[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions.
So onto the news:
Ten reasons threat intelligence is here to stay
Threat intelligence has drastically transformed the industry.
In fact, it’s hard to go to a security conference without hearing about threat intelligence.
However, recent articles have turned threat intelligence into quite the controversial debate, with many touting that threat intelligence will do very little to improve cybersecurity.
Well no offense to those individuals, but the fact of the matter is threat intelligence is not going away anytime soon.
In this article, I’ve laid out 10 arguments being made against threat intelligence.
All companies, whether enterprise or SMBs — especially those dealing with proprietary information or customer data — must balance their security resources against their risk tolerance.
And ultimately look at threat intelligence solutions that provide them with the greatest scope of protection.
The only way for companies to defend themselves is by adopting a more pragmatic and intelligent threat response: stopping a compromise at the host, proactively segmenting networks, and spending the time to develop in-depth situational awareness.
Otherwise, the next decade will end up much like the current.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=85c52eb06b&e=20056c7556
Sherlock Threat Intelligence Report: September 2015
August saw an uptick in critical web browser-based attacks via Internet Explorer and Firefox.
These vulnerabilities allow attackers to remotely steal files or execute code at the permission of the web browsing user.
Mozilla even reports attacks exist in the wild for the Firefox vulnerabilities.
Proxy bots have been one of our on-going hunts this year.
Our research indicates that few organizations block outbound proxy protocols.
Shadow IT is difficult to tame.
One of the greatest challenges in Information Security is the human element.
Collectively, we can help each other and push forward toward creating and maintaining systems that are both usable and safe.
As such, we hope these highlights for the last month have been useful to you.
We welcome any conversation on these topics in the comments below!
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=902d10d229&e=20056c7556
2015 THREAT REPORT
This is the first unclassified Australian Cyber Security Centre (ACSC) Threat Report.
All ACSC partner agencies have contributed to provide information tailored for Australian organisations about the threats their networks face from cyber espionage, cyber attacks and cybercrime.
It also contains mitigation and remediation information to organisations to prevent, and respond to, the threat.
Australia’s systems of national interest and critical infrastructure are vulnerable to malicious cyber activity.
In 2014, CERT Australia responded to 11,073 cyber security incidents affecting Australian businesses, 153 of which involved systems of national interest, critical infrastructure and government.
In 2014, the top five non-government sectors assisted by CERT Australia in relation to cyber security incidents were: energy, banking and financial services, communications, defence industry, and transport.
Between 17 October 2014 and 14 January 2015, the AISI reported over 15,000 malware compromises daily to Australian Internet Service Providers (ISPs) for them to action.
Key publications such as the Australian Government Information Security Manual (ISM) and the Strategies to Mitigate Targeted Cyber Intrusions are regularly updated to reflect the increasing sophistication of cyber adversaries targeting Australian networks.
When implemented as a package, the Top 4 Strategies to Mitigate Targeted Cyber Intrusions can mitigate at least 85% of targeted cyber intrusions responded to by the ACSC.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bb7c8fae11&e=20056c7556
Unpatched software vulnerabilities continue to plague businesses
Cybersecurity firm F-Secure says over 70 per cent of businesses continue to leave themselves open to attacks by failing to update their software.
The finding is surprising given the availability of security solutions that can help businesses control and manage software updating within their companies.
However, many businesses continue to neglect the importance and value of updating their software.
A recent F-Secure survey** found that only 27 per cent of companies have a patch management solution.
The problem was particularly evident in France, where only 15 per cent of respondents said their companies had a tool to manage software updates.
On the other hand, 46 per cent of Nordic companies had a patch management solution, making them better prepared to protect their company assets against threats designed to capitalise on software vulnerabilities.
F-Secure Labs reported an 82 per cent increase in exploits targeting a Flash-based vulnerability that was disclosed after the Hacking Team data breach last July***.
Hirvonen said that it’s surges in activity like this that make exploits such prominent security concerns, and why timely and diligent software updating is so important.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=53f17419e3&e=20056c7556
New Research Reveals Finance and Human Resource Departments Believed to Pose Biggest Security Risk to Organizations
Clearswift, a global cybersecurity innovator and data loss prevention provider, today disclosed new research that demonstrates Finance and Human Resources (HR) departments are thought to represent the biggest information security threat to organizations: nearly half of respondents (46 percent) indicated that finance departments posed a security threat to their organization, and 39 percent said the same of HR.
This data was drawn from research conducted by technology research firm Loudhouse on behalf of Clearswift.
Loudhouse polled over 500 information technology decision makers and 4000 employees to determine that male, office-based middle managers in the finance department are viewed as most likely to present an internal security threat, accidental or malicious, by their employers.
Supporting Statistics:
=============
— 33 percent of respondents believe middle management presents the biggest security threat (compared to 19 percent for senior management and 16 percent for executives)
— 49 percent of respondents believe that permanent employees are more likely to cause a breach
— 79 percent of respondents believe that male employees are more likely to cause a breach than female
— 69 percent of respondents believe office-based employees are more likely to cause a breach than those working remotely
— 28 percent of respondents indicated that those aged 35-44 were most likely to be behind malicious data theft
— 88 percent of companies questioned had experienced a security incident in the last 12 months, of which 73 percent were from people they knew: employees, past employees or customers/suppliers
— U.S. security professionals estimated 54 percent of the workforce is in a position where they might cause an accidental security breach, while 5 percent are seen as having the potential to cause a malicious one
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a04ffce7e6&e=20056c7556
New survey shows continued lack of executive confidence in cybersecurity and increases in data loss
A new survey released by Raytheon and Websense, called “Study-Why Executives Lack Security Posture Confidence While Knowing that the Metrics They Use to Gauge it are Ineffective”, “reveals that confidence in [executives’] enterprise security posture is lacking.” The results of a survey of 100 security executives were that less than a third (31%) of the executives feel “very confident” in the organization’s security posture, and “only slightly more than a quarter feel that their communications on security metrics and posture to senior management is effective.” The survey revealed that the overwhelming majority (65%) are only “somewhat confident” in their organization’s security posture.
Further, those responding to the survey indicated that almost 9-in-10 organizations had at least one breach in the last year that resulted in data loss or compromise and nearly 1-in-5 have had three to five breaches in the last year resulting in the loss or compromise of data.
Data breaches and compromises are not going away.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=35b3984a22&e=20056c7556
Fake recruiters on LinkedIn are targeting infosec pros
“There’s a group of fake recruiters on LinkedIn mapping infosec people’s networks.
Not sure what their goal is yet, just a heads-up to others,” Yonathan Klijnsma, a threat intelligence analyst working at Dutch infosec firm Fox-IT, warned via his Twitter account.
“They will approach you by sending a general recruiter message with a profile picture of an attractive woman,” he then explained their modus operandi. “The job will be relative to your job.
They will ‘scout’ a few people (besides you).
After about a week they stop sending out new requests, the profile picture is removed and a bit later their name is changed, making it hard to find these people back in your list (if it’s big).
In about a month the accounts disappear, not sure if on purpose.”
F-Secure’s Sean Sullivan dug a bit into the online presence of these recruiters’ company – Talent Src or Talent Sources – and found an official website that provides no useful information and a skimpy Twitter account that was last updated in January (likely on the date when it was set up).
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1655574bd1&e=20056c7556
DHS selects University of Texas at San Antonio to develop standards for more flexible ISAOs
The Homeland Security Department Sept. 3 announced that it has selected the University of Texas at San Antonio to develop standards and leading practices to help create flexible cyber threat intelligence sharing groups that can be regionally based or established by company size.
The university will work with existing information sharing groups, critical infrastructure owners and operators, federal agencies and other stakeholders to “identify a common set of voluntary standards or guidelines” for forming such information sharing and analysis organizations, or ISAOs, wrote Andy Ozment, the department’s assistant secretary for cybersecurity and communications, in a DHS blog post.
ISAOs would be different from the existing information sharing and analysis centers, which are better known as ISACs, that are formed around specific critical infrastructure sectors or industries such as financial services, oil and gas, aviation and electric, among others.
Typically, owners and operators in those sectors are members of ISACs.
Under the five-year agreement with DHS, once the standards are developed, the university will continue to monitor the progress and address issues that ISAOs may be having in implementing the standards, according to information posted on DHS’s ISAO website.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=aa48197fda&e=20056c7556
Cognitive Research: Learning Detectors of Malicious Network Traffic
The statistical features calculated from flows of malware samples are used to train a classifier of malicious traffic.
This way, the classifier generalizes the information present in the flows and features and learns to recognize a malware behavior.
We use features describing URL structures (such as URL length, decomposition, or character distribution), number of bytes transferred from server to client and vice versa, user agent, HTTP status, MIME type, port, etc.
In our experimental evaluation, we used 305 features in total for each flow.
Learning of the Neyman-Pearson detector is formulated as an optimization problem with two terms: false negatives are minimized while choosing a detector with prescribed and guaranteed (very low) false positive rate.
False negatives and false positives are approximated by empirical estimates computed from the weakly annotated data.
The hypothesis space of the detector is composed of linear decision rules parameterized by a weight vector and an offset.
The described Neyman-Pearson learning is a modification of the Multi-Instance Support Vector Machines (mi-SVM) algorithm.
The mi-SVM treats the flow labels as unobserved hidden variables subject to constraints defined by their bag labels.
The goal is to maximize the instance margin jointly over the unknown instance labels and a linear discriminant function.
Our evaluation of the detectors uses datasets that represent 14 days of real network traffic of a large international company (80,000 seats).
The MIL detector is compared to the SVM detector learned by considering all instances in the malicious bags to be positive and instances in the legitimate bags to be negative.
Figure 2 presents results obtained on the first 150 test flows with the highest decision score computed by both detectors.
The flows were automatically selected from a dataset of 10M test flows.
We have shown how to use bags of flows to represent communication of malware samples.
The bags can be used to train a classifier of malicious flows by computing statistical feature vectors of the flows in a bag and labeling the bags by feeds and other security intelligence.
This has the advantage that the labels of individual flows do not need to be provided which makes the labeling process tractable.
The MIL algorithm used in the detector training minimizes a weighted sum of errors made by the detector on the negative and the positive bags.
The trained flow-based classifier has better performance than a classifier trained from individual flows without forming the bags.
The entire bags can also be classified by computing a new representation that leverages all flows in a bag to capture malware dynamics and behavior in time.
The representation is robust to malware variations attempting to evade detection (e.g. by changing the URL pattern, number of transferred bytes, user agent, etc.).
The invariant representation is based on the idea that malicious flows in a bag will have different statistical properties than legitimate flows in another bag.
This richer information makes it possible to improve the efficacy of learning-based detectors.
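A worked illustration of the bag-based training described in this item (an added example, not code from the Cognitive research team or from the article): flows are grouped into bags, bags are labeled from a feed rather than flow by flow, an mi-SVM-style loop alternates between the hidden instance labels and a linear rule, and the offset is then set Neyman-Pearson style for a prescribed empirical false-positive rate measured on the negative bags. Everything concrete in it is an assumption for illustration: four constructed features in place of the 305 used in the evaluation, a perceptron in place of the SVM quadratic program, and synthetic flows generated by the script itself.

```python
import random

RNG = random.Random(2015)  # fixed seed so the constructed data is reproducible


def make_flow(malicious):
    """Constructed per-flow feature vector (scaled): URL length, share of digits
    in the URL, bytes client->server, bytes server->client. Ranges are invented
    for the example: C2-style flows get long digit-heavy URLs and small
    responses, benign browsing the opposite."""
    if malicious:
        return [RNG.uniform(1.0, 2.0), RNG.uniform(0.5, 0.9),
                RNG.uniform(0.2, 0.6), RNG.uniform(0.0, 0.2)]
    return [RNG.uniform(0.1, 0.5), RNG.uniform(0.0, 0.1),
            RNG.uniform(0.0, 0.2), RNG.uniform(0.3, 1.0)]


def make_bag(label, size=6):
    """A bag is all flows of one host to one domain. A positive bag (domain on a
    feed) mixes a few malicious flows with ordinary ones, so its flows are not
    all malicious; a negative bag is all benign. Labels come from the feed only."""
    if label == 1:
        k = RNG.randint(1, 3)
        flows = [make_flow(True) for _ in range(k)] + [make_flow(False) for _ in range(size - k)]
        RNG.shuffle(flows)
    else:
        flows = [make_flow(False) for _ in range(size)]
    return flows, label


def score(w, b, x):
    """Linear decision rule: weight vector dotted with the features, plus offset."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def train_perceptron(X, y, epochs=50, lr=0.1):
    """Fit w, b to the current instance labels (+1/-1); stands in for the SVM."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for x, t in zip(X, y):
            if t * score(w, b, x) <= 0:
                w = [wi + lr * t * xi for wi, xi in zip(w, x)]
                b += lr * t
    return w, b


def mi_train(bags, rounds=10):
    """mi-SVM-style alternation: instance labels inside positive bags are hidden
    variables. Every flow of a negative bag stays negative; a positive bag must
    keep at least one positive flow (its highest-scoring one)."""
    X = [x for flows, _ in bags for x in flows]
    y = [1 if lab == 1 else -1 for flows, lab in bags for _ in flows]  # init from bag labels
    for _ in range(rounds):
        w, b = train_perceptron(X, y)
        new_y = []
        for flows, lab in bags:
            if lab == 0:
                new_y += [-1] * len(flows)
                continue
            s = [score(w, b, x) for x in flows]
            labels = [1 if v > 0 else -1 for v in s]
            if 1 not in labels:
                labels[s.index(max(s))] = 1
            new_y += labels
        if new_y == y:  # labels stable: the alternation has converged
            break
        y = new_y
    return w, b


def neyman_pearson_threshold(neg_scores, max_fpr):
    """Smallest offset such that at most max_fpr of the negative-bag training
    flows score strictly above it (empirical false-positive estimate)."""
    s = sorted(neg_scores)
    allowed = int(max_fpr * len(s))
    return s[len(s) - 1 - allowed]


def detect_bag(w, b, thr, flows):
    """Bag-level decision: malicious if any flow in the bag exceeds the offset."""
    return max(score(w, b, x) for x in flows) > thr


def evaluate(max_fpr=0.01, n_train=40, n_test=20):
    """Train on feed-labeled bags, calibrate the offset on negative bags, then
    return (bag detection rate, bag false-positive rate) on held-out bags."""
    train = [make_bag(1) for _ in range(n_train)] + [make_bag(0) for _ in range(n_train)]
    test = [make_bag(1) for _ in range(n_test)] + [make_bag(0) for _ in range(n_test)]
    w, b = mi_train(train)
    neg = [score(w, b, x) for flows, lab in train if lab == 0 for x in flows]
    thr = neyman_pearson_threshold(neg, max_fpr)
    hits = sum(detect_bag(w, b, thr, f) for f, lab in test if lab == 1)
    fps = sum(detect_bag(w, b, thr, f) for f, lab in test if lab == 0)
    return hits / n_test, fps / n_test


if __name__ == "__main__":
    print("bag detection rate, bag false-positive rate:", evaluate())
```

Two design points worth noting. The offset is chosen after training, purely from the scores of flows in negative bags, which is what gives the prescribed false-positive rate its empirical guarantee; the classifier's own zero crossing is ignored. And because a bag is flagged when any one of its flows crosses the offset, the bag-level false-positive rate is roughly the flow-level rate multiplied by the bag size, so a per-flow rate has to be set with the typical bag size in mind.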
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0540fbcd12&e=20056c7556
TSA’s ‘Airport of the Future’ Includes More Biometrics and ‘Intelligence-Driven’ Procedures
This week, the Transportation Security Administration released its ambitious strategy to create what the agency describes as the “airport of the future.”
The agency “envisions a future defined by intelligence-driven, risk-based screening procedures and enhanced technology that will enable TSA to employ a flexible, adaptable and robust multilayered approach to detecting an evolving range of threats,” the plan stated.
TSA’s near-term enhancements, which have a 1- to 3-year timetable, include such programs as a checked baggage risk-based security pilot and an open threat assessment platform, which would be an X-ray detection system to help TSA employees complete passenger risk assessment.
The agency’s long-term functional enhancements, which have a 3- to 5-year timetable, included the APEX Screen at Speed program, which would implement advanced and quick screening technology, and the use of more biometrics in security procedures, according to the plan.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=68acdfe22d&e=20056c7556
Chrysler Catches Flak for Patching Hack Via Mailed USB
Six weeks after hackers revealed vulnerabilities in a 2014 Jeep Cherokee that they could use to take over its transmission and brakes, Chrysler has pushed out its patch for that epic exploit.
Now it’s getting another round of criticism for what some are calling a sloppy method of distributing that patch: on more than a million USB drives mailed to drivers via the US Postal Service.
Security pros have long warned computer users not to plug in USB sticks sent to them in the mail, just as they shouldn’t plug in thumb drives given to them by strangers or found in their company’s parking lot, for fear that they could be part of a mass malware mailing campaign.
Now Chrysler is asking consumers to do exactly that, potentially paving the way for a future attacker to spoof the USB mailers and trick users into installing malware on their cars or trucks.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2a67f30dea&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com