STE WILLIAMS

How Do I Handle Security Alert Fatigue?

Adding more security tools might add more security – or just more headaches (and risk).

Question: I have alert fatigue from all these security alerts. What’s my solution? More tools?

Anthony Diaz, division VP of emerging services at Optiv: You’re not alone. Alert fatigue is becoming a universal problem, and it’s mainly due to a reactionary cybersecurity marketplace where security operations teams are challenged with transforming their approaches to keep pace with the innovations that are being applied to continuously evolving business models.

Traditional, non-integrated SOCs are not designed to address the dynamic nature of today’s businesses, the accelerating volume of alerts per hour, or the thousands of raw events per second coming from monitoring and detection products. Solving these operational concerns requires a shift in thinking that focuses on the root cause problem rather than reacting to the symptoms.

Adding more tools can actually add more complexity and gaps, increasing risk. It is always important to make sure every tool is implemented and utilized correctly.

We recommend that businesses:

1. Create a strategy around detection and response, including critical/high-value assets so teams can first focus on what matters most and then expand coverage.

2. Follow a framework and process around content management (rules in SIEM/tools) that govern the curation of content so you can have alerts/detections that are fresh and don’t create false positives.

3. Consider adding security orchestration, automation, and response (SOAR) capabilities, if you haven’t already. The security services integrator can focus on Tier 1-3 analysis, and your team can focus on escalation, investigation, and remediation.

Anthony Diaz is Division VP of Emerging Services at Optiv.

Article source: https://www.darkreading.com/theedge/how-do-i-handle-security-alert-fatigue/b/d-id/1335649?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New ‘Lyceum’ Threat Group Eyes Critical Infrastructure

Researchers report Lyceum, otherwise known as Hexane, has targeted organizations in South Africa and the Middle East.

Newly discovered threat group Lyceum has been spotted attacking critical infrastructure firms in the oil and gas, and possibly telecommunications, industries with the goal of gaining and expanding access inside target networks, Secureworks’ Counter Threat Unit researchers report.

Lyceum may have been active as early as April 2018, when domain registrations indicate an attack on South African targets. One year later, after developing and testing its toolkit against a public malware-scanning service, Lyceum launched a May 2019 campaign against oil and gas businesses in the Middle East. It prioritizes organizations in strategically important industries.

Attackers typically use password spraying or brute force to gain credentials they need to break in. They use access to compromised accounts to send spearphishing emails containing malicious Excel attachments, which install DanBot malware to deploy post-intrusion tools. DanBot is one of several attack tools researchers have observed in Lyceum’s arsenal, they write in a blog post.
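The two credential attacks named above leave different shapes in authentication logs. The following is an added example, not part of the original article or the Secureworks report, that separates them by source address and lists accounts that logged in successfully after being targeted. The log tuple format, thresholds, addresses and account names are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_events():
    """Constructed log: a spraying source, a brute-force source, a user typo."""
    base = datetime(2019, 5, 6, 8, 0, 0)
    staff = ["ceo.adams", "hr.lee", "it.khan", "it.moss", "hr.ortiz", "cfo.wu"]
    events = []
    # Spray: one guess per account per round, two rounds ten minutes apart.
    for rnd in range(2):
        for i, account in enumerate(staff):
            ts = base + timedelta(minutes=10 * rnd, seconds=20 * i)
            hit = rnd == 1 and account == "hr.lee"
            events.append((ts.isoformat(), "203.0.113.50", account,
                           "OK" if hit else "FAIL"))
    # Brute force: twelve guesses against a single account.
    for i in range(12):
        ts = base + timedelta(seconds=30 * i)
        events.append((ts.isoformat(), "198.51.100.7", "svc.backup", "FAIL"))
    # Ordinary user: one typo, then a good login.
    events.append((base.isoformat(), "192.0.2.10", "it.moss", "FAIL"))
    events.append(((base + timedelta(seconds=15)).isoformat(),
                   "192.0.2.10", "it.moss", "OK"))
    return events


def _windows(rows, window):
    """Yield each run of time-sorted rows that fits inside one window."""
    start = 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > window:
            start += 1
        yield rows[start:end + 1]


def classify_sources(events, window=timedelta(minutes=30), spray_accounts=5,
                     max_per_account=3, brute_failures=10):
    """Label each source IP whose failed logins look like spraying or brute force."""
    by_source = defaultdict(list)
    for ts, source, account, outcome in events:
        by_source[source].append((datetime.fromisoformat(ts), account, outcome))

    findings = {}
    for source, rows in by_source.items():
        rows.sort()
        failures = [r for r in rows if r[2] == "FAIL"]
        verdict, targeted = "normal", set()
        for run in _windows(failures, window):
            per_account = defaultdict(int)
            for _, account, _ in run:
                per_account[account] += 1
            worst = max(per_account.values())
            if len(per_account) >= spray_accounts and worst <= max_per_account:
                # Wide and shallow: many accounts, few guesses each.
                verdict = "password_spray"
                targeted |= set(per_account)
            elif worst >= brute_failures and verdict != "password_spray":
                # Narrow and deep: many guesses against one account.
                verdict = "brute_force"
                targeted |= {a for a, n in per_account.items()
                             if n >= brute_failures}
        if verdict == "normal":
            continue
        first_failure = failures[0][0]
        # A success on a targeted account after the guessing began suggests a
        # working credential: reset that account before it is used to send mail.
        compromised = sorted({a for ts, a, o in rows
                              if o == "OK" and a in targeted
                              and ts >= first_failure})
        findings[source] = {"verdict": verdict,
                            "targeted": sorted(targeted),
                            "compromised": compromised}
    return findings


if __name__ == "__main__":
    for source, finding in sorted(classify_sources(sample_events()).items()):
        print(source, finding)
```

A per-account lockout counter alone misses the spray, because no single account sees more than two failures; the signal only appears when failures are grouped by source.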

Spear-phishing emails are usually sent from compromised accounts to specific executives, human resources staff, and IT personnel. Targets are more likely to open emails from internal accounts, and each of these groups could further attackers’ access to sensitive data: HR personnel may have information that could prove useful for future spearphishing attacks, and IT personnel have access to high-privilege accounts and data specific to the firm’s environment.

The group is an emerging threat to energy organizations in the Middle East, researchers say, but organizations should assume Lyceum will branch out to other sectors. Critical infrastructure firms should pay particular attention, they caution. The group doesn’t appear to have demonstrated an interest in industrial control systems or OT staff thus far; however, there is a possibility attackers could leverage access to IT environments to spread into the OT environment.

Lyceum’s tactics are similar to activities from other groups Cobalt Gypsy and Cobalt Trinity, but none of the malware or infrastructure linked to Lyceum has been directly linked to other groups. Researchers say there isn’t enough technical evidence to support attribution.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “‘Culture Eats Policy for Breakfast’: Rethinking Security Awareness Training.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/new-lyceum-threat-group-eyes-critical-infrastructure/d/d-id/1335662?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CrowdStrike Launches Fund for Early-Stage Endpoint Security Startups

Its goal is to accelerate delivery of third-party apps that add on and extend the company’s Falcon cloud-hosted services.

CrowdStrike has established a $20 million fund for coinvesting in early-stage cybersecurity startups that are building applications to work with the company’s cloud-hosted Falcon endpoint protection platform.

The fund has been set up in partnership with Accel, a venture capital firm known for its investments in several successful high-tech firms, the most notable among them being Facebook.

CrowdStrike’s Falcon Fund will invest in startups that are using Falcon to develop products that simplify security and IT operations for enterprises, according to the vendor.

Products from these companies will become available through CrowdStrike Store, an online venue that the company announced earlier this year and from which CrowdStrike’s customers can purchase endpoint security applications from trusted third parties. The company has described the online store as giving customers the ability to select apps of their choice that extend and add on to CrowdStrike’s own technologies without having to worry about installing agents for each one of them.

CrowdStrike’s move is similar to one that Symantec took two years ago when it launched Symantec Ventures. That effort also is aimed at helping startups accelerate delivery of products that work with and extend Symantec’s own products. Unlike CrowdStrike, though, Symantec has not disclosed how much it has set aside in venture capital for funding early-stage startups.

To qualify for investment consideration under CrowdStrike’s Falcon Fund, a startup must have already attracted interest from other lead investors. It must also have an experienced team in charge and be working on marketable endpoint security analytics or endpoint enforcement technology, according to the company.

Falcon is CrowdStrike’s suite of cloud-delivered endpoint protection technologies. The platform includes antivirus services and services for endpoint threat detection and response, managed threat hunting, and threat intelligence. CrowdStrike has positioned Falcon as a single-source replacement for multiple products, including standalone AV tools, host intrusion prevention, and host intrusion detection products.

The goal in creating the fund is to give startups that are leveraging CrowdStrike Falcon a way to accelerate delivery of their products while eliminating the need for them to build their own endpoint agents, says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. “The fund will also allow us to further increase the CrowdStrike Store ecosystem by providing companies with funding to build on our platform,” he says.

Customers will benefit by getting access to more third-party endpoint protection applications from within CrowdStrike’s app store. “The CrowdStrike Store is where customers are able to discover, try, buy, and deploy trusted and certified our own and third-party applications and add-ons that extend their investment in the CrowdStrike Falcon platform,” Alperovitch notes.

CrowdStrike’s online store has garnered considerable interest from third-party app developers since its spring launch. So far, apps from two partners are available via the store, and the goal is to keep expanding the partner base over the next quarter and through 2020. “The Falcon platform was built as a true-API model, and through the Store ecosystem, we are committed to finding partners with applications that complement the cloud-native architecture of Falcon,” Alperovitch says.  

CrowdStrike announced revenue of $96.1 million in the first quarter of 2019 — up 103% over the same quarter last year. The company went public in June with an IPO valued at $34 per share and is currently valued at over $17 billion, or over $84 a share. The company is considered one of the biggest players in the endpoint security space — a market that is expected to grow from $11.8 billion last year to around $20 billion by 2024.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/cloud/crowdstrike-launches-fund-for-early-stage-endpoint-security-startups/d/d-id/1335664?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Imperva Customer Database Exposed

A subset of customers for the company’s Incapsula web application firewall had their email addresses, hashed/salted passwords, and more open to unauthorized access, Imperva announced.

Imperva has announced that the cloud web application firewall product formerly called Incapsula suffered a data exposure that allowed unauthorized access to customer data. The company said that a third party informed it on August 20 of the exposure, which existed through September 15, 2017.

According to the notice posted on the CEO’s blog, a subset of Incapsula customers had email addresses, hashed and salted passwords, API keys, and customer-provided SSL certificates exposed. The blog post notes that the company is taking a variety of actions addressing the exposure, from engaging forensics experts and informing affected customers to forcing password rotations.

Article source: https://www.darkreading.com/attacks-breaches/imperva-customer-database-exposed/d/d-id/1335665?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Right to Be Patched: How Sentient Robots Will Change InfoSec Management

It won’t be long before we consider embodied AI as a form of “life” – and that will have a variety of paradigm-shifting, somewhat irritating, and potentially hilarious impacts on the daily lives of cybersecurity and privacy professionals.

As though prioritizing patches isn’t hard enough, how much worse will it be when the unpatched machine can stalk over to your desk, fold its arms, raise an eyebrow, and ask why its vulnerability is still waiting for a fix? 

Right now, artificial intelligence (AI) is just a tool — a tool we’re barely using — but science fiction always has its way. We already carry the “Hitchhiker’s Guide to the Galaxy” in our pockets; soon enough we’ll be throwing build-day parties for our robot co-workers.

And it won’t be long before we consider embodied AI as a form of “life.” Robots will be granted certain rights and held to certain responsibilities. And that will have a variety of paradigm-shifting, somewhat irritating, and potentially hilarious impacts on the daily lives of cybersecurity and privacy professionals.

‘Alive’? Really?
When trying to define “life,” scientists use qualifications such as autonomy, a need for energy, or an ability to replicate, make decisions, and adapt to an environment. An embodied, self-replicating neural network that uses electricity, performs automated functions, and learns from its mistakes is certainly well on its way to fulfilling these requirements.  

You can quibble over how much of this is truly “autonomous” and how much is “programmed,” but really you’d just be retreading the same “nature vs. nurture” territory that sociologists have trod for years: How much of what we do is a product of how we’re built, and how much is a product of what we’re taught?

Regardless, humans are likely to imbue certain embodied robots with the concept of “life.” Example: In 1984, tragedy struck, right in the middle of Saturday morning cartoons. Rosie, The Jetsons’ sassy robot housekeeper, swallowed a faulty lugnut, turning the orderly Rosie into an out-of-control shoplifter. But did the Jetsons reboot, reformat, or replace the used basic economy model robot? No. The family planned an intervention.

“Now, we’ve got to handle this with sympathy and understanding,” said Jane. “She may need professional help,” said George. And once her hardware was completely wrecked, the whole family huddled in the robot hospital anxiously, while the robot surgeons lamented, “Oh my, this is an old one. How will we ever find original parts?”

Good news: Rosie came out OK.       

But it seemed perfectly natural to worry about Rosie’s well-being, just like we do Baymax and Wall-E and L3-37. And just like we apologize for speaking too harshly to Siri, Alexa, and Garmin.

As AI and robotics grow ever more sophisticated, people will feel the same about the robot bear that cares for their elderly parents, the robotic household assistant who helps them in the kitchen and mopes if it’s ignored, the realistic sex doll they pose with in vacation photos, and perhaps one day Unit 224 (“Tootsie,” to her friends), the malware detection and removal specialist. 

The Impact on InfoSec 
So what does that mean to the security team? 

• Software companies will need to rethink backward compatibility: A robot’s right to life will mean that unless Apple wants Amnesty International on its case, it won’t be able to wantonly discontinue programs and remove phone jacks. And if Microsoft thought the rage over ending support for Windows XP was bad, it has no idea what might come next. 

• Patch management will be less risk-based: Low-priority vulns on the CEO’s personal assistant bot could suddenly be deemed critical, while a truly critical remote code execution bug has to wait.

• Cyber insurance will be workman’s comp: If a machine is “injured” on the job, you want to be covered. No one wants to think about going up against an AI-powered legal team. 

• Ransomware takes on a new meaning: The stakes change when ransomware operators are not just holding data systems for ransom, but lives. 

• Robots will need a TON of GDPR training: AI systems are sure to be handling heavy amounts of data. Either they or their human overseers will be held responsible for privacy violations.  

• No more skills shortage? Some of those vacant security jobs might finally be filled, and infosec pros might get to do some of that threat hunting they never have time to do — unless they’re better at threat hunting.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/edge/theedge/the-right-to-be-patched-how-sentient-robots-will-change-infosec-management/b/d-id/1335614?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

We will hack back if you tamper with our shiz, NATO declares to world’s black hats

NATO’s secretary-general has once again declared that members of the alliance will respond with force to cyber-attacks, in line with Article 5 of its founding treaty.

Jens Stoltenberg, the North American and western/northern Europe alliance’s main man, wrote in the latest issue of Prospect magazine that “an attack against one ally” would trigger action from every member of the collective-defence grouping.

“For NATO, a serious cyberattack could trigger Article 5 of our founding treaty,” wrote the secretary-general. “We have designated cyberspace a domain in which NATO will operate and defend itself as effectively as it does in the air, on land, and at sea. This means we will deter and defend against any aggression towards allies, whether it takes place in the physical world or the virtual one.”

Stoltenberg’s comments are the latest instalment in three years of repeated pledges by NATO to attack anyone who themselves cyber-attacks a NATO member. Back in 2016 the then UK Defence Secretary, Michael Fallon, was urging Britain’s allies to respond to force with force, laying the groundwork for NATO to agree this extension of Article 5. Such promises, or threats depending on who pays your wages, were being made back in 2014.

In May this year Britain boasted once again that it would hack back at adversaries, though it is still unclear – deliberately – exactly what action would trigger a retaliatory hack.

NATO itself, the North Atlantic Treaty Organisation, was formed in 1949 to counter the Soviet Union and its malign, expansionist plans for the continent of Europe. Since the advent of Vladimir Putin’s regime in Russia over the past two decades, NATO has found new purpose.

Dr Kristian Gustafson, deputy director of Brunel University’s Centre for Intelligence and Security Studies, was not impressed with Stoltenberg’s Article 5 declaration and wondered whether it was meaningful in an era where plausibly deniable black hats carry out low-to-medium-level disruption specifically pitched at avoiding triggering a response.

He told The Register: “NATO loses its mind over Russian ‘sub-threshold warfare’ as if the Russians have some magic war woo-woo, instead of realising that the Russians can do this because we have publicly stated, impossibly high thresholds for war, with lots of headroom to operate under. So it’s very rich to say that while everything else the Russians have done hasn’t triggered us to take warlike activities, [doing something like] shutting off the trams in Łódź will…

“And then consider NATO decision making. Is Donald Trump – or even Macron [the president of France] – going to go to war over crashing trams in Łódź? ‘Cyber attack triggers article 5’ doesn’t account for the range of possibilities hiding in ‘cyber’ or the still-extant Very High Thresholds before any Western leader starts shooting Russians.”

Article 5 of the North Atlantic Treaty has been invoked just once, in the aftermath of the 11 September 2001 mass murders in America. The response involved invading Afghanistan and toppling the ruling Taliban regime as part of the US hunt for Osama bin Laden, the mastermind of the attacks.

As a KPMG spokesman told El Reg in 2014 when NATO said something more-or-less identical: “This announcement is primarily a rhetorical point which is possibly aimed at having a deterrent effect.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/27/nato_repeats_article_5_cyber_attack_bombast_again/

Consumers Urged to Secure Their Digital Lives

Security options for consumers improve as Internet of Things devices invade homes and data on consumers proliferates online.

When Craig Williams’ refrigerator broke, he was surprised by how common “smart” technology had become: The majority of appliances he found were Wi-Fi enabled with computers built in.

Typically, appliances are designed to last 10 to 15 years, but Williams — a director of security outreach at technology giant Cisco — did not want a device with a built-in computer, which tends to reach obsolescence much more quickly. In addition, he worried about security: Appliance manufacturers are typically not focused on updating their software nor adequately securing their systems.

For the average consumer, there are just too many unknowns with Internet-connected devices in the home, he says.

“For consumers, you have this computer sitting in your kitchen, you don’t know what technology it is running,” he says. “You don’t know what version of Linux it is running. It’s running an OS version you don’t know about, with libraries that you don’t know about, and at a patch level you don’t know about.”

The digital lives of workers and consumers are increasingly complex, and companies more often than not have failed to step up with security solutions. Security firms continue to push consumers to secure the devices they use and the data they put out in the world, but consumers do not always have good options to protect themselves.

The data breach of Capital One put 106 million customers’ financial information, including self-reported income, credit scores, and payment histories, at risk. Meanwhile, vulnerabilities in Internet of Things (IoT) devices, from Nest cameras to home routers, continue to proliferate, leaving devices and homes open to attack. And social engineering attacks against workers and consumers continue to be perniciously effective.

For security, “[p]eople’s active participation is a necessity,” says Travis Witteveen, CEO of security firm Avira, adding that most people just need to follow some “simple Internet rules that have more to do with common sense than with technical knowledge.”

Take updating software, for example. 

Cisco found eight significant vulnerabilities in the IoT devices from Google’s Nest Labs. A popular camera for tech-enabled homes, the Nest Cam IQ, uses a Nest-created technology called Weave. Cisco researchers discovered a smattering of programming errors in the IoT protocol, a pair of which could allow attackers to remotely execute code on the devices, the researchers stated in an alert published last week.

Consumers are at low risk from these issues: Google, which owns Nest Labs, quickly patched the issues and an update is already available. More importantly, Nest devices automatically update, downloading and applying the latest security patches. 

Yet, while Nest devices are set to auto-update by default, other IoT devices, especially older hardware, are often not set to apply security patches. In addition, the manufacturers of the devices often do not respond quickly to issues found by security researchers.

This puts the burden of security on the consumer. While the vendor, in many cases, is adding computational capabilities to devices to gather data on the consumer, the consumer is paying the security cost. In its latest privacy report, Avira found more than 10 devices connected to the average home wireless network in the US, a large digital surface area that needs to be secured. Using network scanners that can detect vulnerable devices is now necessary, the company says.

This applies to data as well. The number of ways that attackers can monetize the information, and even combine the information for more effective attacks, has dramatically increased, says Avira’s Witteveen.

Breaches have become more common, and because consumers have dozens of accounts, almost everyone has had at least one set of account credentials compromised, he notes. In addition, phishing attacks through e-mail have become increasingly sophisticated, with language and scenarios that are seemingly legitimate and often incorporating the data from breaches to make them more convincing.

“A phishing attack specifically crafted for a certain user, factoring in his interests, browsing behavior and personal data — such as name and marital status — has a much higher chance to succeed in getting the user to give away their credentials or download and execute malicious components,” Witteveen says. “We expect attackers to already do profiling in order to find groups of people that are especially gullible for phishing attacks.”

Vendors Must Step Up

Admonishing consumers to set their devices to auto-update only works if the devices have a complete set of security features and the vendor quickly patches. A decade ago, the makers of a smartphone based on Android would fail to patch quickly because updating the device’s software required a complex process of creating a patch, getting approval from the device maker for the software change, and then submitting the patch to the mobile carrier. Smartphones more than two years old would often never see new updates. But that is not the case anymore, as most Android phones provide automatic software updates.

Consumers need to make security part of their buying decisions, experts say. 

“When you pay a premium, you get that security that the device will be supported,” said Cisco’s Williams. “Consumers have not recognized that premium for security until the last couple of years. There was a time when a consumer would buy the cheapest device available, but now they are buying more expensive devices for the security and support.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/iot/consumers-urged-to-secure-their-digital-lives/d/d-id/1335652?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Unsecured IoT: 8 Ways Hackers Exploit Firmware Vulnerabilities

As new Internet of Things products enter the market, speed shouldn’t trump concerns about security.

Microsoft made news recently at the annual Black Hat conference in Las Vegas, generating a lot of buzz about its discovery of a malicious Russian hacker group using common Internet of Things (IoT) devices to carry out widespread attacks on corporate networks.

Microsoft says hackers compromised several kinds of Internet-connected devices — including a voice-over-IP phone, a Wi-Fi office printer, and a video decoder — to gain access into enterprise networks. The attacks, according to Microsoft, were carried out by a group called Strontium — also known as Fancy Bear or APT28 — which has links to GRU, Russia’s military intelligence agency.

There will be more than 14 billion IoT devices in use in homes and businesses by 2020, according to Gartner. Given Microsoft’s news, now is the time to review security risks in firmware, the specific class of software that provides the low-level control for the hardware of an IoT device. Widely recognized as a pressing cybersecurity issue, firmware is a commonly unprotected attack surface that hackers use to get a foothold in a network. An unsecured IoT device is essentially an unlocked front door, which means that once attackers take over an IoT device, they can move laterally into a corporate network.

Hackers actively exploit weaknesses in IoT security not to attack the devices themselves, but as a jumping off point for all kinds of malicious behavior, which could include distributed denial-of-service attacks, malware distribution, spamming and phishing, click fraud, and credit card theft, among others. So, before a device breach leads to revenue loss, a lawsuit, damage to your company’s reputation, or worse, it is important to be aware of the eight most common firmware vulnerabilities to make sure you haven’t left the front door open to your network.

1. Unauthenticated access: One of the most common vulnerabilities in firmware, unauthenticated access allows threat actors to gain access to an IoT device, which makes it easy to exploit device data and any controls provided by it. 

2. Weak authentication: Threat actors can easily gain access to devices when the firmware has a weak authentication mechanism. These mechanisms can range from single-factor and password-based authentication to systems based on weak cryptographic algorithms that can be broken into with brute-force attacks.

3. Hidden backdoors: When it comes to firmware, hidden backdoors are a favorite hacker exploit. Backdoors are intentional vulnerabilities that are planted into an embedded device to provide remote access to anyone with the “secret” authentication information. Although backdoors are potentially helpful for customer support, when they’re discovered by malicious actors, they can have severe consequences. And hackers are great at finding them.

4. Password hashes: The firmware in most devices contains hard-coded passwords that users are unable to change or default passwords that users rarely change. Both result in devices that are relatively easy to exploit. In 2016, the Mirai botnet, which infected more than 2.5 million IoT devices around the world, leveraged default passwords in IoT devices to execute a DDoS attack that took down Netflix, Amazon, and The New York Times, among others. 

5. Encryption keys: When stored in a format that can be easily hacked, like variations of the Data Encryption Standard (DES), first introduced in the 1970s, encryption keys can present a huge problem for IoT security. Even though DES has been proven to be inadequate, it’s still in use today. Hackers can exploit encryption keys to eavesdrop on communication, gain access to the device, or even create rogue devices that can perform malicious acts.

6. Buffer overflows: When coding firmware, problems can arise if the programmer uses insecure string-handling functions, which can lead to buffer overflows. Attackers spend a lot of time looking at the code within a device’s software, trying to figure out how to cause erratic application behavior or crashes that can open a path to a security breach. Buffer overflows can allow hackers to remotely access devices and can be weaponized to create denial-of-service and code-injection attacks.

7. Open source code: Open source platforms and libraries enable the rapid development of sophisticated IoT products. However, because IoT devices frequently use third-party, open source components, which typically have unknown or undocumented sources, firmware is regularly left as an unprotected attack surface that is irresistible to hackers. Often, simply updating to the latest version of an open source platform will address this problem, yet many devices are released containing known vulnerabilities. 

8. Debugging services: Debugging information in beta versions of IoT devices equips developers with internal systems knowledge of a device. Unfortunately, debugging systems are often left in production devices, giving hackers access to the same inside knowledge of a device.
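Several items in the list above can be checked in an unpacked firmware image before a device is deployed. The following is an added example, not code from the article or from ReFirm Labs, that audits a root filesystem for empty password fields, shipped password hashes, obsolete hash schemes, embedded private keys, unsafe string functions and debug services. The sample image, its paths and its placeholder hashes are constructed, and the string-table and service-name matches are heuristics that need manual confirmation.

```python
import re

# Scheme ids used in crypt(3)-style password fields.
HASH_SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
WEAK_SCHEMES = {"DES-crypt", "MD5-crypt"}
# Function names sit NUL-delimited in an ELF string table (heuristic match).
UNSAFE_CALLS = re.compile(rb"(?<=\x00)(strcpy|strcat|sprintf|vsprintf|gets)(?=\x00)")
PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
DEBUG_SERVICES = re.compile(rb"\b(telnetd|gdbserver)\b")

# Constructed sample image (path -> file bytes); hashes and key are placeholders.
SAMPLE_IMAGE = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"
                  b"support::0:0:support:/:/bin/sh\n",
    "etc/shadow": b"root:$1$salt$placeholderhashvalue00:18000:0:99999:7:::\n"
                  b"admin:XXplaceholder:18000:0:99999:7:::\n"
                  b"nobody:*:18000:0:99999:7:::\n",
    "etc/init.d/rcS": b"#!/bin/sh\n/usr/sbin/telnetd &\n",
    "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n"
                          b"-----END RSA PRIVATE KEY-----\n",
    "usr/sbin/httpd": b"\x7fELF" + b"\x00" * 12
                      + b"\x00strcpy\x00sprintf\x00strncpy\x00",
}


def hash_scheme(field):
    """Name the hashing scheme of a passwd/shadow password field."""
    if field.startswith("$"):
        parts = field.split("$")
        return HASH_SCHEMES.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
    # Traditional DES crypt has no "$" prefix and is always 13 characters.
    return "DES-crypt" if len(field) == 13 else "unknown"


def audit_accounts(path, data):
    """Check account lines for empty passwords and shipped password hashes."""
    findings = []
    for line in data.decode("utf-8", "replace").splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        user, secret = fields[0], fields[1]
        if secret == "":
            findings.append(("1 unauthenticated access", path,
                             f"{user}: empty password field"))
        elif secret == "x" or secret[0] in "!*":
            continue  # hash is in the shadow file, or the account is locked
        else:
            scheme = hash_scheme(secret)
            findings.append(("4 password hashes", path,
                             f"{user}: {scheme} hash shipped in image"))
            if scheme in WEAK_SCHEMES:
                findings.append(("2 weak authentication", path,
                                 f"{user}: {scheme} is an obsolete scheme"))
    return findings


def audit(files):
    """Return (list item from the article, path, detail) for each finding."""
    findings = []
    for path, data in sorted(files.items()):
        name = path.rsplit("/", 1)[-1]
        if path in ("etc/passwd", "etc/shadow"):
            findings += audit_accounts(path, data)
        if PRIVATE_KEY.search(data):
            findings.append(("5 encryption keys", path,
                             "private key shipped in image"))
        if data.startswith(b"\x7fELF"):
            calls = sorted({m.group(1).decode()
                            for m in UNSAFE_CALLS.finditer(data)})
            if calls:
                findings.append(("6 buffer overflows", path,
                                 "references " + ", ".join(calls)))
            if DEBUG_SERVICES.fullmatch(name.encode()):
                findings.append(("8 debugging services", path,
                                 "debug binary present"))
        else:
            for service in sorted(set(DEBUG_SERVICES.findall(data))):
                findings.append(("8 debugging services", path,
                                 "references " + service.decode()))
    return findings


if __name__ == "__main__":
    for item, path, detail in audit(SAMPLE_IMAGE):
        print(f"{item:28} {path:20} {detail}")
```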

As companies quickly bring new IoT products to market, and enterprises move just as quickly to capitalize on the many benefits of IoT deployment, the prioritization of speed does not necessarily need to trump concerns about security.

The good news is that the most common IoT exploits outlined above are avoidable and can be remedied without any additional cost to the manufacturer. A good initial set of best practices when it comes to IoT security includes:

1. Upgrade the firmware on your IoT devices and change the default passwords.

2. Compile an inventory of IoT devices on your network so you have a complete picture of your risk exposure.

3. Contact the manufacturers of the IoT devices deployed on your network and ask if they’ve accounted for the common vulnerabilities outlined above. If not, demand that they implement secure coding practices in their firmware and IoT devices. 

Terry Dunlap is the Co-Founder and Chief Strategy Officer of ReFirm Labs, a provider of proactive IoT and firmware security solutions that empower both government agencies and Fortune 500 companies. A former teen hacker, Dunlap worked as a global network vulnerability …

Article source: https://www.darkreading.com/risk/unsecured-iot-8-ways-hackers-exploit-firmware-vulnerabilities/a/d-id/1335564?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Ways Airlines and Hotels Can Keep Their Networks Secure

As recent news can attest, travel and hospitality companies are prime targets for cybercriminals. Here are six privacy and security tips that can help lock down privacy and security.


The bad news doesn’t stop for travel and hospitality companies.

A long list of breaches has been widely reported in the past year. On the hotel front, there’s Marriott/Starwood, Radisson, and the most recent Choice Hotels breach. High-profile hacks on airlines include British Airways, Air Canada, and Cathay Pacific.

David Dufour, vice president of engineering at Webroot, says airlines and hotels are prime targets because they’re not typical businesses at which employees are locked into a single corporate location.

“The employees at airlines and hotels handle a lot of private information, and there’s a lot of turnover in those industries,” Dufour says. “People don’t spend long careers at the front desk of a hotel.”

Airlines and hotels also have branch offices in hundreds of cities around the world, so the sheer volume of their operations creates a high degree of exposure, Dufour adds.

“As a frequent traveler, when I go into an airport lounge, I want them to have all my information on hand, but from a security perspective these situations are ripe with opportunity,” Dufour says. “As a customer, I expect the service, but the reality is that potentially every open area is a vulnerability.”

The struggle to achieve that balance between customer convenience and security continues for travel and hospitality companies. Here are six tips they can follow to help lock down privacy and security.  

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/risk/6-ways-airlines-and-hotels-can-keep-their-networks-secure--------------------/d/d-id/1335620?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Weekly review – the hot 21 stories of the week

Get yourself up to date with everything we wrote last week – it’s weekly roundup time.


This week’s podcast

This week on the Naked Security podcast we discuss whether big tech companies are spying on you and the latest phishing scams.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gyjdZVM8aG8/