STE WILLIAMS

Forget Shifting Security Left; It’s Time to Race Left

Once DevOps teams decide to shift left, they can finally look forward instead of backward.

It’s almost the end of the year, a time when many DevOps teams take some downtime and start planning improvements for the new year. With application breaches and never-ending development framework vulnerabilities dominating headlines recently, they’re looking for ways to stay out of the news.

Many teams hope they can improve their overall security posture just by introducing new security tools earlier in the development cycle. The truth is that organizations can’t make these reforms with new technology alone, so we don’t need to shift left — we need to race left!

Racing left isn’t simply a metaphor for speed, but a comment on all of the preparation that goes into racing. The term is inspired by Williams College professor Duane Bailey, who said racing is “the constant search for the weakest link.” Racing left in DevSecOps means building new processes while accepting that development, deployment, and testing never stop.

A Race with No Finish Line
The idea that security should be deeply entrenched with the DevOps teams seems like common sense, but it doesn’t usually happen. A generation of applications has been built using practices that fall far short of most common security standards, often using tools that are themselves outdated or vulnerable.

Many teams simply are not given the time, because they are in a never-ending sprint (see what I did there?) of adding new features and fixing bugs in existing code. This growing backlog keeps teams busy, but it is not the only barrier to success. There are other arguments against reforming these practices with security in mind, and most of them come down to a trade-off between agility and security.

Thinking Speed Equals Winning
Time to market is a serious concern for any company developing apps. There may be competitors working on similar products, or venture capitalists eyeing the burn rate nervously. There is immense pressure to get the latest build shipped. Inevitably, that means less time spent in quality assurance testing.

If You Are Reactive, You Are Losing
Security teams have worked as responsive teams since their invention, handling issues as they come up. Racing left requires rearranging cycles and redesigning workflows for a big chunk of the team. If you are responding to issues more than preventing them, you are behind the curve.

No More Hero Mode
Management runs on metrics. If your security team catches vulnerabilities during development, before they are pushed to production, the app clearly benefits, but the team may go unnoticed in the boardroom: a prevented vulnerability never causes the ripples of visibility that a discovered one does.

Getting Faster Is Expensive
Companies are buried in technical debt, with no realistic way out.

If the security team suddenly finds itself embedded in the development team, who is left to handle the overload of past promises? Organizations that have shifted left have had to choose between pulling support from reactive security and hiring new teams.

These roadblocks are huge (have you tried to hire an application security pro lately?), but there are huge reasons to shift left.

Let’s Think of This as a “Rebuilding Season”
Racing left requires organizations to draw a red line between the past and the future. It offers a clean break from the past and frees teams from the burden of dealing with accumulated technical debt. It’s an admission that the team is never going to be able to catch up. Once the decision is made to shift left, teams can finally look forward instead of backward.

Spend Minutes Now and Save Hours Later
At many development shops, code can get all the way through development and beta testing before the first static application security testing (SAST) or dynamic application security testing (DAST) tools are run against it. If an issue is found, the code goes back to the development team; in the worst case, it is pushed to production with a known issue. Redoing the work and retesting the code takes time that could be devoted to other things. Shifting left clearly creates more work early in the process. The long-term time savings may be hard to quantify, given the lack of clear metrics, but it stands to reason that they exist.

Racing Left Results in a Better Product
If you build apps to a documented security standard, your product is less likely to be the entry point for a devastating hack. Just look at the Equifax breach, where the vulnerability that was exploited was built atop an out-of-date framework.

Placing security teams within the workflow of continuous deployment models is long overdue. The shift left started decades ago and has proven to be a tremendous success. Though there will be internal resistance to changing the way apps are made, the long-term benefits are clear.


Jerry Gamblin’s interest in security ignited in 1989 when he hacked Oregon Trail on his 3rd grade class Apple IIe. As a security evangelist, researcher and analyst, he has been featured on numerous blogs, podcasts and has spoken at security conferences around the world. When …

Article source: https://www.darkreading.com/endpoint/forget-shifting-security-left-its-time-to-race-left/a/d-id/1333452?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft, PayPal, Google Top Phishing’s Favorite Targets in Q3

One out of every 100 emails an enterprise receives is a phishing scam, and the attackers behind them are getting more sophisticated.

Phishing attacks in Q3 2018 most frequently targeted Microsoft (19%), PayPal (17%), and Google (9.7%), report researchers from Comodo Threat Research Lab.

Email phishing is the most popular attack vector, and phishing scams represent one out of every 100 emails an enterprise receives, according to Comodo’s “Global Threat Report 2018 Q3.” Phishing URLs, seen in 40% of these emails, are growing in popularity, but malicious attachments, used in the other 60%, remain the most common lure.

Taking a closer look at subject lines, the most popular is “Your account will be locked” (PayPal), which was seen in 40% of attacks. “Info” (FedEx) came in second at 10%, followed by the “August Azure Newsletter” from Microsoft (8%).

The latter, according to researchers, reflected an “uptick” in quality because it was harder for recipients to realize the associated risk. The email, disguised as a survey related to a Microsoft Azure newsletter, contained a seemingly authentic URL and logo. It also lacked grammar and spelling mistakes that often give away phishing emails. But anyone who clicked the “Take the survey” button was directed to a malicious website.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/microsoft-paypal-google-top-phishings-favorite-targets-in-q3/d/d-id/1333470?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Arctic Wolf Buys RootSecure

The purchase adds risk assessment to Arctic Wolf’s SOC-as-a-service.

Arctic Wolf Networks has announced its acquisition of RootSecure Corp. in a move that brings risk assessment capabilities to the “SOC-as-a-service” Arctic Wolf portfolio.

In the announcement, Arctic Wolf noted that the RootSecure continuous risk assessment services will be offered either in conjunction with the Arctic Wolf SOC-as-a-service or separately.

Financial terms of the purchase were not announced. The acquisition closely follows Arctic Wolf’s $45 million Series C funding round.



Article source: https://www.darkreading.com/network-and-perimeter-security/arctic-wolf-buys-rootsecure/d/d-id/1333472?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mac Malware Cracks WatchGuard’s Top 10 List

Hundreds of sites also still support insecure versions of the SSL encryption protocol, the security vendor reports.

Mac users may have known in their hearts that this was coming: For the first time, Mac-based malware appeared on WatchGuard’s Top 10 list of the most common types of malware for Q3 2018. 

The latest “Internet Security Report,” which analyzed the 100,000 most visited websites on Alexa.com, also found that 6.8% of those sites still support insecure versions of the SSL encryption protocol.

On the Mac front, users can no longer assume that the operating system offers more effective security, says Corey Nachreiner, WatchGuard’s CTO. The Mac malware — which came in sixth on the security vendor’s list — is primarily delivered via email and tries to trick victims into installing fake cleaning software.

“Mac users that haven’t installed a security suite on the endpoint need to do so,” Nachreiner says. “The days where Mac users can go to airports, coffee shops, and use home networks without added protections like a firewall and IP reputation services are over.”

Marc Laliberte, senior security analyst at WatchGuard, says while it’s true Apple designs security into macOS, the market dynamics have shifted.

“Hackers look for where they can get the most ROI, and for several years it was with Windows machines,” Laliberte says. “Over the last five years, Mac laptops have become very popular, which is why we believe there is a surge in Mac malware.”

Websites Need to Upgrade to TLS
As for the sites that still support insecure versions of SSL, it’s time for them to consider upgrading to TLS, Nachreiner says.

In fact, for organizations that don’t collect sensitive information, it may make more sense to run an insecure site because running the website with https:// gives users the impression that the site is secure when it’s not, he adds.

“The last thing you want to do is give people a false sense of security,” Nachreiner says. “We recommend that organizations running websites with sensitive information use TLS 1.2 or TLS 1.3.”

The WatchGuard report found that 5,383 websites in the top 100,000 websites visited on Alexa.com still accept SSL 2.0 and SSL 3.0 encryption. SSL 3.0 has been outdated since 2015, while SSL 2.0 was deprecated in 2011. The report also found that 20.9% of the top 100,000 websites do not use encryption at all.
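A practitioner’s check for the condition the report measured, added here as an example rather than anything from WatchGuard: a hand-built SSL 3.0 ClientHello and a classifier for the first record the server sends back. It avoids Python’s ssl module and `openssl s_client -ssl3` because both depend on the local OpenSSL, which on current systems is built without SSLv3 and refuses before the server gets a say. The cipher-suite list, the two sample responses and the probe’s host argument are assumptions made for the example; SSL 2.0 uses a different record format and would need a separate probe.

```python
"""Probe whether a server still completes an SSL 3.0 handshake.

Added example, not code from the WatchGuard report. The record layer is
written by hand so the probe does not depend on a local OpenSSL that can
speak SSLv3. The two sample responses below are constructed for the example.
"""
import socket
import struct

SSL3_VERSION = b"\x03\x00"

# Suites an SSL 3.0-era server would recognise (TLS registry IDs):
# 0x002F AES128-SHA, 0x0035 AES256-SHA, 0x000A DES-CBC3-SHA, 0x0005 RC4-SHA, 0x0004 RC4-MD5
DEFAULT_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_ssl3_client_hello(cipher_suites=DEFAULT_SUITES) -> bytes:
    """Return a minimal SSL 3.0 ClientHello inside a handshake record."""
    client_random = b"\x00" * 32          # fixed for reproducibility; real clients randomise
    session_id = b""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    compression = b"\x00"                 # null compression only
    body = (SSL3_VERSION + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + bytes([len(compression)]) + compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # 0x01 = ClientHello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns for the ClientHello above."""
    if len(data) < 5:
        return "no-response"              # closed socket or nothing usable
    content_type = data[0]
    record_version = data[1:3]
    if content_type == 0x16 and record_version == SSL3_VERSION:
        # handshake body: type (0x02 = ServerHello), 3-byte length, then server_version
        if len(data) >= 11 and data[5] == 0x02 and data[9:11] == SSL3_VERSION:
            return "ssl3-accepted"
        return "handshake-other"
    if content_type == 0x15:
        return "alert"                    # usually protocol_version (70) or handshake_failure (40)
    return "unknown"


def probe_ssl3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSL 3.0 ClientHello and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample responses: a ServerHello agreeing to SSL 3.0 with AES128-SHA,
# and a fatal protocol_version alert from a server that has SSLv3 disabled.
SAMPLE_SSL3_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26"
                            + SSL3_VERSION + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"

if __name__ == "__main__":
    import sys
    print(classify_response(SAMPLE_SSL3_SERVER_HELLO),
          classify_response(SAMPLE_PROTOCOL_VERSION_ALERT))
    if len(sys.argv) > 1:                 # e.g. python probe.py example.com
        print(sys.argv[1], probe_ssl3(sys.argv[1]))
```

A server that is correctly configured answers "alert" (or simply closes the connection, which the classifier reports as "no-response"); "ssl3-accepted" is the finding the report counts. Run it against every name on a certificate and every listening port, since load balancers and legacy virtual hosts often differ.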


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/threat-intelligence/mac-malware-cracks-watchguards-top-10-list-/d/d-id/1333474?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Deception: Honey vs. Real Environments

A primer on choosing deception technology that will provide maximum efficacy without over-committing money, time and resources.

Deception technology is offering defenders the ability to finally gain a rare advantage over adversaries by doing something that other forms of defense can’t: provide early and accurate detection by planting a minefield of attractive decoys to trip up attackers. We’ve seen examples of this type of defense used by the FBI and other top law enforcement to catch criminals such as child pornographers and, more recently, egregious financial theft.

Decoys are designed to catch early-stage activity as the adversary looks to understand the network and how to find its target. I call this early stage of an attack “casing the joint,” and my research has shown that interrupting this stage — ultimately, reducing the dwell time of a potential attack — is crucial to protecting data. Defenders can watch what is happening, learn more about the nature of the attack, and better understand the way that the attacker is moving through a network or even a cloud-based file share.

More organizations are starting to look at deception as a way to plug the gaps in existing security solutions such as data loss prevention, encryption, access management, and user behavior analytics. But which form of deception is the right one? That is a decision each organization must make for itself, based on which approach makes the most sense for its environment.

Defining “Honey” Environments
Currently, most offerings in the deception market are focused on the buildout of complex honey environments, designed to lure attackers into fake systems to distract and track their behaviors.

A honeypot is a network-adjacent system set up to lure adversaries and to detect, deflect, or study hacking attempts. There are various types of honeypots, classified by the level of interaction they conduct with an intruder. When designed properly, honeypots are meant to prevent adversaries from accessing protected areas of an organization’s operational network. A properly configured honeypot should have many of the same components of an organization’s production system, especially data. Their most significant value is the information they can obtain on the behavior of the adversary and what the intent of the attacker is. Data that enters and leaves a honeypot allows security staff to gather information, such as the attacker’s keystrokes or their attempted lateral moves throughout the fake honeypot system.

A honeynet is a network of multiple honeypots designed to simulate a real network. Essentially, they are large-scale network decoys that mimic a collection of typical servers that might be found on a business network. According to the SANS 2017 report, “The State of Honeypots: Understanding the Use of Honey Technologies Today,” “Honeynets connect and interact in the same way a real network would — none of the connections between systems are emulated.” On a scale of 1 to 10, with 10 being the most effective, users of honeypots surveyed in this SANS report rated honeynets at 7.5 in terms of overall effectiveness. Like honeypots, the biggest value of a honeynet deployment is the intelligence security teams can gather on attacker behavior.

When properly built and maintained, honey environments can provide valuable information about how the attacker moves around in a network in search of data to exfiltrate. But only if the attacker enters the honeynet. 

Honey Hardships
There are some significant challenges and shortcomings that make honey environments difficult to deploy, manage, and maintain. Before investing, you need to conduct a serious cost-benefit analysis.

First, while honey environments are built and maintained outside of the enterprise’s operational environment, honeynets still require hackers to gain initial entry through the operational environment. Organizations must then hope that the breadcrumbs leading to the honey environment are convincing enough to actually lure the hacker. Also, once a hacker leaves the fake environment, there is no way of knowing if he or she re-enters the operational environment to continue an attack or what data they may have exfiltrated prior to tripping over a breadcrumb.

Second, the cost and resources required to create these environments can put a strain on security teams that are already overwhelmed by the number of security alerts and investigations they do on a daily basis. Organizations must establish an environment that mimics the operational environment in order to have any chance that attackers will believe it is real. Then, that environment must be maintained to keep it realistic. This level of investment and upkeep to make a honeynet work is no small commitment.

Third, there are limits to the usefulness of the data that honey environments can provide on adversaries. It’s true that they are a good method for learning more about how attackers move throughout a system in search of data to steal, but they reveal little about the actual hacker and what happens to data once it has been stolen.

Finally, adversaries have become increasingly sophisticated in identifying “tells” in honey environments. Hackers who present any serious threat will often target specific IP addresses that they know are valid machines. If a hacker wants to identify any honeypots sitting on a corporate network (a process known as “fingerprinting”), it is easy to do because the machine will either have no outbound traffic, or the deceptive traffic will be contrived and not follow a normal usage pattern. For a honeynet to have any value, an intruder shouldn’t be able to detect that he or she is on a fake system. The goal is to give the adversary a false sense of reality and a false sense of security that his or her actions are not being noticed or monitored.

Deception in the Real World
Deploying deception technology within operational and cloud environments allows security teams to detect and deceive attackers in the direct path to sensitive data instead of hoping they are lured away. Deployment of believable decoy documents inside operational networks provides all of the same benefits of honeypots and honeynets but negates the need to create and maintain fake environments.
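The decoy-document approach this paragraph describes, as an added example (not Allure Security’s code or any product’s): a honeytoken “saved credentials” file whose only link to the outside world is a unique hostname, and a detector that matches that hostname in ordinary DNS query logs and web access logs. A hit tells you which planted copy was opened and from where, without any fake environment to maintain. The canary domain, the placement paths and the log lines are all assumptions constructed for the example.

```python
"""Honeytoken decoy document planted on a real file share, and the detector
that watches ordinary DNS/HTTP logs for it.

Added example; not code from the article or from any deception vendor.
Assumptions: you control CANARY_DOMAIN and collect query/access logs for it,
and the decoy file is copied onto the share by other means. SAMPLE_LOGS are
constructed for the example.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

CANARY_DOMAIN = "vpn-sso.example.net"   # assumption: a domain only decoys ever reference


@dataclass(frozen=True)
class Decoy:
    token: str        # 16 hex chars, unique per planted copy
    placement: str    # where this copy was planted, so a hit says what was read
    lure_host: str    # hostname that exists nowhere except inside this decoy


def mint_decoy(placement: str, token: Optional[str] = None) -> Decoy:
    """Create a decoy whose only outbound reference is a unique hostname."""
    token = token or secrets.token_hex(8)
    return Decoy(token=token, placement=placement, lure_host=f"{token}.{CANARY_DOMAIN}")


def render_decoy_document(decoy: Decoy) -> str:
    """Fake 'break-glass accounts' note. The lure has to look routine: a bare
    random string in an otherwise empty file is a tell that experienced
    attackers recognise, so the token is buried inside an ordinary URL."""
    return (
        "# VPN break-glass accounts (do not share)\n"
        f"portal: https://{decoy.lure_host}/adfs/ls/\n"
        "user:   svc_vpn_backup\n"
        "pass:   Spring2018!vpn\n"          # constructed; never a real credential
        "note:   rotate after DR test\n"
    )


_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def detect(log_lines: Iterable[str], registry: Dict[str, Decoy]) -> List[dict]:
    """Scan DNS and web logs for any registered lure hostname; one alert per line."""
    host_re = re.compile(r"([0-9a-f]{16})\." + re.escape(CANARY_DOMAIN))
    alerts = []
    for line in log_lines:
        m = host_re.search(line)
        if not m or m.group(1) not in registry:
            continue            # unrelated line, or a token we never minted (scanner noise)
        decoy = registry[m.group(1)]
        ip = _IPV4.search(line)  # first dotted quad is the client in both log formats below
        alerts.append({
            "placement": decoy.placement,
            "source": ip.group(1) if ip else "unknown",
            "evidence": line.strip(),
        })
    return alerts


# Constructed sample: one planted decoy, a BIND-style query log, and an nginx access line.
SAMPLE_DECOY = mint_decoy(r"\\fs01\finance\vpn-accounts.txt", token="deadbeefcafef00d")
SAMPLE_LOGS = [
    "Dec 13 02:14:07 ns1 named[1234]: client 10.20.30.40#53211 "
    "(deadbeefcafef00d.vpn-sso.example.net): query: deadbeefcafef00d.vpn-sso.example.net IN A + (192.0.2.53)",
    "Dec 13 02:14:08 ns1 named[1234]: client 10.20.30.41#53212 "
    "(www.example.com): query: www.example.com IN A + (192.0.2.53)",
    '10.20.30.42 - - [13/Dec/2018:02:14:09 +0000] "GET /adfs/ls/ HTTP/1.1" 404 153 '
    "host=0123456789abcdef.vpn-sso.example.net",   # token never minted: ignored
]


def demo() -> List[dict]:
    return detect(SAMPLE_LOGS, {SAMPLE_DECOY.token: SAMPLE_DECOY})


if __name__ == "__main__":
    print(render_decoy_document(SAMPLE_DECOY))
    for alert in demo():
        print(alert)
```

The DNS lookup fires even when the attacker only opens the file offline and later resolves the name, which is why the lure is a hostname rather than a URL alone; minting one token per placement is what turns a hit into “the finance share was read,” not merely “someone found a decoy.”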

Deception that does not depend on honey environments can also be used to proactively fight back against hackers and leakers. Attackers rely on various tools for anonymity, and these tools often contribute to the success of bold attacks. Deception techniques not limited by fake environments can be used to pierce these tools and reveal attackers, often without their knowledge. This provides a unique advantage for organizations and law enforcement to hold hackers and leakers accountable.


Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has …

Article source: https://www.darkreading.com/perimeter/deception-honey-vs-real-environments-/a/d-id/1333464?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

U.S. Defense, Critical Infrastructure Companies Targeted in New Threat Campaign

McAfee finds malware associated with ‘Operation Sharpshooter’ on systems belonging to at least 87 organizations.

A cyberthreat group using malware tied to the Sony Pictures hack of late 2014 is attacking nuclear, defense, energy, and financial companies in what appears to be a campaign to gather information for future exploitation.

In October and November alone, the malware has appeared on systems belonging to at least 87 organizations, most of them in the US, McAfee said in a report this week.

The actors behind “Operation Sharpshooter,” as McAfee is calling the campaign, are distributing the malware via malicious Word documents purporting to be job recruitment-related. All of the malicious documents have English-language descriptions for jobs at unknown companies and have been sent from a US-based IP address and via the Dropbox service, the security vendor said.

“From what we were able to gather, the malicious documents were sent to target persons at organizations involved with key programs the actor was looking to gather data on,” says Ryan Sherstobitoff, senior researcher at McAfee.

McAfee has not been able to determine with certainty how the attackers are delivering the rogue Word document to target individuals, Sherstobitoff says. “But we suspect it was delivered via spear-phishing with a link to the site that hosted the maldoc,” he says.

The malicious document contains a weaponized macro that uses embedded shellcode to inject the Sharpshooter downloader into Word’s memory, McAfee said.

Sharpshooter initiates a four-step process to download “Rising Sun,” a second-stage implant that also runs in memory and collects intelligence about the machine. The second-stage binary is downloaded to the infected endpoint’s startup folder to ensure persistence on the system. Sharpshooter also downloads a second — benign — Word document from the control server, most likely as a decoy to hide the malware, McAfee said.

Rising Sun’s capabilities include collecting network adapter information, computer name, user name, IP address information, OS information, drive and process information, and other native system data. The malware then encrypts the harvested data with the RC4 algorithm and Base64-encodes the ciphertext before sending it to the control server. The control servers being used in the campaign are located in the US, Singapore, and France.
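The RC4-then-Base64 wrapping described above, as an added example rather than McAfee’s code or Rising Sun’s actual format: the article says only that the implant RC4-encrypts the collected data and Base64-encodes the result, so the key and the key=value layout used here are assumptions. The point for an analyst is the reverse direction: with the key recovered from a sample, captured beacons decode to the host profile, and the same routine lets you generate traffic samples for testing detections. RC4 is written out because it is a handful of lines and has no place in a modern crypto library.

```python
"""RC4-then-Base64 wrapping of a harvested host profile, and the reverse.

Added example, not McAfee's code and not the implant's real format. The key
and the key=value layout are assumptions; substitute the key recovered from
the sample. SAMPLE_PROFILE is constructed, not real host data.
"""
import base64
from typing import Dict, Iterator, Optional


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling algorithm, then the output generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def encode_beacon(key: bytes, fields: Dict[str, str]) -> str:
    """Serialise the profile as key=value lines, RC4 it, Base64 it (assumed layout)."""
    plaintext = "\n".join(f"{k}={v}" for k, v in fields.items()).encode("utf-8")
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(key: bytes, blob: str) -> Optional[Dict[str, str]]:
    """Reverse encode_beacon; None when the blob is not Base64 or the key is wrong."""
    try:
        plaintext = rc4(key, base64.b64decode(blob, validate=True)).decode("utf-8")
        return dict(line.split("=", 1) for line in plaintext.splitlines())
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: the kind of fields the article lists, not data from any host.
SAMPLE_KEY = b"example-c2-key"
SAMPLE_PROFILE = {
    "computer": "WS-FIN-042",
    "user": "jdoe",
    "ip": "10.20.30.40",
    "os": "Windows 10 Pro 1803",
    "adapter": "Intel(R) Ethernet Connection",
}


def demo_roundtrip() -> bool:
    """Encode the sample profile and confirm it decodes back unchanged."""
    blob = encode_beacon(SAMPLE_KEY, SAMPLE_PROFILE)
    return decode_beacon(SAMPLE_KEY, blob) == SAMPLE_PROFILE


if __name__ == "__main__":
    print(encode_beacon(SAMPLE_KEY, SAMPLE_PROFILE))
    print(demo_roundtrip())
```

Because RC4 ciphertext has no structure and Base64 hides even the byte distribution, a network signature cannot match the payload; detection has to key on the transport (POST sizes, beacon cadence, the control-server addresses) or on the host (the macro, the in-memory downloader, the file in the startup folder).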

The Rising Sun implant supports 14 different backdoor capabilities in total, including the abilities to terminate processes, clear process memory, and write files to disk, McAfee said in its report.

Shared Code and TTPs
What makes Rising Sun noteworthy is that it uses source code from Trojan Duuzer, a backdoor that North Korea’s infamous Lazarus Group used in its attack on Sony in late 2014 and early 2015.

There are several other similarities as well, McAfee said. The documents that are being used to distribute Rising Sun contain metadata indicating they were created using a Korean-language version of Word. Both malware tools use the same techniques for constructing and decoding library names and API names, and both have a nearly identical set of capabilities. Other tactics, techniques, and procedures used in the Sharpshooter campaign are also similar to those employed by the Lazarus Group in its Sony campaign, McAfee said.

However, the connections between the two campaigns are so obvious that it is quite possible the threat actors behind Operation Sharpshooter are planting false flags to make attribution more difficult, McAfee noted.

Rising Sun’s communication mechanism and encoding schemes are two areas where it differs from Duuzer. “[Rising Sun] is more sophisticated in terms of the implementation of the command code structure as well as the decoding scheme,” Sherstobitoff says. The encryption method it uses is more advanced than Duuzer, too. “There is clear indication this implant is not just an upgraded version of Duuzer,” he says.

But for all the sophistication of the malware itself, Operation Sharpshooter is yet another reminder of the threat companies face from employees opening attachments or clicking on links that they should have avoided.

“Phishing is one of the oldest techniques in the book,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. In most cases, phishing emails lack sophistication or are moved automatically to the spam folder. But with sophisticated campaigns such as Sharpshooter, even large companies are vulnerable, she said.

“Phishing emails play on a person’s emotions, providing a level of incentive for opening a file or clicking on a link,” Galloway said. The risk associated with phishing can be reduced through proper user awareness training, she said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/us-defense-critical-infrastructure-companies-targeted-in-new-threat-campaign/d/d-id/1333478?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bug Hunting Paves Path to Infosec Careers

Ethical hackers use bug bounty programs to build the skills they need to become security professionals.

Current and future cybersecurity professionals are using bug bounty programs to gain skills they can use to become security analysts, CISOs, or, in some cases, full-time vulnerability hunters.

As part of its 2018 “Inside the Mind of a Hacker” report, researchers at Bugcrowd polled 65,000 hackers from around the world to better understand who they are, what motivates them, and the sustainability of a hacker career. Most (81%) respondents credit bug hunting with helping them land a job in the security field, and many continue to use it to supplement full-time roles.

Five to 10 years ago, there weren’t enough bug bounty programs to turn the practice into a full-time position, says Jason Haddix, vice president of researcher growth at Bugcrowd. Now there is more opportunity: The top 50 hackers’ average yearly payout is $145,000, with over 600 valid submissions. The average payout per bug across the platform is $783.

Still, more people prefer to bug hunt on the side while working other jobs or attending university. Students spend 10 to 20 hours per week on ethical hacking, Haddix explains, and 66% of all Bugcrowd respondents spend up to 10 hours per week bug hunting. The practice is giving them valuable skills they can use to help fill the growing security talent gap.

“One of the things that was cool about this report was the amount the hunters are using this experience – finding vulnerabilities and bug bounties – to find jobs in security,” Haddix says. It’s an interesting educational path in a field where traditional college programs struggle to keep up.

Nearly 41% of bug hunters teach themselves and 43% use blogs and online resources to learn the skills they need. It’s a highly motivated group: Nearly 32% want to be full-time bug hunters, 15% aspire to be security engineers at major tech companies, and 6% are training to be CISOs.

The Best Education Is Experience
You don’t need a lot of experience to get into ethical hacking, Haddix points out. While 41.5% of hackers polled have three or more years of professional security experience, close to 30% have only one to two years, and 14.3% have no security experience at all. Bugcrowd’s hackers are relatively young, with nearly all (94%) between 18 and 44 and 71.5% between 18 and 29.

Higher education is still popular; 80% of respondents have attended college. But the percentage of those with a master’s degree (18%) matches the percentage of those who have a high school education or less. “Formal education is becoming the road less traveled,” Bugcrowd reports. Bug hunters have both the skills and experience companies look for in security job candidates.

“It’s powerful to say, ‘Instead of taking a certification or class, I found a critical vulnerability on a Fortune 500 company,'” Haddix explains. What’s more, they can offer proof of their expertise with a bug disclosure or status on a leaderboard. It goes “leaps farther” than a certification, he says.

The most prominent skill bug hunters learn is Web application hacking, which Haddix says makes up the biggest portion of today’s bug bounties. For those getting started, learning Web application testing is a good gateway into ethical hacking – and where the most opportunity is. Most university courses don’t dig into Web hacking, he adds, and online resources provide wannabe hackers with fake vulnerable applications they can dig into for practice.

“Practical experience is the one thing you seem to lack in today’s security researchers,” Haddix adds. “We need people with experience. New people are having a hard time getting into security.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/bug-hunting-paves-path-to-infosec-careers/d/d-id/1333479?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Worst Password Blunders of 2018 Hit Organizations East and West

Good password practices remain elusive as Dashlane’s latest list of the worst password blunders can attest.

When it comes to security, there are many things humans do badly. A new end-of-the-year list provides a new batch of evidence that passwords are among the worst.

The “Worst Password Offenders of 2018,” assembled by password management vendor Dashlane, goes from the ridiculous to the horrifying.

The No. 1 offender on the list sits at the ridiculous end: Kanye West, who shared his password, 000000, on television as he unlocked his iPhone to show the screen to President Trump during an Oval Office meeting.

The remainder of the top 10 offenders lean heavily toward government or quasi-government agencies, with the second offender one of the most worrying: the Pentagon. A Government Accountability Office (GAO) audit found that many system admin passwords could be guessed in as few as nine seconds, and ” … software for multiple weapons systems was protected by default passwords,” according to Dashlane. Those passwords, the GAO noted, could be found by anyone with a knowledge of the systems’ manufacturers and a working understanding of how Google works.

“Unfortunately, changing the default password wouldn’t make a huge difference,” says Emmanuel Schalit, CEO of Dashlane. He notes that the most significant issue is a limitation of the human brain. “The most important thing you can do as an individual is to never reuse passwords,” he says. “Always have a different password for every different service.”

That reuse becomes challenging, Schalit explains, because “the average consumer has 200 passwords, and it’s impossible to manage them all without technology to help manage the digital identity.”

Other offenders on the list include Cambridge University, for exposing records of thousands of experimental subjects because a password was left in a GitHub repository, and Nutella, for suggesting that its Twitter followers use the word “Nutella” as their passwords as a “helpful” suggestion on National Password Day.

Some have promoted the use of two-factor authentication (2FA) as a way to reduce the impact of poor password hygiene. Schalit, too, says two factors should be used wherever possible, though its overall effectiveness is limited by two major factors. The first is that 2FA isn’t available for many services, he points out.

Second, even where it is available, 2FA frequently uses SMS as part of the second factor, and ” … it only costs a few dollars to buy the text messages of an individual,” Schalit says.

It’s important that individuals work to improve their digital practices, he adds, because the issues with secure digital identities go beyond personal finance. “It’s not an individual issue anymore — it’s a global issue,” he says. “Whenever one of us is breached or compromised, that doesn’t just impact the individual. It starts to erode the very fabric of the Internet when it becomes too dangerous, too risky.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/privacy/worst-password-blunders-of-2018-hit-organizations-east-and-west/d/d-id/1333480?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Economics Fueling IoT (In)security

Attackers understand the profits that lie in the current lack of security. That must change.

2018 might be remembered as the year security truly made its entry into the minds of enterprise Internet of Things (IoT) users. As a consequence, device manufacturers have learned to appreciate the value that security brings to their brand and its impact on their sales, while customers — specifically, enterprise users — have started to use the power of their wallets to demand security be baked into the products they buy.

Earlier this year, Bain & Company reported that enterprise IoT customers would be willing to pay 22% more for, and buy 70% more of, IoT devices if security were better. For an industry valued at $157 billion just over a year ago, the economic growth that could follow improved security would be astronomical.

But it isn’t only the manufacturers who see security as a key source of increased income; attackers have begun to understand the profits that lie in the current lack of security. Cybercriminals are noticing the security flaws in the ever-growing connected devices world that can lead to handsome profits.

Ransomware, the Proven Route
It seems every discussion about the profitability of cybercrime starts with ransomware, and with good reason. In the first half of 2018 alone, a total of 181.5 million traditional ransomware attacks took place. Furthermore, the average duration of an attack is now 23 days, leading most to believe the situation couldn’t get much worse. However, IoT ransomware is only now starting to take flight, meaning that those numbers could still grow considerably.

IoT ransomware is different from its IT counterpart. While ransomware installed on a computer usually leverages the risk of data loss to compel victims to pay, most IoT devices upload their data to the cloud continuously, forcing attackers to rethink what will force the victim’s hand. If past attacks are any reference, cybercriminals are learning that different devices require different approaches. For example, an attack on smart TVs can be performed at any time but has relatively low value, as seen in the late 2016 breach of LG TVs, in which victims were asked to pay $500 to free infected TVs. An attack on a hotel, by contrast, is most damaging at peak season, as in 2016 when an Austrian hotel paid 2 bitcoins to open its rooms’ hacked smart locks.

Although ransomware has proven fairly profitable over time, it has multiple downsides. The two main ones are that the attacker’s malware is revealed once the attack is carried out, making it difficult to replicate, and that there is no certainty the victim will actually pay. As a result, we might be reaching the dawn of a new age, one of cryptocurrency miners aimed at IoT.

Cryptocurrency Mining
Miners leverage computers’ processing power to mine for cryptocurrencies, so the more processing power, the more crypto that can be mined. As such, attackers prefer leveraging high-power devices such as computers, but those come with a higher risk of detection. IoT devices, on the other hand, usually lack user supervision of CPU usage, making them even better targets. In the first half of 2018, the total number of detected cryptomining attacks grew to a reported 787,000, from only 74,547 in the first half of 2017.

For enterprises and users, the damage done by cryptocurrency mining malware comes from the additional energy consumption and device burnout, which reduces lifespan, leading to faster renewal cycles and increased costs. For cybercriminals, though, the rewards can be incredibly high. Reports earlier this year estimated that a compromised device could generate $0.28 in Monero, a cryptocurrency, per day. Although this number might seem low, an attack such as the one on MikroTik routers this past August, where over 200,000 routers were infected, could generate a tidy $56,000 per day. And with attacks going unnoticed, this healthy revenue stream could go on for days at a time.

Reducing IoT Cybercrime Profitability
Cybercriminals targeting IoT devices have begun to uncover the benefits described above, and that is before even discussing data theft, where something such as a single electronic medical record could be worth $1,000 on the black market. Ransomware, crypto-mining and data theft attacks are having greater repercussions for the victims and greater rewards for the attackers. And this might only be the beginning, as attackers find new, creative ways to leverage the existing flaws for their personal gain.

To reduce IoT cybercrime, its profitability must be reduced as well. However, as the current landscape is proving, the solution doesn’t lie at the enterprise or user level. It must lie with the manufacturers of the connected devices. Only when these manufacturers begin to build truly secure-by-design products that follow standardization guidelines and best practices will we begin to see the trends reversed and cybercrime reduced.

Ariel Kriger joined VDOO from Palo Alto Networks, where he headed the global Channel G-T-M strategy and management for the company’s entire emerging technologies portfolio. He previously led the global channels for Cyvera, which was acquired by Palo Alto Networks in April …

Article source: https://www.darkreading.com/endpoint/the-economics-fueling-iot-(in)security-/a/d-id/1333463?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Education Gets an ‘F’ for Cybersecurity

The education sector falls last on a list analyzing the security posture of 17 US industries, SecurityScorecard reports.

A new report evaluating cybersecurity for 17 US industries puts the education sector in last place, sparking concern as businesses in the space collect and store more students’ data.

Researchers at SecurityScorecard analyzed 2,393 education-focused organizations with a footprint of 100-plus IP addresses between April and October. They found three key areas of poor performance: application security, patching cadence, and network security. It’s driving concern as educational institutions house not only student data, but intellectual property.

Student records include names, addresses, Social Security numbers, test scores, behavioral assessments, personal health data, and more information that’s valuable to cybercriminals. In addition, research universities are often targeted for sensitive project data.

Organizations store all of this information on-premises and in the cloud, where it’s often accessible to third parties. “Securing these networks and protecting this information is essential to protect the future of innovation and privacy,” says Sam Kassoumeh, COO and co-founder of SecurityScorecard, in a release on the news.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/perimeter/education-gets-an-f-for-cybersecurity/d/d-id/1333484?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple