A new variant of the Gameover computer Trojan is targeting job seekers and recruiters by attempting to steal log-in credentials for Monster.com and CareerBuilder.com accounts. Gameover is one of several Trojan programs that are based on the infamous Zeus … Link: http://news.techworld.com/security/3508691/gameover-malware-targets-accounts-on-employment-websites/
Tenable Launches Security “App Store” For SecurityCenter 4.7
“Tenable’s advanced analytics have allowed us to extend SecurityCenter as both a solution for security assessments and one for data center maintenance and operations. We are looking forward to the ‘security apps’ in 4.7,” said Russell Butturini, Senior Enterprise Security Architect at Healthways, a global disease management and well-being provider and ranked #8 on Information Week 500.
These analytics are directly accessible from within the SecurityCenter console and offer extensive visibility for multiple teams – network, security, operations, and compliance. The apps dramatically cut time and resources required to identify and respond to vulnerabilities, advanced threats, and compliance violations without the need to write complex scripts or rely on 3rd party tools.
Extended mobile device coverage to track mobile device types, users, and vulnerabilities through active, passive scanning and MDM integration.
“Tenable’s mandate is to protect its clients 24/7, so we realize that our solutions’ capabilities need to be as dynamic as the current threat landscape,” said Ron Gula, CEO of Tenable. “We provide customers with the only real-time vulnerability management platform with built-in scan, log, and network analysis technology to assess IT infrastructure risk. With this release, we’re making SecurityCenter even more strategic for our customers by providing direct access to the latest security and compliance intelligence as identified by our world class researchers.”
Cybercrime-as-a-Service, the rise of hacking services
The service doesn’t utilize Google for finding vulnerable Web sites on a mass scale, instead it allows the cybercriminal to manually enter the Web site about to get unethically pen-tested. Even if the service cannot automatically hack into the Web site (based on what the service claims are private techniques for exploitation) the specially displayed output is supposed to increase the probability for a successful compromise
At the moment the impact of the specific service is limited due its actual inability cause widespread damage but the availability of a huge quantity of tools and hacking services represents an alarming reality that is causing a sensible increase in blended, automated attacks.
The same Danchev already profiled other DIY tools such as Google Dorks Web site exploitation tools, brute forcing applications and stealth Apache module for backdoor distribution, the greater the number of these tools on the market and the greater the number of cyber criminals who provide for the complete outsourcing of attacks.
According last McAfee report “Cybercrime-as-a-Service” security experts observed a sensible increase for attack-as-a-service proposal, the study profiled as example Password cracking services and Denial-of-services.
“If the budget allows, a budding cybercriminal can skip the process of conducting research, building appropriate tools, and developing an infrastructure to launch a cyberattack by choosing a service that will outsource the entire process.” the report states.
Handling Incident Management in a Virtualized Environment
… however, this is still reason for concern: a large majority of reported vulnerabilities allow an attacker to gain full control of a single hardware platform’s multi-server environment. Consequently, a close look at detection, containment, and response capabilities for the unique needs of VMs is an important step in integrating virtualization into the organization’s security program.
It is in this phase of incident management, security and infrastructure design teams address the unique challenges associated with virtualization.
A few simple steps – not always so simple to implement – will ensure an organization’s ability to detect unwanted behavior and effectively respond as virtual servers spread across the enterprise, including:
For example, critical or high-value breach targets might reside on a host with more than the recommended two NICs (one for partition management and one for VMs to access the physical network).
Implemented using VLANs configured in a virtual switch and VLAN access control lists (VACLs), this example is one way to help ensure unwanted traffic does not pass from a compromised VM to other VMs on the same host.
Remember that many controls you implement on the physical network must be configured in virtual environments, but VMs are by design isolated from controls on your physical network.
Security teams often face two challenges when trying to remove a physical server from service: retention of potential evidence in volatile storage or removal of a device from a critical business process.
For example, removing power from a server starts the process of mitigating business impact, but it also denies forensic analysis of data, processes, keys, and possible footprints left by an attacker. A VMware snapshot is a point-in-time image of a VM, including RAM and the virtual machine disk file (Siebert, 2011). Administrators typically strive to meet four goals when a virtual server is removed from service: 1) contain a breach or malware infestation by removing the affected server from the network; 2) prevent any further damage to, or loss of, information residing on local storage; 3) remove the server to a secure location for forensics analysis; and 4) restore services provided by the VM.
As I wrote in Step 3: Segment virtual networks, this is easily accomplished using documented steps to isolate one or more virtual network segments.
They examine and help remedy system, network, and process design challenges associated with VM placement, incident detection and containment, and business process recovery unique to virtualization.
Hackers break into Energy’s computer networks, put employees at risk
In 2011, Energy’s lab went offline for almost two weeks after a cyber attack against the Northwest National Laboratory in Washington state limited Internet access and took down its website.
Auditors said Energy maintained a number of independent, at least partially duplicative, cybersecurity incident management capabilities that created inefficiencies in the process and security of the network.
Since the report, Energy CIO Bob Brese told Federal News Radio in December he’s trying to modernize the agency’s network in layers and start up a new security operations center.
Former Energy Chief Information Security Officer Gil Vega said in April Energy faced a zero day attack earlier this year and responded quickly because of the cyber threat intelligence coming from the coordination center.
Security incident response procedures: When to do a system shutdown
Shutting down a system in response to an information security incident is arguably the most drastic option that can be taken, but it might be the best option in certain scenarios.
For example, if there were a possibility that an attacker could gain control of a computer system that regulates traffic lights, it would likely be best to disable that system, and thus the traffic lights, because drivers would hopefully know to treat the non-working traffic signals like stop signs.
Such a decision would also depend on the security and availability controls implemented, including if there were controls in place that limited the compromise from spreading to the complete system versus just a compromised account.
In a system that contains no sensitive data and only has availability requirements, the security team could just do a basic calculation of the cost incurred from the downtime versus the recovery cost from containing and remediating the compromised system, and then make a decision based on the numbers.
This will lead into developing a business continuity and disaster recovery plan (BCDRP), which is similar to an incident response plan in that they both need to be developed prior to an incident and periodically tested so if a shutdown becomes necessary, a playbook for dealing with the situation is on hand.
In developing the BCDRP or incident response plan, establish a channel of communication with the necessary people, including the chief information security officer, chief information officer, helpdesk, business owners and marketing so they will be able to quickly make an informed decision about potentially shutting down a system.
For example, a Web server with a Web application susceptible to an SQL injection vulnerability might be shut down while a patch is being developed, a Web application firewall is set up or the configuration is changed to remove access by the Web server to run commands on the system.
Regardless of which option is the best in a given scenario, ensuring a plan and communication channels are in place prior to an incident is critical to minimizing the impact on your organization.