STE WILLIAMS

Ring Flaw Underscores Impact of IoT Vulnerabilities

A vulnerability in Amazon’s Ring doorbell cameras would have allowed a local attacker to gain access to a target’s entire wireless network.

A vulnerability in Amazon’s Ring Video Doorbell Pro IoT device could have allowed a nearby attacker to imitate a disconnected device and then sniff the credentials of the wireless networks when the owner reconfigured the device, according to a report issued by security firm Bitdefender.

The issue, which was fixed by Amazon in September, underscores the impact of a single insecure Internet-of-Things device on the organization in which it is deployed. While the vulnerability may only occur in a single network device, the result of the flaw could be leaked information — the wireless network password, for example — which would have far more serious repercussions.

“IoT is a security disaster, any way you look at it,” says Alexandru Balan, Bitdefender’s chief security researcher. “Security is not the strong suit of IoT vendors — only rarely do we see vendors who take security seriously.”

The discovery of a serious vulnerability in a popular IoT product comes as businesses and consumers increasingly worry about the impact that such devices may have on their own security. Only about half of security teams have a response plan in place to deal with attacks on connected devices, according to a recent report from Neustar. Even critical-infrastructure firms, such as utilities that have to deal with connected operational technology, a widespread class of Internet-of-Things devices, are ill-prepared to deal with vulnerabilities and attacks, the report says.

Vulnerabilities in IoT devices can have serious repercussions. In July, a team of researchers found widespread flaws in the networking software deployed in as many as 200 million embedded devices and found millions more that could be impacted by a variant of the issue in other real-time operating systems.

The issue with Amazon Ring is not as serious, but it is a reminder that vulnerabilities can still be easily found in the devices by attackers paying attention, says Balan. “We tend to look at the popular devices, and those tend to have better security than the less popular devices.”

The rest of the Ring device’s communications are encrypted and secure, according to Bitdefender. The mobile application only communicates with the device through the cloud, even if the app and device are already on the same network, the company’s analysis stated. Cloud communications are conducted over encrypted connections to API services using Transport Layer Security (TLS) and certificate pinning.

The device’s initial connection with the local network is the only time that it sends data without encryption, Balan says. “This is a proximity-based attack, so it’s not that big of a threat on a global scale. You need to be within a hundred meters or so to issue the deauthentication packets and force the user to reset the password.”

The existence of the vulnerability is not an indicator of the commitment of Ring’s security team, Balan adds, noting that within a few days Amazon responded and two months later closed out the report. By September, the company issued a patch — within three months after the initial communication, according to Bitdefender’s disclosure timeline. As of November, all affected devices had been patched, which Balan says is a better outcome than the majority of disclosures that Bitdefender works on with other IoT vendors.

“Amazon is one of the few that take security seriously,” he says. “Inherently everything has some flaw that will be discovered. The only challenge with IoT is whether you take that disclosure seriously.”

The trend that more vulnerabilities are being discovered in popular products is a sign that the manufacturers are paying attention and responding to researchers, Balan observes. “If someone does not have vulnerabilities disclosed in their product, then that is likely the most risky product, from a security perspective. If the vulnerabilities were discovered, then props to them — that’s a good thing.”

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What a Security Products Blacklist Means for End Users and Integrators.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/iot/ring-flaw-underscores-impact-of-iot-vulnerabilities/d/d-id/1336304?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hospital Cyberattacks Linked to Increase in Heart Attack Mortality

Breach remediation processes adversely impact timeliness in patient care and outcomes, a new study finds.

Ransomware attacks and data breaches targeting hospitals may cause a higher mortality rate among heart patients in the months and years after an incident, Vanderbilt University researchers report, as breach remediation time interferes with patient care and outcomes.

Researchers with Vanderbilt’s Owen Graduate School of Management analyzed healthcare data breaches recorded by the Department of Health and Human Services (HHS). They investigated patient mortality rates at more than 3,000 Medicare-certified hospitals between 2012 and 2016, 10% of which had reported a data breach. They found attackers are not directly controlling medication; rather, hospitals’ approach to breach remediation is slowing down doctors, nurses, and other healthcare practitioners responsible for cardiac care, according to an article on PBS NewsHour.

Specifically, the researchers wanted to know two factors: the time it takes for a patient with chest pain to get from an emergency room to receiving an electrocardiogram (EKG) reading, and the 30-day mortality rate for heart attacks. They learned the time it takes for someone to receive an EKG increased by up to 2.7 minutes after a breach. Further, this delay stayed as high as two minutes even three to four years after a breach occurred.

At the hundreds of hospitals in this study that reported data breaches, there were as many as 36 additional deaths per 10,000 heart attacks each year. It’s worth noting heart attacks are among the most common medical emergencies in the US: According to PBS, 735,000 Americans suffer one every year. The number of healthcare institutions affected by data breaches rose 20% in 2019, affecting medical records of 30 million health care customers – the most since 2015.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/hospital-cyberattacks-linked-to-increase-in-heart-attack-mortality/d/d-id/1336306?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bugcrowd Pays Out Over $500K in Bounties in One Week

In all, bug hunters from around the world submitted over 6,500 vulnerabilities in October alone.

Crowdsourced bug disclosure programs are popular. The latest evidence is Bugcrowd, which in October alone paid out $1.6 million to some 550 white hat hackers from around the world who collectively reported a total of 6,500 vulnerabilities in products belonging to companies signed up with the platform.

More than $513,000 of those payouts was made just last week—a record in a 7-day period for Bugcrowd since it launched in 2011. The biggest payout of $40,000 went to a hacker who disclosed a bug in an automotive software product.

Over 300 of the 6,500 valid bug submissions to Bugcrowd in October were classified as P1 under Bugcrowd’s vulnerability rating taxonomy. These are bugs that are most critical in nature.

Examples include privilege escalation bugs, remote code execution flaws, and bugs that enable financial theft or expose critically sensitive data such as passwords, says David Baker, CSO and vice president of operations at Bugcrowd. “Some recognizable examples of a P1 vulnerability are EternalBlue, BlueKeep, and Apache Struts, the vulnerability that led to the massive breach at Equifax.”

Bugcrowd’s numbers for October are considerably higher than five years ago, when it paid about $30,000 to 85 hackers. Just five of the bugs reported in October in 2014 were critical.

According to Bugcrowd, bug bounty payouts for 2019 so far are more than 80% higher than last year’s payouts, meaning that security researchers are finding and reporting a lot more bugs than ever under the program. “In a matter of a five-year span, we’ve exponentially multiplied payouts, Crowd engagement, and critical findings,” Bugcrowd said in a statement Friday. “To say we’re excited is an understatement.”

Managed vulnerability hunting and disclosure programs like Bugcrowd, HackerOne, and Synack have become popular in recent years. Many organizations—across industries and companies of all sizes—have signed up with these platforms and let freelance bug hunters poke and prod at their products for security vulnerabilities. The goal is to give organizations a way to find bugs in their software that they might have otherwise missed—and more cheaply than if they were to hire their own security researchers for the job.

As is to be expected, a majority of the bugs that security researchers find and report to Bugcrowd are of the medium to low severity type, Baker says. “As a rule, there’s always going to be fewer critical issues than there are medium- or low-severity findings—simply by the fact that they’re harder to find,” he notes. “That said, the most dollars have gone out for medium-priority findings, compared to high or critical vulnerabilities.”

On average, bug submissions on Bugcrowd can fetch around $900. But high-severity and critical P1 bugs can garner around $3,000 on average and much more in some cases. “Car hacking skill tends to be a pretty lucrative skillset,” for instance, Baker says.

Since launch, security researchers have reported over 300,000 vulnerabilities to the Bugcrowd platform. Over the last year alone, submissions increased nearly two-fold, Baker says. Currently, hundreds of thousands of security researchers from around the world are signed up with the platform.

About 30% of them are from the United States. India hosts the second largest group, followed by Great Britain, Baker says. Over the last couple of years, crowdsourced security activity has really accelerated in India, he says. “We are seeing not just an increase in researchers but also a gradual increase in skills as people learn from and teach others.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/bugcrowd-pays-out-over-$500k-in-bounties-in-one-week/d/d-id/1336307?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

4 Ways to Soothe a Stressed-Out Incident Response Team

IR teams are under tremendous pressure, often working long hours and putting their needs aside amid a security crisis. Their care is just as important as policy and procedure.

In crafting your organization’s incident response (IR) plan, you thoroughly accounted for appropriate timelines, public relations, and a recovery strategy. But have you considered the food? Because the food is also important.

“We don’t think about the care and feeding of the incident-handling team,” says Cindi Carter, CSO at healthcare analytics provider MedeAnalytics. “Bring them some food. You need to make sure people are appreciated. Whether big or small, they are part of the effort, and these kinds of gestures go a long way.”

Indeed, once a breach is discovered or a security incident has disrupted operations, the IR team has its work cut out for it – often working nearly around the clock to both identify the cause of the threat and to get things running again. According to a poll earlier this year from NTT Security, the majority (59%) of organizations admitted they were not confident their companies could resume “business as usual” after the first 24 hours. Asked about their No. 1 focus in the first 24 hours after a security incident, nearly two-thirds (64%) of respondents said mitigating the threat was the main priority, while 36% said it was about identifying the cause.

In this high-stress environment where just about everyone is nervous and the need for information is relentless, keep in mind these critical considerations when helping your IR team stay productive and avoid burnout.

Sequester Your Team to Minimize Disruptions

Andrew Morrison, cyberstrategy, defense, and response leader and principal in Deloitte’s Risk & Financial Advisory, says one of the most challenging aspects to working IR is that the need for information outpaces the actual supply of what’s coming in. Morrison’s team is the one heading into a client engagement to work IR – what he calls “every client’s worst nightmare.” The focus is almost always squarely on how to get out of the situation as soon as possible.

“Every executive wants to know what happened and in a time frame when it is difficult to determine,” Morrison says. “It is really a tug of war, and the investigator is at the heart of that. Innocently, the executives are asking for updates and status, and it distracts from the work.”

To deal with these requests, Morrison recommends the team assign a point person and then agree on a daily time for updates so that requests don’t come in all day.

Todd Borandi, a security industry veteran and previously CISO with the National Renewable Energy Laboratory, suggests the security manager give the team its own space so it can be separated from distractions.

“The last thing a high-functioning team needs is the shadow of their boss, or their boss’ boss, looming over them,” Borandi says. “Let them do what they have been trained to do and stay out of their way while they are trying to do it.”

Foster a Culture of Care and Courtesy

When it is obvious the stakes are high, IR team members will almost always remain committed to the work and not want to walk away. But Carter says it is important to remember the team comprises people who have lives that have also been disrupted by this demanding work.

“Encourage them to be able to say, ‘Hey, can someone pick up my kids from school?'” she says. “You have to think through those scenarios. These are people who have lives that don’t always have alternatives. You may have single parents, for example. You need to think about the outside needs of your team.”

Morrison says his team tries to follow a work-by-the-sun model, bringing in off-shore teams who can pick up for a few hours while the on-the-ground team gets some rest.

“You need to guard against burn out,” Morrison advises. “Trying to work 24 hours isn’t productive either.”

However, even when security leaders want to give IR a break, their level of commitment may make them hesitate to take it.

“Some people have FOMO [fear of missing out] and want to be part of the solution,” Carter says. “But they need to understand that through their work, they already are part of the solution, even if it didn’t happen on shift.”

Reward Them When the Dust Settles

Once the fire-drill-like environment is gone and the threat has been discovered and contained, you’ll want to ensure IR team members understand their work is appreciated, even after it’s over.

“When time is slow and the job is done, ensure you have the flexibility to offer these folks compensation for the marathons they will have to endure,” Borandi says.

Constantly striving to consider both the professional and personal needs of those who are called on under the most difficult situations will be key to smoothing the way the next time the IR team may be needed, Carter adds.

“We’re human beings,” she says. “We have to make sure in times of crisis that we take care of each other.”

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/4-ways-to-soothe-a-stressed-out-incident-response-team/b/d-id/1336308?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Another Facebook hoax: Robbers still throwing eggs at car windows?

Researchers who study the physics of hurling eggs at windshields – the ovoflingatologists – have access to such finely calibrated splatometers that they can apparently predict that if you turn on your wipers and windshield squirter, you will make a scrambled, milky mess that obscures visibility by (up to) an astonishing 92.5%.

So precise! Surprisingly precise, really. One would imagine that there are many variables that go into calculating egg obfuscation percentages: the egg size; how well-nourished the birds are; the number of eggs required to garnish an entire windshield; how much time highway robbers have to throw them before your moving car has, well, moved on and they miss their chance to attack you when you pull over to wipe it all off; how good their aim is; where the eggs land; how well the washer system and wipers work on the car they’ve targeted; or whether the eggs were laid by African or European swallows.

The many unpredictable variables behind that 92.5% may lead some of us to question the veracity of the “OFFICIAL MSG FROM POLICE” that’s been making the rounds on Facebook. Then too, the many times this cheesy omelette has been making the rounds and getting debunked along the way may lead us to the same conclusion: namely, that it’s a persistently clucking, never-say-die hoax.

Here’s the latest version, spotted on Facebook last week:

Egg Windshield Robbery

OFFICIAL MSG FROM POLICE:
If you are driving at night and eggs are thrown at your windscreen, do not stop to check the car, do not operate the wiper and do not spray any water, because eggs mixed with water become milky and block your vision up to 92.5%, and you are then forced to stop beside the road and become a victim of these criminals. This is a new technique used by gangs, so please inform your friends and relatives. And most importantly do not be selfish by refusing to share this message.

An “official” msg from what police?

When Snopes debunked this gobbler nearly a decade ago, in December 2009, the hoax slayers asked their police contacts about these supposed attacks and scoured news reports, looking for accounts of raw-egg-related robberies and carjackings. They failed to come up with even a single, solitary occurrence in the US.

Well, if not here, then perhaps in some rougher part of the world, one imagines? Later renditions of the hoax duly took it outside the US, changing “used by robbers” to “used by robbers in Johor Bahru”, which is the capital city of the state of Johor, perched on the southern tip of the Malay Peninsula.

Embellishments

Snopes says that later forms of what was initially spotted as a Yahoo Groups mail list post grew ever more festooned: one version added the claim that the attacks were happening “on interstates near exits.” Sometimes the messages waxed profound, dressed with this hollandaise sauce of pathos:

Folks are becoming more and more cruel daily. But this is just the beginning of pangs of distress. With the decline in economy and job losses, we can expect anything. Just can’t be too careful these days.

No, gosh darn it to heck, you can’t be too careful these days. Which is why you shouldn’t be “selfish” with your stubborn refusal to share the post, right? What empty shell of a human being would be so cruel as to not alert their friends and family?

One that thinks before they share, that’s who. Please do be a good social media citizen: don’t forward a post before you do a bit of research to find out whether it’s a rotten egg. It might feel fun to share just so you can make fun of it, but please do keep in mind that by doing so, you’re giving fraud-slingers that much more time in the spotlight, and by doing that, you’re playing into the hands of people who peck away at the credibility of what we all find online.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/S1g1Em4copk/

Leak of 4,000 Facebook documents heaps more trouble on internet giant

This week’s bold rebrand of Facebook to FACEBOOK can’t hide the growing sense that nobody is happy with the company right now.

October was particularly bad, climaxing with CEO Mark Zuckerberg being publicly beaten up by Democrat Alexandria Ocasio-Cortez during House Financial Services Committee hearings over the company’s allegedly lax attitude to policing political advertising.

All that after the company’s yet-to-launch global cryptocurrency Libra lost the symbolic backing of PayPal, followed days later by MasterCard, Visa and eBay.

And then, of course, there was the slow-motion scandal about developer access to customer data through things like the Groups API and the company’s general inability to get on top of the issue of dodgy malicious ads that hijack its platform.

Did we mention July’s record-breaking $5 billion fine by the US Federal Trade Commission (FTC) over its privacy fumbling?

The Six4Three saga

Just when you thought the hurt had to end, news site NBC this week published a “trove” of 7,000 documents connected to a bitter David and Goliath lawsuit brought against Facebook by US startup Six4Three over the former’s 2014 decision to shutter third-party access to its Friends API.

There’s backstory to this case – including the alleged handing over of a USB drive to British MP Damian Collins during a fake news inquiry by Six4Three’s CEO Ted Kramer. But the gist of the latest leak is it’s stuffed with documents Facebook might prefer had remained private.

This includes 4,000 internal Facebook emails (1,200 marked “highly confidential”), web chats, presentations and spreadsheets from the period between 2010 and 2015, before the world’s biggest social network was under the cosh.

British journalist Duncan Campbell also got hold of the same files in April, as did NBC which reported on them without making the source material public.

Much of what the cache reveals isn’t that new – mainly the sort of rival-squashing corporate megalomania and relaxed attitude to user data many suspect might be normal inside Silicon Valley companies.

Facebook gave access to user data even as it shut down its Friends API for others. Facebook wanted to spy on the locations of Android users. Facebook wanted to put a stone in the shoe of its rivals Google, Twitter and Amazon.

More significant might be the timing. It’s as if Facebook’s troubles are feeding off one another, gaining collective strength in ways that beget new scandals.

The long unwinding road

Yet another twist arrived this week with the revelation that California’s State Attorney General is probing Facebook and thinks the company might not have been handing over everything it needs to conduct its enquiries.

It looks as if this is just how it’s going to be for Facebook for the foreseeable future, as its never-ending travails embed themselves as the public face of growing dissatisfaction with big tech companies.

It’s far from the only brand name in the firing line but, for now at least, it’s by some distance the biggest target.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hXGqIRYXl7E/

IT services pro hacked former client’s email

An IT project manager has pleaded guilty to accessing the email account of a former client’s CEO, said reports this week.

According to the Register, 27-year-old Leeds resident, Scott Burns, was charged under the Computer Misuse Act for tinkering with systems owned by Dart Group, which owns the Jet2 airline.

The hapless hacker was reportedly an IT project manager at Blue Chip Data Systems, which offers IT support and managed services. He accessed the email inbox of Steve Heapy, the CEO of Jet2 and its sister company Jet2holidays, although it isn’t clear what Burns was using the information for.

The Register found Burns’ LinkedIn account, which had listed a project entry under ‘Accomplishments’ relating to his work for Dart Group. Apparently, he helped move the company to Microsoft’s Office 365, including preparing back-end systems for a smooth migration of around 5,000 users.

As of yesterday, his LinkedIn account had been scrubbed of any accomplishments, and also didn’t show any employment history, although both Jet2 and Blue Chip Data Systems show up in his interests. He also posted seven months ago as an employee of Pure Technology Group, where he was “really chuffed to have been awarded employee of the quarter”.

According to the indictment, Burns accessed the CEO’s inbox over three weeks in January 2018. He tried to cover his tracks by accessing from different IP addresses. However, he slipped up when he eventually accessed the inbox from a Virgin Media account in his own name. That gave investigators the information they needed to track Burns’ computer, and it was game over.

Accessing a victim’s computer from an identifiable account is a common theme among hackers who get caught. For example, the FBI collared US hacker Kyle Milliken after he forgot to use his VPN to protect his IP address when hacking Disqus.

Are contractors your weakest link?

Contractors could be the weakest link in your security chain, and they should be held to the same levels of security that you expect from your own employees.

From unscrupulous individuals who sneak a peek at your personal data like Burns here, to being tempting targets for hackers, to simply being harder to police

As Naked Security writer John Hawes observed in an article about the US Department of Defense’s belated steps to ensure security standards of private sector companies doing business with the military:

Everyone we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of our data.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/b9fuhoB__qE/

6 Small-Business Password Managers

The right password manager can help bring enterprise-class security to small businesses. Here are a half-dozen candidates to strengthen your access management.

Good passwords are messy. They’re long, chaotic, and very difficult to memorize. That’s what makes them so strong. To keep them good and useful, though, requires a tool — a password manager.

The idea at the core of most password managers is simple: A database that matches user names and passwords to login pages is stored under the protection of a single strong password. When a login page is encountered, the password manager springs into action, filling in the necessary fields when unlocked with the master password.

With a password manager, the security best practice of a different strong password for every account can be followed, and changing those passwords on a regular basis becomes much less traumatic.

Any password manager worthy of consideration will perform this basic task well, though differences exist in how it is performed, how credentials are protected, and how the tool integrates with other security, directory, and network management components. These differences are especially critical for small businesses. Since smaller companies tend to have smaller budgets for IT staff, the need is high for a password manager that has features to fill in the blanks left by other products, is easy to integrate into existing infrastructure, and protects passwords for users who might have access to significant caches of critical data.

What products fit the bill? Dark Reading scoured the Internet for user comments, professional opinions, and published reviews of password managers of use to small business IT. We found half a dozen candidates that span a wide range of capabilities and prices.

As you click through the list, you’ll notice there are no free or open source options. That’s because all of the options in those categories are most suited to individual consumers, are quite complex to integrate into business infrastructures, or both.

We’d also like to know: Which password manager do you use for your small business? Do you worry about integration, or do you see password management as a purely end-point issue suitable for a free-for-all solution? Let us know in the Comments section, below.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/operations/identity-and-access-management/6-small-business-password-managers/d/d-id/1336242?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

9 Principles to Simplify Security

This isn’t a one-size-fits-all situation. Simplify as much as you can, as the saying goes, but no more than that.

Complexity has become a significant issue. Enterprises suffer from overcomplicated cybersecurity environments that are underutilized, undermanaged, undermonitored, and laced with misconfigurations.

Complex environments cause a number of problems. They aren’t cost-efficient, it is impossible to optimize them, they significantly lengthen the incident response process, and they act as a barrier for innovation, often turning small requirements for technical changes into large-scale projects.

While cybersecurity threats are constantly rising, security professionals are expected to achieve more with the same amount of resources. This means choosing simplicity over complexity, making cybersecurity environments easy to manage, control, change, and maintain.

Follow these nine principles to simplify your cybersecurity environment:

1. Automation

Automation is the key to the future of cybersecurity. Many companies have already implemented various automation products, such as security orchestration, automation, and response (SOAR) and breach and attack simulation (BAS). But automation is not a product; it’s an approach. There are numerous activities that security teams can automate.

Action Items

  • Define “automation” as a strategic goal.
  • Ask each security team member for three ideas for tasks or processes that can be automated.
  • If possible, assemble an automation task force that will identify opportunities for process automation and simplification.

2. Utilization

Underutilization of security products is a global epidemic. Companies tend to purchase new solutions without realizing that they could have utilized existing ones.

Action Items

  • Make sure your team is familiar with your products to feel comfortable administrating them. (If they are not, the team will probably push to buy a new product instead of trying to utilize the current one.)
  • Ask your vendors to provide you with product training and inform you about new product features.
  • Learn from your peers about better ways to use the product.

3. Suites Over Individual Products
Companies should prioritize purchasing product suites over buying several separate point solutions, even if that means compromising, to some extent, on product quality.

Action Item

  • When possible, purchase suites instead of several separate solutions.

4. Managed Services
Depending on your specific situation, it might be highly preferable and cost-effective for you to use managed security services. Such services could shift some of the complexity to the service provider, allowing you to maintain a lighter technological environment.

Action Item

  • Consider managed services as an alternative for current solutions.

5. Overcome the Cross-Units Barrier
In most enterprises, implementing and utilizing a solution that more than one department wants to use is notoriously difficult. Such projects commonly run into questions like "which unit is going to finance this?" and "who will get the credit?"

As an undesired consequence, the department that needs the solution often sidesteps the issue either by implementing it without involving the other potential stakeholders or, worse, by passing on the purchase altogether.

Action Items

  • Figure out if you can utilize solutions that are already implemented within the company.
  • Find out whether other departments can also benefit from your existing security products.
  • Overcome organizational barriers and look for cross-departmental solutions.

6. Cybersecurity Approach
A company’s approach toward cybersecurity is influenced by many factors, such as organizational culture, risk appetite, the CISO’s personal approach, and so on. Some approaches are much simpler to maintain compared with others. For example, a zero-trust strategy can save you a lot of time by creating a unified access methodology for employees, suppliers, and/or partners.

Action Item

  • Be smart about devising your strategy. Make sure it contains achievable goals.

7. Training and Knowledge Management
The more trained your security team is, the simpler it will be for team members to manage your security environment.

Action Item

  • Invest in workforce training!

8. Life-Cycle Management
When evaluating a new product, make sure to assess its entire life cycle. Sometimes, the product implementation seems straightforward, but then the organization discovers that the day-to-day operation of the product consumes an unacceptable amount of resources. This can happen for various reasons: The vendor issues critical patches frequently, the product’s documentation is lacking, the vendor has a poor support mentality, etc.

Action Item

  • Evaluate the product’s entire life cycle. Ask the vendor questions regarding product maintenance, patches, upgrade/update mechanism, documentation, etc.

9. Back to Basics
This is a hype-oriented industry. It’s easy to get excited about the next-generation-AI-powered-autonomous-anomaly-detection-prevention-response-and-remediation-system with smart-integration and advanced-data-visualization that runs on dedicated-quantum-computing-chip. But it is imperative to remember that the basic security controls are still the most important ones: Patch management, permissions, network segmentation, USB restrictions, etc.

Action Item

  • Don’t get swept away by new buzzwords. Make sure your foundations are strong.

As the quote often attributed to Einstein goes, “Everything should be made as simple as possible, but not simpler.” Simplification should become a strategic goal for every security team. Nevertheless, it’s not a one-size-fits-all situation. Simplify as much as you can, but no more than that.


Menny Barzilay is a strategic adviser to leading enterprises worldwide as well as states and governments, and he also sits on the advisory boards of several startup companies. Menny is the CEO of Cytactic, a cybersecurity services company, and the founder of the …

Article source: https://www.darkreading.com/vulnerabilities---threats/9-principles-to-simplify-security/a/d-id/1336253?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What do you get when you allegedly mix Wireshark, a gumshoe child molester, and a court PC? A judge facing hacking charges

A judge in the US state of Georgia is facing hacking charges after she allegedly hired private investigators to look into what she believed was a spyware infection on her office computer.

Lawyers for Judge Kathryn Schrader are challenging a September indictment of three counts of computer trespass against herself and three gumshoes she recruited to monitor her work PC.

According to legal publication the Daily Report this week, the charges stem from a February incident in which Schrader allegedly brought in private dick TJ Ward to determine whether or not spyware had been placed on her office computer by Gwinnett County District Attorney Danny Porter. Porter denies the accusation.

Ward, in turn, hired computer consultants Ed Kramer and Frank Karic to examine Schrader’s machine, it is claimed. In an effort to root out any potential surveillance-ware on the machine, they installed the open-source packet sniffer Wireshark to inspect Schrader’s network connectivity, it is alleged.

State investigators, meanwhile, claimed that what Schrader and her computer forensics team did constituted illegal monitoring of the state court system’s network. In particular, the collection of network traffic via Wireshark raised serious legal issues, they said.

Further complicating matters was Kramer’s status as a convicted child molester, something that prosecutors believe should have precluded him from having any access to IT systems linked to court records. Kramer, who also co-founded the massive comics’n’nerds jamboree Dragon Con, had been sentenced to 20 years behind bars for child molestation, though he was released after five years for medical reasons.


Crucially, in February this year, amid his alleged investigation of Schrader’s work PC, he was collared by cops who suspected him of photographing a seven-year-old boy in a doctor’s office.

That arrest breached the terms of his release from prison, and when the plod and the district attorney’s investigators searched his home, they reportedly found data files from the forensics job in a folder labelled Schrader. That sparked a police probe into Schrader, leading to these computer trespass charges being filed.

Schrader was recused as judge from all of her pending cases back in May while awaiting trial, and in turn, Porter has recused himself from Schrader’s case.

All four of the accused were charged and pleaded not guilty to the allegations. Ward and Karic were released on $25,000 bail while Kramer remains in prison. Schrader was released on her own recognizance, and has taken the additional step this week of moving to have her indictment thrown out.

The judge’s attorneys argue that even if she had asked the private dicks to do everything as alleged, it was her computer and she was entirely within her rights to have it examined for spyware.

“The indictment does not address how she did not have authority [to] access the computer network,” Schrader’s attorney was quoted as saying. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/08/us_judge_indicted/