[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
Linux Foundation’s security checklist can help sysadmins harden workstations
Konstantin Ryabitsev, the Foundation’s director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks.
The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered.
They also have different severity levels: critical, moderate, low and paranoid.
Critical recommendations are those whose implementation should be considered a must-do.
They include things like enabling SecureBoot to prevent rootkits or “Evil Maid” attacks, and choosing a Linux distribution that supports native full disk encryption, has timely security updates, provides cryptographic verification of packages and supports Mandatory Access Control (MAC) or Role-Based Access Control (RBAC) mechanisms like SELinux, AppArmor or Grsecurity.
Other critical recommendations include making sure the swap partition is also encrypted, requiring a password to edit the bootloader, setting up a robust root password and using an unprivileged account with a separate password for regular operations.
The critical checklist also advises disabling hardware modules with direct full memory access like Firewire or Thunderbolt, filtering all incoming ports and setting up an encrypted backup routine to external storage.
Following the security tips in the Foundation’s document is by no means a guarantee that the system will not get compromised, but it would certainly make the job much harder for attackers.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d6690e240b&e=20056c7556
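A way to audit a workstation against four of the critical items summarized above (Secure Boot, encrypted swap, DMA-capable bus modules, a default-deny policy on incoming ports), written as an added example for this digest; it is not the Linux Foundation checklist's own code, and the module names, the EFI variable layout and the iptables default-policy check are assumptions about a typical Linux system.

```shell
#!/bin/sh
# Added example: hypothetical audit helpers for four checklist items, not the
# Linux Foundation's tooling. Each check takes its input as a string so it can
# be exercised offline; audit_live feeds in real system data where it exists.

secureboot_enabled() {
    # $1: `od -An -tx1` dump of the SecureBoot EFI variable: four
    # attribute bytes, then a one-byte value where 01 means enabled.
    set -- $(printf '%s' "$1")
    [ "$5" = "01" ]
}

unencrypted_swaps() {
    # $1: contents of /proc/swaps. Prints swap devices that are not
    # device-mapper targets. Heuristic: dm-crypt swap appears as
    # /dev/mapper/*, so plain partitions and swap files get flagged.
    printf '%s\n' "$1" | awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }'
}

dma_modules_loaded() {
    # $1: output of lsmod. Prints loaded modules for the DMA-capable
    # buses the checklist says to disable (FireWire, Thunderbolt).
    printf '%s\n' "$1" |
        awk 'NR > 1 && $1 ~ /^(firewire_|ohci1394|sbp2|thunderbolt)/ { print $1 }'
}

input_policy_drop() {
    # $1: output of `iptables -S`. True when the INPUT chain's default
    # policy is DROP, i.e. incoming ports are filtered unless explicitly allowed.
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP$'
}

audit_live() {
    sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    { [ -r "$sb" ] && secureboot_enabled "$(od -An -tx1 "$sb")"; } \
        && echo "OK   Secure Boot enabled" || echo "WARN Secure Boot not confirmed"
    bad=$(unencrypted_swaps "$(cat /proc/swaps 2>/dev/null)")
    [ -z "$bad" ] && echo "OK   swap encrypted or absent" || echo "WARN unencrypted swap: $bad"
    dma=$(dma_modules_loaded "$(lsmod 2>/dev/null)")
    [ -z "$dma" ] && echo "OK   no DMA-bus modules loaded" || echo "WARN DMA-bus modules: $dma"
    input_policy_drop "$(iptables -S 2>/dev/null)" \
        && echo "OK   INPUT policy is DROP" || echo "WARN INPUT not default-drop (or nftables in use)"
}

# Run the live audit only when asked, so sourcing the helpers has no side effects.
if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it as `sh audit.sh --live` on the workstation; a WARN line marks an item the checklist would have you fix or verify by hand.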
A Digital Revolution: What the IoT Means for the Future of Health Care
For years, we’ve speculated how the Internet of Things (IoT) will impact our lives.
We predicted that household appliances would issue maintenance alerts before breaking, or send out e-mails if they needed to be serviced.
We imagined a world in which the user experience would mean the dividing line between technology and humans would fade, one in which gadgets like Nest and the Apple Watch were part of our daily routines.
These were mere possibilities a few short years ago, but the days of connected devices are finally here.
However, health care, the most critical market for IoT technologies, has yet to reach its full potential.
According to research conducted by Aspect, health care is the industry most likely to adopt changes to technology during the next two years.
In fact, 91 percent of health-care professionals believe in the positive impact of cloud technology investment.
Clearly, health-care professionals recognize the potential of connected devices in improving the patient experience, but what exactly does the future of health care look like in this connected world?
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ebced56989&e=20056c7556
More companies add cyber security pros to boardrooms
In recent months, AIG, Blackberry, CMS Energy, General Motors, and Wells Fargo have added a board member with computer-security knowledge.
Delta Air Lines and Ecolab did the same in recent years.
The reasons:
Cyberattacks on large companies skyrocketed 44 percent last year from 2013.
Cybercrime costs businesses more than $400 billion a year, according to Lloyd’s of London.
Boards are responsible for advising chief executives on setting goals and plans to achieve them, and to question the challenges standing in the way.
Not adequately addressing a cybersecurity risk could prove costly: in money, reputation, legal bills, lost time, and lost customers.
Data show that corporate boards have a long way to go.
Just 11 percent of public-company boards queried this year reported a high-level understanding of cybersecurity, the National Association of Corporate Directors said.
A review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack.
Heavily hacked industries (retail, finance, and health care among them) doubled cybersecurity hiring during the last five years.
Security gigs pay $6,500 more annually than other tech jobs, according to job-market data firm Burning Glass Technologies.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=52ae325f88&e=20056c7556
CISO Transitions: Experience Alone is Not Enough
Recent findings from Deloitte’s CISO Transition Lab, an immersive one-day workshop developed to help accelerate a CISO’s performance, highlighted some of the more pressing issues facing the key cybersecurity role.
Mike Wyatt, director with Deloitte Cyber Risk Services, said the responsibilities of information security officers have had to evolve significantly in both the private and public sectors in the face of the changing technology landscape, and mounting internal and external challenges.
On top of having to manage the information security needs of their organization, Wyatt said private and public CISOs are having to take a more active role when it comes to meeting stakeholders, managing expectations and balancing business initiatives.
Deloitte reports that there are four main faces to the modern CISO: the strategist, the adviser, the guardian and the technologist.
According to Deloitte, roughly 77 percent of CISOs spend their time as technologists and guardians, while the findings suggest they would prefer to spend closer to 35 percent of their time in these reactive roles.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b2881c195a&e=20056c7556
Telstra’s “five knows of cyber security”
Burgess, who was speaking at a cyber security event in Sydney, said that although the telco pays attention to malware threats and determining who was responsible for an attack, focusing on the following five areas is crucial.
1. Know the value of your data
2. Know who has access to your data
3. Know where your data is located
4. Know who is protecting your data
5. Know how well your data is protected
âItâs a business risk issue. We [Telstra] are also of the view that this more of a human issue, not a technical one. Itâs not a problem induced and solved by technology alone. This is a very much a human issue, a leadership issue and a business risk that you need to pay attention to.â
He added that cyber security is not solely an espionage problem.
In fact, the espionage piece is a relatively small but significant piece of the cyber landscape, he said.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fefe37c328&e=20056c7556
Threat Modeling 101: Ten Common Traps Not to Fall Into
As part of Tripwire’s Threat Intelligence University webcast series, we recently had the pleasure of hosting industry expert and renowned author Adam Shostack, who shared with us how threat modeling can effectively drive security through your product, service or system.
Shostack outlined a simple threat modeling approach, which is centered around answering the following four questions:
– What are you deploying/building?
– What can go wrong?
– What are you going to do about it?
– Did you do an acceptable job at 1-3? (For quality assurance)
A good place to begin threat modeling is by creating a data flow diagram, which includes the representation of external entities, processes, “swim lanes” and trust boundaries, demonstrating what it is you are building or deploying.
With the previous four questions in mind, Shostack outlined some of the most common threat modeling mistakes or “traps” that he’s encountered.
Trap #1: “Search your feelings!”
Trap #2: “You’re never done threat modeling.”
Trap #3: “The Way to Threat Model Is…”
Trap #4: Thinking of Threat Modeling as One Skill
Trap #5: Threat Modeling is Born, Not Taught
Trap #6: The Wrong Focus
Trap #7: Threat Modeling is for Specialists
Trap #8: Threat Modeling in a Vacuum
Trap #9: Laser-Like Focus on Threats
Trap #10: Threat Modeling at the Wrong Time
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=457c1246a2&e=20056c7556
Adobe Flash Player’s extra security measures broken in less than a month
Cybercriminals have developed an exploit for a vulnerability that Adobe patched earlier this month.
Through the vulnerability, unpatched computers can be infected with malware, just as with previous vulnerabilities.
It’s a trend to release exploits quickly after a security update for a vulnerability is released.
The Flash updates allowed cybercriminals to find out what kind of vulnerabilities were patched.
These vulnerabilities were then used to infect users who hadn’t updated yet.
After the release of a better protected version of Flash Player, cybercriminals shifted their attention to Internet Explorer and no new exploits for Flash appeared.
It seems that shift was only temporary.
Security researcher Kafeine from the blog “Malware don’t need coffee” reports that the newly discovered exploit has been added to the Angler exploit kit and exploits a vulnerability in Flash Player 18.0.0.209.
If the attack is successful, the exploit kit installs a Bedep Trojan and makes the computer part of a botnet.
This botnet can then install additional malware to use the computer for all kinds of purposes, like click fraud or sending spam.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b1cf3258ca&e=20056c7556
Four Stealthy Cyber Attacks Targeting Energy Companies
In 2013 the Department of Homeland Security (DHS) issued an industry-wide alert about the growing threat of cyber sabotage attacks to the power sector after its incident response teams noticed an alarming trend of hackers, possibly from the Middle East, systematically breaching U.S. energy companies in an effort to probe their networks and determine how to take control of key processing systems.
– Cross-Site Scripting (or XSS)
– Drive-by Downloads
– Watering Hole Attack
– Wrappers/Packers
Because the utility sector already has one of the highest incidences of malware per week (221% higher than financial service firms, according to Verizon’s 2015 Data Breach Investigations Report, Figure 2), these advanced techniques pose a significant threat to plant operations.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c012f7d7b2&e=20056c7556
Macro Threats and Ransomware Make Their Mark: A Midyear Look at the Email Landscape
The first half of the year was defined by two trends in the spam landscape.
The first was the continued rise of macro-based malware in spam.
The second was the slew of ransomware attacks delivered via spam.
In the first few months of the year, we observed a noticeable increase in macro-based threats in spammed messages.
These spammed messages had attachments with Microsoft Office file extensions like .DOC, .DOCM, .XLS, and .XLSM.
In Figure 1 below, we broke down the type of malware-related spam we saw throughout the months.
While UPATRE (in red) is still the top type of mal-spam, we can see that macro spam (in green) has increased throughout the months.
But not all spammed messages related to ransomware had attachments.
Other emails contained links that led to legitimate file hosting websites like Dropbox, where the malicious file was hosted.
UPATRE continued its streak as the top distributed malware via spam.
Last year, we noted that there was a decrease in UPATRE-related spam campaigns due to the Gameover takedown.
However, activity soon picked up due to the CUTWAIL botnet.
A year later, UPATRE remains on top, distributed by the CUTWAIL botnet.
CUTWAIL has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.
But while UPATRE might be considered “old” at this point, it still has a few tricks up its sleeve.
We spotted an upgraded version of UPATRE that can disable security features, making it easier to avoid detection.
We also encountered a new variant being dropped as a Microsoft Compiled HTML Help file (.CHM).
The use of this file extension is a way to avoid suspicion: .CHM is the extension of Microsoft help files.
For the first half of the year, spear-phishing emails used a variety of social engineering lures like upcoming seminars, job vacancies, and personnel issues.
However, what stood out was the fact that the two most common payloads were PLUGX and EMDIVI.
PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries.
EMDIVI, which first appeared in 2014, is notoriously used in targeted attacks against Japanese companies.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9fa2f6b0ed&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com