Month: April 2013

When sending spear phishing emails, attackers opt for file names with common business terms to lure unsuspecting users into opening the malware and initiating the attack. These terms fall into three general categories: shipping and delivery, finance, and general business.

Instances of malware are uncovered that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems since the malware doesn’t generate any activity.

By avoiding the more common .exe file type, attackers leverage DLL files to prolong infections. Ashar Aziz, FireEye founder and CTO said: “As cybercriminals invest more in advanced malware and innovations to better evade detection, enterprises must rethink their security infrastructure and reinforce their traditional defenses with a new layer of security that is able to detect these dynamic, unknown threats in real time.”

Link: http://www.net-security.org/malware_news.php?id=2455

“ICS-CERT encourages asset owners to review their network for these common security gaps and take measures to eliminate known system vulnerabilities,” ICS-CERT wrote.

For some organizations, the network architecture was not well understood, or the administrators were not consistently enforcing remote login policies or controlling incoming and outgoing media.

Along with improperly deployed network devices, the assessment uncovered configuration issues, such as weak testing environments, weak backup and restore capabilities, and poor or limited patch management.

“The assessments also assisted these organizations in identifying and prioritizing their most critical vulnerabilities requiring immediate attention and provided real-time resolutions and recommendations for enhancing their security awareness and defensive posture,” ICS-CERT said.

Link: http://www.securityweek.com/ics-cert-examines-3-years-data-reveal-common-vulnerabilities-critical-asset-owners

After a wave of cyber attacks hit a Federal Reserve website, the New York Times and other news outlets, and U.S. banks, President Barack Obama issued an executive order in February to better protect businesses and critical assets, such as pipelines and power grids.

The SEC issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information is material, meaning it would affect an investor’s willingness to buy, hold, or sell the company’s stock.

“For the sake of investors, the SEC needs to figure out a way of enforcing the appropriate disclosure of material cyber attacks,” said Jacob Olcott, who led a congressional review as counsel to Senator Jay Rockefeller, a West Virginia Democrat, that resulted in the SEC guidance.

Cyber attacks are more likely to be material for some companies than others, Brian Lane, a former SEC corporation finance director, said in an interview.

Almost all of the top 100 U.S. companies by revenue said they rely on technology that may be vulnerable to security breaches, theft of proprietary data and disrupted operations, according to a review of their most recent annual reports.

ConocoPhillips, one of at least six major U.S. and European energy companies reported by Bloomberg to have been breached by China-based hackers beginning in 2009, said in its 2012 annual report no cyber breaches “had a material effect.”

Coca-Cola acknowledged its “information systems are a target of attacks,” in its 10-K and said the disruptions “to date have not had a material effect on our business, financial condition or results of operations.”

If a company doesn’t disclose an attack in an SEC filing that was reported in the news media, “don’t be surprised if we ask you to provide us with a materiality analysis,” Jim Lopez, an SEC branch chief for disclosure operations, said at a Washington conference in February.

While Verizon said in its 2012 10-K the cyber attacks it experienced haven’t been material, the company said the potential costs of a major assault include “expensive incentives” to keep customers, a jump in security spending, lost revenue and damage to the company’s reputation.

Link: http://www.bloomberg.com/news/2013-04-04/cyberattacks-abound-yet-companies-tell-sec-losses-are-few.html