STE WILLIAMS

Somewhat unexpectedly, the overall volume of malware attacks leading up to and through this year’s Thanksgiving holiday weekend was actually substantially lower than for the same days last year.

Security vendor SonicWall, which tracks threat data on a continuous basis, says its customers encountered a total of 91 million attacks overall in the days preceding Thanksgiving and those immediately after: Black Friday, Small Business Saturday, and Cyber Monday.

The number represented a 34% decrease, or a third fewer attacks, compared with the same period in 2017. The decline was especially sharp on Cyber Monday, which by all early accounts was record-breaking both in terms of the number of online shoppers and sales.

Compared with the 22.6 million attacks that SonicWall shoppers encountered on Cyber Monday 2017, this year the number of malware attacks was 47% lower, at just under 12 million.

Each of the other days starting from Black Friday through Cyber Monday recorded smaller but still significant declines in malware attack volume. Malware attacks on Black Friday — when online purchases topped a record-breaking $6 billion — were 40% lower than in 2017.

SonicWall says one reason could simply be that cybercrooks are becoming more focused in their attacks. Instead of hitting consumers with an overly broad range of malware, they are narrowing their focus to the most profitable types of attacks.

One data point to support this theory was the sharp increase in ransomware attacks overthe online holiday shopping days. SonicWall says it recorded over 889,900 ransomware attacks on customers in the period between Nov. 19 and Nov. 27, a 432% increase over the 167,380 it recorded in 2017. The increase was especially dramatic on Black Friday (about 4,100 in 2017 versus over 113,300 this year) and Small Business Saturday (10,170 versus 103,600).

Phishing and cryptojacking attacks also increased this year compared with a year ago, SonicWall says.

Significantly, despite the decline in malware attacks during the Thanksgiving shopping season, malware attacks for 2018 as a whole are substantially higher than in 2017. Through the end of October 2018, SonicWall says, the total number of malware attacks was 44% percent higher than 2017 at the same point.

Related Content:

• Ransomware Attack Forced Ohio Hospital System to Divert ER Patients
• Retail Fraud Spikes Ahead of the Holidays
• 7 Holiday Security Tips for Retailers
• Anti-Botnet Guide Aims to Tackle Automated Threats

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/overall-volume-of-thanksgiving-weekend-malware-attacks-lower-this-year-/d/d-id/1333373?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

There were no grades, scores, or rankings, but today’s official release by MITRE of the results from its tests of several major endpoint security products could signal a major shift in the testing arena.

MITRE, a nonprofit funded by the US federal government, in its inaugural commercial tests pitted each product against the well-documented attack methods and techniques used by the Chinese nation-state hacking group APT3, aka Gothic Panda, drawn from MITRE’s widely touted – and open – ATTCK model.

Endpoint detection and response (EDR) vendors Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA, and SentinelOne played blue team with their products against a red team of experts from MITRE. Unlike traditional third-party product testing in security, the ATTCK (Adversarial Tactics, Techniques, and Common Knowledge) approach uses open standards, methods, and the vendors perform live defenses with their products.

The testing operates in a collaborative manner. “They invited the vendors in to help them drive the tool and show how they find [attacks],” says Mark Dufresne, vice president of research for Endgame. “MITRE was sitting right there, and the product wasn’t just chucked over the wall” and tested like in many other third-party tests.

“It was a collaborative and conversational, versus transactional, model,” he says.

MITRE tracks and documents how the tools are tuned and configured, and how they do or don’t detect an offensive move by its “APT3” red team, for example. The results get published on MITRE’s website for anyone to see and study.

“We really want this to be a collaborative process with the vendors; we want them to be part of the process,” says Frank Duff, MITRE’s lead engineer for the evaluations program. The goal is both to improve the products as well as share the evaluations publicly so organizations running those tools or shopping for them can get an in-depth look at their capabilities, according to Duff.

MITRE chose APT3’s methods of attack, which include credential-harvesting and employing legitimate tools used by enterprises to mask their activity. Each step of the attack is documented, such as how the tool reacted to the attacker using PowerShell to mask privilege-escalation.  ATTCK is based on a repository of adversary tactics and techniques and is aimed at helping organizations find holes in their defenses. For security vendors, ATTCK testing helps spot holes or weaknesses in their products against known attack methods.

The collaborative and open testing setup represents a departure from traditional third-party testing. Vendors and labs traditionally have had an uneasy and sometimes contentious relationship over control of the testing process and parameters. Longtime friction in the security product test space erupted into an ugly legal spat in September, when testing firm NSS Labs filed an antitrust lawsuit against cybersecurity vendors CrowdStrike, ESET, and Symantec, as well as the nonprofit Anti-Malware Testing Standards Organization (AMTSO), over a vendor-backed testing protocol.

The suit claims the three security vendors and AMTSO, of which they and other endpoint security vendors are members, unfairly allow their products to be tested only by organizations that comply with AMTSO’s testing protocol standard.

“The whole testing landscape is a real mess,” Endgame’s Dufresne says. “[But] as a vendor, it’s important to be there.”  

NSS Labs, which is a member of AMTSO, was one of a minority of members that voted against the standard earlier this year; the majority of members support it and plan to adopt it. “Our fundamental focus is if a product is good enough to sell, it’s good enough to test. We shouldn’t have to comply to a standard on what and how we can test,” said Jason Brvenik, chief technology officer at NSS Labs, in an interview with Dark Reading after the suit was filed.

Traditional third-party tests, such as those conducted by NSS Labs, AV-Test, and AV-Comparatives, focus mainly on file-based malware, Endgame’s Dufresne explains, looking at whether the security product blocks specific malware. “We do participate in those … but they truly miss a huge swath of overall attacker activity.”

MITRE’s Duff says there are different security product tests for different purposes. ATTCK is all about openness and providing context to the evaluation, he says. “All different testing services have their own purpose, value, and approaches. This is our approach, and we are hoping it resonates to the public.”

Even so, malware-based testing isn’t likely to go away. “I think some buyers like to see a number” like those tests provide, Endgame’s Dufresne says.

Greg Sim, CEO of Glasswall Solutions, says third-party testing was overdue for a change. Even when they garner high scores from the antimalware testing labs, some products continue to fail in real-world attacks, he says. “I think there’s going to be a different model,” he says, noting that his firm has run tests with MITRE, which it considers an example of a reputable third party for testing.

Another security vendor executive who requested anonymity says MITRE’s entry into the testing arena came just at the right time. “Emulating tradecraft of a known adversary, nation/state – for us on the vendor side, we’re saying, ‘Hallelujah, they are doing it the right way,'” he says.

MITRE’s new testing service represents new territory for the nonprofit, but that doesn’t mean its federal government work will subside. Vendors pay a fee, which MITRE would not disclose. “MITRE historically has focused on doing testing of solutions for US government customers or sponsors. That role is not going anywhere,” Duff notes.

MITRE hasn’t yet set a timeframe for its next series of tests, he adds, but the team will pick another APT group to emulate. 

“We are just trying to get at the ground truth on these tools,” Duff says.

Related Content:

• Mastering MITRE’s ATTCK Matrix
• Threat Hunting: Rethinking ‘Needle in a Haystack’ Defenses
• NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
• 7 Cool New Security Tools to be Revealed at Black Hat Europe 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/endpoint/mitre-changes-the-game-in-security-product-testing/d/d-id/1333374?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dunkin’ Donuts has alerted DD Perks account holders to a security incident after learning an unauthorized party accessed some of their usernames and passwords, NBC News reports.

DD Perks is a rewards program that lets Dunkin’ customers purchase food and beverages for pickup and receive free drinks via rewards points and on their birthdays. On Oct. 31, a security vendor detected a third party accessing users’ accounts. It believes these actors stole usernames and passwords from other companies and used them to attempt DD Perks logins.

Information exposed varies from user to user, depending on what was in their accounts. Dunkin’ reports third parties may have been able to access first and last names, email addresses (which are used as usernames), the 16-digit DD Perks account numbers, and DD Perks QR codes.

Dunkin’ reports its security vendor successfully blocked most of the attempted logins, but it is possible some accounts were accessed. It has launched an internal investigation and forced all potentially affected DD Perks users to reset their passwords and log back in with new ones. It has also taken steps to replace any stored DD Perks cards with new account numbers while retaining the cards’ values. Law enforcement is helping identify the parties responsible.

Users are advised to create unique passwords for their DD Perks accounts, as well as all online accounts, and to never use the same password twice.

Read more details here.

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/dunkin-donuts-serves-up-data-breach-alert/d/d-id/1333367?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The term “zero trust” was coined by Forrester in 2010. The concept was also central to the BeyondCorp architecture that Google was designing around the same time. Traditionally, companies assumed their corporate networks were secure. Google provocatively stated that the corporate network was no more secure than the public Internet and that every organization needed a security architecture that did not take trust for granted. Forrester described it less as myth-busting about network security and more as a necessary framework for data and computing outside the perimeter.

Whether corporate networks are secure or not, it is true that the traditional arbiters of trust — next-gen firewalls, VPNs, web gateways, network access control, network data loss prevention, locked-down PCs — have minimal value outside the perimeter. This is a growing issue because all new enterprise application innovations happen in the cloud, not on-premises, so a company that cannot compute outside the perimeter will rapidly get left behind.

Every company must find its answer to the zero-trust problem.

What Is Zero Trust, Really?
Trust is based on visibility. If I can see where my data is going and assess the corresponding risk, then I can make an appropriate decision about whether to allow access to my data in that environment. If I have zero visibility, however, I must assume zero trust. I cannot trust what I cannot see.

Because traditional security solutions provide minimal visibility outside the perimeter, organizations have a rapidly growing blind spot as data spreads across an information fabric that spans mobile endpoints and cloud services.

Our goal should not be to merely accept zero trust but to gain the visibility required to be able to establish trust in what otherwise would be a zero-trust world. Without trust, you cannot enable your users. Without enablement, they cannot do their jobs. The challenge is to enable them with the services they need without putting your business data at risk.

Every company must implement a new model of trust.

Is User Trust Enough?
Outside the perimeter, there is one element of trust that traditional security infrastructure can still (mostly) validate: user trust. I can usually establish whether users are who they say they are. But is that enough? No.

User trust is an essential element of the modern trust model. It is necessary, but not sufficient. The reason is that a trusted user in an untrusted environment should not have access to company data. Context matters.

Here’s an example: Let’s say I owe you $1,000. We can decide where to meet so I can give you that money. We can meet at my home or we can meet on a street corner in a dangerous part of town. You, the person standing across from me, are still the same, trusted individual. But my willingness to hand you that money should absolutely be different in those two environments. In one, the transaction will be successful. In the other, you’ll likely get mugged within a block. User trust is not enough. Context is critical to establish trust in a zero-trust world.

3 Steps to Get Started
Risk and trust balance each other. Don’t assume that more risk means less access, because the outcome will be that your users won’t be able to do their jobs. The more risk that exists in an environment, the harder you must work to establish enough trust to justify access to corporate data.

Like almost everything else in security, starting with basic hygiene and establishing a foundational process and architecture are the most important steps:

Step 1: Start with the user.
Technology is secondary. First, understand the environment in which business users want to do their work, not the environment in which you want them to do their work. Otherwise, you will end up establishing trust in an environment that no one is using, while the real work and actual data flows are outside your vision, completely unprotected.

Step 2: Respect the edge.
Mobile devices and apps have become a primary means for employees to consume data and access business services. That means data will be resident on a constantly growing number of mobile devices. Organizations must establish a data boundary on the device that prevents business apps from leaking data to consumer apps while also protecting the privacy of personal information.

Step 3: Assume constant change.
Think of it as a “dynamic-trust” world instead of a “zero-trust” world. Context is dynamic in modern computing. Change is the nature of both mobile and cloud: Devices move across networks and locations; new apps are downloaded; and configurations are modified. The key is to establish an automated and tiered compliance model that monitors for contextual changes and then automatically takes appropriate actions, such as notifying the user, asking for a second factor, expanding or blocking access, and provisioning or retiring apps.

Establishing True Trust
Your goal is to protect data across an increasingly fragmented information fabric outside the comfort zone of traditional security approaches. The modern access decision requires constant assessment because context is constantly changing. The path forward is moving to this dynamic model of modern security versus the static “I’m in, you’re out” model of the traditional firewall.

True trust is the combination of user trust with contextual trust: OS, device, app, network, time, location. Establishing true trust in a zero-trust world as the centerpiece of an automated compliance model gives users the freedom they need to get on with their work without losing company data.

Related Content:

• 7 Real-Life Dangers That Threaten Cybersecurity
• Enabling Appropriate User Access in a “Zero Trust” World (video)
• ‘Zero Trust’: The Way Forward in Cybersecurity
• Forrester Pushes ‘Zero Trust’ Model For Security

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Ojas Rege is Chief Strategy Officer at MobileIron. His perspective on enterprise mobility has been covered by Bloomberg, CIO Magazine, Financial Times, Forbes, Reuters, and many other publications. He coined the term “Mobile First” on TechCrunch in 2007, one week after the … View Full Bio

Article source: https://www.darkreading.com/network-and-perimeter-security/establishing-true-trust-in-a-zero-trust-world/a/d-id/1333353?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dell has reset passwords for all customers of its online store following a data breach in which the names, email addresses, and hashed passwords belonging to an unknown number of people may have been exposed.

In an advisory this week, the computer maker said it had detected unauthorized activity on its network Nov. 9 involving an attempt to steal customer data. While there’s no conclusive evidence the attackers succeeded, it is possible that at least some information was removed from the Dell network, according to the company.

To mitigate risk, the vendor has implemented a mandatory password reset for all registered Dell.com users. Next time these users attempt to login to their Dell accounts, they will be prompted to change their passwords. The hardware maker is also asking users to reset passwords on any other accounts protected by the same password they had used for Dell.com.

On a newly established customer update website, Dell described the incident and the password reset as primarily impacting customers of Dell.com, Dell.com, Premier, Global Portal, and support.dell.com.

The attackers do not appear to have targeted credit card and other sensitive customer information. The incident did not impact any of Dell products or services either, the hardware maker said.

Dell’s statement provided no information on how many users of its online site might have been impacted by the incident. But based on Dell’s actions, the number could be quite large, says Ilia Kolochenko, CEO of High-Tech Bridge.

“Usually, a mass password reset is a hallmark of a data breach impacting all customers,” Kolochenko says. “If it’s not the case, it should be clearly explained and emphasized.” Leaving customers in the dark about any breach involving personal data is never a good idea, he says.

The mass password reset could also be an indication that Dell is not fully confident about the resilience of the hashed passwords against brute-force cracking attempts.

Typically, password hashing should make passwords unusable to criminals. But a lot depends on the strength of the algorithm that is used for the hashing, says Jarrod Overson, director of engineering at Shape Security. “Without details, it’s safer to err on the side of caution, which, in this case, is that the hashes were generated with an algorithm that is quickly crackable, like MD5,” Overson says. With such hashing, a hacker could use a free, open source tool like Hashcat to automate the testing of common or generated passwords, he says.

Ideally, organizations should consider storing password hashes generated by an algorithm such as bcrypt, which is generally considered to be very resistant to brute-force hacking, Overson notes.

Email account data and passwords have become increasingly hot commodities in underground markets. Because many users tend to use the same password across multiple accounts, attackers have been increasingly using breached username and password pairs to try and break into as many accounts as they can.

Credential-stuffing attacks, where criminals automatically enter large volumes of leaked credentials into e-commerce and other websites, have become increasingly common in recent years. In fact, underground chatter related to compromised accounts increased 150% year over year on Black Friday and Cyber Monday, according to new holiday shopping season cyberthreat stats from Cyberint. Chatter about attack tools, predominantly for credential stuffing, increased 20%, according to the vendor.

The trend has focused growing attention on the need for strong password and user authentication measures. Hashing and encryption are increasingly seen as basic steps to ensuring password integrity in the event of a data breach.

Since Dell has said the passwords for Dell.com users were hashed, it is likely the company is merely being extra careful in resetting them anway.

“It’s a matter of how sophisticated their hashing technique was and how unusable the passwords could be for cybercriminals,” says George Wrenn, CEO and founder of CyberSaint. “Regardless, the fact that Dell pushed for a password reset would ideally block that risk. It is clear that Dell is aggressively dealing with the incident.”  

Related Content:

• Inside the Two Types of Account Takeover Attacks
• Fight ‘Credential Stuffing’ with a New Approach to Authorization
• 48% of Customers Avoid Services Post-Data Breach
• 12 Trends Shaping Identity Management

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/dell-forces-password-reset-for-online-customers-following-data-breach/d/d-id/1333369?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Council to Secure the Digital Economy (CSDE) and Consumer Technology Association (CTA) today announced the International Anti-Botnet Guide, a new publication intended to help organizations block botnets and other automated, distributed cyberattacks.

USTelecom and the Information Technology Industry Council (ITI) were also involved in building the guide, which is the product of nine months of collaboration. IT stakeholders can use the guide for basic and advanced practices to reference when defending against bots. These aren’t mandates or requirements, the guide points out. IT and security leaders can use them according to the circumstances, processes, and teams specific to their organizations.

No single stakeholder controls the connected economy, where bots have been both damaging and expensive. As the number of people, businesses, and devices grow, so does the potential for botnets to drive phishing, ransomware, distributed denial-of-service (DDoS_ attacks, and other digital threats. With the Internet of Things (IoT) poised to reach 20 billion devices by 2020, the global cost of cybercrime could reach trillions of dollars, researchers state in their report. Botnets are a driver of these losses.

“The botnet threat is more severe today than at any previous point in history,” researchers point out, referring to threats ranging from the Storm Worm botnet of 2007 to the 2016 Mirai botnet that gained access to nearly 400,000 devices, including video cameras and recorders. While most botnets don’t quite reach this scale, smaller attacks can disable websites and services, spread disinformation on social networks, and distribute ransomware.

“A host of bad actors are exploiting a target-rich attack surface,” said Robert Mayer, senior vice president of cybersecurity at USTelecom, at an event held for the report today. Two elements are needed to “address this plague,” he added: government and industry players working together, and all ecosystem stakeholders adopting measures to make the Internet resilient.

It’s a threat that poses myriad challenges throughout the IT ecosystem. Report writers argue infrastructure providers could do more to protect customers, and smaller providers need guidance and resources. Increased software security drives bad actors to build more complex exploits. Many connected devices aren’t built, configured, or installed with security in mind.

“There is no higher cause we all share than to address the challenges of our digital economy,” said Jonathan Spalter, president and CEO at USTelecom. “We understand this is a shared responsibility across our industries … a compliance-led regulatory model is not going to get us closer to the security that we all seek. This is proof of concept that industry … is ready to lead.”

Dean Garfield, president and CEO of ITI, emphasizes the need to get everyone on the same page sans regulation.

“The threat is asymmetric,” he says of botnets, which are constantly evolving. “If you define a solution that’s fixed in time, it’s unlikely to be as flexible and fluid as the threat.”

The botnet mitigation guide breaks its practices down into five types of provider, supplier, and user stakeholders in these categories: infrastructure, software development, devices and device systems, home and small business systems installation, and enterprises.

As an example of the guidance provided in the report, consider its subsection on botnet risk and mitigation among cloud and hosting providers, as part of its infrastructure section: “Because cloud networks are decentralized, they can typically withstand the disruption of numerous network components,” experts explain. “This architectural feature makes the cloud more resilient to highly distributed botnets and provides additional mitigation capabilities.”

Cloud services offer an added layer of security outside the ISP’s infrastructure, they continue, and this protection is increasingly handy as the scale of botnet attacks continues to escalate.

Overall, for infrastructure providers planning to defend against bots, the guide advises first identifying which assets need to be defended and the potential vulnerabilities leaving them exposed. Companies should stay up to date on exploits for each flaw they identify. As for advanced practices, they add, infrastructure providers with access to more resources may have security researchers on hand to analyze heuristics and behaviors to detect malware.

There are additional baseline and advanced practices for signature analysis, heuristic analysis, behavioral analysis, packet sampling, and honeypots under the “Detect Malicious Traffic and Vulnerabilities” section for infrastructure providers, as well as similar levels of guidance for mitigating against distributed threats with filtering, traffic shaping, blackholing, sinkholing, scrubbing, and BGP flowspec. Stakeholders across categories can find similar detailed guidance.

Related Content:

• Google, White Ops, Industry Players Dismantle 3ve Ad Fraud Operation
• Data Breach Threats Bigger Than Ever
• Who’s the Weakest Link in Your Supply Chain?
• 7 Holiday Security Tips for Retailers

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/anti-botnet-guide-aims-to-tackle-automated-threats/d/d-id/1333371?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple