STE WILLIAMS

Several developments this week recentered the security spotlight on some of the enterprise’s most critical business systems as cybersecurity experts deal with the reality that enterprise resource planning (ERP) software needs heightened attention.

On the vulnerability front, SAP this week patched a new, highly critical vulnerability for SAP HANA with one of the highest severity ratings available. Meanwhile, a new survey report shows that security professionals are finally waking up to the fact that attackers are looking to leverage vulnerabilities like these, with indicated expectations of increased ERP attacks in the near future.

SAP HANA is an in-memory data platform used by enterprises to crunch data from across their business software stacks. Organizations use it to perform advanced analytics that inform critical business processes and fuel innovative applications, and as such it contains some of the most sensitive data pertaining to customers, business processes and intellectual property.  

The major vulnerability was discovered by ERP security firm Onapsis in SAP HANA’s User Self-Service component and scored a CVSS vulnerability rating of 9.8, garnering a Hot News designation in this month’s SAP Security Notes. If exploited, it would allow full remote compromise without access to any credentials.

“This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering, and/or deleting sensitive information,” says Sebastian Bortnik, head of research for Onapsis. “If these vulnerabilities are exploited, organizations may face severe business consequences.”

According to Alexander Polyakov, CTO of ERPScan, this is definitely a big issue – but enterprises prioritizing ERP vulnerabilities should take the news with a grain of salt.

“The risk of these SAP HANA vulnerabilities is critical indeed,” he says. “However, the likelihood of mass-exploitation is low as SAP HANA User Self-Service which contains the most dangerous issue is enabled only on 13% [of] Internet-exposed SAP systems according to a custom scan” by ERPScan, he says.

SAP patched the problem in this month’s round of SAP Security Notes, which included 35 vulnerabilities across its portfolio. Among them there were eight vulnerabilities with a high priority rating.

Polyakov says his researchers are planning on drawing additional industry scrutiny on a critical vulnerability in the SAP GUI client, which he says has a much broader install base and could impact millions of SAP users. He says they’re waiting to disclose technical information to enable SAP customers time to patch the vulnerability, but that the industry can look for details to come out of Troopers, a European security conference next week that will feature a special track on SAP security.

While there is a lot of work left to go, ERP security has increasingly hit the radar of enterprise security teams in the past few years.

“Just a few years ago, ERP security associated with separation of duties only and was hardly known even among cybersecurity experts,” Polyakov says. “Nowadays, leading analysts consider it as an increasingly important topic and ERP vulnerabilities are covered by the international media.”

Last year, the threats posed by these vulnerabilities tipped over from the theoretical realm to one of documented reality when US-CERT released a report that warned of at least 36 organizations worldwide impacted by attacks that leveraged a vulnerability in SAP’s Invoker Servlet functionality running on SAP Java platforms.

This week, a new report from Crowd Research Partners found that 89% of security experts anticipate more attacks against ERP systems. Approximately 1 in 3 experts expect a significant increase in these attacks.

As things stand, most enterprises are still dreadfully unprepared for any attacks, let alone an increased volume of them. A report last year from Ponemon Institute showed that more than half of enterprises admit it would take their firm a year or longer to detect a breach in the SAP platform.

Related Content:

• 10 Tips for Securing Your SAP Implementation
• 5 Reasons SAP Security Matters
• Awareness Improving But Security Still Lags For SAP Implementations
• 6 Critical SAP HANA Vulns Can’t Be Fixed With Patches

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Article source: http://www.darkreading.com/application-security/database-security/erp-attack-risks-come-into-focus/d/d-id/1328418?_mc=RSS_DR_EDT

The heightened level of attention to the proliferation of cyberattacks has yielded many outcomes, but none more notable than the recognition that responsibility for cyber risks no longer lies solely within the realm of IT. It now sits squarely in the domain of the C-suite and business leaders, with responsibility for oversight of management’s performance in cyberrisk identification, defense, mitigation, and response resting with the corporate board of directors.

The National Association of Corporate Directors (NACD) has been a leading voice advocating for board-level cyber risk oversight since the initial release of the NACD Director’s Handbook on Cyber-Risk Oversight in 2014. The handbook was the first non-government resource to be featured on the U.S Department of Homeland Security’s US-CERT C3 Voluntary Program website. Along with providing guidance for directors in companies of all sizes and sectors, the handbook helps boards understand management’s responsibilities around cyber preparedness and, more pointedly, provides questions directors should be asking of the senior executive team. Earlier this year, the handbook was re-issued with updated information on the evolving cyberthreat environment, and a host of new tools for boards such as cyberrisk profile assessments and cyber dashboards. 

Board-level Cyber Literacy is Low, Discomfort High
NACD’s most recent annual governance survey of public-company directors highlights the ongoing discomfort board members experience when it comes to cyber literacy. According to the survey, only 19% of directors believe they have a high-level understanding of the risks associated with cybersecurity, and 59% find it difficult to oversee those risks. 

These statistics speak to a larger problem: cybersecurity needs to be prioritized and approached holistically as an organization. The reason for this is simple. Cyber risks have an impact well beyond technology: they affect new business plans, product and service offerings, mergers and acquisitions, supply chain and purchasing decisions, major capital investment decisions such as facility expansions and upgrades, RD processes, and HR policies. For that reason, cybersecurity should be woven into boardroom discussions on all of these topics. If business leaders and directors continue to view cybersecurity as mainly a matter for the IT department, they will leave their companies – and, in turn, the U.S. economy – exposed to significant risks.

As part of the effort to strengthen investor trust and public confidence in board-level cyber risk oversight practices, NACD has created the first credentialed course dedicated to board member cyber literacy. The NACD Cyber-Risk Oversight Program was launched in concert with Ridge Global —led by former Governor Tom Ridge, first US Secretary of Homeland Security — and the CERT Division of the SEI, a federally-funded research and development center sponsored by the Department of Defense, based at Carnegie Mellon University. The program is a first-of-its-kind online course that goes in-depth on issues such as cybersecurity leadership, effective security structure, and the role of the board. Leaders who complete the course and pass the exam earn the CERT Certificate in Cybersecurity Oversight, issued by Carnegie Mellon.

Securities and Exchange Commission leaders have called cybersecurity “the biggest risk to the financial system,” also noting that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril.” NACD-s cyber-risk oversight program addresses this call to action; the certificate demonstrates to investors, customers, employees, and regulators that participating directors are committed to staying cyber-literate.

A common saying in the security world is that “there are only two types of organizations: those that have experienced a breach, and those who aren’t aware that they’ve been breached.” While no organization is 100% protected, the board plays an important role in assessing a company’s cyber preparedness. The intent of the NACD Cyber-Risk Oversight Program is not to turn board members into technologists; it’s to ensure the board is aligned with management in setting the company’s cyber risk profile, and maintaining the organization’s cyber resiliency. 

Related Content:

• What Your SecOps Team Can (and Should) Do
• In Cybersecurity, Language Is a Source of Misunderstandings
• Talking Cybersecurity From A Risk Management Point of View

Peter Gleason is president and CEO of the National Association of Corporate Directors (NACD), the only national association devoted exclusively to serving the information and educational needs of corporate directors. He also serves as Treasurer for the NACD Board of … View Full Bio

Article source: http://www.darkreading.com/risk/in-cyber-who-do-we-trust-to-protect-the-business-/a/d-id/1328245?_mc=RSS_DR_EDT

University of Michigan researchers have shown that sound waves can be used to hack into devices that use a commonly deployed piece of silicon called a MEMS accelerometer. Fitbits, smartphones, and a variety of medical devices and GPS locators all rely on accelerometers.

The bad news is that the sound-wave hack can be used to control an emerging class of autonomous devices such as drones, self-driving cars, and anything attached to the Internet of Things. The good news: The hack requires physical proximity, expertise in both mechanical and electrical engineering, and above-average programming skills, the researchers tell Dark Reading.

They also admit the actual threat is slight. “We’re not saying the sky is falling,” says Tim Trippel, one of the researchers and a PhD candidate in the computer science and engineering department at the University of Michigan. “But we need to think about software security and how the hardware can be stimulated environmentally with sound waves and [electromagnetic interference]. If attackers can craft the right type of vibration, they can make a device behave the way they way want it to.”

Trippel says the research builds on a paper presented at a 2015 USENIX conference that showed how an acoustical blast could register on a drone as a gust of wind. But rather than just interfere with the accelerometer, the Michigan researchers are taking this to the next level with command-and-control capability.

To demonstrate the acoustical hack, the researchers played a YouTube video from a smartphone that prompted the phone to spell out the word walnut. “We laced a music video with the tones, demonstrating that the interference remains effective even when combined with videos and music that could be automatically played from websites, email attachments, Twitter links tapped on a smartphone,” the researchers say in their paper, which will be presented at an IEEE security conference next month in Paris.

The Michigan researchers were also able to use audio tones to disrupt a Fitbit device, artificially adding steps to the device’s daily tally. “We also took it a step further to see if we could steer a vehicle, which we did with a toy car,” Trippel says.

But infosec professionals don’t need to rush out and download a patch or swap out hardware. “This exploit is academic in nature and presents no real-world risk,” says Mike Murray, VP of security research and response at mobile security vendor Lookout. “Accelerometer data isn’t usually used for any significantly risky purpose.”

Trippel says the acoustic attack requires more sophistication than just flooding a network with server requests like a distributed denial-of-service attack, for example. “Attackers would need some knowledge of the algorithms of the sensor data and the signal they’re trying to spoof,” he adds. “And they’d need physical proximity as well.”

The researchers also alerted five chipmakers whose sensors they tested and found vulnerable: Analog Devices, Bosch, InvenSense, Murata Manufacturing, and STMicroelectronics. While acknowledging there’s no fundamental flaw, Trippel would like to see the manufacturers alert component customers, who tend to automatically trust sensor data. “It’s good hardware that does what it was designed to do,” Trippel says, but manufacturers need to make customers who buy them aware so they know when they might fail.

“We’re not trying to say all these devices are broken. But going into the age of autonomous systems, we need to be security-aware with hardware and software, and the information fed to those algorithms,” Trippel says. With growing reliance on sensors to collect data for industry and consumers, the vulnerability needs to be addressed.

Related Content:

• Innovative Attacks Treat Mobile Phones As Sensors
• FitBit, Acer Liquid Leap Fail In Security Fitness
• Data Manipulation: An Imminent Threat
• 5 Things Security Pros Need To Know About Machine Learning 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, … View Full Bio

Article source: http://www.darkreading.com/sound-waves-used-to-hack-common-data-sensors/d/d-id/1328422?_mc=RSS_DR_EDT

The US Department of Justice indictments, announced yesterday, of Russian FSB agents working alongside notorious cybercriminals in the massive breach of Yahoo underscored how businesses now face more organized and coordinated cyberattacks than ever before.

These first-ever US indictments of Russian spies for hacking exposed how the government in Russia works hand-in-glove at times with its notorious cybercrime underground as a subcontractor. But meantime, there’s also been an overall shift in sophistication of attacks by well-oiled financial cybercriminals using the same types of tools and attack techniques as nation-state actors, according to Mandiant, the incident response and forensics arm of FireEye.

Mandiant in its annual M-Trends Report published this week revealed real-world trends from its breach investigations cases last year: the client engagements revealed that organized cybercrime gangs are operating in more clandestine ways like their nation-state counterparts do. Financial cybercriminals used custom backdoor Trojans that contained unique functions for each system they compromised, and relied on more bulletproof command-and-control channels that exploit the Domain Name System (DNS). The attackers also used anti-forensics methods to cover their tracks.

Bottom line: you can’t associate financial cyberattacks as “smash and grab” operations anymore, according to Mandiant. Their goal is to fly under the radar undetected for long periods of time to steal more information and money, akin to how nation-states typically operate in order to spy or steal intellectual property, for example, an aerospace firm’s ongoing product development of an aircraft engine design.

“The techniques are starting to look a lot more similar from an organized crime perspective with state-sponsored” groups, says Charles Carmakal, vice president at Mandiant and lead of its security incident response team.

That’s bad news for defenders. The machinations of the nation-state and cybercriminal suspects behind the Yahoo breach were eye-opening not just for the collusion between the Russian government and known criminals, but also in how much more difficult it’s getting to protect yourself against such powerful attackers, security experts say.

“This is what they [organizations] are up against,” says Ed McAndrew, a former US attorney who served for 10 years as a cybercrime prosecutor and National Security Cyber Specialist for the DoJ. “Actors ranging from nation-state agents down to cybercriminals who may be working alone, or often with others who are engaged in a full range of criminal activities for multiple purposes,” says McAndrew, who is co-chair of law firm Ballard Spahr’s Privacy and Data Security Group.

While the MO of cybercriminals traditionally has been to break in, steal credit card and debit card information quickly, and then get out and dump it onto the black market for sale, Mandiant is now seeing these groups remain quiet – and persistent in victims’ systems. “They steal data over longer periods of time,” Carmakal says.

And unlike their traditional use of basic hacking tools that were relatively noisy and detectable on the network, and relied on conspicuous command-and-control server communications, they’re now relying on methods like hiding behind DNS for command-and-control. One big shift Mandiant’s IR team found: some financial cybergangs are modifying the Volume Boot Record (VBR) in Windows systems, which provides them cover for long-term infiltration.

They basically load their backdoor via the VBR, so they don’t get caught by IR tools using the Windows API. The malware loads before the OS so it doesn’t get caught out. VBR abuse increased over 2016, according to Mandiant’s findings. “This marks a change as targeted attackers have often relied on the host operating system for persistence due to its ease of use and stability. The downfall of relying on the host operating system for persistence was that it created forensic artifacts that make even the most sophisticated backdoors detectable using indicators of compromise (IOCs) or hunting techniques. VBR modification does not have that drawback,” the M-Trends Report said.

Carmakal says Mandiant’s team at first was taken aback by the VBR technique. “When we first identified VBR malware, we didn’t understand exactly what was going on … We weren’t aware you could hide in the VBR.”

They spotted a few financial cyberattack groups as well as state-sponsored attackers abusing the VBR to lay low. “It’s not easy to build VBR malware,” he says. “It’s not something we see” a lot, but it’s a new technique, he says.

Dwell Time

Interestingly, Mandiant also found that its clients overall are improving slightly on identifying they’ve been breached. The global median time from compromise to discovery was 99 days in 2016, down from 146 days in 2015. And some 53% found on their own that they had been breached, while 47% learned from a third party such as a law enforcement agency.

“Over the years, organizations are just getting better at detecting breaches themselves because they are buying more [effective] technology, building more processes, and getting more threat intelligence,” Carmakal says.

Another factor here, he says, is that some attacks aren’t so long-term stealthy, and are more in-your-face. “We’ve seen more destructive breaches over the years,” he says. These are attackers wiping disk drives, or threatening to leak sensitive information of their victims in extortion schemes where they demand $50,000 or $1 million to not leak data publicly. “They’re nuking servers in some cases and destroying OSes,” he says. 

Related Content:

• What Businesses Can Learn From the CIA Data Breach
• Iran Intensifies Its Cyberattack Activity
• Organizations In 40 Countries Under ‘Invisible’ Cyberattacks
• 10 Essential Elements For Your Incident-Response Plan

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: http://www.darkreading.com/mandiant-financial-cybercriminals-looking-more-like-nation-states/d/d-id/1328426?_mc=RSS_DR_EDT

HTTPS inspection tools are, in essence, a security team’s authorized man-in-the-middle attacker: they intercept encrypted SSL/TLS traffic, in order to, for example, search it for malware that uses HTTPS to connect to malicious servers. However, in an alert today, US-CERT warned that HTTPS interception weakens TLS security, advising that organizations “carefully consider the pros and cons of such products before implementing.”

Normally, a Web browser will alert a user to weak ciphers, deprecated protocol versions, or other reasons that certificates should not be trusted and connections might be dangerous. Once an HTTPS interception tool is introduced, however, the user must put all its trust in the tool.

From the US-CERT alert:

“Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.”

Unfortunately, researchers have found these products lacking when it comes to those validation practices. For example – as noted in works cited in the advisory, “The Risks of SSL Inspection” and “The Security Impact of HTTPS Interception” – some HTTPS inspection products do incomplete validation of upstream certificates, others conduct complete validation but fail to convey the results back to the client, and others will complete communication to the target server before issuing warnings to the user.   

HTTPS interception capabilities are built into a wide variety of security tools, including firewalls, secure web gateways, data loss prevention products, and other applications. A partial list of potentially affected applications is available here. 

US-CERT recommends that organizations use the testing resources at BadSSL.com to determine whether or not their HTTPS interception applications are properly validating certificates and preventing connections to sites using weak cryptography.

“At a minimum,” states the alert, “if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product.” 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio

Article source: http://www.darkreading.com/vulnerabilities---threats/us-cert-warns-that-https-inspection-tools-weaken-tls/d/d-id/1328423?_mc=RSS_DR_EDT