STE WILLIAMS

One click and you’re out: UK makes it an offence to view terrorist propaganda even once

It will be an offence to view terrorist material online just once – and could incur a prison sentence of up to 15 years – under new UK laws.

The Counter-Terrorism and Border Security Bill was granted Royal Assent yesterday, updating a previous Act and bringing new powers to law enforcement to tackle terrorism.

But a controversial inclusion was to update the offence of obtaining information “likely to be useful to a person committing or preparing an act of terrorism” so that it now covers viewing or streaming content online.

The rules as passed into law are also a tightening of proposals that had already been criticised by human rights groups and the independent reviewer of terrorism legislation, Max Hill.

Originally, the proposal had been to make it an offence for someone to view material three or more times – but the three strikes idea has been dropped from the final Act.

The law has also increased the maximum penalty for some types of preparatory terrorism offences, including the collection of terrorist information, to 15 years’ imprisonment.

Under Section 58(1) of the 2000 Act, it was an offence to collect or make a record of information that is likely to be useful to a person committing or preparing an act of terrorism.

But the government argued in the impact assessment for the 2019 Act (PDF) that this “would not capture a situation where a person viewed such material over the internet without obtaining a permanent access to it”, such as by streaming or viewing it online.

It said that the existing laws didn’t capture the “nuance” in “changing methods” for distribution and consumption of terrorist content – and so added a new clause into the 2019 Act (PDF), making it an offence to “view (or otherwise access) any terrorist material online”.

This means that, technically, anyone who clicked on a link to such material could be caught by the law – and rights groups are concerned about the potential for abuse.

‘Thought crime’…

In the summer, when the proposals were for multiple clicks, terrorism law reviewer Max Hill (no relation to your correspondent) told the Joint Committee on Human Rights that “the mesh of the net the government is creating… is far too fine and will catch far too many people”.

He also pointed out that the offence could come with a long sentence as the draft bill also extends the maximum penalties to 15 years’ imprisonment.

Corey Stoughton of rights campaigner Liberty echoed these concerns, and said the law should not cover academics and journalists, but should also exempt people who were viewing to gain a better understanding of the issues, or did so “out of foolishness or poor judgement”.

The UN’s special rapporteur on privacy, Joseph Cannataci, has also slammed the plans, saying the rule risked “pushing a bit too much towards thought crime”.

At an event during his visit to the UK, Cannataci said “the difference between forming the intention to do something and then actually carrying out the act is still fundamental to criminal law… here you’re saying: ‘You’ve read it three times so you must be doing something wrong’.”

The government said the law still provides for the existing “reasonable excuse defence”, which includes circumstances where a person “did not know, and had no reason to believe” the material accessed contained terrorist propaganda.

“Once a defendant has raised this defence, the burden of proof (to the criminal standard) to disprove this defence will rest with the prosecution,” the Home Office’s impact assessment said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/13/uk_counter_terror_act_royal_assent/

British and US militaries’ drone swarm hackathon definitely isn’t about army tech

The British military has commissioned a hackathon to develop drone swarms – while claiming that it’s definitely not about developing dual-use military tech.

A partnership between Britain’s Defence Science and Technology Laboratory (DSTL) and America’s Air Force Research Lab (AFRL) invites the public to “develop new and innovative ways to use unmanned aerial systems (UAS) to assist the emergency services to deal with wildfires”.

“The hackathon will explore innovative ways to plan missions using multiple systems to assist in the identification and prediction of how wildfires will spread and subsequently find preventative solutions, minimise damage and save lives,” said DSTL in a statement issued today.

It said those taking part would “use a range of collaboration platforms to explore different fire scenarios with an increasing level of complexity, working with experts from the Fire Service, DSTL and the wider Ministry of Defence”.

Participants are expected to develop “robust and resilient autonomy” for their swarms, as well as putting together “collaborative behaviour” techniques. The competition doesn’t involve any actual live flying, however, because the United States Air Force has provided a Java-based multi-UAV mission simulation suite called AMASE.

While the public emphasis of the hackathon is on search-and-rescue systems, the crossover with genuine military applications of drone tech is obvious. If you have a number of different nations using different software suites to command and control airborne drones, knowing how to easily combine those together paves the way to develop a multinational drone swarm – which could have uses for alliances such as NATO.

Did somebody say swarm squadrons?

On Monday the UK defence secretary, Gavin Williamson, made a speech in which he called for “swarm squadrons” of drones “capable of confusing the enemy and overwhelming their air defences”. He also said that the first practical trials would be taking place by the end of this year. Money for the drone swarm project comes from the Defence Innovation Fund, he added.

A drone swarm with each craft carrying a bomb, kamikaze-style, could overload an enemy’s defences – and even without bombs on board, the mere presence of a swarm of drones buzzing around could cause chaos at places such as airports, as hapless holidaymakers at London Gatwick airport found out the hard way in December.

Mick Hitchcock of the US Air Force said, as part of DSTL’s statement on the drone competition, that the winning British team would be shipped out to the embassy in Washington DC to “present their winning ideas”, as well as being sent to the Association for Unmanned Vehicle Systems International exhibition – for the American drone industry – which takes place at the end of April.

The UK drone hackathon will take place between 29-31 March at Southampton’s Solent University. Potential entrants are invited to sign up through this Eventbrite page. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/13/uk_us_drone_swarm_hackathon/

Lessons Learned from a Hard-Hitting Security Review

Information security is a corporate posture and must be managed at all levels: systems, software, personnel, and all the key processes.

About two years ago, our company found itself in late-stage service contract negotiations, and a mandatory security review as part of the process, with a Fortune 500 technology company in the Bay Area. This engagement turned out to have a significant influence on our thinking about security. At the time, Druva already had undergone almost all major cloud security compliance and certifications, including ISAE 3402 and the infamous FedRAMP (FedRAMP has authorized only slightly over 30 software-as-a-service products). However, this experience changed our outlook on security.

Information security is of increasing importance not only to all industries but the nation. If recent breaches have taught us anything, it’s that security is all about the weakest link. Even if you’re confident in your own technology, security can be a challenging learning experience and raise questions you’ve never thought about before. After being in such situations with some of the largest Fortune 500 companies, I’ve also learned it can be an opportunity to build a long-term competitive advantage.

Most security reviews consist of very similar (and sometimes rudimentary) questions around encryption, penetration testing, and compliance. In short, I was not worried about the extensive security review we were asked to undergo.

But when this particular review took longer than expected to complete, I started to get personally involved and was pleasantly surprised to see some really thorough questions. Some of them I still vividly remember:

  • Who has the authority to delete customer data?
  • How do you prioritize customer patching for zero-day attack?
  • What systems does the CEO have access to?
  • How many AWS region failures can your software tolerate?
  • How can you guarantee data durability over five years? How do you handle bit-rotting?

Security is all about the weakest link. And clearly, this customer had gone through practice challenges around security and was asking questions beyond the usual ones relegated to software.

While we had accounted for most of these situations in our product architecture, it was a great learning curve for us and helped improve our thinking. We went through almost 100 of these questions and then discovered that doing so just meant we had qualified for the real test. For the next phase, we met with the security team, which tested us thoroughly on software architecture.

There was one conversation that I distinctly remember:

Security expert: What information can I get if I physically access memory of Druva’s servers?
Druva rep: We run on AWS and any physical access is not possible.
Security expert: What if I use liquid nitrogen to freeze memory?
Druva rep: Not possible.
Security expert: What if I show you?
Druva rep: Sure … I will give up all my Star Wars collection.
Security expert: Show me the process to handle Linux kernel dumps, and if they are encrypted.
[Weird, awkward silence.]
Druva rep: You win.

Finally, when we thought we were done, we got a surprising call from the company’s purchasing department. The team told us further review and validation were needed. We tried to explain that we had just passed the security test, but they insisted we meet them regarding some of their findings.

I would admit that we were slightly arrogant going into the meeting, but what we saw surprised us again. They had done a detailed analysis (through third-party software) of Druva’s corporate security and had some tough feedback and questions:

  • Druva Wi-Fi needs to be secured by RADIUS/identity access.
  • Why do some of the execs have weak personal passwords?
  • Do you have endpoint security?
  • What processes do you have to guard against phishing?
  • Is there a background check in place for most employees?

What did we learn from this experience? It crystalized the idea that security is a corporate posture and must be managed at all levels: systems, software, personnel, and all the key processes. This customer truly took control of its security through an extensive vetting process, and applied the same principles to all its vendors.

A company that does not approach security holistically as part of its corporate culture will continue to put itself, its technology, its customers, and its partners at risk. At Druva, we manage hundreds of petabytes of customer data, and as a result of all the lessons, we have improved over the years. The main lesson? Security should be a part of every organization’s corporate DNA, and we’ve tried to live up to that.

This still does not mean we think that Druva can never be hacked. As former FBI Director Robert Mueller said, “There are only two types of companies: those that have been hacked, and those that will be.” But checks and balances build corporate immunity toward external and internal threats and greatly limit the exposure from any one such incident.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Jaspreet Singh, Founder and CEO of Druva, brings a combination of product vision and general manager experience that has allowed Druva to be one of the fastest-growing companies in the $28 billion data protection and management market. His entrepreneurial spirit enabled him …

Article source: https://www.darkreading.com/cloud/lessons-learned-from-a-hard-hitting-security-review/a/d-id/1333822?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Up to 100,000 Reported Affected in Landmark White Data Breach

Australian property valuation firm Landmark White exposed files containing personal data and property valuation details.

LandMark White (LMW), a commercial and residential property valuation firm based in Australia, was discovered to be exposing troves of consumer data via an unprotected online service.

The data appears to contain 57,000 client invoices with names, addresses, phone numbers, and email addresses, along with full property valuation notes, banking data, and other details typically included in property valuations, says Hack Notice founder Steve Thomas.

A report from the Sydney Morning Herald states up to 100,000 people may have been involved in the incident. However, each invoice could contain multiple people, which Thomas says could account for the discrepancy. There were also scans of signed contracts, which could have additional parties involved, and identities of agents were leaked — another number not included in the invoice count.

Hack Notice, a data breach notification service, regularly conducts reconnaissance and gathers threat intelligence to see what hackers are posting. Researchers discovered files containing LMW data on a Dark Web server and began indexing the information so they could alert clients. They soon learned the pool of data they were analyzing had more data than they thought.

“As we were looking, we started to get more concerned,” Thomas explains. “[There were] 57,000 people who had recently purchased a home or were about to purchase a home, which is a time hackers really like to commit fraud.”

The data was reportedly exposed from an internal file service at LandMark White, which may have set it up to facilitate information-sharing between agents and clients, he continues. A source says the web service did not require authentication, rendering the data vulnerable. Thomas explains there was a collection script in the Dark Web server that hackers could have used to collect the information, which they posted and shared via an Onion link.

As for the information exposed, some of the earliest files go back to 2015, Thomas says. The most recent dates go up to January 25, 2019. From what researchers can tell based on current findings, the data downloaded from the exposed service is all data from the past five years.

“This looks like it’s been replicated from the company’s site,” says Troy Hunt, Microsoft regional director and creator of HaveIBeenPwned. “It looked like HTML pages, [which] would imply someone has had access to an interface somewhere.” It seems someone gained access to an internal system, made requests, saved responses, and posted them, he explains. This data didn’t come from a database; it was scraped from a website or portal.

Files show the service exposing the data has been shut down, and the hacker who posted the data took the server down this weekend. They posted a message stating they planned to update with a new Dark Web server; however, they have yet to do so.

Details, Ties, and Implications
While that pool of clients is not insignificant, researchers are still working to ascertain the total number of people affected. Hack Notice reports 5 million files exposed. “It really is a wealth of information,” Thomas adds. “We’ve been looking at those records trying to figure out the amount of risk clients would face.”

Commonwealth Bank of Australia (CBA), Australia’s biggest lender, as well as ANZ Bank, have both suspended LMW from their panels of valuers, the SMH report explains. “The customer information that was disclosed relates directly to the valuations completed by LandMark White and includes customer name; contact details such as phone or email address; and details about the valued property,” CBA officials said in a statement.

CBA states no bank account information has been disclosed but is in the process of contacting more than 20,000 customers to share what happened. ANZ is still working to determine how its clients are affected, though as of now it appears to be “a very small percentage of customers” who had valuations done between November 2015 and December 2018, the bank reports.

This is limited to a small number of people, Thomas says, but it’s a “very concerning” event for those affected. After all, buying a home is among the largest purchases anyone undertakes. Further, the buying and selling of real estate is a major business for cybercriminals, he adds. Those whose information was exposed are vulnerable to phishing campaigns and wire fraud.

“We don’t know how it’s been used, or if it’s been used, but data like this is a fairly lucrative price for a hacker if they’re looking to commit fraud,” he notes.

LMW has hired external security firms to launch an investigation. “We are working closely with experts in IT and cybersecurity as well as our corporate partners, to achieve the best possible outcome for our clients,” LandMark White chief executive Chris Coonan said in a statement.

Hunt says he doesn’t see a relationship between this breach and other security incidents; this is likely standalone. “It’s yet another trove of data floating around,” he adds. He also doesn’t see a connection between this incident and LMW’s October 2018 acquisition of Taylor Byrne.

However, he does warn companies to be cautious when entering into M&A agreements. In many cases, data breaches become apparent only after the acquisition has been finalized and due diligence completed. While the breach is usually coincidental and unrelated to the purchase, it should be top of mind for businesses buying other companies.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/up-to-100000-reported-affected-in-landmark-white-data-breach/d/d-id/1333859?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ever used VFEmail? No? Well, chances are you never will now: Hackers wipe servers, backups in ‘catastrophic’ attack

A hacker wiped every server and backup of VFEmail this week in a “catastrophic” attack, according to the webmail service.

VFEmail admins detailed the network intrusion on Monday in a grim red-letter update posted to the site’s front page. The service’s founder Rick Romero also said it’s likely the webmail outfit is toast as a result of the ransacking:

While the site is once again up and running for paid users, it appears that, at least for all US customers, all their inboxes are empty, cleared out by one or more miscreants. “We have suffered catastrophic destruction at the hands of a hacker,” the site’s admins said. “This person has destroyed all data in the US, both primary and backup systems.”

Users who log in now will be able to send and receive new mails, but all old and archived messages are gone, as are any custom filters put in place to catch malware and spam. Free accounts remain unable to send email. This is particularly bad, as the ability to scan messages for junk and software nasties was a key selling point of the service, which was set up in response to the ILoveYou virus that spread via email in 2001.

This all follows a harrowing saga that played out on the webmail service’s Twitter feed over the course of the day as VFEmail provided real-time updates on the disaster:

Interestingly, as VFEmail noted, there was no indication that the hacker had warned or contacted the site for any sort of ransom or demand before the attack happened, suggesting the point all along was to completely wipe out the service.

We’ve asked VFEmail for more details and will share them when/if they come in. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/12/vfemail_hacked_wiped/

‘Picnic’ Passes Test for Protecting IoT From Quantum Hacks

Researchers from DigiCert, Utimaco, and Microsoft Research give a thumbs-up to a new algorithm for implementing quantum hacking-proof digital certificates.

Researchers at DigiCert, Utimaco, and Microsoft Research this week announced the successful test of a newly created algorithm named “Picnic,” with digital certificates used to encrypt, authenticate, and provide integrity for Internet of Things (IoT) devices.

The test used certificates issued by DigiCert using the Picnic quantum-safe digital signature algorithm developed by Microsoft Research. To implement the algorithm and issue certificates, DigiCert used an Utimaco Hardware Security Module.

The test is seen as a crucial step toward development of security solutions that will protect the IoT from advanced threats posed by quantum computing.

Scientists and engineers fear that quantum computers will provide the compute horsepower necessary to brute force many encryption schemes in a relatively short period of time, rendering devices that depend on digital keys, certificates, and strong passwords far less secure.

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/iot/picnic-passes-test-for-protecting-iot-from-quantum-hacks/d/d-id/1333855?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybersecurity and the Human Element: We’re All Fallible

We examine the issue of fallibility from six sides: end users, security leaders, security analysts, IT security administrators, programmers, and attackers.

First of a six-part series.

We are only human; we all make mistakes sometimes. Until the day when both the offensive and defensive sides of cyberattacks are conducted entirely by machines, we need to factor in human error as part of the cybersecurity process. Generally, when the topic of the human element is discussed, it focuses exclusively on the actions of the end user. But there is far more to the story than that. Every aspect of securing, defending, and attacking has a human element, an element that profoundly affects all the other components and guarantees that there can be no silver bullet in cybersecurity.

In this six-part series, we will address cybersecurity and the human element from the perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. For each perspective, we will explore common mistakes and the underlying issues that cause mistakes to happen, the repercussions of these mistakes, the processes and organizational changes needed to minimize mistakes on the defense side, and the fundamental changes the industry needs to reshape the current paradigm.

End Users
We begin with a look at the group that is often disparaged as the “weak link” in cybersecurity defense: the end users. These are the people who use our organization’s network, software, and hardware on a regular basis to do their jobs. Some are technology-savvy, others know only the very basics of how to use their devices, and many are somewhere in between. Most end users, including the technology-savvy, lack knowledge about cybercrimes.

Common Mistakes
We have all seen numerous occasions in which end users fall prey to typical attack scenarios. End users enter their user credentials on phishing sites, click on malicious links and malware attachments in spear-phishing emails, visit malware-laden websites in waterhole attacks, plug infected thumb drives into their machines, or leave laptops or mobile phones unattended (or have their devices stolen). Sometimes end users are just not thinking about security and make rookie mistakes, sometimes the attacks are stealthy and trick end users into believing they are legitimate, and sometimes the attacks are so sophisticated that only a trained eye would be able to catch them.

Repercussions
The result of end-user error varies based on the type of attack, but a common outcome is a malware infection if the threat is not detected and remediated by the endpoint security software running on the end user’s system. If sensitive data resides on the end user’s system, a malware infection could lead to a data breach or business disruption. Stolen credentials can be used to access or destroy data on the network. Malicious attachments or websites can infect the endpoint, leaving it susceptible to data exfiltration, data destruction (as in the case of ransomware), and lateral movement that could lead to further compromises on the network. Some incidents can be resolved with a straightforward technique, such as reimaging the infected system, but every case still requires review by the security team, which increases incident investigation and response costs.

Minimizing Mistakes
Naturally, one of our priorities is to minimize the end user’s exposure to malicious emails, websites, and the like so that there is less room for end-user error. This means implementing and continually fine-tuning the proper prevention technologies that weed out as many of the malicious attacks as possible (endpoint protection, email security, firewalls/web proxies, mobile device management, etc.).

It also means providing end users with training on why cybersecurity is important, and how they can be the “human firewall” who identifies cyberattacks, particularly email-based ones such as phishing/spearphishing attacks. This way, the end users not only refrain from clicking but also report incidents to us so that we can investigate and gain threat intelligence and prevention measures from it. Moreover, we need to deal with the inevitability of end user error by encrypting end user devices whenever possible so that data breaches do not occur when devices are lost, and by having solid incident response plans in place so we are ready to handle the infections that result from an erroneous click.

Change the Paradigm
We can’t view our end users as stupid or as “enemies” who are the obstacle to our work. Like us, they’re just trying to do their jobs. We cannot expect them to be able to identify malicious emails and websites as well as we can; that’s not their skill set. So, we have to be understanding when they, as expected, make mistakes. When we adjust the way we think about our end users, it improves the way we interact with them. This can go a long way toward improving the dynamics between the security team and end users. We certainly don’t want our end users to view us as the “enemy” who is the obstacle to their work. Improved relations begin with mutual respect. By working together we can help turn the “weak link” in cybersecurity defense into part of the solution.

Join us next time to discuss the second perspective in our series: security leaders.

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and …

Article source: https://www.darkreading.com/careers-and-people/cybersecurity-and-the-human-element-were-all-fallible-/a/d-id/1333789?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Devastating Cyberattack on Email Provider Destroys 18 Years of Data

All data belonging to US users, including backup copies, have been deleted in the catastrophe, VFEmail says.

An unknown attacker appears to have deleted 18 years’ worth of customer emails, along with all backup copies of the data, at email provider VFEmail.

A note on the firm’s website Tuesday described the attack, first reported by KrebsOnSecurity, as causing “catastrophic destruction.”

“This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” the note read. VFEmail was established in 2001 and provides free and paid email services, including bulk email services in the US and elsewhere.

The attack, described in a series of tweets from the firm, seems to have occurred on Monday and had targeted all VFEmail’s externally facing servers across data centers. Though the servers were running different operating systems and not all shared the same authentication, the attacker managed to access each one and reformat them all the same.

The firm apparently caught the perpetrator in the middle of formatting a VFEmail backup server hosted in the Netherlands. But by that time, the attacker had already managed to format all disks on every other VFEmail server. “Every VM is lost. Every file server is lost, every backup server is lost,” according to one of the company’s tweets.

The attacker sent no ransom notes and appears not to have made any attempt at contacting VFEmail. The motive seems to have been “just attack and destroy,” the company said.

Restoration

An update posted late Monday afternoon said the firm had restored webmail and was once again delivering incoming mail to users of its paid services. Mailboxes were being created upon new mail delivery. “There is currently no delivery mechanism for free accounts,” the update said.

The system used in the attack on the server hosted in the Netherlands had an IP address belonging to a service provider in Bulgaria. But besides that scrap of information, VFEmail did not appear to have any other information on the attacker or the attacker’s motives.

Several security experts are viewing the attack as an example of the devastating consequences of not having a well thought-out strategy for secure data backup and recovery.

“This raises questions of what disaster recovery strategy was in place and why data wasn’t backed up into cold storage, thus making it unavailable to attackers,” said Fausto Oliveira, principal security architect at Acceptto. Companies with a strategy in place for dealing with such attacks should have been able to recover at least a substantial part of the deleted data, Oliveira said.

Chris Morales, head of security analytics at Vectra, said attacks that have such extreme consequences are rare and highlight the value of maintaining offline backups and archives of data.

“Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data,” he said. Many organizations have begun using offline backups to counter potential loss from ransomware, he noted.

Such attacks also highlight the need for proper authorization controls for access to critical data, Balaji Parimi, CEO at CloudKnox Security, told Dark Reading. “Just having a backup and disaster recovery plan is not sufficient,” he says.

Organizations should also take care to avoid providing a single identity with complete administrative privileges on both primary and backup data, or having the ability to wipe data from multiple servers, he says. “Proper authorization controls need to be in place to mitigate these types of risks and reduce the blast radius,” Parimi says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/devastating-cyberattack-on-email-provider-destroys-18-years-of-data/d/d-id/1333857?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft, Adobe Both Close More Than 70 Security Issues

With their regularly scheduled Patch Tuesday updates, both companies issued fixes for scores of vulnerabilities in their widely used software.

Software makers Microsoft and Adobe both released large updates for their regularly scheduled Patch Tuesday releases today, with each company closing more than 70 security holes in their products.

Among the issues patched by Microsoft is a privilege escalation vulnerability in Microsoft’s Exchange server. The vuln allowed a security researcher to combine two other issues, creating an exploit that allows any mail user to become any other user or take control of the domain. The exploit for the flaw is already considered to be in the wild.

“This bug allows a regular user to escalate privileges to any other user on an Exchange server,” said Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative. “They could take over an account to send mail as a part of a phishing campaign, or they could just escalate and take over the server. Taking over an Exchange server would be the more likely scenario.”

The nearly 150 security issues fixed by the two companies could hint at another banner year for vulnerability research. In 2018, more than 16,500 vulnerabilities were disclosed, up 13 percent from the previous year, according to the National Vulnerability Database.  

The number of security issues that each company patched is large, but not unprecedented, according to Trend Micro’s Childs, who noted that the last few Adobe Reader patches have had a similar number of issues. 

“December and January are historically ‘light’ patch months for Microsoft, so the volume of patches this month isn’t that surprising,” he said.

Microsoft patched 47 issues in January and 39 issues in December.

One of the major issues identified by experts is a flaw in Microsoft’s DHCP server, which dynamically assigns network addresses to devices when they join a particular network. Such servers use the Dynamic Host Configuration Protocol (DHCP) to assign addresses from a local network subnet. In a blog post on the updates, Trend Micro added “[i]f you have a DHCP server on your network, and chances are you do, this patch should be at the top of you[r] list.”

“Most enterprises will have their DHCP server isolated from the Internet, so that adds some protection,” Trend Micro’s Childs said. “As far as I know, there are no workarounds for this bug. Patch quickly.”

Such servers are ubiquitous, but often the DHCP server is built into networking hardware such as routers. 

Security firm Tenable had the same advice for users of Microsoft’s Exchange server.

“If exploited, the vulnerability would give an attacker Domain Administrator privileges that would allow them to access domain user credentials,” Satnam Narang, senior research engineer at Tenable, said in a statement. “Given the severity and publicity of the vulnerability, organizations should patch immediately.”

Security firm Ivanti recommended that the patches for Microsoft’s operating system, browser, and its Office productivity suite be made a priority, as some of the Windows and Internet Explorer flaws are actively being exploited. The company also warned that Adobe Flash, Acrobat and Reader should all be patched quickly, as all are often targeted by attackers for compromise.

Adobe’s update patched 71 issues in Adobe’s PDF software, Acrobat and Reader, and another four issues in other software, such as Flash and ColdFusion. While the company said it is not aware of any exploitation of the issues, at least one of the vulnerabilities has a detailed technical analysis posted online.

While the number of vulnerabilities publicly reported through bounty programs is typically under 5 percent, almost a quarter of the security issues patched by Adobe were reported through the Zero Day Initiative, according to data from Adobe’s advisory. 

“The worst of the bugs fixed could allow an attacker to execute their own code on a target system,” ZDI stated on its blog.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/endpoint/microsoft-adobe-both-close-more-than-70-security-issues/d/d-id/1333858?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook defends gun-law loophole firm as “political advertisers”

A gun safety group has criticized Facebook for taking what The Telegraph reports is millions of dollars in advertising money to sell permits to carry concealed weapons to people who lack real-life training in handling firearms.

The Telegraph quoted David Chipman, a senior policy adviser at the Giffords Law Center to Prevent Gun Violence as well as a former SWAT team officer who has a concealed carry permit:

A company has choices to make, to look if it’s in the interests of their company to support people carrying guns that haven’t been trained to use them.

I would just want [Facebook] to make that decision with eyes wide open. You don’t get that training by answering multiple guess questions on the internet.

Facebook’s records reportedly show that the platform has taken in at least $3.7 million since May, advertising what’s called the “Virginia loophole”.

The Virginia loophole

Virginia, a gun-friendly state, allows people from other states to take an online class, pay a $100 fee and, after a background check, get a concealed “non-resident” carry license.

As local Texas station WFAA reported in May 2018, some other US states will honor the Virginia non-resident license, in spite of applicants never having to show that they know how to load a gun or shoot safely.

Showing that basic level of gun knowledge is a basic requirement to get a license in Texas. In fact, Texas law requires applicants for a concealed carry permit to complete at least four hours of classroom training, and to demonstrate that they can load and shoot a gun at a range.

But Texas residents, and those from other states, can skip right over the requirement and get a license online via the Virginia loophole. It’s as simple as answering 10 easy questions on a mobile phone, without ever actually touching a firearm or stepping foot inside a gun instruction classroom.

Thousands of Texans have obtained the Virginia non-resident permits. It’s unclear how many of the 50 US states honor Virginia’s non-resident carry permits. The Telegraph reports that it’s 30 states, while various sites such as this one say it’s 28. At any rate, it seems that more states honor it than don’t.

Who’s buying ads urging people to exploit the Virginia loophole?

According to the Telegraph, all those $3.7m worth of Facebook ads – 16,000 of them – are being taken out by a company called Concealed Online: a California-based company that put together that 10-question online test and profits from the fees paid by those getting permits.

Facebook has dubbed Concealed Online a “political advertiser”. It’s reportedly the third biggest such advertiser, after politicians Donald Trump and Beto O’Rourke.

It’s also a company that’s received an “F” rating – the lowest possible rating – from the US Better Business Bureau (BBB). In 2017, the BBB opened an investigation into Concealed Online, which advertises on Facebook that it can get consumers a permit to carry a concealed weapon…

…specifically – and this is at the heart of the complaints that have earned the company an “F” rating – it was advertising, via Facebook and Instagram, that it could get you a permit in states that don’t recognize concealed carry permits.

One such consumer complaint that the BBB received in October:

I paid 74.00 for the concealed online. They sent me a paper that said I need to fill out all this other stuff and send them 100.00. I want my money back; there was nothing said about having to have another 100.00, or all the other stuff they want. I just want my money back. I am sending these papers back to them. They never explained any of this.

Text from one of its ads, which you can view on Facebook’s ad archive:

YOU WILL NOT BELIEVE THIS! A now ALMOST GONE 2018 Timesaver Law Allows You to Become Eligible ONLINE to Carry Concealed!

But you have to act NOW, Gun Control Democrats are Planning on Banning the Law!

Start By Answering 6 Simple Questions and Get Qualified in Minutes! Laws are changing SOON⌛️ so don’t blow it! You can do it all ONLINE — right on your mobile phone or desktop computer.

Join 3 MILLION Americans who have already tapped into this Legal LOOPHOLE. But the clock ⏰ is ticking. The Democrats are pushing their agenda, so HURRY BEFORE TIME RUNS OUT ON YOU!

According to the BBB, the company never returned its calls. By 13 November, however, it had inserted disclaimers on its website, including pop-ups, reminding consumers that the permit is only valid in the State of Virginia and the other US states that honor this permit.

Facebook: Hey, they aren’t selling guns, so it’s free speech

Facebook bans ads for weapons of any kind, be they paintball guns, BB guns, firearm silencers, pepper spray, tasers, nunchucks, fireworks or explosives, among other advertising contraband.

Safety courses for firearm training or licenses are allowed, however. So is “political advertising.” Facebook told the Telegraph that it’s reviewed the Virginia loophole ads and found that they don’t violate its policies. Rather, the company considers them to be “political advertising” because they include “advocacy” of gun laws.

The Telegraph quoted a Facebook spokesperson:

Our goal is to increase transparency on Facebook and prevent foreign interference in elections. This is why we have implemented the authorization process, including requiring a ‘paid for by’ disclosure, and released a searchable Ad Archive.

Separately, we do not allow weapon sales in ads on Facebook, which is outlined in our advertising policies.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MEwx9anB-fo/