STE WILLIAMS

The Security Costs of Cloud-Native Applications

More than 60% of organizations report the bulk of new applications are built in the cloud. What does this mean for security?

Businesses are increasingly reliant on cloud-native applications despite the strong, broad perception that use of the cloud will drive security risks. So, where are the security gaps and which issues are top of mind?

The data comes from “The State of Cloud Native Security,” a new study sponsored by Capsule8, Duo Security, and Signal Sciences. Researchers polled 486 senior-level decision makers and security pros from companies generating at least $250 million (50%) or at least $1 billion (50%) in revenue across eight industries, including financial services, tech, education, retail, government, nonprofits, manufacturing, and transportation.

They found 62% of companies rely on cloud-native applications (CNAs) for more than half of their apps, a figure predicted to hit 80% over the next three years. More than half of respondents believe CNAs increase their risk and view security as a barrier for adoption.

Visibility into cyberattacks is one security concern at top of mind: 73% of respondents say they lack actionable insight into threats and ongoing attacks. At a network level, poor visibility leads to spurious alerts, explains Capsule8 CEO John Viega. And as cyberattacks increase, so does the rise of security notifications: Only about one-third of businesses surveyed could address more than 75% of alerts their company receives.

False positives are another key issue plaguing IT and security environments: 46% of respondents say more than half of production environment alerts were false positives. Poor analytics is the top driver of false positives, according to nearly half of security and IT experts polled.

Employees in more traditional environments “throw algorithms at the problem” and try to gather and process more data as a means of improving threat detection, Viega explains.

However, in a cloud-native environment, “we’re finding the biggest wins come from first improving the quality of the data before you improve the algorithms,” he says. Instead of evaluating massive amounts of traffic at high speed, companies using CNAs have access to the cloud provider’s API and can analyze data in a way that won’t affect system performance.

As cloud infrastructure and applications take on a bigger role in production environments, security becomes a greater priority. The biggest concerns here are malware on servers (32%), targeted attacks from known threat actors (17%), and zero-day attacks (12%).

Nearly half (48%) of respondents say an attack has done damage to production environments, resulting in system damage (48%), loss of customer data (44%), and loss of financial data (31%).

Motivating the Move to Cloud
Researchers pointed to three primary drivers for the move to cloud-native apps: nearly 40% of respondents say they’re “modernizing the most critical parts of the business.” Thirty-one percent cite new software development, stating this is the way software is built now, and 29% report operational cost savings.

The larger the organization, the more likely it will rely on cloud-native apps for new deployments. For example, 55% of companies with $250 million to $499 million in revenue have most of their new apps running as cloud native. That number jumps to 60% for companies with $500 million to $999 million in revenue, 63% for those with $1 billion to $4.9 billion in revenue, and 71% for those with $5 billion to $9.9 billion in revenue.

However, that’s where things take a turn. Businesses with more than $20 billion in annual revenue are “a bit more on the conservative side,” experts report. Only 61% deploy more than half of their applications as cloud native; 23% use less than a quarter cloud-native apps.

CNA usage also varies by industry. Government institutions, for example, are least likely to extensively use them, and only 46% report the majority of their new apps are native to the cloud. On the other side of the spectrum are education, which reports 70% reliance on CNAs, along with financial services and technology (67% each), and 65% of retail companies.

“The people who are leading are not regulated and build a lot of software,” Viega points out, using media companies and tech companies that grew up in the cloud as examples. Businesses in regulated environments tend to move less mission-critical applications to the cloud first.

“For a large financial institution, the consumer-facing platform might be one of the last things to go because that will get a tremendous amount of oversight,” he says as an example.

Rethinking Security
Companies polled experienced at least twice as many cyberattacks this year compared with last year, researchers found. Viega says the increase isn’t necessarily due to cloud.

“In many respects, the bad guys are the same and using the same techniques,” he explains. Fifteen years ago, applications were made up of 90% custom code and 10% open source — today, it’s about 80% to 90% open source and a little bit of custom code. This “definitely changes the equation a bit,” he adds, as it gives the attacker more visibility into what he might exploit, regardless of whether an application is running in the cloud or not.

He advises companies to rethink security as they adopt cloud and not to “lift and shift” the way they do security in their traditional environments. You’ll find it doesn’t give scalability and cost-effectiveness, he says. In fact, fitting “a square peg in a round hole” can worsen security.


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/the-security-costs-of-cloud-native-applications/d/d-id/1332840?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Internet-Connected CCTV Cameras Vulnerable to ‘Peekaboo’ Hack

Zero-day flaw in China-based NUUO’s video recorder technology still unfixed three months after vendor was alerted.

A security flaw in a widely used network video recorder technology has put potentially hundreds of thousands of CCTV cameras worldwide at risk of crippling attacks including remote hijacking.

The so-called Peekaboo flaw exists in NUUO Inc.’s NVRMini2, a network-attached storage device that allows organizations to view and manage up to 16 connected CCTV cameras at once. NUUO uses the technology in its own products and also licenses it out to a large number of third-party surveillance system makers and systems integration partners.

Security vendor Tenable, which recently discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and some 2,500 different camera models installed in industries such as retail, transportation, banking, and government. NUUO was informed of the issue on June 5, 2018, but the China-based surveillance technology vendor had still not addressed the issue as of the morning of Sept. 18, Tenable said.

Peekaboo is another troubling reminder of the risks that organizations face from IoT devices. The Mirai malware attacks of October 2016 were the first to demonstrate how adversaries can take advantage of weakly protected CCTVs, webcams, and other Internet-connected devices to create botnets for launching massive DDoS attacks and distributing malware. Since Mirai, several other IoT-targeted malware tools have become available, including, most recently, the GafGyt malware family.

“As more IoT devices like video surveillance cameras are connected to corporate networks, the enterprise attack surface will continue to expand,” says Jacob Baines, senior research engineer at Tenable. “What’s important to remember is that these modern assets introduce new risks that must be dealt with,” Baines says.

To quell risk to these devices, organizations first need to understand their attack surface so it can be protected. While Peekaboo is serious, it certainly is not the first or last vulnerability of its kind, he says.

Peekaboo, which Tenable revealed in an advisory on Monday, is an unauthenticated stack buffer overflow that could be exploited to carry out activities like tampering with recordings or remotely viewing a camera feed without authorization.

The flaw enables full system access, so attackers can intercept the recordings and feeds of all cameras that might be attached to a vulnerable NVRMini2 video recorder instance. That would allow an attacker to replace live feeds with static images of an area that might be under surveillance, or to tamper with stored footage in order to hide malicious activity.

“For Internet-connected devices, the attack is fairly simple, as the vulnerable code path is accessible to the cybercriminal,” Baines says. But it is considerably harder to exploit the flaw in devices that are properly firewalled on an internal network. That would require an attacker to break into the network in order to access vulnerable devices.

Baines says exploiting the flaw is beyond the capabilities of a novice hacker. At the same time, you don’t need to be a “grizzled vet” to write it, either. “Understanding ARM assembly, Linux memory layout, ROP, and buffer overflows takes time and isn’t trivial. But, the necessary skills are fairly easy to come by in the hacker community,” Baines says.

For now, organizations with the devices must wait for NUUO to fix Peekaboo. OEM vendors and integrators also will most likely need to wait on NUUO to address the vulnerability, he says.

Interestingly, NUUO’s NVRMini2 video recorder also has a mystery backdoor built into it. The bug has been rated as medium severity, though, because among other things it’s only enabled when a file with a specific name exists on the system. To create such a file, an attacker would need some form of access to the device, either physically or through some other exploit.

If enabled, the backdoor would allow an attacker to list all user accounts on the system, change account passwords, view recordings, or remove a camera from a system entirely, Tenable said. It’s unclear if the code is something that was left behind during development – or whether it was maliciously inserted. “We can’t speculate on how the backdoor ended up in NUUO’s software,” Baines says.

News of the vulnerabilities in NUUO’s technology comes just weeks after President Trump signed into law the Defense Authorization Act of 2019 which among other things prohibits US government agencies, federal prisons, and military branches from buying technologies from some Chinese suppliers. Among the banned items are video surveillance cameras from Dahua Technology Company and Hangzhou Hikvision Digital Technology Company.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/iot/internet-connected-cctv-cameras-vulnerable-to-peekaboo-hack/d/d-id/1332841?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

91 “child friendly” Android apps accused of exploitation

Kids? So tough to monetize!

That’s what the CEO of one mobile game maker – Tiny Lab Productions’s Jonas Abromaitis – has lamented:

There is a low buying power of our players who are mainly under 13 years old. It’s hard to convince them to spend their money on additional game items or levels as most of them have to ask their parents for the purchase.

Tiny Lab, however, has its ways. At least according to what the attorney general for the US state of New Mexico alleges.

Last week, Attorney General Hector Balderas filed a lawsuit charging Tiny Lab, as well as Twitter’s and Google’s advertising platforms, with surreptitiously grabbing kids’ information so as to profile them and target them for “commercial exploitation.”

According to Balderas, Tiny Lab is the maker of 91 games clearly targeted at kids or toddlers, with names like Fun Kid Racing, Candy Land Racing, Baby Toilet Race: Cleanup Fun, GummyBear and Friends Speed Racings.

On Wednesday, he put out a full list of game titles in an announcement about the lawsuit.

It’s illegal to track children online. They’re protected by the Children’s Online Privacy Protection Act (COPPA), which prohibits improper tracking of under-13s, including for advertising purposes. Unless they collect explicit, verifiable permission from parents, children’s sites and apps aren’t supposed to collect personal details such as names, email addresses, geolocation data and tracking codes – such as cookies – for use in targeted ads.

Google got in trouble for monetizing kids a few months ago: in April, a group of 23 child advocacy, consumer and privacy groups filed a complaint asking the Federal Trade Commission (FTC) to make YouTube stop illegally making “substantial profits” from children’s personal data.

Researchers at the International Computer Science Institute published an analysis of 5,855 Android apps that claimed to comply with the Google Play Store’s Designed for Families (DFF) program. When it comes to privacy and secretive surveillance, that DFF program turns out to be a hot mess.

The researchers found that 40% of the apps were transmitting personal information “without applying reasonable security measures” (SSL/TLS encryption), while another 18.8% were sharing data with third parties that could be used to identify children and their devices for profiling.

More than half of the apps, including those from Tiny Lab, were found to be sharing details with outside companies in ways that may have violated the law.

Out of the 91 gaming apps listed in New Mexico’s lawsuit last week, all but five of them are now or have been participants in the DFF program, Balderas says.

Can we trust Google’s family friendly app store?

Google introduced DFF in 2015, informing Android developers that any apps that were “primarily child-directed” had to participate in the program and that developers must confirm that their apps complied with child-protection rules. Google said the intent was to help parents find “suitable, trusted, high-quality apps and games” for their children.

In spite of being part of DFF, Tiny Lab’s apps aren’t behaving themselves around kids, Balderas told the New York Times:

These sophisticated tech companies are not policing themselves. The children of this country ultimately pay the price.

Tiny Lab’s Abromaitis told the Times that his company’s apps are directed not specifically at children under 13, but rather at a broader category called “mixed audiences.” That’s an important difference: by labelling an intended audience as “mixed,” apps can get away from COPPA’s requirement that gaming apps need parental consent to track users under 13.

5% of the apps tested by the International Computer Science Institute were collecting children’s location or contact information – without their parents’ permission.

New Mexico AG Balderas says that the risk isn’t just that kids could be stalked, but that collecting this type of sensitive personal data puts it at risk of being exposed in a breach:

These apps can track where children live, play, and go to school with incredible precision. These multi-million-dollar tech companies partnering with app developers are taking advantage of …children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.

A Google spokesman told the Times that developers are responsible for declaring whether their apps are primarily for children, and that apps in the store’s family section “must comply with more stringent policies.”

A Twitter spokesman told the Times that the company’s ad platform, MoPub, doesn’t allow its services to be used to collect information from children’s apps for targeted advertising and that it suspended the maker of Fun Kid Racing in September of 2017 for violating its policies.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_8ShdsCXIJY/

Hackers selling research phished from universities on WhatsApp

Iranian hackers have reportedly breached top British universities – including Oxford and Cambridge – to steal what the Telegraph says are “millions” of papers and academic research documents that they then put up for sale via WhatsApp and websites.

The publication reported on Friday that much of the subject matter is bland, but some of the papers covered topics including nuclear development and computer encryption.

Whoever stole the papers is reportedly selling them on Farsi language websites in addition to the end-to-end encrypted WhatsApp messaging app, where they’re going for as little as £2 (USD $2.63).

The intellectual property theft was initially reported last month by Secureworks researchers who discovered a URL spoofing a login page for a university: the tip of what turned out to be a credential-stealing iceberg.

A deeper dive uncovered 16 domains containing over 300 spoofed websites and login pages for a global campaign targeting 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the UK, and the US.

Secureworks tied the campaign to the Iranian government.

In February, the US indicted nine Iranian nationals for alleged computer intrusion, wire fraud, and aggravated identity theft. The indictment alleged that the men were involved in a scheme to obtain unauthorized access to computer systems, steal proprietary data from those systems, and sell the stolen data to Iranian customers, including the Iranian government and Iranian universities.

According to the FBI, each of the nine was affiliated with the Mabna Institute: a private government contractor based in Iran that worked for the Islamic Revolutionary Guard Corps.

The FBI says that plundered organizations included about 144 US universities, 176 foreign universities in 21 countries, 5 federal and state government agencies in the US, 36 private companies in the US, 11 foreign private companies, and 2 international non-governmental organizations.

The hackers allegedly obtained access to university systems and research databases by phishing university staff and students, prompting them to reset their passwords at the spoofed domains that Secureworks uncovered last month.

Universities are, of course, a plum target for cyberattackers, given the extremely valuable intellectual property that comes from research projects – particularly those concerned with national infrastructure, technology, and defense, be it cyber or on the battlefield.

After first discovering the spoofed sites, Secureworks’ Counter Threat Unit Research Team said that the threat underscored the importance of incorporating multi-factor authentication using secure protocols, plus implementation of complex password requirements on publicly accessible systems.

We don’t have much detail on how much of the stolen material was due to be published anyway, phishing campaign or no phishing campaign. How much cryptography research done at universities is top-secret, for example?

Neither do we know how much of the material was stolen from behind some sort of paywall that has nothing to do with secrecy or national security, as was the case with the “thefts” allegedly pulled off by Aaron Swartz.

Swartz allegedly used MIT’s network to download a mass of academic articles from the not-for-profit academic journal archive JSTOR in contravention of his entitlement, with the aim of republishing them without restriction.

Were some of the documents stolen from behind what were genuinely supposed to be closed doors with restricted access? Or classed as “stolen” because they weren’t officially released yet?

In short, we don’t know how much of the material being offered “for sale” was actually stolen. We do know, however, that thieves don’t necessarily discriminate: they just grab whatever they can get, then they – or their paying clientele – figure out what they got away with.

Better to keep them out to begin with, rather than assume that we shouldn’t break a sweat about any of the stolen documents, no matter how bland they might appear at first blush.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/A6D4aZ3hyH4/

Biz! Formerly! Known! As! Yahoo! Settles! Data! Breach! Cases! To! The! Tune! Of! $47m!

The company formerly known as Yahoo! is close to settling cases related to the mammoth data security breach it covered up almost four years ago at a cost of around $47m.

In its latest SEC filing, Altaba, as Yahoo is now known, said various legal actions spawned by the 2014 attack were nearly resolved.

Yahoo! execs knew that Russian hackers had stolen the firm’s entire database of hundreds of millions of usernames, email addresses, phone numbers, encrypted passwords and security questions just days after the break-in happened, in December 2014.

However, they waited two years to ‘fess up, only doing so when Verizon was in the process of buying its operating business – prompting a whopping fine from the SEC and various lawsuits.

Altaba said the parties in the consumer class-action suit had reached an agreement in principle to settle all pending claims, subject to certain conditions, which includes court approval.

If a definitive agreement is reached, and the court approves this, the firm will be responsible for half the total costs and Verizon – which entered into a commitment when it acquired the firm’s legacy internet business – for the other half.

The parties in the shareholder derivative litigation have negotiated a definitive deal, Altaba said, while a court has approved a settlement in its federal securities class-action case.

The firm said it would be forking out an additional $47m for litigation settlement expenses as a result of the developments in the three cases.

“These developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach,” Altaba’s chief exec Thomas McInerney said in a letter to shareholders.

The holding firm also confirmed it had completed the sale of its remaining Yahoo! Japan stake at $3.16 a share, with the sale of $4.3bn of stock, making it now mostly a holding company for its stake in Chinese giant Alibaba. It has nearly a 14.9 per cent holding in the firm.

Altaba has confirmed a $5.75bn share repurchase with the proceeds of this sale and the related sale of $2bn of Yahoo! Japan stock to SoftBank. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/18/biz_fka_yahoo_settles_data_breach_cases_for_47m/

Overhauling the 3 Pillars of Security Operations

Modern apps and the cloud mean that organizations must now rethink older security practices.

Change is hard — especially when what needs to be changed has made progress against long-pursued goals. Transitions involving digital transformation, cloud migration, and application architecture are disrupting security operations in fundamental ways. Just as orchestration and automation, machine learning, and collaborative defense enable progress for traditional defenses, new challenges of modernizing IT — including increased threat surface area, transient infrastructure, and growing use of apps and the cloud — demand new approaches for the core defense functions of threat detection and investigation.

A large majority of security pros surveyed in our “2018 Global Security Trends in the Cloud” report observe that as their organization transitions to the cloud, there is a corresponding increase in the need for security and operations to collaborate, sometimes awkwardly, during threat detection and investigation. Further, over 80% of respondents note the need to examine threats at both the application and infrastructure layers. While a surprising 93% say current security tools are ineffective for the cloud, many assert that several traditional categories such as security information and event management (SIEM) — which create cumbersome silos of data, analytics, and workflow — should be completely rethought for the cloud.

The interests of the status quo advocate incrementalism to address these issues, such as bringing cloud data into the traditional SIEM, automating manual workflows, and layering additional tools for specialized analytics. But many security leaders see the need for a more disruptive break with the past to address three weaknesses of current security practices:

1. Siloed security can’t understand and respond to the new generation of attacks.
One dilemma in security for cloud and modern application development/deployment is that the knowledge needed to pursue an investigation to its conclusion often is divided between two groups. Security analysts understand the process of investigation and the broad context, but only the operations team is apt to understand the essential specific context — application behavior and customer content, for example — needed to interpret and hypothesize at many steps in a security investigation.

“Dual-ticket” workflows in which cloud and ops teams have unique insight on application and network performance, DevSecOps workflows in which deep knowledge of the application is needed to map vulnerabilities to threat-detection methods, and investigation workflows that demand specific understanding of microservice logging practice are all good examples of where security must be democratized across groups as IT modernizes.

While separate silos for operations and security investigations made sense for classic on-premises systems, modern cloud deployments and application architecture demand a seamless back-and-forth workflow where, at each step, the skills and perspective from both operations and security can properly interpret the results of queries, evidence uncovered, or unfamiliar data. Despite the uncomfortable change on many levels, enabling collaborative real-time workflows is the only real answer.

2. Current-generation security tools lack essential application and cloud context.
Current tools rely too much on comfort zones with traditional infrastructure. Containers, microservices, distributed applications, DevSecOps — all of these trends create massive threat surface areas that demand security defenses have new insights into data. Specifically, much deeper insight into application layer and cloud context is needed for many workflows. Examples include cross-site scripting attacks, mapping microservices to dynamic infrastructure, and external customer behavioral analytics in production security.

Distributed applications in the cloud, container orchestration, and complex hybrid and multicloud use cases will continue to exacerbate the blind spots of traditional infrastructure-focused security. Developing new cloud and application insights with pattern recognition, machine learning, and context capture, and then packaging these insights for practical use, is one of the next frontiers in the evolution of security.

3. Humans and machines must collaborate 100x faster.
Many security operation centers are already at the breaking point with growing backlogs of investigations and reactive triage. An often-quoted statistic is that less than 10% of investigations are completed in a typical security operation.

Cloud and modern application transitions multiply the threat surface many times over, generating staggering volumes of data that need to be rapidly assimilated for insights. Further, cross-enterprise collaboration is requiring new models of distributed knowledge transfer because investigation workflows need to be shared across both security and operations.

Industry hype suggests artificial intelligence, machine learning, and improved automation will rapidly replace humans in every workflow in the next few years, but the reality is that there will be a long transition in which optimizing human and machine collaboration is essential to scale the defense. Although much can be automated, human context is still essential in many security workflows.

Breakthrough innovation in search speeds, data navigation and workflow learning will be needed to connect the dots across large and dynamic data sets. Furthermore, to keep pace, many investigation workflows must compress to minutes from the current hours — and sometimes days — despite the worsening data avalanche problem that is a result of cloud and application transitions.

Many enterprises are rethinking architectures, workflows, and tooling to tackle these challenges. The accelerating rate of the underlying transitions to cloud, digital transformation, and new application architectures is putting pressure on the pace of change.

Dave Frampton is Vice President of Security Solutions at Sumo Logic, the leading cloud-native machine data analytics platform. He leads the development of security analytics solutions that solve the emerging challenges of cloud and modern application architectures. Before …

Article source: https://www.darkreading.com/threat-intelligence/overhauling-the-3-pillars-of-security-operations-/a/d-id/1332788?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GovPayNow Leak of 14M+ Records Dates Back to 2012

Thousands of US state and local governments use the service to process online payments for everything from traffic tickets to court fines.

Government Payment Service (GovPayNet) has been alerted to a leak of more than 14 million customer records dating back to 2012, KrebsOnSecurity reported this week.

GovPayNet is used by nearly 2,300 government agencies in 35 states to process online payments for traffic tickets, bail payments, court-imposed fines, and other fees. The service operates under the Web domain GovPayNow.com, which was found leaking customer data including names, addresses, phone numbers, and the last four digits of credit card numbers.

When users pay the government via GovPayNow, the site displays an online receipt. Up until this past weekend, anyone could view millions of customer records by changing digits in the Web address displayed on each receipt, according to KrebsOnSecurity, which says the leak dates back at least six years. GovPayNet says it “has addressed a potential issue” and updated its online system so only authorized users can view their individual receipts.

There is no indication anyone has used this level of access to cause users harm, the company reports, adding that these receipts don’t contain enough data to process a financial transaction. Further, it says, most of this data is public and can be accessed through other means.
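The GovPayNow leak is a textbook insecure direct object reference: the receipt number in the URL was the only thing the server consulted, so changing a few digits returned someone else’s record. The following is an added example, not GovPayNet’s code, that puts the leaking lookup beside two hardened forms: an ownership check tied to the logged-in account, and an opaque token that replaces the guessable sequential id. The in-memory store, account ids, names and card digits are constructed for illustration.

```python
"""Receipt lookup: the leaking pattern beside a hardened one.

Added example, not GovPayNet's code. The in-memory store, account ids,
names and card digits are constructed; a real service would back this
with a database and a server-side session.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Receipt:
    receipt_id: int     # sequential number, the kind that ends up in a receipt URL
    payer_id: str       # account that made the payment
    payer_name: str
    card_last4: str


# Constructed sample records. Sequential ids mean every neighbour is guessable.
RECEIPTS: Dict[int, Receipt] = {
    100001: Receipt(100001, "acct-alice", "Alice Example", "1234"),
    100002: Receipt(100002, "acct-bob", "Bob Example", "5678"),
}

# Opaque receipt references handed out in URLs instead of the sequential id
TOKENS: Dict[str, int] = {}


def lookup_receipt_insecure(receipt_id: int) -> Optional[Receipt]:
    """The leaking pattern: the id in the URL is the only thing consulted."""
    return RECEIPTS.get(receipt_id)


def lookup_receipt_secure(receipt_id: int, session_payer_id: str) -> Optional[Receipt]:
    """Ownership check: a record is returned only to the account that paid."""
    receipt = RECEIPTS.get(receipt_id)
    # Missing and foreign records get the same answer, so the id space cannot be probed
    if receipt is None or not hmac.compare_digest(receipt.payer_id, session_payer_id):
        return None
    return receipt


def issue_receipt_token(receipt_id: int) -> str:
    """Mint an unguessable reference for a receipt URL (256 bits of randomness)."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = receipt_id
    return token


def lookup_receipt_by_token(token: str, session_payer_id: str) -> Optional[Receipt]:
    """Unguessable reference plus ownership check: defence in depth."""
    receipt_id = TOKENS.get(token)
    if receipt_id is None:
        return None
    return lookup_receipt_secure(receipt_id, session_payer_id)
```

The ownership check alone restores the property the article says the fix provided (only authorized users can view their own receipts). The opaque token is an additional measure assumed here: it stops the id space from being enumerated at all, while the ownership check still applies in case a token leaks through a shared link or browser history.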

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/govpaynow-leak-of-14m+-records-dates-back-to-2012/d/d-id/1332837?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Symantec Offers Free Website Security Service for Midterm Elections

Security vendor offers US election jurisdictions its Project Dolphin phishing/website spoofing-detection service and security resources.

Symantec is the latest security vendor to offer pro bono security services to US elections commissions and political parties and candidates amid hacking and disruption concerns in the midterm elections.

The security giant is providing for free its Project Dolphin website spoof-detection and prevention service as well as resources including election security best practices and security training videos for election jurisdictions, poll workers, candidates, and political parties. Project Dolphin can, for instance, detect phishing sites posing as legitimate campaign or state election commission websites.

Election jurisdictions and parties who opt for the service would register their domains and login pages with the service so it can detect imposter sites, says Eric Chien, a Fellow with the Symantec Security Technology and Response division. Chien says the company plans to run the service for at least six months, and could expand it to the 2020 elections as well.

State and local election jurisdictions and campaigns traditionally have tight budgets and resources, especially when it comes to security. Security vendors are trying to fill that gap, especially for vulnerable elections websites, with free services for the fall midterms: Cloudflare, Google, Microsoft, Akamai, Synack, Thycotic, McAfee, Cylance, and Valimail had already announced free services.

Philanthropy aside, the pro bono services also give those vendors a foot in the door for potential future business.

US elections officials are still haunted by the Russian-meddling and hacking activities during the 2016 US presidential election, but many jurisdictions haven’t had the time or funds to make major security upgrades. While voting machine hacking has been in the spotlight since researchers easily cracked multiple machines at the DEF CON conference in 2017 and 2018, security experts say websites are the easier mark for nation-state and other hackers breaking in remotely.

“There are a lot of soft targets, like state election commissions,” Chien says. “Imagine them getting hacked and someone changes all of the polling information … or leaks and wipes [data] or changes an address and you’re not in the voter registration roll anymore.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/symantec-offers-free-website-security-service-for-midterm-elections/d/d-id/1332836?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IoT Threats Triple Since 2017

Rapidly evolving malware is posing an ever-greater threat to the IoT – and business users of the Internet.

In the first half of 2018, more than 120,000 malware modifications attacked Internet of Things (IoT) devices — triple the total for all of 2017 and more than 10 times the total for 2016, according to a new report by researchers at Kaspersky Labs.

The report shows that simple, brute-force attacks on passwords were still the most commonly used technique to breach IoT security, playing at least some part in 93% of the attacks seen. Those attacks compromised a wide variety of devices, which were then used for malicious cryptocurrency mining, DDoS attacks, enrollment in botnets, and more. While 60% of the devices that hit the Kaspersky Labs honeypots were routers, DVRs, printers, and even 33 washing machines were in the mix.

To better protect devices, researchers suggested keeping firmware up to date, changing preinstalled passwords, and rebooting devices as soon as any unusual behavior is noted.


Article source: https://www.darkreading.com/iot/iot-threats-triple-since-2017/d/d-id/1332839?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Top 5 Security Threats & Mitigations for Industrial Networks

While vastly different than their IT counterparts, operational technology environments share common risks and best practices.

Our nation’s critical infrastructure and the industrial control networks that manage them are under constant threat from a host of malicious actors — including nation-states, politically or financially motivated hackers, insiders, and disgruntled ex-employees.

Unfortunately, all industrial control system (ICS) networks share a common weakness: they were built before cyber threats existed and are not designed with built-in external security controls.

A breach of an ICS network can be disastrous and expensive. Consequences range from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk. In addition, a breach can bring heavy fines from regulators and lawsuits from parties claiming injury or damage, and it can also shake shareholder confidence.

Given these stakes, let’s consider the five most common threats to ICS networks and how to reduce the risk associated with them.

Risk 1: Poor Network Configuration
The weaker the configuration, the greater the likelihood of a successful attack. For example, once a control device has been exposed to the Internet due to a poor configuration, both phases of a breach can occur — the attacker can gain a foothold in the network and exploit a sensitive asset.

Mitigation: ICS devices should never be directly connected to the Internet. Strict network segmentation should be implemented and the integrity of the network should never be sacrificed for the sake of convenience.

Risk 2: No Audit Trail
An audit trail is essential for understanding what’s going on in any network. However, logging mechanisms in some ICS environments do not exist or are incomplete. In many cases, security teams lack the knowledge of operational technologies (OT) to know how to collect logs or where to look for them.

Mitigation: Basic record-keeping is crucial for both the incident response and the forensic investigation of an attack. It is also required for any type of regulatory compliance audit. This begins with understanding the limitations of the environment — what data is being monitored and collected, and what isn’t. One hundred percent visibility, monitoring, and control should be the goal, including the collection and aggregation of all logs.

Most ICS networks have components that generate an audit trail, but too often these capabilities are underutilized. All incidents should be automatically reported to the security incident response team, logged, and correlated via a real-time audit mechanism.

Risk 3: Lack of Control
Many ICS environments do not have basic controls for managing assets that are considered table stakes in IT networks. As a result, security hygiene in OT networks is often an afterthought and lacking in the following ways:

  • Patches can’t be easily deployed and usually aren’t.
  • There’s no centralized, up-to-date inventory of assets, configurations, software versions, patch levels, etc.
  • Internal security policies are not monitored or enforced.
  • The security model is based on an “if it works, better not mess with it” paradigm.

Mitigation: Implementing a centralized and automated asset management capability for OT networks is crucial. Without an up-to-date and accurate inventory of ICS assets, especially the controllers responsible for managing physical processes, it is virtually impossible to assess risks, apply patches, and detect unauthorized changes and activity.

Risk 4: Employee Ignorance
Just as in IT environments, employees pose a significant risk to OT network security. Phishing attacks, social engineering, and risky browsing behaviors all threaten to punch a hole that attackers can exploit to compromise the IT network, the OT network, or both via lateral movement.

Mitigation: Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

Risk 5: Insider Attacks
Insiders in OT environments pose the same security risk as in IT environments. The source can be malicious, such as a disgruntled employee, an insider who is paid to steal or sabotage assets, or an internal account compromise attack by an outsider. An insider threat can also be unintended, caused by human error.

Mitigation: Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don’t need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats. Knowing and monitoring OT attack vectors, which are primarily the network and direct access to devices via serial ports, can also defeat these threats. Network activity anomaly detection and routine device integrity checks can identify malicious activity before it’s too late. Finally, unifying IT and OT security, because both environments are often interconnected, can help protect against attacks that originate on one network and attempt to move laterally to the other.

Despite the cultural divide between IT and OT, both environments share a common set of threats and vulnerabilities. And while the consequences of an OT security breach are decidedly more physical in nature, many of the lessons learned and best practices from IT can help prevent them.


Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several …

Article source: https://www.darkreading.com/endpoint/the-top-5-security-threats-and-mitigations-for-industrial-networks-/a/d-id/1332816?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple