Monday, June 29, 2015

How Can Hospitals Protect Their Medical Equipment from Malware?

The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation. The medical industry isn't alone in fighting this threat. As this article explains, they don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.

Thursday, June 25, 2015

GAO: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies

Seems obvious, doesn't it? The GAO has identified a number of challenges federal agencies face in addressing threats to their cybersecurity. In an effort to bolster cybersecurity across the federal government, several government-wide initiatives, spearheaded by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), are under way. While these initiatives are intended to improve security, no single technology or tool is sufficient to protect against all cyber threats. Rather, agencies need to employ a multi-layered, "defense-in-depth" approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies.

Wednesday, June 24, 2015

86 Percent of Energy Security Professionals Believe They Can Detect a Breach on Critical Systems in Less Than One Week

Tripwire survey compares cybersecurity views of 400 energy executives and IT professionals

PORTLAND, Ore. – June 25, 2015 – Tripwire today announced the results of a survey conducted by Dimensional Research. The survey examined the views of over 400 energy executives and IT professionals in the energy, oil, gas and utility industries on cybersecurity and compliance initiatives. Overall, energy security professionals were extremely confident in their ability to detect a cyberattack on critical systems, with 86 percent stating they could detect a breach in less than one week.

The Tripwire survey found that 49 percent of all respondents believe their organization could detect a cyberattack on a critical system within 24 hours. Energy executives were found to have the highest levels of confidence, with 61 percent claiming their organization could detect a critical system breach in less than 24 hours. However, according to Mandiant's M-Trends 2015 report, the average time required to detect an advanced persistent threat on a corporate network is 205 days, and in the 2015 Data Breach Investigations Report, Verizon reported that 66 percent of cyberattacks took months to detect.

"Cybersecurity within energy companies is stronger than it has ever been, yet growing bodies of evidence indicate that it's still far too easy to compromise the energy infrastructure," said Mark Weatherford, principal at The Chertoff Group. "Confidence at the executive level is certainly critical and necessary for success, but over-confidence can lead to a potentially dangerous false sense of security. Interestingly, a survey conducted last year by the Ponemon Institute found that 31 percent of 160,000-plus IT security professionals in 15 countries never speak with senior company executives, which might explain why Tripwire's survey found that energy executives have such a high level of confidence in their organization's ability to detect a critical systems breach. Therefore, it's a legitimate question to ask if executive confidence is misplaced."

Additional findings from the Tripwire survey include:
• 94 percent of executives agree that their organization is a target for cyber criminals.
• 83 percent of respondents believe a cyberattack could do serious physical damage to their infrastructure.
• Only 3 percent of respondents believe it would take more than one month to detect a cyberattack on a critical system.

"Cybersecurity in the energy industry is focused on protecting the availability and reliability of the critical infrastructure on which our nation relies," said Rekha Shenoy, vice president of business and corporate development for Tripwire. "The good news is that energy organizations are increasingly aware of cybersecurity risks and are investing more resources into reducing these risks. The bad news is that many of these organizations are still underestimating the sophistication, persistence and evasive technology of the attackers who are targeting them. The reality is that most organizations need a continuous view of their entire attack surface in order to detect a breach quickly and respond before damage is done."

Friday, June 12, 2015

Amazon Themed Malware Targets Crypto Currency

AppRiver issued a warning about a stream of malicious emails that pose as legitimate Amazon purchase confirmations but actually deliver malware identified as part of the Fareit malware family. Once unleashed, it begins pilfering the target machine for just about every type of cryptocurrency in existence.

Troy Gill, manager of security research at AppRiver, confirms, "Over the past week we have been monitoring (and blocking) a stream of malicious emails attempting to pose as legitimate Amazon purchase confirmations. The messages simply state that ‘your order has been confirmed’ and contain a small amount of details. The user being targeted is directed to an attached .doc file for the shipping and tracking details."

In order for the .doc (MD5sum=998692c0e93d4821c069aa96ddff800c) to actually infect the user’s machine, the user must have macros enabled in MS Word.

Troy continues, "The malware contained in these messages is identified as part of the Fareit malware family. This family of malware is often distributed via Word documents with malicious macros embedded and has been known to drop multiple malware variants on the target machine. In this particular case the malware quickly goes to work attempting to steal the Outlook password along with website passwords from various browsers such as Firefox, IE, Chrome and Opera. It then attempts to harvest account credentials for a lengthy list of FTP and multiple file storage programs. In addition it begins pilfering the target machine for just about every type of Crypto currency in existence. This behavior (stealing Crypto currency) is something we have been seeing with more frequency as of late. The anonymous nature and lack of regulation in the Crypto Currency market make it more akin to stealing actual cash than to committing wire fraud by raiding someone's online bank accounts. But in this case the cybercriminals are okay with that, too. The last observed behavior was to drop a copy of the Zeus Trojan to be used to capture and steal bank related information."

Thursday, June 11, 2015

'Zombifying' Cyber-attack Could Affect +50 Million Internet Users

More than 50 million people per month could be at risk of a mass-scale 'malvertising' cyber-attack that turns computers into Zombies, according to researchers at Websense, reports Lara Lackie of Eskenzi PR. The attack routes through advertising platforms to target popular websites, with researchers noting breaches on Bejewelled Blitz on Facebook, CNN Indonesia, the official websites of Prague Airport and RTL Television Croatia, as well as Detik and AASTOCKS.

It was discovered that the attack utilizes open advertising platform OpenX, which sees up to 100 billion impressions per month, to compromise and inject malicious code which is spread to multiple websites. The injected code leads to a redirect which has been seen to lead to the highly prevalent Angler Exploit Kit, which exploited the latest Adobe Flash Player vulnerability (CVE-2015-3090), distributed CryptoWall 3.0, Bedep and Necurs, as well as a Trojan known as 'Bunitu.' The Bunitu malware dropped by Angler 'Zombifies' computers, by causing infected machines to act as a proxy. This enables it to be used for subsequent malicious activity and allows cybercriminals to hide behind legitimate users’ machines to avoid detection by the authorities.

Carl Leonard, principal security analyst at Raytheon|Websense, said, "Advertising networks are an increasingly popular focus for cybercriminals, as they open up avenues to infect millions of users with minimal effort. The growing nature of evasion, stealth and variation employed in the malicious code means that it's more important now than ever to deploy a security solution capable of stopping threats at multiple points in the kill chain."

TK Keanini, Lancope CTO, added, "I think this quote from Websense says it all, and let me call out a few things here to highlight the salient points.

"These methods are popular for cybercrime because they require minimal effort, which means lowering their operational costs. We, in turn, need to ensure that we are doing everything to raise their operating costs. Business leaders understand these economics, and until we treat this as a business problem, cyber crime will continue to operate at a low cost and high profit, meaning their business is growing and they are expanding.

"He also says that we need to do everything to stop their operations along the kill chain. This kill chain terminology limits us in our discussion, and I prefer to call it the attack continuum because then we can, in the same thought process, speak about a defense continuum which describes perfectly the strategy we must instrument and operate. The defense continuum captures the defender's tactics, techniques and procedures that raise the cost to the attacker's operation and objectives."

Monday, June 8, 2015

Who Knows More about You – The US, or China?

While I suspect China lags the US in knowing about its citizens, China might be catching up quickly.

In light of last week's 4-million-strong data breach, described as one of the largest thefts of government data ever seen, TK Keanini, CTO at Lancope, offers the following.

"Last Thursday night, U.S. officials said that the Office of Personnel Management (OPM) had suffered a breach. Data from four million current and former federal employees, across numerous government agencies, may have been stolen by Chinese hackers. It does not take a security expert to see a pattern taking place here. Most of the attacks allegedly from China over the past few years have gone after the personal information of US citizens, and there is no sign that this trend will diminish. It is fair to assume at this point in the game, China may have more accurate information on US citizens than the US itself. 

"The OPM manages security clearances for various government organisations. During that process, employees must provide extreme detail about every aspect of their life – which is in turn stored and kept in the same systems that were breached.
"Organizational confidence takes a long time to build, but can be (and is) eroded much more quickly. Governmental breaches put these trusted government organizations in the same light as all the recent private company breaches (like Target, Home Depot). Much like your personal medical history, the big difference here is the government has much more sensitive data about their victims, and the victims have no choice in sharing that data.

"This attack once again exemplifies the need for more security resourcing in the federal government and the need for a different, more comprehensive approach to incident detection and response. The current methodologies have led to this breach – not avoided it. Attacks are being detected much too late in the attack continuum. Effective security these days means detecting these threat actors as they operate and before they exfiltrate data. You can't win all the battles, but all of these headlines suggest that we are still on the losing side.

"In particular, organizations need to categorize and isolate what they need to protect, place additional controls around that information, and meticulously log & monitor access to that encrypted data.
For example, some past advanced attacks have targeted Windows administrative accounts. Smart organizations have realized this, and created a separate isolated set-up for domain admin accounts, with additional security controls around them (like dual factor authentication, jump boxes that are the only place domain admin activity can occur and logging and monitoring of that separate set-up). This isn’t fast, easy or cheap, but organizations have been pushed into adding these controls by ongoing attacks.

"In addition, organizations need to leverage telemetry, and leave hackers no place to hide. If there is a blind spot on your network, someone will be hiding there. Find them and remove them in a way that they can't get back in. These types of incident detection and response approaches have been vastly under-funded in the past, but as these hacks increase, we will see a shift in focus. Until organizations get better at doing this, we can guarantee that the Chinese will continue to have better data on US citizens than anyone in this country does and this information superiority is what scares me the most."
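As an added example (not code from the article or from Lancope) of the logging-and-monitoring control Keanini describes for an isolated domain-admin set-up, the Python script below parses constructed logon records and flags any domain-admin logon that did not originate from one of the designated jump boxes. The record format, the host names and the account names are assumptions for the sake of the example.

```python
# Added example, not from the article or Lancope: flag domain-admin logons that
# did not originate from the designated jump boxes. The lines are constructed to
# resemble one-line summaries of Windows Security event 4624 (successful logon);
# the field layout, host names and account names are assumptions.
import re
from dataclasses import dataclass

# Assumed policy: only these hosts may originate domain-admin sessions.
JUMP_BOXES = {"JUMP01", "JUMP02"}
DOMAIN_ADMINS = {"CORP\\adm-jsmith", "CORP\\adm-rlee"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Workstation=(?P<host>\S+) LogonType=(?P<ltype>\d+)$"
)

@dataclass
class Finding:
    ts: str
    account: str
    host: str
    logon_type: str

def parse_line(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_violations(lines):
    """Return successful domain-admin logons whose source host is not a jump box."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["eid"] != "4624":
            continue  # skip unparsable lines and anything that is not a successful logon
        if ev["acct"] in DOMAIN_ADMINS and ev["host"].upper() not in JUMP_BOXES:
            findings.append(Finding(ev["ts"], ev["acct"], ev["host"], ev["ltype"]))
    return findings

# Constructed sample records (not real log data).
SAMPLE_LOG = [
    "2015-06-08T09:01:12Z EventID=4624 Account=CORP\\adm-jsmith Workstation=JUMP01 LogonType=10",
    "2015-06-08T09:03:44Z EventID=4624 Account=CORP\\jsmith Workstation=WS-0142 LogonType=2",
    "2015-06-08T09:05:09Z EventID=4624 Account=CORP\\adm-rlee Workstation=WS-0207 LogonType=3",
    "2015-06-08T09:06:30Z EventID=4625 Account=CORP\\adm-rlee Workstation=WS-0207 LogonType=3",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f"ALERT {f.ts}: {f.account} logged on from {f.host} (logon type {f.logon_type})")
```

Only the successful logon by adm-rlee from the ordinary workstation is reported; the failed logon (event 4625) and the regular user's logon are ignored.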

Thursday, June 4, 2015

Call for Chapters: Information Security Management Handbook, Seventh Edition

We've updated the Call for Chapters for the new edition of the handbook, which is following the National Cybersecurity Workforce Framework.

Securely Provision
Operate and Maintain
Protect and Defend
Collect and Operate
Oversight and Development

If interested in participating in this new edition please contact Rich O'Hanley ( or Peter Stephenson (

Monday, June 1, 2015

Why Insider Threats Are Succeeding

As corporate networks expand in scope and geographic area, it has become easier for insider threats to access sensitive data and inflict catastrophic damage. While the malicious insider comes with a different set of challenges than other security concerns, organizations can protect themselves with the right tools and mindset. In this article, Lancope CTO TK Keanini explains why early detection of these attackers can keep a security event from becoming a high-profile data breach.