Cyber Security Institute

Monday, July 11, 2016

IT Security News - 2017-07-11

Table of Contents

  • How to handle security risks in Red Hat virtualization environments
  • Google is already fighting hackers from the future with post-quantum cryptography
  • If My Website Is Hacked and Customer Data Exposed, Am I Liable?
  • Business travellers putting organisations' cyber-security at risk
  • Protecting a BIT of Integrity BYTES
  • Global Cybergangs Take The ‘Cyber Arms Race’ Lead
  • Cybercrime Now Surpasses Traditional Crime In UK
  • Report: Firms see cyber threats, but not the means to deal with them
  • Business Intelligence and Data Security: A Double-Edged Sword
  • 8 Ways Ethically Compromised Employees Compromise Security

How to handle security risks in Red Hat virtualization environments
Here's a rundown of the types of threats to virtualization environments, and ways they can be mitigated: 
- Denial of Service (DoS) attacks
- Memory corruption and leakage
- Guest-to-Host escape

Mitigation Techniques
- You can use control groups to protect the four core resources (memory, CPU, disk or network) that can be exploited.
- SELinux is Red Hat's Linux Security Module and it operates by implementing Mandatory Access Controls (MAC).
- sVirt (secure virtualization) combines SELinux and virtualization.
- SecComp is a kernel feature still early in development which also provides sandboxing-like capabilities.
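
The check below is an added example, not code from the article or from Red Hat. It audits a libvirt guest definition for the resource limits and sVirt label listed above. It assumes XML in the shape `virsh dumpxml` prints for a running guest; the mapping of the four resources to libvirt tuning elements, the sample guest, and the names `audit_domain` and `TUNING_PATHS` are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `virsh dumpxml` output (not from the article).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>guest1</name>
  <memtune><hard_limit unit='KiB'>4194304</hard_limit></memtune>
  <cputune><shares>1024</shares></cputune>
  <devices>
    <interface type='network'><source network='default'/></interface>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
</domain>
"""

# Assumed mapping from the core resources to libvirt tuning elements.
TUNING_PATHS = {
    "memory": "./memtune/hard_limit",
    "cpu": "./cputune/*",
    "disk": "./blkiotune/*",
}

def audit_domain(xml_text):
    """Return a sorted list of findings for one guest definition."""
    root = ET.fromstring(xml_text)
    findings = [f"no {resource} limit"
                for resource, path in TUNING_PATHS.items()
                if root.find(path) is None]
    # Network is limited per interface, so every NIC needs a <bandwidth> element.
    for iface in root.findall("./devices/interface"):
        if iface.find("bandwidth") is None:
            findings.append("no network limit")
            break
    # sVirt: require an SELinux security label that is not switched off.
    labelled = any(s.get("model") == "selinux" and s.get("type") != "none"
                   for s in root.findall("./seclabel"))
    if not labelled:
        findings.append("no sVirt (SELinux) label")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_DOMAIN):
        print(finding)
```

A guest that reports no findings has a limit on each resource and runs under an SELinux label; each finding marks a resource a misbehaving guest could exhaust or a guest running without MAC confinement.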

Google is already fighting hackers from the future with post-quantum cryptography
"We're announcing an experiment in Chrome where a small fraction of connections between desktop Chrome and Google's servers will use a post-quantum key-exchange algorithm in addition to the elliptic-curve key-exchange algorithm that would typically be used," Google Software Engineer Matt Braithwaite wrote in a blog post Thursday, pointing out that Google plans to discontinue the experiment after two years, and hopefully move on to an even better algorithm. 
What does all this mean for Chrome users?
Not much.
Regular users won't be part of the test.
Those who want to have a fraction of their online communication protected with a post-quantum key exchange algorithm should install the latest Chrome Canary build.
To check whether post-quantum crypto was on, go to an HTTPS-secured page, click on the lock next to the URL in the address bar, click on "details," and check if Key Exchange starts with “CECPQ1”.

If My Website Is Hacked and Customer Data Exposed, Am I Liable?
That is a question most small business owners aren’t losing sleep over, nor one they are readily prepared to answer.
But in an era where data breaches routinely occur, it warrants serious consideration. 
Unfortunately, there is no cut-and-dried answer to that question.
Some attest that the entity holding the information is liable while others suggest the customer bears responsibility. 
Perez, weighing in on the liability issue, warns that small businesses running an ecommerce site must comply with the Payment Card Industry Data Security Standard (PCI DSS). 
“The landscape of cyber security is shifting rapidly as data breaches are spiking,” Delaney said. “Congress, regulators and state attorneys general are taking a hard look at how companies … are protecting consumer information from unauthorized access.
Hearings have been held, and new laws pushed.” 
Notification can quickly become very expensive, however, particularly if you have thousands of customers with which to communicate. 
Unfortunately, standard commercial property and liability insurance does not cover the loss of personally identifiable information.
To address the issue, several companies now offer cyber liability policies intended to cover a data breach where customer information, such as Social Security or credit card numbers, is exposed or stolen. 
While the question of liability is still not clear cut, businesses can protect themselves and their customers by following the guidelines included in this article.

Business travellers putting organisations' cyber-security at risk
A survey by Kaspersky Lab of 11,850 people from across Europe, Russia, Latin America, Asia Pacific and the US found that the pressure from work to get online is clouding the judgment of business travellers when connecting to the internet. 
It said that three in five (59 percent) people in senior roles say they try to log on as quickly as possible upon arrival abroad because there is an expectation at work that they will stay connected.
The research also found that 47 percent think that employers, if they send staff overseas, must accept any security risks that go with it. 
Almost half (48 percent) of senior managers and more than two in five (43 percent) of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad.
At least two in five (44 percent and 40 percent, respectively) use Wi-Fi to transmit work emails with sensitive or confidential attachments. 
One in five (20 percent) senior executives admit to using work devices to access websites of a sensitive nature via Wi-Fi – compared to an average 12 percent.
One in four (27 percent) have done the same for online banking – compared to an average 16 percent.

Protecting a BIT of Integrity BYTES
Leveraging the NIST Cybersecurity Framework to apply necessary albeit painful and often overlooked cyber changes to protect your most critical high-value assets (“Crown Jewels”) from advanced cyber threats
This post will focus primarily on the Identify function’s Asset Management component and the Protect function of the NIST framework as they relate to often overlooked operational changes needed to isolate critical high-value assets.
What to Protect? 
How to Protect? 
Rise above the threats.
Leverage the NIST Cybersecurity Framework and follow best practices to isolate and protect your most critical “crown jewels” and tier-0 credentials using operational security practices and not just dependence on the latest “shiny object” security tools.
Bad guys have these same security tools before they attack, so we need to change the way we isolate and operate on our network.
These changes can be painful and often not intuitive, but defending against advanced attackers requires advanced operational defenses to keep a breached PC from becoming a totally owned network.

Global Cybergangs Take The ‘Cyber Arms Race’ Lead
In the release of its first Cyber Crime Assessment report on Thursday (July 7), the U.K.’s National Crime Agency (NCA) said that police and businesses are losing the “cyber arms race” to these sophisticated criminals. 
According to the data, the most significant and advanced threat to the U.K. is actually from a small group of international crooks that use “highly profitable” malware to fuel cyberattacks.
These organized gangs of criminals are able to launch attacks directly at both businesses and individuals. 
According to the report, advertisements — ranging from “DDOS attacks for as low as $5 USD an hour” to “Online tutorials from $20 USD that cover DDOS attacks, cracking Wi-Fi, Crypters and much more” — are just a sample of the offerings posted across the underground marketplace, which it describes as growing bigger, more sophisticated and competitive. 
The intelligence analysts found that malware is becoming “much cheaper and continues to offer a low barrier to entry for cybercriminals looking to steal information,” posing an even greater threat to unsuspecting groups, consumers, private organizations and the government.

Cybercrime Now Surpasses Traditional Crime In UK
Cybercrime is currently outpacing traditional crime in the United Kingdom in terms of impact, spurred on by the rapid pace of technology and criminal cyber-capability, according to the UK’s National Crime Agency.
The trend suggests the need for a more collective response from government, law enforcement, and industry to reduce vulnerabilities and prevent crime, the NCA report says. 
One security expert notes that the cybercrime situation here in the US is even more dire. 
“I think it is more dramatic in the US and I do think cybercrime is a larger industry than narcotics trafficking because of intellectual property theft and secondary infection,” says Tom Kellermann, co-founder and CEO of Strategic Cyber Ventures, which invests in next-generation security technology.

Report: Firms see cyber threats, but not the means to deal with them
The study, “Taking the Offensive: Working Together to Disrupt Cyber Crime,” was undertaken by international consulting firm KPMG and telecoms group BT. 
While awareness of the threat has never been higher — 73 percent of respondents said digital security was on the agenda of board meetings — most organizations still don’t understand the scale of the threat and aren’t ready for it, according to the report. 
Businesses are struggling to keep their data and systems secure against a backdrop of proliferating attack tools and growing cyber-criminal sophistication—what the report calls a “vast dark market” for cyber crime tools.
Less than a quarter (22 percent) said they were “fully prepared” to combat security breaches by ever-more-agile cyber criminals. 
Nearly half of senior decision makers said they were constrained by regulation and lacked the right skills and people to thwart cyber crime.
Other constraints were organization-specific; 46 percent cited legacy IT systems as an issue and 38 percent identified bureaucratic processes.
Lack of investment and even cultural change within organizations were cited as barriers.

Business Intelligence and Data Security: A Double-Edged Sword
Business intelligence represents great opportunities for businesses that have the right people, processes and technology in place.
According to a recent ComputerWorld survey, 50 percent of respondents are increasing their IT security budget. 41 percent are increasing their analytics investment.
Another survey found that 35 percent of respondents considered security concerns to be the biggest obstacle surrounding data analysis.
The analytics software space is packed with vendors looking to cash in on this opportunity.
Proof positive is how hot the big data market has been over the past several years.
New data frontiers like social media, mobile ecommerce and web content performance represent new challenges and opportunities for insight for companies of all sizes.
Security Information and Event Management systems are powerful analytics solutions in their own right.
The latest security analytics systems are positioned as more advanced than what SIEM could offer.
Threat Analytics/Intelligence solutions, delivered via the cloud by companies like FireEye, Palo Alto Networks and Fortinet are seen as the next generation of security intelligence.
Traditional BI vendors collect a lot of data from various repositories such as ERP, CRM and asset management systems, though they have typically left security and threat analytics to the leading vendors in that space.
Sharing business performance information across your company should be carried out on a “need to know” basis.
Permission-based access to data visualizations and executive dashboards should be provisioned with consideration of:
Standards-based APIs, certified by credible sources, make for a safer analytics hub than coding your own connections.
Analytics engines are often at the center of multiple systems, which makes them a potentially lucrative target for opportunistic hackers.
Many data breaches are the result of employee activities, which emphasizes the need to govern access to reporting systems.

8 Ways Ethically Compromised Employees Compromise Security
The fact is that there are always a few bad apples in the barrel, and when it comes to employees—whether IT or your typical corporate user—the bad actors can introduce a lot of risk to the organization.
But some IT executives may not realize just how many potential bad apples there can be, depending on the circumstances. 
Here are a few statistics that show how prevalent shaky ethics really are in the workplace.