STE WILLIAMS

20 Questions for Improving SMB Security

Security leaders in small and medium-sized business who want to up their game need to first identify where they are now, then, where they want to go.

Over the last few months, I’ve had the good fortune to chat with a number of small and medium-sized businesses about their unique security issues and challenges. What did I notice during many of those conversations? That most SMBs are extremely well-intentioned about security, but they sometimes aren’t quite sure where to begin. The conundrum for them is that they know they have limited resources, but they aren’t sure of the optimal places to invest those resources.

I don’t profess to have all the answers, but I can point SMB security teams in the right direction with a series of 20 questions to ask themselves. Their answers will determine how to assess where they are, identify gaps that need to be filled, and optimize existing resources. Let’s get started.


  1. Do we have the relationship we need with our executives and board, and are we regularly in communication with them?
  2. Do we understand the risks and threats that most concern our executives and board?
  3. Do we understand the specific risks and threats targeting our industry and/or geography?
  4. Do we understand what our customers, partners, and other stakeholders are concerned about and what could cause us to lose their trust?
  5. Do we understand which data under our custodianship is the most sensitive and where it resides?
  6. Do we understand the different vulnerabilities that exist within our environment and how those vulnerabilities introduce new or exacerbate existing risks and threats?
  7. If we do understand the risks and threats facing us from these different perspectives, have we taken time to prioritize them?
  8. Have we broken those risks and threats down into goals and priorities and developed a strategic plan to address them?
  9. Do we understand how to assess our current security posture and identify gaps that may keep us from meeting our goals and priorities?
  10. Do we understand how to benchmark ourselves against our peers or others within our industry, geography, or with similar security budgets to understand how we compare?
  11. Do we understand how to leverage the information gained from the benchmarking and assessment process to help us fill gaps and work towards our goals and priorities?
  12. Have we formulated meaningful metrics to help us assess our progress towards our goals and priorities?
  13. Do we have the budget we need to improve our security posture in accordance with our strategic plan?
  14. Do we understand how to show the board the value we currently provide, and how increasing budget will directly translate to mitigating additional risks and threats that the board is concerned about?
  15. Do we know how and where to invest our security budget to achieve the optimal results?
  16. Do we have the people we need to rise to the occasion to combat new and evolving threats?
  17. Do we know what policies and procedures we need to put in place to manage our environment properly?
  18. Are we working with the right partners and vendors to achieve our desired results?
  19. After the initial assessment, strategic planning, and plan implementation, do we have a plan to run security operations on a continual basis to ensure that the environment is monitored and protected at all times?
  20. Are we prepared in the event of a serious incident, and do we know what we would do and how we would handle it?

The time for SMBs to improve their respective security postures came long ago. Most security industry leaders I know wouldn’t argue with that statement. At the same time, those same people aren’t quite sure how to help, which is likely why sufficient progress has not yet been made.

Of course, there is no silver bullet or one-size-fits-all solution. But the security industry has tried sitting back for quite some time, and it’s now time for them to take a more active role in arming SMBs for the battle to improve their security postures.  Once SMBs understand how to get the biggest bang for their efforts, we can move on to the next set of 20 questions for improving SMB security.


Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, … View Full Bio

Article source: https://www.darkreading.com/20-questions-for-improving-smb-security/a/d-id/1329423?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Moneysupermarket fined £80,000 for spamming seven million customers

Price-comparison darling Moneysupermarket.com has been fined £80,000 for sending 7.1 million emails to customers who had opted out of receiving direct marketing emails.

The UK’s data protection watchdog stepped in to compare the firm’s behaviour with the law – and found that it had attempted to circumvent rules on direct marketing. Between 30 November and 10 December 2016, Moneysupermarket.com sent out a batch of emails to people who had asked not to be contacted, with 6.8 million successfully received.

The message was audaciously dressed up as an invitation asking people to accept promo material. Folks who had previously insisted they’d rather not be on the receiving end of marketing bumf were asked if they’d like to reconsider. The missive read:

We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.

In a move that anyone – apart from, it seems, Moneysupermarket – should have predicted, customers weren’t pleased, and one reported it to the Information Commissioner’s Office.

On investigation, the ICO said that Moneysupermarket.com had broken Privacy and Electronic Communications Regulations, and slapped it with an £80,000 fine. Head of enforcement Steve Eckersley said in a statement:

“Organisations can’t get around the law by sending direct marketing dressed up as legitimate updates.

“When people opt out of direct marketing, organisations must stop sending it, no questions asked, until such time as the consumer gives their consent. They don’t get a chance to persuade people to change their minds.”

He added that emails sent by companies “under the guise of ‘customer service’, checking or seeking their consent, is a circumvention of the rules and is unacceptable,” and that the ICO would continue to take action against them.

The watchdog last month gave Morrisons supermarket a £10,500 fine for a similar breach, in which the chain sent more than 200,000 emails to people who had previously opted out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/21/moneysupermarket_fined_80000_for_spamming_seven_million_customers/

Alphabay shutdown: Bad boys, bad boys, what you gonna do? Not use your Hotmail…

Analysis The alleged owner of dark-web marketplace AlphaBay was tracked down by the FBI because he was careless enough to include his real Hotmail address in the content management system used to run the site.

That is one of the eye-opening details in the case of Alexandre Cazes, the 25-year-old arrested earlier this month in Thailand suspected of being the administrator of an illegal marketplace trafficking in drugs, guns, counterfeit goods and hacking tools, among other items.

Cazes must have known that investigators would be all over him: AlphaBay had grown into the internet’s biggest black market, with over 200,000 users and 40,000 sellers. It had more than 250,000 listings – making it nearly 20 times larger than Silk Road, which was shut down in 2013 after a massive investigation by the FBI.

Which makes it all the more bizarre that, according to American prosecutors, he used his real email address, albeit a Hotmail address – [email protected] – as the administrator contact for the marketplace software. As a result, every new user received a welcome email from that address when they signed up to the site, and everyone using its password recovery tool also received an email from that address.

However, rather than carefully set up and then abandon that email address, it turns out that Alexandre Cazes – Pimp Alex – had been using that address for years.

US Dept of Justice lawyers, in their case against Cazes, said “law enforcement subsequently learned the ‘[email protected]’ email address belonged to a Canadian man named Alexandre Cazes with a birthdate of October 19, 1991, matching the numeric identifier in his Hotmail email address.”

Not only that, but Cazes had also used the exact same alias as the admin username for the AlphaBay marketplace – Alpha02 – and associated it with the Pimp Alex Hotmail address for many years, leaving a long digital trail that investigators easily followed.

Not smart

And if there was any doubt, Cazes repeatedly added his full name to blog posts using that alias, and that email address on online forums.

It was of course still possible that the real mastermind behind the marketplace had elaborately set up Cazes as a fall guy, creating a digital trail to point them to the wrong guy. That would have been smart.

Except when the investigators stormed Cazes’ house in Bangkok, Thailand, they found him still logged into the AlphaBay website as the admin and actively communicating about problems with one of its data centers.

Compounding the terrible, terrible job Cazes had done of protecting himself and his illegal activities, he also did not encrypt his personal laptop: when law enforcement searched it, they found “passwords to AlphaBay’s servers and other infrastructure.”

And just in case you still thought this was a criminal mastermind at work, Cazes had also used his Pimp Alex Hotmail address, as well as an email address from his own business, EBX Technologies, to set up online bank accounts and crypto-currency accounts. How did law enforcement know that Cazes was behind EBX Technologies? It was on his LinkedIn profile.

All of this enabled the authorities to do a huge sweep of his assets and turn up $5m in Bitcoin, $2m in Ethereum, $770,000 in Zcash and $474,000 in Monero – all now shifted to government accounts.

That was just the cryptocash. Cazes’ miserable operations security also led investigators to accounts in his and his wife’s (Sunisa Thapsuwan) names at Bangkok Bank, Bank of Ayudhya, Kasikorn Bank, Siam Commercial Bank and several others.

Even more amazingly, the cops didn’t even have to ask the banks for accounts under those names: Cazes had listed all of his accounts, his houses and his luxury cars in a spreadsheet on his unlocked, unencrypted laptop.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/alphabay_hotmail_fbi/

US Homeland Sec boss has snazzy new laptop bomb scanning tech – but admits he doesn’t know what it’s called

Flying into America? Don’t worry about that crackdown on laptops and similar gear in your carry-on luggage. It’s no longer happening. No, instead, the US has something else up its sleeve.

New screening technology in airports will sniff out any bombs in your IT kit. So says Homeland Security boss John Kelly, although he doesn’t know exactly what that tech is.

Speaking on the opening day of the eighth annual Aspen Security Forum on Wednesday, Kelly said the ban earlier this year was triggered by credible intelligence that terrorists had developed a method of packing explosives into notebooks in such a way that conventional systems couldn’t detect them. The terror bastards, we’re told, had hoped to detonate the bombs mid-flight, committing murder on a mass scale.

However, no one, certainly not the airlines, was totally happy about that crackdown, so it was shelved in favor of scanning people’s electronics with a new thing called CT. However, when asked what that actually meant, Kelly was fuzzy on the details.

“It’s a new kind of technology,” he said [PDF]. “I don’t know what CT stands for, but let me put it this way, when you go through your airport check in your bag goes through today, it goes through X-rays, your baggage checked goes through, for the most part CT technology.”

Thankfully, John Pistole, the former administrator of the US Transportation Security Administration, was on hand to enlighten Secretary Kelly and explained that CT stood for computed tomography. After hearing this, Kelly called Pistole a “nerd,” and got a laugh.

Terrorists could have a blowout

Computed tomography, which is widely used in medicine, involves taking multiple X-rays around an object to build a three-dimensional image of what’s inside, as opposed to the single top-down projection taken by today’s airport scanners. Kelly said that he was confident that the new technology, whatever it’s called, will protect aircraft and the passengers onboard.

Kelly said that the laptop ban covered cabin use of electronics – but not storing them in the hold, because the intelligence community had told him that although an undetectable bomb could be made for laptops, a remote trigger could not.

He said that, given his military background, he’d been skeptical that you could pack enough explosives into a laptop to destroy an aircraft. But after seeing tests carried out on a pressurized aircraft hull he had been convinced.

Kelly said the DHS wants to see greater use of sniffer dogs at airports and will be introducing a requirement for an advanced biometric passport to be required for flights coming into the US.

He also wants to see biometric scans introduced for those crossing US borders on land. He envisaged a system whereby car drivers could be scanned by a camera and simply waved on through if their faces were on the nice-guy register. It seems he doesn’t know a lot about the failure rates of such systems either.

During the Q&A session of the talk, Kelly was asked why the enhanced security measures and partial travel bans didn’t affect citizens from Saudi Arabia, Pakistan, and the United Arab Emirates, since those three countries provided the vast majority of terrorists who attacked the US.

Kelly replied that the travel ban was more to do with countries that didn’t check travelers against criminal databases, whereas he was satisfied that Saudi Arabia, Pakistan, and the United Arab Emirates did do background checks before allowing their citizens to travel to the US. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/dhs_laptop_bombscanning_tech/

So, FCC, how about that massive DDoS? Hello? Hello…? You still there?

Updated America’s broadband watchdog, the FCC, has declined to share any more details on the cyber-assault that apparently downed its website shortly after it announced its intent to kill net neutrality.

Today, the regulator said in a formal response [PDF] to a Freedom of Information inquiry that it would not hand over more than 200 pages of internal documentation regarding the cyber-tsunami that, we’re told, knocked over its online comment system. The commission claimed the attack washed away its servers in early May after telly comic John Oliver criticized the FCC’s efforts to tear up net neutrality rules.

Shortly after Oliver’s segment aired, the FCC’s comment system went down under the weight of what the commission said was a distributed denial of service attack, but what critics claim was merely the American public firing up their web browsers and letting the regulator know what they thought of the policy.

Skeptical of the claim of an attack, Gizmodo scribes filed public record requests for the agency’s internal analysis of the cyber-assault. A group of US Senators also sought out proof.

Now the FCC claims it can’t provide more than 200 pages of the requested documents because they contain commercially confidential details, copyrighted information, and internal agency notes that are protected from civil discovery requests. It also said early analysis of the DDoS was not even written down.

“Records responsive to your request were withheld under FOIA Exemption 4. Exemption 4 protects matters that are ‘trade secrets and commercial or financial information obtained from a person and privileged or confidential’,” the FCC claimed.

“These documents consist of trade press articles and other subscription publications that are subject to copyright. We have determined that disclosure is prohibited by law under the Trade Secrets Act, 18 USC §1905, or that release would otherwise harm the commercial interests of the companies involved.”

The response will only fuel claims that the broadband watchdog and its chairman Ajit Pai are trying to downplay the unpopular nature of the commission’s efforts to dismantle net neutrality protection in the US by claiming that the flood of comments to the FCC site was a deliberate attack and not a massive wave of disgruntled Americans making their voices heard.

The FCC plan for net neutrality rollbacks was recently endorsed by the Trump administration. ®

Updated to add

Here’s where the plot thickens. Today, tech hacks took the FCC’s response to mean the regulator had no record or any proof of the alleged cyber-attack. In the FoI response, the watchdog said an internal study of the attack “did not result in written documentation.”

Hours later, the FCC shot us an email arguing it does have proof in the form of web server logs – and that in the aftermath of the chaos, it did eventually write down an analysis of the alleged attack.

“Media reports claiming that the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system are categorically false,” said FCC spokesman Brian Hart.

“Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing. Indeed, analysis was made public in response to a request from Capitol Hill.

“Moreover, the FCC has never stated that it lacks any documentation of this DDoS attack itself. And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners.”

However, that aforementioned written analysis appears to be a letter the commission sent to US Senator Ron Wyden (D-OR) in June; the missive is a rather longwinded way of saying: “We were DDoS’d, all right.”

So, yes, the FCC didn’t document the attack while its servers were on fire, and thus it couldn’t hand over any detailed information to journos. However, it did write Senator Wyden a long letter about it all, so essentially: back off, nerds.

Meanwhile, we’re still none the wiser to what actually happened other than that the site’s API – used by complaint-filing software – got two million comments in 10 days from a load of bots in “the cloud” shooting out 30,000 requests a second tops. By flooding the API service, the bots stopped normal humans from submitting comments to the website, we’re told.

In short, the FCC says bots knackered its website via its form-filing API. Critics of its decisions reckon it was the stampede of angry Americans and their web browsers that brought down the site.
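The dispute above turns on what the server logs actually show: a small number of sources each firing tens of thousands of requests a second at the filing API, or a great many sources each submitting one comment through a browser. The following is an added example, not FCC code or anything The Register published, of the first check an incident responder would run over access logs: parse combined-format lines, compute each client’s peak requests-per-second, and split traffic between the API endpoint and the browser-facing form. The log lines, paths, addresses and the rate threshold are all constructed for illustration.

```python
"""Per-source request-rate analysis over web server access logs.

Added example (not FCC, Register or vendor code). The sample log lines,
endpoint paths and the burst threshold below are constructed assumptions;
tune the threshold to your own site's normal peak.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample: three browser users filing one comment each, and one
# scripted client hitting the comment API twelve times inside a single second.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/May/2017:03:14:07 +0000] "POST /ecfs/filing HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [08/May/2017:03:14:08 +0000] "POST /ecfs/filing HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [08/May/2017:03:14:09 +0000] "POST /ecfs/filing HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
] + [
    '198.51.100.7 - - [08/May/2017:03:14:08 +0000] "POST /api/filings HTTP/1.1" 201 77 "-" "python-requests/2.13"'
] * 12


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_rps_by_client(lines):
    """Map each client IP to the most requests it made in any single second."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole analysis
        per_second[rec["ip"]][rec["when"].replace(microsecond=0)] += 1
    return {ip: max(buckets.values()) for ip, buckets in per_second.items()}


def flag_bursty_clients(lines, rps_threshold):
    """Sorted list of clients whose peak per-second rate meets the threshold."""
    peaks = peak_rps_by_client(lines)
    return sorted(ip for ip, peak in peaks.items() if peak >= rps_threshold)


def requests_by_path(lines):
    """Count requests per path, to compare API traffic with browser-form traffic."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["path"]] += 1
    return counts


if __name__ == "__main__":
    print("peak rps per client:", peak_rps_by_client(SAMPLE_LOG))
    print("bursty clients (>=10 rps):", flag_bursty_clients(SAMPLE_LOG, 10))
    print("requests per path:", requests_by_path(SAMPLE_LOG))
```

On real logs the interesting output is not the flagged list itself but its shape: a handful of addresses dominating the API path with a script user agent is the DDoS story, while thousands of distinct addresses each posting once to the form is the "angry public" story. Either way the logs must be preserved with their timestamps intact, which is exactly the written record the FCC was asked for.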

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/fcc_cant_prove_ddos_attack/

Black Hat USA 2017: Know Before You Go

We’re excited that you’ll be joining us at Black Hat USA 2017! Here is important event information, including badge pick-up hours, scheduling updates, special programs, and more.

Make sure to follow @BlackHatEvents on Twitter and tweet using the hashtags #BHUSA and #BlackHat to join the conversation and stay up-to-date. Download the official Black Hat USA mobile app to customize your event schedule

Check-in Information
Black Hat USA will take place at Mandalay Bay Resort and Casino in Las Vegas.

Check in at the Registration Counters on Level 2 of the Mandalay Bay Convention Center (using the email address you registered with). Please note, this service is only available for Briefings and Trainings pass holders. If you have any questions about your registration, please email our Registration Team at [email protected].

Registration desk hours are as follows:

Friday, July 21: 14:00 – 18:00
Saturday, July 22: 07:00 – 16:00
Sunday, July 23: 08:00 – 18:30
Monday, July 24: 07:30 – 17:00
Tuesday, July 25: 08:00 – 18:00
Wednesday, July 26: 06:30 – 19:00
Thursday, July 27: 08:30 – 17:00

We will also be offering a satellite registration desk near the Mandalay Bay Hotel front desk, across from the Orchid Lounge. You may choose to pick up your badge there, during the days/times listed below.

Satellite Registration Desk Hours:
Monday, July 24: 13:00 – 17:00
Tuesday, July 25: 08:00 – 22:00
Wednesday, July 26: 07:00 – 13:00

Important Note: Please care for your badge. A non-refundable replacement fee will apply to all lost, misplaced, stolen, forgotten and duplicate badge or badge holder requests. If your badge was complimentary, the fee will be the current, on-site rate. Both the badge and badge holder are required for entry at Black Hat and both will incur a replacement fee if a duplicate of either is requested.

Trainings Information
Trainings Schedule: Schedules for each day can be accessed at: https://www.blackhat.com/us-17/schedule-trainings.html

Class Requirements: Please be sure to check the “Student Requirements” and “What Students Should Bring” sections for your specific Training at https://www.blackhat.com/us-17/training/schedule/index.html

Laptops and Power Supply: Please bring your own laptop with you to class! Black Hat does not have extra laptops or power cords to lend out. Make sure that your power supply can accept 120V.

Lunch: Lunch during Trainings will be served in Oceanside Ballroom on Level 2. You DO NOT need lunch tickets during Training; however, you MUST have your Black Hat badge in order to enter the lunchroom.

Training Certificates of Completion: If you do not receive a Training certificate or there is an issue, please complete a Certificate Request Form (available from your instructor) and turn it into the Black Hat Certificate Counter located in the main hallway on Level 2. If you do not receive a Training Certificate of Completion, you must request your certificate no later than 48 hours after the end of the conference or you will not receive one. Please note: Black Hat will send you the certificate via email, not US First Class Mail or Federal Express. Black Hat does not replace lost, stolen, or misplaced Certificates of Completion.

Briefings Information
Briefings Schedule: Schedules for each day can be accessed at: https://www.blackhat.com/us-17/schedule.html

Keynote: Please join us for Alex Stamos’ Keynote presentation “Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone” on Wednesday, July 26 at 9:00 am in the Mandalay Bay Events Center. Doors open at 08:00 and early arrival is recommended for best seating. Breakfast will be served in the event center beginning at 08:00.

Lunch: Your Briefings pass grants you access to lunch on both Wednesday, July 26 and Thursday, July 27 in Oceanside ABCD, Level 2. You must have your Briefing badge to enter the lunchroom.

Briefings Evaluations: Your feedback on the quality and relevancy of our Briefings content helps us improve the quality of Black Hat Conference. Please help us make future programs even better by completing an evaluation for each Briefing session you attend. Evaluations will be sent to you by email (from [email protected]) 15 minutes before the end of each session if you opted in to be scanned when entering the session room.

Attendee badges are encoded with the attendee’s first and last name, title, company, and attendee ID number ONLY. Personal contact information is not stored or collected when badges are scanned. The badge scanner captures your attendee ID number which pulls from a database that securely stores attendee emails and sends the evaluation.

Briefings Slides and White Papers: Briefings presentation materials provided by speakers will be made available at the end of each day on the Black Hat website. Presentations can be downloaded here: https://www.blackhat.com/us-17/briefings.html

Briefings Audio and Video: Afraid you’ll miss a session? The Source of Knowledge will be on-site Wednesday, July 26 and Thursday, July 27 to sell audio and video recordings of each Briefings session. These recordings may be purchased on-site at a substantial discount. The Source of Knowledge has two locations: Breakers Registration Desk, Level 2; top of the escalators, Level 3.

Business Hall Activities
Business Hall Level 1/Bayside AB will feature more than 300 leading security companies providing hands-on learning opportunities and demonstrating the latest products, solutions and technologies. Business Hall Level 2/Shoreline provides access to Innovation City and the hottest security startups, Arsenal open-source tool presentations led by independent researchers, and the Career Zone.

Business Hall Hours
Wednesday, July 26: 10:00 – 19:00 (Reception 17:30-19:00)
Thursday, July 27: 10:00 – 17:00

Join us for the Business Hall Welcome Receptions on Wednesday, July 26 from 17:30 – 19:00 in Bayside AB, Level 1 and Shoreline, Level 2.

Arsenal
Black Hat Arsenal will feature 92 open-source tool demos over the course of two days. Independent researchers will showcase their work while answering questions in a dynamic setting. View the full lineup of Arsenal tools here: https://www.blackhat.com/us-17/arsenal/schedule/index.html

Career Zone
Connecting premier companies with top level talent in the security space. View full list of Career Zone Sponsors: https://www.blackhat.com/us-17/event-sponsors.html#career-zone

Innovation City
Designated area for start-ups to showcase cutting-edge products and solutions and engage with the community. View full list of Innovation City Sponsors: https://www.blackhat.com/us-17/event-sponsors.html#innovation-city

Lounges
Unwind, recharge and network in the many lounges listed below:

Comodo Lobby Lounge (Bayside Foyer, Level 1)
HP Print Security Lounge (Black Hat Blvd, Level 2)
Accenture Networking Lounge (Level 1 Business Hall, Bayside AB)
Microsoft Networking Lounge (Level 2 Business Hall, Shoreline)

Merchandise Store
Get your Black Hat branded merchandise, T-shirts, hoodies, gifts, and more.
Located in the Palm Foyer, Level 3.
Monday, July 24 / 08:00–18:00
Tuesday, July 25 / 08:00–18:00
Wednesday, July 26 / 07:30–18:00
Thursday, July 27 / 08:00–18:00

Code of Conduct
Black Hat has a strict code of conduct that we expect all our attendees to follow. Familiarize yourself with our policies here: https://www.blackhat.com/code-of-conduct.html

Article source: https://www.darkreading.com/black-hat/black-hat-usa-2017---know-before-you-go/d/d-id/1329420?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

#HackTor: Tor Opens up its Bug Bounty Program

The popular identity-cloaking service has expanded its private, invite-only vulnerability discovery program to an open one via HackerOne.

The Tor Project has teamed up with HackerOne to invite hackers to find vulnerabilities in its online anonymization platform used by 1.5 million citizens, journalists, privacy advocates, and dissidents around the globe.

The new public bug bounty program expands on its two-year-old invite-only bug bounty project that doled out a total of $2,200 for seven vulnerability finds, including crash and denial-of-service and edge-case memory-corruption flaws. Under its new public bug bounty program, which Tor announced with the #HackTor moniker, Tor is offering up to $4,000 per bug find, depending on the severity and impact of the flaw.

Tor is hoping the program will help it root out some specific vulnerabilities in its Tor network daemon and browser software: local privilege escalation, unauthorized access of user data, leakages of crypto material of relays or clients, and remote code execution.

“After experiencing the success of the private bug bounty program, we’re electing to open up our program to all hackers willing to comply with the scope of the program on an ongoing basis. The private bounty brought us quality bug reports and helped us fixing issues not only in software eligible under the bug bounty program, but also in other tools we produce or use,” Tor browser team lead Georg Koppen said via an email interview.

Tor’s bug bounty is sponsored by the Open Technology Fund, an organization that supports Internet freedom initiatives worldwide. 

Alex Rice, co-founder and CTO of HackerOne, a bug bounty platform service, says many organizations start with a private bug-bounty program to get their feet wet. “Tor made the decision rather than ramping up rewards to ramp up the number of hackers” searching for vulnerabilities in its software, he says.

Over the past year and a half, Tor had begun inviting more hackers to its closed program and upping the amount of its awards to bug finders, Rice notes.

“The stakes for vulnerabilities in a technology like Tor are so much higher than the average organization,” Rice says. “People using Tor are human rights advocates, privacy advocates, and individuals going to extremes to protect their privacy because often their lives are in danger if that privacy technology reveals them.”

But the flip side to Tor’s popularity is that it’s also used by seedy elements of the Internet world: the infamous AlphaBay Darkweb underground marketplace, for example, which now has gone dark after a massive law enforcement operation, employed Tor to mask the identity of its participants.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/-hacktor-tor-opens-up-its-bug-bounty-program-/d/d-id/1329419?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian National Receives 5 Years In Jail For Role In ‘Citadel’ Attacks

Mark Vartanyan is the second individual to be sent to prison in connection with Citadel.

A US federal court in Atlanta this week sentenced Russian national Mark Vartanyan to five years in prison for his role in developing, improving and distributing Citadel, a malware kit that was used to steal an estimated $500 million from individuals and financial institutions worldwide.

Vartanyan, who also used the moniker “Kolypto,” had previously pleaded guilty to computer fraud charges in March 2017 after being extradited to the US from Norway last December.

Federal authorities had charged Vartanyan with developing, improving, maintaining, and distributing Citadel while residing in Ukraine and later in Norway between August 2012 and June 2014. During that period, he uploaded numerous files consisting of Citadel software, components, updates and patches all with the intent to improve the malware’s functionality.

Vartanyan was arrested in Norway in October 2014. He will receive credit for time spent in custody since then which means he will be eligible for release in less than three years.

“Mark Vartanyan utilized his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of its time,” US Attorney John Horn said in a statement announcing the sentence Wednesday. “For that, he will serve significant time in federal prison.”

Citadel first surfaced in 2011 and was assembled using leaked source code for the Zeus banking Trojan. It was initially made available to cybercriminals on an invitation-only basis on multiple Russian-language online forums.

The malware was designed to steal payment card data, personal data, and credentials for logging into bank accounts. It was typically installed on victim computers as a drive-by download, though cybercriminals employed multiple other infection methods as well. For instance, the creators of the malware bundled it into pirated versions of Windows XP installed on computers sold in multiple countries. In many cases, Citadel blocked infected computers from accessing antimalware sites, making it harder to detect and remove the malware.
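Blocking access to antimalware sites is the kind of behaviour a responder can check for on a suspect host. The article does not say how Citadel did it; the check below assumes the common Zeus/Citadel-family technique of rewriting the hosts file so that vendor domains resolve to loopback (a blackhole) or to an attacker-controlled address (a redirect). This is an added example written for this page, not code from the article or from any vendor; the vendor watch-list and the sample hosts file are constructed.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example. Hosts-file hijacking is assumed as the blocking mechanism;
the article only states that Citadel blocked antimalware sites.
"""
import ipaddress

# Constructed watch-list of security/update vendor domains (illustrative).
SECURITY_DOMAINS = {
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "kaspersky.com", "sophos.com", "trendmicro.com", "avast.com",
}

LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def _is_watched(hostname):
    """True if hostname is a watched domain or any subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked_entries(hosts_text):
    """Return (line_no, ip, hostname, kind) for every suspicious entry.

    A legitimate hosts file has no reason to pin a vendor domain at all, so any
    mapping of a watched name is reported. kind is 'blackhole' when the address
    is loopback or unspecified (0.0.0.0), otherwise 'redirect'.
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed address; out of scope for this check
        for name in parts[1:]:
            if name.lower() in LOCALHOST_NAMES or not _is_watched(name):
                continue
            kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
            findings.append((line_no, str(addr), name.lower(), kind))
    return findings


# Constructed sample; 203.0.113.7 is from the RFC 5737 documentation range.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.0.1       www.kaspersky.com kaspersky.com
127.0.0.1       update.symantec.com
0.0.0.0         download.windowsupdate.com
203.0.113.7     www.mcafee.com        # points at an attacker host
10.0.0.5        intranet.example      # benign internal entry, not reported
"""

if __name__ == "__main__":
    for line_no, ip, name, kind in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

On a live Windows host the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. A clean result from this check does not clear the host, since the same effect can be achieved with a local DNS proxy or a browser-level hook, but a hit on a vendor domain is a strong indicator worth escalating.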

In all, cybercriminals infected some 11 million systems globally with Citadel and turned the systems into remotely controlled bots. The malware’s victims included organizations such as Citigroup, Bank of America, American Express, and Wells Fargo.

In June 2013, Microsoft announced that the company, along with the FBI and law enforcement authorities from multiple countries, had managed to severely disrupt Citadel operations by shutting down more than 1,400 botnets associated with the malware. At the time, Microsoft noted that cybercriminals were using fraudulently obtained product keys for pirated copies of Windows XP to bundle Citadel with the operating system.

Even after that cooperative operation though, Citadel continued to be a threat. 

In 2014, for instance, security researchers reported seeing the malware being used to attack the password managers that many organizations use to store and secure their online account credentials. The same year, IBM researchers said they had observed a Citadel variant being used to conduct cyberspying operations against petrochemical companies in the Middle East. Last year, security vendor Heimdal Security said it had discovered a modified form of the malware being used to attack banks in France.

Vartanyan is the second individual sentenced to jail time for activities connected to Citadel malware.

In September 2015, another Russian national, Dimitry Belorossov, was sentenced to four-and-a-half years in prison for developing, distributing, and installing Citadel on computers worldwide. Belorossov pleaded guilty to operating a Citadel botnet comprising more than 7,000 infected systems, including those belonging to multiple US banks, financial institutions, and a federal court in Georgia.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/russian-national-receives-5-years-in-jail-for-role-in-citadel-attacks/d/d-id/1329422?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Using DevOps to Move Faster than Attackers

Black Hat USA talk will discuss the practicalities of adjusting appsec tooling and practices in the age of DevOps.

DevOps could be security’s biggest boon for quickly mitigating the kinds of vulnerabilities that will be highlighted next week at Black Hat USA in Las Vegas. And in a departure from the show’s typical doom-and-gloom demos of scary attacks and exploits, one speaker is taking the podium to explain the practicalities of tuning application security practices to DevOps speeds so organizations can finally get the jump on zero-days and other hard problems in vulnerability management.

The rundown will come from Etsy’s former head of security engineering, Zane Lackey, who will explain that the goal is to get faster than the attackers in identifying and fixing security flaws in software. He’ll talk about the online retailer’s transition from Waterfall development to continuous integration/continuous delivery methodologies. He plans to explain what that kind of evolution means for the standard approach for Web application security, especially when it comes to static analysis and dynamic testing.

“What it really means for vulnerability scanning is that the tools need to change,” says Lackey, who since Etsy has moved on to the vendor side of the world, co-founding Signal Sciences. “It’s a real evolution with a focus on speed and consumability of results by non-security experts. The real lesson learned on that side is that modern approaches to security tooling and techniques have to be about empowering the development team and the DevOps team to have visibility and that they’re seeing results directly themselves.”

During his time at Etsy (2011-2014), the firm was establishing itself as a front-runner and thought leader in DevOps operational patterns while at the same time dealing with the increasing risk and compliance concerns that come with the territory of a rapidly expanding retail business. In order to fit security into the Etsy paradigm, Lackey says he and his team had to learn that they were no longer outside gatekeepers, but instead more like consultants who help the developers both run tests and use the results to guide future fixes.

Although the fast pace initially spooked him, he found that once the kinks were worked out it dramatically improved appsec.

“When I started as head of security at Etsy and they said ‘We deploy to production 20 times a day,’ I thought it was crazy and I thought that would be dramatically less secure,” he says. “What I really learned over the course of my time building a security program there was that moving faster can actually be a net positive on security.”

His observations seem to be reflected in recent statistics. A survey released earlier this week found that integrating security into DevOps has helped companies reduce their application security risk by approximately 22%.

Lackey will provide some real-world examples of what that kind of quantitative improvement looks like in practice. He’ll talk through one case where his team was able to move so quickly that the improved visibility and response time let them spot an adversary discovering a real vulnerability in production, and fix it before the adversary could do anything with it.

“Any organization can get to this point. By embracing DevOps they’re able to move faster and for the first time potentially move faster than the attackers,” he says.
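As an added illustration of the production visibility the story describes (not code from Etsy, Signal Sciences, or Lackey’s talk), here is a small detector run over constructed web access-log lines in Combined Log Format. It flags a client that looks like it is hunting for a weakness: either a burst of error responses across many distinct paths inside a short window, or a request path carrying common injection or traversal tokens. The thresholds, the token list, and the log lines are assumptions made for the example.

```python
"""Spot a client probing for a vulnerability in web access logs.

Added example; assumes Combined Log Format and two constructed heuristics
(error burst across distinct paths, and known probe tokens in the path).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed, deliberately small token list; tune to the application in practice.
PROBE_TOKENS = ("../", "%2e%2e", "%27", "union%20select", "union+select",
                "<script", "%3cscript", "/etc/passwd")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_probing_clients(lines, window=timedelta(minutes=5),
                         error_threshold=5, distinct_paths=4):
    """Return {client_ip: [reasons]} for clients that look like they are probing.

    error_burst: at least error_threshold responses >= 400 within `window`,
                 spread over at least distinct_paths different paths.
    probe_token: any request path containing a PROBE_TOKENS entry.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        if any(tok in r["path"].lower() for r in recs for tok in PROBE_TOKENS):
            reasons.add("probe_token")
        start = 0                          # sliding window over sorted timestamps
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            errs = [r for r in recs[start:end + 1] if r["status"] >= 400]
            if (len(errs) >= error_threshold
                    and len({r["path"] for r in errs}) >= distinct_paths):
                reasons.add("error_burst")
                break
        if reasons:
            verdicts[ip] = sorted(reasons)
    return verdicts


# Constructed sample: one normal visitor, one scanner, one benign client with
# two unrelated 404s far apart in time. Addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [20/Jul/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.9 - - [20/Jul/2017:10:00:04 +0000] "GET /listing/123 HTTP/1.1" 200 8120
198.51.100.4 - - [20/Jul/2017:10:01:00 +0000] "GET /admin HTTP/1.1" 404 210
198.51.100.4 - - [20/Jul/2017:10:01:02 +0000] "GET /admin.php HTTP/1.1" 404 210
198.51.100.4 - - [20/Jul/2017:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.4 - - [20/Jul/2017:10:01:05 +0000] "GET /.git/config HTTP/1.1" 403 198
198.51.100.4 - - [20/Jul/2017:10:01:07 +0000] "GET /backup.zip HTTP/1.1" 404 210
198.51.100.4 - - [20/Jul/2017:10:01:09 +0000] "GET /listing/123?id=1%27%20or%201=1 HTTP/1.1" 500 0
192.0.2.77 - - [20/Jul/2017:10:02:00 +0000] "GET /listing/999 HTTP/1.1" 404 210
192.0.2.77 - - [20/Jul/2017:10:30:00 +0000] "GET /listing/998 HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for ip, reasons in find_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(reasons))
```

The point of running this in the pipeline rather than in a quarterly review is the feedback loop the article describes: the alert lands with the team that can ship the fix, and the 500 on the injected parameter in the sample is exactly the signal that tells developers which endpoint to look at first.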


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/using-devops-to-move-faster-than-attackers/d/d-id/1329421?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

“Orpheus’ Lyre” – where it came from, and what to do [VIDEO]

Here’s our latest Facebook Live video – a fun but informative way to keep on top of the latest security issues.

This week, a security hole called Orpheus’ Lyre made the news – it affects Windows, Linux and more.

From how this bug got its weird name all the way to the lessons that today’s programmers can learn from it – Paul Ducklin talks you through the problem and how to fix it, no jargon, just plain English.

Enjoy…



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5rZlgjnag-c/