STE WILLIAMS

Is your child a victim of identity theft?

The Equifax breach was well over half a year ago now, but I’ve had a nagging worry all the while since then: Was my child’s data affected in that breach, and how could I possibly find out for sure?

After the Equifax breach, a number of people who had never even heard of the credit monitoring bureau (including people living outside of the U.S.) found out their personal data had been compromised – an unpleasant discovery, to say the least. Something that was and still is quite unclear after the breach is if any data belonging to children had been leaked.

The official line from Equifax or any other credit bureau is that children should never be affected by a data breach like this, as children are not supposed to have any kind of credit until they become legal adults, which in the U.S. is at 18 years of age. However, some parents checked the Equifax breach website to see if their child’s data was leaked, and alarmingly many people got a notice that their child’s social security number “may” have been involved – with no easy way to investigate further.

That operative word, “may,” is unnerving – this is not an issue you want to let sit and fester with unknown status, as child identities are a very tempting blank slate for criminals to misuse. Most people won’t even think of their child’s credit until the child becomes an adult. However, finding out someone has already established your child’s credit for them is a nightmare to try and clean up after years of damage already done – you can’t just scrap the old credit profile and/or social security number and get a new one.

The reason for the ambiguity from Equifax’s point of view is that in most cases there should be no child credit report or any record of the child at all in the hands of a credit bureau in the first place (though some parents add their teenager as an authorized user to a credit card the parent owns, which does result in the teenager having a legitimate credit report). So if a credit bureau has a credit report for your child and that data has been breached, unfortunately, you now have two problems.

Finding out if someone has your child’s data takes a little investigation work, but it is absolutely doable. Someone who has unauthorized access to a social security number won’t just sit on it, they’ll use it – to rack up bills, take out loans – and that will leave a paper trail. For an adult, you want to scour your paper trail/credit report for signs of foul play; however, in the case of a child, the complete absence of a paper trail is a good sign.

How to check if your child has a credit report

As noted above, unless you have explicitly taken actions to give your child credit, they should not have any kind of credit report at all. If you’ve added your teen as an authorized user to a credit card, they will have a credit report, and you should take the same steps you would as an adult – keep an eye on it for activity and credit checks that you don’t recognize, and place a freeze if you suspect foul play.

In all other cases, to find out if a credit report exists for your child, you’ll need to contact each credit bureau one by one – Equifax, TransUnion, and Experian. Only the parent or legal guardian of a child can do this. Prepare yourself for a lot of paperwork and waiting time on the phone; this is unfortunately not a quick process. You’ll need plenty of documentation on your side to prove you are who you claim to be, and that you are the child’s parent or guardian.

If you get the news that a credit report does exist for your child, you can:

  • Demand that all activity relating to your child’s name and social security number be cleared, including credit inquiries, activity, and the like.
  • Tell the credit bureau to immediately place a fraud alert on your child’s credit report – usually you only need to do this once as one credit bureau will notify the other two, but you may want to confirm this yourself.
  • Place a complete credit freeze on the child’s credit (not possible in all states yet).

Some credit bureaus will do all of this for you for free, others may still charge you a nominal fee, others may only do it for you if you live in a state that requires it – it depends both on the credit bureau and where you live. (Infuriatingly, there’s no uniform federal law about this yet.)

Keep a record of all phone calls you make, and if possible send requests to the bureaus in writing. The FTC, which has plenty of helpful resources for anyone in the U.S. who may have been the victim of identity theft, also recommends filing a fraud report with them, and if necessary, filing a report with your local police station that fraud has occurred.

Prevention is the best cure

The reality is that stranger-danger identity theft with child data is exceedingly uncommon. Most of the time, the people stealing a child’s identity and sensitive information to commit crimes are already in the child’s life: family and close friends. Regardless of who perpetrates the crime, it’s good to trust your gut if something feels off, especially if you see signs that your child’s identity may have been misused. For example, if you start receiving mail or phone calls in your child’s name about services, unpaid bills or collections, something is amiss.

The best thing you can do to keep your child’s identity safe is to be discriminating about who has access to their sensitive data in the first place. Don’t be afraid to challenge anyone asking for your child’s data and demand to know how they plan on keeping it safe. Mitigating your child’s chances of being the victim of identity theft takes vigilance on the part of the parent, and while it’s not the easiest process, it is doable.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sf1v6dLq25E/

World’s cyber attacks hit us much harder in past year – major infosec chief survey

Cyber security breaches were twice as severe in the past year, with total financial losses reaching $500,000 (£356,000) per business, according to an extensive survey of CISOs across the globe.

Some 32 per cent of breaches affected more than half of an organisation’s systems in 2017, up from 15 per cent the previous year, according to 3,600 security bods surveyed in Cisco’s annual cyber security report.

Financial damage included lost revenue, customers, opportunities, and out-of-pocket costs, said Switchzilla. Mark Weir, director of cybersecurity at Cisco UK and Ireland, told The Register the figure of $500,000 “could even be slightly conservative”.

The survey found one-fifth of UK respondents identified between 250,000 and 500,000 security alerts a day in 2017.

Increased threats could also be expensive for businesses in other ways. Last month the UK government warned that critical infrastructure firms could face fines of up to £17m if they do not have adequate cybersecurity measures in place.

Weir said the increase in severity of attacks is a “worrying trend” but added that some of the measures being put in place could take a while to have an effect.

One such tactic is the use of multiple security products to try to tackle the threat. Some 25 per cent of security professionals said they used products from 11 to 20 vendors, compared with 18 per cent in the previous year.

Weir noted malware and ransomware attacks have become more significant over the last 12 to 18 months, with denial-of-service attacks also becoming increasingly sophisticated, and impacting the bottom line.

He said email encryption is also on the rise – which creates more challenges and confusion when trying to identify and monitor potential threats.

Cisco threat researchers observed a more than threefold increase in encrypted network communication used by inspected malware samples over a 12-month period. “Our analysis of more than 400,000 malicious binaries found that about 70 percent had used at least some encryption as of October 2017,” the report stated.

Another major challenge spotted was patching systems – as seen during the outbreak of the WannaCry ransomware cryptoworm last year. Weir said that is particularly difficult when organisations have complex estates with multiple legacy systems that can no longer be patched.

He said application-level security was a key area. “I still think [it] is a real weakness across our entire industry. Some companies do it well, but not anywhere enough in the numbers needed to protect against attack.”

As such, companies could see an increase in their financial and reputational losses next year.

“We talk about the threats of ransomware, malware, application level security and IoT threat… but the reality is these people will attack wherever they see weakness. So organisations must have defences across the piece.

“I think the severity of some of those attacks will increase. Security strategy has to start with protecting data… the preservation and security of that data is critical.”

“Not surprisingly the people that propagate these attacks are very well funded, and well resourced. They work collaboratively, and I think as an industry we need to [do the same],” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/21/severity_of_cyber_attacks_have_doubled_over_last_year_finds_major_ciso_survey/

Getting Started with IoT Security in Healthcare


There’s a hazard that comes with introducing any new element into patient care whether it’s a new drug or a connected device. These four steps will help keep patients safe.

It’s estimated that by 2025, more than 30 percent of all Internet of Things (IoT) devices will be dedicated to the realm of healthcare – more than in retail, transportation and the personal security sectors combined. Already today, practitioners are using IoT tech to conduct portable monitoring, enact electronic record keeping initiatives, and to apply drug safeguards – all efforts that are streamlining operations and delivering safer, more comprehensive care to patients.

Through 2018, the healthcare industry is expected to save more than $100 billion in operating costs thanks to connected devices. But operational expediency is only part of the larger story of how IoT tech is having such a huge impact on this industry.

There’s a hazard that comes with introducing any new element into patient care, whether that’s a new drug or a connected device. Consequently, caregivers need to view new technologies through the same lens they apply to the medicines or techniques they adopt: change methods and tools only once they have been vetted and shown to actually deliver a benefit to patients.

But it’s a bit more complicated where healthcare IoT is involved since it’s not just the ability of these devices to operate effectively that’s a concern for patients and doctors. There are also serious questions around how secure these IoT tools are from outside threats, threats that could jeopardize patients’ wellbeing and personal security.

Here are four steps security teams should follow before introducing IoT devices onto their healthcare networks.

Step 1: Decide whether you want devices to share the connectivity of the larger healthcare network, or whether it makes sense to architect and manage a dedicated IoT network to support these new technologies. Depending on the scope of the existing network, it may be preferable to task a separate IT team with managing the IoT network, leveraging dedicated secure web gateways and defenses to parse the high-volume traffic that characterizes IoT communications.

Step 2: Before introducing a device onto the network, teams should ensure that two-factor authentication is in place for access to it, which is widely treated as a baseline for HIPAA compliance as well as a best practice in health IT.

Step 3: Strong encryption is a must for IoT, especially considering the intermittent nature of IoT communications: a device could be at rest for long periods of time before suddenly “waking up” and sharing data with a beacon or sensor in transit. As we explained in a recent article on the topic, full-disk encryption won’t cut it because it doesn’t protect data in motion, which leaves important data exposed to bad actors on the network path.

Step 4: While an inventory of all the IoT devices on the network is a must, teams would be wise to take it a step further by enriching this list with greater context. As IoT adoption ramps up, security teams should be able to easily reference where data resides in a “data bible” or “data dictionary” showing where data originates, where it travels, and the transmission capabilities of each device.

Healthcare IoT can be transformative in seemingly endless ways, from automating mundane tasks to simplifying the most complicated ones. But these tools are only as useful as they are secure, and implementing best practices on day one is the smoothest path to reaping IoT’s rewards. 

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company’s IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is …

Article source: https://www.darkreading.com/partner-perspectives/iboss/getting-started-with-iot-security-in-healthcare/a/d-id/1331090?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

C-Suite Divided Over Security Concerns

Survey shows 60% of CEOs plan to invest the most resources in malware prevention, but CISOs, CIOs, and CTOs are on a different page.

More than 60% of CEOs believe malware is the biggest threat to their organization, but just one-third of CISOs, CIOs, and CTOs agree. 

It’s just one data point in a new study by identity management company Centrify that shows a major disconnect on this and many other security issues between CEOs and their technical officers (TOs), which include CIOs, CTOs and CISOs. 

CEOs and TOs also diverged on whether they knew if their organization had experienced a breach. Only 55% of CEOs say their organization experienced a breach, while 79% of TOs say so. On the technology front, 62% of CEOs say two-factor authentication technologies are difficult to manage, while only 41% of TOs concur with that statement. 

“Part of the problem is that the technical people tend to try to keep the breach quiet,” says Tom Kemp, CEO at Centrify. “I think overall, the TOs need to do a better job managing up, because with SEC regulations and various state breach notification regulations, organizations really do have to report if they have been breached today.”

Kemp points out that 42% of TOs point to identity breaches as one of the primary threats to their organizations. And 68% of executives whose companies experienced significant breaches indicate it would most likely have been prevented by either privileged user identity and access management or user identity assurance. Only 8% of all executives whose companies experienced a significant breach say that anti-malware technology would have prevented the more significant breaches with serious consequences.

Frank Dickson, an IDC analyst who focuses on identity and access management, points out that the 2017 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords.

“Our goal is not to eliminate malware, our goal is to eliminate breaches,” Dickson says. “By strengthening authentication, it lets us build security into the network,” and potentially eliminate the vast majority of breaches.

Lawrence Orans, a research vice president at Gartner who focuses on network security, says he doesn’t think it’s helpful to set security up as a choice between identity management versus malware detection.

“For example, malware could be used to steal credentials and execute an even broader attack,” he says. “And it actually makes sense that there would be a disconnect between the CEO’s understanding of new security technologies versus the TO’s: that’s what the CEO has the technical people for in the first place.”

Centrify’s Kemp maintains that TOs need to educate their CEOs on identity management issues, citing the three main tenets of so-called zero trust security:

  • Verify users. Companies can do this with single sign-on software that’s layered in with two-factor authentication.
  • Validate devices. Have a procedure for determining if the devices are enrolled with the IT department with the right OS versions, patch levels, and antivirus software. IT must also check past usage, including a user’s geography. (A user can’t be in New York one minute, then San Jose five minutes later).
  • Limit access and privileges. Companies should move to a least-privilege model in which users only gain access to a system if they need it for their jobs, and only for a defined time period.
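The “validate devices” tenet above gives one concrete test: a user cannot log in from New York one minute and San Jose five minutes later. The following is an added example, not code from Centrify or the article, of that impossible-travel check in Python. It assumes login events already carry a geolocation (user, ISO 8601 timestamp with offset, latitude, longitude), uses a 1,000 km/h plausibility ceiling as an assumed threshold, and runs over constructed sample events rather than real logs.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner means the same person cannot have made both logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """events: iterable of (user, iso8601 timestamp with offset, lat, lon).
    Returns one finding per consecutive login pair (per user, in time order)
    whose implied speed exceeds max_kmh."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e[0])  # ingestion order is not time order
        for (t0, la0, lo0), (t1, la1, lo1) in zip(logins, logins[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600.0
            # Two logins at the same instant from different places: any real distance is
            # impossible; avoid dividing by zero instead of silently skipping the pair.
            if hours == 0:
                kmh = math.inf if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                findings.append({"user": user, "from": t0.isoformat(), "to": t1.isoformat(),
                                 "km": round(km), "kmh": kmh if kmh == math.inf else round(kmh)})
    return findings


# Constructed sample: the New York / San Jose case from the article, plus a benign
# New York / Boston pair four hours apart. Not real login data.
SAMPLE_EVENTS = [
    ("alice", "2018-02-21T09:05:00+00:00", 37.3382, -121.8863),  # San Jose
    ("alice", "2018-02-21T09:00:00+00:00", 40.7128, -74.0060),   # New York, logged out of order
    ("bob",   "2018-02-21T09:00:00+00:00", 40.7128, -74.0060),   # New York
    ("bob",   "2018-02-21T13:00:00+00:00", 42.3601, -71.0589),   # Boston, four hours later
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Only alice is flagged: roughly 4,100 km in five minutes. Bob’s 300 km in four hours is an ordinary drive. In practice the geolocation comes from an IP-to-location database, so a VPN or mobile carrier gateway can produce false positives; the threshold is a starting point to tune, not a fixed rule.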

The study was based on a survey of 800 senior executives conducted in November 2017 by Dow Jones Customer Intelligence, a unit of the Wall Street Journal/Dow Jones Advertising Department. More than 75% of the executives surveyed are CEOs or technical officers such as CIOs, CTOs and CISOs; the rest are their direct reports.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/endpoint/c-suite-divided-over-security-concerns/d/d-id/1331098?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bad news: 43% of login attempts ‘malicious’. Good news: Er, umm…

An extraordinary 43 per cent of all attempted online account logins are malicious, Akamai claims in its latest internet security report.

“Credential abuse” is an increasingly popular line of attack, thanks in large part to the ready availability of huge username/password databases that have been stolen and are sold online.

Akamai identifies two main types of such attacks: “bursty, high-speed login attempts” to break into people’s accounts, and “low and slow attempts to avoid apprehension by spreading login tries across longer time periods,” again to gain unauthorized access to profiles and systems.
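The two patterns Akamai describes need different detection logic: a burst is visible as a high failure rate from one source inside a short window, while a low-and-slow campaign never trips a rate threshold and only shows up when you look at how many distinct accounts one source has failed against over hours. The following is an added example, not Akamai’s code or anything from its report, of both checks in Python. The log line format, the thresholds (20 failures in 60 seconds; 10 accounts over 6 hours) and the sample log are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not Akamai's): one line per attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_log(lines):
    """Parse lines into (timestamp, source, user, result), time-sorted; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"].lower(), m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def classify_sources(events, burst_n=20, burst_window_s=60, slow_accounts=10, slow_span_h=6):
    """Label each source IP 'bursty' (>= burst_n failures inside any burst_window_s window) or
    'low-and-slow' (failures against >= slow_accounts distinct accounts spread over >= slow_span_h
    hours without ever bursting). Sources that match neither are omitted."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    verdicts = {}
    for src, attempts in failures.items():
        times = [t for t, _ in attempts]
        peak, lo = 0, 0
        for hi in range(len(times)):  # sliding window over the time-sorted failures
            while (times[hi] - times[lo]).total_seconds() > burst_window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        accounts = {u for _, u in attempts}
        span_h = (times[-1] - times[0]).total_seconds() / 3600.0
        if peak >= burst_n:
            verdicts[src] = "bursty"
        elif len(accounts) >= slow_accounts and span_h >= slow_span_h:
            verdicts[src] = "low-and-slow"
    return verdicts


def build_sample_log():
    """Constructed sample: one spraying bot, one patient bot, one fat-fingered human, one junk line."""
    base = datetime(2018, 2, 21, 9, 0, tzinfo=timezone.utc)
    fmt = lambda ts, src, user, res: f"{ts.isoformat()} src={src} user={user} result={res}"
    # 203.0.113.5: 25 failures against 25 accounts in 24 seconds
    lines = [fmt(base + timedelta(seconds=i), "203.0.113.5", f"user{i}@example.com", "FAIL")
             for i in range(25)]
    # 198.51.100.7: one failure per hour for 12 hours, a different account each time
    lines += [fmt(base + timedelta(hours=i), "198.51.100.7", f"acct{i}@example.com", "FAIL")
              for i in range(12)]
    # 192.0.2.10: two typos then a successful login
    lines += [fmt(base + timedelta(minutes=m), "192.0.2.10", "carol@example.com", res)
              for m, res in ((1, "FAIL"), (2, "FAIL"), (3, "OK"))]
    lines.append("garbage line the parser must not choke on")
    return lines


if __name__ == "__main__":
    print(classify_sources(parse_auth_log(build_sample_log())))
```

The sliding window is what catches the burst; the distinct-account count over a long span is what catches the patient attacker, who by design never exceeds a per-minute rate. Keying on source IP alone is the weak point: a botnet spreads both patterns across many addresses, so the same logic is usually also run per target account and per ASN.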

The content delivery giant even reckons it may be underestimating the problem because it only gathered data from websites that use an email address as a username, which still covered no less than six billion login attempts over two months. Banks typically require you to select a username rather than an email address, and are often the most persistent focus of attackers’ attention, for obvious reasons, so they are likely missing from this dataset.

In addition to detailing credential abuse, Akamai’s quarterly State of the Net report, out this week, identifies mobile devices, the internet of things, and APIs as the biggest, and somewhat bleeding obvious, new threats to online security.

API attacks more than doubled in the last quarter, we’re told. Akamai has also noticed a new trend in miscreants breaking into systems in order to use their computing power for activities including mining cryptocurrencies, rather than simply stealing information.

“We are seeing a new trend of enterprise systems being targeted, not only to steal their data, but to steal their computing resources, perhaps driven in part by the rise of cryptocurrencies and the potential value of mining resources,” the report notes.

And now for the… oh well

As for the good news – there is no good news. Denial-of-service and web app attacks continue to increase as the number of vulnerabilities identified grows over time. Criminals continue to make the most of “long-standing, tried-and-true attack vectors,” the report notes. That said, DDoS attacks were down one per cent from the previous quarter, so that’s… good?

As to how to protect yourself or your company, the main advice is – hold on to your hats – to patch existing, known flaws.

“Many of today’s attacks still leverage well-known vulnerabilities – flaws that have been documented and patched, and can be prevented,” the report stated, while banging its head on the table.

It goes on, slowly and clearly, in the hope that people are actually listening: “efforts to cover the basics – secure coding practices, timely patching, proper device configuration, and prudent password management – would go a long way towards fortifying defenses.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/21/login_attempts_malicious_akamai/

Researcher to Release Free Attack Obfuscation Tool

Cybercrime gang FIN7, aka Carbanak, spotted hiding behind another Windows function, according to research to be presented at Black Hat Asia next month.

Advanced nation-state and cybercrime groups increasingly are hiding behind legitimate Microsoft Windows functions to mask their hacks – and their latest method ups the ante in abuses of the basic command prompt.

The FIN7, aka Carbanak, cybercrime gang, known for attacking banks and most recently the hospitality and restaurant industries, was spotted last year by FireEye abusing the cmd.exe Windows binary. The novelty of the technique inspired Daniel Bohannon, senior applied security researcher for Mandiant, a FireEye company, to create a tool that helps organizations better defend against attackers who hide their payloads behind legitimate Windows commands.

Bohannon will release his new Invoke-DOSfuscation framework tool next month at Black Hat Asia in Singapore, where he will present his research on how attackers like FIN7 use the relatively basic cmd.exe to slip malware into their targets’ systems. 

“The way they used the [command process] blew my mind, so from that point forward, I started looking at command-execution obfuscation,” Bohannon says of FIN7’s activity.

The command prompt obfuscation method is another twist in what researchers refer to as “living off the land,” or fileless malware attacks, where attackers use native Windows tools on a victim’s machine to hide their activity and malware from detection-based security tools and whitelisting. “Attackers don’t need to drop custom malware on disk. They can use native tools and run everything in memory,” Bohannon explains.

PowerShell and Windows Management Instrumentation (WMI) tools were used in more than half of all attacks last year, according to a recent report from Carbon Black. Many organizations can only detect attacks when a file is written to disk, so in-memory attacks using legitimate Windows tools mostly go unnoticed. Attackers also use the same tools to move laterally without getting caught in the act.

Living off the land attacks can span the initial intrusion to the full compromise of a system, Bohannon notes. An attacker can send a malicious Word file via email that spawns commands and PowerShell execution, he says.

In Command

In his Black Hat presentation next month, Bohannon will detail the entire process he pieced together on how attackers such as FIN7 are using the basic command-line function to hide their activity. FIN7 employs a string removal/replacement method as well as some unique encoding methods in system memory, using cmd.exe.

“I’m sharing the whole process because defenders need to be informed about why these [techniques] work. They [attackers] do a lot that’s never seen [being] used in the wild, and I expect them to change” their tactics once the Invoke-DOSfuscation gets released, he says.

The caret (^) and double-quote (") characters, for example, are inserted into the command string to obfuscate the payload: cmd.exe strips them while parsing the line, so the command still runs, but a detection rule that looks for the literal command name no longer matches. So if an attacker inserts quote marks around his malicious string, it evades detection because it “breaks rigid detection rules,” Bohannon explains.

FIN7 traditionally had been known for hiding LNK shortcut files in DOCX and RTF documents, which allowed their phishing attacks to slip by most traditional security measures. Bohannon and his team last June discovered the group also hiding behind JavaScript and cmd.exe. The attackers split the string into “Wor” + “d.Application” instead of “Word.Application,” for example, and used other character replacements in cmd.exe in order to fly under the radar.

Bohannon says his homegrown Invoke-DOSfuscation tool lets intrusion detection investigators and red teams perform the steps attackers are taking to hide their payloads behind cmd.exe. It allows them to input any cmd.exe or PowerShell command and then create different levels of obfuscated output commands. That in turn helps them improve their detection methods, he says. “A defender can take any command and obfuscate it. They are able to plug in detection rules, and [check] ‘did I detect all these commands?'”

If not, they can tune their detection rules, he says.

“[It] allows defenders to generate hundreds and even thousands of unique obfuscated commands to test their defenses against,” basically automating the detection-testing process, he says. The goal is to get organizations “in front of” the command obfuscation method before it hits them.

Bohannon also previously released other PowerShell obfuscation frameworks, including Invoke-Obfuscation and Invoke-CradleCrafter, and a detection tool, Revoke-Obfuscation. The new Invoke-DOSfuscation tool represents his first cmd.exe obfuscation tool. “Invoke-DOSfuscation automates the application of numerous kinds and levels of obfuscation to any arbitrary input cmd.exe command,” he notes.

Meanwhile, advanced hacking teams are using more open-source tools both to hide in plain sight and to save on the labor and cost of writing custom malware. “It’s fascinating seeing nation-state actors using off-the-shelf open-source tooling because … they don’t have to spend R&D and build custom stuff” when they go open-source, Mandiant’s Bohannon says.



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/researcher-to-release-free-attack-obfuscation-tool/d/d-id/1331093?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Meltdown/Spectre: The First Large-Scale Example of a ‘Genetic’ Threat

These vulnerabilities mark an evolutionary leap forward, and companies must make fighting back a priority.

In the security industry, we all tire of hearing how the latest malware or vulnerability is “the big one.” Previous widely publicized vulnerabilities — such as Heartbleed or Shellshock — could be patched and managed with relative ease, though that’s still a daunting task for some large enterprises because of the number of systems that must be evaluated.

While superficially just another large vulnerability, Meltdown and Spectre represent an entirely new class of threat that dramatically escalates the need for effective security programs and practices.

These vulnerabilities will likely take years for large organizations to fully remediate, if they ever are before being made obsolete by equipment turnover. Businesses are struggling to understand the true scope of the issue. They are trying to decipher conflicting guidance from vendors, as well as manage the impact the patches have on applications.

With Meltdown and Spectre, we are witnessing the next evolution in security vulnerabilities and threats, one with a scope and spread that is nearly impossible to estimate today.

From Bacterial to Genetic
Malware has been rapidly evolving for as long as microprocessors have existed. In the early days, we had what I call “bacterial” threats, because, similar to bacteria, they were self-contained and did damage through multiplication and spreading. These were relatively simple malware — such as Slammer or Blaster — which, while they caused widespread disruption, were not too difficult to fix. The growth of malware led to the parallel evolution in tools designed to detect and prevent its execution, such as antivirus and intrusion-detection systems.

As malware evolved, the emphasis shifted from the direct execution of malicious software to the use of malware to exploit vulnerabilities in operating systems and applications. I call this the “viral” age of threats. Viral threat malware is usually singular and works through the exploitation of vulnerabilities, similar to how viruses infect vulnerable cells and hijack them for their own purposes.

With these viral threats — such as POODLE, Heartbleed, and Shellshock — the emphasis on the protective side led to new tools to understand the IT environment, discover vulnerabilities, and patch them in a timely manner. As the continual stream of publicly announced breaches demonstrates, we still have a long way to go in meeting this basic bar for protecting information and IT-driven business processes.

With Meltdown/Spectre, I believe we have seen our first large-scale example of a “genetic” threat, or a vulnerability in the processing hardware that lies at the heart of our IT ecosystem. The unforeseen consequences of hardware designs have us facing a problem unlike anything we’ve ever seen, not only in scope (almost the entire computing universe), but also in scale (the effort required to remediate these issues).

Fight Back
Hardware and software vendors and researchers are working furiously to try and understand the impact of these vulnerabilities and how to fix them. Early announcements to replace the affected CPU chips have rightfully been supplemented with more practical advice to apply appropriate patches as they’re released. However, that directive hides a host of issues unlike anything seen in dealing with prior vulnerabilities, no matter how widespread.

Addressing the Meltdown/Spectre vulnerabilities will likely require an exponential increase in the level of effort required for remediation, largely due to the number of patches required, the complexity of putting the right patch on the right system, and the testing required to understand the performance and stability impacts of the patches.

We are still in the early stages of this triage. Exploits are actively being developed; in fact, researchers have already found over 130 malware samples designed to exploit Meltdown and Spectre, most of them derived from the published proof-of-concept code rather than weaponized attacks. Companies must focus on building or enhancing the critical aspects of their security program that are needed to address this issue, in particular:

  • Asset management: Beyond knowing what systems are tied to what applications in what locations with what data, companies will likely need to understand what operating systems, CPUs, and possibly motherboards are in use in these systems to apply the right patches to the right systems. In addition, with the extensive use of cloud and SaaS solutions, companies must understand what their vendors are doing in terms of remediation, and the effects this can have on the performance and stability of the applications and business processes they have deployed in the cloud. 
  • Threat and vulnerability management: Companies must leverage threat information channels to keep up-to-date with new vulnerabilities, threats, and countermeasures, so they can apply patches quickly, correctly, and appropriately. Orchestrating the variety of patches across the variety of hardware, operating systems, and CPU models is a complex challenge that makes the simple patches of the past seem like a walk in the park. 
  • Risk management: Continual management of risk is the key to a successful information security program and is vital to the successful remediation of this issue. Beyond the simple calculation of ensuring that the most business-critical systems are patched first, additional consideration needs to be given to possible compensating controls that can be implemented if patches are not available, or have a detrimental impact on system or application performance and stability. These risk calculations need continual updating as the threat profile changes and as exploits for these vulnerabilities are announced.
  • Testing: Because the Meltdown/Spectre patches reach into the CPU itself (microcode updates) and into the lowest layers of the kernel and hypervisor (page-table isolation, retpolines), organizations need to perform more comprehensive testing than in the past. The traditional approach of a virtualized test environment that does not match production can leave it impossible to know what effect applying a patch will have on performance and stability, since the result depends on the exact CPU model and microcode revision. Creative testing scenarios should be developed, possibly leveraging segments of production systems or disaster-recovery systems, to test patches properly.
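
The asset-management and risk-management points above can be turned into a concrete patch queue for Linux hosts. The kernel reports its own Meltdown/Spectre mitigation state under /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and distribution backports), and that text, collected from each host, can be joined with an inventory tier and ranked. The script below is an added example, not code from the article or from Optiv; the host names, tiers, weights and file contents are constructed.

```python
"""Rank Linux hosts for Meltdown/Spectre patching from the kernel's own report.

Added example, not from the article. Linux 4.15+ (and distro backports) export
one status file per issue under /sys/devices/system/cpu/vulnerabilities/; this
joins that text with an inventory tier and orders the patch queue. Host names,
tiers, weights and file contents below are constructed.
"""
import os
import platform
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities/"
TIER_WEIGHT = {"critical": 3, "important": 2, "standard": 1}  # assumed tiers
NO_DATA = "no mitigation data (kernel may predate sysfs reporting)"

# Constructed sample: `grep -H . /sys/devices/system/cpu/vulnerabilities/*`
# as collected from four hypothetical hosts (legacy-01 returned nothing).
SAMPLE_HOSTS: Dict[str, Tuple[str, str]] = {
    "db-prod-01": ("critical", """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
"""),
    "web-01": ("important", """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable
"""),
    "build-01": ("standard", """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
"""),
    "legacy-01": ("standard", ""),
}

def parse_sysfs(text: str) -> Dict[str, str]:
    """{issue: raw kernel status} from `grep -H`-style 'path:status' lines."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            path, raw = line.split(":", 1)  # paths carry no ':', statuses may
            status[path.rstrip().rsplit("/", 1)[-1]] = raw.strip()
    return status

def classify(raw: str) -> str:
    """Bucket by prefix: 'Vulnerable: Minimal generic ASM retpoline' still
    starts with 'Vulnerable', i.e. the kernel says that build is not enough."""
    if raw.startswith("Not affected"):
        return "not_affected"
    if raw.startswith("Mitigation"):
        return "mitigated"
    if raw.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # wording from a newer kernel: escalate, never assume safe

@dataclass
class HostReport:
    host: str
    tier: str
    open_issues: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.open_issues) * TIER_WEIGHT.get(self.tier, 1)

def assess(host: str, tier: str, sysfs_text: str) -> HostReport:
    """Anything not explicitly mitigated/unaffected is open; a host that
    reports nothing is flagged as an inventory gap, not scored as clean."""
    report = HostReport(host, tier)
    status = parse_sysfs(sysfs_text)
    if not status:
        report.open_issues.append(NO_DATA)
    for name, raw in status.items():
        if classify(raw) in ("vulnerable", "unknown"):
            report.open_issues.append(f"{name}: {raw}")
    return report

def rank(inventory: Dict[str, Tuple[str, str]]) -> List[HostReport]:
    """Highest score first, host name as tie-break, so the queue is stable."""
    reports = [assess(h, tier, text) for h, (tier, text) in inventory.items()]
    return sorted(reports, key=lambda r: (-r.score, r.host))

def read_local_sysfs() -> str:
    """The same text for this machine; empty where the directory is absent."""
    if not os.path.isdir(SYSFS_DIR):
        return ""
    return "\n".join(f"{SYSFS_DIR}{n}:{open(SYSFS_DIR + n).read().strip()}"
                     for n in sorted(os.listdir(SYSFS_DIR)))

if __name__ == "__main__":
    for r in rank(SAMPLE_HOSTS):
        print(f"{r.score:>2} {r.host:<11}{r.tier:<10}{'; '.join(r.open_issues) or 'clean'}")
    me = assess(platform.node(), "standard", read_local_sysfs())
    print("\nthis host:", "; ".join(me.open_issues) or "clean")
```

Two branches carry the practitioner's point. A fleet query that silently scores a host with no sysfs data as clean is exactly how an old kernel stays unpatched, so missing data is an open issue. And "Vulnerable: Minimal generic ASM retpoline" is a kernel built with retpoline support by a compiler that could not emit it fully; the kernel itself reports that as still vulnerable, and matching on the prefix rather than on the word "retpoline" keeps the classification honest.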

If companies have not elevated the discussion around IT and information security risks and actions to boardroom levels, now is the time. IT health is critical to any modern organization’s success, and Meltdown/Spectre is the perfect example to use in discussing the risks and challenges in cyber-risk management. This function cannot be limited to a “black box” to be managed and cared for with little board- or executive-level oversight. This is a bedrock component to any company’s success, and leaders among technology and security disciplines should have a seat at the table.


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Michael Lines is Vice President, Strategy, Risk, and Compliance Services for Optiv, a security solutions integrator. He is responsible for leading Optiv’s security experts in helping companies develop and run the security programs that meet their business, risk, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/meltdown-spectre-the-first-large-scale-example-of-a-genetic-threat/a/d-id/1331071?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SWIFT Network Used in $2 Million Heist at Indian Bank

The theft at India’s City Union Bank comes on the heels of news that attackers stole $6 million from a Russian bank via SWIFT network last year.

In an attack reminiscent of the one on Bangladesh Bank in 2016, attackers this weekend made $2 million in unauthorized transfers from India’s City Union Bank via the SWIFT financial network, Reuters reports. One of the transfers, for $500,000, was stopped.

The attack comes on the heels of a Friday report that an unnamed Russian bank had suffered a $6 million theft via the SWIFT network last year, and reports last week that insiders at India’s Punjab National Bank had conspired in a $1.8 billion fraud case. 

The unauthorized transfers from City Union Bank – which were being made to lenders in Dubai, Turkey, and China through City Union Bank’s correspondent financial institutions – were discovered by a private lender Saturday. 

City Union’s CEO N. Kamakodi told Reuters there is “so far no evidence of any internal staff involvement,” but said “we are very clear now the account holders are part of this conspiracy.”

The Committee on Payments and Market Infrastructures, in September, called for greater security of inter-bank messaging services like SWIFT.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/swift-network-used-in-$2-million-heist-at-indian-bank/d/d-id/1331092?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Aims to Make Security More Social

Facebook’s massive user base creates an opportunity to educate billions on security.

Facebook’s user base of 2.13 billion presents the social media giant with both a challenge and an opportunity: securing a massive number of accounts while also educating users on best security practices.

Other social media platforms, including LinkedIn, Twitter, and Instagram, also have the chance to enforce and foster strong security among users. But are they capitalizing on that opportunity?

“Getting people to care about their online privacy and security is always a challenge,” says Paul Bischoff, privacy advocate with Comparitech. “Users are responsible for meeting Facebook halfway, but adjusting security and privacy settings is usually an afterthought that most of us put off for far too long.”

It’s an area where most social media companies could stand to improve, says Nick Hayes, senior analyst serving security and risk professionals at Forrester.

“There’s a lot more social networks can be doing for security to help users improve their overall security posture,” he explains. “Looking at the main social networks, there are different aspects of security we should be breaking into.”

Facebook has a broad reach, and its two billion users provide insight into how its ongoing security strategy is working. Hayes notes Facebook has done interesting and helpful things to boost user security, such as its early adoption of two-factor authentication.

“The one thing that we’ve definitely learned at the scale of two-billion-plus users is that there’s really no one-size-fits-all approach,” says Scott Dickens, product manager with the Facebook Account Integrity team, who led the redesign of Facebook’s Security Settings page last year.

Redesign with Security in Mind

“There’s a design focus on making sure users can easily identify and find the most important security tools,” Dickens explains. Its facelift included a top-level menu for security and login, and stronger focus on frequently used features.

“Change password,” the most common security function among users, is placed at the top, as is the option to set a cookie that remembers the login. Most people would rather get into their accounts by tapping a photo of themselves, says Dickens, than enter their password every time they log in.

“We try to work on making security settings super easy to understand,” he continues. “We wanted to take away as much jargon as possible and make it accessible to all of our users, not just the security experts.”

For example, he says, Facebook used to use “login approvals” as the term to access multi-factor authentication settings. The team later learned people were searching for those settings by entering “two-factor authentication,” and adjusted its terminology to match user behavior.

“We actually didn’t get that right,” Dickens admits. “It was one of those cases where, in trying to make it accessible, we may not have made it accessible to the audience who wanted to find two-factor authentication.”

Login security continues to be a focus. Facebook recently acquired Confirm.io, an identity verification startup specializing in tech that confirms user identities using photos of driver’s licenses or other forms of ID. Facebook has so far had little to say about its plans for Confirm and how the new company will fit into its strategy going forward.

“Confirm.io’s technology will most likely be used to improve and expand upon Facebook’s two-factor authentication function,” Bischoff predicts. It could improve security when logging in from unfamiliar devices and recovering accounts when someone loses credentials. “A biometric verification, such as a fingerprint or face scan, could serve as a more secure alternative.”

Facebook’s security initiatives also include a tool, added in December, that helps users tell genuine security emails from phishing. You can view “recent emails about security and login” from the Security Settings page, where Facebook lists the security-related emails it has actually sent to you. The idea is to stop people clicking through to fake login pages and entering credentials on malicious websites.

“It’s a way to better understand which emails Facebook sent you, versus which mails might look like they’re from Facebook but are not,” says Dickens. This was an area where Facebook noticed other online services taking action, and added the feature to match the rest of the industry.

Balancing Business with Security

Hayes says while these recent security features are key steps, there is more Facebook could do to protect its audience. For example, its emails about account notifications don’t contain much context, a move intended to get people to log into their accounts so they can view new messages. However, if emails had more context, it would be harder for attackers to replicate them.

The goal is to get people back on Facebook’s platform, Hayes continues, pointing to a tricky problem: while the company needs to protect users, it’s also a business that relies on consumer data to profit. The more people on Facebook, the more data and revenue it generates.

Identity and access management is another area where platforms could do more, he adds: protecting users’ connections with their followers, brand accounts, and the users who interact with company accounts, all of which are put at risk if an account is compromised.

“They could be doing a lot more to help people understand where users and followers, and the connections they have with others, are legitimate,” Hayes explains.

A recently added Facebook feature called “Protect,” located in the app’s navigation menu on iOS, redirects users to a download page for VPN service Onavo Protect, which Facebook acquired in 2013. According to the App Store page, Protect warns users when they visit potentially harmful sites. However, it also lets Facebook track users’ activity.

“Like most VPNs, Onavo encrypts all the Internet traffic traveling to or from a device and routes it through an intermediary server in a remote location,” says Bischoff. This does harden security, particularly on public WiFi, and can prevent Internet service providers (ISPs) from monitoring users’ activity.

Most VPN providers, however, don’t monitor or record users’ traffic. Onavo’s description says the data is used to “improve Facebook products and services, gain insights into the products and services people value, and build better experiences,” he continues. Instead of your ISP tracking your activity, Facebook does.

Going forward, Hayes says there is an opportunity for Facebook to be more transparent in identifying security issues, and partner up with security companies to offer additional protection for users who want it. Not everyone has the same risk profile and the same risk tolerance, and people who want tighter security should be able to add it.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/facebook-aims-to-make-security-more-social-/d/d-id/1331063?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook told to stop tracking users that aren’t logged in

In late 2015, a Belgian court ordered Facebook to stop tracking internet users in the country even when they were not logged into its site, or were not members of it at all.

Failure to comply within 48 hours would result in a €250,000 a day ($267,000) fine by the Belgian Privacy Commission (BPC), which brought the case.

Last week, in an eerie case of déjà vu all over again, a Belgian court ordered Facebook to stop tracking users not logged into its site or face a fine of €250,000 (now $315,000) per day up to a maximum of €100m. It must also delete data it had gathered from Belgians in this way.

Same issue, same result against Facebook more than two years on – what gives?

The legal answer is Facebook appealed against the 2015 judgement, winning in 2016 on the basis that because Facebook’s European HQ was in Ireland, the company should not be regulated by a court decision made in Belgium.

That appeal has, in turn, now been overturned, leaving the case more or less back at square one. Not surprisingly, Facebook said it will appeal yet again, which means the case trundles on.

The dispute is over the way Facebook is said to carry out commercial surveillance of internet users who come into contact with the site, sometimes with, but often without, their explicit consent.

It’s not the only company that does such things, of course, but it has become the European test case for where the acceptable lines should be drawn.

Most Facebook users might expect the company to track what they do on Facebook and other sites while logged into Facebook according to the company’s published ad policy.

What’s less appreciated is that Facebook uses technologies such as cookies, a snippet of tracking code called the Facebook Pixel, and even the ‘like’ and ‘share’ social buttons found on countless third-party websites to continue that surveillance across the web.

According to research commissioned by the BPC, this allegedly includes internet users who aren’t even members but merely encounter these features during browsing, or have opted out of tracking.

You can check out any time you like, it seems, but never really leave.
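
Each of the mechanisms named above leaves a recognisable trace in a page’s HTML, which is how a site owner or a privacy researcher can audit what a page ships to visitors before the browser ever contacts Facebook. The scanner below is an added example, not Naked Security’s or Facebook’s code; it assumes the hostnames and paths that Facebook’s own integration snippets use (connect.facebook.net/.../fbevents.js for the Pixel loader, the www.facebook.com/tr image beacon, and www.facebook.com/plugins/... for Like and Share buttons), and the page it scans is constructed.

```python
"""Spot Facebook tracking embeds (Pixel, Like/Share plugins) in a page's HTML.

Added example, not from the article. The hostname/path patterns are the ones
Facebook's own integration snippets use (connect.facebook.net/.../fbevents.js,
the www.facebook.com/tr image beacon, www.facebook.com/plugins/...); treat them
as assumptions to re-check against current documentation. The page is constructed.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Hit = Tuple[str, str, str]  # (kind, tag, evidence)

# Constructed page: the standard Pixel snippet (which injects fbevents.js at
# runtime, so a static scan only sees the script text and the <noscript>
# beacon), a Like button, and two first-party resources that must not match.
SAMPLE_PAGE = """<html><head>
<script>
var loader = 'https://connect.facebook.net/en_US/fbevents.js';
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
</head><body>
<img src="/static/logo.png">
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.com%2F&amp;layout=button"></iframe>
<script src="https://cdn.example.com/app.js"></script>
</body></html>"""

def classify_url(url: str) -> Optional[str]:
    """Label a fetched URL by the Facebook mechanism it serves, or None."""
    if url.startswith("//"):  # protocol-relative embeds are common
        url = "https:" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "connect.facebook.net" and parts.path.endswith("/fbevents.js"):
        return "pixel-loader"
    if host == "www.facebook.com" and parts.path == "/tr":
        return "pixel-beacon"  # 1x1 image: the request carries the FB cookie
    if host.endswith("facebook.com") and parts.path.startswith("/plugins/"):
        return "social-plugin"  # Like/Share iframe, loaded with FB cookies
    return None

class TrackerFinder(HTMLParser):
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[Hit] = []
        self._script: Optional[List[str]] = None  # buffer while in <script>

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(self.URL_ATTRS.get(tag, ""))
        kind = classify_url(url) if url else None
        if kind:
            self.hits.append((kind, tag, url))
        if tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._script is None:
            return
        body, self._script = "".join(self._script), None
        # The loader creates its <script> element at runtime, so the only
        # static traces of the Pixel are the URL string and the fbq() calls.
        if "fbevents.js" in body:
            self.hits.append(("pixel-loader", "script", "fbevents.js named in inline script"))
        if "fbq(" in body:
            self.hits.append(("pixel-inline", "script", "fbq() call in inline script"))

def find_trackers(html: str) -> List[Hit]:
    """All Facebook embeds found in `html`, in document order."""
    finder = TrackerFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

if __name__ == "__main__":
    for kind, tag, evidence in find_trackers(SAMPLE_PAGE):
        print(f"{kind:<14}<{tag}>  {evidence}")
```

Because the Pixel’s loader builds its script element at runtime, a static scan only ever sees the fbq() calls and the noscript beacon; anything injected later by a tag manager needs a headless browser with network capture instead. The beacon and plugin requests are the ones that matter for the Belgian case: each is a request to facebook.com from a third-party page, and the browser attaches whatever Facebook cookie it already holds, member or not.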

Facebook’s latest response to this accusation:

The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU.

Which includes consent:

We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.

Facebook’s problem is that this isn’t simply a case of an internet superpower being pestered in one country by a small European privacy watchdog – others are on its case too.

A week earlier, Facebook lost a case brought by German consumer organisations alleging its privacy settings were illegal under consumer law.

The company has already committed to turning on new privacy settings to comply with the EU General Data Protection Regulation (GDPR), whose full force will be unleashed this year.

Meanwhile, it is under the cosh over fake news and accusations it allowed itself to be hijacked to influence US elections.

Facebook has faced down many opponents in its time, but an ongoing war with Belgium over its approach to privacy is one it could do without.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rKN2hzgFYu8/