STE WILLIAMS

Firefox fires blocks at trackers, Exim tackles 7-day remote flaw, and RDP pops up yet again

Roundup It wasn’t just fake CIA agents, database mega-hacks and Bing flings in the security world last week. Here are a few tidbits beyond what you’ve read in El Reg, among them a seven-day vuln and the scummy BlackSquid.

Exim bug resurfaces with improbable exploit

Are you running the latest version (4.9.2) of Exim on your Linux box? If so, you can go ahead and skip down to the next item, because you’re already clear of danger.

Everyone else may want to consider updating, because older versions of the Linux mail server have been found to contain a command execution vulnerability that has now been confirmed to be remotely exploitable.

The bug, initially thought only to be locally exploitable, was first addressed in February of this year when the latest Exim build was released. At the time, it was not considered to be a major security issue, but rather a minor bug that wouldn’t need to be addressed in older versions.

Fast-forward to May 25, when a team at Qualys discovered a way to remotely exploit the bug to execute commands. This necessitated a patch from Exim that was slated to arrive on June 11, but had to be moved up to the 5th after the issue was made public.

Fortunately, there is little actual danger of exploit at this moment, thanks to the complicated nature of the attack. Actually exploiting the vulnerability would take around seven days of continuous connection to the attack server. Still, it would be a good idea to update your software sooner rather than later.

Firefox smacks down trackers

Mozilla is continuing the campaign to paint itself as the good guy of the browser world by emphasizing privacy protections. This time, it is a new rule in Firefox that blocks third-party web trackers by default.

While it won’t make advertisers or marketing heads happy, the new setting will appeal to users tired of having their comings and goings monitored by sketchy sites and ad agencies. Mozilla is also going out of its way to assure users the new feature won’t break their favorite sites.

“Because we are modifying the fundamental way in which cookies and browser storage operate, we’ve been very rigorous in our testing and roll-out plans to ensure our users are not experiencing unforeseen usability issues,” said Mozilla’s Peter Dolanjski.

“If you’re already using Firefox and can’t wait, you can turn this feature on by clicking on the menu icon marked by three horizontal lines at the top right of your browser, then Content Blocking.”

SandboxEscaper strikes again with Edge EoP disclosure

Bug-hunter SandboxEscaper has once again lived up to their moniker by disclosing an exploit that lets users break account protections via a race condition in Edge. The researcher has posted details and a video PoC showing how the flaw can be used to allow an unprivileged user to get admin privileges.

Apple loosens MDM rules for parental control

The notorious control freak Apple has decided to ease up a bit on the restrictions it placed around mobile device management (MDM) tools. In this case, the Cupertino iPhone maker is allowing some parental control tools to once again use its MDM APIs, provided they agree to strict privacy protections. Privacy concerns had previously caused Apple to block several parental control tools it deemed were posing a risk to kids.

Citrix gets sued in fallout from employee data leak

Enterprise software house Citrix is the defendant in a class-action complaint accusing it of mishandling the sensitive data of its employees.

Their details were among the 6TB of data apparently pilfered by Iranian hackers. The complaint, filed on behalf of all employees whose data was included in the leak, seeks a jury trial to determine damages, but more likely will be dismissed or settled long before that happens.

Android malware did slip into a phone factory after all

Back in 2017, researchers found that a handful of Android phones appeared to be shipping with a piece of adware already installed. This week, that was confirmed when Google admitted hackers had managed to get the malware into the firmware at the factory level. Fortunately, the phones in question (Leagoo M5/M8 and Nomu S10/S20) weren’t particularly popular, so the outbreak wasn’t catastrophic.

Yet another RDP attack surfaces

No, you’re not having déjà vu and we aren’t just getting around to BlueKeep. This week an entirely new issue in Windows Remote Desktop was disclosed, when Joe Tammariello of SEI showed that an attacker could circumvent a locked RDP session by interrupting and resuming the network connection, thus forcing the session to be unlocked.

Microsoft, however, says this is not a bug, but rather its networking protocols working as designed:

“After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA). Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA).”

To prevent this trick, Microsoft recommends disconnecting RDP sessions when finished, rather than just locking them down.

BlackSquid attack darkens the waters of cryptocoin mining

A particularly nasty strain of coin-mining malware caught the eye of Trend Micro this week.

Dubbed BlackSquid, the infection uses a whopping eight different bug exploits and also employs a litany of evasion techniques to help it avoid detection by antivirus tools. This, the researchers said, allows the malware to run longer and thus generate more digital funbux for the attackers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/10/security_roundup_070619/

Black Hat USA Offers Fresh Perspectives on Enterprise Cybersecurity

Learn new enterprise-grade techniques for identifying vulnerabilities, improving Active Directory security, and building trust with customers at Black Hat USA this summer.

Cybersecurity at the enterprise level is a unique beast, and there’s no better place to meet fellow enterprise security professionals and learn new tricks than Black Hat USA in Las Vegas this August.

There’s a whole Enterprise track of Briefings dedicated to the unique challenges of securely managing the big platforms and processes found in enterprises, including large data centers, Active Directory management and bug bounty programs.

For example, Finding Our Path: How We’re Trying to Improve Active Directory Security is a Briefing to see if you’re someone who regularly works with Microsoft’s Active Directory, as it promises to be rich in practical lessons learned from an experienced cybersecurity researcher.

Whether your network has 50, 5,000, or 500,000 computers joined to Active Directory, you’ll walk away from this Briefing knowing how to greatly enhance your organization’s Active Directory security posture in days or weeks, not years.

Plus, On Trust: Stories from the Front Lines will give you some unique insight into what it’s like to lead the security programs of some of the world’s preeminent companies through times of great change.

Speaker Jamil Farshchi helped rebuild (among others) the cybersecurity systems of both The Home Depot and Equifax after their devastating data breaches in 2014 and 2017. At Black Hat USA he’ll explore how companies, like people, earn trust and develop character, and discuss why a key determinant of that character is their approach to security and privacy.

In Predictive Vulnerability Scoring System, two experienced data scientists will show you why it’s so important to efficiently prioritize your vulnerabilities, what we miss by trusting Common Vulnerability Scoring System (CVSS) scores, and what to take into consideration when focusing on vulnerabilities posing the greatest risks to organizations.

You’ll also gain a fresh understanding of the probability of a vulnerability being exploited, based on researchers’ work studying tens of thousands of vulnerabilities and CVSS scores. The speakers will then show you how they used all that data (as well as billions of in-the-wild events collected over five years) to create a machine learning model for predicting the probability of a vulnerability being exploited, a scoring system which outperforms CVSS on every metric: accuracy, efficiency and coverage.

For more information about these Briefings and many more check out the Black Hat USA Briefings page, which is regularly updated with new content as we get closer to the event.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-usa-offers-fresh-perspectives-on-enterprise-cybersecurity/d/d-id/1334908?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Unmixed Messages: Bringing Security & Privacy Awareness Together

Security and privacy share the same basic goals, so it just makes sense to combine efforts in those two areas. But that can be easier said than done.

Security and privacy get more attention today than ever before. As professionals in these domains, you are battered by the one-two punch of cyberattacks and an ever-changing regulatory landscape. But deploying technical controls and privacy policies won’t be enough to protect your organization. You’ll need to enlist your employees in the ongoing struggle to keep your data safe and your company in compliance. 

Luckily, when it comes to employee awareness, security and privacy share the same basic goals. Both want employees aligned with the mission to create a more secure, trustworthy, and risk-aware culture. So, it just makes sense to combine security and privacy efforts.

Unfortunately, uniting your efforts is easier said than done. To start, let’s explore how resolving a handful of differences can clear the way for a merger of your security and privacy programs. 

Different Risks
Your mission is probably related to securing personal data. Privacy pros recognize the responsibility to designate secure places to store data, while security pros recognize their responsibility in building and guarding these secure places. A useful simplification, but one that’s complicated by the divergence of risk domains. 

In general, security needs to stop external bad guys, such as cybercriminals and adversarial nation-states, from inflicting harm on your organization. Privacy professionals face a different threat: the mishandling of personal information during day-to-day operations. Even the best employees are fallible, and often privacy-related topics involve questions of ethics and judgment that can be genuinely complicated. 

To you, the privacy or security specialist, these distinctions are clear. But think about average employees. They don’t care about the nuances of which domain or business unit owns which element of data protection … they care about and need the skills to quickly identify and overcome these risks no matter where they originate. The fewer fiddly distinctions, the better.

Different Bad Guys
We have lots of tropes we use as placeholders for external security threats, but most of them evoke a feeling of illicitness or criminality. As a result, security “good guys” tend to emulate law enforcement institutions and use an abundance of military language to describe their work. It’s a simple and direct narrative: We’re the good guys, protecting the innocent and virtuous organization from the bad guys. 

Privacy is different. There’s no one bad guy. Instead, we’re up against a complicated moral landscape where we’re at risk of falling out of compliance with the law and losing the trust of employees and customers. Privacy doesn’t have evil villains, just ill-informed decision-makers and good employees who make preventable mistakes.

If security pros are defenders against outside threats, privacy pros are mentors who must teach the complexities of staying within appropriate boundaries on the collection, use, and storage of data, despite enormous financial pressures to the contrary. 

It’s no surprise that each group sometimes misunderstands the other. “Privacy purists” might judge security advocates to be living in a black-and-white world that is obsessed with technical solutions and an overly defensive posture. “Security strategists,” on the other hand, could see privacy professionals as underestimating threats and being naively dependent on policy to accomplish what should be done with strict controls. 

And we wonder why the employees in the middle tune us out!

Unite and Thrive
The fact is that reaching employees through an awareness program is the best tool available to security and privacy professionals for achieving their common goal. You can begin uniting your training program by doing things like:

  • Presenting the business world as it really is, where the company both creates risk and is at risk from outsiders. 
  • Focusing on the similarities between the security and privacy disciplines, rather than emphasizing the differences in domains.
  • Framing both security and privacy best practices in terms of daily work tasks — whether it’s creating passwords, identifying information that needs special handling, screening email, classifying and storing data, or connecting to networks from outside the workplace. It doesn’t matter which of these are security and which privacy; all are important for protecting the interests of the company and the individual. 
  • Deploying regular and ongoing training, supported by a drumbeat of reinforcing communications. 

The result: reduced overlap, a pooling of resources, and a unified message that invites employees to build the knowledge and skills that they will need to help your organization thrive in a rapidly changing digital world. There are no mixed messages when security and privacy unite.


Tom Pendergast is MediaPRO’s Chief Learning Officer. He believes that every person cares about protecting data, they just don’t know it yet. That’s why he’s constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it’s …

Article source: https://www.darkreading.com/perimeter/unmixed-messages-bringing-security-and-privacy-awareness-together/a/d-id/1334866?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security Headline Test

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/security-headline-test-/d/d-id/1334764?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Protip: No, the CIA will not call off a pedophilia probe into your life in exchange for Bitcoin

Fraudsters are posing as CIA investigators gone rogue in emails to marks, offering to take bribes to drop bogus investigations into the recipients and claims of online pedophilia, according to Kaspersky.

The security shop says the scammers are spraying out spam messages in which they pretend to be Uncle Sam’s agents conducting a probe into online pedophilia rings, as part of a “large international operation set to arrest more than 2000 individuals in 27 countries.”

The scare-tactic email claims each recipient has been caught up in the sweep, with investigators having collected the mark’s home and work addresses, contact information, and relatives’ details. Additionally, the scammers claim to have recorded each recipient’s ISP and browsing history, Tor browsing activity, chat logs, and social media activity.

After rattling off the list of details supposedly collected, we get to the pitch. The bogus CIA g-men propose a $10,000 Bitcoin payout to get the whole matter settled.

“I read the documentation and I know you are a wealthy person who may be concerned about reputation,” the message reads. “I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case.”


Obviously, there is no such investigation, and the sender is a scammer with no CIA connection.

In this case, the crooks would only need to convince ten people out of the mass of recipients to pay up in order to reap a six-figure windfall. Think of it as a sort of reverse spear-phishing operation.

“Such messages are sent to thousands or even millions of people in the hope that just a handful will swallow the bait,” noted Kaspersky senior anti-spam analyst Tatyana Scherbakova earlier on Friday.

“Given the size of the ransom, if even a few victims pay up, it will have been worth the cybercriminals’ time and effort.”

Folks who receive this message should keep in mind that the CIA and its agents (even the corrupt ones) would not make any such demand over unsolicited email, and the message should be deleted without a second thought.

Scamming aside, the unsettling implication in all of this is that some of the people who would be inclined to pay this extortion demand would be people that had in fact been viewing child abuse images. In that case, it is scammers looking to get money from rapists, and nobody comes out looking good. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/10/kaspersky_cia_sextortion/

Idle Computer Science skills are the Devil’s playthings

Who, Me? Ah, the sweet, sweet smell of Monday. What better way to start your week than combining it with the latest confession of wrongdoing from The Register readership in the form of our weekly Who, Me? column.

Today’s blast from the past comes from a somewhat unrepentant reader we shall refer to as “Charles”.

Take yourself back to the 1980s, the derring-do of Vulcan 607, Peter Davison as Doctor Who and a period when mainframe time at UK establishments of higher learning was a precious thing.

Young Charles was a first year student, studying Computer Science and, by all accounts, a bit of a bright spark. Perhaps a tad too bright.

He’d completed his assigned coursework in no time at all, “leaving,” as Charles put it, “plenty of time to think of things I probably shouldn’t have thought of.”

The Devil makes work for idle hands and all that.

Charles’ educational establishment had a bunch of green screen terminals scattered around the Computer Science building attached to a mainframe. Rather than hitting the student bar, Charles occupied his downtime by tinkering with code, “including a small program emulating a login screen, that dumped the entered username and password in a file in my own home directory”.

It’s good to know that almost 40 years ago, miscreants were spoofing login screens to catch unsuspecting users.

Charles told us: “I ran it one night, got hold of one user’s details, and then ran it from that user’s account, dumping the login details into a file in his home directory, accessible by everyone.

“And then ran it from about 10 users’ accounts, doing the same thing.”

Charles had, up to this point, been merely curious. While the japery had worked well, “I had absolutely no intention of doing anything bad with any of these accounts and forgot about them for a while”.

However, there are few things more dangerous than a geek with time on their hands, and Charles began looking into the world of scripting, coming up with three lines to strike fear into the heart of a BOFH.

Create directory foo 
Change directory to foo 
Go to start

(The above is a made-up language known as Reg-pseudo-script.)

Charles hit go, expecting the OS to call a halt to his shenanigans: “I didn’t expect it to actually carry on running, creating nested directories thousands deep, but it did.”

Oops. Deleting the things took over an hour after the script had been left to run for a minute or so.

We’ll leave the next bit to Charles: “Then the evil demon in me appeared and suggested, ‘Wouldn’t this be fun if you ran it from 20+ user accounts at the same time?'”

The demon won and Charles unleashed the horror before rapidly exiting the Computer Science building. He passed the establishment’s crew of BOFHs and PFYs “running full pelt to the terminal room I’d been in”.

The result of Charles’ prank? “They had to take the whole system offline, and sorting the mess out took many, many hours.” To further rub salt into the IT department’s wounds: “System processing was leased out to customers, so they must have been happy too.”

Overjoyed, we suspect.

In an unusual turn of events, Charles was caught and a suitable punishment administered.

As for what happened, well, what would you have done with a student who managed to take down the mainframe?

We’ll reveal Charles’ fate in the next edition of Who, Me?

Ever done something you wish you hadn’t or are secretly proud you did? Of course you have. Tell us all about it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/10/who-me/

Dark Web Becomes a Haven for Targeted Hits

Malware on the Dark Web is increasingly being customized to target specific organizations and executives.

Malicious services offered on the Dark Web are more like precision arms than blunt instruments, and they’re taking aim at the biggest of businesses.

New research, conducted by Dr. Mike McGuire of the University of Surrey, shows four in 10 Dark Web vendors are selling targeted hacking services aimed at FTSE 100 and Fortune 500 businesses. Among the information and services McGuire found on the Dark Web, access to corporate networks is sold openly, with 60% of vendors approached by researchers offering access to more than 10 business networks.

Still, sites and messaging facilities on the Dark Web have become havens for those seeking and selling custom-built, highly targeted malware, McGuire writes in “Into the Web of Profit: Behind the Dark Net Black Mirror Threats Against the Enterprise,” the third in a series. If you want to target a particular industry, organization, or executive, it doesn’t take long to find vendors willing to help meet your nefarious needs.

“The rise of customized malware-as-a-service is nothing more than the natural evolution of the commercialization of malware authors and other malicious actors,” says Nathan Wenzler, senior director of cybersecurity at Moss Adams. Online criminal activity has become industrialized, he says, with those on both sides of the transactions treating it just like legitimate business deals.

“Once you’ve reached that point of creating a product, which in this case is malware, the next logical step is to provide the equivalent of professional services to your customers,” Wenzler says.

What we’re seeing in these Dark Web sites is an almost inevitable consequence of the market’s maturity. Ray DeMeo, co-founder and COO at Virsec, points out that the criminal world is becoming more sophisticated, efficient, and compartmentalized, just like legitimate business. As a result, “Specialists are focusing on specific pieces of the supply chain, such as password theft, memory attacks, ransomware, and selling personal data in bulk,” DeMeo says. “As part of this, many resources on the Dark Web have become Amazon-like, relying on building ‘good’ reputations with high-quality stolen data.”

One of the consequences of malware and attacks heading to the commodity “as-a-service” model is that it now takes much less expertise to launch a relatively sophisticated attack. “[Cybercrime is] becoming more transactional in nature and lowering the barriers to entry for those who may not have the technical skill to develop a new malware variant,” says Harrison Van Riper, strategy and research analyst at Digital Shadows. “Those with less technical skill can still have access to damaging malware for a reasonable price.”

That price, which McGuire found ranged from $150 for a relatively simple piece of malware to more than $1,500 for software designed to target specific ATMs, often includes performance guarantees and sophisticated customer service. Encrypted messaging services like Telegraph are frequently used as the medium for support, though some malware networks have communicated completely in the clear over YouTube, Instagram, or other social network comments.

All of this is possible because malware and attack authors have swung their production to agile development methods, up to and including full DevOps, Wenzler says. “These groups already have automated much of the malware creation and management processes as it is, so creating custom attacks for a higher price is a relatively trivial thing for them to do and comes with the benefit of increasing their financial gains without needing to expend much effort,” he says.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/dark-web-becomes-a-haven-for-targeted-hits/d/d-id/1334914?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Massive Changes to Tech and Platforms, But Cybercrime? Not So Much

The still-relevant recommendation is to invest more in law enforcement, concludes an economic study of cybercrime.

In 2012, a group of cybersecurity researchers and social scientists studied the impact of cybercrime and its cost to society, concluding that the money spent anticipating an attack is less effective than money spent responding to an attack.

This week, many of the same researchers released an updated paper at the Workshop on the Economics of Information Security (WEIS) conference, in Cambridge, Mass., that looks at direct and indirect damages due to cybercrime, as well as the cost to defend against the crimes. Their conclusion? While people and technology are more interconnected and different platforms have become dominant, the overall impact of cybercrime remains relatively the same.

“One of the lessons of the paper is that, although there’s been huge changes — new platforms, some crime types replacing others, etc. — the overall picture is little changed,” says Richard Clayton, a co-author of the paper, director of the Cambridge Cybercrime Centre, and a security researcher at the Computer Laboratory at the University of Cambridge. “That’s because fixes are not technical but have to do with incentives, economics, criminal justice, sociology, [and] criminology.” 

The latest research attempting to quantify the costs of cybercrime comes as estimates for the market for cybersecurity products and services continue to grow. Largely unsupported estimates of cumulative annual growth vary from 9% to 18%, and estimates vary from $119 billion in 2019 to more than $300 billion in 2024.

Similarly, the cost of cybercrime has been a quantity of much speculation. One firm estimates costs of about $1 trillion annually in 2019, while another estimates a supersized $6 trillion in yearly damages by 2021.

The paper presented at WEIS aims to inject some sanity into all of these estimates, representing the most complete look at the state of cybercrime without relying on data collected by companies that are trying to sell security products, says security expert Bruce Schneier, a lecturer at Harvard University’s Kennedy School of Government.

“It is the best data that we have that isn’t being driven by some corporate agenda,” he says. “To me, that is the key for why this is important. They don’t have a dog in the fight. They are just trying to figure it out.”

For the most part, the paper underscores the unreliability of current data. Among the best data is payment fraud, which has doubled in total volume since 2012 but has decreased as a percentage of the total amount of payments. 

The paper finds that only a dozen or so crimes — such as online credit-card fraud, cryptocrime, ad fraud, and telecom fraud — actually result in more than $1 billion in damages. However, new ways of doing business using connected devices have resulted in new pathways for fraud; the world has changed since the original paper, the authors stressed.

“New apps, such as ride hailing, and new technologies, such as cryptocurrencies, create new targets, while old targets, such as medical records, have migrated to cloud services,” they wrote. “So larger quantities of personal information are kept online and are open to a variety of attacks.”

This leaves the authors with little advice for the average user or small or midsize enterprise (SME), Clayton says.

“It might make sense to replace your Windows machines with Chromebooks because that allows you to eliminate some attack types,” he says. “But, generally, the step change in response is needed by law enforcement, not SMEs.”

The actual economic problem is that paying for defenses for every person is extremely inefficient: the cost of securing their systems outpaces the damages caused by cybercriminals. Instead, nations should focus on empowering law enforcement to pursue and punish cybercriminals, the authors argued.

“The core problem is that many cybercriminals operate with near-complete impunity,” the paper states. “We will not get a real handle on cybercrime until we put an end to impunity.”

Yet that remains difficult, Schneier says.

“That is easy to say and hard to do anything about because it is so international,” he says. “A lot of the impunity comes from the difficulty of reaching into some country in, say, sub-Saharan Africa and exacting penalties.”

In addition, attempts by the United States to hold actors from larger countries accountable have typically failed. In 2018, as part of the Mueller investigation, the US government issued arrest warrants for 12 Russian nationals who allegedly took part in that country’s interference in the US elections. To reduce the cost of cybercrime, such actions need to become more common and effective, the paper stated.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/massive-changes-to-tech-and-platforms-but-cybercrime-not-so-much/d/d-id/1334911?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Vulnerability Found in Millions of Email Systems

The vuln could allow remote execution of code with root privilege in more than 4.1 million systems.

Security researchers at Qualys discovered a remote command execution vulnerability in older versions of the mail transfer agent (MTA) Exim — a critical, open source piece of the email infrastructure in many organizations.

An MTA functions much like a router dedicated to email. Researchers have found more than 4.1 million systems are potentially vulnerable to the flaw.

Exim’s maintainers acknowledged the vulnerability (CVE-2019-10149) on June 3. Present in Exim 4.87 through 4.91, the vulnerability could allow an attacker to execute commands as root, with no privilege escalation required.

According to researchers at Tenable, no exploits have been seen in the wild, though they expect at least proof-of-concept exploits to appear in the near future. In the meantime, the vulnerability has been patched, though a Shodan scan executed by Tenable researchers on June 6 showed just 475,591 systems running updated and patched versions of Exim.
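As an added example that is not from either Exim item above nor from Exim, Qualys or Tenable, here is a small Python check that classifies an `exim -bV` banner against the affected range the article gives for CVE-2019-10149 (4.87 through 4.91). It assumes the usual `exim -bV` first-line format and uses constructed sample banners; distributions often backport the fix without changing the upstream version number, so "affected" here means "verify against your vendor's advisory", not "vulnerable".

```python
"""Check an Exim build against the CVE-2019-10149 affected range (4.87 through 4.91).

Added example: the range and CVE id come from the article, the banner format
from `exim -bV`. The sample banners below are constructed for illustration.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Affected range reported for CVE-2019-10149: Exim 4.87 through 4.91 inclusive.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# `exim -bV` starts with a line such as "Exim version 4.92 #3 built ...".
# Only the first two numeric components matter for the range check; a third
# component (e.g. 4.89.1) is a maintenance release of the same minor version.
BANNER_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an `exim -bV` banner, or None if it is not Exim."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def is_in_affected_range(version: Tuple[int, int]) -> bool:
    """True when the upstream version number falls inside 4.87..4.91 (tuple compare)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(banner: str) -> str:
    """Classify a banner as 'affected', 'not-affected' or 'unknown'.

    'affected' is a prompt to check your distribution's advisory: vendors
    frequently backport the fix without bumping the upstream version string.
    """
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_in_affected_range(version) else "not-affected"


def local_exim_banner() -> Optional[str]:
    """Run `exim -bV` on this host; None if Exim is absent or does not answer."""
    try:
        result = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return result.stdout


# Constructed sample banners (not real hosts) covering each edge of the range.
SAMPLE_BANNERS: Dict[str, str] = {
    "old-box":     "Exim version 4.86.2 #1",
    "lower-edge":  "Exim version 4.87 #1",
    "maintenance": "Exim version 4.89.1 #2",
    "upper-edge":  "Exim version 4.91 #4",
    "patched":     "Exim version 4.92 #3",
    "not-exim":    "Postfix 3.4.5",
}


def classify_samples() -> Dict[str, str]:
    """Classify every constructed sample; used by the demo below."""
    return {name: classify(banner) for name, banner in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} {verdict}")
    banner = local_exim_banner()
    print("local host  ", classify(banner) if banner else "exim not found")
```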



Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-found-in-millions-of-email-systems/d/d-id/1334913?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers eavesdrop on smartphone finger taps

Researchers have been experimenting with a novel way to eavesdrop on what you’re typing on your smartphone: They listen to the interaction between your fingers and the screen.

In a paper called Hearing your touch: A new acoustic side channel on smartphones, academics at the University of Cambridge claim to demonstrate…

The first acoustic side channel attack that recovers what users type on the virtual keyboard of their touch-screen smartphone or tablet.

In tests, they showed moderate success guessing what users entered into the software-based keyboard devices.

According to the researchers’ paper, when users tap out numbers and letters on a smartphone’s virtual keyboard, it generates a sound wave that travels both on the surface of the screen and in the air. The location of the user’s finger on the screen distorts the wave, and the microphone on the mobile device picks up this distortion, enabling an algorithm to “hear” what the user typed.

To make it work, the researchers use machine learning (a form of artificial intelligence) to train their algorithm using around 21 hours of audio recordings of finger taps.

They tried out the attack with 45 participants in a real-world environment, using both an Android tablet and an Android smartphone. On the smartphone, they tried listening to four-digit PIN codes and were able to retrieve the correct codes 61% of the time within 20 attempts.

On the tablet, they successfully retrieved 9 codes between 7 and 13 characters in length in 50 attempts.

Should you be worried about this?

Probably not. For it to work, an attacker would have to install malware on your device. Then, you would have to give it access to the device’s microphone. And if an attacker is running malware on your smartphone, you’ve got a lot more to worry about than whether it can listen to what you’re typing.

The speed of sound in air depends on temperature, meaning that the results might be skewed if it’s too hot or too cold (the researchers only tested in a relatively tight temperature window because of this). They also said that an additional glass layer on top of the screen could absorb most of the finger impact, making an effective countermeasure. User-installed protective glass and plastic coatings are pretty common on phones now to protect those increasingly large screens. Less so on tablets, though, admittedly.

All in all, this was an interesting intellectual exercise, but there are easier ways to slurp a target’s data. It might make for a fun scene in a Hollywood movie with a credulous audience, though.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s2Vt_giEww8/