[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo onto the news:<\/p>\n
Cisco disrupts major ransomware campaign that brought in $30M annually
\nCisco researchers, with the help of Level 3 Threat Research Labs and OpenDNS, have managed to strike a considerable blow against ransomware peddlers that used the Angler exploit kit to deliver the malware to unfortunate victims.
\nAccording to OpenDNS’ Stephen Lynch, Cisco’s Talos Research Group managed to “disrupt the operations of a threat actor responsible for up to 50 percent of the malicious software\u2019s activity from a ransomware campaign that generated more than $30M USD annually.”
\nCisco has released Snort rules to detect and block checks from the health monitoring servers, has published details about the communications mechanisms used by the severs and indicators of compromise (IP addresses, subdomains, hashes) that should help defenders discover infections on their own networks.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a0f6f8e802&e=20056c7556<\/p>\n
Google patches Stagefright 2.0 on Nexus devices
\nGoogle has released its monthly security update for Nexus devices.
\nAmong the issues this update fixes are the two vulnerabilities in the stagefright and utils Android libraries, which have been dubbed Stagefright 2.0.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f28cc852a6&e=20056c7556<\/p>\n
NIST Tackles Email Security with a Two-Faceted Approach
\nNIST is publishing a draft document for comment that provides guidelines to enhance trust in email.
\nAnd the National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and expertise to demonstrate a secure, standards-based email system using commercially available software and other tools.
\nIn the draft Trustworthy Email (NIST Special Publication (SP) 800-177), authors provide an overview of existing technologies and best practices, and they offer deployment guidance to meet federal government security requirements.
\nEmerging protocols to make email security and privacy easier for end users also are described.
\nThe authors seek input on the draft document.
\nThe deadline for comments on Trustworthy Email, SP 800-177, is November 30, 2015.
\nPlease send any questions or comments to sp800-177@nist.gov.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=712ee94d3b&e=20056c7556<\/p>\n
Quarter of firms can’t tell how hackers get in
\n“That was pretty eye-opening,” said Tim Helming, director of product management at DomainTools, the company that sponsored the research. “If you don’t know how it got onto your network, you can’t protect against it.”
\nOf the firms who did know how the attackers got in, 67 percent said that malware had infiltrated their networks through email, 63 percent named web surfing as a vector of infection, 12 percent cited cloud apps or social media, and 4 percent pointed to instant messaging.
\nOne reason that so many companies could not spot the channel through which malware got into their network was that almost half, or 46 percent, of all organizations surveyed did not have a threat intelligence solution in place.
\nAnother 36 percent said that the cost of the technology is too high.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f3d3d30eb5&e=20056c7556<\/p>\n
Business Leaders Gaining on Cybersecurity Risks, According to the PwC, CIO and CSO Global State of Information Security\u00ae Survey 2016
\nAccording to the PwC, CIO and CSO Global State of Information Security\u00ae Survey 2016
\n— New tools are helping to transform cybersecurity frameworks, yielding holistic, integrated safeguards against cyberattacks
\n— Cloud computing has had a significant impact on technology innovation in the past decade, and it is increasingly central to secure interconnected digital ecosystems
\n— The Internet of Things are expected to increase the stakes for securing cloud-based networks as the number of internet connected devices continues to surge to greater than 30 billion by 2020
\n— There was a 38% increase in detected information security incidents, as well as a 24% boost in security budgets observed in 2015
\n54% of respondents have a CISO in charge of the security program.
\nThe most frequently cited reporting structure is the CEO, CIO, Board and CTO, in that order.
\nTechnically adept adversaries will always find new ways to circumvent security safeguards.
\nThat’s why many businesses (59%) are purchasing cybersecurity insurance to help mitigate the financial impact of cybercrimes when they do occur.
\nPurchases in certain countries are either under review (34%) or happening less frequently (22%) as a result of hearing about reports that the government is conducting surveillance on hardware
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8a9cc5e75a&e=20056c7556<\/p>\n
HP Extends Global Threat Intelligence Sharing Platform Through Alliance With Hitachi
\nPALO ALTO, CA, Oct 06, 2015 (Marketwired via COMTEX) — Extending the reach of its security intelligence sharing network, HP HPQ, +0.04% has formed an alliance with Hitachi designed to capture and share Japan-specific threat information.
\nThis first-of-its-kind partnership significantly advances HP’s efforts to foster a wider reach of international security information sharing, and is an extension of the 25-year alliance between Hitachi and HP.
\nThrough this partnership, Hitachi will join the HP Global Threat Intelligence Alliance and contribute threat intelligence to HP’s existing security information sharing platform, HP Threat Central.
\nThe platform delivers automated and open sharing of information and contextual analysis that allows organizations to take action.
\nThis intelligence will also inform periodically published reports from HP Security Research.
\nCyber Crime on the Rise in Japan & Asia Pacific With cyber attacks on the rise, and impacting Japanese enterprises across the financial services, technology, communications and automotive sectors, this alliance is particularly well timed.
\nIn fact, the financial impact of cyber crime continues to rise in Japan, as evidenced by a 68 percent net increase in the past four years, according to the 2015 Cost of Cyber Crime Study conducted by The Ponemon Institute.(1)
\nThis announcement comes on the heels of a Cybersecurity Alliance signed between Japan and the United States in April 2015 that will contribute to the growth of international cyber norms.
\nThe alliance with Hitachi also builds on previously announced service intelligence feeds to HP Threat Central from a network of other companies, including AlienVault and Crowdstrike.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=af4ac3fed2&e=20056c7556<\/p>\n
EU Court Invalidates U.S.-EU Data Sharing Agreement
\nThe Court of Justice of the European Union ruled Oct. 6 that the EU-U.S. data sharing agreement, known as Safe Harbor, is invalid because the United States has failed to ensure that its “law and practices … ensure an adequate level of protection” for Europeans’ right to privacy.
\nPrivacy rights groups and some EU legislators have lauded the European Justice Court’s new ruling.
\nBut the judgment has triggered concern from some businesses, who warn that they will remain stuck in legal limbo until the European Commission creates a new framework to allow U.S. businesses to import Europeans’ private information.
\nThe ruling by Europe’s high court is the culmination of a legal challenge against Facebook, launched by Austrian privacy campaigner Max Schrems, 28, who pointed to documents leaked by Snowden that suggested Europeans’ private information was being shared with U.S. intelligence agencies (see Facebook NSA Case Moves to EU Court).
\nEurope’s high court, however, has now ruled that Ireland’s data commissioner should have heard the case, saying the Safe Harbor agreement did not override either Europe’s data protection directive or Ireland’s responsibility to serve as an independent body that supervises whether Europeans’ privacy rights are being respected.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=fb37160c9d&e=20056c7556<\/p>\n
Applying Threat Intelligence Research: The Myth of the Generalist
\nAfter a long absence (mostly due to workload and travel schedule), I\u2019m back with part 2 of 5 on this series on threat intelligence.
\nIn part 1, I discussed how security incident and event management (SIEM) and its place in a threat intelligence program.
\nThis time I\u2019d like to discuss the \u201cmyth of the generalist,\u201d something I see lots of organizations struggling with as we talk to companies trying to build and refine their threat intelligence programs.
\nOne of the key things that\u2019s happening, as a result of the shortage of high-quality talent, is that security program managers are filling specialist roles with generalists \u2014 and that\u2019s not going so well.
\nn my opinion, one of the biggest outcomes of the incredible amount of off-shoring that IT organizations have done over the last 10 years is that there is a severe shortage of qualified talent for the specialist roles for which we have a dire need right now.
\nLet\u2019s take a specific look at threat intelligence process from the vantage point of the decision cycle of observe, orient, decide, and act (OODA) loop.
\nFunctionally, we have 11 pieces, as defined in the research from Optiv Solutions R&D, including: acquisition, secondary development, triage, collaboration, enrichment, distribution, execution, feedback, strategy, governance and measurement.
\nIf we focus on just the steps where we deal with the aggregation and transformation of simple data to actionable information we can quickly see multiple specialized roles evolving.
\nAcquisition, secondary development, triage and collaboration\/enrichment (collectively known as refinement) are very different and very specialized roles.
\nThe problem with staffing them with a generic \u201csecurity analyst\u201d is that we completely miss the opportunity to drive excellence
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=c27a7065d2&e=20056c7556<\/p>\n
Why Network Behavioural Analytics Should be a Critical Part of Your Security Strategy?
\nNetwork behavioural analysis \u2013 a systematic, architectural approach to network security \u2013 involves deep packet analysis to identify advanced persistent threats (APTs) and zero-day attacks.
\nSimilar analytical capabilities are used by the financial and banking sectors to spot fraudulent transactions and card activity.
\nFrom an IT perspective, the sophisticated cyber attacks that have plagued Apple, Facebook and Microsoft (with the goal of carrying out industrial espionage) have been detected through behavioural analytics.
\nRemember, a complex network is a type of self-organising system.
\nNetwork behavioural analysis uses a range of techniques to find unusual or altered network activities.
