Info Security

Dark Web Seller Removes Listings after Data Dump

Wed, 02/13/2019 - 20:47

The dark web seller identified as gnosticplayers on Dream Market has removed all listings that were previously up for sale, which reportedly included upwards of 620 million account records.

“All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don’t worry, next round of breaches coming soon,” the vendor wrote on his seller profile.

Dream Market vendor profile

The data trove was reportedly a compilation of data stolen in past breaches. Several news outlets have reported that data from 16 different hacked websites formed part of the massive trove of account information up for sale. According to The Register, those sites include Dubsmash, Armor Games, 500px (as reported by Infosecurity), MyFitnessPal, MyHeritage and many others.

On February 11, an exclusive report from The Register stated: “A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world about in 2018.”

Infosecurity has reached out to many of the listed vendors, including MyHeritage, which has not responded. A ShareThis spokesperson stated in an email, “At this point we are investigating these claims and can come back to you once we have more facts to share.”

Armor Games Studio said, “We have started an investigation into these allegations, and we will notify users once we have confirmation and details. That’s all we have to say at this time.”

Given that 2018 was a record-breaking year for the number of records compromised, it’s not surprising that cyber-criminals are leveraging dark web marketplaces to turn a profit on all of that data.

Categories: Cyber Risk News

Two in Three Orgs Not Convinced They Can Avoid a Breach

Wed, 02/13/2019 - 19:38

A majority of organizations confessed that they are not certain whether the security strategies they have in place will be effective in preventing data breaches, according to a Ponemon Institute survey.

More than 600 cybersecurity leaders and professionals who are responsible for evaluating, selecting and/or implementing security solutions took part in the survey. Based on the survey results, Balbix published a new report, The Challenging State of Vulnerability Management Today, which found that only one in three organizations are confident they can avoid data breaches.

Vulnerability management, particularly of vulnerabilities in unseen or unpatched systems, is an issue for many organizations, with 69% of respondents identifying delayed patching as a problem and 63% admitting that they are not able to respond to alerts.

“We are not surprised by these findings from Ponemon Institute’s research,” said Gaurav Banga, founder and CEO of Balbix.

“While respondents’ confidence levels in their ability to avoid a breach are obviously troubling, it is clear that most understand the reasons why – alert volume, limited team resources, lack of visibility across assets and very limited contextual risk. On the positive side, respondents cite a clear list of capabilities that can help them better see and manage their vulnerabilities, which will eventually improve their overall security posture.”

With regard to mitigating vulnerabilities and patching, 68% of respondents said staffing is an obstacle that stands in the way of their organizations having a strong cybersecurity posture, while only 15% reported that patching is highly effective. The results are indicative of a lack of resources, leaving security teams unable to identify and patch vulnerabilities, as 67% of participants said they lack the time and resources needed for vulnerability management.

In addition, 63% say “inability to act on the large number of resulting alerts and actions” is problematic. Nearly half (49%) of organizations said they do complete, up-to-date patching, yet 49% also said that they scan only quarterly or on an "ad hoc" basis. Another 69% admitted to scanning only once a month or less frequently.

“From this research, it is clear that most enterprises recognize not only are they under-resourced in finding and managing their vulnerabilities, but they also have gaps around assessing the risk and getting full visibility across their IT assets,” said Larry Ponemon, founder and chairman of Ponemon Institute, “which no doubt led to that low confidence vote in their ability to avoid a data breach.”

DoJ Charges Hackers with Staging Computer Attacks

Wed, 02/13/2019 - 14:24

Federal authorities have arrested two alleged members of a hacking group known as the Apophis Squad on charges of making false threats of violent attacks and staging attacks on multiple computer systems.

According to an announcement from the Department of Justice (DoJ), the two defendants, Timothy Dalton Vaughn, 20, of Winston-Salem, North Carolina, and George Duke-Cohan, 19, of Hertfordshire, United Kingdom, are allegedly part of a global group of hackers suspected of wreaking havoc on the internet for the better part of 2018, including launching distributed-denial-of-service (DDoS) attacks.

Duke-Cohan, who is already serving a three-year sentence in the UK for a threat against an airline that turned out to be a hoax, is believed to go by the names DigitalCrimes and 7R1D3N7 online.

The defendants face multiple charges, including conducting cyber- and swatting attacks against individuals, businesses and institutions in the US and the UK, according to the DoJ.

“Members of Apophis Squad communicated various threats – sometimes using 'spoofed' email addresses to make it appear the threats had been sent by innocent parties, including the mayor of London," the announcement stated.

“They also allegedly defaced websites and launched denial-of-service attacks. In addition, Vaughn allegedly conducted a DDoS attack that took down hoonigan.com, the website of a Long Beach motorsport company, for three days, and sent extortionate emails to the company demanding a Bitcoin payment to cease the attack.”

If convicted of all charges in the 11-count indictment, Vaughn could be sentenced to a maximum of 80 years in prison. Duke-Cohan, who is facing nine charges, could be sentenced to a maximum of 65 years if found guilty.

“The Apophis Squad also took credit for hacking and defacing the website of a university in Colombia, resulting in visitors to the site seeing a picture of Adolf Hitler holding a sign saying 'YOU ARE HACKED' alongside the message ‘Hacked by APOPHIS SQUAD,’” the DoJ wrote.

#TEISS19: Deliver Your Security Message at an Understandable Level

Wed, 02/13/2019 - 14:07

Speaking at The European Information Security Summit 2019 in London, Condé Nast International CISO Nick Nagle said that threat intelligence is easily collected, but it also needs to be translated for the wider business.

In his talk 'Effective threat intelligence communication strategies: Upwards, downwards and outwards' Nagle explained that threat intelligence is readily available, but turning it into actionable awareness points for the business requires another level of capability.

He said: “Know your audience, who are you trying to translate it to? What is the culture of the organization? How is the message going to land? What is the best way to send that message out? What is really going to grab people’s attention? Everyone has email overload, so how do you get that threat intel out there?”

Nagle recommended getting the basic points across and avoiding “a condescending explanation”, as executives often know the basics, while giving them the option to learn more.

To deliver successful communications, Nagle suggested using the “AIM” structure of audience, intent and message, and asking yourself questions as you structure your message based on those three factors.

He gave the example of communicating with the board: detailing an active attack, what existing technology the company has in place and a request for budget for what else is needed.

“That works, but it is a bit dull, a bit dry, but if that is what the board want that is what they will respond to,” he said, recommending using a threat radar or even using the threat intelligence in your email signature or an instant message.

This was part of moving it “away from text and boring” and into a PowerPoint template to highlight the issue, which also gives you a feedback loop so that you know the employee has read it.

He concluded by saying that building this sort of material gives you a toolkit for education and awareness, and “one that you can use internally, externally and across any other interested parties.”

#TEISS19: Consider Psychology of Staff to Meet Data Protection Ambitions

Wed, 02/13/2019 - 12:30

Speaking at The European Information Security Summit 2019 in London, Matthew Kay, group data protection officer at Balfour Beatty, said that organizations “are very different” in how data protection and risk is approached, and it is up to the data protection team and board-level executives to dictate the right direction.

“In our organization we have four pillars: to lead, being experts, being trusted and being safe, and it is really important to align your work with the wider strategy of the organization as you’re likely to get more buy-in,” he said. “In terms of data protection, we want to be trusted in terms of how we process people’s information.” 

Kay encouraged delegates to consider drivers for individuals, as not everything works the same for every person, and to consider the psychology of people and what motivation and coaching you have to do. 

Looking at how to overcome internal challenges of employee and board-level buy-in, Kay recommended the following:

  • Clear direction and strategy
  • Policy framework
  • User-friendly approach
  • Context
  • Contingency
  • Budget
  • Resource

He admitted that we’re all guilty of not reading policies, but it is about having a user-friendly approach because if you make a policy simple and just deliver the key points, you will get better buy-in and this can lead to better budget allowance.

“A lot of the time, if you cannot put it in language that individuals understand and appreciate, they are not going to respond to it as they cannot draw the line on how it relates to them in terms of data protection and security, so you have to bring it to life,” he said.

