{"id":1142,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail55-wdc03-rsgsv-net\/"},"modified":"2021-12-30T11:38:50","modified_gmt":"2021-12-30T11:38:50","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail55-wdc03-rsgsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail55-wdc03-rsgsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail55.wdc03.rsgsv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s]<br \/>\nApart from the reporter&#8217;s opinions \ud83d\ude09<br \/>\nSo onto the news:<\/p>\n<p>Ten reasons threat intelligence is here to stay<br \/>\nThreat intelligence has drastically transformed the industry.<br \/>\nIn fact, it&#8217;s hard to go to a security conference without hearing about threat intelligence.<br \/>\nHowever, recent articles have turned threat intelligence into quite the controversial debate, with many touting that threat intelligence will do very little to improve cybersecurity.<br \/>\nWell, no offense to those individuals, but the fact of the matter is threat intelligence is not going away anytime soon.<br \/>\nIn this article, I\u2019ve laid out 10 arguments being made against threat intelligence.<br \/>\nAll companies, whether enterprise or SMBs &#8212; especially those dealing with proprietary information or customer data &#8212; must balance their security resources against their risk tolerance.<br \/>\nAnd ultimately look at threat intelligence 
solutions that provide them with the greatest scope of protection.<br \/>\nThe only way for companies to defend themselves is by adopting a more pragmatic and intelligent threat response: stopping a compromise at the host, proactively segmenting networks, and spending the time to develop in-depth situational awareness.<br \/>\nOtherwise, the next decade will end up much like the current.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=85c52eb06b&#038;e=20056c7556<\/p>\n<p>Sherlock Threat Intelligence Report: September 2015<br \/>\nAugust saw an uptick in critical web browser-based attacks via Internet Explorer and Firefox.<br \/>\nThese vulnerabilities allow attackers to remotely steal files or execute code at the permission of the web browsing user.<br \/>\nMozilla even reports attacks exist in the wild for the Firefox vulnerabilities.<br \/>\nProxy bots have been one of our on-going hunts this year.<br \/>\nOur research indicates that few organizations block outbound proxy protocols.<br \/>\nShadow IT is difficult to tame.<br \/>\nOne of the greatest challenges in Information Security is the human element.<br \/>\nCollectively, we can help each other and push forward toward creating and maintaining systems that are both usable and safe.<br \/>\nAs such, we hope these highlights for the last month have been useful to you.<br \/>\nWe welcome any conversation on these topics in the comments below!<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=902d10d229&#038;e=20056c7556<\/p>\n<p>2015 THREAT REPORT<br \/>\nThis is the first unclassified Australian Cyber Security Centre (ACSC) Threat Report.<br \/>\nAll ACSC partner<br \/>\nagencies have contributed to provide information tailored for Australian organisations about the threats their networks face from cyber espionage, cyber attacks and cybercrime.<br \/>\nIt also contains mitigation and remediation 
information to organisations to prevent, and respond to, the threat.<br \/>\nAustralia\u2019s systems of national interest and critical infrastructure are vulnerable to malicious cyber activity.<br \/>\nIn 2014, CERT Australia responded to 11,073 cyber security incidents affecting Australian businesses, 153 of which involved systems of national interest, critical infrastructure and government.<br \/>\nIn 2014, the top five non-government sectors assisted by CERT Australia in relation to cyber security incidents were: energy, banking and financial services, communications, defence industry, and transport.<br \/>\nBetween 17 October 2014 and 14 January 2015, the AISI reported over 15,000 malware compromises daily to Australian Internet Service Providers (ISPs) for them to action.<br \/>\nKey publications such as the Australian Government Information Security Manual (ISM) and the Strategies to Mitigate Targeted Cyber Intrusions are regularly updated to reflect the increasing sophistication of cyber adversaries targeting Australian networks.<br \/>\nWhen implemented as a package, the Top 4 Strategies to Mitigate Targeted Cyber Intrusions can mitigate at least 85% of targeted cyber intrusions responded to by the ACSC.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=bb7c8fae11&#038;e=20056c7556<\/p>\n<p>Unpatched software vulnerabilities continue to plague businesses<br \/>\nCybersecurity firm F-Secure says over 70 per cent of businesses continue to leave themselves open to attacks by failing to update their software.<br \/>\nThe finding is surprising given the availability of security solutions that can help businesses control and manage software updating within their companies.<br \/>\nHowever, many businesses continue to neglect the importance and value of updating their software.<br \/>\nA recent F-Secure survey** found that only 27 per cent of companies have a patch management solution.<br \/>\nThe problem was 
particularly evident in France, where only 15 per cent of respondents said their companies had a tool to manage software updates.<br \/>\nOn the other hand, 46 per cent of Nordic companies had a patch management solution, making them better prepared to protect their company assets against threats designed to capitalise on software vulnerabilities.<br \/>\nF-Secure Labs reported an 82 per cent increase in exploits targeting a Flash-based vulnerability that was disclosed after the Hacking Team data breach last July***.<br \/>\nHirvonen said that it\u2019s surges in activity like this that make exploits such prominent security concerns, and why timely and diligent software updating is so important.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=53f17419e3&#038;e=20056c7556<\/p>\n<p>New Research Reveals Finance and Human Resource Departments Believed to Pose Biggest Security Risk to Organizations<br \/>\nClearswift, a global cybersecurity innovator and data loss prevention provider, today disclosed new research that demonstrates Finance and Human Resources (HR) departments are thought to represent the biggest information security threat to organizations, with nearly half of respondents (46 percent) indicating that finance departments posed a security threat to their organization and 39 percent saying the same of HR.<br \/>\nThis data was drawn from research conducted by technology research firm Loudhouse on behalf of Clearswift.<br \/>\nLoudhouse polled over 500 information technology decision makers and 4000 employees to determine that male, office-based middle managers in the finance department are viewed as most likely to present an internal security threat, accidental or malicious, by their employers.<br \/>\nSupporting Statistics:<br \/>\n=============<br \/>\n&#8212; 33 percent of respondents believe middle management presents the biggest security threat (compared to 19 percent for senior management and 16 
percent for executives)<br \/>\n&#8212; 49 percent of respondents believe that permanent employees are more likely to cause a breach<br \/>\n&#8212; 79 percent of respondents believe that male employees are more likely to cause a breach than female<br \/>\n&#8212; 69 percent of respondents believe office-based employees are more likely to cause a breach than those working remotely<br \/>\n&#8212; 28 percent of respondents indicated that those aged 35-44 were most likely to be behind malicious data theft<br \/>\n&#8212; 88 percent of companies questioned had experienced a security incident in the last 12 months, of which 73 percent were from people they knew: employees, past employees or customers\/suppliers<br \/>\n&#8212; U.S. security professionals estimated 54 percent of the workforce is in a position where they might cause an accidental security breach, while 5 percent are seen as having the potential to cause a malicious one<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=a04ffce7e6&#038;e=20056c7556<\/p>\n<p>New survey shows continued lack of executive confidence in cybersecurity and increases in data loss<br \/>\nA new survey released by Raytheon and Websense, called \u201cStudy-Why Executives Lack Security Posture Confidence While Knowing that the Metrics They Use to Gauge it are Ineffective\u201d \u201creveals that confidence in [executives\u2019] enterprise security posture is lacking.\u201d The results of a survey of 100 security executives were that less than a third (31%) of the executives feel \u201cvery confident\u201d in the organization\u2019s security posture, and \u201conly slightly more than a quarter feel that their communications on security metrics and posture to senior management is effective.\u201d The survey revealed that the overwhelming majority (65%) are only \u201csomewhat confident\u201d in their organization\u2019s security posture.<br \/>\nFurther, those responding to the 
survey indicated that almost 9-in-10 organizations had at least one breach in the last year that resulted in data loss or compromise and nearly 1-in-5 have had three to five breaches in the last year resulting in the loss or compromise of data.<br \/>\nData breaches and compromises are not going away.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=35b3984a22&#038;e=20056c7556<\/p>\n<p>Fake recruiters on LinkedIn are targeting infosec pros<br \/>\n&#8220;There&#8217;s a group of fake recruiters on LinkedIn mapping infosec people&#8217;s networks.<br \/>\nNot sure what their goal is yet, just a heads-up to others,&#8221; Yonathan Klijnsma, a threat intelligence analyst working at Dutch infosec firm Fox-IT, warned via his Twitter account.<br \/>\n&#8220;They will approach you by sending a general recruiter message with a profile picture of an attractive woman,&#8221; he then explained their modus operandi. &#8220;The job will be relative to your job.<br \/>\nThey will &#8216;scout&#8217; a few people (besides you).<br \/>\nAfter about a week they stop sending out new requests, the profile picture is removed and a bit later their name is changed (making it hard to find these people back in your list if it&#8217;s big).<br \/>\nIn about a month the accounts disappear, not sure if on purpose.&#8221;<br \/>\nF-Secure&#8217;s Sean Sullivan dug a bit into these recruiters&#8217; company&#8217;s &#8211; Talent Src or Talent Sources &#8211; online presence and found an official website that provides no useful information and a skimpy Twitter account that was last updated in January (likely on the date when it was set up).<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=1655574bd1&#038;e=20056c7556<\/p>\n<p>DHS selects University of Texas at San Antonio to develop standards for more flexible ISAOs<br \/>\nThe Homeland Security Department Sept. 
3 announced that it has selected the University of Texas at San Antonio to develop standards and leading practices to help create flexible cyber threat intelligence sharing groups that can be regionally based or established by company size.<br \/>\nThe university will work with existing information sharing groups, critical infrastructure owners and operators, federal agencies and other stakeholders to &#8220;identify a common set of voluntary standards or guidelines&#8221; for forming such information sharing and analysis organizations, or ISAOs, wrote Andy Ozment, the department&#8217;s assistant secretary for cybersecurity and communications, in a DHS blog post.<br \/>\nISAOs would be different from the existing information sharing and analysis centers, which are better known as ISACs, that are formed around specific critical infrastructure sectors or industries such as financial services, oil and gas, aviation and electric, among others.<br \/>\nTypically, owners and operators in those sectors are members of ISACs.<br \/>\nUnder the five-year agreement with DHS, once the standards are developed, the university will continue to monitor the progress and address issues that ISAOs may be having in implementing the standards, according to information posted on DHS&#8217;s ISAO website.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=aa48197fda&#038;e=20056c7556<\/p>\n<p>Cognitive Research: Learning Detectors of Malicious Network Traffic<br \/>\nThe statistical features calculated from flows of malware samples are used to train a classifier of malicious traffic.<br \/>\nThis way, the classifier generalizes the information present in the flows and features and learns to recognize a malware behavior.<br \/>\nWe use features describing URL structures (such as URL length, decomposition, or character distribution), number of bytes transferred from server to client and vice versa, user agent, HTTP status, MIME type, 
port, etc.<br \/>\nIn our experimental evaluation, we used 305 features in total for each flow.<br \/>\nLearning of the Neyman-Pearson detector is formulated as an optimization problem with two terms: false negatives are minimized while choosing a detector with a prescribed and guaranteed (very low) false positive rate.<br \/>\nFalse negatives and false positives are approximated by empirical estimates computed from the weakly annotated data.<br \/>\nThe hypothesis space of the detector is composed of linear decision rules parameterized by a weight vector and an offset.<br \/>\nThe described Neyman-Pearson learning is a modification of the Multi-Instance Support Vector Machines (mi-SVM) algorithm.<br \/>\nThe mi-SVM treats the flow labels as unobserved hidden variables subject to constraints defined by their bag labels.<br \/>\nThe goal is to maximize the instance margin jointly over the unknown instance labels and a linear discriminant function.<br \/>\nOur evaluation of the detectors uses datasets that represent 14 days of real network traffic of a large international company (80,000 seats).<br \/>\nThe MIL detector is compared to the SVM detector learned by considering all instances in the malicious bags to be positive and instances in the legitimate bags to be negative.<br \/>\nFigure 2 presents results obtained on the first 150 test flows with the highest decision score computed by both detectors.<br \/>\nThe flows were automatically selected from a dataset of 10M test flows.<br \/>\nWe have shown how to use bags of flows to represent communication of malware samples.<br \/>\nThe bags can be used to train a classifier of malicious flows by computing statistical feature vectors of the flows in a bag and labeling the bags by feeds and other security intelligence.<br \/>\nThis has the advantage that the labels of individual flows do not need to be provided, which makes the labeling process tractable.<br \/>\nThe MIL algorithm used in the detector training 
minimizes a weighted sum of errors made by the detector on the negative and the positive bags.<br \/>\nThe trained flow-based classifier has better performance than a classifier trained from individual flows without forming the bags.<br \/>\nThe entire bags can also be classified by computing a new representation that leverages all flows in a bag to capture malware dynamics and behavior in time.<br \/>\nThe representation is robust to malware variations attempting to evade detection (e.g. by changing the URL pattern, number of transferred bytes, user agent, etc.).<br \/>\nThe invariant representation is based on the idea that malicious flows in a bag will have different statistical properties than legitimate flows in another bag.<br \/>\nThis richer information makes it possible to improve the efficacy of learning-based detectors.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=0540fbcd12&#038;e=20056c7556<\/p>\n<p>TSA&#8217;s &#8216;Airport of the Future&#8217; Includes More Biometrics and &#8216;Intelligence-Driven&#8217; Procedures<br \/>\nThis week, the Transportation Security Administration released its ambitious strategy to create what the agency describes as the &#8220;airport of the future.&#8221;<br \/>\nThe agency \u201cenvisions a future defined by intelligence-driven, risk-based screening procedures and enhanced technology that will enable TSA to employ a flexible, adaptable and robust multilayered approach to detecting an evolving range of threats,\u201d the plan stated.<br \/>\nTSA\u2019s near-term enhancements, which have a 1- to 3-year timetable, include such programs as a checked baggage risk-based security pilot and an open threat assessment platform, which would be an X-ray detection system to help TSA employees complete passenger risk assessment.<br \/>\nThe agency\u2019s long-term functional enhancements, which have a 3- to 5-year timetable, included the APEX Screen at Speed program, 
which would implement advanced and quick screening technology, and the use of more biometrics in security procedures, according to the plan.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=68acdfe22d&#038;e=20056c7556<\/p>\n<p>Chrysler Catches Flak for Patching Hack Via Mailed USB<br \/>\nSix weeks after hackers revealed vulnerabilities in a 2014 Jeep Cherokee that they could use to take over its transmission and brakes, Chrysler has pushed out its patch for that epic exploit.<br \/>\nNow it\u2019s getting another round of criticism for what some are calling a sloppy method of distributing that patch: On more than a million USB drives mailed to drivers via the US Postal Service.<br \/>\nSecurity pros have long warned computer users not to plug in USB sticks sent to them in the mail\u2014just as they shouldn\u2019t plug in thumb drives given to them by strangers or found in their company\u2019s parking lot\u2014for fear that they could be part of a mass malware mailing campaign.<br \/>\nNow Chrysler is asking consumers to do exactly that, potentially paving the way for a future attacker to spoof the USB mailers and trick users into installing malware on their cars or trucks.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=2a67f30dea&#038;e=20056c7556<\/p>\n<p>============================================================<br \/>\nFeedback, questions? 
Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s] Apart from the reporter&#8217;s opinions \ud83d\ude09 So onto the news: Ten reasons threat intelligence is here to stay Threat intelligence has drastically transformed the industry. In fact, it&#8217;s hard to go to a security conference without hearing 
about&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1142","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1142"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1142\/revisions"}],"predecessor-version":[{"id":3629,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1142\/revisions\/3629"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}