STE WILLIAMS

Sophos antivirus tools. Working Windows box. Latest Patch Tuesday fixes. Pick two: ‘Puters knackered by bad combo

Unlucky Sophos antivirus users face a dilemma: either uninstall the software, or install April’s Windows security fixes. That’s because having both in place at the same time will bork their machines.

On April 9, Microsoft rolled out its usual Patch Tuesday vulnerability patches for the month. Unfortunately, Sophos customers who tried to install them on systems running Windows 7, Windows 8.1, Windows Server 2008, Server 2008 R2, Server 2012, or Server 2012 R2, with an affected antivirus present, found that when they rebooted after updating, the computers would hang and do their best impressions of unwieldy paperweights.

The issue remains, to this day, unfixed. Specifically, “Sophos Windows endpoint or server product except Sophos Central Intercept X” is affected, according to the AV vendor.

“Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available,” Sophos said in an advisory last week.

“If you have not yet performed the update we recommend not doing so. If you have performed the update but not yet rebooted we recommend removing the update prior to rebooting.”


That means we’re now nearly two weeks after the breakdowns were first encountered. A Sophos spokesperson told The Register that the problem is still persisting. We’ve asked Microsoft for an explanation, and it says it is looking into it.

Sophos has created some workarounds that deal with the headache temporarily. Its Enterprise Console customers should have an update by now that blocks the update from borking systems, and there’s a similar fix for UTM Managed and Standalone Endpoints but these have to be updated manually.

If this article comes too late, and your PC is fscked, then there is also a recovery plan that Sophos has suggested. You’ll need to boot in safe mode, disable the Sophos code, uninstall the Windows patches, and then reboot and activate the security code again.

But that still leaves the problem of remaining unpatched. While the perils of Exploit Wednesday are somewhat overstated these days, hackers have grown adept at reverse engineering Windows patches and leaving machines unpatched is a very bad idea. ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/24/sophos_windows_problem/

FYI: Yeah, the cops can force your finger onto a suspect’s iPhone to see if it unlocks, says judge

Analysis A US judge gave the cops permission to force people’s fingers onto seized iPhones to see who could unlock them, a newly unsealed search warrant has revealed.

Specifically, Judge Judith Dein, of the federal district court of Massachusetts, gave agents from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) the right to press Robert Brito-Pina’s fingers on any iPhone found in his apartment in Boston. The bloke was suspected to be trafficking guns, hence the application for a search warrant. In fact, anyone nabbed at the property would be forced to use their fingers to unlock any cellphones seized at the home, according to the court filing.

The warrant, issued April 18, is due to be executed by May 2, though it’s not clear if it has been carried out yet, and therefore if the agents have been able to force Brito-Pina’s fingers, or anyone else’s digits, onto mobiles seized at the apartment, including his own iPhone. In any case, the document makes it plain that the ATF went to some trouble to get the judge’s specific authorization on the issue.

In the 10-paragraph warrant, three are dedicated to the issue of unlocking the phone and note that the officers can choose which fingers to press on the device, including thumbs. The warrant [PDF] also includes an entire section on the return of seized mobile phones.

In seeking the judge’s permission, ATF special agent Robert Jacobsen outlined in some detail why they believe the judge should allow them to try to force-unlock any phones found in the suspect’s apartment.

Jacobsen notes that gun traffickers “often use cellular telephones to acquire or sell illegal guns” and that they are “normally maintained for reasonably long periods of time because they are expensive, can often be subject to long-term contracts that contain substantial penalties for early termination, can store large amounts of information, and do not easily wear out.” He also notes that even when people buy a new phone, they will typically transfer the contents of their old phone onto it.

That means that Brito-Pina’s phone is likely to contain a significant amount of evidence, the ATF agent argues. The case for the search warrant notes that the investigative process that led agents to Brito-Pina’s was in large part thanks to information gleaned from other people’s cellphones, including text messages, drop-off locations stored in the Waze navigation app, and photos of illegal guns taken by people on their own phones – often featuring them posing with the guns.

Magic touch

“Collins communicated with Brito-Pina via cell phone regarding the sales and purchases of firearms,” the agent notes, referring to another suspect.


“Cell phones also have text message and camera capabilities, and many users tend to store photos in their cell phones which are most often maintained by the user on his person or in his residence when not outside.” He then goes into detail about how the iPhone’s TouchID system works and why criminals use it.

Notably, however, the justification for allowing the officers to force a suspect’s fingers onto an iPhone is precisely that, without it, they would have to type in a passcode – which the suspect would be required to tell them.

“In some circumstances, a fingerprint cannot be used to unlock a device that has Touch ID enabled, and a passcode must be used instead, such as: (1) when more than 48 hours has passed since the last time the device was unlocked and (2) when the device has not been unlocked via Touch ID in 8 hours and the passcode or password has not been entered in the last 6 days,” he wrote.

He goes on: “Thus, in the event law enforcement encounters a locked Apple device, the opportunity to unlock the device via Touch ID exists only for a short time.”

And he adds: “Attempting to unlock the relevant Apple device(s) via Touch ID with the use of the fingerprints of the user(s) is necessary because the government may not otherwise be able to access the data contained on those devices for the purpose of executing the requested search warrants.”
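The two fallback conditions the agent quotes define a window after which a biometric unlock is no longer possible. The following is an added example, not code from the article or from the warrant, that models that policy as a timeline check so a defender can see how short the window is and which of the two conditions closes it first. The thresholds are the ones quoted above; the sample timestamps are constructed.

```python
from datetime import datetime, timedelta

# Thresholds as quoted from the affidavit above.
MAX_SINCE_ANY_UNLOCK = timedelta(hours=48)
MAX_SINCE_BIOMETRIC_UNLOCK = timedelta(hours=8)
MAX_SINCE_PASSCODE_ENTRY = timedelta(days=6)


def biometric_unlock_allowed(now, last_unlock, last_biometric_unlock, last_passcode_entry):
    """Return True if a fingerprint unlock is still possible at `now`.

    Condition (1): more than 48 hours since the device was unlocked by any means.
    Condition (2): no biometric unlock in 8 hours AND no passcode entry in 6 days.
    Either condition forces the passcode.
    """
    if now - last_unlock > MAX_SINCE_ANY_UNLOCK:
        return False
    if (now - last_biometric_unlock > MAX_SINCE_BIOMETRIC_UNLOCK
            and now - last_passcode_entry > MAX_SINCE_PASSCODE_ENTRY):
        return False
    return True


def passcode_required_at(last_unlock, last_biometric_unlock, last_passcode_entry):
    """Earliest instant after which the passcode becomes mandatory.

    Condition (1) triggers at last_unlock + 48h. Condition (2) needs both of its
    clauses to hold, so it triggers at the later of its two sub-deadlines. The
    policy closes at whichever condition comes first.
    """
    deadline_1 = last_unlock + MAX_SINCE_ANY_UNLOCK
    deadline_2 = max(last_biometric_unlock + MAX_SINCE_BIOMETRIC_UNLOCK,
                     last_passcode_entry + MAX_SINCE_PASSCODE_ENTRY)
    return min(deadline_1, deadline_2)


def biometric_window_remaining(now, last_unlock, last_biometric_unlock, last_passcode_entry):
    """How long the biometric window stays open from `now`; zero once it has closed."""
    remaining = passcode_required_at(last_unlock, last_biometric_unlock, last_passcode_entry) - now
    return max(remaining, timedelta(0))


def demo():
    """Constructed sample timeline (not from the warrant): last unlocked by fingerprint
    at 09:00, passcode last typed six days and one hour earlier.
    Returns (allowed at 10:00, hours left at 10:00, allowed at 18:00, hours left at 18:00)."""
    last_unlock = last_biometric = datetime(2019, 4, 18, 9, 0)
    last_passcode = datetime(2019, 4, 12, 8, 0)
    out = []
    for hour in (10, 18):
        now = datetime(2019, 4, 18, hour, 0)
        out.append(biometric_unlock_allowed(now, last_unlock, last_biometric, last_passcode))
        left = biometric_window_remaining(now, last_unlock, last_biometric, last_passcode)
        out.append(left.total_seconds() / 3600)
    return tuple(out)


def demo_recent_passcode():
    """Same timeline, but the passcode was typed an hour before the last unlock, so
    condition (2) cannot close the window and the 48-hour rule governs instead.
    Returns hours left at 10:00."""
    last_unlock = last_biometric = datetime(2019, 4, 18, 9, 0)
    last_passcode = datetime(2019, 4, 18, 8, 0)
    now = datetime(2019, 4, 18, 10, 0)
    return biometric_window_remaining(now, last_unlock, last_biometric, last_passcode).total_seconds() / 3600


if __name__ == "__main__":
    print(demo())                 # (True, 7.0, False, 0.0)
    print(demo_recent_passcode())  # 47.0
```

In the constructed timeline the 8-hour clause, not the 48-hour one, is what closes the window, which is why a user who has not typed the passcode in nearly a week keeps only a few hours of biometric access after the last unlock.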

The warrant even gives the cops the right to force anyone in the apartment at the time of the raid to put their fingers on any mobile device they find – something that judges in other jurisdictions have balked at in the past.

What is notable about the warrant, surfaced this week by Law360, is that law enforcement is drawing a clear distinction between forcing someone to place their fingers on a phone to unlock it and forcing them to give officers the passcode to unlock it. The first is physical; the second is mental, and brings with it both Fourth and Fifth Amendment issues.

Also noteworthy is the fact that the agent draws a distinction between mobile phones and computers: the warrant explicitly notes that it does not apply to computers in the apartment and that they will not seize or search any computers they find.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/24/judge_forced_fingertoiphone_unlock/

Survey Shows a Security Conundrum

A new report examines and quantifies the conflicts and challenges faced by business security leaders.

A new survey illustrates how security executives are forced to embrace conundrums, conflicts, and confusion, in their jobs.

The report, from Glasswall Solutions, based on interviews with senior-level security executives in the US and UK, found that 85% rely heavily on employees as part of their defense and 40% consider employees to be the company’s sole “last line of defense” – while 40% say employees are a significant source of vulnerabilities.

Some 82% say that the network perimeter is where they most need to continue security investment; meanwhile, attention across the industry is shifting to cloud architectures and post-breach detection and response.

Another irony: 96% say they’ll continue to invest in antivirus solutions, but just 9% say that they have complete confidence in those products.

For more, read here.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/survey-shows-a-security-conundrum--/d/d-id/1334522?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Security Challenges to API Protection

Today’s application programming interfaces are no longer simple or front-facing, creating new risks for both security and DevOps.

All APIs are different inside, even if they’re using similar frameworks and architectures, such as REST. Under whatever architectural “roof,” the data protocols are always different — even when the structure is the same.

You’ve likely heard of specific protocol formats, such as REST, JSON, XML, and gRPC. These are actually data formatting and transportation languages that act as APIs’ spokes. Inside those formats is a lot of variation. These formatting languages are less “language” and more like airplanes that carry ticketed passengers that move through airports to get where they need to be. The languages passengers speak and their individual cultural details are highly different.

From a security perspective, the protocol itself does nothing. To be effective, security needs to translate the language and intention of each person coming through, not just let the passengers navigate freely.

Here are five challenges in API protection.

No Two Applications Are Alike
To protect an API, we also need to know how it was initially designed. It’s not just reading the code or the coding nuances. It’s reading and sorting through layers and permutations of codes that are influenced by technological complexity and human variation.

It’s impossible to imagine how exactly a particular developer designed a particular app. We know that one of the common underlying API frameworks, such as XML or gRPC, will be used in many cases. Still, the types of data, markups, and the application logic itself will be different.

Parsers are challenged by variation. To address how an app was specifically designed, parsers can require a lot of data to decode. To decode the more sophisticated cases, data may have to be decoded two or three times. You may find JSON inside one layer, but another iteration of code somewhere else. These chains and layers of code can be vast.
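The layered-decoding problem described above is easier to reason about with a concrete parser in hand. The following is an added example, not code from the article or from Wallarm, that unwraps JSON carried inside string values (bare, percent-encoded, or base64-wrapped), records which encoding layers it found, and refuses to go deeper than a configurable cap so that a crafted request cannot drive unbounded parser work. The layer names, the cap, and the sample payloads are all constructed for the example.

```python
import base64
import json
import urllib.parse

# Assumption: cap on how many nested encoding layers a single request may carry.
DEFAULT_MAX_LAYERS = 3


class DecodeDepthExceeded(ValueError):
    """Raised when a payload nests more encoded layers than the cap allows."""


def _looks_like_json(text):
    return text.lstrip()[:1] in ("{", "[")


def _try_decode_string(value):
    """Attempt to unwrap one encoding layer from a string value.

    Returns (decoded_object, layer_name) or None if the string is plain data.
    Checked in order: bare JSON, percent-encoded JSON, base64-wrapped JSON.
    """
    if _looks_like_json(value):
        try:
            return json.loads(value), "json"
        except ValueError:
            pass
    if "%" in value:
        unquoted = urllib.parse.unquote(value)
        if unquoted != value and _looks_like_json(unquoted):
            try:
                return json.loads(unquoted), "urlencoded-json"
            except ValueError:
                pass
    if len(value) >= 4 and len(value) % 4 == 0:
        try:
            raw = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            raw = None
        if raw is not None and _looks_like_json(raw):
            try:
                return json.loads(raw), "base64-json"
            except ValueError:
                pass
    return None


def deep_decode(value, layers, depth=0, max_layers=DEFAULT_MAX_LAYERS):
    """Recursively unwrap encoded JSON found inside string values.

    `layers` collects the name of every layer unwrapped, so a gateway or log line
    can record how deeply a request was nested. `depth` counts layers unwrapped
    on the current path; exceeding `max_layers` aborts the decode.
    """
    if depth > max_layers:
        raise DecodeDepthExceeded(f"more than {max_layers} nested encoding layers")
    if isinstance(value, dict):
        return {k: deep_decode(v, layers, depth, max_layers) for k, v in value.items()}
    if isinstance(value, list):
        return [deep_decode(v, layers, depth, max_layers) for v in value]
    if isinstance(value, str):
        unwrapped = _try_decode_string(value)
        if unwrapped is not None:
            inner, layer_name = unwrapped
            layers.append(layer_name)
            return deep_decode(inner, layers, depth + 1, max_layers)
    return value


def decode_with_report(body, max_layers=DEFAULT_MAX_LAYERS):
    """Parse a raw request body; return (fully decoded object, list of layers found)."""
    layers = []
    decoded = deep_decode(json.loads(body), layers, 0, max_layers)
    return decoded, layers


def build_sample_payload():
    """Constructed sample (not from the article): JSON whose 'meta' field holds
    percent-encoded JSON whose 'ship' field holds base64-encoded JSON."""
    innermost = json.dumps({"addr": "1 Main St", "carrier_code": "1Z999AA10123456784"})
    middle = json.dumps({"ship": base64.b64encode(innermost.encode()).decode()})
    return json.dumps({"order": "12345", "meta": urllib.parse.quote(middle)})


def build_nested_json_strings(n):
    """Constructed sample: a document with n layers of JSON-inside-a-JSON-string."""
    doc = json.dumps({"x": 1})
    for _ in range(n):
        doc = json.dumps({"p": doc})
    return doc


if __name__ == "__main__":
    print(decode_with_report(build_sample_payload()))
    print(decode_with_report(build_nested_json_strings(3), max_layers=3))
```

Only the fully unwrapped structure is what a rule engine should inspect; the recorded layer list is itself a useful signal, since legitimate clients of a given endpoint tend to use a fixed, shallow nesting and a request that suddenly arrives with extra layers is worth logging.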

Poor Communication Is Clogging Pipelines
To put in place rules for API protection, security teams need to understand what exactly a particular API endpoint should do and how it should be done. This information is supposed to come from the developers/DevOps team but often gets lost in cross-functional communication.

To understand how an API is supposed to function, security relies on documentation. Yet getting developers to write documentation for APIs and document carefully can be impossibly hard. That makes documentation unreliable.

When documentation is unreliable, aligning security with business goals for the API is difficult. Without the API’s business purpose, security can block or allow the wrong things. Imagine the API is supposed to communicate shipping details. The security team may assume that the data in the API will be the name and the street address of the receiving party. If an API includes a UPS or carrier stripe-code on the shipping label, the security solution is likely to block it as a potential attack because a postal address cannot technically look like that.

Internal APIs Also Need Protection
In addition to using APIs to connect two different systems, APIs are going internal, responding to the pace and scale of API evolution and new tech. It’s practically intuitive. Let’s say that you choose to develop your app in Kubernetes. A set of internal APIs will be used to manage the individual microservices from the Kubernetes controller and to send the data back and forth between the individual containers. This creates new security considerations and may require an overhaul of your security landscape.

Your security now needs to protect both these internal APIs and the front-facing ones. Within management APIs, you can add users and keys or grant access to any server there — making internal APIs a huge area of vulnerability. These internal APIs can also be more mission-critical. Together, this means that their security, and how they behave in relation to other APIs, has to be given consideration equal to or higher than that given to the externally facing connections.

Service APIs Create Additional Challenges
Modern times find us moving from physical servers to cloud services. Many of these cloud-based services (SaaS) allow consumers to connect via their browsers, like checking your email on a desktop. Many more SaaS are only available via APIs. These are service APIs. And they have added security challenges based on their high data volume and the total variations of security and authentication models. 

With service APIs, the two ends of the connection belong to two different businesses. Because they can’t trust one another, different security and authentication models need to be developed to protect each party.

APIs Are Not Web Apps
APIs behave completely differently from human requests to web apps, demanding new ways of thinking through security landscapes.

Imagine we want to protect a login API against credential-based attacks and we want to block all bots. However, all the clients of the API are designed as automated tools. That technically makes them function as bots. For example, an e-commerce organization might want to have logins for its retailers, distributors, or other end users. Now, to protect the API, the security solution has to be able to distinguish normal, legitimate bots (customers using automation) from illegal ones. On the surface, they look and behave the same from traditional security perspectives.

Mobile access, which faces a lot of traffic from technical bots, adds to the growing problem of distinguishing “good” versus “bad” bots. To boot, those bots only come from a handful of external IP addresses based on the provider. Bot protection for APIs may seem like a simple process, but in reality, it is an enormous undertaking.
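The difficulty described above, that legitimate automation and credential-guessing automation share the same few provider IP addresses, is easy to see on real log data. The following is an added example, not code from the article or from Wallarm, that runs two blocking strategies over a constructed login log: counting failures per source IP, which is what a web-app style control would do, and counting them per API client identity. The log format, field names, client identifiers, IP addresses, and threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log (not from the article). Three API clients share one
# provider egress IP (203.0.113.10); 'retailer-c' is being hit with guessed logins.
SAMPLE_LOG = """\
2019-04-24T10:00:01Z ip=203.0.113.10 client_id=retailer-a user=alice result=OK
2019-04-24T10:00:02Z ip=203.0.113.10 client_id=distributor-b user=bob result=OK
2019-04-24T10:00:03Z ip=203.0.113.10 client_id=retailer-c user=carol result=FAIL
2019-04-24T10:00:04Z ip=203.0.113.10 client_id=retailer-c user=carol2 result=FAIL
2019-04-24T10:00:05Z ip=203.0.113.10 client_id=retailer-a user=alice result=OK
2019-04-24T10:00:06Z ip=203.0.113.10 client_id=retailer-c user=carol3 result=FAIL
2019-04-24T10:00:07Z ip=203.0.113.10 client_id=retailer-c user=admin result=FAIL
2019-04-24T10:00:08Z ip=203.0.113.10 client_id=distributor-b user=bob result=OK
2019-04-24T10:00:09Z ip=203.0.113.10 client_id=retailer-c user=test result=FAIL
2019-04-24T10:00:10Z ip=203.0.113.10 client_id=retailer-c user=root result=FAIL
2019-04-24T10:00:11Z ip=198.51.100.7 client_id=retailer-d user=dave result=OK
"""

# Assumed log line layout; adjust the pattern to whatever your gateway emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) client_id=(?P<client>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5  # assumption: failures per key before a block decision


def parse_log(text):
    """Parse log lines into event dicts, skipping lines that do not match the layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_by(events, key):
    """Count FAIL results grouped by `key` ('ip' or 'client')."""
    counts = Counter()
    for e in events:
        if e["result"] == "FAIL":
            counts[e[key]] += 1
    return counts


def blocked_by(events, key, threshold=FAIL_THRESHOLD):
    """Keys whose failure count reaches the threshold."""
    return {k for k, n in failures_by(events, key).items() if n >= threshold}


def collateral_clients(events, blocked_ips):
    """Clients with successful logins that an IP-level block would also cut off."""
    return {e["client"] for e in events if e["ip"] in blocked_ips and e["result"] == "OK"}


def guessed_usernames(events, client):
    """Distinct usernames that failed for one client; a wide spread is the guessing signature."""
    return sorted({e["user"] for e in events if e["client"] == client and e["result"] == "FAIL"})


def compare_strategies(text=SAMPLE_LOG, threshold=FAIL_THRESHOLD):
    """Apply both strategies to the log and return what each would block."""
    events = parse_log(text)
    ip_blocks = blocked_by(events, "ip", threshold)
    return {
        "ip_blocks": ip_blocks,
        "collateral": collateral_clients(events, ip_blocks),
        "client_blocks": blocked_by(events, "client", threshold),
    }


if __name__ == "__main__":
    print(compare_strategies())
    print(guessed_usernames(parse_log(SAMPLE_LOG), "retailer-c"))
```

On the sample, the per-IP rule blocks the provider address and with it two clients that never failed a login, while the per-client rule isolates the one credential that is actually being abused. The practical consequence is that API bot controls need an identity to key on, such as the client credential, rather than the source address alone.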

The challenges in security stem from how APIs have evolved quickly from simple, front-facing APIs. They are no longer simple, nor only front-facing. APIs are nuanced and totally smudged with human fingerprints. And they are more layered every day. As API security becomes increasingly complex, it will be important for developers and security practitioners to consider these challenges as they move forward.


Ivan Novikov is CEO of Wallarm, a provider of AI-powered application security. He is also a white hat security professional with over 12 years of experience in security services and products. He is an inventor of memcached injection and SSRF exploit class as well as a …

Article source: https://www.darkreading.com/5-security-challenges-to-api-protection/a/d-id/1334475?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

TA505 Abusing Legit Remote Admin Tool in String of Attacks

Russian-speaking threat group has been targeting retailers and financial institutions in the US and abroad via a spear-phishing campaign.

Researchers from Cyberint have attributed a string of recent attacks against retailers and financial institutions in the United States and elsewhere to TA505, a financially motivated, Russian-speaking threat group known for distributing banking malware, exploit kits, and ransomware.

The security vendor’s conclusion is based on its analysis of indicators and behaviors associated with a spear-phishing campaign that targeted US-based retailers between December 2018 and March 2019 — and subsequent attacks on financial institutions in Italy, India, Chile, and elsewhere.

The attacks have leveraged a legitimate remote administration software product and long-familiar infection tactics to try and steal from targeted victims.

For enterprise organizations, the TA505 attacks are another reminder of how cyberattackers don’t always have to be very sophisticated to be very effective, says Jason Hill, lead cybersecurity researcher at Cyberint. “This is very much a case of a threat actor continuing to use tried-and-tested tactics because they work,” Hill says. “They’ll continue to do this so long as someone keeps falling for it.”

In a recent report, Cyberint said that TA505’s attacks on US-based retailers and organizations in the food and beverage industry last December began with a spear-phishing email containing a malicious Word document. When opened, the document would encourage the recipient to disable Microsoft Office’s security features and try to eventually get them to download a copy of Remote Manipulator System (RMS), a legitimate remote administration tool from Russian software vendor TektonIT.

RMS is available in both a commercial and a free version and is designed to give administrators a way to remotely access and manage Microsoft Windows and Android devices. By default, the tool, like most remote admin tools, is set up to alert users when it is being installed on a system, Hill says.

But like other remote admin tools, it also gives administrators the ability to completely switch off alerts, icons, and any other indicators of its presence on a system. In its attacks, TA505 actors have been doing exactly this and making RMS as silent as possible on infected systems, Hill notes.

Eli Salem, a security analyst at Cybereason, which is also scheduled to publish a report on TA505’s activities this week, says the remote admin tool gives attackers the ability to do enormous damage. “Once the attackers are inside, they can do whatever they want,” Salem says. This includes extracting data, stealing credentials, downloading additional malicious payload, and lateral movement. “Once the door is open, they just need to choose what they want to do with it,” he adds.

The TA505 group itself has been taking advantage of a feature in RMS that allows them to set up their own remote utilities server for communicating with and controlling infected clients. The server acts as the command-and-control (C2) server for the infected devices.

But TektonIT’s RMS product also includes a feature that allows attackers to achieve the same control without having to set up a separate C2 server — which has made the software particularly popular among unsophisticated attackers, Hill says. In fact, Cyberint has observed several other unsophisticated threat groups using RMS in attacks similar to the ones that TA505 has been executing because of how easy it is to abuse the remote admin tool.

Double-Edged Sword
Because RMS has legitimate uses, it is unlikely that antivirus and antimalware tools would typically flag its presence on a system as being necessarily malicious, he says. In addition, because of the manner in which attackers are using it, there is a possibility that some antivirus tools may detect it as potentially unwanted. Organizations can also block file hashes and communications associated with the remote admin tool, Hill says.

Cyberint researchers have also observed TA505 leverage a backdoor called ServHelper in targeted attacks against US financial organizations. Email security vendor Proofpoint reported on the threat earlier this year. ServHelper, like RMS, is downloaded via malicious macros in spear-phishing emails and comes in two forms: one that enables remote desktop functions and another that acts as a downloader for additional malware.

For enterprise organizations, the advice is the same as it has been with any phishing-related threat for the past several years.

“As an initial preventive measure, organizations must inform employees not to open any mail they receive because social engineering is still a very powerful tool that attackers tend to use,” Salem says. “Second, organizations need to keep an eye on any activity that seems out of the norm, even in seemingly legitimate and certified files or in processes that are legitimate in nature.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/ta505-abusing-legit-remote-admin-tool-in-string-of-attacks/d/d-id/1334526?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ex-student records himself using USB Killer to fry college computers

Malware isn’t the only toxin you can deliver to a computer via a USB key. Just ask Vishwanath Akuthota, who faces a potential ten-year stretch after frying at least 66 computers at his former college.

Akuthota originally pled not guilty to intentionally damaging a protected computer at the College of St. Rose, in Albany, New York. He then changed his plea, perhaps faced with evidence from Albany State Police, who investigated an incident there on 14 February 2019.

Harbouring an unspecified grudge, Akuthota entered multiple computer workrooms on campus and inserted a USB Killer device into their USB ports.

A USB Killer isn’t your granddad’s USB thumb drive. It is an adapted device that can fry an entire computer. Instead of a flash memory chip, its innards contain capacitors and a DC-DC converter that alters the voltage level of a direct current. This is a deadly combination for your average USB port, along with anything attached to it.

Inserting a USB Killer into a USB port causes it to draw an electrical current from the port and store it in the capacitors until the stored energy reaches a certain threshold. Then, the deadly USB stick reverses the charge, dropping all the stored energy back into the USB port at once. The electrical surge can fry the port, along with other electronic components such as the computer’s CPU.

Akuthota bought one of these devices online and delivered its powerful payload to 59 Windows workstations and seven Apple iMacs. He also tried to damage other hardware with it, the complaint against him says.

Not content with frying over $50,000 of computer equipment, the MBA graduate took home a memento, explains the complaint:

The defendant, using his personal iPhone, recorded himself inserting the ‘USB Killer’ device into computers and other hardware owned by the college, and making statements including, “I’m going to kill this guy,” then inserting the ‘USB Killer’ device into a USB port, and – after destroying the host device – stating “it’s dead”, and, in another instance, “it’s gone. Boom.”

Even if he hadn’t documented his own crime, Akuthota carried out his destructive spree in front of campus security cameras. The cops nabbed him within a week.

The hapless vandal must now pay back $58,471 to the college, covering the cost of hardware replacement and staff time. He also faces a maximum of ten years in prison followed by up to three years of supervised release, along with a potential $250,000 penalty.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q-wFG2EPIq8/

Brit spy chief: We need trust or we won’t have a ‘licence to operate in cyberspace’

Cyber UK 2019 GCHQ’s director-general has called for more public trust in the controversial British spy agency.

Jeremy Fleming told the Cyber UK conference in Glasgow this morning that his agency “must have the legal, ethical and regulatory regimes to foster public trust, without which we just don’t have a licence to operate in cyberspace”.

As well as the expected boilerplate about extending UK.gov’s surveillance and control of the internet in order to make Britain the “safest place in the world” online, Fleming also betrayed the eavesdropping agency’s Achilles’ heel: its public image.

In the post-Snowden world, even spies and related government agencies have recognised that without at least a base of public support for their aims, the wider tech industry will continue to shut them out by implementing ever more sophisticated levels of encryption in consumer-grade products.

Continuing a low-key theme that has been growing over the past few years, he also called for more public acknowledgement of GCHQ’s own hacking capabilities, saying the spy agency “has to have the ability in accordance with international law to project cyber power, to disrupt, deny or degrade our adversaries”.

“The point I want to make today is cybersecurity is an essential part of [a] wider cyber power framework. Indeed, I’d argue it’s the most important part,” he said. “If that’s true, getting cybersecurity right is critical for the UK’s future. Whilst I think we’ve made a good start, the next stage of our strategy is even more critical. It’ll need a national effort if it’s to succeed.”

In a wide-ranging speech, Fleming declared GCHQ “will continue to work closely with device manufacturers and online platform providers to build security into their products and services at the design stage. We will work with ISPs to enhance the security of internet-connected devices in the home,” adding that the spy agency “will share intelligence with banks to enable them to alert customers to threats in close to real time.”

He also praised the UK government’s “online harms” whitepaper and vowed that GCHQ would support its aims using “its unique insights into the structural vulnerabilities of the internet, in partnership with business, to detect, disrupt and fix malicious online behaviour”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/24/gchq_licence_operate_cyberspace_public_trust/

‘We’re not omnipotent,’ trills National Cyber Security Centre in open-armed pitch to UK biz

Cyber UK 2019 “We’re talking about how to design telecoms systems properly for the long term,” National Cyber Security Centre CEO Ciaran Martin told press at UK.gov’s infosec event in Glasgow today. “That is a bigger and sometimes different issue from the Chinese.”

In what could be perceived as an attempt to draw a line under this morning’s news of the National Security Council’s (NSC) decision to keep Huawei out of the core of British 5G networks, Martin said: “Do not think of 5G networks as some sort of amorphous blob where there’s a bit called ‘sensitive’ and a bit called ‘non-sensitive’.”

He later added, in reply to a question from El Reg, that “the decision, such as it would be, would be announced to Parliament” and that he had “never talked about NSC proceedings in 9.5 years [and was] not going to be able to start now”.

Martin was also careful to distinguish between the generalised “China is a cybersecurity threat” view and the NCSC’s specific technical remit, drawing a clear line between the two. While China, Russia and other cyber-naughty states are definitely on NCSC’s (and thus GCHQ’s) radar, they are secondary – in the public messaging, at least – to purely technical considerations.

“There’s a whole bunch of things about the way systems are designed that are really important, in terms of these networks, that are about the way they’re built,” he said, speaking at his customary fast clip, adding: “There’s a whole bunch of things around the threat from Russia.”

We’re all on the same side here, you know

As part of its general drive to shore up Britain’s tech security defences, the NCSC is also making an explicit pitch to industry by opening itself up to working with non-public-sector bodies, large and small alike.

Paul Chichester, the NCSC’s director of operations, said: “The first people we’ve been working with are ISPs and large communications service providers… it’s about building that out, making that the norm and not the exception.

“We’re not omnipotent, we don’t know every threat out there. As part of the [security] jigsaw we need industry to develop their own capabilities and we can add our own element to that. The other important part is being the catalyst for change in those organisations so they realise the importance and the value of doing ops, security, monitoring, detection, threat hunting, to get ahead of that threat. So what we’re trying to do is share knowledge but also in a much more strategic way.”

This will go down well with SMEs, though it may cause muted concern within larger, non-infosec-focused organisations that have dragged their feet on security matters.

As Ian Levy, NCSC technical director, put it: “I think we’re still seeing very common things happen that were happening 15 years ago. We’ve got to find some way of changing it. It’s obvious the way we’ve been trying to get people to change this hasn’t been working.”

The public messaging from Cyber UK is that GCHQ, via NCSC, wants to be seen as a helpful aide to the private sector, expanding its infosec presence from defending the public sector to defending Britain as a whole. As a pitch to wider industry, this may spur on the breakthrough the agency needs, in terms of public confidence, in order to discharge its expanding remit. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/24/ncsc_help_for_biz_public_pitch/

Microsoft Windows, Antivirus Software at Odds After Latest Update

This month’s Windows update has caused incompatibilities with software from at least five antivirus companies, resulting in slow boot times and frozen systems.

Microsoft’s April security update continues to cause problems with Windows computers running third-party antivirus software, with at least five companies’ products suffering slow start-up times or even an inability to boot the system.

McAfee is the latest security company to confirm that the Windows update is causing problems for its customers. Since April 18, the company has issued multiple advisories for its Threat Prevention 10.x, Host Intrusion Prevention 8.0, and VirusScan Enterprise 8.8 software, warning that a patch to Microsoft’s Client Server Runtime Subsystem (CSRSS) caused a deadlock with its software.

“We’re continuing to investigate the issue’s cause and updating our customers on our latest findings,” a company spokesperson said. “McAfee’s support team is providing customers a workaround until a solution can be identified, developed, and delivered.”

The problem first became apparent soon after the regularly scheduled “Patch Tuesday” update on April 9. Six days later, security firm Sophos warned that computers running older versions of Windows — not Windows 10 or Windows Server 2016 — will freeze at boot time if its Sophos Windows endpoint security software is installed.

“Sophos has received reports of computers failing to boot,” the company stated in an advisory. “Sophos is actively investigating this issue and will update this article when more information is available.”

Meanwhile, security firm Avast has issued a “micro-update” that fixes the issues its software has with the updates to Windows 7 and Windows 8.1, a spokesperson stated. 

“Upon reports of frozen login screens, we released micro-updates via our emergency updater tool to resolve,” the company said in a statement sent to Dark Reading. “Avast users need only boot their machine and let stand at the login screen for approximately 15 minutes while the updater runs in the background. Then, reboot the machine and it should now operate normally even with the aforementioned Windows updates installed.”

Security software makers Avira and ArcaBit were also impacted by the issue, according to Microsoft’s advisory.
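The risk window in every one of these reports is the same: the update is installed, the third-party antivirus driver is present, and the hang appears at the restart that activates the update. The script below is an added example for this page, not code from Microsoft or any of the named vendors, that checks a host for that combination before it is rebooted. It assumes the caller supplies the April 2019 KB numbers for the host's OS from Microsoft's release notes (none are hard-coded here to avoid guessing identifiers), that the file name Triage-AvUpdateHang.ps1 in the usage line is whatever you save it as, and that vendor detection can use the Security Center namespace on client SKUs with a service-name fallback on Server SKUs, where that namespace does not exist.

```powershell
<#
  Pre-reboot triage for the April 2019 Windows update / third-party antivirus boot hang.
  Added example for this page; not code from Microsoft or any antivirus vendor.
  Assumptions (not stated in the article):
   - $UpdateKBs is the list of April 2019 update KB IDs for this OS, taken by the caller
     from Microsoft's release notes; none are hard-coded here.
   - Vendor detection uses root/SecurityCenter2 on client SKUs and falls back to
     service display names on Server SKUs, where that namespace is absent.
  Run elevated. Usage (file name is whatever you saved this as):
    .\Triage-AvUpdateHang.ps1 -UpdateKBs KB1234567,KB7654321 -RemoveBeforeReboot
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string[]] $UpdateKBs,
    [switch]   $RemoveBeforeReboot
)

# Vendors named in the article and in Microsoft's advisory as affected.
$affectedVendors = 'Sophos', 'McAfee', 'Avast', 'Avira', 'ArcaBit'

# 1. OS check: only the NT 6.x line (Windows 7/8.1, Server 2008/2008 R2/2012/2012 R2)
#    hangs; Windows 10 and Server 2016 report 10.0.x and are not affected.
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$legacyOS = $os.Version -match '^6\.[0-3]\.'

# 2. Which of the affected vendors' products are present on this host?
$productNames = @()
try {
    $productNames += Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
        Select-Object -ExpandProperty displayName
} catch {
    Write-Verbose 'root/SecurityCenter2 not available (Server SKU); relying on service names.'
}
$productNames += Get-Service | Select-Object -ExpandProperty DisplayName
$vendorsPresent = $affectedVendors | Where-Object {
    $vendor = $_
    @($productNames | Where-Object { $_ -like "*$vendor*" }).Count -gt 0
}

# 3. Which of the April updates are already installed? Get-HotFix reports IDs as 'KBnnnnnnn'.
$installedKBs = Get-HotFix | Where-Object { $UpdateKBs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# 4. Is a reboot pending? The hang appears at the restart that activates the update, so a
#    host that has installed it but not yet restarted is the one worth catching.
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSVersion      = $os.Version
    LegacyOS       = $legacyOS
    VendorsPresent = ($vendorsPresent -join ', ')
    InstalledKBs   = ($installedKBs -join ', ')
    RebootPending  = $rebootPending
} | Format-List

if ($legacyOS -and $vendorsPresent -and $installedKBs) {
    Write-Warning "At risk: $($vendorsPresent -join ', ') installed alongside $($installedKBs -join ', '). Do not reboot yet."
    if ($RemoveBeforeReboot) {
        foreach ($kb in $installedKBs) {
            # wusa.exe takes the bare number; /norestart keeps the host up so removal can be confirmed first.
            $number = $kb -replace '^KB', ''
            Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$number /quiet /norestart" -Wait
        }
        Write-Warning 'Update removal requested; re-run this script and confirm InstalledKBs is empty before rebooting.'
    }
} else {
    Write-Host 'Not in the affected combination (legacy OS + affected vendor + April update).'
}
```

The script deliberately never reboots. The order matters: a machine that already shows the login-screen hang needs the safe-mode recovery path the vendors describe, whereas one that has merely staged the update can still have it removed cleanly with wusa, which is why the pending-reboot keys are reported alongside the update and vendor checks.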

This is not the first time that Windows has disagreed with major antivirus programs. In early 2018, Microsoft warned that the January 2018 update to various versions of Windows had caused compatibility issues with certain antivirus software. Antivirus developers often use undocumented functions to get around certain roadblocks put in place by Microsoft. The software giant blamed the antivirus firms for making “unsupported calls into Windows kernel memory.”

“We continue to require that AV software be compatible, and in cases where there are known issues of AV driver compatibility, we will block those devices from updates to avoid any issues,” Microsoft said in the advisory issued at the time. “We recommend customers check with their AV provider on compatibility of their installed AV software product.”

Two factors are likely converging to cause the issues for antivirus companies on Windows systems, says Nick Fritts, a senior software engineer with security firm Endgame. First, antivirus software runs at a privileged level on the system and in the critical path of many system operations. Second, Microsoft is updating the core components of Windows more frequently than in the past.

“Due to the nature of antivirus and security products, they are more likely to run into problems than other software,” Fritts says. “I think Microsoft is trying to strike a balance between keeping their operating system updated and not impacting customers. So far they’ve probably been too aggressive with update cycles, and that may be why they’ve added the new feature to allow for scheduled or declined version upgrades.”

It’s unclear how the increasing incidents of incompatibility will impact antivirus makers’ products. Microsoft has its own antimalware software, Windows Defender Antivirus, and in late 2018 announced that it can run in a sandbox. Sandboxing does not make the scanner less of a target; it limits what an attacker gains from exploiting a bug in the scanner’s content-parsing code, so that such a bug is less likely to hand over system privileges.

Antivirus firms’ continued reliance on undocumented function calls to give their software an advantage in scanning the operating system could cause future incidents of incompatibility, says Gabe Landau, principal software developer with Endgame.

“While antivirus companies can test for compatibility against past, current, and upcoming patch versions of Windows, it’s always a risk when assumptions are made about undocumented Windows behavior because that behavior can change, breaking assumptions,” Landau says. “Microsoft has no formal obligation to leave undocumented behavior of their software unchanged indefinitely, yet security companies cannot protect their customers using only the documented interfaces that Microsoft chooses to expose. It’s a hard problem.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/microsoft-windows-antivirus-software-at-odds-after-latest-update/d/d-id/1334512?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attackers Aren’t Invincible & We Must Use That to Our Advantage

The bad guys only seem infallible. Use their weaknesses to beat them.

Sixth and final installment in a series about the human element in cybersecurity. 

As we close out this series, we look outside of organizations to explore the human weaknesses of attackers. Unlike previous articles, in which we looked introspectively at the defenders and how to reduce mistakes, this installment examines the other side of the equation and how we can use attacker mistakes to our advantage.

Attackers
Attackers are humans just like defenders and so are subject to the same errors and imperfections that we are. They can be single operators, members of a larger crime syndicate, nation-state actors, rogue organizations, or any one of a number of other “hackers.” Their intent can be financial gain; retribution to an organization, individual, or employer; disruption or destruction; global dominance; or a variety of other motives. In this article, we use “attackers” to refer to the malware authors who develop the malware used in attacks, and the human hackers at the keyboard who utilize malware, social engineering, and other techniques to conduct cyberattacks on infrastructure, networks, applications, servers, data, and devices.

Common Mistakes
From the defender’s perspective, one of the most advantageous mistakes that attackers make is writing a bug, error, or vulnerability into their code. Malware authors, who are programmers like the ones we discussed in our previous article, are not perfect. Prime examples of their imperfections include the “kill switch” found in early WannaCry ransomware malware and, more recently, exception handling errors in LockerGoga ransomware.

In addition, attackers often rely on the same or similar attacks. Attackers who are constrained by resources, time, or capabilities may turn to standard exploit kits and regularly use the same malware. Even when the malware files differ, segments of the malware code are often recycled and reused. Different malware files often point to the same infrastructure, such as the same command and control IP in multiple attacks. Moreover, even when entirely novel malware is used, attackers consistently use the same tactics, techniques, and procedures (TTPs).

Repercussions
When attackers make mistakes, they sometimes simply fail at achieving their desired goals of stealing, spying, exploitation, or disruption and are forced to spend more resources on a given attack. Furthermore, they provide a weakness that defenders can use to their advantage to better prevent, detect, and respond to attacks.

Maximize Mistakes
While our series has been focused on helping defenders understand how to minimize their mistakes, now we want to turn the tables and maximize attacker mistakes.

We can best capitalize on attacker mistakes of coding errors, malware, and TTP reuse and recycling by aggregating and sharing this threat intelligence. With the right data, defenders can build dossiers on threat actors, identify attacker motives and means, and then use this knowledge to limit attacker opportunity through threat modeling. While organizations can, and often do, develop their own threat intelligence, the fast and frequent exchange of threat intelligence among defenders amplifies the positive impact of this work.

For example, if an organization hit with an attack immediately shares that information with its peers, it can essentially help create a “cyber vaccine” that prevents other organizations from falling victim to the same attack. This can be particularly critical in cases of attacker coding errors because identifying these errors often requires malware analysis. Many organizations lack those advanced capabilities and must rely on more sophisticated teams for that analysis. Some security vendors have already begun to incorporate this exchange. When one customer sees a new attack, the associated threat intelligence is extracted and then incorporated into the product for the benefit of every customer.

Organizations can also encourage attacker mistakes and make the cost of an attack higher for the attacker by deploying advanced capabilities such as deception technologies and moving target defenses, which force the attacker to run in circles looking for the target and allow defenders to learn attacker TTPs in the process. Overall, by understanding attackers and their attack profiles, defenders can create an environment where attackers must invest more to make an attack successful.

Change the Paradigm
While society is beginning to understand that cybersecurity attacks are common and difficult to prevent, some organizations are still reluctant to reveal attack details out of fear that doing so would reflect poorly on the organization. As the subject matter experts on cybersecurity, we defenders have the responsibility to educate non-cybersecurity folks on the inevitability of attacks — and breaches — so that both are viewed as part of the cost of doing business in today’s environment, and not weaknesses that were a result of someone dropping the ball. Organizations must be able to speak freely about attacks and incidents, without legal counsel restricting information-sharing out of concern that the data can and will be used against the organization in the future. With information sharing, we can collectively make the most out of attacker mistakes.

Conclusion
Cybersecurity is like an arms race. As we grow ever more dependent on technology and billions of interconnected devices, while generating an exponentially increasing volume of data (2.5 quintillion bytes per day at our current pace), we know that attackers will evolve and advance. Therefore, we defenders must evolve and advance as well. And we can make great strides toward doing so, toward getting better at our game and leveling the playing field, by recognizing and minimizing the inevitable human error of end users, security leaders, security analysts, IT security administrators, and programmers, and by maximizing the equally inescapable error of attackers.


Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and …

Article source: https://www.darkreading.com/vulnerabilities---threats/attackers-arent-invincible-and-we-must-use-that-to-our-advantage/a/d-id/1334437?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple