STE WILLIAMS

SecureAuth to Merge with Core Security

K1 Investment Management, which owns Core Security, plans to acquire the identity management and authentication company for more than $200 million.

K1 Investment Management plans to acquire SecureAuth for more than $200 million and merge it with its portfolio company Core Security, SecureAuth CEO Jeffrey Kukowski told Dark Reading.

The merger, announced today, is expected to close within a matter of days pending US government regulatory approval, says Kukowski, who will be CEO of the as-yet-unnamed combined company.

SecureAuth is the sixth company K1 Investment Management plans to merge with Core Security, which last year became an amalgamation of Courion, Core Security, SecureReset, Bay 31, and Damballa.

The merger will bring SecureAuth’s laser focus on authentication to the table and round out Core Security’s offerings, said Frank Dickson, IDC research director, in the announcement.

Core Security has three product lines: Core Network Insight, for advanced threat detection; Threat and Vulnerability Management, for vulnerability testing and assessment; and Identity and Access Management (IAM), a suite of governance tools for identity management and access.

“What is exciting to me is that this merger is not just complementary but it completes the view. It finishes that picture,” says Chris Sullivan, CTO and CISO of Core Security.

Core Security has technology to address the network, endpoint and vulnerabilities but lacked an identity piece.

SecureAuth IdP performs single sign-on, multi-factor authentication, and behavior-based authentication. 

Under the merger, the combined companies will address vulnerabilities, identities, networks and endpoints with an identity-based security automation platform, which aims to shorten the time it takes for enterprises to see, respond to and remediate attacks.

When cybercriminals attack, they don’t remain just within one security silo such as a secured network, says Keith Graham, SecureAuth CTO. However, SOCs are not designed to peer into multiple silos to respond to a breach. As a result, the merger’s platform is designed to bring greater visibility to threats.

Customer Expectations

The combined company will have over 1,500 customers, some of which are already customers of both SecureAuth and Core Security. Sullivan says Core and SecureAuth were already familiar with one another prior to the merger announcement. Some of Core’s customers would request identity access technology and, as a result, the sales teams for both companies would jointly meet with those customers.

Little overlap exists between the two companies in products and markets, say Kukowski and Sullivan. They pointed to some duplication in password protection offerings and noted each company has a presence in the healthcare and financial services industries.

The companies will begin integration in the fourth quarter, and over the next three to five months a decision will be made on the name of the merged company and its products, Kukowski says.

SecureAuth’s main product, SecureAuth IdP, will be integrated with Core Network Insight, followed by Core’s Threat and Vulnerability Management and then Core’s Identity and Access Management (IAM), Graham says.

“There is consolidation occurring in the security industry where vendors are looking to add new product categories to their portfolio in order to deliver a more complete product suite for their customers,” says Joseph Blankenship, a senior analyst with Forrester Research. “This can be an advantage for the customers who are dealing with product sprawl and multiple vendor solutions.”

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/endpoint/secureauth-to-merge-with-core-security-/d/d-id/1329931?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat Europe 2017: First Briefings Announced

We are pleased to announce the first Briefings selected for presentation at Black Hat Europe 2017!

Black Hat, the world’s leading information security event series returns to Europe in 2017. This year’s 4-day event will be held at the ExCeL London, December 4-7, 2017. Two days of intense Trainings open the show, followed by two days of Briefings, Business Hall, Arsenal, and more, December 6-7.


As our Black Hat Europe Review Board member continues to work their way through a record number of submissions, we are announcing Briefings selections in batches. Below are the first Briefings, with links to each abstract.

  1. A Universal Controller to Take Over a Z-Wave Network
     By Loïc Rouch

  2. By-design Backdooring of Encryption System – Can We Trust Foreign Encryption Algorithms
     By Eric Filiol and Arnaud Bannier

  3. CALDERA: Automating Adversary Emulation
     By Douglas Miller and Andy Applebaum

  4. Dealing the Perfect Hand – Shuffling Memory Blocks on z/OS
     By Ayoub EL AASSAL

  5. Heap Layout Optimisation for Exploitation
     By Seán Heelan

  6. How Samsung Secures Your Wallet and How to Break It
     By HC MA

  7. How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine
     By Maxim Goryachy and Mark Ermolov

  8. Nation-State Moneymule’s Hunting Season – APT Attacks Targeting Financial Institutes
     By Chi-en (Ashley) Shen, Kyoung-ju Kwak and Moonbeom Park

  9. The Spear to Break the Security Wall of S7CommPlus
     By Lei Cheng

To search Briefings by specific tracks and read speaker bios, click here.

Article source: https://www.darkreading.com/black-hat/black-hat-europe-2017---first-briefings-announced/d/d-id/1329933?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Software Assurance: Thinking Back, Looking Forward

Ten personal observations that aim to bolster state-of-the-art and state-of-practice in application security.

For the last five years or so, I have been actively engaging with the security community in academia, industry, and government to better understand the gaps that exist in software assurance. Working within the Department of Homeland Security’s Science and Technology Directorate, I’ve discovered some interesting things about the community’s drive to increase the adoption rate of both state-of-the-art and state-of-practice tools and capabilities. Here are my top 10 observations:

Observation 1: The state of practice is lagging.

  • There is no standard way to measure and baseline how well software assurance tools perform, so we don’t know with any certainty what the tools can and cannot do.
  • The OWASP Top 10 lack the foundational science to advance AppSec practices in organizations, specifically in relation to the methodology for data collection and data analytics in formulating the OWASP Top 10. As Brian Glas from nVisium points out in his blog post “Musing on the OWASP Top 10 2017 RC1:” “The metrics collected for the Top 10 2017 represent what was found by either tools or time-boxed humans. It’s a subset of vulnerabilities that are typically found, but are probably not representative of what is actually out there or the bigger risks that are faced.” There is a lot of room for improvement, and I believe with RC2 and more involvement from the community, we can advance the OWASP Top 10 beyond its intended purpose to have a greater impact on advancing AppSec practices. 
  • NIST 800-53 is too network- and system-focused. There are security controls with software assurance applicability that are not included in any of the baselines (high, moderate, low), which means those controls are not tested as part of the certification and accreditation process.
  • Secure coding practices are missing in action and are not being enforced religiously in AppSec programs.

Observation 2: Threat modeling, when automated, is very powerful.

  • There is great potential in leveraging machine learning with threat modeling. This can be used to take a more proactive approach to software development which would help improve security designs and reduce overall security risks. 
  • In the future, I believe threat modeling will become the core engine for all security testing.

Observation 3: There are residual risks in using static analysis and security testing tools.

  • We don’t know what the tools did not find.
  • We don’t know what parts of the code and attack surface the tools were able to cover.
  • Static analysis struggles with opaque code. These are parts of the code not analyzable by static analysis. 
  • Static analysis tends to be shallow and oversimplified.
  • Heartbleed won against all static and many dynamic analysis tools.

Observation 4: False-positives — the proverbial pain in the rear end.

  • Many vendors would rather err on the side of caution by building products that report something is there (a false positive) than products that stay silent about something that actually is there (a false negative).
  • Tools lack context.
  • To be sound (low false-negative rate), there’s a trade-off that will generate a considerable amount of noise (a lot of false-positives). This is the interesting trade-off with static analysis.

Observation 5: Patching does not scale; software assurance and secure coding are our first line of defense for protecting software.

  • The window of exposure is constantly sliding to the right.
  • Poor design and architectural decisions increase the need to patch (as seen with the Equifax Apache Struts breach). Some third-party software (e.g., frameworks) vulnerabilities are difficult to patch.
  • Human and social behaviors play a part because people resist change; we become the Achilles’ heel of the software engineering process. Cybersecurity expert Dr. Diana Burley, a professor of human and organizational learning at George Washington University, credits, in part, “the rise of cyber attacks to the failure of the average computer user to take preventative measures — like patching.”
  • The Internet of Things and Internet of Everything are proving that patching is becoming a lot harder for many different reasons, such as safety. I think we have more than 465,000 reasons.

Observation 6: Poor tool performance creates barriers for tool adoption early in the software development process.

  • I often wonder why commercial and open source static analysis tools struggle with Juliet test cases.
  • An NSA tool study suggests that a given static analysis tool can find around 14% to 17% of weaknesses in Juliet test cases.
  • Some open source static analysis tools did just as well as, and in some cases better than, commercial ones on certain weakness classes and programming languages with Juliet.

Observation 7: There is no uber tool; the sum of many is better than the sum of one.

  • Each tool has a sweet spot.
  • There are too many programming languages and weakness classes for one tool to be a jack of all trades.
  • Different testing methods find different things. 
  • I’m seeing a movement that is encouraging the use of multiple tools for security testing. For example, I’m a member of a technical committee (Static Analysis Results Interchange Format) initiated by developers at Microsoft to push for a standard format that incorporates multiple tool outputs.

Observation 8: More code equals more problems.

  • New cars today have at least 100 million lines of code — an increased attack surface. Often, more features mean more code, and more code leads to more complexity, which tends to lead to more problems. This is what software engineer Brian Knapp refers to as “software gravity” — the force that pulls features, complexity, and resources toward a software system over time.
  • Software is the new hardware.
  • With the explosion of IoT, software truly has become ubiquitous.

Observation 9: Technical debt increases software maintenance costs; organizations have no clue about the volume of technical debt they’ve accumulated.

  • Many take shortcuts, leading to poor design decisions that ultimately will create vulnerabilities.
  • Design debt, defect debt, and testing debt all contribute to the cost to maintain software. 
  • Frameworks like Struts require code changes and a considerable amount of testing, which increases the mean time to remediate, which increases the likelihood of technical debt. 

Observation 10: Foundational science is a key to forward-leaning capabilities.

  • If we are not exploring, we are not advancing the state of art.

In the upcoming installment of this two-part series, Kevin Greene will share innovations that advance the state-of-art and the state-of-practice in application security. 


With more than 17 years of information assurance and security experience in security program management, assessment, auditing, and testing, Kevin Greene brings valuable skills and capabilities to the federal government. Kevin works in the area of research and development, …

Article source: https://www.darkreading.com/application-security/software-assurance-thinking-back-looking-forward-/a/d-id/1329926?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Artificial Intelligence: Getting the Results You Want


Finding a vendor that doesn’t claim to do AI is hard these days. But getting the benefits you need and expect is even harder.

There are many discussions across the security industry today that revolve around the need for companies to leverage artificial intelligence or AI. Finding a vendor that doesn’t claim to do AI is hard – it seems that we all are working at it. 

While it seems like a logical step for the industry to look towards AI, you could also say it is a natural evolutionary step for security teams in order to keep up with the sheer volume and variety of threats that cyber criminals are developing against them. There were 357 million cases of malware attacks in 2016 and that number has grown exponentially over the past five years, according to the 2017 Symantec Internet Security Threat Report. If that trend continues, we could see over 1 billion attacks in a year by 2020.

With such a high number of threats for the security industry to process, AI seems to have become a promised land for the many vendors that are increasingly placing automation and machine learning into their research labs to process and analyze metadata from billions of threats and indicators of compromise from previous attacks. They are undertaking this step in the hope that they can identify malware before it affects their customers. This is a worthwhile endeavor, for sure, but it isn’t going to be enough to defeat malware authors. The industry needs to go beyond simply categorizing threats.

New Approaches and Capabilities
It’s encouraging to know that there are a variety of approaches to AI across the industry. For that reason it’s important for researchers to understand the differences between various approaches, their capabilities, and effectiveness.

Artificial Intelligence is broadly defined as machines that are capable of carrying out necessary tasks in a way that humans would consider “smart.” Before we have true AI, we have machine learning, and before that, we have deep learning.

Machine Learning is a subset of AI that provides computing systems access to large amounts of data which enables them to “learn” and carry out necessary tasks without having to be explicitly programmed, end-to-end. Based on the quality and quantity of data fed into it, machine learning can make statements, decisions or predictions with an increasing degree of certainty. With the addition of a feedback loop, it can sense or be informed about whether its previous decisions were right or wrong. This loop enables “learning,” and can suggest alternative approaches that can be taken in the future. The outcome is a neural network of inputs, connections, probabilities and predictions.

Deep Learning is another subset of AI that supercharges the machine learning process by increasing the layers and the connections while running massive amounts of data through it to “train” it.  The “deep” in deep learning describes all the layers and their interconnections in this neural network.

All three self-learning technologies hold great promise. But the larger issue for organizations is determining how to benefit from one versus the other, and which AI approach will give your security team the results you are after. 

Lee Fisher has been described as a true IT security ‘guru’. It is certainly apt: his knowledge and expertise developed over the course of more than 20 years in IT have helped many customers implement a security strategy that not only safeguards their business and information, …

Article source: https://www.darkreading.com/partner-perspectives/juniper/artificial-intelligence-getting-the-results-you-want/a/d-id/1329935?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mobile Ransomware Hits Browsers with Old-School Techniques

Several types of malware sold on the dark Web advertise the ability to spy on Android smartphones, encrypt files, and demand payment.

Mobile devices are not immune to ransomware. Researchers anticipate smartphones and tablets increasingly will be targeted as spying and information theft capabilities are becoming more widely available in the dark Web.

Researchers from SecureWorks’ Counter Threat Unit (CTU) discovered 200 new ransomware variants last year, a 122% increase from the year prior. There is potential for mobile ransomware to become a significant threat, according to the firm’s new 2017 State of Cybercrime Report.

CTU researchers found several types of malware for sale, some advertising the ability to spy on all functions of an Android phone as well as to encrypt files and demand payment, the hallmark of a ransomware attack. One malicious Android package kit (APK) file, containing a bot and ransomware, sells for about $1,000 USD on Russian-speaking forums.

Android devices are at greatest risk for users downloading applications that could potentially be malicious because users can access third-party markets (not Google Android’s) where anyone can upload an app. 

“By virtue of Google’s decision to make a semi-open ecosystem, it’s inevitable they’re going to be most at risk for these types of applications,” says Keith Jarvis, senior security researcher with SecureWorks’ CTU. That said, most mobile ransomware threats are browser-based and affect any device with a built-in browser, he adds.

Mobile ransomware geared toward individuals is a less targeted and smaller-value approach than ransomware targeting businesses – but it could also prove more effective. Individuals don’t have the security knowledge and resources businesses have to defend against ransomware.

“What a lot of people are seeing on mobile is ransomware we saw before 2013 – for example, scareware and popups in the browser saying ‘You’ve got a virus,’” Jarvis explains. “It locks the screen, encrypts files, demands payment.”

Browser-based threats can’t access many facilities on the devices, which is why attackers rely on old techniques like screen freezing. Researchers also saw an increase in SMS phishing, where threats arrive via text. Banking malware Exobot, for example, is a malware/spyware combination targeting Android with SMS messages containing malicious links.

With the rise of SMS phishing and advanced exploit kits, researchers expect there could be a rise of attacks focused on encrypting Android devices and leaving victims with no access to contacts, photos, or other personal information.

While mobile ransomware is a threat to the enterprise, Jarvis says organizations should continue to focus more on desktop-based ransomware. Most employees store business-critical data on their computers and until they begin to do the bulk of their work on smartphones and tablets, their desktops and laptops will be at greatest risk.

“That shift is going to have to happen,” he notes. “Corporations will ask workers to be more mobile.”

Threats in your inbox

It’s expensive to develop exploits for Internet Explorer or Microsoft Edge. As a result, hackers are turning to social engineering and spam, which Jarvis describes as “the most economical way to reach potential victims.

“It’s more about the behavioral aspect,” he explains. “People are always tempted to double-click, to view something that comes through their email.”

A related finding from the report is the growth of business email compromise (BEC) and business email spoofing (BES), which generated $5 billion USD in global losses between October 2013 and December 2016. In May 2017, the FBI stated victims’ losses related to BEC and BES went up 2,370% between January 2015 and December 2016.

Both types of attacks have become more prolific as attackers look for ways to defraud increasingly security-savvy employees.

BEC attacks generated $5.3 billion in global losses between 2013 and 2017, Trend Micro researchers reported earlier this year. Attackers are turning to old BEC techniques, frequently spoofing the company’s CEO and sending fake emails to heads of finance to request money.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/attacks-breaches/mobile-ransomware-hits-browsers-with-old-school-techniques/d/d-id/1329934?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cisco SMI Still Exposing Network Switches Online

The high number of exposed and vulnerable devices online has remained largely unchanged since researchers began exploring SMI in 2010.

Cisco’s Smart Install (SMI) protocol is leaving network switches exposed on the public Internet at a rate that has remained largely unchanged since researchers began digging for SMI flaws when it was first released in 2010, a new study shows.

SMI provides configuration and image management for Cisco switches and uses a combination of DHCP, TFTP, and a proprietary TCP protocol to help businesses deploy and run them.

Researchers at Rapid7 recently reassessed the public Internet for SMI exposure. Their goal was to highlight changes since the initial publication of SMI research and learn more about why SMI was being exposed insecurely.

Since its debut, several SMI flaws have been discovered and disclosed including CVE-2011-3271, which led to remote code execution, and denial of service issues CVE-2012-0385, CVE-2013-1146, CVE-2016-1349, and CVE-2016-6385.

In 2016, researchers found a number of new SMI security issues. Experts from Tenable, Trustwave SpiderLabs, and Digital Security presented at the 2016 Zeronights security conference to disclose several problems with SMI that left the entire switch open to compromise if a user left SMI exposed and unpatched, neglecting Cisco’s recommendations for securing it.

Each SMI-related security advisory published by Cisco has recommended disabling SMI unless it’s needed. The company has offered coverage for SMI abuse, updated the documentation to secure SMI, and released a scanning tool so customers can know if they’re affected by SMI problems. It also released SMI-related hardening fixes.

In its new July 2017 reassessment of the public Internet, Rapid7 used a method similar to Zeronights. The Rapid7 Labs’ Sonar scan found a 13% decrease in the number of exposed SMI endpoints compared with the Zeronights research. Countries with a large number of IPv4 IPs and large network infrastructure are the most exposed. The United States was highest with 56,605 nodes exposed, or 26.3% of the total.

“The issue with exposing SMI is that it gives an attacker complete control over the configuration of the target switch,” says Jon Hart, senior security researcher at Rapid7. At the minimum, he explains, there is the possibility of information disclosure, which is likely to include authentication data like usernames, passwords/hashes, firewall/ACL rules, and more.

On the more extreme end, he continues, SMI exposure could let an attacker completely compromise the target switch and load arbitrary switch operating system code. They could execute code of their choosing and modify, redirect, or intercept switch transit traffic.

“Compromising a switch puts an attacker in a very advantageous position offensively,” says Hart. “Being closer network-wise to additional target devices that connect to or through the compromised switch affords an attacker the ability to perform attacks against these additional targets.”

Businesses can protect themselves by updating to newer versions of the relevant code powering these switches, which will likely remove any current risk of being compromised via SMI, he says. It’s an improvement from several years ago, when organizations could have been running and exposing SMI without knowing it.
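The hardening the Cisco advisories recommend, shown as an added illustration rather than anything quoted from the article: on Cisco IOS and IOS XE switches the Smart Install client is controlled by the `vstack` setting, `show vstack config` reports whether it is enabled, and `no vstack` turns it off. The hostname, the uplink interface and the abbreviated command output below are constructed placeholders; the commands, and the TCP port 4786 that Smart Install listens on, are Cisco’s own.

```text
! Constructed example (not from the article): audit and disable Smart Install
! on a switch where the feature is not in use. "SW-EDGE-01" and
! GigabitEthernet1/0/48 are placeholders for a real hostname and uplink.

! 1. Weak state: the default on many platforms leaves the client enabled.
SW-EDGE-01# show vstack config
 Role: Client (SmartInstall enabled)
 ... (remaining output omitted)

! 2. Corrected state: disable the client and confirm the change.
SW-EDGE-01# configure terminal
SW-EDGE-01(config)# no vstack
SW-EDGE-01(config)# end
SW-EDGE-01# show vstack config
 Role: Client (SmartInstall disabled)

! 3. Defense in depth where the feature must stay on for a zero-touch
!    deployment window: keep the director-only traffic and drop the rest
!    at the network edge. 192.0.2.10 is a documentation-range placeholder
!    for the legitimate Smart Install director.
SW-EDGE-01(config)# ip access-list extended BLOCK-SMI-INBOUND
SW-EDGE-01(config-ext-nacl)# permit tcp host 192.0.2.10 any eq 4786
SW-EDGE-01(config-ext-nacl)# deny tcp any any eq 4786
SW-EDGE-01(config-ext-nacl)# permit ip any any
SW-EDGE-01(config-ext-nacl)# exit
SW-EDGE-01(config)# interface GigabitEthernet1/0/48
SW-EDGE-01(config-if)# ip access-group BLOCK-SMI-INBOUND in
SW-EDGE-01(config-if)# end
SW-EDGE-01# write memory
```

Step 2 is the change Hart is describing: once `no vstack` is in place (or the platform is updated to code that ships the client disabled), the TCP 4786 listener that Sonar and the Zeronights scans counted is gone. Step 3 only narrows exposure and is no substitute for disabling the feature; an external scan of the switch’s public address after the change is the cheapest way to confirm the port is no longer reachable.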


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/vulnerabilities---threats/cisco-smi-still-exposing-network-switches-online/d/d-id/1329938?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Iranian Cyberspy Group Targets Aerospace, Energy Firms

APT33 focused on gathering information to bolster Iran’s aviation industry and military decision-making capability, FireEye says.

An Iranian APT group with the ability to carry out destructive attacks has been waging a sophisticated cyber espionage campaign against organizations in the aerospace and energy sectors in the US, Saudi Arabia, and South Korea.

APT33 has been active since at least 2013 and appears focused on gathering information that could help Iran bolster its capabilities in the aviation and petrochemical industries, FireEye said in an advisory Wednesday.

The threat group’s particular emphasis on organizations with aviation-related partnerships with Saudi Arabia also suggests that APT33 is gathering information to bolster the Iranian government’s strategic and military decision making capabilities with regard to Saudi Arabia, the security vendor said.

FireEye security analyst Jacqueline O’Leary says the security vendor has evidence showing that at least six organizations were targeted between May 2016 and August 2017. The targets included a US aerospace company, a Saudi Arabian business conglomerate with interests in the aviation sector, and a South Korean company with stakes in petrochemicals and oil.

It is likely that more organizations were targeted based on additional infrastructure that FireEye identified and attributed to APT33, she says.

In some cases, FireEye observed APT33 related spearphishing activity result in compromise of the target organization. In other cases, the company observed APT33 conduct spearphishing on targets, although it has no evidence whether those campaigns resulted in a compromise.

So far, APT33 does not appear to have carried out any destructive attacks and appears focused only on cyber espionage activity.

But somewhat ominously, one of the droppers used by APT33 — dubbed DROPSHOT — has links to SHAPESHIFT, a destructive Shamoon-like disk-, file-and configuration-erasing tool that has been used in attacks against Saudi Arabian targets. Shamoon was malware that was used to brick some 35,000 Windows PCs at Saudi Arabian oil giant Saudi Aramco about five years ago.

FireEye said it has not seen APT33 actually use SHAPESHIFT to carry out any destructive attacks.  At the same time, APT33 is the only group known to be using DROPSHOT, the company cautioned.

Like many other threat groups, APT33 has been using spearphishing to try to get an initial foothold in target networks. Its spearphishing emails have contained recruitment-themed lures with links to malicious HTML application files containing job descriptions and links to legitimate job postings on legitimate employment websites.

Many of the phishing emails have appeared legitimate, referenced specific job opportunities and salaries, and have even included the spoofed company’s Equal Opportunity Employer disclosure, FireEye said. However, if a user opens one of these documents, it silently drops an APT33 custom backdoor on the victim’s machine.

As part of its spear phishing campaign, APT33 also registered multiple websites that masqueraded as domains for organizations such as Boeing, Alsalam Aircraft Company, and Northrop Grumman Aviation Arabia.

There are multiple pointers to APT33’s links to Iran and to the country’s government. Code in the malware used by the group contains artifacts written in Farsi, Iran’s official language, FireEye said. Many of the publicly available tools and backdoors that APT33 has used in its campaign so far are available on Iranian threat actor websites. The group’s targeting of organizations suggests it is aligned with Iranian nation-state interests and the timing of its activities coincides with Iran’s workweek and working hours, the security vendor noted.

Code in one of the malware samples that the group has used indicates that it may have been developed and deployed by an individual who was previously employed by the government of Iran, FireEye said.

“APT33 shares some similarities with other nation-state groups in that they rely on publicly available tools with some use of custom malware development, potentially suggesting the threat actors are a part of a greater capability,” says Josiah Kimble, a security analyst with FireEye.

“Like most suspected state sponsored actors, APT33’s targeting of organizations most closely aligns with nation-state interests,” he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/iranian-cyberspy-group-targets-aerospace-energy-firms/d/d-id/1329940?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal

A judge ruled federal employees cannot sue for damages from the 2015 Office of Personnel Management data breach.

Federal employees plan to appeal a judge’s decision stating they cannot sue for damages from the 2015 Office of Personnel Management (OPM) data breach, The Washington Times reported this week.

The workers won’t be able to sue because they cannot show the stolen data has been used by attackers, said US District Judge Amy Berman Jackson. Compromised information includes sensitive personal details like financial and health data, taken from about 22 million personnel files. Experts have not been able to determine whether the stolen data was sold or used.

Judge Jackson’s ruling is getting pushback from employee labor unions, which had filed a class action lawsuit to help workers whose data had been stolen and force the government to better protect information. The National Treasury Employees Union announced plans to appeal on Sept. 19; the American Federation of Government Employees National is debating the next steps.

OPM responded to the data breach with new security tools and launched multi-factor authentication for employees. The agency also made plans to hire a cybersecurity advisor.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/opm-data-breach-lawsuit-tossed-fed-plaintiffs-will-appeal/d/d-id/1329943?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SMBs Paid $301 Million to Ransomware Attackers

But small- to midsized businesses are taking a tougher stand against ransomware attacks, according to a survey released today covering the 2016-2017 period.

Ransomware attacks against small- to midsized businesses (SMBs) are expected to increase over the next two years, according to a survey released today by Datto.

The State of the Channel Ransomware Report, which surveyed 1,700 managed service providers (MSPs) that collectively have more than 100,000 SMB customers, found that 99% of respondents expect ransomware attacks to keep increasing over the next two years.

Nearly 90% of MSPs say their SMB clients were hit with a ransomware attack in the past two years; 15% report their clients faced six or more attacks during the last year; and 26% note their SMB customers experienced multiple attacks in a single day.

SMBs paid out an estimated $301 million in ransom to attackers in the 2016-2017 period, the report shows.

However, one in three SMBs reported their ransomware attack to authorities in the 2016-2017 period, an improvement from one in four during the 2015-2016 timeframe. 





Article source: https://www.darkreading.com/threat-intelligence/smbs-paid-$301-million-to-ransomware-attackers/d/d-id/1329941?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Size Doesn’t Matter in DDoS Attacks

Companies both large and small are targets. Never think “I’m not big enough for a hacker’s attention.”

Distributed denial-of-service (DDoS) attacks have increased, and research shows that on average, a DDoS attack can cost an organization more than $2.5 million in revenue. As a small or medium-sized business owner, you may be thinking “hackers only use DDoS on the big boys” or “I’m not big enough for them to care.” But these disruptive attacks are getting worse, and they’re moving downstream. Today, they affect everyone from the largest organizations to smaller companies that are being hit either directly, or as a by-product of one of their service providers being attacked.

In a sampling of customers, Neustar found in a recent study that 78% of organizations that generate $50 million to $99 million per year had experienced a DDoS attack at least once in the last 12 months, and of those organizations attacked, 86% were hit more than once. Small and midsize companies are tempting targets because they typically have less to defend themselves with: smaller technology investments, fewer services, and fewer staff.

Companies also often overestimate the “protection” offered by ISPs and cloud service providers, such as Amazon Web Services. These organizations can only provide so much protection. Their priorities are protecting their backbone and availability services for all customers, not protecting any specific entity. When DDoS attacks become too large and create collateral impact, all traffic to that targeted host starts getting blocked or “blackholed.” This effectively takes those businesses offline. To add insult to injury, often if you rely on an ISP or cloud service provider, it will not only bring down your site but also charge you for the traffic overages that happened during a DDoS attack. 

Additionally, attackers perform reconnaissance on targeted infrastructures, and it is easy to identify the Domain Name System (DNS) service providers for online sites. For reasons of cost and technical confidence, many growing businesses opt to provide their own DNS service. This is not difficult and requires little maintenance. The downside is that DNS is an inherently exposed service: it must be reachable from the Internet in order to work, which makes it a vulnerable one.

When attackers scout targets, they understand that large DNS providers are highly redundant and highly resilient. In comparison, organizations managing their own service are far more likely to fail and collapse under the right cyber attack. This makes self-managed DNS organizations more tempting targets, not only because their DNS is easier to attack but also because self-managed DNS often lacks the resiliency and redundancy that make a service difficult to take down, and it is likely an indicator of additional (and vulnerable) self-managed security within an organization.
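As an added self-check illustrating the point above (this is not code from the original column or from Neustar), the following Python function scores a zone's NS records for the redundancy properties the author describes: enough nameservers, servers outside the zone's own infrastructure, more than one IPv4 network, and IPv6 reachability. The zone, nameserver names and addresses are constructed samples using RFC 5737/3849 documentation ranges; the lookups themselves are assumed to have been done beforehand (for example with `dig NS` and `dig A/AAAA`).

```python
import ipaddress

# Constructed sample: a self-managed zone whose two nameservers sit in the
# zone itself, on one network, IPv4 only (documentation addresses).
SELF_MANAGED = {
    "ns1.example.com.": ["192.0.2.10"],
    "ns2.example.com.": ["192.0.2.11"],
}

# Constructed sample: a zone delegated to a (hypothetical) large provider,
# with three nameservers on three networks and IPv6 on two of them.
PROVIDER_HOSTED = {
    "a.ns.provider.example.": ["198.51.100.5", "2001:db8:1::5"],
    "b.ns.provider.example.": ["203.0.113.7", "2001:db8:2::7"],
    "c.ns.provider.example.": ["192.0.2.200"],
}


def in_zone(ns_name, zone):
    """True if the nameserver's hostname lies inside the zone it serves."""
    host = ns_name.lower().rstrip(".")
    return host.endswith("." + zone.lower().rstrip("."))


def assess_dns_redundancy(zone, nameservers, min_servers=2, ipv4_prefix=24):
    """Return a list of findings; an empty list means no single point of failure found."""
    findings = []
    if len(nameservers) < min_servers:
        findings.append(f"fewer than {min_servers} nameservers")
    # Every NS inside the zone means the zone's own infrastructure is the only
    # thing answering; no independent secondary survives an outage there.
    if nameservers and all(in_zone(n, zone) for n in nameservers):
        findings.append("all nameservers are in-zone (self-managed, no independent secondary)")
    addrs = [ipaddress.ip_address(a) for v in nameservers.values() for a in v]
    # Collapse IPv4 addresses to their /24 to spot "all on one network" setups.
    v4_nets = {ipaddress.ip_network(f"{a}/{ipv4_prefix}", strict=False)
               for a in addrs if a.version == 4}
    if len(v4_nets) < 2:
        findings.append(f"all IPv4 addresses fall in one /{ipv4_prefix} (single network path)")
    if not any(a.version == 6 for a in addrs):
        findings.append("no IPv6 reachability")
    return findings


if __name__ == "__main__":
    for name, ns in (("example.com", SELF_MANAGED), ("example.com", PROVIDER_HOSTED)):
        print(name, assess_dns_redundancy(name, ns) or ["no redundancy findings"])
```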

SMBs Are Hot Targets for DDoS Attacks
Neustar research data on almost 200 midsize businesses (organizations that generate $50 million to $90 million per year) found the following trends in SMB DDoS attacks over the last year:

  • 78% of SMBs were attacked at least once in the last 12 months, with 86% of those attacked hit more than once, and 34% of those attacked hit more than five times, indicating they had become tempting targets.
  • 38% saw malware activated during DDoS attacks, demonstrating a vulnerability to phishing and coordinated assaults on SMBs by savvy attackers.
  • 32% lost customer data records in concert with DDoS attacks, indicating a specific, targeted attack on a more vulnerable target. In many cases, a loss of data required a subsequent disclosure in line with industry regulations (PCI, HIPAA, and other compliance).
  • 20% of those attacked also experienced ransomware along with the DDoS attack, resulting in either further ransom payments that had to be made, or additional downtime or other actions required to re-establish services and access to data.
  • 52% needed more than three hours to detect and determine that a DDoS was underway. Once the attack was identified, 43% needed more than three hours to respond to it, likely because of limited investment and resources, and overestimation of the protection offered by ISPs and cloud providers.

Because DDoS attacks have grown in severity and scale, small and midsize businesses should be vigilant to the fact that they are increasingly attractive targets. Although cloud and hosting providers can offer some level of protection, these businesses should remember that a hosting provider’s priority will always be to keep its backbone and basic services up, and individual site vulnerability will always come second. These organizations must educate themselves about the variety of DDoS protections available in the marketplace and determine which options can cost-effectively meet their needs.

Here are the top five questions that organizations should ask their DDoS protection providers:

  • What layers of protection do you offer? Because no single protection is failsafe, the answer to this question will help an organization understand the methods and technologies being used to protect its site.
  • How variable is the cost of prevention? If I’m hit with a really big attack, will the mitigation costs spike to the point that I can’t afford them?
  • What is your average response time? Even the largest cloud providers often have surprisingly slow response times. Smaller organizations in particular should ensure that they won’t be put at the bottom of a priority list in the event of an attack, making their likely response times even longer.
  • What is the size of your network that’s protecting me? This will indicate how large an attack a provider can withstand.
  • Where are your DDoS mitigation facilities located globally? This helps organizations understand whether the provider’s DDoS mitigation capabilities comply with the applicable regulations, which vary by country.

As large enterprises become more sophisticated in their DDoS defenses, small and midsize organizations will continue to become an increasingly attractive target for attackers. Start asking these questions and putting in place protections now, before your brand, reputation, and bottom line take a hit from these attacks. 


Nicolai Bezsonoff is the General Manager of Security Solutions at Neustar. He spearheads the company’s industry-leading DDoS, DNS, and IP intelligence solutions, including its cybersecurity operations.
Previously, he was the co-founder and COO of .CO Internet, a successful …

Article source: https://www.darkreading.com/cloud/why-size-doesnt-matter-in-ddos-attacks-/a/d-id/1329897?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple