STE WILLIAMS

Many UK ecommerce sites allow ‘password’ for logins – report

Many of the UK’s most popular ecommerce sites have unsafe password practices, according to a new study, with four in five not requiring the use of a capital letter and a number/symbol.

Also, 16 per cent of sites accept the ten most common passwords, including “password”, according to security management outfit Dashlane. This means users on sites such as Wickes, River Island, and Asda Groceries can use easily guessable passwords, such as “abc123” and “123456”.

Testers also found that 56 per cent of sites allow users to have a password less than eight characters long, including IKEA, Amazon UK, and eBay.

However, it isn’t all bad news and some consumer-focused sites do get it right on password security. For the third time in a row, Apple received a perfect score and was the highest ranked site in the study.

Apple requires long, complex alphanumeric passwords, and does not accept easily hackable passwords. Several notable sites also have strong password requirements, including Boots, John Lewis, and Very.

Improving password practices would not require wholesale changes. Retailers shouldn’t be letting their security fall at the first hurdle, especially in the crucial run-up to the Christmas and January sales, Dashlane argued.

“It is extremely easy for even the most basic website to implement strong password requirements, yet some of UK’s largest online retailers are leaving their users exposed due to weak password requirements,” the firm said.

Dashlane chief exec Emmanuel Schalit explained: “A strong password is one that is at least eight characters long, and contains letters, as well as numbers and/or symbols. This complexity is what keeps hackers from easily guessing your password and accessing your account.”

Dashlane’s E-Commerce Security Roundup looked at the password security practices of the top 25 ecommerce sites used in the UK. The study comes in the aftermath of recent high-profile security breaches, such as the TalkTalk hack, and days after UK Chancellor George Osborne’s speech at GCHQ on the government’s measures to stop cyber criminals.

The roundup is Dashlane’s second major security study in the UK following a larger inaugural study in the spring of 2014. This time around Dashlane examined 25 popular ecommerce websites. Each site was analysed based upon a set of 21 criteria.

Things have improved in some categories since its initial study. For example, the number of sites that allow 10+ brute force logins decreased from 57 per cent to 40 per cent. The number of sites that accept the ten worst passwords decreased from 42 per cent to 16 per cent.
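The two controls the study scores sites on, a composition and denylist rule for the password itself and a cap on brute-force attempts, are small enough to show end to end. The following is an added example (not Dashlane's or any retailer's code): it checks a candidate password against the article's criteria (eight-plus characters, letters plus numbers or symbols, not on a common-password list), stores it with salted PBKDF2, and locks an account after a fixed number of consecutive failures. The denylist is constructed from the three passwords the article names, the lockout threshold of five is an assumption (the study only says 10+ is too lax), and the account names are made up.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MIN_LENGTH = 8            # the article's threshold
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold; the study flagged sites allowing 10+ guesses
# Constructed denylist seeded from the passwords the article names; load a real
# top-N list in production.
COMMON_PASSWORDS = {"password", "abc123", "123456"}


def check_password_policy(password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no numbers or symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems


def hash_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$hash' so parameters can change later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginThrottle:
    """Counts consecutive failed logins per account and locks the account at the threshold."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.failed = defaultdict(int)

    def is_locked(self, username):
        return self.failed[username] >= self.max_failed

    def attempt(self, username, stored_hash, candidate):
        """Return 'locked', 'ok' or 'bad'. A locked account rejects even the correct
        password until an out-of-band reset, which is what stops online guessing."""
        if self.is_locked(username):
            return "locked"
        if verify_password(stored_hash, candidate):
            self.failed[username] = 0
            return "ok"
        self.failed[username] += 1
        return "bad"
```

The composition rule is the weakest of the three controls: "abc123" fails it only because it is short, and a denylist of real leaked passwords plus the lockout counter do most of the work against the guessing the article describes.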

Another improvement was seen in the percentage of sites that require letters plus numbers or symbols, which rose from 42 per cent to 72 per cent. Two examples of this were eBay and House of Fraser, whose scores both rose because their password requirements became stricter.

“It is encouraging to see positive password security trends in the world of ecommerce,” Schalit concluded. “Yet, while the numbers indicate retailers are moving in the right direction, much work remains.”

“Given that it’s 2015, no website, regardless of how large or small it is, has an excuse for not implementing security policies that will better secure their users, as well as maintain the integrity of the brand by protecting the company from malicious attacks,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/password_security_retail_survey/

Introducing ‘RITA’ for Real Intelligence Threat Analysis

SANS’ free, new framework can help teams hunt for attackers by extending traditional signature analysis to blacklisted IP addresses and accounts that have multiple concurrent logons to multiple systems.

There is often a huge disconnect between what attackers do and what we as defenders do to detect them. There is currently a huge push to develop better and better indicators of compromise (IOC) or better threat intelligence. But if we sit back and think about these advancements in security, it becomes clear that we are still stuck in the process of trying to build better and bigger blacklists, still stuck believing we can somehow define evil away by building systems to find and neutralize it.

This will not work. 

We continue to look for the easy button. We continue to seek out automation of our security infrastructure. 

This will not work.

The reason these things will not work is because our defenses are static and accessible to all. All it takes is for an adversary to acquire these technologies and figure out how to bypass them before they sling a single packet at your network. This is one of the key reasons we work so hard to develop active defense approaches. But active defense will only go so far.

There is a new development in security called “hunt teaming.” This is when an organization puts together a team of individuals to actively look for evil on a network. It takes some big assumptions on the part of the defenders. The first is that security automation has failed somewhere. The second is that existing technologies will not be sufficient to find the bad guys. Even more critical, “hunt teaming” requires a fundamental shift in how we approach detecting attacks.

Traditionally, our approach has involved a set of simple signatures. For example, one of Black Hills Information Security’s (BHIS) tools, called VSagent, hides its command-and-control (C2) traffic in the base64-encoded __VIEWSTATE parameter. Further, it beacons every 30 seconds. Unfortunately, attackers can easily modify the backdoor to bypass any simple signature you throw at it. It also represents many of the nasty C2 techniques we have seen over the past few years.

A new framework for hunt teaming
How then, should we approach malware like this? The question asks us to look not just at individual TCP streams but at the communication as it relates to much larger timeframes. To help with this, SANS has released a free new tool, Real Intelligence Threat Analysis (RITA). (Note: The password for the ht user account is !templinpw! Because the VM is in OVA format it is portable to other VM environments.)

Currently, there are a number of different frameworks for pen testing, like Metasploit, SET, and Recon-ng. The idea behind RITA is to create a framework that is extensible, so that people can continuously add modules to it.

Let’s take a few moments and walk through the current modules in RITA.

  • First, to start RITA we just need to fire up the run.py script in the /home/ht/Documents/RITA directory.
  • Then, open a browser and surf to http://127.0.0.1:5000.
  • Next, we enter an example customer; the example data is stored on this VM.

The beaconing module uses a Discrete Fast Fourier Transform (DFFT) to move the timing of connections leaving your network from the time domain to the frequency domain.

Why? When we think about events, we tend to think of them as a series in time: first, second, third. However, we can also look at time in terms of frequency. If a host makes connections at regular intervals, that interval shows up very clearly as a peak in the DFFT output. So, when we run this module it creates graphs showing likely beaconing behavior.

Detecting a two-second beacon
The graph below shows a two-second beacon. This means there is a detectable frequency of two-second intervals between two hosts. This kind of analysis is very difficult to express as a signature on standard security devices like IDS and IPS.
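To make the frequency-domain idea concrete, here is an added example that is not RITA's code: it bins the timestamps of connections between each source/destination pair, runs a plain discrete Fourier transform over the bin counts (no numpy, so it runs anywhere), and reports the dominant period and how far that peak stands above the rest of the spectrum. The traffic is constructed: one host beacons every two seconds with up to 0.2 s of jitter, another makes the same number of connections at random times. The half-second bin width is chosen to be wider than the jitter, and the score threshold of 10 is an assumption.

```python
import cmath
import math
import random
from collections import defaultdict


def bin_connections(timestamps, window_seconds, bin_seconds):
    """Count connections per time bin; pick a bin width larger than the beacon's jitter."""
    n_bins = int(math.ceil(window_seconds / bin_seconds))
    counts = [0.0] * n_bins
    for t in timestamps:
        i = int(t // bin_seconds)
        if 0 <= i < n_bins:
            counts[i] += 1.0
    return counts


def dft_magnitudes(series):
    """Magnitude spectrum of a real series up to the Nyquist bin (O(n^2) DFT, no numpy)."""
    n = len(series)
    mean = sum(series) / n
    centred = [x - mean for x in series]          # drop the DC term so it cannot be the peak
    twiddle = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    mags = []
    for k in range(n // 2 + 1):
        acc = sum(centred[t] * twiddle[(k * t) % n] for t in range(n))
        mags.append(abs(acc))
    return mags


def dominant_period(timestamps, window_seconds=60.0, bin_seconds=0.5):
    """Return (period_seconds, score): the strongest periodic component and how far its
    magnitude stands above the median of the other frequency bins."""
    counts = bin_connections(timestamps, window_seconds, bin_seconds)
    mags = dft_magnitudes(counts)
    n = len(counts)
    peak = max(mags[1:])
    if peak == 0.0:
        return None, 0.0
    # take the lowest frequency that reaches the peak, so a harmonic never masks the fundamental
    k = next(k for k in range(1, len(mags)) if mags[k] >= 0.9 * peak)
    period = (n * bin_seconds) / k
    others = sorted(mags[1:k] + mags[k + 1:])
    median = others[len(others) // 2] if others else 0.0
    score = mags[k] / median if median > 0 else float("inf")
    return period, score


def find_beacons(connections, window_seconds=60.0, bin_seconds=0.5, min_score=10.0):
    """connections: iterable of (src, dst, timestamp). Returns {(src, dst): (period, score)}
    for pairs whose connection timing has a clear periodic component."""
    by_pair = defaultdict(list)
    for src, dst, ts in connections:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < 5:
            continue
        period, score = dominant_period(stamps, window_seconds, bin_seconds)
        if period is not None and score >= min_score:
            hits[pair] = (period, score)
    return hits


def constructed_sample():
    """Constructed traffic, not real data: 10.0.0.5 beacons every 2 s with +/-0.2 s jitter;
    10.0.0.9 makes 30 connections at random times in the same 60 s window."""
    rng = random.Random(7)
    conns = [("10.0.0.5", "203.0.113.7", 0.25 + 2.0 * i + rng.uniform(-0.2, 0.2))
             for i in range(30)]
    conns += [("10.0.0.9", "198.51.100.4", rng.uniform(0.0, 60.0)) for _ in range(30)]
    return conns


if __name__ == "__main__":
    for pair, (period, score) in find_beacons(constructed_sample()).items():
        print("%s -> %s: period %.2fs, score %.1f" % (pair[0], pair[1], period, score))
```

An attacker who randomises the beacon interval across a wide range smears this peak out, which is why RITA pairs the beaconing module with the other behaviours listed next rather than relying on it alone.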

But we can go further. We can also look for systems connecting to blacklisted IP addresses, potential scanning behavior, long duration connections (good for data exfiltration), and accounts that have multiple concurrent logons to multiple systems. 

The beautiful thing about RITA is that the data can be exported to the desktop, but can also be visualized via Kibana. For example, the concurrent module shows all accounts which are logged in concurrently to multiple systems. This is great for detecting lateral movement. Running the module loads the data into Kibana for visualization. (To see the results, you’ll need to select the results tab at the top.)

To load some results, you start by editing the time range in the upper right hand corner. It should say “Last 15 minutes.”

  • Then, select “Last 5 years”
  • In the middle box, type “result_type=”
  • Kibana will offer some autocomplete options
  • Select result_type=concurrent
  • This will show the systems with multiple concurrent connections

As you will see, the targetUserName of Fire_Phreak is logged on to multiple systems at the same time. That should get you started with the RITA VM. Good luck!
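The concurrent-logon check is simple enough to implement without the VM, so here is an added example (not RITA's module): given logon sessions as (user, host, start, end) records, it reports every user whose sessions on two different hosts overlap in time. The records are constructed; in practice they would come from Windows logon (4624) and logoff (4634) events, and a session with no logoff yet is treated as still open. Two overlapping sessions on the same host are deliberately ignored, since that is not lateral movement.

```python
from collections import defaultdict
from itertools import combinations


def concurrent_logons(sessions):
    """sessions: list of dicts with 'user', 'host', 'start', 'end' (epoch seconds; end may be
    None for a session that has not logged off). Returns
    {user: [(host_a, host_b, overlap_start, overlap_end), ...]} for users logged on to two
    different hosts at the same time."""
    still_open = float("inf")
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    findings = {}
    for user, sess in by_user.items():
        overlaps = []
        for a, b in combinations(sorted(sess, key=lambda s: s["start"]), 2):
            if a["host"] == b["host"]:
                continue                       # same box twice is not lateral movement
            start = max(a["start"], b["start"])
            end = min(a["end"] if a["end"] is not None else still_open,
                      b["end"] if b["end"] is not None else still_open)
            if start < end:
                overlaps.append((a["host"], b["host"], start, end))
        if overlaps:
            findings[user] = overlaps
    return findings


# Constructed logon records (not from the RITA sample data); the host names are made up.
SAMPLE_SESSIONS = [
    {"user": "Fire_Phreak", "host": "WS-01",    "start": 1000, "end": 1900},
    {"user": "Fire_Phreak", "host": "FILE-SRV", "start": 1500, "end": None},   # never logged off
    {"user": "Fire_Phreak", "host": "DC-01",    "start": 2000, "end": 2300},
    {"user": "jdoe",        "host": "WS-02",    "start": 1000, "end": 1400},
    {"user": "jdoe",        "host": "WS-03",    "start": 1400, "end": 1800},   # back-to-back, not concurrent
    {"user": "svc_backup",  "host": "BK-01",    "start": 900,  "end": 1600},
    {"user": "svc_backup",  "host": "BK-01",    "start": 1200, "end": 1700},   # same host twice
]

if __name__ == "__main__":
    for user, hits in concurrent_logons(SAMPLE_SESSIONS).items():
        for host_a, host_b, start, end in hits:
            print("%s on %s and %s at the same time (%d-%d)" % (user, host_a, host_b, start, end))
```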

John Strand is a senior instructor with the SANS Institute. He teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Guard: …

Article source: http://www.darkreading.com/introducing-rita-for-real-intelligence-threat-analysis/a/d-id/1323244?_mc=RSS_DR_EDT

Android’s accessibility service grants god-mode p0wn power

Michael Bentley of security-through-analytics outfit Lookout has found Android malware that installs apps without needing the user to approve each one.

Bentley, Lookout’s head of response, says the Shedun malware accomplishes the feat using Android’s accessibility service.

Once installed, the malware uses the accessibility service to gain god-mode-like access, installing apps and spewing advertising across phone functions.

“These families root the victim’s device after being installed and then embed themselves in the system partition in order to persist, even after factory reset, becoming nearly impossible to remove,” Bentley says.

“By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

Shedun lies about what the accessibility service can do in a bid to get users to approve the initial request, claiming that users should ‘feel at ease’ about granting it.

Legitimate apps like LastPass and the popular Tasker use the accessibility service for functions like application password filling and to grant expanded capability to phone tinkerers. ®
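Because the prompt can lie about what the service will do, the practical check is to enumerate which accessibility services are actually enabled and compare them with the ones you expect. The following is an added example, not Lookout's tooling: it parses the value of Android's `enabled_accessibility_services` secure setting (a colon-separated list of package/class component names, as returned by `adb shell settings get secure enabled_accessibility_services`) and flags any package not on an allowlist. The setting key and the LastPass and Tasker package names are real; the class names and the third package in the sample are constructed.

```python
import subprocess

# Packages the article names as legitimate users of the accessibility service.
ALLOWED_PACKAGES = {"com.lastpass.lpandroid", "net.dinglisch.android.taskerm"}

# Constructed sample of the setting's value; class names and the third entry are made up.
SAMPLE_SETTING = (
    "com.lastpass.lpandroid/com.lastpass.lpandroid.AccessibilityService:"
    "net.dinglisch.android.taskerm/.AccessibilityService:"
    "com.flashlight.free.ultra/com.flashlight.free.ultra.AccService"
)


def parse_enabled_services(setting_value):
    """Split the flattened ComponentName list into (package, class) tuples.
    'null' is what `settings get` prints when nothing is enabled."""
    services = []
    for item in setting_value.split(":"):
        item = item.strip()
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls        # shorthand '.Service' is relative to the package
        services.append((pkg, cls))
    return services


def unexpected_services(setting_value, allowed=ALLOWED_PACKAGES):
    """Enabled accessibility services whose package is not on the allowlist."""
    return [svc for svc in parse_enabled_services(setting_value) if svc[0] not in allowed]


def read_setting_from_device():
    """Pull the live value over adb; requires a connected device with USB debugging on."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service: %s (%s)" % (pkg, cls))
```

This only tells you what is enabled now; a device that Shedun has already rooted and persisted into the system partition, as Bentley describes, cannot be trusted to report its own settings honestly.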


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/shedun_adware/

US ‘swatting’ Bill will jail crank callers for five years to life

A loophole in US law could be closed, making it harder for criminal hackers to call in false high-profile threats to police, if an anti-swatting Bill introduced this week gains traction.

Swatting is the name given to the act of calling in to police false reports of high-risk emergencies. Criminal hackers and gamers are notorious for swatting as a jape, calling in a fake hostage situation at a rival’s home address where armed police will charge down doors with guns raised.

The FBI registers about 400 swatting calls a year with bills running up to US$100,000 per incident.

The Interstate Swatting Hoax Act of 2015 (PDF) will amend US law to make it a criminal violation to phone in a fake emergency response to police.

The Bill was introduced by representatives Katherine Clark (D-Mass) and Patrick Meehan (R-PA) and could see perpetrators fined and jailed for up to five years if no injury results.

Hoax callers face 20 years if serious bodily injury results and life behind bars if the swatting incident causes death.

Civil penalties can also result.

YouTube is littered with swatting videos where police have been called against live-streaming gamers.

Clark and Meehan say the Bill will crimp the dangerous swatting trend.

“Perpetrators of these hoaxes purposefully use our emergency responders to harm their victims,” Clark says in a statement.

“These false reports are dangerous and costly, and have resulted in serious injury to victims and law enforcement.”

Meehan says law enforcement are already “struggling” to protect the public, adding that swatting costs additional time and tax dollars.

“Swatting cases divert attention from serious situations that require the attention of highly trained personnel and puts innocent civilians at risk.”

Police agencies across Australia have told this reporter swatting is not an issue Down Under, although anecdotal rumours of it happening exist. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/us_swatting_hoax_act/

NCC Group sowing the seeds of disruption in the cyber security industry

Competition It’s 2015, the cyber attacks keep on coming, and the bad guys appear to be winning – some may argue this is because devastating data breaches are more newsworthy than businesses upping their security defences. We see a relentless battle between businesses trying to protect themselves and those with malicious intent attacking corporate systems to cause damage or steal information.

The need for robust security is obvious and no-one can rest on their laurels. But to stay ahead of the bad guys, the cyber security industry needs to inject new ideas into the mix now and again – and that means getting talented students and security “amateurs” to consider a career in this sector.

Global cyber security heavyweight NCC Group has designed The Cyber 10K competition specifically to spark new ideas, generate new solutions to combat malicious threats and encourage people to join the industry.

Professor Tim Watson, director of the cyber security centre at the University of Warwick, said: “The nature of this industry means that the ‘good guys’ must advance at the same rate, if not quicker, than those trying to cause harm if we are going to protect both consumers and businesses.”

“It’s important that we have a fresh view of the threats we face and it’s often new blood and the younger generations who can offer these new perspectives. That’s why competitions like Cyber 10K are so important – they provide an incentive for security amateurs to think critically about issues and develop real-life effective solutions to the problems we are facing.”

Cyber 10K is a superb opportunity for students and security “amateurs” to test their security chops. Entrants are asked to devise a proof of concept and the winning contestant receives £10,000 and expert advice from NCC Group to develop their own security solution. The competition closes for entries on 30 November – so hop to it! Details below:

Entry criteria

  • Description of the problem you are trying to solve.
  • Description of your solution and how it addresses the problem.
  • In addition to the above for an entry to qualify you must include a working prototype – a functional solution which can be used to demonstrate the idea in a reliable manner that accurately shows the idea working.
  • It is recommended that you also include: a video of no more than five minutes summarising the problem and solution, including a demo; and design documentation for the solution.

Categories

  • There are no strict categories. Anything goes as long as it hits the entry criteria, but some areas that you might want to think about include: cloud security, cyber incident response and clean-up, IoT and mobile security, consumer and user awareness, training and support, and cyber security on small budgets

The judging panel includes the following experts:

  • John Leyden, security reporter, The Register
  • Professor Steve Schneider, director, Surrey Centre for Cyber Security
  • Professor Tim Watson, director at University of Warwick’s cyber security centre
  • Alex van Someren, managing partner at Amadeus Capital Partners
  • Paul Vlissidis, director of the .trust division at NCC Group

The Register is a media partner of Cyber 10K. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/ncc_group_is_sowing_the_seed_of_disruption_in_the_cyber_security_industry/

Tech goliaths stand firm against demands for weaker encryption after Paris terror attacks

Tech giants claim they are standing firm in their refusal to allow government agencies to backdoor their cryptography – or to weaken encryption in their products.

The Information Technology Industry Council (ITI), which bills itself as the “global voice of the tech sector” and contains such giants as Apple, Google, and Microsoft, put out a statement Thursday in which it was unequivocal in its continued support for encryption.

“Encryption is a security tool we rely on every day to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks, and to otherwise preserve our security and safety,” said ITI president and CEO Dean Garfield.

“We deeply appreciate law enforcement’s and the national security community’s work to protect us, but weakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy. Weakening security with the aim of advancing security simply does not make sense.”

The statement comes as a number of politicians in the US and Europe try to reopen the conversation on encryption – something that just a week earlier was thought to have been effectively killed off when even the FBI’s top lawyer admitted that adding backdoors required a level of “magical thinking”, because it assumed others would not find them.

Political pressure

UK prime minister David Cameron has been especially vocal about the refusal by tech firms to purposefully limit their products’ security, an argument given greater vehemence by the fact that his government has proposed a new law that would give security services the ability to access the browsing habits of all UK citizens.

Meanwhile, US senator Dianne Feinstein (D-CA), who chairs the US Senate Intelligence Committee and has been criticized repeatedly in the past few years for her defense of the security services, said on MSNBC: “If you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents – whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airline – that is a big problem.” Manhattan’s district attorney Cyrus Vance joined the call with an opinion column in the New York Times that argued that “encryption blocks justice.”

The ITI statement reflects the opinion made publicly by a number of top tech executives, including Apple CEO Tim Cook, but following the Paris attacks they are understandably less excited to be going head-to-head with politicians.

Earlier this year, President Obama made it clear that his administration would not be seeking new laws over encryption and law enforcement access. However, law enforcement is still hoping to persuade tech companies into working with them informally. So far, at least, that call has fallen on deaf ears, thanks in large part to the revelations by Edward Snowden that the security services were actively breaking into those companies’ networks to access their data. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/tech_companies_against_weaker_encryption/

How TV ads silently ping commands to phones: Sneaky SilverPush code reverse-engineered

Earlier this week the Center for Democracy and Technology (CDT) warned that an Indian firm called SilverPush has technology that allows adverts to ping inaudible commands to smartphones and tablets.

Now someone has reverse-engineered the code and published it for everyone to check.

SilverPush’s software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. These signals, in the range of 18kHz to 19.95kHz, are too high pitched for most humans to hear, but can be decoded by software.

An application that uses SilverPush’s code can pick up these messages from the phone or tablet’s built-in microphone, and be directed to send information such as the handheld’s IMEI number, location, operating system version, and potentially the identity of the owner, to the application’s backend servers.

Imagine sitting in front of the telly with your smartphone nearby. An advert comes on during the show you’re watching, and it has a SilverPush ultrasonic message embedded in it. This is picked up by an app on your mobile, which pings a media network with information about you, and could even display followup ads and links on your handheld.

How it works … the transfer of sound-encoded information from a TV to a phone to a backend server

“This kind of technology is fundamentally surreptitious in that it doesn’t require consent; if it did require it then the number of users would drop,” Joe Hall, chief technologist at CDT told The Register on Thursday. “It lacks the ability to have consumers say that they don’t want this and not be associated by the software.”

Hall pointed out that very few of the applications that include the SilverPush SDK tell users about it, so there was no informed consent. This makes such software technically illegal in Europe and possibly in the US.

There are similar systems in use already. Ratings agency Nielsen has an audio system that does just this to measure the size of radio station audiences, but it’s something people have to agree to use and get paid to do so.

In addition, this sort of thing doesn’t just need to be used for advertising. What if a repressive regime decided to use it to track the phones of dissidents, he posited.

Of course, none of this matters if you don’t have an app listening out for the sounds of SilverPush. But initial research found almost 30 applications using the SilverPush SDK, predominantly shopping apps run by Indian or Far Eastern firms.

As the news about SilverPush spread, Kevin Finisterre of security consultancy Digital Munition decided to take a look at the code. He has since published his findings on GitHub.

He found that the software assigned letters of the alphabet to high-pitch tones, eg: an 18kHz sound translates into an ‘A’, and 19.125kHz is a ‘P’. Pairs of these characters are used to identify TV ads: ‘AP’ is used to recognize a Geico ad and display an image and link to the insurance biz, we’re told. Sound-playing online adverts appear to use a fingerprint of five characters.

The logical next step is to see if these signals can be disrupted. Finisterre played around with trying to spoof the sounds the apps are looking for and send them junk data. It would also be possible to write a program that randomly sent out ultrasonic tones to disrupt the system, although this would “probably piss your dog and a bunch of other animals off,” he told The Reg.

“I would try to block this at the audio driver level, not at the browser level. Any other app can implement the same type of tech,” he said.

“There are lots of possibilities. It really depends on which aspect of it you are trying to protect against. The audible beacon triggers themselves (audio driver-based protections, spoofing tones, etc), or the data collection process (think blocking the IPs of the servers), or the monetization of the data collection (think spoofing randomized invalid data at the backend).” ®
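The letter-to-tone mapping described above and Finisterre's suggestion of spoofing tones both come down to a few lines of signal processing, so here is an added example that is not SilverPush's SDK or Finisterre's published code. It synthesises one pure tone per character at 44.1 kHz, decodes a buffer by measuring the power at each candidate letter frequency with the Goertzel algorithm (cheap enough to run on a phone, no FFT needed), and shows what overlaying competing tones does to the decoder. The two anchor points (18 kHz is ‘A’, 19.125 kHz is ‘P’) are from the article; the uniform 75 Hz spacing between letters, the 0.1 s symbol duration and the absence of any framing or checksum are assumptions about a format the article does not fully describe.

```python
import math

SAMPLE_RATE = 44100      # CD-rate PCM; 18-20 kHz sits below the 22.05 kHz Nyquist limit
BASE_HZ = 18000.0        # 'A', per the article
STEP_HZ = 75.0           # assumed: (19125 - 18000) Hz over the 15 letter steps from 'A' to 'P'
SYMBOL_SECONDS = 0.1     # assumed symbol length; 4410 samples gives 10 Hz resolution per frame
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def char_to_hz(c):
    return BASE_HZ + STEP_HZ * (ord(c) - ord("A"))


def encode(message, amplitude=0.5):
    """Synthesise float PCM samples: one pure tone per character, no gaps (assumed framing)."""
    n = int(SAMPLE_RATE * SYMBOL_SECONDS)
    samples = []
    for c in message.upper():
        f = char_to_hz(c)
        samples.extend(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for i in range(n))
    return samples


def goertzel_power(frame, target_hz):
    """Power of one frequency in a frame via the Goertzel recurrence."""
    omega = 2 * math.pi * target_hz / SAMPLE_RATE
    coeff = 2 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def decode(samples, min_ratio=10.0):
    """Pick the strongest letter tone in each frame; emit '?' when no single tone dominates
    (silence, or two tones of similar power) rather than guessing."""
    n = int(SAMPLE_RATE * SYMBOL_SECONDS)
    out = []
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        ranked = sorted(((goertzel_power(frame, char_to_hz(c)), c) for c in ALPHABET),
                        reverse=True)
        (best_p, best_c), (second_p, _) = ranked[0], ranked[1]
        if best_p < 1e-6 or best_p < min_ratio * second_p:
            out.append("?")
        else:
            out.append(best_c)
    return "".join(out)


def jam(samples, amplitude=0.5, letters="MZ"):
    """Finisterre's disruption idea: overlay competing tones so no letter clearly wins."""
    jammed = []
    for i, x in enumerate(samples):
        for c in letters:
            x += amplitude * math.sin(2 * math.pi * char_to_hz(c) * i / SAMPLE_RATE)
        jammed.append(x)
    return jammed


if __name__ == "__main__":
    print(decode(encode("AP")), decode(jam(encode("AP"))))
```

Adjacent letters are only 75 Hz apart, so the decoder depends on frame length: at 0.1 s a rectangular window puts a neighbouring tone roughly 27 dB down, which is why the example refuses to decode unless the best candidate beats the runner-up by a factor of ten. Feeding the decoder a buffer with two overlaid tones, as `jam` does, turns every symbol into '?', which is the cheapest form of the tone spoofing Finisterre describes; the remaining options he lists (blocking backend IPs, feeding the backend invalid data) sit outside the audio path entirely.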


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/silverpush_soundwave_ad_tracker/

And Now, A Cyber Arms Race Towards Critical Infrastructure Attacks

As traditional explosives give way to ‘logic bombs,’ the need to protect our industrial networks and systems has never been more important.

Over the past several years sophisticated code has been used for nation-state espionage in order to minimize risk to military personnel or costly equipment. Similar techniques are now being applied to the development of next-generation cyber weapons. These will allow troops to remotely launch cyber code designed to destroy physical equipment, cause severe damage to critical infrastructure, and impact not only military targets but also civilian lives.

There is a cyber arms race going on. Nation-states and terrorist organizations are spending billions of dollars to build the cyberbombs. According to U.S. government contractors and former Pentagon officials, a new half-billion-dollar U.S. military contract will sponsor the development of lethal cyberweapons. The goal of this United States Cyber Command project, according to various news reports, is to develop capabilities that will allow troops to launch logic bombs instead of traditional explosives and essentially direct an enemy’s critical infrastructure to self-destruct.

While governments and adversaries are investing in the development of cyberarms, very little is being done to protect our critical infrastructure, leaving energy and manufacturing companies, for the most part, to fend for themselves against the growing threat of cyberattacks. Industrial facilities have become attractive targets for several reasons:

  • Industrial processes are part of every nation’s critical infrastructure and therefore a successful attack may cause both physical and psychological damage.
  • Most industrial facilities and networks were designed many years ago, before the threat of cyber-attacks existed. As such, no security controls were implemented to defend operational networks, which contain both design and code vulnerabilities that can be exploited by adversaries.
  • To achieve automation and efficiency improvements, these traditionally disconnected networks have been opened up to the external world and that increases their risk exposure.

The Visibility Control Challenge
One of the main challenges industrial facilities face is the lack of visibility and security controls over SCADA (Supervisory Control and Data Acquisition) systems, which automate industrial processes and manage remote equipment. Within these systems, the most sensitive and critical elements are the programmable logic controllers (PLCs).

Introduced in the late 1960s, PLCs are dedicated industrial computers that make logic-based decisions to control industrial processes. They are found in every industrial environment, and play a critical role in complex industrial processes like power generation, oil transportation, management of electrical and water utilities and various manufacturing processes. A cyberattack that reaches these controllers, changes their logic, or takes them out of commission, can have devastating physical results.

PLCs are designed to be ruggedized and require little on-going maintenance. Therefore it is not uncommon for PLCs implemented decades ago to still be in operation. Although many documented PLC vulnerabilities can be exploited, most of these are never patched due to stability concerns. Given the complexity of the processes they automate, any disruptions to PLCs can cause downtime, reliability issues or other operational problems.

Since PLCs were deployed decades ago and rarely undergo maintenance, it is virtually impossible to maintain an accurate inventory that details where devices are located and what logic they actually run. In addition, the logs commonly used in IT systems to monitor configuration changes or record the last known good configuration do not exist in PLCs. As a result, in the event that a cyberattack successfully alters PLCs, there are no efficient recovery mechanisms in place.

Monitoring the network activity and searching for signatures and indicators of compromise has proven challenging as well. The “open architecture” of the Internet age does not exist in industrial networks. Since every industrial equipment vendor implements their own proprietary network technology, most of which are not well documented, it is difficult to understand all the activity on the network.

To add even more complexity, it is common for multiple vendor technologies to be implemented in the same industrial network. This complexity and the lack of adequate monitoring tools create blind spots that can allow sophisticated code, or insiders with malicious intent, to go undetected and compromise PLCs.

Collateral Damage
The threat of cyberweapons goes beyond their direct impact on industrial facilities since successful attacks can produce massive and unintended collateral damage beyond their initial target. That’s because they are attacking a technology that is ubiquitous across the industrial sector. Attack code could easily spread to infrastructures and industries that weren’t originally targeted, yet they would still suffer from its consequences.

Another serious concern is the possibility that these new cyberweapons will end up in the wrong hands, “leaked” by disgruntled employees or through security breaches. It’s worth mentioning that contractors bidding for the United States Cyber Command contract include companies like Boeing and Lockheed Martin, both of which were victims of information theft by Chinese hackers in recent years.

Cyberattacks targeting critical infrastructure are not theoretical; they are real and pose an even greater threat in the wake of new classes of cyberweapons being developed to exploit design issues and vulnerabilities in industrial networks. The lack of security controls and vulnerabilities in PLCs, combined with insufficient visibility and control over operational networks, is a problem that can’t be addressed too soon.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several …

Article source: http://www.darkreading.com/attacks-breaches/and-now-a-cyber-arms-race-towards-critical-infrastructure-attacks/a/d-id/1323225?_mc=RSS_DR_EDT

US-China Security Review Commission Discusses ‘Hack-Back’ Laws

Commission’s annual report to Congress recommends a closer look at whether companies should be allowed to launch counterattacks on hackers.

The U.S.-China Economic and Security Review Commission released its annual report to Congress Wednesday, outlining the challenges of cybercrime attacks launched between China and the U.S.

Among the Commission’s recommendations was to further the conversation about whether or not the private sector should be able to legally go on the offensive — either directly or through an official intermediary — and launch counterattacks against threat actors that have compromised their systems. From the report, the Commission recommends:

“Congress assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks. In addition, Congress should study the feasibility of a foreign intelligence cyber court to hear evidence from U.S. victims of cyberattacks and decide whether the U.S. government might undertake counterintrusions on a victim’s behalf.”

The report discussed the role countermeasures play in “deterrence,” quoting U.S. Defense Secretary Ashton Carter, who said: “[Deterrence] works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States and by decreasing the likelihood that a potential adversary’s attack will succeed.”

Read the full report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/vulnerabilities---threats/us-china-security-review-commission-discusses-hack-back-laws/d/d-id/1323226?_mc=RSS_DR_EDT

4 Tricks For Getting The Most Out Of User Behavior Analytics

First things first: establish what ‘normal’ metrics look like.

While most security programs today collect data from application event logs, firewalls and network devices to form the bedrock of their security analytics programs, in many cases they still aren’t tying that data back to individual users. According to the recent SANS Analytics and Intelligence Survey, only about one-third of organizations today collect user behavior monitoring data. But that’s expected to change: about three-fourths of respondents say they’d like to start collecting this data in the future.

User behavior analytics can offer a ton of value on a number of fronts. Not only do these metrics offer visibility into potential insider threats, but they can also show early red flags for when accounts have been compromised by external attackers. The key is remembering that these metrics are most useful when they’re measuring a change in behavior, which means that the foundation of a behavior analytics program is understanding what normal behavior looks like before seeking out anomalies.

“While most compromises take only minutes to execute, they can remain undetected for days, weeks, and months after the fact,” wrote Rapid7’s Tod Beardsley, security research manager, and Roy Hodgman, data scientist, in a best practices guide they recently developed about user behavior analytics. “IT security administrators should be alert for some tell-tale compromise events, but this is difficult to do without first establishing a baseline of what is to be expected in a particular network.”

According to the pair, there are four important areas organizations should focus on when establishing baselines and measuring changes in user behaviors.
Differentiate Between Humans And Machines

“Normal” behavior for accounts used by humans will look very different from that of service accounts used to carry out automated application activity and the like. These machine accounts usually have more permissions but are much more predictable than human-run accounts. At the same time, their volume of activity is likely to be much higher than that of human accounts.

“Incident responders looking to identify account takeovers through user behavior analytics must know what type of account they are looking at when deciding what constitutes abnormal behavior,” Beardsley and Hodgman say.
Use These 3 Measurements To Get A Baseline Cloud Usage Reading

To start understanding the extent of cloud usage and get a handle on how users are interacting with cloud accounts, organizations should first examine web proxy logs, DNS records and firewall data to establish which applications are used most.

“Once services and their associated users are identified, you have great data to start a conversation with particular teams within the organization on which cloud services are required for productivity and how to provide these services, or alternatives, securely,” Beardsley and Hodgman write.

Once that benchmark has been established, the same metrics can be used to track how well shadow IT is being contained in the future.
Take Advantage Of Mobile Device Location Data

Mobile devices may be a pain in the neck for security pros in many respects, but their ubiquity actually presents a really great opportunity for tapping into the power of user behavior analytics.

“Forward-looking security programs are using the location of smartphones as a data point in user behavior analytics to flag any situation where an authentication is coming from a different physical location than the location of the smartphone,” they write.

Keep Tabs On Local Machine Admin Accounts

Enterprises leave themselves open to a huge analytics blind spot if they only watch Active Directory accounts without keeping track of local machine administrator accounts. That’s because the bad guys tend to leverage these local accounts to move laterally until they can find a really juicy vulnerability to exploit in a more critical account.

“This is especially fruitful in companies that use a standard, golden image for rapid desktop deployment and keep all local domain administrator passwords identical to simplify helpdesk requests,” Beardsley and Hodgman write.
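One way to turn the first and fourth of these points into detection logic, as an added example that is not code from the article or from Rapid7’s guide (account names, hosts and logon hours are constructed): a baseline is built per account, human and service accounts are judged with different tolerances, and logons by a shared local administrator account are counted across hosts rather than per event.

```python
"""Baseline-then-flag user behaviour analytics over constructed logon events.
Added example; not code from the Dark Reading article or Rapid7's guide."""

# Constructed sample events: (account, host, hour_of_day, account_type)
BASELINE_EVENTS = [
    ("alice", "ws-01", 9, "human"), ("alice", "ws-01", 10, "human"),
    ("alice", "ws-01", 14, "human"), ("alice", "ws-01", 17, "human"),
    ("svc_backup", "srv-01", 2, "service"), ("svc_backup", "srv-02", 2, "service"),
    ("svc_backup", "srv-01", 2, "service"), ("svc_backup", "srv-02", 2, "service"),
]
NEW_EVENTS = [
    ("alice", "ws-01", 8, "human"),           # slightly early: within human slack
    ("alice", "ws-01", 23, "human"),          # far outside alice's usual hours
    ("svc_backup", "srv-01", 2, "service"),   # normal for the service account
    ("svc_backup", "ws-07", 2, "service"),    # service account on an unseen host
    ("svc_backup", "srv-01", 13, "service"),  # service account at an unseen hour
    ("Administrator", "ws-01", 11, "local_admin"),
    ("Administrator", "ws-02", 11, "local_admin"),
    ("Administrator", "ws-03", 11, "local_admin"),
]

def build_baseline(events):
    """Per account: account type plus the hosts and logon hours seen so far."""
    profiles = {}
    for acct, host, hour, kind in events:
        p = profiles.setdefault(acct, {"type": kind, "hosts": set(), "hours": set()})
        p["hosts"].add(host)
        p["hours"].add(hour)
    return profiles

def flag_anomalies(baseline, events, admin_host_limit=3, human_slack=3):
    """Return (account, reason) pairs for events that deviate from the baseline."""
    alerts, admin_hosts = [], {}
    for acct, host, hour, kind in events:
        if kind == "local_admin":
            admin_hosts.setdefault(acct, set()).add(host)  # judged by spread below
            continue
        p = baseline.get(acct)
        if p is None:
            alerts.append((acct, "no baseline for account"))
            continue
        if host not in p["hosts"]:
            alerts.append((acct, f"new host {host}"))
        # Service accounts are predictable, so any unseen hour is notable;
        # human accounts vary, so only hours well outside the seen range fire.
        lo, hi = min(p["hours"]), max(p["hours"])
        if kind == "service" and hour not in p["hours"]:
            alerts.append((acct, f"unusual hour {hour}"))
        elif kind == "human" and not (lo - human_slack <= hour <= hi + human_slack):
            alerts.append((acct, f"unusual hour {hour}"))
    # One local admin account logging on across many hosts in a single window
    # is the shared golden-image password pattern the article warns about.
    for acct, hosts in admin_hosts.items():
        if len(hosts) >= admin_host_limit:
            alerts.append((acct, f"local admin logon on {len(hosts)} hosts"))
    return alerts
```

In practice the baseline would be rebuilt from weeks of authentication logs and the account type taken from the directory or a naming convention rather than carried on each event.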

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/analytics/4-tricks-for-getting-the-most-out-of-user-behavior-analytics/d/d-id/1323234?_mc=RSS_DR_EDT