STE WILLIAMS

If you’re attending BSidesSF, expect to see a lot of Mr Robot

If you work in the security industry, you’ve no doubt heard of Mr Robot. The TV series is a favorite among hackers for an obvious reason: the main protagonist is a cybersecurity engineer pulled into the world of hacktivism.

Mr Robot’s influence on the security community will be on full display at BSidesSF, the event that coincides with the start of RSA Conference 2017. BSidesSF takes place Sunday and Monday at the DNA Lounge and BuzzWorks in San Francisco.

Reed Loden, director of security at HackerOne and a lead organizer for BSidesSF, said:

We’ve tried to incorporate Mr Robot into as much of the conference as possible, including pushing for speakers to include Mr Robot themes in their talks. The Sunday night party is carnival-themed as ‘SF society’ – a play on ‘fsociety’.

Mr Robot fans know fsociety as the Coney Island-based group of hackers led by the mysterious Mr Robot (played by Christian Slater). The name plays on the derelict amusement park building they operate from and their signature message: “f**k society”.

In addition to Slater, the show stars Rami Malek as Elliot Alderson, an engineer in the grip of depression and social anxiety recruited into Mr Robot’s movement.

It remains to be seen how this year’s speakers will incorporate Mr Robot into their talks. Regardless, the talk descriptions are compelling.

On the agenda

Here are just a few of the presentations scheduled:

  • Jason Truppi, a career technologist turned FBI agent and tech entrepreneur, will be giving a talk called Illusion vs Reality, which is “an FBI agent’s take on how private-sector realities are masked by government sector illusions of intelligence sharing, public-private partnerships and best practices”. Truppi has worked on hundreds of cyber-incidents and, as the title suggests, his goal is to expose the facts of what organizations are actually experiencing and, ultimately, get government agencies to focus efforts in the areas that will be most useful.
  • Detection/response expert Jason Craig will present on how to build an effective intrusion detection program.
  • Foxpass founder Aren Sandersen will discuss ways to quickly and easily build an API-driven access control system and eliminate master keys.
  • Tim Jarrett, senior director of security strategy at Veracode, will give a talk called Five Keys to Building an Application Security Program in the Age of DevOps.

The full schedule is available on the BSidesSF website.

Career-building exercises

A big part of the Security B-Sides movement has always been about helping people build their careers, and BSidesSF will continue the tradition. Both days will feature resume rewriting sessions.

The event will also include the Lockpick Village, Spymaster Challenge and Capture the Flag competitions.

Expanded venue

This is the first year in which BSidesSF takes place in two venues – DNA Lounge and SF BuzzWorks, which are side by side. The event is usually crowded, so Loden asks that attendees plan accordingly. He warned:

If you don’t already have a ticket, show up early, as we will completely sell out this year.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CtQ9pU8xIeA/

News in brief: Yahoo faced with suit; dev hits back at support scammers; Note 7 batteries flare up

Your daily round-up of some of the other stories in the news

Yahoo hit with class-action suit over breaches

A Texas man has filed a class-action suit against Yahoo claiming that its huge security breaches resulted in his credit card data being stolen.

Brian Neff, who owns an online insurance company, is claiming unspecified damages. Court papers filed in California say that “in addition to paying Yahoo thousands of dollars for services that subjected him to a security breach, Mr Neff was also a victim of actual identity theft following the data breaches”.

Neff was a customer of Yahoo’s web-hosting and email services, and says that fraudulent charges showed up on two cards where the only company linked to them both was Yahoo. He is accusing Yahoo of negligently failing to take reasonable measures to protect his data.

Yahoo said it doesn’t comment on litigation.

Developer takes on Windows support scammers

If you or someone you know has been targeted by the notorious Windows support scam, where unsavvy users are duped into allowing criminals remote access to their computers, you will be delighted at the latest phone bot from Roger Anderson, who created the Jolly Roger Telephone Company.

The Jolly Roger bot “talks to telemarketers so that humans don’t have to” by answering marketing cold calls. Anderson’s latest project is a bot that will deal with the scammers who convince people that they are from Microsoft and then scare them into believing their PCs are full of malware. What the caller actually does is get the unfortunate victim to install remote access software and then fleece them for large sums of money.

Anderson says on his blog: “As fast as you can report fake ‘you have a virus call this number now’ messages to me, I will be able to hit them with thousands of calls from bots.”

He adds a pledge: “I vow to never use this technology for mischief or malice.” What he’s building is made up of “a lot of moving pieces”, which he says he may turn into a WordPress plugin. Watch this space.

Galaxy Note 7 batteries cause factory fire

Remember the highly flammable batteries that eventually caused Samsung to pull its flagship Galaxy Note 7? It seems those batteries haven’t stopped causing problems, as a factory operated by one of the suppliers of those batteries caught fire on Wednesday.

The Guardian reported that it took 19 fire trucks and 110 firefighters to put out the fire at the Samsung SDI factory in China, which happened in a part of the facility used for waste-processing. Some of the waste it processes was the faulty batteries, according to reports.

Samsung and local emergency services said that the fire was caused by waste products including the faulty batteries. There were no casualties, said Samsung.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NupM6fJ_dtA/

Life after antivirus: Reinventing endpoint security

Promo Security professionals still talk about “antivirus defences,” but in the space of a handful of years what is meant by this term has undergone a dramatic shift.

On the surface, things look much as they have always done. Businesses still run what used to be called “AV protection,” reinvented some time ago as the all-purpose “anti-malware.” But underneath the surface, behind the remote management consoles, everything has changed.

With humble viruses long gone and even the term “malware” starting to morph, security clients now behave more like sensors for multi-layered, centralised security systems encompassing not only defence and remediation, but response, forensics, and even data security.

This change might seem like a natural development that parallels how many technologies have evolved since the turn of the millennium, but within cybersecurity it reflects deeper currents. The most important of these is the almost supernatural rise of the professional criminal developing malware at industrial scale. This has not only forced security companies to innovate at an uncomfortable pace, but to integrate the multiple layers of protection necessary to counter such dark innovations.

At the same time, what is being protected now extends way beyond the desktop Windows PC or server. Whether they are laptops or smartphones taken beyond the protection of the firewall perimeter or any one of a multitude of Internet of Things devices, the simpler age of PC security has given way to that of the modern “endpoint.”

Endpoints can be any type of device, and located almost anywhere, taking the perimeter of the network with them as they move. In addition to PCs and smartphones, endpoints now include printers, surveillance cameras, point-of-sale terminals, smart sensors, in-car interfaces, local network devices such as wireless access points, and cloud-emulated systems. BYOD means they can even be personal devices.

But as the old reactive model of anti-malware defence has proved inadequate, protection is now about anticipation, says Sophos senior VP and GM, enduser network security group, Dan Schiappa.

“Old world anti-malware was based on some prior knowledge of malware, meaning that defences were created after malware had been analysed. This is a reactive way to do endpoint security.

“Next Gen technology is more proactive and can have defences for malware that have never been seen before, using more algorithmic and behaviour-based approaches.”

That doesn’t mean that anticipating malware isn’t incredibly difficult. How can security professionals preempt something their systems might never have seen before?

It follows from this that static AV signatures are now a much smaller part of anti-malware because it is a concept that depends on what is already known. The new emphasis is on spotting behaviours, an idea that stretches back to the early days of AV heuristics in the 1990s. Today, however, it is not simply about profiling broad behaviours but analysing and tracking often complex interactions and relating them to “anomalous” events.

Consider the range of threats that face endpoints. Some of these are mundane, such as the way attackers target unpatched vulnerabilities – including unknown ones such as “zero days” – across a vast array of software. That requires diligent and indefinite patching regimes, assuming a patch is always available. This imposes huge stresses on software companies and customers alike, who are forced to consciously balance security with the potential disruption caused by constantly updating software.

Others are more novel, such as the way ransomware has emerged to attack not systems but data itself. An interesting example offered by Sophos’ Schiappa is memory-resident or “fileless” malware that never saves a trace of itself to storage.

“The biggest trend we are seeing is malware running in memory exploiting vulnerabilities in legitimate software, such as browser, java, and office documents,” he says.

The challenge is that these look much the same as other programs, doing the same things such as accessing files and resources. They don’t stand out until it is too late.

According to Schiappa, this similarity to everyday software risks false positives, and management complexity of the sort that overloads admins. He describes the need for multi-layered detections that can risk-score behaviours in a number of ways.

“We actually use the various components to suppress false positives. We have many aggressive detections in our pre-execution scanning, but we can use reputation to suppress false positives. That is one of the advantages of having an ensemble of next-generation technologies.” In effect, protection must have a sense of what is “normal” for a given endpoint and network, and focus on deviations from that pattern.

Doing it differently

The expression of the Sophos philosophy is Intercept X, a neat summary of the state-of-the-art protection that all companies are trying to develop atop their current and often more traditional anti-malware software.

Its design defends files against ransomware by watching which processes are interacting with them, running an anti-exploit layer that monitors for common techniques hitting zero days, and even coming up with what the company calls “root cause analysis,” a method for analysing what malware was doing before it was detected. The company is also looking at machine learning as part of the overall solution – although Schiappa rates it as “too immature and too false-positive prone to be an effective technology alone.”

When it matures, the key will be to integrate it into the protections that already exist rather than rely on it as a “magic bullet,” in his words. It is possible to imagine defenders assembling these diverse components from a collection of new endpoint protection companies that have sprung up on the back of the money pouring into cybersecurity. However, it’s obvious from even a cursory description of these layers that they require a huge amount of integration from the vendor to work effectively.

Schiappa points out that what security managers don’t want is a new generation of endpoint agents to manage, and more complexity to cope with. This is how security got itself into such a mess in the first place. As far as cornerstone endpoints such as Windows machines are concerned, this renders redundant the old “best of breed” versus single platform argument: without the integration that comes from a single platform, no matter how good it is at a single ability, protection will always be partial and potentially compromised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/09/reinventing_endpoint_security/

Macs don’t get viruses? Hahaha, ha… seriously though, that Word doc could be malware

Hackers are menacing Apple Mac users with Word documents laced with malicious macros that install malware.

Security researchers spotted a rash of poisonous files doing the rounds earlier this week, one of which was titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.” Apple fans who opened the document on a Mac are prompted to enable macros.

If enabled, the file executes a function, coded in Python, that downloads a malware payload to infect the machine. The Python code is taken from the open-source EmPyre project, a pure Python post-exploitation agent. The tactic is used to push persistent malware onto compromised Macs.

The IP address from which the documents were spread is geo-located in Russia and has previously been associated with malicious activities such as phishing, according to a write-up by security researcher Patrick Wardle.

“Overall this malware sample isn’t particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word (not Apple’s Pages)), as well as needs macros to be enabled,” Wardle concludes, adding that the reliance on macros rather than a software vulnerability means that the exploit can’t be blocked by patching systems.

Separately, security researchers have spotted macOS malware targeting the defense industry, and reported elsewhere to have been used against a human rights advocate. The MacDownloader nasty attempts to pose as both an installer for Adobe Flash and the Bitdefender Adware Removal Tool.

Researchers reckon the malware is a work in progress – still lacking the ability to survive a reboot on infected systems (ie, persistence) – and is ultimately geared towards extracting data from compromised systems. The Iranian hackers suspected in the Mac raid have previously developed Windows and Android keystroke-logging and data exfiltrating spyware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/09/mac_malware_rash/

Clusters f**ked: Insecure Hadoop file systems wiped by miscreants

Administrators of Hadoop Distributed File System (HDFS) clusters have evidently not heeded warnings that surfaced last month about securing software with insecure default settings.

Attacks on Hadoop clusters have wiped the data of at least 165 installations, according to GDI Foundation security researchers Victor Gevers, Niall Merrigan, and Matt Bromiley. The trio report that 5,300 Hadoop clusters are presently exposed to the internet, some of which may be vulnerable.

“The default installation for HDFS Admin binds to the IP address 0.0.0.0 and allows any unauthenticated user to perform super user functions to a Hadoop cluster,” the group’s report states. “These functions can be performed via a web browser, and do not prevent an attacker from destructive actions. This may include destroying data nodes, data volumes, or snapshots with terabytes of data in seconds.”

A previous round of attacks hit Hadoop clusters, via port 50070, last month, as The Register noted.

At the time, one attacker was spotted erasing file directories and adding a new directory titled, /NODATA4U_SECUREYOURSHIT.

Those conducting the current round of attacks have also deleted data while placing a directory titled /PLEASE_README.

This would be an obvious place to put a ransom note that promises to restore deleted data in exchange for payment. Gevers told El Reg he couldn’t find a ransom note so this attack looks like vandalism. “Or this last attack only created an empty directory and they forgot to place the note,” he added. “We have seen these misfire attacks before on MongoDB.”

The researchers suggest that while attackers may demand ransom payments, they don’t have anything to offer in return. “Victims who have paid ransom prices have not received data in return, and are often left without a means to recover,” the report states.

The Hadoop attacks echo those that have affected MongoDB and Elasticsearch instances.

The researchers predict it will not be long before HDFS is subject to more intensive ransomware attacks.

They advise turning on Hadoop Secure Datanode, Safemode, and service level authentication (via Kerberos). They also recommend blocking port 50070 from untrusted IPs, adding IAM control and network segmentation via some form of OpenVPN, and implementing a reverse proxy, such as Knox, to defend against unauthorized access.
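To make the insecure defaults described above concrete, here is an added example (not from the article, the GDI Foundation report or the Hadoop project) that parses core-site.xml and hdfs-site.xml and flags the settings a stock install leaves open: non-Kerberos authentication, service-level authorization off, an unauthenticated web UI, permission checks disabled, and the NameNode HTTP endpoint bound to 0.0.0.0. The sample XML and the host name nn1.hadoop.internal are constructed for the example.

```python
"""Audit Hadoop site files for the insecure defaults that let anyone
reach the NameNode web UI as the superuser.  Added example; the sample
configuration below is constructed, not taken from any real cluster."""
import xml.etree.ElementTree as ET

# Stock Hadoop 2.x values that apply when the key is absent from the
# site file (so a missing key is treated as the insecure default).
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hadoop.http.authentication.type": "simple",
    "dfs.permissions.enabled": "true",
    "dfs.namenode.http-address": "0.0.0.0:50070",
}


def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop <configuration> XML document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def effective(config, key):
    """Value of key in the parsed config, falling back to the stock default."""
    return config.get(key, DEFAULTS[key]).strip().lower()


def audit_hadoop_config(core_site, hdfs_site):
    """Return a list of findings; an empty list means none of the checked
    weaknesses is present.  Arguments are parsed {name: value} dicts."""
    findings = []
    if effective(core_site, "hadoop.security.authentication") != "kerberos":
        findings.append("hadoop.security.authentication is not 'kerberos': "
                        "callers can claim any user name, including the HDFS superuser")
    if effective(core_site, "hadoop.security.authorization") != "true":
        findings.append("hadoop.security.authorization is not 'true': "
                        "service-level authorization is switched off")
    if effective(core_site, "hadoop.http.authentication.type") != "kerberos":
        findings.append("hadoop.http.authentication.type is not 'kerberos': "
                        "the NameNode web UI accepts unauthenticated requests")
    if effective(hdfs_site, "dfs.permissions.enabled") != "true":
        findings.append("dfs.permissions.enabled is 'false': "
                        "HDFS permission checks are skipped entirely")
    bind_host = effective(hdfs_site, "dfs.namenode.http-address").split(":")[0]
    if bind_host in ("", "0.0.0.0"):
        findings.append("dfs.namenode.http-address binds to all interfaces: "
                        "the web UI (port 50070 by default) is reachable from any network")
    return findings


def audit_xml(core_site_xml, hdfs_site_xml):
    """Convenience wrapper: parse both site files, then audit them."""
    return audit_hadoop_config(parse_hadoop_config(core_site_xml),
                               parse_hadoop_config(hdfs_site_xml))


# Constructed sample 1: a stock install (core-site.xml left empty, so every
# security key falls back to its default) with permission checks turned off.
INSECURE_CORE_XML = '<?xml version="1.0"?><configuration></configuration>'
INSECURE_HDFS_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
</configuration>"""

# Constructed sample 2: Kerberos on RPC and HTTP, service-level authorization
# on, and the web UI bound to an internal (constructed) host name.
HARDENED_CORE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""
HARDENED_HDFS_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
  <property><name>dfs.namenode.http-address</name><value>nn1.hadoop.internal:50070</value></property>
</configuration>"""


if __name__ == "__main__":
    for label, core, hdfs in (("stock install", INSECURE_CORE_XML, INSECURE_HDFS_XML),
                              ("hardened", HARDENED_CORE_XML, HARDENED_HDFS_XML)):
        findings = audit_xml(core, hdfs)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Enabling Kerberos on RPC (hadoop.security.authentication) does not by itself authenticate the web UI; hadoop.http.authentication.type has to be set separately, which is why the audit checks both.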

Or you could just leave the door open and hope no one walks away with your data. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/09/hadoop_clusters_fked/

Harvest Season: Why Cyberthieves Want Your Compute Power

Attackers are hijacking compute power in order to pull off their other crimes.

What’s the hottest commodity cyberthieves are going after these days? Credit card numbers? Medical records? Politicians’ emails?

Those may be big, attractive targets. But more and more, attackers are going after unwitting organizations’ compute power. That’s what lets them steal all those other things in volume and commit all manner of online crimes.

We’re witnessing a resurgence in compute power hijacking — what the thieves call “harvesting” — for a variety of nefarious purposes. A big driver is the trend toward ever-larger-scale data theft. Why break into an individual’s laptop to steal one credit card number when you can break into a retailer’s data center and steal millions? Another driver is the surge in cryptocurrency mining, a rapidly growing source of illicit profits.

To exfiltrate multiple terabytes of data at a time requires enormous computing power. To get it, bad actors are targeting legitimate enterprise data centers across all industries and company sizes. Once sophisticated hackers gain a foothold within a data center, they can dwell undetected for months. Indeed, the average “dwell time” for a successful breach is around 150 days, according to Mandiant’s 2016 M-Trends report. And hijackers need only a fraction of the host’s computing power to carry out their schemes. Consequently, their harvesting goes unnoticed.

Uncovering a Hidden Mine
Here’s an example of the damage hijackers can do. Last year, a midtier insurance firm came to our company with a problem. It suspected its data center had been compromised, but couldn’t confirm it. We sent analysts in to investigate. Sure enough, the company had a problem — beyond its wildest suspicions. Not only had the insurer been breached, but the attackers had set up shop, changed the firewall and DNS rules, and were running a massive botnet operation out of the data center. This security-conscious company had become the unwitting “botlord” of some 10,000 machines worldwide.


Our team shut down the operation and cleaned up the infected systems. In the process, we discovered what the attackers were really doing and why they needed all that compute power: Monero mining.

Monero is a form of cryptocurrency, a derivative of Bitcoin. Monero or Bitcoin mining refers to discovering, capturing, and processing Bitcoin transactions floating around the Internet. It’s effectively a competition that favors miners with the most computing power. Right under our customer’s nose, the attackers were using hijacked computing power to run a Monero mining bank to collect transaction fees.

Harvested compute power can be used to fuel any kind of illicit online activity. This includes ransomware or distributed denial-of-service attacks. A clever attacker can initiate a DDoS attack in one country using compute power from another, making the attack harder to trace and easy to deny.

Locks Are No Help Once the Thief Is in the House
What can enterprises do to protect their valuable computing power from hijackers? Perimeter defenses such as firewalls and intrusion prevention systems are essential, but compute harvesting takes place within the data center, after the “walls” have already been breached. Organizations must face the fact that they can’t stop every attack, and redirect some of their security efforts to vulnerabilities inside the data center. 

And in today’s highly virtualized, cloud or hybrid data centers, those vulnerabilities are often easy to exploit. Server and network virtualization, combined with ever-increasing traffic, network speed, and server density have created an enormous visibility gap. Administrators simply can’t “see” what’s going on deep in their data centers, at the process level. That’s why sophisticated malware can move laterally almost indefinitely until it finds an opening.

Enterprises must take new measures to secure assets within the data center from threats that have successfully breached the perimeter. There are a number of techniques in a growing, emerging market (including GuardiCore as well as other vendors) gaining traction today that security teams can deploy to fight attackers.

Distributed deception, also known as dynamic deception, is a significant advancement over conventional “honeypots” planted as bait for attackers. In traditional static deception designs, honeypots are placed throughout a company’s environment. This is resource-intensive to implement, configure, and maintain. Using a distributed deception approach, suspicious reconnaissance behavior is detected throughout the environment, then tunneled away from the production network to centrally located honeypots. By centralizing the honeypots, and relying on other techniques to detect and redirect the attackers, distributed deception is easier to implement and maintain, has fewer false positives, and provides a better containment area for investigation and threat confirmation.

Reputation analysis, the ability to recognize something that doesn’t belong, is another emerging threat-detection tool. It typically relies on having access to a threat intelligence network that’s tracking suspicious IP addresses, domain names, or file hashes associated with known malicious activity.

Visualizing data center applications and workflows and then wrapping policies around them is also essential. Micro-segmentation refers to the ability to implement and enforce security controls around individual or groups of applications within the data center. Any policy violation automatically triggers an alert to initiate an investigation. Of course, this requires deep visibility into data center activity, down to the process level, which is a challenge. But with today’s visualization tools, administrators can map their data center applications and processes, making micro-segmentation more practical for more organizations.


Dave Klein is Regional Director of Sales Engineering Architecture at GuardiCore. He has over 20 years of experience working with large organizations in the design and implementation of security solutions across very large scale data center and cloud environments. At … View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/harvest-season-why-cyberthieves-want-your-compute-power/a/d-id/1328088?_mc=RSS_DR_EDT

When Hackers Hack Hackers

Notable cases of internecine cyber squabbles.

Image Source: Adobe Stock

While most cybercriminals tend to set their sights on siphoning valuable data from poorly protected enterprises, there’s no limit to the kinds of targets they’ll seek out. There’s no honor among thieves, so it shouldn’t be a surprise that with the right kind of motivation, malicious hackers will happily attack other black hat and grey hat hackers.

Sometimes the attacks are purely mercenary: rivals know they can hit pay dirt very quickly if they find an easy way to tap into data stores of already vetted stolen identities or financial information. Similarly, certain kinds of cyber skirmishes are initiated to take competitors out. And then there are the attacks that are a little more personal: to show someone up, settle a score, or otherwise make a philosophical stand.

Regardless of the motives, these kind of squabbles offer up a satisfying dose of schadenfreude for cybersecurity pros beleaguered by the bad guys. It’s nice to watch them fight amongst themselves every once in a while. So, pull up a chair, grab some popcorn and read on. 


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio

Article source: http://www.darkreading.com/threat-intelligence/when-hackers-hack-hackers/d/d-id/1328095?_mc=RSS_DR_EDT

InfoSec Teams Share Keys To CISO Success

Tech expertise and business engagement are critical for CISOs who want to strengthen security but lack authority in their organizations.

CISOs promise to protect critical business data, but many lack the influence they need to be effective. High-performing infosec teams combine technical expertise and organizational engagement to do their jobs well.

This is the key takeaway of a new research report from IANS entitled “CISO Impact: The 5 Secrets of High-Performing CISOs.” For more than two years, researchers collected diagnostic data from more than 1,200 businesses to assess their security posture.

Diagnostics were structured by two best practice models: 8 Domains of Technical Excellence and 7 Factors of Organizational Engagement. The expansive collection of data was boiled down to 75 best practices shared among high-performing businesses and their leaders.

In this report, IANS takes a step back from the granular details of its research and highlights five high-level lessons CISOs should adopt as they aim to build greater influence within their organizations.

Cloud growth is driving the importance of security, says Leonovus CEO Michael Gaffney, but CISOs don’t have enough influence to drive change. Most report to CIOs, who are usually trained in basic security but may not be fully up-to-speed on web-based security.

“Security pros don’t have enough of a seat at the table,” he says. “Boards of directors want to hear from more than the CIO; they want to hear from someone about what’s going on. If you’re not at the table from a security perspective and the C-suite doesn’t recognize it, that’s a vulnerability.”

Despite this concern, most infosec pros have to accept they will need to lead without authority, says Stan Dolberg, chief research officer at IANS. Most security managers aren’t given full access to the staff, processes, and technologies they need to fully protect data.

“The CISO and security team make a promise to safeguard critical assets, but they have little control over the resources to make it happen,” he explains. “Security isn’t an isolated function. It stretches over every operation.”

Security leaders can build authority by building alliances for a risk-based approach to security through which the business owns risk. All high-performing organizations in the study hold business leaders accountable for the risk of their actions, says Dolberg.

CISOs must connect the dots across businesses, goals, strategies, and results, and handle situations at the technical and negotiation levels. These skills are important because CISOs need to inform boards of exposures, collaboration, and steps taken to secure assets. This data is owned by the business, and CISOs must convince them to work together.

The second key is to embrace the role of change agent. CISOs and their teams are responsible for changing many things; for example, how software is developed, or how people click on emails. It’s important to prepare for pushback.

“Change encounters resistance,” says Dolberg. “People don’t like to change. It costs money; it takes time. Embrace the role of change agent, otherwise you’re going to get very frustrated.”

Engagement is also important here as security pros have to build relationships to understand what motivates other parts of the business. They can use this research to introduce more informed change recommendations.

IANS’ third lesson is to be responsive and demonstrate the importance of security. Organizations don’t instinctively know infosec must be integrated into the business, so security pros have to step up, teach them, and prove its value.

“The CISOs who make a difference understand people won’t open the door and say ‘give me a makeover,'” Dolberg explains. “You have to be proactive and can’t just sit back.” Few CISOs will be hired into organizations that already recognize the danger. The rest can employ tactics like fake cyberattacks to demonstrate the reality of cybercrime.

“You experience real emotions in a mock situation,” he notes. Faking a DDoS attack on the main website, for example, will give business leaders a sense of how it feels to lose customer data and put their reputation at risk.

Most (84%) high-performing CISOs develop a “cyber cadre” or cohesive team of employees who convey the same messages to everyone in the business. This requires proficiency in interpersonal skills, a theme of the first three lessons.

“It takes a lot of effort on the part of the CISO to hire people with the right technical skills and build a cohesive team,” explains Dolberg. “This way, when they’re out there in the day-to-day grind of the business, they’re all telling the same story.”

The fifth lesson is patience; getting organizations to value their security teams takes time. It typically takes high-performing organizations five to seven years to build their teams, their cadres, and invest in their credibility before they were viewed as integral to the business.


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys … View Full Bio

Article source: http://www.darkreading.com/careers-and-people/infosec-teams-share-keys-to-ciso-success/d/d-id/1328096?_mc=RSS_DR_EDT

Threat Hunting Becoming Top Of Mind Issue For SOCs

Nearly 80% of the respondents in a LinkedIn poll said that threat hunting already is, or should be a top-level initiative.

Threat hunting appears to have become a top of mind issue for security executives at many organizations. But a relative lack of security staff and technology tools are limiting their ability to fully build out such programs.

The Information Security Community on LinkedIn recently polled its members on the state of threat hunting in their security operations centers. The poll, sponsored by several security firms including Cyberreason, Javelin Networks, Tenable, and Sqrrl, elicited responses from 330 members.

About 60% – or 6 in 10 of the respondents – claim to have a moderate to high degree of awareness of threat hunting, while 79% indicate that threat hunting either should, or will be, their top security initiative this year.

Several factors appear to be driving interest in the practice. The survey shows that executives at many security operations centers feel inadequate about their ability to detect hidden, unknown, and emerging security threats. Seventy percent, for instance, point to their inability to detect threats as their top challenge. About 6 in 10 (59%) cite a lack of skills availability for threat mitigation as their biggest stumbling block.

Not surprisingly, only 26% feel somewhat to very confident in the ability of their security operations centers to uncover advanced threats.

“Over the last nine months, the concept of threat hunting has taken off,” says Matt Zanderigo, director of marketing at Sqrrl. With four in five security executives saying that threat hunting needs to be a top initiative, organizations are beginning to allot budgets for it, he says. “It’s hard to say what percentage. It usually comes out of a SOC budget for improving threat detection,” he notes.

Threat hunting is a term generally used to describe the practice of security organizations proactively searching for and weeding out threats on their networks instead of waiting to discover them after an attack has materialized. It is a practice based on the premise that organizations simply cannot prevent every single intrusion from happening on a network, and therefore the focus needs to be equally on finding the ones that do slip through the defenses.

For many, threat-hunting practices are not just about chasing down alerts from a piece of technology, but also about applying human skills to tease out deeply hidden threats on their networks that their security controls may not yet have flagged. Organizations that have implemented successful threat hunting programs have often pointed to the emphasis on human skills as a major contributory factor.

Security operations centers that have implemented hunting practices have reported substantial gains in their ability to spot and weed out threats. For example, respondents in the LinkedIn survey that had implemented a threat-hunting platform say they were able to detect and investigate threats in substantially less time than they were able to without it.

Without a threat-hunting platform, it took organizations in the survey an average of 38 days to detect a threat on their network, and 26 days to investigate it, compared with 15 days and 14 days for those with threat hunting.

A survey of 494 IT professionals by the SANS Institute last year showed that 86% had engaged in threat hunting activity. About three quarters of those who had said they reduced their attack surface substantially, while 59% said that threat hunting had significantly enhanced incident response times.

Despite the interest in threat hunting, many organizations appear hampered by skills availability and time constraints. The survey showed that less than 2 in 10 (14%) of the employees in a security operation center are deployed in a threat-hunting role. Four in five believed that not enough time was being invested in the practice.

“Cybersecurity incident responders are often hampered by lengthy processes necessary to access data needed to conduct investigations,” Zanderigo says.

Investigating a threat often requires investigators to pull data piecemeal from multiple systems and make sense of it. “Investigators often needed to fetch, join, and normalize disparate data in order to answer specific questions.”
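The fetch-join-normalize problem Zanderigo describes is concrete enough to show in code. The following is an added example, not part of the article or of any vendor's product: it takes two constructed log sources in different formats (a syslog-style SSH auth log, which omits the year, and a CSV proxy log with ISO timestamps), normalizes both to UTC records, and joins each outbound connection to the most recent successful logon on the same host within a one-hour window, so an investigator can answer a specific hunt question ("who was logged on when this host sent a large upload?") without doing the join by hand. The log lines, hostnames, domains, and the assumed syslog year are all constructed.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample data; not from the survey or any real SOC.
AUTH_LOG = """\
Feb 13 09:01:02 web01 sshd[4120]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Feb 13 09:40:17 web01 sshd[4188]: Accepted publickey for deploy from 10.0.0.9 port 51388 ssh2
Feb 13 09:05:44 db01 sshd[2210]: Accepted password for bob from 10.0.0.7 port 50111 ssh2
Feb 13 09:06:01 db01 sshd[2212]: Failed password for root from 203.0.113.8 port 40022 ssh2
"""

PROXY_LOG = """\
timestamp,src_host,dst_host,dst_port,method,bytes_out
2017-02-13T09:12:30Z,web01,updates.example.net,443,CONNECT,1820
2017-02-13T09:45:02Z,web01,paste.example.org,443,CONNECT,5120000
2017-02-13T11:30:00Z,db01,telemetry.example.com,443,CONNECT,900
"""

# Only successful logons matter for attribution; failures are skipped.
AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>[ \d]\d) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)
SYSLOG_YEAR = 2017  # syslog omits the year; assumed for the constructed sample


def normalize_auth(text: str) -> List[Dict]:
    """Parse syslog auth lines into UTC records sorted by time."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp = f"{SYSLOG_YEAR} {m['mon']} {m['day'].strip()} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def normalize_proxy(text: str) -> List[Dict]:
    """Parse the CSV proxy log into UTC records sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": row["src_host"], "dst": row["dst_host"],
                       "bytes_out": int(row["bytes_out"])})
    return sorted(events, key=lambda e: e["ts"])


def attribute_connections(auth_text: str, proxy_text: str,
                          window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Join each proxy connection to the latest logon on the same host within `window`.

    The proxy log only knows the host; the auth log only knows who logged on.
    `user` is None when no logon falls inside the window (an unattributed connection).
    """
    by_host: Dict[str, List[Dict]] = {}
    for logon in normalize_auth(auth_text):
        by_host.setdefault(logon["host"], []).append(logon)
    joined = []
    for conn in normalize_proxy(proxy_text):
        candidates = [l for l in by_host.get(conn["host"], [])
                      if l["ts"] <= conn["ts"] <= l["ts"] + window]
        user = max(candidates, key=lambda l: l["ts"])["user"] if candidates else None
        joined.append({**conn, "user": user})
    return joined


def large_uploads_by_user(auth_text: str, proxy_text: str, threshold: int = 1_000_000):
    """Hunt question: which (host, user, destination) triples sent a large upload?"""
    return [(c["host"], c["user"], c["dst"])
            for c in attribute_connections(auth_text, proxy_text)
            if c["bytes_out"] >= threshold]


if __name__ == "__main__":
    for rec in attribute_connections(AUTH_LOG, PROXY_LOG):
        print(rec["ts"].isoformat(), rec["host"], rec["user"], rec["dst"], rec["bytes_out"])
    print("large uploads:", large_uploads_by_user(AUTH_LOG, PROXY_LOG))
```

The window is the judgement call in this join: too short and connections on long-lived sessions go unattributed, too long and a later user's traffic is blamed on an earlier logon. Unattributed rows (`user` is None) are worth keeping rather than discarding, since a connection with no matching logon is itself a question for the hunter.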

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/threat-hunting-becoming-top-of-mind-issue-for-socs/d/d-id/1328100?_mc=RSS_DR_EDT

Anti-piracy software developer leaves website open to snoops

Sharing is caring, perhaps – but when it comes to your website’s files and directories, it’s not a good idea, as Denuvo found out this week.

A few curious surfers found out that Denuvo, which makes digital rights management (DRM) software to prevent video game piracy, hadn’t locked down all their website’s directories from public view and prodding. That means the website’s private directories and all their files were open for snooping around.

This may not sound like a big deal, but it’s akin to handing over the casino blueprints to the crew of Ocean’s Eleven. The more an attacker knows about how your website is set up and where files are stored, the easier it is for them to find out where sensitive files are held and discover exactly what kind of software runs your website. That kind of detail makes it easier for an attacker to determine what kind of vulnerabilities your site’s software is likely to have, helping them to devise a focused – and likely more successful – attack.

Right now, it doesn’t look like the company’s intellectual property has been put at risk by this mistake, but some harm has already been done by the unintended exposure, and many people are still poking around to see what they can find.

Thus far, snoopers have found that one of the open private directories contains large executable files, proprietary business presentations, as well as logs of private business emails with Capcom and Google and customer support emails going back to 2014. Still, for a company that deals in something that’s controversial among some video game consumers, this kind of exposure is unfortunately being met with some schadenfreude by those who wish DRM would go away.

These kinds of incidents aren’t rare, unfortunately. Just last month, a sex club made a similar mistake, exposing thousands of its members – and their personal data and private profiles – to the open internet.

We’re not exactly sure how this incident happened, but there is a likely theory. From the leaked images of the open directories, it appears that the Denuvo website runs on an Apache web server, and if Apache is not correctly configured some directories can be accidentally left open for public access.

Even if Apache itself was correctly configured, there’s also the possibility that the site was using an .htaccess file, a kind of per-directory configuration file that can locally override the server’s general settings, and that it was either not set up correctly or forgotten after some site changes.

Given that, by some approximations, Apache software runs about half the publicly accessible websites on the internet, there’s ample opportunity for Apache misconfigurations to rear their ugly heads.
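To make the two failure modes above concrete, here is an added example, not part of the article and not Denuvo's or Apache's own code. It embeds a constructed weak `<Directory>` block (`Options Indexes` enables automatic directory listings) beside a hardened one (`Options -Indexes`, `AllowOverride None`), together with a constructed `.htaccess` that tries to re-enable listings, and audits them with a small parser of Apache's `Options` and `AllowOverride` directives. The parser models the two forms Apache accepts: an `Options` line without `+`/`-` prefixes replaces the inherited set, while a line of `+`/`-` tokens adjusts it; an `.htaccess` `Options` line is honoured only where the enclosing directory's `AllowOverride` includes `All` or `Options`. The paths and config contents are assumptions for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample configuration; not Denuvo's real httpd.conf.
WEAK_CONFIG = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

HARDENED_CONFIG = """
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed .htaccess that re-enables listings; only effective where
# the parent <Directory> allows Options to be overridden.
HTACCESS_OVERRIDE = "Options +Indexes\n"

DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
DIR_CLOSE = re.compile(r"^</Directory\s*>$", re.I)
OPTIONS = re.compile(r"^Options\s+(.+?)\s*$", re.I)
ALLOW_OVERRIDE = re.compile(r"^AllowOverride\s+(.+?)\s*$", re.I)


def apply_options(current: Set[str], args: str) -> Set[str]:
    """Apply one Options line to the inherited option set (Apache +/- semantics)."""
    tokens = args.split()
    if all(t[0] in "+-" for t in tokens):
        result = set(current)
        for t in tokens:
            if t[0] == "+":
                result.add(t[1:])
            else:
                result.discard(t[1:])
        return result
    return set(tokens)  # absolute form replaces whatever was inherited


def parse_directories(config: str) -> Dict[str, Dict]:
    """Return {path: {"options": set, "allow_override": str}} per <Directory> block.

    Defaults assume Apache 2.4 (AllowOverride None unless stated); nested
    blocks inherit from their parent. Comments and blank lines are ignored.
    """
    results: Dict[str, Dict] = {}
    stack = [("(server)", {"options": set(), "allow_override": "None"})]
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIR_OPEN.match(line)
        if m:
            parent = stack[-1][1]
            stack.append((m.group(1), {"options": set(parent["options"]),
                                       "allow_override": parent["allow_override"]}))
            continue
        if DIR_CLOSE.match(line):
            path, ctx = stack.pop()
            results[path] = ctx
            continue
        m = OPTIONS.match(line)
        if m:
            stack[-1][1]["options"] = apply_options(stack[-1][1]["options"], m.group(1))
            continue
        m = ALLOW_OVERRIDE.match(line)
        if m:
            stack[-1][1]["allow_override"] = m.group(1)
    return results


def listing_enabled(config: str, htaccess: str = "") -> List[str]:
    """Directory paths where listings end up on, after any .htaccess Options lines."""
    exposed = []
    for path, ctx in parse_directories(config).items():
        opts = ctx["options"]
        if htaccess and re.search(r"\b(All|Options)\b", ctx["allow_override"], re.I):
            for raw in htaccess.splitlines():
                m = OPTIONS.match(raw.split("#", 1)[0].strip())
                if m:
                    opts = apply_options(opts, m.group(1))
        if "Indexes" in opts:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    print("weak:", listing_enabled(WEAK_CONFIG))
    print("hardened:", listing_enabled(HARDENED_CONFIG))
    print("hardened + .htaccess:", listing_enabled(HARDENED_CONFIG, HTACCESS_OVERRIDE))
```

The fourth case is the one the article hints at: a main config that correctly disables `Indexes` but leaves `AllowOverride All` in place lets a forgotten `.htaccess` silently turn listings back on, so an audit has to consider both files together. The check is a static review aid, not a substitute for requesting the directory URL against a staging copy of the site and confirming the server returns a 403 rather than an index page.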

Basic website security tips

If you run your own website, there’s a long list of settings to check for your site’s security, but if you’re looking for a place to start, here are a few recommendations:

  • Don’t allow open directories (to prevent the situation referenced above!)
  • Never use default passwords, and don’t use easy/non-unique passwords for any administrative panels or logins for website maintenance
  • Change any “admin” usernames to something unique
  • Keep your website’s software patched and up-to-date
  • Protect your website’s inputs – like search boxes and comment areas – from SQL injection attacks
  • Use HTTPS and SSL, especially if your users are logging in to anything or giving you any kind of personal or financial information

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IK_eGYDgbf0/