STE WILLIAMS

Tomorrow’s Cybersecurity Analyst Is Not Who You Think

Organizations can’t just rely on diverse and cutting-edge technologies to fight adversaries. They will also need people with diverse expertise and backgrounds.

A number of converging factors are changing enterprise cybersecurity, and as a result, we must change the way we approach it.

First, cybercriminals are becoming much better at penetrating organizations using nontechnical means. With social engineering and phishing techniques, they can bypass organizations’ increasingly advanced defenses by manipulating insiders to gain access. Research shows that phishing and social engineering were the most common methods of compromise in 2018, serving as the conduit to the initial point of entry in more than 60% of security breaches in both cloud and point-of-sale environments, as well as in 46% of corporate and internal network breaches.

Second, the volume of data in organizations is growing exponentially and is increasingly stored in a more decentralized manner, making it difficult to ensure it’s being optimally protected. Research firm IDC predicts the volume of data worldwide will grow tenfold by 2025 to 163 zettabytes, with the majority being created and managed by enterprises. This growth is being driven by the proliferation of artificial intelligence, the Internet of Things, and other machine-to-machine technologies in enterprises across all industries. This increase in new technologies means a larger attack surface, new attack vectors, and more points of vulnerability for organizations to secure.

Amid these challenges, organizations are also facing a global shortage of skilled cybersecurity talent able to address the rapidly evolving threat landscape and manage the myriad of security technologies employed by their organization. The recent (ISC)² Cybersecurity Workforce Study revealed a worker shortage of nearly 3 million for cybersecurity positions around the globe. In the US, it takes organizations an average of three to six months to fill an open security position — leaving businesses and their valuable data vulnerable to increasingly sophisticated threats. 

Nontraditional Skill Sets Could Be the Answer
To address these challenges, organizations must cast a wider net and be open to looking beyond the typical cybersecurity persona to recruit individuals from nontraditional disciplines and backgrounds. One of the biggest faults in our industry is that for far too long we’ve looked for only a certain, specific type of person to serve as cybersecurity professionals. By doing so, we find ourselves in this workforce shortage and risk developing a groupthink mentality as an industry. Instead, we must look to recruit, mentor, and advance the sharpest minds and individuals who bring a different approach, regardless of their educational background or previous professional experience.

For example, the skill sets we need to hire for are not necessarily technical. Instead, they are characteristics such as curiosity, tenacity, an aptitude for spotting patterns others miss, or an ability to put oneself in the mind of a nefarious person and anticipate what they will do next. Bringing together a collaborative group of people with a wide variety of skills, experience, and education will remain essential for keeping pace with the criminal mind. Some of the nontraditional disciplines that make for excellent additions to top-level cybersecurity teams include:  

  • Data scientists: The growth of enterprise data has made data scientists more important than ever. These individuals are familiar with using machine learning to parse through vast volumes of data to look for unusual patterns or anomalies that may indicate a breach.
  • Statisticians: Cybersecurity is not a problem to be solved but a risk to be managed and mitigated. It’s no longer a matter of if an attack will occur, but when, and how will we manage it. Statisticians and mathematicians excel at gauging organizational risk tolerance and determining incident probabilities, and their calculations are an increasingly important part of broader enterprise risk management strategies.   
  • Investigators, law enforcement, and military: People with a background in law enforcement, military service, or other investigative work are experienced threat hunters, able to adopt a black hat mindset, build criminal profiles, and establish modus operandi. They are able to participate in Dark Web communities, conduct reconnaissance investigations, and accurately predict what the enemy will do next.
  • Liberal arts: Any number of different liberal arts fields can bring value to a cybersecurity team. From communications to psychology, philosophy to sociology, these fields help us understand the human side of the equation, and individuals with a background in the liberal arts naturally leverage creative and abstract thinking to match the minds of black hats.

The Future of Cyber Teams
To contend with adversaries who are becoming more abstract in their attack planning and execution, security teams must blend traditional disciplines (computer science, network engineering, coding, etc.) with nontraditional skills. Some of the most important qualities in the future cybersecurity analyst are critical soft skills — such as curiosity and an ability to handle stress and chaos.

Moreover, diversity on your team is key. Not every individual on your team may think alike, but they’re all working toward a shared goal: to protect critical data and organizations that house that data — and that’s invaluable. To put up a true fight against adversaries, organizations can’t just rely on diverse and cutting-edge technologies. Organizations will need to also put their faith in people with diverse expertise and backgrounds with a common goal and team mindset to survive in this next generation of cyber threats.

Chris Schueler is senior vice president of managed security services at Trustwave where he is responsible for managed security services, the global network of Trustwave Advanced Security Operations Centers and Trustwave SpiderLabs Incident Response. Chris joined Trustwave …

Article source: https://www.darkreading.com/threat-intelligence/tomorrows-cybersecurity-analyst-is-not-who-you-think/a/d-id/1334912?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Funding Values KnowBe4 at $1 Billion

The $300 million investment is being led by KKR.

KnowBe4, a security simulation and training company, has announced it will receive a $300 million investment round, raising its total valuation to $1 billion.

The latest round of funding is being led by KKR, through its Next Generation Technology Fund, with participation from existing investors Elephant and TenEleven Ventures.

In a statement announcing the investment, KnowBe4 said it anticipates using the new funds for global growth initiatives and platform development.

KnowBe4 provides a platform for training employees to recognize phishing messages and other social-engineering attacks.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/new-funding-values-knowbe4-at-$1-billion/d/d-id/1334950?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CrowdStrike Prices IPO Above Range at $34

The endpoint security firm raised $612 million ahead of today’s public debut.

CrowdStrike today marked its first day of public trading, opening at $63.50 after pricing its IPO at $34 per share and exceeding the expected range of $28 to $30 per share, analysts report.

The cloud-based endpoint security firm, operating on the Nasdaq under the symbol “CRWD,” raised $612 million ahead of its debut with its initial public offering of 18 million Class A shares priced at $34 each. If it had stuck with the high end of its original range, CrowdStrike would have raised more than $600 million, according to its preliminary prospectus.

According to Bloomberg, shares rose as much as 97% from their initial price to hit $67, and stock was up 83% before noon – putting CrowdStrike at a valuation of about $12.2 billion.

The company was founded in 2011 by chief executive George Kurtz and chief technology officer Dmitri Alperovich, who wanted to address the inefficiencies of legacy security tools on the market. It most recently completed its Series E and has raised a total of $481 million in funding. CrowdStrike was valued at $3 billion in its last private funding round of $200 million last June.

When it was founded, relying on the cloud was risky, Kurtz notes. “Betting big on the cloud – widely considered risky at the time – allows us to ensure a rapid and seamless delivery of innovation and new features to always stay a step ahead of emerging threats,” he said in a statement.

Revenue has been ramping up at CrowdStrike, which reported $249.8 million in revenue in the 2019 fiscal year ending January 31, with a net loss of $140.1 million. That’s up from $118.8 million in revenue and a net loss of $135.5 million during the same period a year prior. Customers include 44 of the Fortune 100 companies and nine of the top 20 major banks, CrowdStrike says.

Lead underwriters on CrowdStrike’s offering include Goldman Sachs, J.P. Morgan, Bank of America Merrill Lynch, and Barclays.

Hank Thomas, CEO of Strategic Cyber Ventures, has been excited about CrowdStrike’s IPO “since before they announced it,” he says.

“CrowdStrike proved to me they were the best in the business years ago when they became the gold standard for incident response for mega breaches,” he explains. Its threat intel, talent, and marketing have made it stand out, he added. There will only be a few major players emerging in cybersecurity, Thomas predicts; CrowdStrike will be one of them.

The offering is expected to close on Friday, subject to customary closing conditions.

But what’s coming next for cybersecurity IPOs this year? Now that “the ice has been broken,” as Thomas explains, he anticipates more. “The market and timing [are] right, and with rumors of a looming recession there [is] increased pressure to go public now.” In addition to more IPOs, Thomas predicts we’ll continue to see cybersecurity acquisition news throughout 2019.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/crowdstrike-prices-ipo-above-range-at-$34/d/d-id/1334951?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hackers stole photos of travelers and license plates from subcontractor

Images of travelers and license plates that a subcontractor copied from a database maintained by the US Customs and Border Protection (CBP) to his own network have been ripped off by hackers, the agency confirmed on Monday, adding yet more reasons for critics to warn about the perils to privacy that come with the government’s burgeoning use of facial recognition (FR) surveillance technologies.

A CBP spokesperson told news outlets that the agency learned on 21 May 2019 that the subcontractor “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”

That transfer was done in “violation of CBP policies and without CBP’s authorization or knowledge,” the spokesperson said.

First hop: improperly copied to the contractor’s network. Second hop: hacked away by malicious actor(s). The CBP spokesperson:

The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

All eyes turn to Perceptics

If it’s got any more details, the CBP isn’t giving them out. The agency hasn’t publicly named the subcontractor, nor exactly how many photos were involved.

However, it sounds like a dead ringer for the Perceptics breach confirmed last month. Perceptics is one of the US’s most widely used vehicle license plate reader (LPR) companies and designed the license plate imaging systems used at the US border crossings with Mexico and Canada.

The Washington Post reports that on Monday, its reporters received a Microsoft Word document of CBP’s public statement that included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

An anonymous US official told the newspaper that the Perceptics breach is being described inside CBP as a “major incident.” That official also said that Perceptics was attempting to use the data to refine its algorithms to match license plates with the faces of a car’s occupants, which is outside of CBP’s sanctioned use. The Post’s source said that the data involved travelers crossing the Canadian border.

When it reported about the Perceptics breach last month, Motherboard’s Vice noted that a Perceptics slide presentation from 2016 described how its readers and cameras are designed to be combined with federal “biographic/passport data” of passengers in vehicles passing through border crossings.

Not for sale – yet

We don’t know whether the breach announced by the CBP on Monday does in fact involve Perceptics. What we do know is that the images haven’t been put up for sale on the Dark Web… yet.

From the CBP’s statement:

As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident.

Though the data wasn’t up for sale as of Monday, the breach shows that this type of data is of interest to hackers.

A CBP official told The Hill that initial reports indicate that the breach involved images of fewer than 100,000 people in vehicles coming and going through a few specific lanes at a single port of entry into the US over the past one-and-a-half months.

The breach didn’t involve those people’s identifying information, nor their passport or other travel document photos. The official said that no airline passengers’ photos were involved in the breach.

Critics: Slow down your FR roll

Last week, the General Accountability Office (GAO) said that the FBI’s FR office can now search databases containing more than 641 million photos, including 21 state databases – a number that’s ballooned from the 412 million images the FBI’s Face Services unit had access to at the time of the report the GAO did three years ago.

During those three years, the FBI has failed to implement all but one of six recommendations the GAO had regarding privacy protection, FR data quality, and determining whether facial database searches actually lead to enough positive matches to warrant the technology’s use.

Neema Singh Guliani, a lawyer with the ACLU, said in a statement that the breach announced on Monday is further proof that the government should be throttling its lust for FR:

This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers. This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.

For his part, Senator Ron Wyden said in a statement that if the government’s going to collect this data, it should be responsible for protecting it, whether the data resides in its own systems or in those of its contractors.

These vast troves of Americans’ personal information are a ripe target for attackers.

Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ayoUv2geWYo/

Radiohead releases ‘OK Computer’ sessions that hacker tried to ransom

Well, bless your heart, the band Radiohead said after it was hacked and asked to pay a ransom for 18 hours of unheard music – a request that it eschewed, instead releasing the music on Bandcamp in order to aid Extinction Rebellion.

Want it? Here you go. It will cost you an £18 (around $23) donation to aid the climate advocacy group.

The extortionist demanded $150,000 after stealing 18 hours of music last week, according to a tweet from Radiohead guitarist Jonny Greenwood on Tuesday. It was stolen from Radiohead frontman Thom Yorke’s archive from around the time of the release of the 1997 album OK Computer.

Act fast: this offer won’t last. Greenwood said it’s good only for the next 18 days.

So for £18 you can find out if we should have paid that ransom.

Though the music wasn’t intended for public consumption and is only “tangentially interesting,” Greenwood said, some clips did reach the cassette in the OK Computer reissue. Not only is it not particularly interesting, it’s also “very, very long,” he said – “not a phone download.”

One last blasé shrug from Greenwood:

Rainy out, isn’t it though?

What to do if you’re not Radiohead

While Radiohead may have had good reason to believe their extortionist was genuine, most threats are bogus.

Some emails threaten to wreck your website’s reputation by sending millions of emails from your domain, leave boatloads of derogatory reviews about your site, and understandably alarm business owners.

Whether it’s your business or personal reputation under fire, if there’s no proof (and no, just revealing your password doesn’t count) accompanying the email, it’s a fake. Ignore it. A real extortionist will try again, next time with something tangible to get you to pay up.

While it’s a treat to see a hacker get slapped like a mosquito, many victims of genuine digital extortion don’t feel they have the luxury of that type of go-jump-off-a-cliff response.

Those can be frightening prospects, but you have to bear in mind that going along with the crook’s demands is no guarantee that they’ll actually, say, delete the material they’re dangling over your head, or release systems seized in a ransomware attack. There’s no guarantee that if you do pay a ransom, the crooks won’t come back for more.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Bysjp6da8fE/

FBI warns users to be wary of phishing sites abusing HTTPS

Would you trust a website simply because the connection to it is secured using HTTPS backed by the green padlock symbol?

Not if you’re informed enough to understand what HTTPS signifies (an encrypted, secure connection with a server) and doesn’t signify (that the server is therefore legitimate).

This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.

Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.

Unfortunately, cybercriminals have spotted the confusion about HTTPS, which accounts for the growing number of phishing attacks deploying it to catch people off guard. The FBI alert confirms:

They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.

How we got here

Today, all competently managed websites use HTTPS, a big change from even a handful of years ago when its use was limited overwhelmingly to sites either allowing password login or conducting transactions as required by the industry PCI-DSS card standard.

What supercharged the use of SSL/TLS certificates and HTTPS was Google’s insistence from 2015 that its presence would become a positive signal for its search engine algorithms.

Suddenly, not having an HTTPS site became a negative. In 2018, Google’s Chrome and many other big-name browsers including Firefox and Edge started dropping even more forthright hints by marking non-HTTPS sites as ‘not secure’ in the address bar.

Website owners got the message and so, in a mangled way, did web users – HTTPS was henceforth good and the lack of it at best lazy and perhaps even downright bad.

Predictably, criminals took the hint, which explains the surge of phishing sites that started serving their pages over HTTPS around 2017.

That’s the frustrating thing about the FBI’s latest warning – criminals laundering their sites using the cover of HTTPS is nothing new. Two years on from those early red flags and the problem has simply got worse.

One could argue that the confusion is a problem of the industry’s making because it spent years pushing the idea of the security benefits of HTTPS without properly explaining its limits.

The worry now is that attackers are moving beyond this crude ruse and are on to abusing domains backed by legitimate certificates.

Only days ago, security company AppRiver documented how attackers have started abusing Microsoft Azure’s Custom Domain Name registrations to host what are, in effect, fully credentialled phishing sites.

It’s important to make clear that HTTPS remains a good thing because it secures traffic from prying eyes. It’s simply that, as with the related problem of rogue VPNs, the presence of an encrypted connection should not be understood as a security guarantee on its own.

Beating the phishers

Beyond not blindly trusting HTTPS domains, the FBI recommends checking for misspellings in domain names.

We’d add that users should be wary of any link that arrives in an email and defend themselves from losing credentials by turning on multi-factor authentication (2FA) everywhere it’s offered.

It’s also a good idea to use a desktop password manager which checks the validity of domains before offering to autofill credentials. If it doesn’t present credentials, that could be a giveaway that something isn’t right about a site.
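The two checks recommended above, an exact origin match before autofill and a look-alike test for misspelled domains, as an added example that is not code from the FBI alert, Naked Security or any password manager; the hosts, the two-label registrable-domain approximation and the edit-distance threshold are constructed assumptions:

```python
"""Origin matching and look-alike domain checks for credential autofill.

Added example, not code from the FBI alert, the article, or any
password manager. Only offer saved credentials on an exact origin
match, and warn when a host is a near miss for a domain the user knows.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Normalise a URL to (scheme, host, port); raise on anything unusable."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported URL: %r" % url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]  # .port raises ValueError if malformed
    return (parts.scheme, parts.hostname.lower().rstrip("."), port)


def should_autofill(saved_url, page_url):
    """Offer a saved credential only when scheme, host and port all match.

    The padlock plays no part here: a phishing page served over valid
    HTTPS on a different host simply fails the comparison.
    """
    try:
        return origin(saved_url) == origin(page_url)
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host (assumption: no public suffix list is consulted)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host, trusted_domains, max_distance=2):
    """Return the trusted domain that `host` resembles, or None.

    Signals, in order: the host genuinely belongs to a trusted domain
    (not a look-alike); the trusted brand appears as a label elsewhere
    in the name (example.com.evil.test); the registrable part is within
    a couple of edits of the trusted domain (exarnple.com).
    """
    host = host.lower().rstrip(".")
    reg = registrable(host)
    labels = host.split(".")
    for trusted in trusted_domains:
        if reg == trusted.lower():
            return None
    for trusted in trusted_domains:
        trusted = trusted.lower()
        brand = trusted.split(".")[0]
        if brand in labels:
            return trusted
        if edit_distance(reg, trusted) <= max_distance:
            return trusted
    return None


if __name__ == "__main__":
    saved = "https://www.example.com"  # constructed stored-credential origin
    for page in ("https://www.example.com/login", "https://www.exarnple.com/login",
                 "https://example.com.evil.test/login", "http://www.example.com/login"):
        host = urlsplit(page).hostname
        print(page, should_autofill(saved, page), lookalike_of(host, ["example.com"]))
```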

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BhTLAcjwQEs/

Critical Adobe Flash player bug and more in June’s Patch Tuesday

June’s Patch Tuesday is out, featuring 88 CVE-level fixes, including 21 rated critical. Adobe, meanwhile, fixes several critical vulnerabilities, including a flaw in Adobe Flash Player marked critical because it could be exploited remotely.

Adobe published a patch for a Flash Player bug (CVE-2019-7845), affecting versions 32.0.0.192 and earlier, that lets an attacker exploit the program through a malicious website or an ActiveX control. A successful attacker could run their own code remotely as the current user. The bug affects the Flash Player desktop runtime on Windows, macOS and Linux, along with the Google Chrome, Microsoft Edge, and IE 11 Flash Player plugins.

Also out from Adobe on Tuesday was a fix for critical vulnerabilities in its ColdFusion rapid web application development product. CVE-2019-7838 enables an attacker to bypass a file extension blacklist when uploading a file, while CVE-2019-7839 is an unspecified command injection vulnerability. The third, CVE-2019-7840, is a bug that allows for deserialization of untrusted data (deserialization means unpacking data from a format used to send it somewhere efficiently).

Finally, Adobe patched a critical vulnerability in its Campaign product for marketing professionals which could allow for remote code execution via a command injection flaw. It fixed this vulnerability (CVE-2019-7850) along with several other flaws rated either moderate or important.

Microsoft Edge

Microsoft’s other critical bug this month was in the scripting engine underpinning Microsoft Edge. This is the program that processes scripting languages like JavaScript. The engine doesn’t handle objects properly when running scripts in the Edge browser, meaning that a malicious website could cause it to spill its memory contents.

This bug (CVE-2019-0990) is considered critical on Microsoft Windows 10, and exploitation is likely, the company said. Versions of the bug also affect ChakraCore, Microsoft’s open source JavaScript virtual machine project.

All Microsoft browsers

A memory handling bug in Microsoft browsers could enable attackers to snoop on memory by persuading the user to view malicious content on a website. The bug, CVE-2019-1081, is ranked as important but exploitation is less likely, Microsoft says.

Jet Database

Microsoft fixed a remote code execution (RCE) bug in the Jet database, which underpins several Windows-related services and products. This bug (CVE-2019-0904 through 0909) allows an attacker to compromise a system by persuading someone to open a specially crafted file. It affects Windows 7 through 10, along with Windows Server 2008 through 2019. It gets an ‘important’ severity ranking and is less likely to be exploited, the company said.

Windows GDI

The Windows graphics device interface (GDI) is an intermediary between applications and graphical output devices like the video display and the printer. When software wants to display or print graphics, it does so via the GDI.

The bug (CVE-2019-0968, 0977, 1009-1013, 1015-1016, 1046-1050) causes the GDI to reveal what’s in its memory if given a suitably-crafted document or web page. Microsoft ranks it as important, but exploitation is unlikely. Products ranging from Windows 7 to 10 are vulnerable.

Sharepoint

Microsoft’s SharePoint collaboration server sometimes fails to sanitize web requests. This can lead to cross-site scripting (XSS) attacks, Microsoft warned, enabling an attacker to run their own scripts as the current user. They could read and delete unauthorized content, change permissions, and inject malicious content into the user’s browser.

This bug has an ‘important’ severity rating but exploitation is less likely, according to the technical notes. Versions of it (from CVE-2019-1031 through 1033 and 1036), affect various SharePoint-related releases, and Microsoft Project Server 2010.

Word

This memory-handling vulnerability in Word (CVE-2019-1034 through 1036) enables attackers to run arbitrary code by persuading users to open a specially-crafted file or website. Although it’s an RCE bug, Microsoft still only gives it an ‘important’ rating and says that exploitation is less likely.

Windows Kernel

A memory bug in the Windows kernel enables an attacker with the right code to snoop on memory in a user mode process running in the kernel space. This could provide information leading to further compromise of the system, Microsoft warns, but exploitation is less likely. The bug, CVE-2019-1039, gets an ‘important’ rating.

Windows Event Viewer

Microsoft fixed a bug in the Windows Event Viewer, which is the Windows utility that shows logs of application and system messages. The Viewer includes a function that reads XML files. An attacker that sent a specially-crafted XML file could read arbitrary files on the host. This one gets a ‘moderate’ severity rating.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8DKL8NpAaMs/

Predicting Vulnerability Weaponization

Advances in data science are making it possible to shift vulnerability management from a reactive to a proactive discipline.

Keeping pace with the endless deluge of security vulnerabilities has become one of the truly Sisyphean tasks for enterprise IT and security teams. Every operating system, device, and application is a potential source of vulnerabilities. This can include the traditional laptops and servers that power an organization but also extends to virtual machines, cloud-based assets, Internet of Things, mobile devices, and the list goes on.

To make matters worse, the rate at which new vulnerabilities are being discovered has accelerated. A quick check of the National Vulnerability Database (NVD) shows that historically the industry would expect to see around 5,000 to 7,000 common vulnerabilities and exposures (CVEs) released each year. However, in 2017 that number spiked to 14,649, continued to climb to 16,515 in 2018, and shows no signs of slowing down. These numbers are likely underrepresenting the total number of vulnerabilities in the real world given that many platforms are not covered by CVE Numbering Authorities (typically, these are vendors or researchers that focus on specific products).

Weaponization Is the Key
However, not every vulnerability becomes weaponized (abused by an exploit or malware). In fact, most don’t. Of the more than 120,000 total vulnerabilities tracked by the NVD, fewer than 24,000 have been weaponized. As a result, many organizations are turning to analytics and risk-based vulnerability management to prioritize those that are weaponized and have the highest impact.

Even this approach is somewhat reactive in that it relies on the attackers making the first move in the wild. New innovations are starting to change this equation. By applying data science and machine learning to vulnerabilities, researchers are increasingly able to predict which vulnerabilities will be weaponized even before threats are seen in the wild.

Let’s take a look at how it works.

The Art and Science of Predicting Weaponization
Needless to say, the details underlying predictive models of weaponization can get quite complex. However, we can understand the basic logic behind them without diving into the specific algorithms and analysis.

First, it’s important to curate the right data set. Simply having large amounts of data is not enough — we also need to have broad context around a vulnerability. For example, we will want to know a variety of details underlying a vulnerability such as the traits that contributed to its risk score, the underlying weakness that led to the vulnerability itself, how it would be abused in the context of an attack, the types of assets that it is likely to affect, and more.

For instance, Common Vulnerability Scoring System (CVSS) scores rely on a variety of base metrics to rate a vulnerability. Likewise, Common Weakness Enumeration (CWE) data provides insight into the underlying weakness of a vulnerability, and Common Platform Enumeration (CPE) gives similar insight into the platform. Each of these perspectives can be highly predictive in their own right but become far more powerful as we learn to correlate across them. 

Exploitability and Impact
CVSS scores are built on a few base metrics that provide insight into the difficulty of exploiting a vulnerability and the impact that an exploit would have on a target. Obviously, from an attacker’s perspective, the fewer constraints on an exploit and the higher the impact, the better. For example, a vulnerability that can be exploited remotely over a network is more valuable than one that requires the attacker to be on the local network or that requires user interaction in order to execute. 

Likewise, low attack complexity can greatly increase the chances that a vulnerability will be weaponized. Low complexity typically means that the attack simply works without that attacker needing to perform additional steps such as collecting local information. Privileges also play an important role. Many exploits will simply maintain the privileges of the targeted user or application.

However, vulnerabilities that can escalate the attacker’s privileges to an admin or system level become highly strategic for an attacker. Identifying low-complexity attacks that either have remote code execution or privilege escalation is often a good start to predicting if a vulnerability will be weaponized.

Feeding the AI Engine
With a data set established, we need analytical models to gain predictive insights. By looking at historical weaponization trends, we can train algorithms to look across diverse types of data and identify the combination of traits that best predicts which vulnerabilities will be weaponized by attackers in the wild. Just as importantly, this approach can predict the speed at which a given vulnerability is likely to be weaponized. 

The end goal of this analysis is to allow security and IT teams to prioritize patching the few vulnerabilities that will actually become threats. Put another way, the goal is to find needles in the haystack before they even become needles.

Ultimately, predictive models should not be considered a perfect answer on their own. They can, however, help make vulnerability management a much more proactive discipline, where instead of constantly playing to catch up to attackers, defenders gain a first-mover advantage.
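The paragraphs above describe training on historical weaponization data so that a model learns which combination of traits predicts in-the-wild exploitation. The following added example, not RiskSense's model or the article's, shows the simplest form of that idea: a naive Bayes classifier over categorical traits (CVSS attack vector, complexity, privileges, and CWE class) fitted on a constructed history of labelled vulnerabilities and then used to rank new ones. The history records and candidate vulnerabilities are constructed, and naive Bayes is this example's stand-in for the unnamed analytical models in the text.

```python
"""Trait-based weaponization ranking, added as an illustration (not RiskSense's model).

HISTORY is constructed; naive Bayes stands in for the article's unnamed models.
"""
import math
from collections import Counter

# Constructed history: categorical traits per vulnerability and whether an in-the-wild
# exploit was later observed. Trait names mirror CVSS base metrics plus a CWE class.
HISTORY = [
    ({"AV": "N", "AC": "L", "PR": "N", "CWE": "CWE-787"}, True),
    ({"AV": "N", "AC": "L", "PR": "N", "CWE": "CWE-94"}, True),
    ({"AV": "N", "AC": "L", "PR": "L", "CWE": "CWE-269"}, True),
    ({"AV": "L", "AC": "L", "PR": "L", "CWE": "CWE-269"}, True),
    ({"AV": "N", "AC": "H", "PR": "N", "CWE": "CWE-787"}, False),
    ({"AV": "L", "AC": "H", "PR": "H", "CWE": "CWE-200"}, False),
    ({"AV": "N", "AC": "L", "PR": "N", "CWE": "CWE-200"}, False),
    ({"AV": "A", "AC": "H", "PR": "L", "CWE": "CWE-400"}, False),
    ({"AV": "L", "AC": "L", "PR": "H", "CWE": "CWE-200"}, False),
    ({"AV": "N", "AC": "L", "PR": "N", "CWE": "CWE-78"}, True),
]


class TraitModel:
    """Naive Bayes over categorical traits with Laplace smoothing.

    Smoothing keeps a trait value never seen alongside weaponized records (e.g. a new
    CWE class) from forcing the probability to exactly zero.
    """

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_counts = Counter()
        self.trait_counts = {True: Counter(), False: Counter()}
        self.trait_values = {}  # trait name -> set of values seen in training

    def fit(self, history):
        for traits, label in history:
            self.class_counts[label] += 1
            for name, value in traits.items():
                self.trait_counts[label][(name, value)] += 1
                self.trait_values.setdefault(name, set()).add(value)
        return self

    def _log_likelihood(self, traits, label):
        ll = math.log(self.class_counts[label] / sum(self.class_counts.values()))
        for name, value in traits.items():
            k = len(self.trait_values.get(name, ())) + 1  # +1 leaves room for unseen values
            count = self.trait_counts[label][(name, value)]
            ll += math.log((count + self.alpha) / (self.class_counts[label] + self.alpha * k))
        return ll

    def probability(self, traits) -> float:
        """P(weaponized | traits), computed in log space to avoid underflow."""
        lt = self._log_likelihood(traits, True)
        lf = self._log_likelihood(traits, False)
        return 1.0 / (1.0 + math.exp(lf - lt))

    def rank(self, candidates):
        """Order (id, traits) pairs from most to least likely to be weaponized."""
        return sorted(candidates, key=lambda c: self.probability(c[1]), reverse=True)


# Constructed, unlabelled vulnerabilities to prioritise.
CANDIDATES = [
    ("NEW-1", {"AV": "N", "AC": "L", "PR": "N", "CWE": "CWE-787"}),
    ("NEW-2", {"AV": "L", "AC": "H", "PR": "H", "CWE": "CWE-200"}),
    ("NEW-3", {"AV": "N", "AC": "L", "PR": "N", "CWE": "CWE-200"}),
]


def rank_candidates(history=HISTORY, candidates=CANDIDATES):
    """Fit on history and return candidate ids in patch-priority order."""
    model = TraitModel().fit(history)
    return [vid for vid, _ in model.rank(candidates)]


if __name__ == "__main__":
    model = TraitModel().fit(HISTORY)
    for vid, traits in model.rank(CANDIDATES):
        print(f"{vid}: P(weaponized) = {model.probability(traits):.2f}")
```

NEW-1 and NEW-3 share every CVSS trait; only the CWE class separates them, and the history pushes NEW-3 down because information-disclosure weaknesses were never weaponized in the training set. That is the cross-source correlation the article argues for, and also its limitation: with ten records the estimate is only as good as the history, which is why the text treats such models as prioritisation aids rather than answers.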

Dr. Srinivas Mukkamala is co-founder and CEO of RiskSense and a former advisor to the U.S. Department of Defense and U.S. Intelligence Community. He is an expert on malware analytics, breach exposure management, web application security, and enterprise risk reduction. Dr. …

Article source: https://www.darkreading.com/threat-intelligence/predicting-vulnerability-weaponization/a/d-id/1334919?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What 3 Powerful Women Teach Us about Cybersecurity

Imagine Game of Thrones’ Daenerys Targaryen, Arya Stark, and Cersei Lannister on the front lines in the real-world battleground of enterprise security.

Season 8 of the award-winning and critically acclaimed HBO Game of Thrones series ended a long, exciting saga spanning almost a decade, keeping viewers spellbound by the citizens of Westeros and Essos. It was dominated by three powerful women: Daenerys Targaryen, Arya Stark, and Cersei Lannister. Each of these fictional leaders has a lesson for us in the real world of cybersecurity.

Lesson 1: Security policies shouldn’t lay waste to user productivity.
First is Daenerys Targaryen. As Daenerys evolves through the series — and gets kicked around by everyone — she finally gives in to her worst instincts. In the end, she unleashes her most formidable weapon, Drogon, her last dragon, in an epic example of overkill, burning to the ground the very center of power she coveted: King’s Landing and the Iron Throne. Cybersecurity leaders, who live day to day with the frustrations of managing enterprise security, can take a lesson from Daenerys in how to avoid implementing heavy-handed policies.

For example, if an employee triggers a security incident by opening an Excel file from an unknown email sender, you would never implement a total ban on the use of Excel. Similarly, punitive measures against users who repeatedly fail a phishing test would not be a productive response. Nor would you excoriate the user for their stupidity, however tempting. You want the organization on your side, including your most valuable allies in the various lines of business and the C-suite. After all, you don’t need stealth IT to rise from the ashes of a scorched earth policy or an army of disgruntled users attacking your rear flank. Rather than chastising users or calling them out, help them by reinforcing the value of security training.

Lesson 2: Value your eccentrics and white hat hackers.
Up next is Arya Stark, who wields a small sword in her left hand, is wolf-blooded, impulsive, and “always difficult to tame.” She offers a metaphor for staffing challenges in the face of ever-more-sophisticated criminals probing your attack surface with innovative new types of malicious code and delivery mechanisms. As defending your corporate networks becomes more and more of a black art, you need the small players and specialists like Arya, who was bored by embroidery and other “lady-like” pursuits. These brilliant minds may be fascinated by cyber war and training in the use of technical arms. Also, like Arya, they may not care about the throne. They may not be ready for leadership roles, but their specialized skills can be invaluable in key individual contributor roles.

What’s more, when you embrace diversity and welcome the nonconformist into your team, it could pay handsomely in knowledge and the building of problem-solving tools. An unconventional employee, for example, might be the penetration tester who saves you when hackers launch what amounts to your cyber battle of Winterfell. Seek out the strengths of your analysts; that person may have the ability to think like a criminal or a bad actor, and may even have the cybersecurity equivalent of a Valyrian steel dagger up her sleeve when it’s needed.

Lesson 3: Be careful when you engage your adversary by hacking back.
Hail Cersei Lannister, the First of Her Name and Protector of the Seven Kingdoms — and our third and perhaps strongest woman leader in GoT. Well, at least she was until she made the fateful mistake of provoking Daenerys to attack King’s Landing by killing her friend, Missandei. We know that didn’t work out so well. It’s the same mistake many IT professionals make when they embark on offensive security: They underestimate the will and tenacity of the enemy, who often has little to lose.

The popularity of offensive hacking — counter-attacking a hacker as deterrence — is betrayed by the lack of offensive hacking courses available. So, consider well before taking your armies down this road. First of all, there are legal issues around hacking anyone — even a criminal or part of your own organization. An even more important consideration when triggering your cyber enemies: You have only a few people who are most likely already stretched thin defending a large attack surface. And on the other side of your firewall? There may be a provoked adversary with time, numbers, technology, and persistence on their side. Once you engage them, be prepared to survive an onslaught. Cersei, too, had a wall. But it didn’t offer much protection against a flying, fire-breathing dragon, and an endless stream of the Unsullied and Dothraki.

Orion Cassetto, senior product maester at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize …

Article source: https://www.darkreading.com/cloud/what-3-powerful-got-women-teach-us-about-cybersecurity--/a/d-id/1334906?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It is with a heavy heart that we must report that your software has bugs and needs patching: Microsoft, Adobe, SAP, Intel emit security fixes

Patch Tuesday Microsoft, Adobe, Intel, and SAP have all emitted their latest Patch Tuesday batch of security fixes. Users and admins are encouraged to test and install the updates as soon as humanly possible.

For those running Windows and Windows Server, you’ll be interested in as many as 88 CVE-listed flaws that need addressing in Microsoft’s products.

According to analysts at the Zero Day Initiative, a priority for admins should be a collection of four elevation-of-privilege vulnerabilities found in Windows Shell (CVE-2019-1053), Task Scheduler (CVE-2019-1069), Windows Installer (CVE-2019-0973), and AppX Deployment Service (CVE-2019-1064).

None of the four holes are being actively exploited by hackers, according to Microsoft, though exploits are public, hence ZDI flagging them up. (SandboxEscaper has been releasing exploit code attacking Task Scheduler and other Windows components to achieve privilege elevation, and these patches shut four of those exploits down.)

There are also patches for critical remote code execution bugs in Edge and Internet Explorer, a Patch Tuesday staple. A dirty dozen of RCE holes are cleaned up in the Chakra Scripting Engine and Microsoft browser scripting engine used by Edge and IE. Each bug can be potentially abused by miscreants to execute code on a vulnerable machine simply by having the user view a poisoned webpage.

Also catching the eye of security experts is CVE-2019-0941, a denial-of-service vulnerability in Microsoft’s IIS web server that would potentially allow an attacker to knacker the service by abusing the software’s request filtering feature. Though DoS bugs are not usually considered serious flaws, the fact IIS servers face the public internet makes this programming blunder an irritating concern.

“Note that it would not take down the entire server,” explained Dustin Childs of the ZDI. “Still, if the page attacked handles a critical function – like payment processing – the exploit effects could be significant. IIS security bugs aren’t as common as they once were, but don’t let that fact delay rolling this patch out to affected servers.”

Speaking of annoying denial-of-service bugs… Google Project Zero has released a proof-of-concept security certificate that when processed by Windows will cause the code to go into an infinite loop, requiring a reboot in certain circumstances. No patch exists for it right now.

Google reported the vulnerability privately to Microsoft with a 90-day deadline to fix it. Redmond planned to release a fix this month, within Google’s time limit, then pushed the update back to July for more testing, thus missing the deadline. And so Google went full disclosure today.

“I’ve been able to construct an X.509 certificate that triggers the bug,” noted Googler Tavis Ormandy. “I’ve found that embedding the certificate in an S/MIME message, Authenticode signature, schannel connection, and so on will effectively DoS any Windows server (e.g. IPSEC, IIS, Exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”

This means it’s possible to knacker Windows-based PCs and servers by asking them to process an attacker-supplied certificate. We await Microsoft’s update next month.

Three security holes (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) were patched in Hyper-V that, if exploited, would allow an attacker to escape their virtual machine and run malicious software on the host server.

Office was not spared this month, either. Microsoft posted fixes for two (CVE-2019-1034, CVE-2019-1035) code execution flaws in Word that would be triggered by convincing a victim to open a booby-trapped Office file.

Finally, Microsoft posted a series of three advisories for flaws in Bluetooth Low Energy, HoloLens, and Exchange Server.

Adobe patches Flash, ColdFusion, and Campaign

For those who haven’t yet gotten around to removing Adobe’s notoriously bug-prone Flash Player from their machines, June brings a fix for CVE-2019-7845, a use-after-free vulnerability that can be exploited for remote code execution.

Adobe Campaign Classic, a business marketing tool, has been patched to kill off seven CVE-listed vulnerabilities. The most serious of the bugs, CVE-2019-7850, allows for code execution via command injection. Five others can lead to information disclosure, and another can be exploited to achieve arbitrary file-read access.

ColdFusion-using developers will want to make sure they have June’s update to protect against three CVE-listed vulnerabilities (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840), all potentially allowing code execution.

SAP addresses HANA, Solutions Manager

For those running SAP platforms, June brings with it 11 security notes, including Note 2748699 describing an information disclosure bug in Solution Manager that could allow an attacker to create new privileged accounts and Note 2637997, a cross-site scripting flaw in BusinessObjects.

“A remote unauthenticated attacker could craft a malicious URL capable of running arbitrary JavaScript code in the victim’s web browser, potentially allowing the attacker to have administrative access,” explained Sebastian Bortnik, director of research with Onapsis, a security company specializing in tools and services for SAP.

Finally, while you are updating your Adobe, Microsoft, and SAP software, it’s a good idea to check mobile devices for the latest Android security updates posted last week. ®

And finally, finally… Intel has a bunch of security fixes available from today tackling vulnerabilities ranging from denial-of-service to escalation of privilege.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/11/patch_tuesday/