[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter's opinions
So onto the news:
Cisco disrupts major ransomware campaign that brought in $30M annually
Cisco researchers, with the help of Level 3 Threat Research Labs and OpenDNS, have managed to strike a considerable blow against ransomware peddlers that used the Angler exploit kit to deliver the malware to unfortunate victims.
According to OpenDNS' Stephen Lynch, Cisco's Talos Research Group managed to "disrupt the operations of a threat actor responsible for up to 50 percent of the malicious software's activity from a ransomware campaign that generated more than $30M USD annually."
Cisco has released Snort rules to detect and block the checks from the health monitoring servers, and has published details of the communications mechanisms used by those servers, along with indicators of compromise (IP addresses, subdomains, hashes) that should help defenders discover infections on their own networks.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a0f6f8e802&e=20056c7556
Google patches Stagefright 2.0 on Nexus devices
Google has released its monthly security update for Nexus devices.
Among the issues this update fixes are the two vulnerabilities in the stagefright and utils Android libraries, which have been dubbed Stagefright 2.0.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f28cc852a6&e=20056c7556
NIST Tackles Email Security with a Two-Faceted Approach
NIST is publishing a draft document for comment that provides guidelines to enhance trust in email.
And the National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and expertise to demonstrate a secure, standards-based email system using commercially available software and other tools.
In the draft Trustworthy Email (NIST Special Publication (SP) 800-177), authors provide an overview of existing technologies and best practices, and they offer deployment guidance to meet federal government security requirements.
Emerging protocols to make email security and privacy easier for end users also are described.
The authors seek input on the draft document.
The deadline for comments on Trustworthy Email, SP 800-177, is November 30, 2015.
Please send any questions or comments to sp800-177@nist.gov.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=712ee94d3b&e=20056c7556
Quarter of firms can’t tell how hackers get in
“That was pretty eye-opening,” said Tim Helming, director of product management at DomainTools, the company that sponsored the research. “If you don’t know how it got onto your network, you can’t protect against it.”
Of the firms who did know how the attackers got in, 67 percent said that malware had infiltrated their networks through email, 63 percent named web surfing as a vector of infection, 12 percent cited cloud apps or social media, and 4 percent pointed to instant messaging.
One reason that so many companies could not spot the channel through which malware got into their network was that almost half, or 46 percent, of all organizations surveyed did not have a threat intelligence solution in place.
Another 36 percent said that the cost of the technology is too high.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f3d3d30eb5&e=20056c7556
Business Leaders Gaining on Cybersecurity Risks, According to the PwC, CIO and CSO Global State of Information Security® Survey 2016
According to the PwC, CIO and CSO Global State of Information Security® Survey 2016:
— New tools are helping to transform cybersecurity frameworks, yielding holistic, integrated safeguards against cyberattacks
— Cloud computing has had a significant impact on technology innovation in the past decade, and it is increasingly central to secure interconnected digital ecosystems
— The Internet of Things is expected to raise the stakes for securing cloud-based networks as the number of internet-connected devices continues to surge, to more than 30 billion by 2020
— There was a 38% increase in detected information security incidents, as well as a 24% boost in security budgets observed in 2015
54% of respondents have a CISO in charge of the security program.
The most frequently cited reporting structure is the CEO, CIO, Board and CTO, in that order.
Technically adept adversaries will always find new ways to circumvent security safeguards.
That’s why many businesses (59%) are purchasing cybersecurity insurance to help mitigate the financial impact of cybercrimes when they do occur.
Purchases in certain countries are either under review (34%) or happening less frequently (22%) as a result of reports that the government is conducting surveillance on hardware.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8a9cc5e75a&e=20056c7556
HP Extends Global Threat Intelligence Sharing Platform Through Alliance With Hitachi
PALO ALTO, CA, Oct 06, 2015 (Marketwired via COMTEX) — Extending the reach of its security intelligence sharing network, HP has formed an alliance with Hitachi designed to capture and share Japan-specific threat information.
This first-of-its-kind partnership significantly advances HP’s efforts to foster a wider reach of international security information sharing, and is an extension of the 25-year alliance between Hitachi and HP.
Through this partnership, Hitachi will join the HP Global Threat Intelligence Alliance and contribute threat intelligence to HP’s existing security information sharing platform, HP Threat Central.
The platform delivers automated and open sharing of information and contextual analysis that allows organizations to take action.
This intelligence will also inform periodically published reports from HP Security Research.
Cyber Crime on the Rise in Japan & Asia Pacific
With cyber attacks on the rise, and impacting Japanese enterprises across the financial services, technology, communications and automotive sectors, this alliance is particularly well timed.
In fact, the financial impact of cyber crime continues to rise in Japan, as evidenced by a 68 percent net increase in the past four years, according to the 2015 Cost of Cyber Crime Study conducted by The Ponemon Institute.
This announcement comes on the heels of a Cybersecurity Alliance signed between Japan and the United States in April 2015 that will contribute to the growth of international cyber norms.
The alliance with Hitachi also builds on previously announced service intelligence feeds to HP Threat Central from a network of other companies, including AlienVault and Crowdstrike.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=af4ac3fed2&e=20056c7556
EU Court Invalidates U.S.-EU Data Sharing Agreement
The Court of Justice of the European Union ruled Oct. 6 that the EU-U.S. data sharing agreement, known as Safe Harbor, is invalid because the United States has failed to ensure that its “law and practices … ensure an adequate level of protection” for Europeans’ right to privacy.
Privacy rights groups and some EU legislators have lauded the European Justice Court’s new ruling.
But the judgment has triggered concern from some businesses, who warn that they will remain stuck in legal limbo until the European Commission creates a new framework to allow U.S. businesses to import Europeans’ private information.
The ruling by Europe’s high court is the culmination of a legal challenge against Facebook, launched by Austrian privacy campaigner Max Schrems, 28, who pointed to documents leaked by Snowden that suggested Europeans’ private information was being shared with U.S. intelligence agencies (see Facebook NSA Case Moves to EU Court).
Europe’s high court, however, has now ruled that Ireland’s data commissioner should have heard the case, saying the Safe Harbor agreement did not override either Europe’s data protection directive or Ireland’s responsibility to serve as an independent body that supervises whether Europeans’ privacy rights are being respected.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fb37160c9d&e=20056c7556
Applying Threat Intelligence Research: The Myth of the Generalist
After a long absence (mostly due to workload and travel schedule), I'm back with part 2 of 5 in this series on threat intelligence.
In part 1, I discussed security incident and event management (SIEM) and its place in a threat intelligence program.
This time I'd like to discuss the "myth of the generalist," something I see lots of organizations struggling with as we talk to companies trying to build and refine their threat intelligence programs.
One of the key things that's happening, as a result of the shortage of high-quality talent, is that security program managers are filling specialist roles with generalists, and that's not going so well.
In my opinion, one of the biggest outcomes of the incredible amount of off-shoring that IT organizations have done over the last 10 years is that there is a severe shortage of qualified talent for the specialist roles for which we have a dire need right now.
Let's take a specific look at the threat intelligence process from the vantage point of the observe, orient, decide, and act (OODA) decision loop.
Functionally, we have 11 pieces, as defined in the research from Optiv Solutions R&D, including: acquisition, secondary development, triage, collaboration, enrichment, distribution, execution, feedback, strategy, governance and measurement.
If we focus on just the steps where we deal with the aggregation and transformation of simple data into actionable information, we can quickly see multiple specialized roles evolving.
Acquisition, secondary development, triage and collaboration/enrichment (collectively known as refinement) are very different and very specialized roles.
The problem with staffing them with a generic "security analyst" is that we completely miss the opportunity to drive excellence.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c27a7065d2&e=20056c7556
Why Network Behavioural Analytics Should be a Critical Part of Your Security Strategy?
Network behavioural analysis, a systematic, architectural approach to network security, involves deep packet analysis to identify advanced persistent threats (APTs) and zero-day attacks.
Similar analytical capabilities are used by the financial and banking sectors to spot fraudulent transactions and card activity.
From an IT perspective, the sophisticated cyber attacks that have plagued Apple, Facebook and Microsoft (with the goal of carrying out industrial espionage) have been detected through behavioural analytics.
Remember, a complex network is a type of self-organising system.
Network behavioural analysis uses a range of techniques to find unusual or altered network activities.
These are often indicators of an advanced persistent threat.
Businesses will never be able to stop every single hacker at the network perimeter, so it is essential to spot abnormal activities occurring on the network before they develop.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f66c5b38ad&e=20056c7556
Most UK Workers Feel More Vulnerable to Data Hacks Than a Year Ago
According to new research from Citrix, the majority (71%) of respondents cited data theft as "inevitable" at some point.
And one in three (33%) 16 to 25-year-olds feel much more vulnerable to hacks, compared with just 15% of over-55s.
While workers clearly feel more at risk of personal data theft than ever before, their approaches to combating the threat look outdated. Two in three respondents (68%) cited physical documentation as a risk and chose shredding as their preferred means of disposing of information; almost a third (30%) still rely on USB memory sticks to back up important data, and just nine percent use the cloud.
"While workers clearly accept their data is at risk, many are still reliant on dated practices, such as using USB sticks and shredding paper documents, to store and protect their information, when more advanced and robust measures are available," Mayers said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a6924453f9&e=20056c7556
New Calif. law mandates warrants for access to private communications
The new law, backed by a number of tech companies and civil liberties groups, requires a judge to approve such access to a person's private information, including data from personal electronic devices, email, digital documents, text messages and location information.
California Electronic Privacy Act (CalECPA, SB 178) was passed in September by the state assembly after the senate passed it in June.
The bill was co-sponsored by the American Civil Liberties Union of California, Electronic Frontier Foundation and California Newspaper Publishers Association.
While providing some exceptions for law enforcement in emergencies or for other public safety requirements, the law also prohibits access to electronic device information by means of physical interaction or electronic communication with the device, except with the specific consent of the authorized possessor of the device, or through other relevant provisions such as a warrant.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=80612e9939&e=20056c7556
Joint Partnership Bolsters Cybersecurity in Indiana; State, Purdue and Intel Team Up for Security Operations Center
WEST LAFAYETTE, Ind.–(BUSINESS WIRE)–Today, Lt. Gov. Sue Ellspermann, who chairs the Indiana Counterterrorism and Security Council, joined Purdue University Chief Information Officer Gerry McCartney and Intel Vice President Rick Echevarria to announce the opening of the state of Indiana Security Operations Center (SOC) near the Purdue campus.
The SOC is a project of the new Indiana Information Sharing and Analysis Center (IN-ISAC), a joint mission of the Indiana Office of Technology, Indiana Department of Homeland Security, Indiana National Guard, Indiana State Police, Purdue University, Intel Security and other private sector partners.
At the outset, the IN-ISAC is focusing on serving Indiana state government and Purdue University through the sharing of threat information and collaboration on strategies.
It provides real-time network monitoring, vulnerability identification and threat warnings of state government computer systems.
Located in Purdue Research Park, the SOC is staffed by a combination of state employees and Purdue students who monitor security incidents across the state of Indiana's computer network.
The students are employed as part of the Purdue Pathmaker Internship Program, which provides career-relevant internships to students on or near campus.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c5f56f6148&e=20056c7556
How to hack-proof your cloud with native AWS tools
On Wednesday, CloudCheckr CTO and founder Aaron Newman presented a breakout session at the 2015 Amazon AWS re:Invent conference detailing some of the ways that AWS users could secure what they have on the platform, using native AWS capabilities.
If you use the AWS platform then, by definition, you share responsibility for security with AWS.
As a customer, you are in charge of security for your applications and content, network security, inventory and configuration, data security, and access control.
AWS is responsible for securing its core products and infrastructure.
So, how do you assess your perimeter security in this new landscape?
Leverage the AWS API.
Since you are building security on top of the AWS API, it is a good idea to monitor the API itself.
AWS CloudTrail records every API call made in your account and supports most AWS services.
Newman said it’s “like the video camera in your data center.” The problem is, most people don’t turn it on in the beginning.
Newman recommends turning it on in every region and setting alerts for any time it could be disabled.
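The two recommendations above (a trail in every region, and an alert whenever someone could disable it) can be checked mechanically. The following is an added example, not code from the talk or from CloudCheckr: it audits trail descriptions in the shape boto3's `describe_trails()` and `get_trail_status()` return, and builds the CloudWatch Events pattern for the CloudTrail API calls that stop or weaken logging. The account, trail names and the sample event are constructed; the `event_matches` helper is a minimal stand-in for the service's own pattern matching.

```python
"""Audit CloudTrail coverage from describe_trails()/get_trail_status()-shaped data
and build the event pattern that fires when logging is switched off.
All account data below is constructed for illustration."""

# Shape follows boto3's cloudtrail.describe_trails()["trailList"]; values are made up.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True, "S3BucketName": "example-cloudtrail-logs"},
    {"Name": "dev-trail", "HomeRegion": "eu-west-1",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/dev-trail",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
     "LogFileValidationEnabled": False, "S3BucketName": "example-dev-logs"},
]

# Shape follows cloudtrail.get_trail_status(Name=arn), keyed here by trail ARN.
SAMPLE_STATUS = {
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail": {"IsLogging": True},
    "arn:aws:cloudtrail:eu-west-1:123456789012:trail/dev-trail": {"IsLogging": False},
}


def audit_trails(trails, status_by_arn):
    """Return (scope, finding) pairs for gaps that leave API calls unrecorded
    or let delivered log files be altered without detection."""
    findings = []
    active_multi_region = [
        t for t in trails
        if t.get("IsMultiRegionTrail") and status_by_arn.get(t["TrailARN"], {}).get("IsLogging")
    ]
    if not active_multi_region:
        findings.append(("account", "no active multi-region trail; calls in uncovered regions are not recorded"))
    for t in trails:
        name = t["Name"]
        if not status_by_arn.get(t["TrailARN"], {}).get("IsLogging"):
            findings.append((name, "trail exists but logging is stopped"))
        if not t.get("LogFileValidationEnabled"):
            findings.append((name, "log file validation disabled; modified or deleted log files cannot be detected"))
        if not t.get("IncludeGlobalServiceEvents"):
            findings.append((name, "global service events (IAM, STS) are not captured"))
    return findings


def tamper_alert_pattern():
    """CloudWatch Events / EventBridge event pattern matching the CloudTrail API calls
    that disable or weaken a trail. Attach it to a rule whose target is an SNS topic."""
    return {
        "source": ["aws.cloudtrail"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["cloudtrail.amazonaws.com"],
            "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"],
        },
    }


def event_matches(event, pattern):
    """Minimal matcher for the subset of the event-pattern language used above:
    every pattern key must be present; lists are allowed values, dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


# Constructed event in the shape CloudWatch Events delivers for a CloudTrail API call.
SAMPLE_STOP_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "contractor"},
        "requestParameters": {"name": "org-trail"},
    },
}

if __name__ == "__main__":
    for scope, finding in audit_trails(SAMPLE_TRAILS, SAMPLE_STATUS):
        print(f"[{scope}] {finding}")
    print("alert fires:", event_matches(SAMPLE_STOP_EVENT, tamper_alert_pattern()))
```

Run against a live account by feeding `describe_trails()["trailList"]` and one `get_trail_status()` result per trail into `audit_trails`; the pattern from `tamper_alert_pattern()` is what you would put in the rule so that the alert itself does not depend on the trail that is being stopped.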
Another good monitoring tool is VPC Flow Logs, which record the accepted and rejected IP traffic entering and leaving the network interfaces in a VPC.
It’s the “metadata about who’s talking to who,” Newman said.
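To show what that metadata looks like and how a defender turns it into questions, here is an added example (not from the talk) that parses flow log records in the default format and answers three of them: who is talking to whom, which external hosts are being rejected on several ports, and which internal hosts are sending accepted traffic to external ports outside an egress allow-list. The log lines, the account, and the VPC CIDR of 10.0.0.0/16 are constructed assumptions.

```python
"""Parse VPC Flow Logs (default format, version 2) and summarise who is talking
to whom. Log lines and the VPC CIDR are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Assumption: the VPC under review is 10.0.0.0/16.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Default flow log record fields, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: 203.0.113.7 probes three ports and is rejected; 10.0.1.20 talks
# to an internal database and then to an external host on 443 and 4444. The last
# record is a NODATA line of the kind the service writes for idle intervals.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51234 22 6 3 180 1444060800 1444060859 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51235 3389 6 3 180 1444060800 1444060859 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51236 445 6 3 180 1444060800 1444060859 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 43210 5432 6 120 48000 1444060800 1444060859 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 43211 443 6 40 9000 1444060800 1444060859 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 43212 4444 6 10 700 1444060800 1444060859 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1444060800 1444060859 - NODATA
"""


def parse_flow_log(text):
    """One dict per usable record; NODATA/SKIPDATA records carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def is_internal(addr):
    return ipaddress.ip_address(addr) in VPC_CIDR


def conversations(records):
    """Bytes per (src, dst, dstport, protocol) for accepted flows: the who-talks-to-whom view."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"], r["dstport"], r["protocol"])] += r["bytes"]
    return dict(totals)


def external_port_probes(records, min_ports=3):
    """External sources rejected on several distinct internal ports look like scans."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and not is_internal(r["srcaddr"]) and is_internal(r["dstaddr"]):
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def unexpected_egress(records, allowed_ports=frozenset({80, 443})):
    """Accepted internal-to-external flows on ports outside the egress allow-list."""
    hits = []
    for r in records:
        if (r["action"] == "ACCEPT" and is_internal(r["srcaddr"])
                and not is_internal(r["dstaddr"]) and r["dstport"] not in allowed_ports):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("conversations:", conversations(recs))
    print("port probes:", external_port_probes(recs))
    print("unexpected egress:", unexpected_egress(recs))
```

Flow logs only carry the 5-tuple, counters and the accept/reject decision, so the questions above are the ones they answer well; a payload-level question still needs packet capture.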
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8a78d17cd2&e=20056c7556
This May, the USPS Office of Inspector General sent bogus emails to a sample population of agency employees as a way of evaluating compliance with incident reporting policies.
The result: 789 of the 3,125 employees baited, or 25 percent, clicked on a phony link in the "phishing" email, according to an IG audit publicly released Wednesday. Most of the would-be victims were administration personnel and operations workers.
After clicking on a test email or even just receiving one, almost nobody (7 percent) reported the incident to the USPS Computer Incident Response Team, as required.
USPS officials said the evaluation took place right at the start of a new cybersecurity training course, adding that the 25 percent click rate is comparable to industry benchmarks for organizations just beginning their training.
The new course focuses on how to identify phishing traps, officials said.
About 18 percent of federal IT professionals ranked phishing among the primary security threats affecting their agencies, while negligent insiders were the most pervasive hazard, garnering 44 percent of votes, according to an Oct.1 Ponemon Institute study.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9185198a15&e=20056c7556
IP Expo Europe: The way you buy threat intelligence will change, says BAE Systems
BAE Systems has made a series of bold predictions about the future of threat intelligence.
Russell Kempley, BAE’s head of technical services for the EMEA region, gave a talk today at IPExpo, titled “The Future of Threat intelligence: how you ingest, analyse and act on threat intelligence?”
Kempley predicts that the future will see a split forming in how organisations and companies use threat intelligence.
Some will not have the need for round-the-clock comprehensive access to threat intelligence; those who think it’s not core to their business, says Kempley, will get their threat intelligence indirectly through vendors.
The advantage of this is, of course, that the vendor can share intelligence across their customer base.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0477922a3f&e=20056c7556
Comparing Different Tools for Threat Sharing
I took a look at two tools for the sharing of threat intelligence data: MISP and IBM's X-Force Exchange.
Although both tools aim to achieve the same result, sharing data, they use different approaches to achieve that goal.
MISP, the Malware Information Sharing Platform, needs to be installed on a server in your infrastructure.
You need a Web server, database and PHP support with a couple of modules.
All of the data is stored on your premises and is under your control.
The hardening of the server, securing access and communication, and providing for backups and redundancy are your responsibility.
Obviously, you fully control what happens with the data.
On the other hand, IBMâs X-Force Exchange is a cloud-based platform.
You need an IBM ID to get full access to the available threat data (anonymous access is also possible but with restrictive usage) and only a browser to get started; there's no need for installing extra software.
All the data is stored in the cloud, so you do not have to worry about backups or redundancy.
MISP is very strong when it comes to building a central indicators of compromise database containing both technical and nontechnical information.
Meanwhile, the Web version of X-Force Exchange provides a much slicker interface for viewing trends and ongoing threat activity, giving you an immediate view on what's happening.
The different tools available for sharing threat intelligence do not exclude each other.
It's perfectly normal to acquire both on-premises and cloud-based solutions and then choose, depending on the type of threat information you are dealing with, where to store the information.
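Both this comparison and the Cisco item above come down to the same operational step: published indicators (IP addresses, subdomains, hashes) are only useful once they are matched against your own logs. The following added example, which is neither MISP's code nor anything Cisco published, loads attributes from a MISP-style JSON event export and matches them against DNS, proxy and file-hash records. It honours MISP's `to_ids` flag (only attributes marked fit for detection are used) and matches domains on label boundaries so that subdomains of a listed domain hit while look-alike names do not. The event, every indicator value and all log lines are constructed; none is a real indicator.

```python
"""Load indicators from a MISP-style event export and match them against DNS,
proxy and file-hash records. All indicator values and log lines are constructed."""
import json
import re

# Shape follows MISP's JSON event export (an "Event" with "Attribute" entries).
# to_ids marks attributes the sharing community considers fit for detection use.
SAMPLE_MISP_EVENT = json.dumps({
    "Event": {
        "info": "constructed exploit-kit infrastructure example",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity", "value": "203.0.113.45", "to_ids": True},
            {"type": "domain", "category": "Network activity", "value": "update-check.example", "to_ids": True},
            {"type": "hostname", "category": "Network activity", "value": "cdn7.static-content.test", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery", "value": "0123456789abcdef" * 4, "to_ids": True},
            {"type": "comment", "category": "Other", "value": "seen in traffic analysis", "to_ids": False},
            {"type": "ip-dst", "category": "Network activity", "value": "198.51.100.200", "to_ids": False},
        ],
    }
})

IP_TYPES = {"ip-dst", "ip-src"}
DOMAIN_TYPES = {"domain", "hostname"}
HASH_TYPES = {"md5", "sha1", "sha256"}


def load_indicators(event_json):
    """Bucket to_ids attributes by kind; everything else is context, not a detection key."""
    ind = {"ips": set(), "domains": set(), "hashes": set()}
    for attr in json.loads(event_json)["Event"]["Attribute"]:
        if not attr.get("to_ids"):
            continue
        t, v = attr["type"], attr["value"].strip().lower()
        if t in IP_TYPES:
            ind["ips"].add(v)
        elif t in DOMAIN_TYPES:
            ind["domains"].add(v.rstrip("."))
        elif t in HASH_TYPES:
            ind["hashes"].add(v)
    return ind


def domain_hit(name, domains):
    """Match the name itself or any parent label, so subdomains of a listed domain count
    but 'notupdate-check.example' does not match 'update-check.example'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed DNS query log, one query per line.
SAMPLE_DNS_LOG = """\
2015-10-06T12:00:01Z client=10.0.1.20 query=www.example.org type=A
2015-10-06T12:00:03Z client=10.0.1.20 query=a1.update-check.example type=A
2015-10-06T12:00:09Z client=10.0.1.31 query=cdn7.static-content.test type=A
2015-10-06T12:00:12Z client=10.0.1.31 query=notupdate-check.example type=A
"""
# Constructed proxy log: timestamp client dst_ip:port url
SAMPLE_PROXY_LOG = """\
2015-10-06T12:00:04Z 10.0.1.20 203.0.113.45:80 http://a1.update-check.example/x.php
2015-10-06T12:00:05Z 10.0.1.22 198.51.100.200:80 http://news.example.net/
"""
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")
PROXY_RE = re.compile(r"^\S+ (?P<client>\S+) (?P<dst>[^:\s]+):\d+ ")


def scan_dns(log_text, ind):
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and domain_hit(m["query"], ind["domains"]):
            hits.append((m["client"], m["query"]))
    return hits


def scan_proxy(log_text, ind):
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and m["dst"] in ind["ips"]:
            hits.append((m["client"], m["dst"]))
    return hits


def scan_hashes(observed, ind):
    """Match file hashes collected from hosts (any case) against the indicator set."""
    return sorted(h.lower() for h in observed if h.lower() in ind["hashes"])


if __name__ == "__main__":
    ind = load_indicators(SAMPLE_MISP_EVENT)
    print("dns hits:", scan_dns(SAMPLE_DNS_LOG, ind))
    print("proxy hits:", scan_proxy(SAMPLE_PROXY_LOG, ind))
    print("hash hits:", scan_hashes(["0123456789ABCDEF" * 4, "ff" * 32], ind))
```

The second ip-dst attribute in the sample has `to_ids` false, so the proxy line to 198.51.100.200 is not reported; that is the behaviour you want when an analyst has recorded an address for context without vouching for it as a detection key.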
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5d7dc1948b&e=20056c7556
The politics of APT reports
Juan Andrés Guerrero-Saade made the argument in a recently-released paper, which he talked about last week at the Virus Bulletin conference in Prague.
Guerrero-Saade believes the race to issue malware discoveries has become part of vendors' marketing campaigns, and there is truth to that.
Sometimes the purpose of issuing a report is to show a vendor, or individual security researcher, is a leader.
That doesn't negate the significance of the find.
But Guerrero-Saade's point is that attribution has to be more carefully analyzed.
In fact one point he makes is that PR and marketing departments should be pulled out of the loop when it comes time to decide what should be in a report and when it should be released.
An example of his concern, Guerrero-Saade told SecurityWeek in an interview, is that threat actors can plant false evidence to throw investigators off track, like including code with strings in Russian and Romanian.
A good CISO, of course, cares less about where a threat has come from than for actionable intelligence.
But more ruthless scrutiny before threat reports are issued will help improve their usefulness.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e11acfde3a&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=a1abee00f1)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)