In terms of how to ensure individuals are aware of their data protection responsibilities, Kay said this can work both inside and outside the office:

  • Senior leadership engagement – if they lead from the front the rest will follow
  • Technology – there are so many tools that can be used to your benefit
  • Trust – if you cannot trust people to work remotely why employ them in the first place? 
  • Communications plan and training – keep it to the point on what they need to know
  • Incentivize – encourage and engage individuals who want to do the right thing

He concluded by encouraging regular and refresher training to ensure employees remain engaged, and an openness towards staff and partners. “If they are happy with what you are doing they are not going to complain, and if they are not going to complain, they will hopefully not go to the regulator and if they do, manage that complaint on a regular basis.”

Equifax Partner Breaches Customer Data

Wed, 02/13/2019 - 12:01

A technology partner of the three big credit reporting agencies has been breached in what appears to be a classic supply chain attack.

Image-I-Nation Technologies is a North Carolina-based provider of software and hosting services. It’s part of FRS Software, which produces employee and background screening software used by Equifax, Experian and TransUnion, among other organizations.

Although the firm remains tight-lipped on the nature of the incident, breach notifications to various US states shed some light on what happened.

It claimed hackers may have had a two-week window in which to steal sensitive personal information including Social Security numbers, names, dates of birth and home addresses.

“On December 20, 2018, Image-I-Nation Technologies discovered that there had been unauthorized access to our database containing the personal information of individuals who had a consumer report through our system at some point in the past,” it revealed in a notice published by the Montana DoJ.

“Based upon our investigation, we have determined that the incident began on or about November 1, 2018 and that our systems were secure as of November 15, 2018.”

The firm claimed not to be aware of any misuse of personal info as a result of the incident, but that will not reassure those whose details have been exposed to the risk of identity theft and follow-on phishing attacks.

It’s unclear how many individuals may have been affected, although Infosecurity has been able to locate breach notifications filed with at least four states: Washington, Montana, Vermont and New Hampshire.

Given Image-I-Nation’s relationship with the big credit agencies, it’s perhaps not surprising that it has been targeted by hackers looking for valuable identity information. Although cyber-criminals have gone after the agencies themselves, most notably in a major breach of around 148 million Equifax customers, they may view trusted partners of the firms as an even softer target.

“It is clear that even if an organization has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain,” the UK’s National Cyber Security Centre warned last year. “Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”

Image-I-Nation is not to be confused with a UK chip specialist which shares the same name, without the hyphens.

Millions Affected by 500px Data Breach

Wed, 02/13/2019 - 10:55

Online photography network 500px has forced a password reset for all users after revealing this week that it suffered a data breach last summer.

The site claimed that the incident, which it believes occurred on or around July 5, 2018, was not discovered until last week, when its engineering team “became aware of a potential security issue affecting certain user profile data.”

The firm said all users on or prior to July 5 have been affected. The site currently claims to have over 15 million photographers signed up.

“We’ve concluded this issue affected certain information that users provided when filling out their user profiles ... Our engineers are closely monitoring our platform and we’ve found no evidence to date of any recurrence of this issue,” an FAQ about the incident revealed.

“A system-wide password reset is currently underway for all users, prioritized in order of potential risk, and we have already forced a reset of all MD5-encrypted passwords.”

The stolen data includes users’ names, email addresses, usernames and hashed passwords, plus birth date, gender and city/state/country where provided.

The photo network claimed that there’s no evidence to suggest hackers managed to compromise individual accounts, and said that payment card details aren’t stored on its servers. However, it did warn of possible follow-on attacks.

“Regardless of whether or not you were directly affected, given the nature of the personal data involved, we are alerting you to this matter so you can take steps to help protect yourself against the risk of phishing, spam, and other misuse of your information as a result of this issue,” it said.

“We recommend you change your password on any other website or app on which you use a password that is the same as or similar to your password for your 500px account.”

Some reports suggest 500px user data is already up for sale on the dark web.

Patch Tuesday Roundup Includes IE Zero Day

Wed, 02/13/2019 - 10:04

Microsoft has given system admins plenty of work to do this month with patches for nearly 80 vulnerabilities, including a zero-day flaw in Internet Explorer and a publicly disclosed Exchange server bug.

Top of the priority list in this month’s Patch Tuesday security round-up will probably be CVE-2019-0676, an information disclosure vulnerability in IE which Microsoft claimed has been actively exploited in the wild.

The bug allows attackers to test for the presence of files on the disks of targeted machines.

Also up there is CVE-2019-0686, an elevation of privilege vulnerability in Exchange Server 2010 and newer systems. Microsoft said no attacks had been spotted exploiting the flaw as yet but that this was “likely” in the future.

Recorded Future senior solutions architect, Allan Liska, claimed exploitation requires both Exchange Web Service and push notifications to be enabled.

“While this is not a common configuration, the vulnerability is relatively easy to exploit using the PushSubscriptionRequest API call,” he added.

Also of note this month are two remote code execution vulnerabilities in the Windows SMBv2 server: the same service WannaCry and NotPetya used to spread globally.

“While you can take comfort in knowing that an attacker would need to be authenticated to exploit them, they could easily run arbitrary code on a vulnerable system,” warned Rapid7 senior security researcher, Greg Wiseman.

He argued that IT teams should prioritize yet another vulnerability for patching: CVE-2019-0626.

“It is an RCE in Windows DHCP Server that could allow an attacker to execute arbitrary code on an affected DHCP server,” he explained. “CVE-2019-0662 and CVE-2019-0618 are also worrisome as RCEs in the Windows Graphic Device Interface could allow a miscreant to take control of affected systems via web-based or file-sharing attacks.”

Other vulnerabilities noted by the experts included: CVE-2019-0540, a security bypass bug in Office, CVE-2019-0636, a Windows information disclosure flaw and CVE-2019-0590, a memory corruption bug in the Chakra Core scripting engine.

“This is now the 17th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine. The last Patch Tuesday without a Chakra disclosure was September of 2017,” said Liska.

Phishing, Humans Root of Most Healthcare Attacks

Tue, 02/12/2019 - 18:31

Across healthcare organizations in the US, malicious actors are successfully leveraging phishing attacks to initially gain access to networks, according to findings from the 2019 HIMSS Cybersecurity Survey published by the Healthcare Information and Management Systems Society (HIMSS).

The study, which surveyed 166 qualified information security leaders from November to December 2018, found that there are particular patterns of cybersecurity threats and experiences distinctive to healthcare organizations.

“Significant security incidents are a near universal experience in US healthcare organizations with many of the incidents initiated by bad actors, leveraging email as a means to compromise the integrity of their targets,” the survey said.   

Nearly half (48%) of all respondents identified two different categories of major threat actors, which included online scam artists (28%) and negligent insiders (20%). The hospitals that participated in the survey said that when looking at the security incidents that occurred in the last 12 months, the initial point of compromise for 69% of the attacks was the result of phishing emails.

Not all healthcare organizations are hospitals, though. Among all survey participants, 59% cited email as the most common initial point of compromise and 25% cited human error.

“There are certain responses that are not necessarily 'bad' cybersecurity practices, but may be an 'early warning signal' about potential complacency seeping into the organization’s information security practices,” the report said.

“Notable cybersecurity gaps exist in key areas of the healthcare ecosystem. The lack of phishing tests in certain organizations and the pervasiveness of legacy systems raise grave concerns regarding the vulnerability of the healthcare ecosystem.”

The potential complacency is particularly concerning given that the healthcare industry as a whole is making positive advances in cybersecurity practices.

“Healthcare organizations appear to be allocating more of their information technology ('IT') budgets to cybersecurity," according to the report. "Complacency with cybersecurity practices can put cybersecurity programs at risk.”

VFEmail Suffers Catastrophic Attack, All Data Lost

Tue, 02/12/2019 - 17:43

A major cyber-attack has hit email provider VFEmail in what the company is calling a "catastrophic attack," which has destroyed all data in the US, including backups.

The company issued an alert via its website and social media accounts on February 11, 2019, warning, “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

In an update, VFEmail owner Rick Romero wrote that new email was being delivered and that efforts were being made to recover what user data could be salvaged. Romero also noted that the malicious actor was last identified as aktv@94.155.49.9.

In one tweet, VFEmail said, “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”

These types of attacks are rare and highly destructive. “The devastating attack on VFEmail is a strong reminder to enterprises that a single keystroke or attack can destroy thousands of workloads and take down a business," said Balaji Parimi, CEO, CloudKnox Security.

“Attacks of this magnitude – where the goal is simply to attack and destroy – are well within the power of attackers who gain access to infrastructure. Enterprises need to do a better job of mitigating the threat of over-privileged identities, and that begins with gaining an understanding of which identities have access to the types of privileges that can destroy their business and limiting those privileges to properly trained, security-conscious personnel.”

That an attacker was able to pull off this attack also raises questions about the company’s disaster recovery plans, as this attack left VFEmail and some of its customers without access to their information.

“What disaster recovery strategy was in place and why wasn't data backed up into cold storage, thus making it unavailable to attackers?” asked Fausto Oliveira, principal security architect at Acceptto. “If they had a strategy in place, they should be able to recover at least a substantial part of their customers' data.”

SMBs Believe Attack Will Kill Their Company

Tue, 02/12/2019 - 16:20

Just under half of a surveyed set of British small to medium-sized businesses (SMBs) believe that a cyber-attack would put them out of business.

The survey of 501 IT decision makers by Webroot found that 48% have suffered a cyber-attack or data breach in their lifetime, with over one in seven saying this happened more than once. The same number also believed that the cases negatively impacted relationships with partners, with almost a quarter (22%) admitting they are no longer a supplier as a result.

One example of a company going out of business was Code Spaces, which was forced to close down after a wiper attack deleted its files as part of a larger DDoS attack in 2014. At the time, Code Spaces claimed it “will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."

In an email to Infosecurity, Ed Tucker, CISO and co-founder of Email Auth, Byte and Human Firewall, said that companies of all sizes suffer from attacks, some of which are successful, but that we have rarely seen anyone actually go under as a result.

“It smarts of hyperbolic fear mongering,” he said. “When assessing risk, you must consider impact and thus consequence to the business. Is there any evidence to back this claim where cyber-attacks have actually resulted in the closure of a business to the extent that this is a tangible consequence? The simple answer is no. Most businesses have it in them to recover. A clear ability to plan, to respond and recover is a must for any organization.

“Closure is a possibility, but using current evidence of successful cyber-attacks then it would be a remote, rather than likely consequence.”

Nearly two-thirds of respondents (64%) said that being smaller enables their business to react more quickly to industry or political change than larger enterprises.

Paul Barnes, senior director of product strategy at Webroot, said: “SMBs can no longer consider themselves too small to be targets. They need to use their nimble size to their advantage by quickly identifying risks and educating everyone in the business of how to mitigate those risks, because people will always be the first line of defense.

“Working with the right cybersecurity partner or managed service provider (MSP) to develop the right strategy for their size will allow smaller businesses to prioritize the activities that matter most and help them grow.”

#TEISS19: Brute Force Won’t Change People's Behaviors, You Must ‘Modify’ Their Beliefs

Tue, 02/12/2019 - 13:04

Speaking at The European Information Security Summit 2019 in London, Adam Anderson, CSO and founder, Hook Security, explored behavioral psychology and how IT security leaders can effect changes in behaviors to improve security buy-in from the C-suite.

Anderson said that you “can’t change [people’s] behaviors with just brute force efforts, you have to modify their beliefs to get to behavioral change.”

When it comes to beliefs about security that C-level execs typically hold, he pointed to the following:

  • “Security slows down my project”
  • “Security is going to kill my budget”
  • “Security doesn’t understand what I’m trying to do so it can’t advise me effectively, I most likely don’t need as much as they think I do”

Anderson argued that these beliefs are damaging to a company’s security efforts and the challenge for security leaders is to change them. However, he argued that the number one cybersecurity risk facing the world is the “nerd’s inability to write a business case that the CFO will fund.

“Technology is not a problem,” he added. “All of us [IT security leaders] are very, very smart and have a very solid idea of what kind of technology we need to lay down on top of various security controls or risks. What we fail at is communicating that to anyone that has the power to do something about it.”

So, to rise to that challenge, Anderson said that IT security leaders must stop overusing compliance and fear-mongering language and change their own approach to communicating to C-level execs to ultimately gain the buy-in they need.

Firstly, security leaders must understand their target by finding out who the CIO reports to.

They must also remember that they are not the “hero” or the star of the story: the business is the star and “your job is to advise it, and you do that by changing your words.” IT leaders do not “own” risk, they advise on it; they do not “enforce” compliance, they align it; and they do not “inflict” business, they enable it.

Anderson concluded by saying that by changing the damaging security beliefs of the C-suite, you will “help them avoid the horrible consequences of their decisions.”

#TEISS19: Quantifying Security Posture is Key to Mitigating Risk

Tue, 02/12/2019 - 12:30

“The security discussion starts with risk, but what has become very apparent at the board level is that most don’t really understand what’s in front of them.”

These were the words of Ali Neil, director international security, Verizon, speaking at The European Information Security Summit 2019 in London. Neil said that quantifying security posture is key to mitigating risk, and “we need a means of measurement” for proving that value to business leaders.

Neil presented a ‘360º Risk Visibility’ assessment of the security industry that highlighted the following:

  1. In 70% of attacks where we know the motive for the attack there is a secondary victim
  2. Traditional risk evaluation is often done through point in time engagements
  3. Supply chain audit is increasingly burdensome, diverse in method and costly
  4. Security programs must be programs of continuous improvement and their budgets and efficacy validated
  5. Risk evaluation in M&A activity is an increasing factor and workload
  6. Strategic, operational and tactical intelligence needs to be decoupled and provided to the right business user
  7. Organizations and service providers need a dynamic tool to measure the efficacy of their security strategy

He therefore suggested a framework of what is needed in order to do an effective risk measurement of where an organization sits in the market.

The first step of that framework is rating: using data from public sources on the internet, where external risk vectors are identified and evaluated to provide a risk rating.

The second is an external risk view, contextualized: external risk vector data is augmented with the DBIR's three pattern data and dark web analytics for an enhanced external rating.

Third is an internal view from endpoint and infrastructure: a refined security posture rating derived from an internal scan for malware, unwanted programs and dual-use tools within your endpoints and infrastructure.

The fourth step is a culture and process view: an in-depth, onsite assessment of the security culture, processes, policies and governance within an organization.

Lastly comes a security posture rating: an aggregated rating across all levels, providing a 360º view of a company’s cyber-risk posture.

Categories: Cyber Risk News

UK Firms Are Drowning in Breaches

Tue, 02/12/2019 - 11:55

The vast majority of UK businesses have suffered data breaches over the past 12 months, many of them multiple times, according to new research from Carbon Black.

The endpoint security vendor’s second UK Threat Report is based on interviews with over 250 CIOs, CTOs and CISOs in the country from a range of industries.

Of the 88% of respondents that claimed to have been breached over the previous year, over a quarter had seen this happen five or more times. That’s an average of 3.7 breaches per organization — up from around 3.5% in last September’s report.

Unfortunately, 100% of government and local authority respondents said they’d been breached: five times or more for 40% of them. That amounts to an average of just under 4.7 breaches per public sector organization.

Some 87% of total respondents said they’d seen an increase in attack volumes, up from 82% in September, while 89% of respondents claimed that attacks had become more sophisticated.

Phishing attacks were the root cause of just 20% of successful breaches, a much lower figure than the 93% claimed by Verizon in its 2018 Data Breach Investigations Report.

Malware (27%) was described as the most prolific attack type, followed by ransomware (15%).

Rick McElroy, head of security strategy for Carbon Black, claimed the findings prove cyber-attacks are escalating.

“The report suggests that the average number of breaches has increased, but as threat hunting strategies start to mature, we hope to see fewer attacks making it to full breach status,” he added.

Carbon Black defines a breach for the purposes of this research as “the release of secure or private and confidential information to an untrusted environment,” although a spokesman told Infosecurity that individual respondents may have different interpretations.

However, either way, the good news is that 93% of organizations surveyed said they plan to increase security spending. In addition, 60% said they are proactively threat hunting, an activity which 95% claimed has improved their security posture.

Categories: Cyber Risk News

#TEISS19: Boards Must Become More Technical to Make Orgs More Secure, says NCSC CEO

Tue, 02/12/2019 - 11:10

Speaking at The European Information Security Summit 2019 in London, Ciaran Martin, CEO, National Cyber Security Centre, reflected on the NCSC’s vision for a more secure Britain.

Martin said: “Our approach isn’t to close down the many and vast opportunities for the UK in cyber space; we’re not seeking security as an end in itself. We want security only so that we can prosper safely. It’s not our aim to make our systems so secure they are not usable or too expensive; we want to secure the internet as it is and not as we might want it to be.”

As for what that means for business leaders, Martin explained that boards need to become more tech-savvy.

Traditionally, “most business leaders don’t spend their time thinking about cybersecurity,” he added. “We’ve [recently] made it our business to understand what businesses think about cybersecurity.

“We want to help business leaders manage the risks of cybersecurity in a way that works for them and their businesses. To do that, we need boards to get a little bit technical.”

Martin said that “we are getting there in terms of awareness,” but the bigger problem is a lack of understanding of and fear about cybersecurity.

To tackle the issue, the NCSC is this month launching a new board toolkit to support business leaders with a series of practical steps they can take to protect their company from the most common cyber-threats.

“We want to inform cybersecurity conversations at board level,” Martin concluded. “The stakes are high. This country, made up of our families and communities, has bet very, very heavily on a digital future and security is a vital underpinning of that. It needs a whole community effort, with business at the forefront.”

Categories: Cyber Risk News

Critical Runc Flaw Spells Trouble for Containers

Tue, 02/12/2019 - 10:39

Security researchers have discovered a critical flaw in runc, the default runtime for Docker and Kubernetes, allowing a malicious container to attack the host and all other containers running on it.

Aleksa Sarai — one of the maintainers of runc — made the announcement on Tuesday, attributing the discovery to researchers Adam Iwaniuk and Borys Poplawski. runc also underpins containerd, Podman, CRI-O and countless other container offerings.

“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,” said Sarai.

“The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: creating a new container using an attacker-controlled image; attaching (docker exec) into an existing container which the attacker had previous write access to.”

Red Hat senior principal product manager for containers, Scott McCarty, described this as a “bad scenario” for IT managers and CXOs.

“Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” he added.

“A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.”

The same vulnerability also affects LXC and Apache Mesos containers, meaning virtually any organization running containers should get patching urgently.

“This isn’t the first major flaw in a container runtime to come to light and, as container deployments and interest in associated technologies increase, it’s unlikely to be the last,” said McCarty.

“Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well.”

Categories: Cyber Risk News

ICO Helps Secure Bans for Mobile Spam Bosses

Tue, 02/12/2019 - 09:55

The directors of two UK companies have received several-year bans after allowing their respective firms to make hundreds of thousands of nuisance calls and texts.

Aaron Frederick Stalberg (27), from Exmouth, was director of market research and polling business The Lead Experts, which made 115,000 illegal automated marketing calls to members of the public.

The calls didn’t reveal the name of the company, which also tried to hide its identity by routing them through Buenos Aires, according to a notice by the Insolvency Service and the Information Commissioner’s Office (ICO).

After denying everything to the data protection watchdog, the firm failed to respond to a £70,000 ICO penalty, leading to a six-year directorship disqualification against Stalberg.

“By working closely with The Insolvency Service we have been successful in stopping the unscrupulous activities of company directors like Aaron Stalberg who cause upset and distress to millions of people who are on the receiving end of this kind of illegal marketing activity,” said ICO investigations group manager, Andy Curry.

In a similar case, 51-year-old Keith Nicholas Hancock was handed a four-year ban after his company — lead generation and data brokerage firm Lad Media — sent over 393,000 SMS messages to members of the public who had specifically withdrawn their consent.

Although the firm protested that the data list was obtained through a data supplier and the text messages were sent on its behalf by another third party, it was fined £20,000.

However, Hancock never paid the money, so the firm was shut down and investigators submitted a disqualification undertaking against the director.

“There is clear guidance on the internet about what communications you can send to people when it comes to marketing so there is no excuse about not knowing what your responsibilities are,” said David Brooks, chief investigator for the Insolvency Service.

“Keith Hancock clearly failed to ensure Lad Media carried out sufficient checks on who was being sent direct marketing, even if it was done by a third party, and thanks to the joint work with the ICO, we have secured a ban appropriate for the seriousness of the offence.”

The news proves the ICO is finally able to flex its muscles and show directors of nuisance call/text companies that there are consequences to their actions. In December it was granted the power to fine directors directly up to £500,000 for their part in any such activities that break the Privacy and Electronic Communications Regulations (PECR).

That came after a significant lobbying campaign and several big ticket PECR fines going unpaid as the directors in charge simply filed for bankruptcy — leaving them free to start other similar businesses.

Categories: Cyber Risk News

AWS Issues Alert for Multiple Container Systems

Mon, 02/11/2019 - 19:40

A security issue that affects several open source container management systems, including Amazon Linux and Amazon Elastic Container Service, has been disclosed by AWS.

The vulnerability (CVE-2019-5736) was reportedly discovered by security researchers Adam Iwaniuk, Borys Poplawski and Aleksa Sarai and would allow an attacker with minimal user interaction to “overwrite the host runc binary and thus gain root-level code execution on the host.”

Also among the affected AWS services are the Elastic Container Service for Kubernetes (Amazon EKS), Fargate, IoT Greengrass, Batch, Elastic Beanstalk, Cloud9, SageMaker, RoboMaker and Deep Learning AMI. In its security issue notice published 11 February, AWS said that no customer action is required for services not on the list.

Although the attack is blocked when user namespaces are used correctly, the vulnerability is not blocked by the default AppArmor policy or by the default SELinux policy on Fedora, according to Sarai.

This vulnerability is a host breakout attack, a common type of container exploit, according to Praveen Jain, chief technology officer at Cavirin. “That these still occur, and will continue to occur, is all the more reason to ensure you have the people, processes and technical controls in place to identify and immediately remediate these types of vulnerabilities with a goal of securing their cyber posture.”

If malicious actors were to leverage this vulnerability, Sarai said they could create a new container using attacker-controlled images or attach to an existing container to which the attacker had previous write access.

“This is the first major container vulnerability we have seen in a while and it further enforces the need for visibility of your hosts and containers both in the cloud and traditional data centers using docker and other containers,” said Dan Hubbard, chief product officer at Lacework.

“Security here starts with deep visibility into who is installing containers and what are their behaviors and, of course, timely patching.”

Categories: Cyber Risk News

Data Privacy Top of Mind for 2020 Candidates

Mon, 02/11/2019 - 18:25

More candidates have announced that they are throwing their hats into the 2020 presidential race, with one of the latest declarations coming from Sen. Amy Klobuchar, who promises to focus on data privacy regulations.

After posing the rhetorical question of what she would do as President, Klobuchar said she would protect consumer privacy.

“We need to put some digital rules of the road into law when it comes to privacy,” Klobuchar said in her announcement on 10 February, according to TwinCities.com.

“For too long the big tech companies have been telling you: ‘Don’t worry! We’ve got your back!’ while your identities in fact are being stolen and your data is mined. Our laws need to be as sophisticated as the people who are breaking them. We must revamp our nation’s cybersecurity and guarantee net neutrality.”

In addition to her promise to put forward legislation to protect consumer data from being misused by tech giants, Klobuchar also spoke of her support for net neutrality as an imperative to ensure that every household can be connected to the internet by 2020.

As the campaign trail gets underway, candidates can expect to be the target of malicious online activity from trolls to bots that spread misinformation, another reason why Klobuchar is driven to move data privacy regulations forward in the US.

In an interview with NPR today, Kelly Jones, news intelligence journalist at Storyful, said, “I think that the idea of automation or suspicious accounts is going to be an ongoing theme through the election. Obviously, the idea of memeing is going to be a theme because these people who are posting this content are creating these images to cause political discourse. And, in fact, one poster we saw on a fringe network claimed that they memed Trump into presidency.”

Categories: Cyber Risk News
