[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
FFIEC Releases Statement on Cyber Attacks Involving Extortion
The Federal Financial Institutions Examination Council (FFIEC) members today issued a statement alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.
The statement describes steps financial institutions should take to respond to these attacks and highlights resources institutions can use to mitigate the risks posed by such attacks.
Financial institutions are also encouraged to notify law enforcement and their primary regulator or regulators of a cyber attack involving extortion.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1bf4aa15bc&e=20056c7556
CYREN Cyber Threat Report: Malware Distribution Peaks on Fridays to Target Employees’ Less Protected Weekend Internet Access
MCLEAN, Va., Nov. 4, 2015 /PRNewswire/ — CYREN (NASDAQ: CYRN) today announced the release of its latest CYREN Cyber Threat Report that examines trends surrounding malware, phishing, spam and other online threats.
Friday Malware Spike Results in Busy Mondays for IT Security Professionals
In the report, CYREN research confirms long-held suspicions that criminals are purposely intensifying their malware distribution on Fridays in order to take advantage of employees who are less protected over the weekend.
Examining daily malware distribution trends during Q3 2015, CYREN detected an average of 2.25 billion malware attachments on Fridays: that’s more than triple the number seen on Mondays during the same quarter.
CYREN’s findings validate the theory that Monday mornings are one of the most common times for threats and breaches to appear on corporate networks due to employees downloading unsafe content on Saturdays and Sundays when using unsecured networks.
When employees take their devices home over the weekend, they often connect to the Internet through public or personal unsecured Wi-Fi networks, and proceed to surf the web, download content, and click on links delivered through email.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3a657f244e&e=20056c7556
Mobile malware evolves: Adware now breaks and roots your phone
The rates of adware-based malware campaigns, known as malvertising, are low but still a threat.
According to Blue Coat, five percent of mobile threats users face were through malvertising campaigns — nothing in comparison to adult websites loading up devices with junkware and malicious code — but techniques are refining and adware is becoming more sophisticated over time.
A new report released by Lookout says auto-rooting apps installed through malicious mobile campaigns are a recent and “worrying” development within Google’s Android ecosystem.
The security team revealed that adware is now becoming trojanized, with malicious adware masquerading as legitimate apps in order to load up malicious code and steal consumer data — after rooting the victim’s device to become firmly entrenched in smartphones and tablets.
The Shuanet, Kemog — also known as ShiftyBug — and Shedun are adware families which Lookout has traced over the past year.
While technically classified as adware, the researchers say the families can now firmly be viewed as Trojans as they are responsible for over 20,000 repackaged malicious apps alone.
The highest detection rates are in the US, Germany, Iran, Russia and India.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=43f97761e0&e=20056c7556
JSocket: Android malware that hijacks legitimate apps
First discovered in June this year, JSocket — most recently known as AlienSpy — is described by Fidelis in a new report as a “reincarnation” of previous malware.
Not only can Java-based JSocket control Linux, Mac and Windows PC systems remotely, but the malicious code is also able to affect mobile devices.
As an example, JSocket is able to take existing mobile apps and embed malware so victims can remain infected all the while using otherwise fully functional and legitimate software on their Android mobile devices.
The malware is able to remotely control and access microphones and cameras, use a mobile device’s GPS systems to track victims and both modify and view text messages and phone call data.
To infect mobile devices, the Trojan is loaded into apps downloadable outside of the official Google Play store, as the malicious code requires an Android APK to function.
This is not the only example of mobile malware developed with remote access capabilities.
The security team from Recorded Future have analyzed malware samples revealing cyberattackers from Iran targeting Android systems through RATs.
NjRAT and XtremeRAT are common examples used in Syrian surveillance campaigns and attacks launched against Israeli, Egyptian, and Saudi Arabian targets.
Fidelis suggests that both consumers and business users not root their devices in the first place, and ensure that the security setting “Allow installation of non-Market applications” is not turned on.
In addition, you should always check what permissions a mobile app requests upon installation — as it is a common practice for mobile malware to request everything.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=417edc80ef&e=20056c7556
Ransomware’s new threat: if you don’t pay, we’ll publish your photos online
The ‘scareware’ variant of the Chimera ransomware trojan has been spotted by the Cologne-based anti-botnet advisory centre, Botfrei (‘Botfree’).
The agency says Chimera is a classic blackmail trojan which is now targeting specific employees in German companies with fake emails about job applications or job offers.
The emails point them to a Dropbox address to get more information but if victims click on the link, Chimera instantly starts to encrypt their computer files and the data on their corporate network.
In an extra twist, Chimera also threatens to publish their photos and other personal information online if they fail to pay the 2.45 bitcoin (£450) ransom.
James also believes Chimera is likely to spread to English-speaking countries such as the UK. “We have seen many variants of CryptoLocker targeted for different countries and tailored for maximum effectiveness and this was very successful.
There is no reason to suggest that this is localised and will only stay in Germany,” he said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=137683876d&e=20056c7556
Stuxnet-style code signing of malware becomes darknet cottage industry
Underground cybercrooks are selling digital certificates that allow code signing of malicious instructions, creating a lucrative and expanding cottage industry in the process, according to new research from threat intelligence firm InfoArmor.
In one case, a hacker tricked a legitimate certificate authority into issuing digital certificates for malware before marketing a cyber-espionage tool called GovRAT.
GovRAT is a malware creation tool that comes bundled with digital certificates for code signing, initially sold through TheRealDeal Market, an underground marketplace on the so-called dark net that’s only accessible using TOR.
The cybercrime or cyber-espionage toolkit was offered for sale at 1.25 Bitcoin ($420, at current rates, or $1,000 at the time) before the seller began selling it privately.
InfoArmor found other posts promoting code-signing certificates in various underground marketplaces.
Hackers price these certificates at between $600-$900 depending on the issuing company.
Code-signing certificates issued by Comodo, Thawte, DigiCert and GoDaddy (firms well known for supplying digital credentials to legitimate software developers) are among those on offer.
The GovRAT malware is probably designed for cyber espionage APT campaigns.
The use of a digital certificate is designed to fool antivirus software.
Once planted, malware signed using the tool can communicate over SSL, obscuring the exfiltration of sensitive data.
Seven banks, some in the US, and 30 defence contractors have also been targeted for attack.
In addition, more than 100 corporations have been hit by malware developed using GovRAT since early 2014.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2aa7404412&e=20056c7556
Throttling mobile malware with per-app VPNs
One way to deter malware is application blacklisting, which relies on IT-managed policies to prevent user-installation of unwanted apps on devices used for business.
Blacklisting can often be applied to mobile devices using an enterprise mobility management (EMM) platform.
However, barriers to blacklisting include maintenance and personal privacy.
To address the former, you can treat blacklists as a stop-loss measure and create them selectively to identify, quarantine and remediate specific malware outbreaks.
This approach can be strengthened by mobile app reputational analysis.
It may not be feasible on BYODs (bring your own devices) because many employers opt against inventorying user-installed personal apps.
More recently, a new method of throttling mobile malware has emerged: per-app virtual private networks (VPNs), which are now available for mobile devices running iOS 9 and Android 5.
Per-app VPNs made their debut in iOS 7, but the feature was limited to app-layer VPN clients that supported the functionality.
In iOS 9, the capability has been integrated into the native iOS VPN client and applies to network-layer (IPsec) VPN tunnels.
In addition, apps configured to authenticate via Kerberos can now automatically launch the native VPN client upon successful authentication.
This makes per-app VPN a lot more usable from an enterprise perspective, and also effective as a way of stopping malware from riding network-layer tunnels into enterprise networks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cfcd6bbb80&e=20056c7556
Kaspersky: Financial institutions in ANZ DDoS attack targets in Q3
Financial institutions in Australia and New Zealand were amongst the first to fall victim to distributed-denial-of-service (DDoS) attacks in the third quarter of 2015, according to Kaspersky’s latest DDoS Intelligence Report.
In its report [PDF], Kaspersky attributed a number of the financial sector’s DDoS attacks to the cyber criminal group, DD4BC, which reportedly stands for “DDoS for Bitcoin”.
Kaspersky said the group had been targeting banks, media groups, and gaming companies since September, and had threatened to take down their customer websites unless a ransom was paid.
Citing findings by Akamai Technologies, Kaspersky said the proportion of attacks by Linux-based bots grew from 37.6 percent in the second quarter, to 45.6 percent in the third quarter; adding that victims were mostly Asian sites belonging to educational institutions and gaming communities.
China received 35 percent of the world’s DDoS attacks, the United States had 21 percent, and South Korea was third with 18 percent of attacks, a 7.9 percentage point jump in attacks for South Korea from the previous quarter.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=664482529c&e=20056c7556
Ireland to lose world-leading cyber-crime research centre
The Royal College of Surgeons in Ireland (RCSI) confirmed it would no longer be supporting the CyberPsychology programme run by Professor Mary Aiken, who spoke on the main stage at the Web Summit yesterday.
Prof Aiken’s work has inspired the latest series of the hit US TV show CSI and was at the forefront of research into cyber-crime and online crime motivation.
RCSI said the decision was made after a “strategic review to better align itself” with its broader objectives and to increase the impact of research in areas of core expertise.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=803a227dae&e=20056c7556
Maximizing Your Investment In Cyberthreat Intelligence Providers
I just published my latest research on threat intelligence: Vendor Landscape: S&R Pros Turn To Cyberthreat Intelligence Providers For Help.
This report builds upon The State Of The Cyberthreat Intelligence Market research from June.
In the new research, I divide the threat intelligence space into four functional areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration.
This research is designed to help readers navigate the crowded threat intelligence provider landscape and maximize limited investment resources.
In this report, we looked at 20 vendors providing a range of tactical, operational, and strategic threat intelligence.
In the report, I use the traditional intelligence cycle as a framework to evaluate threat intelligence providers.
The intelligence cycle consists of five phases:
1) Planning and direction.
2) Collection.
3) Processing.
4) Analysis and production.
5) Dissemination.
The traditional intelligence cycle does have its flaws: the hierarchical model doesn’t reflect real-world intelligence operations, and intelligence takes too long to be created.
As a result, other methodologies have emerged including target centric intelligence and most recently activity based intelligence.
Pragmatically speaking, for most commercial organizations the traditional intelligence cycle is more than sufficient to meet your needs.
The following threat intelligence providers were evaluated in this research: Bitsight Technologies (AnubisNetworks), CrowdStrike, Cyjax, Cytegic, Cyveillance, Digital Shadows, Emerging Threats, FireEye/Mandiant, Flashpoint, IID, Intel 471, iSight Partners, Norse, Recorded Future, SurfWatch Labs, Symantec, Verisign iDefense, Wapack Labs, Webroot, and ZeroFox.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=112659795d&e=20056c7556
Creating and Delivering Actionable Threat Intelligence
The foundational element of a threat intelligence program is building out your organization’s individual Priority Intelligence Requirements (PIRs): What are your threat intelligence goals?
What threats/actors/exploits/leaked information are you looking for?
What does your organization most need to protect?
PIRs must provide situational awareness into the threat landscape and help feed the business’s overall strategic goals.
It’s particularly important that PIRs be evaluated constantly, as the business grows and the threat landscape evolves.
Neither side is static, and therefore a set-it-and-forget-it mentality will turn your threat program into a wasted effort.
An effective threat intelligence program is actionable and allows the organization to understand threats, threat actors and their capabilities; identify risks before they are realized; learn where exposed data may be lurking; mitigate attacks more effectively; and determine countermeasures and controls.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=25cfefbd31&e=20056c7556
Nettitude’s new Cyber Threat Intelligence report reveals increase in targeted phishing emails
This new report details our examination of a global network (in which 82 percent of brute force attacks we observed originated in Hong Kong) and a number of attack trends.
For instance, phishing attacks show no sign of abating, with our research revealing a notable increase in highly advanced and targeted phishing emails, particularly aimed at financial organisations.
We found the US to be the most heavily plagued by phishing attacks, while the UK was the sixth most targeted nation during this period.
Our researchers also noted that attackers typically look to exploit organisations’ Content Management System (CMS) administrator pages that are exposed to the internet, in order to launch attacks via their victims’ domains.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=47c5970a3f&e=20056c7556
Technology Overview for Threat Intelligence Platforms
This research describes for CISOs and IT security leaders how threat intelligence platforms allow security organizations to ingest structured and unstructured threat intelligence so they can visualize, correlate and gain context; securely share TI that is machine-readable; and act on it.
Threat intelligence platforms (TIPs) are an emerging technology, and organizations investigating their use need to pay close attention to their specific requirements and how they are deployed.
An organization’s inability to share TI is an advantage to cyber threat actors.
TI sharing is a force multiplier and is becoming a key element in keeping up with the increasing number of threat actors and the attacks they use.
Some pure-play TI providers and industry groups are now delivering TI in nonproprietary machine-readable formats, accelerating the utility and value of machine-readable threat intelligence (MRTI).
A TIP is positioned to be the most advanced vehicle to take advantage of this development.
The staffing cost of running a TI capability can put this out of the reach of organizations.
A TIP can increase the capacity of existing intelligence teams and lower the threshold required to establish this functionality in existing environments.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1e1e45186e&e=20056c7556
Organizations Call for Major Security Vulnerability Remediation Changes
NEW YORK, NY–(Marketwired – Nov 4, 2015) – NopSec released its latest report today, “2016 Outlook: Vulnerability Risk Management and Remediation Trends.” Based on a recent survey of 200+ security and IT professionals, the report examines the current state of vulnerability risk management, top prioritization and remediation challenges, and 2016 priorities.
“Vulnerability scanners provide visibility into potential network, application and endpoint risks, but much of the value of that data is lost in a never-ending deluge of spreadsheets, ineffective business processes and lack of cross-team communication.
Security teams are already drowning, and more data is not always the answer,” added NopSec’s Vice President of Strategy and Operations, Kevin Ketts. “Organizations need clear visibility on what to fix, as well as when and how to fix it.”
Even though organizations claim to be actively detecting threats across their environment — nearly 70 percent noted they scan on a daily or weekly basis — they are still lost when it comes to next steps.
More than half (51 percent) of organizations surveyed cited data overload as their biggest challenge to prioritizing data generated from vulnerability scanning, followed by lack of resources (46 percent) and too many false positives (34 percent).
Roadblocks to faster remediation include lack of resources (78 percent), competing priorities among internal teams (76 percent) and validity of vulnerability data/ false positives (70 percent).
Organizations recognize the value of additional context with the majority of respondents (85 percent) citing the use of open source, commercial threat intelligence feeds, or a combination of both, within their current vulnerability management programs.
Organizations know that improving prioritization and remediation is critical to drastically reducing the risk of a data breach.
Respondents called out three vulnerability management priorities in 2016: implementing tools to improve vulnerability and threat prioritization (50 percent), scanning networks and applications more frequently (42 percent), and improving communication between remediation teams (40 percent).
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f09a1417fc&e=20056c7556
RSA: Cyber-security industry is “fundamentally broken”, says Amit Yoran
RSA, The Security Division of EMC, today announced new RSA Archer® GRC offerings, enhancing the user experience for all RSA Archer solutions.
New features are engineered to include a walk-up friendly, task-driven user interface and drag-and-drop advanced workflow capabilities to make risk management easy and effective for all “three lines of defense”: business users, risk managers, and the audit team.
Additionally, new features have been added to RSA Archer Operational Risk Management to help streamline how organizations identify, assess, respond, and monitor existing and emerging risks.
New advanced configuration options also are engineered to allow business unit managers to view a history of their risk activity, configure key reports, and customize action buttons to quickly access specific risk-related actions from a single dashboard.
Additionally, RSA Archer Operational Risk Management now is designed to make it easier for risk managers to manage assessment campaigns, track metrics and loss events, and report on risk with thousands of out-of-the-box reports, risk analytics, dashboards and an ad hoc reporting tool.
This helps provide business units and risk managers with a thorough understanding of the risk environment, and enables more effective communication of the potential impact risk could have on the business, both good and bad, to executive management.
By proactively linking risk management to business objectives, risk can be harnessed and become a new source of competitive advantage.
Infosec is “fundamentally broken”.
That was the bold claim today from Amit Yoran, the president of RSA and former cyber-security director at the US Department of Homeland Security.
He was speaking this morning at RSA Middle East in Abu Dhabi, a place, he said, where “if it isn’t gold, it isn’t welcome”.
“Today’s threats are from aggressive professional actors,” said Yoran before proceeding to dump on that “glorious and useless money pit, we call the SIEM.”
It’s indicative of an industry asleep at the wheel, and if nothing is done, warned Yoran, “it’s going to get worse”.
First, advanced protections fail, he said: “Don’t make the mistake of thinking that an anti-malware solution is a strategy.” You can put as many walls up as you want, but sooner or later an adversary is going to find a way around, under or over them.
Second, we need pervasive and true vulnerability awareness, all the way from the network to the endpoint and into the cloud. “You wouldn’t do brain surgery in the dark,” Yoran reminded the audience.
Don’t act first, think first, he said.
The single biggest mistake of any cyber-security team after a breach is to try and clean up their systems before understanding the extent of the breach.
Third, as attackers get more determined, more creative and pick their targets more carefully, identity and authentication is going to get even more important.
Malware, while still big, was the primary attack vector in less than half of recorded cases.
Instead, attackers steal access credentials and just “walk right in”.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=54bfa61411&e=20056c7556
Software-Defined Perimeter enables application-specific access control
SDP shrinks the perimeter down to the servers that deliver critical applications to end users.
By doing that, as shown in the diagram to the left, the “bad actors” are again on the outside of the perimeter and the servers are hidden to them.
This creates a very strong security model.
However, by shrinking the perimeter, the “good guys” are now outside the perimeter as well.
To complete the solution, a process is needed for identifying the “good guys” and providing them secure access to their authorized applications.
To achieve that, Software Defined Perimeter separates the control channel from the packet path.
The control path is used to assess user trust, authenticity, and authorization; and then to establish packet path connectivity for users or systems that are deemed trustworthy.
SDP puts all legitimate users of applications outside the shrunken perimeter, while at the same time providing a robust method for identifying trusted, authorized users to enable very granular access to just the application servers they need to reach.
This model can be applied to provide restricted connectivity (and therefore even more securely) for all types of users and devices, including less trusted users (e.g., contractors, external subject matter experts, business partners) and less trusted devices (e.g., employee mobile devices, non-managed laptops).
Connectivity is productivity, so anything that promotes it without sacrificing security is of huge value.
SDP provides a server perimeter that can be deployed anywhere there is a server.
SDP represents a common access control model that an enterprise can use to control access to any of their applications, independent of location: internal data center, internet data center, cloud service provider, hybrids, and so on.
SDP represents a unified solution not only for restoring security to the traditional enterprise architecture, but also for providing an ideal solution for all the new IT trends of BYOD, cloud migration, and complex business ecosystems.
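The control-path/packet-path split described above, as an added example that is not from the article or any SDP product: a toy controller that checks identity, device posture and authorization before issuing a short-lived HMAC-signed grant, and a gateway that default-denies every connection until it sees a valid grant for its own application. The users, devices, policy table and shared key are all constructed for illustration.

```python
"""Toy Software-Defined Perimeter: control path first, packet path second (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by controller and gateways (in practice: PKI, not a static key).
CONTROLLER_KEY = b"constructed-shared-secret-controller-to-gateway"

# Hypothetical authorization policy: which application servers each identity may reach.
POLICY = {
    "alice@example.test": {"payroll-app", "crm-app"},
    "contractor-bob@partner.test": {"crm-app"},
}

# Constructed device posture records (an EMM/MDM would supply these in practice).
DEVICE_POSTURE = {
    "laptop-01": {"managed": True, "disk_encrypted": True},
    "byod-phone-07": {"managed": False, "disk_encrypted": True},
}


def verify_grant(key, grant, now):
    """Return the grant's claims if the HMAC is valid and it has not expired, else None."""
    try:
        body_b64, tag_b64 = grant.split(".", 1)
        body, tag = base64.b64decode(body_b64), base64.b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged grant
    claims = json.loads(body)
    return None if claims["exp"] < now else claims


class Controller:
    """Control path: assesses user trust, device posture and authorization, then issues a grant."""

    def __init__(self, key, ttl_seconds=60):
        self.key, self.ttl = key, ttl_seconds

    def request_access(self, user, device_id, app, now=None):
        now = time.time() if now is None else now
        posture = DEVICE_POSTURE.get(device_id)
        if posture is None or not posture["disk_encrypted"]:
            return None  # untrusted device: no grant, the server stays hidden
        if app not in POLICY.get(user, set()):
            return None  # identity not authorized for this application
        claims = {"sub": user, "dev": device_id, "app": app, "exp": now + self.ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


class Gateway:
    """Packet path: fronts exactly one application and drops everything without a valid grant."""

    def __init__(self, key, app):
        self.key, self.app = key, app

    def accept(self, grant, device_id, now=None):
        now = time.time() if now is None else now
        if grant is None:
            return False  # default deny: unauthenticated traffic is dropped silently
        claims = verify_grant(self.key, grant, now)
        return claims is not None and claims["app"] == self.app and claims["dev"] == device_id


def demo():
    """Run the scenarios from the article: authorized user, contractor, and an outsider."""
    ctl = Controller(CONTROLLER_KEY, ttl_seconds=60)
    payroll_gw, crm_gw = Gateway(CONTROLLER_KEY, "payroll-app"), Gateway(CONTROLLER_KEY, "crm-app")
    t0 = 1_700_000_000.0  # fixed clock so the outcome is reproducible
    r = {}
    g = ctl.request_access("alice@example.test", "laptop-01", "payroll-app", now=t0)
    r["alice_payroll"] = payroll_gw.accept(g, "laptop-01", now=t0 + 5)
    r["alice_grant_reused_on_crm"] = crm_gw.accept(g, "laptop-01", now=t0 + 5)  # wrong app
    r["alice_expired"] = payroll_gw.accept(g, "laptop-01", now=t0 + 61)        # past TTL
    r["tampered"] = payroll_gw.accept("B" + g[1:], "laptop-01", now=t0 + 5)     # altered claims
    g2 = ctl.request_access("contractor-bob@partner.test", "byod-phone-07", "payroll-app", now=t0)
    r["bob_payroll_grant_issued"] = g2 is not None
    r["bob_payroll"] = payroll_gw.accept(g2, "byod-phone-07", now=t0)
    g3 = ctl.request_access("contractor-bob@partner.test", "byod-phone-07", "crm-app", now=t0)
    r["bob_crm"] = crm_gw.accept(g3, "byod-phone-07", now=t0)
    r["unknown_actor"] = crm_gw.accept(None, "unknown-device", now=t0)  # never spoke to controller
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DROP'}")
```

The grant is bound to one application and one device, so the same token replayed against another gateway, from another device, or after its TTL is dropped exactly like traffic from an actor that never went through the control path.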
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f81422f7c3&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com
If you know someone else who would be interested in this Newsalert, please forward this email.