[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Identifying the five principal methods of network attacks
A new Intel Security study, which surveyed IT decision makers in European-based companies, found that within UK companies, sales staff are the most exposed to online attacks. This is thanks to their frequent online contact with non-staff members.
51% of UK companies fail to provide sales staff with IT security training.
With the number of suspect URLs soaring 87% between 2013 and 2014, the risk of untrained staff clicking on dangerous links and unwittingly unleashing a browser attack on their organization is also on the rise.
52% of UK organizations fail to train their customer service team, while 60% do not train their receptionists and front-of-house staff.
Most worryingly, more than 1 in 10 UK companies fail to provide mandatory online security training to any of their staff, the highest rate anywhere in Europe.
The principal methods of network attacks that are threatening businesses today are browser attacks (which target unsuspecting staff members with dangerous links), network abuse, stealthy attacks, evasive technologies and SSL attacks (which hide in a company’s encrypted traffic).
Despite this, 75% of UK IT professionals believe their organization’s security strategy always considers the latest threats. However, the research shows that 73% admit their organization’s overall security posture would benefit from a security strategy that takes into consideration solutions that proactively work together and inform each other of their findings – an important and connected strategy for battling advanced stealth attacks.
However, just 19% of UK IT professionals questioned believe DDoS attacks pose the biggest threat to their company network. Designed to force a network outage, DDoS attacks often come with a ransom demand. Yet just 17% believe ransomware poses any real threat to their company network, while a mere 2% believe it is the biggest threat to their company’s security.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ea9cf861bb&e=20056c7556
The Importance of Building an Information Security Strategic Plan
A clear and concise security strategic plan allows executives, management and employees to see where they are expected to go, focus their efforts in the right direction and know when they have accomplished their goals.
An information security strategic plan can position an organization to mitigate, transfer, accept or avoid information risk related to people, processes and technologies. An established strategy also helps the organization adequately protect the confidentiality, integrity and availability of information. The business benefits of an effective information security strategic plan are significant and can offer a competitive advantage. These may include complying with industry standards, avoiding a damaging security incident, sustaining the reputation of the business and supporting commitment to shareholders, customers, partners and suppliers.
A gap assessment of an organization’s current state and existing efforts is an important first step in establishing a security strategic plan. A documented information security program assessment against a defined standard such as ISO/IEC 27002 — especially when that standard is a part of the strategy — enables more efficient planning. Additional steps to building a policy include defining the vision, mission, strategy, initiatives and tasks to be completed so they enhance the existing information security program. The plan should contain a list of deliverables or benchmarks for the initiatives, including the name of the person responsible for each.
Information security is a journey and not a destination. There are always new challenges to meet. Executing a security strategic plan is a critical success factor for organizations that truly want to maximize their ability to manage information risk. Committing to this process takes resources and time. To be fully effective, security leaders need to be viewed as adding value to the business and IT strategic planning processes, focusing on how their strategy can enhance the business and help it succeed.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4ceb9523ea&e=20056c7556
Mobile Malware Threats in 2015: Fraudsters Are Still Two Steps Ahead
Mobile malware remains a significant cybersecurity threat, with 1.12 percent of mobile devices monitored by IBM Trusteer in the first half of 2015 exhibiting an active malware infection. This is equal to PC infection rates, signifying that cybercriminals are shifting their resources and attention to the mobile channel.
Unsurprisingly, financial Trojans were the most prevalent form of mobile malware, with approximately 30 percent of the distinct variants targeted at stealing financial information. The remainder are capable of performing malicious actions such as stealing personal information, sending SMS to premium-rate numbers, keylogging and deploying cryptographic ransomware on the device, effectively hijacking the images and files stored on it.
Mobile malware has become one of the most popular commodities sold in underground venues. Because mobile bots are easy to obtain and monetize, demand is high, and mobile malware regularly sells for upwards of $5,000. This is also the average historical price for PC-based Trojan kits.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=efc382662d&e=20056c7556
New trojan hits Australian banks
Malware analysts from security vendor Bitdefender have discovered new variants of the Dyre family of financial Trojans.
In Australia, the malware went after clients of the Bank of Melbourne and local units of ING, Citibank and HSBC.
According to Bitdefender Labs, 19,000 malicious emails were sent in three days from spam servers in the US, Taiwan, Hong Kong, Denmark, Russia, China, South Korea, UK, Australia and several other areas.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8bfbc1bfec&e=20056c7556
Australians lose $45 million to scams in 2015
The Australian Competition and Consumer Commission also reported it received 45,000 complaints about scams in the first six months of this year.
Data from the commission showed dating and romance scams led to $10 million lost in the six months with “investment schemes” a close second on about $9.1 million.
Other common scams executed on Australians included inheritance scams, fleecing $3.5 million from victims, “Nigerian scams” at $2.3 million and betting schemes at $1.3 million.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b0d47a6c33&e=20056c7556
Using memory analysis to pull Dyre Trojan config
Dyre is a well-known banking Trojan that harvests credentials, primarily targeting online banking. It does this by using man-in-the-browser functionality and dynamic web injects to manipulate content on a financial institution’s website and intercept credentials and sensitive information of the victim. This is where the configuration file comes in. The configuration file contains the proxy server(s) controlled by the attackers and the target bank URLs that trigger the man-in-the-browser to redirect the connection to the designated proxy server.
Because the plaintext configuration file is held in memory, reading it from memory is the easiest way to retrieve it. There are two approaches: take a full memory dump of the system, or dump only the memory of the process Dyre has injected into. With a full memory dump you can use the Volatility plugin dyrescan.
There may be other ways to figure out the exact impact that Dyre is having on your environment. But checking what Dyre says it is doing may be the most effective way. And I think dumping Dyre’s configuration file from memory is a pretty good way to see what Dyre is actually doing. Keep in mind though that Dyre continues to evolve and any techniques to retrieve the configuration file and additional memory contents might need to change with the evolution.
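The second approach above (a dump of the injected process's memory) leaves you with a flat byte image to search. The block below is an added example, not code from the linked post or from the Volatility project: it carves printable strings from such a dump and sorts them into proxy-style host:port pairs and target URLs, which is the shape of information the text says the configuration holds. The sample memory image, the tag names and the addresses are constructed placeholders; the real Dyre configuration syntax is not assumed, so this is a generic carving pass rather than a Dyre-specific parser.

```python
import re

# Constructed sample of a dumped process memory region: binary noise with a few
# plaintext, config-like entries embedded. Tags, proxy addresses and bank URLs
# are hypothetical placeholders, not real Dyre artefacts or Dyre's real syntax.
SAMPLE_PROCESS_MEMORY = (
    b"\x00\x90\x90\xcc\x00\x00MZ\x90\x00\x03\x00\x00\x00"
    b"<serverlist>\x00\x00"
    b"198.51.100.7:443\x00\xff\xfe"
    b"203.0.113.42:4443\x00"
    b"\x00\x00<litem>https://onlinebanking.example-bank.test/login\x00"
    b"\x00\x1b\x1bhttps://secure.example-bank.test/*\x00"
    b"\x00\x00\x00short\x00"          # under the minimum length, so not carved
    b"\xde\xad\xbe\xef" * 8
)

# URL-looking tokens (scheme, host, path, wildcard) and IPv4:port pairs.
URL_RE = re.compile(r"https?://[A-Za-z0-9._\-/*?=&%]+")
HOSTPORT_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")


def carve_strings(mem, min_len=8):
    """Return every run of at least min_len printable ASCII bytes, in image order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(mem)]


def _valid_ipv4(addr):
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def extract_config_candidates(mem, min_len=8):
    """Carve strings from a memory image and split them into proxy-like
    host:port pairs and target-URL candidates, each deduplicated and sorted."""
    proxies, targets = set(), set()
    for text in carve_strings(mem, min_len):
        for m in HOSTPORT_RE.finditer(text):
            ip, port = m.group(1), int(m.group(2))
            if _valid_ipv4(ip) and 0 < port < 65536:
                proxies.add(f"{ip}:{port}")
        for m in URL_RE.finditer(text):
            targets.add(m.group())
    return {"proxies": sorted(proxies), "targets": sorted(targets)}


if __name__ == "__main__":
    # On a real case, read the process dump produced by your memory tooling:
    #   with open("pid_1234.dmp", "rb") as f: mem = f.read()
    found = extract_config_candidates(SAMPLE_PROCESS_MEMORY)
    print("proxy candidates:", found["proxies"])
    print("target candidates:", found["targets"])
```

The carved host:port pairs are the values worth feeding into egress firewall and proxy logs to see whether any host in the environment has already spoken to them, and the URL list tells you which of your own banking relationships the sample is watching. Because the carving is format-agnostic, it also surfaces unrelated strings, so treat the output as leads for an analyst rather than as confirmed IOCs.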
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=92825b376f&e=20056c7556
Creating Your Own Threat Intel Through ‘Hunting’ & Visualization
Many companies today subscribe to some sort of threat intelligence feed. They often get lists of malicious IP addresses and other indicators of compromise (IOCs). These IOCs have the same problems as the attack signatures of yesterday, because indicators are only useful for broad-stroke attacks where perhaps an entire industry is hit with the same malware. They won’t help if you are dealing with a targeted attack that concerns only your company.
Start by collecting as much data as you can. Get data from your SIEM, your log management tools, log files, etc. and collect it in a big data lake. If you already have a columnar data store containing your security data, that’s a great starting point. If you don’t, go get one. For scalability I recommend storing your data on Hadoop in a columnar data format. Unfortunately, your SIEM is not suited for hunting. It doesn’t have the right scalability and is too closed off when it comes to adding analytics and visualization on top of it (see below).
Once the data is in a fast data store, you are ready to let the analysts interact with the data. Don’t expose your analysts to the textual data and have them write SQL queries. You want to empower your analysts, not slow them down. Give them a visual interface to interactively explore the data. Visually displaying large amounts of data requires the use of aggregation.
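The aggregation step the last paragraph calls for is a group-by over the raw events, producing a table small enough to chart. The block below is an added example, not code from the linked article: it rolls constructed proxy log lines up per destination (hits, distinct internal sources, bytes) and then pulls out the destinations contacted by very few hosts, ordered by volume, which is the kind of rare-item view a hunting dashboard would draw. The log format and every host, address and byte count are constructed for the example; in a real deployment the same group-by would run inside the columnar store rather than in Python.

```python
# Constructed proxy log (not from any real environment): one request per line.
SAMPLE_PROXY_LOG = """\
2015-08-14T09:12:01Z src=10.0.0.5 dst=cdn.example.net bytes=1200 status=200
2015-08-14T09:12:03Z src=10.0.0.6 dst=cdn.example.net bytes=800 status=200
2015-08-14T09:12:09Z src=10.0.0.7 dst=cdn.example.net bytes=950 status=200
2015-08-14T09:13:15Z src=10.0.0.5 dst=mail.example.net bytes=300 status=200
2015-08-14T09:13:40Z src=10.0.0.6 dst=mail.example.net bytes=420 status=200
2015-08-14T09:14:02Z src=10.0.0.9 dst=198.51.100.7 bytes=51000 status=200
2015-08-14T09:19:45Z src=10.0.0.9 dst=198.51.100.7 bytes=48000 status=200
2015-08-14T09:20:11Z src=10.0.0.7 dst=updates.example.net bytes=2000 status=200
"""


def parse_line(line):
    """Split 'ts key=value key=value ...' into (src, dst, bytes)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["bytes"])


def aggregate(lines):
    """Group-by destination: request count, distinct internal sources, total bytes.
    This is the shape of table a chart is drawn from, not the raw events."""
    rollup = {}
    for line in lines:
        if not line.strip():
            continue
        src, dst, nbytes = parse_line(line)
        entry = rollup.setdefault(dst, {"hits": 0, "sources": set(), "bytes": 0})
        entry["hits"] += 1
        entry["sources"].add(src)
        entry["bytes"] += nbytes
    return {
        dst: {"hits": e["hits"], "distinct_sources": len(e["sources"]), "bytes": e["bytes"]}
        for dst, e in rollup.items()
    }


def rare_destinations(agg, max_sources=1):
    """Destinations seen from at most max_sources hosts, largest volume first.
    A popular CDN is contacted by everyone; a proxy used by one host is a lead."""
    rare = [dst for dst, e in agg.items() if e["distinct_sources"] <= max_sources]
    return sorted(rare, key=lambda dst: (-agg[dst]["bytes"], dst))


def top_by_bytes(agg, n=3):
    """The n heaviest destinations, as (dst, bytes) pairs ready for a bar chart."""
    ordered = sorted(agg, key=lambda dst: (-agg[dst]["bytes"], dst))
    return [(dst, agg[dst]["bytes"]) for dst in ordered[:n]]


if __name__ == "__main__":
    agg = aggregate(SAMPLE_PROXY_LOG.splitlines())
    for dst, e in sorted(agg.items()):
        print(f"{dst:24} hits={e['hits']:3} sources={e['distinct_sources']:2} bytes={e['bytes']:6}")
    print("rare destinations:", rare_destinations(agg))
```

Two of the constructed destinations stand out once aggregated: a bare IP address that only one workstation talks to but that accounts for most of the bytes, and an update host seen once. Neither appears on any IOC list, which is the point the article makes about targeted activity; the aggregated view surfaces it anyway, and a visual front end only has to render the small rollup table rather than every event.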
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d14190189d&e=20056c7556
Numerous NSS Vulnerabilities Closed in All Ubuntu OSes
Canonical has released details in a security notice about a few NSS vulnerabilities that have been identified and repaired in the Ubuntu 15.04, Ubuntu 14.10, Ubuntu 14.04 LTS and Ubuntu 12.04 LTS operating systems.
The flaws can be fixed by upgrading your system(s) to the latest packages specific to each distribution. To apply the patch, you can simply run the Update Manager application. In general, a standard system update will make all the necessary changes. Apps that use NSS, such as Evolution and Chromium, will have to be restarted before they pick up the fixed library.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7031460e33&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com