STE WILLIAMS

Keeping a Strong Security Metrics Framework Strong

Don’t just report metrics — analyze, understand, monitor, and adjust them. These 10 tips will show you how.

It takes a significant effort by security teams to build robust metrics that serve the organization well and add value. But keeping that framework strong over time is also an area that requires strategic investment. Unfortunately, it’s an area that is often overlooked.

Here are 10 tips to help you maintain the value of your security metrics framework.

Tip 1: Check in with your audience. Metrics are developed to provide important information to the security organization’s audiences, not for the sake of the metrics themselves. As such, it’s critical to ensure that what you report addresses your audiences’ information needs, questions, and concerns. Check in with stakeholders regularly to solicit, accept, and incorporate their feedback. Your audiences aren’t a drag on your metrics, they’re the reason for them.

Tip 2: Stay alert and attuned. Don’t just report metrics — analyze, understand, monitor, and adjust them. If one or more metrics are trending in an uncomfortable direction, dig deeper to understand why and what the ramifications are for the business. Monitoring metrics continuously lets you catch that drift before the risk those metrics measure reaches an unacceptable level, and course correct if it does.

Tip 3: Ensure data accuracy. A framework is only as good as the data underlying it. You may have the most relevant and timely metrics, but if the data used to calculate them is inaccurate, inconsistent, and/or flawed, the metrics will be as well. Reliable data serves as an input to reliable metrics while unreliable data, by default, produces unreliable metrics.

Tip 4: Experiment with different models and aggregations. Maybe the way you modeled your framework and aggregated your metrics worked well for you last year. But perhaps things have changed since then and that approach will no longer work. If you’ve built your metrics modularly, you’ll be able to leverage them across a variety of different models and aggregations. Find the one that works for your present-day business environment.

Tip 5: Keep after controls. A mature metrics framework includes proper mapping back to controls. Keep after this mapping. Over time, controls may change in substance, importance, and/or priority. Further, mappings may evolve to be incorrect. Ensuring accurate mapping between controls and metrics allows the security team to continually assess and measure the efficacy of controls to the overall security posture of the business.

Tip 6: Keep after risk. Risk is not static or distinct. It is continuous, dynamic, and fluid. Keeping an eye on the changing risk landscape allows an organization to focus on mitigating the organization’s most important and relevant risks, while reducing time and resources spent on less important and relevant issues. This allows finite security resources to be applied to the maximal risk mitigation.

Tip 7: Mind your ranges. When a metric is designed and measured, it creates a data point. Usually that data point is a number or a percentage, which, in and of itself, tells very little of the overall picture and offers no context. To add important context to the risk equation, you need to set an acceptable range and acceptable deviations from that range. Over time, those ranges may require adjustment to reflect changes in the evolution of the business environment and the threat landscape which will affect the tolerance level for the various data points that you measure. Minding your ranges will ensure that your tolerances are in line with acceptable risk levels.

Tip 8: Leverage intelligence. In addition to aiding and informing preventative and detective capabilities, intelligence can also inform metrics. Good intelligence can help you stay informed of existing threats and become aware of new threats. This in turn helps you to continually assess whether or not your metrics have addressed the right set of threats to your organization.

Tip 9: Stay connected. Peer organizations, industry groups, and experts can help an organization see where it lies relative to other organizations of similar size, industry, and geography. These connections can provide essential information that will keep your metrics framework strong.

Tip 10: Be efficient. No metrics framework is sustainable if the process of putting together and reporting the metrics is a headache in and of itself. In order for metrics to be practical and to provide value on a continual basis, they need to be scalable. Consolidate data required for metrics into as few systems as possible. Leverage automated reporting and dashboards to simplify the process of generating metrics when required, ideally automatically and in near real-time. This ensures that metrics will always be fresh. It also reduces your investment into creating, designing, developing, and generating new metrics, which will, in turn, encourage innovation, creativity, and forward-thinking.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “C-Level Studying for the CISSP.”

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for …

Article source: https://www.darkreading.com/threat-intelligence/keeping-a-strong-security-metrics-framework-strong-/a/d-id/1336962?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CIA’s Secret Ownership of Crypto AG Enabled Extensive Espionage

Crypto AG made millions selling encryption devices to more than 120 countries, which unknowingly transmitted intel back to the CIA.

Crypto AG, a Switzerland-based communications encryption firm, was secretly owned by the CIA in a classified partnership with West German intelligence. For years, it sold rigged devices to foreign governments with the intent of spying on messages its users believed to be encrypted.

In an account published by the Washington Post and German public broadcaster ZDF, reporters dive into the details of a decades-long arrangement through which the United States and allies made millions selling encryption equipment to more than 120 countries into the 21st century. Crypto clients included Iran, India, Pakistan, Iraq, Nigeria, Saudi Arabia, Syria, even the Vatican.

Governments relying on Crypto devices to protect their communications did not know they were designed so intelligence officials could easily break the codes used to send messages. The operation, first known as “Thesaurus” and later “Rubicon,” intercepted correspondence that informed them of global military operations, hostage crises, assassinations, and bombings.

“It was the intelligence coup of the century,” as stated in a CIA report, one of the documents obtained by the Post and ZDF as part of their investigation. “Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”

The Swiss government has officially opened an investigation into Crypto, according to SwissInfo, the International Service of the Swiss Broadcasting Corporation. The general export license for Crypto devices has been suspended “until open questions have been clarified.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/cias-secret-ownership-of-crypto-ag-enabled-extensive-espionage/d/d-id/1337016?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What Are Some Foundational Ways to Protect My Global Supply Chain?

Assessing supply chains is one of the more challenging third-party risk management endeavors organizations can take on.

Question: What are some foundational ways to protect my global supply chain?  

Rick Holland, CISO, Digital Shadows: Assessing supply chains is one of the more challenging third-party risk management endeavors organizations can take on. A global company can easily have more than 1,000 firms in its supply chain. In the age of digital transformation, much of the supply chain consists of SaaS providers that are easier to replace than the traditional on-premises vendor. The result is a transient supply chain that continually evolves. To add even more complexity, the more mergers and acquisitions activity a firm undertakes, the more complicated its supply chain becomes. All of these factors make supply chain risk management a daunting task.

Two common deficiencies of cybersecurity supply chain programs are a lack of understanding of the types of data and access the third party possesses, as well as a prioritized list of suppliers. This is why security teams need to have robust processes in place that include both the lines of business that leverage supply chain providers and the procurement teams that handle the logistics of assessing and onboarding the vendors. The security and privacy teams must have questions that can be inserted into assessments. They should include items that give insights into what data a third party has access to, where that data resides, and who has access to it. Once an organization understands the criticality of the data a third party has access to, it can then prioritize the risk around a supplier based on the classification of that data.

With today’s technology and complexity, it isn’t pragmatic for a cybersecurity supply chain program to monitor “all the things.” However, it becomes more feasible with a prioritized list of vendors that have data or access to data that could represent a material risk to the business if stolen or abused.  

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.

Article source: https://www.darkreading.com/edge/theedge/what-are-some-foundational-ways-to-protect-my-global-supply-chain/b/d-id/1337015?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Macs See More Adware, Unwanted Apps Than PCs

The latest data from Malwarebytes show the average Mac sees almost twice as many bad apps as Windows systems, but actual malware continues to be scarce.

The average computer running the Mac operating system encountered 11 threats in 2019, nearly twice as many as the average Windows system, representing a quadrupling of threats for Apple systems, according to cybersecurity firm Malwarebytes’ annual threat report, published on February 11. 

While malware accounted for more than a quarter (28%) of the threats encountered by Windows systems, that most severe category accounted for less than 1% of the unwanted programs encountered by Mac systems, the company said. Most programs — almost two-thirds on both platforms — were “potentially unwanted programs” (PUPs), applications that are surreptitiously installed or that have questionable features. Adware accounted for the rest of the threats — nearly a third on Macs, but only 7% on Windows.

“The majority of what we detect on the Mac is adware and PUPs — these lower-level threats,” says Adam Kujawa, director of Malwarebytes Labs. “The threats themselves are not as dangerous, for sure. But the number has been increasing steadily, which is surprising for us to see.”

The increase in potentially unwanted programs and adware on Mac systems is only one trend that the company saw in 2019, the firm stated in its “2020 State of Malware” report.

A significant shift documented by the firm is that attackers are focusing more often on businesses, while attacks on consumers — which still account for the majority of detections — have slightly declined. The number of threats detected on consumer systems shrank by 2%, compared with an increase of 13% for businesses and organizations, Malwarebytes stated in the report.

“The volume of consumer detections still far outweighs that of businesses, but this trend has been reversing since 2018, when many threat actors began to shift focus to development of malware families and campaigns aimed at organizations where they could profit from larger payouts,” the company stated in the report.

Businesses faced both a surge in adware, with a 13% increase to almost 17 million detections, and an even larger jump (42%) in threats using common network security and penetration-testing tools, which topped 3 million detections.

The popular combination of Emotet and Trickbot, two Trojans, both dramatically affected businesses in the first quarter of 2019. Both often lead to ransomware infections, such as Ryuk. Emotet weighed in at No. 2 and Trickbot at No. 4 on the list of most active threat families targeting businesses.

“There really is this triple threat,” Kujawa says. “Emotet infections that lead to Trickbot infections that lead to Ryuk. We are seeing many different variations of that [attack chain] during the year.”

In 2019, the services industry, which saw a 155% increase in attacks, became the most attacked economic sector, surpassing the education sector — the most attacked industry in 2018, the company said. Among the top targeted services segments are managed service providers, because their networks are a gateway to compromise an entire client base, Malwarebytes stated.

“[Managed service providers] are becoming increasingly juicier targets for compromise in their own right, as well as for gaining a foothold into larger enterprise networks,” the report stated. “Often a victim of their own negligence, MSPs have been attacked through weaknesses introduced via mishandling of administration credentials, failure to update software vulnerabilities, poor asset management, and lack of appropriate log analysis tools.”

Attacks are also increasingly utilizing tools commonly used by red teams and penetration testers to check the security of networks. Detections of these hacking tools, such as the credential-dumping utility Mimikatz, surged 42% on business endpoints, Malwarebytes stated.

“Our detections of hacking tools found on endpoint have jumped in the last year,” Kujawa says. “These freely available penetration testing tools — which we have developed to help secure use — are being used against us in the attackers’ operations.”

The company predicts that the proliferation of attack vectors will lead to ransomware becoming even more of a problem for companies in 2020, while attacks on websites that aim to steal user data will only continue to increase as well.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/macs-see-more-adware-unwanted-apps-than-pcs/d/d-id/1337018?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybercriminals Swap Phishing for Credential Abuse, Vuln Exploits

Infection vectors were evenly divided among phishing, vulnerability exploitation, and unauthorized credential use in 2019.

Phishing attacks are growing less popular as cybercriminals learn they don’t need to manipulate targets to gain access to their accounts. Instead they are breaking in with stolen credentials and known vulnerabilities, both of which are more difficult for enterprise victims to detect.

This trend is one of many highlighted in IBM’s “X-Force Threat Intelligence Index 2020,” which aims to provide an overview of the threat landscape to security pros often caught in the weeds of day-to-day alerts. The report emphasizes today’s popular attack vectors, the evolution of malware, commonly exploited flaws, and intensified activity against operational technology.

Phishing made up 31% of attacks in 2019, a notable drop from about half of attacks the year prior, according to the report. Exploits of known vulnerabilities came in second, spiking from 8% in 2018 to 30% in 2019. In third place were incidents using stolen credentials, a technique close behind at 29% of attacks.

“From a response perspective, those are generally harder for organizations to detect,” says Wendi Whitmore, vice president of IBM X-Force Threat Intelligence, of the latter two tactics.

They’re also not hard for attackers to pull off. Ideally, every business will have patched every system, Whitmore continues, but “the reality is, most organizations are struggling.” More than 150,000 vulnerabilities have been disclosed to date, IBM reports. Flaws in Microsoft Office and Windows Server Message Block were still seeing “alarming rates” of exploitation in 2019.

Attackers are especially fond of two remote code execution flaws in Microsoft Office, CVE-2017-0199 and CVE-2017-11882, which were favorite delivery mechanisms in the second and third quarters of 2019. Both were patched in 2017, yet together they account for nearly 90% of the flaws attackers tried to exploit via spam campaigns.

Those who choose to break in using stolen credentials will find no shortage of them. More than 8.5 billion records were exposed in 2019, at least triple the amount compromised in 2018. Much of this was due to misconfigurations: records exposed through misconfigured systems increased nearly tenfold in the same time frame and made up 86% of the records compromised in 2019. The overall number of misconfiguration incidents actually fell last year, which means each one exposed more data.

“There’s so much data that attackers can leverage,” Whitmore says, and it’s easy and cheap for them to get it. Credentials are often stolen from third-party websites or taken in a phishing attack against a target business. They help attackers blend in with legitimate traffic and make them harder to find.

Ransomware Ramps Up as Malware Shifts
About half of the attacks IBM observed in the first half of 2019 were related to ransomware, compared with 10% in the second half of 2019. The fourth quarter of 2019 brought a 67% increase in ransomware incidents compared with the fourth quarter the previous year. Researchers attribute the surge to the increase in attackers and campaigns targeting a variety of organizations in 2019; in particular, municipal and healthcare providers were caught unprepared.

Attackers often use downloaders like Emotet or Trickbot to deploy ransomware on a target system. From there they use multiple stages to infect victims, a technique that gives them better control over the system so as to evade detection and controls and convince victims to pay.

Data from Intezer, which worked with IBM X-Force on the report, indicates attackers are invested in developing new code to expand their capabilities. In 2019, there was a strong focus on evolving codebases of banking Trojans and ransomware while building cryptominer strains.

Banking Trojans had the highest level of new code (45%) in 2019, followed by ransomware (36%). Researchers believe these malware families will target enterprise users in 2020. “[This activity] means attackers are dedicating time to rebuilding code, rebuilding infrastructure, because these attacks are so effective,” Whitmore explains.

Most of these code changes are not significant, she adds. Attackers are primarily trying to evade detection, so they’ll do a “cheap quick fix” so code slips past security tools. Still, their investment in changing code likely means we’ll see these attacks taking place for a long time. 

Targeting Operational Tech  
IBM X-Force data shows a 2,000% increase in incidents targeting operational technology (OT) since 2018, which could indicate a greater interest in attacking industrial control systems (ICSs) in 2020. Most of these incidents leveraged known flaws in SCADA and ICS hardware combined with credential attacks against ICS targets: password spraying (a few common passwords tried across many accounts) and brute-force login attempts (many passwords tried against one account).
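The credential attacks this report describes, stolen-credential logins that blend in with legitimate traffic (above) and the password-spraying and brute-force attempts against ICS hosts (this section), leave a recognisable shape in authentication logs. The following is an added example, not IBM's or Dark Reading's code. It parses sshd-style auth lines (the sample is constructed; the hostname and the RFC 5737 addresses are placeholders), separates spraying from brute force by the ratio of accounts to attempts per source, and escalates when the same source then logs in successfully, which is the moment an attacker starts to look like a legitimate user.

```python
"""Detect credential abuse in sshd-style auth logs: password spraying (many
accounts, one or two tries each), brute force (one account, many tries), and
a successful login from the same source right after either pattern.
Added example; the log lines are constructed, not from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: hypothetical host, RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Feb 11 10:01:02 ics-hmi sshd[2201]: Failed password for operator from 203.0.113.7 port 51000 ssh2
Feb 11 10:01:03 ics-hmi sshd[2202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Feb 11 10:01:04 ics-hmi sshd[2203]: Failed password for invalid user engineer from 203.0.113.7 port 51002 ssh2
Feb 11 10:01:05 ics-hmi sshd[2204]: Failed password for scada from 203.0.113.7 port 51003 ssh2
Feb 11 10:01:06 ics-hmi sshd[2205]: Failed password for plc from 203.0.113.7 port 51004 ssh2
Feb 11 10:01:07 ics-hmi sshd[2206]: Failed password for invalid user backup from 203.0.113.7 port 51005 ssh2
Feb 11 10:01:09 ics-hmi sshd[2208]: Accepted password for maint from 203.0.113.7 port 51007 ssh2
Feb 11 10:05:00 ics-hmi sshd[2301]: Failed password for root from 198.51.100.9 port 40000 ssh2
Feb 11 10:05:01 ics-hmi sshd[2302]: Failed password for root from 198.51.100.9 port 40001 ssh2
Feb 11 10:05:02 ics-hmi sshd[2303]: Failed password for root from 198.51.100.9 port 40002 ssh2
Feb 11 10:05:03 ics-hmi sshd[2304]: Failed password for root from 198.51.100.9 port 40003 ssh2
Feb 11 10:05:04 ics-hmi sshd[2305]: Failed password for root from 198.51.100.9 port 40004 ssh2
Feb 11 10:05:05 ics-hmi sshd[2306]: Failed password for root from 198.51.100.9 port 40005 ssh2
Feb 11 10:05:06 ics-hmi sshd[2307]: Failed password for root from 198.51.100.9 port 40006 ssh2
Feb 11 10:05:07 ics-hmi sshd[2308]: Failed password for root from 198.51.100.9 port 40007 ssh2
Feb 11 10:05:08 ics-hmi sshd[2309]: Failed password for root from 198.51.100.9 port 40008 ssh2
Feb 11 10:05:09 ics-hmi sshd[2310]: Failed password for root from 198.51.100.9 port 40009 ssh2
Feb 11 10:09:00 ics-hmi sshd[2400]: Failed password for operator from 192.0.2.44 port 39000 ssh2
Feb 11 10:09:30 ics-hmi sshd[2401]: Accepted password for operator from 192.0.2.44 port 39001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(log_text, year=2020):
    """Return (timestamp, result, user, ip) tuples. Syslog lines carry no year,
    so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def classify(events, window=timedelta(minutes=10), spray_users=5, brute_tries=8):
    """Return {source_ip: verdict}. Per source, slide a window over its events:
    many distinct accounts with at most two failures each is a spray; one
    account with many failures is brute force. A success from the same source
    after the failures is appended as the probable compromised account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            t0 = evs[i][0]
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            fails = [e for e in win if e[1] == "Failed"]
            if not fails:
                continue
            tries = defaultdict(int)
            for _, _, user, _ in fails:
                tries[user] += 1
            if len(tries) >= spray_users and max(tries.values()) <= 2:
                verdict = "password-spray"
            elif len(tries) == 1 and sum(tries.values()) >= brute_tries:
                verdict = "brute-force"
            else:
                continue
            last_fail = max(e[0] for e in fails)
            won = [e for e in win if e[1] == "Accepted" and e[0] > last_fail]
            if won:
                verdict += " -> compromised:" + won[0][2]
            verdicts[ip] = verdict
            break  # one verdict per source is enough to raise an alert
    return verdicts

def report(log_text):
    return classify(parse(log_text))

if __name__ == "__main__":
    for ip, verdict in report(SAMPLE_LOG).items():
        print(ip, verdict)
```

The single failed login from 192.0.2.44 followed by a success is deliberately not flagged: a typo is not an attack, and a detector that fires on it will be muted within a week. The same logic applies to Windows Security events 4625 (failure) and 4624 (success); the thresholds and window are tuning knobs, and a spray spread across many source addresses will not show up per IP at all, so aggregate by target host and time as well.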

Researchers also point to the overlap between OT and IT infrastructure: programmable logic controllers (PLCs) and ICSs reachable from the corporate network, for example, posed a risk to firms relying on them in 2019. This kind of hybrid infrastructure lets an attack on IT reach the OT devices that control physical assets, they explain, which can significantly increase the cost of recovery from an attack.

“There are more systems than awareness of those systems,” says Whitmore of OT environments. “There are more of them out there now … and that’s an area we have a lot of concern for.” She anticipates we’ll see a broader attack surface as criminals take advantage.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/cybercriminals-swap-phishing-for-credential-abuse-vuln-exploits/d/d-id/1337019?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Ransomware Will Soon Target the Cloud

As businesses’ daily operations become more dependent on cloud services, ransomware authors will follow to maximize profits. The good news: Many of the best practices for physical servers also apply to the cloud.

Ransomware is now a billion-dollar enterprise for cybercriminals, and — as in any industry — it has evolved over time to become more efficient and maximize profits. Hackers have transitioned away from launching ransomware attacks indiscriminately in bulk and are now specifically targeting high-value targets within the companies and industries most likely to pay higher ransoms for the safe return of their files. As attackers continue to refine their tactics to bring in more money, I believe the next generation of ransomware will target cloud-based assets, including file stores, Amazon S3 buckets, and virtual environments.

When ransomware first hit the scene in 2013 with CryptoLocker, attackers targeted anyone and everyone, from CEOs to senior citizens. Even if just a small percentage of victims paid the relatively small ransom, attackers were sending out such a high volume of ransomware that they’d still make money. This broad, “shotgun blast” approach fell out of fashion in 2016 and 2017 as ransomware success rates decreased due to improvements in antivirus protections. Instead, attackers began targeting industries in which businesses can’t function with any downtime, most prominently healthcare, state and local government, and industrial control systems. Attackers picked their targets more carefully, devoted more time and effort to breaking in, and asked for larger ransoms. In short, they adapted their tactics to maximize profits.

Looking ahead, I believe ransomware will target the cloud for three reasons. First, the cloud has been left largely untouched by ransomware so far, so it’s a new market opportunity for attackers.

Second, the data and services stored or run through the cloud are now critical to the day-to-day operations of many businesses. Five years ago, a company might have been able to function without its cloud deployment in the short term, so the pressure to pay a ransom wouldn’t have been as high. Now, most businesses will be crippled if they lose access to their public or private cloud assets. That creates the same intense pressure to restore services quickly that we’ve seen with hospitals, city governments, and power plants over the last few years.

Third, the cloud offers an attractive aggregation point that gives attackers access to a much larger population of victims. Encrypting the data on a single physical host that serves multiple tenants could lock up dozens of companies at once. As an example, several attacks in the first and second quarters of 2019 involved bad actors hijacking multiple managed service providers’ management tools and using them as a strategic entry point from which to spread Sodinokibi and GandCrab ransomware to their customer rosters. The same principle applies here — hacking a central, cloud-based property allowed attackers to hit dozens or hundreds of victims.

Cloud Security
To prevent cloud ransomware attacks, businesses need cloud security. Many smart IT people believe they don’t need to worry about securing data in an infrastructure-as-a-service (IaaS) deployment because Microsoft or Amazon will handle it for them. This is only partially true.

While most public cloud providers do supply basic security controls, they may not include all of the latest security services needed to prevent more evasive threats. For example, most IaaS providers offer some form of basic anti-malware protection, but not the more sophisticated behavioral or machine learning-based anti-malware solutions available today. WatchGuard research has found that between a third and half of all malware attacks use evasion or obfuscation techniques to bypass traditional, signature-based antivirus solutions. Without more proactive anti-malware, modern ransomware could skirt right past basic cloud security controls. Fortunately, you can get a virtual or cloud version of most network security solutions on the market today, and I suggest using these to secure your cloud environments.

Finally, misconfigurations and human mistakes made while setting up cloud permissions and policies create weak spots that attackers can exploit to deliver ransomware. Every organization using a public or private cloud should harden these environments by properly securing S3 bucket configurations, closely managing file permissions, requiring multifactor authentication for access, and more. There are many “cloud hardening” guides that can help with this, and I recommend that anyone new to the cloud look into them.
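The hardening steps listed above can be checked rather than eyeballed. What follows is an added example, not WatchGuard's or AWS's code: it audits the S3 settings that decide whether a ransomware actor can read, overwrite or purge a bucket. Principal "*" in an Allow statement and a half-enabled Public Access Block are the exposure side; versioning decides whether an encrypted overwrite can be rolled back, and MFA Delete or Object Lock decides whether the attacker can purge the old versions with the same credentials that wrote them. The `cfg` dict is assumed to be assembled by the caller from boto3's `get_bucket_policy`, `get_public_access_block`, `get_bucket_versioning` and `get_object_lock_configuration` responses; both bucket configurations below are constructed.

```python
"""Audit the S3 settings that matter against ransomware: bucket-policy
principals, Public Access Block, versioning, MFA Delete / Object Lock.
Added example. `cfg` is assumed to combine the fields of boto3's
get_bucket_policy, get_public_access_block, get_bucket_versioning and
get_object_lock_configuration responses; the sample buckets are constructed."""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def principals(statement):
    """Normalise the Principal element ("*", {"AWS": [...]}, ...) to a list of strings."""
    p = statement.get("Principal", [])
    if isinstance(p, str):
        return [p]
    if isinstance(p, dict):
        out = []
        for v in p.values():  # "AWS", "Service", "Federated", ...
            out.extend([v] if isinstance(v, str) else v)
        return out
    return list(p)

def public_allow_statements(policy):
    """Allow statements whose principal is everyone. A Condition may narrow the
    audience (aws:SourceVpc) or may not (aws:SecureTransport), so conditioned
    statements are reported for review rather than silently accepted."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [(st.get("Sid", "<no Sid>"), "Condition" in st)
            for st in stmts if st.get("Effect") == "Allow" and "*" in principals(st)]

def audit_bucket(cfg):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag):
            findings.append(f"PublicAccessBlock.{flag} is off")
    for sid, conditioned in public_allow_statements(json.loads(cfg.get("Policy", "{}"))):
        note = " (has Condition; review whether it restricts the audience)" if conditioned else ""
        findings.append(f"policy statement {sid!r} allows Principal '*'{note}")
    versioning = cfg.get("Versioning", {})
    lock_on = cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") == "Enabled"
    if versioning.get("Status") != "Enabled":
        findings.append("versioning off: an encrypted overwrite destroys the only copy")
    elif versioning.get("MFADelete") != "Enabled" and not lock_on:
        findings.append("prior versions deletable by the credentials that write: enable MFA Delete or Object Lock")
    return findings

# Constructed configurations; 123456789012 is the AWS documentation account ID.
WEAK_BUCKET = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"}]}),
    "Versioning": {"Status": "Suspended"},
    "ObjectLockConfiguration": {},
}

HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "Versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(cfg) or ["ok"])
```

Two caveats when running this against real accounts: a Deny statement with Principal "*" is the normal way to force TLS and is correctly ignored by the policy check, and MFA Delete can only be switched on by the account root user through the API or CLI, so Object Lock (which itself requires versioning) is usually the more practical of the two.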

As cloud services become increasingly critical to more businesses’ daily operations, ransomware authors will follow to maximize profits. The good news is that the cloud can be secured with many of the same best practices that apply to physical networks. Make every effort to keep your cloud deployments safe and secure today. In the future, you might be glad you did.


Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, …

Article source: https://www.darkreading.com/cloud/why-ransomware-will-soon-target-the-cloud-/a/d-id/1336957?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks

A kernel-level driver for old PC motherboards has been abused by criminals to hijack Windows computers, disable antivirus, and hold files to ransom.

Sophos this month reported that an arbitrary read-write flaw in a digitally signed driver for now-deprecated Gigabyte hardware was recently used by ransomware, dubbed RobbinHood, to quietly switch off security safeguards on Windows 7, 8 and 10 machines.

The problem, said Sophos, is that while Gigabyte stopped supporting and shipping the driver a while back, the software’s cryptographic signature is still valid. And so, when the ransomware infects a computer – either by some other exploit or by tricking a victim into running it – and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.

At that point, the ransomware exploits the security flaw in the Gigabyte driver to alter memory to bypass protection mechanisms and inject malicious code into kernel space, completely compromising the box and allowing the file-scrambling component to run unhindered.

“In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows,” Sophos explains. “This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.”


Specifically, RobbinHood loads the Gigabyte driver, exploits the read-write hole to turn off code-signing checks, loads its own unsigned driver unobstructed, and then instructs it to kill off the processes and files of antivirus products, including their kernel drivers. RobbinHood may well require administrator access to load the vulnerable motherboard driver in the first place, so you may be thinking what’s the point of all of this: if you’re a miscreant with admin access, you can do anything you like.

However, the aim appears to be the silent killing of any anti-malware products that would block the malicious unsigned driver loading and/or the file-scrambling process, all without alerting any users.

After their files are scrambled, victims can either pay to retrieve their files or hope to restore from a previous good backup. In the case of RobbinHood, those infected have included the cities of Baltimore, MD and Greenville, NC, in the US.

Because the malware can download and run its own signed yet vulnerable copy of the software, patching the driver won’t guarantee safety. Instead, Sophos recommends admins limit who has superuser access, layer security protections to minimize the spread of malware and its damaging effects, enforce best practices with passwords and multi-factor authentication, and educate users so that the trojan can’t get a foothold on their machines in the first place. Plus the usual drum beat of patching and keeping antivirus up to date.
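Since patching the driver does not help, detection has to key on the chain Sophos describes: a signed but known-vulnerable driver loads, then an unsigned driver loads shortly afterwards, typically from a directory a kernel driver has no business in. The following is an added example, not Sophos' or Microsoft's code. It reads Sysmon DriverLoad records (Event ID 6, whose fields are ImageLoaded, Hashes, Signed, Signature and SignatureStatus) and raises the two-stage chain as one alert. The events are constructed; the driver file names, the signer and the SHA256 values are placeholders, not real indicators.

```python
"""Spot the RobbinHood-style driver chain in Sysmon DriverLoad (Event ID 6)
records: a signed, known-vulnerable driver loads, then an unsigned driver
loads shortly after. Added example; events, names and hashes are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder hashes. A real blocklist holds the SHA256 of each signed driver
# known to expose arbitrary kernel read/write, keyed by hash because the
# signature on those drivers is still valid.
VULN_SHA256 = "0123456789ABCDEF" * 4
BENIGN_SHA256 = "FEDCBA9876543210" * 4
UNSIGNED_SHA256 = "00FF00FF00FF00FF" * 4
VULNERABLE_DRIVERS = {VULN_SHA256: "hypothetical vendor utility driver (signed, arbitrary kernel R/W)"}

# Directories a standard user can write to; a kernel driver should not live there.
WRITABLE_PREFIXES = ("C:\\USERS\\", "C:\\WINDOWS\\TEMP\\", "C:\\PROGRAMDATA\\", "C:\\TEMP\\")

SAMPLE_EVENTS = rf"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID><Computer>ws01.example.local</Computer></System>
 <EventData><Data Name="UtcTime">2020-02-11 10:00:00.000</Data>
  <Data Name="ImageLoaded">C:\Windows\System32\drivers\ntfs.sys</Data>
  <Data Name="Hashes">SHA256={BENIGN_SHA256}</Data><Data Name="Signed">true</Data>
  <Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
 <EventData><Data Name="Image">C:\Windows\Temp\stage1.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID><Computer>ws01.example.local</Computer></System>
 <EventData><Data Name="UtcTime">2020-02-11 10:02:30.000</Data>
  <Data Name="ImageLoaded">C:\Windows\Temp\vendor_util.sys</Data>
  <Data Name="Hashes">SHA256={VULN_SHA256}</Data><Data Name="Signed">true</Data>
  <Data Name="Signature">Hypothetical Hardware Co.</Data><Data Name="SignatureStatus">Valid</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID><Computer>ws01.example.local</Computer></System>
 <EventData><Data Name="UtcTime">2020-02-11 10:02:31.000</Data>
  <Data Name="ImageLoaded">C:\Windows\Temp\killer.sys</Data>
  <Data Name="Hashes">SHA256={UNSIGNED_SHA256}</Data><Data Name="Signed">false</Data>
  <Data Name="Signature">-</Data><Data Name="SignatureStatus">Unavailable</Data></EventData>
</Event>
</Events>"""

def parse_driver_loads(xml_text):
    """Return the Event ID 6 records as dicts, oldest first; other events are skipped."""
    loads = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
        loads.append({
            "time": datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "image": data["ImageLoaded"],
            "sha256": hashes.get("SHA256", "").upper(),
            "signed": data.get("Signed", "").lower() == "true",
            "status": data.get("SignatureStatus", ""),
        })
    return sorted(loads, key=lambda rec: rec["time"])

def detect(loads, chain_window=timedelta(minutes=5)):
    """Return [(image, [reasons])]. An unsigned load within chain_window of a
    known-vulnerable signed load is escalated as the two-stage chain."""
    alerts, last_vuln = [], None
    for rec in loads:
        reasons = []
        if rec["sha256"] in VULNERABLE_DRIVERS:
            reasons.append("known-vulnerable signed driver: " + VULNERABLE_DRIVERS[rec["sha256"]])
            last_vuln = rec
        if not rec["signed"] or rec["status"].lower() != "valid":
            reasons.append("driver loaded without a valid signature: code-integrity enforcement was bypassed")
            if last_vuln and rec["time"] - last_vuln["time"] <= chain_window:
                gap = int((rec["time"] - last_vuln["time"]).total_seconds())
                reasons.append(f"CHAIN: unsigned driver loaded {gap}s after {last_vuln['image']}")
        if rec["image"].upper().startswith(WRITABLE_PREFIXES):
            reasons.append("driver image lives in a user-writable directory")
        if reasons:
            alerts.append((rec["image"], reasons))
    return alerts

if __name__ == "__main__":
    for image, reasons in detect(parse_driver_loads(SAMPLE_EVENTS)):
        print(image, *reasons, sep="\n  ")
```

Two operational points follow from the article. The second-stage driver kills endpoint security, and Sysmon is itself a kernel driver it may target, so forward events off the box as they happen and treat a sensor going quiet right after a vulnerable-driver load as an alert in its own right. And because the vulnerable driver's certificate remains valid, the preventive control is not patching but a Windows Defender Application Control policy that denies that driver by hash or by publisher.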

We’ll let you know if Symantec, which now owns the outfit that signed the driver for Gigabyte, has any comment or has revoked the software’s digital certificate to prevent it from running. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/11/forgotten_gigabte_driver_robbinhood/

These truly are the end times for TLS 1.0, 1.1: Firefox hopes to ‘eradicate’ weak HTTPS standard by blocking it

Mozilla Firefox will require user intervention to connect to websites using the TLS 1.0 or 1.1 protocol from March 2020 – and plans to eventually block those weak HTTPS connections entirely.

We have been hearing about issues with TLS 1.0 and 1.1 for some time. Web servers should really be using TLS 1.2 or 1.3 for their encrypted and secure HTTPS connections.

The PCI Data Security Standard (PCI DSS) for sites handling credit card transactions has required at least TLS 1.1 since 1 July 2018. That said, it is not until March this year that most users will see more than a warning in their web browser, and some browsers do not show any warning. We took a look at a website running TLS 1.0 in a variety of web browsers today. Of these:

  • Google Chrome 80 states: “Your connection to this site is not fully secure. This site uses an outdated security configuration.”
  • Firefox 72 warns: “Connection not secure. This page uses weak encryption.”
  • Safari 12.1 displays no warning and says: “Safari is using an encrypted connection.”
  • Microsoft Edge Chromium displays no warning and says: “Connection is secure.”
  • Microsoft IE 11 displays no warning and says: “This connection to the server is encrypted” (though you can block these protocols in Internet Options).
  • Brave 1.2.43 displays no warning and says: “Connection is secure.”
  • Vivaldi 2.10.1745 displays no warning and says: “Connection is secure.”

Safari today reports nothing amiss about a TLS 1.0 connection

This is all about to change. Apple said: “Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020.” Google has said it will remove support for TLS 1.0 and 1.1 in Chrome 81 (expected on March 17). Microsoft said it would do the same “in the first half of 2020”.

The TLS warning in the forthcoming Firefox 73

Mozilla has now spelled out its approach. From next month, users hitting a site running TLS 1.0 or 1.1 will not connect immediately, but see a warning screen stating: “Secure connection failed.” There is an option to override this, in which case it will be overridden for all sites.

Thyla van der Merwe, cryptography engineering manager at Mozilla, said: “We plan to keep the override button for now; the telemetry we’re collecting will tell us more about how often this button is used. These results will then inform our decision regarding when to remove the button entirely. It’s unlikely that the button will stick around for long. We’re committed to completely eradicating weak versions of TLS.”

A user has already queried why Firefox will not allow the override on a per-site basis. “We decided on a global fallback,” said van der Merwe, without explaining why.

Figures from SSL Pulse show wide support for TLS 1.2

Will this cause problems? According to SSL Pulse, which gives TLS version stats based on the top 150,000 most visited websites, 96.8 per cent support TLS 1.2. That said, 71.5 per cent also support TLS 1.1 and 61.5 per cent TLS 1.0 so it is possible, but optional, to connect using these older versions.

The great majority of sites therefore are ready for the change. There can be issues for applications, though, if they connect to web services using a deprecated TLS version. For example, apps built with .NET Framework 4.5 and below do not use TLS 1.2 by default and may throw errors. It is another reason to upgrade legacy applications. Another problem is old mobile phones. Android did not support TLS 1.2 until version 4.1 (Jelly Bean) in 2012.
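As an added example (not from the article), a small parser that reads the versions a TLS ClientHello offers, so an admin can spot legacy clients in captured traffic, such as the .NET Framework 4.5 apps mentioned above, before browsers and servers stop accepting TLS 1.0 and 1.1. The ClientHello bytes are constructed inside the block by the `build_client_hello` helper, which is an assumption of this example and not a real capture.

```python
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions extension

def build_client_hello(legacy_version, supported_versions=None):
    # Constructed sample ClientHello record for the example, not a real capture.
    body = struct.pack("!H", legacy_version) + b"\x00" * 32  # client_version + zeroed random
    body += b"\x00"                                           # empty session_id
    suites = b"\xc0\x2f\x00\x2f"                              # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                       # null compression only
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_versions(record):
    # Return the set of TLS versions a ClientHello record offers.
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                           # skip client_version and random
    pos += 1 + body[pos]                                   # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                                   # skip compression_methods
    versions = {legacy}     # pre-1.3 clients advertise only their maximum version here
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:  # authoritative list when present
                count = body[pos]
                versions = {struct.unpack("!H", body[pos + 1 + i:pos + 3 + i])[0]
                            for i in range(0, count, 2)}
            pos += elen
    return versions

def is_legacy_client(record):
    # True when the client cannot negotiate TLS 1.2 or newer, the case the article warns about.
    return max(offered_versions(record)) < 0x0303
```

Feed `offered_versions` the first record of each captured client connection; any hit from `is_legacy_client` is a client that will break once TLS 1.0 and 1.1 are switched off.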

In the unlikely event that admins have neglected to upgrade web servers to support at least TLS 1.2, March 2020 will be the wake-up call. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/

Game over, LAN, game over! Windows software nasty Emotet spotted spreading via brute-forced Wi-Fi networks

A new variant of the notorious Emotet Windows malware is able to spread wirelessly by brute-forcing Wi-Fi network passwords and scanning for shared drives to infect.

The wormification of the trojan attack was detected by researchers at Binary Defense, who this month reported that the technique may have been going on undetected for as long as two years before its discovery in January, judging by timestamps in the code.

“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” Binary Defense explained in its deep-dive examination of the software nasty.

“Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”

In this case, the Binary Defense crew found that after the malware was installed and running on a PC, it would download and load two new executables. These payloads extract themselves and call wlanAPI.dll, a legitimate Windows code library to connect to Wi-Fi networks. Using this library, the malware enumerates nearby Wi-Fi networks, and tries to join them. If need be, it attempts to brute-force its way onto them by guessing their passwords.

If that works, the malware will connect to a command-and-control server where it gets the go-ahead to begin a second round of brute-force attacks on Windows PCs on the compromised wireless networks. Specifically, it tries to guess the user and administrator passwords of any network shares found on the Wi-Fi, so that it can log in and infect them. Thus, you now have a scenario where one user can get infected and, without any notification or interaction, distribute the malware to everyone else on their network or surrounding wireless networks.

Once on a computer, Emotet can be instructed by its masters to pull in other nasties, such as ransomware or trojans that hijack victims’ online bank accounts.

While the technique was only spotted in late January, Binary Defense noted that timestamps on the executables as well as VirusTotal signatures on the sample date back to May 2018.

“This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years,” the researchers reported. “This may be in part due to how infrequently the binary is dropped.”

Another possibility, the team says, is that the behavior simply didn’t get picked up by bug-hunters who were studying the software nasty in virtual machines. These sandboxes are unlikely to be configured with emulated Wi-Fi cards, so the wlanAPI calls fail and so the trojan appears to do nothing. This could be a deliberate evasive measure, or just a happy accident for the malware’s masterminds.

Either way, the best way to protect against the malware is to keep all system and antivirus software updated, and use authentication schemes that cannot be trivially brute-forced. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/10/emotet_spreads_over_wifi/

Israel’s Entire Voter Registry Exposed in Massive Incident

Personal details of nearly 6.5 million Israelis were out in the open after the entire registry was uploaded to a notably insecure app.

Israel’s entire voter registry was exposed after the Likud party uploaded a huge file to the Elector voting app, leaving the personal details of nearly 6.5 million Israelis, including prominent individuals and top politicians, open to anyone with a Web browser — no user ID or password required.

The Elector app has been known to have security issues and other flaws, according to Engadget. While the database configuration was changed roughly a day after the exposure was disclosed, it was open long enough to have allowed significant data leaks. Some officials fear the data could be used for espionage, identity theft, voter intimidation, and other crimes.

Article source: https://www.darkreading.com/application-security/israels-entire-voter-registry-exposed-in-massive-incident/d/d-id/1337011?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple