STE WILLIAMS

WordPress 5.2.3 fixes new clutch of security vulnerabilities

WordPress version 5.2.3 has just appeared on the download pipe featuring half a dozen security fixes and software enhancements.

It doesn’t look as though any of the flaws have been publicly disclosed or identified with CVEs, but admins who are confident about compatibility will still want to apply it.

As usual, the dominant theme is fixing cross-site scripting (XSS) issues, including two reported by Simon Scannell of RIPS Technologies, who was credited with discovering the major cross-site request forgery (CSRF) flaw fixed in March 2019’s WordPress 5.1.1.

Those two relate to in-post previews and stored comments; separate XSS flaws affect media uploads, shortcode previews and the dashboard, and there is also a URL sanitisation issue.

Older WordPress installs also get the update for jQuery added to WordPress 5.2.1 in May 2019.

Plugin misery

Arguably, WordPress security releases, which appear three or four times a year and are applied automatically, have become the most straightforward part of keeping WordPress secure.

This contrasts with the Sisyphean task of fixing the steady stream of critical holes that pop up among the platform’s 54,922 plugins (at time of writing), even if many of these are only used by small numbers of sites.

For example, the recent campaign to backdoor WordPress sites attempts to create rogue admin accounts by exploiting one of several vulnerable plugins (Coming Soon Page Maintenance Mode; Yellow Pencil Visual CSS Style Editor; Blog Designer; and Bold Page Builder).

The continued exploitation seen in this campaign suggests that many sites fail to update quickly enough (or at all), leaving them vulnerable to campaigns that simply scan for unpatched targets at scale.

In March 2019, we saw two significant plugin flaws, one in Easy WP for SMTP, plus a second in Abandoned Cart for WooCommerce. Another, WP Live Chat Support, suffered two significant flaws in a matter of weeks.


And it’s not only plugins. Cybercriminals can use botnets to force open the front door using brute force attacks on credentials – as was the case in December 2018 with one that infected 20,000 sites.

This, of course, is only the latest example of the general targeting of CMSs that’s been going on for years with WordPress at the head of the list.

Updating

WordPress 5.2.3 can be installed from Dashboard > Updates by clicking Update Now (sites supporting background updates should already be updating).

And don’t forget to look out for the next WordPress update, version 5.3, which is due to appear on 12 November 2019.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/j-xSSrxRMDU/

Apple and Google trade barbs over bugs, digital lothario arrested and Bluekeep gets busy

Roundup: Here’s a look back at some of the latest security bits and bobbles besides the stuff we already covered over the past week.

That’s the way the Cook, he grumbles

Apple isn’t taking too kindly to Google’s decision to disclose a family of security vulnerabilities that were under active attack by Chinese authorities seeking to monitor targeted groups within the country.

On Friday the Cupertino phone flinger issued a statement to criticize Google over the Project Zero report on the flaws and the way it described issues Apple says it long ago addressed.

“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple said.

In response, Google issued its own statement in defense of its research team and their decision to issue the report.

“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” Google said.

“We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities.”

Neither statement made mention of the targeted populations in China who were subjected to years of government monitoring.

Con-man Casanova cuffed, charged in $2m dating scam

A man from New Jersey has been charged for allegedly scamming more than $2m out of people on dating websites.

Rubbin Sarpong, 35, was said by prosecutors to have run the scheme together with conspirators in Ghana, who helped lure the victims into handing over cash and then processed the payments. Sarpong and his crew are accused of duping more than 30 victims, each time by playing with their emotions via dating sites.

“After establishing virtual romantic relationships with victims on the online dating platforms and via email, the conspirators asked them for money, often for the purported purpose of paying to ship gold bars to the United States,” prosecutors allege. “Although the stories varied, most often Sarpong and the conspirators claimed to be military personnel stationed in Syria who received, recovered, or were awarded gold bars.”

The scam worked so well that it is alleged the crew made more than $2m, of which $823,386 was deposited directly into Sarpong’s own bank accounts. He faces one charge of conspiracy to commit wire fraud and, if convicted, could spend up to 20 years behind bars.

XKCD forums hacked

A bit of an embarrassing turn of events for beloved nerd comic XKCD: the site says its forums have been hit by hackers who were able to make off with some basic user details.

“The xkcd forums are currently offline. We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration,” the site said.

“We’ve taken the forums offline until we can go over them and make sure they’re secure. If you’re an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password.”

While the passwords were salted and hashed rather than stored in the clear, it wouldn’t be a bad idea to make sure those credentials were not reused for other sites.

Still haven’t patched BlueKeep? Now would be a great time

The Windows RDP vulnerability known as “BlueKeep” just got a bit more dangerous, thanks to the release of a Metasploit module that will make the flaw even easier for attackers to exploit in the wild. Other researchers, notably controversial British talent Marcus Hutchins, have also published research.

Having the bug included in the Metasploit framework will lower the bar for targeting the flaw and will make it easier for criminals to go after end users. If you haven’t updated your PC to patch the bug, now would be a good time.

NHS loses 2,000 records from gender identity clinic

The Guardian reports that an NHS-run gender identity clinic in London has managed to lose the email addresses of some 2,000 patients currently in the process of transitioning. While no other patient details were lost, the disclosure of email addresses alone is cause for concern given the personal nature of the clinic’s practice.

Man pleads guilty in hare-brained Trump tax hack scheme

Andrew Harris, one of the two college students caught trying to hack President Donald Trump’s tax records back in 2016, has pleaded guilty to two counts of computer fraud. He could face up to two years in prison when he is sentenced later this year.

Harris and co-conspirator Justin Hiemstra were cuffed in 2016 when they tried to get hold of the US president’s tax records by setting up a fraudulent financial aid application for one of his family members.

Hiemstra pleaded guilty to the same charge last month.

Monster partner leaks CV data

Job-hunting site Monster says one of its clients is to blame for the disclosure of CVs for job seekers.

Apparently one company that had purchased access to CVs from job seekers left some of the files out in the open, only to be stumbled upon by researchers looking for exposed storage buckets. Seeing as CVs are, by nature, handed out to complete strangers all the time this isn’t a huge deal, but it’s definitely not a good look for Monster.

Facebook Android app caught scooping device details

Not that we’re surprised anymore when Facebook is caught digging into user devices for info, but the Social Network is the subject of a report from security pro Jane Manchun Wong, who found that the Android version of the Facebook mobile app was collecting diagnostic information from hundreds of Android libraries.

As Wong notes, the collected information is mostly technical data from various phone components, not personal information or media files. This may not be a huge violation of privacy, but the app certainly is a bit more nosy than most people would like. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/09/security_roundup_060919/

Symantec shares up as private equity suitors sniff consumer tentacle

Symantec shares have jumped almost 5 per cent following reports that it is close to offloading its consumer business to a pair of private equity investors.

Exactly a month ago, Symantec confirmed the sale of its enterprise business and brand name to chip firm Broadcom for $10.7bn. Early negotiations put a price tag of $15.5bn on the security firm but Broadcom balked at such a bill.

According to the Wall Street Journal, Symantec is edging closer to agreeing a $16bn deal to sell its consumer business, including the Norton antivirus and LifeLock anti-ID theft brands, to Permira and Advent, both private equity investors. The offer is reportedly for between $26 and $27 a share, which pushed Symantec’s stock price up to $24.52.


Agreement for the consumer unit will preserve the sale of the enterprise business to Broadcom, but it is not clear whether that would happen before the private equity takeover or after. Sources told the paper the deal could be structured in a way that would reduce Symantec’s tax bill.

Broadcom and Symantec haggled over the price of its enterprise business to eventually settle on the $10.7bn price tag. The buy is expected to boost Broadcom’s shift from chips to a broader tech infrastructure strategy.

Permira and Advent were also in the running to snap up all of Symantec before being pipped to the post by Broadcom, the WSJ claimed.

This latest divestment would cap an eventful few weeks for Symantec, which has spent much of the last year sorting out allegations of dodgy accounting and fighting off related shareholder lawsuits.

We’ve contacted all three companies and will update in the event that we hear back from them. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/09/symantec_consumer_biz_sale/

Mail System Vulnerability Delivers Root Privileges

The vulnerability in Exim could allow an attacker to remotely execute code with root privileges.

Exim, the mail transfer agent used by more than half the email servers on the Internet, has a vulnerability. The flaw, found in versions from 4.80 through 4.92.1, allows a malicious actor to use an encrypted TLS connection to remotely execute code with root privileges.

The vulnerability, designated CVE-2019-15846, was discovered by researcher Zerons in late July. It takes advantage of TLS Server Name Indication (SNI), the extension that lets a single server present different certificates for the various hostnames it serves. A buffer overflow triggered by a relatively simple SNI request, followed by a counterfeit client certificate, is enough to exploit the vulnerability.

Responsible disclosure procedures were followed and a patch for the vulnerability has been made available in Exim 4.92.2.
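A quick triage helper for the version range given above, written here as an added example (not Exim’s own code or tooling): it parses the banner that `exim -bV` prints and decides whether the reported version falls inside the affected 4.80 to 4.92.1 window. The sample banners are constructed; a distro that backports the fix without bumping the version will still be reported as affected, so treat the result as a prompt to check the package changelog, not a verdict.

```python
import re
from typing import Optional, Tuple

# Range reported for CVE-2019-15846: 4.80 through 4.92.1 affected, 4.92.2 fixed.
FIRST_AFFECTED = (4, 80, 0)
LAST_AFFECTED = (4, 92, 1)
FIXED_VERSION = (4, 92, 2)

# `exim -bV` starts its output with "Exim version X.Y[.Z] #N built ...".
# The optional third component is missing on releases such as 4.92, and any
# suffix like "_RC1" is ignored by this pattern.
_BANNER_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `exim -bV` output, or None if absent."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison gives the right ordering for 4.80 <= v <= 4.92.1."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def assess(banner: str) -> str:
    """Classify a banner as 'unknown', 'affected' or 'not-affected'.

    Caveat (assumption, not from the advisory): distributions that backport the
    fix keep the old version string, so 'affected' means 'verify the package',
    not 'exploitable'. The flaw also requires TLS to be enabled on the server.
    """
    v = parse_exim_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not-affected"


# Constructed sample banners for demonstration; not captured from real hosts.
SAMPLE_BANNERS = {
    "old": "Exim version 4.92.1 #3 built 01-Jan-1970 00:00:00\nCopyright (c) ...\n",
    "no-patch-level": "Exim version 4.92 #2 built 01-Jan-1970 00:00:00\n",
    "fixed": "Exim version 4.92.2 #1 built 01-Jan-1970 00:00:00\n",
    "ancient": "Exim version 4.72 #1 built 01-Jan-1970 00:00:00\n",
    "garbage": "exim: command not found\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name}: {assess(banner)}")
```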


Article source: https://www.darkreading.com/vulnerabilities---threats/mail-system-vulnerability-delivers-root-privileges/d/d-id/1335755?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese Group Built Advanced Trojan by Reverse Engineering NSA Attack Tool

APT3 quietly monitored an NSA attack on its systems and used the information to build a weapon of its own.

Chinese threat actor APT3 quietly monitored the US National Security Agency’s use of a highly sophisticated cyber attack tool and then reverse engineered the code to build an advanced Trojan of its own called Bemstour.

That conclusion, by Check Point Software, is based on the security vendor’s analysis of Bemstour after Symantec in May reported on APT3 using it in attacks on targets in multiple countries, including Belgium, Hong Kong and the Philippines.

Symantec had described APT3 as using Bemstour to deliver a variant of a backdoor called DoublePulsar on target systems. Symantec said its analysis showed both tools appeared to be variants of attack software built by Equation Group, an operation affiliated with the NSA’s Tailored Access Operations unit.

Symantec said it was unclear how APT3 had obtained the NSA tools. But it ruled out the possibility that the Chinese threat actor had obtained the weapons from the large trove of NSA cyber weapons that hacking outfit Shadow Brokers publicly leaked in 2017.

According to Symantec, its analysis showed that APT3 was using Bemstour and DoublePulsar well before the Shadow Brokers data dump. The two variants also had differences in code that made it very clear they did not originate from the leak, Symantec had noted.

Check Point’s analysis of Bemstour shows that the exploit is in fact APT3’s own implementation of EternalRomance, a tool that the NSA developed to break into Windows 7, Windows 8, and some Windows NT systems, the security vendor said.

APT3 developed the exploit by reverse-engineering EternalRomance, but then tweaked it so it could be used to target more systems. APT3’s Bemstour leveraged the same Windows zero-day as the one used in EternalRomance (CVE-2017-0143). In addition the group also created an exploit for another Windows zero-day (CVE-2019-0703). Both flaws have been patched.

“What we found out is that in terms of the software vulnerabilities targeted by the underlying exploit they were identical to those leveraged by EternalRomance,” says Mark Lechtik, lead security researcher at Check Point.

“This is no coincidence – finding the exact same set of bugs in order to create an exploit that provides remote code execution capabilities is very unlikely,” he says. At the same time, there are enough differences in Bemstour to indicate the exploit was re-engineered and built from scratch, rather than copied wholesale. That is what led Check Point to conclude that an NSA exploit was used in some way as a reference, he notes.

Close Monitoring

During the analysis of Bemstour, Check Point researchers found evidence suggesting the Chinese group had closely monitored systems under its control that the NSA had managed to compromise. APT3 members then captured traffic related to those attacks—including information on how the NSA was moving laterally on the compromised networks—and then used that as a reference to reverse-engineer the NSA’s exploit.

This allowed them to build an exploit tool that looked and worked remarkably similar to the NSA’s exploit, but with less effort and cost. Instead of purchasing from a third party or investing in its own in-house team, APT3 built its malware by collecting and using the NSA’s own attack data.

“The main takeaway is that we see evidence for the first time of a nation-state collecting and reusing foreign attack tools to recreate their own,” Lechtik says. “We heard of that happening in theory; now we [have] facts that support it.”

Lechtik says it’s unclear if other Chinese APT groups and state actors have adopted a similar approach. But from their point of view, the approach would make sense. “If they can catch a tool and repurpose it, they cut the costs on finding it themselves,” he notes. “If we see they did it once, it would be likely they have done it on other instances and keep doing it today.”

The question of whether other countries are doing the same thing is harder to answer, he says. Pulling off something like what APT3 did requires the ability to deliberately monitor domestic systems, collect and analyze a lot of information all with the hope of finding one usable tool.

“Not all nation-states would go down this road in the first place, and indeed a lot don’t use exploits, not to mention zero-days, almost at all,” he says. “Instead, they try to abuse human weaknesses through phishing, for example—an opportunistic but very cheap alternative. Iran and North Korea are examples for exactly that.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/chinese-group-built-advanced-trojan-by-reverse-engineering-nsa-attack-tool-/d/d-id/1335758?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook expands use of face recognition

On Tuesday, Facebook said that it’s dumping “tag suggestions” – the technology it’s used since 2015 to automatically recognize people’s faces and suggest to their friends that they tag them.

For most users this used to be all that Facebook’s facial recognition technology was used for. But it’s replaced one-trick-pony tag suggestions with the multi-purpose “face recognition” setting. It’s available to all users, along with an option to opt out.

Facebook introduced facial recognition in December 2017. The feature spots users when their likeness crops up in photos, even when they haven’t been tagged. It also spots if someone uses your picture as their profile photo. At the time it rolled out the feature, Facebook described it as a way to manage your appearance in tag suggestions, and to keep us safe from things like identity thieves.

Here’s Facebook AI researcher Srinivas Narayanan:

Starting today, people who newly join Facebook or who previously had the tag suggestions setting will have the face recognition setting and will receive information about how it works.

The tag suggestions setting, which only controls whether we can suggest that your friends tag you in photos or videos using face recognition will no longer be available.

If you turn off face recognition, Facebook (according to the information found in Settings)…

… won’t use face recognition to suggest that people tag you in photos. This means that you’ll still be able to be tagged in photos, but we won’t suggest tags based on a face recognition template.

Ups and downs of Facebook’s face recognition

After backlash from Canadian and EU citizens and regulators, Facebook in 2012 turned off its first incarnation of the tag suggestion feature in Europe and deleted the user-identifying data it already held.

It’s taken the US a while to catch up with the EU on privacy matters. A class-action lawsuit against Facebook for its alleged violation of users’ privacy rights vis-a-vis facial recognition has been churning through the courts since 2015, and it’s not done churning yet.

The class-action lawsuit claims that Facebook violated its users’ privacy rights in acquiring what it describes as the largest privately held database of facial recognition data in the world.

Tag suggestions, which used face recognition only to suggest to users that they tag friends in photos, is at the center of that lawsuit.

The suit claims that Facebook violated Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent from the plaintiffs, collecting it and squirreling it away in its “world’s biggest” facial recognition database.

The Illinois law in question – the Illinois Biometric Information Privacy Act (BIPA) – is the broadest of its kind in the US. It bans collecting and storing biometric data without explicit consent, including “faceprints.”

The 2015 lawsuit – which got yet another go-ahead last month from the courts, in spite of Facebook fighting it tooth and nail – is one of the first tests of the powerful biometrics privacy law. (For what it’s worth, another test of BIPA is a class action suit, proposed in September 2018, brought against the US fast-food chain Wendy’s over its use of biometric clocks that scan employees’ fingerprints to track them at work.)

Facebook’s facial recognition technology also got put through the wringer during the Federal Trade Commission’s (FTC’s) investigation into the company’s privacy practices – an investigation that led to the $5 billion wrist slap that the FTC gave Facebook in July 2019.

According to the FTC’s complaint, Facebook “misrepresented the extent to which users could control the privacy of their data related to a form of technology that raises particular concerns for many consumers: facial recognition.”

From the complaint:

In an April 2018 update to its Data Policy, Facebook represented to consumers, ‘Face recognition: If you have it turned on, we use face recognition technology to recognize you in photos, videos and camera experiences.’ The complaint alleges that this statement was deceptive to tens of millions of users who have Facebook’s facial recognition setting, ‘Tag Suggestions,’ because that setting was turned on by default and the updated Data Policy suggested that users would need to opt-in to having facial recognition enabled for their accounts.

The FTC’s order requires Facebook to give clear notice of how it uses facial recognition data and requires that it get consumers’ express consent before “putting that data to a materially different use.”

In sum, goodbye, tag suggestions, o ye feature that’s been at the center of both litigation and regulation. Hello, face recognition, and may you deliver an actual, bona fide opt-in choice for using our faceprints.

How to turn face recognition on or off

In Facebook, go to Settings > Privacy Settings. Under ‘Privacy’, tap Face recognition and select Yes or No next to the prompt ‘Do you want Facebook to be able to recognise you in photos and videos?’

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E2d_NAvFEnQ/

YouTube fined $170m for covertly tracking kids online

YouTube can’t track kids online anymore without their parents’ permission, says the FTC – and it has just fined the Google subsidiary $170m to demonstrate just how serious it is.

The penalty follows a complaint filed by the FTC and the New York Attorney General that YouTube had violated the Children’s Online Privacy Protection Act (COPPA) Rule. Passed in 1998, the legislation advanced new rights for children under 13. It forced service providers to tell children what information they’re collecting and how they will use it, and get parental consent to do so. They must also enable parents to review the information collected and to prevent its further use.

YouTube failed at this. It used cookies to follow kids around the internet without getting consent from their parents to do so. This only happened with the regular YouTube service and not with YouTube Kids, the exclusively child-targeted service it launched in 2015.

The problem for YouTube was that some of its channels were specifically aimed at children and it marketed this to advertisers. It told Mattel:

YouTube is today’s leader in reaching children age 6-11 against top TV channels.

It bragged to Hasbro, referring to YouTube as “the new Saturday Morning Cartoons”, and also told the company:

YouTube was unanimously voted as the favorite website for kids 2-12

However, it also told another advertising company that fretted about COPPA:

We don’t have users that are below 13 on YouTube and platform/site is general audience, so there is no channel/content that is child-directed and no COPPA compliance is needed.

Under Wednesday’s settlement, YouTube must create a system for YouTube channel owners to designate their channels as targeting children. It must also train employees who deal with those channel owners in COPPA compliance. The company also has to notify parents that it wants to collect their children’s information and get their consent. The FTC also says that YouTube can’t use the information that it collected through child-targeted channels.

In a year, YouTube must report back on how it has prevented the tracking of children (including passive tracking, and the means for people to opt out of tracking). It also has to demonstrate how parents can review the information collected from their children, and how it lets them prevent the use of that data.

YouTube CEO Susan Wojcicki blogged that in four months the company will start treating data from anyone watching children’s content on YouTube as children’s data. It will limit data collection on those videos to just what’s needed to support the operation of the service, she said, and won’t deliver personalised ads on kids’ channels. She added:

We’ll also use machine learning to find videos that clearly target young audiences, for example those that have an emphasis on kids characters, themes, toys, or games.

Finally, the company will also spend $100m over the next three years on creating better children’s content on YouTube and YouTube Kids.

Under the deal, Google will pay $136m to the FTC and $34m to the state of New York. $170m is a big chunk of change, and it’s the biggest fine that Google has shouldered to date, but it isn’t the company’s first tussle with the FTC. In 2012, it paid the agency $22.5m in a settlement over lying to Apple Safari users about not tracking them. And in 2011, it settled with the FTC over deceiving consumers and violating its own privacy policy during the launch of its social network, Google Buzz.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1ObwzofWsMw/

Database exposed 133 million US Facebook users’ phone numbers

A researcher has stumbled on a publicly exposed database containing the telephone numbers of hundreds of millions of Facebook users.

According to TechCrunch, Sanyam Jain of research non-profit the GDI Foundation recently found the unprotected database containing 419 million user records on a web host.

He wasn’t able to identify who put it there, but the recently exposed records contained each user’s unique Facebook ID along with their mobile or mainline phone number.

When TechCrunch checked the records, it found that some also contained users’ names, gender and location. The countries which appeared most often in the data were the US with 133 million numbers, Vietnam with 50 million, and the UK with 18 million.

Facebook later confirmed the breach, claiming to The Guardian that once duplicate records were removed, the total number of users in the database was 210 million.

According to Facebook’s Jay Nancarrow, the database appeared to have been ‘scraped’ before privacy changes implemented in 2018:

This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.

The data set is no longer accessible, and the company is still investigating who might have collected it. It has seen no evidence that the data was used to compromise accounts, he added.

Telephone numbers matter

If there was ever a time when exposing telephone numbers could be viewed as a minor privacy breach, those days are long gone. These days, telephone numbers are hugely valuable to cybercriminals.

Numbers can be abused in two ways, the most obvious of which is to fuel the recent epidemic of SIM swap fraud, whereby criminals phone up carriers pretending to be the SIM owner and ask for a replacement chip.

When they receive and activate the new SIM, the genuine user’s phone goes dead, a sign that their number has been taken over to bypass security layers such as SMS-based two-factor authentication.

Telephone numbers also offer a route into internet accounts that allow SMS messages to be used to confirm credential resets.

According to Jain, the database also contained the profiles and associated telephone numbers of celebrities.

What to do

Assuming a Facebook ID/number was part of this database (and third parties got hold of it somehow), the only quick fix is to change that number. Most people will be reluctant to pull that plug because it comes with the inconvenience that nobody can contact you until you tell them the new one.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1g5AlsbhrXc/

8 Ways to Spot an Insider Threat

The good news is most insider threats derive from negligence, not malicious intent. The bad news is the frequency of negligence is already ahead of where it was in 2018.

When the challenge of battling inside threats arises, it’s tempting to dismiss the process as little more than identifying the rogue employee(s), along with reviewing and refining permissions, controls, and authorizations to prevent recurrence. Depending on the industry, some public apologies may need to be made and some regulatory fines may need to be paid.

The good news and the bad news with insider threats? The good news is most insider threats derive from negligence, not malicious intent, as Katie Burnell, global insider threat specialist at security vendor Dtex Systems, explained in a November Dark Reading webinar about the insider threat. The bad news, she said, is the frequency of negligence is already ahead of where it was in 2018.

Compounding the problem is the fact there are more networks, more devices, and, of course, more data to monitor and secure. Organizations understand they can’t equally secure it all. One approach has been to prioritize the monitoring of those users with the highest privileges, perhaps aided by the use of privileged access management (PAM) tools.  

Our list of insider threats identifies the “who,” but what about the “how” of detection? Log files and SIEM data may offer some forensic footprints to see who accessed which servers, databases, and individual files. But the volumes of monitoring data are too great to do this for all users, security experts agree. This has opened the door to user and entity behavior analytics (UEBA), which flags anomalous behavior by user. Some security vendors are starting to push the idea of “identity as a perimeter,” according to ESG analyst Doug Cahill, rather than using the more traditional physical perimeter of the network. “So you monitor who has access and whether they do anything anomalous,” Cahill explains.
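The “how” of detection described above, as an added illustration rather than any vendor’s UEBA product: a per-user baseline is built from a constructed audit log (hypothetical `user=… host=… action=… bytes=…` format), and later events are flagged when they hit a host the user has never touched, fall outside the user’s usual hours, or move far more data than the user’s historical maximum. The thresholds and the ±1 hour window are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed audit-log lines (not from a real SIEM). Hypothetical format:
#   <ISO-8601 UTC timestamp> user=<name> host=<server> action=<verb> bytes=<n>
BASELINE_LOG = """\
2019-09-02T09:12:04Z user=alice host=crm-app-01 action=read bytes=4096
2019-09-02T14:40:19Z user=alice host=crm-app-01 action=read bytes=8192
2019-09-03T10:05:51Z user=alice host=crm-app-02 action=read bytes=2048
2019-09-02T08:30:00Z user=bob host=fileshare-07 action=read bytes=65536
2019-09-03T17:45:10Z user=bob host=fileshare-07 action=write bytes=12288
"""

NEW_LOG = """\
2019-09-04T11:00:00Z user=alice host=crm-app-01 action=read bytes=4096
2019-09-04T23:58:31Z user=alice host=hr-db-01 action=read bytes=5242880
2019-09-05T13:15:00Z user=bob host=fileshare-07 action=read bytes=70000
2019-09-05T03:02:12Z user=carol host=fileshare-07 action=read bytes=1024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    nbytes: int


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from the baseline window."""
    hosts: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    max_bytes: int = 0


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than abort the whole run
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"], host=m["host"], action=m["action"],
            nbytes=int(m["bytes"]),
        ))
    return events


def build_profiles(events: List[Event]) -> Dict[str, Profile]:
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.hosts.add(e.host)
        p.hours.add(e.ts.hour)
        p.max_bytes = max(p.max_bytes, e.nbytes)
    return dict(profiles)


def _hour_distance(a: int, b: int) -> int:
    """Circular distance on a 24-hour clock, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(e: Event, profiles: Dict[str, Profile],
                volume_factor: int = 10) -> List[str]:
    """Return the reasons an event deviates from its user's baseline (empty if none)."""
    p = profiles.get(e.user)
    if p is None:
        return ["no-baseline-for-user"]
    reasons = []
    if e.host not in p.hosts:
        reasons.append("new-host")
    if all(_hour_distance(e.ts.hour, h) > 1 for h in p.hours):
        reasons.append("unusual-hour")
    if e.nbytes > volume_factor * p.max_bytes:
        reasons.append("volume-spike")
    return reasons


def detect(baseline_text: str, new_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Learn profiles from the baseline log, then return alerts for the new log."""
    profiles = build_profiles(parse_log(baseline_text))
    alerts = []
    for e in parse_log(new_text):
        reasons = score_event(e, profiles)
        if reasons:
            alerts.append((e.user, e.host, e.ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, host, when, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(f"{when} {user}@{host}: {', '.join(reasons)}")
```

Flags from a tiny baseline are noisy by design; in practice the learning window spans weeks and the “new host” signal is weighted by how sensitive the host is (the HR database above, say) before anyone is paged.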

Vendors are also talking about adding artificial intelligence and machine learning to the security equation. While those implementations remain rather basic, you don’t need an algorithm to see this is where security management is headed. Detecting and stopping malicious insiders will need this extra oomph, which automates tasks otherwise left to humans.

Do you have any experience with the kinds of malicious insiders tagged here? We’d love to hear your war stories in our “Comments” section. 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: https://www.darkreading.com/theedge/-8-ways-to-spot-an-insider-threat/b/d-id/1335746?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Businesses Fail to Address DNS Security Exposures

Increasing awareness about the critical importance of DNS security is the first step in reducing the risk of being attacked. It’s time to get proactive.

US businesses are hemorrhaging — bleeding money, data, time, reputation, and more — because they continue to experience cyberattacks at the DNS level. This is according to our annual “Global DNS Threat Report,” which looks at the causes and effects of DNS attacks on businesses across the world.

DNS attacks are on the rise and literally costing millions. The report, which was conducted in partnership with IDC, revealed the worst trends in its five-year history. Businesses averaged more than nine DNS attacks in 2018, an increase of 34% year-over-year. Costs went up significantly, too — the average cost of a DNS attack came in at $1.27 million worldwide. When 70% of businesses in America were attacked, they lost upward of $100,000 per incident. Almost half (48%) lost at least $500,000, and close to 10% lost over $5 million.

These costs are not sustainable. Neither is the time it takes to fix an issue — an entire business day in most cases. Companies can’t afford to take any part of their business offline for over eight hours. The repercussions can be disastrous. In most instances, in-house applications were the most affected (65% of the time), though almost half of respondents (45%) had their website compromised and one-quarter (27%) experienced downtime as a direct consequence. These could all lead to serious Network and Information Security Directive penalties.

The types of attacks are also shifting. Where cybercriminals once mostly flooded the DNS of a targeted network with large, high-traffic attacks in an effort to overwhelm its bandwidth, they have become equal-opportunity attackers and diversified their approach to include stealthier, low-bandwidth tactics such as phishing and malware-based attacks.

As attackers get smarter, why do businesses continue to fail when it comes to prioritizing DNS security? First, lack of awareness. Over a quarter of US organizations continue to think that protecting DNS is only moderately important, but the reality is that DNS is critical to service continuity, data confidentiality, and security. By nature, DNS is an open service to the network, and its mission-critical role for routing application access makes it both a primary attack vector and a target for hackers. Eighty-two percent of global businesses suffered a DNS attack last year, and DNS attack numbers are in the double digits for many.

The bottom line: When the DNS is affected, so are the applications that run a business. Imagine that a large manufacturer loses access to its supply chain management system — a chain reaction is set off that could affect the entire company.

Second, adaptive countermeasures aren’t properly in place. When under attack, companies can’t shut down the entire business, but they can contain the risk. Retaining service, availability, bandwidth, and control — all elements crucial to network integrity — is a must. Disaster recovery and avoiding single points of failure must be part of the mitigation process. This is where adopting a zero-trust strategy is critical.

Organizations need to take a micro rather than a macro approach. Perimeter security is not enough, especially when most threats come from inside the enterprise network in the form of malware and phishing invitations. Businesses are getting better at building intermediate zones to allow and control inbound flows, but this enterprise network security topology relies on macro-segmentation principles that are no longer appropriate. The architecture must be scaled down into micro-segments — as small as a single client or server. This requires an entire re-imagining of the network, relying on the fact that there are no longer any trusted or untrusted zones. Everything is treated as a threat by default.

Having a granular view of users and applications becomes a standard approach, not an exception. Almost all Internet connections are initiated through DNS, meaning DNS sees 95% of traffic going through the network. Analyzing the behavior of each user brings valuable data for detecting potential menaces hidden in the traffic. This surveillance of each client at such a detailed level is key to a successful zero-trust strategy. Administrators also should know the status of the network in real time at all times.
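The per-client view of DNS traffic the paragraph above calls for can be built directly from resolver logs. What follows is an added example written for this page, not EfficientIP code and not a reproduction of the report's method. The resolver log format, the client addresses, the domain names and the thresholds are constructed; the two heuristics (share of NXDOMAIN answers per client, and the number of distinct names a client queries under one registered domain) are common defender-side indicators that a host is talking to names that are not real services, which is the kind of low-bandwidth, malware-driven activity the article says now dominates.

```python
"""Per-client DNS query profiling from constructed resolver log lines.

Added example only; not EfficientIP code or a reproduction of the report's
method. Log format, client addresses, names and thresholds are constructed.
"""
import re
from collections import defaultdict

# Constructed resolver log format:
# "<ISO timestamp> client=<ip> qname=<name> rcode=<NOERROR|NXDOMAIN>"
DNS_LINE_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+) rcode=(\S+)$")

# Constructed traffic: two ordinary workstations and one host that mostly
# receives NXDOMAIN for a stream of distinct names under a single domain.
_CONSTRUCTED = [
    ("10.0.1.5", ["www.example.com", "mail.example.com", "cdn.example.net", "login.example.org"] * 2, "NOERROR"),
    ("10.0.1.6", ["www.example.com", "updates.example.net", "api.example.org"] * 4, "NOERROR"),
    ("10.0.2.9", [f"h{i:02d}k3f.example-test.net" for i in range(10)], "NXDOMAIN"),
    ("10.0.2.9", ["www.example.com", "mail.example.com"], "NOERROR"),
]


def build_sample_log():
    """Render the constructed traffic as log lines (the minute counter is only a filler)."""
    lines = []
    for client, names, rcode in _CONSTRUCTED:
        for name in names:
            lines.append(f"2019-08-12T09:{len(lines) % 60:02d}:00 client={client} qname={name} rcode={rcode}")
    return "\n".join(lines)


def registered_domain(qname):
    """Last two labels as the 'registered' domain; a simplification that ignores the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Return (timestamp, client, qname, rcode) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = DNS_LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def profile_clients(records):
    """Per-client view: total queries, NXDOMAIN count, distinct names seen under each registered domain."""
    profiles = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names_per_domain": defaultdict(set)})
    for _, client, qname, rcode in records:
        p = profiles[client]
        p["queries"] += 1
        if rcode == "NXDOMAIN":
            p["nxdomain"] += 1
        p["names_per_domain"][registered_domain(qname)].add(qname.lower())
    return dict(profiles)


def flag_clients(profiles, min_queries=10, nx_ratio=0.5, fanout_limit=8):
    """Return {client: [reason, ...]} for clients whose DNS behaviour stands out."""
    flagged = defaultdict(list)
    for client, p in profiles.items():
        if p["queries"] < min_queries:
            continue  # too little traffic to judge
        ratio = p["nxdomain"] / p["queries"]
        if ratio >= nx_ratio:
            flagged[client].append(f"{ratio:.0%} of {p['queries']} queries returned NXDOMAIN")
        for domain, names in p["names_per_domain"].items():
            if len(names) >= fanout_limit:
                flagged[client].append(f"{len(names)} distinct names queried under {domain}")
    return dict(flagged)


def run_example():
    """Profile the constructed traffic and return (profiles, flagged clients)."""
    profiles = profile_clients(parse_dns_log(build_sample_log()))
    return profiles, flag_clients(profiles)


if __name__ == "__main__":
    profiles, flags = run_example()
    for client, p in sorted(profiles.items()):
        print(f"{client}: {p['queries']} queries, {p['nxdomain']} NXDOMAIN")
    for client, reasons in flags.items():
        print(f"FLAG {client}: " + "; ".join(reasons))
```

The minimum-query floor matters: a client that made three queries and got one NXDOMAIN has a 33% failure rate that means nothing, so the check only fires once there is enough traffic to judge. In a real deployment the thresholds would be tuned per segment, which is exactly where the micro-segmentation argued for above pays off, because a single client's profile is far easier to reason about than a whole zone's.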

Increasing awareness about the critical importance of DNS security is the first step in reducing the risk of being attacked. Moving to a more proactive approach will add even more protection. No business can afford to hemorrhage money — that’s management 101. It also can’t afford to lose precious data, suffer time offline, or damage its reputation, all three of which lead to lost revenue. Addressing DNS weaknesses now will help keep companies solvent in the future.


Ronan David develops the strategic direction for EfficientIP, which delivers fully integrated network security and automated solutions for DDI (DNS-DHCP-IPAM). He oversees EfficientIP’s customer and partner relationships, resulting in corporate growth and development within …

Article source: https://www.darkreading.com/vulnerabilities---threats/why-businesses-fail-to-address-dns-security-exposures-/a/d-id/1335678?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple