STE WILLIAMS

On the Border, a border-style Mexican food chain known for “chips as big as your head,” has given notice of a data breach in a payment-processing system serving restaurants in 28 states. The company says that some customer credit card information could have been compromised on visits between April 10 and August 10, 2019.

According to On the Border, malware was installed on the payment-processing system, which then harvested information including names, credit card numbers, credit card expiration dates, and credit card verification codes. Customers who ordered through delivery services or bought catering from the company were not affected. Investigation of the incident is ongoing, and On the Border reports that it is cooperating with law enforcement.

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Home Safe: 20 Cybersecurity Tips for Your Remote Workers.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/on-the-border-warns-of-data-breach/d/d-id/1336467?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Malware threats don’t have to have a high profile to be extremely dangerous. Sometimes, even the more common strains can pose big problems.

A case in point is “Dexphot,” a cryptomining tool that Microsoft has been tracking for the past year and which the company says exemplifies the complexity and fast-evolving nature of even the more everyday threats that organizations now face.

Dexphot first surfaced in October 2018 and has since then infected tens of thousands of systems but has received little of the attention that some malware threats receive. Microsoft researchers initially observed the malware attempting to deploy files that changed literally every 20 to 30 minutes on thousands of devices.

The company’s subsequent analysis of the polymorphic malware showed it employs multiple layers of obfuscation, encryption, and randomized file names to evade detection.

Like many other modern malware tools, Dexphot was designed to run entirely in memory. It also hijacked legitimate processes so defenders couldn’t easily detect its malicious activity. When Dexphot finally did get installed on a system, it used monitoring services and a list of scheduled tasks to reinfect systems when defenders tried to remove the malware.

The authors of the Dexphot have kept upgrading and tweaking the malware in the year since it was first detected, according to Microsoft. Most of the changes have been designed to help the malware evade detection.

What makes Dexphot especially troublesome for defenders is the malware’s use of legitimate processes and services for carrying out its activity. In fact, except for the installer that is used to drop the malware on a system, all other processes that Dexphot uses are legitimate system processes, according to a Microsoft blog post.

Among them is a process for running programs in DLL files (rundll32[.]exe), another for extracting files from ZIP archives (unzip[.]exe), one for scheduling tasks (schtasks[.]exe), and PowerShell for task automation.

Dexphot also employs “process hollowing,” a tactic in which the malware is hidden inside a legitimate process such as svchost[.]exe, tracert[.]exe, and setup[.]exe. Malware hidden in this manner can be hard to find, which is why threat actors have increasingly begun using it, Microsoft says. “This method has the additional benefit of being fileless,” according to the blog post. “Not only is it harder to detect the malicious code while it’s running, it’s harder to find useful forensics after the process has stopped.”

Malware employing such living-off-the-land tactics have become a big and growing problem for enterprise organizations. A recent report from Rapid7 identified several legitimate processes that attackers are increasingly using to hide malicious activity. Rapid7 found that PowerShell is easily the most abused executable. Other popular processes include cmd[.]exe; ADExplorer[.]exe; procdump64[.]exe, rudll32[.]exe, and schtasks[.]exe.

“The continued focus on using built-in Windows functions allow the attackers to persist mostly unnoticed after their initial bypass of security controls,” Rapid7 notes in its report. Since few security tools are designed to look for threats in administrative tools and legitimate processes, the vendor explains, organizations need to monitor for known usage patterns for Windows utilities used by attackers.

Related Content:

• Ransomware Surge Living-Off-the-Land Tactics Remain Big Threats
• Destructive Malware Attacks Up 200% in 2019
• Who Made the List Of 2019’s Nastiest Malware?
• 6 Top Nontechnical Degrees for Cybersecurity

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Home Safe: 20 Cybersecurity Tips for Your Remote Workers.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/dexphot-a-sophisticated-everyday-threat-/d/d-id/1336469?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Despite concerns over software security, many companies have not assigned a cybersecurity leader to help secure their applications — a problem that will only worsen as demand for technical security experts deepens worldwide.

In data published on Nov. 21, software security firm WhiteHat Security found that three-quarters of developers are worried about the security of their applications, and about seven out of eight consider security to be an important development consideration, but only half of these teams have a dedicated cybersecurity expert. The “Developer Security Sentiment Study,” which produced the data, found that about 49% of development teams lack a dedicated cybersecurity leader and 43% prioritize deadlines over secure coding.

“While developers’ concerns about securing their code are on an upward trajectory, it’s clear the industry has a long way to go,” said Joseph Feiman, chief strategy officer for WhiteHat Security, in a statement. “Developers are on the front lines when it comes to protecting their organizations from cyberattacks, and they need the right tools and training to handle this burden.”

Holes in software security reflect the impact of companies’ shift toward more agile programming methodologies. In the past, most IT dollars were spent by the actual IT organizations, and while that’s still true, the budget of non-IT groups, such as DevOps, are growing, says Greg Young, vice president of cybersecurity at security firm Trend Micro. 

In 2020, businesses will be either a “have” or a “have-not” when it comes to security, he says.

“AppSec, cloud security, and securing DevOps are very doable, but they take new models, not just new tools,” Young says. “The ‘haves’ will manage AppSec well, such as building security into DevOps by providing container and workload security automatically and managing cloud security postures even when they are in cloud spaces the company didn’t know they owned. The ‘have-nots’ will continue to try and force DevOps into older security models, rather than adapting themselves, and miss out on innovation opportunities while getting hacked.”

Adding to the pressures on companies and their ability to incorporate security into their development and operations is the general shortage of knowledgeable cybersecurity workers. Organizations that integrate security into their development life cycles generally have better security outcomes, but the shortage in workers means they have to pay a high price to do so, says Anthony Bettini, chief technology officer for WhiteHat Security.

“Companies that are able to pay for experienced AppSec people do,” he says. “Companies whose budgets do not permit this either assign the role to someone internally or hire more junior folks from outside. The best approach likely depends on the organization based on their budget and time scale for the outcomes they desire to achieve.”

Unsurprisingly, more than half of security professionals — 52% — have burned out at their job, according to the WhiteHat report.

Companies also have to worry about newer threats that affect software development, such as locking down their application programming interfaces (APIs) from abuse and security threats. More than a quarter of companies have detected reconnaissance attempts on their API servers, which make data and services available to Web and mobile applications, according to a survey of 100 attendees conducted by CloudVector at the Cyber Security and Cloud Expo. Another 16% do not know whether they have been attacked.

“The reality is likely [that the number of attacks is] much higher given that most organizations lack the capability to detect these threats,” said Ravi Balupari, vice president of engineering and threat research at CloudVector, in a blog post. “The lack of visibility into API payloads is a major blind spot.”

Developing in-house expertise in these cybersecurity threats does not seem to be a priority either. Only 30% of developers have received some sort of security certifications in their current or previous jobs, according to the WhiteHat survey. 

There is good news, however. The vast majority of development teams — 82% — said they scan their software at least monthly, the survey found.

Related Content

• A Security-First Approach to DevOps
• White-Hat Bug Bounty Programs Draw Inspiration from the Old West
• Why Hackers Are in Such High Demand, and How They’re Affecting Business Culture
• DevSecOps: The Answer to the Cloud Security Skills Gap
• AppSec ‘Spaghetti on the Wall’ Tool Strategy Undermining Security

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Home Safe: 20 Cybersecurity Tips for Your Remote Workers.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/application-security/an-alarming-number-of-software-teams-are-missing-cybersecurity-expertise/d/d-id/1336470?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Late last week the security industry learned that a trove of public data had been exposed in an unsecured server, compromising 4 terabytes of information, or about 1.2 billion records.

The leak was discovered by security researcher Vinny Troia and first reported by Wired. All of the data exposed was publicly available: Profiles of hundreds of millions of people included home and mobile phone numbers, related social media profiles (Facebook, Twitter, LinkedIn, Github), and work histories seemingly pulled from LinkedIn profiles. Troia found nearly 50 million unique phone numbers and 622 unique email addresses, all easily accessible online.

Dave Farrow, senior director of information security at Barracuda Networks, was dismayed when he first heard mention of a security incident last week. A data breach would mean his team would have to mobilize, he says, and at the time he knew little information about the incident. Farrow initially guessed the news would be another exposed Elasticsearch cluster or Amazon S3 bucket, a fairly common occurrence he describes as “a prominent and easy mistake to make.”

When he learned more about the data leak, Farrow was relieved. The employees and customers he’s tasked with protecting “weren’t any more exposed that day than they were the day before,” he says. While data enrichment makes him “a little bit uneasy,” he adds, there wasn’t much of a change in security posture for anyone whose data was exposed in the leak.

A security incident that generates conversation typically involves a breach or exposure of comparatively more sensitive data. But this unprotected server didn’t store personally identifiable information like Social Security numbers, nor did it contain passwords or payment card data. So why did the exposure of publicly accessible data have people talking?

The amount and type of information exposed, and the way it was organized, could give cybercriminals the tools they need to assume other identities or launch spear-phishing attacks. As Wade Woolwine, Rapid7’s principal threat intelligence researcher, puts it: “Data in aggregate is always worth something to someone … large sums of data are worth their weight in gold.”

You Are for Sale
The server seemed to contain four separate data sets. Three were labeled to indicate they held data from San Francisco-based People Data Labs, which claims to sell contact, resume, social, and demographic data for more than 1.5 billion people. Its website advertises more than 1 billion personal email addresses, 420 million LinkedIn URLs, and 1 billion Facebook URLs and IDs.

The fourth dataset was labeled “OXY,” which is believed to contain information from data broker Oxydata, Troia told Wired. Its website claims to sell information on more than 380 million business professionals, including contact info, social profiles, industry, and education.

Data enrichment is a legal but controversial practice. “The industry exists for the purpose of influencing people and giving you access to people you want to influence,” says Farrow, who says he has heard both sides of the argument. On one hand, employees often use this data to ensure they’re not sending mailers to or cold-calling the wrong people. They could get the same information themselves on Facebook or LinkedIn; data aggregators speed up the process.

At the same time, it “feels like an intrusion on our privacy,” he says. Cybercriminals can use this leaked data to influence victims to their advantage. A leak like this gives attackers access to organized and meaningful information, as opposed to a broad data dump. It forces those affected to think twice about who they trust — about whether a message is legitimate or malicious.

Further, there is a difference between this data leak and other security breaches in which credit card numbers or passwords are stolen. “In those types of breaches, there is a clear call to action,” Farrow says. “The people whose data is leaked actually need to go out and do something.” Stolen passwords can be changed, and stolen credit cards replaced. When people give up so much personal data to tech platforms, there isn’t much they can do about how it’s used.

Responsibility to Protect Data
There are steps that can be taken to protect this data. The question is, whose job is it?

“Any company that’s holding data that might even be remotely valuable is potentially at risk of having it stolen,” Woolwine says. “It gets progressively worse as sensitivity of the data goes up.”

There are certain businesses in which the customer’s security posture has a direct impact on the organization, and this is certainly true for data aggregators, Farrow adds. Sean Thorne, co-founder of People Data Labs, told Wired that customers are responsible for securing data on their servers. While the company does free security audits and consultations, it isn’t accountable.

Woolwine suggests it may be time for the government to get involved with helping the industry move forward in implementing penalties for securing information. “I don’t think that without some kind of authoritative oversight, the smaller players are going to get their act together to secure that data,” he explains.

In the meantime, security practitioners should chat with their business colleagues about the best practices involved with data handling. Most business professionals know sensitive data must be encrypted, he says, but the process for handling less-critical information – like that exposed in this leak – should also be evaluated. A scenario like this could prove damaging to a company’s reputation if customers learn their data is mishandled or left exposed on the Web.

“An event like this should be a wake-up call to everybody that handles sensitive data to make sure they coordinate with their security teams to ensure the controls most teams are tasked with putting in place are actually applied so an accident like this doesn’t happen,” Farrow says. “There are all good reasons to protect it, and no good reasons to expose it.”

Related Content:

• When You Know Too Much: Protecting Security Data from Security People
  
• 6 Top Nontechnical Degrees for Cybersecurity
  
• DDoS: An Underestimated Threat
• Tushu, Take Twoshu: Malicious SDK Reappears in Google Play

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Home Safe: 20 Cybersecurity Tips for Your Remote Workers.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/application-security/the-implications-of-last-weeks-exposure-of-12b-records/d/d-id/1336471?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In 1964 the world learned that a spoonful of sugar helps the medicine go down. It was not the first time a key principle of gamification was said out loud, but it might well be the catchiest. In 2019 tidying up has changed hands from Mary Poppins to Marie Kondo, but the idea that making a task enjoyable makes it more likely to be done has been embraced by the business world — and cybersecurity training.

Merriam-Webster defines gamification as “The process of adding games or gamelike elements to something (such as a task) so as to encourage participation.” And for many responsible for turning new hires from security vulnerabilities into security assets, it’s a key strategy in keeping them focused on their training.

“There are numerous studies that show that gamification not only increases engagement but it increases learning retention,” says Hewlett Packard Enterprise (HPE) cybersecurity awareness manager Laurel Chesky. She says that HPE has increased the degree to which it uses gamification in cybersecurity training because it has seen positive results with the technique.

Within HPE, Chesky says, there is mandatory basic cybersecurity training but much more training is available on an optional basis. “We want them to come and engage with us and consume the common-sense information,” she says. “If we aren’t doing that in a fun and engaging way they simply won’t come back to us. So we have to do that through gamification.”

How to Keep the Fun Factor Up

Moving training to a gamified basis can be effective but, like anything, it can become rote and routine if done poorly, say some. “Gamification is great, but you need variety,” says Colin Bastable, CEO of Lucy Security. “Variety is the spice of life. So I think that gamification is very valuable as part of a broader strategy.”

“I think our training metrics definitely reflect the larger engagement,” Chesky says. “We started off in a very grassroots, DIY type of gaming, with a web-based trivia game that we created. It’s very simple. It’s set up like Jeopardy and we can go online and pick a question for 200, 400, 800, or a thousand points. It’s very, very simple to create and we did it in-house,” she explains.

Joanne O’Connor, HPE cybersecurity training manager, created a different game called “Phish or No Phish” that uses the Yammer collaboration system as a platform. She will post an image on a channel and ask participants whether or not it’s from a phishing email intercepted by the company’s cybersecurity team. Employees providing the correct answer are able to win recognition points exchangeable for various prizes.

These games address the kind of training that Bastable believes is most suitable for gamification. “I would say that it works better for the short, sharp, pointed awareness training as opposed to a long and detailed course,” he explains. “Generally, I would say that what you want to do is is create an environment that engages rapidly and that engages people where another format might not.”

O’Connor says that many of their games are designed to be completed within about 20 minutes — experiences that allow the employee to engage deeply to learn a single facet of cybersecurity.

The Science of Fun

Some academic research, like that of Michael Sailera, Jan Ulrich Henseb, Sarah Katharina Mayra, and Heinz Mandla, explores the reasons that gamification can be effective in training. They point out that self-determination theory says that three psychological needs must be met: The need for competence, the need for autonomy, and the need for social relatedness.

In their research, the researchers found that, “…the effect of game design elements on psychological need satisfaction seems also to depend on the aesthetics and quality of the design implementations. In other words, the whole process of implementing gamification plays a crucial role.”

Bastable says that there’s a common assumption that gamification is something that is effective for younger employees and less so for older workers. He says the reality is that it can be effective for all employees, though different individuals may respond to different types of game mechanics (the way the game looks and is played).

O’Connor agrees. “It’s something that we think about a lot with our new employees being, of course, younger folks and we need to reach them. But really we think it reaches everybody,” she says.

Chesky believes that the tide has turned toward gamification in all types of enterprise training. “I think you see it now in a lot of corporations on an industry level,” she says. “I think you’ve definitely seen most corporations and of course the industry moving towards that for all different kind of mandated company training because it works,” Chesky says. “It’s all about engagement.”

Related content:

• How HR and IT Can Partner to Improve Cybersecurity
• How Data Security Improves When You Engage Employees in the Process
• How Gamers Could Save the Cybersecurity Skills Gap
• 3 Tips for Driving User Buy-in to Security Policies
• Email Threats Poised to Haunt Security Pros into Next Decade

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Home Safe: 20 Cybersecurity Tips for Your Remote Workers.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/gamification-is-adding-a-spoonful-of-sugar-to-security-training/b/d-id/1336472?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple