Info Security


Nearly Half of US Orgs Not Ready for CCPA

Fri, 05/03/2019 - 15:49

In advance of the California Consumer Privacy Act (CCPA) going into effect January 1, 2020, researchers analyzed how prepared US organizations are for the new regulations and found that nearly half of all companies will not be ready to comply with CCPA.

According to research conducted by the International Association of Privacy Professionals (IAPP) and OneTrust, reputation and consumer privacy are the biggest drivers for CCPA compliance, yet only 55% of companies report that they will be ready by the January effective date.

“Our survey targeted a community of well-informed privacy professionals, and even they seem a bit caught off guard by the CCPA,” said Rita Heimes, IAPP research director and data protection officer, in a press release. “Nevertheless, they seem to think it’s not likely to be replaced by a federal law any time soon.”

Though nearly half of those organizations surveyed will not be ready for the initial effective date, an additional 25% claimed they will be in compliance by the enforceable date of July 1, 2020.

“The CCPA is a major moment for the U.S. privacy landscape, and our research reveals companies that didn’t need to overhaul privacy practices for GDPR compliance are now struggling to meet the CCPA’s 2020 deadline,” said Kabir Barday, OneTrust CEO and fellow of information privacy (FIP), in the release.

The report did find a correlation between those organizations that are already in compliance with the EU’s General Data Protection Regulation (GDPR) and their readiness for CCPA to take effect.

“GDPR ‘raised the bar’ for data privacy awareness for companies in the US because the regulation put privacy controls in the hands of the consumer,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “CCPA is similar in this regard, as the law will require organizations to provide consumers with legal ‘rights’ based on the data collected.

“Part of the lack of confidence in CCPA readiness for many organizations surrounds the use of data. The vast amounts of data collected and used for monetization and business growth have added to the complexity of managing and securing data. Organizations need to determine what kind of data they have, where it is, how they are using it and who has access to it.”

Categories: Cyber Risk News

Senate Passed Fed Cyber Workforce Program Act

Fri, 05/03/2019 - 15:33

In an effort to address the cybersecurity skills gap and create a more resourceful and effective cybersecurity workforce, the US Senate has passed the Federal Rotational Cyber Workforce Program Act of 2019.  

In 2017 the Government Accountability Office (GAO) determined that the country’s cyber workforce challenges posed high risk and reported that “the federal government needs to expand its cyber workforce planning and training efforts. Federal agencies need to enhance efforts for recruiting and retaining a qualified cybersecurity workforce and improve cybersecurity workforce planning activities.”

The act, which was unanimously passed on May 1, is intended “to create a rotational cyber workforce program in which Federal employees in cyber workforce positions can be detailed to another agency to perform cyber functions. This program will enable Federal cyber workforce employees to enhance their cyber skills with experience from executing the cyber missions of other agencies.”

Enabling the mobility of cybersecurity practitioners will allow them to serve in various roles across different entities, which Keenan Skelly, VP of global partnerships at Circadence, said is critical in order for this government to address the cybersecurity skills gap that exists not just in the US but globally.

“Allowing cybersecurity professionals to gain experience in multiple agencies, both government and private sector, will strengthen our overall cybersecurity posture,” Skelly said.

An additional goal of the act is to develop cybersecurity skills so that America can maintain its competitive edge in cybersecurity. As such, the act provides that “the United States Government must also recognize and reward the country’s highest-performing cybersecurity practitioners and teams.”  

Because the concept of rewards is often lost in the job of a cyber defender, Skelly said, “we must encourage and recognize those who go above and beyond.

“The aptitude for cybersecurity lies not only in the technical fields but across the entire workforce. Most of the best cyber defenders I know started life out as something completely different. We need that diversity of thinking and skill, both technical and soft skills, to combat today’s hackers.”

Categories: Cyber Risk News

Experts Warn of Office 365 Account Takeover Surge

Fri, 05/03/2019 - 09:58

Over 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in just one month thanks to a surge in account takeovers (ATOs), according to Barracuda Networks.

The security vendor yesterday revealed new findings from an analysis of cloud-based email accounts under fire from ATO attempts in March.

It claimed over a quarter (29%) of organizations it monitored had Office 365 accounts compromised by attackers, often via credential stuffing using previously breached credentials, stolen passwords from the same user’s personal email account, brute force attacks, and other web and application channels.

One of the most popular tactics is phishing emails which impersonate Microsoft and request Office 365 log-ins from the unwitting recipient.

“With more than half of all global businesses already using Office 365 and adoption continuing to grow quickly, hackers have set their sights on taking over accounts because they serve as a gateway to an organization and its data — a lucrative payoff for the criminals,” warned Barracuda Networks VP of content security services, Asaf Cidon.

Once an account has been taken over, hackers don’t usually launch an attack from it immediately.

“Instead, they monitor email and track activity in the company, to maximize the chances of executing a successful attack,” Cidon explained.

“As part of their reconnaissance, scammers often set up mailbox rules to hide or delete any emails they send from the compromised account. In the March 2019 analysis performed by Barracuda researchers, hackers set up malicious rules to hide their activity in 34% of the nearly 4000 compromised accounts.”

The attackers then use their reconnaissance to target high value accounts in the organization such as executives and finance bosses, which could be used to facilitate BEC scams.

“Hackers also use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes,” Cidon claimed.

“Compromised accounts are also used to launch external attacks targeting partners and customers. With conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction.”

He urged the use of MFA to protect accounts, alongside tools to monitor inbox rules and suspicious activity, staff training, ATO protection and AI tools to better spot BEC and spear-phishing.
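Cidon's advice to monitor inbox rules can be turned into a simple audit. The following Python script is an added example, not code from the article or from Barracuda. It runs over a constructed rule export whose field names (mailbox, rules, name, conditions, actions, move_to_folder, forward_to, delete, mark_as_read, subject_or_body_contains) are assumptions chosen for illustration and are not Microsoft's own API names. It flags the patterns described above: rules that delete or hide incoming mail, forward it outside the organization, match everything, or key on financial and credential-related subjects.

```python
"""Audit mailbox rules for the hide/delete/forward patterns used after an account takeover.

Added example; the export format below is constructed for illustration and is NOT
a Microsoft API schema.
"""
from dataclasses import dataclass
from typing import Dict, List

# Folders attackers commonly route mail into so the mailbox owner never sees it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "archive", "conversation history"}
# Subject/body keywords that signal reconnaissance or BEC staging (assumed list).
SENSITIVE_KEYWORDS = {"password", "invoice", "wire", "payment", "bank", "hacked", "phish"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: List[str]


def _is_internal(address: str, org_domain: str) -> bool:
    """True when the address belongs to the organization's own domain."""
    return address.lower().rsplit("@", 1)[-1] == org_domain.lower()


def audit_rule(rule: Dict, org_domain: str) -> List[str]:
    """Return the reasons a rule looks suspicious; an empty list means it looks benign."""
    reasons: List[str] = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    if actions.get("delete"):
        reasons.append("deletes matching mail")
    target = (actions.get("move_to_folder") or "").lower()
    if target in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{target}'")
    for forward in actions.get("forward_to", []):
        if not _is_internal(forward, org_domain):
            reasons.append(f"forwards to external address {forward}")
    hits = {k for k in conditions.get("subject_or_body_contains", []) if k.lower() in SENSITIVE_KEYWORDS}
    if hits:
        reasons.append("matches sensitive keywords: " + ", ".join(sorted(hits)))
    # A rule with no conditions that hides or deletes mail is the classic cleanup rule.
    if not conditions and (actions.get("delete") or target in HIDING_FOLDERS):
        reasons.append("applies to all incoming mail")
    # Blank or one-character names are typical of hastily created attacker rules.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def audit_mailboxes(export: List[Dict], org_domain: str) -> List[Finding]:
    """Run audit_rule over every rule of every mailbox in the export."""
    findings: List[Finding] = []
    for mailbox in export:
        for rule in mailbox.get("rules", []):
            reasons = audit_rule(rule, org_domain)
            if reasons:
                findings.append(Finding(mailbox["mailbox"], rule.get("name", ""), reasons))
    return findings


# Constructed sample export: one hiding rule on a finance mailbox, one benign rule,
# and one forward-and-delete rule on another mailbox.
SAMPLE_EXPORT = [
    {"mailbox": "cfo@example.com", "rules": [
        {"name": ".", "conditions": {"subject_or_body_contains": ["invoice", "wire"]},
         "actions": {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}},
        {"name": "Newsletters", "conditions": {"from": ["news@vendor.example"]},
         "actions": {"move_to_folder": "Newsletters"}},
    ]},
    {"mailbox": "alice@example.com", "rules": [
        {"name": "Backup", "conditions": {},
         "actions": {"forward_to": ["alice.backup@mail.example"], "delete": True}},
    ]},
]

if __name__ == "__main__":
    for finding in audit_mailboxes(SAMPLE_EXPORT, "example.com"):
        print(f"{finding.mailbox}: rule '{finding.rule}' -> {'; '.join(finding.reasons)}")
```

In practice the export would come from the tenant's rule inventory and the script would run on a schedule, alerting on new findings; the "Newsletters" rule shows that ordinary filing rules pass through without noise.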

Categories: Cyber Risk News

BYOD Risks Grow as Half of Firms Fail on Policies

Fri, 05/03/2019 - 09:23

BYOD is increasingly popular in the workplace, but half of organizations are exposing themselves to unnecessary extra risks by not implementing a clear policy on usage, according to Bitglass.

The security vendor polled 150 IT and security professionals at Cloud Expo Europe in London earlier this year.

It revealed that 74% are allowing employees to use their personal devices at work, but 47% either don’t have a policy in place to manage them, or don’t know if one exists.

Particularly baffling were the findings that unmanaged devices were considered the top blind spot for data leakage, with 31% agreeing. However, just 16% cited this as a top security priority for the coming year. Instead, malware protection (26%) came top.

Also concerning was the fact that over a quarter of respondents (28%) claimed they don’t enforce any multi-factor authentication (MFA) to protect personal devices.

Steve Armstrong, regional director at Bitglass, argued that BYOD can drive improved productivity, cost savings and talent retention, but in so doing may increase the risk of data loss if proper policies and security controls aren’t put in place.

“In order to securely reap the benefits of BYOD, organizations need advanced tools such as user and entity behavior analytics (UEBA) and data loss prevention (DLP),” he added.

“Additionally, they must be able to selectively wipe corporate data from personal devices without affecting the personal data therein. However, for deployments to be successful, these capabilities need to be implemented through an agentless solution that won’t hinder user privacy or device functionality.”

A study from 2018 revealed that 61% of UK small businesses experienced a cybersecurity incident following their introduction of BYOD.

A government breaches survey from earlier this year claimed that the use of personal devices “tend to be less commonly covered” by cybersecurity policies.

Categories: Cyber Risk News

Europol: Two More Dark Web Marketplaces Seized

Fri, 05/03/2019 - 08:50

Europol is claiming victory after announcing the shut down of two more dark web marketplaces and several arrests.

The law enforcement organization said German police shut Wall Street Market, which it claimed was the world’s second largest dark web market, while earlier this year Finnish customs put paid to Silkkitie, aka the Valhalla Marketplace.

It was also revealed that German police arrested three suspects and seized €550,000 in cash, along with six-digit sums of cryptocurrency, vehicles, computers, storage devices and other evidence. US authorities arrested two alleged major drug dealers operating on the site.

The Finnish authorities are also said to have made a major Bitcoin seizure when they shut down the main server hosting Silkkitie, which had been running since 2013. It was claimed that illegal traders were monitored as they moved to other dark web sites following the seizure, although it’s unclear whether they were arrested.

“These two investigations show the importance of law enforcement cooperation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think,” said Europol executive director, Catherine De Bolle.

It’s unclear whether the law enforcement activity was linked to the recent news that the site’s admins were attempting an exit scam.

At the time, one moderator was threatening to release the details of any user who sent their address in plain text as part of disputes or tickets, unless they paid a fee.

That same moderator, “Med3l1n,” reportedly posted their Wall Street Market logins and server IP address to Dread, a Reddit-like site for the dark web. That would have given law enforcers vital intelligence to shut down the operation and go after some of the most prolific traders on the site.

In a final irony, the world’s biggest market, Dream Market, which many users left after it said it was going to move to a “partner site,” appears to still be up and running.

Categories: Cyber Risk News

TinyPOS: Handcrafted Malware in Assembly Code

Thu, 05/02/2019 - 18:22

Legacy software vulnerabilities have created opportunities for hackers to steal credit card data and other personal information using tiny point of sale (POS) malware, according to research published by Forcepoint.

Researchers reportedly analyzed 2,000 samples of POS malware and found that many are handcrafted, written in assembly code and very small; thus, researchers aptly named the malware TinyPOS.

Of the samples analyzed, 95% were loaders used to distribute malware to systems. In addition, researchers found that system compromises can go months without detection due to the small code size (2.7 KB). Though researchers suggested that protecting against these attacks is not difficult, the issue for many organizations is that they are running old, outdated POS software and hardware, where these attacks can do a lot of damage.

The samples were grouped into four categories: loaders, mappers, scrapers and cleaners, wrote Robert Neumann, senior security researcher at Forcepoint. “The most probable initial vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.”

That attackers are targeting POS systems is nothing new, particularly because they collect large amounts of personal data. Because of their vulnerabilities, Ryan Wilk, VP of customer success for NuData Security, a Mastercard company, said POS systems have long been a prime target for cyber-criminals.

“This latest credit card–stealing malware is extremely stealthy and hard to detect, making some retailers even more vulnerable. Storing data securely is another basic security tenet. If merchants store credit card information offline and don’t encrypt it, it is sure to be stolen and abused,” Wilk said.

“However, once the credit card information is stolen, businesses can combat fraudulent online transactions through verification frameworks that can confirm the identity of users and prevent this type of fraud. Analyzing their online behavior, combined with hundreds of other identifiers that hackers can't imitate or steal, is the best protection against fraud, once the user data has been leaked.”

Categories: Cyber Risk News

New Exploits Target Components of SAP Applications

Thu, 05/02/2019 - 18:01

New exploits have been targeting SAP systems, allowing attackers to fully compromise the platform and delete all business application data, according to new research from Onapsis Inc.

The exploits, dubbed 10KBLAZE, can potentially compromise all NetWeaver Application Server (AS) and S/4HANA systems. “In exposed systems, the exploits can be executed by a remote, unauthenticated attacker having only network connectivity to the vulnerable systems. These exploits are not targeting vulnerabilities inherent in SAP code, but administrative misconfiguration of SAP NetWeaver installations,” the report said.

Attackers could also modify or extract highly sensitive and regulated information in what Onapsis called a serious threat, given that an estimated 50,000 companies and one million systems are configured using SAP NetWeaver and S/4HANA.

Misconfigurations in access control lists (ACLs) could leave systems vulnerable. Based on research collected over the past decade, the report estimated that nearly 90% of these systems suffer from the misconfigurations for which these exploits are now publicly available.

“The lack of one of these ACLs being properly protected is enough for an attacker to successfully exploit it. Customers must secure both of the ACL configurations in Gateway and Message Server to stay protected,” the report said.

“This risk to SAP customers can represent a weakness in affected publicly traded organizations that may result in material misstatements of the company's annual financial statements (form 10-K). Further, a breach against these business-critical applications would likely result in the need for disclosure, given the recent SEC's Cybersecurity Disclosure Guidance,” said Larry Harrington, former chairman of the board of the Institute of Internal Auditors (IIA), in a press release.

“SAP released relevant security notes and guidance to help customers secure these critical configurations several years ago. The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems. This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes,” said Mariano Nunez, CEO and co-founder, Onapsis, in the press release.

Categories: Cyber Risk News

Putin Signs Law to 'Stabilize' Russian Internet

Thu, 05/02/2019 - 16:53

In the event that Russia should ever be disconnected from the global infrastructure of the World Wide Web, Russian president Vladimir Putin has signed a law to stabilize the operation of the Russian internet, dubbed Runet, according to Tass, a Russian news agency.

Infosecurity Magazine reported last month on the then-proposed law, which has been seen as part of Russia’s plan to cut access to the global internet. The final draft of the bill reportedly prepares for the unlikely event that – should anything threaten the stable, safe and integral operation of the Russian internet on Russian territory – “the Federal Service for Supervision of Communications, Information Technology and Mass Media will be able to carry out 'the centralized operation of the general communications network,'" Tass reported.

The law essentially lays the groundwork for Russia to develop an alternate domain name system (DNS), which would reportedly force all internet service providers to “disconnect from any foreign servers, relying on Russia's DNS instead,” according to Forbes.

“We’re disappointed to see this request from Roskomnadzor. OpenVPN cannot in good conscience support censorship; I’ve personally experienced it and know the damage it can cause. We stand by our belief that open, secure access to the internet is a human right,” said Francis Dinha, CEO and co-founder of OpenVPN.

OpenVPN is a protocol and technology, and Dinha said it does not believe the law will impact its B2B services, unless Russia decides to block the OpenVPN protocol. Though the company has a consumer VPN service, it does not have any servers in Russia.

“OpenVPN is committed to our users and customers by protecting them against cyber-threats and providing secure and private access to their information from anywhere in the world. State governments and institutions may have the right to create policies and restrict its citizens from accessing certain content. However, OpenVPN will continue to provide access to our software and services to people no matter where they live or travel to. OpenVPN can’t compromise and must protect the security and privacy of those we serve.”

Categories: Cyber Risk News

UK IT Bosses Failing on Password Best Practices

Thu, 05/02/2019 - 10:30

UK IT managers are exposing their organizations to unnecessary risk by failing to adhere to best practices around password security, according to OneLogin research.

Released on World Password Day today, the poll of 300 IT decision makers revealed a worrying gap between perception and reality.

Although nearly all respondents (98%) had company guidelines in place to protect passwords and a similar number (95%) claimed such measures were adequate, the research highlighted several shortcomings.

For example, two-thirds (66%) admitted they don’t check employee passwords against common credential lists, and even more (78%) don’t check for password complexity.

What’s more, just 53% require single sign-on (SSO) and less than half require numbers (47%) and upper and lower-case characters (37%).

"This report should be a reminder to every business leader in the UK to carefully review their password management," said OneLogin CTO, Thomas Pedersen. "Cyber-criminals thrive on companies overlooking fundamental security requirements, which becomes an open invitation for any hacker on the hunt for easy passwords."

Experts used the awareness-raising day to call for an end to static credentials.

“Maybe it’s time to retire ‘World Password Day’ in favor of ‘World Authentication Day’,” argued Tripwire VP of product management, Tim Erlin.

“The password is the least secure component in most authentication systems, and passwords alone are no longer sufficient. World Password Day is a good day to set up multi-factor authentication (MFA) everywhere you can.”

Colin Truran, principal technology strategist at Quest, welcomed the growing popularity of MFA but argued that firms need to go further.

“Today things are starting to change and I am encouraged to hear many more organizations turning to multiple levels of biometric identification, including government bodies,” he added.

“Of course, it’s a huge responsibility to hold such biometric information in our consumer and user base, so this information must itself be protected by something better than a password! Let’s try to make this day a day of remembrance rather than a reminder of our reluctance to let go of an outmoded concept.”

Categories: Cyber Risk News

UK Government Intros Landmark IoT Security Proposals

Thu, 05/02/2019 - 10:00

The UK government has introduced a proposed new law designed to improve IoT security-by-design and demand that retailers can only sell devices featuring an explanatory label for consumers.

The new rules build on a voluntary code of practice introduced last year which was intended to force manufacturers to build security protections into products at the design stage.

The government is now consulting on how to go further, in an attempt to improve the baseline security of products and consumers’ ability to differentiate between those on the shelves.

Also mooted are proposals to make the main elements of the code of practice mandatory, including requirements that: IoT device passwords be unique and can’t be reset to factory defaults; manufacturers provide a vulnerability disclosure policy and public point of contact; and manufacturers state the minimum length of time during which the device will receive security updates.

Although the labeling scheme will initially be voluntary, the plans have been billed as another milestone in the government’s efforts to make the UK a global leader in online safety.

“This is an important first step in creating flexible and purposeful regulation that stamps out poor security practices, which techUK’s research shows can act as significant barriers on the take-up of consumer IoT devices,” said techUK CEO, Julian David.

“The proposals set out have the potential to positively impact the security of devices made across the world and it is good to see the government is working with international partners to ensure a consistent approach to IoT security. TechUK looks forward to responding to this consultation on behalf of our members.”

F-Secure principal consultant, Tom Gaffney, said the security vendor was critical of the code of conduct as it was voluntary, but added that “by proposing a legal framework the UK government is taking a step in the right direction.”

“As many as one third of IoT attacks abuse weak passwords and legislating to fix this basic issue can only be a good thing,” he argued.

Katie Vickery, partner at international law firm Osborne Clarke, said even the voluntary code of conduct was intended to alter the legal liability framework for IoT products.

“This proposed new legislation would make that shift absolutely clear – manufacturers would have to meet minimum security standards on all IoT devices sold in the UK,” she added. “The use of voluntary labeling will also encourage compliance, as consumers seek out those devices that give them some added assurance.”

Tim Rawlins, director and senior adviser at NCC Group, argued that the proposed laws would put pressure on manufacturers to improve baseline security.

“But there needs to be a continuing focus on driving improvements in security in IoT products across the design and manufacturing industry. Security needs to be a firm focus well before any of these IoT devices end up in users’ hands,” he added.

Categories: Cyber Risk News

UK Defense Secretary Sacked Over Huawei Leak

Thu, 05/02/2019 - 09:10

Opposition parties are calling for a criminal inquiry after the UK defense secretary was sacked for allegedly leaking news of the government’s decision to allow Huawei to supply parts of its 5G network.

Gavin Williamson reportedly refused to resign when confronted with evidence suggesting he leaked details of the highly sensitive decision made by the National Security Council to a Daily Telegraph journalist.

Prime Minister Theresa May duly sacked him, although Williamson has since gone on the offensive, claiming his firing was a “witch hunt” and that he was tried “in a kangaroo court with summary execution.”

Although he admitted speaking to a journalist from the paper in question for 11 minutes on the day of the leak, he maintains it came from outside his team.

Now Labour and Liberal Democrat leaders are calling for a criminal investigation into whether the Official Secrets Act was broken.

“This story cannot begin and end with dismissal from office,” Lib Dem leader Vince Cable is reported as saying. “What is at stake is the capacity of our security services to give advice at the highest level.”

Williamson was one of several cabinet ministers said to have raised concerns about Theresa May’s decision to allow Huawei to provide “non-core” equipment for Britain’s 5G networks.

The security services have continuously sought to downplay the risk of Chinese intelligence interference in Huawei’s kit going forward, although they have highlighted serious issues with the quality of the engineering and coding, which could itself be exploited by spies.

A Bloomberg report this week claimed that Vodafone found hidden backdoors in Huawei kit in 2011 and 2012 “that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy.”

However, Vodafone itself denied the claims, stating that the incident was “nothing more than a failure to remove a diagnostic function after development.”

"The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet,” the statement continued.

"Bloomberg is incorrect in saying that this 'could have given Huawei unauthorised access to the carrier's fixed-line network in Italy'.”

The journalist has since taken to Twitter to defend his story, saying:

“Vodafone found a non-documented Telnet Service built by Huawei with hardcoded credentials on a non-standard port that was re-added after being found a first time through security testing and removed, according to Vodafone IT Incident Report. Vodafone called it ‘Telnet Backdoor’.”

If nothing else, the incidents highlight the high stakes for national governments when deciding whether to allow Chinese companies to compete for what will be an essential part of critical infrastructure for many years.

Categories: Cyber Risk News

Cyber-Attacks in UK Grew by 140% in 2018

Wed, 05/01/2019 - 18:07

Cyber-attacks in the UK grew by an alarming 140% in 2018, according to a cyber-threat landscape report by eSentire that discusses the most impacted industries in the UK and which types of attacks were the most successful.

Attacks on IoT devices have also seen significant growth, with “a growing trend in IoT exploits targeting cameras, door controllers, surveillance equipment and media devices throughout our global customer base. In the UK, the vast majority of the observed exploits specifically impacted devices manufactured by AVTech, a leading manufacturer of video surveillance and monitoring equipment.”

The researchers found that attackers were keen to use Dropbox-theme phishing lures. However, the report found that employees in the UK are better than their global counterparts at preventing malicious attacks, including phishing attacks, despite evidence that organizations in the UK had a higher percentage of exploit attacks than the global average.

“In the UK, this increase in global botnet activity drove significant increases in the number of exploit (10%), malware (45%) and scanning (15%) detections observed by eSentire during 2018. The only attack type to see a decline was phishing, which, while still a significant threat to UK businesses, saw a roughly 20% decrease in observed incidents,” the report said.

While no industry is without its risk, marketing and manufacturing were reportedly the industries most impacted by cyber-attacks. “Marketing agencies received a significant number of Apple-related lures in 2018. This concentration of Apple lures in an industry perceived to have a high number of Apple desktops and laptops reveals that threat actors are customizing lures to specific sectors in an attempt to improve their success rate,” the report said.  

The report also found that email is one of the most common attack vectors and that “reducing this attack surface will protect UK organizations from both phishing and email-borne malware.”

Categories: Cyber Risk News

Brute-Force Attempts More Common on Edge Devices

Wed, 05/01/2019 - 17:11

As edge devices continue to be the target of malicious attacks, security experts have found an increase in brute-force attempts, according to a new white paper released by the Cyber Threat Alliance (CTA).

Based on a compilation of research from several contributors, the white paper notes that CTA members have seen “a quiet but growing threat to edge devices since 2016. These devices are deployed at the boundaries between interconnected networks. The resulting impact of these devices – such as routers, switches and firewalls – on an enterprise and to the connected digital ecosystem can be significant.”

Edge devices are not only used to build infrastructure for future attacks; they are also used to monitor traffic and to establish persistent access to targeted networks or systems in order to steal data, and even to launch offensive cyber-attacks that deny, degrade, disrupt or destroy, according to an April 30 CTA blog post.

What’s concerning, according to CTA members, is that while attacks against edge devices continue to increase, basic protections for these devices are not keeping pace.

“This is often due to a lack of built-in security and a 'set it and forget it' mentality by owners. This report describes the security challenges for edge devices and highlights five case studies to illustrate how attackers have taken advantage of weaknesses in the systems themselves and poor security practices common to the use of edge devices,” the blog said.

According to research from Sophos, which was contributed to the white paper, “most of the attacks we saw involved a simple brute-force attempt to pass default or common username/password credentials to a selection of services, including web-based content management systems, the remote access VNC or RDP protocols, remote terminals over telnet or SSH, Internet telephony adapters, or database servers. But there were several others that sent us down a rabbit hole.”
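As an added example, not taken from the CTA white paper or from Sophos, the following Python snippet shows the kind of detection a defender can run over an edge device's SSH authentication log to spot the pattern Sophos describes: a burst of failed logins from one source in a short window, trying default or common usernames. The log lines are constructed for illustration in the format of OpenSSH syslog messages; the failure threshold, window length and default-username list are assumptions to tune per environment.

```python
"""Detect credential brute-force bursts in SSH auth logs from an edge device.

Added example; SAMPLE_LOG is constructed in OpenSSH syslog style, and the
thresholds and DEFAULT_USERS list are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: five rapid failures from one source, one key-based login and
# one isolated failure from an operator address.
SAMPLE_LOG = """\
May  1 10:00:01 edge-fw sshd[201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
May  1 10:00:02 edge-fw sshd[202]: Failed password for root from 198.51.100.7 port 41023 ssh2
May  1 10:00:02 edge-fw sshd[203]: Failed password for invalid user support from 198.51.100.7 port 41024 ssh2
May  1 10:00:03 edge-fw sshd[204]: Failed password for invalid user ubnt from 198.51.100.7 port 41025 ssh2
May  1 10:00:04 edge-fw sshd[205]: Failed password for invalid user pi from 198.51.100.7 port 41026 ssh2
May  1 10:00:05 edge-fw sshd[206]: Accepted publickey for netops from 203.0.113.5 port 50010 ssh2
May  1 10:03:00 edge-fw sshd[207]: Failed password for netops from 203.0.113.5 port 50011 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Usernames that ship as defaults on many routers, cameras and appliances (assumed list).
DEFAULT_USERS = {"admin", "root", "support", "ubnt", "pi", "user", "guest"}

Event = Tuple[datetime, str, str]  # (timestamp, source ip, username)


def parse_failures(log_text: str, year: int = 2019) -> List[Event]:
    """Extract failed-password events; syslog lines carry no year, so one is supplied."""
    events: List[Event] = []
    for line in log_text.splitlines():
        match = FAILED_RE.match(line)
        if match:
            ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, match["ip"], match["user"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5, window_seconds: int = 60) -> Dict[str, Dict]:
    """Sliding window per source IP: alert when >= threshold failures fall within the window."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    alerts: Dict[str, Dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits within window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in evs[start:end + 1]}
                alerts[ip] = {
                    "failures": count,
                    "first_seen": evs[start][0].isoformat(),
                    "default_usernames": sorted(users & DEFAULT_USERS),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures from {info['first_seen']}, "
              f"default usernames tried: {', '.join(info['default_usernames']) or 'none'}")
```

The operator's single failure from 203.0.113.5 does not trip the threshold, which is the point of windowing rather than counting failures in isolation; in production the output would feed a block list or a SIEM alert, and the same logic applies to telnet, VNC or RDP logs once their line format is parsed.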

Categories: Cyber Risk News

US DHS Issues Cybersecurity Vulnerability Directive

Wed, 05/01/2019 - 17:04

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued binding operational directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, which requires federal agencies to remediate critical security vulnerabilities within 15 days of initial detection.

CISA explained, "A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.”

This new directive supersedes BOD 15-01, which required federal agencies to review and remediate any critical vulnerabilities on internet-facing systems identified by the National Cybersecurity and Communications Integration Center (NCCIC) within 30 days of receiving the weekly Cyber Hygiene report, according to the April 29 CISA post.

Per the directive, CISA will continue to provide all federal agencies with Cyber Hygiene reports, which agencies must review. Critical vulnerabilities must then be remediated within 15 calendar days of initial detection, while those categorized as high vulnerability must be remediated within 30 days of initial detection.

“If vulnerabilities are not remediated within the specified timeframes, CISA will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency POCs for validation and population. Agencies shall return the completed remediation plan within three working days of receipt,” the agency wrote.

“This is a good initiative, one which all reputable private sector enterprises already subscribe to via third-party scanning services. It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector as it is definitely a best practice in the industry,” said Mounir Hahad, head of Juniper Networks' Juniper Threat Labs.

“I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial. Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”

Categories: Cyber Risk News

Consumers Revolt Over IoT Security Shortcomings

Wed, 05/01/2019 - 10:30

The Internet Society is urging IoT manufacturers to build stronger security measures into devices after releasing new research revealing that nearly two-thirds (64%) of British consumers have concerns over the way such devices collect personal data.

The non-profit polled over 1300 adults in the UK as part of global research into the fast-growing market for connected devices.

With the majority of consumers now owning such devices, there appears to be a growing gap between their expectations regarding security and privacy and what is being provided by device makers.

Nearly half of Brits don’t trust their device to protect their privacy (48%) or handle their information responsibly (49%), while 59% think their IoT device is “creepy,” the research found.

Global respondents believe that IoT security and privacy is a shared responsibility between consumers (60%), regulators (88%), manufacturers (81%) and retailers (80%).

“Consumers have told us they accept that they have some responsibility for the security and privacy of their IoT products but that isn’t the end of the story. They, and we, want to see tangible action from manufacturers, retailers, and governments on this issue. It has to be a collective effort, not the responsibility of one group,” argued Helena Leurent, director general of Consumers International.

“We are exploring this conversation with progressive manufacturers. Together we are looking at the opportunity to create person-centered technology, that people not only enjoy using, but feel safe and secure doing so. By doing this business can address the concerns of those not engaging with this tech, and open up the benefits of the Internet of Things to everyone.”

The majority of British consumers agree, with 85% arguing manufacturers should only produce secure and privacy-protecting kit, while a similar number (86%) said retailers have a responsibility to only sell hardware that meets these standards.

The ability of consumers and retailers to differentiate between secure and potentially vulnerable IoT devices received a boost earlier this year when the European Telecommunications Standards Institute (ETSI) introduced a new globally applicable standard.

The ETSI TS 103 645 standard is based on a UK government industry code of practice introduced last year and should encourage more manufacturers to improve baseline security whilst providing buyers with a clear label of quality to look out for.

It comes a year after the British Standards Institution (BSI) introduced a kitemark for consumer and business-grade IoT devices.

Categories: Cyber Risk News

Most Firms Rely on Trust Alone for Supply Chain Security

Wed, 05/01/2019 - 09:30

Around 70% of global organizations could be at risk from supply chain attacks because they don’t have enough visibility into their partners’ security posture, according to new Accenture research.

The consulting giant polled over 6600 IT and business executives in 27 countries worldwide to compile its findings as part of the Tech Vision report.

It revealed that just 29% of global companies know enough about their suppliers’ approach to cybersecurity. Even worse, over half (56%) claimed to rely on trust alone to satisfy any question marks over cyber-risk.

The UK was aligned with the global average, with just 29% of business and IT execs having insight into partner security processes, although the figure dropped to less than half that in China (11%) and Japan (14%).

The US (35%) and Germany (30%) boasted among the largest proportions of companies with supply chain insight. However, at still only around a third, many organizations would seem to be exposed to third-party attacks such as “island hopping,” which led to major breaches at the likes of US retailer Target and the US Office of Personnel Management (OPM).

Chinese state-sponsored hackers were behind another major supply chain attack in recent years: Cloud Hopper targeted firms through their managed service providers (MSPs) in what has been described by British investigators as “one of the largest ever sustained global cyber-espionage campaigns.”

Accenture warned that supply chain attacks like this could account for around a quarter of the total value at risk from cybercrime over the next five years.

“Business perimeters used to be like a castle, where security teams could create thick walls to guard against attacks. But the days of doing business in this medieval way are well and truly over,” said Nick Taylor, cybersecurity lead for Accenture UK. “Now, business structures resemble something more like the London Underground, with thousands of entry points. Threat actors are preying on the weaker links. Smaller businesses, in particular, are seen as a means of infiltrating larger organizations.”

He urged organizations to collaborate more with other firms and reach out to governments to help manage these risks better.

CISOs should be included in new business discussions from the start, threat modelling must be improved by anticipating where hackers may strike, and processes should be designed to continuously assess risk as suppliers are on- and offboarded, Accenture argued.

Categories: Cyber Risk News

US Church Hit in $1.8m BEC Scam

Wed, 05/01/2019 - 08:40

A US church has been hit by a major Business Email Compromise (BEC) attack, losing almost $1.8m after fraudsters tricked staff into changing a contractor’s payment details.

Saint Ambrose Catholic Parish — based in Brunswick, Ohio — is currently renovating its church in a Vision 2020 project. However, BEC scammers recently targeted the large monthly payments it makes to a local construction firm.

“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totalling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed,” explained Father Bob Stec.

“Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing Marous Brothers had changed their bank and wiring instructions. The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened. Needless to say, this was very distressing information.”

Hackers are said to have compromised two email accounts to “deceive the parish and perpetrate the fraud.” It’s unclear how, although phishing is the most likely tactic.

“After reviewing our systems, to the best of our knowledge, only the email system was breached/compromised,” said Stec. “Our parish database is stored in a secure cloud-based system. This allows for many layers of security/protection of our parish database information.”

The church has submitted an urgent insurance claim in order to recoup the funds and pay its construction company, although there’s no guarantee that the policy will pay out.

The news comes a few days after an annual FBI report revealed that BEC attacks caused more losses than any other cyber-threat reported to its Internet Crime Complaint Center in 2018: a total of nearly $1.3bn.

Corin Imai, senior security advisor at DomainTools, argued the Saint Ambrose case highlights that no organization is safe from such scams.

“In addition to email filtering systems, those responsible for organizational finances should take the time to cross reference any emails they receive with those from addresses known to be genuine,” she added. “It’s better to make a legitimate transfer late than a fraudulent one promptly.”

Categories: Cyber Risk News

Not Managing Open Source Opens Door for Hackers

Tue, 04/30/2019 - 18:10

Organizations continue to face challenges with managing open source risk, according to a new report published today by Black Duck by Synopsys.

The annual Open Source Security and Risk Analysis (OSSRA) report analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase, up from an average of 257 in 2017.

In addition, 2018 yielded more open source vulnerabilities disclosed than in years past, with a notable list of more than 16,500 vulnerabilities reported on the National Vulnerability Database (NVD).

While more than 40% of codebases contained at least one high-risk open source vulnerability, the report noted that the use of open source software is not a problem in and of itself. Rather, failing to identify and manage the security and license risk associated with the open source components your organization uses can lead to significant negative business impacts and damage to your brand.

“At the end of the day, all software is vulnerable to attack – without exception – and the nature of open source software is to shine a light on the issues it has, leading to increased visibility of bugs, not an increase in bugs,” said Cody Brocious, hacker and head of hacker education at HackerOne.

“The security risk is significantly diminished by increasing visibility. If you’re not using open source components, you’d be using closed source components – either commercially available or hand-rolled – that have just as high of a likelihood of being vulnerable. Except that you just don't know about the bugs, unlike with open source components.

“There are a multitude of tools which can be used to scan your codebase to determine which open source components (and versions) are in use, and check this against various vulnerability databases. Example tools include Dependency-check from OWASP, and commercial tools such as SourceClear and Snyk.”
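The core of what Brocious describes is a software composition analysis (SCA) loop: enumerate the components and versions actually in use, then match them against advisory records that carry affected-version ranges. The following added example (not code from Black Duck, OWASP Dependency-Check, SourceClear or Snyk) shows that loop in miniature and the two places where naive implementations go wrong: package-name normalization (so `WidgetLib` and `widget_lib` match the same record) and numeric rather than lexicographic version comparison (so 1.10.0 is correctly newer than 1.9.0). The manifest, the package names and the `EXAMPLE-*` advisory identifiers are all constructed placeholders, not real packages or CVE/NVD entries.

```python
import re

# Constructed manifest in pip requirements.txt style; the package names are made up.
MANIFEST = """\
# application dependencies (constructed example)
WidgetLib==2.3.1
net_parse==1.0.4
tlswrap==0.9.0
logfmt==3.2.0
"""

# Constructed advisory records in the shape an SCA tool consumes from a vulnerability feed:
# a component is affected from `introduced` up to, but not including, `fixed`
# (`fixed` of None means no fixed release exists yet). IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-2018-0001", "package": "widgetlib", "introduced": "2.0.0", "fixed": "2.3.2", "severity": "high"},
    {"id": "EXAMPLE-2018-0002", "package": "net-parse", "introduced": "1.0.0", "fixed": "1.0.4", "severity": "critical"},
    {"id": "EXAMPLE-2019-0003", "package": "tlswrap",   "introduced": "0.0.0", "fixed": None,    "severity": "medium"},
    {"id": "EXAMPLE-2019-0004", "package": "logfmt",    "introduced": "3.3.0", "fixed": "3.3.5", "severity": "low"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def normalize_name(name):
    """PEP 503-style normalization: runs of '-', '_' and '.' collapse to '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Dotted numeric versions only (e.g. '2.3.1'); tuples compare component by component."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Map normalized package name -> pinned version, ignoring comments and blank lines."""
    components = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        components[normalize_name(name)] = version.strip()
    return components


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or version >= introduced and nothing is fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(components, advisories):
    """Match pinned components against advisories; findings are ordered by severity."""
    findings = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        version = components.get(name)
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({"package": name, "version": version, "id": adv["id"],
                             "severity": adv["severity"], "fixed": adv["fixed"]})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in scan(parse_manifest(MANIFEST), ADVISORIES):
        print(finding)
```

Note that `net_parse` 1.0.4 is reported clean because the advisory's `fixed` bound is exclusive, and `tlswrap` is reported even though no fixed release exists; both are the cases a practitioner should check when evaluating a real SCA tool, since an off-by-one on the range boundary produces either a false alarm or a missed vulnerability.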

Categories: Cyber Risk News

Data Dispersion Yields More Off-Prem Risk

Tue, 04/30/2019 - 17:51

The vast majority (84%) of global organizations host critical or sensitive assets with third-party vendors, according to a comprehensive study published by The Cyentia Institute and commissioned by RiskRecon.

The study analyzed the third- and fourth-party cyber risks of 18,000 organizations across 200 countries and found that the average firm has 22 internet-facing hosts, while some maintain more than 100,000 hosts. “That matters because protecting a large internet presence is a different ballgame than protecting a tiny one, regardless of any other factors,” the report said.

Additional findings revealed that 27% of companies host their assets with at least 10 external providers. Overall, 65% are hosted on a netblock that is owned by an external entity, with 57% of firms using hosts in multiple countries.

The growth of data dispersion has been enabled by the cloud, yet global companies are starting to see that putting sensitive enterprise and consumer data in the hands of external players creates vulnerabilities. In addition, high-value assets are three times as likely to have severe findings off-premise as on-premise, the report found.

“Since a huge portion of a modern organization’s value-generating activities relies on internet-enabled processes and 3rd party relationships, that surface is much more extensive than one might expect. In this section, we identify and measure key aspects of the internet risk surface through the data sample collected,” the report said.

“Your risk surface is anywhere your ability to operate, your reputation, your assets, your legal obligations or your regulatory compliance is at risk,” explained Kelly White, RiskRecon’s CEO and co-founder, in a press release.

“The digital transformation has moved the enterprise risk surface well beyond the internal enterprise network, with 65% of all enterprise internet-facing systems hosted with third-party providers. The data show that enterprises are not keeping up, with the security of internally hosted systems being much better managed than third-party hosted systems. This dilemma has now become critical because organizations are failing to understand how to manage their entire risk surface based on the volume of external digital exposure they face.”

Categories: Cyber Risk News

Developer Reveals Phishing Exploit in Chrome

Tue, 04/30/2019 - 17:43

In a proof-of-concept (PoC) blog post published earlier this week, developer James Fisher disclosed a new phishing method in Chrome for mobile on Android in which the browser hides the URL bar.

After hiding the URL bar, the browser “passes the URL bar’s screen space to the web page. Because the user associates this screen space with 'trustworthy browser UI,' a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar,” Fisher wrote.

“In my proof-of-concept, I’ve just screenshotted Chrome’s URL bar on the HSBC website, then inserted that into this webpage. With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the current page, you can get another try after the user enters '' in the inception bar!”

Still, Fisher’s post has gotten a variety of responses on Twitter, with several noting that they are unable to get the PoC working on Chrome.

"Whilst the proof of concept by Mr. Fisher isn't perfect, Google and others should consider implementing mitigation techniques like the 'Line of Death' to make the demarcation between browser UI and web content more obvious," said Gavin Millard, VP of intelligence, Tenable.

"Users fall for fake websites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber-savvy individual. Exploiting this could lead to confidential information disclosure and fraud.”

A Google spokesperson told Infosecurity, “Protecting users from phishing has always been important to us. We're constantly improving more holistic solutions to phishing like Safe Browsing, security keys, and Chrome’s password manager. Our team is aware of this issue and continues to explore solutions."

Categories: Cyber Risk News