Archives for March 2015
itGovernance Blog
March has been an interesting month. There haven’t been any major data breaches like last month’s incident at Anthem Inc., but a number of data breaches across the globe may have gone unnoticed.
As always, this list is incomplete owing to the vast number of breaches and how easily things are hidden. Please leave a comment if you have a story that you believe should be in this list.
Payment card information
Network World – Networking Nuggets and Security Snippets
By Jon Oltsik
In a recent ESG research report, enterprise security professionals were asked to identify the primary objectives associated with their organization’s network security strategy (note: I am an ESG employee). It turns out that 40% of organizations plan to move toward continuous monitoring of all assets by utilizing edge computing solutions and related technologies offered by companies such as Vantiq, while 30% plan to capture more network traffic for security analytics.
This data supports a general trend – many organizations are rapidly increasing their activities around network security data collection, processing, and analysis. Of course, this isn’t exactly news. Many enterprises have used security analytics tools based upon NetFlow for many years. Security analysts also have a history of including full-packet capture (PCAP) tools for their investigations. Many use open-source software like TCPdump or Wireshark. NetWitness astutely recognized this use case a few years ago, built a successful business around PCAP collection analysis, and ultimately cashed in when RSA Security came calling.
Why all the security focus on the network? Network security is crucial for the business world because without it, organizations might not be able to protect themselves against data theft, hacks, and sabotage. This is one of the many reasons IT network teams have to stay vigilant and watch for network abnormalities, with the help of technological solutions like the dynamic maps (network mapping) offered by firms such as NetBrain Technologies, which let them visually recognize every aspect of their network and find potential threats to it.
Anyway, as the old network security adage states, “the network doesn’t lie.” Yes, networks may hold secrets within encrypted traffic, but network traffic analysis can inevitably expose the Tactics, Techniques, and Procedures (TTPs) used in cyberattacks. If you look at network traffic from L2-7 and understand the connections, protocols, metadata, and content contained in the packets, you have almost everything you need to detect and respond to cyberthreats.
Yup, organizations are already bolstering their network data collection, processing, and analysis, but in my humble opinion, we are just scratching the surface of this trend. I truly believe that network traffic analysis will increase precipitously over the next few years, driven by:
- The use of packet-broker technology. Packet-broker technology from companies like Gigamon, Ixia, Netscout, and VSS Monitoring has become a staple within large enterprise and service provider networks. Security teams will likely take full advantage of packet brokers, as this type of overlay network can capture and route network data to centralized security analytics engines – a much more efficient method than installing probes, tapping into SPAN ports, or analyzing network data on a segment-by-segment basis.
- SDN. As SDN proliferates, networks will come with basic packet-broker technology built in. This too will encourage greater collection, centralization, and analysis of network traffic. SDN may also accelerate the integration of security analytics and network security infrastructure to automate remediation actions. In fact, after consulting with experts providing Cisco security advisory services, many businesses have already begun to use the Cisco Application Centric Infrastructure (ACI) solution to define applications based upon network policies – simplifying, optimizing, and accelerating the application deployment lifecycle.
- Cloud visibility. Aside from internal network security data, large organizations need similar visibility as they move more and more workloads to the cloud. Startups like Evident IO, Netskope, Threat Stack, and vArmour are intent on monitoring cloud activity while IBM, McAfee and Trend Micro are extending current products to place security eyes and ears in the cloud.
- NIC innovation. Vendors like Emulex and Solarflare can capture and process data at the NIC card level based upon rules and triggers. This capability can help security analysts filter through the noise at lightning speed and focus their investigations, so it’s likely that this NIC card technology will gain traction – especially with cloud service providers.
- Bundled offerings. IBM, Lancope and LogRhythm are already adding network forensics to their existing security analytics offerings while vendors like FireEye, Hexis Cyber Solutions, and RSA Security offer analytics solutions that dig into security data across endpoint forensics, network forensics, and external threat intelligence. Splunk is also more than willing to gather and examine network traffic for security and IT operations purposes.
It’s not likely that enterprises will copy and store every packet that ever crosses their network, but I have no doubt that they will collect, process, and analyze more and more network traffic each year. This should improve security analytics and ignite new market opportunities for security analytics, network hardware/software, storage devices/services, network management vendors, and MSSPs.
Guests at hundreds of hotels around the world are susceptible to hackers because of routers that many hotel chains depend on for their Wi-Fi networks.
Researchers have discovered an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.
An exploit could cause extensive damage. It would allow an attacker to distribute malware to guests and to monitor and record data sent over the network (such as credit card information). The perpetrator could also possibly gain access to the hotel’s reservation and keycard systems.
“If you’ve ever used Wi-Fi in a hotel, you’re familiar with these types of devices as they are typically tied to a specific room number for billing purposes,” said Cylance researcher Brian Wallace, in an advisory.
There’s also danger for the hotel itself. He added, “In some cases, we observed InnGate devices that were integrated into Property Management Systems (PMS). In cases where an InnGate device stores credentials to the PMS, an attacker could potentially gain full access to the PMS itself.”
As Wallace points out, the amount of information that can be compromised is rather breathtaking: PMS systems automate hotel functions like guest bookings, guest details, online reservations, point of sale, telephone, accounts receivable, sales and marketing, banquets, food and beverage costing, materials management, HR and payroll, maintenance management, quality management and other amenities.
Hotel property management systems may interface with central reservation systems and revenue or yield management systems, front office, back office, point of sale, door-locking, housekeeping optimization, pay-TV, energy management, payment card authorization and channel management systems.
The news gets worse. One would expect a vulnerability that grants full file-system access, and can thereby easily lead to a complete compromise of the system, to require an advanced exploit; unfortunately, this is not the case.
In actuality, any *nix system which has the rsync command available is capable of exploiting this vulnerability in just a few keystrokes.
“Remote access is obtained through an unauthenticated rsync daemon running on TCP 873,” said Wallace. “Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux-based operating system without restriction.”
He added, “Once full file system access is obtained, the endpoint is at the mercy of the attacker.”
Cylance uncovered vulnerable devices in 29 countries including the United States, Cuba, Australia and Italy. ANTlabs said that it is releasing a patch, which should be applied immediately. Wallace said that the vulnerability can also be mitigated by blocking the unauthenticated rsync daemon from internet access: a simple inbound TCP deny on port 873 on the network device upstream of the affected InnGate device.
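The following Python script is an added example, not code from this page, from ESG, from Cylance or from ANTlabs. It ties together the two technical points above: the network-analysis article's claim that L2-L4 connection metadata pulled from a packet capture is enough to spot what is happening, and the advisory's mitigation of blocking inbound TCP/873 upstream of the gateway. It parses a libpcap file into per-connection flow records and then reports any new connection to the rsync daemon port that originates outside the internal address space. Assumptions made here: the capture is taken on the upstream device's hotel-facing or internet-facing interface, the RFC 1918 ranges are the property's own management network, and the packets, addresses (RFC 5737 documentation ranges) and payload are constructed inline so the script runs offline; `build_pcap`, `ether_ipv4_tcp` and the other function names are this example's own.

```python
import ipaddress
import struct
from collections import defaultdict

RSYNC_PORT = 873  # TCP port of the unauthenticated rsync daemon named in the advisory

# Assumption: these RFC 1918 ranges are the property's own management network; any
# other source address is treated as reachable from the internet for the check below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def ether_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (constructed test data). Checksums are
    left at zero, which is fine for offline parsing but invalid on a real wire."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 1425000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def iter_frames(pcap_bytes):
    """Yield (timestamp, frame) for every record in a little-endian pcap."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap files are handled here")
    off = 24  # global header length
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Decode the L2-L4 headers of one frame; None if it is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    flags = tcp[13]
    return {"src": str(ipaddress.IPv4Address(frame[26:30])),
            "dst": str(ipaddress.IPv4Address(frame[30:34])),
            "sport": sport, "dport": dport,
            "syn_only": (flags & 0x12) == 0x02,  # SYN without ACK = a new connection attempt
            "payload": len(tcp) - (tcp[12] >> 4) * 4}


def summarize(pcap_bytes):
    """Aggregate packets into 5-tuple flows with packet and payload-byte counts."""
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "new_conn": False})
    for _, frame in iter_frames(pcap_bytes):
        rec = parse_tcp(frame)
        if rec is None:
            continue
        f = flows[(rec["src"], rec["dst"], rec["sport"], rec["dport"], "tcp")]
        f["packets"] += 1
        f["payload_bytes"] += rec["payload"]
        f["new_conn"] |= rec["syn_only"]
    return dict(flows)


def exposed_rsync_flows(flows):
    """(src, dst) pairs for new connections to TCP/873 from outside the internal
    ranges: exactly the traffic the upstream deny rule is meant to stop."""
    return [(src, dst) for (src, dst, _sp, dport, proto), f in flows.items()
            if proto == "tcp" and dport == RSYNC_PORT and f["new_conn"] and not is_internal(src)]


# Constructed sample capture: an external client completing a handshake to the
# gateway's rsync port, an internal host opening the same port, an ordinary
# outbound HTTPS SYN, and an ARP frame the TCP parser has to skip.
SAMPLE_PCAP = build_pcap([
    ether_ipv4_tcp("203.0.113.5", "10.0.0.1", 40001, 873, 0x02),
    ether_ipv4_tcp("10.0.0.1", "203.0.113.5", 873, 40001, 0x12),
    ether_ipv4_tcp("203.0.113.5", "10.0.0.1", 40001, 873, 0x18, b"client-greeting"),
    ether_ipv4_tcp("192.168.1.20", "10.0.0.1", 50000, 873, 0x02),
    ether_ipv4_tcp("10.0.0.7", "93.184.216.34", 50001, 443, 0x02),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
])

if __name__ == "__main__":
    flows = summarize(SAMPLE_PCAP)
    for key, f in flows.items():
        print(key, f)
    print("exposed rsync connections:", exposed_rsync_flows(flows))
```

Run against a capture taken before and after the port-873 deny is installed, an empty result from `exposed_rsync_flows` is the evidence that the upstream rule is actually in the path; the internal 192.168.1.20 connection is deliberately not flagged, since the advisory's mitigation is about internet exposure, not about the management network's own use of the device.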
Please be advised that there have been updates to the Snare Product Suite:
Snare Agent for Windows – Version 4.2.11 – Snare For Windows Release Notes
Snare Epilog for Windows – Version 1.7.10 – Snare for Epilog For Windows Release Notes
Snare for MS SQL – Version 1.3.3 – Snare for MS SQL Release Notes
Snare Server Version 7.0.1 – Snare Server Release Notes
HANOVER, Md., March 12, 2015 – Hexis Cyber Solutions (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (NASDAQ: KEYW) and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today announced that HawkEye G has been selected by key members of the United States Intelligence Community as part of an integrated Active Cyber Defense (ACD) solution, protecting federal agencies’ networks against nation-state adversaries. As a core component, HawkEye G provides the only automated advanced threat removal capability available today. The ACD solution, referred to by the name SHORTSTOP, is provided as a turn-key system or as a reference design to federal agencies seeking best-in-class cyber defense. SHORTSTOP facilitates a convergence of commercial security technologies including HawkEye G and products from Palo Alto Networks, FireEye, and Splunk.
“The Intelligence customers that built this system understand the capabilities of today’s best cyber security products, and how to combine them to find previously undetectable attacks and remove them at machine speed. They are taking advantage of HawkEye G to sense at the endpoints, provide threat detection, pinpoint attacks, reduce false positives, and use automation to remove the threats,” said Chris Fedde, President of Hexis Cyber Solutions. “The SHORTSTOP architecture is consistent with the capabilities developed over the last three years by our engineers. As a result, government and commercial organizations can execute policy-driven threat mitigation in real-time to combat against advanced cyberattacks.”
HawkEye G is a next-generation cyber security platform that provides advanced threat detection, investigation and automated response capabilities. Security teams can continuously detect, investigate and remove advanced threats from within the network before adversaries can steal sensitive data, compromise intellectual property or cause critical process disruption. HawkEye G provides endpoint and network sensing, threat detection analytics, automated countermeasures that remove network threats, and a flexible policy engine that enables users to govern actions using both micro and macro policy controls.
According to research published by leading industry analysts, current forms of advanced persistent threat (APT) malware can live on a network host undetected for months. During this time, organizations are losing billions of dollars and in the case of many government entities, exposing highly sensitive intellectual property and data. With it becoming increasingly clear that perimeter and traditional endpoint solutions are failing to keep up with threats and that manual responses allow threats to compromise networks, government and commercial organizations are recognizing the need to automate decision-making and response.