialized object received by the server is not validated, so any serialized object is accepted and deserialized.

The bug was addressed in early 2017 with the release of Jenkins 2.57 and 2.46.2 (LTS), but any unpatched system remains vulnerable to the attack.

As part of the newly discovered attack, two consecutive requests are sent to the CLI interface. The second request, matched to the first by the session header, contains two main objects: a Capability object informing the server of the client’s capabilities, and a Command object carrying the Monero miner payload.

The injected code includes a hidden PowerShell launch so the script runs in the background, a variable name written in mixed case in an attempt to evade security products, a command to download the miner from the attacker’s server, and a start command to execute the miner.
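Two checks a defender would want after reading the above, written here as an added example rather than code from Check Point or the Jenkins project: a version test against the fixed releases named in the article, and a pass over HTTP request metadata that flags sessions issuing both halves of a CLI-over-HTTP exchange against /cli. The article only says the two requests are matched by the session header; the `Side: download` / `Side: upload` header names come from the Jenkins CLI protocol and the sample requests are constructed.

```python
"""Version check for CVE-2017-1000353 and pairing of Jenkins CLI-over-HTTP requests."""
import re

# Releases that shipped the fix (from the article): weekly 2.57, LTS 2.46.2.
FIXED_WEEKLY = (2, 57)
FIXED_LTS = (2, 46, 2)

CLI_PATH = "/cli"


def parse_version(version):
    """'2.46.1' -> (2, 46, 1). LTS releases carry three components, weekly releases two."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def is_vulnerable(version):
    """True if this Jenkins version predates the fix on its own release line."""
    v = parse_version(version)
    fixed = FIXED_LTS if len(v) == 3 else FIXED_WEEKLY
    return v < fixed


def paired_cli_sessions(requests):
    """Return session ids that sent both the download and the upload half to /cli.

    Each request is a dict with 'path' and 'headers'; header names are matched
    case-insensitively. A legitimate CLI client produces the same pair, so treat
    a hit as 'someone drove the remoting CLI', not as proof of exploitation."""
    seen = {}
    for req in requests:
        if req.get("path", "").split("?")[0] != CLI_PATH:
            continue
        hdrs = {k.lower(): v for k, v in req.get("headers", {}).items()}
        session = hdrs.get("session")
        side = hdrs.get("side", "").lower()
        if session and side in ("download", "upload"):
            seen.setdefault(session, set()).add(side)
    return sorted(s for s, sides in seen.items() if sides == {"download", "upload"})


# Constructed sample traffic (not real captured data).
SAMPLE_REQUESTS = [
    {"path": "/cli", "headers": {"Session": "a1b2", "Side": "download"}},
    {"path": "/cli", "headers": {"Session": "a1b2", "Side": "upload"}},
    {"path": "/cli", "headers": {"Session": "zz99", "Side": "download"}},  # one half only
    {"path": "/job/build/1/console", "headers": {}},
]

if __name__ == "__main__":
    for v in ("2.46.1", "2.46.2", "2.56", "2.57", "1.651.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("paired CLI sessions:", paired_cli_sessions(SAMPLE_REQUESTS))
```

Pair the output with the running Jenkins version (the `X-Jenkins` response header carries it) and with outbound connections from the Jenkins host to unfamiliar mining pools; an unpatched server that shows paired /cli sessions from an unknown source address is the case to investigate first.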

Over the past months, the campaign was observed targeting victims all around the world with a mixture of malware that also included a Remote Access Trojan (RAT) in addition to the XMRig miner.

“The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed,” Check Point reports.

Because the campaign’s operator appears to use a single wallet for all deposits and does not change it from one attack to the next, the security researchers were able to determine that the operator has mined $3 million to date. Beyond that, the attack is “well operated and maintained, and many mining-pools are used to collect the profits out of the infected machines,” the researchers note.

Related: Crypto-Mining Attack Targets Web Servers Globally

Related: Monero Miner Infects Hundreds of Windows Servers


Three Ways to Take Home the Gold When It Comes to Cybersecurity at the Olympics

InfoSec Island - Fri, 02/16/2018 - 10:50am

The Winter Olympics have officially kicked off in Pyeongchang, South Korea – where the best athletes from around the world showcase their talents and vie for Gold as they represent their countries on the world stage. Although sometimes overlooked, the Olympic Games – and other high-profile events – become ground zero for another global talent race: cybercrime.

The Olympics are a massive undertaking – requiring additional help to be recruited to make sure the host-city is able to accommodate all of the athletes and attendees, under a tight timeline (i.e. building and maintaining the Olympic Village, stadiums, public transportation and lodging). Additional help is also required of the organizations who are broadcasting, sponsoring and advertising the Games. These professionals are not necessarily security experts, which attackers are both aware of and ready to take advantage of.

With the threat landscape and complexity of attacks continually increasing, here are the top three ways to go for the gold when it comes to getting you, your organization and your customers cyber-secure for the Olympic Games:

1) Put a Training Timeline in Place

Just as the cyclical nature of the Olympic Games presents a timeline for malicious actors to design their attacks around, it provides host-city organizations, attending organizations, and participating organizations a two-year timeline to develop threat intelligence. Organizations should be utilizing this timeline to their advantage: it gives them the (rare) opportunity to prepare for attack.

It’s best to put a timeline in place to plan ahead and actually train for the likely attack scenarios, as well as preparing a response strategy for when the unexpected happens. This two-year timeline leaves no excuse for putting cyber defenders in a position where they experience their first cyberattack scenario when it happens in real life – requiring them to combat aggressive attackers under pressure (and manage it effectively). Instead, take advantage of the time between events to provide cyber defenders with realistic training scenarios, so they are properly prepared. Tokyo is following this best practice and is already providing hands-on simulated training for cybersecurity professionals and citizens in preparation for the 2020 Tokyo Olympic and Paralympic Games.

2) Evaluate and Identify Your Attack Surface

It’s important to realize that cybercrime is not getting smaller, as the attack surface continues to morph and grow. Therefore, it is critical to determine your own attack surface (which directly relates to your engagement level) – and then ensure that this surface is protected.

The first important step towards assessing your attack surface is identifying the likely targets for the events in question. This will most likely depend on where your engagement with the event exists. Are you a sponsor, are you engaging in business at the event with potential customers at risk, or did you send employees? Individuals often overlook that major events are a major risk – even if the individual isn’t officially participating themselves. Why? The organization could still have high-value internal resources or employees that will be engaged or participate in the event. For example, will one of your C-level executives be at the Olympics in South Korea? What preparation have you done to insulate that asset from potential threats at the event – whether they be physical or cyber? It’s time to think ahead and be on the offensive side of the equation.

3) Implement Training at the Individual Level Based on Attack Surface

Depending on the size of your attack surface, here are recommended, proactive approaches to ensure protection during future Olympic Games:

Hold a security training class for all employees planning to attend the Olympic Games

Educate attendees about the vulnerabilities associated with the Olympic Village and Stadiums. It will be important to explain that malicious actors are rethinking their approach to cyberattacks and how they execute on them. Thinking about the current trends in cybersecurity – here are two areas to focus on with attendees: 1) identify where IT links to OT or IoT within Olympic sites, and 2) beware of phishing scams and entering through the least protected link.

Secure your CEO

40 percent of organizations believe that C-level executives are the greatest risk to their organization being hacked. Furthermore, C-level executives are the most at-risk of cyberattacks when working outside the office – with airports, hotels and airplanes among the riskiest venues. If your CEO or members of your C-Suite are attending the event, hold a training seminar before they depart for the event to educate them about the threats associated with attending the Games – from “Checking-in” to the host city on social media to connecting to unsecured Wi-Fi during their travel and stay. In addition, pull together a one-pager with security tips and official sites for them to reference while they are abroad.

Educate all employees/customers of the vulnerabilities associated with digitally engaging with the Olympic Games

Make sure your employees and customers are aware of all of the phishing and malware campaigns associated with digitally engaging with the Games. With the Games happening overseas, it is imperative that they know the signs and can differentiate what is safe and what is not. This can be applied to planning to joining social media conversations around the events, purchasing merchandise, or even streaming content from their devices.

The Takeaway

Start planning now for the events on the horizon; hopefully you thought ahead for Pyeongchang – but remember Tokyo 2020 isn’t that far away. Plan, train, evolve from tabletop exercises to cyber simulators, educate your employees on the threats and have a plan for response. At the end of the day, athletes don’t win because they just show up – they win because of the rigorous training, planning, and relentless execution that comes from true focus on the objective. For this month’s Games and all that come after, we need to become World Class Cyber Athletes.

About the author: Ben Carr, is the VP of Strategy at Cyberbit. Ben is an information security and risk executive and thought leader with more than 20 years of results driven experience in developing and executing long-term security strategies.


SAP Cyber Threat Intelligence Report – February 2018

InfoSec Island - Fri, 02/16/2018 - 10:29am

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

  • The second set of SAP Security Notes in 2018 consists of 26 patches with the majority of them rated medium.
  • Missing authorization check is the most common vulnerability type this month, again.

SAP Security Notes – February 2018

SAP has released the monthly critical patch update for February 2018. This patch update closes 26 SAP Security Notes (14 SAP Security Patch Day Notes and 12 Support Package Notes). 7 of all the patches are updates to previously released Security Notes.

14 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Five of the released SAP Security Notes received a High priority rating, two were assessed at Low, and 19 fixes were rated Medium.

SAP Security Notes Distribution by Priority (September 2017-February 2018)

The most common vulnerability type is Missing authorization check.

SAP Security Notes Distribution by Vulnerability Types – February 2018

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, three critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov were closed.

You can find their details below.

  • A Missing Authentication Check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3, CVE-2018-2368). The update is available in SAP Security Note 2565622. An attacker can use a missing authentication check to reach a service without going through any authentication procedure and use functionality that is supposed to be restricted. This can lead to information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380). The update is available in SAP Security Note 2547431. An attacker can use directory traversal to access arbitrary files and directories in the SAP server file system, including application source code, configuration and system files, and so obtain critical technical and business-related information stored in the vulnerable SAP system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369). The update is available in SAP Security Note 2572940. An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps in learning about the system and planning further attacks.

Critical issues closed by SAP Security Notes in February

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2525222: SAP Internet Graphics Server (IGS) has multiple security vulnerabilities (CVSS Base Score: 8.3; Unrestricted File Upload CVE-2018-2395; DoS CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384; XXE CVE-2018-2393, CVE-2018-2392; Log Injection CVE-2018-2389; Information Disclosure CVE-2018-2382, CVE-2018-2387). Depending on the vulnerability, an attacker can use the denial-of-service flaws to terminate a process of the vulnerable component, leaving the service unusable for that time, with the resulting downtime harming business processes and reputation; or use the XML external entity flaws to submit specially crafted, unauthorized XML requests that the XML parser processes, gaining unauthorised access to the OS file system; among other vectors. Install this SAP Security Note to prevent the risks.
  • 2589129: SAP HANA Extended Application Services has multiple security vulnerabilities (CVSS Base Score: 7.1; CVE-2018-2374, CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2377, CVE-2018-2372, CVE-2018-2373). An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps in learning about the system and planning further attacks. Install this SAP Security Note to prevent the risks.
  • 2562089: SAP ABAP File Interface has a Directory Traversal vulnerability (CVSS Base Score: 6.6, CVE-2018-2367). An attacker can use directory traversal to access arbitrary files and directories in the SAP server file system, including application source code, configuration and system files, and so obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent the risks.
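Two of the notes above (2547431 for SAP Internet Sales and 2562089 for the ABAP File Interface) are directory traversal flaws, so here is the pattern behind that class, as an added example and not SAP’s or ERPScan’s code: a naive join of a caller-supplied file name onto a base directory, beside a resolver that canonicalises the result and refuses anything outside the base. The base directory and file names are hypothetical.

```python
"""Directory traversal: the unsafe join beside a confined resolver."""
import os

# Hypothetical directory a file interface is allowed to serve from.
BASE_DIR = "/srv/sap/exports"


def resolve_unsafe(base, requested):
    """Vulnerable: the caller-controlled name is joined straight onto the base.
    '../../../etc/passwd' walks out of the directory, and an absolute name
    replaces the base entirely because os.path.join discards it."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_confined(base, requested):
    """Hardened: resolve symlinks and '..' first, then require the result to stay
    inside base. commonpath is used instead of startswith so that a sibling such as
    '/srv/sap/exports-old' is not mistaken for a child of '/srv/sap/exports'."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes {base_real}: {requested!r}")
    return candidate


def escapes_base(base, requested):
    """True when the confined resolver would reject the request."""
    try:
        resolve_confined(base, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for name in ("reports/q1.csv", "../../../etc/passwd", "/etc/passwd", "../exports-old/x"):
        print(f"{name!r:28} unsafe -> {resolve_unsafe(BASE_DIR, name)}"
              f"  confined -> {'REJECTED' if escapes_base(BASE_DIR, name) else 'ok'}")
```

The check must run on the canonical path, after symlink and `..` resolution, and on every request; validating the string before resolution (for example by stripping `../`) is what most traversal bypasses exploit.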

Advisories for these SAP vulnerabilities with technical details will be available in three months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.


The Only Gold Russia Can Win at the Winter Olympics Is for Cyber-Hacking

InfoSec Island - Fri, 02/09/2018 - 10:52am

Russia has already come out swinging against the IOC and WADA in attempted retaliation for being banned from the 2018 Olympics. Unfortunately, their old tricks appear to be decreasing in effectiveness. Each time Russia leaks information in connection to doping commissions, it garners less news attention and is increasingly being viewed as a failed operation.

Stumbling into the games makes Russia the most unpredictable threat actor vying for the title of “most disruptive to the Olympic games” this year. Other major contenders? Non-state actors and organized crime groups. Absent from this list, despite popular opinion, is who many view as the heavy favorite going into 2018, North Korea.

Likely to win Bronze: Your second runner-up this year is likely to be organized crime. In the past decade or so they have made a consistent appearance with fraud and scams going after visitors to the games. This year they have the potential to expand their operations into match fixing, given the increased reliance on electronic measurements to determine winners. This year’s judging scandal might be centered around a hacked timer rather than judges from Old Europe.

Reaching for the Silver: The safe money is on non-state actors (hacktivists, cyberterrorists, and fame seekers) to be the cause of the largest cyber disruptions to the games. They usually use large global events as a springboard for their agendas and are unusually hard to predict and model because of the relative obscurity of most of these actors. Having the element of surprise, a swashbuckling attitude, and a successful outcome being defined as any disruption, makes these actors the hardest to stop and generally the most prolific.

And the outside contender for Gold: We have the wild card, Russia. They have the technical sophistication to outperform these other two groups, but the question is: is their heart really in the competition? The declining effectiveness of doxing, combined with recurring punishments, could push the Kremlin to up its game. They have proven a willingness to unleash destructive malware in multiple countries for multiple reasons. Even if they just repackaged the self-propagating principles of the NotPetya attack with the payload concepts of the TV5Monde attack, they would have the capability to shut down the broadcast of the games. If they decide that the Olympics is no longer a neutral arbiter of friendly competition but rather a politicized organization dominated by anti-Russian sentiment, Moscow could very well debut a few cyber tricks never before seen.

Who’s not taking home any honors? Noticeably absent from this list is North Korea. Cyber threats from groups linked to North Korea have been in the news practically every month in the run up to the games, so if anyone has a shot of pulling off something spectacular it was this group of well-funded and motivated actors. Fortunately for the South Korean defenders they appear to have withdrawn themselves from contention. Kim Jong Un’s strategy of rapprochement means that if negotiations are going where he wants them to, the DPRK cyber menace is likely in standby mode. South Korea, by sacrificing part of its women’s hockey team, made the overall games significantly safer.

Will South Korea prevent any of these threat groups from gaining the notoriety they seek? The country’s capability to deal with these types of intrusions far exceeds that of Brazil during the 2016 Rio games. From a vulnerability and defensive capabilities standpoint, the overall cyber interruption to the 2018 Winter Olympics should be low compared to previous games.

However, given the onslaught of high caliber tools and exploits released over the last year, the ability of the security teams to keep up with all of the needed patches and other security controls will still be a big challenge for South Korea and will be more difficult than in past years.

Like all good competitions, this one will likely be decided by which groups have focused more on the fundamentals. If South Korea has kept their house in order and focused on the fundamentals of network security, they stand a good chance of surviving the short duration of the Olympic games. If they have focused too much on elaborate concepts and advanced skills at the detriment of those fundamentals, they stand a strong chance of falling short when the real games begin.

About the author: Ross is the Senior Director for Intelligence Services at Cybereason. Before joining Cybereason in 2016, he served as a Technical Lead and Cyber Lead for the United States Department of Defense.


Think GDPR Won’t Affect Your U.S. Company? Guess Again

InfoSec Island - Wed, 02/07/2018 - 5:55am

When the EU General Data Protection Regulation (GDPR) deadline arrives in May, companies that handle information belonging to European Union residents will have to adhere to a strict new set of guidelines – regardless of whether the company is based within the EU or outside the 28 member countries.

This may be news for some: One in four U.S. cybersecurity professionals believe their firm won’t need to comply with GDPR, according to a recent survey. Organizations that fall under the GDPR mandate could be fined up to 4% of annual global turnover or €20 million (whichever is greater) for a violation. While this is a worst-case scenario, it should be enough to get the attention of most companies that do business with EU residents.

Does your company need to comply?

It’s surprising that so many U.S. firms simply aren’t worried, as the GDPR represents a significant change in the way data must be handled.

An important change in the GDPR involves the geographic scope of this new law. To summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. Second, a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects "personal data" – aka personally identifiable information (PII) -- as part of a marketing survey, for example, then the data would have to be protected GDPR-style.

What kinds of U.S.-based companies are likely to fall under the GDPR’s territorial scope?

U.S.-based hospitality, travel, software services and e-commerce companies will need to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized online content should review their web operations.

U.S. companies without a physical presence in an EU country typically collect most of the personal data belonging to EU data subjects over the web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR? Here’s where the scope of requirements becomes a little more complicated: The organization would have to target a data subject in an EU country. Generic marketing doesn’t count.

For example, a Dutch user who searches the web and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply. Accepting currency of that country and having a domain suffix -- say a U.S. website that can be reached with a “.nl” from the Netherlands -- would certainly seal the case.

Do your GDPR “homework”

The best offense is a good defense. Companies that can show they essentially “did their homework” in following the GDPR requirements -- with the paperwork to back it up -- will be better off in the event of a violation where fines are involved. When the Article 40 “Codes of Conduct” -- which allow compliance with existing data security standards to count towards GDPR -- are officially approved by the regulators, companies may receive “partial credit” for their compliance.

In short, Article 40 says that standards associations can submit their security controls, say PCI DSS, to the European Data Protection Board (EDPB) for approval. If a controller then follows an officially approved “code of conduct”, then this can dissuade the supervising authority from taking actions, including issuing fines, as long as the standards group — for example, the PCI Security Standards Council — has its own monitoring mechanism to check on compliance.

While we'll have to wait for more guidance, the point is that EU regulators will eventually let companies leverage their efforts (and investments) in meeting standards such as PCI DSS or ISO 27001 for GDPR compliance.

Take stock of your data

The GDPR also mandates "data minimization" -- not keeping data when it's no longer needed, or even collecting it in the first place when it's not completely necessary for a business function. Most companies already have a policy for deleting "stale" data, though they may not follow through by applying those policies. GDPR says that this IT practice is not just a good idea, but the law!

So companies that proactively automate their retention and disposition policies for their files will be better prepared for compliance -- and they will also be better protected from insider threats and cyber attacks.

Unfortunately, many organizations have lost track of where their most sensitive information lives and who has access to it -- over 70% of folders we analyzed on corporate servers contained stale data, and almost half had 1000 files with PII, credit card credentials, and other data on file servers accessible to everyone.

With just a few months left to go, 60% of cyber security professionals in the EU and 50% of respondents in the U.S. say they face some serious challenges in being compliant with the GDPR by the May deadline.

Organizations are running out of time to take stock of how exposed their data is to attack. Now is the time to reduce your risk profile by locking down sensitive data, removing users that no longer need access, and deleting or archiving stale data – plan to maintain a least-privilege model to keep data secure.

Ignorance is not bliss when it comes to the GDPR, and organizations that have fallen behind in their preparations must ramp up their compliance activities or they could take a serious financial hit once the regulations take effect. Start taking control now.

About the author: Ken Spinner joined Varonis in 2006 and leads all technical pre- and post- sales engineering activities for Varonis customers worldwide. Ken’s career spans 30 years with organizations ranging from startups to Fortune 500 industry leaders. Prior to Varonis, Ken held leadership and senior engineering roles at Neoteris, Netscreen, Juniper Networks, BlueCoat Systems and Merck.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Advancing the Usability of PKIs

InfoSec Island - Tue, 02/06/2018 - 10:48am

Public Key Infrastructure (PKI) certificates have long served as the optimal method for securing the servers on the web and, increasingly, Internet of Things (IoT) devices. Deploying and updating PKIs used to be a largely manual process that required the time and attention of IT personnel. Today, there are tools that can automate those tasks, which makes securing the connections between networks, devices and their users simpler and more cost-effective. 

Certificates can be used to encrypt data at rest. PKI also enables the authentication of users, systems, and devices without the need for tokens, password policies, or other cumbersome user-initiated factors. In mutual authentication scenarios, certificates uniquely identify devices, which enhances authorization and secures device-to-device communication. As a result, certificates ensure that any data or messages transferred cannot be altered.

The challenge for an enterprise becomes determining what exactly it’s trying to protect, particularly as more companies embrace the IoT trend. PKIs ensure that the basic security requirements for data confidentiality, data integrity, and data accessibility are properly configured for all devices.

That’s becoming more complex, and virtually impossible to perform via manual processes. Why? Because of the sheer number of devices that are coming online.

By 2020, over 25 billion devices will be connected to the Internet, and each one of those connections must be secure to mitigate risks and protect organizations and individuals from malicious attacks.

To give you a better sense of scale, consider that 10 years ago, Certificate Authorities issued approximately 10 million certificates that verify a digital entity’s identity on the Internet worldwide. Today, just one company may request 10 million certificates for its realm of devices and services. That’s where the math starts to get complicated.

After all, PKI is built on math, leveraging algorithms to direct the inspection and validation of the signatures that enable secure communication and data-sharing between devices and networks. Fortunately, technology has advanced to enable computers to handle the complex algorithms used to inspect and validate the secure connection to a device or web site.

Unfortunately, the cyberattacks targeting those systems are also becoming more sophisticated and hitting more frequently. That is why a critical aspect of the effective use of PKI is updating those certificates as the threat landscape changes. In other words, PKI usage is not something to “set and forget”, and today requires thoughtful security planning in the process. Too often, a cloud service provider will experience a system outage simply because someone forgot to renew a certificate. The blame falls on a faulty manual process.
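The outage scenario above is exactly what an automated expiry check prevents. The following is an added example, not code from the original article or from DigiCert: it parses a certificate, classifies it as expired, due for renewal, or fine as of a given clock, and builds a constructed self-signed certificate so the check can run offline (the renewal window, clock value and device name are assumptions).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckRenewal parses a DER-encoded certificate and classifies it as of now as
// "expired", "renew" (within renewBeforeDays of NotAfter) or "ok", plus whole days left.
func CheckRenewal(der []byte, now time.Time, renewBeforeDays int) (string, int, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", 0, err
	}
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24) // negative once the certificate has expired
	switch {
	case now.After(cert.NotAfter):
		return "expired", days, nil
	case remaining <= time.Duration(renewBeforeDays)*24*time.Hour:
		return "renew", days, nil
	default:
		return "ok", days, nil
	}
}

// MakeTestCert builds a constructed self-signed certificate (a stand-in for a
// CA-issued one) valid for validDays from notBefore, so the check runs offline.
func MakeTestCert(cn string, notBefore time.Time, validDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Date(2018, 2, 6, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible run
	der, _ := MakeTestCert("device-001.example.invalid", now.AddDate(0, 0, -80), 90)
	state, days, _ := CheckRenewal(der, now, 30)
	fmt.Println(state, days) // renew 10
}
```

In practice the same check runs on a schedule over every certificate in the inventory, and a "renew" result triggers the CA's automated issuance rather than a ticket for a person to remember.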

Therefore, the way PKI becomes more usable is by partnering with a Certificate Authority (CA) that can introduce and manage automation technologies to relieve IT of those responsibilities. IT and users should not have to worry about “breaking” something because they were not paying attention to the right discussion forum or right threads about new attacks. 

This can also be especially valuable in development environments, where developers are checking code in and out. PKIs enable each developer to sign what they are accessing, thereby creating chains of trust. This can be very useful both to open source projects and to protecting a company’s download site from being hijacked and falling victim to a DNS attack.

If your organization is going to rely on PKI, it’s important to also leverage the benefits that automation can provide. This is where partnering with a CA can help, both today and tomorrow. CAs take on the responsibility of managing PKIs, which includes participating in forums and working groups to ensure that PKIs evolve to meet the ever-changing threat landscape. This relieves enterprises of having to take on those responsibilities, so they can focus on their strategic business priorities.

About the author: Dan Timpson is DigiCert Chief Technology Officer, responsible for DigiCert's technology strategy and driving development that advances PKI innovation for SSL and IoT customers. Timpson’s team focuses on continuous improvement to deliver a comprehensive digital certificate management platform for DigiCert customers that includes standards-based, automated certificate provisioning for devices and APIs for seamless integration with third-party systems.


The Five Secrets to Making Security Awareness Work in 2018

InfoSec Island - Mon, 01/29/2018 - 12:29pm

So, it is the start of a new year and you are hoping to do great things with your security awareness and training program. You have a desire to move beyond simple ‘box checking’ and to actually change hearts, minds and behavior patterns. You know that it is the right thing to do for your organization and are looking forward to seeing the positive results. The sticking point, however, is that – like most organizations – you probably don’t exactly know how you are going to make it happen.

My hope with this article is to help you begin the process of creating a solid plan and foundation that will enable you to achieve a game changing level of security awareness and behavior transformation. With that goal in mind, here are the five secrets that I use to best position security awareness leaders for success:

Secret 1: Have a vision of what ‘good’ looks like for your organization

The key to implementing this secret is implementing a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It is always interesting to see the differences and similarities that this process can help uncover. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.

With this background knowledge, you can begin to create your goals for the year. For this, I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework—I use the Michael Hyatt version.

Secret 2: View awareness through the lens of organizational culture

I’ll be writing about this more in the coming months. But here is the big idea: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, your organizational culture will ‘win out’ over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture.

Remember the survey and interviews that I mentioned at the start of the first secret? This is where you’ll really get an idea of any organizational culture gaps that you need to account for. When you find these gaps, you’ll have a few choices: 1) modify your awareness program’s expectations and goals based on the identified gap, 2) work with organizational leaders to see how you can help influence the larger culture, or 3) a hybrid approach where you modify some goals while also doing the work of trying to influence the larger culture.

Of these, option 1 is clearly the easiest – but has very little reward associated with it; it’s the ‘safe’ route. Options 2 and 3 will involve more work, politicking, and likely a bit of frustration, but offer the greatest long-term benefit for the organization and for you. This is also where you can begin to leverage things like security champion/liaison programs to help infuse security-related values throughout the organization to create consistency and sustainability.

Secret 3: Leverage behavior management principles to help shape good security hygiene

Your awareness program shouldn’t focus only on information delivery. There are plenty of things that most of us are aware of – but we just don’t care about those things. Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices. Most of my thinking about behavior management is heavily influenced by the research of BJ Fogg, who heads up the Persuasive Tech Lab at Stanford University. Fogg’s research has influenced technology companies around the world who seek to create engaging experiences for their users and drive specific behaviors. His behavior model and his work around habit creation are available online.

I realize that most readers won’t have time to dig into the deeper details of behavior management and create their own unique programs. Don’t lose heart! Simulated phishing platforms distill some of the fundamentals of behavior management into an easy-to-deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim to the simulated attack. Do this frequently, and you will see dramatic behavior change!

Secret 4: Focus on understanding the different personalities, drivers, and learning styles within your organization

(This goes back to the Specific and Relevant attributes of the SMARTER framework I referenced.) It is critically important to understand your overall organizational context, the different types of people within the organization, regional contexts, divisional and departmental contexts, and so on. This not only helps you tailor content that will best speak to each of the groups, but can also help you avoid stepping on potential landmines.

Secret 5: Be realistic about what is achievable in the short term and optimistic about the long-term payoff

So here is where the rubber meets the road. You’ve got all of the planning out of the way, created goals, understand the nuances of your organization, and are focusing on creating real, sustainable change. Now it’s time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization, and that sometimes means training people how to be trained!

But here’s the good news: the data show that you can see dramatic behavior change in as little as 90 days if you follow a best practice of combining security awareness content (e.g. computer-based learning modules) with frequent simulated phishing testing conducted at least monthly. In a recent study, we looked at the progress of more than six million accounts across nearly 11,000 organizations over a 12-month timeframe. Organizations that followed the best practice I just mentioned saw their employees’ Phish-prone percentage drop by 50% in just 90 days – from a 27% baseline Phish-prone percentage down to 13.3%. And consistent training brought that down even more dramatically at the 12-month mark… from that initial 27% baseline all the way to 2%.

Are you ready to make 2018 a break-out year for your security awareness program?

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.
