STE WILLIAMS

DNS protection could prevent approximately one-third of the total losses due to cybercrime – which translates into billions of dollars potentially saved.

According to “The Economic Value of DNS Security,” a new report published by the Global Cyber Alliance (GCA), DNS firewalls could annually prevent between $19 billion and $37 billion in losses in the US and between $150 billion and $200 billion in losses globally. GCA used data about cybercrime losses from the Council of Economic Advisors and the Center for Strategic and Internation Studies as the basis for its GCA’s estimates of how much DNS protection, such as a DNS firewall, could save the economy.

“The benefit from using a DNS firewall or protective DNS so exceeds the cost that it’s something everyone should look at,” says Philip Reitinger, GCA president and CEO. In many cases, he says, the DNS protection service or DNS firewall will be available at no cost to purchase or license.

But could any cost, no matter how small, be offset by the difficulty in deploying or managing the protection? Not likely. “In most cases, it will be extremely easy to do. There’s no new software here,” Reitinger says. When it comes to protecting endpoints, it could be as simple as changing the address used for DNS resolution in the computer’s network settings. And for some companies, the adoption will be only slightly more difficult.

The only real difficulty, Reitinger says, comes if the firewall begins generating false-positives, blocking traffic to destinations that serve a legitimate business purpose. Should that happen, firewall rules will need to be manually overridden. “If you see people trying to going out to various services, you get to write the rules that allow or block the destination in spite of the firewall,” he says.

One legitimate point of concern is the data on DNS traffic that the protection provider might collect, Reitinger adds. Knowing about an organization’s traffic patterns provides a great deal of information about the organization itself, he says. In this case, asking serious questions of the provider before signing a contract or changing a resolution server address can prevent privacy concerns in the future.

Related Content:

• Website Attack Attempts Rose by 69% in 2018
• How a Nigerian ISP Accidentally Hijacked the Internet
• Nation-State Hacker Group Hijacking DNS to Redirect Email, Web Traffic
• Ongoing DNS Hijack Attack Hits Consumer Modems and Routers
• 7 Recent Wins Against Cybercrime

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/network-and-perimeter-security/dns-firewalls-could-save-companies-billions/d/d-id/1334965?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In 1992, the film Sneakers introduced the term “Red Team” into popular culture as actors Robert Redford, Sydney Poitier, Dan Aykroyd, David Strathairn, and River Phoenix portrayed a team of security experts who hire themselves out to organizations to test their security systems by attempting to hack them.

This was a revolutionary concept at the time — the term “penetration test” didn’t even exist yet, and the idea of a friendly security team trying to break through a company’s defenses wasn’t exactly commonplace. Today, penetration testing is an important part of any cybersecurity system, and both internal and external Red Teams play a critical role in that process.

But they don’t do it alone. Organizations often employ “Blue Teams,” referring to the internal security team tasked with defending against both real and simulated attacks. If this raises your curiosity about whether and how closely Red Teams and Blue Teams collaborate in security testing, then you’ve pinpointed the fast-rising cybersecurity trend of “Purple Teaming.”

What Makes Purple Teaming Different?
For years, organizations have run penetration tests similarly: The Red Team launches an attack in isolation to exploit the network and provide feedback. The Blue Team typically knows only that an evaluation is in progress and is tasked to defend the network as if an actual attack were underway. 

The most important distinction between Purple Teaming and standard Red Teaming is that the methods of attack and defense are all predetermined. Instead of attacking the network and delivering a post-evaluation summary of finding, the Red Team identifies a control, tests ways to attack or bypass it, and coordinates with the Blue Team in ways that either serve to improve the control or defeat the bypass. Often the teams will sit side by side to collaborate and truly understand outcomes.

The result is that teams are no longer limited to identifying vulnerabilities and working based on their initial assumptions. Instead, they are testing controls in real time and simulating the type of approach that intruders are likely to utilize in an actual attack. This shifts the testing from passive to active. Instead of working to outwit each other the teams can apply the most aggressive attack environments and conduct more complex “what-if” scenarios through which security controls and processes can be understood more comprehensively and fixed before a compromise.

How Deception Technology Adds Value to Penetration Testing
Part of what makes Red Teaming and Purple Teaming so valuable is they provide insight into the specific tactics and approaches that attackers might use. Organizations can enhance this visibility by incorporating deception technology into the testing program. The first benefit comes from detecting attackers early by enticing them to engage with decoys or deception lures. The second comes from gathering full indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) into lateral movement activity. This significantly enhances visibility into how and when attackers circumvent security controls, enriching the information that typically results from these exercises.

Cyber deceptions deploy traps and lures on the network without interfering with daily operations. A basic deployment can easily be completed in under a day, providing the Blue Team an additional detection mechanism that blends in with the operational environment. This creates more opportunities to detect when the Red Team bypasses a defensive control, forcing team members to be more deliberate with their actions and making simulated attack scenarios more realistic. It also offers a truer test of the resiliency of the organization’s security stack and the processes it has in place to respond to an incident.

The rise of Purple Teaming has changed the way many organizations conduct their penetration tests by providing a more collaborative approach to old-fashioned Red Team vs. Blue Team methodology. The increased deployment of deception technology in cybersecurity stacks has further augmented the capabilities of both the Red and Blue teams by allowing them to adopt a more authentic approach to the exercises.

Related Content:

• Effective Pen Tests Follow These 7 Steps
• Think Like An Attacker: How a Red Team Operates
• Inside the Criminal Businesses Built to Target Enterprises

Joseph Salazar is a veteran information security professional, with both military and civilian experience.  He began his career in information technology in 1995 and transitioned into information security in 1997.  He is a retired Major from the US Army … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/the-rise-of-purple-teaming/a/d-id/1334909?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google now has extended its Android-based two-factor authentication to Google applications on iOS devices like iPads and iPhones.

The authentication app uses a certificate built into Android that responds to a challenge issued by a specific, enterprise-enabled website for authenticating both the user and website during login. Google apps or an account on the Google cloud presents a challenge screen to the user on their Android phone, asking them to verify it’s really them logging into the account.

The company in May first introduced the Android-based 2FA mechanism for log-in to Google and Google Cloud services from ChromeOS, Windows 10, and MacOS devices. Now, it can also be used to protect login attempts from iPads and iPhones. 

Google’s authentication is based on FIDO (Fast ID Online) security keys, which leverage public-key cryptography to verify both the user and login page URL, making it more difficult for an attacker who has stolen user credentials to abuse them.

Among the differences between the desktop environments and iOS systems is in the way the authentication appears to the user. To authenticate from a desktop, the user must launch a Chrome browser window to begin the login and initiate the 2FA process. In the iOS implementation, the Google Smart Lock app provides authentication for Google and Google Cloud applications.

Related Content:

• The 2019 State of Cloud Security
• Researchers Finds Thousands of iOS Apps Ignoring Security
• Google to Replace Titan Security Keys Affected by Bluetooth Bug
• Adware Hidden in Android Apps Downloaded More Than 440 Million Times
• New Android Trojan Targets 100+ Banking Apps

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/cloud/google-adds-two-factor-authentication-for-its-apps-on-ios/d/d-id/1334958?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Last summer, the US Federal Bureau of Investigations (FBI) sounded a loud alarm for organizations about the growing danger of business email compromise (BEC) scams. At that time, the FBI said BEC fraud had cost organizations worldwide $12 billion in losses since 2013.

Since then, the threat has continued to grow more dire. Security industry researchers have shown BEC scams are increasing in scope and complexity as attackers perfect their attack playbooks to target an increasing number of victims around the globe.

Here, Dark Reading takes a look at how BEC scams work, the latest statistics on BEC prevalence, and some recent BEC horror stories that should help security professionals and users prepare themselves for this growing class of fraud.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/7-truths-about-bec-scams/d/d-id/1334961?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Industry reports vary, but experts estimate that the modern CISO uses somewhere between 55 and 75 discrete security products. Vendors are often guilty of overpromising and underdelivering — the reality rarely lives up to the marketing. This puts CISOs in an ironic situation — often, the tool they bought to make their lives easier ended up causing more headaches.

This is an endemic issue, but what do you do when you have too many tools that integrate poorly, require different expertise, and provide too much data but not an overall view to the security risk level? Consolidation sounds attractive. After all, what CISO wouldn’t want to reduce clutter, cut costs, and simplify procedures — but where to start?

Begin with Data Quality
CISOs know there is no perfect solution for security. Clearly, multiple security solutions are needed to cover the security controls. However, CISOs should strive to maximize the value of each investment and reduce the number of tools. To cut through the noise and data coming from tools (specifically, those that identify vulnerabilities and control failures), a great place to start is by increasing the confidence that data coming out them is complete and accurate.

