STE WILLIAMS

NSA, DHS Call for Info Sharing Across Public and Private Sectors

Industry leaders debate how government and businesses can work together on key cybersecurity issues.

If money were no object, and you didn’t have to worry about bureaucracy or politics, what would you have your organization do to make a difference in the public-private sector discourse on cybersecurity? How would you improve tactics and techniques?

“The thing I’d love to be able to do is share in real time,” said Neal Ziring, technical director for the National Security Agency’s Capabilities Directorate. The question was posed to him, and two other panelists from the public and private sectors, in the RSA Conference panel “Behind the Headlines: A Public-Private Discourse on Cyber-Defense,” last week in San Francisco.

Ziring explained how if policy were not an issue, he would want to take NSA’s foreign intelligence and turn it into actionable warnings in real time. “That’s not easy. We’re trying to work in that direction,” he said, adding that there are “considerable policy obstacles to that right now.”

Defenders are overwhelmed with an onslaught of threat data, user error, poor endpoint protection tools, and myriad other factors making their jobs harder. This discussion brought together security experts to put the spotlight on which threats should be prioritized and how the government and private sector can better improve their relationships to address them.

John Felker, director of the DHS’s National Cybersecurity Communication Integration Center (NCCIC), outlined the security threats that are top-of-mind for government. China, he said, is a big one: It continues to engage in cyber espionage despite a 2015 agreement to stop. Industrial theft is a primary concern as China’s long-term strategy is to improve its economy, he said.

“We’ve seen lots and lots of threats from Iran,” Felker continued. Iran is now heavily focusing on oil and gas, primarily in the Middle East. “We believe they’re posturing for future activity.”

Next up: Russia. “Part of the Russia threat relates to keeping their economy strong and the things they want to participate in to allow their form of government to continue,” he explained. There is “significant potential for mischief” as there remains a possibility Russia will segregate itself from the Internet as a threat. Finally, Felker pointed to North Korea, which is primarily financially motivated and needs funds to develop domestic IT infrastructure and industry.

A Call for Info Sharing
Information sharing was a key theme of the talk, and all panelists emphasized a greater need for the public and private sectors to share threat intelligence. “It doesn’t do us any good to exchange business cards in the middle of a cyber incident,” Felker said. He encourages organizations to reach out if they’re hit. “Make sure someone knows it’s OK to do that,” he added.

While the NSA doesn’t have the public-facing role the DHS does, Ziring noted the organization does interact with the public and business communities. His advice: “If we go to the trouble to publish advice, take it,” he said. “We don’t publish all that frequently, and when we do there are really good reasons behind it.”

He also advised businesses to collaborate with the NSA on a technical level. “The goal we’re trying to achieve is shared visibility into the cyberspace where we all have to operate,” Ziring continued. Threat actors have visibility over all of us; it would help businesses to do the same.

Security teams need to establish trust before an attack takes place. Part of building relationships involves conducting internal and external exercises across the organization so senior leadership knows what’s happening and what to do. If you implement a security framework, blog about it, said Curtis Dukes, executive vice president and general manager for the Security Best Practices and Automation Group at the Center for Internet Security.

“You are a target – it’s not if but when you’re attacked,” Dukes explained. “Communicate ‘here’s what happened and why.’ That way, we all learn from your misfortune, but more importantly we can protect ourselves.”

Modern C-suites are more aware of cybersecurity and the effect it can have on a business, he added. Major incidents have taught them how poor security can affect a bottom line, and now they’re asking for board members who have cybersecurity expertise.

However, “where we’re falling short is we still haven’t done an adequate job of translating cyber-risk to business risk,” he added. Businesses will place high value on certain business processes but fail to recognize the impact of losing that process in a cyberattack.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/nsa-dhs-call-for-info-sharing-across-public-and-private-sectors/d/d-id/1334130?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptominers Remain Top Threat but Coinhive’s Exit Could Change That

Coinhive has remained on top of Check Point Software’s global threat index for 15 straight months.

Cryptominers continue to dominate the malware landscape, just as they did all of 2018. But a decision by cryptocurrency mining service Coinhive to shut down last week could change that soon, security vendor Check Point Software said in its latest malware threat report, released Monday.

Coinhive has topped Check Point’s global threat index for 15 straight months, including this February.

Coinhive’s software is designed to give website owners a way to earn revenue by using the browsers of site visitors to mine for Monero cryptocurrency. The software itself — like many other cryptominers — is not malicious. However, cybercriminals have been using Coinhive extensively to surreptitiously mine for Monero on hacked websites, making it a top threat to website operators globally in the process. Many websites that have installed Coinhive also have done so without explicitly informing site visitors about it.

“For now, I assume that Coinhive’s shutdown will only cause its disappearance from the top 10 list,” says Maya Horowitz, threat intelligence and research director at Check Point. Other coin-mining tools will likely remain a threat or become more widely distributed as criminals start using those tools instead of Coinhive, she says. Check Point’s report shows that at least two other coin miners — Cryptoloot and Authedmine — moved up in the top 10 malware rankings last month, compared with January 2019.

However, the declining values overall of major cryptocurrencies (such as Monero and bitcoin) could soon begin affecting the will of threat actors to use miners, Horowitz notes. This could result in fewer cryptomining attacks overall and a greater focus by threat actors on more lucrative targets such as scalable cloud environments. Attackers could also start “finding new, yet unknown, paths to monetize on their attacks,” Horowitz says.

In a blog post last Friday, security vendor Avast said Coinhive’s decision to discontinue its service is not entirely surprising given the declining value of cryptocurrencies and the fact that security vendors were routinely blocking the software because of misuse.

The big question now is whether or not browser-based cryptojacking will decline altogether or whether some other crypto tool will rise to replace Coinhive. “Ultimately, Coinhive going out of business is a good thing for security, privacy, and transparency,” according to the Avast blog post.

In total, five of the top threats in Check Point’s global index currently are cryptomining-related. The other threats in the index include the GandCrab ransomware tool and two banking Trojans that have been around for some time — Ramnit and Emotet.

According to Check Point, its researchers have observed several campaigns distributing a new version of GandCrab widely in Canada, Germany, Japan, and Australia. The new version incorporates a key encryption change that renders ineffective a decryption tool that was developed for previous versions of the malware, Check Point said. One reason for GandCrab’s growing popularity is the fact that the ransomware is offered as a service and is thus easily available to attackers, Horowitz says.

Check Point’s report also shows that the most actively targeted vulnerabilities last month were once again issues that were disclosed and patched some time ago. One of the vulnerabilities in February, for instance, was an information disclosure flaw in OpenSSL (CVE-2014-0160; CVE-2014-0346) that was first disclosed and patched in 2014.

“Threat actors often use the least sophisticated solution that would work,” Horowitz says. So as long as many users do not patch their servers for these vulnerabilities, attackers will keep exploiting them. “Our yearly security report demonstrates that only a third of the attacks during 2018 exploited vulnerabilities disclosed in 2017–2018,” she says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/cryptominers-remain-top-threat-but-coinhives-exit-could-change-that/d/d-id/1334131?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Just a reminder: We’re still bad at securing industrial controllers

Bug hunters have discovered yet another set of flaws in industrial control systems used by electric utilities, oil and gas companies, and shipping and transportation providers.

The Positive Technologies trio of Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin were credited with sussing out and reporting a series of 12 different security vulnerabilities in controllers from Moxa.

The bugs range in severity and impact, though Positive Tech noted that even something as simple as a denial of service issue could have a profound impact when it comes to industrial control systems (ICS).

“A vulnerable switch can mean the compromise of the entire industrial network,” Paolo Emiliani, Positive’s analyst for Industry and SCADA research, said today.

“If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely.”

A number of the bugs were found in the web interface for the Moxa devices. In the EDS-405A, EDS-408A, and EDS-510A series controllers, the Positive researchers found web console passwords stored in plain text, predictable session IDs for web server cookies (those cookies could be used to recover administrator passwords), and no limit on authentication attempts, which allows brute-force attacks on the switches.

The switches were also found to be sending sensitive data via “proprietary protocols” that were not secure and would allow for man-in-the-middle or DDoS attacks should an attacker have network access.

Meanwhile, the IKS-G6824A series of backbone switches was subject to seven unique vulnerabilities of its own, including multiple cross-site-scripting bugs, buffer overflow errors, and cross-site request forgery errors. The box’s web interface was also found to be improperly configured, allowing users who were set to read-only mode the ability to change configurations.

For most of the flaws, Moxa is recommending customers update their firmware to the latest version, though there are other steps that will need to be taken to close up all of the holes.

For the EDS-405A, EDS-408A, and EDS-510A, admins will need to set their web configuration to “HTTPS only” in order to close a predictable session ID problem. For the IKS-G6824A, admins are advised to disable HTTP access altogether and use SNMP/Telnet/CLI to manage the devices. ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/11/industrial_controllers/

Hapless engineers leave UK cable landing station gate open, couple of journos waltz right in

Journalists were able to bimble into a UK cable landing station almost completely unchallenged after security gates were left open and unlocked.

Two reporters from the Mail on Sunday walked straight into the nondescript hut where the Hibernia Express cable reaches the British mainland in Southport, 30km north of Liverpool on the Irish Sea coast. The cable is the fastest transatlantic fibre optic route for internet traffic between the UK and North America.

“A terrorist or foreign agent would have been free to plant explosives or force their way inside,” reported the paper.

The hut, the precise location of which El Reg is not disclosing (even if we described it in great detail it’s a right sod to find on Google Earth), “stands at one end of a car park used to store about 20 caravans”, according to the Mail on Sunday. A group of visiting engineers had rather carelessly left all of the doors and gates wide open behind them, allowing the reporters to stick their heads in and ask questions.

Although CCTV had been installed on site, the reporters’ snooping was not immediately challenged. A few years ago the then-head of the Armed Forces, Air Chief Marshal Sir Stu Peach, warned that undersea fibre optic cables were at risk from Russia and similar enemies of the West. But the air marshal was referring to military action at sea – cutting or tapping cables – instead of targeting them on land.

Hibernia was bought out by GTT Communications in 2017. A spokesman told the Mail that its cable landing stations “have security built into their core and resilience measures in place that mean any interruption of service would not materially impact internet traffic”.

When The Register exclusively revealed that spy agency GCHQ had established a cable-tapping base in Seeb, Oman, we named Hibernia Atlantic as one of the domestic cables that was subject to illicit interception. Intriguingly, given the current situation around security, Hibernia was told to stop construction work on Hibernia Express in 2013 over the involvement of Huawei Marine in providing some of the equipment for its operation. Huawei was duly replaced by TE Subcom, a US firm.

Physical security is increasingly overlooked in British national cybersecurity considerations. Last week the government published its response to a Parliamentary report demanding greater software skills and training for critical national infrastructure companies. While unquestionably of vital importance, it’s no good being able to fend off all the North Korean botnets in the world if Bogdan the Church Spire Tourist can knacker the nation’s comms with a handful of plastic explosive. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/11/southport_cable_landing_station_wide_open/

NASA’s crap infosec could be ‘significant threat’ to space ops

NASA’s Office of the Inspector General has once again concluded the American space agency’s tech security practices are “not consistently implemented”.

Confirmation that the US government department’s infosec abilities are not up to scratch was a repeat of last year’s federally mandated security audit, which also found that processes and procedures were below par.

Oversight personnel from the Office of the Inspector General (OIG) criticised NASA staff for the “untimely [sic] performance of information security control assessments”, saying it “could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the Agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”

Jim Morrison, assistant inspector general for audits within NASA’s OIG, said in a letter:

“In sum, we rated NASA’s cybersecurity program at a Level 2 (Defined) for the second year in a row, which falls short of the Level 4 (Managed and Measurable) rating agency cybersecurity programs are required to meet by the Office of Management and Budget in order to be considered effective.”

Two areas were of immediate concern to Morrison’s inspectors: NASA system security plans “contained missing, incomplete, and inaccurate data” and control assessments were not carried out “in a timely manner”, something the auditors described as “an indicator of a continuing control deficiency”.

The OIG’s annual review assessed “61 metrics in five security function areas,” it said, testing “a subset of information systems to determine the maturity of their agency’s information security program.”

Drilling down, OIG inspectors looked closely at seven “judgmentally selected Agency information systems along with their corresponding security documentation” to arrive at their verdict.

A rating of “Level 2 (Defined)” means, according to the NASA OIG, that “policies, procedures, and strategies are formalized and documented but not consistently implemented”. This contrasts with Level 4, where successful American government agencies have “Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategies [that are] collected across the organization and used to assess them and make necessary changes”.

More details are scheduled to emerge in the full US Federal Information Security Modernisation Act (FISMA) review of NASA for fiscal year 2019. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/11/nasa_infosec_office_inspector_general_fisma/

IT Security Administrators Aren’t Invincible

IT security administrators and their teams are responsible for evaluating an organization’s security tools and technologies, but are they armed with the proper tools, considerations, and budget to do so? Fourth in a six-part series.

IT security administrators, who often have titles such as director of cybersecurity or director of security operations, are mid- to senior-level managers who typically report directly to the CISO, CSO, or CIO. They usually manage a team of security analysts or security managers, and their core responsibilities often include managing the operations of the organization’s security operations center; managing network, application, cloud, and systems security; vulnerability and risk management; penetration testing; and employee security awareness. They’re expected to work closely with IT, security leadership, compliance, legal, and other stakeholders. They act as interpreters between technical analysts and non-technical executives, and they have access to organizational infrastructure, tools, and technologies.

Common Mistakes
Security directors are in the middle of everything security-related, and it can be a major challenge to balance all of the responsibilities, especially on a limited budget. Because security directors are stretched so thin, they often must rely on the dashboards from their security products to provide their key performance indicators (KPIs) and metrics, and they limit technology purchases to familiar brands instead of conducting merit-based evaluations, perhaps of lesser-known products and companies.

Security teams strapped for time struggle to perform comprehensive evaluations of all available products that include non-functional but critical issues such as how successful the product is at its given function, its impact on system performance, how it works in the production environment, and how it compares with other vendors’ offerings. And while security directors may be responsible for evaluating security technologies, security may not be their specialty; therefore, taking a risk on a startup with more advanced technologies may not seem prudent.

Additionally, security directors sometimes have a good understanding of infrastructure but lack in-depth understanding of cyberattacks and insight into how modern adversaries operate. Without clearly understanding the threats their organization faces and why, security directors may have a myopic view of operations and not properly look at long-term strategy.

Repercussions
Because of time concerns, budget constraints, inexperience with security, or lack of proper evaluation criteria, security directors may select tools that don’t properly address their organization’s needs. Whether they choose according to brand, price (as in inexpensive solutions that fit the budget or expensive options that represent perceived value), or pressure from senior leadership, the result is a product purchase that may not best suit their organization’s concerns. The solution may be ineffective or overly complicated or create a security stack with too many products, increasing the administrative overhead and likelihood of interoperability issues.  

Security directors who depend on out-of-the-box KPIs that provide “safe” metrics may not accurately assess the security posture of the organization — or all the hard work that the security team does. This can result in incorrect prioritization, inaccurate allocation of resources, and a complete misunderstanding of the organization’s security posture. Combined with a lack of long-term vision, the organization won’t be able to improve the situation.

Minimize Mistakes
Security directors must work with leadership to determine their organization’s risk profile and security posture before making new technology investments. They must also have and deploy the resources necessary to ensure due diligence and thorough product evaluations (including proof-of-concept trials). Considering the plethora of vendors and products, organizations must assess which products will have the biggest impact and yield the best return on investment to strengthen security posture.   

Security directors should also be able to bring in outside help for such assessments. Only a few organizations are equipped to measure non-functional requirements such as efficacy, impact on system performance, and false positives. Experienced third-party professionals can conduct such evaluations. Less-sophisticated organizations with limited budget and resources can refer to neutral third-party evaluations to determine whether vendors have performed consistently well in multiple tests. Security directors should also advocate for professional services budgets to ensure correct deployment and configuration as well as proper use based on vendor-recommended best practices.

When it comes to setting KPIs for the security team, security directors must make time to create two kinds of metrics: metrics for leadership that indicate the organization’s security posture and the team’s efforts, and metrics that provide honest insight into how operations are running, so that the KPIs become a basis for identifying where improvements can be made. Suggested KPIs might combine data from several products using some type of automated collection and/or calculation to make retrieving the numbers on a regular basis manageable.

Change the Paradigm
We must dispel the notion that more products equal more security. Organizations need a layered approach that incorporates operational simplicity, minimal redundancy, integrated management, and interoperability.

It’s also important for security directors to continue their education. We must recognize that security directors, and the teams that evaluate, purchase, deploy, and manage security technologies, must stay up to date on the cybersecurity landscape and on technology advancements like machine learning and big data analytics, so they can properly consider all options for the purchase and management of security products and services and effectively run security operations.

In addition, we must accept the fact that improving an organization’s security posture does not happen exponentially or even linearly. For many reasons, KPIs may not improve quarter over quarter. Security directors must be able to report such KPIs without fearing the perception of failure. KPIs may appear disappointing because the security director made a decision that turned out to be off-target. But remember, these KPIs provide an opportunity to course-correct. And that needs to be acceptable because security directors make mistakes, too. What separates successful organizations from the rest is the ability to identify and correct their mistakes.

Keep a lookout for the fifth perspective in our series: programmers. Previously, we’ve covered end users, security leaders, and security analysts.


Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and …

Article source: https://www.darkreading.com/careers-and-people/it-security-administrators-arent-invincible/a/d-id/1334067?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Georgia’s Jackson County Pays $400K to Ransomware Attackers

The ransomware campaign started March 1 and shut down most of Jackson County’s IT systems.

Jackson County, a rural area of Georgia located about 60 miles from Atlanta, has paid $400,000 to regain access to systems and data locked down in a recent ransomware campaign.

The cyberattack was first confirmed by officials on March 1. It shut down the county’s network and knocked computers, email services, and websites offline. While the website and 911 emergency system were reportedly unharmed, Jackson County was mostly disconnected.

“Everything we have is down,” said Sheriff Janis Mangum to StateScoop. “We are doing our bookings the way we used to do it before computers. We’re operating by paper in terms of reports and arrest bookings. We’ve continued to function. It’s just more difficult.”

Following the attack, Jackson County alerted the FBI and a cybersecurity response consultant, who communicated with the attackers and negotiated a $400,000 price for the decryption key.

Paying ransom is a controversial topic among cybersecurity experts. Businesses that pay are still subject to downtime, incomplete transactions, and unhappy customers following a ransomware attack. Further, the return of data isn’t guaranteed, and payment encourages criminal activity.

Still, in this case and many others, the ransom is a small price to pay compared with the cost of rebuilding the infrastructure from scratch. “We had to make a determination on whether to pay,” said Jackson County manager Kevin Poe to OnlineAthens. “We could have literally been down months and months and spent as much or more money trying to get our system rebuilt.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/georgias-jackson-county-pays-$400k-to-ransomware-attackers/d/d-id/1334124?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hackers Break into System That Houses College Application Data

More than 900 colleges and universities use Slate, owned by Technolutions, to collect and manage information on applicants.

As if applying to college wasn’t nerve-wracking enough: Last week hackers broke into a system that houses prospective students’ application data, then promised students access to their files — for the price of a single Bitcoin.

More than 900 colleges and universities use Slate, owned by Technolutions, to collect and manage information on applicants. Three colleges were affected by the breach: Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York. Prospective students were sent emails promising access to confidential information, including comments from admissions officers and tentative acceptance decisions, upon payment of a Bitcoin. Later emails offered limited subsets of student files for $60.

No other universities were affected by the breach, Technolutions said. Oberlin, Grinnell, and Hamilton advised prospective students not to pay the attackers and said they are working with law enforcement on the case.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/hackers-break-into-system-that-houses-college-application-data/d/d-id/1334125?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FTC says taxpayer voice phishing scams are up nearly 20x

Have you gotten a (fake!) call from a (not!) US Social Security Administration rep? Maybe one in which you’re told that your Social Security number (SSN) has been suspended because of “suspicious” activity, or because it’s been involved in a crime?

Sometimes, the real Social Security Administration (SSA) phone number – or a number that’s close to it – shows up on your caller ID.

All you have to do to clear up the mess is to confirm your taxpayer ID, the scammer will sometimes say. Or maybe you can take care of it by paying a fine… via gift cards, the codes for which you can read to the imposter over the phone.

Of course, you never want to do any of that: if you hand over your SSN, you’re setting yourself up for identity fraud. If you buy gift cards and hand over the codes, you can kiss that money goodbye. We should never give our SSN, credit card or bank account number to anyone who contacts us.

Unfortunately, some people do. And given that we’re in tax fraud season right now, in the months leading up to the April US filing deadline, it’s time for an updated report from the US Federal Trade Commission (FTC).

Losses through taxpayer scams total $16.6 million

The news isn’t good: the frequency of taxpayer scams is going up, the FTC said last week. It’s seen a spike in reports of fake SSA calls, 3% of which have led to victims getting taken to the cleaners.

Since January 2018, the FTC says, it’s received more than 63,000 reports of this scam. Reported losses total $16.6 million, with a median loss of $1,484. That’s an enormous jump: it’s nearly 20x the numbers reported in 2017, when 3,200 people told the FTC about experiencing SSA imposter scams. The total amount they reported losing in 2017 was close to $210,000.

The scammers are adept at pushing our fear buttons. They might tell us that our bank accounts are on the brink of being seized, our SSN is about to be suspended, or that we’re about to be arrested.

String that all together, and you get something that sounds like this demonstration of voice phishing (vishing) posted by the FTC in December.

Rat out the rats!

If you’ve received one of these vishing calls, the FTC asks that you report it at ftc.gov/complaint.

If you’ve already handed over your SSN and you’re worried about identity theft, visit IdentityTheft.gov/ssa.

The FTC asks us all to remember these things if we ever do get one of these calls:

  • Your Social Security Number is not about to be suspended. Your bank account is not about to be seized.
  • The real SSA will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.
  • You can’t believe the numbers on your caller ID. Scammers can easily fake those. But if you’re worried, call the real SSA at 1-800-772-1213. You can trust that number if you dial it yourself – just not on your caller ID.
  • Never give your SSN, credit card or bank account number to anyone who contacts you. Ever.

Caller ID spoofing: Why isn’t it illegal?

Many times, people wonder: why in the world is it possible, or even legal, for callers to change the number that shows up in caller ID?

It is, in fact, illegal… but only sometimes.

The Truth in Caller ID Act prohibits spoofing when it comes to “transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongly obtain anything of value.”

There are many examples of when callers legitimately, and legally, spoof their caller ID number with no intention of ripping us off. For example, when a doctor calls a patient from her personal mobile phone, she may choose to display the office number rather than her personal phone number. Another example is when a business displays its toll-free call-back number.

Unfortunately, it’s very easy for scammers to download automated phone-calling technology, spoof numbers to make it look like calls are coming from whoever they choose – be it the SSA or a local neighbor – and robo-drag victims into their scam spiels.

Just ask the so-dubbed “robocaller kingpin”, Adrian Abramovich, who was fined $120 million for the nearly 97 million spoofed calls his marketing companies made to sell vacations at resorts that, surprise surprise, turned out to be anything but the Marriott, Expedia, Hilton and TripAdvisor vacations initially mentioned.

What Abramovich told the Senate Commerce, Science, and Transportation Committee after it subpoenaed him to explain how he did it:

There is available open source software, totally customizable to your needs, that can be misused by someone to make thousands of automated calls with the click of a button.

May you and yours get through tax season without being victimized by one of those button clicks. But if you do, make sure to report it. As the story of the robocall kingpin clearly shows, these crooks don’t always get away with it. Reporting them helps to make the legal case that can shut them up.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/A_IhmEEDl8g/

Booking a restaurant? Let Google’s Duplex AI make the call for you

What’s the easiest way to book a restaurant table by phone?

If you own a Google Pixel smartphone and live in one of 43 US states, the new answer to that question might be to ask Google Assistant to make that call on your behalf.

It’s as simple as telling it to “book a table for four people at [restaurant name] tomorrow night” and then confirming details such as party size and preferred time. You can then leave Google’s deeply clever Duplex AI system to confirm the details with the restaurant. Helpfully, writes Google:

Once your reservation is successfully made, you’ll receive a notification on your phone, an email update and a calendar invite so you don’t forget.

If you’re wondering what that conversation might sound like, that’s the clever bit – Google’s Duplex neural network AI is designed to sound and respond like a human being.

Not long after Google played this voice demo, it found itself in the middle of a backlash about creepy AI systems that simulate humans in ways that (it was argued) risked being deceptive.

To counter this, Google now says the system will announce that “the call is from Google,” that the call will be recorded, and that people who feel intimidated will be offered the option to talk to a human.

There don’t appear to be any limitations on which restaurants users will be able to phone, although restaurants with Google My Business accounts will be able to opt out of receiving AI-generated calls.

The major limitation right now is that it won’t work in some states (Indiana, Kentucky, Louisiana, Minnesota, Montana, Nebraska, and Texas) and initially will only support Pixel, Pixel 2, and Pixel 3 smartphones.

After the bedding-in period, Google says the service will be extended to any Android 5.0 or later smartphone, or Apple iPhone running Google Assistant (and presumably countries beyond the US too).

Bon appétit, Dave

What hasn’t gone away is the ethical debate about AI systems that simulate human conversations, which presents Google with a bit of a bind.

If Duplex natural language processing is too good, critics fret about its eeriness and the ethics of deception. On the other hand, if it’s not natural enough – which ironically usually equates to disfluency – Google reckons humans might hang up or be put off using it.

There’s a lot at stake. While right now it’s only for making restaurant reservations, it’s clear Google thinks it could be used for lots of everyday mundane phone calls some people would rather have a digital entity make for them.

For now, it looks as if it’s more of an experiment to see what humans will and won’t put up with.

The answer might be confusing and very human – a lot of people tolerate or love it while a lot of others hate it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7Dts4k1uECg/