STE WILLIAMS

An Ill ‘Wynd’ Blowing But No Safe Harbor

What will state-of-the-art for cybersecurity look like in 2016? The regulatory headwinds on both sides of the Atlantic portend big changes.

One of the biggest regulatory issues facing U.S. businesses in 2016 is the impact of the European Court of Justice’s invalidation of Safe Harbor—the legal provision under which the cross-border transfer of personal data from the EU to the U.S. was deemed compliant with European privacy law.

The loss of Safe Harbor is a major headache for companies that do business overseas requiring the movement of data to and from the U.S. and Europe. It’s worth noting that such transfers can still take place while a new framework is being negotiated (assuming one is); however, individual companies must make provisions through a Model Contract clause or Binding Corporate Rules with each country’s data protection authority, or figure out workarounds that keep data from crossing international borders. 

While the loss of Safe Harbor raised a number of questions regarding the best approach for businesses in the interim, this new change will mean more work for international privacy and compliance lawyers.

At the same time that all eyes are on Safe Harbor, there is another significant regulatory concern that U.S. companies may be overlooking, and one with more ominous implications—fallout from the Federal Trade Commission’s win in its case against Wyndham Worldwide Corporation, the hotel and resort management company.

By ruling in favor of the FTC, which sued Wyndham under its regulatory authority for conducting unfair and deceptive business practices, the courts set a precedent that gives greater enforcement power to the FTC in cases where consumers’ personally identifiable information (PII) is compromised. The FTC’s action came after a series of data breaches that the commission argued affected Wyndham as a result of the company’s failure to provide proper protection and management of sensitive customer data. 

The court’s decision gives the FTC greater authority to punish companies that it finds are negligent in their responsibility to properly secure data. That means, despite what does or does not happen with pending data privacy or cybersecurity legislation at the state or federal level, we are likely to start seeing more action from the FTC against companies that the commission believes have not made sufficient investments in systems, policies, and processes for securing data. 

Most observers believe that the Wyndham decision will result in an emboldened FTC taking a more activist posture with regard to cybersecurity. If that’s the case—and it would be surprising if it didn’t happen—enterprises would be wise to try to get ahead of the curve where it comes to state-of-the-art data protection, including technology investments and governance policies. 

What does state-of-the-art for cybersecurity look like? What we know is that it looks different today than it did yesterday, and it will look different tomorrow. State-of-the-art means an ever-evolving program that is founded on the principles of the PPT model: People, Process and Technologies. PPT involves constant review and update of best practices weighed against changes to regulatory compliance. A good example of this model would be the programs established under the requirements of Massachusetts’ data protection law 201 CMR 17, which went beyond the California model of notification after a data breach to establish a baseline for protecting that data in order to mitigate the chance of a data breach in the first place.

Thomas Jefferson said, “Eternal vigilance is the price of liberty.” Thanks to the decision in FTC vs. Wyndham, eternal vigilance is now the price of cybersecurity.

James Bindseil is President and Chief Executive Officer of Globalscape, a leading developer of secure information exchange solutions. He has more than 20 years of experience in the technology industry, including senior leadership roles at Fujitsu, Symantec, and Axent …

Article source: http://www.darkreading.com/attacks-breaches/an-ill-wynd-blowing-but-no-safe-harbor/a/d-id/1323575?_mc=RSS_DR_EDT

When RATs Become a Social Engineer’s Best Friend

Hacking humans in the banking industry through rogue help desks is becoming a significant problem.

Jane, the senior fraud analyst in a top-tier bank, was looking at the latest series of reported online banking fraud cases and shook her head. This can’t be right, she decided. The fraudulent money transfer was coming from the victim’s device, which normally indicates some sort of Trojan-induced Man-in-the-Browser (MITB) attack designed to defeat device recognition and geo-location analysis. But these MITB attacks are normally picked up by the state-of-the-art malware detection service used by the bank.

She looked at the list of alerts and double-checked. There was nothing there. Was it some sort of new Trojan that went undetected by the system? If so, the Trojan operators must have known they have safe passage; they spent a long time in the account, and the money transfer they made was enormous. It’s as if they knew it wouldn’t be detected by any of the existing lines of defense. 

They were right about that, Jane thought, and picked up the phone to call the Internet user who reported the fraud. The story she heard made her realize she was facing something totally new… 

Remote Administration Tools, or RATs, started as completely harmless remote support tools, the kind that a help desk would use to support users whose PC needed attention. In fact, every major operating system, including mobile ones, has remote access protocols embedded at the OS level. But while RATs are a relatively new entrant in the growing arsenal of tools available to online banking fraudsters, state-sponsored hackers have been using them for a long time. Since 2009, wave after wave of Advanced Persistent Threat (APT) campaigns used spear phishing to install RATs on employee machines in thousands of corporations worldwide. These attacks create invisible tunnels that allow an outsider to completely control a victim’s device from anywhere.

RAT capabilities based on VNC back-connect later appeared as a new feature in advanced banking Trojans such as Citadel, as well as a horde of next-generation Zeus clones. The fraudsters learned from government hackers that RATs are an extremely powerful weapon, allowing attackers not only to harvest information or run automated scripts in browsers, but to actually gain full remote control of a device and access a victim’s bank account from the victim’s own machine.

Today, RATs are a popular tool commonly used by cybercriminals. Dyre is currently the most widespread Trojan that uses a RAT; Dridex, whose operation was recently disrupted by law enforcement, was also making heavy use of a RAT capability. Other Trojans include Neverquest, Shifu and many Zeus clones that feature VNC functionality with back-connect. Recently, there has been a spinoff of these RAT attacks: Social RATs.

In this rapidly growing social engineering attack, the victim gets a phone call from someone claiming to be from their bank, internet provider, or other trusted third party. The fraudster then gets the victim to download a commercially available remote administration tool, such as TeamViewer, in order to help fix the “problem”. 

Providing a rogue help desk with remote access rights into your PC is not something most readers of this article would do, but good social engineering is, at times, extremely convincing and effective. The banking industry is particularly vulnerable due to its lack of effective fraud detection for remote access attacks.

After the RAT is installed?

While on the phone, attackers instruct victims to go through “security checks” to verify the safety of their accounts by logging into their bank accounts. Even after victims believe themselves to be logged out, an attacker can linger undetected. Part of the reason banks are experiencing a growing number of socially engineered attacks is because they are cheap to execute and offer a huge payoff to attackers; with limited technological training, attackers can send a quick email, or briefly chat over the phone, and access someone’s entire life savings.

A similar problem exists in corporate banking. From a regulatory perspective, there are no requirements for a bank to make a business customer whole if it lost money due to fraud. However, publicity surrounding large fraud cases has made many banks realize that while they do not have the obligation to do so, making customers confident in their online banking usage is in their best interest.

Social RAT attacks stretch this dilemma even further: first, they involve higher-than-usual monetary losses, and second, falling victim to a ploy in which you end up granting someone remote control over your device is viewed by many banks as crossing the line from naiveté to gross negligence. This spells trouble for business banking, as it could set a dangerous precedent where trust between banks and their customers erodes quickly.

Two factors contribute to the success of rogue help desk RAT campaigns. First, users are familiar with the concept of help desks that ask permission to take over their device. So, given the right social engineering, they’ll be susceptible to manipulation. The second issue: existing security controls do not detect RATs. 

To help close the gaps, banks can protect themselves by educating customers about social engineering threats. Users should be encouraged to refuse unsolicited help and to contact their banks or other financial institutions if they receive suspicious emails, text messages or phone calls. Moreover, customers should be made aware of ways they can verify conversations with customer service representatives.

Uri Rivner, Co-Founder and Head of Cyber Strategy at BioCatch, is recognized globally as an industry expert on cybercrime and advanced threats. He is a regular speaker at the leading security and cyber conferences, and writes a cyber-security blog read by thousands of …

Article source: http://www.darkreading.com/attacks-breaches/when-rats-become-a-social-engineers-best-friend/a/d-id/1323576?_mc=RSS_DR_EDT

Security Tech: It’s Not What You Buy, It’s How You Deploy

Good information security depends on a holistic strategy, not on an elite lineup of discretely moving parts.

It’s a great time to be selling security software, but a much harder time to be a CISO. Enterprise security spending has exploded in the race to protect against increasingly advanced and complex cyber threats. Much of that money is spent on modern information security tools – advanced threat detection, sandboxes, intrusion prevention systems, threat intelligence feeds, and more. The spending is growing at such a rate that Gartner predicts we will eclipse the $100 billion mark by 2018, with other industry analysts suggesting $170 billion in annual spending by 2020.

Unfortunately, buying more security software does not equal “more security.” It is not simply a matter of turning on the latest technology and walking away, problem solved. Instead, the larger challenge for security practitioners is not in what to purchase, it’s how to deploy security tools. So much emphasis has been put on product, emerging technologies, and the elusive promise of big data analytics, that there is little discussion about how to architect a secure network.

There are many different ways for deployments to fail—some are conceptual while others are matters of execution. Many organizations look at security tools and initiatives as one-off solutions, without considering the ramification of how they intersect with other initiatives, or whether or not they make sense as part of the larger security architecture. Especially in layered security models, projects that aren’t clearly defined from the outset can fall flat once they are deployed.

For example, let’s consider an organization that is deploying a multi-factor authentication program alongside a network segmentation project. And, for the sake of discussion, the deployment team decides to finish the multi-factor authentication project first. Once it is installed and working, the team pivots to the network segmentation project, but neglects to account for the location of the multi-factor authentication machine and blocks its access to the network. Now they can’t log in and fix it, because they are blocked. It sounds silly, but this happens.

Another critical issue organizations must address when deploying new security tools and initiatives is ensuring fast access to data while maintaining optimal performance of the various security applications on the network. A common approach to security today is to keep tools separate, with each tool competing for data and bandwidth on the network and lacking visibility into the security workflow as a whole. To ensure maximum performance – and return on investment – network and data center architectures must be designed in a way that supplies consistent access to relevant data and traffic for security tools, while at the same time avoiding sapping network bandwidth and facilitating security workflows.

With that in mind, here are four steps security leaders can take to improve their information security deployments.

  1. Have a 360-degree strategy. It can’t be overstated how critical it is to have a conceptual view of your security deployment. Without a single, overarching guide that everyone in the organization can draw from, different project teams are bound to step on each other’s toes.
  2. Clearly define your initiatives. Given the urgency created by the data breach epidemic, many security initiatives are happening in tandem. But security systems are not all discrete; there are interdependencies that need to be accounted for. By ensuring initiatives, metrics and goals are clearly defined at the start, problems will be avoided later.
  3. Recognize how tools interact. In the same way that we don’t want project teams getting tangled up, we need to understand how different security tools interact, how they get their data, and how they perform on the network. The overall workflow orchestration should be considered.
  4. Consider what each addition adds to the whole. There has been a rush to buy the “next-generation” of a security technology to fight off the rising tide of malware. But good information security depends on a holistic strategy, not on an elite lineup of discretely moving parts. Every addition to the security architecture should be considered from the standpoint of what it adds to overall security.

It’s understandable that security practitioners want to move fast; they are surely feeling the pressure from all sides on the data breach issue. But complex problems do not often have simple solutions, and in this case that is especially true. When leaders arm security teams with clear ideas of what needs to be done, well-defined plans, and a more deployment-focused thought process, projects can thrive – and that is what will lead to better overall security.

Simon Gibson is a Fellow Security Architect at Gigamon. He provides direction and roadmaps for the product that secures applications that secure the Internet. Simon has been working on Internet infrastructure for nearly 20 years, from small ISPs to developing streaming …

Article source: http://www.darkreading.com/vulnerabilities---threats/security-tech-its-not-what-you-buy-its-how-you-deploy/a/d-id/1323599?_mc=RSS_DR_EDT

The Industrial Cyber Myth: It’s No Fantasy

As threats become more sophisticated, the industry is still playing catch-up.

New cyber threats materialize every day, getting more frequent and more sophisticated. We all know about the game-changing Stuxnet cyberattack on Iran’s nuclear facilities back in 2010, but there’s no need to look that far back. A much shorter look back to 2014 will show us far worse: increasingly sophisticated attacks such as Flame, Shamoon and Havex that are as worrisome as “the Big S.”

Let’s face it: malware today is quality stuff, polymorphic and highly intelligent. 

Unfortunately, targeted attacks on critical infrastructure rarely make it to the news, and so they are shrouded in mystery to the point where some may even call them mythic. 

There have been incidents, however — major ones. Within just the past year we’ve seen multiple cyber espionage campaigns, including Dragonfly and Black Energy. We’ve seen physical damage occur as the result of a cyber incident, in the case of a German steel mill, widely reported in Wired and other media early this year, where “massive” damage resulted from a cyberattack that prevented the proper shutdown of a blast furnace, according to a German report.

The “advanced threat” continues to evolve. Newer malware has even been able to successfully breach a leading cyber security research lab. Duqu 2.0, which was discovered earlier this summer by Kaspersky Lab, has taken the title and is now being lauded as “the most sophisticated malware ever seen.” The cyber-espionage tool was authored by the same team responsible for the original Duqu, which in turn is believed to be a variant of that original Iranian-enrichment-debilitating media darling that threatened industrial control environments back in 2010.

We’ve seen three targeted espionage campaigns against industrial environments that I know of; undoubtedly there are more. Why is espionage so scary? Because espionage is used to gather the intelligence that is needed to engineer targeted attacks.

This year at the 2015 Black Hat USA conference, we heard about how to cause physical damage through cyber means from some of the best. Jason Larsen of IOActive demonstrated how compromising a process control system is only the start of the work: it’s the physics of the process that can translate cyber manipulation into physical damage. To engineer a cyber-physical attack, you need a lot of information about the control system itself: the assets, parameters and measurements.

Getting back to Dragonfly, it seemed harmless enough: it only scanned the control system, collecting data about the process including assets and parameters.

Even more disturbing, as cybercrime advisor Raj Samani pointed out at a Honeywell User Group Conference in San Antonio, while information stolen in most espionage campaigns surfaces on the black market, the information stolen by Dragonfly doesn’t seem to have surfaced yet. There’s no way to predict what it’s being used for, if anything. But those who’ve worked in security for a while can’t help but speculate: if understanding the details of a compromised control system is the first step in a difficult attack process, a targeted attack seems the inevitable end result.

The threats are getting more sophisticated as attackers continue to attempt to manipulate compromised industrial control systems in order to cause physical damage. Meanwhile, the industry is just playing catch-up.

If we continue to treat the industrial cyber threat as a thing of myth and legend, it will only make the problem more real.

Eric D. Knapp is Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions. Eric is a recognized expert in industrial control systems cyber security. He is the author of “Industrial Network Security: Securing Critical Infrastructure Networks …

Article source: http://www.darkreading.com/vulnerabilities---threats/the-industrial-cyber-myth-its-no-fantasy/a/d-id/1323600?_mc=RSS_DR_EDT

Gaming souk Steam spews credit card, personal info in Xmas Day security meltdown

Updated: Video game marketplace Steam is leaking people’s personal information – including their payment details and billing addresses – to strangers.

Gamers browsing the online store have found themselves logged into other people’s accounts, revealing strangers’ profile settings and other sensitive details, such as addresses, PayPal account information and partial bank card numbers.

The support forums and other boards are chockablock with complaints as players pile into Steam for the holidays.

Screenshots of the security cockup are appearing on Twitter:

Given this started happening in the past few minutes on Christmas Day, surely Half-Life developer Valve – Steam’s overlord – didn’t deploy a change over the festival weekend?

We’ll update this story as more details come in. If you can access your own account, removing your payment settings would be a good idea. Perhaps the leak is being caused by a web caching screwup, or bungled handling of cookies – if you have any ideas, drop us a postcard, please.

A spokesperson for Steam was not available for immediate contact. ®

Updated to add on December 26

Steam is back up and running again after shutting down temporarily to fix its privacy snafu. The Register understands the cockup was triggered by a configuration tweak on December 25th – a super busy time of the year – that backfired and led to profile page caching issues.
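The update above attributes the leak to a configuration change that caused profile page caching issues. As an added example (not code from Valve, Steam or The Register), the Python lint below checks whether a per-user response carries the cache headers that stop a shared HTTP cache from handing one visitor's profile or billing page to the next; the header sets are constructed to show a leaking configuration beside a corrected one, and the assumption that a shared cache was the mechanism is ours, taken only from the article's wording.

```python
"""
Lint HTTP response headers for the failure mode a cache-everything tweak
can produce: a per-user (session-dependent) page stored in a shared cache
and served to a different visitor.

Added example, not Steam's or The Register's code. The mechanism (a shared
cache keyed on URL only) is an assumption drawn from the article's wording;
the sample responses are constructed, not captured from any real site.
"""
from typing import Dict, List, Set, Tuple


def _directives(cache_control: str) -> Set[str]:
    """Split a Cache-Control value into lowercase directive names (no values)."""
    return {part.strip().split("=", 1)[0].lower()
            for part in cache_control.split(",") if part.strip()}


def cache_safety_issues(headers: Dict[str, str], is_per_user: bool) -> List[str]:
    """Return findings for one response.

    headers      response headers; key lookup is case-insensitive
    is_per_user  True when the body depends on the requester's session
                 (account, profile, checkout pages); False for static assets
    """
    if not is_per_user:
        return []  # identical-for-everyone content may be shared freely

    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    issues: List[str] = []

    # Without private or no-store, an intermediary is allowed to keep the body.
    shared_cacheable = "private" not in cc and "no-store" not in cc
    if shared_cacheable:
        issues.append("per-user response lacks Cache-Control: private or no-store")
        # The cookie selects the user; a cache keyed on URL alone mixes users.
        if "cookie" not in vary and "*" not in vary:
            issues.append("response not varied on Cookie; shared cache keys on URL only")
        if "set-cookie" in h:
            issues.append("Set-Cookie on a cacheable response could replay a session")
    if "public" in cc:
        issues.append("per-user response explicitly marked Cache-Control: public")
    if "s-maxage" in cc:
        issues.append("s-maxage lets shared caches reuse a per-user response")
    return issues


# Constructed samples: a leaking profile response, its corrected form, and a
# static asset that is legitimately public.
SAMPLE_RESPONSES: Dict[str, Tuple[Dict[str, str], bool]] = {
    "/profile/me (before)": ({
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=300",          # the backfiring tweak
        "Set-Cookie": "sessionid=EXAMPLE; Path=/; HttpOnly",
    }, True),
    "/profile/me (after)": ({
        "Content-Type": "text/html",
        "Cache-Control": "private, no-store",
        "Vary": "Cookie",
    }, True),
    "/static/app.css": ({
        "Content-Type": "text/css",
        "Cache-Control": "public, max-age=86400",
    }, False),
}


def audit(responses: Dict[str, Tuple[Dict[str, str], bool]]) -> Dict[str, List[str]]:
    """Run the lint over a map of path -> (headers, is_per_user)."""
    return {path: cache_safety_issues(hdrs, per_user)
            for path, (hdrs, per_user) in responses.items()}


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RESPONSES).items():
        print(path, "->", findings or "ok")
```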


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/25/steam_snafu/


EU privacy watchdog calls for new controls on surveillance tech export

EU controls on the export of technologies that can be used for communications surveillance and interception should be enhanced, the European Data Protection Supervisor (EDPS) has said.

EDPS Giovanni Buttarelli highlighted the risks of surveillance and interception technologies being misused (16-page / 1.12MB PDF) in a recently published opinion. He said there is a “tension between the positive use of ICT tools and the negative impact that the misuse of technology can have on human rights, and especially on the protection of personal data and privacy”.

Buttarelli said the tension had to be addressed in national and EU policies as well as “by all actors involved in the ICT sector (developers, service providers, sellers, brokers, distributors, and users)”. He specifically called for existing controls on the export of surveillance and interception technologies to third countries to be stiffened.

“Under [the EU’s ‘dual-use’] Regulation, the export of harmful technologies to third countries can be controlled,” Buttarelli said in his opinion. “However, the EU dual use regime fails to fully address the issue of export of all ICT technologies to a country where all appropriate safeguards regarding the use of this technology are not provided. Therefore, the current revision of the ‘dual-use’ regulation should be seen as an opportunity to limit the export of potentially harmful devices, services and information to third countries presenting a risk for human rights.”

“In the context of dual-use, standards should be developed in order to assess how the ICT or the information at stake might be used and the potential impact on fundamental rights in the EU. An analysis of the situation in the third country regarding the actual protection of human rights or the respect of people’s freedoms should be performed in order to evaluate whether an export authorisation should be delivered and under which conditions. In addition, an assessment of the context within which technologies are used is essential to evaluate their impact on human rights,” he said.

Copyright © 2015, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/25/eu_privacy_watchdog_calls_for_new_controls_on_the_export_of_surveillance_and_interception_technologies/

Livestream alerts customers to possible hack

Broadcasting service Livestream has admitted it may have been hacked, informing customers that an “unauthorized person may have accessed our customer account database.”

Livestream is a video live streaming service that allows customers to broadcast content via the internet. It boasts of having more than 10,000 active customers.

In an email to customers, it said: “While we are still investigating the full scope of the incident, it is possible that some of your account information may have been accessed.

“This may include name, email address, an encrypted version of your password, and if you provided it to us, date of birth and/or phone number.”

The company said it does not store credit card or other payment information. “We have no indication that the encrypted passwords have been decoded, but in an abundance of caution, we are requiring all users to reset their passwords,” it said.

The Register has contacted Livestream for further details. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/24/livestream_fesses_up_to_hack/

Advent tip #24: The Big One!

It's the night before Christmas, and all through the net,
  Lots of packets are stirring, their routing all set.
The access points hang by the chimney with care
  With hope that no hackers will ever be there.

The children are nestled in front of the screen
  Playing Minecraft together, a heart-warming scene.
And mamma with her iPad, and I with my Droid
  Have just synced our email and...

…only kidding.

You’re allowed to have offline time over Christmas, so we’re not giving you a new Advent tip today.

Instead, by popular demand, we’ve collected all the tips so far into one page so you can find them easily in the future.

Remember: when 2016 comes around, all of these tips will still be valid.

In other words, as much as we’re urging you not to let your computer security guard down over the holiday season, we’re also encouraging you to keep your security guard up every day.

Computer security is for life, not just for Christmas.

Advent tip #1: Clean up your passwords before Christmas

We’re determined to keep repeating our password advice until everybody’s listened.

Advent tip #2: Defend yourself from ransomware – back up your files!

The only backup you’ll regret is the one you forgot to do.

Advent tip #3: Set your Facebook posts to ‘Friends only’

You wouldn’t go up to a stranger in a street and tell them what you’ve been up to, so why would you let just anyone see what you’ve posted on Facebook?

Advent tip #4: Unsolicited tech support call? Just hang up!

Friends don’t let friends get squeezed for money by bogus “tech support” callers…

Advent tip #5: Change default passwords on baby monitors and webcams

If a device has a default password, the crooks know what it is! So change it if you don’t want them watching what you’re filming…

Advent tip #6: A padlock *inside* a web page? Ignore it!

HTTPS puts the padlock in your browser – but please look in the right place, and don’t be fooled by security imagery inside the web page itself.

Advent tip #7: Do I really still need Flash? Probably not…

Turning off Flash deprives malware writers of one of their favourite toys and stops con artists preying on your hair trigger for Flash security updates by using them as camouflage for malware.

Advent tip #8: (Don’t) click here for a free iPhone!

If it looks too good to be true, that’s because it probably is. Heck, forget the “probably.”

Advent tip #9: Think before you share on social media

Maybe it sounds obvious, but oversharing on social media is a BAD idea.

Advent tip #10: Don’t put off those updates!

Cybercrooks love it when you put off updates and wait to see how others get on first… you become their low-hanging fruit.

Advent tip #11: Ask permission to post photos, not forgiveness!

“Ask before you post” is a small courtesy, but it shows you care about other people’s privacy – and we think that’s a great example to set.

Advent tip #12: Don’t email your credit card details!

If you’re in search of that perfect gift, but are having trouble paying for it, you might be tempted to email your card details…

Advent tip #13: Take care if internet friends ask for money

Some internet friendships aren’t what they seem and there is a whole school of cybercrookery that devotes itself to relationship-based scams. Be careful if someone asks you for money…

Advent tip #14: Beware of login links in emails!

If you click a dodgy link in an email, it’ll take you somewhere dodgy – so your best and safest plan is not to click in the first place!

Advent tip #15: Set your Facebook so you can’t be searched for by phone number or email

By default, anyone can look you up on Facebook via your email address or phone number. You can change your privacy settings to limit who’s able to search for you.

Advent tip #16: Logout when you’re done. Yes, even from Facebook!

Staying logged in means you never need to give your online posts a second thought. But sometimes a second thought is just what you need.

Advent tip #17: “Reply All” is probably not what you want

Here’s a humorous example to remind you why “Reply All” is probably not what you want, especially during party season.

Advent tip #18: Avoid typosquatting – type carefully at Christmas!

Just one finger-slip, and you (or your children) could end up where you really don’t want to be…so type carefully this Christmas!

Advent tip #19: Grab hold and give it a wiggle!

Watch out for booby-trapped ATMs! If crooks can copy your card and record your PIN when you withdraw money, they can raid your account.

Advent tip #20: Free Wi-Fi is handy – but think before you connect!

Free Wi-Fi can save you loads of money, especially when you’re overseas and roaming – but it can also go horribly wrong…

Advent tip #21: Bought online? Watch out for bogus courier emails!

Will that last-minute gift get delivered in time? Don’t be tempted by emails that say they’re from a courier company that couldn’t deliver.

Advent tip #22: Got a new gadget for Christmas? Stop. Think. Connect.

Can’t wait to see how your new-but-unpatched laptop performs online on Christmas morning? Nor can the crooks…

Advent tip #23: Check that Java is turned off in your browser

Fewer and fewer websites actually rely on Java, so the only people who really benefit from it being on in your browser are the crooks.

Images of Christmas tree and Advent calendar courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fjWN-RDEeC0/

Happy holidays from Naked Security!

We’re about to go off on our Christmas break so you might notice the site is a bit quieter than usual. But we’ll be back next year, recharged and ready to keep bringing you the latest security news, opinion, advice and research.

Now is probably a good time for me to remind you to make sure you’ve followed all our advent tips.

And if you’re responsible for IT security in your house, remember that yesterday we wrote about the new free Sophos Home which allows you to centrally manage your family’s PCs and Macs. If you tell us what you think about it – good or bad – then we’ll put you in the draw to win a $20 gift card for the Sophos Store.

Thanks for reading and contributing to our site this year. We always love to hear any feedback you have so please do comment on this article, or send us an email to [email protected]. You can also send us any story ideas to the same address – we’re always keen to hear what you’d like us to write about.

If you’re celebrating over the next few weeks, have an excellent time. And remember, stay secure!

Image of christmas tree courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mvUITdomv2A/