By taking measures to ensure that the data is accurate, CISOs can drive remediation more efficiently and know what to fix first to get the greatest ROI on their security investments. It also leads to getting access to automated analytics and reducing the need to manually work through multiple reporting processes for different tools.

Approaching Consolidation
A key reason that CISOs have too many tools is that they have continued to buy tools and rarely decommission any; this results in in overlapping functionality but doesn’t always close all gaps in coverage.

We need to consolidate/reduce the number of security tools we use, and we need to establish discipline around the process of adding new security solutions. This is not as simple as going through each of the tools and deciding if it adds value or if its function is or can be provided by another tool. Instead, we need to determine which security tools are needed by using two core fundamentals: Each security tool should align with a significant risk in the security framework, and each tool implemented should reduce risk to the company, be able to measure the reduction in risk, and be capable of sustaining that risk reduction.

Aligning with a Security Framework
By developing a security framework based on National Institute of Standards and Technology or some other standard, and then selecting a set of security controls around each category of security, a comprehensive view of your security landscape can be developed. From that view, we can take each significant area of security and begin to develop systems and processes that achieve those controls.

Only after developing these processes do we begin to select tools that help implement and control the processes. Each tool should fulfill a specific need in the security controls framework. For example, let’s take the area of system vulnerability management. We shouldn’t start picking our tool to scan our systems until we understand all of the controls that manage the process to patch our systems on a timely and complete basis. We should only select the appropriate tool(s) once we understand what it or they must achieve.

How to Approach Consolidation
The objective of having security systems is to lower the risk of an event that negatively affects the company (e.g., financial, reputational, or regulatory risk). We must keep this in mind when designing processes and selecting security tools. As we implement security processes and tools, we should ensure that the end solution does the following:

• Covers the entire intended landscape across the company. For example, if we scan only 70% of the environment for system vulnerabilities, we may not adequately reduce risk to the company.
• Provides sufficient information to act. For example, if we select a system vulnerability scanner and it provides great detail on the vulnerability and inherent risk but does not provide context to the importance to the company or context as to the owner of the system, then the tool/system is not providing sufficient information to reduce the risk sufficiently.
• Sustains the control, meaning it should automate the control and monitoring processes. Otherwise, the risk will grow again after expending efforts and monies to remediate.

To further refine the approach to security tools, we also need to address risk. All systems and tools do not provide the same level of risk reduction. By focusing on those security domains that carry the highest risk, one can prioritize the selection and implementation of security tools.

By taking this risk-based, end-to-end, and sustainable approach to implementing security processes (and their related tools), we can begin to permanently solve areas of security that historically have remained despite all the tools and money we have thrown at them. Armed with this newly available knowledge, we can permanently solve some longstanding areas of security.

Ultimately, with enhanced data quality and automation plus the consolidation of tools, CISOs can confidently enhance their company’s cyber-risk posture.

Related Content:

• 7 Steps to Start Your Risk Assessment
• 6 Security Scams Set to Sweep This Summer
• The Minefield of Corporate Email
• When Security Goes Off the Rails

Nik Whitfield is the founder and CEO at Panaseer. He founded the company with the mission to make organizations cybersecurity risk-intelligent. His  team created the Panaseer Platform to automate the breadth and depth of visibility required to take control of … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/the-cisos-drive-to-consolidation-/a/d-id/1334910?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

“Hacking back,” the largely controversial concept by which organizations can target intruders on their network, has reappeared in a bill poised to be the subject of arguments in Washington.

Rep. Tom Graves, R-Ga., is today reintroducing a bill that would let businesses monitor for, locate, and potentially target cyberattackers. This isn’t the first time Graves has attempted to making “hacking back” legal, CyberScoop reports. It had previously been found to violate the Computer Fraud and Abuse Act (CFAA), which prohibits computer access sans authorization.

So why try again? Graves, who says businesses are already targeting intruders, points to a lack of rules around the practice. If the bipartisan bill is passed, he hopes businesses will share intelligence on cyberattacks with the government. The bill does not currently enforce this.

While the US Cyber Command has recently been given the go-ahead for more offensive cyber operations, there are myriad reasons security experts think “hacking back” is a bad idea. For starters, cybercriminals often take several steps to disguise their identities; as a result, it’s difficult to determine who was actually behind an attack. Federal government officials, and many security researchers, don’t think companies will be able to ascertain who targeted them.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/perimeter/congress-gives-hack-back-legislation-another-try/d/d-id/1334963?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple