Archives for March 2017
Phishing Your Employees for Schooling & Security
Dark Reading – Corey Nachreiner, March 22, 2017
Your education program isn’t complete until you test your users with fake phishing emails.
Imagine this fictional scenario: A student, hoping to become a surgeon, attends hours of medical courses. She never misses a class, always listens, and takes copious notes. Finally, after receiving the years of training necessary, the student receives her medical degree having never taken a test. Would you let this surgeon operate on you?
I sure hope not! Testing is a crucial part of any form of education, for both teachers and students.
That’s why I believe your phishing education program isn’t complete until you phish your own company’s tank. By that, I mean sending fake (but realistic) phishing emails to all your users to see if they fall for them. There are plenty of tools and services that can do this for you. To me, this is the real test of your phishing and user awareness security training.
I’m assuming those of you reading this already have a security education program that includes a phishing curriculum. Some information security experts don’t believe user education works. I’m not one of them. There’s significant evidence that the right kind of education does work. In fact, for phishing specifically, the Ponemon Institute found that user education had a staggering 50x return on investment. If you aren’t already educating your users through training, that number alone should convince you to start. So, let’s talk about how you can improve your general security education program, and why phishing your users is such a valuable piece of the puzzle.
- Practical tests are the best measure of understanding. Most security awareness training I’ve seen ends with a basic multiple choice test. These tests are only a partial measurement of whether or not the pupil can put that knowledge to use in the real world. Take a driving test, for instance. Sure, there’s a written test, but you wouldn’t allow a teenager on the road until after he passed the practical one, too.
- Practical assessment can reveal training gaps. By sending fake phishing emails, you can learn which ones your users fell for most often. Was there a certain type of email that contained a certain “lure” that tricked your employees? Perhaps that might be a missing piece you can add to your next phishing training, or a concept you haven’t covered in enough detail.
- They help employees recognize their own level of understanding. Your fake phishing emails should immediately inform the user when they clicked on a bad link. The goal isn’t to shame the user — that’s detrimental to education. Rather, the goal is to let the user know they missed something, so they realize that they have a gap in their practical understanding, and don’t overestimate their preparedness.
- They provide another training opportunity. The best training involves repetition. Besides informing a student they’ve made a mistake, fake phishing emails allow you to immediately share training with the user that specifically addresses the mistake they just made. For instance, say a user clicked a link that obviously went to a domain having nothing to do with the email. After informing the user of their mistake, your phishing link could forward the user to a training page specifically telling them what to look for in URLs. In fact, these fake phishing exercises provide an easy way to regularly reintroduce training materials to your users (at least the ones making mistakes), without having to repeat a training course.
- Practical tests are more likely to change behaviors. The true measure of security education is if its recipients change their bad behaviors. One reason some security pundits complain that training is ineffective is because of a certain type of user that knows the right behavior but continues to do the wrong one when it’s easier. Failing these internal phishing tests regularly should eventually get even the most stubborn users to change their behavior, simply because they know their boss might be watching.
- They help you measure the actual value of your training. I believe that security training is effective, but not all training is equal. Phishing your own tank measures your training’s efficacy. Send out fake phishing emails before your trainings and record the results. Then send similar emails out after the training and compare the results. Give your organization at least two cycles of training to really understand the long-term trends. (Education takes some time!) However, if you aren’t seeing a change in behavior, then perhaps you should cancel that particular training course and identify one that works better. In any case, you’re not going to be able to calculate this risk vs. efficacy vs. cost equation unless you actually measure how well your users do against phishing emails — and the only way to do that is to phish your company’s tank.
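The measurement loop the list above describes (find the lures people fall for, compare a cycle before training with a cycle after, and decide which courses are not changing behaviour) is easy to automate once a simulation tool exports per-recipient results. The script below is an added example, not part of the Dark Reading article or any particular phishing-simulation product; the campaign counts, lure names and user ids are all constructed, and the 0.2 improvement threshold is an arbitrary policy choice.

```python
"""Added example (not from the Dark Reading article): scoring a simulated-phishing
programme the way the article describes, from per-recipient results of two
campaign cycles, one sent before a training course and one sent after it.
All campaign data is constructed for the example; real tools export
comparable per-recipient records."""
from collections import defaultdict

# Constructed per-lure outcomes: (cycle, lure) -> (clicked, sent).
# Each lure was sent to the same eight recipients in both cycles.
CONSTRUCTED_COUNTS = {
    ("before", "password-reset"):  (4, 8),
    ("before", "invoice"):         (2, 8),
    ("before", "shared-document"): (6, 8),
    ("after",  "password-reset"):  (2, 8),
    ("after",  "invoice"):         (1, 8),
    ("after",  "shared-document"): (5, 8),
}

def expand(counts):
    """Turn the counts into per-recipient records (cycle, lure, user, clicked),
    the shape a phishing-simulation tool would export. Hypothetical user ids;
    the first `clicked` recipients of each lure are the ones who clicked."""
    records = []
    for (cycle, lure), (clicked, sent) in counts.items():
        for i in range(sent):
            records.append((cycle, lure, f"{lure}-user{i:02d}", i < clicked))
    return records

RECORDS = expand(CONSTRUCTED_COUNTS)

def click_rates(records):
    """Click rate per (cycle, lure): the basic measurement."""
    clicks, sent = defaultdict(int), defaultdict(int)
    for cycle, lure, _user, clicked in records:
        sent[(cycle, lure)] += 1
        clicks[(cycle, lure)] += int(clicked)
    return {key: clicks[key] / sent[key] for key in sent}

def weakest_lures(records, cycle, top=2):
    """Lures that tricked the most people in one cycle: the training gaps
    the article says a practical test reveals."""
    rates = click_rates(records)
    ranked = sorted(((lure, rate) for (c, lure), rate in rates.items() if c == cycle),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:top]

def training_effect(records):
    """Per lure: (before rate, after rate, change). A negative change means
    fewer people clicked after the course."""
    rates = click_rates(records)
    lures = sorted({lure for (_cycle, lure) in rates})
    return {lure: (rates[("before", lure)], rates[("after", lure)],
                   rates[("after", lure)] - rates[("before", lure)]) for lure in lures}

def courses_to_revisit(records, min_drop=0.2):
    """Lures whose click rate did not fall by at least `min_drop`: the course
    covering that lure is not changing behaviour and should be re-evaluated."""
    effect = training_effect(records)
    return [lure for lure, (_b, _a, change) in effect.items() if -change < min_drop]

def repeat_clickers(records):
    """Users who clicked in both cycles: candidates for individual follow-up
    training rather than another company-wide course."""
    by_cycle = defaultdict(set)
    for cycle, _lure, user, clicked in records:
        if clicked:
            by_cycle[cycle].add(user)
    return sorted(by_cycle["before"] & by_cycle["after"])

if __name__ == "__main__":
    print("weakest lures before training:", weakest_lures(RECORDS, "before"))
    for lure, (before, after, change) in training_effect(RECORDS).items():
        print(f"{lure:16s} before={before:.2f} after={after:.2f} change={change:+.3f}")
    print("courses to revisit:", courses_to_revisit(RECORDS))
    print("repeat clickers:", len(repeat_clickers(RECORDS)))
```

With the constructed data the shared-document lure is the weakest before training, and only the password-reset course clears the 0.2 improvement bar; the other two lures would be the ones to look at before running the next cycle. Using the same recipients in both cycles is what makes the repeat-clicker list meaningful.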
Contact us for more information on security training.
Threats Evolve – Your Security Should Too
Threats evolve. One of the first companies I worked for was hit by a ‘denial of service’ attack: an email was sent to a friend of mine that carried a script which made sheep dance all over your screen. It was pretty amusing, so she decided to send it to the distribution list in the office. Let’s just say that the system administrators were not amused, as it brought the network down completely, and it took the afternoon to bring everyone back up. This was in 1995. Security has since evolved to a certain extent; today this type of attack would be caught by your UTM, email security appliance or endpoint solution. Over the course of several years, security solutions evolved – firewalls, endpoint protection, network access control and logging. In the early 2000s, the terms SIM, SEM and SIEM were all the rage, and the next best thing for organizations battling threat actors, as they offered a great way to review all of the events from your network in one centralized location. That was also when you could back up your logs to a CD.
Fast forward to today: we have embraced BYOD, cloud technology and IoT devices, and no one actually picks up the phone any more – email or texting is the communication tool providing immediate gratification. (Anyone remember what a telex machine is?) This explosion of technology, and reliance on said technology, has completely altered the threat landscape. Organizations are subject to ransomware, trojans, APTs, insider threats and more – all of which ‘can’ make it through your defenses and be hard to detect and remediate.
A recent article from Dark Reading by Kelly Sheridan identifies flaws in current SIEM systems, and while reading it, I was not surprised. Almost any product that collects event logs identifies itself as a SIEM, and some SIEMs now promote the security analytics portion of the product more than the logging portion. In addition, a new acronym – SOAPA, which stands for security operations and analytics platform architecture (Network World, November 29, 2016) – was coined to distinguish such products from SIEM.
Advances in SIEM are not moving at the same speed as the threats, nor taking into account new threat vectors. Typically, event data is sent from the host devices, using either standard syslog or an agent, to a repository of some sort. This event data is then queried using a set of correlation rules, which in turn initiate an alert or a response of some sort. While most SIEM vendors point to huge libraries of pre-built reporting, that content needs to be refined to fit your organization AND it needs to be regularly reviewed to ensure that any new “threats” will be discovered and alerted on, or have a response of some sort created.
For some attacks the SIEM will most definitely be advantageous to the organization, and of course, if you are required to collect and monitor logs for a compliance requirement, it is a necessity. However, the threats of today take into account how these platforms work. The threat actors are meticulous, and look for ways to evade the traditional security platforms.
The growth in products deemed to include security analytics/behavioural analysis can assist organizations in determining whether network activity is malicious. These products look at the typical activity of a network over time, baseline it, and can then provide a relatively good assumption, when the activity deviates, that there is a potential issue at hand.
By combining behavioural analysis/security analytics, machine learning and threat intelligence, an organization is provided a more comprehensive review of activity on its network. Using a system that is not based on rules alone, but rather looks holistically at all of the users, devices and applications and how they all interact, running it through algorithms and machine learning techniques, will provide a more accurate detection of a threat.
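The two detection styles contrasted above (a rule that correlates events in a repository, and a behavioural check that compares activity against a per-user baseline) can be shown side by side on the same syslog feed. The following is an added example written for this page, not code from any SIEM product: the syslog lines, hosts, addresses (documentation ranges) and the five days of per-user history are all constructed, and the five-failure and three-sigma thresholds are arbitrary policy values.

```python
"""Added example (not from the post): a minimal SIEM pipeline in the shape the
post describes. Syslog-style events go into a repository (here a list), a
correlation rule queries them and raises alerts, and a second, baseline-based
rule flags a user whose traffic volume deviates from their own history.
Log lines, hosts, addresses and history are all constructed for the example."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed syslog lines (RFC 3164 style), as an agent or syslog forwarder
# would deliver them. 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
CONSTRUCTED_LOG = """\
Mar 22 09:00:01 web01 sshd[412]: Failed password for admin from 198.51.100.7 port 50233 ssh2
Mar 22 09:00:03 web01 sshd[412]: Failed password for admin from 198.51.100.7 port 50234 ssh2
Mar 22 09:00:04 web01 sshd[414]: Failed password for root from 203.0.113.9 port 41000 ssh2
Mar 22 09:00:05 web01 sshd[412]: Failed password for admin from 198.51.100.7 port 50235 ssh2
Mar 22 09:00:07 web01 sshd[412]: Failed password for admin from 198.51.100.7 port 50236 ssh2
Mar 22 09:00:09 web01 sshd[412]: Failed password for admin from 198.51.100.7 port 50237 ssh2
Mar 22 09:00:12 web01 sshd[416]: Accepted password for admin from 198.51.100.7 port 50238 ssh2
Mar 22 09:01:00 web02 sshd[300]: Accepted password for deploy from 192.0.2.10 port 33000 ssh2
Mar 22 09:05:00 proxy01 proxy[77]: user=alice out_bytes=70000 dst=files.example
Mar 22 09:06:00 proxy01 proxy[77]: user=bob out_bytes=2400000 dst=paste.example
Mar 22 09:07:00 proxy01 proxy[77]: user=alice out_bytes=60000 dst=mail.example
"""

# Constructed history: outbound bytes per user on each of the five previous days.
CONSTRUCTED_HISTORY = {
    "alice": [120_000, 135_000, 110_000, 128_000, 125_000],
    "bob":   [80_000, 95_000, 85_000, 90_000, 88_000],
}

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<app>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")
ACCEPTED = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>[\d.]+)")
PROXY = re.compile(r"user=(?P<user>\S+) out_bytes=(?P<bytes>\d+)")

def parse(line):
    """Parse one syslog line into a dict, or None for unparseable lines."""
    m = SYSLOG.match(line)
    return m.groupdict() if m else None

def brute_force_then_success(events, threshold=5):
    """Correlation rule: `threshold` or more failed logins from one source
    address, later followed by an accepted login from that same address."""
    failures = Counter()
    alerts = []
    for ev in events:
        if ev["app"] != "sshd":
            continue
        m = FAILED.search(ev["msg"])
        if m:
            failures[m.group("src")] += 1
            continue
        m = ACCEPTED.search(ev["msg"])
        if m and failures[m.group("src")] >= threshold:
            alerts.append({"rule": "brute-force-then-success", "host": ev["host"],
                           "src": m.group("src"), "user": m.group("user"),
                           "failures": failures[m.group("src")]})
    return alerts

def bytes_per_user(events):
    """Aggregate today's outbound bytes per user from proxy events."""
    totals = Counter()
    for ev in events:
        if ev["app"] == "proxy":
            m = PROXY.search(ev["msg"])
            if m:
                totals[m.group("user")] += int(m.group("bytes"))
    return totals

def baseline_deviations(history, today, sigmas=3.0):
    """Behavioural rule: flag users whose volume today exceeds their own
    mean plus `sigmas` standard deviations. No fixed byte threshold is
    needed; each user is compared against their own baseline."""
    flagged = []
    for user, total in today.items():
        past = history.get(user, [])
        if len(past) < 2:
            continue  # not enough history to baseline this user yet
        limit = mean(past) + sigmas * pstdev(past)
        if total > limit:
            flagged.append({"rule": "volume-anomaly", "user": user,
                            "today": total, "limit": round(limit)})
    return flagged

def run_siem(log_text, history):
    """Ingest, then run both rules; returns the alert list."""
    events = [ev for ev in map(parse, log_text.splitlines()) if ev]
    return (brute_force_then_success(events)
            + baseline_deviations(history, bytes_per_user(events)))

if __name__ == "__main__":
    for alert in run_siem(CONSTRUCTED_LOG, CONSTRUCTED_HISTORY):
        print(alert)
```

On this input the correlation rule fires once (five failures then a success from 198.51.100.7; the two-failure source and the clean login from 192.0.2.10 stay quiet) and the baseline rule flags only bob, whose 2.4 MB is far outside his own history while alice's 130 kB sits inside hers. The point of the second rule is that it needed no hand-written threshold, which is what the "not based on rules alone" approach buys you; the trade-off is that it needs enough clean history per user before it can say anything.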
To find out more, contact us.
To find the best endpoint security tools, focus on these features
Finding the best endpoint security for your enterprise is a complex, ever-changing task. Learn what features tools offer now to protect endpoints touching the enterprise systems.
When McAfee was formed in 1987 to sell the first commercial antivirus package, it set a baseline approach that has persisted to this day: Have a list of character strings that are unique to particular viruses and then scan files (and those files in memory) for the strings. Generally, if the scanner found one of the strings (the virus’s signature), it had very probably found a virus.
As other vendors emerged, they battled over their effectiveness at various aspects of this passive scanning approach. They focused on compiling the biggest, most comprehensive database of virus and malware signatures. The best endpoint security software available simply scanned for “bad” signatures every time a file was downloaded or opened. Vendors would boast about having better research teams to catch more viruses.
A number of additional virus-hunting techniques were introduced over the years — heuristic scanning to deal with polymorphic viruses that purposefully avoided having consistently scannable signatures, allowing the software to run but cordoning off its requests to the operating system to watch for malicious behaviors, and the introduction of reputation-based ratings to score the likelihood that a given executable could be relied on to be safe. But the basic pattern held: A monolithic software package at the endpoint watched all the new files and called out known bad actors.
Recently, though, the enhancements have begun to overtake the core static scanning components of antivirus software. “Next-gen” endpoint security tools have emerged as a new product category with specific characteristics.
Real-time a defining trait of next-generation endpoint security
Signature files are static and threats are dynamic. At a certain point, it simply became impractical (if not impossible) to update signature files incessantly and instantaneously in an attempt to contend with zero-day threats. These are by definition threats that no virus collector has yet catalogued as of the moment they are launched.
So, if anything, “real-time” is the defining characteristic of the best endpoint security offerings in the next generation of tools. For many products, this means jettisoning the endpoint-resident signature file altogether and using different means to ferret out viruses and malware.
Analysis replaces signature matching
In next-gen tools, the best endpoint security offerings replace signature matching with analysis (in real-time, of course). Different products, naturally, will analyze different aspects and attributes to determine if a piece of code represents a threat to the endpoint.
Some of the analysis techniques have evolved from traditional endpoint products. For example, reputation analysis has been in use for a number of years. This technique generally involves searching a database containing lists of known “bad actor” IP addresses and websites that have been confirmed to be sources of malware.
For some traditional vendors, moving to next-gen tools means taking various techniques that they have developed over the years within their traditional product line and integrating to provide a more effective solution.
Many security products will evaluate multiple attributes of a piece of code. Each piece of information would be used to build a risk score that, ultimately, would help the tool determine whether the code should be blocked. One next-gen vendor claims to have developed over six million possible indicators of malware and uses that information to determine whether a given piece of code is malware.
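The progression the article traces, from scanning files for a unique byte string to weighing several attributes into a risk score, is small enough to show in one toy classifier. The code below is an added example for this page, not any vendor's engine: the signature, the reputation list, the heuristic strings, the score weights and the sample "files" are all constructed, and the entropy test stands in for the packer and polymorphism checks real products do far more carefully.

```python
"""Added example (not from the article or any vendor's product): a toy file
classifier that contrasts static signature matching with multi-attribute risk
scoring. Signature strings, the reputation list, the score weights and the
sample files are all constructed for the example."""
import math
import re
from collections import Counter

# Constructed signature database: detection name -> byte string unique to that sample.
SIGNATURES = {"Constructed.Dropper.A": b"DROP-ME-NOW-2017"}

# Constructed reputation list of hosts confirmed (in this example) to serve malware.
BAD_HOSTS = {"bad.example.net", "198.51.100.77"}

# Strings commonly weighted by heuristic engines; the weights are constructed.
SUSPICIOUS_STRINGS = {b"CreateRemoteThread": 10, b"WriteProcessMemory": 10, b"cmd.exe /c": 10}

HOST_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")

def signature_scan(data):
    """The 1987-style check: which known signatures occur in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def shannon_entropy(data):
    """Bits per byte; uniform random bytes score 8.0, English text around 4-5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def referenced_hosts(data):
    """Hostnames and IPv4 addresses embedded in the file's printable bytes."""
    return {m.group(0).decode("ascii") for m in HOST_RE.finditer(data.lower())}

def risk_score(data):
    """Combine several attributes into one score with reasons; a signature hit
    is decisive on its own, other indicators only add up."""
    score, reasons = 0, []
    hits = signature_scan(data)
    if hits:
        score += 100
        reasons.append("signature: " + ", ".join(hits))
    entropy = shannon_entropy(data)
    if entropy > 7.0:
        score += 40
        reasons.append(f"high entropy {entropy:.2f} (packed or encrypted content)")
    bad = referenced_hosts(data) & BAD_HOSTS
    if bad:
        score += 50
        reasons.append("references known-bad host: " + ", ".join(sorted(bad)))
    for needle, weight in SUSPICIOUS_STRINGS.items():
        if needle in data:
            score += weight
            reasons.append("suspicious string: " + needle.decode())
    return score, reasons

def verdict(data, block_at=50, review_at=30):
    """Map the score to an action; a single weak indicator is not enough to block."""
    score, reasons = risk_score(data)
    label = "block" if score >= block_at else "review" if score >= review_at else "allow"
    return label, score, reasons

# Constructed samples. None of these is real malware.
SAMPLE_KNOWN = b"MZ\x90\x00 ... DROP-ME-NOW-2017 ... end"
SAMPLE_VARIANT = b"MZ\x90\x00 ... build 2 fetches http://bad.example.net/stage via CreateRemoteThread"
SAMPLE_BENIGN = b"Quarterly report: revenue up 3%. Questions to finance@corp.example."
SAMPLE_PACKED = bytes(range(256)) * 16   # every byte value equally often: entropy 8.0

if __name__ == "__main__":
    for name, sample in [("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT),
                         ("benign", SAMPLE_BENIGN), ("packed", SAMPLE_PACKED)]:
        print(name, "signatures:", signature_scan(sample), "verdict:", verdict(sample))
```

The known sample is caught by the signature alone; the variant carries no known signature, which is exactly the gap the article describes, yet the reputation hit plus a heuristic string still push it over the block line. The packed blob scores on entropy only and is routed to review rather than blocked, since high entropy on its own also describes legitimate installers and encrypted archives; the benign document references a hostname but scores nothing because the host has no bad reputation.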
Isolation aids analysis
Another variation of analysis involves simply letting the suspect code run on your system, to analyze what it does. If it tries to do something bad, like erase files or make outbound network contact without authorization, then by definition it is malware and should be contained.
This approach, known generally as sandboxing, is not new. What is new is the implementation: One vendor leverages the high-performance virtualization features built into most PC hardware these days. That vendor creates a micro VM that can be termed a one-sample sandbox. The code is run, its behavior analyzed, a threat decision is made and the VM is discarded. Every sample gets its own fresh VM within which to run and be analyzed.
Even best endpoint security tools can’t do it all
In the realm of next-gen endpoint security, niche vendors are continually coming up with new takes on the issue. There are always new features being added. But it’s also important to understand what next-gen endpoint security is not. It is not a one-size-fits-all solution to your endpoint security woes. Nor is it a “me, too” list of vendors all doing the same thing. And, importantly, it is not necessarily meant to be a total replacement for traditional endpoint security. It is simply a means to obtain the best endpoint security possible, which is, in turn, a key element of an overall approach to keeping your systems secure.
Anti-malware is imperfect but still necessary. Here’s why
Doctors sometimes make mistakes that harm the patient. Police often fail to protect and serve. When that happens, people rightly demand the failures be analyzed and fixed. But no one ever calls for the elimination of all doctors and police.
Why then, do some call for the end of antivirus and anti-malware when failures happen? It’s a question that has vexed us for a long time.
Researchers uncover vulnerabilities in security products on a regular basis. A recent example is Trend Micro, which faced scrutiny in January after researchers reported some 223 vulnerabilities across 11 of the vendor’s products. Tavis Ormandy, a prolific and gifted Google Project Zero researcher who most recently discovered Cloudbleed, regularly targets security products, including those produced by Sophos and such vendors as Kaspersky and Symantec.
Along the way, someone either declares it the end of antivirus, anti-malware, and endpoint protection, or calls for its demise. Last year, during another disclosure of Trend Micro vulnerabilities, security experts even declared antivirus a threat to security.
Can we all do better? Absolutely. Like all technology created since the dawn of time, antivirus sometimes falls short of its mission. As an industry, we need to continue to find weaknesses and fix them as quickly as possible.
Does doing better mean we set aside antivirus and anti-malware, just as some believe vaccines should be shelved? Hardly.
To help frame the issue, I sat down with Sophos CTO Joe Levy.
Iatrogenesis happens, followed by schadenfreude
“In responding to the occasional question about the claims of harm from endpoint security products, it occurred to me how strikingly similar such a belief system is to the anti-vaxxer movement. Both mean well, but unfortunately have the potential to do more harm than those they indict. Nonetheless, those who point out problems with antivirus make valid points,” Levy said. “All software has flaws.”
Levy offers two other observations:
- This is a case of yelling ‘iatrogenesis’ (harm caused by the healer) in a crowded theater. It is particularly sensational because of the irony, and in many cases, a source of schadenfreude (pleasure derived from the misfortune of others).
- The attack surface of security software is often enlarged by the level of privilege needed to operate efficiently (i.e. in the kernel) and to do the kind of work that it needs to (file/network interception, process termination, system cleanup, etc.).
Just as patients sometimes develop complications after surgery, security technology sometimes fails, creating unintended harm for the user, Levy said. When that happens, detractors love to swoop in and bludgeon the offender.
Levy noted that when medical care goes wrong, we don’t see the masses calling for the end of doctors and hospitals. Similarly, sometimes police make mistakes and do harm in the line of duty. When that happens there’s public outrage, but no one calls for the end of police.
Like modern medicine and law enforcement, the security industry has a very high obligation to protect its users from harm. That means not only demonstrating effectiveness against attacks targeting operating systems and applications, but also against attacks targeting the security software itself.
But just as we still need hospitals and police officers, we still need those security tools, Levy said. While Microsoft continues to make great strides in the security of their operating systems and applications year over year, a look at the number of Microsoft vulnerabilities per year illustrates the continuing need for additional protections. Microsoft security holes between 2009 and 2016, as catalogued on the Common Vulnerabilities and Exposures (CVE) website, are as follows:
- 2009: 74
- 2010: 106
- 2011: 103
- 2012: 83
- 2013: 106
- 2014: 85
- 2015: 135
- 2016: 155
In five of the last eight years, Microsoft released more than 100 security bulletins in a 12-month period. The number of bulletins each year hasn’t fallen below 75 since 2009. Antivirus remains the first line of defense when attackers work to exploit vulnerabilities in either software or the software’s human operators.
“We take our obligation to protect very seriously, and we make continuous investments in the tools and programs to improve the security of our products, from our SDLC (secure development lifecycle), to static/dynamic/runtime security tools, to our bug bounty program, to name a few,” Levy said. “We are genuinely grateful to those security researchers who practice responsible disclosure. All of us in the security industry, whether software vendors or researchers, seek to make information systems more secure.”
He added: “We should all take a sort of Hippocratic Oath to do no harm, and that means both holding ourselves to a higher standard for building secure software, as well as putting end users before glory or sensationalism. Failure at either is a form of negligence, but calls for extermination are silly and irresponsible. The focus should not be on kicking the other when they’re down, but on making each other better.”
Threats Converge: IoT Meets Ransomware
March 6, 2017 – Dark Reading – Javvad Malik
Ransomware is already a problem. The Internet of Things has had a number of security issues. What happens when the two combine?
Ransomware had a breakout year in 2016, making headlines as it affected everything from hospitals to police stations. At the same time, attacks against Internet of Things (IoT) devices — home appliances, toys, cars, and more, all brimming with newly exploitable connectivity — have continued to proliferate.
Most information security professionals agree that ransomware and IoT hacks will continue to increase in frequency, but one less obvious development that could be on the horizon is a convergence of both of these attack methods. So, what could the implications of an IoT ransomware attack be?
To answer this question, we first need to consider the potential target of an IoT ransomware attack. Ransomware usually goes after computers and networks that house the mission-critical data necessary to maintain the day-to-day operations of a business. Such targeting ensures that once this data has been encrypted and rendered useless, the organization has adequate incentive to purchase the cryptocurrency (typically Bitcoin) being demanded by the hacker to release its data.
Luckily for us, many IoT devices don’t qualify as mission critical, as I doubt any parent is going to fork over a ransom to unlock their child’s Hello Barbie. But there are certain devices that perform critical functions and therefore could meet this criterion. As IoT becomes more widespread and increases in sophistication, the number of potentially lucrative targets will only increase. Unlike with traditional ransomware, attackers that hijack IoT devices can not only compromise the data collected through a device’s sensors, but could also render a critical device’s physical functions inaccessible — greatly increasing the chances that a victim will pay up.
One device that is currently ripe for exploitation is the connected thermostat. Products like Nest and Ecobee remotely monitor and regulate the temperatures of homes. If compromised by hackers, they could be used to blast the air conditioning during a blizzard or crank up the heat in the middle of a July heatwave. Although this may seem like an inconvenience rather than a catastrophe for a typical homeowner, when applied to business environments, the stakes are raised. For example, an attacker who gains control of the HVAC systems of a large building could theoretically increase an organization’s electricity bill to the point where paying a ransom becomes a practical and cost-effective alternative.
The same reasoning behind the thermostat example can be applied to a wide range of other IoT devices. It wouldn’t be difficult to imagine a hijacked smart lock taking on a mind of its own or a connected lightbulb refusing to illuminate. However, one can also imagine more disturbing scenarios arising from advanced IoT use cases, such as connected cars and smart cities. In such cases, a successful ransomware attack could extend well beyond a minor inconvenience, exposing affected victims to potentially dangerous or even life-threatening consequences.
However, IoT isn’t a lost cause altogether. As with any emerging technology, IoT device vendors need to work out the security bugs in their products, and they’re already beginning to do so. For every snooping Barbie discovered and connected car hacked, the industry moves one step closer to achieving the level of security that enterprise customers need. Similar to how the Target breach was a wake-up call for retailers, the IoT industry will inevitably be hit with an attack of a similar scope, whose repercussions will in turn serve as a major catalyst for industry-wide change.
Until we see this change, though, IT teams tasked with deploying connected devices must become more aware of the issues around IoT security and keep these in mind when deciding which devices to buy and deploy in their organizations. If your business can survive the next couple of years without going all in on IoT, it might be worth postponing purchases until the technology, especially the security, of these devices has evolved.
But if you absolutely can’t wait, there are several considerations that are critical when purchasing a new device. These include:
- Assess how easy it is to change default credentials. Many IoT-enabled devices, such as the Internet-enabled cameras that made up the Mirai botnet, are insecure because their owners never think to change the password. You wouldn’t do that with your new laptop, would you?
- Disable any insecure protocols. Not all devices are created equally, and device makers that fail to invest in secure protocols must be avoided. Right now, there is a lack of standards for what makes an IoT device secure, so it’s up to buyers to assess what makes the device tick. For example, many vulnerable webcams were reported in 2016 because their Real Time Streaming Protocol (RTSP) service enabled video sharing but didn’t require a password for authentication.
- Evaluate the recovery process. Many devices can have factory settings reset with one click, while others may require manufacturer involvement. Worse yet, in some cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It’s up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should one of them be compromised.
Whether you end up making the plunge into IoT or waiting until the kinks are worked out, the threats posed by Internet-connected devices are real. That being said, IoT is here to stay, so it’s up to us to ensure it isn’t allowed to compromise the security of our future.