STE WILLIAMS

When the audience files into a keynote session at a computer industry conference, they can be primed to hear many different words. “Moral imperative” are rarely among them. But those are exactly the words that were part of the opening at last week’s Gartner SYMposium.

Mbula Schoen, senior principal analyst for Gartner, was charged with talking about business’ role in a digital society, which she defined as “the sum of all our interactions between human and technology.” As part of the responsible business role, she says that companies must invest in a safe digital society while protecting the enterprise.

And just to put a point on it, she told the audience that, “Security is a moral imperative in a digital society.” That moral imperative covers the responsibility the company has to society at large, as well as to all of the organization’s stakeholders — partners, employees, customers, as well as shareholders.

But what does that imperative look like when turned into action? Schoen had several examples of issues IT security teams should be looking for in their work. One of the first she talked about was inappropriate use of technology.

Big, splashy examples of inappropriate technology use aren’t hard to find. Schoen pointed to the drones that were sighted near England’s Gatwick airport, closing it for 33 hours in December 2018. More insidious cases, she pointed out, could be in bias introduced in AI systems.

Researchers have known that those AI biases are a potential issue for years. But the impact of bias took on heightened urgency when it was recently shown that some AI models favored white patients over black patients for healthcare treatment. When Gartner data shows that 30% of organizations will use AI to make decisions by 2022, the potential for those critical biases to increase reaches a critical level.

In another example, Schoen pointed to the increasing collection of personal data for use by businesses. The data is being collected, processed, and stored, often without the understanding of the customer. And each of those steps requires security.

“Finding data to collect isn’t hard, but society is skeptical about how it’s being used,” she explained. As a result, “There is more regulation of privacy than ever before, and less privacy.”

ISC(2), the organization of CISSP and other cybersecurity certifications, also sees moral and ethical components to cybersecurity.

“I think [morality is] very relevant today. It’s about doing the right thing for society,” said COO Wesley Simpson in an interview at the ISC(2) Security Congress, in Orlando this week. “For every one of our 145,000 members, it’s not just about passing an exam or getting endorsed. The third component is that you have to accept, abide by, and live up to our ethical canons. That gets to the moral obligation of our members.”

Simpson pointed out that ISC(2) has, and will continue to, revoke the certification of members found to have violated moral or ethical standards within cybersecurity.

Back at Gartner SYMposium, Schoen said finding data to collect is easy, but society has become skeptical about how that data is being used and secured. To build great trust, she said, companies must institute solid information governance and provide greater transparency regarding security and privacy controls.

Finally, Schoen said every organization should institute “three Ds” regarding using and protecting user data:

• Decide to manage security and risk to protect all stakeholders
• Design to be a responsible custodian of customer data
• Drive to identify and build a societal value proposition

Here at the Edge we’re curious: How important is the moral component in your cybersecurity work? Is it the driving factor in what you do, or is morality a word best left out of the conversation among cybersecurity pros? Let us know what you think in the Comments section, below.

Related Content:

• Turning Vision to Reality: A New Road Map for Security Leadership
• 10 Steps to Assess SOC Maturity in SMBs
• GitHub Named in Capital One Breach Lawsuit
• The War for Cyber Talent Will Be Won by Retention not Recruitment
• Unmixed Messages: Bringing Security Privacy Awareness Together 

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/cybersecuritys-moral-imperative/b/d-id/1336206?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Phishing kits are growing more sophisticated as their life spans grow shorter: More than 60% of kits monitored were active for 20 days or less, Akamai researchers found in a new report on the threat. All the while, attackers rely on enterprise-based strategy to fuel their criminal business.

High-profile tech companies were the hottest phishing targets, they found in their latest “State of the Internet” research, published today. Microsoft was the most affected brand, with 62 kit variants across 3,897 domains targeting Microsoft users. PayPal fell in second place (14 kit variants across 1,669 domains), followed by Dropbox (11 kit variants across 461 domains).

Researchers followed the life cycle of each kit from the first time it was observed until the kit stopped triggering detection rules. “The fact that the average life cycle of a kit is only 20 days — from the time it goes live until it’s detected and pulled offline — shows a lot of proactiveness on the part of security teams and defenders,” says Akamai security researcher Steve Ragan.

The window of opportunity for most phishing kits is growing smaller. In a 60-day period, researchers observed more than 2 billion unique domains commonly associated with malicious activity. Of those, 89% had a lifespan of less than 24 hours; 94% lasted less than three days. Short-lived top-level domains (TLDs) (for example, .gq, .loan, .tk) have a median lifespan of 24 hours. Availability of cheap name registration for TLDs such as these is a “boon to criminals,” researchers say, as it makes detection by defenders more difficult as the names so briefly live in traffic.

For phishing kits, age is more than just a number. New domains, less than a month old, are often flagged by security tools as suspicious. Researchers track domain registrations and often report domains that raise red flags. However, criminals can take advantage of TLDs at a given registrar, buy them in bulk, and rotate through them during a campaign. This lets them operate even if one, or several, of their domains is flagged or removed, researchers explain. Of the 1.8 billion .com domains detected, 96.6% had lifespans of three days or less, which they attribute to names used for botnet traffic. Large numbers of new names are used daily, researchers say.

A campaign lasting a few days could yield hundreds of victims, but even a few hours can generate net profit. That’s all an attacker would need to cover the initial costs of domains, phishing kits, and perhaps hosting. Once they make that money back, everything else is profit.

Unpacking a Phishing Kit
Phishing kits are rarely consistent in their development; however, researchers detected a few patterns in their distribution. For starters, kits usually focus on gaming, banking and finance, and retail and consumer products. Kits may follow a development pattern, but individual kits have many variations due to development style, technical enhancements, and evasion tactics. Those used in spearphishing attacks are usually one-off creations designed for a specific task.

Developers design phishing kits to resemble target websites, a tactic usually seen in campaigns that target Apple, Microsoft, Amazon, PayPal, financial institutions, and retail companies. Criminals hope to be convincing enough to prompt a victim to enter credentials or provide data. Kits usually contain quality code, says Ragan, and the sophisticated ones are well-constructed. Attackers invest time and effort to learn development and the software development life cycle, educating themselves so they can make improvements and adjustments to the kit over time.

“It’s interesting to see how some of these kits go from basic concept all the way up to a finished product,” says Ragan. “A lot of the criminals who do phishing-as-a-service … to them, it’s a legitimate business. And they run it like one.” Operators take bug reports, fix bugs, and check the product against security services, which forces security companies to constantly update.

This “rat race,” as Ragan calls it, has forced criminals to focus on evasion. Many kits layer evasion tactics to remain hidden for longer periods of time, researchers say. Common elements include geographic limiters, which allow victims only from certain regions to access the kit, and real-time text obfuscation to block crawlers from finding a landing page. Some kits filter based on USER-AGENT and DNS resolution to exclude visitors from Tor or vendor-related addresses.

Developers may also include an IP-based blacklist to block connections from visitors coming from pre-configured IP sets belonging to security organizations like Kaspersky, Symantec, and Trend Micro. They also do the same for large Internet companies such as Google and Amazon.

“It takes a lot of manual work sometimes to find a lot of these kits because they’re getting really good at hiding them,” says Ragan of attackers’ evolving techniques. 

The proliferation of phishing kits has driven the need for attackers to get creative, he explains. As generic kits spread throughout the market, they also made it easier for less-savvy criminals to launch phishing campaigns. “You don’t need to have a lot of technical knowledge,” Ragan continues. “You just need to be able to point and click.” Further, he says, when you flood the market with a product, it becomes easier to spot and gives defenders an advantage.

Related Content:

• State of SMB Insecurity by the Numbers
• Email Threats Poised to Haunt Security Pros into Next Decade
• Old RAT, New Moves: Adwind Hides in Java Commands to Target Windows
• The Real Reasons Why the C-Suite Isn’t Complying with Security

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/as-phishing-kits-evolve-their-lifespans-shorten/d/d-id/1336220?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

As a staunch privacy advocate, I am excited that law enforcement now has access to tools to decrypt locked smartphones! But, wait! Isn’t that the opposite of privacy? Well, no, if you consider the bigger picture.

There is a battle raging right now with many governments wanting to broadly undermine privacy by weakening allowable algorithms so they can decrypt communication messages over networks and undermine device protections. The primary justification for this has been to track down terrorists and prosecute criminals. Governments contend that without any other means, bad people would be able to communicate and do illicit activities without law enforcement able to gather necessary evidence. The downside is that all people, including the innocent, would be surrendering their privacy and greatly weakening the security of everyday information.

Many people, including political representatives, are openly maneuvering to enact such laws, which, in my opinion, would weaken everybody’s privacy because all communications could remotely be captured, analyzed, and stored. Additionally, purposely weakening encryption algorithms would undermine the necessary digital security controls that protect our personal, financial, health, employment, and intellectual property. We all need the best security on the Internet to keep cybercriminals at bay. These proposed laws are far-reaching and represent a very dangerous path to pursue as the world continues to embrace digital technology. To intentionally weaken encryption opens the door to many unintended consequences. As Ben Franklin opined: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

The argument by proponents of more rigid security controls is that society must choose to either to weaken everybody’s privacy or let criminals run rampant. This is a false argument because there are other options. We currently have laws and checks and balances that allow law enforcement to monitor suspects when sufficient evidence has been presented and approved by the judicial branch of government. Wiretaps, search warrants, and evidence collection are a few allowances, but these are very specific powers and must be granted with oversight and accountability. We don’t let police invasively surveil the entire general populace and inspect their property without due cause and approval. However, we do let them investigate individuals when probable cause is present. The key is that they investigate only those who are doing something suspicious and not infringing upon law-abiding citizens.

Tech to the Rescue
With today’s technology, law enforcement has the tools to conduct pinpoint investigations and gather evidence from devices they collect during the normal investigative process. This largely invalidates the need for broadband surveillance as it restores their powers to previous limits. They can get a warrant to search and seize evidence, including bypassing locks on smartphones, to further their investigation.

Cellebrite, the infamous Israeli company that specializes in hacking hardware that can unlock smartphones, has been providing devices to law enforcement that can unlock all Android and iPhones since last year, including the latest versions, according to some reports. This allows police departments to hack into phones directly for forensic investigation, even when they are locked. In the past, for the devices that could be hacked, agencies had to send the phones directly to Cellebrite but with the new premium hardware, law enforcement agencies are able to do the work themselves, under controlled conditions. This opens up a whole new level of flexibility for criminal investigations.

This capability also has natural boundaries, which limits the potential of abuse. The agencies are vetted, so distribution is limited. The cost is somewhat prohibitive, so there will not be too many devices out there. Additionally, as a requirement from the vendor, the agency must agree to have a designated secure room where the decryption will take place. This means patrol cars won’t have them and wouldn’t be able to break into your phone during a traffic stop, for example.

Most importantly, the phone must be in the physical possession of the agency. This is not a tracer, bug, or surveillance capability that will remotely monitor thousands or millions of users on a continuous basis. Decryption is directly tied to a specific phone in possession by law enforcement.

We all want and have a right to privacy, but we also want law enforcement to be able to investigate suspected criminals and have the ability to gather the necessary evidence to prosecute them.

The solution is clear: Keep encryption strong for everyone but allow law enforcement officers the tools to investigate pinpoint situations — for example, where they have a suspect’s phone in custody as part of a legitimate search and seizure. In doing so, we avoid unnecessarily expansive surveillance capabilities and all the problems that accompany weaker digital security for our privacy, finances, and information security. The balance of freedom, justice, and liberty must be preserved.

Related Content:

• 6 Actions That Made GDPR Real in 2019
• Data Privacy Protections for the Most Vulnerable — Children
• ‘Phoning Home’: Your Latest Data Exfiltration Headache
• Privacy 2019: We’re Not Ready

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “The Real Reasons Why the C-Suite Isn’t Complying with Security.”

Matthew Rosenquist is a cybersecurity strategist who actively advises global businesses, academia, and governments to identify emerging risks and opportunities.  Formerly the cybersecurity strategist for Intel Corp., he benefits from 30 years in the security field.
He … View Full Bio

Article source: https://www.darkreading.com/risk/-hacking-phones-how-law-enforcement-is-saving-privacy-/a/d-id/1336167?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Source: J4vv4D 

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work. View Full Bio

Article source: https://www.darkreading.com/edge/theedge/10-secure-ways-to-start-a-conversation/b/d-id/1336203?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

As organizations begin to plan their cybersecurity strategy for 2020 and beyond, email security will certainly be high on leadership’s agenda. That’s because phishing attacks continue to increase in sophistication and frequency, and email remains the number one vector for all cyber incidents. In fact, 90% of all cyberattacks begin with email, and the breadth of phishing detection, prevention, and response has become the ultimate SOC team burden.

As such, one thing is clear: Enterprises are losing the email security battle. This unpopular truth exists partially because of the complex email threat landscape. After all, it’s almost impossible for any organization to proactively defend against 130 million phishing attacksper quarter, not to mention the tens of thousands of permutations associated with each. Another contributing factor is the proliferation of payload-less, social engineering-driven phishing, such as business email compromise (BEC) and account take over (ATO), which enable attackers to bypass traditional server-level email security tools and trick human defenses with relative ease.

Presently, when it comes to phishing mitigation, the industry is guilty of holding the same conversations that it’s had for the past several years. Comparing and contrasting secure email gateways. Evaluating both the real and perceived benefits of phishing awareness training. Debating the pros and cons of authentication and encryption protocols. While all three tactics remain popular, they are decreasing in effectiveness.

Thus, as we approach the next decade, it’s time to move away from the trivial arguments of yesteryear and focus on what’s needed to defeat the phish of 2020 and beyond. From decentralized threat intelligence sharing and greater public-private collaboration to automatic incident response and mailbox-level security, these safeguards are better suited to combat the future of anti-phishing because they rely on human and technical controls working together 24/7/365. 

Evolution of email security
Looking back over the past decade, email security has, admittedly, come a very long way. Eight years ago, organizations relied almost entirely on spam filters and antivirus software to protect against Nigerian scams. Eventually, antivirus products were rejected as the sole line of email defense, as attackers found creative and cost-effective ways to defeat these controls.

Phishing technique advancements prompted secure email gateways (SEGs) to enter the market, and this technology remains the most common phishing prevention method. Around the same time as SEGs, security training became part of the corporate lexicon, and employers attempted to gain some advantage over attackers by using employees to identify and corral suspicious messages. 

Unfortunately, attackers responded to the increased employee awareness and SEG technology by creating new attack techniques that bypass common email security controls. In response, many enterprises have added gamification to their security training as a means to bolster employee situational awareness while also implementing authentication and encryption protocols such as DMARC.

While such counter maneuvers are surely effective from time to time, attackers continue to have the upper hand while enterprises look toward 2020 for a silver bullet. Unfortunately, one is not going to appear.  

Email security challenges that elevate risk
The email security industry is in the midst of an intense debate over what technology, standards and protocols can deliver the most protection and reduce the most risk. The common arguments are a bit ironic when considering that successful cyberattacks continue to cost enterprises more than $1 million per incident.

The most common arguments include:

• Robust email security requires two-factor authentication.
• Adoption maintenance of protocols like DMARC are essential.
• Phishing awareness training should be mandatory for all organizations.
• Encrypt all email messages.
• Incident response requires automation. 

While none of these trending arguments are wrong per se, they all assume that email security is some sort of linear challenge that can be eradicated with a singular solution driven by either technology or people. But if history has taught us anything it’s that attackers will evolve and find a way to defeat whatever human and technical controls and enterprise deploys. 

That’s why, as we move into 2020 and a new decade, the conversations surrounding email security must evolve from comparing anti-phishing and email security tools, protocols, and trainings to resolving non-phishing email security challenges that are at the center of elevating risk. This includes the need to address SOC burden and educate the next generation of the cybersecurity workforce; decentralizing threat intelligence sharing so that organizations of all resources can protect their assets, promoting ubiquitous interoperability so that solutions can better integrate for analysts; and having an industry-wide agreed upon definition of what actually defines incident response.

