Cyber Security Institute

Friday, July 08, 2016

IT Security News - 2017-07-08

Table of Contents

  • Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats
  • Endpoint and Network Security: The rise of “Defense in Depth”
  • EU to invest €450 million in cybersecurity partnership fund
  • The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges
  • Password Sharing Is a Federal Crime, Appeals Court Rules
  • French internet security report urges use of best practice
  • Meeting the cyberchallenge
  • BT : Industrialisation Of Cybercrime Is Disrupting Digital Enterprises
  • Brian Krebs at TMG Executive Summit: Financial institutions have to empower security leaders
  • Microsoft Cybersecurity Advocates for Coordinated Norms

Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats
Since the adoption of the EU Cybersecurity Strategy in 2013, the European Commission has stepped up its efforts to better protect Europeans online.
It has adopted a set of legislative proposals, in particular on network and information security, earmarked more than €600 million of EU investment for research and innovation in cybersecurity projects during the 2014-2020 period, and fostered cybersecurity cooperation within the EU and with partners on the global stage. 
But more work is needed to address the increasing number and complexity of cyber-threats.
This is why the Commission proposes today a series of measures to reinforce cooperation to secure Europe's digital economy and society, and to help develop innovative and secure technologies, products and services throughout the EU. 
The Commission has proposed an action plan to further strengthen Europe’s cyber resilience and its cybersecurity industry.
This includes measures to: 
- Step up cooperation across Europe
- Support the emerging single market for cybersecurity products and services in the EU
- Establish a contractual public-private partnership (PPP) with industry
The EU Cybersecurity Strategy and the forthcoming NIS Directive already lay the groundwork for improved EU-level cooperation and cyber resilience. 
The forthcoming NIS Directive establishes two coordination mechanisms:
- the Cooperation Group, which supports strategic cooperation and exchange of relevant information related to cyber incidents among Member States, and
- the Network of Computer Security Incident Response Teams (the so-called CSIRT network), which promotes swift and effective operational cooperation on specific cybersecurity incidents and sharing of information about risks.

Endpoint and Network Security: The rise of “Defense in Depth”
While there is an important place for network security, the simple fact that no system will ever be 100% secure highlights the need for additional layers of security.
Network security solutions often try to filter dangerous content before it reaches vulnerable endpoints, but isn’t it better if we can make the endpoints themselves less vulnerable?
With this in mind, the best strategy is to build security from the endpoint out - reducing the attack surface and building defendable infrastructure. 
While network-based security solutions can attempt to block threats before they hit the endpoint, the major problem with this approach is that companies that rely heavily on network security end up with an “eggshell” security stance – whereby a system is reliant on a single outer shell to protect all of the organization’s data. 
The main difficulty faced by detection solutions is the impossible trade-off between security and usability.
Namely, all threats need to be deeply analyzed, but security teams simply cannot make employees wait while they address these issues, which would reduce productivity and staff morale. 
Intel Security found that more than 30% of organizations disable network-based security features for this exact reason.
Malware authors know this, and therefore will create attacks that simply lay dormant for a period of time to bypass the network sandbox.
This has caused malware to evolve new methods of avoiding network security products, including:
• Delayed onset
• Detecting virtualized environment
• Checking the number of CPU cores (network sandbox usually only presents one)
• Checking if user is real (monitor mouse movement, etc.)
• Exploiting the virtual environment to escape
The most effective way to complement a strong network defense is by reducing the attack surface of the endpoint. 
1- Removing administrator privileges
2- Application whitelisting
3- Sandboxing
A bank doesn’t leave the vault door open just because they have a security guard on the door – they start from the vault and layer security outward.
If the endpoint isn’t secure, and security admins do not ensure that both systems work in tandem, companies simply risk losing data, intellectual property, resources, money and invaluably, trust – in other words, everything.

EU to invest €450 million in cybersecurity partnership fund
The Commission said that it will invest an initial €450 million in the partnership and expects organisations including national, regional and local government bodies, research centres and academia to invest three times as much. 
The partnership will bring companies together for research into cybersecurity solutions for different sectors including energy, health, transport and finance, the Commission said. 
The Commission will encourage EU countries to make use of cooperation mechanisms which will be established under the new Network and Information Security (NIS) Directive, which is expected to be adopted by the European Parliament this week.

The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges
This kernel of wisdom comes from a certain high-tech headhunter in the late 1980s, who passed it on as she was helping her candidates prepare for their next job.
Twenty years later, it showed up again in “What Got You Here Won’t Get You There,” a best-selling business book by Marshall Goldsmith. 
Two Distinct Roles
As recommended in a strategy map for security leaders, successful next-generation CISOs should strive for their information security teams to be perceived by key stakeholders as being strong in both of two distinct roles: 
- Subject matter experts
- Trusted advisers
Four Fundamental Questions
1) What’s the risk? 
2) What’s the annualized risk in the specific context?
3) How does an incremental investment quantifiably reduce risk? 
4) How does one investment compare to another?
Three Persistent Challenges
1) A language challenge
2) A measurement challenge
3) A communications challenge

Password Sharing Is a Federal Crime, Appeals Court Rules
One of the nation’s most powerful appeals courts ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking. 
In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA. 
At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?

French internet security report urges use of best practice
An official report on internet security in France has urged all players in the sector to follow best practice recommendations for the BGP, DNS and TLS security protocols. 
The Resilience of the French Internet report also encouraged all those in the sector to prepare themselves against the distributed denial-of-service (DDoS) attacks that have been behind some of the higher-profile failures of internet services.
The 2015 report, the fifth of its kind, made the following principal recommendations:
- monitor prefix advertisements, and be prepared to react in case of hijacking;
- use protocols that support forward secrecy and discontinue the increasingly vulnerable SSLv2 protocol and SHA-1 algorithm;
- diversify the number of SMTP and DNS servers in order to improve the robustness of the infrastructure;
- apply best practices to limit the effects of failures and operational errors;
- pursue the deployment of IPv6, DNSSEC and RPKI to help develop skills and to anticipate possible operational problems.
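One way to act on the report’s “monitor prefix advertisements” and RPKI recommendations is origin validation over observed BGP announcements. The block below is an added example, not code from the report: it checks constructed announcements against a constructed ROA-style table and classifies each as valid, invalid or not found in the sense of RFC 6811; every prefix and ASN is a made-up documentation value.

```python
"""Origin validation of BGP announcements against an expected-origin table.
Added illustration; all prefixes/ASNs below are constructed sample values."""
from ipaddress import ip_network

# Constructed expected-origin table, shaped like RPKI ROAs:
# (prefix, max_length, authorised origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed announcements as a monitor might collect them: (prefix, origin ASN)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # authorised origin -> valid
    ("192.0.2.0/24", 64666),      # wrong origin -> invalid (possible hijack)
    ("198.51.100.0/23", 64501),   # more specific, within max_length -> valid
    ("198.51.100.0/25", 64501),   # more specific than max_length -> invalid
    ("203.0.113.0/24", 64502),    # no covering ROA -> not_found
]


def validate(prefix, origin_asn, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not_found'.

    A route is valid if at least one covering ROA authorises the origin AS and
    the announced prefix is no longer than that ROA's max_length; invalid if it
    is covered by some ROA but none matches; not_found if nothing covers it."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not_found"


def alerts(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Return the announcements a monitor should alert on (RPKI-invalid ones)."""
    return [(p, asn, validate(p, asn, roas)) for p, asn in announcements
            if validate(p, asn, roas) == "invalid"]


if __name__ == "__main__":
    for prefix, asn, state in alerts():
        print(f"ALERT {prefix} announced by AS{asn}: {state}")
```

Announcements classified as not_found are left out of the alert list on purpose; they are worth logging, but only an invalid state contradicts a published authorisation.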

Meeting the cyberchallenge
Each year, the United States falls farther behind in educating K-12 students in science, technology, engineering and math (STEM).
It falls behind in teaching the next generation of technology workers for American companies.
And it falls behind in instructing cybersecurity professionals who will help protect our country.
This deficiency puts our national security at greater risk.
After years of analyzing this challenge, it’s now time for the federal government to act and help address this vulnerability.
Congress should invest in the future by providing adequate resources for K-12 computer science education for the next fiscal year, especially in this transition period between presidential administrations. 
In addition, at a time of increasing cyberthreats and greater complexity in cyberwarfare, the nation also needs skilled cybersecurity.
We now require individuals who can design weapons to support U.S. warfighters and provide cyberdefense for our country’s assets.
Our cyberstrength relative to that of our nation’s adversaries is too vital to ignore.

BT : Industrialisation Of Cybercrime Is Disrupting Digital Enterprises
DALLAS, July 5, 2016 /PRNewswire/—Only a fifth of IT decision makers in large multinational corporations are confident that their organisation is fully prepared against the threat of cyber-criminals.
The vast majority of companies feel constrained by regulation, available resources and a dependence on third parties when responding to attacks, according to new research from BT and KPMG. 
The report, Taking the Offensive - Working together to disrupt digital crime finds that, while 94 per cent of IT decision makers are aware that criminal entrepreneurs are blackmailing and bribing employees to gain access to organisations, roughly half (47 per cent) admit that they don't have a strategy in place to prevent it. 
The report also finds that 97 per cent of respondents experienced a cyber-attack, with half of them reporting an increase in the last two years.
At the same time, 91 per cent of respondents believe they face obstacles in defending against digital attack, with many citing regulatory obstacles, and 44 per cent being concerned about the dependence on third parties for aspects of their response. 
Mark Hughes, CEO Security, BT, said: "The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft.
The twenty-first century cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market." 
The BT-KPMG report shows that Chief Digital Risk Officers (CDROs) are now being appointed to hold strategic roles which combine digital expertise with high-level management skills.
With 26 per cent of respondents confirming that a CDRO has already been appointed, the report's data suggests that the security role and accountability for it is being re-examined.

Brian Krebs at TMG Executive Summit: Financial institutions have to empower security leaders
DES MOINES, IA (July 7, 2016) — TMG Executive Summit keynote speaker Brian Krebs told a room full of credit union and community bank leaders that layers of technology are not enough to stop a data breach.
Instead, the investigative reporter insisted, security is only as effective as the people managing it for you. 
“Organizations buy into the idea that doing security right is layering on the right mix of technology software and services, and that this magic combination will block 99 percent of attacks,” said Krebs, mastermind behind the popular Krebs on Security blog. “It’s just not true.
It’s very expensive to do security right, and that’s partly because the actual security of your organization comes from security specialists.” 
It’s not uncommon, Krebs said, for an organization to look at its event logs for the first time after someone like him gives them a call.
He devotes a lot of energy to breach notification.
Comparing the experience of being notified of a breach to the five stages of grief, Krebs says the people he notifies are almost always in denial. “Those with a high degree of security maturity skip through the first stages and go straight to depression,” Krebs said to a roomful of nervous laughter. 
Phishing, he said, is becoming increasingly sophisticated, even though some cybersecurity experts talk about it as a solved problem.
Over a span of three weeks, Krebs notified several different companies of phishing threats facing their C-suites.
He had seen actual communications spoofing CEO email addresses on the dark web.
No one from any of these vulnerable organizations returned his calls. 
Krebs concluded his hour-long talk by coming back to his point about the importance of human security leadership.
The head of security, Krebs advised, should always report to the COO, CEO or the board of directors.
Organizations with what he calls a high degree of security maturity have created separation between IT and security: “The surest way to deny your security people any say is to have them report to the head of IT.”

Microsoft Cybersecurity Advocates for Coordinated Norms
Microsoft wants new standards for the cybersecurity world, a vision proposed in its recently published paper “From Articulation to Implementation: Enabling Progress on Cybersecurity Norms.” 
Overall, the Microsoft cybersecurity viewpoint emphasizes the need for a consensus across the industry.
Specifically, the company wants to establish norms regarding the effective disclosure of security issues as well as methods to deal with the attribution of hostile acts directed at software. 
What Microsoft wants is a “coordinated disclosure” approach.
This is a variant of responsible disclosure that also allows disclosure to computer emergency response teams (CERTs) along with the vendor.
The company believes that public disclosure should only happen after a patch has been issued and believes this should be the new cybersecurity norm. 
But Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, may have identified a problem with trying to establish any norms.
He told SecurityWeek that “the whole concept of norms assumes that they relate to some homogeneous body guided by the same basic principles.
That clearly isn’t so in cyberspace.”