[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions.
So onto the news:
Vendor claims these three steps will prevent data breaches
Cheesy headlines aside, Netwrix, a firm that focuses on change and configuration auditing, has published a curious list of steps that are said to be the key in preventing a data breach.
Netwrix makes some valid points, but security isn’t a simple checklist, and if there were a magical list of three things, I’m sure this list would have been sold many times over long before now.
– Ensure that changes are documented.
– Control access to sensitive data.
– Audit and evaluate your environment continuously.
While each of the three (two really) items has valid uses for IT and InfoSec operations, they’re not silver bullets, together or separately.
Truthfully, there is no magical list.
Security isn’t easy, and the more a business grows, the harder security gets. Checklists are not going to solve anything. Even if they could, you’d still need more than two items.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=26ceb6ced8&e=20056c7556
Security now top executive priority across all key IT areas: IDC
Australian business executives have become so concerned about data security that the topic has surpassed all other priorities in all four of IDC’s key technology pillars, the research firm has found.
IDC conducts regular surveys of C-suite executives to ascertain their investment priorities and concerns in various areas. Yet while security has traditionally ranked high on the list, the latest IDC Continuum Survey marked the first time that security had topped the list in every key technology area.
Australia has climbed the ranks of the most-targeted countries, with recent figures variously proclaiming it the world’s biggest target for phishing, the second most-attacked Web target, a growing target for botnet-driven financial attacks, and a growing source of DDoS attacks as well as a target.
Recognising this growing threat profile, IDC has highlighted three key steps for organisations working to take control of their IT security. These include assessing current security solutions – with a particular eye to consolidation, IDC said, while noting that most companies have contracts with an average of 40 security vendors.
Finally, IDC advises, security vendor or services suppliers should be chosen based on their track record in the same vertical, as well as for their risk-management expertise.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4509859afb&e=20056c7556
The 5 Most Common Attack Patterns of 2014
Tripwire is pleased to announce the release of its newest infographic, “Where Are Your Cyberattacks Coming From?” Created in response to the release of Verizon’s 2015 Data Breach Investigations Report (DBIR 2015) back in April, the infographic explains the five most common attack patterns behind today’s data breaches. In this article, I will review each of these methods, identify which industries are most vulnerable to each pattern of attack, and identify real-world examples for each attack type.
– ATTACK PATTERN #1: WEB APPLICATIONS (9.4% OF INCIDENTS)
– ATTACK PATTERN #2: PRIVILEGE MISUSE (10.6% OF INCIDENTS)
– ATTACK PATTERN #3: CYBER ESPIONAGE (18% OF INCIDENTS)
– ATTACK PATTERN #4: CRIMEWARE (18.8% OF INCIDENTS)
– ATTACK PATTERN #5: POINT-OF-SALE (28.5% OF INCIDENTS)
As our infographic demonstrates, organizations today face the pressure of defending against a variety of attack vectors. These threats emphasize the importance of adhering to basic security standards at minimum and pursuing more sophisticated solutions if the resources are available.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=48aa63e557&e=20056c7556
Why It’s Time To Turn Your Business Continuity Management Program On Its Head
Business continuity management historically has focused on protection: protect your people, protect your assets, protect your information, protect your revenue. Essentially, dig in and prepare for a siege.
But in today’s world, protecting what you have isn’t going to get you where you need to be. In every area of business, companies are being forced to proactively meet customer and business demands in new and innovative ways. In marketing, that has involved a shift from huge mass-market campaigns to micro-personalized outreach. In software development, it often requires leaving behind sequential waterfall design methodologies and embracing incremental agile approaches. What about for business continuity management?
Here’s what does need to change to bring about a new business continuity management model:
– Adopt a business-wide perspective.
– Challenge your business continuity management methodology.
– Reconsider your business impact analysis (BIA) process.
– Reinvent intelligent plans.
– Promote collaboration and communication.
– Drive resiliency roadmap innovation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7bcf36335f&e=20056c7556
[Japanese] Govt moves to protect My Number / New cybersecurity measures aim to address data loss fears
The government will establish a cybersecurity unit in an administrative committee that will monitor the My Number system and also set up a Security Operation Center (SOC) (see below) to closely monitor local government networks, The Yomiuri Shimbun has learned.
The government currently handles cybersecurity surveillance and audits only for central government ministries and agencies, but it will now expand coverage to include the JPS and other public corporations as well as independent administrative agencies, sources said.
Under the My Number system set to be rolled out from October, a 12-digit number assigned to each individual will be used for a range of administrative functions including residence registration and pension-related matters.
The SOC will also be set up within this fiscal year to shore up cybersecurity for the Local Government Wide Area Network, which links local governments across the nation with the central government through dedicated lines. The SOC will share information on cyber-attacks with the Government Security Operation Center (GSOC), a government surveillance body operated by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).
The NISC will therefore expand the security coverage of the GSOC to cover some public corporations including the JPS and independent administrative agencies handling important data within this fiscal year. The NISC has already started auditing the networks of central government and independent administrative agencies this fiscal year, and plans to inspect the JPS and other relevant bodies in turns.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5de8b7b5a6&e=20056c7556
Cyber Insecurity: 4 in 10 Midsize Businesses Have Experienced A Data Breach
HARTFORD, Conn.–(BUSINESS WIRE)–Most midsize business leaders view a data breach among their top risks and a majority consider IT security “very important” when selecting a supplier, according to The Hartford’s survey of midsize business owners and C-level executives. They have good reason to be concerned: 43 percent had experienced a data breach in the prior three years, and 13 percent have had a supplier’s data breach impact their business information.
The Hartford survey found most midsize business leaders (82 percent) consider a data breach at least a minor risk to their business. Nearly one-third (32 percent) view it as a major risk.
Recognizing the data risks involving suppliers, more than half of the midsize business leaders (53 percent) surveyed consider IT security and data protection practices very important when selecting a supplier. By comparison, 36 percent consider a supplier’s contingency planning and 28 percent view a supplier’s location relative to their business as very important.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bef34d3954&e=20056c7556
Java updater dumps Ask toolbar adware, replaces it with Yahoo search
Earlier this week Yahoo Chief Executive Marissa Mayer announced a partnership with Oracle in an attempt to get more people using its search service, and cornerstone to that are the millions of Java users struggling to patch what is considered by many to be a notoriously insecure product.
Beginning next month users who install or update the Java software — which is found on almost nine out of 10 PCs in the US — will be prompted to make Yahoo their browser’s default search engine and home page.
And the option to make those changes will be pre-checked, so if the user is in a hurry or isn’t aware of what the change entails, they will find their browser settings changed. These changes aren’t as intrusive as the Ask toolbar, and the more tech literate out there will have no problems reversing the change. But the fact remains that Yahoo is choosing to push its services to users who haven’t explicitly requested them.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cf20080d21&e=20056c7556
Facebook headhunts new chief security officer Alex Stamos from Yahoo
Social media giant Facebook has appointed a new chief security officer, Alex Stamos, headhunted from rival Yahoo – and starting this Monday.
Stamos joins Facebook after its previous CSO, Joe Sullivan, left in April to join taxi company Uber.
At Yahoo under CEO Marissa Mayer, Stamos will have been responsible for many of the improvements in security at the company, particularly the use of encryption for Yahoo Mail, or Ymail, after the Edward Snowden disclosures revealed just how much snooping the US National Security Agency and GCHQ – and, no doubt, other intelligence services – do on insufficiently secured communications.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2bb8bec0d2&e=20056c7556
Stealthy Fobber Malware Takes Anti-Analysis To New Heights
Built off the Tinba banking Trojan and distributed through the elusive HanJuan exploit kit, Fobber info-stealer defies researchers with layers upon layers of encryption.
A stealthy new info-stealing browser injection malware aims to make security researchers’ job very difficult. Fobber evades detection and defies analysis by sliding from one program to another, using randomly generated filenames, encrypting command-and-control communications with a custom algorithm, and encrypting individual pieces of code within the payload, so that each function must be separately, painstakingly decrypted before it can be run.
It also encrypts all communication with the command-and-control server, using a custom algorithm. According to Segura’s blog: “Content sent by the server is signed by its RSA1 key (to prevent botnet hijacking) while the Fobber code has the public key embedded within, notifying the signature before processing the content.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f70c94c0d5&e=20056c7556
Malware getting smarter, stealthier once it breaches networks, Vectra analysis finds
Malicious actors are increasingly using the anonymous Tor network and external remote access tools to instigate targeted attacks that are growing in sophistication and complexity, a Vectra Networks analysis of internal traffic has shown.
The firm’s June Post-Intrusion Report analysed internal monitoring of host-to-host traffic as well as traffic to and from the Internet, allowing the observation of malicious attacks at every phase.
Fully 100 percent of the 40 analysed firms’ networks – including 248,198 hosts – showed one or more of the five indicators of a targeted attack, which Vectra outlined as characterising the various types of attack traffic to traverse internal networks.
These included command-and-control (C&C) communications, which accounted for 32 percent of the 46,610 total threats detected; botnet monetisation (18 percent), internal reconnaissance (13 percent), lateral movement (34 percent), and data exfiltration (3 percent).
This reflected malware that is increasingly active on victim networks once it has breached perimeter defences. Growing use of Tor and HTTPS-secured remote access services had displaced C&C traffic.
C&C activity was most common in technology firms (43 percent), whereas just 1 percent of financial and services organisations experienced C&C type activity.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=123753a0f2&e=20056c7556
Paper: Using .NET GUIDs to help hunt for malware
Today, we publish a paper by Cylance researcher Brian Wallace, who looks at two globally unique identifiers (GUIDs) found in malware created using .NET, which can help link multiple files to the same Visual Studio project. He released a Python tool to safely extract these identifiers; the tool has since been incorporated into VirusTotal.
Although the GUIDs can easily be extracted from executables, not all methods of doing so are safe; hence Brian has written a tool that does so securely and works cross-platform. The tool, GetNETGUIDs, has been published on Cylance’s GitHub page.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3000e67758&e=20056c7556
Signature-Based Detection With YARA
In a previous post, I talked about how you can use STIX, TAXII and CybOX to share threat intelligence.
CybOX provides a common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity. CybOX can contain hashes, strings or registry keys. Information provided via the system can be used to check for the presence of malware inside your environment. YARA is one of the alternatives to using CybOX, but the two are not mutually exclusive.
YARA is a tool designed to help malware researchers identify and classify malware samples. It’s been called the pattern-matching Swiss Army knife for security researchers (and everyone else). It is multiplatform and can be used either from its command-line interface or through your own Python scripts.
Because YARA uses signatures similar to antivirus solutions, it would make sense to reuse these signatures as a rule database. With the use of the script clamav_to_yara.py, you can convert the ClamAV signature database to your own ruleset.
Although signature-based detection with YARA has its limits, it is an easy-to-use and fairly simple way of detecting malware in your environment. It would not be wise to rely on it as the only threat protection measure, but given the straightforward use, missing out on this tool would not be a good idea, either.
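As an added illustration of the ClamAV-to-YARA conversion the article mentions, the script below (my own example, not the clamav_to_yara.py tool) rewrites ClamAV .ndb body signatures as YARA rules; the hex wildcards map almost one-to-one, while file offsets become `at` conditions. The signature names and byte patterns in SAMPLE_NDB are constructed for the example, not real ClamAV entries.

```python
# Added example: converts ClamAV .ndb body signatures into YARA rules.
# (Not the clamav_to_yara.py script the article mentions.)
# .ndb line: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
import re

# Constructed .ndb lines for illustration; not real ClamAV signatures.
SAMPLE_NDB = """\
Example.Trojan.Agent-1:1:*:4d5a90000300{2-8}50450000
Example.Downloader.X:0:0:7f454c46??0101
"""

# Shared wildcards: {n}/{n-m} skip bytes, ?? any byte, hh literal byte.
TOKEN = re.compile(r"\{(\d+)(?:-(\d+))?\}|\?\?|[0-9a-fA-F]{2}")

def hex_to_yara(hexsig):
    """Rewrite a ClamAV hex signature as the body of a YARA hex string."""
    out, consumed = [], 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != consumed:  # unknown construct between tokens
            raise ValueError("unsupported ClamAV construct in %r" % hexsig)
        consumed = m.end()
        if m.group(1) is not None:
            out.append("[%s]" % m.group(0)[1:-1])  # {2-8} -> [2-8]
        else:
            out.append(m.group(0).lower())
    if consumed != len(hexsig):
        raise ValueError("unsupported ClamAV construct in %r" % hexsig)
    return " ".join(out)

def ndb_to_yara(line):
    """Turn one .ndb line into the text of a YARA rule."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("malformed .ndb line: %r" % line)
    name, target, offset, hexsig = fields[:4]
    rule_name = re.sub(r"\W", "_", name)  # YARA identifiers: [A-Za-z0-9_]
    if rule_name[0].isdigit():            # ...and may not start with a digit
        rule_name = "clamav_" + rule_name
    # "*" = anywhere; a bare number = absolute file offset. Relative anchors
    # such as EP+n need YARA's pe module and are left unanchored here.
    condition = "$sig at %s" % offset if offset.isdigit() else "$sig"
    return ("rule %s\n{\n    meta:\n        clamav_name = \"%s\"\n"
            "        clamav_target_type = \"%s\"\n    strings:\n"
            "        $sig = { %s }\n    condition:\n        %s\n}"
            % (rule_name, name, target, hex_to_yara(hexsig), condition))

def convert_ndb(text):
    return [ndb_to_yara(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    print("\n\n".join(convert_ndb(SAMPLE_NDB)))
```

The emitted rules can be saved to a file and loaded with the `yara` command-line tool or yara-python; ClamAV constructs the converter does not recognise (alternations, `*`, relative offsets) are rejected rather than silently mistranslated.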
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6e1f368bd3&e=20056c7556
Understanding the Threat Landscape: Indicators of Compromise (IOCs)
I previously provided a brief overview of how Verisign iDefense characterizes threat actors and their motivations through adversarial analysis. Not only do security professionals need to be aware of the kinds of actors they are up against, but they should also be aware of the tactical data fundamentals associated with cyber-attacks most commonly referred to as indicators of compromise (IOCs). Understanding the different types of tactical IOCs can allow for quick detection of a breach, as well as prevention of a future breach. For purposes of this overview, iDefense breaks IOCs into three distinct categories: email, network and host-based.
– Email Indicators
– Network Indicators
– Host-Based Indicators
Organizations need to be wary of the increasing number of IOCs and implement a system to measure and evaluate the quality of indicators accordingly. Having contextual information to accompany indicators is critical for a machine or a human to make better decisions around resource allocation and determine a proper course of action.
Creating a dynamic database comprised of all the elements, or data fundamentals, that make up the cyber threat landscape, and having them visually displayed in an interconnected contextual manner is a great way to enable people and machines to make better security and business decisions.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=61dc81bcbc&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com