[metaslider id=2951] … Read More
The two most important ways to defend against security threats
By Roger A. Grimes – CSO – February 7, 2018
Patching and security training programs will thwart attacks more effectively than anything else. You’re already doing them. Here’s how to do them better.
An average of 5,000 to 7,000 new computer security threats are announced each year. That’s as many as 19 every day. The rate at which new threats appear make it difficult to decide which ones require your attention. It might surprise you that, while your competitors waste money on high-tech, expensive, and sometimes exotic defenses, you can get far more value by concentrating on just two things you already do. You can spend less money and nothing you do otherwise will provide a better defense.
The two things you need to do better are not a secret. You already know you need to do them. You know from your own experience that what I’m saying is true. The data in favor of doing them is overwhelming. Still, most companies don’t do them well enough.
Change your security focus
Most computer security defenders focus on the wrong things. They focus on specific threats and what they did after hackers broke in, not how they broke in. There may be hundreds of thousands of unique software vulnerabilities and hundreds of millions of unique malware families, but they all share about a dozen different ways that they initially exploited an environment, including:
- Unpatched software
- Social engineering
- Password attacks
- Physical attacks
- User errors
- Denial of service
Focusing on and reducing these root exploitation causes will help you significantly defeat hackers and malware.
If you want to minimize computer security risk the fastest, identify the biggest root exploitation causes in your company that allow threats to do the most damage to your environment. Stop the biggest root cause and you stop every threat that uses that root cause.
So, what are the biggest root exploitation causes in most environments? Unpatched software and social engineering.
Without a doubt, these two root causes are responsible for the most successful and damaging attacks in most companies and have been for decades. One of these root exploitation methods has likely been behind any big attack that has made news in the mainstream media. In my experience, when a company of any size or even the military suffers a big attack, it’s can be traced to one of those two root causes.
Your company’s experience may vary, and if it does, you can ignore this article. The biggest problems for the majority of readers are unpatched software and social engineering. If they fix those two things, it will do more to decrease security risk than all the other things they could do combined.
SnoopWall Named one of the 10 Fastest Growing Security Companies for 2017
Silicon Review Recognizes SnoopWall as Rapidly Growing Breach Prevention Company
NASHUA, N.H., June 5, 2017 /PRNewswire/ — SnoopWall, Inc. (www.snoopwall.com), the world’s first breach prevention company, on the heels of being named as the Top Ranked Security company, three years in a row, by the CyberSecurity 500, has been named one of the 10 Fastest Growing Security Companies for 2017, by the prestigious Silicon Valley publication, The Silicon Review.
“We’re active throughout the globe in more than 32 countries, helping small to medium size enterprises (SME’s) defend against breaches in the most cost-effective way, through our trusted channel partners. It’s truly an exciting growth phase for SnoopWall,” said Mark Bermingham, Global Vice President of Worldwide Channels.
Online related article: http://thesiliconreview.com/magazines/securing-valuable-confidential-information-and-checking-on-cyber-threats-for-organizations-through-its-award-winning-patented-appliances-snoopwall/
“This award is given to a select group of tech companies each year based upon customer adoption and growth metrics. We’re pleased to include SnoopWall, a fast-growing breach prevention security company,” said Editorial Team of The Silicon Review.
“After keeping the pace of 300% growth rate, year over year, we’re thrilled to be named one of the 10 Fastest Growing Security Companies for 2017,” said Gary S. Miliefsky, CEO of SnoopWall, Inc. Miliefsky was also recently named to the Owler Top 100 High Tech CEOs of 2017 of more than 2,200 surveyed.
Have a question about SnoopWall – give us a call
‘Insider Sabotage’ among Top 3 Threats CISOs Can’t yet Handle
These five steps can help your organizations limit the risks from disgruntled employees and user errors.
Although insider sabotage is among the top three security threats companies face, 35% of chief information security officers in the US still lack the best practices to handle it properly, according to a Bitdefender study.
Insider sabotage – whether by a former employee who still has network access and is bent on sabotage or a careless staff member who clicks on phishing links when using company devices, or even a contractor or associate – can be particularly devastating because it’s usually not detected until the damage is done.
As the bring-your-own-device (BYOD) to work trend becomes even more widespread, CISOs should conduct regular security trainings to make current employees vigilant toward cyber hacks and schemes. Did they receive a suspicious email? Then they shouldn’t click on any URL or download attachments. Because hackers can expertly impersonate company email addresses and templates, employees need to be trained about address typos that could signal a scam.
Increasing cloud adoption raises other concerns about cloud security for a growing number of companies that have lost proprietary data across a longer timeframe by disgruntled former or current employees, who should have to think twice about acting out against their employers.
If caught, those who deliberately harm a business may be in for some tedious prison time. A sysadmin from Baton Rouge, for example, was sentenced to 34 months in federal prison for causing substantial damage to his former employer, a Georgia-Pacific paper mill, by remotely accessing its computer systems and messing with commands. Obviously, access from all systems and networks associated with the company should have been revoked when the man was fired.
“To limit the risks of insider sabotage and user error, companies must establish strong policies and protocols, and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” recommends Bogdan Botezatu, senior e-threat specialist at Bitdefender. “The IT department must create policies for proper use of the equipment, and ensure they are implemented.”
Here are five steps CISOs can take to avoid insider sabotage:
- Enforce a strict information security policy, and run regular training sessions with employees to prevent malware infection of company networks.
- Immediately revoke all access and suspend certificates for former employees to prevent them from leaving the company with backups and confidential data, or from making administrative changes before leaving the company.
- Keep a close eye on internal systems and processes, and set up notifications for any changes that should occur.
- Implement role-based access control to restrict access to unauthorized employees.
- Never rely solely on usernames and passwords to safeguard confidential company data. Instead, implement multiple authentication methods such as two-factor, two-person or even biometric authentication.
4 Reasons Why You Should Take Ransomware Seriously
From Dark Reading – Dan Larson
The threats keep getting more sophisticated and the stakes keep getting higher. Is your organization ready to meet the challenge?
According to a recent ransomware report from the Institute for Critical Infrastructure Technology (ICIT), 2016 saw a wave of ransomware attacks that were increasingly sophisticated and stealthy. The FBI forecast that the haul from ransomware would reach a billion dollars last year, and it seems as if no industry is safe from being targeted. As ICIT reports, even critical infrastructure entities such as healthcare organizations have become prime targets, with hospitals in the US and Germany paying ransoms rather than risk their patients’ lives.
Why is this alarming increase occurring? ICIT argues that it’s due to the highly profitable nature of ransomware attacks coupled with inadequate enterprise defenses. Combined, these two factors are attracting a more advanced breed of cybercriminal who is motivated by the potential of a bigger payout, faster and more anonymous – and thus less risky – than the advanced persistent threat exploits often used to steal credit card numbers and other sensitive data.
Compounding these challenges is the fact that law enforcement agencies have not provided a unified response to the ransomware threat, in some cases advising victim organizations to pay the ransom to retrieve their data. At the same time, criminal hackers have developed ways to circumvent standard security measures such as sandboxing and intrusion prevention systems.
If that’s not enough to convince you, here are four more reasons to take ransomware seriously:
- Standard security solutions may not protect you. Ransomware’s ability to quickly change and mutate utilizing polymorphic or fileless malware has exponentially increased opportunities for ransomware to find its way into your organization. Conventional endpoint protection that relies on signature-based detection isn’t up to the task of finding ransomware before it strikes. Adding solutions such as whitelisting, the ability to detect indicators of compromise, or machine learning can increase your protection, but in some cases will be unable to prevent an attack. And unlike malware infections that slowly exfiltrate your data so that postinfection detection may minimize loss, in the case of ransomware, prevention is often your only recourse. Once ransomware enters undetected, your data is immediately encrypted and inaccessible, or your systems are locked down.
- Compliance may be at stake. Most organizations retain sensitive data that is subject to regulatory legislation mandating its protection. When a breach happens and data is exposed, the victim organization must inform its customers and partners, and can incur substantial fines if regulations are affected. Ransomware attacks may not result in protected data being stolen, but organizations are still responsible for alerting all their constituents if an attack occurs. This can cause significant damage to an organization’s brand. As Dark Reading reports, the Federal Trade Commission (FTC) has come down hard on companies that fail to protect their customers’ data. FTC Chairperson Edith Ramirez recently suggested that a company’s failure to take action to prevent a ransomware attack could result in enforcement action – even if the company hasn’t been the victim of an attack.
- Data recovery can be complex and costly. The cost and complexity of recovering files after a ransomware attack are why many companies, particularly smaller organizations, choose to pay the ransom. Granted, most disaster recovery services ensure that there’s a robust backup and recovery plan in place, to tackle these kind of cases. But, even with a comprehensive backup system, in today’s widely distributed organizations, files can be located across hundreds of devices. Though the attack may begin on one laptop, the ransomware could have access to other systems connected to the laptop, resulting in a costly drain on IT resources as they struggle to map and contain the damage. Even worse, if you’re the victim of a new ransomware variant that’s able to delete your backup files, recovery won’t be an option.
The Best Defense Against Ransomware
To combat the escalating level of ransomware sophistication, organizations need a multifaceted approach with complementary prevention and detection methods. One important method is to focus on indicators of attack (IoAs), a form of behavior-based detection that looks at the underlying actions taken by the threat rather than trying to pattern-match a new file to a signature. An IoA can prevent multiple variants and versions of ransomware families, including new ones not detectable by known signatures or features. Coupled with endpoint detection and response, machine learning, and proactive threat hunting by security experts, organizations can ensure that they have the prevention capabilities in place to alert teams of ransomware attempts before encryption can be initiated.
Call centre agents warned about malicious email attachments from potential customers
by Howard Solomon – IT World Canada
Contact centre agents should be warned about allowing alleged customers sending them email with attachments after a security vendor discovered a new wave of attacks against three customers including North American hospitality companies, attacks similar to ones from the Eastern European based Carbanak crime group
In a blog posted Monday, Trustwave said it came to that conclusion after investigating incidents.
In one instance an attacker called a customer contact line saying that they were unable to use the online reservation system so wanted to send their information to the agent by email attachment, said the report. The attachment was a malicious Word document that contained an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware. The malware replaced text in a Word document with that of its own, which to the agent looks like a request for information from the hotel for a corporate function.
The malicious VB Script will use macros to search for instances of Microsoft Word running on the system, if found, it will clear the existing text and replace it. “This malware was capable of stealing significant system and network information,” says Trustwave. “It was also used to download several other reconnaissance tools to map out the network.” Downloaded tools have included Nmap, FreeRDP, NCat, NPing, and others.
Beaconing messages are sent out to 18.104.22.168 via standard HTTP GET requests every five minutes, said Trustwave, to let a command and control server know a system has been compromised. “Using this simple methodology allows the beaconing to hide very well within standard corporate network traffic.” However, the report adds, its uniformity of structure also allows analysts to identify it relatively quickly as well.
If not stopped, however, the process downloads malware that executes a new iteration of svchost.exe and injects its malicious code into this running process. This hides the malware within the svchost.exe process. It then searches Kaspersky antivirus processes and terminates them if running on the victim system.
It then downloads kldconfig.exe, kldconfig.plug, and runmem.wi.exe, which Trustwave says are all well-known Carbanak malware tools. Variations of them were used in the banking intrusions in 2015. Additionally, the decrypted code references “anunak_config” which is the encrypted configuration file that it downloads from its control server. The Anunak crime group is generally believed to be synonymous with Carbanak.
“This malware is very multi-functional as it can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems (which Carbanak used so effectively in recent banking attacks), or install completely different remote desktop programs, such as VNC or AMMYY … Finally, this malware, like so many others, is designed to target credit card data by scraping memory on Point-of-Sale systems., which is presumably the end goal.”
In short, “the attacker uses social engineering to gain their foothold in the victim network, downloads reconnaissance tools to scan the network and move laterally into the card holder data environment, and then infects systems able to process card transactions.”
“The persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave.” says author Brian Hussey, the company’s director of global incident readiness and response. “The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.”
Have a question on how to protect yourself – give us a call 866-431-8972.