\nThese are often indicators of an advanced persistent threat.
\nBusinesses will never be able to stop every single hacker at the network perimeter, so it is essential to spot abnormal activities occurring on the network before they develop.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f66c5b38ad&e=20056c7556<\/p>\n
Most UK Workers Feel More Vulnerable to Data Hacks Than a Year Ago
\nAccording to new research from Citrix, the majority (71%) of respondents cited data theft as \u201cinevitable\u201d at some point.
\nAnd one in three (33%) 16 to 25-year-olds feel much more vulnerable to hacks, compared with just 15% of over-55s.
\nWhile workers clearly feel more at risk of personal data theft than ever before, it seems their approaches to combating this threat are outdated: Two in three respondents (68%) cited physical documentation as a risk and chose shredding as a preferred means of disposing of information, almost a third (30%) of respondents are still reliant on USB memory sticks to back-up important data and just nine percent use the cloud.
\n\u201cWhile workers clearly accept their data is at risk, many are still reliant on dated practices\u2014such as using USB sticks and shredding paper documents\u2014to store and protect their information, when more advanced and robust measures are available,\u201d Mayers said.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a6924453f9&e=20056c7556<\/p>\n
New Calif. law mandates warrants for access to private communications
\nThe new law, backed by a number of tech companies and civil liberties groups, requires a judge to approve such access to a person\u2019s private information, including data from personal electronic devices, email, digital documents, text messages and location information.
\nCalifornia Electronic Privacy Act (CalECPA, SB 178) was passed in September by the state assembly after the senate passed it in June.
\nThe bill was co-sponsored by the American Civil Liberties Union of California, Electronic Frontier Foundation and California Newspaper Publishers Association.
\nWhile providing some exceptions for law enforcement in emergencies or for other public safety requirements, the law also prohibits access to electronic device information by means of physical interaction or electronic communication with the device, except with the specific consent of the authorized possessor of the device, or through other relevant provisions such as a warrant.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=80612e9939&e=20056c7556<\/p>\n
Joint Partnership Bolsters Cybersecurity in Indiana; State, Purdue and Intel Team Up for Security Operations Center
\nWEST LAFAYETTE, Ind.–(BUSINESS WIRE)–Today, Lt.
\nGov.
\nSue Ellspermann, who chairs the Indiana Counterterrorism and Security Council, joined Purdue University Chief Information Officer Gerry McCartney and Intel Vice President Rick Echevarria to announce the opening of the state of Indiana Security Operations Center (SOC) near the Purdue campus.
\nThe SOC is a project of the new Indiana Information Sharing and Analysis Center (IN-ISAC) \u2013 a joint mission of the Indiana Office of Technology, Indiana Department of Homeland Security, Indiana National Guard, Indiana State Police, Purdue University, Intel Security and other private sector partners.
\nAt the outset, the IN-ISAC is focusing on serving Indiana state government and Purdue University through the sharing of threat information and collaboration on strategies.
\nIt provides real-time network monitoring, vulnerability identification and threat warnings of state government computer systems.
\nLocated in Purdue Research Park, the SOC is staffed by a combination of state employees and Purdue students who monitor security incidents across the state of Indiana\u2019s computer network.
\nThe students are employed as part of the Purdue Pathmaker Internship Program, which provides career-relevant internships to students on or near campus.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=c5f56f6148&e=20056c7556<\/p>\n
How to hack-proof your cloud with native AWS tools
\nOn Wednesday, CloudCheckr CTO and founder Aaron Newman presented a breakout session at the 2015 Amazon AWS re:Invent conference detailing some of the ways that AWS users could secure what they have on the platform, using native AWS capabilities.
\nIf you use the AWS platform then, by definition, you share responsibility for security with AWS.
\nAs a customer, you are in charge of security for your applications and content, network security, inventory and configuration, data security, and access control.
\nAWS is responsible for securing its core products and infrastructure.
\nSo, how do you assess your perimeter security in this new landscape.
\nLeverage the AWS API.
\nSince we are building out security on the AWS API, it’s a good idea to monitor the API itself.
\nAWS CloudTrail records each time your API is called and supports most AWS services.
\nNewman said it’s “like the video camera in your data center.” The problem is, most people don’t turn it on in the beginning.
\nNewman recommends turning it on in every region and setting alerts for any time it could be disabled.
\nAnother good monitoring tool is the VPC flow logs, which record each time packets enter or leave a VPC.
\nIt’s the “metadata about who’s talking to who,” Newman said.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8a78d17cd2&e=20056c7556<\/p>\n
The result: 789 of the 3,125 employees baited — or 25 percent — clicked on a phony link in the “phishing” email, according to an IG audit publicly released Wednesday. Most of the would-be victims were administration personnel and operations workers.
\nThis May, the USPS Office of Inspector General sent bogus emails to a sample population of agency employees as a way of evaluating compliance with incident reporting policies.
\nAfter clicking on a test email or even just receiving one, almost nobody (7 percent) reported the incident to the USPS Computer Incident Response Team, as required.
\nUSPS officials said the evaluation took place right at the start of a new cybersecurity training course, adding that the 25 percent click rate is comparable to industry benchmarks for organizations just beginning their training.
\nThe new course focuses on how to identify phishing traps, officials said.
\nAbout 18 percent of federal IT professionals ranked phishing among the primary security threats affecting their agencies, while negligent insiders were the most pervasive hazard, garnering 44 percent of votes, according to an Oct.1 Ponemon Institute study.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9185198a15&e=20056c7556<\/p>\n
IP Expo Europe: The way you buy threat intelligence will change, says BAE Systems
\nBAE Systems has made a series of bold predictions about the future of threat intelligence.
\nRussell Kempley, BAE’s head of technical services for the EMEA region, gave a talk today at IPExpo, titled “The Future of Threat intelligence: how you ingest, analyse and act on threat intelligence?”
\nKempley predicts that the future will see a split forming in how organisations and companies use threat intelligence.
\nSome will not have the need for round-the-clock comprehensive access to threat intelligence; those who think it’s not core to their business, says Kempley, will get their threat intelligence indirectly through vendors.
\nThe advantage of this is, of course, that the vendor can share intelligence across their customer base.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0477922a3f&e=20056c7556<\/p>\n
Comparing Different Tools for Threat Sharing
\nI took a look at two tools for the sharing of threat intelligence data: MISP and IBM\u2019s X-Force Exchange.
\nAlthough both tools aim to achieve the same result \u2014 sharing data \u2014 they use different approaches to achieve that goal.
\nMISP, the Malware Information Sharing Platform, needs to be installed on a server in your infrastructure.
\nYou need a Web server, database and PHP support with a couple of modules.
\nAll of the data is stored on your premises and is under your control.
\nThe hardening of the server, securing the access and communication and foreseeing backups and redundancy are your responsibility.
\nObviously, you fully control what happens with the data.
\nOn the other hand, IBM\u2019s X-Force Exchange is a cloud-based platform.
\nYou need an IBM ID to get full access to the available threat data (anonymous access is also possible but with restrictive usage) and only a browser to get started; there\u2019s no need for installing extra software.
\nAll the data is stored in the cloud, so you do not have to worry about backups or redundancy.
\nMISP is very strong when it comes to building a central indicators of compromise database containing both technical and nontechnical information.
\nMeanwhile, the Web version of X-Force Exchange provides a much slicker interface for viewing trends and ongoing threat activity, giving you an immediate view on what\u2019s happening.
\nThe different tools available for sharing threat intelligence do not exclude each other.
\nIt\u2019s perfectly normal to acquire both on-premises and cloud-based solutions and then choose, depending on the type of threat information you are dealing with, where to store the information.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=5d7dc1948b&e=20056c7556<\/p>\n
The politics of APT reports
\nJuan Andr\u00e9s Guerrero-Saade made the argument in a recently-released paper, which he talked about last week at the Virus Bulletin conference in Prague.
\nGuerrero-Saade believes the race to issue malware discoveries has become part of vendors\u2019 marketing campaigns, and there is truth to that.
\nSometimes the purpose of issuing a report is to show a vendor, or individual security researcher, is a leader.
\nThat doesn\u2019t negate the significance of the find.
\nBut Guerrero-Saade\u2019s point is attribution has to be more carefully analyzed.
\nIn fact one point he makes is that PR and marketing departments should be pulled out of the loop when it comes time to decide what should be in a report and when it should be released.
\nAn example of his concern, Guerrero-Saade told SecurityWeek in an interview, is that threat actors can plant false evidence to throw investigators off track, like including code with strings in Russian and Romanian.
\nA good CISO, of course, cares less about where a threat has come from than for actionable intelligence.
\nBut more ruthless scrutiny before threat reports are issued will help improve their usefulness.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=e11acfde3a&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=a1abee00f1)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So onto the news: Cisco disrupts major ransomware campaign that brought in $30M annually Cisco researchers, with the help of Level 3 Threat Research Labs and OpenDNS, have managed to strike a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1158","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1158"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1158\/revisions"}],"predecessor-version":[{"id":3645,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1158\/revisions\/3645"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}