Such a transformation of the email security industry will enable organizations to focus on effective anti-phishing techniques that actually address the root causes of the industry’s problems, and not just the effects. For example, by encouraging decentralized threat intelligence, organizations’ SOC teams can have access to hundreds of thousands of trending threats worldwide, allowing them to be proactive in defense instead of reactive. It’s a power of the pack mentality that suggests industry is stronger together than it is apart. 

As it stands now, attackers will continue to have the means and motives to evolve faster and more efficiently than technological advancements. But when human controls and technological controls work together to decentralize threat intelligence, automate rapid response and encourage employee collaboration, their advantage can shrink to a much more manageable level. 

Related Content:

• 4 Ways to Fight the Email Security Threat
• Email Threats Continue to Grow as Attackers Evolve, Innovate
• The Minefield of Corporate Email
• Leaderboard Shows Adoption of DMARC Email Security Protocol

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “The Real Reasons Why the C-Suite Isn’t Complying with Security.”

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software RD for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the … View Full Bio

Article source: https://www.darkreading.com/operations/email-threats-poised-to-haunt-security-pros-into-next-decade/a/d-id/1336192?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat Europe kicks off in London this December and while we’re still months away there’s already a cornucopia of interesting and practical Enterprise Briefings which shine a light on some of the most intriguing enterprise security research done to date.

Exploiting Windows Hello for Business promises to reveal several new attack vectors in the current implementation of Windows Hello for Business that might lead to privilege escalation and persistence attacks. Plus, you’ll learn about a new type of persistent Active Directory backdoor and other weaknesses, as well as get up to speed on a new toolset that can be used to scan corporate environments for the aforementioned vulnerabilities, and resolve any issues found.

In Implementing the Lessons Learned From a Major Cyber Attack you’ll have the opportunity to hear directly from a representative of Maersk about what security professionals learned in the wake of the company’s 2017 data breach. This is a rare opportunity to find out what it’s like to be on the receiving end of a major notpetya cyber-attack, and get practical advice on safeguarding your own projects against similar threats.

If you or your clients use smartcards for security reasons make sure to check out Bring Your Own Token (BYOT) to Replace the Traditional Smartcards for Strong Authentication and Signing. In this session  you’ll see what Cisco accomplished by replacing traditional hybrid smartcards (used for both facility access and IT authentication) with a “Bring Your Own Token (BYOT)” model of enterprise security. You’ll discover how users can bring their own USB tokens (compatible with Personal Identity Verification [PIV] and Chip Card Interface Device [CCID] standards) to self-provision the digital identities they need to enable strong authentication, signing and other cryptographic functions.

Get more information on these and lots of other cutting-edge content in the Briefings schedule for Black Hat Europe, which returns to The Excel in London December 2-5, 2019.

For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-europe-brings-enterprise-grade-cybersecurity-insights-to-london/d/d-id/1336218?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security professionals consider cloud applications more vulnerable to insider attacks and say insider threats are more difficult to detect since migrating to the cloud, new survey data shows.

In a survey of more than 300 security pros conducted by Cybersecurity Insiders and sponsored by Securonix, 70% report insider attacks have become more frequent in the past year and 21% have experienced more than five insider attacks in the same time frame. More than half (56%) say monitoring, detecting, and responding to insider threats is “somewhat effective” or worse.

Many seem to think cloud applications are to blame: Thirty-nine percent identified cloud storage and file-sharing apps as the most vulnerable to insider attacks, and 56% believe detecting insider attacks has grown “significantly” or “somewhat” harder since they migrated to the cloud. Despite the perceived risk, only 40% monitor user behavior across their cloud environments.

Nearly 70% of respondents said they feel “moderately” to “extremely” vulnerable to insider threats, the top motivations for which are fraud, financial gain, IP theft, corporate sabotage, and espionage. When asked about individuals who pose the greatest risk for insider attacks, 59% pointed to privileged IT users or admins, followed by contractors/service providers/temp workers (52%).

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Is Voting by Mobile App a Better Security Option or Just ‘A Bad Idea’?.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/security-pros-fear-insider-attacks-stem-from-cloud-apps/d/d-id/1336215?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple