[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* Disaster recovery in a DevOps world
* Better Security through Benchmarks
* Phishers Creating More Noise to Fool Defenses
* Welcome to the after-hack party
* Kaspersky Lab Reports Significant Increase in Malicious Spam Emails in Q1 2016
* Hackers build alternative to ‘flawed’ CVE bug ID system
* Forward planning is key to combat cybercrime
* Swift Hack Probe Expands to Up to 12 Banks Beyond Bangladesh (3)
* Outdated systems placing maritime vessels at risk of cyber-attack, study suggests
* Cisco Looks to Open Source for ‘Badder Ass’ Internet
* Android will replace passwords with trust scores by 2017
* The next wave of smart Data Loss Prevention solutions
* After Record High Numbers, a Lot of People Still Don’t Know What Ransomware Is
* Microsoft bans common passwords
* SANS MAPS SAP CYBERSECURITY TO TOP TWENTY CIS CRITICAL SECURITY CONTROLS FOR EFFECTIVE CYBER DEFENSE
* Expect UK court disputes over whether general insurance cover applies to cyber incidents, says expert
* New Report Sheds Light on Riskiest Countries for Conducting Business
Disaster recovery in a DevOps world
According to a 2015 survey by IT Revolution Press in conjunction with Puppet Labs, organizations using DevOps deploy code 30 times faster than others, doing deployments multiple times per day.
Moreover, change failure gets cut in half with DevOps and services are restored up to 168 times faster than they are at non-DevOps organizations.
The prime tenet of DevOps is that developers should write code and test their apps in a copy of the production environment their code will run in.
This is often nearly achieved using virtual machines and container solutions like Docker running on individual laptops or desktops.
That is much better, of course, than writing code blindly in Xcode or Visual Studio and then shipping packages to system administrators to deploy. But I said "nearly" because even this kind of virtualization does not simulate the capacity constraints of a real production environment.
It is difficult to run a realistic load test against a containerized microservice on a MacBook Air, for example, whereas load testing against a full Azure Stack deployment would be far more representative and actionable.
As you begin thinking more about continuous disaster recovery, here are some points to consider with your team.
- How do we "tabletop" our disaster recovery procedures?
- Who owns the checklist of procedures to follow?
- Who fires the scripts, or is responsible for the automation?
- How can we simulate failure of a single application, an entire workload, and the infrastructure itself? What types of scenarios would cause failures in each of those key elements?
- What natural employee strengths can I emphasize around disaster recovery? While DevOps tends to blend the roles of developers and operations folks, there will naturally be employees with stronger tendencies and experience in operations who should be empowered to take on the accountability that failover requires. On the development side, coders should be held accountable if their code causes a failover event, and those who gravitate toward being superior debuggers might want to pick up some of the slack here.
- How can I better utilize the disaster recovery sites and existing infrastructure I have already paid for? Is that environment set up for easy virtualization build-up and tear-down? And if it isn't, what do I need to do to get to that ready state?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2380aa5b8e&e=20056c7556
Better Security through Benchmarks
Despite all of the log files and other security information that flows through organizations, most security professionals have a big blind spot, said Steve Kahan, CMO of Thycotic, a provider of privileged account management software, and president of a new organization called Security by the Numbers.
Kahan said his discussions with security pros often revealed their inability to answer a key question: How secure is my organization?
Security by the Numbers aims to change that, by providing benchmarks that help companies understand how their security postures stack up against similar companies.
Companies can visit the Security by the Numbers website to take an online security measurement index survey, the first of what the group hopes will be many such surveys.
It takes roughly 15 minutes to complete, and there is no charge, Kahan said.
The first survey – which is online now — is based on the ISO 27001 standard, which encompasses a broad array of security management best practices, including those involving security policy, software development, incident management and asset management, and is designed to help organizations successfully pass a formal security audit.
These kinds of controls-based metrics are easier for executive managers and boards of directors to understand, said Mark Carney, a member of the Security by the Numbers’ advisory council and CISO of FireMon, a provider of firewall management software.
The group plans to complement — not compete with — the SANS Institute and other existing organizations, he added. “We want to stay true to our niche: showing how you compare with peer groups on useful benchmarks, and providing good comparative metrics.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6b0a01019c&e=20056c7556
Phishers Creating More Noise to Fool Defenses
The criminals behind phishing attacks are creating vast numbers of unique Web pages to host their attacks in an attempt to dodge defenses, according to an industry report.
The number of distinct Website links in phishing attacks jumped by more than 150 percent in five months, showing that phishing remains a major vector of compromise, the Anti-Phishing Working Group stated in a report released on May 24.
In March 2016, phishing emails seen by APWG members contained more than 123,000 unique URLs, up from 48,000 in October 2015.
While the number of URLs has increased dramatically, the number of domains and the number of brands used as camouflage by phishers have remained relatively constant at about 20,000 and 418, respectively, according to the report.
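The gap between 123,000 unique URLs and roughly 20,000 domains is the reason per-URL blocklists lag: every page is new, but the registrable domain and the impersonated brand change far more slowly. The following is an added example, not code from the APWG report or from PandaLabs, that reduces a stream of phishing URLs to registrable domains and flags hostnames carrying a protected brand name under someone else's domain. The brand list, the suffix list, and the sample URLs are constructed, and the suffix handling is a deliberate simplification of the Public Suffix List.

```python
"""
Added example, not from the APWG report: collapse phishing URLs to
registrable domains and flag brand-camouflage hostnames. Brand list,
suffix list and URLs are constructed; the suffix handling is a
simplification of the Public Suffix List.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Brands and their legitimate registrable domains (constructed).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
    "bankofamerica": {"bankofamerica.com"},
}

# A handful of two-label public suffixes; a real tool loads the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.jp"}

# Constructed phishing URLs: three pages on one host, two on another,
# one legitimate PayPal URL and one bare-IP host.
SAMPLE_URLS = [
    "http://paypal.com.verify-account.example/login/4f9a1c",
    "http://paypal.com.verify-account.example/login/88bd02",
    "http://paypal.com.verify-account.example/login/c1e7f3",
    "http://secure-apple-id.example.co.uk/update/1/",
    "http://secure-apple-id.example.co.uk/update/2/",
    "https://www.paypal.com/signin",
    "http://203.0.113.9/~u/bankofamerica/index.htm",
]


def registrable_domain(host):
    """eTLD+1 for a hostname; bare IPv4 addresses are returned unchanged."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(host):
    """Brand whose name appears in a hostname that is not the brand's own, else None."""
    host = host.lower()
    domain = registrable_domain(host)
    for legit in BRAND_DOMAINS.values():
        if domain in legit:
            return None                      # the brand's own domain, not camouflage
    flat = host.replace("-", "").replace("_", "")
    for brand in BRAND_DOMAINS:
        if brand in flat:
            return brand
    return None


def summarize(urls):
    """Unique URL count, registrable-domain count and brand-impersonation hits."""
    domains, brands = Counter(), Counter()
    for url in urls:
        host = urlsplit(url).hostname or ""
        domains[registrable_domain(host)] += 1
        brand = impersonated_brand(host)
        if brand:
            brands[brand] += 1
    return {
        "unique_urls": len(set(urls)),
        "unique_domains": len(domains),
        "brand_hits": dict(brands),
        "top_domains": domains.most_common(3),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_URLS))
```

On the constructed sample, seven unique URLs collapse to four registrable domains, and the two camouflage hosts are caught by the brand check even though none of their paths has been seen before; a list keyed on full URLs would need an entry for each page.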
When cyber-criminals wanted to dodge antivirus programs, they focused on automating the creation of distinct malware binaries—usually called “variants”—overwhelming traditional defenses.
PandaLabs currently sees about 227,000 distinct binaries of malware every day—more than 20 million a year, according to the report.
“As soon as security vendors find a new phishing Website, we attempt to shut it down,” said Luis Corrons, technical director of PandaLabs. “Depending who is hosting it, the lifetime [of the site] is short.”
Most are taken down in hours or days, he said.
But keeping up with the quick churn of Websites—more than 3,000 per day on average—is difficult, Corrons said.
PandaLabs classified almost two-thirds of the malware encountered in a phishing attack as Trojans and about a quarter as potentially unwanted programs.
The remaining malware was classified as viruses, worms or adware.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=65d738087f&e=20056c7556
Welcome to the after-hack party
Hinne Hettema is the team leader of the operational security team at the University of Auckland.
He believes there are six critical security services every organisation should have.
These are security architecture and consulting, security and penetration testing of the deployed environment, monitoring and alerting, incident response, security strategy, and policies.
It is clear from talking with Hettema that he not only thinks differently from many other practitioners about security, but also sees something wrong with how many people approach cybersecurity.
He says they tend to address the challenges through the lens of ethics.
Hettema’s view is that something is wrong with the system and that we should develop a view on its security from the perspective of social philosophy, in particular social contract theory, where a “persons’ moral and/or political obligations are dependent upon a contract or agreement among them to form the society in which they live” (ref: Internet Encyclopedia of Philosophy).
In Hettema’s observation, once a company has been hacked, it becomes a more likely target for future attacks.
He says “An initial compromise may be picked up because something unusual happens – a strange email, an AV alert, an IDS alert.
Then, once an attacker gains a foothold, they change their tooling, and start working with the sort of things most organisations don’t monitor for very well”.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c1c1d4f052&e=20056c7556
Kaspersky Lab Reports Significant Increase in Malicious Spam Emails in Q1 2016
The latest Kaspersky Lab Spam and Phishing Report has discovered that although the quantity of spam emails has been decreasing, they have become more criminalized.
At the same time, the level of malicious mailshots has dramatically increased – Kaspersky Lab products prevented 22,890,956 attempts to infect users via emails with malicious attachments in March 2016, twice the number of attempts reported in February 2016.
There was also a growing amount of ransomware reported throughout the quarter.
This is often propagated through emails with infected attachments – for example Word documents.
The main actor on this field in Q1 was the ransomware Trojan Locky, which has been actively distributed via emails in different languages and has targeted at least 114 countries.
Kaspersky Lab’s findings suggest that spam is becoming more popular for fraudsters to target Internet users, because web browsing is becoming safer.
In Q1 2016 Kaspersky Lab registered 56.3% of spam in email flow.
This is 2.9 percentage points lower than the same period in 2015, when it was 59.2%.
Germany was the country most targeted by malicious mailshots, with a total share of 18.9% of Kaspersky Lab product users in the country targeted this way.
Germany was followed by China (9.43%) and Brazil took third place (7.35%).
For the same period in 2015, the top three countries were Great Britain (7.8%), Brazil (7.4%) and the USA (7.2%).
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7ae90b075a&e=20056c7556
Hackers build alternative to ‘flawed’ CVE bug ID system
Security researchers are urging the infosec community to abandon the MITRE-run CVE scheme for naming flaws in favour of a system that distributes the responsibility for assigning identifiers away from a single, government-run organisation.
The issue came to a head in March this year when a group of security researchers banded together to create a new ID system to catalogue software flaws they say were ignored by MITRE.
The distributed weakness filing (DWF) system was created by Red Hat employee and MITRE board member Kurt Seifried together with researchers Larry Cashdollar, Zachary Wikholm, and Josh Bressers.
Australian security researcher David Jorm today told the AusCERT 2016 conference the problem had gotten so bad that infosec pros were mocking the CVE system by submitting false flaws from fake software they knew MITRE would easily assign a CVE ID to.
One researcher, who identified himself as Justin Timberlake with the email address hellokitty@hotpants.net, reported a flaw in the “simulated reaming algorithm” of a piece of software that turned out to be a “zip file of randomly generated garbage”, Jorm said.
The system will complement CVE; flaws with existing CVE identifiers can be mapped to DWF.
Researchers who have been unable to obtain a CVE can request a DWF from one of the numbering authorities, either by direct email or through Github.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3f8e3c9cd0&e=20056c7556
Forward planning is key to combat cybercrime
Of the $22.2 million, $20 million will be invested over the next four years on a new national Computer Emergency Response Team (CERT), to combat cyber-attacks and cybercrime.
At the time, Amy Adams, Communications Minister stated that “Cybercrime cost our economy $257 million last year and affected more than 856,000 New Zealanders”*.
While identifying and understanding the short and long term costs is important, Rowland says the real key is being prepared, “Estimating what a breach might cost today can help a company better develop a plan for the day when an event does occur.
Determining potential losses can highlight key areas of opportunity for enhancing security strategy, focusing budget and resources on the right vulnerabilities, and preparing the company to respond quickly and resolve a breach more effectively,” says Rowland.
Rowland’s vital tips for organisations on reducing and mitigating the overall impact of a breach include:
-Most importantly, don’t wait: take action now
-Understand the costs of a breach to your organisation
-Plan from a consequence approach – Identifying a hierarchy of consequences based on breach scenarios can focus resources and potential investments in people, process and technology.
-Establish an incident response team and develop a comprehensive incident response plan.
-Test the plan frequently
-Engage a third party as part of the incident response plan – Third-party security responders should have the capabilities to plan for, detect, identify, and extricate cyber threats from the environment, and they should provide the necessary cyber forensics to assess damage and aid recovery
-Train your employees – Security awareness training can become your first line of defence to prevent the initial intrusion vector of many breaches
-Insure your organisation and make sure it’s got you covered – Purchasing cyber insurance is a good best practice for decreasing some costs of a breach, and can help lower the cost per compromised record
-Get leadership involved – Studies show that involving the board of directors in security decisions has a direct dollar correlation to decreasing the cost of a breach
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dd0d48e3da&e=20056c7556
Swift Hack Probe Expands to Up to 12 Banks Beyond Bangladesh (3)
(Bloomberg) — Investigators are examining possible computer breaches at as many as 12 banks linked to Swift’s global payments network that have irregularities similar to those in the theft of $81 million from the Bangladesh central bank, according to a person familiar with the probe.
FireEye, the security firm hired by the Bangladesh bank, has been contacted by the other banks, most of which are in Southeast Asia, because of signs that hackers may have breached their networks, the person said.
They include banks in the Philippines and New Zealand but not in Western Europe or the United States.
There is no indication of whether money was taken.
The expansion of the investigation four months after the discovery of the Bangladesh attack, the biggest known cyber-heist in history, suggests a broad and serious campaign to breach the international financial system.
FireEye declined to comment on the report.
Banks in the U.K. and the U.S. are now pushing for discussions with Swift about how it should help member banks better secure their systems, according to people familiar with the separate talks.
BITS, the section of the Financial Services Roundtable aimed at combating cyber fraud and other technological issues, could be selected to broker those discussions in the U.S., one person said.
In the U.K., banks are privately lobbying the Bank of England and possibly the British Bankers’ Association to press Swift into adopting new security measures, another person said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=367c6fd025&e=20056c7556
Outdated systems placing maritime vessels at risk of cyber-attack, study suggests
The article – published in Engineering and Technology Reference – suggests maritime cyber-attacks would most likely target systems responsible for navigation, propulsion, and cargo-related functions, with many incentives for attackers given that over 90% of world trade occurs via the oceans.
It also illustrates the potential severity of the problem by providing scenarios that demonstrate possible attacks, along with examples of successful cyber-attacks that have already been launched.
But it says there are easy mitigations to help prevent attacks, by increasing awareness and good practice in the industry, enabling the crew and providing them with the necessary tools to prevent and stop some attacks.
The Maritime Cyber Threats Research Group at Plymouth University has been formed to bring together leading-edge multidisciplinary research and practical expertise.
It includes experts in cyber-security and maritime operations, as well as psychology, maritime law and policy, to investigate the marine cyber threat at all levels from theory through to practice.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f5f8daa944&e=20056c7556
Cisco Looks to Open Source for ‘Badder Ass’ Internet
AUSTIN, Texas — Big Communications Event — Cisco needs open source to build a “badder ass” Internet — a network with sufficient performance, reliability and security for major business applications, a company executive said.
“Open source has shifted the innovation model in ways that allow for more rapid development, faster access to products and code for customers, and the ability for Cisco to get innovative technology out the door faster than we could have in the past,” said Lauren Cooney, who heads up Cisco Systems Inc. (Nasdaq: CSCO)’s open source strategy from her position as senior director, strategic programs, in the chief technology and architecture office at Cisco.
For an example of why open source is needed, Cooney suggested the difficulties faced by big online retailers.
Even a millisecond delay to customers is a big expense to a shop doing millions of dollars of transactions every minute.
A tiny delay is long enough for customers to become distracted and cost a retailer sales.
Reducing those kinds of delays requires coordination across the Internet community as a whole to build a “badder ass” — more robust — Internet.
And that requires the innovation speed and cooperation brought by open source.
“People think Cisco is not engaged in open source,” Cooney said.
But Cisco makes at least 1,500 contributions to open source per month, on average.
That figure is based on contributions to Github coming from cisco.com addresses alone.
The actual number is far higher than that, as many people register for Github from their personal email address, rather than business address. “I would guess it’s probably double,” Cooney said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e15fc01d5b&e=20056c7556
Android will replace passwords with trust scores by 2017
Google wants to replace traditional passwords on Android with “trust scores,” and it is planning to do it by 2017.
The announcement was made at the Google I/O conference: the IT giant intends to use the Trust API technology developed by its Advanced Technology and Projects division to compute a trust score.
Google will use a number of metrics, such as typing speed, facial recognition, vocal inflexions, vocal patterns, and proximity to familiar Bluetooth devices and Wi-Fi hotspots to calculate the score.
The new authentication process works on a scale of trust: a low trust score permits only low-privilege operations, while a high score is required to run sensitive applications such as banking and webmail.
A high score is earned by matching biometric information and location-based data.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9e34a70c8e&e=20056c7556
The next wave of smart Data Loss Prevention solutions
DLP is divided into several categories: endpoint DLP and gateway DLP, and, depending on where data resides and how it is used, DLP for data at rest, data in use and data in motion.
AI will also pave the way for the inclusion of effective learning of data transfer and manipulation patterns as part of the Data Loss Prevention solutions of the future.
To this you can add self-repair capabilities and the ability to self-adjust detection and control techniques.
Another DLP concept that will become really familiar in the near future is that of context-aware protection.
Technologies like beacons and geo-location will contribute to the improvement of DLP and AI, enriching the data set required to detect security violations.
To avoid privacy issues, vendors should clearly communicate to businesses what data will be collected by context-aware DLP solutions, and organizations should do the same with their employees, along with informing them about the scope of the implementation.
Communication is the key to make sure all stakeholders understand and accept the implementation terms.
There are numerous systems that are crossing the fine line between personal data and business data.
But, like containerization in the Mobile Device Management context, context-aware DLP solutions will benefit from technologies that differentiate between appropriate-to-share-sensitive data contexts and those that are quite the opposite.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ce4fa137bc&e=20056c7556
After Record High Numbers, a Lot of People Still Don’t Know What Ransomware Is
A Kaspersky study of over 5,000 users in Canada and the US reveals that even though ransomware is today’s most dangerous and prevalent malware infection, a lot of regular users have no idea what it is or what it does.
The study shows that while nearly every security expert dreads even an accidental ransomware infection, almost half of the surveyed users have no idea what it is, or that they can lose critical data to it.
Kaspersky says that users were more scared about other malware categories such as viruses, trojans, and spyware, compared to ransomware, which only 16 percent of the around 5,000 users said they feared.
Of the same 5,000, 43 percent said they didn’t know what ransomware was, to begin with.
An additional nine percent of the 5,000 thought that ransomware refers to someone hacking your social media account and holding it for ransom.
Furthermore, 15 percent of Americans and 17 percent of Canadians think that turning off the device would fix the problem.
That can be dangerous with some infections: if the ransomware is encrypting files at that moment, interrupting the encryption process can in some cases leave the files permanently unrecoverable. Disconnecting the machine from the network is the safer first step.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9aa8f784c7&e=20056c7556
Microsoft bans common passwords
If you use the Microsoft Account service to sign into the company’s various services and have tried to set a too commonly used password, you have already seen Microsoft’s dynamic banning of common passwords in action.
They have created an automated system fed by two sources: lists of usernames and passwords stolen from other companies and organizations and then leaked online or offered for sale, and a constantly updated list of usernames and passwords compiled from the more than 10 million credential attacks their identity systems see every day.
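The article does not show how Microsoft's system works internally, so the following is an added example, not Microsoft's code, of a check with the same shape: a ban list built from two constructed feeds (a leak corpus and credentials observed in attack traffic), a normalisation step applied to both the feeds and the candidate so that near-variants such as "P@ssw0rd1" are rejected alongside "password", and a length rule as the first gate. The feeds and the substitution table are assumptions.

```python
"""
Added example, not Microsoft's code: a dynamically updated banned-password
check. Feeds and the leet substitution table are assumptions.
"""
import re

# Constructed sample feeds; a real deployment streams these from breach
# corpora and from authentication telemetry.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome"]
ATTACK_OBSERVED = ["summer2016", "P@ssw0rd", "iloveyou", "football"]

# Leet substitutions to undo before comparing (assumed table).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Canonical form used for both the ban list and candidates."""
    p = password.lower()
    if not re.search(r"[a-z]", p):
        return p                          # digit-only strings like "123456" compare as-is
    p = re.sub(r"[^a-z]+$", "", p)        # "password123!" -> "password"
    return p.translate(_LEET)             # "p@ssw0rd" -> "password"


class BannedPasswordList:
    """Grows as new feed batches arrive; lookups are O(1) on the normalised form."""

    def __init__(self, *feeds):
        self._banned = set()
        for feed in feeds:
            self.update(feed)

    def update(self, feed):
        self._banned.update(normalize(pw) for pw in feed)

    def is_banned(self, candidate):
        return normalize(candidate) in self._banned

    def __len__(self):
        return len(self._banned)


def check_new_password(candidate, banned, min_length=8):
    """Return (accepted, reason). Length is the first gate, the ban list the second."""
    if len(candidate) < min_length:
        return False, "too short"
    if banned.is_banned(candidate):
        return False, "too common or seen in credential attacks"
    return True, "ok"


# Build the list once from both feeds; call BANNED.update(batch) as new data arrives.
BANNED = BannedPasswordList(LEAKED_PASSWORDS, ATTACK_OBSERVED)

if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Summer2016!", "Tr0ub4dor&3", "abc"]:
        print(pw, check_new_password(pw, BANNED))
```

Because "P@ssw0rd" from the attack feed and "password" from the leak feed normalise to the same string, the list holds eight entries rather than nine, and a candidate such as "Welcome2016" is caught by the "welcome" entry without any wildcard matching. Digit-only strings are compared exactly, so a separate rule is needed for those.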
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=580b7d2911&e=20056c7556
SANS MAPS SAP CYBERSECURITY TO TOP TWENTY CIS CRITICAL SECURITY CONTROLS FOR EFFECTIVE CYBER DEFENSE
Onapsis, the global experts in business-critical application security, today announced a SANS white paper that maps SAP cybersecurity to the CIS Critical Security Controls for Effective Cyber Defense for the first time.
As cyber attacks targeting SAP continue to grow, it is highly recommended that organizations secure their SAP landscape as part of their organization’s overall security posture.
The CIS Critical Security Controls are a set of internationally recognized standards outlining the most important cyber hygiene actions that every organization should implement to protect their information technology (IT) networks.
They are highly regarded by the global IT community as they are developed, refined, validated, and updated by cyber experts who pull data from a variety of public and private threat sources; and are transforming security in government agencies and other large enterprises by focusing spending on the key controls that block known attacks and find the ones that get through.
The SANS paper mapping the CIS Critical Security Controls for Effective Cyber Defense to SAP’s cybersecurity framework outlines a step-by-step approach organizations can take to secure SAP implementations.
This approach is largely application-oriented, but also applies network restrictions to underlying network devices and firewalls, in addition to closing loopholes through operational procedures and training.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1a200a2a58&e=20056c7556
Expect UK court disputes over whether general insurance cover applies to cyber incidents, says expert
FOCUS: UK courts are likely to see an increasing number of disputes over the extent to which insurers are liable for the cost of cyber incidents and data breaches suffered by businesses where those companies make claims under general insurance policies.
A ruling in the US last month shows that general insurance policies can provide businesses with protection against cyber risks when they materialise even if insurers had not anticipated providing such coverage under those policies.
Until the cyber insurance market matures in the UK we can therefore expect many organisations to seek to rely on the terms of general insurance policies to provide coverage against costs they face from cyber incidents.
Insurers may not have anticipated providing cover against such risks under those general policies and so it is likely that disputes will arise as to the scope of cover they provide.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f2ca6744cb&e=20056c7556
New Report Sheds Light on Riskiest Countries for Conducting Business
CAMBRIDGE, Mass., May 26, 2016 /PRNewswire/ — BitSight Technologies, the standard in Security Ratings, today released a new BitSight Insights report titled, “BitSight Insights Global View: Revealing Security Performance Metrics Across Major World Economies,” which examined Security Ratings of a random sample of 250 companies per country from the United States, the United Kingdom, Singapore, Germany, China and Brazil, from May 1, 2015 to May 1, 2016.
The report is intended to inform risk managers and security professionals of the potential cyber risks that may arise when sharing data with partners and vendors across borders.
Key Findings
Companies based in Brazil have the lowest aggregate Security Rating, while companies in the UK, Germany and the United States have the highest.
Brazil and the United States have the poorest performance when it comes to preventing and mitigating machine compromise stemming from botnet infections; Germany and the UK perform the best in the fight against botnets.
Major vulnerabilities in SSL/TLS protocols and implementations, such as Heartbleed, POODLE and FREAK, continue to affect organizations in every country included in the study.
Peer-to-peer file sharing is common across all countries included in the study, except Germany.
China, Brazil and Germany have a higher percentage of poorly configured email security protocols, such as SPF and DKIM.
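"Poorly configured" SPF and DKIM usually means a handful of recognisable mistakes: a `+all` or `?all` terminator that lets any host pass, more than ten DNS-lookup mechanisms so the record evaluates to permerror, a revoked DKIM key (`p=` empty), or a selector left in testing mode. The following is an added example, not from the BitSight report, that audits record strings you have already fetched (for instance with `dig TXT`) for those conditions, so it runs offline. All domains and records below are constructed.

```python
"""
Added example, not from the BitSight report: a static audit of SPF and
DKIM TXT records for the misconfigurations that make a domain easy to
spoof. Records and domain names are constructed.
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

SAMPLE_SPF = {
    "weak.example": "v=spf1 include:_spf.mail.example +all",
    "neutral.example": "v=spf1 ip4:203.0.113.0/24 ?all",
    "bloated.example": "v=spf1 " + " ".join(
        "include:spf%d.example" % i for i in range(11)) + " -all",
    "good.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "none.example": "",
}

# Selector records as found at selector._domainkey.domain (key material truncated).
SAMPLE_DKIM = {
    "revoked": "v=DKIM1; k=rsa; p=",
    "testing": "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7",
    "good": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7",
}


def _mechanism(term):
    """'-include:x.example' -> 'include'; 'redirect=x' -> 'redirect'; 'a' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def _qualifier(term):
    return term[0] if term[0] in "+-~?" else "+"


def audit_spf(record):
    """Return a list of findings for one SPF record; empty means nothing found."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: any host may claim to send for this domain"]
    terms = terms[1:]
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        q = _qualifier(all_term)
        if q == "+":
            findings.append("'+all': every host on the Internet passes SPF")
        elif q == "?":
            findings.append("'?all': neutral result, receivers will not reject spoofed mail")
        elif q == "~":
            findings.append("'~all': softfail only; use '-all' once all legitimate senders are listed")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS-lookup terms: over the limit of 10, record evaluates to permerror" % lookups)
    if any(_mechanism(t) == "ptr" for t in terms):
        findings.append("'ptr' mechanism: deprecated by RFC 7208 and slow to evaluate")
    return findings


def audit_dkim(record):
    """Return findings for one DKIM selector record."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if not tags.get("p"):
        findings.append("empty 'p=': key revoked, signatures cannot be verified")
    if "y" in tags.get("t", ""):
        findings.append("'t=y': testing mode, verifiers treat signed mail as unsigned")
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected 'v=%s'" % tags["v"])
    return findings


def audit_all(spf_records, dkim_records):
    """Map every domain and selector to its findings so the weak ones can be listed together."""
    report = {d: audit_spf(r) for d, r in spf_records.items()}
    report.update({"dkim:" + s: audit_dkim(r) for s, r in dkim_records.items()})
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SPF, SAMPLE_DKIM).items():
        print(name, findings or ["ok"])
```

The corrected form of the weak record is the `good.example` entry: an explicit `ip4:` range, one `include:`, and `-all`. The checks are syntactic only; whether the hosts listed are the ones that really send mail for the domain, and whether DMARC ties SPF and DKIM to the From: header, still has to be verified separately.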
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bea362c4ef&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)