STE WILLIAMS

Tinder user? Lack of encryption means stalkers can watch you at it…

You may never have used Tinder, but you’ve probably heard of it.

We’re not quite sure how to describe it, but the company itself offers the following official About Tinder statement:

The people we meet change our lives. A friend, a date, a romance, or even a chance encounter can change someone’s life forever. Tinder empowers users around the world to create new connections that otherwise might never have been possible. We build products that bring people together.

That’s about as clear as mud, so to keep it simple, let’s just describe Tinder as a dating-and-hookup app that helps you find people to party with in your immediate vicinity.

Once you’ve signed up and given Tinder access to your location and information about your lifestyle, it calls home to its servers and fetches a bunch of images of other Tinderers in your area. (You choose how far afield it should search, what age group, and so on.)

The images appear one after the other and you swipe left if you don’t like the look of them; right if you do.

The people you swipe to the right get a message that you fancy them, and the Tinder app takes care of the messaging from there.

A whole lot of dataflow

Dismiss it as a cheesy idea if you like, but Tinder claims to process 1,600,000,000 swipes a day and to set up 1,000,000 dates a week.

At more than 11,000 swipes per date, that means that a lot of data is flowing back and forth between you and Tinder while you search for the right person.

You’d therefore like to think that Tinder takes the usual basic precautions to keep all those images secure in transit – both when other people’s images are being sent to you, and yours to other people.

By secure, of course, we mean making sure not only that the images are transmitted privately but also that they arrive intact, thus providing both confidentiality and integrity.

Otherwise, a miscreant/crook/stalker/creep in your favourite coffee shop could easily see what you were up to, as well as modify the images in transit.

Even if all they wanted to do was to freak you out, you’d expect Tinder to make that as good as impossible by sending all its traffic via HTTPS, short for Secure HTTP.

Well, researchers at Checkmarx decided to check whether Tinder was doing the right thing, and they found that when you accessed Tinder in your web browser, it was.

But on your mobile device, they found that Tinder had cut security corners.

We put the Checkmarx claims to the test, and our results corroborated theirs.

As far as we can see, all Tinder traffic uses HTTPS when you use your browser, with most images downloaded in batches from port 443 (HTTPS) on images-ssl.gotinder.com.

The images-ssl domain name ultimately resolves into Amazon’s cloud, but the servers that deliver the images only work over TLS – you simply can’t connect to plain old http://images-ssl.gotinder.com because the server won’t talk plain old HTTP.

Switch to the mobile app, however, and the image downloads are done via URLs that start with http://images.gotinder.com, so they are downloaded insecurely – all the images you see can be sniffed or modified along the way.

Ironically, images.gotinder.com does accept HTTPS requests on port 443, but you’ll get a certificate error, because the server has no Tinder-issued certificate that matches that name.

The Checkmarx researchers went further still, and claim that even though each swipe is conveyed back to Tinder in an encrypted packet, they can nevertheless tell whether you swiped left or right because the packet lengths are different.

Differentiating left/right swipes shouldn’t be possible at any time, but it’s a much more serious data leakage problem when the images you’re swiping on have already been revealed to your nearby creep/stalker/crook/miscreant.

What to do?

We can’t figure out why Tinder would program its regular website and its mobile app differently, but we have become accustomed to mobile apps lagging behind their desktop counterparts when it comes to security.

So…

  • For Tinder users: if you are worried about how much that creep in the corner of the coffee shop might learn about you by eavesdropping on your Wi-Fi connection, stop using the Tinder app and stick to the website instead.
  • For Tinder programmers: you’ve got all the images on secure servers already, so stop cutting corners (we’re guessing you thought it would speed the mobile app up a bit to have the images unencrypted). Switch your mobile app to use HTTPS throughout.
  • For software engineers everywhere: don’t let the product managers of your mobile apps take security shortcuts. If you outsource your mobile development, don’t let the design team convince you to let form run ahead of function.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6fZLq-p0rjA/

Skype, Signal, Slack, other apps inherit Electron vuln

If you’ve built a Windows application on Electron, check to see if it’s subject to a just-announced remote code execution vulnerability.

Electron is a Node.js and Chromium framework that lets developers use web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here’s what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron’s developers said.

The advisory doesn’t give any indication how many apps make themselves the default protocol handler.

Electron has pushed out patched versions 1.8.2-beta.4, 1.7.11, and 1.6.16, and: “If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.” ®
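To show what the advisory’s `--` workaround actually does, here is an added example (not Electron’s code, and not from the advisory). It models the command-line convention that Chromium’s parser follows, namely that a bare `--` ends option parsing, with a small stand-in parser; the `LINK_TOKENS` below are constructed, and the assumption that the link-derived part of the command line can carry an option-looking token is made only to illustrate the point. The Electron registration call itself is shown in a comment, since it cannot run outside an Electron app.

```javascript
// Added example, not Electron's code: a small model of the difference the "--"
// terminator makes. Electron's real parser is Chromium's; parseArgv below is a
// stand-in that follows the same convention (option parsing stops at "--").
//
// Registration with the advisory's mitigation, in an Electron app (not run here):
//   app.setAsDefaultProtocolClient('myapp', process.execPath, ['--']);
// The app is then started with "--" ahead of anything derived from the clicked link.

// Splits argv into options (--name or --name=value) and positional arguments,
// and stops treating tokens as options once a bare "--" has been seen.
function parseArgv(argv) {
  const options = {};
  const positional = [];
  let optionsEnded = false;
  for (const arg of argv) {
    if (!optionsEnded && arg === '--') { optionsEnded = true; continue; }
    if (!optionsEnded && arg.startsWith('--')) {
      const eq = arg.indexOf('=');
      const name = eq < 0 ? arg.slice(2) : arg.slice(2, eq);
      options[name] = eq < 0 ? true : arg.slice(eq + 1);
    } else {
      positional.push(arg);
    }
  }
  return { options, positional };
}

// Constructed tokens standing in for whatever the OS appends when a myapp:// link
// is opened. Assumption for illustration: the link-derived part can contain a token
// that looks like an option. The option name is made up and harmless.
const LINK_TOKENS = ['myapp://open/item', '--injected-option=value'];

// Both registrations hand the app the same link tokens; only the registered
// prefix differs.
function launchWithoutTerminator() { return parseArgv([...LINK_TOKENS]); }
function launchWithTerminator()    { return parseArgv(['--', ...LINK_TOKENS]); }
```

Without the terminator the second token is consumed as an option for the process; with `['--']` registered, everything after it is positional data the app must validate itself. As the advisory says, this manual step is only for apps that cannot move to a patched Electron release.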

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/24/skype_signal_slack_nherit_electron_vuln/

Fresh botnet recruiting routers with weak credentials

Security researchers believe the author of the Satori botnet is at it again, this time attacking routers to craft a botnet dubbed “Masuta”.

The early-January Satori botnet attacked a Huawei router zero-day. Masuta also hits routers.

According to NewSky’s analysis, the attack comes in two flavours. There’s Masuta, which takes the standard IoT approach of tapping devices for default credentials (hidden by a single XOR by 0x22, inspired by Mirai); and there’s the more sophisticated “PureMasuta” which exploits an old network administration bug.

That bug was found back in 2015 by Craig Heffner, in D-Link’s Home Network Administration Protocol (HNAP). That is what PureMasuta tries to exploit.

NewSky wrote:

It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.

Since the bug lets routers run anything after GetDeviceSettings, what PureMasuta’s bot-herders do is run wget to fetch and execute a shell script, recruiting the device into their botnet.

If you have a vulnerable device – D-Link’s AC300, for example – make sure you’ve got firmware newer than 2015.

NewSky’s attribution of the botnet to an entity it dubs “Nexus Zeta” comes from the command-and-control (C&C) URL nexusiotsolutions(dot)net, since this is the same URL the Satori botnet used. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/24/fresh_botnet_recruiting_routers_with_weak_credentials/

Swipe fright: Tinder hackers may know how desperate you really are

A lack of security protections in Tinder’s mobile app is leaving lonely hearts vulnerable to eavesdropping.

That’s according to security biz Checkmarx this week, which claimed Android and iOS builds of the dating app fail to properly encrypt network traffic, meaning the basic actions of peeps looking to hook up – such as swipes on profiles – could be collected by anyone on the same Wi-Fi or carrying out similar snooping.

Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes.

(Embedded YouTube video)

As Tinder is, by nature, used in large gathering places like bars and cafes with free public Wi-Fi, the flaws would potentially be exposed for many, if not most, Tinder users.

The first issue, CVE-2018-6017, results from the Tinder app’s use of insecure HTTP connections to fetch profile pictures. By observing traffic on a public Wi-Fi network (or from some other snooping position on a network), a miscreant could see which profiles are being viewed and match them to the victim’s device. If a scumbag has compromised the network when the victim opens the Tinder app, the victim’s own profile information could also be intercepted and viewed.

The second flaw, CVE-2018-6018, is what allows the attacker to see specific actions like swipes and likes. Although the Tinder API uses HTTPS for the traffic it handles, each specific action produces an encrypted packet of a fixed, distinctive length.

By checking packets for specific byte sizes (278 bytes for a left swipe to reject, 374 bytes for a right swipe to approve, and 581 bytes for a like), the attacker could combine the actions with the unsecured HTTP profile and photo traffic to work out who is swiping whom.

The recommendation for users is simple enough: avoid public Wi-Fi networks wherever possible. Developers, meanwhile, should take steps to make sure all app traffic is secured.

“The assumption that HTTP can be used in a sensitive application must be dropped,” Checkmarx writes.

“Standard HTTP is vulnerable to eavesdropping and content modification, introducing potential threats that might not even be related to the app itself but the underlying operating system and/or used libraries.”

A spokesperson for Tinder told us: “We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.

“Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/23/tinder_security_vulnerabilities/

It’s 2018 and your Macs, iPhones can be pwned by playing evil music

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible.

On macOS, the update will be delivered as High Sierra 10.13.3 or Security Update 2018-001 for Sierra and El Capitan machines.

Headlining the security update is a patch for CVE-2017-5754, better known as Meltdown. The Intel processor bug allows malicious code to potentially read sensitive data and personal information, such as passwords, from kernel memory.

Apple previously issued mitigations for the two Spectre flaws along with a temporary (and now superseded) workaround for Meltdown in the days after the bugs were disclosed.

Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and a memory initialization bug (CVE-2018-4090) that could also allow restricted memory to be read. The last two were reported by Jann Horn of Google Project Zero, who also stumbled upon the Meltdown and Spectre CPU design flaws.

Two other kernel flaws, CVE-2018-4097 and CVE-2018-4082, allow an app to run code as the kernel, thus hijacking the whole machine. The first is “a logic issue […] addressed with improved validation,” discovered by Resecurity Inc, and the second “a memory corruption issue […] addressed through improved input validation” found and reported by Russ Cox of Google.

Other noteworthy bugs include CVE-2018-4094, a bug in both Sierra and High Sierra discovered by five researchers at Yonsei University in Seoul, South Korea. The memory corruption bug allows remote code execution attacks simply by processing a maliciously crafted audio file.

The WebKit browser engine received three fixes for remote code execution flaws (CVE-2018-4088, CVE-2018-4089, CVE-2018-4096) that are also patched in Safari with version 11.0.3.

The QuartzCore component contained a remote code execution flaw (CVE-2018-4085) that can be exploited via web content, while Wi-Fi had a restricted memory access flaw (CVE-2018-4084), and a bug in the operating system’s process sandbox (CVE-2018-4091) could allow programs to get around access restrictions.

Meanwhile, on mobile…

For iOS devices, Apple has served up the 11.2.5 update. It includes a fix for the CVE-2018-4094 audio-file remote-code execution flaw as well as the three kernel memory leak bugs (CVE-2018-4090, CVE-2018-4092, CVE-2018-4093), and the QuartzCore and WebKit flaws included in the macOS update.

Researcher Abraham “cheesecakeufo” Masri gets credit for CVE-2018-4100, a patched flaw in iOS that allows text messages to crash the iPhone, while Zimperium zLabs’ Rani Idan was credited for CVE-2018-4095 and CVE-2018-4087, a pair of arbitrary code execution flaws in Core Bluetooth.

Masri’s text-message bug, CVE-2018-4100, is also fixed in macOS’s LinkPresentation code to prevent weird text in webpages and messages from stalling desktop apps.

Many of the same iOS flaws are addressed for the Apple Watch in watchOS 4.2.2, and in the AppleTV with tvOS 11.2.5.

In other Apple news

Cook and Co. revealed Tuesday that the HomePod, a $349 smart speaker first revealed last June, will be making its eagerly awaited debut… in another couple of weeks. Starting Friday, punters can pre-order a HomePod, or just wait until February 9 when the hardware is slated to hit the shelves. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/24/apple_ios_macos_patches/

It’s 2018 and… wow, you’re still using Firefox? All right then, patch these horrid bugs

Mozilla’s Firefox has been patched to address more than 30 CVE-listed security vulnerabilities.

The open-source browser has been updated in both its regular (Firefox 58) and extended support (ESR 52.6) flavors. You should install these as soon as possible.

The Firefox 58 update includes fixes for critical memory corruption bugs (under the blanket CVE-2018-5089 and CVE-2018-5090 labels) that could be exploited by dodgy webpages to execute malicious code within the browser – in other words, hijack the application and potentially the whole computer.

Ten of the 32 CVE-listed bugs fixed in the update patch up use-after-free cockups, which can be exploited by bad websites to either crash the software or be used as a stepping stone to malicious code execution and malware installation.

Among the most serious of the patched flaws was CVE-2018-5091, a use-after-free bug present in the DTMF timers used for WebRTC connections. Next, the fixes for CVE-2018-5093 and CVE-2018-5094 correct buffer overflow blunders in WebAssembly, while CVE-2018-5095 addresses a buffer overflow in the Skia graphics library.

A successful exploit of CVE-2018-5105 in WebExtensions would allow a website to save files to disk and launch them without any user notification, while CVE-2018-5107 could allow a webpage to abuse the print function to access some local files.

Other patched bugs include CVE-2018-5109, a flaw that allows pages to spoof the origin of an audio capture request, and CVE-2018-5117, a flaw in the display of address information that could allow for URL spoofing.

The ESR 52.6 update, meanwhile, contains 11 of the Firefox 58 updates, including the critical-rated memory corruption bug (CVE-2018-5089) and WebRTC use-after-free (CVE-2018-5091) vulnerability.

The security updates come as part of a larger overhaul of Firefox with the version 58 release. In addition to the bug fixes, the update speeds up graphics rendering and JavaScript performance for desktop users, includes support for progressive web apps on Android, and provides new menus for iOS.

Firefox 58 also builds on last fall’s release of Firefox 57. Considered the biggest update to the browser in years, the Firefox 57 release introduced Quantum, a rewritten browser engine that was intended to finally help Firefox compete with the likes of Google’s Chrome and Microsoft’s Edge browsers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/24/mozilla_firefox_security_updates/

Fallout from Rushed Patching for Meltdown, Spectre

Not all systems require full patching for the flaws right now, anyway, experts say.

Intel’s unusual advisory yesterday urging its customers and partners to refrain from applying some of its firmware patches for the so-called Meltdown and Spectre flaws in its microprocessors illustrated just how pressured patching can backfire.

Navin Shenoy, executive vice president and general manager of Intel’s Data Center, in a post called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors after widespread reports of spontaneous rebooting of systems affixed with the new patches. Intel now plans to issue a fix for the Meltdown-Spectre fix, according to the company.

It’s the latest in a string of missteps in the wake of the major disclosure earlier this month of critical flaws in most modern microprocessors: a common method used for performance optimization could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM.

Microsoft also has experienced problems with its operating system patches that provide workarounds for the microprocessor vulnerabilities, specifically its updates for Windows 10 on AMD microprocessor platforms. The vendor yesterday came out with new updates that resolve booting issues the original patches had caused. That came after compatibility problems with antivirus programs running on Windows that hadn’t been updated for the Meltdown and Spectre workarounds.

The recently discovered Meltdown and Spectre hardware vulnerabilities allow for so-called side-channel attacks. With Meltdown, sensitive information in the kernel memory is at risk of being accessed nefariously; with Spectre, a user application could read the kernel memory as well as that of another application. The end result: an attacker could read sensitive system memory containing passwords, encryption keys, and emails — and use that information to help craft a local attack.

Both Intel’s and Microsoft’s patching problems underscore the downside of applying patches under pressure. “We’ve been telling our clients ‘don’t panic patch’,” says Neil MacDonald, vice president and distinguished analyst at Gartner.

Organizations such as cloud providers and large server farm environments were among the first to install the Intel and other vendor patches because they were at higher risk. Cloud providers, for example, had obvious concerns about customers suffering attacks via their servers, MacDonald notes. But some early adopters “got burned” with Microsoft’s antivirus incompatibilities and locked AMD machines with the Windows patches, and unexpected reboots from the new Intel patches, he says.

Most enterprises can afford to hold off on fully patching for Meltdown and Spectre for now until the patches are fully vetted, however. The good news is there are no known attacks in the wild, which allows for a more risk-based rollout of patches, he notes.

“People who rushed to patch are getting penalized,” MacDonald says.

Gartner is advising its clients to prioritize the systems they patch. If performance penalties with the updates are one of the side effects, then in some cases it’s best not to patch at all, or to just apply operating system and browser patches. For some endpoints, for example, it makes more sense to patch the OS now and then the firmware later. “You’ll get at least partial protection,” MacDonald says.

Servers should be locked down, too, to mitigate the attacks. “They should not [be able] to execute arbitrary code, or do email … so servers should go to whitelisting,” which would provide “significant” protection from a Spectre or Meltdown attack, he says.

Some systems may not merit patching at all, such as I/O-heavy network appliances, storage appliances, and security appliances, where the Meltdown/Spectre code update’s performance hit would be detrimental. “In some cases, the appropriate risk-based decision is not to apply the patch because of performance implications,” MacDonald says.

The performance hit with the patches is especially painful for the industrial environment, which is both a juicy target for attack as well as highly disruption-averse. “In the world of critical infrastructure, where safety and availability are paramount, updates that carry this kind of baggage are simply not applied immediately,” says Eddie Habibi, founder and CEO of PAS Global. “The first option for facilities right now is to validate existing security controls and consider adding new ones only where risk is perceived as outsized.”

Intel, Microsoft, Linux, and browser vendors’ security updates and patches for Meltdown and Spectre are mainly workarounds and mitigations. A real fix requires a brand-new generation of microprocessors, a development that realistically is a year or two away at best, Gartner’s MacDonald says. “There is no easy fix. These [patches] are all workarounds until new hardware is released.”

Intel’s patch glitches are due to its rushing them out without fully testing them for a cloud provider’s environment of millions of servers, for example, he notes.

Meantime, Linux creator Linus Torvalds isn’t happy with Intel’s approach to working around the design flaw. In a post on the Linux Kernel Mailing List this week, he unleashed his frustration with Intel’s workaround, calling it “garbage.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/cloud/fallout-from-rushed-patching-for-meltdown-spectre-/d/d-id/1330887?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Caracal Campaign Breaks New Ground with Focus on Mobile Devices

This is the first known global-scale campaign primarily focused on stealing data from Android devices, Lookout and EFF say.

An advanced persistent threat (APT) group operating out of a building belonging to a Lebanese intelligence agency in Beirut has stolen hundreds of gigabytes of data from Android devices and desktop systems belonging to thousands of victims in over 20 countries, including the US.

Targets of the global cyber-espionage campaign by the so-called Dark Caracal group have included government and military personnel, defense contractors, activists, and journalists in North America, Europe, and Asia, researchers from Lookout and the Electronic Frontier Foundation said in a report last week.

The two organizations described Dark Caracal’s activities as targeting multiple platforms globally but being especially noteworthy for its unprecedented focus on mobile devices. “This is one of the first publicly documented mobile APT actors known to execute espionage on a global scale,” Lookout and EFF said in the report.

Michael Flossman, lead of security research at Lookout, says available data suggests Dark Caracal began operations in 2012 and that some of its campaigns were still operational through the fall and winter of 2016 and into 2017. However, significant portions of Dark Caracal’s infrastructure no longer appear to be live, he says.

“Attackers are increasingly going after mobile devices because of the access to both personal and corporate data these devices contain or can grant access to,” Flossman says. “When it comes to malicious actors creating and deploying an Android surveillance capability, the barrier to entry is low and a high technical sophistication is not a prerequisite for success.”

Lookout and EFF have released more than 90 indicators of compromise associated with the Dark Caracal threat. The list includes 11 Android indicators of compromise (IOCs) and 26 IOCs for desktop malware targeting Windows, Linux, and Mac systems.

A lot of the data that Dark Caracal has stolen was obtained from Android devices using Trojanized versions of popular applications like WhatsApp and Signal. Instead of using zero-day and other exploits, the group simply relied on targets making mistakes and downloading malicious apps on their devices.

The type of data the group has stolen includes location information and call records, text messages, contact information, photos, and audio recordings from infected devices.

The group’s mobile attack malware includes Pallas, a custom-developed Android surveillance tool and a previously unseen lawful-intercept mobile surveillance software product from FinFisher.

Dark Caracal uses phishing as its primary attack vector, Flossman says. “We uncovered a number of Facebook groups as well as text messages that would phish a user into visiting a third-party Android App Store called Secure Android,” he says.

From here the user would install a working copy of apps such as WhatsApp, Signal, and Telegram, which would work exactly like the real thing but come embedded with the Pallas data-stealing tool. There’s also evidence to suggest that in some cases Dark Caracal infected devices by gaining physical access to them, Flossman says.

While mobile devices appear to be the primary target, Dark Caracal also has tools for breaking into and stealing from Windows and other desktop systems. The group has extensively used Bandook, a Trojan for remotely controlling compromised Windows desktop systems. It also has been using CrossRAT, a previously unknown, multiplatform tool designed to target Windows, OS X, and Linux systems, Lookout said in its report.

Many other threat groups have used, and are continuing to use, portions of the same infrastructure that Dark Caracal used for its cyber-espionage campaign, suggesting that the group could be managing the infrastructure, Lookout and EFF said.

The mixed use of the infrastructure has made attribution very difficult. The seemingly unrelated campaigns originating from the same infrastructure have resulted in security researchers misattributing Dark Caracal’s work to other threat groups in the past, EFF and Lookout said. One example is EFF itself, which in 2016 attributed a Dark Caracal campaign to Indian cybersecurity firm Appin.

Most organizations likely do not have to worry about the specific threat posed by Dark Caracal because of how targeted it is, EFF said in a blog post. And the group’s data-stealing tools for mobile devices are a threat only to individuals who make the mistake of downloading the Trojanized Android apps from unofficial app stores.

Even so, Dark Caracal has wide-reaching implications for how state-sponsored surveillance and malware works. “Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life,” EFF said in a separate release.

So far, there is no evidence to suggest that Dark Caracal has gone after iOS users, probably because it does not have the capabilities or the resources needed to break into and steal from iOS devices, Flossman adds.

“Importantly, they haven’t needed to target iOS,” he says. “Their espionage campaigns targeting Android have been very successful and considering, geographically, where their targets likely reside, it makes sense that they have an Android focus.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/mobile/dark-caracal-campaign-breaks-new-ground-with-focus-on-mobile-devices/d/d-id/1330885?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Costs Your Cyber Insurance Policy May Not Cover

All the things you might think are covered but that don’t actually fall under most policies.

(Image: LidiaLydia via Shutterstock)

If you handle enterprise security, chances are good you’ve purchased – or at least researched – cyber insurance coverage. After all, it’s not a matter of “if” you’ll be breached, but “when,” and it’s important to know you’ll be covered when the time comes.

Cyber insurance is a relatively new field and coverage is evolving as the threat landscape shifts. Depending on your policy and the threat you’re addressing, there are subtleties in your policy that may not be evident at first but are important to ask about when you’re purchasing.

“Unlike your auto policy, which is pretty standard wherever you buy, there is very little continuity in the cyber insurance marketplace from policy to policy,” says David Bradford, chief strategy officer and director of strategic partner development at Advisen.

While you may know the basics of insurance policies, it’s more difficult to navigate the details of each one. Which costs will be covered in the event of a data breach or cyberattack, and which won’t? It’s the kind of information you don’t want to learn after an incident occurs.

“You always have to read the fine print and make sure you actually got the coverages you were expecting,” says Samit Shah, insurance solutions manager at BitSight.

Roman Itskovich, co-founder and chief risk officer at cyber insurance startup At-Bay, points out that most brokers and insurers don’t really know exactly how much coverage is needed in a specific event. Many break down policies so each aspect of a breach (legal, forensics, etc.) is covered for a certain amount. Other policies cover one amount to split amongst these services.

The trend is toward broader, more expensive coverage instead of restrictive policies. Even so, many costs related to cyber events still aren’t covered by cyber insurance policies. Here’s a rundown of things you may think are covered, but actually are not.
Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/risk/10-costs-your-cyber-insurance-policy-may-not-cover/d/d-id/1330888?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Steps to Better Security in Hybrid Clouds

Following these tips can improve your security visibility and standardize management across hybrid environments.

When it comes to embracing innovation, we are all a little cautious by nature. For example, we know electric cars are the future, but the infrastructure to fully support them isn’t ready yet. So sales of hybrid gas/electric cars are booming — giving drivers the benefits of new technology combined with long-established, proven systems.

It’s the same with the hybrid cloud. It offers greater agility, rapid scalability, and cost-savings, as well as the promise of working seamlessly alongside organizations’ current, on-premises networks. As such, it’s no surprise that enterprises have embraced the hybrid cloud model. Nearly 50% of organizations we surveyed now run up to 20% of their workloads in public clouds, and another 25% use the public cloud for up to 40% of their workloads, according to our recent report, “The Hybrid Cloud Environments: The State of the Security”.

Despite this, the survey reveals that enterprises still harbor significant concerns about security in public clouds, holding them back from wider adoption. Companies that are running business applications in public clouds say that their biggest worries are the risks of cyberattacks, breaches, and outages, and the complexity of managing security effectively across hybrid environments. So what’s causing these cloud security concerns and challenges, and how can enterprises address them? 

Bumpy Road
Our survey shows that cloud security issues typically begin when enterprises start the process of migrating applications to public clouds: 44% of respondents say they had difficulties in managing security policies in the cloud after migration, and 30% report their applications didn’t work at all post-migration. Fewer than one in five say they’d had no problems during the migration process.

This isn’t surprising: migration is complex and error-prone, requiring detailed preparation if it’s to be done smoothly without compromising security or compliance. 

Before starting any migration process, have a detailed map of the connectivity flows for the application that you plan to move. Making this map isn’t easy. There’s usually little or no documentation on existing application connectivity, and it can take weeks to gather all the information, understand the connectivity that’s needed, and then migrate and update every rule and access control list for each security device to the new environment. 

It takes just one mistake in this process to cause an outage or to create security holes or compliance violations — which is why most enterprises have problems during migration.

Poor Visibility Affects Security
Even after successfully navigating problems encountered during migration, enterprises find new security challenges. Nearly two-thirds of survey respondents say the greatest obstacle they faced when trying to manage their hybrid environments was a lack of visibility into security and managing security policies consistently. Other problems were demonstrating compliance with relevant industry regulations, and managing a mix of firewalls consistently across their hybrid networks. 

A key reason for these problems is that organizations are using a range of different security controls to protect their environments: 58% of survey respondents say they used the public cloud provider’s native controls, while 44% say they also use third-party firewalls deployed in their cloud environment.

This leads to fragmented security management processes: 20% of enterprises are using manual processes to manage their security devices, and 26% say they use cloud-native tools. Nearly half of enterprises are working with multiple, different security controls separately — adding complexity, duplication of effort, and management overhead to their security processes. 

How can enterprises address these challenges to make migrations and security management across hybrid cloud environments more automated and consistent? Here are the five key steps:

  1. Get clear visibility into all your networks. A lack of visibility in the cloud is the biggest security challenge cited by our survey respondents. As such, the first step is to gain visibility across not just the different environments but also across the security controls that exist both on-premises and in the cloud.
  2. Use single-console management. With organizations using a mix of their cloud providers’ own security controls as well as host-based and on-premises firewalls, managing policies consistently is a huge challenge. The ability to manage all of these diverse security controls from a single console, using a single set of commands and syntax, enables security policies to be applied consistently and avoids duplication of effort and error-prone manual processes. 
  3. Automate security processes. Managing security policies consistently across their hybrid environment is the second-biggest security challenge cited in our survey. Alongside visibility, security automation is fundamental to managing a hybrid network environment efficiently, and orchestrating change processes across a complex mix of security controls. Companies that used automation benefited from speed and accuracy when managing security changes across their environments, accelerated cloud migrations, and were better able to enforce and audit regulatory compliance. It also helped these organizations overcome staffing limitations.
  4. Map apps before you migrate. To streamline the migration process, enterprises need to map all their existing applications, connectivity flows, and dependencies before the migration starts. With this set of application maps, connectivity flows in the cloud can be easily defined and all the underlying security policies can be adjusted to support the infrastructure and security devices used in the cloud.
  5. Tie cyberattacks to business processes for faster mitigation. Cyberattacks are one of the greatest concerns survey respondents cite for organizations running applications in the cloud. Policy management solutions that integrate with SIEM tools help address this challenge. Threats such as malware can be covertly active for months on enterprise networks, moving laterally from on-premises to the cloud or vice versa. When a threat is detected by the SIEM solution, a policy management solution can identify all the applications and servers it affects (or potentially affects) and map the lateral movement of the attack. A policy management solution can then mitigate the threat’s risk by isolating any affected servers or devices from the network.
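An added illustration of steps 4 and 5 together, not code from the article or from AlgoSec: a constructed application connectivity map (the artifact step 4 asks you to build) is walked outward from the host named in a SIEM alert to list the servers, applications and environments within reach, and then turned into isolation rules for that host. The host names, ports, environment labels and the (source, destination, port) flow format are all assumptions.

```python
from collections import deque

# Constructed connectivity map: permitted flows as (source, destination, tcp port).
FLOWS = [
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("app-01", "cache-01", 6379),
    ("jump-01", "web-01", 22),
    ("jump-01", "app-01", 22),
    ("report-01", "db-01", 5432),
]
# Constructed ownership: which application and environment each server belongs to.
APPS = {"web-01": "storefront", "app-01": "storefront", "db-01": "storefront",
        "cache-01": "storefront", "jump-01": "ops", "report-01": "analytics"}
ENVS = {"web-01": "cloud", "app-01": "cloud", "db-01": "cloud",
        "cache-01": "cloud", "jump-01": "on-prem", "report-01": "on-prem"}


def reachable_from(host, flows):
    """Hosts reachable by following permitted flows outward from host (BFS).
    This is the lateral-movement exposure the policy map lets you compute."""
    adj = {}
    for src, dst, _ in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {host}, deque([host])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(host)
    return seen


def isolation_rules(host, flows):
    """Deny rules that cut every permitted flow to or from the alerted host."""
    return [f"deny {src} -> {dst} tcp/{port}"
            for src, dst, port in flows if host in (src, dst)]


def triage(alert_host, flows=FLOWS, apps=APPS, envs=ENVS):
    """Turn a SIEM alert on one host into affected apps/environments and rules."""
    exposed = reachable_from(alert_host, flows)
    touched = exposed | {alert_host}
    return {"host": alert_host,
            "exposed": sorted(exposed),
            "apps": sorted({apps[h] for h in touched if h in apps}),
            "envs": sorted({envs[h] for h in touched if h in envs}),
            "rules": isolation_rules(alert_host, flows)}
```

An alert on the on-premises jump host shows exposure crossing into every cloud tier of the storefront application, which is the on-prem-to-cloud lateral movement the step describes.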

These five steps to improve security visibility and standardize and automate security management across a hybrid environment will help enterprises achieve a smoother, faster, and safer hybrid cloud journey. 

Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin-out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Dr. Wool was responsible for …

Article source: https://www.darkreading.com/cloud/5-steps-to-better-security-in-hybrid-clouds/a/d-id/1330838?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple