STE WILLIAMS

National Museum of Computing to hold live Enigma code-breaking demo with a Bombe

The National Museum of Computing (TNMOC) is going to fire up its replica Enigma code-breaker to decrypt encoded messages sent from Poland – with an original wartime Bombe operator supervising the process.

The British museum’s Bombe replica, recently moved into the original Block H building that housed the wartime Bombes, is a fully functional reproduction of the machines that broke Nazi Germany’s Enigma ciphers during the Second World War.

The electro-mechanical computers were used to read military messages sent between high-ranking German commanders, giving Britain and its allies a vital insight into what the Germans were up to and what they were planning to do next.

As part of the World Computer Congress being held in Poland this Friday (21 September), the Bombe will be fired up and set to work decrypting messages sent from the eastern European country. While the machine does its work (this is 1940s technology, remember), participants in the conference will hear papers about cryptography, the Bombe and master codebreaker Alan Turing, who, along with Gordon Welchman, was one of the leading minds behind the creation of the original Bombes.

Ruth Bourne, a wartime Bombe operator, will be present at TNMOC on the day to verify the process as the operators attempt to find the key to decrypt the message traffic.

The Bombe was built on codebreaking principles developed by Polish cryptanalysts in the very early stages of the Second World War, before that country was overrun by the invading German forces. Fleeing codebreakers took their knowledge to Britain, where what we now call GCHQ set to work adding to the Poles’ efforts.

The Enigma machine was the main cipher machine used by German signallers. It worked through three – later four or five – rotor wheels that determined how plain-text messages were enciphered ready for transmission. At the heart of the German signals process was the sending of the enciphered key setting twice at the beginning of each message. Repetition of letters in that key allowed British cryptanalysts to analyse the text and start building machines to decipher German messages, figuring out the wheel settings for each day.

Interested folk can watch the challenge live from around 0830 BST on Friday on the World Computing Congress website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/19/tnmoc_bombe_enigma_code_breaking_demo/

Heads up: Get ready to tune in live and watch us probe insider threats menacing today’s IT

Promo On September 26 at 10:00 PT / 11:00 MT / 13:00 ET / 18:00 BST we’re broadcasting live with an exploration of insider threats to enterprises and other organizations.

Like it or not, business as usual means dealing with the undesirable emergence of rogue behaviours on our networks. It’s a challenge that’s not going to go away as more and more companies develop modern workforces that are mobile, offsite, and made up of contractors.

In this webinar, fronted by our own Jon Collins and featuring analyst Tony Lock and experts from LogRhythm, we’ll explore:

  • What is the new face of the insider threat — how do bad apples manifest themselves in today’s organisations?
  • What are the costs of doing nothing — how much damage is being done, day on day, and why is nothing being done?
  • What does a solution look like — how do best practices, tools, and roles combine to mitigate the insider threat?
  • Where to start — what is the best approach to take an organisation from a denial state to a clear view?

If you are familiar with the challenge and want to do something about it, or if you lack a clear picture of the insider threat and how to address it, tune in. Bring your questions too, we’re geared up to tackle them live as we work through the broadcast.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/19/insider_threats_webinar/

Patch for EE’s 4G Wi-Fi mini modem nails local privilege escalation flaw

Telco EE’s Mini Wi-Fi modem needs to be updated with a recently issued patch.

A local privilege escalation vulnerability in the Alcatel-manufactured tech, discovered by ZeroDayLab, could be used to plant malware or steal info from Windows computers that use the kit for internet connectivity, the researchers warned.

This vulnerability can be used to escalate privileges locally on a Windows system. For example, an attacker can plant a reverse shell from a low-privileged user account and, after the computer is restarted, the malicious service is started as “NT AUTHORITY\SYSTEM”, giving the attacker full system access to the remote PC.

The bug was uncovered by Osanda Malith Jayathissa, a security consultant at ZeroDayLab, and reported to EE in July. EE worked with Jayathissa and Alcatel to develop a patch, which was rolled out earlier this month. This cleared the way for ZeroDayLab to go public about the problem responsibly.

“This vulnerability can be used to escalate system privileges on any Windows machine locally,” Jayathissa confirmed to El Reg.

The kit’s software needs updating to “EE40_00_02.00_45” and previous vulnerable versions should be removed, as described in an advisory by ZeroDayLab here.

In response to queries from El Reg, EE confirmed it had resolved what it characterised as a minor security issue with a patch. It nonetheless thanked Jayathissa for his efforts.

EE said the attacker would have needed physical access to a Wi-Fi modem that had been plugged directly into the laptop or PC via USB and left unattended or unlocked. This sort of scenario could happen in trains, shared office spaces and cafes so it isn’t implausible, just clearly not super critical.

Jayathissa added that other vendors using the same kit might also be vulnerable. The possibility of wider exposure has not been tested and remains unconfirmed.

El Reg flagged up the issue with Alcatel, but we’re yet to hear back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/19/ee_modem_vuln/

The Risk Management Struggle

8 Keys to a Successful Penetration Test

Pen tests are expensive, but there are key factors that can make them worth the investment.

(Image: AntonKarlik)


In 1880, Prussian Field Marshal and military theorist Helmuth von Moltke the Elder wrote what can be translated in English as, “No plan of operations reaches with any certainty beyond the first encounter with the enemy’s main force.” He meant that all plans are great until they run into reality.

That statement resonates today in cybersecurity. Many security professionals vet their security plans against reality via a penetration test, aka pen test, in which a red team of white-hat hackers does its best to defeat the defenses established by the blue team of defenders. It is frequently an eye-opening experience for the blue team and their managers.

While virtually every security plan for an organization of any size calls for pen testing, these exercises tend to be expensive and frequently disruptive. It pays to make them as effective as possible. So what’s the difference between a costly pen test that puts a tick in a check box versus one that’s a legitimate tool for improving security?

Putting in the work to properly prepare for a pen test can lead to solid security benefits for the organization. More than half of the steps to a solid pen test occur prior to when the testing begins. That’s not terribly unusual – aphorisms about practice, planning, and perfection are common – but it reinforces the idea that pen testing is not the sort of activity that can be taken lightly. And if it’s going to be most effective for the organization, it can’t be taken as an activity just for the sake of making auditors, regulators, or insurers happy.

The following steps for a successful pen test were gathered from personal experience; conversations with professionals including Tod Beardsley, director of research at Rapid7, Yonathan Klijnsma, threat researcher at RiskIQ, and Stephen Boyer, founder and CTO of BitSight Technologies; and numerous discussions with researchers at Black Hat USA and DEF CON 2018.

Have you been part of a pen test that has been highly valuable – or not? What steps did you find critical to making the pen test matter? Let us know in the comments section below.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/analytics/8-keys-to-a-successful-penetration-test/d/d-id/1332843?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Steps to Success for New CISOs

You’ve been hired to make an impact. These tips can help set you up for continued success.

There are two fundamental truths for anyone working in security. The first is that there is an increasingly sophisticated threat landscape, making it impossible to be 100% secure. The second is that humans are human, and mistakes will be made, but potential errors have increasing impacts.

Combine these two truths with rapid technological change and the need for organizations to stay relevant in the digital age, and the role and importance of the CISO must evolve significantly. Without doubt, cybersecurity is now a boardroom discussion. If you’re a CISO, you’ve been hired to make an impact, and as with any new leadership role, it’s difficult to balance the business, your goals, and the relationships you’re forming. The following will help set you up for continued success.

1. Use and Automate Data 
Don’t fly blind. You want quick clarity on security performance and the measures, controls, and frameworks you’re using to define this. Don’t assume any person or system is able to give you the full picture. There are several options available, all of which come with pros and cons. Audits from large consultancy firms are popular but will only give you a single snapshot in time, meaning that the conclusions will be out of date almost immediately. 

And of course, static manual audits aren’t automated. Any reporting to show improvement, monthly status requests, or even ad hoc insight requests from your board will require your team to deliver manual updates or another audit. This route is expensive. You could see much of your hard-won budget going toward audits or manual reporting rather than improving security.

Be aware of the manual reporting process. Gathering, cleansing, and unifying data to connect the dots isn’t straightforward. The battle to find out what information has been missed is never-ending. The result is information that may or may not give you an accurate view, and quickly, you could be back where you started. Automation brings tangible benefits: speed, reduction in error, and greater insights as computers may well capture things teams can’t see in the pressure to complete the task. 

2. The Devil Is in the Inventory
Understanding what you have and should be protecting seems obvious, but this often is a challenge. Clarity on what you have (devices and apps), where it all is (region or business line), and who is using it (identity) is critical for making fast, accurate decisions. Make sure your approach leverages and cross-references data from across HR, business, security, and IT to capture as many devices as possible. 

It’s essential to have a breakdown of devices by, at least, technology and a business attribute aligned to your business strategy, such as region or product line, to understand your exposures and measure your risk.

3. A Risk-Based Approach 
Without insight into your risk appetite, you can’t start to drive a risk-based approach to security or even begin to understand if you have the right budgets or ROI measures in place.

Once you’ve established this risk appetite, determine your level of acceptable cybersecurity risk, and what controls you need in place to support this. To do all of this effectively, you must break down communication silos and connect the dots across the executive suite to security and IT. The goals are getting alignment against agreed acceptable risk, and creating an operation plan that focuses your limited resources on the areas of remediation where there is the most significant return.

4. Remember Relationships 
As the role of CISO evolves, it’s becoming a key conduit between the business, IT, and risk teams. It’s inherently an interdepartmental/interdisciplinary role and, due to the nature of the relationships, one that tends to govern by influence. This requires trust. Working off a single source of trusted data becomes critical to building that trust.

All teams that touch the security process need to be aligned behind and feeding into a single source of trusted data. If not, time and effort will be wasted on arguing over the validity of the data, creating setbacks in any security improvement process. 

5. Spokesperson for Cybersecurity
You will elevate your role within the business if you can communicate the plain facts about security, risk, and compliance with confidence to get buy-in for your plan and strategy. When providing information to the C-suite, it’s vital to remember this team is accountable, too, and can help ensure that the entire company is appropriately prioritizing your initiatives. Make sure you have the technology and procedures in place to be able to provide timely, accurate, and appropriate information to stakeholders. The last thing you want to do is report improved results to the board only to retract this information at the next meeting because you didn’t have the full picture due to incomplete data.

Three key indicators will help you avoid pitfalls: timeliness, accuracy, and appropriateness. You can’t be 100% secure, but you can be 100% sure of your position.

By solving the data challenge and moving to a risk-based approach, modern CISOs address the basics of enterprise cyber hygiene and drive a more aggressive approach. An ever-improving cycle of data gathering, insight, and efficient use of resources will create a machine that will automate improvement and improve security, allowing you to build key relationships based on trusted, accurate data.


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Nik Whitfield is the founder and CEO at Panaseer. He founded the company with the mission to make organizations cybersecurity risk-intelligent. His team created the Panaseer Platform to automate the breadth and depth of visibility required to take control of …

Article source: https://www.darkreading.com/endpoint/5-steps-to-success-for-new-cisos-/a/d-id/1332797?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI: Phishing Attacks Aim to Swap Payroll Information

Social engineering scams target employees’ payroll credentials so attackers can access and change their bank account data.

The FBI’s Internet Crime Complaint Center (IC3) reports a wave of social engineering attacks aiming to steal employees’ login credentials so they can break into online payroll accounts.

Attackers send their targets phishing emails designed to capture login credentials, the IC3 states. They use these to access employees’ payroll accounts, change their bank account data, and add rules so the victim doesn’t receive alerts about direct deposit changes. From that point, money is redirected to an account controlled by the attacker, usually a prepaid card.

IC3 advises companies to alert employees about the rise of this scheme and educate them on preventative and reactive measures. For example, they should know to hover their cursor over hyperlinks in emails so they can view the URL and ensure it belongs to the company the email claims to be from. They should know never to provide login data or personally identifiable information in response to any email.

Payroll login data should differ from credentials used for other purposes, the report continues, and greater scrutiny should be applied to bank information provided by employees who request to update their direct deposit information.

Read more details and guidance here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/fbi-phishing-attacks-aim-to-swap-payroll-information/d/d-id/1332845?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication

New standards offer protection against hacking, credential theft, phishing attacks, and hope for the end of an era of passwords as a security construct.

The Internet began without an identity layer and has suffered since with a password retrofit, but new open, standards-based innovations for protecting log-ins to applications on the web, desktop, and mobile devices are ready for service providers and end users hoping for better access controls.

Two modern authentication innovations born from collaboration between the World Wide Web Consortium (W3C) and the FIDO Alliance now offer cross-platform standards that enable strong authentication based on battle-tested public key cryptography.

These authentication upgrades, combined with a palatable user experience, are today’s hope that tomorrow begins to end reliance on passwords as a security construct.

The standards, known under the banner FIDO2, offer protection against account hacking, credential theft, and phishing attacks that have plagued the Internet to the tune of billions of credentials stolen over the past few years. In addition, FIDO2 privacy principles protect users by guarding cryptographic keys and preventing sharing of user data among website operators.

This effort is not about more security add-ons, third-party helper apps, or unfamiliar user requirements. It’s about native authentication technology built into native platforms, web browsers, operating systems such as Windows and Android, and devices, including hardware-backed credential protection using technologies such as a Trusted Platform Module (TPM).

FIDO2 represents the building blocks to go beyond basic log-in and specify the first strong authentication standard for the web — thus providing users secure credentials that resist attack.

What Is FIDO2?
Simply put, FIDO2 has two pieces that can work together or separately: an application programming interface (API) and a set of rules for transmitting data between devices (a protocol). Both were introduced in April before the annual RSA conference.

The Web Authentication API (WebAuthn), developed by the W3C, is already part of Google Chrome (since version 67), Firefox (since version 60), and, recently, Microsoft Edge. WebAuthn is now a native feature of modern browsers, and authentication is no longer an Internet retrofit or add-on.

The WebAuthn API allows an end user to register a public key credential with a specific website using a FIDO-based authenticator, and for that same user to subsequently use that credential to log in to that website. Registration operations can be repeated on an infinite number of websites, each one creating a new set of public and private keys bound to a specific website.

The second piece of FIDO2, the Client to Authenticator Protocol (CTAP), allows for device-to-device strong authentication over USB, NFC, or Bluetooth. FIDO2, developed by the FIDO Alliance, lets users authenticate on one device (for example, a smartphone) and use that authentication to log in to web apps or operating systems running on a different device.

CTAP adds new authentication schemes to the FIDO palette, including user verification on a device, authenticating to a local device (such as a laptop), or authenticating a user to an online service being accessed from another local device.

Where Is This Headed?
FIDO2’s goal is a standardized, universal authentication platform with password-less, biometric, and device-based authentication options to support any number of consumer or business use cases.

The W3C builds standards for web browsers, which means WebAuthn will become the foundational underpinning for a standard authentication mechanism that works across platforms.

The target audience is consumers and enterprises that want strong authentication for protecting access to resources and data on the web or other computing platforms. In addition, FIDO2 embraces developers by eliminating the complexity of building security and strong authentication into their apps. The requirement now is just an API call.

What to Expect
Today, the W3C has WebAuthn approved for implementation and is working toward formal standardization. Hurdles to worldwide adoption exist, however, including building support among website operators and igniting a cultural shift among end users looking to replace breach fatigue with stronger authentication.

The FIDO Alliance is continuing to expand. It has incorporated its second-factor specification, called Universal Second Factor (U2F), into CTAP version 1 and is nearing completion on a CTAP version 2 that will add PIN capabilities for operations such as transactions. FIDO’s Universal Authentication Framework (UAF) also is aligning with FIDO2 principles.

The W3C is adding depth and breadth to the opportunity with a palette of Web specs for security, cryptography, and payments that can integrate WebAuthn for secure authentication.

The goal is that the current trend of stolen credentials via phishing or man-in-the-middle attacks will fade for those who adopt FIDO2 capabilities. And regulations such as General Data Protection Regulation and PSD2, while rooted in Europe, will affect the authentication choices of website operators and end users around the world.

With the first core tenets of FIDO2 already available, and fine-tuning underway for WebAuthn and CTAP, the adoption barriers are lowered and the promise of a more secure Internet is well within sight.


John Fontana tracks authentication and identity standards for Yubico. He also sits on the FIDO Alliance Board and is the co-chair of the W3C WebAuthn Working Group. Previously, he followed all things identity for Ping Identity. He spent 15 years as a tech journalist for a …

Article source: https://www.darkreading.com/endpoint/webauthn-fido2-infuse-browsers-platforms-with-strong-authentication/a/d-id/1332817?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mirai Hackers’ Sentence Includes No Jail Time

The trio behind Mirai sentenced to probation and public service in return for cooperation with law enforcement and researchers.

Three men charged with creating and managing the Mirai botnet have pleaded guilty to conspiracy to violate the Computer Fraud and Abuse Act and have been sentenced to a five-year period of probation and 2,500 hours of community service. They also have been ordered to pay restitution in the amount of $127,000 and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.

Paras Jha, 22, of Fanwood, N.J.; Josiah White, 21, of Washington, Pa.; and Dalton Norman, 22, of Metairie, La., were sentenced after cooperating extensively with the FBI. As part of their sentences, the three must continue to cooperate with the FBI, law enforcement, and researchers on cybercrime and cybersecurity matters. According to court documents, the defendants have provided assistance that substantially contributed to active complex cybercrime investigations and broader defensive efforts by both law enforcement and cybersecurity researchers.

Jha and Norman also pleaded guilty to the same charge in relation to the Clickfraud botnet. The defendants’ involvement with Mirai ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Noting the defendants’ relative youth, Jeffery Peterson, special agent in charge of the FBI’s Anchorage Field Office, said, “This case demonstrates our commitment to hold criminals accountable while encouraging offenders to choose a different path to apply their skills.”

Read more here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/mirai-hackers-sentence-includes-no-jail-time/d/d-id/1332849?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Facebook wants to protect political campaigners from hacking

Facebook has launched a service to help protect legitimate US political campaigns in the run-up to the midterm elections.

The service aims to safeguard user accounts by helping campaign workers to set up two-factor authentication (2FA) access, and by scanning for signs of attempted hacking.

Facebook is making the extra protections available to a select class of political operatives, namely candidates for federal or statewide office, and staff members and representatives from federal and state political party committees.

In a post announcing the move, Facebook said:

As we have seen in past elections, candidates and elected officials, as well as their staff, can be targeted by hackers and foreign adversaries across platforms, including Facebook. However, due to the short-term nature of campaigns, we do not always know who these campaign-affiliated users are, making it harder to help protect them.

After one person is approved under the pilot scheme, they can add others from their committee. Facebook will allow campaign officials to quickly report a suspected targeted attack. If the company gets a report or spots an attack itself, it will inform other members of the campaign, it said.

A year ago, Mark Zuckerberg announced the early steps that Facebook was taking to protect elections from tampering. The company promised to make political advertising more transparent by forcing advertisers to disclose which page paid for an ad, and enabling people to see all the ads that advertisers were running on Facebook, regardless of the audience. The social media giant also promised to double the number of people working on election integrity.

It vowed to strengthen its ad review policy, which Zuckerberg admitted had failed to catch Russia’s election meddling. This is in part because ad buying on Facebook is programmatic, meaning that buyers don’t have to talk to the company. This spring it introduced a policy requiring page administrators to show their government ID before running political ads.

The company has also introduced a tool that scans Facebook for content that looks like it could be from overseas organizations meddling in elections, and then tags it for human reviewers to look at.

Facebook clearly needed to do better at spotting election tampering.

After initially saying that it found no evidence of Russian election influencing, it later admitted to Congress that social media posts from Russia-backed pages designed to influence the 2016 election indirectly reached 126m Americans.

Some 3,000 advertisements from Russia’s Internet Research Agency also reached up to 10m Facebook users.

Zuckerberg also drew ire from organisers of the 2016 presidential campaigns during a Congressional testimony this April when he said that Facebook had informed each campaign of hacking attacks against them. He had to backtrack and explain that he was referring to the Republican and Democratic National Conventions, not the campaigns themselves.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KDC9fmYplWU/