STE WILLIAMS

WHOIS embarrassed about security? APNIC, after database leaks

Asia’s internet numbers registry APNIC has apologised to network owners after a slip in its WHOIS database config leaked credentials, including weakly-hashed passwords.

The breach affected those in the regional registry’s Maintainer and Incident Response Team (IRT) database objects. During a June 2017 upgrade, those details were included in downloadable WHOIS data.

“Maintainer” is the administrative object that restricts who is allowed to edit other objects in the APNIC database; the IRT object identifies who receives abuse reports.

Chris Barcellos of eBay’s Red Team noticed the data on a third-party website on October 12 and notified APNIC. The registry’s deputy director general Sanjaya* writes that the database configuration was fixed on October 13, and the relevant passwords were subsequently reset.

Had an attacker been able to recover the passwords, they could have altered WHOIS information or hijacked IP address blocks.

As this configuration guide shows, one of the authentication options available is CRYPT-PW, the traditional Unix crypt(3) scheme. It is weak not because the hash can be reversed but because it truncates passwords to eight characters and is cheap to compute, so a leaked hash can be brute-forced offline in short order.
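The check a registry or network operator would want after a leak like this is a scan of the dump itself: which maintainer objects still carry a password hash, and which scheme each one uses. The script below is an added example, not APNIC code; the RPSL objects in it are constructed for illustration and the hash strings are placeholders, not real credentials. The strength ratings are the auditor's judgement, not an APNIC classification.

```powershell
# Added example (not APNIC code): scan an RPSL/WHOIS text dump for maintainer
# objects whose 'auth:' attributes still carry a password hash, and rate each
# scheme. The objects below are constructed for illustration and the hash
# strings are placeholders, not real credentials.

$SampleDump = @'
mntner:         MAINT-EXAMPLE-AP
descr:          Example maintainer (constructed)
auth:           CRYPT-PW abXYZ123456789
auth:           MD5-PW $1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

mntner:         MAINT-FILTERED-AP
descr:          Hash replaced by a placeholder, as a public dump should do
                (constructed)
auth:           MD5-PW # Filtered
mnt-by:         MAINT-FILTERED-AP
source:         APNIC

mntner:         MAINT-PGP-AP
descr:          Maintainer authenticating with PGP (constructed)
auth:           PGPKEY-0123ABCD
source:         APNIC
'@

# Relative strength of the schemes seen in RPSL 'auth:' attributes. CRYPT-PW is
# traditional DES crypt(3): password truncated to 8 characters, 12-bit salt,
# fast to brute-force offline. The ordering is the auditor's judgement.
$AuthStrength = @{
    'CRYPT-PW'  = 'weak'
    'MD5-PW'    = 'moderate'
    'BCRYPT-PW' = 'strong'
    'PGPKEY'    = 'strong'
    'X509'      = 'strong'
}
$PasswordSchemes = @('CRYPT-PW', 'MD5-PW', 'BCRYPT-PW')

function ConvertFrom-Rpsl {
    # Split a dump into blank-line separated objects; each object maps a
    # lower-cased attribute name to the list of its values. Lines starting
    # with whitespace or '+' continue the previous attribute.
    param([string] $Text)
    $objects = New-Object System.Collections.ArrayList
    $current = $null
    $lastKey = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.Trim() -eq '') {
            if ($null -ne $current) { [void] $objects.Add($current); $current = $null; $lastKey = $null }
            continue
        }
        if ($null -eq $current) { $current = [ordered] @{} }
        if ($line -match '^[\s+]' -and $lastKey) {
            $values = $current[$lastKey]
            $values[$values.Count - 1] += ' ' + $line.TrimStart(' ', "`t", '+').Trim()
            continue
        }
        if ($line -notmatch ':') { continue }              # malformed line: skip
        $key, $value = $line -split ':', 2
        $key = $key.Trim().ToLower()
        if (-not $current.Contains($key)) { $current[$key] = New-Object System.Collections.ArrayList }
        [void] $current[$key].Add($value.Trim())
        $lastKey = $key
    }
    if ($null -ne $current) { [void] $objects.Add($current) }
    return , $objects
}

function Get-AuthClassification {
    # Return scheme, strength and whether a hash value is actually present;
    # a properly filtered dump replaces the hash with a comment ('# Filtered').
    param([string] $AuthValue)
    $scheme, $rest = $AuthValue.Trim() -split '\s+', 2
    $scheme = $scheme.ToUpper()
    if ($scheme -like 'PGPKEY-*') { $scheme = 'PGPKEY' }
    $strength = if ($AuthStrength.ContainsKey($scheme)) { $AuthStrength[$scheme] } else { 'unknown' }
    $exposed = ($PasswordSchemes -contains $scheme) -and
               (-not [string]::IsNullOrWhiteSpace($rest)) -and
               (-not $rest.TrimStart().StartsWith('#'))
    [pscustomobject] @{ Scheme = $scheme; Strength = $strength; HashExposed = $exposed }
}

function Find-ExposedMaintainerHashes {
    param([string] $DumpText)
    foreach ($obj in (ConvertFrom-Rpsl -Text $DumpText)) {
        if (-not $obj.Contains('mntner')) { continue }
        foreach ($auth in $obj['auth']) {
            $c = Get-AuthClassification -AuthValue $auth
            [pscustomobject] @{
                Maintainer  = $obj['mntner'][0]
                Scheme      = $c.Scheme
                Strength    = $c.Strength
                HashExposed = $c.HashExposed
            }
        }
    }
}

# A row with HashExposed = True needs a password reset, not just a config fix:
# the hash has already left the building, and a weak scheme makes it a short job.
Find-ExposedMaintainerHashes -DumpText $SampleDump | Format-Table -AutoSize
```

Run against a real dump, MAINT-EXAMPLE-AP is the case the article describes (a CRYPT-PW hash sitting in public data), MAINT-FILTERED-AP is what a correctly configured export looks like, and MAINT-PGP-AP shows a maintainer with nothing reusable to leak.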

APNIC says it hasn’t found evidence of malicious activity as the result of the breach. Had anybody altered the records, it would not have been permanent, since “authoritative registry data is held internally by APNIC”. ®

* Sanjaya uses just one name.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/apnic_plugs_database_leak_resets_passwords/

Security pros’ advice to consumers: ‘We dunno, try 152 things’

A Google-conducted survey of 231 infosec pros worldwide has reaffirmed the industry’s faith in strong passwords, and achieved consensus about nothing else.

It’s almost unfair to make fun of the study’s title, “152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users”, because that’s clearly an editorial slip-up (the document [PDF] also includes the note, “ED: Please provide section title”).

What’s clear is that infosec types can’t agree, on an industry-wide basis, on the content of anything like the Australian Signals Directorate’s (ASD’s) enterprise-focussed “Essential Eight” safety strategies.

Hence: by asking 231 security pros for their top three pieces of advice, the suffering authors of the study (Robert Reeder, Iulia Ion, and Sunny Consolvo) ended up with a list 152 items long. As the paper dryly notes, “future work is needed to distill the 152 pieces of advice and communicate to users the most important ones”.

The better news, threading through that quagmire, is that at least the most-cited advice was reassuringly “don’t be stupid” stuff. Here, we pick out everything with more than 30 mentions:

However, to Vulture South’s eagle eye (sorry), it’s depressing how many things we’d consider obvious lacked traction even among experts.

Two of these least-mentioned strategies (backup and privilege limitation) are on the ASD’s “Essential Eight”, so why experts didn’t agree on their importance is a mystery.

As our Googlers said, “it’s perhaps unsurprising that users don’t follow all the advice on offer—there’s a lot of it, it spans diverse areas, and it’s not clear where to start. Users are probably not receiving a consistent message on what’s most important and exactly what to do in each area”.

We couldn’t agree more. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/googles_security_advice_we_dunno/

Kaspersky Lab Offers Up its Source Code for Inspection

Beleaguered security vendor fights back against Russian-spying claims with new transparency program aimed at assuaging concerns.

Under intense political and market pressure in the wake of reports that its software was used by Russian nation-state cyberspies to steal US National Security Agency secrets, security firm Kaspersky Lab today announced it will allow independent third parties to review its source code as well as its internal processes and business operations.

The initiative follows a pledge made by Kaspersky Lab chairman and CEO Eugene Kaspersky in early July to share his firm’s source code with the US government as a show of good faith. The Trump administration last month ordered US federal agencies to uninstall Kaspersky Lab software and services from their systems, citing national security concerns over possible ties between “certain Kaspersky officials and Russian intelligence and other government agencies” as well as Russian law that allows intelligence agencies there to “request or compel” help from the security firm to intercept communications across Russian networks.

Eugene Kaspersky and his firm have vehemently denied helping the Russian government with any cyber espionage efforts, and the company said it had no knowledge of a recently reported breach of an NSA employee’s home computer via the Kaspersky AV software running on it. The software was used to steal classified information and tools from the US spy agency, according to the reports, which allege the firm was complicit either by assisting in the heist or by selling software that was abused by Russian hackers.

The new transparency program indicates that the security firm has no plans to fade away under intense pressure by US officials and loss of commercial sales outlets such as Best Buy, which recently pulled the software from its shelves after the various reports of possible Russian government ties.

Kaspersky Lab did not name the third parties who will be performing its code reviews, but said it’s looking for experts with experience in software and assurance testing. The reviews will entail technical audits, code base reviews, vulnerability assessments, architectural risk analysis, and secure development lifecycle process reviews, according to the company. “Taking a multi-stakeholder approach, we welcome input and recommendations from interested parties at [email protected],” the company said in response to questions about the new program, which it calls the Global Transparency Initiative.

The first phase of the program includes the kickoff of an independent review of Kaspersky Lab’s source code by the first quarter of 2018, and subsequent reviews of updates and threat detection rules to then get similar vetting. The company also will launch an independent analysis of its secure development lifecycle processes and its software and supply chain risk mitigation practices during the first quarter.

Kaspersky Lab in Q1 also will work with an outside party to develop additional controls for its data processing practices, and also will set up the first of three Transparency Centers where “trusted partners” can inspect code, software updates, threat detection rules, and related operations by Kaspersky Lab. The centers will be based in Asia, Europe, and the US, and will be completed by 2020.

By the end of this year, Kaspersky Lab also will up its bug bounty awards to $100,000 for the most critical vulnerabilities.

Chris Wysopal, CTO of Veracode, which offers source code analysis, says the code and development process inspection announced by Kaspersky Lab is “good news” and should be adopted by all security vendors for their software. “Security software requires an enormous amount of trust from its users because of the privileged access that is granted security software for it to work,” he says. “Add in dynamic software updates and dynamic rule updates and you have allowed an external party complete access to your computer.”

Because software today gets updated on a continuous basis, a third-party review should occur for each update, he says, which Kaspersky has announced it will do. “A third-party review of the integrity of the SDLC and software supply chain is something all vendors should be providing to their customers, as almost all software is putting customers at varying levels of risk from vulnerabilities or backdoors.”

When asked if Veracode was one of the third parties that will inspect Kaspersky Lab’s code, Wysopal said he could neither confirm nor deny it was working with the security firm. Veracode typically has nondisclosure agreements with customers, for example, he says.

Fidelis Cybersecurity’s John Bambenek says Kaspersky Lab’s new program may help, but the reported allegations, attributed to Israeli intelligence, that hackers searched Kaspersky Lab’s telemetry for classified information were especially damaging. He says the new controls Kaspersky Lab has planned for how data gets processed “might” address those allegations, but it’s not yet clear.

“It certainly is a bold step Kaspersky is taking, and that they don’t plan to retreat from the North American market quietly,” says Bambenek, Fidelis’ threat systems manager. “What this actually shows is that there might need to be best practices and rules all cybersecurity companies adhere to worldwide because the accusations against Kaspersky by the US today could easily be the accusations against a US company by another country tomorrow.”

He says transparency and specific rules on how to handle user information by AV firms has been “long overdue.”

Veracode’s Wysopal concurs that the Kaspersky Lab program makes sense. But code-vetting still won’t stop nation-states from abusing software and networks via backdoors and covert channels, which can be more difficult to police. “Due to the nature of software and networks, I don’t think the risk can be entirely eliminated through transparency when it is nation-state risks we are dealing with,” Wysopal says.

When asked how the transparency program addresses recent concerns about Kaspersky Lab’s alleged relationship with the Russian government, Kaspersky Lab provided this statement: “Recent allegations aside, Kaspersky Lab company understands that as nations compete in cyberspace, IT security vendors must independently validate the assurance and integrity of their products in addition to their efficacy and effectiveness. As a cybersecurity company in operation for over 20 years, Kaspersky Lab has launched its Global Transparency Initiative to reiterate its industry leadership on not only providing great cybersecurity products and solutions, but also to demonstrate its continued willingness to go above and beyond to protect its customers.”

Eugene Kaspersky says the new initiative is all about showing the firm’s openness and transparency. “We’ve nothing to hide. And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”

He also called for curbing “attempts to introduce national boundaries in cyberspace” because cybersecurity requires multinational cooperation and “has no borders.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/kaspersky-lab-offers-up-its-source-code-for-inspection/d/d-id/1330195?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Windows 10 Update Aims to Block Attackers’ Behavior

Microsoft protects machines from common attacker behaviors with security updates in Windows 10.

Microsoft unlocked a host of new security and management features in the Windows 10 Fall Creators Update, which started rolling out last week. One of its new tools, Windows Defender Exploit Guard (WDEG), aims to protect businesses from ransomware by blocking common attacker behaviors.

Several studies point to the growth of ransomware hitting enterprise victims. Dark Reading found 35% of businesses were hit with ransomware in the past year, and only 27% believe current anti-malware tech is effective in preventing ransomware.

It’s not uncommon for victims to get tricked twice. An ESG Research Insight Report found many organizations have a recurrence of ransomware attacks, with 22% of 300 IT and security pros saying the same ransomware re-infected the same endpoints, and 38% claiming the same ransomware affected other endpoints within the business. Nearly half (46%) had been hit.

Microsoft is aiming to shrink the attack surface for next-gen malware with Windows Defender Exploit Guard, a suite of intrusion prevention tools shipping with the Fall Creators Update. The set includes four parts created to block a range of attack vectors and actor techniques:

  • Attack Surface Reduction (ASR): Rules that block Office-, script-, and email-based behaviors to keep malware from landing on the machine
  • Network Protection: Blocks outbound connections from any process to untrusted hosts or IP addresses, using Windows Defender SmartScreen reputation, to defend against web-based threats
  • Controlled Folder Access: Blocks untrusted processes from modifying protected folders that hold sensitive data
  • Exploit Protection: System-wide and per-application exploit mitigations that replace EMET

Peter Firstbrook, Vice President at Gartner, says the idea is to get at the root cause of how attackers launch ransomware. Currently, AV systems mitigate ransomware by detecting and eliminating malicious files once they are on the endpoint. The problem is, attackers evade these technologies with new tactics to compromise endpoints and execute ransomware without writing anything to disk.

“Attackers are a pretty creative bunch,” he explains. “They may just move on to different types of applications and files, or find a way around it … we need to make it harder for attackers, and that’s really the key theme here with Windows.”

Instead of building security tools to react to new forms of malware, Firstbrook points out how companies like Microsoft, CrowdStrike, and Carbon Black are creating more proactive systems that anticipate hackers’ behavior and defend against it.

ASR, one component of WDEG, was built on the idea that email and Office apps are common attack vectors that let actors run fileless attacks. It blocks the behaviors malicious documents rely on to execute; for example, it can stop Office apps from injecting code into other processes.

Controlled Folder Access, another, locks down critical folders so only authorized applications can modify files there. Unauthorized apps, including malicious and suspicious executables, DLLs, and scripts, are denied even when they are running with administrator privileges.

Controlled Folder Access protects common folders, which contain documents and important data, by default. It’s flexible, though: admins can add other folders they want protected, and can allow trusted apps, such as a unique or custom line-of-business app, to access protected folders. Users are alerted when unauthorized apps attempt to access or change files in protected folders.
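The four components above are all switched on through the Defender cmdlets, and the practical caveat is to stage them in audit mode first and read the Exploit Guard event log before enforcing. The script below is an added example, not Microsoft documentation or product code; the ASR rule GUIDs are the published identifiers for the rules named in the comments, while the custom folder, the line-of-business application path and the process name are placeholders.

```powershell
# Added example (not Microsoft code): stage Windows Defender Exploit Guard on a
# Windows 10 1709+ host with the built-in Defender cmdlets. Run elevated.
# D:\Finance\Ledgers, ledger.exe and its install path are placeholders.
#Requires -RunAsAdministrator

# --- 1. Attack Surface Reduction: rules by GUID ---
# Actions: Disabled, AuditMode, Enabled. Start in AuditMode, review event ID 1122
# (audit) / 1121 (block) in Microsoft-Windows-Windows Defender/Operational,
# then re-run with Enabled once the false positives are understood.
$AsrRules = @{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
foreach ($id in $AsrRules.Keys) {
    Write-Host "ASR (audit): $($AsrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# --- 2. Network Protection: outbound connections to low-reputation hosts ---
# AuditMode logs event 1125; Enabled blocks and logs 1126.
Set-MpPreference -EnableNetworkProtection AuditMode

# --- 3. Controlled Folder Access ---
# Enabled blocks and logs 1123; AuditMode only logs 1124. Default folders
# (Documents, Pictures, Desktop, ...) are covered without listing them.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'               # placeholder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\ledger.exe'  # placeholder

# --- 4. Exploit Protection: per-process mitigations that replace EMET ---
# Mitigation names match the Exploit Protection UI (DEP, SEHOP, BottomUp, ...).
Set-ProcessMitigation -Name 'ledger.exe' -Enable DEP, SEHOP, BottomUp, HighEntropy  # placeholder process

# --- Verify what actually took effect ---
$p = Get-MpPreference
[pscustomobject] @{
    AsrRuleIds        = $p.AttackSurfaceReductionRules_Ids -join ','
    AsrRuleActions    = $p.AttackSurfaceReductionRules_Actions -join ','
    NetworkProtection = $p.EnableNetworkProtection
    CfaState          = $p.EnableControlledFolderAccess
    CfaFolders        = $p.ControlledFolderAccessProtectedFolders -join ';'
    CfaAllowedApps    = $p.ControlledFolderAccessAllowedApplications -join ';'
} | Format-List
Get-ProcessMitigation -Name 'ledger.exe'

# Recent Exploit Guard audit/block events (ASR 1121/1122, CFA 1123/1124, NP 1125/1126)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124, 1125, 1126
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The audit-first ordering matters: an ASR rule such as "block Office child processes" will fire on legitimate macros and add-ins in some environments, and the 1122 audit events tell you which ones before anything is actually blocked.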

“These are more durable changes than the traditional signature-based antivirus approach where we say, ‘Is the file good or bad?'” says Firstbrook. “Instead of issuing a new signature, [Microsoft] is saying ‘Why are they successful, and let’s deal with the root cause.'”

The decision to push automatic updates will also ultimately benefit companies in the fight against ransomware. “With continuous updates, and focus on security, they’re responding quickly to changing attack patterns on the OS they weren’t before,” he adds.

Microsoft isn’t the only company buckling down on endpoint security. The growth of ransomware has motivated businesses to think beyond traditional antivirus and host intrusion prevention systems, and build next-gen tools that don’t rely on signatures to detect malware.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/windows-10-update-aims-to-block-attackers-behavior/d/d-id/1330194?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Critical Infrastructure Target of Russia-Linked Cyberattacks

Attacks have been under way since May, targeting energy, nuclear, aviation, water, and manufacturing, FBI and DHS say.

Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned.

In an advisory issued late last week, the Department of Homeland Security (DHS) and the FBI said the threat activity has been ongoing since at least May 2017 and appears to be the handiwork of the Dragonfly advanced persistent threat (APT) group.

The group has been using a combination of tactics and techniques to break into victim networks including information harvesting using open-source reconnaissance, spear-phishing emails from compromised legitimate accounts, credential-gathering, and using watering-hole domains for hosting malware. Once on a victim’s network, the attackers have focused on finding and browsing information pertaining to Supervisory Control and Data Acquisition (SCADA) systems and control systems.

Dragonfly, also known as Energetic Bear, is a Russia-linked group that is suspected of numerous attacks on organizations in the manufacturing, pharmaceutical, industrial, and construction sectors globally since 2011. Symantec in September had warned about renewed attacks by the group against energy sector targets in the US and Europe. The DHS/FBI alert basically confirms the findings in the report, while noting that the campaign has included targets across multiple critical infrastructure sectors – not just the energy sector.

“This is the first time we are seeing such a widespread campaign that is specifically targeting industrial control systems which are responsible for managing and controlling the physical processes in nuclear, water, aviation, and critical manufacturing sectors,” says Dana Tamir, VP of market strategy for Indegy.

The DHS and FBI advisory, which includes indicators of compromise and other pointers, described Dragonfly’s activity as an ongoing “multi-stage intrusion campaign.” The threat actors are targeting small and relatively low-security partner and peripheral networks to gain access to high-value asset owners in the energy and other sectors.  

The initial, or “staging,” victims are not opportunistic targets. Instead, they are carefully chosen for their pre-existing relationships with the intended victim. Their networks, once compromised, are being used as malware repositories and as pivot points for gaining access to the network of the final intended victims, the DHS and FBI said.

Nearly 50% of the known watering holes being used in the campaign to serve malware on target networks are trade publications and informational websites related to critical infrastructure, ICS and process control, the advisory said.

There is little evidence that the attackers are using any zero-day vulnerabilities, or particularly sophisticated tools to gain access to their intended victim’s network. Rather, they have been using publicly available information to identify intended targets and craft customized spear-phishing campaigns for gathering credentials and information.

In instances where the threat actors managed to obtain a legitimate user’s credentials, they have used the credentials to gain access to the victim’s network and to download malware on it from remote servers. In some cases the malware created a user account and attempted to convert it to an administrator account with privileged access rights. The malware also disabled the host-based firewall on the compromised system and opened ports that would allow an attacker remote access to the system.
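The sequence in that paragraph (a new local account, an attempt to elevate it, the host firewall switched off, ports opened) is visible in the Windows Security log as ordinary audit events, so it can be turned into a detection without any campaign-specific indicator. The script below is an added example, not DHS/FBI or Symantec tooling; the event records are constructed for illustration, the hostnames and account names are placeholders, and the scoring weights are an analyst's judgement rather than anything from the advisory.

```powershell
# Added example (not DHS/FBI or Symantec code): correlate the host-level
# behaviour described in the advisory from Windows Security-log events:
#   4720 user account created, 4732 member added to a local group,
#   4950 firewall setting changed, 5025 firewall service stopped,
#   4946 rule added to the firewall exception list.
# Records below are constructed; on a live host the same fields come from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720,4732,4946,4950,5025 }
# and each event's Properties array. Hosts and accounts are placeholders.

$SampleEvents = @(
    [pscustomobject]@{ Time='2017-10-20T02:14:03'; Host='ENG-WS-07'; Id=4720; Subject='CORP\jdoe';     Target='svc_backup'; Group=$null }
    [pscustomobject]@{ Time='2017-10-20T02:14:05'; Host='ENG-WS-07'; Id=4732; Subject='CORP\jdoe';     Target='svc_backup'; Group='S-1-5-32-544' }
    [pscustomobject]@{ Time='2017-10-20T02:14:40'; Host='ENG-WS-07'; Id=4950; Subject='CORP\jdoe';     Target='Public profile: Enable Firewall = No'; Group=$null }
    [pscustomobject]@{ Time='2017-10-20T02:15:01'; Host='ENG-WS-07'; Id=4946; Subject='CORP\jdoe';     Target='Allow inbound TCP 3389'; Group=$null }
    [pscustomobject]@{ Time='2017-10-20T09:30:12'; Host='HR-WS-02';  Id=4720; Subject='CORP\helpdesk'; Target='m.smith';    Group=$null }
)

# Well-known SID of the local Administrators group.
$LocalAdminsSid = 'S-1-5-32-544'

function Find-SuspiciousAccountCreation {
    # For every account creation, look at what happened on the same host in the
    # following window and score the follow-on events. Weights are the
    # analyst's judgement: elevation of the new account is the strongest signal.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 30,
        [int] $AlertThreshold = 3
    )
    foreach ($created in ($Events | Where-Object Id -eq 4720)) {
        $start = [datetime] $created.Time
        $end   = $start.AddMinutes($WindowMinutes)
        $followOn = $Events | Where-Object {
            $_.Host -eq $created.Host -and [datetime] $_.Time -gt $start -and [datetime] $_.Time -le $end
        }
        $score = 0
        $indicators = New-Object System.Collections.Generic.List[string]
        foreach ($e in $followOn) {
            switch ($e.Id) {
                4732 {
                    if ($e.Target -eq $created.Target -and $e.Group -eq $LocalAdminsSid) {
                        $score += 3; $indicators.Add('new account added to local Administrators')
                    }
                }
                4950 { $score += 2; $indicators.Add("firewall setting changed: $($e.Target)") }
                5025 { $score += 2; $indicators.Add('firewall service stopped') }
                4946 { $score += 1; $indicators.Add("inbound rule added: $($e.Target)") }
            }
        }
        if ($score -ge $AlertThreshold) {
            [pscustomobject] @{
                Host       = $created.Host
                Account    = $created.Target
                CreatedBy  = $created.Subject
                Score      = $score
                Indicators = ($indicators -join '; ')
            }
        }
    }
}

# ENG-WS-07 scores 6 and is reported; the HR-WS-02 onboarding has no follow-on
# events and stays quiet.
Find-SuspiciousAccountCreation -Events $SampleEvents | Format-List
```

Two things to keep in mind when moving this to real logs: the Security log only carries 4720/4732 if account-management auditing is enabled, and 4946/4950 require the "Filtering Platform Policy Change" / "MPSSVC Rule-Level Policy Change" subcategories, so the detection is only as good as the audit policy on the staging hosts the advisory says are being hit first.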

In addition to energy companies, others being targeted include organizations in the government, nuclear, aviation, water, and critical manufacturing sectors. The threat actors have succeeded in penetrating the networks of at least some of the intended targets, the advisory said.

“Threats to industrial control systems and critical infrastructure networks are definitely on the rise,” says Patrick McBride, chief marketing officer at Claroty. “We’ve arguably seen more threat activity in this space in the past four- to five months than the past three years.”

So far, the attacks have not caused actual physical disruption. But the theoretical is becoming reality, McBride says. “We need to recognize that nation-states are going to continue laying the groundwork for potential disruption in these networks. It is a logical action as a component of any potential conflict.”

Phil Neray, vice president of industrial cybersecurity at CyberX, says the FBI and DHS warning highlights the urgent need to address security weaknesses in US industrial control networks. Real-world network data that CyberX collected over the past 18 months from 375 industrial networks worldwide shows that operational technology (OT) networks are riddled with vulnerabilities.

CyberX’s data, contained in a soon-to-be published report, showed that industrial networks are not as air-gapped and isolated as many might imagine, with some one-third of them connected to the Internet. More than 75% of the sites had obsolete Windows technology such as XP and Windows 2000; 60% had plain-text passwords traversing their control networks; and 50% of the sites used no antivirus software at all.

“The data we’ve collected from real-world OT networks shows that once the adversaries get into the OT, it’s relatively easy for them to move around and compromise industrial devices that control physical processes such as assembly lines, mixing tanks, and blast furnaces,” he says.

Related Content: ‘Dragonfly’ APT Now Able to Disrupt US Power Grid Operations, Symantec Warns


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/us-critical-infrastructure-target-of-russia-linked-cyberattacks/d/d-id/1330196?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Unpatched Bugs Rampant on Mobile Devices in Financial Services Firms

More than a quarter of mobile devices used by financial services employees carry known vulnerabilities, according to a recent report.

Many financial services employees are toting around unpatched mobile devices, putting their companies and customers at risk of a data breach, a recent report found.

More than 25% of mobile devices used by financial services employees had unpatched vulnerabilities, according to Symantec’s Q2 2017 Mobile Threat Intelligence Report: Mobility and Finance.

The data, gleaned from Symantec’s endpoint mobile security software and other sources, also found that 15% of employees’ mobile devices at financial services institutions had been exposed to a malicious network, while three in every thousand devices were infected with malware.

“If I read this report and I was Procter & Gamble, I would be asking my bank, what you are doing to protect my data when your executives are connecting to suspicious WiFi networks, or how many of your employees have phones with malware?” says Varun Kohli, a senior director at Symantec. “I would be asking these questions because my data is at risk.”

And although corporate customers may find there is little they can do to protect themselves from the actions – or lack of actions – that their financial services company is taking, Kohli says that may change in the future.

“I hear enterprises are asking their software vendors to take certain steps to protect their information, but I have not heard this of the banks,” Kohli says. “But companies need to also ask this of their business partners, too.”

Patching Problem

Although Apple and Google may regularly patch vulnerabilities, employees at financial institutions may be unaware of the patch notifications. In part, Apple is able to push its patches out relatively easily since it controls both the hardware and software, whereas the task is more challenging for Android.

When Google issues a patch, it has to be delivered to the device manufacturer, which then performs its own version of the update if it decides to issue a patch for the flaw at all, Kohli says. 

Other findings in the report include a general lack of good mobile security hygiene. For example, more than 13% of mobile devices used by financial services employees lack the latest major OS version, while 99% do not have the latest minor update issued by Google or Apple, the report found.

Some 4.6% of iOS users in this sector have yet to install the latest mobile operating system, compared to 47.8% for Android, according to the report.

Despite those results, the financial services industry as well as the healthcare sector tend to institute more frequent updates than all industries overall, Kohli says. He notes both industries suffer the most attacks because of their valuable information and data and, as a result, more is spent to secure those industries and the devices they use.

“They are early adopters of security; but even then, we are seeing problems,” Kohli says. “I was very surprised at the results. I would have expected the number in the financial services industry to be lower.”


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/attacks-breaches/unpatched-bugs-rampant-on-mobile-devices-in-financial-services-firms/d/d-id/1330197?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What the KRACK was that? [Chet Chat Podcast 264]

This episode of the Chet Chat podcast was recorded live at the BSides Calgary conference in Alberta, Canada.

Sophos expert Chester Wisniewski (he’s the Chet in the Chat) caught up with fellow security researcher and former colleague Michael Argast for a whirlwind tour of the big security issues of the past week.

In this episode


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bBfic7HB6do/

Facebook security chief stands by “college campus” comments

In late July, Facebook security chief Alex Stamos told employees in a conference call that the company isn’t doing enough to respond to growing cyber threats: in fact, with Facebook’s “move fast” mantra, the vault that stores the keys to a billion lives is (deliberately) run like a college campus but has the threat profile of a defense contractor, he said.

So that’s security worry No. 1.

Security worry No. 2 is that somebody on the call—a Facebook employee, one assumes—taped him and leaked the clip to ZDNet, which published it on Thursday.

Here are Stamos’ remarks from the call, which was concerned with the challenges of protecting Facebook’s networks from the growing threat of nation-sponsored hackers:

The threats that we are facing have increased significantly, and the quality of the adversaries that we are facing. Both technically and from a cultural perspective, I don’t feel like we have caught up with our responsibility.

The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost.

We have made intentional decisions to give access to data and systems to engineers to make them ‘move fast,’ but that creates other issues for us.

As Ars Technica points out, nation states are suspected of being behind attacks against Google, Yahoo, defense contractors, security companies and more. In March, federal prosecutors indicted Russian intelligence agency officers for a 2014 hack on Yahoo that compromised 500 million user accounts, for example, while Google said in 2010 that it had lost intellectual property in a highly targeted attack coming from China.

That’s the kind of thing that Facebook, and everybody else online, is facing. And Facebook is being run like a campus. OK. We don’t know exactly what that means, but it doesn’t sound good. It sounds sloppy. It sounds like a high-risk environment.

But before we grab our torches and burn down the frat houses, let’s take a look at what Stamos had to say when he took to Twitter to clarify the remarks on Thursday:

I was asked for comment today wrt some leaked audio from when I was speaking to my security team at Facebook. 1/11

Here it is: I’ve said this before, internally, to describe one of the basic challenges security teams face at companies like ours 2/11

Tech companies are famous for providing freedom for engineers to customize their environments & experiment with new tools 3/11

And also frameworks & development processes. Allowing for this freedom helps creativity and productivity 4/11

We have to weigh that against the fact that we have become a potential target of advanced threat actors. 5/11

As a result, we can’t architect our security the same way a defense contractor can, with limited computing options and no freedom. 6/11

Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one, I’m happy to accept. 7/11

The “college campus” wording is just a figure of speech to make the point; 8/11

My team runs network security for the company. Of course we secure it thoroughly. 9/11

It would not be correct to read my quote as a criticism of management not caring about security; they care a great deal. 10/11

It’s not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network. 11/11

Some are sympathizing with Facebook. Software developer Molly McG: “…it’s actually an incredible analogy for the challenges you face and I love it … The college campus is a perfect metaphor for an environment where you can experiment while protected by institutional safeguards.”

“I don’t even see how this statement of reality is even remotely controversial,” said April King, head of website security at Mozilla. “That freedom, despite its subsequent challenges, lets you attract the kind of tech talent that you simply couldn’t get at a large corporation.”

Fair enough. But we’re talking about personal information belonging to millions of people. Hiring whiz kids is great for churning out creative new ideas, but if that creativity comes at the expense of security, whose interests does it serve? Do we want surgeons to learn how to use a scalpel on a live patient?

Then again, as he explained, Stamos didn’t mean inexperienced, or foolhardy, when he referred to a “college campus.”

From the outside it looks like Facebook takes security very seriously: ever seen an Equifax- or Yahoo-level data breach from Facebook? No? Neither have we.

One of many examples of what Facebook does right can be found in the way it locks users in a closet if the company finds that they’ve reused their passwords on other sites that have been breached.

Another commendable practice: Facebook has been using secure browsing by default since July 2013. Plus, Facebook issues transparency reports to let us all know which governments are making plays for our data and how many times. On top of all that, it doesn’t balk at paying out decent bug bounties.

Plenty of other internet platforms are also doing those security-proactive things besides Facebook, but it’s still worth noting that clearly not every single Facebook security or development engineer is swinging from the ceiling fan.

Of course a company like Facebook only has to fail once for everything we’ve shared with it to be spilled.

Storing vast amounts of user data, moving fast and structuring themselves like a campus rather than a defence contractor are all deliberate decisions on Facebook’s part. Nobody obliged the company to do that, or shoulder the risks and responsibilities that go along with making it all work.

When it comes to Facebook securing its network, Naked Security’s Mark Stockley thinks that overall, it’s pretty impressive (though it’s certainly got a problem with at least one employee who felt that it’s OK to tape a confidential call and release it to a major tech publication).

On the other hand, regardless of Stamos trying to put his comments into the context of fostering creativity, the fact is that the top security guy at the company said “I don’t feel like we have caught up with our responsibility”. That’s why Mark said you could quote him on this one:

These are Facebook’s choices and the challenges it faces are real but self-imposed so I sympathize, but not enough to forgive it if they’re breached.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oZLG4JnvdC4/

Just say “No!” – how to stop the DDE email attack [VIDEO]

You’ve probably heard of the DDE attack – a way of launching malware from a web download, an email attachment, or even directly from the body of an Outlook email message or calendar invite.

It sounds scary – no document macros, no tell-tale script files, no attachment to open…

…but once you know what to look for, stopping a DDE attack isn’t that hard.

Paul Ducklin tells you how the DDE attack works, what to look out for, and what to do.
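The video itself is not reproduced here, so the following is an added defensive example rather than anything from the Naked Security piece or from Sophos: a PowerShell snippet that sets the `DontUpdateLinks` registry value Microsoft documents for Word and for Outlook's Word-based mail editor, so that a DDE field embedded in a document or in an email or calendar body is not evaluated automatically when the item is opened. The Office version string (`16.0`) and the assumption that the current user's hive is the one to harden are assumptions made for the example; adjust them for your deployment, or push the same value via Group Policy Preferences.

```powershell
# Added example, not from the Naked Security article or video.
# Turns off automatic link/field updates in Word and in Outlook's mail editor so
# that a DDE field is not evaluated when a document or message opens.
# Assumption: Office 2016/2019/365, whose registry version key is "16.0".

$OfficeVersion = '16.0'   # assumption; Office 2013 uses '15.0'

$Targets = @(
    "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options",           # Word documents
    "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options\WordMail"   # Outlook mail and calendar bodies
)

function Set-DdeLinkUpdateOff {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # Create the key if this user has never opened the relevant Options dialog.
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name 'DontUpdateLinks' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-DdeLinkUpdateOff {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name 'DontUpdateLinks' -ErrorAction SilentlyContinue).DontUpdateLinks
        [pscustomobject]@{ Path = $p; DontUpdateLinks = $v; Hardened = ($v -eq 1) }
    }
}

Set-DdeLinkUpdateOff -Paths $Targets
Test-DdeLinkUpdateOff -Paths $Targets | Format-Table -AutoSize
```

The check function is there so the setting can be audited on a fleet independently of the change; a row with `Hardened = False` means the value is missing or has been reset. The setting only stops the automatic update on open, so the advice in the headline still applies: if Office asks whether to update links or start another application, the answer is "No".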


PS. If you like the T-shirt in the video, you can buy one at https://shop.sophos.com/.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q5hLxHp3g2E/

‘We’ve nothing to hide’: Kaspersky Lab offers to open up source code

Russian cybersecurity software flinger Kaspersky Lab has offered to open up its source code for third-party review.

The firm’s Global Transparency Initiative is in response to moves to ban the use of its technology on US government systems by the Department of Homeland Security over concerns of alleged ties with the Russian government.

The initiative comes days after reports that Russian government hackers used Kaspersky antivirus software to siphon off classified material from a PC belonging to an NSA contractor.

With this initiative, Kaspersky Lab will engage the broader information security community and other stakeholders in validating and verifying the trustworthiness of its products, internal processes, and business operations, as well as introducing additional accountability mechanisms by which the company can further demonstrate that it addresses any security issues promptly and thoroughly.

An independent review of the company’s source code by Q1 2018 will be followed by similar audits of its software updates and threat detection rules. A separate independent assessment of Kaspersky Lab’s secure development lifecycle processes and its software and supply chain risk mitigation strategies will take place in parallel.

Analysis of source code to rule out possible backdoors is all well and good but what really counts is how anti-malware software is configured to select what types of file are uploaded to the cloud for further scrutiny. The behaviour of the software can be and needs to be altered by updates.

Kaspersky Lab further plans to open up three Transparency Centres worldwide (in Asia, Europe and the US) by 2020. In the meantime, the company has increased the value of its bug bounty awards to up to £75,000 ($100,000) for the most severe vulnerabilities.

Eugene Kaspersky, chairman and chief exec, said the initiative was designed to re-establish trust and prevent the “balkanisation” of internet security.

“Cybersecurity has no borders, but attempts to introduce national boundaries in cyberspace is counterproductive and must be stopped,” Kaspersky said in a statement. “We need to re-establish trust in relationships between companies, governments and citizens. That’s why we’re launching this Global Transparency Initiative: we want to show how we’re completely open and transparent. We’ve nothing to hide.”

Industry reaction has been mixed.

Javvad Malik, security advocate at AlienVault, said: “Following the allegations against Kaspersky, the company needs to restore public trust and this is a good way to go about rebuilding that trust.

“With an increase in cyber warfare and hostile governments, it makes sense for more companies to bring more transparency to the market. So it could encourage other companies to follow suit and help technology companies remain politically agnostic.

“This is particularly relevant to security companies whose software often runs with high privileges.”

Lee Munson, security researcher for Comparitech.com, argued that the move had more to do with reputation management than transparency.

“However Kaspersky Lab packages this new initiative, it is clear to me that this is about reputation repair, especially in the US where claims of links to Russian intelligence agencies have been severely damaging.

“That it could build trust in the security community is true, though the trust being built for Kaspersky is obviously of paramount importance here.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/23/kaspersky_source_code_review/