InfoSec Island

How Does UC in the Cloud Impact Your Security Posture?

InfoSec Island - Thu, 07/20/2017 - 4:11am

Session border controllers (SBCs) provide the protection UC applications require – and data firewalls lack – enabling enterprises to make the leap to the cloud

Chief security officers have a lot on their plate these days, from a daily influx of zero-day vulnerabilities to increasingly sophisticated denial-of-service (DoS) attacks. It’s a good bet that securing their unified communications (UC) application isn’t keeping them up at night. But maybe it should be?  

Traditionally, enterprise security has centered around data: customer data, corporate data, credit card data, etc. There is a thriving, global, cybercriminal community built just around the goal of stealing data or, increasingly, encrypting it and holding it for ransom (known as ransomware). Enterprises collectively spend billions of dollars each year protecting their data through firewalls and other data-centric security devices. In a sense, enterprises have locked their data doors tightly, but have they left another window open?    

UC applications such as voice, video, messaging and file sharing are transmitted over the same IP network as web and data applications, and thus are prone to the same type of network attacks. Where UC applications differ from their purely data-based counterparts is in the fact that they are real-time applications that use the Session Initiation Protocol (SIP) for signaling between UC stacks and endpoints. Unsecured UC expands an enterprise’s potential risk by introducing data exfiltration, Denial of Service (DoS), telephony denial-of-service (TDoS) attacks and eavesdropping into the equation. And data firewalls – even advanced next-generation firewalls – don’t have the deep, stateful knowledge of SIP to protect SIP-based real-time applications. For that, you need a session border controller (SBC).  

As many enterprises are adopting a zero-trust model for security, every application must be secured. SBCs play many important roles in enterprise communications networks by providing intelligent routing, signaling interworking, and media services to ensure quality of experience. But the SBC’s primary function is to protect the UC network from SIP-based attacks. With inherent security features such as per-session state awareness, protocol filtering, topology hiding, encryption and dynamic blacklisting, SBCs can secure voice calls and prevent telephony-based attacks from happening.  

As traditional circuit-switched communications have evolved into IP-based UC, the attack surface has grown. It’s now possible, and easier, to mount DDoS attacks, spoof caller IDs for toll fraud, or use media or signaling UDP/TCP ports to exfiltrate data. The importance of SBCs to secure UC has likewise grown – many enterprises today use SBCs as a UC firewall, a demark point for SIP trunking services, and a tool to encrypt and interwork their UC assets.    

These perimeter-based SBCs are intended to secure UC applications that are deployed within the enterprise—for example, on an internal Skype for Business server. But what happens when UC moves into the cloud? It’s a question that many enterprises will need to answer in the coming years. According to IHS, the number of UC and VoIP subscribers in the cloud will double over the next few years, reaching over 75 million by 2020.  

The cloud represents a much larger surface area for attack. Cloud-based services are comprised of many different virtual machines (VMs) and potentially dozens of different microservices, each with their own security weakpoints. Every weakpoint – whether in code, access or protocol – can expose an application to a potential security breach, and once an application is hacked, intruders can move laterally within a cloud-based network to access other applications and data. You can think of a cloud service as being composed of hundreds of different Lego-like blocks. In the cloud, your security posture is only as strong as your weakest block.  

Enterprises cannot solely rely on their cloud service provider to completely secure the myriad UC connections taking place—especially if the enterprise is in a compliance-restricted industry, such as finance or healthcare. The increased surface area of the cloud provides more attack points for hackers. And compared to an on-premises UC deployment, enterprises will have less control. For these reasons, enterprises need to scrutinize their security practices so that they can ensure they’re protecting their networks appropriately.   

To create a consistent defense system against network attacks, it is critical for enterprises to integrate SBCs into their security posture at the edge of their network. Just as an enterprise wouldn’t think of connecting its data network to the internet without a firewall or performing commerce over the internet without encryption, an SBC is just as critical to real-time SIP communications.  

But enterprises need to be mindful that not all SBCs are created equal. They may support static blacklists, but not the dynamic generation of new blacklists. They may identify malformed SIP packets, but not anomalous network behavior that could indicate an attack. Or encryption may be turned off, because turning it on causes performance and jitter issues. These security gaps are points of exposure that cybercriminals can, and will, exploit.   

The cloud is already the future of IT and, for many enterprises, it is the future of UC as well. There is much intrinsic value in UC-as-a-Service (UCaaS), from cost stabilization to unified messaging across multiple devices/locations. But it does require a different security posture than an on-premises system. Cybercriminals are actively targeting cloud platforms, and enterprises need to be proactive in their defense against cloud-based attacks—particularly from traditionally under-secured vectors such as SIP-based communications.  

The best approach is to remember that moving an application into the cloud doesn’t shift the responsibility of security to the cloud. To maintain the security posture of unified communications, enterprises must implement a holistic approach to security that extends from their infrastructure to the cloud.  

About the author: Mykola Konrad is the Vice President, Product Management and Marketing at Sonus Networks. At Sonus, Mykola is leading the introduction of the Sonus portfolio of products to the Enterprise customer segment.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

How to Prevent Ransomware and Cyberattacks

InfoSec Island - Fri, 07/14/2017 - 12:58pm

The impacts of ransomware and other breaches, which exploit failures in risk management, are preventable. The WannaCry ransomware attack was the most widespread of its kind in history. It took advantage of a Windows vulnerability – one detected and resolved months ago – encrypting victims’ data and demanding a ransom payment for un-encryption.

More recently, many organizations in Europe and the US have been crippled by a second ransomware attack, known as “NotPetya” or “GoldenEye.” NotPetya was a malicious, destructive attack disguised as ransomware.

The scope and speed of these new attacks are major wakeup calls for organizations around the globe; an attack can come at any time, and failing to implement a strong prevention strategy is a recipe for disaster. Often, when a cyberattack is resolved (or even while it’s still ongoing), unaffected organizations may instinctively dismiss its significance, assuming the dangerous mindset that their business’ operations are different and won’t be affected. This frame of mind fails to acknowledge that mistakes made by cyberattack victims are typically shared by many others.

