STE WILLIAMS

It’s January 12, 2010. In a blog post, Google publicly discloses that it has been the victims of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn’t stop with Google — they targeted at least 20 different organizations across the globe, in an attack that would later become known as Operation Aurora.

Operation Aurora was a shock for many organizations because it made everyone face a new kind of threat, one that previously was only whispered about around the watercooler. A government-backed adversary, with near-unlimited resources and time, had struck the world’s largest Internet company — and almost got away with it.

No one wanted to be the first to call Operation Aurora a nation-state attack. The possibility was certainly there, but the fear was that by rushing to attribution and getting it wrong could mean the first person to speak would be viewed as Chicken Little for the rest of his or her career.

Later, leaked diplomatic cables would show this attack was “part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government.” With confirmation from several sources all reaching the same conclusion — that Aurora was in fact government sanctioned and sponsored — our beliefs about what constituted reasonable choices for the state of security within the enterprise would never be the same.

Here at Akamai, one of the companies targeted by Aurora, the attacks became a primary driver for change.

Target: Domain Admins
Akamai was affected by the Aurora attacks because a domain administrator account was compromised. From there, the attackers were able to enter any system they wanted, including the system they targeted. Fortunately, while systems were compromised, the specific data the attackers were seeking didn’t exist. So, in a way, Akamai was lucky. Still, there was an incident, and the underlying hazards needed to be addressed.

All across the industry, we talk about trust, but the systems and processes used to establish trust have been broken or abused time and time again. Our journey for addressing this trust challenge began by examining how Akamai managed systems administration.

We started by replacing accounts that could log in to anything with narrow, tailored accounts that were not the principal account for the user. Doing this created a situation where a single error couldn’t lead to the fall of the company, but rather a situation where a series of errors and failures would be required before that can happen.

When people think of blocking and tackling of security, getting domain administration right and implementing the right tools and policies are where you start. But — while not minimizing this task and sweeping change — this was only the beginning. Over the next several years, we migrated further and further away from passwords to point authentication. This was essentially an in-house SSO, but even that was altered to focus on X509 certificates and, later still, push-based authentication.

Lessons Learned
It’s been a nine-year journey. Nine years since Aurora, and we’re still not done changing. We went from a place to where, if you were on the network, you had access to everything to now, when you’re not even on the network. Today, services and applications are only available to those who need access to them. It’s no longer about trusting where you are; it’s about trusting that you’re you. So when you’re compromised, the adversary can access only the tools and services available to you, and nothing else.

Over the last decade, a new concept has started to take hold in the security industry. We call it a number of things — zero trust, BeyondCorp, nano-segmentation, micro-segmentation — but the goal of this idea is to move away from location-based trust on the network. We followed a parallel path, breaking new ground along the way.

We got it right in a lot of places, but there were plenty of lessons to learn. Don’t be afraid to realize that you’ve chased down the wrong path. 802.1x for our corporate network, in the grand scheme of things, was the wrong path. We learned a lot by doing it, and if we hadn’t done that, we’d be in a worse place today. But we’re going to basically throw out all of that hard work in the next few years as we move to an ISP-like model for our physical buildings, and that’s OK.

Change is a constant in the security industry, and being willing to change as needed is one of the key growth factors in any business — large or small. It’s taken nine years to figure out what we wanted and to get to where we are. And we’ve taken this journey so that others can do it more seamlessly going forward.

Related Content:

• Real-World Threats That Trump Spectre Meltdown
• Why Cyberattacks Are the No. 1 Risk
• Threat of a Remote Cyberattack on Today’s Aircraft Is Real

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Andy Ellis is Akamai’s chief security officer and his mission is “making the Internet suck less.” Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai’s IT … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/9-years-after-from-operation-aurora-to-zero-trust/a/d-id/1333901?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Small and mid-sized businesses have most of the same cybersecurity concerns of larger enterprises. What they don’t have are the resources to deal with them. A new initiative, the Cybersecurity Toolkit, is intended to bridge that gulf and give small companies the ability to keep themselves safer in an online environment that is increasingly dangerous.

The Toolkit, a join initiative of the Global Cyber Alliance (GCA) and Mastercard, is intended to give small business owners basic, usable, security controls and guidance. It’s not, says Alexander Niejelow, senior vice president for cyber security coordination and advocacy and MasterCard, that there’s no information available to the small business owners. He points out that government agencies in the U.S. and the U.K. provide a lot of information on cybersecurity for businesses.

It’s just that, “It’s very hard for small businesses to consume that. What we wanted to do was remove the barriers to effective action,” he says, and go beyond broad guidance to giving them very specific instructions presented, “…if at all possible in a video format and clear easy to use tools that they could use right now to go in and significantly reduce their cyber risk so they could be more secure and more economically stable in both the short and long term.”

Improving security for small businesses can have an enormous international impact, Niejelow says. “Around the world, small businesses are critical to people’s economic success and survival. At the same time we as an industry and a group of countries have left small businesses behind when it comes to cybersecurity.”

The GCA has partnered with several organizations, with Mastercard’s sponsorship, to create the GCA Cybersecurity Toolkit. The partners include the Center for Internet Security, the Cyber Readiness Institute, the City of London and the City of New York. According to the announcement of the initiative, The Cybersecurity Toolkit includes a number of specific sections, including:

• Operational tools that help them take inventory of their cyber-related assets, create and maintain strong passwords, use multi-factor authentication, perform backups of critical data, prevent phishing and viruses;
• How-to materials, such as template policies and forms, training videos, and other foundational documents they can customize for their organizations;
• Recognized best practices from leading organizations in the industry including the Center for Internet Security Controls, the UK’s National Cyber Security Centre Cyber Essentials, the Australian Cyber Security Centre’s Essential Eight, and Mastercard.

Phil Reitinger, president and CEO of GCA says that they hope to see a dramatic uptake of information from the toolkit in a very short period of time. “Our stated goal here is to have a broad effect, and the stated goal is we want to reach a million businesses in 1,000 days,” he says.

As for how those businesses should use the information, “We’ve tried to put a bunch of tools together that small businesses can actually use,” Reitinger explains, continuing, “If we make it so simple that the family dry cleaner with a mom, a dad ,and two kids can do what they need to do, then the rest will flow from that.”

“Small businesses individuals are not dumb,” Reitinger says. “They are exceedingly smart people but a truck driver is good at driving a truck; he’s not so good necessarily at securing his own computer.” And Niejelow says that business owners shouldn’t need to be cybersecurity professionals. He explains, “It’s time we reduced the complexity of this issue and start making it more approachable so that our businesses can get back to doing what they do extremely well.”

Related Content:

• Enterprise Malware Detections Up 79% as Attackers Refocus
• Cyber Readiness Institute Launches New Program for SMBs
• 5 Ways Small Security Teams Can Defend Like Fortune 500 Companies
• FTC Offers Small Businesses Free Cybersecurity Resources

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/mastercard-gca-create-small-business-cybersecurity-toolkit/d/d-id/1333914?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

North Country Business Products, a point-of-sale terminal and network provider based in Bemidji, Minnesota, has announced a “data security incident” that impacted more than 120 of its restaurant customers located across the Midwest and West regions last month.

The company said it learned of suspicious activity on Jan. 3 and, after an investigation, found that a third party had access to restaurant customer information between Jan. 3 and Jan. 24. The information disclosed included credit card holder names and numbers, expiration dates, and CVVs.

North Country says it has corrected the issue and is in the process of notifying customers. 

Read more here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/pos-vendor-announces-january-data-breach/d/d-id/1333921?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

More business-critical data is finding a new home in the public cloud, which 72% of organizations believe is more secure than their on-prem data centers. But the cloud is fraught with security challenges: Shadow IT, shared responsibility, and poor visibility put data at risk.

These insights come from the second annual “Oracle and KPMG Cloud Threat Report 2019,” a deep dive into enterprise cloud security trends. Between 2018 and 2020, researchers predict the number of organizations with more than half of their data in the cloud to increase by a factor of 3.5.

“We’re seeing, by and large, respondents are having a high degree of trust in the cloud,” says Greg Jensen, senior principal director of security at Oracle. “From last year to this year, we saw an increase in this trust.”

It’s a definite shift from a time in the not-so-distant past when businesses felt the cloud was less secure than their on-prem data centers. Cloud services are no longer nice-to-have elements of IT; they handle core functions related to all aspects of business operations. Software-as-a-service (SaaS) applications, in use among 84% of respondents, help remove cost and complexity of on-prem infrastructure.

Organizations have begun to test business-critical services in the cloud in recent years, Jensen says. Within the past couple of years there has been a “tipping point” at which a large percentage of businesses are diving in. More than 70% of survey respondents say the majority of their cloud-based data is sensitive, an increase from 50% who said the same last year.

The rise of automation has contributed to a change in mindset and businesses’ sense of safety, Jensen continues. And while the cloud brings several benefits, the expectation that it solves all problems is flawed. “Cloud does still take work,” he adds, and does require human effort.

CISOs on the Cloud Security Sidelines
Most (82%) of respondents polled have experienced security events due to confusion in the shared responsibility model. It’s not for lack of effort: Nintey-one percent have formal methodologies for cloud use; however, 71% think employees violate policies and lead to malware and data compromise.

While many cloud security providers offer native security controls, it’s up to the organization to apply and manage those controls or ones offered by third parties. Researchers found the less customers are responsible for, the more confused they are about security responsibilities. For instance, 54% of respondents expressed confusion with how they should be securing SaaS, even though their responsibility is limited to two things: data and user access and identity.

People who should know about this responsibility are in the dark. Only 10% of CISOs polled fully understand the shared responsibility model, compared with 26% of CIOs who reported no confusion. Researchers attribute the gap to CISOs’ lack of involvement in cloud services.

“CISOs are really one of the newer C-level roles of the cyber enterprise today, and they’ve struggled attaching themselves in more of a collaborative way,” Jensen says. And while CISOs, CIOs, data privacy officers, and other executives should share responsibility to protect data, it’s typically the person in charge of security who takes the fall when there’s a major cyberattack.

Of course, it doesn’t help when different cloud providers have different models. Eighty-nine percent of respondents say the varying models have been a “significant challenge,” and 46% have had to dedicate one or more resources to it; 43% are managing with existing resources.

The Problems with Poor Visibility
Visibility remains the top cloud security challenge, report 38% of respondents. Thirty percent say they are challenged by the inability of existing network security controls to provide visibility into public cloud workloads. Jensen says this finding is consistent with 2017 findings.

“What we’re seeing is this issue, very similar to last year, the No. 1 security challenge cloud organizations are dealing with is detecting and reacting to what we call security event telemetry in the cloud,” he adds. Security teams’ inability to detect and respond to events has been at the center of several high-profile data breaches, researchers note in the full report.

Only 12% of respondents can see more than 75% of security event data. Nineteen percent can analyze 61% to 75% of security data, and 27% (the highest percentage) can view 41% to 60%.

Third parties that have access to an organization’s cloud data can drive risk. Business partners, supply chain partners, contractors, auditors, part-time employees, customers, and other individuals all use different devices and operate under different policies than full-time workers. Enterprise file sync-and-share (EFSS) services, one of the most common types of shadow IT applications, are often used to share data inside and outside organizations.

“There are challenges around how companies are losing control of their intellectual property,” which increases their exposure to data breaches, says Jensen. About half (49%) of businesses were hit with malware due to third-party compromise; 46% reported unauthorized data access.

Shadow IT is a key driver of cloud security challenges. Most organizations report having a formal policy to review and approve cloud applications; however, 92% of this year’s respondents are concerned those policies are being violated. Nearly 70% are aware of a “moderate or significant” amount of shadow IT apps in use, and 50% say the use of unsanctioned cloud apps has led to unauthorized access to corporate data.

Related Content:

• 9 Years After: From Operation Aurora to Zero Trust
• ‘Formjacking’ Compromises 4,800 Sites Per Month. Could Yours Be One?
• 19 Minutes to Escalation: Russian Hackers Move the Fastest
• 6 Tax Season Tips for Security Pros

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/cloud/as-businesses-move-critical-data-to-cloud-security-risks-abound/d/d-id/1333924?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

As you get ready for Black Hat Asia in Singapore next month, organizers want to ensure you don’t miss out on some of the Briefings and Trainings for cybersecurity professionals concerned about the most pressing threats of 2019.

Most notably, veteran cybersecurity expert Mikko Hyppönen will be at the show this year to present the keynote Briefing on “The Next Arms Race.” You’ll want to see Hyppönen examine how many countries are investing in offensive cyberpower; he’ll give you an eye-opening look at the very beginning of a new arms race.

For more intense hands-on training to prepare for today’s cybersecurity challenges, check out the “Tactical OSINT For Pentesters” 2-Day Training. You’ll learn how to use OSINT (Open-Source Intelligence, collected from publicly-available sources) data along with the significance of this data, and how it can be enriched and used offensively for attacking and compromising modern digital infrastructures.

Those who sign up for this Training will be given a framework to manage and prioritize all the data collected during the course along with private lab access good for one month so you can practice skills learned during the training.

“Pentesting Industrial Control Systems” is another fantastic 2-Day Training that offers a similar degree of practical, hands-on training in how to find and exploit vulnerabilities in industrial control systems. Sign up for this Training and you’ll learn everything you need to start ICS pentesting, from the basics of ICS vulnerabilities to the ins and outs of exploiting Windows Active Directory weaknesses to take control of ICS systems, most of which rely on Windows.

The Training will end with a challenging hands-on capture the flag exercise: the first CTF in which you capture a real flag! Using your newly-acquired skills, you’ll try to compromise a Windows Active Directory, pivot to an ICS setup, and take control of a model train and robotic arms.

Finally, close out your time at Black Hat Asia 2019 with “Locknote: Conclusions and Key Takeaways from Black Hat Asia 2019,” the perennially popular end-of-show Briefing that Black Hat founder Jeff Moss uses to close out the event. It features a candid discussion between Moss and members of the Black Hat Review Board, which is a great opportunity to catch up on all the key takeaways of the show and get a condensed overview of what to expect in the year ahead. Don’t miss it!

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/prep-for-the-next-cybersecurity-arms-race-at-black-hat-asia/d/d-id/1333909?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Phishing is one of the most effective ways hackers can compromise a network. Instead of requiring the skills and time to target specific organizations, perform reconnaissance, discover vulnerabilities, and select attack vectors, attackers can indiscriminately blast out phishing emails and wait for users to be tricked into submitting their credentials to a phishing site. I recently came across a phishing page that shows the interworkings of a phish and just how easy it is for unskilled and lazy attackers to host a credential harvesting page.

Like any phish, this starts with an email that appears to be from a reputable source and sends the recipient to a malicious site. In this case, the link directs to a page that is designed to look exactly like Microsoft’s online login page, where the user is asked to enter his or her username and password. After all, this is exactly what the attacker wants — the user’s credentials.

So far, this is a standard phishing attack. The attacker sends a link in an email to trick the end user into visiting a phishing site that aims to steal the user’s credentials. But I didn’t stop there. I wanted to see what else could be found on this website, so I navigated to the homepage of the site and discovered the following:

Credential Harvester Directories

Above, we see the directories and contents of the credential harvester left by the attacker on their publicly accessible home page. Drilling into the “new” folder within this directory, I discovered that the attacker left their entire exploit source code in a zip file titled “bless.zip.” Fully extracted, this zip file holds various .php files that contain instructions for the login process on the phishing site and for blocking certain clients from accessing the webpage. Further examination of this source code shows exactly how the attacker siphons user information, and who they’re trying to prevent from viewing their site.

In the action.php file below, we see what happens when a victim submits credentials to this phishing site.

The .php code records the user’s IP address; performs a geolocation lookup on the IP address to determine its country of origin; and records the date and time of access, the user’s browser type, and the username (or phone number) and password that the user submits to the phishing page. The $sent variable reveals the email address where the attacker sends credentials, tailored to this specific phishing campaign to hide the attacker’s personal identity. The email $headers variable contains the sending email address for this credential harvester: wirez[@]googledocs[.]org. A DuoLabs report that analyzes phishing kits at scale suggests that this sender address appears in more than 115 unique phishing kits.

Examination of the other .php files shows additional information about the exploit kit. In the file block.php, the kit specifically checks for keywords in the hostname of clients visiting the site. Terms such as “phishtank,” “google,” “trendmicro,” and “sucuri.net” in the client hostname will result in the exploit kit sending the client to a 404 Not Found page rather than the impersonated Microsoft login site. This code aims to prevent security-oriented organizations from accessing the exploit page and identifying it as a phishing site, and thwart users visiting from cloud-based services from accessing the site. The file includes 568 IP addresses that are blocked from viewing its login page.

The content of the examined .php files and the fact that they were publicly accessible on the homepage of the phishing site demonstrates that this attacker was either not technically savvy or felt that controlling access to their exploit source code and hiding the email account receiving victim credentials was not worthy of their time. In either case, it’s a great example of why phishing is so dangerous: It takes minimal effort and skill on the attacker’s end and only one user to fall victim to the attack to effectively compromise an organization.

There’s no one technical solution that can prevent all phishing attacks from being successful. What’s needed are layers of security structured to prevent the delivery of a phish, detect phishing emails that do make it into an organization, alert security personnel when a phish is delivered, and prevent users from visiting malicious phishing sites.

Most importantly, end users need to be aware of the threat that phishing poses to their organization and empowered with knowledge to determine whether an email is legitimate. When an organization is targeted by an attacker, it will be layers of security and users’ knowledge that ultimately determines whether a phishing email leads to a breach, or if the email is simply discarded by technical controls or an informed end user.

Related Content:

• Credential Compromises by the Numbers
• Lessons Learned from a Hard-Hitting Security Review
• Creating a Security Culture Solving the Human Problem

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Jordan Shakhsheer is an information security engineer at Bluestone Analytics. She has extensive experience conducting incident response and digital forensic investigations. Jordan’s work includes eradicating threat actors from critical infrastructure, and producing actionable … View Full Bio

Article source: https://www.darkreading.com/application-security/the-anatomy-of-a-lazy-phish/a/d-id/1333879?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple