Archives for February 2015
The Internet of Things may be getting ahead of itself when it comes to security
The Internet of Things has been touted as the centerpiece of many innovative devices as it grows to encompass nearly every type of product imaginable. Already, appliances, cars and even buildings are being equipped with the capability to access Wi-Fi and wired networks. This has led to new efficiencies and data-driven opportunities for enterprises across the board.
Even as the benefits of connectivity grow more apparent, enterprises mustn’t lose sight of their security objectives. Before IoT devices and equipment make their way into routine business operations, decision makers should ensure that they are adding the layers of security necessary to incorporate these products in a safe way.
Individual devices’ security not yet up to par
According to Network World, Earl Perkins, research vice president at Gartner, believes that manufacturers of IoT-connected devices have put their own business goals ahead of ensuring that their products are secure from cyberattacks.
Perkins stated that this will change for the better moving forward, citing the trend of IoT device manufacturers acquiring software security firms to help shore up their products’ defenses, the news source reported. He noted that because businesses are increasingly concerned about their own cybersecurity, they will prefer solutions that come equipped with pre-loaded software-defined security measures. Essentially, it’s in the manufacturers’ best business interests to meet these needs.
Until a time arises where IoT products’ security features come standard, however, enterprises will need to be very careful about what they let connect to their networks.
IoT breeds complexity, which makes security difficult
Beyond the individual devices’ shortcomings, the IoT introduces a lot of moving parts into the network, as each individual device becomes an endpoint unto itself. These devices will be generating, receiving and transmitting data in large quantities, and while that level of interconnectivity can be a boon for business efficiency, it can also be an opportunity for hackers to break in.
Unsecured devices that have network access are easy targets for hackers who can penetrate into enterprise networks through a device. As ZDNet explained, each device that gets added to the network makes the overall structure more complex, as an individual product has its own vulnerabilities that must be accounted for by another part of the structure.
In light of this, enterprises will come to depend on cybersecurity solutions that scale and offer automated, machine-speed detection and response tools to keep up with the deluge of data and increasingly complex structure of their networks.
Sophos wins Best Usability Award from AV-Test
We’re pleased to announce that Sophos has been recognized with the AV-Test Best Usability 2014 Award!
AV-Test regularly tests endpoint protection products, including the Windows component of our Endpoint Protection product, which we call Endpoint Security and Control.
Across multiple tests in 2014, “Sophos Endpoint Security and Control excelled consistently and thus earned the 2014 Award in the category of Usability,” said Andreas Marx, CEO of AV-Test.
Our tagline is “Security made simple,” and part of delivering on that statement is creating products that are highly usable for our customers.
We also understand, though, that usability is only one reason why people choose Sophos.
We’re leaders in the industry because we combine simplicity with ongoing innovation on the endpoint and, more broadly, in protection of end users across all devices and platforms.
In addition to our AV-Test award, we’ve been recognized in the Leaders Quadrant of Gartner’s Magic Quadrant for Endpoint Protection Platforms for eight years in a row.
Plus, we’ve been named as Champions in the Info-Tech Research Group’s 2014 Vendor Landscape: Endpoint Protection.
Older Vulnerabilities Top Enabler of Breaches
SC Magazine – Adam Greenberg, Reporter
Accounting for 33 percent of identified exploit samples in 2014 is CVE-2010-2568, a popular Microsoft Windows vulnerability that was used as one of the infection vectors for Stuxnet, Jewel Timpe, senior manager of threat research at HP Security Research, told SCMagazine.com on Monday.
The report shows that CVE-2010-0188, a vulnerability in Adobe Reader and Acrobat, accounted for 11 percent of exploit samples in 2014. Six Oracle Java bugs identified in 2012 and 2013 also made the top ten list, as well as two Microsoft Office flaws – one identified in 2009 and the other in 2012.
“Our biggest message here is that we have got to start learning from our past,” Timpe said, going on to add, “We know software has vulnerabilities and vendors patch them, and when those patches are made available, they need to be applied. The best patch in the world won’t help your software if you don’t apply it.”
Timpe admitted that patching everything is not easy.
Patch management is a challenge for organizations because it is expensive and resource intensive, she said, adding that launching new applications may negatively affect existing infrastructure and could even result in regression in other software – meaning previously patched vulnerabilities are possibly reintroduced.
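One way to catch the regression case Timpe describes, namely a rollout that silently reintroduces a previously patched vulnerability, is to diff a component inventory taken before and after the deployment against the first version known to carry each fix. The script below is an added example, not code from the article or from HP Security Research; the component names, inventories and the `FIXED_IN` table are constructed, and the advisory ids in it are placeholders rather than real identifiers.

```python
"""Detect patch regressions after a deployment (constructed example).

Compares a component inventory captured before and after a rollout against
the first version known to carry a given fix; any component that dropped
below that version has had a previously patched bug reintroduced.
Advisory ids below are placeholders, not real identifiers."""


def parse_version(text):
    """'2.4.7' -> (2, 4, 7); non-numeric fragments compare as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Assumed table: component -> (advisory placeholder, first fixed version).
FIXED_IN = {
    "libexample": ("CVE-XXXX-0001 (placeholder)", "2.4.7"),
    "webapp-core": ("CVE-XXXX-0002 (placeholder)", "1.12.0"),
}

# Constructed inventories: the new application release bundled an older libexample.
BEFORE = {"libexample": "2.4.7", "webapp-core": "1.12.3", "helper": "0.9"}
AFTER = {"libexample": "2.3.9", "webapp-core": "1.12.3", "helper": "1.0"}


def unpatched(inventory):
    """Components whose installed version is older than the version that fixed them."""
    return sorted(
        (name, advisory, inventory[name])
        for name, (advisory, fixed) in FIXED_IN.items()
        if name in inventory and parse_version(inventory[name]) < parse_version(fixed)
    )


def regressions(before, after):
    """Components that were patched before the rollout but are unpatched after it."""
    already_bad = {name for name, _, _ in unpatched(before)}
    return [
        (name, advisory, before.get(name), version)
        for name, advisory, version in unpatched(after)
        if name not in already_bad
    ]


if __name__ == "__main__":
    for name, advisory, old, new in regressions(BEFORE, AFTER):
        print(f"REGRESSION {name}: {old} -> {new} reintroduces {advisory}")
```

Running the check as a gate in the deployment pipeline turns "previously patched vulnerabilities are possibly reintroduced" from a risk you discover in an incident into one you discover before the release ships.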
Timpe suggested taking the stance of the “assumed breach,” and explained that organizations – big or small – should implement technologies that identify breaches quickly and shut incidents down. She added that companies should identify which assets are most valuable and assess how to protect them.
Another significant issue noted in the report is server misconfigurations.
“This year we saw the bulk of them are really misconfigurations that are allowing unnecessary access to files and directories that they should not be allowing access to,” Timpe said, going on to add, “These configurations are giving adversaries a new way to get in.”
According to the report, penetration testing coupled with internal and external analyses of configurations can help in identifying issues.
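The internal configuration analysis the report recommends can be partly automated. The checker below is an added example, not code from the article or the HP report; it scans constructed Apache httpd and nginx fragments for the most common form of the misconfiguration Timpe describes, directory listings that expose files the server should not be serving, and shows the weak block beside its corrected form. It goes slightly beyond the article by covering two server types; the directives it looks for (`Options Indexes`/`+Indexes`/`All` in Apache, `autoindex on` in nginx) are real, the configurations themselves are constructed.

```python
"""Flag web-server blocks that enable directory listings (constructed example)."""
import re

# Constructed Apache httpd fragment: the first block enables listings, the second does not.
APACHE_WEAK = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/uploads">
    Options -Indexes
    Require all granted
</Directory>
"""

# Corrected form of the same fragment: listings explicitly disabled.
APACHE_FIXED = APACHE_WEAK.replace(
    "Options Indexes FollowSymLinks", "Options -Indexes +FollowSymLinks"
)

# Constructed nginx fragment with an auto-indexed location.
NGINX_WEAK = """
server {
    listen 80;
    location /files/ {
        autoindex on;
    }
}
"""


def apache_listing_findings(config):
    """Return the <Directory> paths (or '(global)') where Options enables Indexes."""
    findings = []
    current = "(global)"
    for raw in config.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?>', line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
            continue
        if line.lower() == "</directory>":
            current = "(global)"
            continue
        if line.lower().startswith("options"):
            tokens = [t.lower() for t in line.split()[1:]]
            # "Indexes"/"+Indexes" enable listings; "All" implies Indexes; "-Indexes" disables.
            if any(t in ("indexes", "+indexes", "all", "+all") for t in tokens):
                findings.append(current)
    return findings


def nginx_listing_findings(config):
    """Return the location prefixes (or '(server)') that set autoindex on.

    Simplification: block nesting is tracked only by 'location' lines, not by braces."""
    findings = []
    current = "(server)"
    for raw in config.splitlines():
        line = raw.strip()
        opened = re.match(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{", line)
        if opened:
            current = opened.group(1)
            continue
        if re.match(r"autoindex\s+on\s*;", line):
            findings.append(current)
    return findings


if __name__ == "__main__":
    print("apache weak :", apache_listing_findings(APACHE_WEAK))
    print("apache fixed:", apache_listing_findings(APACHE_FIXED))
    print("nginx weak  :", nginx_listing_findings(NGINX_WEAK))
```

Pointing the two functions at real configuration files (for example, everything under `conf.d`) gives a repeatable pre-deployment check that complements the external view a penetration test provides.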
In 2015, Timpe said she expected to see more open source vulnerabilities, more SCADA attacks, and more of a focus on infrastructure. Additionally, she said that attackers will continue to have success by exploiting older bugs.
Timpe – who urged organizations to update if they are running older systems that have reached or are nearing end of support – said that cooperation and working together will help reduce the threat posed by attackers.
“If we talk more, share more, and gain a thorough understanding of imminent threats, it will continue to increase the cost the attacker has to spend to be successful,” Timpe said.
Kaspersky Lab Unveils ‘Equation’: the Grand Daddy of APT Groups
Phil Muncaster, UK / EMEA News Reporter, Infosecurity Magazine
Kaspersky Lab has uncovered what appears to be one of the most sophisticated cyber-attack groups in history – in operation for at least 14 years and which even had access to some of the exploits used in the Stuxnet and Flame campaigns.
The Equation Group had related C&C servers registered as far back as 1996 and has been infecting potentially tens of thousands of victims globally since 2001 in areas ranging from government to telecoms, nuclear energy, nanotechnology, Islamic activists, and encryption companies.
Iran, Russia, Pakistan, Afghanistan, India, China and Syria top the list of victim countries.
The group is so-called “because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations,” Kaspersky Lab said in a lengthy Q&A document.
It is said to have a vast C&C infrastructure of over 300 domains and more than 100 servers spread across multiple countries. Kaspersky Lab said it is sink-holing two dozen of these servers.
This highly sophisticated and well-resourced group is said to have used a wide variety of bespoke trojans, or ‘implants’ as it calls them.
These include ‘Fanny’ – a computer worm created in 2008 to gather info on targets in the Middle East and Asia.
The vendor explained further in a blog post:
“Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet. To spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which was also used in one of the early versions of Stuxnet from 2009.
It’s important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating that the Equation group had access to these zero-days before the Stuxnet group. The main purpose of Fanny was the mapping of air-gapped networks. For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks.”
Although Kaspersky Lab falls short of attribution, this tie-in to Stuxnet and Flame, as well as the group’s use of virtual file systems similar to those found in Regin, and many other links, make the United States National Security Agency a prime suspect.
The group’s most powerful tool is said to be a module known as ‘nls_933w.dll’ which enables it to reprogram the firmware in hard drives made by over 12 different big-name brands including IBM, Maxtor, Western Digital, Toshiba and Seagate.
“This is an astonishing technical accomplishment and is testament to the group’s abilities,” said Kaspersky Lab.
For the record, the Russian security vendor claimed it first discovered evidence of the Equation Group when investigating Regin. A victim machine in the Middle East was apparently also infected with one of the group’s malware platforms, EQUATIONDRUG.
Brian Honan, special advisor to Europol’s Cybercrime Centre, argued that aside from “conversation fodder,” the news of Equation Group’s discovery will not have a major impact on day-to-day operations for most organizations.
“From a CISO perspective the key take-away is that defense should not focus just on prevention but also on detection and response,” he told Infosecurity.
“Organizations need to develop their capabilities in detecting unusual or suspicious behaviour on their systems and networks and have the ability to respond appropriately.”
Next-Generation Enduser Protection – Sophos
Better device and data security through innovation and integration
Background
The endpoint has changed. No longer are endpoints just Windows workstations operating within a corporate perimeter and accessing servers that are inside the same perimeter. Instead, organizations are faced with a diverse set of workstation and mobile device platforms that are used everywhere and that routinely access data stored on the network, in the cloud and on the devices themselves.
While attackers have taken advantage of these changes, adapting to new platforms and developing more sophisticated attacks, endpoint security has been slower to evolve. In most cases, the focus is still primarily on preventing malicious files from infecting Windows endpoints. It’s no wonder, then, that businesses are struggling to keep up with the latest threats and to protect their sensitive data.
The Sophos Approach
Sophos is taking a different approach to building security for businesses, anchored by three core beliefs:
- Security must be comprehensive. A solution must include all the capabilities required to satisfy a customer’s needs.
- Security can be made simple. That simplicity must be reflected in everything about the solution, including deployment, management, licensing, support and the overall user experience.
- Security is more effective as a system. New possibilities emerge when technology components communicate and cooperate, instead of each functioning in isolation.
Next-Generation Enduser Protection is our vision of applying these principles to deliver better security for enduser devices and data through the integration of innovative endpoint, mobile and encryption technologies. Imagine a system that collects suspicious events from all your devices, correlates the data to identify a compromised system, alerts the administrator, temporarily locks down the system — and access from that system to sensitive network and cloud data — and removes the detected threat, all automatically. That’s what Next-Generation Enduser Protection will make possible.
Next-Generation Enduser Protection represents a fundamental change to how we approach security. Traditional antivirus starts and ends with preventing infected files from running on a computer. If an infected file does run, the attacker is now in a position to cause damage or steal data without being detected. In contrast, we’re looking not just at whether a file is infected, but whether the computer is exhibiting behaviors that indicate the system is under attack or already compromised. We can then bring all our technology to bear on stopping and removing the threat. By focusing on prevention, detection and remediation of the entire system, we can give organizations peace of mind that they will suffer fewer infections and have a lower risk of data breaches and other security incidents.
What’s new
The first next-generation feature to reach the endpoint is Malicious Traffic Detection, which catches compromised computers in the act of communicating with attackers’ command and control servers. Similar technology available in next-generation firewalls — including ours — can alert administrators to the presence of a compromised system on the network. But because we integrate the feature into the endpoint, we can go further by detecting a compromise on or off the network, identifying the specific malicious file, and cleaning up the infection. For customers, this means better detection rates and less time investigating and manually cleaning compromised systems.
Also released is the new Sophos System Protector, which is the “brain” of our updated endpoint agent. It correlates information from the Malicious Traffic Detector and other components to identify threats that might not be deemed “bad” by any one component on its own. This results in better protection against advanced threats, with fewer false positives.
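The idea behind both features, a traffic detector that ties a command-and-control connection to the specific process and file behind it, and a correlation layer that raises an alert only when several weak signals agree, can be illustrated with a small correlation engine. The code below is an added example and not Sophos code; the component names, signal weights, threshold, watchlist and telemetry records are all constructed assumptions chosen so that no single component crosses the alert threshold on its own.

```python
"""Correlate weak per-process signals from several endpoint components into one verdict.

Constructed example: the components, weights, threshold, watchlist and
telemetry below are assumptions, not any vendor's actual logic."""

# Constructed list of known command-and-control hosts (a real deployment
# would consume a maintained threat feed).
C2_WATCHLIST = {"bad-c2.example", "updates.evil.example"}

# Weight of each signal. No single weight reaches ALERT_THRESHOLD, so an
# alert requires agreement between at least two components.
SIGNAL_WEIGHTS = {
    "c2_traffic": 60,        # outbound connection to a watchlisted host
    "unsigned_binary": 25,   # image carries no valid code signature
    "low_prevalence": 20,    # image seen on very few machines
    "persistence_write": 30, # process wrote an autorun location
}
ALERT_THRESHOLD = 80

# Constructed telemetry: (component, pid, image_path, detail).
EVENTS = [
    ("traffic", 880, r"C:\Windows\System32\svchost.exe", "update.vendor.example:443"),
    ("traffic", 4120, r"C:\Users\alice\AppData\Local\Temp\svchost32.exe", "bad-c2.example:443"),
    ("file", 4120, r"C:\Users\alice\AppData\Local\Temp\svchost32.exe", "unsigned;prevalence=2"),
    ("behaviour", 4120, r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     r"autorun_write:HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("file", 2210, r"C:\Program Files\Tool\tool.exe", "unsigned;prevalence=5000"),
]


def signals_from_event(component, detail):
    """Translate one component's raw observation into named signals."""
    signals = []
    if component == "traffic":
        host = detail.rsplit(":", 1)[0]
        if host in C2_WATCHLIST:
            signals.append("c2_traffic")
    elif component == "file":
        attrs = dict(kv.split("=") if "=" in kv else (kv, True) for kv in detail.split(";"))
        if attrs.get("unsigned"):
            signals.append("unsigned_binary")
        if int(attrs.get("prevalence", 10**6)) < 10:
            signals.append("low_prevalence")
    elif component == "behaviour":
        if detail.startswith("autorun_write:"):
            signals.append("persistence_write")
    return signals


def correlate(events):
    """Aggregate distinct signals per process: {pid: {image, score, signals}}."""
    per_pid = {}
    for component, pid, image, detail in events:
        entry = per_pid.setdefault(pid, {"image": image, "score": 0, "signals": []})
        for signal in signals_from_event(component, detail):
            if signal not in entry["signals"]:
                entry["signals"].append(signal)
                entry["score"] += SIGNAL_WEIGHTS[signal]
    return per_pid


def alerts(events):
    """Processes whose combined score crosses the threshold, with the file to clean up."""
    return sorted(
        (pid, entry["image"], entry["score"], entry["signals"])
        for pid, entry in correlate(events).items()
        if entry["score"] >= ALERT_THRESHOLD
    )


if __name__ == "__main__":
    for pid, image, score, signals in alerts(EVENTS):
        print(f"ALERT pid={pid} score={score} file={image} signals={signals}")
```

The output names the process and the image path, which is what lets an endpoint agent clean up the file rather than only reporting a suspicious connection; the legitimate but unsigned `tool.exe` never crosses the threshold because it has only one weak signal, which is the false-positive reduction the correlation buys.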
Both Malicious Traffic Detection and Sophos System Protector are rolling out in January 2015 in our Sophos Cloud Enduser Protection and Sophos Cloud Endpoint Protection Advanced products. We expect to introduce both features into the corresponding on-premise products in the first half of 2015.
Download the datasheet or contact us for more information