Consider the ever-increasing capabilities of cyberattackers. Constantly improving technologies allow attackers to evolve their strategies, find new points of entry, and make themselves harder to detect. Your security and business continuity programs must stay one step ahead of this evolution, a process that requires implementation across departments and levels.

Cyberattacks – alongside all risk management failures – are entirely preventable with good governance and integrated risk management processes. The standardization and automation of these components does not require a revolution in your operational structure. They are achieved by using centralized monitoring and policy operationalization, making sure you adhere to best practices without exception. Senior leadership can then use the information gathered to make informed strategic decisions.

The traditional understanding of departmental interaction – namely that each department conducts its own operations and is most qualified to evaluate its own risk profile – creates cracks through which incidents and attacks can slip. A truly integrated approach, requiring strong governance and board oversight, illuminates vulnerabilities shared by departments. This allows for efficiency (and efficacy) through collaboration and allocation of responsibilities.

Poor governance and operationalization have led to risk management failures including those seen at Target, Ashley Madison, Dwolla, and Wendy’s. These breaches would have been prevented not with complex, expensive technology, but with improved governance processes.

Strengthening Cybersecurity and Preventing Surprises with Good Governance

Enterprise risk management accomplishes more than simply identify new risks and to-do items. By revealing the interdependencies and interactions between departments, applications, vendors, and other resources, it closes the gap between policies and everyday operations. This makes it easier to resolve known issues and prevent scandals. For example, which applications contain sensitive data that might have a material impact on your reputation? Which departments use those applications, and which policies and controls (if any) currently address those weaknesses? Are these policies and other mitigation activities effective in addressing this risk?

Going back to WannaCry, prevention would have been as simple as automated alerts. Alerts would have prompted verification that appropriate Windows patches were implemented, followed by a report of all critical systems not covered by patch deployments. This is a good example of the importance of governance over existing processes, as opposed to the wasteful alternative of expensive technology solutions that may not even address future issues.

It’s a known fact in the security community that, due to human or technology errors, 10-15% of authorized, scheduled patches are not implemented. Resulting vulnerabilities are often detected by the “right” people (in this case, Windows itself) before they are the “wrong” people, but when fixes aren’t implemented punctually, the risk remains. Notifications remove the possibility that risk goes unaddressed.

Mitigating risks presented by any cyberattack can take place at your organization today. If necessary, the following steps can be performed on a manual basis, but for long-term sustainability, use a centrally managed, risk-based approach.

Off-site backups are your first and most basic line of defense. Frequency and scope will be different for each organization; your security team should collaborate with senior leadership to determine minimum standards. Has a restoration test been performed, ensuring that your infrastructure and applications infrastructure can be restored? Can back-up data actually be used within your stated recovery time objective (RTO)? Your RTO is the maximum “downtime” window that can be tolerated for a particular process before financial, reputational, or legal damage occurs.

Most organizations have formal internal policies, but few identify the risks associated with these policies. After risks are identified, regularized tests and notifications verify risks they are mitigated. Backups take time, and without using a risk-based approach to prioritize data and the application infrastructure, much existing activity is wasted. The relationships between your people and resources, once identified, reveals what is integral to critical functions.

Backups will compose a piece of your overall business continuity and disaster recovery (BC/DR) plan. The BC/DR plan needs not just be created, but tested regularly. Most back-up systems only preserve data, not the application infrastructure. Doing so requires a second level of testing; can the applications and infrastructure be reestablished, and will they be compatible with restored data? Test your organization’s ability to implement a “clean recovery,” or total restoration of all data. The program cannot be made fully operational until those regular tests are implemented. Without an operationalized BC/DR program, it’s difficult to impossible to recover from an attack within the required timeframe.

Most organizations also understand of access rights from a policy point of view. However, are access rights managed effectively by all the users? The principle of least privilege, by which a company grants employees only the access they need to perform their duties, limits vulnerability without compromising efficiency. Begin this process by implementing and enforcing password complexity/change requirements. Rights then need to be defined and updated regularly by engaging front-line managers. Ransomware and breaches target the weakest links in an organization, often through vendors and supply chains.

With an ERM solution, you can maintain an effective asset management process by determining which applications, devices, and other resources require access rights protection. The next step is to create transparency into how effective policies are over these processes.

Through good governance, you can make sure everyday activities are aligned with leadership’s strategic goals. An integrated risk management approach reduces overall exposure and allows the organization to better leverage existing assets and prevent potentially disastrous disruptions like the WannaCry attack – without using additional budget to security technologies.

About the author: Steven Minsky is the CEO of LogicManager, the leading provider of ERM solutions. Steven is also the author of the popular Risk Maturity Model, RIMS State of ERM Report, a frequent contributor to blogs and press, as well as an instructor on many risk management topics.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

SAP Cyber Threat Intelligence report – July 2017

InfoSec Island - Fri, 07/14/2017 - 11:57am

The SAP threat landscape is always growing thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind SAP Cyber Threat Intelligence report is to provide an insight into the latest security threats and vulnerabilities.

Key takeaways

  • July’s set of SAP Security Notes consists of 23 patches with the majority of them rated medium.
  • The most severe vulnerabilities of this month affect SAP POS, a point of sale solution. The vulnerabilities allow attackers to Read/write/delete sensitive information and even monitor all content displayed on a receipt window of a POS remotely without authentication.

SAP Security Notes – July 2017

SAP has released the monthly critical patch update for July 2017. This patch update includes 23 SAP Security Notes (12 SAP Security Patch Day Notes and 11 Support Package Notes).

11 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of all the Notes are updates to previously released Security Notes.

4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.

The most common vulnerability types are Missing Authentication check, Switchable authorization check, and Implementation flaw.

Issues that were patched with the help of ERPScan

This month, several critical vulnerabilities identified by ERPScan’s researchers Dmitry Chastuhin, Mathieu Geli, and Vladimir Egorov were closed by 3 SAP Security Notes.

Below are the details of the SAP vulnerability, which was identified by ERPScan team.

  • Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). Update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). Update is available in SAP Security Note 2442993. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • Multiple vulnerabilities (Cross-site scripting and Cross-site request forgery) in SAP CRM Internet Sales Administration Console (CVSS Base Score: 6.1). Update is available in SAP Security Note 2478964. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content. Moreover, an attacker can use a Cross-site request forgery vulnerability for exploiting an authenticated user’s session with a help of making a request containing a certain URL and specific parameters. A function will be executed with authenticated user’s rights.

About Multiple Missing Authorization Check in SAP Point of Sale

SAP POS, a client-server point-of-sale (POS) solution from the German software maker, is a part of its Retail solution portfolio, which products are in use at 80% of the retailers in the Forbes Global 2000.

From a technical point of view, SAP POS consists of Client applications, Store Server side (serve connective, operative and administrative needs) and applications running in the head office to allow central configuration.

This month, SAP released Security Note 2476601 to close multiple severe vulnerabilities in SAP POS Xpress Server. The component lacks authentication checks for critical functionality. The missing authorization checks would allow an attacker to:

  • Read/write/delete files stored on SAP POS server;
  • Shutdown the Xpress Server application;
  • Monitor all content displayed on a receipt window of a POS.

The described malicious actions can be performed over the network without authentication.

The vulnerabilities were rated at 8.1 by CVSS base score v.3, with all 3 impact metrics (Confidentiality, Integrity, and Availability) assessed High

According to the rules of responsible disclosure, ERPScan doesn’t disclose technical details to allow SAP customers a period of time to patch the issues. Researchers who identified the vulnerabilities will deliver a talk at Hack in the Box Singapore (August 24) where they will demonstrate an attack vector against SAP POS.

Other critical issues closed by SAP Security Notes July

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5). Depending on code type, attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, or can potentially escalate privileges by executing malicious code or even to perform a DOS attack. Install this SAP Security Note to prevent the risks.
  • 2409262: SAP BI Promotion Management Application has an XML external entity vulnerability (CVSS Base Score: 6.1). An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content. Install this SAP Security Note to prevent the risks.
  • 2398144: SAP Business Objects Titan has an XML external entity vulnerability (CVSS Base Score: 5.4). An attacker can use XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use a XML external entity vulnerability for getting unauthorized access to OS filesystem. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

NotPetya — 'Ransomware' That Spreads like a Worm

InfoSec Island - Wed, 07/12/2017 - 8:48am

Barely out of the woods with WannaCry, another global ransomware attack, a new variant of ‘Petya,’ began infecting organizations throughout Europe and into the Americas. Upon initial analysis and investigation, the attack was thought to be a variant of Petya ransomware, as the the threat actors behind the attack carefully designed it to look the same. However, upon further analysis, it was discovered that the main distribution and payment schemes were inconsistent with Petya.

NotPetya, as it turned out, was disseminated via the compromised software from MeDoc, a distributor of tax accounting software mandated by the Ukrainian government. Hackers seemed to have breached the firm’s computer systems and compromised a software update that was published to customers on June 22 -- leading the malware to spread to more than 12,000 systems throughout Europe and America. This new variant started spreading across networks using Windows Management Instrumentation Command-line (WMIC) or the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE. The SMB exploit used in NotPetya, was in fact the same SMB exploit method used by the devastating WannaCry ransomware attack.

Once NotPetya infects a system, it establishes encryption routines and attempts to spread over the network. What makes NotPetya unique however, is that it attempts to extract cached user credentials from the original infected machine and propagates using WMIC. The other key difference between NotPetya and WannaCry is that while WannaCry used a killswitch domain, NotPetya doesn’t. Encryption will happen irrespective of whether the infected system is in an isolated environment or connected to the internet.

What Makes ‘NotPetya’ Unique

Ransomware locks up files on infected machines and demands payment to retrieve the data. NotPetya differentiated itself from this through its unique encryption process. It presented a fake chkdsk page, which encrypts the hard disk master boot record if a privileges user executes it. From there, it schedules a task to restart the system and prompts the ransom note. If it is unable to execute the payload as a privileged user, it moves to encrypt the file types annotated below and writes a README.TXT ransom note.

Prior Petya campaigns operated on a single organized payment and decryption key distribution system accessed via the Tor network. By contrast, this particular attack relied upon a single email account for coordinating ransom payments and decryption keys. As a result, the email address was identified and deactivated early on, leading investigators to conclude it was unlikely that attackers intended it to remain operational throughout the campaign. Thus, these unique NotPetya techniques led many researchers to believe the true goals of the attack may have been disruption rather than monetary gain.

According to an open-source intelligence analysis by Infoblox, the campaign involved the following major actions:

  1. Implanted trojan: Attackers disguised a trojan to appear as though it was a legitimate update for MeDoc software. Since MeDoc is one of the two tax accounting software vendors approved by the Ukrainian government for this work, the threat actors knew this software would be essential to the financial sector and companies doing business in Ukraine.
  2. Watering-hole attack: Attackers often compromise a website or create a look-alike domain to function as a watering-hole attack where victims will visit without being lured. What made this attack so effective was the compromise of the software supply chain by compromising MeDoc and using their software update service to deliver the trojan. Because the update service was genuinely operated by the real vendor, updates would most likely have been trusted by the customer and automatically deployed.  
  3. Enhanced malware: Attackers enhanced the malware in order to harvest user credentials and use the capabilities inherent in the operation systems to move lateral and spread the malware.

Best Practices

Throughout recent months, ransomware has emerged as one of this year’s biggest threats. More than $1B was paid out to ransomware criminals in 2016 alone, and 2017 has seen a 6,000 percent increase in ransomware infected emails, compared to 2016. As attacks of this scale and ambiguity are likely to continue, organizations must adopt to certain best practices to stay protected and keep themselves and their customers safe. 

  1. Backup: Always backup essential data and test the restore procedures.
  2. Timely Patches: Prioritize and apply security updates and patches. Since a known vulnerability in the Microsoft Server Message Block (SMB) was used in this attack, installing updates in the Microsoft March 2017 Security Bulletin will resolve the weakness. It is also recommended that SMB be disabled until the proper patches can be applied to the system. (How to Disable SMB)
  3. Network Hygiene: Segment networks to limit the propagation of malware.
  4. User Training: Train your employees to delete emails with attachments received from unknown senders, and to disable Microsoft Office document macros by default. It is also important to not allow documents to open additional files or execute macros without external confirmation (e.g. phone, in person, etc.) that the sender is valid.
  5. High quality, curated-threat intelligence feeds: Using high quality curated threat intelligence that is fully up-to-date can protect users from unwanted DNS communications, all while maximizing DNS protection. In addition, using RPZ-based security capability integrated with DNS to detect and block communications to bad sites and command and control servers can help stop the spread of advanced malware and ransomware.

About the author: As Director of Cyber Intelligence for Infoblox, Sean Tierney leads the efforts to develop and refine threat data; delivered to customers as machine readable, actionable intelligence. His team collaborates with industry peers, Fortune 500 companies, and government agencies to identify emerging cybersecurity threats.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Convenience Comes at a Steep Price: Password Management Systems & SSO

InfoSec Island - Wed, 07/12/2017 - 4:47am

In today’s environment, it can often be a challenge (if not impossible) to memorize and keep track of all our login credentials for our daily interaction with online apps and services. Users also typically circumvent unwanted, extra layers of security in favor of convenience. Many consumers and businesses are flocking to the mirage of safety offered by password management firms, which are only as strong as their weakest link (often humans), and we must continuously reinforce the need for advanced authentication methods for nearly everyone – consumers, employees, suppliers, etc.

While password management firms may seem like a great idea given the increasing number of digital tools and devices that we rely on every day, they are not a “fix-all” solution. Their protection is only as strong as the password you create to use with the service itself, or the one the administrator/operator creates to secure the system’s database. Moreover, if the credentials associated with password management firms become compromised, the impact is far worse – akin to losing the “Keys to the Castle.” Given the fact that more than 81 percent of data breaches last year involved either stolen and/or weak passwords, the issue must become a central theme in any conversation about online security (2016 Verizon Breach Report).

Users frequently utilize the same username and password combination for multiple accounts, and use social media applications (such as Facebook & Twitter) to automatically create accounts for new products. However, while this is convenient, it’s clearly not secure. According to a 2016 survey, 73% of adults in the United States and UK use the same password (or a simple variation) for all of their accounts.

Many large organizations are switching to another, convenience-driven solution to ease the time and burden of logging into multiple systems by implementing Single Sign On (SSO) applications. But SSO, like password management systems, can be a double-edged sword for security practices.

If the central database of credentials for these systems is eventually compromised through brute force attacks against privileged users – a feat that becomes increasingly easier and less time consuming with steady advances in computing power – the consequences can be devastating for enterprises, vendors, and customers.

As we have repeatedly witnessed, a primary attack vector for large firms has been through third-party vendors, and this was again the case in last month’s massive breach of the password management firm OneLogin. A company statement conveyed the enormous scope of the incident by admitting that the hacker was able to access database tables that contain information about users, apps, and various types of keys – which could enable the malicious party to decrypt sensitive files for thousands, if not many more, of their clients.

Many security experts have touted password management services and SSO providers as positive advancements for our somewhat outdated reliance on a username and password combination as the most common method of verification. However, trusting cloud-based storage of highly sensitive data always increases the risks of compromise. If an attacker can obtain access to any user’s credentials that have the capability to unlock other applications, they will likely be able to compromise additional applications.

Social media accounts are also an increasingly common authentication point for third-party applications, which is commonly justified by not having to keep track of yet another new password. It streamlines the sign-in process and only requires permission to be granted during the first session. The third-party permission requirement does deter some users, and it is often restricted by firewalls that block employee access to the social media site. Instituted with an eye toward convenience, it too can allow hackers to compromise all of the linked accounts by authenticating with only the social media credentials.

The common denominator in all of these scenarios circles back to an arcane overreliance and overconfidence in the level of protection that the username/password combo provides. While several security-centric industries have adopted optional security measures such as two-factor authentication, enhanced authentication must be universally reinforced by making these procedures default requirements for the vast majority online activity. Multi-factor authentication should be used to enhance our ability to help avoid credential theft from every angle. These should be expanded to include providing something you have, something you know, and something you are as the new minimum standards for identification.

As nefarious actors and groups of all kinds have evolved their capabilities on a regular basis to commit ever more complex acts of cybercrime, we must finally take steps to evolve basic security processes in turn. Password management systems and similar tools aren’t silver bullets, as they only serve as yet another layer of simple, insecure passwords. After all, if all you need is a password to gain access to another password, there’s no substantive enhancement to security.

About the author: Alexandre Cagnoni is CEO of McLean, Virginia-based Datablink (, a global provider of advanced authentication and transaction signing solutions.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

The Security Risk Within Smart Cities

InfoSec Island - Fri, 06/30/2017 - 11:29am

Technical innovations and increasing digitisation are a mixed blessing: On the one hand, we benefit from them as they simplify our everyday life and can help us to overcome challenges. On the other hand, they present new difficulties and problems. The concept of the smart city, which has been under development around the world for some years now, is a perfect example of this.

Whether it’s growing traffic volumes, environmental pollution, dissipation of energy, or growing mountains of waste – the smart city of the future has the answer for a number of problems faced by our cities. The answer being, the internet of things, i.e. millions of connected, digitised and sensor equipped devices and infrastructures. From connected automobiles within a car sharing service, smart traffic light circuits and energy-efficient street lighting, to sensor equipped garbage cans or irrigation systems in parks – everything is possible.

But environmental compatibility, comfort, and resource efficiency do not come without their challenges. Not only is it difficult to cater for the immense amount of data and rapid analysis that comes with smart cities, but even more concerning is the susceptibility of smart cities to cyber-attacks. Something all security experts agree on is that the smart city of the future is insecure.

Manipulated Traffic Lights

One of the greatest weaknesses of IoT is the utilisation of insecure devices that lack sufficient security testing, allowing the devices to be hacked and fake data to be fed to them. The reason this happens is because during the development of IoT devices and applications, functionality and customer orientation still have the highest priority for the vendors. Even in times of increased connectedness, aspects regarding security and data protection are still neglected – be it for cost reasons, time pressure or limited processing performance.

What this means for smart cities and connected infrastructures, was demonstrated by security expert Cesar Cerrudo some time ago. On numerous trips through big American cities such as New York, Los Angeles or San Francisco, he demonstrated how thousands of traffic control sensors were vulnerable to attack. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away — or even by drone — made possible due to one company failing to encrypt its traffic data. This enables hackers and cybercriminals to manipulate traffic data, permitting them to cause faulty traffic light circuits, traffic jams, large-scale obstruction traffic or even dramatic accidents.

Minimising IoT Security Risks and Vulnerabilities

In the case of cyber-attacks on smart cities, millions of devices are potentially threatened by manipulations or malware infections. Therefore, a well thought out security strategy is indispensable. This starts with identifying and then prioritising the critical infrastructure. Only those who can identify and clear away vulnerabilities, security flaws, malicious environments, outdated operating systems, etc. in time, are able to prevent serious failures and manipulations.

The best possible protection against hacking attacks is a security solution that is embedded within the IoT application itself. Instead of constructing a fence around the device and its software, applications need to be hardened with effective protection solutions such as obfuscation or Whitebox cryptography as well as with advanced RASP (Runtime Application Self-Protection) technologies. Being protected in such a manner, the applications are able to protect themselves against all kinds of attacks with individually defined activities e.g. informing the provider of the IoT device that the software has been modified. Thanks to these application hardening technologies the application´s sensitive binary code – its crown jewels so to speak – is proactively protected.

Smart cities offer great opportunities, especially for rapidly growing cities which have to deal with population growth and increasing traffic loads. Nonetheless, in terms of IoT innovations security, data protection and privacy have to be top priority if they should be profitable in the long run. An important factor here is education. The issue of security must be top priority in all companies and organisations. Suppliers and vendors of IoT devices and technologies need to be better skilled and should dedicate time to discussing risks and informing their customers about possible threats.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Follow the Money — Stemming Hacker Habits

InfoSec Island - Fri, 06/30/2017 - 9:22am

Cybercrime has become a business — with everything from designers to customer service representatives to help monetize exploit kits, malware and DDoS botnets for hire. Gone are the days of the lone wolf hacker seeking to disrupt random organizations and websites for the “lulz.” Instead, there are fully fitted businesses selling their malicious services. What has given rise to new criminal business models?

The resurgence of attacks, from ransomware to DDoS attacks at massive scale, has been blamed on many factors. IoT is adding new points of vulnerability, network complexity due to the cloud has made it difficult to monitor and protect data flows, and digitization has networked all parts of an organization. Although these things do factor in the recent attack trends, more important, is the hacker’s motivation — which often follows the path of least resistance and greatest reward.

As in any legal business operation, cashing in on the opportunity for revenue growth is a must for criminals. And the path cyber criminals have taken has been driven by the prospect of an easy buck.

Tech Progress — A Double-Edged Sword

Technological advances in the workplace have and will continue changing how people work. But while it allows for greater productivity by way of streamlined workflows, hyperconnectivity, automation and more, it’s a double-edged sword. Things like the cloud and IoT have added another layer of complexity and almost limitless compute power and, in turn, make cybersecurity even more difficult.

For instance, clandestine devices and solutions are being brought into organizations unbeknownst to IT and security, ranging from personal connected devices to the use of unapproved cloud applications. This results in network visibility gaps that can be exploited by nefarious actors. All it takes is for a hacker to find this gap and exploit it for their benefit. It’s much easier to find a crack in a wall than it is to guard all of it.

Cyber Theft is Easy Money

In an unmonitored network, cybercrime and making money becomes easier for hackers — and cybercriminals aren’t missing a step in this seemingly easy-to-exploit environment. In 2016, we saw a record high of 1,093 breaches according to a recent report from Identity Theft Resource Center (ITRC) and CyberScout. This is a 40 percent spike over the previous year. And if recent headlines are any indicator, cybercriminals are likely to break the record again by the end of 2017.

The motivator is not just how easy it can be to get into a given network but the quick and big pay out it can provide. In the case of the past year’s breaches, over 36 million records were exposed. Databases worth of information were taken and then sold on the dark web on sites specially created for the purpose. It’s an entire ecosystem, as each record containing personally identifiable information (PII) can go for  $20 USD each. With thousands of records being sold at a time, it’s a large monetary win for cyber criminals that far outweigh the risk. Not to mention, they rarely face direct repercussions, as attribution is tenuous at best.

Shoring Up Defenses

In an attempt to prevent hackers from breaching their network, organizations across industries have begun to heavily invest in security. Cybersecurity Ventures predicts global security spending will exceed $1 trillion between 2017 and 2021. But throwing money at the problem will not solve it. As evidenced by a large number of breaches, best-in-breed solutions are not enough. Businesses can’t just plug and play, they need to have deep insight into their network in order to best orchestrate and manage solutions, traffic and, in turn, threats.

At the crux of this effort lies visibility. Without a single truth to work from and lack of network visibility to build on, organizations are haphazardly plugging holes — often, too late. Organizations need to ensure they take a step back before diving into the deep end of security. Cybercriminals only need to find one flaw to exploit and, without insight into where that can happen, organizations are left blind and unable to correct the flaws before it’s too late.

Cybercriminals aren’t stopping anytime soon. Ensure you have a finger on the pulse of your network or be ready to become another notch on a hacker’s belt.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Survey Shows Employers under Pressure to Keep Mobile Workers Safe

InfoSec Island - Fri, 06/30/2017 - 7:21am

According to a new report, “Protecting the Modern Mobile Workforce”  from Everbridge, Inc. (NASDAQ: EVBG), 77 percent of employers said their employees would prioritize safety over privacy concerns when it comes to identifying their location during a critical event. And while more than 80 percent of employers regard it as their responsibility to locate, share information and confirm safety of mobile employees during critical events – it remains a challenge for them.

The report includes findings from a May 2017 survey which polled security, risk management, business continuity and emergency management leaders at 412 organizations across a broad range of industries, about how they inform and protect employees when threats such as an active shooter, terrorist attack, workplace violence, or severe weather put the personal security of mobile employees at risk.

With 72 percent of the U.S. workforce expected to be made up of mobile workers by 2020, companies will face new challenges as traditional physical security approaches aimed at protecting employees within company facilities will no longer apply to a majority of the workforce.

The 2017 State of Telecommuting in the U.S. Employee Workforce Report,” recently announced by Global Workplace Analytics and FlexJobs, reports that the number of telecommuting workers has increased 115 percent in a decade, totaling 3.9 million workers. In fact, telecommuting exceeded public transportation as the commute option of choice in more than half of the top U.S. metro areas, and 40 percent more U.S. employers offered flexible workplace options than they did in 2010.

As the number of remote worked continues to climb, more pressure is being placed on companies’ to keep employees safe – regardless of whether they’re in the office or working remotely. Unfortunately, only 37 percent of employers confirm maintaining an accurate record of where employees are expected to be during working hours.

The good news, is with 83 percent of employers confirming that it’s their responsibility to do more to locate mobile workers who are potentially at risk – including alerting them to local threats and confirming their safety – you can bet discussions in board rooms worldwide will increasingly focus on how to effectively locate and confirm mobile employee safety.

About the author: Vincent Geffray is the Senior Director of Product Marketing at Everbridge. He has spent the past 15 years in IT operations and management solutions, with a focus on IT Alerting and communications.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Lax IIoT Cybersecurity: the Perfect Breeding Environment for Industroyer

InfoSec Island - Thu, 06/29/2017 - 12:30pm

The growing threat against industrial environments is increasingly met by sub-par cybersecurity considerations. Jalal Bouhdada, Founder and Principal ICS Security Consultant at Applied Risk, explores the threat of poor security for IIoT technology, including why the industry must prioritise cybersecurity to ensure long-term profitability

The second major malware iteration to target Industrial Control System (ICS) technologies directly, Industroyer, is believed to be the source behind the 2016 attack against Kiev, Ukraine, which brought down segments of the electrical grid. The malware was designed to focus on unsecured Industrial Internet of Things (IIoT) ICS devices, propagated through IT systems, and is reportedly able to manipulate existing process commands to flip breakers, potentially resulting in downtime across power plants.

Whilst this is the second technology of its type to target ICS technology directly in the wild, there are a number of Proof of Concept (PoC) attacks demonstrably able to achieve the same result. Industroyer malware is unfortunately neither new nor unexpected to those within the security industry; attacks such as this are a natural conclusion of poor security practices and unsecured IIoT devices. While the risks may seem clear to security professionals, it has been found that suppliers, system integrators and end users often believe their systems to be secure, only to later fall victim to a breach.

Technological convergence - defending against unknown unknowns

Despite 83 per cent of organisations utilising ICS technology claiming they are well prepared to face cyber-attacks, half of global organisations revealed they had suffered between one and five security incidents in the last year. As industrial environments increasingly see convergence between IT and Operational Technology (OT) through IIoT technology, this trend of poor security will only get worse as best practice is neglected or ignored. Notably, among businesses utilising ICS technology, ineffective cybersecurity practices were found to cost each organisation up to £383,000 per year. Despite the increased risk of downtime and an exponentially growing financial incentive to ensure security, organisations often remain unsecured and vulnerable to attack.

As the adoption of new technology increases, so too will the associated risk. The operational benefits that come from IT and OT convergence in industry cannot be overstated. The advent of IIoT means that efficiency gains can be drawn from traditionally ‘dumb’ technology, with IoT in industrial environments set to add $14.2 trillion to the global economy by 2030. With this benefit, however, comes a greater threat level. Networking technology that has been designed with inadequate security considerations creates an ideal environment for hackers attempting to breach a system.

Security by design - the new business essential

The IIoT landscape is, by design, influenced by its consumer IoT counterpart. In the rush to drive products to market, technology is often not shipped or installed with security in mind. Originally, industrial control systems were designed to be used in air-gapped environments where outsider security threats were not a key consideration. With increasing risk to industrial environments through IIoT, business priorities must adapt to ensure both uptime and profitability. It is well known that a skills shortage exists among security professionals. Combined with human error, currently the weakest link in OT security, a skewed ratio is the result – one with too few security professionals to address a growing number of threats targeted at other staff.

With a revitalised focus on staff training, educating all employees with a baseline of cybersecurity know-how, organisations have an opportunity to ensure the security of their business and boost efficiency from the ground up. Within a supply chain, this requires products to be designed and tested to ensure security, contributing to a holistic security environment. Once this has been achieved, as an industry, collaboratively sourcing secure technology will be the next step. By only utilising technologies with strong security credentials, the industry will be pushed towards a supply chain where products are secure by design. This will assist in removing the burden from available security staff, allowing a greater degree of autonomy and proactivity around cybersecurity response.

In meeting the challenge posed by greater levels of threats and fewer cybersecurity specialists to meet them, a shift in focus is essential. Until security is accepted as a business enabler, and not a cost centre, attacks of this nature will continue uncontested.

About the author: Jalal Bouhdada has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission provider, water utilities, petro chemical plants and oil refineries.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

How Does Samba Compare to WannaCry?

InfoSec Island - Thu, 06/29/2017 - 11:08am

And how can businesses mitigate their cyber risk with the “Three P’s”?

Many reports are drawing comparisons between the Samba vulnerability and WannaCry, withsome even dubbing it SambaCry. There’s no denying that the Samba vulnerability is serious. It also shares some similarities with WannaCry: it exploits a vulnerability in a service that utilizes Windows' SMB protocol, and, like WannaCry, is 'wormable' – meaning each infected machine could potentially infect other machines in its network, significantly increasing the spread of the malware. But, it doesn’t pose the same widespread risk as WannaCry.

To start, the number of potential targets of the Samba vulnerability is significantly less. Of the 2.3 million machines worldwide, the Samba vulnerability could only potentially impact a fraction – 60,000 to be exact. While, from a first glance, it would seem like there are millions of machines running Samba, from routers and network printers to your home NAS, there are several factors that must align for a machine to be exploited by this vulnerability:

  1. The machine needs to have TCP port 445 open and directly connected to the internet – this brings the number of potential targets down to 2.3 million machines worldwide;
  2. Guest login without password needs to be enabled – down to 980 thousand machines worldwide;
  3. The server is indeed running the vulnerable SAMBA version – down to 120 thousand machines worldwide;
  4. A writeable network share needs to exist on the system – down to about 70 thousand machines worldwide;
  5. And, finally, Samba inter-process communication needs to be enabled – down to about 60 thousand machines worldwide.

Although the risk is not as dire as WannaCry, organizations should always be vigilant to protect against any potential threats and should not ignore the possibility of an attacker exploiting Samba. The following “Three P’s” will help mitigate the potential threat posed by the Samba vulnerability to your business:

  • Patch, Patch & Patch: If a Samba server is enabled on a targeted device, or if your business is running an older Samba protocol version, keep that device updated with recent patches. File sharing is a business need, and patches will ensure that your system remains secure.
  • Password Protect: Often, guest logins do not require a password; however, all systems should be password protected to deflect attacks. Without a password, your system remains vulnerable.
  • Port it Shut: Firewalls are important, and ensuring that the specific Samba 445 Port is closed will eliminate the threat of external exploitation.

With new vulnerabilities constantly being brought to light, there’s considerable fear of security risks, and confusion about what these risks mean to organizations. In the case of the Samba vulnerability, it’s important to remember that this is just a vulnerability. There is no evidence to suggest that if a malware exploits the Samba vulnerability that it will be a ransom malware, nor would this likely be a massive attack.

But, organizations should always be aware of potential threats. They need to understand the business and technical implications of their systems’ vulnerabilities, and select the best set of controls to prevent attackers from using exploits.

About the author: Rotem Iram is the Founder and CEO of stealth cyber insurance company CyberJack. With nearly two decades of security and engineering experience, Rotem previously served as a Managing Director and COO in the Cyber Security practice of K2 Intelligence, a leading global risk management firm, focusing on cyber intelligence, cyber defense strategy, and incident response. Rotem

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

The Upcoming Oracle CPU: Struggling to Keep Pace with Vulnerabilities

InfoSec Island - Wed, 06/28/2017 - 12:27pm

Oracle releases a collection of security fixes for their products on every Tuesday closest to the 17th day of January, April, July, and October. These fixes are known as a Critical Patch Update (CPU), and are typically cumulative and address security vulnerabilities associated with Oracle products. April’s update, with fixes for 299 vulnerabilities across Oracle's platform, was its largest CPU to date.

With the next CPU landing on July 18, there’s plenty to consider.

The database and cloud computing giant sees its software used for vital operations by most of the Fortune 500. The Java-based open source software is used in mission-critical environments across the globe and on more than 15 billion devices.

April’s CPU contained patches for core components of Java products, many of them linked to commonly used third party software that is standard among large financial services firms, healthcare providers and transportation companies. These sectors are constantly under attack from malicious hackers, making it of utmost importance to apply the most recent security patches as soon possible – a task that can take even the most sophisticated organization months to complete.

With these releases, we have one of the largest software vendors in the world, with expert security resources and dedicated testing and remediation teams, belatedly discovering and responding to the presence of major, known-vulnerable components buried deep in the software stacks of their core software platforms.

To put things in perspective, Oracle finds a new flaw in their products every 100 hours. Some of the flaws included in the most recent CPU date back to 2012. Now, to be fair, every software developer releases the equivalent of the Oracle CPU. However, Oracle’s market share makes it the bellwether of the entire industry.

That’s five years of an open, unpatched vulnerability. Among the others are more than thirty Java-related Common Vulnerabilities and Exposures (CVEs), eight of which directly affect the core Java platform. Nearly 70% of the Java-related CVEs are remotely exploitable without authentication.

Addressing years-old vulnerabilities in current patches is proof that we’re approaching a crisis point where our ability to respond in a timely and effective manner is at risk. We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities. That’s not a sustainable model. This should mean so much to so many organizations due to the ubiquity of third party software. In a recent report on more than a thousand commercial web applications, 96% included third party code. Of that, 67% had known vulnerabilities with 52% being high severity vulnerabilities.

Open source components are not automatically or routinely patched and it’s a challenge to keep up with vulnerabilities that require frequent patching. Unlike software from major developers where patches are sent on a schedule, open source code in libraries and central repositories normally require a user to seek a patch or develop their own.

Fortunately, proven technology exists to help alleviate the massive scope of these security updates. Many companies offer solutions that approach application monitoring in a new way, along with protection using a secure virtual container in server and cloud environments. Third party options offer approaches that behave like a patch without making code changes or affecting runtime speed, blocking attacks because it operates more deeply in the software, monitoring network packets, files system calls and CPU instructions.

The April CPU showed the scale of the challenge that the IT industry faces in securing modern modular enterprise applications that are composed of dozens or sometimes hundreds of third-party libraries and modules. Here’s something to think about next month: If a top vendor like Oracle struggles to account for and secure their third-party library dependencies in a major software platform like Oracle Fusion, then how can an “ordinary” enterprise that is not a sophisticated IT vendor be expected to do any better?

The fact that we’re still addressing vulnerabilities associated with Struts v1 and Apache Commons years after the issues were first raised is both surprising and troubling. The Struts 2 patch is less surprising because it was first announced in March 2017, but still no less troubling as it points to the continuing issues associated with third party software components.

An average of ten new open source flaws are reported every day. But the ability to find these problems isn’t the issue. It’s fixing them. Oracle's security team is doing the best it can, but like all cybersecurity teams, they struggle to keep up with the constant waves of vulnerabilities that are being discovered.

Every effective cybersecurity approach developed over the past two decades is fully integrated into the way businesses protect themselves today. The massive scale of vulnerabilities and ubiquity of software flaws, though, means that the measures we’ve relied upon for twenty-plus years are now unable to provide the level of protection required going forward.

Diligent system maintenance, consistent patching, and both automated and manual third-party security solutions are all necessary for end-users to be fully protected.

Avout the author: James Lee is the Executive Vice President and Chief Marketing Officer at Waratek Inc., a pioneer in the next generation of application security solutions.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Malware Prevention Key to Countering Evasive Attack Techniques

InfoSec Island - Wed, 06/28/2017 - 10:26am

Security teams had an unpleasant wake-up call on May 12, as a malware attack dubbed WannaCry spread rapidly to hundreds of companies, holding hundreds of thousands of systems hostage by ransomware until it was slowed down by a young security researcher. Those who know their systems are vulnerable were reminded once again of the potential damage these worms can cause: inability to access files leads to downtime, lost productivity, and more.

Instead of running fire drills and wringing their hands, companies should look at what happened as an opportunity to reflect upon their endpoint security architecture and try to better understand the role of the various defense layers that comprise it. As the post-WannaCry reports shed light on what happened, it’s useful to discuss questions like: What controls could have dampened the worm’s propagation? What measures could have been effective at preventing the infection? How might these security controls work or fail in future, copycat variations of this attack?

A widespread malware attack that exploits a known Microsoft vulnerability should not surprise anyone who is paying attention. Ransomware incidents have spiked, with damage totals increasing from $325 million in 2015 to a projected $5 billion in 2017. The SANS Institute reports that malware programs capable of evading detection rose 2000% in one year (2014-2015). Evasive techniques enable malware to bypass firewalls, gateways, and sandbox discovery tools. Configuration techniques like extended sleep and fast flux are quite common. Legacy systems, third-party devices and loosely administered computers are among those hit hardest. It’s important to assess risk regularly: confirm that endpoint defenses across the enterprise are in place, functioning as expected, and integrated to reinforce each other. More emphasis should be placed on prevention as a primary defense; detection methods are an important back-up layer, but are not foolproof and often lead to delayed incident response.

The best methods for defending against WannaCry and similar incidents are not a mystery; basic best practices can be executed with free and commercial tools. In any given attack, some security components might fail. Consider potential scenarios and plan to mitigate the biggest risks. For example, backing up important data is an essential defense against ransomware attacks. The following measures help establish a resilient environment:

  • Segment the network and block unnecessary protocols. WannaCry attacked over the SMB protocol. Microsoft recommends not using this protocol, but if you still need to, be sure to block access from outside the organization.
  • Keep up with security patches. WannaCry exploited a Microsoft Windows vulnerability that has been available for some time. Some machines cannot be patched quickly enough, and sometimes can’t be patched at all. In this case, be sure to harden the unpatched machines.
  • Install and regularly update anti-malware software. From the beginning, AV vendors were successfully identifying WannaCry components as malicious.

Stealthy attack methods are designed to evade these baseline mechanisms, so you also need endpoint defenses that disarm viruses not recognized by AV. This forces malware authors to “pick their poison.” If they design malware with evasive capabilities, prevention-oriented approaches can simulate an environment of security tools, which paralyzes evasive malware and forces it to abort the attack before any damage is done.  If the attacker doesn’t implement stealthy techniques, baseline antivirus will block the specimen.

It appears that the WannaCry authors didn’t implement evasion techniques (e.g., sandbox avoidance and memory injection), but it is quite possible that future derivatives will. By combining a preventative malware-neutralizing approach with baseline antivirus solutions, organizations will be protected regardless of which method malware developers choose.

It can be difficult to defend legacy systems and services without impeding performance, violating vendor contracts, or inconveniencing business users. Attackers are well aware that systems missing patches are often also missing baseline antivirus and other endpoint defenses; the WannaCry worm was optimized to propagate rapidly through vulnerable machines.

Malware vaccination can help stabilize legacy technology and distributed systems. Any enterprise not yet using an anti-evasion solution can immunize themselves against fast-spreading worms with vaccination. New approaches that simulate infection markers are proving to be effective in real world scenarios. Centrally managing vaccination through simulated infection eases deployment while preserving forensics capabilities and overall performance.

Some defenses (e.g., infection markers and sandbox malware analysis) are too computationally intensive to be practical for universal or continuous deployment. Detection-based solutions aren’t foolproof and generate false positives and alerts that have to be prioritized. Prevention-based solutions that account for evasive techniques can be extended to every endpoint via low-footprint agents that neutralize malware before it ever executes itself.

We can’t stay in the malware arms race by building a tool for every trick malware creators conjure up. It’s critical that we develop broadly applicable methods that frustrate their efforts by turning those tricks into defensive weapons. Creative countermeasures like malware prevention leverage the evasive mechanisms built into viruses to shut them down before they can sneak in and wreak havoc.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva, an endpoint security solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island