Wednesday, December 17, 2014

Crimeware-as-a-Service Banking Malware

SophosLabs researcher James Wyke analyzed the malware family Vawtrak, which is used primarily to steal money from victims’ banking and other financial accounts. The analysis indicates that the people behind the malware are running it as crimeware-as-a-service, targeting specific geographic regions and institutions including Bank of America, Wells Fargo, Capital One, Citigroup, Chase, and Fidelity. Targeted banks in Canada include TD Bank, Scotia Bank and Desjardins.

Sophos found that Vawtrak was the second most popular malware distributed by web-based exploit kits between September and November 2014, representing 11% of all malware, and that it has replaced Zbot as the leading banking malware botnet. Vawtrak's operators are setting up the botnet to deliver crimeware-as-a-service, rather than following the more traditional kit-selling model that older families such as Zeus or SpyEye once employed.

Monday, December 15, 2014

2015 Security Forecasts

These just keep on coming in. I'm interested in your response to these. Agree? Disagree?

2015 Security Predictions: Retail Repeats, Ransomware, and More by Tom Cross, Director of Security Research, Lancope, Inc.

Six Enterprise IT Predictions for 2015 by David Gibson, VP, Varonis Systems

Security Threat Trends and Predictions 2015 Report by James Lyne, Global Head of Security Research, Sophos

What Was, What Is, and What Should Never Be: A Look at Security in 2014, 2015 and Beyond by Stephen Coty, Chief Security Evangelist, Alert Logic

Wednesday, December 10, 2014

Game Changer: Court Rules that Target Is Liable for Not Preventing Breach

From Brian Foster, CTO of Damballa:

Almost one year to the day after Target suffered a breach during peak 2013 holiday shopping, a Minnesota court just handed them a lump of coal. In a ruling announced on December 2, 2014, the court said that Target can be sued for failing to prevent their data breach. Their rationale was: Target can be viewed as negligent for failing to heed warnings from its FireEye prevention system and for disabling the inline blocking feature.

Let that sink in a moment.

As an enterprise security professional, ask yourself: Do you immediately take devices off your network when you receive an alert from a prevention tool? Do you ever automatically block a device because of one alert?

I assume you answered “no” to both questions. If I’m wrong, I would love to meet you and understand how you manage the herculean feat of not grinding your network to a halt and handcuffing business operations.

In a brand new, not-yet-published, security survey conducted by the Ponemon Institute, respondents said they receive an average of 17,000 alerts per week and only 19% are reliable. The rest are false positives.

Put yourself in Target’s shoes. They paid $1.6 million for a system that was supposed to prevent advanced attackers. What they got was a lot of alerts lost in a sea of other alerts, meaningless unless correlated with other pieces of evidence.

Again, ask yourself, which one of 17,000 alerts would you know with certainty to pay attention to?

While comments from a vendor defending themselves and their ability to spot the malware may have made Target's security team seem like the Keystone Kops, fumbling around, carelessly not investigating alerts, this is hardly the case. According to Ponemon, the average-sized security staff involved in malware detection and containment is 17.1 full-time headcount. And those staff on average have 7.9 years of professional experience in their field. It’s difficult to view this highly skilled group as clueless and purposefully negligent.

I’m certain the security team at Target would have prevented their attack if it were at all humanly possible. They had lots of expensive tools. They had a full-time Security Operations Center. Apparently, what they lacked was any degree of certainty that the alerts fired by their prevention tools were actionable.

The discussion about prevention versus detection has become escalated this year. The Target court ruling will likely make the discussion a lightning rod. Security experts will tell you they know their prevention system can’t stop advanced threats. They are designed to identify potentially suspicious activity by known ‘bad’ entities, not the unknown. Cyber criminals learned to outsmart those systems with ease.

Ask any CISO what keeps them up at night and they will tell you it’s the ‘unknowns.’ I imagine today’s court ruling will cause many CISOs to lose a few hours more sleep tonight.

Tuesday, December 9, 2014

"On the American reader's need for bright flashing lights ..."

While researching books on internal audit, a new publishing area for us, I came across Joseph Giordano's review of a book. What struck me is how his comments about readers, based, I'm guessing, upon observing his own students, reflect what we've been discussing internally about changing reader habits.

Being a publisher makes this a very important issue. How do we publish detailed technical material in a format that will stimulate purchase and use? Or has the horse already left the barn? Maybe the days of a book delivered as a series of tweets aren't so far off, provided Twitter can support multimedia.

From Joseph Giordano:

"I reviewed this book last summer and would love to adapt it into my classes, but I know that my students would NEVER read this. This book is littered with important and insightful tidbits of information. At least 100 times I stopped and said "wow, I never thought of it that way." The fact that I kept falling asleep while reading the book reflects more on the American reader's need for bright flashing lights and inability to process the dry, than the quality of the material. I'm sad that I've become someone who needs pictures and graphs and captions and text and even occasional bold type in order to enjoy a well written, well researched tome ... Overall I would call this required reading for auditing instructors, audit nerds, and people who love dry British literature. If he ever comes out with a dumbed down version with end of chapter questions, mini-cases and a test bank then I'm using this book because it is far superior to the competition."

New Survey Shows Widespread Employee Access to Sensitive Files Puts Critical Data at Risk

It's been 18 months since Snowden demonstrated the inability of the Puzzle Palace to identify and mitigate internal threats. Now, a new survey from Varonis Systems and the Ponemon Institute suggests, not surprisingly, that most organizations are having difficulty balancing the need for improved security with employee productivity demands. Employees with needlessly excessive data access privileges represent a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data.

Friday, December 5, 2014

Varonis Perspective on the Sony Breach

This is an amazing story. It's all about not paying attention in Security 101. In the following unattributed analysis, Varonis adds detail and insight on this breach.

While we have few details on the Sony Pictures attack itself, this very public breach (or "pwning," in hacker slang) has shown that the actual exposure is massive. The always informative Krebs knows, at this point, as much as the rest of us: a possible North Korean connection and perhaps the use of destructive erase-all malware. That’s not to say this incident hasn’t revealed significant insights about our collective data security practices: don’t think the Sony incident doesn’t apply to you!

Krebs provides a link to the sprawling Sony directory hierarchy. This should definitively settle any doubt about the scope of this thing.

There are a few points to make. 

Unlike the big-box retailer incidents, this breach is not, for the most part, about personally identifiable information or PII. Certainly, there are employee social security numbers, email addresses, passwords, and health identifiers that are now out there for the world to see. But the Sony breach does not involve millions of consumer records and the subsequent issuing of new credit card numbers along with subscriptions to credit monitoring services.

This incident, though, is centered on sensitive data, perhaps even valuable IP, which was found in the 25 gigabytes of file data scooped up by the hackers. The leaked information should look all too familiar to any worker in a larger organization: readable files and emails, or, as we like to refer to it, unstructured, human-generated data. So we’re talking employee salaries, financial data, internal presentations, company information under NDA, legal memos, the CEO’s private notes, and on and on.

We should add that plain-text user passwords were found in files named, um, passwords. They certainly violated the "prime directive" on credentials.

From a broader perspective, we expect this is just one very public instance of a problem that can be found in enterprises globally. The amount of human-readable information is growing exponentially. These documents live in file shares, intranets and in email as attachments, where far too many people have far more access than they really need, and usage is rarely monitored or analyzed for abuse.

No one should be casting any stones: we have all been or are Sony.

As we’ve seen in other breaches, the compromise of one employee email account can expose troves of sensitive data. It’s likely the hacker harvested credentials (not necessarily those of privileged admins or power users) through pass-the-hash (PtH) and other techniques. With those users' group memberships and access rights, combined with a loosely permissioned file system, the attackers had a panoramic view of the Sony data landscape.

How did the situation get to be so dire?  Consider these two very common business-as-usual scenarios:

Scenario 1: A folder containing sensitive data becomes accessible to a large group of people
A folder on your network share is used by your HR department (it might even be someone’s "home drive"). At some point, someone makes the folder accessible to a broad group of people (this happens a lot), and it’s forgotten. Usage information about this folder (who is opening, creating, deleting, changing, moving files) isn’t tracked or analyzed (this is the norm).

Over time, sensitive files (say, salaries, financial data, etc.) accumulate in these broadly shared folders. No one really thinks about it, but everyone knows that a certain presentation or spreadsheet is just there, so there's no need to formally request the data from the relevant owner. It's a data exposure incident waiting to happen, requiring only that a hacker gain access to an average user's credentials; a simple phishing mail often will do.

Scenario 2: Company email becomes web-browser enabled and gets hacked
You’ve enabled web browser access to your email system (try or if you're wondering), so anyone can log into their email from anywhere with only their password. Usage information about your email system is not tracked or analyzed (you can’t see who is sending or reading email, or reading messages and marking them as unread, etc.; this is also the norm). The hacker gains the password of the email account, maybe by just guessing it. Now the attacker can log in and read all of the executive’s email (including the attachments) without leaving his home, and no one will know. Again, very valuable information (merger talks, new customers) in readable formats.

Another Teachable Moment
Because Sony’s hackers gained access to far more than passwords (movie budgets, salaries, social security numbers, health care information and so much more), the Sony breach provides us with yet another teachable moment. It reminds us all of the importance of proper access controls and of identifying sensitive data: who has access to it, who is using it, where it’s overexposed to the Everyone group and who it belongs to, as well as the implementation of real-time alerts.
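Both scenarios above turn on the same two gaps: folders readable by far more people than need them, and nobody checking what has accumulated in them. As an added illustration of the kind of check a defender can run (example code written for this post, not Varonis's own tooling or anything Sony ran), the following Python script walks a share, flags files whose permissions make them readable by everyone, flags files whose names suggest sensitive content (including files named "passwords", as mentioned above), and ranks files that are both as the highest priority. It assumes a POSIX file system, where the "other" read bit stands in for the Windows Everyone group, and it builds its own constructed sample tree in a temporary directory so it runs stand-alone; the filename patterns are an illustrative starting list, not an exhaustive one.

```python
"""Audit a file share for over-exposed, sensitive-looking files.

Added example for this post; it is not Varonis tooling. The share layout
below is constructed for illustration, and POSIX 'other' read permission
is used as a stand-in for the Windows Everyone group.
"""
import os
import re
import stat
import tempfile

# Filename fragments that often mark sensitive human-generated data.
# Illustrative list; tune it to your own organisation's naming habits.
SENSITIVE_NAME = re.compile(
    r"(password|passwd|credential|salar|payroll|ssn)",
    re.IGNORECASE,
)


def is_broadly_readable(mode):
    """True when the 'other' read bit is set, i.e. anyone on the box
    (our stand-in for the Everyone group) can read the file."""
    return bool(mode & stat.S_IROTH)


def audit_tree(root):
    """Walk ``root`` and return one finding per regular file that is
    broadly readable, sensitive-looking by name, or both.

    Findings are sorted so that 'high' (exposed AND sensitive-looking)
    comes first, then by relative path.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if not stat.S_ISREG(mode):
                continue  # ignore symlinks, sockets, etc.
            exposed = is_broadly_readable(mode)
            sensitive = bool(SENSITIVE_NAME.search(name))
            if exposed or sensitive:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "exposed": exposed,
                    "sensitive_name": sensitive,
                    "severity": "high" if (exposed and sensitive) else "medium",
                })
    findings.sort(key=lambda f: (f["severity"] != "high", f["path"]))
    return findings


def high_findings(root):
    """Relative paths of files that are both exposed and sensitive-looking."""
    return [f["path"] for f in audit_tree(root) if f["severity"] == "high"]


def build_sample_tree():
    """Create a constructed sample share in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    layout = {
        "HR/passwords.xlsx": 0o644,       # world-readable AND sensitive name -> high
        "HR/salaries_2014.xlsx": 0o640,   # sensitive name only -> medium
        "HR/holiday_party.pptx": 0o644,   # world-readable only -> medium
        "Legal/nda_template.docx": 0o600,  # neither -> no finding
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_tree(sample_root):
        print("{severity:6} {path}  exposed={exposed} sensitive_name={sensitive_name}"
              .format(**finding))
```

On a real Windows share the permission test would read the ACL (for example with the pywin32 security APIs) and look for the Everyone or Authenticated Users principals instead of the POSIX mode bits; the ranking logic stays the same. Run it against a share root rather than the sample tree to get a prioritised list of what to lock down first, and re-run it on a schedule, since the scenarios above are about folders that drift open over time.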

Forged Best Buy Emails Distribute Malware

AppRiver has tracked phishing emails dressed up as Best Buy store updates and carrying a Trojan downloader commonly referred to as Kulzuoz or Zortob. At the time of analysis, this program was pulling down what appears to be software geared toward data theft, although this malware has also been used extensively to infect users with FakeAV malware.

You can find details here.

Wednesday, December 3, 2014

Top 3 Enterprise Software and Security Trends for 2015

It's the time for prognostications for 2015. Cirius is first out of the gate. Here's what it foresees as significant trends developing in enterprise software and security. 

1. Data jurisdiction and data sovereignty will impact the growth of Office 365 and Azure.
Satisfy local, grow global: Enhanced national privacy legislation introduced in Australia, Singapore, Germany and Malaysia, as well as the EU Data Protection Directive, is a sign of what is to come. In many cases opinion trumps facts, and products like Office 365 and Azure need to demonstrate aggressively that they understand the privacy and security concerns of partners and resellers. Addressing domestic privacy and data jurisdiction concerns will help facilitate global growth.

2. "Cloud" will no longer be perceived as a security threat compared to on-premise solutions.
The future of security is in the cloud: Cloud solution providers have had to deal with the perception that the cloud was "unsecure" from day one. As a result, cloud solution providers historically had to over-deliver to be a viable alternative to on-premise solutions. The reality is that security and compliance are not the core competency of most IT departments, and they lack the internal resources to meet compliance requirements and evolving security threats.

3. Data Loss Prevention will become a hot issue for business leaders.
Who saw what when: Businesses need to know where their business-critical information is at all times. Flagging content and communication before it leaves the office is a good start, but it is not enough. Machine learning, pattern recognition, and "post-send" message controls are the next wave of DLP functionality that will protect employees, clients and, increasingly, the brand.

Tuesday, December 2, 2014

Report Connects Iran to Global Critical National Infrastructure Hacks

Reports are starting to come in today that security firm Cylance has published an 86-page report on Operation Cleaver, which discusses Iran's hacking capabilities and its motivations to attack global interests beyond the U.S. and Israel, the two countries long thought to be behind Stuxnet and the espionage campaigns using the Flame and Duqu malware.

"Ask yourself how connected your life has gotten over the last 5 years; how connected businesses and governments have gotten over the last 5 years," said TK Keanini, Lancope CTO. "In turn, crime and nation-state threats have also become more connected and their capabilities are expanding.

"Regardless of revenge or any other motivation, all nations need to be at a state of readiness and the investment in defense must at the very least match the investment being made in attacks by the adversaries.

"This statement is only bone chilling if you are not paying attention. The threat is real and defenses are in a constant co-evolutionary spiral."

Conflict and Cooperation in Cyberspace: The Challenge to National Security, edited by Panayotis Yannakogeorgos and Adam Lowther, brings together some of the world’s most distinguished military leaders, scholars, cyber operators, and policymakers in a discussion of current and future challenges that cyberspace poses to the United States and the world. Maintaining a focus on policy-relevant solutions, it offers a well-reasoned study of how to prepare for war, while attempting to keep the peace in the cyberspace domain.

The discussion begins with thoughtful contributions concerning the attributes and importance of cyberspace to the American way of life and global prosperity. Examining the truths and myths behind recent headline-grabbing malicious cyber activity, the book spells out the challenges involved with establishing a robust system of monitoring, controls, and sanctions to ensure cooperation amongst all stakeholders. The desire is to create a domain that functions as a trusted and resilient environment that fosters cooperation, collaboration, and commerce.

5 Pitfalls of Project Management Software Implementation

Project Insight project management software has published its most recent blog post on "5 Pitfalls of Project Management Software Implementation."

Click here to check out Auerbach's project management books.