Copyright © Cyber Defense Magazine, All rights reserved worldwide
CONTENTS
CONGRATULATIONS TO THE CYBER SECURITY LEADERS OF 2017 ... 6
MALVERTISING - ADVERTISING, BUT WITH A HOOK THAT HURTS, AND HURTS AGAIN ... 22
VPN: DO YOU REALLY NEED IT? THIS WILL HELP YOU DECIDE! ... 37
COULD YOUR REACTIVE CYBER SECURITY APPROACH PUT YOU OUT OF BUSINESS? ... 44
DIGITAL CERTIFICATES ... 70
“Black Friday” and “Cyber Monday” – two huge retail days where more than 150m Americans are
online shopping. We’ll of course keep you informed of the latest wave of cybercrime on our home
and news pages. We’re thrilled to continue covering the fifty cyber security leaders of 2017 in
this edition and some powerful topics including how to beat ransomware.
Also, we’re launching our InfoSec Innovators Awards for 2018 which will be given out during the
RSA Conference 2018 in San Francisco, California. We’re heading into our sixth year of CDM and
we’ve taken in a lot of great ideas from sponsors, readers, partners and our writing team so
you’ll continue to see improvements and changes as we grow. We have some amazing writers
covering incredibly important topics and it’s always free so tell your friends to subscribe.
Spread the word, with our appreciation.
EDITOR
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com
ADVERTISING
Sarah Brandow
sarahb@cyberdefensemagazine.com
Interested in writing for us:
marketing@cyberdefensemagazine.com
CONTACT US:
Cyber Defense Magazine
Toll Free: +1-800-518-5248
Fax: +1-702-703-5505
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com
Copyright (C) 2017, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC
848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107.
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
FOUNDER & PUBLISHER
Gary S. Miliefsky, CISSP®
When talking about good practices in the use of Information Technology and Communication
resources, we should look to Daniel Dantas (Satiagraha) and Marcelo Odebrecht as great
personalities in the management of information security. We will not go into the merits of what
kind of information these personalities protect in their digital safes. However, it is true that Mr.
Trump, Mrs. Dilma, Mr. Nixon, Mrs. Clinton, NASA, the CIA and all of us must learn to protect our
information from the masters of the real-life House of Cards.
The success of our personalities begins with the awareness of holding sensitive data and of
the need to protect it. Next, we must learn to control our mouths: a secret that many people
know is, well ... no secret. Remember that nowadays almost anything can hide a tape
recorder. Google holds restricted meetings with any electronic device. Mark Twain said,
"We ought never to do wrong when people are looking".
The use of encryption software (a way to hide text so that only the key holder can read it)
is essential for storing large amounts of sensitive information. However, that alone is not
enough. We have already published research in specialized journals and at security conferences
demonstrating failures in cryptographic systems: Symantec PGP, BitDefender, TrueCrypt and
BitLocker from Microsoft; you can check it in the Journal of Cyber Security and Mobility V5-2.
These flaws, coupled with unsafe use of the systems, can put your secrets on the front page of
the newspaper!
Imagine the following scenario: You are a politician, the director of a large company or a
revolutionary researcher. Your life depends on the security of your information. Therefore, you
ask your director of ICT to give you an encrypted notebook.
Not even the FBI was able to open the archives of the Satiagraha task force, culminating in the
nullity of the operation and the exile of the Delegate responsible for it. The Brazilian press
announced that the computer of Marcelo Odebrecht (investigated in the Car Wash task force) is
so well protected that its data cannot be exposed.
No matter what you are thinking of protecting, to do it right, learn from these "good" examples.
Vehicle security assessment (car hacking) began in earnest three to four years ago. The
momentous occasion most associated with this was the Jeep attack (Greenberg, 2017). This
has been well publicized in the print media, social media, YouTube, and many other
outlets. This piece of research truly opened the eyes of not just the public, but also politicians
and InfoSec personnel.
One area that continues to be an issue is connected vehicles being vulnerable due to several
factors, one of which is the link to the internet. This link has the potential to open a door wide
into the vehicle, allowing a knowledgeable attacker the opportunity to exploit any vulnerabilities,
both openly known and not yet well publicized. A recent vehicle attack was presented at the
DIMVA security conference in Bonn, Germany (Greenberg, 2017).
Vulnerability
This particular attack is focused on the vehicle’s internal network and the CAN bus. In effect, it
takes the form of a DoS attack, and it applies to vehicles manufactured over many years.
Unfortunately, the attack and the vulnerability are a nearly universal problem. The fundamental
security issue behind this attack is the CAN protocol itself, which allows the vehicle’s components
to communicate with each other within the vehicle’s network. The behaviour the attack relies on
is by design and falls within the standard’s normal operation. With the current level of
technology in vehicles, this attack is nearly impossible to detect.
The technology in the vehicles in service at this time is not designed to defend against this
(Maggi, 2017). Defending against the DoS attack seemingly would not require a massive
integration effort and a multitude of change orders. The difficulty with such an implementation
is finding the application(s) that may work in this environment, completing a successful proof of
concept, and then implementing it within each OEM’s platform. Given the level of
administration and planning this requires, making it an integral part of the vehicle’s
technology platform may have to be planned for the next generation of vehicles.
Attack
The issue is with the CAN standard itself (Maggi, 2017). This particular attack works a bit
differently from the normal DoS attack that has plagued victims through IoT botnet armies. The
attack seeks out a frame, the basic unit of CAN communication. Once the frame is identified, the
attacker inserts its own frame with a corrupted bit. This corrupted bit is substituted for a bit
already present on the communication channel. The targeted vehicle component recognizes that
the bit is not correct, as it has been corrupted by the attacker.
The attacker may focus on the different modules in the vehicle for the attack. With a successful
attack, the airbags, anti-lock brakes, door locks, or other areas in the vehicle may be disabled
(Greenberg, 2017).
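The reason a single corrupted bit, repeated, can silence an ECU is the CAN error-confinement mechanism: every transmit error raises the node’s transmit error counter, and past a fixed limit the node takes itself off the bus. As an added illustration that is not part of this article or of the cited research, the following Python simulation models those counters for one transmitting ECU and adds a simple bus-level monitor that flags an abnormal burst of error frames, the kind of check a defender could run from a diagnostic port. It assumes the standard ISO 11898-1 counter rules (transmit error counter +8 per detected transmit error, -1 per successful frame, error-passive above 127, bus-off above 255); the ECU name, the error patterns, and the monitor’s window and threshold are constructed for the example.

```python
"""CAN error-confinement simulation with a bus-level error-frame monitor.

Constructed example. The counter rules follow ISO 11898-1 error confinement;
the node, traffic patterns and detection threshold are invented for
illustration and are not taken from any real vehicle.
"""
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional

ERROR_PASSIVE_LIMIT = 127   # TEC above this -> node becomes error-passive
BUS_OFF_LIMIT = 255         # TEC above this -> node goes bus-off and stops sending
TX_ERROR_PENALTY = 8        # TEC increment when the transmitter detects an error
TX_SUCCESS_CREDIT = 1       # TEC decrement after a successful transmission


class State(Enum):
    ERROR_ACTIVE = "error-active"
    ERROR_PASSIVE = "error-passive"
    BUS_OFF = "bus-off"


@dataclass
class Ecu:
    """Transmit error counter (TEC) of one node; the receive counter is omitted."""
    name: str
    tec: int = 0

    def state(self) -> State:
        if self.tec > BUS_OFF_LIMIT:
            return State.BUS_OFF
        if self.tec > ERROR_PASSIVE_LIMIT:
            return State.ERROR_PASSIVE
        return State.ERROR_ACTIVE

    def transmit(self, bit_error: bool) -> bool:
        """One transmission attempt. Returns True when the node observes a bit
        on the bus that differs from the one it sent and raises an error frame.
        A bus-off node no longer transmits, so it produces nothing."""
        if self.state() is State.BUS_OFF:
            return False
        if bit_error:
            self.tec += TX_ERROR_PENALTY
            return True
        self.tec = max(0, self.tec - TX_SUCCESS_CREDIT)
        return False


class ErrorFrameMonitor:
    """Sliding-window counter of error frames seen on the bus. A healthy bus
    shows error frames only sporadically (noise), so a dense cluster of them
    is worth an alert. Window and threshold are constructed values."""

    def __init__(self, window: int = 50, threshold: int = 4) -> None:
        self.threshold = threshold
        self.history: deque = deque(maxlen=window)

    def observe(self, error_frame: bool) -> bool:
        self.history.append(error_frame)
        return sum(self.history) > self.threshold


@dataclass
class Result:
    final_state: State
    error_frames: int
    frames_until_bus_off: Optional[int]   # None if the node never went bus-off
    first_alert_frame: Optional[int]      # None if the monitor never fired


def simulate(error_pattern: Iterable[bool], window: int = 50, threshold: int = 4) -> Result:
    """Feed one ECU a sequence of transmission attempts; error_pattern[i] is
    True when frame i is seen on the bus with a corrupted bit."""
    ecu = Ecu("constructed-target-ecu")
    monitor = ErrorFrameMonitor(window, threshold)
    error_frames = 0
    frames_until_bus_off: Optional[int] = None
    first_alert: Optional[int] = None
    for i, corrupted in enumerate(error_pattern, start=1):
        raised = ecu.transmit(corrupted)
        error_frames += int(raised)
        if monitor.observe(raised) and first_alert is None:
            first_alert = i
        if frames_until_bus_off is None and ecu.state() is State.BUS_OFF:
            frames_until_bus_off = i
    return Result(ecu.state(), error_frames, frames_until_bus_off, first_alert)


def healthy_pattern(n: int, error_every: int) -> List[bool]:
    """Sporadic errors such as electrical noise: one every `error_every` frames."""
    return [(i % error_every == 0) for i in range(1, n + 1)]


def targeted_pattern(n: int) -> List[bool]:
    """Every frame of the targeted ECU is seen with a corrupted bit."""
    return [True] * n


if __name__ == "__main__":
    print("healthy :", simulate(healthy_pattern(200, 40)))
    print("targeted:", simulate(targeted_pattern(40)))
```

Running the block shows the two regimes side by side: with one error every 40 frames the counter decays back to zero between incidents and the monitor stays quiet, whereas with every frame corrupted the node turns error-passive after the 16th error and goes bus-off after the 32nd, while the monitor fires on the 5th consecutive error frame, long before bus-off. The monitor is deliberately simple; on a real bus the threshold would be calibrated against that bus’s observed baseline error rate.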
Remediation
In the non-vehicle realm, remediation for this is not a complex problem to solve. There are a
number of applications that may work well with the use case in the enterprise. These, while
coded for the enterprise and accomplishing their task exceptionally well, do not work in the
vehicle technology environment. Correcting this would require an update to the CAN standard
(Maggi, 2017). There are many different configurations that could be attempted to correct this,
including segmenting the network in the vehicle and encryption.
References
Greenberg, A. (2017, August 16). A deep flaw in your car lets hackers shut down safety features. Retrieved from https://www.wired.com/story/car-hack-sht-down-safety-features/
Kovacs, E. (2017, July 31). ICS-CERT warns of CANBus vulnerability. Retrieved from http://www.securityweek.com/ics-cert-warns-can-bus-vulnerability
Maggi, F. (2017, August 16). The crisis of connected cars: When vulnerabilities affect the CAN standard. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/connected-car-hack/
Palanca, A., Evenchick, E., Maggi, F., & Zanero, S. (2017, June 4). A stealth, selective, link-layer denial-of-service attack against automotive networks. Retrieved from https://link.springer.com/chapter/0.1007/978-3-319-60876-1_9
DRP is a Cybersecurity Lab Engineer focused on securing the world for the users one module
at a time. DRP’s interests include the intersection of AI & ML and automotive cybersecurity.
Nine to five ain't what it used to be; today, you have to add about a half hour in each direction to
account for commuting time (that doesn't include time spent looking for parking in the city or at
the train station, walking back and forth to the parking lot/train station, etc.). According to the
U.S. Census Bureau, the average American commute was 26.4 minutes long in 2015 – but
honestly, do you know anyone who can get to or from work in under an hour?
Actually, you do – it's the workers who get to stay at home and telecommute. Those same
Census Bureau statistics show that the number of workers who do their jobs at home has grown
at a healthy clip, more than tripling in the past 25 years, and up 5% between 2014 and 2015
(the last year for which the Bureau has figures).
Fortunately, the technology exists to enable home workers to participate in office life fully, being
“there” in everything but their bodies. Videoconferencing software via devices like tablets and
smartphones, fast and robust networks, connected computers using secure protocols, systems
that are armored with corporate level security systems – working at home should be as cyber-
safe as working at the office, and offers the advantage of letting employees avoid slogging
through traffic – ensuring a happier and more productive employee, according to many studies.
But that is just the problem: Who said working at the office was cyber-safe, anyway? By all
measures, the state of cybersecurity in corporate America is lousy, and it's getting worse.
According to the Identity Theft Resource Center, some 1,100 major data breaches were
reported in 2016, 40% more than in 2015. 2017 isn't over yet, but there have already been more
major data breaches this year than in 2016, with high-profile hacks of organizations like Equifax,
the SEC, Dun and Bradstreet, the IRS, River City Media, OneLogin, Verizon, and many others.
Meanwhile, a study by Ponemon and IBM says that each data breach costs victims $4 million
each on average; according to Forbes, losses to cybercrime will exceed $2 trillion by 2019. To
protect themselves in 2018, companies are set to spend some $90 billion.
Does that mean that telecommuting is a bad idea, at least from a cybersecurity point of view?
Not necessarily; that same malware infection process could take place inside the office; after all,
the statistics we cited on breaches and cybersecurity are for all organizations, which are mostly
still office-centric. Blaming the telecommuters for the sorry state of cybersecurity is very short-
sighted; what's needed is a solution that will work both in-office and at home. Here are some
strategies that can be implemented both at the office, and at home offices:
1) Policy clarity: A recent study by Dell indicates exactly that: 91% of business users said
that productivity was harmed because of security measures - meaning that many users
are likely to try and do an end-run around IT department rules if they feel too constricted
by the rules. But much of that, according to the study, is due to a lack of clarity on the
rules, and why they are in place; the study shows that over 60% of IT pros said that a
lack of “leadership awareness” was the greatest barrier to delivering a context-aware
security approach. “Context-aware” in this instance means knowing exactly how to
connect to the corporate network, what to do, and what not to do. A good context-aware
security system will make clear to users which protocol (like a specific browser or app)
to use to connect from within the network, and specify rules on where, what, and for how
long activity on the network can continue. With clear rules that are easy to understand,
employees both inside and outside the office are more likely to follow them, ensuring
that the network remains safe.
2) Superior supervision: Part of implementing rules is ensuring that they are followed, and
to ensure compliance, IT departments should be installing systems that monitor
compliance but are not intrusive. As mentioned, company-wide problems could result
from the actions of a single individual, who is seeking to get their work done more
quickly or easily – a temptation which might be even greater for highly productive
workers at home, who are hoping to knock off work early, once they finish their tasks.
Productivity is great, but not at the expense of security!
In a virtual container scheme, security systems check files and connections for activity in a “safe
zone,” with all aspects of the file or connection tested to ensure that it behaves as it is supposed
to – that a file does not seek to query areas of the registry that it ostensibly has no business with
or tries to execute code that should not be associated with it, or that a connection does not try to
hijack a user to another, rogue site. If the file/connection does try that, the system will keep it
away from the rest of the network, but still display the contents of the document or the site.
These ideas are certainly not the “silver bullet” that will eliminate cyber-insecurity – one would
think that with $90 billion spent on cybersecurity, we would have found that by now – but they
are likely to make organizations, and the workers who make them thrive, safer and more
productive, whether they are in the office or out of it.
Malvertising, a combination of malware and advertising, has more than doubled in the
past three years and is increasingly found on premium websites that are typically
whitelisted by enterprises for employee internet use. Malvertising is typically spread via
legitimate digital advertising services and packs a nasty, unexpected and frequently
unseen punch for visitors to a compromised website. The harm is palpable: it downloads
exploit kits, drops ransomware code, redirects to compromised landing pages, serves
fake pop-ups, presents a phishing-oriented form, and the list goes on.
Malvertising comes in many shapes and sizes: the majority of the time, malicious code
triggers automatic downloads of malware, and occasionally it requires user-initiated clicks. The
malware is also hard to detect, since it attacks only when certain conditions are met, for
example, if a website is accessed via a mobile device, or if a user from a specific
geography visits an infected webpage. Today, malvertising is designed to target
geographies, devices, browsers, behavior and even corporate IP blocks. Unfortunately,
its evolving sophistication makes it a difficult beast to control. Its ability to penetrate
corporate networks highlights the fallibility of traditional security defenses like blacklists,
whitelists, generic threat intelligence, AVs, web filters, firewalls, etc.
Hackers use the digital ecosystem to hide malware in plain sight by hitching a ride with
legitimate advertising campaigns, and the result is a malvertising incident. That is what
makes it so stealthy and able to evade traditional enterprise security defenses.
Fake virus alerts and system updates delivering malicious exploit kits are ubiquitous in
today’s highly complex and dynamic digital ecosystem. But, those tricks are easy to
see. In order to effectively deliver malware, threat actors have resorted to sophisticated
coding to evade detection. Increasingly, malware only executes when predetermined
conditions are met, i.e., geography, device, or user profile combinations. For example,
Lucy in London on a mobile device receives the malware but Bob in Boston on a laptop
did not. Furthermore, in order to accurately target and deliver malware to specific
endpoints and internet users, threat actors exploit the very technologies that website
owners utilize to deliver customized and personalized content to their users.
Each new malvertising campaign erodes consumer trust, both in the website operator
and the internet at large.
Complementing anti-virus and other filtering tools, enterprises need an additional layer
of protection that leverages real-time threat intelligence regarding active and stealthy
threats propagating in the digital ecosystem. This web-based attack data exposes real
malware events that can be proactively arrested before penetrating the enterprise
network and endpoints.
Malvertising is a chameleon that can change domains, delivery channels, and payloads
by blending in with the background. Rather than allowing malvertising instances to
successfully penetrate the enterprise network, organizations must employ defenses that
investigate all code operating within their domain so threats can be identified and barbs
removed before anyone gets hooked.
By the end of June 2017, the Petya ransomware and its variants had infected devices in 65
countries. The scope, severity and speed of the attack rivaled some of the most improbable,
imaginative Hollywood plots - but the attack was indeed an actual security event, being
executed on a new and global level.
The exploit leveraged the same vulnerability as the infamous WannaCry malware which had
spread rapidly the previous month: MS17-010 (EternalBlue). But unlike WannaCry, Petya did
not have the sort of “back-door” kill switch that was inadvertently discovered as the exploit threat
spread, helping to halt its contagion.
“Damage estimates from Petya were in the tens of millions from many
affected organizations, with most costs due to lost productivity and
remediation costs. But the greater damage was trust – Petya served as
a wake-up call that power grids, financial institutions and major
corporations were all vulnerable to ransomware.”
Could operatively-sourced intelligence have prevented the contagion? Recent research finds
that for several companies, it did just that.
For example, InfoArmor has published research findings: InfoArmor Preempts Ransomware Attacks.
In January 2017, InfoArmor’s operative intelligence team identified the threat’s potential for
exploitation, enabling clients to identify and patch the open vulnerability, protecting their digital
assets from ransomware attack.
As the result of intel gleaned on the dark web as early as January, by April some companies
were aware of the MS17-010 vulnerability. By late April, those same companies knew which
specific hosts contained the MS17-010 vulnerability, and were able to bypass the Petya threat
entirely.
No matter how much organizations automate their cyber defenses, black hat hackers and other
bad actors will scour out vulnerabilities... and the ‘white hat’ operatives quietly conducting
operatively sourced threat intelligence will be looking over their shoulders in the web’s darker
corners to help discover who’s next at risk.
The InfoSec field and industry continue to grow at an outstanding pace. This is being driven by
many market forces, including the increase in attacks, malware being released into the wild, and
phishing and spear phishing being promulgated by the attackers. From the technical side, there
are also massive advances in hardware and software, and in their connectivity. The number and
complexity of connected devices are increasing across an ever more varied range of devices such
as vehicles, refrigerators, coffee makers, thermostats, garage doors, home locks, and too many
others to name. This is a function of our society being directed towards ease of use and having
devices be automated in their functionality.
With the significant increase in these technologies, the need or demand for personnel with these
skills has increased substantially. There is a direct, positive correlation between the number of
devices and technologies and the personnel required to secure them. As an example, as the
number of connected devices grows, all from different regions of the planet and from different
manufacturers, more personnel will be needed to work on securing them. A person’s
number of working hours is somewhat limited due to sleep requirements. Seemingly, with the
number of IT personnel across the planet, there should be the requisite number of InfoSec
personnel to manage most of the issues surrounding this sub-industry. This is especially the
case with DevSecOps.
With the focus and attention given InfoSec due to the business compromises and direct effects
on the consumers, likewise it would appear there should be enough programs at the University
and College level to fill these positions. On a secondary front, there should be other training
programs in place designed to fill in the gaps.
Appearances can be deceiving. The lack of a sufficient number of adequately trained and
experienced personnel to accomplish these tasks is well publicized. This has increased the rate
at which InfoSec people leave the field, due to the number of hours required simply to maintain
the baseline level of InfoSec for the business environment, stress, and other factors. This lack of
adequate training was researched by Veracode (Kawamoto, 2017) in their 2017
DevSecOps survey. The research sample included 400 respondents. The research indicated that
70% of the sample felt the college training they received did not properly prepare them for
implementing security in application development. Also, 65% of respondents received their
most relevant training on the job.
The results are rather disheartening. If this continues, the issue is only going to become worse,
as personnel do not enter the field in sufficient numbers. The downward spiral
will only continue. As it does, processes, software, and hardware will initially continue
not to be as secure as they should be. Granted there would be requests to have this reviewed
References
Kawamoto, D. (2017, August 17). Veracode survey shows a majority of DevOps pros mostly learn on the job about security. Retrieved from https://www.darkreading.com/application-security/70-of-devops-pros-say-they-didnt-get-proper-security-training-in-college/d/d-id/1329654
DRP is a Cybersecurity Lab Engineer focused on securing the world for the users one module
at a time. DRP’s interests include the intersection of AI & ML and automotive cybersecurity.
At the time this article is being written, there are more than 35,000 cyber security jobs posted on
indeed.com, out of which more than 5000 were posted within the last 48-72 hours. According to
an article published in Forbes, there will be a shortage of 2 million cyber security professionals
by 2019. In fact, there is a shortage of one million cyber security professionals across the world
as we speak. With an average salary of more than 116,000 per year, and organizations literally
getting into bidding wars over skilled cyber security professionals, it is safe to say that if you
want to switch to an industry, cyber security should be at the top of your list.
You cannot start a career in cyber security without a background in IT. This does not mean you
need to come from IT exclusively, but you need to have a thorough understanding of how things
work in the IT world. If you are working in a different domain altogether, you will need to do a
number of courses and certifications before you can start applying for jobs in cyber security. If
you are just starting your professional career, you should look for career paths such as
Exchange Administrator, Network Administrator, System Administrator, and Web Developer.
From these career paths, you can get into email security, network security, system security, and
web security respectively.
To summarize this section, let’s just say that you need to put some time in the IT sector in one
of the career paths we just mentioned, and develop skills in Operating Systems & Database
Management, Programming & Coding, and Networks. Once you have that on your resume, and
have a clear understanding of how data works, how it is transferred, how it can be
compromised, and why it needs protection, you can move on to the next phase, which is
acquiring the relevant certifications.
While there are a number of courses and certifications being offered by Microsoft, Linux, (ISC)²
and CompTIA in this category, we have narrowed it down to the following two:
1. CISSP
Certified Information Systems Security Professional (CISSP) will equip you with all the
information you need about best practices in terms of cyber security, its methodologies,
principles, concepts. After taking the CISSP exam, you will be able to start a career in cyber
security as an Information Security Consultant or an Information Assurance Engineer. You will
2. COMPTIA SECURITY+
This course equips you with the skills needed to identify vulnerabilities and threats, and plan
and implement the cyber security strategy of an organization. You will learn the fundamental
concepts of cyber security, and will be able to troubleshoot cyber security incidents. Your job
responsibilities will include ensuring business continuity and disaster recovery. By doing this
certification, you can get a job as a cyber security analyst, an IT support technician, a
penetration tester, and a cyber security tester.
As with beginner level courses, there are tons of courses in this category but we have decided
to go with the following two:
We hope you found this article helpful. Do reach out to us if you require any further information
on the subject.
Facing ever-evolving malware, vulnerabilities and hacking attempts, companies today need to
seriously look at and evaluate their cyber security policies.
Studies show a vast number of businesses of all kinds seem to be woefully unprepared to deal
with cyber threats. Some companies that have yet to be compromised operate with a false
sense of confidence about their cyber security capabilities. Many companies that discover they
have been compromised find that hackers had been in their network from as far as 4-6 months
back, before the breach was found.
According to Deloitte’s 2017 “Cyber Risk in Consumer Business” online survey and in-depth
interviews of over 400 CIOs and CTOs in retail, restaurants and consumer products, 76% of the
executives felt they were adequately ready for cyber incidents. However, 82% had not
documented and tested their cyber response plans involving business stakeholders in the past
year and less than half of the executives performed threat simulations on a regular basis. For
consumer-facing businesses who have a lot at stake should a cyber incident cause them to lose
the confidence of their customers, the neglect of cybersecurity best practices could be
imminently harmful to their overall business.
Small companies, who are particularly vulnerable to cyber threats, illustrate the fatal danger
posed to an organization that does not have adequate security practices in place. According to
stats collected last year by the publication Small Business Trends, 43% of cyberattacks targeted
small businesses, but only 14% of these businesses felt they were ready with a security plan. It
is estimated that 60% of small businesses will go out of business within six months of a cyber-
attack. Scary numbers like this are a cybersecurity-cry-for-help.
Did Human Error Cause One of the Biggest Cyber Attacks Ever?
The greatest vulnerability in cyber-attacks are not even the security programs themselves:
human error plays a significant role. According to a study from the IT industry association
CompTIA, human error is the reason for 52 percent of the root causes of security breaches. A
2016 Data Security Report commissioned by a law firm which handled cyber cases found that
out of 300 security incidents it handled in the previous year, human error was the leading cause
of the incidents, accounting for nearly 40% of them.
Failing to address the human component of security protection can negate many of the
cybersecurity programs which organizations are investing in. And each year, as companies try
to keep up with and deploy the latest security technologies, attackers in turn develop and launch
new tactics to circumvent those technologies. As the world increasingly becomes more
digitalized, the threat of cyber attacks on organizations large and small grows exponentially.
So what are companies to do when 1) their security programs are not adequate or 2) their staffs
are not adequately overseeing security programs or 3) both?
Once companies realize that in the era of cyber attacks, a security compromise is more likely
than not, they need to incorporate and shore up their detection and response capabilities. But for
many companies, self-managing their security systems is not realistic, given the level of
sophistication of today’s hackers, as well as organizations’ scarce internal resources.
In a trend that is changing the cybersecurity industry, companies are increasingly looking for
security programs which enable them to focus on their core business and not get caught up in
managing security. As the global management consulting company McKinsey stated in a report
from a few years ago: “Eliminating threats is impossible, so protecting against them without
disrupting business innovation and growth is a top management issue.”
Organizations that feel overwhelmed in running their core business and do not have the
resources to self-manage their own security programs would be well served to contact a
solutions provider who can identify and recommend the security programs that best fit the
organization’s needs. The benefits of signing on with a security solutions provider are
numerous, including:
Cyber attacks are on the rise and companies have scarce internal resources, as well as
inadequately trained employees, to deal with managing security programs in-house.
Organizations that work with experienced security solutions providers will mitigate the risks
posed by security threats in an efficient and cost-effective manner and enable the organization
to concentrate on its actual business.
We are happy to announce that in the coming months we will be releasing an app.
This app, in short, will give law enforcement real-time access to our chat logs and hunters. We
hope this real-time access will cut down on court time and enhance our ability to work with law
enforcement.
We will be releasing it first in the United States, and hopefully afterwards in Canada.
This app will give law enforcement open access from the beginning of our investigations to the
point at which they deem fit to take over those investigations.
We hope this will help those police departments that are underfunded have a stronger presence
online, by giving people the opportunity to volunteer their time to chat logs in a police-monitored
environment.
The NotPetya attack took the world by storm when a compromised update of M.E.Doc financial
software spread the virus across major corporations in Europe, encrypting files and demanding
bitcoins in exchange for file decryption. Upon further investigation, impacted companies learned
there was no way to decrypt infected files and spent days and, in some cases, weeks trying to
repair the damage. The real shocker? The astronomical costs associated with virus-related
downtime. As each impacted organization reported their quarterly results, it became evident that
the total monetary impact of the NotPetya virus was more than a billion dollars.
While the NotPetya ransomware authors may have asked for 100 bitcoins (or $250K in regular
currency) in exchange for decrypting victims’ files, the actual cost of the attack was
exponentially greater. The virus hit industry giants Maersk, FedEx, Mondelez, Reckitt-Benckiser
and Merck hardest, halting operations and leading to a combined estimated loss of over $1.2B.
In addition to financial losses, both Mondelez and Reckitt-Benckiser said goodbye to a
few C-level executives post-attack.
Ransomware attacks on enterprises are escalating both in frequency and complexity. As seen
in the Petya/NotPetya attack, cyberattackers are employing more sophisticated methods of
attack, spreading malware through enterprise software (e.g. accounting software) to
maximize reach and impact. As a result, the total average cost of cybercrime is increasing at
a rate of 23% annually, mostly due to information loss and business disruption.
Enterprises that employ identity and access management (IAM) technology are able to save, on
average, roughly $2.4MM in cybercrime costs. Therefore, in order to protect against
ransomware attacks and the associated costs, organizations need to put into place systems and
processes to protect their enterprise identity. This includes:
1. Solid Patch Deployment Processes: NotPetya was able to infect victims through a
Windows SMBv1 vulnerability dubbed “EternalBlue”. Microsoft had released a security
update, MS17-010, to resolve the SMBv1 vulnerability just three months prior to the
Petya attack, which, had it been deployed, would have prevented the virus from spreading
within the companies that were attacked.
2. Employee Education: According to the Verizon Data Breach Investigation Report, more
than half of all malware attacks are caused by malicious email attachments, so training
employees to recognize and report any suspicious email activity is crucial in preventing
malware attacks.
4. Disaster Recovery: Implementing a robust Disaster Recovery plan is the last, but most
critical, step in protecting against ransomware. If you have a strong backup and recovery
solution in place, and are hit by a ransomware attack, you can simply restore your
encrypted files from backup.
Last, but not least, if you are ever hit by a ransomware attack, never ever pay the ransom,
because there’s no guarantee that the attacker will decrypt the files. Reports indicate that
NotPetya was actually wiper malware, not ransomware, and no amount of money could
have reversed the damage caused by the virus.
The advantages of VPNs are several. First, they add a layer of security that reinforces our
anonymity against the various tools that spy on our data or browsing habits on the Internet.
Secondly, they allow us to access certain portals that are blocked in our country for one reason
or another.
● Security
A VPN provides security to its users while allowing them to reach sites that are otherwise restricted.
● Anonymous surfing
By using a VPN, you are guaranteed a high level of inaccessibility to your traffic, making it
unavailable to unauthorized parties.
Once you have decided to use a VPN service, set aside the money needed for a subscription. VPN
providers allow their users to choose from a range of differently priced plans, from the cheapest
paid tiers to ones that are provided for free.
The Hello extension is a clear example of how a free tool for anonymous surfing and accessing
services from other countries can affect our privacy. In the past it was discovered that they were
selling user traffic and doing business with them.
If you think that free VPNs are not for you and you want to go a step further in your security, we
recommend that you read the collection of paid anonymous VPN services.
Anyone who needs to use a Virtual Private Network service should first consider the following
important factors:
Users of a Virtual Private Network are encouraged to always leave a review of
the services rendered. This provides a good starting point for a new subscriber, who is able
to get information from other users. This information is constantly updated for the purpose of
providing up-to-date information.
The FAQ sections will help you get answers for your questions, leaving you informed and up to
date.
The top rated VPN services are outlined to give you great insight of the services to help you
choose your systems’ best protector.
The reviews are not only useful to the newbies but also to users who are considered advanced.
Other information one can get from the reviews include server network, internet connection,
multiple connection, encryption protocols the payment methods accepted, supported systems
and many more.
Conclusion
The benefits and importance of using a Virtual Private Network are very clear. Go ahead and
subscribe to a VPN of your choice so as to protect your system.
Through simply-written articles, Amelie teaches residents of Hawaii about Internet security tools and how to use them for playing games or browsing the Net.
We’re heading into cold season and the common cold is well… common. A trip to the pharmacy
presents us with endless options for making your week a little more bearable, but unfortunately,
it’s after the fact. Colds keep evolving and staying one step ahead of medications.
Ransomware is similar to the common cold in the way that there is no foolproof preventative
cure, its roots date way back, it continuously reinvents itself to find new methods of attack and
overall, just makes your life miserable.
You’ve probably been seeing a lot of news about Ransomware lately due to the recent
devastation executed upon high profile targets including universities, hospitals and government
agencies by strains that include names like WannaCry, Locky, Bad Rabbit, etc. The targets you
probably don’t hear as much about are everyday small businesses, lawyers, dental offices,
construction companies for example – who bear the lion’s share of these attacks.
We call it Ransomware because in the moments that follow the breach of an unsuspecting
victim, it locks down access to data on their system and then purports to provide the key for
unlocking information, if a ransom is paid within a specified amount of time. Maybe.
Rule number one is not to pay a ransom as numerous cases exist where a victim has paid only
to never receive the promised key. Also, who is to say that paying does not make you a target
for future attacks?
Like the common cold, taking measures to prevent getting infected in the first place is the best
way to deal with ransomware. You need to think prevention – Think smoke detectors over fire
extinguishers. Investing the time in advance preparation will pay off in the long run when
compared to the resources needed to deal with the aftermath.
To understand how to prevent ransomware attacks, it’s best to know how they work, what are
the unique types of ransomware for identification, and what preventative actions to take.
• Crypto-Ransomware
o Encrypts the files on a victim’s machine.
o Gives a time limit.
o Victim must pay a fee.
• Lock-Screen Ransomware
o Locks the screen.
o Demands payment.
o No files encrypted or affected.
• Master Boot Record Blocking
o Computer will not boot up.
o Ransom instructions displayed on screen.
Educate your users – Schedule a meeting to discuss what threats look like, and what to avoid.
How to store passwords and media. How to disconnect their machine safely from the network
and who to contact if infected.
Scanning and filtering – Antispam/anti-phishing in place. Filter file attachments in email (.exe,
.scr, .com, etc.). Show file name extensions in Windows, and disable macros (MS Office).
Patch early and patch often – Ensure that all server and workstation operating systems are up
to date with regular patch maintenance.
Configure intrusion prevention – Business grade antivirus and firewall protection, with
advanced filtering, centrally managed with alerting capability.
Test your backup solution – Ensure that you have the ability to restore in the event that
prevention methods fail. Follow the 3-2-1 backup rule (3 backups, 2 different types of media, 1
offsite). Test restorability monthly.
With a cold, you can take every preventative measure in the world, and it can still get the better
of you.
The same goes for ransomware. These attackers are continually changing their techniques, and
their code is evolving to be smarter and trickier. All it takes is one person letting their guard down
to create a break in your cyber defense security chain.
For a healthier winter season, be sure to take your vitamin C and talk to your system
administrator about implementing a ransomware prevention checklist that your organization can
live by. Here’s to you and your critical corporate data’s health… Gesundheit!
In our last article, we looked at three different technology standards that combat spam and
phishing attacks. If you haven’t read the first installment of this two-part series yet, check it out
now to familiarize yourself with some important terms we’ll use while exploring why these anti-
phishing standards aren’t more widely used today.
Sender Policy Framework (SPF) was an open standard created to prevent sender address
forgery in email envelope MAIL FROM headers. At around the same time, DomainKeys
Identified Mail (DKIM) was developed to authenticate approved mail servers for a domain.
Finally, Domain-based Message Authentication, Reporting and Conformance (DMARC) was a
solution crafted to tie SPF and DKIM together with added reporting functionality. All three of
these technologies are great at helping to stop common forms of phishing. So, why haven’t they
reached 100 percent adoption?
As it turns out, SPF and DKIM adoption are actually doing quite well with email senders.
According to a 2016 report by Google, 95 percent of non-spam emails received by Gmail users
came from senders with SPF records, and nearly 88 percent of non-spam emails employed
DKIM signing. DMARC, however, is still struggling to take off. A Federal Trade Commission
report earlier this year found that only a third of surveyed companies have published DMARC
records and less than 10 percent of that group have configured their DMARC records to reject
unauthenticated messages.
The good news is that DMARC adoption has been seeing modest improvements. According to
the Online Trust Alliance (OTA), adoption of both DMARC records and rejection/quarantine policies
has grown over the past year (from 27.4 percent to 34.3 percent and from 5.8 percent to 14.6
percent, respectively), and the Internet Retailer and Consumer categories were the lead
adopters of both. Unfortunately, organizations in the Federal and ISP categories were the
laggards in records adoption, and banks and federal groups were dragging their feet in
rejection/quarantine adoption.
So, while there have been humble increases in DMARC adoption, the rates are still low;
especially with compliance enforcement enabled. Why might this be? For one thing, it’s
common for businesses to start with a DMARC solution configured with a “none” policy while
testing, which means they don’t want recipient email servers to take any action against non-
compliant messages. Businesses might choose to do this if they use third-party mailer services
to send newsletters, since DMARC can cause these messages to be denied if misconfigured.
It’s certainly important to test policy changes in phases instead of diving right in at the risk of
breaking something critical, like your company’s ability to send email.
• First, test with a “none” policy. Mailboxes that support DMARC should still send reports
on messages that fail DKIM and SPF checking. This can help you identify legitimate
email sources from your domain that you may have overlooked.
• Make sure you follow the correct syntax when configuring your DMARC DNS record.
Dmarc.org has a wide range of tutorials and guides that can help you with this.
• Once you have finished testing your DMARC record, change the policy to “reject” or
“quarantine” to instruct recipient mailboxes on how to handle spoofed messages from
your domain.
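The phased rollout above, from a monitoring-only record to an enforcing one, is easy to get wrong in the DNS TXT record itself. This added example (not code from the original article; the domain and records are constructed) parses a DMARC record, reports syntax problems, classifies which rollout stage the record is in, and produces the record for the next stage.

```python
"""Parse and sanity-check a DMARC TXT record, then walk it through the
staged rollout: p=none (monitor) -> p=quarantine -> p=reject.

Added example, not from the original article. Sample records below are
constructed for an imaginary domain (example.com).
"""

# Tag names defined by RFC 7489; anything else is reported as unknown.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    first = record.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= policy tag")
    elif tags["p"].lower() not in POLICIES:
        problems.append(f"unknown policy p={tags['p']!r}")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append(f"unknown subdomain policy sp={tags['sp']!r}")
    if "pct" in tags and (not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be an integer 0-100")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag} URI should be mailto: ({uri.strip()!r})")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            problems.append(f"{tag} must be r or s")
    for name in tags:
        if name not in KNOWN_TAGS:
            problems.append(f"unknown tag {name!r}")
    # Monitoring without a report address gives you nothing to learn from.
    if tags.get("p", "").lower() == "none" and "rua" not in tags:
        problems.append("p=none without rua= means you receive no aggregate reports")
    return problems


def enforcement_stage(record: str) -> str:
    """Classify where a record sits in the phased rollout."""
    tags = parse_dmarc(record)
    p = tags.get("p", "").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if p == "none":
        return "monitoring"
    if p in ("quarantine", "reject") and pct < 100:
        return f"partial {p} ({pct}%)"
    return p


def next_stage(record: str) -> str:
    """Return the record for the next rollout step (none -> quarantine -> reject)."""
    tags = parse_dmarc(record)
    tags["p"] = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}[
        tags.get("p", "none").lower()
    ]
    rest = "; ".join(f"{k}={v}" for k, v in tags.items() if k != "v")
    return f"v=DMARC1; {rest}"  # v= is kept first as the RFC requires


# Constructed sample records for an imaginary domain.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
ENFORCE = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s"
BROKEN = "p=reject; v=DMARC1; rua=dmarc@example.com; pct=150"

if __name__ == "__main__":
    for rec in (MONITOR, ENFORCE, BROKEN):
        print(rec, "->", validate_dmarc(rec) or f"ok, stage: {enforcement_stage(rec)}")
    print("next step after monitoring:", next_stage(MONITOR))
```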
Configuration issues aren’t the only obstacle here. DMARC also suffers somewhat from the
“chicken or the egg” conundrum. Some companies wonder why they should invest precious
resources into testing and deploying DMARC records for their domain when recipient mail
servers don’t bother verifying emails against them. It is commendable that DMARC’s adoption
rate was 60 percent by mailboxes after just one year, but that percentage has only grown by 10
percent as of 2016 according to a recent report by Return Path. DMARC verification by recipient
servers must increase as well, in order to help slow the growing epidemic of spam and phishing.
It is in everyone’s best interest to fully adopt protocol standards like SPF, DKIM and DMARC.
While they may take some effort to deploy, the benefits are more than worth it. Preventing
spammers from spoofing your company’s domain can help you avoid costly reputation damage
and shield your customers from annoying, potentially malicious emails. Enabling DMARC
verification on your own mailboxes for incoming messages can also drastically reduce your
chances of falling for convincing phishing attacks.
Cyber security is a concern for businesses of any size, but it’s especially pressing for smaller
companies.
That’s because they tend to be more vulnerable than larger enterprises. They often lack the
resources and manpower to fully protect themselves from a sophisticated attack, which can
make them very appealing targets.
In fact, Small Business Trends reports that smaller businesses encounter nearly half (43
percent) of all cyber-attacks. What’s scary is the damage that can stem from an attack. Many
companies never recover, and 60 percent of SMBs end up going out of business within six
months.
Protecting your business through effective cyber security processes can literally mean the
difference between averting disaster or being so crippled by it that you have to close your doors.
One area where many organisations go wrong is taking a reactive approach to security rather
than a proactive one. They often end up waiting until something happens and responding to it
rather than taking effective measures to heighten cyber security ahead of time.
This obviously isn’t ideal, but could it put you out of business?
Some Unsettling Statistics
Small Business Trends provides some additional data that puts perspective on the current state
of cyber security attacks.
Studies have found that 55 percent of SMBs dealt with a cyber-attack between May 2015 and
May 2016. They also found that 50 percent experienced data breaches that compromised
customer and employee data during that same period.
So in theory, at least half of all SMBs will suffer from some type of cyber-attack during any given
year. In terms of specific attacks, these were the most common:
• Web-based attack (49 percent)
• Phishing/ social engineering (43 percent)
• General malware (35 percent)
• SQL injection (26 percent)
• Compromised/stolen devices (25 percent)
• Denial of services (21 percent)
In terms of costs, the affected enterprises ended up spending an average of $879,582 to cover
the expenses of damage or theft to their IT assets. On top of this, there’s the issue of disruption
to operations, which resulted in an additional $955,429.
Here’s the problem. Even though most companies are at least somewhat aware of the growing
threat of cyber-attacks, not much is being done about it.
President and Co-founder of CSID, Joe Ross explains that 58 percent of companies have
expressed concern, but a staggering 51 percent have failed to allocate any budget into
mitigating cyber security risks.
There are a variety of reasons why companies are reluctant to invest time and resources into
cyber security. It could be a limited budget, a lack of knowledge, a false sense of security or a
combination of these factors.
Some companies even operate under the assumption that these types of things happen to other
businesses, but it won’t happen to them. Regardless of the reasoning, a reactive approach is a
recipe for disaster.
One scenario could involve your organisation becoming the victim of ransomware where an
attacker hijacks your data and demands compensation for it. Without paying up, your operations
come to a screeching halt, and your revenue plummets overnight.
Another would be having sensitive customer or employee information fall into the wrong hands.
This can lead to everything from identity theft to corporate espionage. Even basic information,
like email addresses, phone numbers and billing addresses, can be of significant value to cyber
criminals and open a can of worms.
You also have to consider the level of disruption that comes along with an attack. Not only does
downtime cost your business serious money, it can tarnish your brand reputation, and many
customers may end up turning to competitors. Hardly anyone wants to risk their own security
and privacy by doing business with a company with inadequate security protocols.
It’s a bad deal all around. If your organisation isn’t taking proper cyber security measures, it’s
something you’ll want to address right away. You’ll want to make the transition from being
reactive to proactive.
It’s clear that the threats modern businesses face are very real. But what can they do in order to
mitigate their risks?
It all starts with a mental shift where there’s a genuine commitment to enhancing cyber security.
This is integral to creating a security-minded culture and lays the groundwork for a real
transformation to begin.
Our philosophy is based upon cyber security by design rather than chance. As cyber criminals
continue to become more sophisticated and advanced with their attacks, it requires diligence
and perseverance to stay ahead.
You need a comprehensive plan that covers all of the core areas and enables you to get your
cyber security to where it needs to be. This involves a five-step process:
1. Define
2. Plan
3. Execute
4. Report
5. Monitor
Defining involves examining where your company is currently at in terms of cyber attack
prevention and determining where you need to be and what your target profile looks like.
Planning is where you develop and implement a plan that will ultimately enable you to attain
your cyber security target profile. It’s where you must devise realistic and actionable steps to
take.
Execution revolves around implementation of the plan that’s based on a specific timeline, while
taking resources and budget into account.
These first three steps are what allow you to initially ramp up your cyber security. They help
catalyse the transformation and get security to where it needs to be.
At that point, reporting and monitoring are what allow you to assess and track the results and
continually fine-tune your security practices. This provides consistent protection even as threats
evolve and advance over time.
Performing Penetration Testing
One of the most effective ways to protect your data assets is to identify potential vulnerabilities
before attackers have the chance to. Penetration testing is a means of accomplishing this and
involves a comprehensive assessment of your web app, mobile app, network and so on.
By pinpointing weaknesses, you can come up with viable solutions to drastically reduce the
attack surface. In turn, you can ensure that your company remains ahead of cyber attackers,
which will give you greater peace of mind.
Developing a Business Continuity Plan
A business continuity plan is based upon devising a strategy and creating a plan of action in the
event of a disaster. If your enterprise is in fact hit with a serious attack, you will have a
sequence of steps in place to minimise the damage and get operations back to normal in the
shortest amount of time possible.
The ISACA’s 2015 Global Cybersecurity Status Report found that only 38 percent of
organisations were prepared for a sophisticated cyber attack. A lack of planning and preparation
could prove disastrous or even fatal for many SMBs.
Research has proven that a reactive approach can be incredibly costly, and even a single attack
puts more than half of all companies out of business. As attacks become more and more
prevalent, the threat level will only continue to rise.
Fortunately, there are numerous ways to protect your organisation, and it all starts with making
the shift to taking a proactive approach.
Being on the offence arms your company with the tools it needs to combat the omnipresent
threat of cyberattacks and gives you a much greater level of control. In the long run, this can
mean the difference between avoiding/withstanding attacks or being ruined by them.
How comfortable are you with your company’s current cyber security, and are there any
specific areas you need to improve upon?
Since the inception of the internet, hackers have used DDoS attacks as a vehicle to sabotage
and retaliate. Today, we see a widening array of DDoS targets and tactics as access to an
increasing number of DDoS-for-hire tools and services significantly lowers the barrier to entry for
anyone looking to cause chaos, benefit from extortion campaigns, gain notoriety or infiltrate
networks.
Anyone can access the depths of the dark web to launch a crippling attack for a nominal price;
DDoS-for-hire botnets offer a subscription-based model enabling the launch of DDoS attacks at
the size, scale or duration required to take a service offline and test existing security defenses.
The anonymity of these services, ease of access and bargain basement prices make it easy for
anyone to launch an attack against unsuspecting victims.
Ransom-driven DDoS attacks (RDoS) – a tactic in which attackers threaten DDoS attacks unless
paid in cryptocurrency – have been a hacker’s extortion tool of choice for several years, and the
activity appears to come in waves. In recent months RDoS appears to have hit another peak in
popularity, targeting organizations across the globe with threats.
September 30 was a key date for RDoS targets – pay up or prepare for a DDoS attack. This
more recent campaign was driven by the well-known hacker group Phantom Squad, and it spanned
industries – from banking and financial institutions, to hosting providers, online gaming
services and software as a service (SaaS) organizations.
Unfortunately, when even one victim chooses to engage with attackers by paying a ransom, we
begin to see an onslaught of these types of attacks. RDoS attacks have grown in frequency as
cyber criminals are constantly on the lookout for more efficient methods to attack systems and
obtain profits. When faced with the costs of their business going offline if a successful DDoS
attack is launched against them, some organizations believe that paying a ransom demand
represents a worthwhile investment.
This approach offers no guarantee that an attack will not be launched, in fact it could result in
just the opposite. It is important to highlight the danger these attacks pose to businesses and
learn how to build a successful defense against them.
Today’s DDoS attacks are almost unrecognizable from the early days of attacks, when most
were simple, volumetric attacks intended to cause disruptions to online services, maybe even
publicly humiliate an organization. Today, the attack techniques are becoming ever-more
complex and the frequency of attacks is growing exponentially. The combination of the size,
frequency and duration of modern attacks represent a serious security and availability challenge
for any online organization. Minutes or even tens of minutes of downtime or latency significantly
impacts the delivery of essential services. As the DDoS attack landscape evolves toward more
sophisticated attack techniques, the objective is no longer focused solely on disruption.
The goal is not only to cripple a website, but rather to distract IT security staff with a low-
bandwidth, sub-saturating DDoS attack. Such attacks are typically short in duration (under 5
minutes) and low in volume, which means that they can easily slip under the radar without being
detected or mitigated by some DDoS protection systems. These attacks are increasingly used
as a smokescreen to camouflage other cyberattacks, including data breaches and data
exfiltration. The disruption caused by the DDoS attack can expose weaknesses in organizations’
cyber defenses or overwhelm other security tools, like firewalls or IPS/IDS, opening the door for
cyber criminals to plant malware or steal sensitive information.
Distinguish DDoS attack activity – Have a clear understanding of your network traffic
patterns. Short duration, low volume attacks can be used as ‘stress tests’ profiling for security
vulnerabilities within your edge security perimeter. Visibility into DDoS activity on your network
is step one in defining your DDoS resiliency plan.
Document your DDoS defense plan – Proactive planning requires both technical and
operational considerations. A comprehensive plan also includes a communication strategy that
spans across all facets of the business, to ensure that key stakeholders are notified and
consulted accordingly.
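The first recommendation above, knowing your traffic patterns well enough to notice a short, sub-saturating burst, is what this added example demonstrates (it is not code from the original article). It learns a robust baseline from per-second request counts and flags bursts that clear the baseline for at least a few seconds but less than the five-minute window the article describes; the traffic series is constructed, and a real deployment would feed flow or firewall counters instead.

```python
"""Flag short, sub-saturating traffic bursts against a learned baseline.

Added example, not from the original article. The traffic sample is
constructed: one request-count reading per second at an imaginary edge
device, with a steady ~100 req/s baseline and two planted anomalies.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Burst:
    start: int        # offset (seconds) of the first anomalous second
    duration: int     # seconds the burst lasted
    peak: int         # highest per-second count inside the burst
    baseline: float   # median rate the burst was measured against


def baseline_stats(series):
    """Median and median absolute deviation; robust to the bursts themselves,
    unlike mean/stddev, which a burst would drag upward."""
    median = statistics.median(series)
    mad = statistics.median(abs(x - median) for x in series)
    return median, mad


def find_bursts(series, factor=3.0, min_seconds=10, max_seconds=300):
    """Return bursts where the rate exceeds median + factor*MAD (floored at
    2x median so a perfectly flat baseline does not alert on noise) for at
    least min_seconds and at most max_seconds.

    Anything longer than max_seconds is a sustained overload that volumetric
    tooling already sees; the point here is the brief burst that stays under
    size-based thresholds and is gone before anyone looks.
    """
    median, mad = baseline_stats(series)
    threshold = max(median + factor * mad, 2 * median)
    bursts = []
    start = None
    for i, value in enumerate(list(series) + [0]):  # sentinel closes a trailing burst
        if value > threshold:
            if start is None:
                start = i
        elif start is not None:
            duration = i - start
            if min_seconds <= duration <= max_seconds:
                bursts.append(Burst(start, duration, max(series[start:i]), median))
            start = None
    return bursts


def constructed_traffic():
    """15 minutes of steady traffic (95..105 req/s, deterministic jitter) with
    a 45-second burst at 4x the baseline and a one-second spike that should be
    ignored as noise rather than reported as an attack."""
    series = [100 + ((i * 37) % 11) - 5 for i in range(900)]
    for i in range(300, 345):
        series[i] = 400
    series[600] = 900
    return series


if __name__ == "__main__":
    for burst in find_bursts(constructed_traffic()):
        print(f"burst at t+{burst.start}s for {burst.duration}s, "
              f"peak {burst.peak} req/s vs baseline {burst.baseline:.0f} req/s")
```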
Vehicles have been connected and on the road for years throughout the nation. This has been
placed in the various vehicles and platforms to better the user experience. The consumers have
enjoyed the radios with added functionality, safety services, convenience of having the vehicle
start and defrost in mid-January while the owner is walking to the vehicle. Other connected
features include the user’s cell phone being connected with the car being a pass through,
current maps to guide the driver to their final destination, and other services to maintain a
seamless transition through life with the vehicle as just another point of existence.
The natural extension of this has been the autonomous vehicle. The autonomous vehicles
projects are closing in and will be a fully realized and executed project in the very near future.
These have been promised by the manufacturing community in the next 5-7 years. Initially these
may cohabitate with user driven vehicles, however the autonomous vehicle systems are where
the driving experience is clearly headed. On a tangent, this also has a number of very useful
and consumer friendly options. The benefits are present on many levels, from efficiency to
safety, and other measures. This will truly be another paradigm shift not only for the auto
market, but also consumers.
Potential Issues
These clearly are, and will be, a fantastic addition for vehicles and fleets. They assuredly
will continue to increase our efficiency and enjoyment of riding to our destination. As
autonomous vehicles become an increasingly integral part of our society, there is one aspect
that has not been properly or fully addressed. If there is any doubt regarding this, consider the
number of vehicle compromises that have already required recalls and OTA updates.
These devices are starting to take over a greater level of the user’s responsibilities in driving,
monitoring, and ownership. With this increasing, the users are more dependent on the vehicle
for these and other functions integral for the user’s experience, e.g. safety.
These functions, the vehicle modules, and the vehicle itself need to be fully secured from
unauthorized access and attempted unauthorized access. The OEMs should use the present
InfoSec standards with equipment. When this has not been accomplished and groups have not
included security into the process, except at the very end, there have been significant issues. If
third party equipment is used with these vehicles, the manufacturer’s efforts at security should
This is required by necessity. Without this in place and actively used, there is a rather direct
positive correlation between a lack of properly applied security and the user being in harm’s
way. If the vehicle’s systems are not secure from attack and compromise, the
vehicle could be directed to brake in heavy traffic, make a sharp right turn on the
expressway during rush hour, or follow other malicious driving patterns the vehicle would normally
not execute.
This is not an easy task. The vehicle is a rather complex machine. Mechanically, there are many
different systems interacting and communicating within the vehicle. The electronics present a
separate and distinct set of security parameters. The attack points, physical and wireless, are
massive in number in a vehicle. To test every point repeatedly would require a large amount of
time.
On another point, the security surrounding the vehicle is not static. The red teams may test a
module or vehicle, recommend remediation for any issues, and once implemented believe the
subject is secure. As time passes however, there may be more insecure areas and attack points
that are present. This moving target makes security ever-changing and interesting.
Solution
With the complexity involved, any security function needs to be fully integrated throughout the
modules, guarding the process and embedded devices. The best alternative is to maintain a
quality research implementation from the design stage forward. Too many times, security is
thought of within the last stage prior to production, and the interested parties then are
substantially rushed. At this point also, any changes may need to be implemented with the next
iteration of the part or module, which allows for the end users to have their vehicle open to
compromise until the change or patch is applied to their vehicle’s application.
This does deserve more attention and focus from manufacturers at all levels. Until this is
implemented in the appropriate manner, there will continue to be the extra costs for recalls and
too many patches being uploaded.
DRP is a Cybersecurity Lab Engineer focused on securing the world for the users one module
at a time. DRP’s interests include the intersection of AI & ML and automotive cybersecurity.
by Mary-Michael Horowitz
It seems like every business is trying to improve its company culture. And that’s a good thing.
An effective culture is built on solid values and a core purpose. It gives employees the
opportunity to understand what makes the company tick – what its beliefs are, what its goals are
and how each person can help move the business forward.
In the same way, I encourage businesses to think about creating a culture of cybersecurity.
Ensuring your business, and its data, stay safe from the many cyber threats lurking in the ether
means constant education and discussion so that each team member understands how to
safeguard the business and demonstrates that day in and day out.
Maria from accounting notices a suspicious looking email in her inbox and realizes it’s
likely a phishing email, so she doesn’t open it. Feeling proud that she spotted the email
before opening it, she moves on to the next task at hand. She figures since she didn’t fall
for it, there’s no need to do anything else. She never reports it.
Hackers often send out mass amounts of phishing emails – possibly to employees within
the same company – looking for the weakest link. So while Maria didn’t take the bait, her
coworker who receives a similar email the next day might. Reporting suspicious emails
allows IT and company leaders to create awareness around the issue.
What if Maria had fallen for the phishing email but still didn’t tell anyone? The
consequences could have been tragic. It’s important to create a workplace where people
feel open and invested. Instilling fear in employees for reporting cybersecurity issues
won’t help. Instead, offer an incentive or award. For example, give a special treat to
those who report a phishing email.
Mary-Michael Horowitz is VP of sales and operations at Asylas, a security, privacy and risk
consulting firm located in Nashville, TN. She works with small- and medium-sized businesses to
align business goals and objectives with technology solutions that fit for today and plan for the
future.
Ransomware, IoT attacks, phishing, cloud vulnerabilities—there are plenty of reasons for the
increase in SecOps workloads. To reduce this growing burden on security analysts, many
SecOps teams are exploring new security architectures and uses of automation.
SecOps teams have a wealth of solutions—and acronyms—to choose from. They can evaluate
Security Automation and Orchestration (SAO) products, Security Orchestration Automation and
Response (SOAR) products (recommended by Gartner), or products based on a Security
Operations and Analytics Platform Architecture (SOAPA) (recommended by ESG).
SAO, SOAR, and SOAPA vary in several ways, including how much they rely on orchestration
and various types of automation.
How should a SecOps team decide which approach is right for them?
A good first step for cutting through the fog is to distinguish analytics from automation. Analytics
is a tool that helps analysts with their manual investigations. It produces data and insights for
evaluating alerts and IOCs. Most of an analyst’s time is unproductively spent on sifting out the
false positives by having to investigate each one.
Today, analytics supports decision making by the analysts. However, intelligent automation
must replace analytics with decision science. The automation itself needs to be advanced
enough to accurately weed through the torrents of false positives and mark them as such.
Analytics is not automation, and we should not be comparing them in the same bucket.
Orchestration and automation solutions help tie together the various steps and moving pieces in an
investigation workflow. However, the act of determining whether an alert is a false positive still falls
upon the analyst. In most customer situations, we see that analysts receive hundreds of alerts a day,
and typically 90-95% of these will be false positives. The decision-making burden on analysts is still
tremendously taxing, expensive, and unmanageable.
We fundamentally believe that automation can help analysts tremendously, not just with
repetitive actions, but more impactfully with key decision making several dozen times a day.
TYPES OF AUTOMATION
When evaluating security automation products, it’s useful to reference Harvard Business
Review’s three main types of automation. The ones that apply to security automation are:
Robotic process automation automates high-volume, low-complexity, and routine tasks. These
tasks might be physical, such as installing a rivet, or they might be software-based, such as
transforming a data set according to a set of rules and transferring the output to a file server.
Cognitive automation addresses complex, non-routine, creative, or exploratory tasks, which can
involve pattern recognition on large data sets and decision-making based on the results of that
pattern recognition. Cognitive automation has recently achieved major breakthroughs in areas
as diverse as language translation (e.g., Google Translate) and vehicle navigation (e.g., self-
driving cars).
How are these various types of automation applied in today’s SecOps offerings?
The vast majority of automation in SecOps today is robotic process automation. For example,
when an orchestration product processes a directive to close a specific firewall port or open a
trouble ticket, that’s robotic process automation. A well-defined process has been performed
quickly and efficiently, but the process itself hasn’t been changed or optimized, and the SecOps
system itself learns nothing from the experience.
To sort false positives from genuine security threats requires advanced cognitive abilities. A new
generation of SecOps solutions applies cognitive automation to improve the accuracy of threat
detection and thereby accelerate the mitigation of threats.
These new security automation products apply Machine Learning techniques to rapidly analyze
SIEM alerts and other contextual data. Their deep ranking and correlation algorithms perform
analysis far more sophisticated than the simple rule-based matching used by SIEM systems.
These products can even take into account the context of events, which enables them to more
easily identify false positives. Unlike robotic automation products that operate by rote, cognitive
automation systems accept feedback and tuning from security analysts, so they can learn from
experience and become more accurate over time.
● Incident Response – Use orchestration that applies robotic automation to open tickets and make
configuration changes to mitigate threats.
● Alert Triage – Orchestration is helpful for collecting investigative data, but for optimal results, use
cognitive automation to distinguish false positives from genuine threats and to quickly understand
those threats so they can be stopped.
With this rubric in mind, SecOps teams can develop strategies for investing in new security
technologies, confident that they have aligned new product capabilities with specific work
requirements in the SOC.
If a SOC is overwhelmed by the volume of security alerts they are receiving, they should invest
in cognitive automation. Automating analysis of alerts can greatly speed the identification of
false positives, dramatically reducing the number of alerts that analysts need to investigate. In
some enterprises, cognitive automation has been able to reduce false positives by as much as
95%.
Additionally, if a SOC is concerned about detecting Zero Day threats or data breaches that
might leave a network vulnerable for weeks or months, then cognitive automation is a must.
Machine Learning that goes beyond the rule-based analysis of SIEMs will be able to detect
threats that most of today’s security products overlook.
SecOps teams should explore intelligent automation solutions today so they will be prepared for
an even busier and more vulnerable future.
There have been few attacks in the last five years that have been more successful, overall and on
average, than the phishing campaigns that have run rampant through the global email systems.
The users seem to want to click, click, click, and click again on the links and images. In the
newer variants, the user is directed to a URL to enter into their web browser as an additional
attack vector. This may be noted directly in the email, or in a partially obscured PDF that gives
the URL to visit in order to retrieve the document supposedly intended for the user.
A corporate environment can provide training on what to be wary of in these emails, forward
email alerts about current scams with or without examples, and put up posters in the offices and
cafeteria listing the obvious things to look for; unfortunately, there will still be a subset of users
who click, sometimes multiple times, on a phishing email.
After this activity, the user may feel embarrassed or fear being ostracized and not immediately
tell the InfoSec team, which only further exacerbates the situation. The general format for these
attacks has been general phishing or spear phishing emails. There are subtle varieties of these,
modifying the target or delivery; however, the intent and initial delivery methodology are
mundane.
Among the overall phishing campaigns, one form has been exceptionally profitable for the
phishers in the last three years. The emails do have to be customized; however, it merely takes one
hapless finance or accounting staff member to ruin the week or quarter by relying on them. The
amounts fraudulently obtained have ranged from tens of thousands of dollars to several million.
Enter MacEwan University. On August 23rd of this year, the University detected the issue.
The phishers sent a series of emails that convinced the staff to change the bank routing
number they had been using for one of their primary vendors. Through that series of emails,
the phishers worked to take on the identity of the University’s primary vendor.
The detrimental end result was that $11.8 million in Canadian dollars of the University’s funds were
transferred to a Canadian bank and subsequently to Hong Kong. This is neither the smallest nor the
largest sum fraudulently obtained via this form of attack; however, it is rather significant.
A bank routing number change is not a normally occurring event. It is generally an
anomaly, which may warrant a simple follow-up action. Although regular training, email alerts,
and other cybersecurity activities do not guarantee this will be caught, they certainly help and
diminish the pool of potential people an attacker may succeed with. As a lesson, training is
beneficial; however, it is still the user who makes the choice to click. If the user has even a
slight level of concern, a simple phone call should be made.
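A control of the kind this lesson points to, as an added example that is not from the article or the university: every vendor banking change is held until it is confirmed by a call to the phone number already on file (never a number quoted in the request), and a sender domain that differs from the vendor's usual one is flagged. The vendor record, the lookalike domain and all numbers are constructed sample data.

```python
"""Out-of-band verification control for vendor banking changes (added example)."""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    """Vendor master record as held by accounts payable (constructed sample data)."""
    name: str
    email_domain: str      # domain the vendor normally writes from
    routing_number: str
    account_number: str
    contact_phone: str     # number on file, never one quoted in the requesting email


@dataclass
class ChangeRequest:
    """A request, received by email, to change where a vendor is paid."""
    vendor_name: str
    sender_email: str
    new_routing_number: str
    new_account_number: str
    callback_verified: bool = False   # True only after a call to the number on file confirms it


@dataclass
class Decision:
    outcome: str            # "accepted", "no-op" or "hold"
    reasons: list = field(default_factory=list)


def review_change(vendors, req):
    """Decide whether a banking change may be applied. Returns a Decision and never
    applies a change that has not been confirmed out of band."""
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return Decision("hold", ["unknown vendor; verify with procurement before proceeding"])

    unchanged = (req.new_routing_number == vendor.routing_number
                 and req.new_account_number == vendor.account_number)
    if unchanged:
        return Decision("no-op", ["banking details match the vendor master record"])

    reasons = []
    # A routing or account change is itself the anomaly worth following up on.
    if req.new_routing_number != vendor.routing_number:
        reasons.append("routing number change requested")
    if req.new_account_number != vendor.account_number:
        reasons.append("account number change requested")

    # A sender domain that differs from the vendor's usual domain suggests impersonation.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        reasons.append("sender domain %r differs from vendor domain %r"
                       % (sender_domain, vendor.email_domain))

    if not req.callback_verified:
        reasons.append("not yet confirmed by phone at number on file %s" % vendor.contact_phone)
        return Decision("hold", reasons)

    # Confirmed out of band: apply the change and keep the reasons as the audit trail.
    vendor.routing_number = req.new_routing_number
    vendor.account_number = req.new_account_number
    return Decision("accepted", reasons)


# Constructed sample: one vendor on file and a request from a lookalike domain, in the
# pattern of the university case above (every value here is invented).
VENDORS = {
    "Example Builders Ltd": Vendor("Example Builders Ltd", "example-builders.test",
                                   "111111111", "222222222", "+1-555-0100"),
}


def demo():
    """Review a lookalike-domain request that asks for a new routing number."""
    suspicious = ChangeRequest("Example Builders Ltd", "accounts@examp1e-builders.test",
                               "333333333", "222222222")
    return review_change(VENDORS, suspicious)


if __name__ == "__main__":
    result = demo()
    print(result.outcome)
    for reason in result.reasons:
        print(" -", reason)
```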
DRP is a Cybersecurity Lab Engineer focused on securing the world for the users one module
at a time. DRP’s interests include the intersection of AI & ML and automotive cybersecurity.
The increase in ransomware attacks has created security challenges for companies, and CEO roles
have expanded to include cybersecurity. As CEO you can take steps to minimize these
potential threats. Prepare your company and take precautions to avoid costly data breaches.
Hacks can hurt the company financially and ruin its reputation and brand.
Here are nine steps that CEOs can take to promote cybersecurity.
Once you have a clear picture of what practices are in place, you can identify areas that need
improvement. Work with other company leaders to develop a cybersecurity plan throughout the
company. Keep your security protocols updated to stay on top of new security threats.
Each employee needs to understand what rules are in place. When a breach occurs, employees
should know what to do. Communicate changes to the whole company to lessen the chance of
a security breach.
An annual security assessment can be a powerful tool to prevent and identify a breach.
Regulations such as HIPAA (for compliant hosting) and PCI require companies to perform these
evaluations. A security risk assessment (SRA) allows a company to identify key risk areas in the
network from the point of view of a hacker.
After the SRA, the CEO decides where to allocate resources and security solutions. The size
and complexity of the network determine whether specific areas need to be prioritized or if the
approach can be more generalized.
A CEO and the board decide what level of risk is acceptable for the company. An SRA cannot
eliminate all security risks. It identifies potential targets that hackers may go after so that you can
protect those areas. Company resources are finite, but the assessment can assist with the
prioritization.
Establish a partnership with the company's Chief Information Security Officer (CISO).
In recent years, most CISOs have been connected to the company's leadership team, and in
half of the companies, they are a member of the executive leadership team. A CEO must
understand and carry out security procedures throughout the entire enterprise. Together with
the CISO, you can run threat assessments and review the results.
Consult the CISO on new projects early on in the planning phase so that they can find ways to
improve security. It is easier to integrate security measures during the development rather than
after the fact. The CISO will work with each team to find ways to meet the project goals in a way
that complements security protocols. Then it is up to the CEO to make sure that the teams
follow through and stay accountable.
Security awareness programs train employees to identify network threats. An effective training program
stays up to date to meet new security threats. An outdated program wastes time and resources.
Take an active role in security awareness programs. By supporting these programs, you send a
message to employees on what they can do to promote cybersecurity awareness. It is also up
to your leadership to keep employees, managers, and other executives on track.
Involving yourself in the training program helps to measure its effectiveness. You can see how
many users have completed the training program, along with parts that they found helpful.
Employee surveys can provide feedback, and you can identify areas that need improvement.
A risk assessment identifies areas in your IT security that need to be improved. Whenever your
company adds new equipment or software, you should make sure that it keeps the existing
network secure. Cybersecurity becomes more relevant as your business continues to add these
new tools.
By the year 2020, there will be between 20 to 30 billion connected devices in the world.
Connected devices provide useful information, but unprotected they can be a liability. Adapt
your security protocols to reduce or eliminate these liabilities.
Place a higher priority on mobile and connected devices. The cell phone that lets you
connect to your business email can be a spot that hackers can exploit. By understanding how these
devices fit into the network, you can make the changes needed to strengthen it.
DECENTRALIZE ACCESS
People, not technology, are the weakest point in your network.
Having a CISO can help to identify possible breaches. How do you find the right CISO for your
company? Here are some of the key traits you should look for in a CISO.
You want a person that has a strong background in information security. They should be able to
keep an open perspective as well. When needed, they should be able to consult with outside
specialists to identify threats before they become an issue.
As the CEO, it is your job to bridge the gap between security officers and the board. Encourage
your CISOs to use business language in their reports for easy understanding.
Security training should occur on a regular basis. Most companies train on an annual basis but
can benefit from more frequent training. Quarterly or biannual meetings can help to reinforce
defensive behaviors. By improving these programs, you can communicate updates with your
employees as they occur.
Cybersecurity is an important part of every employee's job. As the CEO, you need to be a
role model for the company. Display proper security behavior, and create an environment where
security is constantly evolving. Create a culture that promotes awareness so employees can
find weak spots in security.
Ransomware targets many worldwide institutions and businesses in all sectors. Software used
to steal information has become commonplace, and criminals for hire are not in short supply.
Many hacked victims have one thing in common. A part of their network is out of date, and
hackers exploit this vulnerability to enter the company's network.
An overextended IT department can have issues with keeping all of the devices on the network
up to date. A security threat assessment can identify these devices that can be exploited by
hackers. Once these threats are identified, you can create a schedule that ensures that devices
are not being skipped over.
Tools are available that can help to test your existing security. Anomaly detection tools can spot
unusual patterns in the network and user behavior. Penetration testing can also identify
weaknesses in the network.
Cyber Defense eMagazine – November 2017 Edition
Active defense techniques are an area that has developed in the network security world. Active
defense techniques can embed programs in the data that will attack the hacker's computer if
data is stolen. These techniques can have legal issues and would need approval from a CEO
before being used.
A security breach can create both financial and legal issues for your company. When your
business becomes a victim, you need to know how to respond to minimize the damage. Some
companies minimize risks by transferring liability to a third party. Securing data on a cloud
service cuts costs and increases flexibility.
Cloud providers maintain security to protect their clients' data and function as a data backup.
Security risk can also be transferred to the provider, or cyber liability insurance can be
purchased by your company. If a breach occurs, react quickly. Identify when and where the
breach occurred. You should work with your security team to gather information. This will help
you figure out if any information is stolen so that you have a complete picture of the situation.
Staying on top of the issue will minimize the damage so that you can work on recovery as soon
as possible.
Conclusion
Having the right cybersecurity culture can help with protecting your company's valuable data.
These nine methods will contribute to strengthening your organization's cybersecurity.
Jessica Anderson is a cybersecurity enthusiast and writer who studied journalism at Rhodes
University. She is working as Director of Public Relations in Phoenix NAP LLC. Jessica can be
reached online at jessicaphoenixnap@gmail.com and her company website
https://phoenixnap.com/
Phil Cracknell, Chief Information Security Officer (CISO) at Homeserve, is speaking alongside
senior public and private sector figures at the 16 November Cyber Security Summit in London,
shining a spotlight on the challenges facing Cyber Security practitioners.
He is keen to bring focus onto the lack of quantification in Cyber Security, pointing out that
“What good looks like is becoming increasingly important”, and as such, the ability to define
what constitutes “good” Cyber Security takes priority.
Phil has long made strides in developing co-operation between CISOs with a number of
purposes, one of which is the quantification of Cyber Security standards. Initially focusing on
“anonymous surveys of CISOs to fill the void of information regarding breaches”, this work has
since evolved into The Metrics Project.
The Metrics Project focuses on defining the mechanisms and language used to measure the
effectiveness of Information Security, with over 50 UK CISOs involved. As the collective work of
over 350 CISOs over its current lifespan, and purposely avoiding vendors and analysts thus far,
the Metrics Project focuses on developing something that will deliver true value to the
businesses of those involved, in Phil’s words – “By the CISO, for the CISO.”
Phil emphasised the role of metrics as “very much the key to our future” in measuring and
validating the effectiveness of Cyber Security. “Businesses are waking up to the fact that they
need metrics and risk indicators that our board, audit committees and non-executive directors
are able to understand.”
Promoting a “report what you should, not what you can” mind-set from organisations, Phil
suggests metrics have the ability to affect business practice in a number of ways. “Metrics can
demonstrate effectiveness, measure exposure and agility, test organisation culture, pinpoint
responsibilities and highlight levels of investment”, all of which provide great insight into a
sector and tangible, measurable indicators of Cyber Security suitability.
Suggesting the current focus by security providers on product and technology may not be the
optimum strategy going forward, Phil draws attention to the softer skills involved in effective
Cyber Security. “Security leads are still procuring solutions that don’t address their top issues or
risks.
Good risk management will avoid this, and of course a solution for a risk doesn’t always have to
involve buying hardware, software or a service at all”. Instead, Phil advocates an introspective
business model, with training of staff and improved process management.
Casting a glance to the future, Phil addressed the rising trend in both work and society of ‘Bring
your own Device’, and the risks associated with such a trend – “With our corporate perimeters
expanding and even disappearing entirely, and the prevalence of personally owned devices in
our work environments, businesses should concentrate on protecting the contents, not the
containers, and identify critical data.”
Phil Cracknell will talk as part of the Cyber Security Summit at 3:30pm on 16 November, with his
address Measuring Success: Metrics for Cyber Security Strategy. He is speaking alongside
senior public and private sector figures, including Mark Sayers, Deputy Director of Cyber and
Government Security at the Cabinet Office, and Chris Ulliott, Chief Information Security Officer
at the Royal Bank of Scotland.
Author: David Roberts, Event Director at GovNet, organizer of the 16th November Cyber
Security Summit and Expo, and co-located GDPR Conference at the London Business Design
Centre.
Global optical transport networks have a little-known secret that keeps cybercriminals up at
night: It’s called analytics. Every time an attack is launched, whether it is theft of Equifax user
data or one of an estimated 4,000 ransomware attacks that occur daily, malicious actors leave a
trail of data that could be used to uncover their activities. Analytics derived from the physical
transport network can be employed to give cyber threat hunters an advantage in collecting this
data.
Cyber intelligence officials often don’t see the data that could identify criminal activity because it
is typically obscured by contemporary monitoring methods that strip away and discard
information that could be used to locate malicious activity.
Additionally, rapid technology changes occurring across long-haul transport networks are
making it more difficult to search for cyber threats. As transmission speeds accelerate and the
volume of traffic expands exponentially, it further impedes efforts to gain real-time visibility
across all of the pipes that feed into modern optical transport networks.
That could all change as analytics and orchestration take a larger role in network access and
monitoring technology. Providing greater information on where and when attacks occur could
lead to the type of intelligence that turns the tables on cyber terrorists.
Modern cyber intelligence applications hunt down aggressors and malicious activity. Successful
solutions should proactively and iteratively search through networks or datasets to discover and
react to advanced threats that evade traditional rule or signature-based security solutions.
This search starts with comprehensive traffic visibility because cyber intelligence agents cannot
find what they cannot see. Trained cyber analysts will rely on automated tools that correlate
information from data collected across multiple platforms to provide actionable intelligence. A
combination of skilled professionals and capable tools provides the necessary backdrop for
successful threat hunting.
Discovery starts by analyzing each of these data points across an entire monitored network or
unique network segments. These network parameters can be used to characterize the optical
network and may be tracked over time to gather historical trends over days, weeks, months or
years.
With access to current and historical information, network monitoring applications can identify a
baseline for how the network is expected to operate. More importantly, it presents the
opportunity to detect abnormal network behavior and provide early warning of a network attack
or threat. This visibility is provided through the collection of data across the network by
orchestrating the monitoring tools used to access each optical transport layer. The data can be
used to expose network trends, unusual events and provide comprehensive, real-time
understanding of the monitored network.
By providing continuous visibility through complex multi-layer transport networks, this advanced
cyber threat-hunting capability offers automated responses to network provisioning changes and
removes the need for costly on-site engineers and additional equipment.
The application of analytics in this situation offers flexible alarm reporting where an end user
can create thresholds based on various network parameters including traffic types, transport
overhead information and monitored traffic bandwidth. Each threshold setting can be used to
trigger alarms notifying surveillance operations centers of configuration changes to the
monitored network. Armed with this information, cyber intelligence agents can then initiate the
appropriate response.
Modern cyber intelligence missions require comprehensive optical network analytics to pair with
their current cybersecurity tools, to conduct real-time and post-mortem analysis and best protect
networks from future attacks.
Cyber warfare has clearly become more dangerous as it matures. Enterprises and government
agencies are increasingly seeking improved methods for identifying threats by using data from
advanced network monitoring applications.
However, cyber intelligence tools focused only on IP traffic analysis often miss valuable
information from the physical transport network. Use of progressive optical network analytics
can reveal anomalies that can enhance cyber threat hunting tasks. Cyber intelligence missions
are pairing these comprehensive optical network analytics with current cybersecurity tools to
maximize success.
With an incredibly active threat landscape today, there is a plethora, perhaps even an
overwhelming number, of options to consider to ensure your company’s cyber safety. One of the
first “basic” items on your security checklist should always be to have the proper SSL
certificates in place.
SSL certificates offer the strongest encryption to ensure your website is protected. Customers
and visitors to your site will be confident knowing their browsing session is safe and that
information such as payment details and personal information are secure and encrypted.
Security professionals understand that, among the varying levels of certificates, Extended
Validation (EV) certificates are the “gold standard”. They activate the browser padlock and https,
and show a company’s corporate identity, which assures your customers that you take security
very seriously. They also lend more credibility to a website.
All certificates should be obtained from a reputable Certificate Authority (CA). Research
carefully and be wary of lower-level certificates, such as free Domain Validation (DV) certificates,
as some have been linked to dangerous phishing scams.
What’s got lots of tongues wagging these days is related to the fallout from Google’s dispute
with Symantec.
This began two years ago when Google engineers discovered Symantec had accidentally
mis-issued 127 SSL certificates. The issue rose to prominence again in March of this year when
Google announced that it had uncovered more concerns with Symantec’s certificates, alleging
the company had mis-issued more than 30,000 certificates. Then in August, Symantec decided
to exit the web certificate business and sell it to Digicert.
The end result is that by mid-April 2018, all Symantec-issued certificates obtained prior to June
1, 2016, will be marked as untrusted by Chrome 66. Then by the end of October 2018, all
certificates that are chained to Symantec's pre-December 2017 rooted infrastructure will be
untrusted by Chrome 70.
With the sweeping changes being implemented by Google (and Mozilla by extension), some
companies may be considering making a switch to a new SSL service provider.
While it’s not necessarily an extremely complex process, it will be necessary to plan this out. It
is also strongly recommended you give yourself enough time to determine whether you want to
remain with your current CA, or if you do indeed want to jump to a new one.
If you’re strongly considering making a switch, following are some important steps to consider.
At the outset, it will be important to survey and assess your existing certificates, your company’s
needs and your usage. You should also inventory everything so you know what
needs replacing once you decide to make a switch. In addition, it will be necessary to identify
which of your team members will manage your new account. Making sure you train these
individuals on the new GUI (graphical user interface) is key, and you should factor any training
time into your transition timeline.
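An added example of the inventory step, not from the article: it parses the text that `openssl x509 -noout -subject -issuer -dates` prints for each certificate and sorts the Symantec-chained ones by the Chrome 66 and Chrome 70 dates given above. The brand list used to spot legacy Symantec issuers and the sample inventory are assumptions constructed for the example; a production check would walk the real chain to its root rather than match issuer text.

```python
"""Triage a certificate inventory against the Chrome Symantec distrust timeline (added example)."""
import re
from datetime import datetime, timezone

# From the article: Chrome 66 distrusts Symantec-issued certificates obtained before 1 June 2016,
# and Chrome 70 distrusts everything chained to Symantec's pre-December 2017 roots.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
DEADLINES = {"chrome66": "mid-April 2018", "chrome70": "end of October 2018"}

# Assumption: issuer brands that ran on the legacy Symantec root infrastructure. Matching on
# issuer text is a first-pass heuristic; the authoritative test is which root the chain ends in.
LEGACY_SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")

_FIELD = re.compile(r"^(subject|issuer|notBefore|notAfter)=(.*)$")
_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # openssl prints e.g. "May 10 00:00:00 2016 GMT"


def parse_openssl_output(text):
    """Parse the output of `openssl x509 -noout -subject -issuer -dates`, concatenated for
    several certificates. Each record starts at a subject= line; dates become aware UTC datetimes."""
    records, current = [], None
    for line in text.splitlines():
        match = _FIELD.match(line.strip())
        if not match:
            continue                          # blank lines or anything we do not recognise
        key, value = match.group(1), match.group(2).strip()
        if key == "subject":
            current = {}
            records.append(current)
        if current is None:
            raise ValueError("%s= line before any subject= line" % key)
        if key in ("notBefore", "notAfter"):
            value = datetime.strptime(value, _DATE_FMT).replace(tzinfo=timezone.utc)
        current[key] = value
    return records


def is_legacy_symantec(issuer):
    """Heuristic: does the issuer name carry one of the legacy Symantec brands?"""
    issuer = issuer.lower()
    return any(brand in issuer for brand in LEGACY_SYMANTEC_BRANDS)


def triage(record):
    """Return (status, deadline) for one parsed certificate record."""
    if not is_legacy_symantec(record["issuer"]):
        return ("unaffected", None)
    if record["notBefore"] < CHROME66_CUTOFF:
        return ("distrusted by Chrome 66", DEADLINES["chrome66"])
    return ("distrusted by Chrome 70", DEADLINES["chrome70"])


def replacement_plan(text):
    """Affected certificates only, earliest Chrome deadline first, then by expiry date."""
    rank = {DEADLINES["chrome66"]: 0, DEADLINES["chrome70"]: 1}
    plan = []
    for rec in parse_openssl_output(text):
        status, deadline = triage(rec)
        if deadline is not None:
            plan.append({"subject": rec["subject"], "issuer": rec["issuer"],
                         "status": status, "deadline": deadline, "notAfter": rec["notAfter"]})
    plan.sort(key=lambda r: (rank[r["deadline"]], r["notAfter"]))
    return plan


# Constructed sample inventory: hostnames, issuer names and dates are invented for this example.
SAMPLE_INVENTORY = """\
subject=CN = shop.example.net
issuer=C = US, O = GeoTrust Inc., CN = GeoTrust Example Secure CA
notBefore=May  3 00:00:00 2017 GMT
notAfter=May  3 23:59:59 2019 GMT

subject=CN = www.example.com
issuer=C = US, O = Symantec Corporation, CN = Symantec Example Secure Server CA
notBefore=Mar  1 00:00:00 2016 GMT
notAfter=Mar  1 23:59:59 2018 GMT

subject=CN = api.example.org
issuer=C = US, O = DigiCert Inc, CN = DigiCert Example Server CA
notBefore=Oct 20 00:00:00 2017 GMT
notAfter=Oct 20 12:00:00 2019 GMT
"""

if __name__ == "__main__":
    for item in replacement_plan(SAMPLE_INVENTORY):
        print("%-24s %-26s replace by %s" % (item["subject"], item["status"], item["deadline"]))
```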
Also important during the certificate authority switch is API integration. If you have one with your
current CA, there will need to be a similar integration with your prospective new CA who should
have satisfactory API documentation, and be able to provide support and guidance throughout
the on-boarding process.
Another critical element in this process will be estimating the costs involved of a switch. You
should be thinking about everything from capital and operational expenditures to annual costs,
product definitions and any set-up fees you’ll incur with the new CA.
During this process you should insist on a solution that includes comprehensive SSL certificate
management. This service helps customers discover, inventory and manage all SSL certificates
across their network and cloud services. Most CAs today offer this to reduce risk and respond to
threats, but also to control SSL costs.
Finally, when comparing managed SSL providers, be sure you place an importance on the fact
that you are essentially picking a business partner, not just a product, as this is a relationship
that goes well beyond just its delivery. Your organization will have a dependency on the CA long
after they have issued your certificates.
Your prospective new CA should also be able to provide you with the highest-security,
feature-rich SSL certificates. They should also be able to provide sound advice on security initiatives,
take your business needs into consideration when making recommendations, and provide you
with tools to verify that your web server configuration has been optimized to guarantee
maximum security.
For years, we’ve heard the same things over and over again about the challenge of
cybersecurity. Attackers will always be one step ahead of organizations. The amount of
malware they’re producing is overwhelming and increasing every day. Compromise is
inevitable.
But with the adoption of machine learning, security technologies are providing organizations
with new ways to tackle this seemingly intractable problem. Models can process extremely large
datasets and be trained to identify similarities in malware samples that make them distinct from
good software. Retraining the models can also be automated to keep pace with the massive
influx of new and changing samples that overwhelm traditional solutions.
There are, however, a couple of caveats that present challenges to machine learning and limit
the level of accuracy these models can achieve.
● Caveat #2: Models need to be constantly refreshed: Attacks evolve. New techniques and
new malware appear constantly. As a result, as time passes, machine learning models
designed to detect malware gradually deteriorate. Their accuracy suffers, with new malware
samples slipping past them and updates to legitimate software triggering false positives. To
compensate, some vendors use whitelisting and blacklisting, which increases management
costs and doesn’t solve the underlying problem. It’s not until a model can be retrained on new
samples that accuracy can be restored. And then the cycle begins anew.
With these caveats in mind, it’s worth noting the adoption of machine learning for security
purposes is still in its early stages. As analysts point out, many models lack refinement and
currently serve as “coarse-grained filters” that operate with a clear over-sensitivity to malware
versus goodware. That’s because the vendors behind them have often found themselves facing
a difficult choice between providing wider coverage (blocking more malware) or more accurate
coverage (making sure malware is the only thing getting blocked). In those cases, wider
coverage wins nearly every time. As a result, false positives have become the accepted price of
protection, even though they are well understood to be a prohibitive barrier to effective roll-out
and come at considerable cost.
As more security vendors turn their attention to successfully harnessing machine learning,
however, significant advances are being made that may eventually make that “necessary”
sacrifice a thing of the past.
A DIFFERENT APPROACH THAT INCREASES ACCURACY
To maximize coverage and accuracy, the approach to machine learning we take at Barkly
involves nightly training of our models (which keeps protection up-to-date) as well as the
creation of organization-specific models trained against each company’s unique software profile.
Not only does that allow our models to be more current and responsive to the newest threats, it
also allows them to be less reactive to the legitimate goodware deployed in each environment.
Here’s how it works: Each night, we collect thousands of samples of new malicious software,
and we combine those samples with up-to-the-minute data on the known-good software
organizations are running. We then re-train and redistribute the updated models, which have
been tailored and optimized specifically for each organization. Thanks to that cadence, we’re
able to provide more accurate, maximized protection that maintains its strength over time.
We believe this new, responsive approach represents an exciting step forward in the way
security providers can apply machine learning. But the truth is we still have a very long way to
go before we tap the technology’s full potential. As adoption of machine learning becomes more
prevalent we’re eagerly anticipating more breakthroughs that tip the scales against attackers.
A report from Lloyd’s of London recently claimed that a global cyber attack could result in up to
$53 billion in losses, putting the potential financial impact of a cyber incident on par with that of
a major natural disaster. The cybersecurity events that took place around the world this year
demonstrate how very real those predictions may become. Some companies are still reeling
from the NotPetya attack in June, with several claiming they may never completely recover from
the damage to their systems. The three largest cyber attacks this year – WannaCry, NotPetya,
and Bad Rabbit – all involved the use of ransomware, which will continue to hit private and
government networks around the globe.
These and other incidents indicate that malicious actors are gaining rapid momentum and
becoming increasingly sophisticated. In 2018, cybersecurity professionals can surely expect to
see more of the same from this past year, along with a handful of new challenges. In order to
prepare for the next wave of emerging threats, organizations should look closely at the top
trends expected to hit the global cybersecurity landscape. These include:
1. Increasing IoT issues: The threat landscape is increasing at an incredible rate, with
connected devices in the workplace and in our homes playing a big role in that evolution.
Security isn’t typically built into Internet of Things (IoT) devices, autonomous vehicles,
and other ‘smart’ technology, making them uniquely vulnerable to malicious threat
actors, as we’ve seen with several high-profile distributed denial-of-service (DDoS)
attacks. In October of last year, hackers launched the Mirai botnet to execute a massive
DDoS attack on Internet domain provider Dyn, using infiltrated connected household
devices such as DVRs and cameras. Many mainstream websites, including Twitter and
Spotify, were impacted. Attacks are already wide-reaching across the globe, with no
specific region as a primary target. The new year will likely bring further attacks involving
hijacking of connected technology, and organizations will need to work diligently to
ensure they are resilient against this breed of threat.
2. Mounting cyberwarfare and malware activity: Cyberspace has become the new
battlefield for modern warfare, providing state-sponsored malicious actors with an
inexpensive, highly-effective, and globally-accessible platform to steal money and wreak
havoc. Cybersecurity researchers are increasingly reporting on malicious activity that
they suspect is state-sponsored, including the use of ransomware. Infrastructure is also
being targeted. Dragonfly, a group that is believed to be nation-state-run, has
successfully intruded networks that control elements of U.S. power infrastructure and is
conducting increasingly sophisticated multi-stage attacks. The CrashOverride malware
used to cause the 2015 and 2016 power outages in Ukraine is another red flag that
demonstrates the types of targets politically-motivated malicious actors are pursuing.
Cyberwarfare is starting to spill over into private industry and businesses must be
prepared for critical areas such as healthcare and other public safety systems to become
targets.
Cybersecurity is a dynamic field, and it is difficult to predict exactly what we’ll face tomorrow, let
alone in a year. But implementing holistic programs that are intelligence-led and built on lessons
learned from previous incidents is the most effective approach to ensuring a more secure and
resilient future. Proactive intelligence gathering is also critical in evolving cybersecurity
programs in parallel with evolving threats. Sharing of intelligence between private industry,
government, and international partners is another important step to prepare for the implications
of cyberwarfare, privacy regulations and other challenges on the horizon. By taking these
steps, businesses can be sure they are ready to face the cyber threats of 2018.
While this fear might seem logical, the reality is the Grinch of fraudulent orders is unlikely to
steal the yuletide bounty. This is because e-commerce fraud rates actually significantly
decrease during the holiday shopping season - not because fraudsters are taking a break, but
because of the huge influx of legit shoppers during this time. This is especially true for the three
kings of Cyber Monday, Black Friday, and New Year’s Eve.
Since the percentage of all orders which are fraudulent drop during this time, online merchants
face a higher risk of turning down legit orders unless they adjust their fraud prevention systems.
Declined legit orders mean lost revenue, not only for that particular order, but also any future
online orders which will now be diverted to your competitors because your crude fraud filter
seriously dampened that shopper’s holiday spirits by mis-labeling them as a criminal. This is
precisely why many etailers are switching to more advanced e-commerce fraud protection
solutions, like the machine learning-based service offered by Riskified.
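The base-rate effect the paragraph above describes can be quantified. The following is an added illustration, not code from the article or from Riskified; every number in it (an 80% catch rate, a 1% false-flag rate, a 2% normal-season and 0.5% holiday fraud rate) is constructed for the example.

```python
"""Added example: why a fraud filter tuned for the normal season over-declines
legitimate shoppers once the share of fraudulent orders drops.

The filter is modelled by two fixed rates: the share of fraudulent orders it
declines (TPR) and the share of legitimate orders it wrongly declines (FPR).
All rates and order counts below are constructed, not taken from the page."""

from dataclasses import dataclass


@dataclass(frozen=True)
class FilterOutcome:
    """Expected results of a fixed-rate fraud filter on a batch of orders."""
    orders: int
    fraud_rate: float   # share of all orders that are fraudulent (base rate)
    tpr: float          # share of fraudulent orders the filter declines
    fpr: float          # share of legitimate orders the filter declines

    @property
    def caught_fraud(self) -> float:
        return self.orders * self.fraud_rate * self.tpr

    @property
    def false_declines(self) -> float:
        # Legitimate shoppers turned away: the lost revenue the article warns about.
        return self.orders * (1 - self.fraud_rate) * self.fpr

    @property
    def declined(self) -> float:
        return self.caught_fraud + self.false_declines

    @property
    def legit_share_of_declines(self) -> float:
        # Fraction of all declined orders that were actually legitimate.
        return self.false_declines / self.declined


def max_fpr_for_decline_precision(fraud_rate: float, tpr: float,
                                  target_precision: float) -> float:
    """Largest FPR at which at least `target_precision` of declines are real fraud.

    Solves  precision = p*tpr / (p*tpr + (1-p)*fpr) >= target  for fpr."""
    return (fraud_rate * tpr * (1 - target_precision)
            / ((1 - fraud_rate) * target_precision))


def holiday_comparison(orders: int = 100_000, tpr: float = 0.80, fpr: float = 0.01,
                       normal_rate: float = 0.02, holiday_rate: float = 0.005):
    """Return (normal season, holiday with the same filter, holiday adjusted)."""
    normal = FilterOutcome(orders, normal_rate, tpr, fpr)
    holiday = FilterOutcome(orders, holiday_rate, tpr, fpr)
    # Keep the normal-season decline precision as the target and compute how far
    # the holiday FPR must fall to meet it. TPR is held fixed to isolate the
    # base-rate effect; with a real score threshold, loosening the filter lowers
    # TPR as well, so this is a lower bound on the adjustment needed.
    target = 1 - normal.legit_share_of_declines
    adjusted = FilterOutcome(orders, holiday_rate, tpr,
                             max_fpr_for_decline_precision(holiday_rate, tpr, target))
    return normal, holiday, adjusted


if __name__ == "__main__":
    labels = ("normal season", "holiday, same filter", "holiday, adjusted")
    for label, o in zip(labels, holiday_comparison()):
        print(f"{label:22s} false declines={o.false_declines:6.0f}  "
              f"legitimate share of declines={o.legit_share_of_declines:.0%}  "
              f"FPR={o.fpr:.4f}")
```

With these constructed rates the unchanged filter declines roughly the same number of legitimate shoppers in both seasons, but because there is far less fraud to catch, the share of declines that hit legitimate customers rises from about 38% to about 71%.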
Not only is there a danger in overreacting to the actual fraud risk, e-commerce companies can
also make costly mistakes when it comes to manual review of suspicious orders. The huge
surge of shoppers during this time results in a large volume of orders which need to be manually
reviewed by analysts who then accept or decline the order. This in turn forces online merchants
to add seasonal hires to their fraud review team as well as increase the workload on permanent
staff, both of which can result in inaccurate, rushed decisions (especially if the seasonal hires
are new to fraud prevention).
Help bring joy to the world: don’t falsely decline international orders
Rushed decisions and fear of chargebacks often result in more false declines and thus lost
revenue. What compounds this problem of false declines during the holiday shopping season is
not only the already discussed quantity of orders, but also their quality, because perfectly
legitimate holiday e-commerce shopping can have one or more indications of a fraudulent order.
One of these is a mismatch between the billing address of the card used and the shipping
address of the gift, which can indicate a fraudulent order. It can also indicate, however, a
consumer shopping for friends or family and choosing to have the merchandise shipped directly
to them. The fact that many online merchants offer gift wrapping before shipping makes this all
the more convenient.
This could also be a legitimate international shopper using a reshipping address because the
merchant doesn’t ship products globally, but they still want to jump on a great deal. This example
combines the billing/shipping address mismatch of the previous example with international
factors (a foreign card and use of a reshipper), which often raise red flags and thus can get
falsely declined.
By responding to the actual size of e-commerce fraud risk, switching to more sophisticated fraud
prevention solutions, and optimizing their manual review policies, online merchants can both
boost their revenue and minimize their losses from fraudsters this holiday season.
This past September, Deloitte was hit by a cyber-attack, compromising the emails of some of its
blue-chip clients. Hackers had access to information including usernames, passwords and IP
addresses. It’s been reported that the hacked account only required a simple password. Hacks
such as Deloitte and others underline the utmost need to ensure the safekeeping of information.
Enter biometrics. By leveraging your face, voice, eyes and behaviors, biometrics is upending
our world and is helping us reclaim our right to our rightful identity. So much so that biometrics
has entered the mainstream in today’s society, being adopted by big companies such as Apple
(new Face ID) and Amazon (Alexa).
In order to implement biometric systems, there are do’s and don’ts that need to be considered.
In the end, the most important thing is the consumers. They need to feel safe and trust
biometrics to be their new form of identity and there are certain steps that can do just that.
1. Take a platform approach: The best way to incorporate biometrics into an existing
infrastructure is to take a platform approach to the consumption of biometrics into
applications – meaning that you don’t just focus on one type of biometric or one piece of
hardware. Whether you’re a financial institution or data center, by taking a platform
approach, biometrics can continue to innovate and evolve. Many might fall into the
pattern of using simple point-to-point integration which only causes a piece of code to
become frozen in time and bound to a single biometric. Developers will pick a favorite
biometric and stick with it, but by using a platform approach, systems can integrate one
biometric and then easily add on additional methodologies.
3. Use a hybrid approach to store data: When it comes to storing biometric data, there is
a common debate on whether the server (i.e., the Cloud) or local storage systems
should be deployed. As a best practice, BioConnect recommends that companies utilize
a hybrid approach as there are positives and negatives to both. But more importantly,
enterprises need to consider not only where they store their data but how. One method,
asymmetric cryptography, uses a pair of keys to encrypt and decrypt data: a public key
that can be shared with everyone and a private key that is kept secret. This
practice offers increased security.
4. Education: The best practice above all is education. The challenge we face today is that
people are skeptical of biometrics because they don’t fully understand what it is and how
it works. Every day, efforts are made in the right direction as more and more people
adopt biometrics. With the introduction of biometrics in the mobile phone industry,
physical security has moved forward, and Acuity Market Intelligence forecasts that all
smartphones shipped will have biometrics included in their software by 2020. The
responsibility of education falls on the manufacturers and providers to educate the public
on how biometrics can simplify and protect one’s identity.
In the not-so-distant future, passwords will go the way of cassette tapes, CD players and other
devices that have been retired from everyday use. And I for one cannot wait. I envision a world
where a person is no longer tethered to a plethora of passwords that they need just to access
their own information. In the next few years, we will begin to shift away from passwords to the
point where an individual can simply be themselves to prove their identity. We will wipe out the
need to memorize different passwords and sequences, and instead we’ll rely on our eyes, voice,
hands, face – qualities that are unique to you and you alone – to protect our rightful identity.
In a market driven by highly skilled professionals, it’s essential organisations attract the best
talent to help fight cyber crime and prevent future breaches. According to the National University
of Singapore ‘Cyber Crime is predicted to cost the global economy $6 Trillion by 2021.’
Therefore, investment is needed to help secure many organisations. This includes investing in
education and ensuring any future skill gaps are addressed before it’s too late. As breaches
become more frequent and complex it’s important companies use skilled recruiters to be
matched with the best talent.
The Commission on Enhancing National Cybersecurity suggested training over 100,000 cyber
security practitioners by 2020 will prevent the risk of skill shortages. However, 9 out of 10 CSOs
and CISOs admit these are skills their organisations require immediately. Palo Alto commented
on the lack of cyber talent in their predictions for 2017 - suggesting that as the number of cyber
security professionals increases across all industries, recruiters need to look for top talent
outside technology companies and ‘the need for non-technical security professionals will also
increase.’
So, what does this mean for the job market? Unfortunately, if you’re already in a cyber security
role your workload is set to increase dramatically if your company can’t add resources and
personnel to your team. However, with these skills being in demand it means salaries are
increasing and will continue to do so above the market average for the next few years. With a
median salary of approximately $100K, there are many opportunities for cyber security
professionals across both international organisations and start-ups. This means companies
have to work a lot harder to attract and retain employees. For example, last week Goldman
Sachs relaxed their dress code for all tech employees to try to compete with Tech Giants such
as Apple and Google.
With a market led by skilled candidates, how can a good recruiter affect your business? Firstly,
you’ll have access to the best candidates within the market, both those actively looking for new
roles and passive job seekers. Also, a good head-hunter can influence and advise
C-suite stakeholders, translating technical information and statistics into plain facts for
business leaders, and so help them make informed decisions about the resources they
need to secure their business.
➢ Engineers
➢ Security administrators
➢ Analysts
➢ General IT staff
These are not just within technology companies but also across all industries. Some industries
in particular are becoming prime targets, such as banking, governments and healthcare sectors,
which is driving the need for a consistent level of cyber security measures. Some of the world’s
largest international banks and government bodies are doubling their cyber security budget as it
becomes apparent that no industry or individual is safe! At Cognatio we have the ability to
become an extension to your business, dedicating time and resources to fully understand
challenges you face and create in depth solutions tailored to your needs in a timely manner.
I have accumulated thousands of contacts on my journey, all of which have something to offer
my network and my clients. From support in contracts, outsourced payroll, creating entities in
new territories to introducing partners/suppliers and distributors who can help your
products/services reach new target customers. To that end I endeavor to raise awareness of
your brand via my network via regular updates, news feeds, market releases and relevant
material that can increase your social media footprint in new territories. Reach me at
will.bourne@cognatiosolutions.com.
In recent years, media coverage and public perception of identity theft risk management has
begun to be overshadowed by reports of cyber-security threats and responses. Large-scale
data breaches have grown as identity thieves and other abusers of sensitive information have
become more sophisticated and have used high-tech means to exploit weaknesses in hardware
and software applications.
In this context, cyber security is a relative latecomer, but it’s clear that IT solutions have taken a
central role in defending against cyber hackers. Where is this going? To respond, it’s
important to address the question “Why do hackers hack?”
Repositories of big data are the new banks. There are principally three types of hackers, and
their exploits mirror those of garden-variety identity thieves.
1. Hacking for financial gain. This includes the sale of sensitive information, which may
sell for pennies (like Social Security numbers) or tens of dollars (like medical records
and insurance information), with many other elements of Personally Identifiable
Information (PII) fetching in-between prices.
3. Thrill-seekers. No longer limited to the skateboard set living in Mom’s basement, but
other sophisticated criminals who apparently experience enjoyment and peer
adulation by stealing sensitive information and causing general online havoc.
To some extent, it is tempting to “fight fire with fire,” and respond to cyber threats exclusively
with cyber defenses. In a perfect world, this would seem to make sense. In some cases, that
works even in the real world, and an application or software fix or patch can often overcome a
specific cyber security exploit or technical vulnerability.
However, beyond cyber-based data breaches, schemes to gain access through non-technical
individuals have proliferated, resulting in growth in both the number and costliness of cyber-
attacks. Across this threat spectrum, human vulnerability is still the leading entry
point for identity theft and data breaches. Numerous recent surveys report that the vast majority
of data breaches are rooted in phishing exploits and succeed because of human failure.
Schemes such as social engineering and other manipulations designed to inveigle individuals
into launching malware or executable files, and accessing bogus web sites, are often the means
used by cyber criminals. Think of a seemingly innocuous e-mail request to update account
information for an active account, but with a link to a similar-sounding web site controlled by the
cyber criminals, in actuality the means to capture the username and password of the victim.
Regardless of the illicit objectives, the necessary defenses must include both IT responses and
education of the broader population of organizations and consumers. Without getting all non-IT
users to practice good “cyber hygiene,” it is unlikely that the cyber defense system will be
successful. As long as there is a human being with a keyboard and a mouse, and access to the
system, cyber defenses alone will leave vulnerabilities.
This state of affairs has been referred to as “asymmetrical warfare,” in which the opposing sides
play by different rules and have different standards of success. The defenders must prevail
100% of the time, while the attackers need only enjoy the occasional success to win.
In practice, the most successful cyber defense is a thoughtful combination of IT methods and
education of employees and other users who may have access to sensitive systems and data.
One example is the human factor in failing to keep all software programs up to date with
important patches to combat perceived and discovered vulnerabilities. Another is the
importance of keeping all users up to date on the latest methods used by cyber criminals and
identity thieves. The established methods of managing the risks of identity theft, especially
through education, are the most likely to be used successfully in conjunction with cybersecurity
applications.
Looking ahead, it’s important to remember that the internet as a system was not originally
intended to serve as a platform for commercial transactions and a system to carry all types of
private and personal communications, much less as a command-and-control facility.
Essentially, today it’s a leaky ship with a fast-growing number of holes, and the patches amount
to a crazy-quilt of Band-Aid fixes. Until the entire platform can be separated or replaced with
one or several more suited to the kind of integrated security systems that can assure that
human failure is not possible, there will be no end to cyber exploits.
One further observation is in order about the future of identity theft and cyber attacks: current
projections suggest up to 2 million new cybersecurity jobs will be created in the next 4-5 years. How
many of these may be made redundant by AI applications? Are we preparing to fight the last
war? How will identity theft risk managers work together with cybersecurity professionals to
meet this growing threat, now and in the future?
“Look Dave, I can see you're really upset about this. I honestly
think you ought to sit down calmly, take a stress pill, and think
things over.”
The ICFE’s Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now
available both in printed format and online. See: http://icfe.info/Certifications/CITRMS.shtml
The Textbook and Desk Reference edition of the course book is also available at
https://www.createspace.com/6176952 . Bulk pricing and discounts for veterans and students
available. Inquire at yan.ross@icfe.info
Yan Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist ® XV CITRMS®
course.
The ‘Tech Smart Conference’ held alongside COMEX will explore the
potential of the ‘Internet of Things’ & ‘Artificial Intelligence’ across various
industries in Oman, while COMEX Shopper, taking place from 24th-28th April
2018, will be a haven for homeowners hoping to invest in smart homes &
consumer electronic products that offer new & smarter ways to live. New
Pavilions at Shopper this year include a Smart Home Zone, AR & VR Zone &
Gaming Zone.
OUR EDITOR PICKS HIS FAVORITE OPEN SOURCES YOU CAN PUT TO WORK TODAY
There are so many projects at sourceforge it’s hard to keep up with them. However, that’s not where we are going
to find our growing list of the top twenty infosec open sources. Some of them have been around for a long time
and continue to evolve, others are fairly new. These are the Editor favorites that you can use at work and some at
home to increase your security posture, reduce your risk and harden your systems. While there are many great
free tools out there, these are open sources which means they comply with a GPL license of some sort that you
should read and feel comfortable with before deploying. For example, typically, if you improve the code in any of
these open sources, you are required to share your tweaks with the entire community – nothing proprietary here.
1. TrueCrypt.org – The Best Open Encryption Suite Available (Version 6 & earlier)
2. OpenSSL.org – The Industry Standard for Web Encryption
3. OpenVAS.org – The Most Advanced Open Source Vulnerability Scanner
4. NMAP.org – The World’s Most Powerful Network Fingerprint Engine
5. WireShark.org – The World’s Foremost Network Protocol Analyser
6. Metasploit.org – The Best Suite for Penetration Testing and Exploitation
7. OpenCA.org – The Leading Open Source Certificate and PKI Management
8. Stunnel.org – The First Open Source SSL VPN Tunneling Project
9. NetFilter.org – The First Open Source Firewall Based Upon IPTables
10. ClamAV – The Industry Standard Open Source Antivirus Scanner
11. PFSense.org – The Very Powerful Open Source Firewall and Router
12. OSSIM – Open Source Security Information Event Management (SIEM)
13. OpenSwan.org – The Open Source IPSEC VPN for Linux
14. DansGuardian.org – The Award Winning Open Source Content Filter
15. OSSTMM.org – Open Source Security Test Methodology
16. CVE.MITRE.org – The World’s Most Open Vulnerability Definitions
17. OVAL.MITRE.org – The World’s Standard for Host-based Vulnerabilities
18. WiKiD Community Edition – The Best Open Two Factor Authentication
19. Suricata – Next Generation Open Source IDS/IPS Technology
20. CryptoCat – The Open Source Encrypted Instant Messaging Platform
Please do enjoy and share your comments with us – if you know of others you think should make our list of the
Top Twenty Open Sources for Information Security, do let us know at marketing@cyberdefensemagazine.com.
JOB OPPORTUNITIES
Send us your list and we’ll post it in the magazine for free, subject to editorial approval
and layout. Email us at marketing@cyberdefensemagazine.com
This magazine is by and for ethical information security professionals with a twist on innovative
consumer products and privacy issues on top of best practices for IT security and Regulatory
Compliance. Our mission is to share cutting edge knowledge, real world stories and
independent lab reviews on the best ideas, products and services in the information technology
industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what’s
happening in the cyber crime and cyber warfare
arena plus we’ll inform you as next generation
and innovative technology vendors have news
worthy of sharing with you – so enjoy.