
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?

The old-school technology is experiencing new popularity, but too many people assume mainframes are inherently secure.

By all accounts, a mainframe renaissance is here. After years of negativity and predictions about the impending death of the mainframe, the technology is experiencing a resurgence and wide adoption this year, with even greater growth predicted beyond 2019.

Case in point: IBM’s Z series mainframe sales are up 70% year-over-year. And a recent Compuware survey showed that mainframe workloads are increasing. Currently, 57% of enterprises with a mainframe run more than half of their critical applications on the mainframe, but that number is expected to rise to 64% by next year, according to Compuware.

As the face of IT has changed, the mainframe has kept up with trends, with its ever-evolving ability to provide the performance and number-crunching required by technologies such as machine learning and artificial intelligence.

But while mainframe technology has evolved to meet the trends, the security processes and practices needed to keep the platform secure haven’t exactly kept up. It’s not for lack of technology and tools, however. The phenomenon is largely due to a series of misconceptions among IT professionals around mainframe security. Those misconceptions are placing countless businesses — and an enormous amount of sensitive customer data — at serious risk.

Debunking Misconceptions
I’ve spent the majority of my career in mainframe security, and the one mistaken belief I come across consistently is that the mainframe is inherently secure. What I hear is that mainframes have security built into them from the ground up — that through cryptographic hardware acceleration and a secure operating system, mainframes fulfill the critical requirement of keeping data protected. But that’s only part of the story.

If you’re thinking “But one of the main reasons I chose mainframe technology was its reputation for security!” you’re not mistaken. It’s true — the mainframe is arguably the most secure platform. But really, I prefer to think of the mainframe as the most securable platform. Any system comes with weaknesses, and the mainframe is no exception.

Like any other system, mainframes are subject to ransomware attacks, cybersecurity threats, and vulnerabilities that leave them open to serious exposures. Despite the reputation for security, reliability, and scalability, the mainframe requires the same level of attention as any other computing platform when it comes to security.

Widespread Complacency
Unfortunately, I see businesses overlooking mainframe security all too often. This advice isn’t only meant for businesses new to mainframes that might not know any better. It’s also an important reminder to businesses that have long been relying on mainframes to run mission-critical processes and safeguard sensitive customer information.

Overlooking mainframe security is an industrywide issue today. Recent research shows that even though 85% of companies say that mainframe security is a top priority, 67% admit that they only sometimes or rarely factor security into mainframe environment decisions.

In other words, companies aren’t practicing what they preach when it comes to mainframe security. And as we hear about a new data breach seemingly every day, business and consumers alike should be worried about the implications of security complacency.

There’s also a widespread lack of knowledge around how to best protect the mainframe. Executives around the world rank security as the second-biggest challenge today, but they’re not sure how to get started.

Creating a Mainframe Security Strategy
Companies can’t afford a breach: The cost of a data breach is high, averaging $3.86 million globally, not to mention the damage to your business in reputational harm and potential lost business. With that in mind, how can businesses build a successful mainframe security strategy?

Most organizations rely on third-party tools to establish permissions (authentication) and access control (authorization), but that alone isn’t a complete solution. Security exploits are also a major cause of breaches, and organizations need to make sure they’re taking steps to protect against them. A Forrester survey of companies that have experienced a data breach within the last year found that 35% were caused by an exploited vulnerability.

With the threat and vulnerability landscape constantly changing, organizations are under attack across their IT systems. As a result, compliance regulations increasingly require mainframe penetration testing, vulnerability scanning, and ongoing vulnerability management. Consistent testing and evaluation can help uncover known and zero-day vulnerabilities.

A comprehensive security strategy also includes things like automating compliance assessments, penetration testing, scanning mainframe applications and operating systems (OS) for vulnerabilities, and, of course, making sure they have the right resources (both in terms of tools and people) to secure the environment.

In other words, the best defense is a good offense. Organizations need to be proactive about protecting the mainframe not only against known threats but also seeking out the gaps in their systems that might allow unknown threats to creep into their mainframe and compromise customer data.

Ultimately, the mainframe renaissance will equip businesses with the processing power, reliability, and scalability they need to thrive. But for true peace of mind, especially where sensitive customer data is involved, businesses need to be aware of the importance of mainframe security and, just as importantly, prepared to execute on it.


Ray Overby is a Co-Founder and President of Key Resources, Inc., (KRI), a software and security services firm specializing in mainframe security. A recognized world authority in mainframe security, risk, and compliance for IBM Z System environments, Ray heads the KRI …

Article source: https://www.darkreading.com/vulnerabilities---threats/the-mainframe-is-seeing-a-resurgence-is-security-keeping-pace/a/d-id/1335476?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

World recoils in horror as smartphone maker accused of helping government snoops read encrypted texts, track device whereabouts

Comment In a report that has left lawmakers across the globe reeling, the Wall Street Journal on Wednesday claimed a smartphone maker helped government officials in Uganda access encrypted texts on a handset used by one of its own citizens, and track the device’s whereabouts.

It is, we think you will agree, virtually unheard of that a manufacturer of telecommunications gear would respond to a request from a country’s intelligence services.

It strongly implies that there is some kind of law that gives Uganda’s snoops the power to demand and obtain a target’s personal communications. Worse, it would appear that this surveillance was not made public – making the WSJ’s efforts to bring the truth to the world that much more impressive.

What is remarkable is that the WSJ’s investigative team was able to glean this information in a country in which it has but a single reporter. Despite the nation’s small impact on the world, or on US interests, the WSJ has seemingly taken an intense interest in Ugandan affairs, covering events in the African nation no less than four times in the past year.

Compare that to, say, Hong Kong, which the WSJ has written four stories about in the last four hours, or Mexico, which has had three dedicated stories in the past week.

In this case, the WSJ was shown Ugandan police records that identified a member of opposition in Uganda’s parliament, Bobi Wine, as the target of a surveillance operation, and listed two engineers from the maker of the cellphone he uses who helped the government track his movements as well as access an encrypted WhatsApp group used to organize street rallies in support of the political opposition.

The WSJ doesn’t say how it obtained the documents, though it does reveal that Wine was recently in Washington DC where he had briefed the US government on events in Uganda and had received offers of assistance.

It is absolutely extraordinary that Uganda, a sovereign government, would seek to probe one of its own citizens. That a phone maker would assist in that effort is nothing short of staggering.

Dogged reporting

The fact that the WSJ was aware of Wine’s Washington DC visit, and was able to track down internal police documents revealing Wine’s surveillance is testament to the extraordinary skills and resources that the newspaper possesses. It appears the WSJ’s single Uganda reporter took time out from writing regional reports about emerging and growth markets to track down highly confidential and politically sensitive documents that fingered state surveillance of a politician.

For reasons that are unclear, however, the WSJ story did not lead with the fact that Uganda has put a Washington-friendly politician under surveillance. Instead the main thrust of the piece was, for some reason, focused almost entirely on the smartphone maker whose engineers helped in the probe. In this case, it was, allegedly, the Chinese manufacturer Huawei.

It is also worth noting that the engineers were, the WSJ claims, brought in to assist members of Uganda’s cybersecurity team who were trying, and failing, to use Israeli-made spyware to extract WhatsApp group messages from Wine’s phone. The techies were apparently drafted in to get the surveillance tools to work.

The article didn’t spend much time digging into why an Israeli outfit had handed, directly or indirectly, snooping software to the Ugandan government. Nor was it very interested in the political repercussions within the African nation. But it was very interested in claiming that the mobile phone enterprise in this case was Huawei. That’s HUAWEI.

There is no evidence that the HUAWEI engineers provided any information on Wine to anyone other than the Ugandan authorities. But still, HUAWEI is based in China, even if its engineers in this case weren’t, and its phone wasn’t, and the person being tracked wasn’t either. Nonetheless, HUAWEI is a CHINESE company.

Huawei denies any of this took place.

The fact HUAWEI, allegedly, acceded to the demands of the Ugandan government to track a specific phone using someone else’s software is not in any way comparable to the long-standing and absolutely above board and entirely fair systems that exist in the US, UK, and Australia to do more or less the same thing.

It is also worth noting that it is horrifying that HUAWEI engineers helped locate a specific mobile phone for the Ugandan government whereas in the US, you just have to be a bounty hunter to access such information.

As it happens, the US intelligence services are currently engaged in a global information campaign about Huawei in which they have sought to exclude the company and its products from the US and other Western markets by claiming that it represents a security threat, without providing any public proof of that.

Most of those allies have rejected that claim following in-depth security reviews, and many are suspicious that the Huawei clampdown is driven more by US business interests than any real threat to security, national or otherwise.

But that small side note is not thought to have had any impact on the Wall Street Journal’s extraordinary piece of investigative journalism published this week. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/15/huawei_uganda_report/

How dodgy browser plugins, web scripts can silently rewrite that URL you were about to hit – and throw you into an internet wormhole

Analysis Clickjacking, which came to the attention of security types more than a decade ago, continues to thrive, despite defenses deployed since then by browser makers.

Boffins from Microsoft and universities in China, South Korea and the US recently looked at the Alexa top 250K websites and identified three different clickjacking techniques currently being used to intercept clicks.

In summary, malicious browser extensions, and dodgy third-party scripts loaded by pages, can quietly alter URLs in links to redirect netizens elsewhere on the web, or trigger more code to run in the background. The goal by the makers of this stuff is to get victims to inadvertently click on adverts, set cookies, fool affiliate programs, download and run malware, and suchlike.

The researchers – Mingxue Zhang and Wei Meng from Chinese University of Hong Kong, Sangho Lee from Microsoft Research, Byoungyoung Lee from both Seoul National University and Purdue University, and Xinyu Xing from Pennsylvania State University – are scheduled to present their findings at the USENIX Security conference on Thursday.

In-depth

In a paper titled, “All Your Clicks Belong to Me: Investigating Click Interception on the Web,” the computer scientists describe how they developed their own browser-based analysis framework called Observer to monitor click interception. They did so because the dynamic, event-driven nature of web applications makes it difficult to assess the scripts responsible for interfering with click events simply by looking at application code.

They built Observer by customizing the open source Chromium browser so they could mediate all JavaScript-driven access to web links in the browser’s rendering engine, to identify the initiator of the URL in each link. Their framework, which they say they will release as open source code, also provides visibility into the creation and execution of JavaScript objects and allows the monitoring of all event handlers on every HTML element and of JavaScript navigation APIs. In short, it offers a window into where scripts go bad.

Among the top 250,000 Alexa websites, they found 437 third-party scripts intercepting user clicks on 613 websites that collectively receive 43 million daily visits.

The researchers reported finding scripts that trick users into clicking on page elements disguised as first-party content, or implemented as nearly invisible elements placed atop first-party content. They also said they found third-party scripts intercepting users’ clicks to monetize them, which they describe as a novel click fraud technique.

“We revealed that some websites collude with third-party scripts to hijack user clicks for monetization,” the paper says. “In particular, our analysis demonstrated that more than 36 per cent of the 3,251 unique click interception URLs were related to online advertising, which is the primary monetization approach on the Web.”

In addition to advertising, clickjacking may be used to drive malware installation. The researchers identified only two such campaigns, but suspect there are many fiddling with click events, noting that it was beyond the scope of their study to analyze the two million URLs in their data set for malware.

The clickjacking techniques discussed include: intercepting hyperlinks, either through third-party scripts that tamper with first-party URLs or huge hyperlinks that cover most of a page by enclosing much of the HTML or a large background image; adding a navigation-related event listener to a page element; and using visual deception (copying a first-party design element or a transparent overlay).

In a phone interview with The Register, Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, described how such click interception might be accomplished.

“If a user downloads a toolbar or extension, the extension sees everything in the browser so it can not only replace or inject ads, it can also inject clicks,” he said. “What those extensions might do is call a URL so a cookie gets planted, making an affiliate network believe an affiliate partner drove the sale so it pays a revenue share.”

As an example, he said, a webpage might include a hidden iframe that loads an Amazon.com page to place a cookie with an affiliate code, which gives the designated affiliate credit for purchases within the next 30 days.

Cookie stuffing

Fou pointed to the prosecution of an eBay affiliate for cookie stuffing back in 2013 and said he had recently heard from one of the largest affiliate networks in China that such fraud remains a major problem. “That kind of clickjacking is alive and well and as bad as ever,” he said.

Fou said the researchers have not only documented affiliate fraud through attribution URL flooding, they’ve also documented other forms of display ad fraud that are not well known and are also very well hidden. He pointed to JavaScript include directives that happen dynamically, so code scanning won’t show malicious content, and to clickjacking that leads to a roadblock/page-takeover ad that the user has to close before reaching their intended destination. These clicks, he said, can be made to look like ad clicks when the user is really just trying to navigate.

Google in 2017 announced changes to its Chrome browser designed to prevent two types of automatic redirection that were being abused. But as the research paper states:

“Chrome still cannot detect and prevent other possible ways to intercept user clicks, including but not limited to links modified by third-party scripts, third-party contents disguised as first-party contents, and transparent overlays.”

Fou said there’s a way to fight clickjacking-driven fraud but it isn’t technical. “Literally rip out all the third-party scripts from your website,” he said.

“Publishers were thinking that by adding more scripts, they could make more money. But they’re making less money and their audience is being stolen from them. It’s harming the user experience. Once you put someone else’s JavaScript on your page, they can then change its function at any time in the future and you’ll never know it. That’s how all this malvertising is happening.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/15/hijacked_clicks_research/

Intel: Listen up, you NUC-leheads! Mini PCs and compute sticks just got a major security fix

Hot on the heels of Patch Tuesday fixes from Microsoft, Apple, Adobe, and SAP, Intel has dropped its monthly security bundle to address a series of seven CVE-listed vulnerabilities in its firmware and software.

The most serious of the seven is the patch for CVE-2019-11162, a vulnerability in the Intel Compute Improvement Program software. This program is an opt-in diagnostic tool that collects detailed information about the hardware it’s running on and less-detailed information about activities like type of sites browsed, applications used and what region of the world the computer is being used in.

According to Intel, one of the drivers in the tool is actually the source of the vulnerability, which, while serious, is at least not exploitable over the network. It can be exploited by a bad user or malware already on a system to take control of the box via privilege escalation, or to crash it or make it leak information.

“Insufficient access control in hardware abstraction in SEMA driver for Intel Computing Improvement Program before version 2.4.0.04733 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access,” Chipzilla says in its summary of the flaw.

Users and admins are advised to update their software to version 2.4.0.04733 or later. Credit for the discovery was given to security researcher Jesse Michael.

Another diagnostic tool, the Intel Processor Identification Utility, was the host of CVE-2019-11163, a flaw that would allow a local attacker to leak information, crash the thing, or elevate their privileges.

The updated version is 6.1.0731. Jesse Michael gets credit for finding this bug as well.

Those using Intel’s mini-computers or compute stick hardware will want to install the update for CVE-2019-11140, a flaw in the Intel NUC firmware. That vulnerability was blamed on “insufficient session validation” and would allow for elevation of privilege and information disclosure, not the sort of things you want happening to your board’s firmware.

The fixed BIOS version is 0066 for NUC boards, 0060 for Compute Stick, and 0037 for Intel Compute Card. Credit goes to researcher Dmitry Frolov.


Meanwhile, Intel has gone so far as to flat out cancel RAID Web Console 2, the source of CVE-2019-0173, an authentication bypass flaw accessible via a network connection. Admins will want to update to RAID Web Console 3 version 7.009.011.000 or later. Credit to trotmaster99.

The Intel Authenticate software has been patched for CVE-2019-11142, a local escalation of privilege vulnerability traced back to improper permissions in the software installer. Users and admins will want to update to version 3.8 or later. Credit for the discovery goes to Tunisian security researcher SaifAllah benMassaoud.

Driver and Support Assistant was updated to 19.7.30.2 to patch against CVE-2019-11146, an elevation of privilege bug discovered by Hacker One bug hunter Jakub Palaczynski and CyberArk’s researcher Eran Shimony.

The Intel Remote Displays SDK got a patch for CVE-2019-11148, an elevation of privilege bug discovered by flaw finder Marius Gabriel Mihai. Patched versions are 2.0.1 R2 and later. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/14/intel_security_fix/

Stronger Defenses Force Cybercriminals to Rethink Strategy

Researchers see the rise of new relationships and attack techniques as criminals put companies’ resilience to the test.

As businesses ramp up defenses, cybercriminals and advanced persistent threat groups are rethinking their attack strategies to be more collaborative and complex, researchers report.

The more organizations invest in securing their networks and training staff, the harder and more expensive it becomes for attackers to disrupt them, Accenture iDefense analysts say in the “2019 Cyber Threatscape Report.” Instead of backing down, adversaries are targeting victims with layered attacks, new techniques, and intricate relationships to disguise their identities.

“They’ve become more sophisticated; they’ve gone deeper underground,” says Howard Marshall, director of cyber intelligence services, in an interview with Dark Reading. Conventional cybercrime operations remain active: Emotet, Loki Bot, Pony, NanoCore, and Nocturnal were the most common types of malware seen in 2018 and 2019, researchers found. The most common spam attachments deliver malware via weaponized Microsoft Office files.

As traditional campaigns continue to spread, law enforcement takedowns of popular communities, such as Alphabay and Hansa, have motivated attackers to swap open partnerships on underground forums for smaller, close-knit syndicates in order to remain hidden. “There’s loss of visibility – the fact that it’s a lot harder to get into some of these closed-network environments,” adds Josh Ray, Accenture cyber defense lead, pointing to adversary cost.

That attack groups continue to remain operational despite crackdowns highlights a “significant increase” in the maturity and resilience of criminal networks, researchers say. As groups more closely work together, it disguises their identities and makes attribution harder.

Financially motivated campaigns aren’t going away. The report describes an uptick in “big game hunting,” in which cybercriminals launch targeted attacks for financial gain using a broad range of tailored malware or commodity crimeware that can be downloaded or purchased from underground forums. Criminals also conduct targeted attacks using legitimate pentesting tools, including Metasploit, Cobalt Strike, PowerShell Empire (PSE), Meterpreter, and Mimikatz.

Both Marshall and Ray point to the rise of disinformation as a threat to watch. In the report, analysts explain how new technologies can drive the spread of false information. Cybercriminals are likely to take advantage of high-profile global events to sway public opinion, and they have more tools to help, researchers say, citing 5G networks and artificial intelligence. New technologies will prove beneficial to businesses, but they may cause more damage when in the hands of an attacker.

Accenture predicts upcoming global events, including the 2020 Tokyo Summer Olympics, 2020 US presidential election, and events and activities related to NATO expansion, will become leverage for information operations, phishing campaigns, and other more destructive threats.

“Awareness around that activity has heightened,” Ray says. Disinformation tactics can range from outright lies to the selection and distortion of facts to tell a misleading story. Social media remains the battlefield: It’s free, and its presence in everyday life makes it an appealing tool.

“The near omnipresent role of social media in everyday life has positioned online communities as target-rich environments which exist beyond the conventional purview of corporations’ security controls,” researchers write in the report. “This has propelled social networks to the frontlines, as high-yield arenas for manipulation.”

Ransomware: Bypassing Spam Campaigns
Ransomware is by no means a new concern to organizations around the world, but researchers anticipate the threat will be exacerbated. In addition to delivering ransomware via spam campaigns, attackers are also installing ransomware onto business networks by purchasing Remote Desktop Protocol (RDP) access to compromised servers on underground forums. This level of access is typically obtained through vulnerability exploitation and brute forcing.

Analysts predict ransomware will continue to drive cash flow for attackers. The median ransom demand observed in 2018 was around $10,000 per incident, with the highest reaching $8.5 million. But even with profits rising, researchers see mixed motives driving ransomware. Some attackers seek to destroy network environments in addition to, or instead of, making money.

Ransomware’s ability to destroy information, slow performance, and disrupt services can help attackers hide evidence of crimes like espionage or fraud. Campaigns can also interfere with markets by using malware to lower a company’s share price and increase its product cost. A ransomware attack can also send financial and political messages. Analysts point to GandCrab as an example of a threat that avoids targeting victims in certain countries.

What can businesses take from this? With respect to ransomware, researchers recommend maintaining regular backups of storage devices, servers, and users’ information. If malware hits, they should “immediately disconnect” affected systems from the network, reimage infected systems whenever possible, and restore user data from backups. They should not pay ransom.

More broadly, Ray advises security admins to better understand their business’ value chain. “A lot of security professionals don’t understand how their companies make money,” he says. This awareness can help downgrade the effectiveness of a cyberattack or disinformation campaign.

Business-savvy security leaders can also learn why different adversaries would target the firm, he adds. Attackers may focus on crown jewels you don’t expect them to eye; marrying business acumen with threat data can provide a view of how a company appears to attackers.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/stronger-defenses-force-cybercriminals-to-rethink-strategy/d/d-id/1335527?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trend Micro Patches Privilege Escalation Bug in its Password Manager

Organizations should update to latest build as soon as possible, security vendor says.

Trend Micro has patched a couple of security flaws in its Password Manager credential management product that gave attackers a way to escalate privileges and gain persistence on systems running the software.

In a security advisory Wednesday, the security vendor described the issue as involving two DLL hijacking vulnerabilities in the company’s stand-alone version of the product and the version that comes integrated with the latest version of its anti-malware suite.

One of the now-patched vulnerabilities (CVE-2019-14684) would have allowed an attacker to load an arbitrary file with malicious code into the password manager. The other separate but similar vulnerability (CVE-2019-14687), also allowed attackers to load malicious code but using a different DLL.

The flaws existed in Trend Micro’s 2019 versions of Password Manager, Maximum Security, and Premium Security products for Windows computers. The security vendor has issued a patch that is currently available to users who have signed up for automatic updates. Others can get the patch by manually updating their software to the latest build.

“Exploiting these types of vulnerabilities require that an attacker has access (physical or remote) to a vulnerable machine,” Trend Micro said. Even though an exploit would likely require several specific conditions to exist, organizations should still upgrade to the latest build as soon as possible, the company advised.

Attractive to Attackers

Peleg Hadar, security researcher at SafeBreach Labs, the security firm that originally discovered and reported the vulnerabilities, says certain features in Trend Micro’s Password Manager make it interesting for attackers.

For instance, the product runs as the most privileged user account (NT AUTHORITY\SYSTEM) on Windows systems, thereby making it attractive to attackers seeking to escalate privileges on an infected system.

The product also uses a Trend Micro-signed executable. Hackers that find a way to execute code within this signed process have a way to potentially bypass whitelisting controls. Trend Micro’s Password Manager service starts automatically at boot time – which benefits attackers looking for a way to maintain persistence on a system, he says.

The vulnerabilities that SafeBreach discovered would, in certain situations, have allowed an attacker to drop a malicious file with malicious code in a certain directory used by the product, Hadar says. The code would be loaded and executed while signed as an executable under the scope of the Trend Micro password manager, he says. An attacker would have the ability to run under the highest privileges that the operating system supports.

“This will provide the attacker the ability to do multiple malicious operations on the computer such as stealing sensitive data,” Hadar says. “The attacker will also be able to likely evade security products because it’s running under a process which is signed by Trend Micro.” In the right conditions, an attacker would only need the lowest privilege in order to write a malicious file to a directory, he adds.

Vulnerable Password Managers

Reports of vulnerabilities in security products—including password managers—are certainly not new.

Earlier this year, Independent Security Evaluators (ISE), a consulting firm based in Baltimore, released a report summarizing the findings from its analysis of popular password managers for Windows systems. The five products tested were Dashlane, KeePass, LastPass, 1Password 7, and 1Password 4.

The research turned up serious security issues in every product, including, in some cases, flaws that allowed credentials—even the master password—to be easily extracted from a locked password manager.

Even so, many security researchers advocate the use of password managers because they help users secure credentials far more effectively than they would without one. Even the ISE researchers who uncovered the issues concluded that a password manager is generally a good thing.

“Aside from being an administrative tool to allow users to categorize and better manage their credentials, password managers guide users to avoid bad password practices such as using weak passwords, common passwords, generic passwords, and password reuse,” the researchers said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-privilege-escalation-bug-in-its-password-manager/d/d-id/1335525?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Financial Phishing Grows in Volume and Sophistication in First Half of 2019

Criminals are using the tools intended to protect consumers to attack them through techniques that are becoming more successful with each passing month.

Phishing — especially phishing involving websites claiming to be from financial institutions — is growing, and criminals are getting better at their craft. A new report shows how attackers are using messages that closely mimic legitimate bank promotions to entice users to open email messages and click on links, then using those clicks and opens as the first step in campaigns that steal credentials, embezzle funds, and plant ransomware or other malware across systems.

The report, “The State of Financial Phishing” for the first half of 2019, demonstrates that one of the principal tools in fighting online fraud — the green “lock” icon that shows the website is protected by encryption — has now been co-opted by criminals to create a false sense of security in their malicious Web traps.

Criminals have found that the same free certificate authorities (CAs) that make it easy for legitimate small businesses to protect their websites also enhance the look and feel of bogus, criminal sites. Bob Maley, chief security officer at report sponsor NormShield, says that free CAs like Let’s Encrypt have helped small organizations, but with significant unintended consequences: “The shift to using domains with certificates changes the game,” he says.

According to the report, the first six months of the year saw a 14% increase in domains potentially used in phishing campaigns and double the number of phishing domains that were certified by registrars. That works out to more than 1,900 potential phishing domains that were registered in the first half of 2019.

Maley says the rate of phishing domain registration is increasing, and he expects more than 3,500 new criminal domains will be registered by the end of the year. Many of those, he says, won’t be used quickly; attackers will let them “age” so that protection algorithms aimed at “quick hit” campaigns won’t be triggered.

Those criminal domains use TLS (SSL) certificates to look more legitimate. The researchers say the share of phishing domains with a valid encryption certificate, 8.5% in 2018, will rise to 15% of sites showing a legitimate green lock icon in 2019.

“My take on this is that cybersecurity professionals really need to understand that there’s a strategic process being followed by both sides,” Maley says. “OODA — observe, orient, decide, and act — is a war-fighting concept that everyone uses. Some just do it quicker.”

The great danger is that criminals are going through the OODA loop faster than the defenders, Maley says. And he points out that security professionals could take concrete steps to get ahead of their adversaries.

He recommends searching for URLs likely to be used in legitimate business transactions and being vigilant about several critical points. First, avoid clicking on two- or three-letter domain names because they are so easily spoofed. The same, he says, is true of highly generic site names. Block these in internal Web filtering software and, Maley argues, make life a little easier for your peers.

“Identify phishing domains that are applied to your company and take those down” with DMCA and other legal takedown demands, he says.
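Maley’s recommendations (block very short and highly generic names, treat “aged” domains as still young, identify lookalikes of your own brand for takedown) can be turned into a triage rule for newly observed domains. The following is an added example and is not code from NormShield or the report; the domain records, the brand name and the generic-name token list are constructed for the example, and all sample names use the reserved `.example` TLD. The certificate flag is recorded for context only and never lowers the verdict, which is the report’s central point.

```python
from datetime import date
from typing import Dict, List

# Name fragments that make a domain "highly generic" (constructed list for
# this example; tune it to the phrasing your users actually encounter).
GENERIC_TOKENS = ("secure", "login", "signin", "verify", "account", "update", "payment")


def second_level_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'examplebank-secure' for
    'examplebank-secure.example'. Naive on multi-part suffixes like .co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def triage_domain(record: Dict, brands: List[str], today: date) -> Dict:
    """Classify one newly observed domain.

    record: {"domain": str, "registered": date, "has_cert": bool}
    Returns {"domain", "reasons", "verdict", "takedown"}.
    """
    sld = second_level_label(record["domain"])
    reasons: List[str] = []

    # Maley's two filter rules: very short names and highly generic names.
    if len(sld) <= 3:
        reasons.append("short-name")
    if any(tok in sld for tok in GENERIC_TOKENS):
        reasons.append("generic-name")

    # A monitored brand embedded in someone else's name is a takedown candidate.
    takedown = False
    for brand in brands:
        if brand.lower() in sld and sld != brand.lower():
            reasons.append(f"brand-lookalike:{brand}")
            takedown = True

    # Attackers let domains "age" to slip past quick-hit filters, so a domain
    # a few months old is still treated as young rather than as trusted.
    age_days = (today - record["registered"]).days
    if age_days < 30:
        reasons.append("registered-under-30d")
    elif age_days < 180:
        reasons.append("registered-under-180d")

    # A certificate only proves the operator controls the name; it is noted
    # for the analyst and does not reduce the risk.
    if record.get("has_cert"):
        reasons.append("has-certificate")

    if takedown or "short-name" in reasons or "generic-name" in reasons:
        verdict = "block"
    elif age_days < 180:
        verdict = "review"
    else:
        verdict = "allow"
    return {"domain": record["domain"], "reasons": reasons,
            "verdict": verdict, "takedown": takedown}


def triage_all(records: List[Dict], brands: List[str], today: date) -> Dict[str, Dict]:
    """Triage a batch of records, keyed by domain."""
    return {r["domain"]: triage_domain(r, brands, today) for r in records}


# Constructed sample feed (placeholder brand and reserved .example names).
TODAY = date(2019, 8, 15)
BRANDS = ["examplebank"]
SAMPLE_RECORDS = [
    {"domain": "examplebank-secure.example", "registered": date(2019, 2, 1), "has_cert": True},
    {"domain": "ab.example", "registered": date(2019, 8, 1), "has_cert": True},
    {"domain": "paymentupdate.example", "registered": date(2019, 8, 10), "has_cert": False},
    {"domain": "examplebank.example", "registered": date(2005, 3, 12), "has_cert": True},
    {"domain": "quietgardenblog.example", "registered": date(2019, 6, 1), "has_cert": False},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_RECORDS, BRANDS, TODAY).values():
        flag = " (request takedown)" if result["takedown"] else ""
        print(f"{result['domain']:28} {result['verdict']:6}{flag}  {', '.join(result['reasons'])}")
```

The `block` verdicts feed the internal Web filter; the `takedown` flag marks the subset worth a legal or registrar complaint. Note that `examplebank-secure.example` is 195 days old in this sample and carries a certificate, yet is still blocked: age and a green lock are exactly the signals the report says attackers now cultivate.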

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/financial-phishing-grows-in-volume-and-sophistication-in-first-half-of-2019/d/d-id/1335528?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chin up, CapitalOne: You may not have been the suspected hacker’s only victim. Feds fear 30-plus organizations hit

The ex-Amazon software engineer accused of stealing the personal information of 106 million people from Capital One’s cloud-hosted databases may have hacked dozens of other organizations.

This is according to a filing [PDF] this week by prosecutors in a US federal district court in Seattle, where suspected cyber-thief Paige Thompson is facing trial.

While arguing their case to keep Thompson in jail before and during proceedings, Uncle Sam’s legal eagles noted that as many as 30 other companies and organizations may have been similarly ransacked and had their customer records and corporate secrets siphoned by the alleged hacker.

“Thompson’s crime in this case – major cyber intrusions that resulted in the theft of massive amounts of data from what now appears to be more than 30 victim companies – only exacerbates the harm that Thompson has done, and the threat she would pose if released,” the filing reads.

This is not a terribly surprising development, given that, according to documents previously submitted by the FBI in the Capital One case, Thompson bragged online about swiping data from dozens of other targets, from Ford to American universities. Capital One aside, none have, to the best of our knowledge, alleged in public any network intrusions at the hands of Thompson, a former AWS techie who may have used her intimate knowledge of the cloud giant to gain access to vulnerable S3 storage buckets.

Thompson, who went by the online aliases “erratic” and “0xA3A97B6C”, was collared late last month in a dramatic armed raid in which police stormed the Seattle home she shared with several housemates, and seized 20 firearms and accessories along with Thompson’s computing gear.

It is not just the additional investigations that have prosecutors asking Judge Mary Theiler to keep Thompson in detention. The Feds’ paperwork also notes that the accused hacker has a history of threats to harm herself and others, potentially making her a danger for not only flight, but also a risk to the public.

“Thompson has a long history of threatening behavior that includes repeated threats to kill others, to kill herself, and to commit suicide by cop,” the filing notes. “Thompson’s threats have resulted in multiple calls to law enforcement, and the entry of protection orders against Thompson.”

One couple were granted five-year protection orders against Thompson after claiming she had subjected them to seven years of harassment. Her housemates also reported that she had threatened to commit “suicide by cop.”

The next hearing in the case, to discuss the detention request, is set for later this week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/14/capitalone_hacker_court/

BioStar 2 Leak Exposes 23GB Data, 1M Fingerprints

Thousands of organizations, including banks, governments, and the UK Metropolitan Police, use the biometric security tool to authenticate users.

Researchers with VPNMentor have discovered a massive leak in biometric security platform BioStar 2, which uses facial recognition and fingerprint scanning to identify users. Thousands of organizations use the tool to control access to buildings and secure areas.

Suprema, the security firm that built BioStar 2, recently partnered with Nedap to integrate the platform into its AEOS access control system. More than 5,700 institutions across 83 countries, including local businesses, governments, banks, and the UK’s Metropolitan Police, use AEOS.

Noam Rotem and Ran Locar, both Internet privacy researchers, first detected the leak on August 5 while scanning ports as part of a Web-mapping project. Their team hunts for familiar IP blocks and uses them to find holes in a company’s Web system. When these holes are found, the researchers then look for vulnerabilities that could lead to a data breach. During this process, the team found large chunks of BioStar 2’s database unsecured and unencrypted.

The database held “almost every kind of sensitive data available,” researchers wrote in a blog post. They could access more than 27.8 million records and a total of 23 GB of data, including more than 1 million fingerprints; facial recognition data and user images; access to client admin panels, dashboards, back-end controls, and permissions; unencrypted usernames and passwords, records of entry and exit to secure areas; and employee records.

“One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were,” they point out. “Plenty of accounts had ridiculously simple passwords, like ‘Password’ and ‘abdc1234.’” While some users had more complex passwords, the researchers were able to view passwords across the database because they were stored in plaintext.

Following a rocky disclosure process, BioStar 2 secured the database on August 13.
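Two of the findings above, plaintext password storage and trivially simple passwords, have a standard remedy that is worth showing concretely. The following is an added example and is not Suprema’s or BioStar 2’s code: it stores only a salted PBKDF2-HMAC-SHA256 hash (via Python’s `hashlib.pbkdf2_hmac`) in a self-describing record, verifies candidates in constant time, and rejects the kind of passwords the researchers quoted. The iteration count and the small denylist are choices made for this example.

```python
import hashlib
import hmac
import os

# Cost parameters for PBKDF2-HMAC-SHA256 (example values; raise the
# iteration count as hardware gets faster).
_ALGO = "pbkdf2_sha256"
_ITERATIONS = 200_000
_SALT_BYTES = 16

# Constructed denylist for this example; a real deployment checks against a
# large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "abdc1234", "abcd1234", "12345678", "qwerty123"}


def is_acceptable_password(password: str) -> bool:
    """Reject the 'ridiculously simple' choices the researchers found."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return a record of the form algo$iterations$salt_hex$digest_hex.

    A fresh random salt per user means identical passwords produce different
    records, so a database dump no longer reveals who shares a password.
    """
    salt = os.urandom(_SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return f"{_ALGO}${_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: never treat as a match
    if algo != _ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed demonstration: the stored record reveals nothing usable,
    # unlike the plaintext column in the leaked database.
    for pw in ("Password", "abdc1234", "correct horse battery staple"):
        print(f"{pw!r:34} acceptable={is_acceptable_password(pw)}")
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify right:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:", verify_password(record, "Password"))
```

Storing the algorithm and iteration count inside the record lets you raise the cost later and re-hash users on their next successful login without a flag day; the constant-time comparison avoids leaking how many leading bytes of a guess matched.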

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/biostar-2-leak-exposes-23gb-data-1m-fingerprints/d/d-id/1335521?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GitHub Named in Capital One Breach Lawsuit

A new lawsuit says that GitHub bears responsibility for the Capital One breach because it actively encourages hacking and stored stolen data.

The fallout from the Capital One data breach continues, with a recent class-action lawsuit naming the financial giant — and GitHub, the online data repository that has become central to many companies’ agile and devops coding efforts.

The lawsuit, filed in US District Court for the Northern District of California, claims that GitHub (now owned by Microsoft) “actively encourages” hackers, and that this active encouragement means that it has a higher responsibility than most repositories to scan uploaded files for dangerous or illicit data.

According to the lawsuit, files containing information on the methods used in the breach were uploaded to the site in April, but not removed until July, when GitHub was alerted by Capital One.

In a statement to Dark Reading, GitHub said, “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service. The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”

The suit depends on a standard of “morally culpable,” as opposed to “legally culpable,” which is a commonly used legal standard.

Article source: https://www.darkreading.com/attacks-breaches/github-named-in-capital-one-breach-lawsuit/d/d-id/1335523?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple