STE WILLIAMS

CryptoLocker ransomware

This article explains how the CryptoLocker ransomware works, including a short video showing it in action.

The article tells you about prevention, cleanup, and recovery.

It also explains how to improve your security against this sort of threat in future.

CRYPTOLOCKER – WHAT IS IT?

CryptoLocker, detected by Sophos as Troj/Ransom-ACP, is a malicious program known as ransomware.

Some ransomware just freezes your computer and asks you to pay a fee. (These threats can usually be unlocked without paying up, using a decent anti-virus program as a recovery tool.)

CryptoLocker is different: your computer and software keep on working, but your personal files, such as documents, spreadsheets and images, are encrypted.

The criminals retain the only copy of the decryption key on their server – it is not saved on your computer, so you cannot unlock your files without their assistance.

They then give you a short time (e.g. 72 hours, or three days) to pay them for the key.

The decryption key is unique to your computer, so you can’t just take someone else’s key to unscramble your files.

The fee is $300 or EUR300, paid by MoneyPak; or BTC2 (two Bitcoins, currently about $280).

To understand how CryptoLocker goes about its dirty work, please see our step-by-step description.

→ Our detailed article is suitable for non-technical readers. It covers: how the malware “calls home” to the crooks, how the encryption is done, which file types get scrambled, and what you see when the demand appears. You may want to keep the article open in another tab or window to refer to while you read this page.

WHAT DOES CRYPTOLOCKER LOOK LIKE?

CryptoLocker reveals itself only after it has scrambled your files, which it does only if it is online and has already identified you and your computer to the encryption server run by the criminals.

We therefore recommend that you don’t try the malware out yourself, even if you have a sample and a computer you don’t care about, because you can’t easily test it without letting your computer converse with the crooks.

However, we know you would love to see what it does and how it works, so here is a video made by our friend and colleague Mark Rickus, of Sophos Support.

We recommend this video because Mark has pitched it perfectly: he doesn’t rush; he doesn’t talk down to you; he lets the facts speak for themselves; and he brings an air of calm authority with just a touch of wry humour to what is a rather serious subject:

→ Can’t see the details in the video on this page? Watch directly from YouTube.

HOW DO I DETECT AND REMOVE IT?

You can use the free Sophos Virus Removal Tool (VRT).

This program isn’t a replacement for your existing security software, because it doesn’t provide active protection (also known as on-access or real-time scanning), but that means it can co-exist with any active software you already have installed.

The Virus Removal Tool will load, update itself, and scan memory, in case you have malware that is already active.

Once it has checked for running malware, and got rid of it, then it scans your hard disk.

If it finds any malicious files, you can click a button to clean them up.

If CryptoLocker is running and has already popped up its payment demand page, you can still remove it and clean up, but the Virus Removal Tool cannot decrypt your scrambled files – the contents are unrecoverable without the key, so you may as well delete them.

Even if you don’t have CryptoLocker, it is well worth scanning your computer for malware.

The criminals are known to be using existing malware infections as “backdoors” to copy CryptoLocker onto victims’ computers.

We assume their reasoning is that if you have existing, older malware that you haven’t spotted yet, you probably won’t spot CryptoLocker either, and you probably won’t have backup – and that means they’re more likely to be able to squeeze you for money later on.

CAN CRYPTOLOCKER SPREAD ON MY NETWORK?

Fortunately, CryptoLocker is not a virus (self-replicating malware), so it doesn’t spread across your network by itself.

But it can affect your network, because it searches extensively for files to encrypt.

Remember that malware generally runs with the same permissions and powers as any program you choose to launch deliberately.

So, any file, on any drive letter or network share, that you can locate and access with a program such as Windows Explorer can be located and accessed by CryptoLocker.

That includes USB drives, network file shares, and even cloud storage folders that are made to appear as drive letters by special software drivers.

A Naked Security reader just commented that from a single infected computer, he was “faced with 14,786 encrypted files over local and mapped network drives.”

So, if you haven’t reviewed the security settings on your network shares lately, this would be a good time to do so.

If you don’t need write access, make files and folders read only.

SHOULD I PAY UP?

We’ll follow the police’s advice here, and recommend that you do not pay up.

This sort of extortion – Demanding Money with Menaces, as a court would call it – is a serious crime.

Even though CryptoLocker uses payment methods (MoneyPak, Bitcoin) that keep you and the crooks at arm’s length, you are dealing with outright criminals here.

Of course, since we don’t have 14,786 encrypted files, like the reader we mentioned above, we acknowledge that it may be easier for us to say, “Don’t pay” than it is for you to give up on your data.

Obviously, we can’t advise you on how likely it is that you will get your data back if you do decide to pay.

IS IT THE WORST VIRUS EVER?

We don’t think so, although that is cold comfort to those who have lost data this time round.

Losing files completely is a terrible blow, but you can lose data in lots of other ways: a dropped hard disk, a stolen laptop or just plain old electronic failure.

The silver lining with CryptoLocker is that the criminals don’t actually take your data – they just leave it locked up where it was before, and offer to sell you the key.

In many ways, malware that isn’t so obvious and aggressive, but which steals your files, or monitors your keyboard while you log in to your bank, or takes snapshots of your screen while you’re filling out your tax return, can be much worse.

In those cases, the crooks end up with their own duplicate copies of your data, passwords and digital identity.

If you have a recent backup, you can recover from CryptoLocker with almost no consequences except the time lost restoring your files.

Identity theft, however, can be a lot harder to recover from – not least because you have to realise that it’s even happened before you can react.

Even if all you have on your computer is zombie malware of the sort that crooks use to send spam, doing nothing about it hurts everyone around you, and imposes a collective cost on all of us.

That’s why we are urging you to DO THESE 3 security steps, and TRY THESE 4 free tools, even if you haven’t been hit by CryptoLocker.

HOW DO I ENSURE THERE’S NO “NEXT TIME?”

Here are five “top tips” for keeping safe against malware in general, and cyberblackmailers in particular:

  • Keep regular backups of your important files. If you can, store your backups offline, for example in a safe-deposit box, where they can’t be affected in the event of an attack on your active files. Your backups will be rendered useless if they are scrambled by CryptoLocker along with the primary copies of the files.
  • Use an anti-virus, and keep it up to date. As far as we can see, many of the current victims of CryptoLocker were already infected with malware that they could have removed some time ago, thus preventing not only the CryptoLocker attack, but also any of the damage done by that earlier malware.
  • Keep your operating system and software up to date with patches. This lessens the chance of malware sneaking onto your computer unnoticed through security holes. The CryptoLocker authors didn’t need to use fancy intrusion techniques in their malware because they used other malware, that had already broken in, to open the door for them.
  • Review the access control settings on any network shares you have, whether at home or at work. Don’t grant yourself or anyone else write access to files that you only need to read. Don’t grant yourself any access at all to files that you don’t need to see – that stops malware seeing and stealing them, too.
  • Don’t give administrative privileges to your user accounts. Privileged accounts can “reach out” much further and more destructively both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.
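One way to carry out the share review recommended above on a Windows file server, as an added example that is not part of the original article: it lists every non-administrative SMB share on the local machine where a broad principal (Everyone, Authenticated Users, Users, Domain Users) can write, at both the share-permission and the NTFS layer, and notes the cmdlets that drop such a grant to Read. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 and later) and an elevated session; the list of "broad" groups is my assumption.

```powershell
# Added example (not from the article). Audits local SMB shares for write access
# granted to broad groups: the access any logged-on user has is the access
# CryptoLocker inherits when that user runs it. Assumes the SmbShare module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.
# The list of "broad" principals is an assumption; extend it for your environment.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$BroadPattern    = '\\Domain Users$'   # matches DOMAIN\Domain Users for any domain name

function Test-BroadPrincipal {
    param([string]$Account)
    return ($BroadPrincipals -contains $Account) -or ($Account -match $BroadPattern)
}

# Share-level permissions: flag Change/Full grants to broad principals.
function Get-BroadWriteShareGrant {
    # Special shares (C$, ADMIN$, IPC$) are admin-only by design; the advice
    # concerns the shares users actually map, so they are skipped.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($grant in (Get-SmbShareAccess -Name $share.Name)) {
            if ($grant.AccessControlType -eq 'Allow' -and
                $grant.AccessRight -in @('Change', 'Full') -and
                (Test-BroadPrincipal $grant.AccountName)) {
                [PSCustomObject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $grant.AccountName
                    Right   = $grant.AccessRight
                    Layer   = 'Share'
                }
            }
        }
    }
}

# NTFS permissions on the shared folder: effective access is the more restrictive
# of share and NTFS, so a read-only share permission is enough on its own, but a
# share left at Full relies entirely on the NTFS ACL, which is checked here.
function Get-BroadWriteNtfsGrant {
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special -and $_.Path })) {
        $acl = Get-Acl -Path $share.Path
        foreach ($rule in $acl.Access) {
            $account = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and
                ([int]($rule.FileSystemRights -band $writeBits)) -ne 0 -and
                (Test-BroadPrincipal $account)) {
                [PSCustomObject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $account
                    Right   = $rule.FileSystemRights
                    Layer   = 'NTFS'
                }
            }
        }
    }
}

# Report: each row is a location where any user (and so any malware that user runs) can write.
$findings = @(Get-BroadWriteShareGrant) + @(Get-BroadWriteNtfsGrant)
$findings | Sort-Object Share, Layer | Format-Table -AutoSize

# Remediation for a share-level finding, once you have confirmed nobody needs to
# write there. 'Docs' is a placeholder share name; run per share, deliberately:
#   Revoke-SmbShareAccess -Name 'Docs' -AccountName 'Everyone' -Force
#   Grant-SmbShareAccess  -Name 'Docs' -AccountName 'Everyone' -AccessRight Read -Force
```

An empty report means no broad group can write to any user share at either layer; NTFS findings are fixed with the folder's Security tab or Set-Acl rather than the share cmdlets.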

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vZwBExabVvE/

Breach at PR Newswire linked to Adobe exploit

The same crooks who pilfered Adobe’s source code used an Adobe ColdFusion exploit to breach the PR Newswire press release service, security journalist Brian Krebs reported on Wednesday.

The data was stolen from PR Newswire on or after March 8, 2013 and reportedly included partial website source code, configuration data, and a database of PR Newswire customers.

The stolen code was found on the same servers as Adobe’s source code, Krebs reports.

More evidence, dated 13 February, 2013, points to a large-scale attack targeting the news service’s networks, hitting more than 2,000 IP addresses with ColdFusion exploits.

Krebs reports that the co-location of PR Newswire’s and Adobe’s stolen data suggests that the same attackers went after both targets.

PR Newswire on Wednesday sent a statement to customers, saying that it’s conducting an extensive investigation and has notified appropriate law enforcement authorities. It is also forcing users to change their passwords:

As a precautionary measure, we have implemented a mandatory password reset for all customers with accounts on this database. As a general practice, we recommend that our customers use strong passwords and regularly update them, not just on PR Newswire but on any website requiring login credentials. From an internal perspective, we continue to implement security improvements and additional protocols to help further protect user portals and customer and proprietary information.

Based on its preliminary review, PR Newswire said in the statement, it doesn’t believe that customer payment data were compromised.

Image of hole in fence courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cRf1Ofi0zQI/

Security education cuts both ways

This week’s theme for National Cyber Security Awareness Month is education, so there’s been a focus on teaching people how to be more secure.

Both end users and IT professionals can benefit from knowing more about combating the threats they face, but there are other people who have something to learn: the marketers whose attempts at putting across their messages stray over the line into spamming, and the communications people whose irresponsible use of email risks undoing the good work of educators in training us to spot scams and cons.

Social engineering, phishing and spamming

Phishing and social engineering are at the heart of a lot of cybercrime. We regularly hear of smart new phishing campaigns, like the recent fake Microsoft update phish, or an institution that’s had data leaked thanks to its staff falling for phishing emails – one of the latest being Saint Louis University (why is it always universities?) which allowed someone access to health data on 3,000 individuals.

These are criminal activities of course, and occasionally lead to prosecution and imprisonment for those behind the campaigns, as in the recent case of a UK resident locked up for five years for his part in a bank phishing campaign which netted £750,000.

We have spam and web filters to help protect people from their attacks, and there are email standards designed to help filters recognise when emails are from a legitimate source.

For the most part we rely on teaching people how not to fall for the scams. We pick out common tell-tale signs, such as spoofed email details or disguised links, and show people how to spot them. We urge them to act with caution and try to avoid being rushed into poor decisions.

But after years of hammering these points home, as scientific studies keep showing, we’re still not good at spotting scams. The phishing methods still work, and as new technologies appear, so do different avenues of attack.

Recent stats from the Australian Communications and Media Authority (ACMA) show another rise in SMS spam, and they’ve had to fine a nightclub for texting 50,000 people without proper opt-out info.

The ACMA also hit back at an online retailer hit with a record fine for spamming its customer lists. That’s a fair bit of activity for just one country, in just the past week or so.

Legitimate spamming?

You may notice something different about these last two cases though: these are legitimate businesses trying to market their products.

But they’ve gone about it in a way which contravenes spam laws, which in itself implies they’ve gone well beyond what most people would consider intrusive – spam laws tend to be designed not to get in the way of marketing activity too much.

If we are constantly bombarded with mass mails from everyone we’ve ever dealt with, and anyone they feel like sharing their address lists with, we come to normalise all this spam. This makes it harder for us, with our limited attention spans and rushed-off-our-feet modern lifestyles, to remain alert to cleverly crafted tricks and scams.

Banks and other institutions handling our sensitive data also fail to heed good advice, and send out mails warning us of problems with our accounts while providing helpful links to take us to the login page.

We’re trying to teach people to be wary of such emails and always use a known-good bookmark or type in an address manually rather than following a link, so having examples of what we’re warning against prove to be legitimate and genuine only serves to dim the value of the educational effort.

Another group with similar problems is application developers whose apps demand more rights than strictly necessary. We’re trying to teach people not to blindly approve requests for access to their network connection, their contact lists, or their location. When apps are always asking for access to these things, how are users supposed to tell the legit ones from the scams and cons?

Finally, of course, there are social network providers who rely on hoovering up as much personal information as they can to sell on to advertisers. While these may be something of a lost cause, perhaps one day they’ll learn that overly-complex privacy settings and aggressively harvesting people’s information isn’t going to win them any friends.

Lessons to be learned

So if you’re one of these people, please heed the educational message too.

OK so you’ve got things to sell, you’ve got messages you need to get eyes on, but please think about what you’re doing.

  • If you’ve got a marketing message you want to show someone, make it clear that’s what you’re doing. Make sure you only mail people who’re OK with that, and make sure you provide means for them to tell you if they change their mind.
  • Don’t try and lure people to your website with promises of wonders and delights, then try and scrape as much personal information out of them as you can.
  • If you’re a bank and need to get an urgent message to your customers, maybe email is a good technique, but make sure your customers have agreed to be emailed ahead of time. And try not to make your emails look like every fake phishing scam in the book.
  • Make it clear that people should always be wary and distrustful of emails. Make them type in an address or use a bookmark. Don’t give them a link however much easier you think you’re making things for them.
  • If you’re building an app and need to have it supported by ads, that’s fine, just make sure they’re not intrusive, or demand device or data access that you don’t really need. If you need access to features or information, make that clear at every opportunity, and explain why.

If people with legitimate messages stick to legitimate techniques, don’t try to trick or scam people and never ask for more than they really need, then it’s going to be easy to spot when someone is asking for something we shouldn’t give them.

Image of business woman courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lBWUrEDTQrc/

Snowden: ‘I have data on EVERY NSA operation against China’

NSA whistleblower Edward Snowden has claimed he taught a course in “cyber-counterintelligence” against China and has access to data on every active operation mounted against the People’s Republic by the US spy agency.

In a lengthy interview with the New York Times, Snowden revealed more about his time at the National Security Agency and addressed US government concerns that Russian or Chinese spies may have compromised the classified documents he pilfered before fleeing to Hong Kong.

The docs never even made it to Russia – instead Snowden left them with journalists he met in Hong Kong before flying to Moscow, he said.

Snowden told the paper, apparently using encrypted online comms, that there was a “zero per cent chance” any of the documents had found their way into China’s hands because he was effectively able to second guess Chinese intelligence.

This is because his last role as an NSA contractor was working on Chinese targets, he said.

As a result, Snowden has a treasure trove of information which will certainly have sparked Beijing’s interest – “access to every target, every active operation” by the NSA against China.

The PRISM-popper also declared that despite public criticism of him, NSA officials know very well that the information he stole has not been compromised by Chinese or Russian spies.

“If that was compromised, NSA would have set the table on fire from slamming it so many times in denouncing the damage it had caused. Yet NSA has not offered a single example of damage from the leaks,” he told the NYT.

“They haven’t said boo about it except ‘we think’, ‘maybe’, ‘have to assume’ from anonymous and former officials. Not ‘China is going dark’. Not ‘the Chinese military has shut us out’. ”

Snowden’s not saying if he plans a release of the “full lists” of info he claims to have on those China operations.

The mere mention of the list’s existence adds weight to Beijing’s argument that the People’s Republic has always been a target, not a perpetrator, of state-sponsored cyber crime. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/18/snowden_china_spy_documents/

Dirty Dozen spam sending nations

Another calendar quarter is behind us, so it is once again time to wade into our spam traps and work out the latest SPAMPIONSHIP standings.

That’s where we look at the sources of spam in order to calculate the Dirty Dozen spam sending countries.

If your country is on the list, we’re not saying that you’re spammers.

But we are saying that you are spam senders.

Spammers versus spam senders

There’s a big difference, because spammers generally don’t send their own spam in bulk any more.

That hasn’t worked for a decade or so, because if you send 10,000,000 unwanted emails as fast as you can from the same server, or even the same data centre, you make an easily-identified target.

So 1,000,000 of the messages might get loose before either the data centre (if it cares, and reputable ones most definitely do) or the majority of your recipients, or both, say, “No more!”

Not only are you blocked from sending the remaining 9,000,000 emails from your truncated campaign, you probably can’t use those same servers again for days, weeks, months, perhaps ever.

How spam is delivered

Enter the botnet, or robot network.

That’s an unwitting collection of surreptitiously co-operating zombie computers – in homes, at offices, in coffee shops, at the mall, by the beach – that regularly call home for instructions to servers that the criminals control.

The crooks can send each bot in the network a list of email addresses, and then command the entire botnet to start a giant spam campaign.

Using bots, those 10,000,000 spams can be sent, say, in 10,000 batches of 1000 emails at a time, presenting a much less obvious pattern to those who defend against spam. (And sticking those 10,000 bot-infected users with the cost of the bandwidth, if you don’t mind.)

Why spam matters

I used the words “unwitting” and “surreptitious” above because, although some users may knowingly participate, the majority of botnet spam senders don’t even realise they’re doing it.

That’s why we publish the SPAMPIONSHIP tables: not to lay wholesale accusations of cybercriminality against entire countries, but to raise awareness of something we’ve said a number of times recently, since it’s Cyber Security Awareness Month:

If you don’t make an effort to clean up malware from your own computer, you aren’t part of the solution, you’re part of the problem.

We’re not pointing fingers here at anyone who ever made a mistake and ended up infected by malware, but we do want you to be mindful of the consequences of inaction.

For as long as you fail to do anything about spambot malware on your computer, you’re actually helping the crooks to make money, and putting the rest of us, no matter how modestly, in harm’s way.

The SPAMPIONSHIP tables

And with those firm-but-fair words behind us, here are the latest figures showing spam by volume on a country-by-country basis:

As you can see, the top of the table is surprisingly consistent, with the countries in the first five places having all been in the Dirty Dozen throughout the year.

Of course, you probably expected to see India and China in the list: they each have populations exceeding 1 billion people, so it would be surprising not to see them near the top.

Nor is it surprising that the USA is in the Number One spot yet again, this time sending nearly three times as much spam as second-placed Belarus.

After all, the US has 30 times the population of Belarus, and internet access is much more strongly established, so you would expect a higher proportion of Americans to have their own computers and to use the internet regularly.

It’s when we turn the SPAMPIONSHIP into a per capita comparison that things get interesting:

Here, the number next to each country denotes the average spamminess per person compared to the USA.

In other words, we divided each country’s spam total by its population, then divided every country’s spam-per-person value by the figure for America.

Obviously, that makes US = 1.00, and tells us that the average computer in Belarus was eleven times more likely to send spam than if it were in the USA.

Israelis, whose propensity for sending spam sneaks the Middle Eastern country into twelfth place on the chart for the first time this year, were 1.8 times as likely as Americans to be spam senders.

The per capita chart doesn’t do any favours to small countries, which tend to hide near the bottom of volume-only lists, even if their computers are awash with zombie malware.

US neighbour The Bahamas, for example, made it to eighth spot, with double the likelihood of its computers spamming compared to the US.

Luxembourg got up to fourth spot, with a spammishness 2.7 times that of the US, up from sixth in Q2 and seventh in Q3.

→ We excluded countries with populations below 300,000 so small nations that experienced a one-off spam blip wouldn’t confusingly shoot to the top. Bahamas and Luxembourg made the cut, having just over 300K and 500K inhabitants respectively.

What next?

In some ways, the SPAMPIONSHIP charts are just a bit of fun.

But the countries at the top of the per capita chart don’t paint a good picture.

The Top Three, Belarus, Uruguay and Taiwan, have earned eight of the nine podium finishes this year.

And, Luxemburgers, what’s up with you guys?

Why not DO THESE 3 and TRY THESE 4?

(The “four,” by the way, are our free tools. They’ll help you get rid of zombies, and stop them coming back.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FcNf1dawxAI/

US red-tape will drain boffins’ brains into China, says crypto-guru Shamir

Cryptographer Adi Shamir – the “S” in the RSA encryption algorithm – says “heavy-handed” bureaucracy has prevented him from attending today’s NSA-backed Cryptologic History Symposium.

And he warned other scientists will be put off from visiting America if they face a similar struggle, which will effectively drive experts to Europe and China.

Shamir, who just before all the Snowden leaks kicked off warned of a post-crypto world, submitted a paper for the conference and was accepted onto its program months ago.

The award-winning cryptographer had planned to journey from his native Israel to the US to attend the Symposium in Maryland, stopping off at the Crypto 2013 conference in Santa Barbara, California, in August, as well as several universities and research institutes to meet colleagues and give lectures. Shamir founded the Crypto conference 32 years ago and was keen to attend this year.

The whole trip was scheduled to take months, yet as a frequent visitor to the US who has previously enjoyed extended stays, Shamir didn’t anticipate any problems when he applied for a J-1 visa: he filed his paperwork in late May, two and a half months before he planned to fly to the US.

However even after “applying some pressure and pulling a lot of strings”, Shamir said he only had his visa stamped into his passport on September 30, exactly four months after filing his application, and way beyond the requested start date of his visit. His passport was stamped right on the eve of the US government shutdown, narrowly avoiding further delays.

By this point Shamir’s travel plans had been thrown into disarray. The president of the US National Academy of Science, of which Shamir is a member, tried to intervene on the crypto-guru’s behalf, but without success.

Shamir’s paper, titled The Cryptology of John Nash From a Modern Perspective was, we’re told, pulled from the Cryptologic History Symposium programme in July after he informed the organisers there was an issue with his visa and asked them for help. Shamir remained determined to visit the US anyway and accepted invitations to speak at MIT and give a lecture this week.

In an abrupt turn, the organisers of the Cryptologic History Symposium apparently invited Shamir back to their event, but by this time he was committed to travelling to Massachusetts to visit MIT instead. Shamir wrote emails to his academic peers explaining why he couldn’t be at the conference in Maryland.

Scientists will avoid the US in future, says research centre president

The distinguished computer scientist fears his experiences are far from isolated. The president of the Weizmann Institute of Science in Israel, where Shamir lectures, wrote to the US ambassador in the Middle East nation in July complaining that boffins are being given a far harder time than ordinary folks when obtaining a visa.

The academic chief warned these difficulties could force experts to avoid visiting the US or even encourage them to refuse to collaborate with American scientists. Shamir shares the same sentiments in the conclusion of his “personal apology” email to delegates at the Cryptologic History Symposium, republished by the Federation of American Scientists’ Secrecy News blog.

“The heavy handed visa bureaucracy you have created seems to be collapsing under its own weight,” Shamir wrote of Uncle Sam’s administration. “This is not a security issue – I have been to the US close to a hundred times so far (including some multi-year visits), and had never overstayed my visas. In addition, the number of terrorists among the members of the US National Academy of Science is rather small.”

Shamir concluded by warning that America’s red tape may prompt scientists to stick to conferences in Europe and Asia, in particular China, where they are welcomed with open arms and minimal fuss.

“As a friend of the US I am deeply worried that if you continue to delay visas in such a way, the only thing you will achieve is to alienate many world-famous foreign scientists, forcing them to increase their cooperation with European or Chinese scientists whose countries roll the red carpet for such visits. Is this really in the US best interest?” he wrote.

US cryptographers reacted with disbelief on hearing of the saga experienced by one of the godfathers of the industry.

“If Adi Shamir can’t get a visa to present a scientific paper at the NSA’s invitation, our laws are really broken,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University, in a Twitter update. Green lectures at the same Maryland university where the 2013 Cryptologic History Symposium will take place today and tomorrow. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/crypto_guru_shamir_red_tape_bungle/

SANS Announces Results of its Inaugural Health Care Information Security Survey

BETHESDA, Md., Oct. 17, 2013 /PRNewswire-USNewswire/ — SANS announces results of its inaugural health care information security survey, in which 373 health care IT professionals answered questions about their digital health initiatives, awareness and concerns over risk, and how they are (or are not) managing this risk. The survey was sponsored by Oracle, Redspin, Tenable Network Security and Trend Micro.

The majority of respondents represented IT staff working in some form of clinical setting, including a hospital (32%), physician group practice (12%), rural or critical access hospital (8%) and individual provider (6%). There were also several ancillary services represented, including health plan/payer (17%) and lab and radiology (12%).

“While these respondents primarily represented the IT side of health care, their biggest driver for information security is regulatory compliance,” says survey author Barbara Filkins. “There was also a common theme on ‘securing the human,’ emphasizing a need for technical, clinical and compliance staff to work together for effective risk management and compliance.”

In the survey, negligent insiders were a primary concern for 65% of respondents, followed by lack of investment in user awareness (53% selected this option as among their top three concerns). When asked about the effectiveness of their controls, only 40% rate “workforce training and awareness” as effective, while nearly 30% consider it their least effective control.

Respondents are also concerned about the security of their electronic medical records/electronic health records as well as personal health record or PHR systems. PHRs can be “untethered” from the more regulated electronic health record systems and not subject to the same regulatory protection and control.

“Despite these concerns, organizations are accepting the risks for the convenience of mobile and cloud technologies in delivering care to patients,” Filkins adds.

Results will be pre-released during the SANS HealthCare Cyber Security Summit, at the Hyatt Fisherman’s Wharf in San Francisco, Oct. 23, 2013.

There will also be a webcast for those not attending the summit on Wednesday, October 30, at 1 PM EDT, where SANS releases the full set of results. Register for the webcast at http://www.sans.org/info/141255

Those who register for the webcast will be given access to an advance copy of the associated report developed by Barbara Filkins.

The SANS Analyst Program, www.sans.org/reading_room/analysts_program, is part of the SANS Institute.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 25 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.

(www.SANS.org)

Article source: http://www.darkreading.com/government-vertical/sans-announces-results-of-its-inaugural/240162804

10 Pitfalls Of IT Risk Assessment

As IT organizations seek to make better risk-based decisions about security practices, perhaps the number one component for success is the IT risk assessment. However, even when organizations actually conduct a risk assessment, they frequently fall prey to mistakes that can greatly devalue the exercise. Here are some of the most common blunders to avoid.

1. Forgetting To Assess Third Party Risk
Most IT risk experts agree that most enterprises today simply don’t work to gauge the level of IT risk posed by vendor and other partner infrastructure that touches their most sensitive data.

“One area that many companies are not doing enough on is managing their relationships with third party vendors they use,” says Brad Johnson, vice president of consultancy SystemExperts. “Often, once the lawyers have finally signed off on an agreement, both parties tend to have a very hands-off approach with each other and forget the details of making sure things are staying on course.”

When organizations fail to really do their due diligence—both before and after a contract is signed—they’re bound to miss critical details that will drastically change how the real risk exposure looks.

“For example, a client company may not be aware that a vendor is storing their regulated data in a public cloud,” says Natalie Kmit, senior information security advisor for security consultancy Sage Data Security.

2. Making Assessments Too Quantitative
True, analytics and numbers are really important for evaluating risk and how it could materially impact the bottom line. But organizations need to understand that the numbers game doesn’t have to be perfect to be effective, especially when it comes to estimating breach impact.

“Ranges of impact to make it easier to get on with the discussion and focus on how you’ll mitigate risk, rather than spending a lot of cycles debating about whether the impact is $20 million or $21 million,” says Dwayne Melancon, CTO of Tripwire. “Once you figure out whether the impact of a realized risk is catastrophic, painful, inconvenient, annoying, or not a big deal, you can have a good conversation about how much you want to spend to mitigate the most serious risks.”

Melancon says that going overboard with analytics in general can bog down the assessment process and that organizations should be wary of taking so long on things like classifying risk that they lengthen the assessment cycle to the point of ineffectiveness.

Besides, says Manny Landron, senior manager of security and compliance at Citrix ShareFile’s SaaS Division, there are also qualitative risk factors that organizations need to find a way to incorporate into the assessment.

“Quantitative assignments should be well defined and the cost-benefit assessment should have a qualitative counterpart at each turn,” he says. “Having too narrow a focus, using strictly quantitative measurements, not having a framework to work against and not having sufficient periodically scheduled risk assessments are all mistakes risk executives should aim to avoid.”

3. Letting Assessment Suffer From Myopic Scope
It’s the rule rather than the exception that most large organizations overlook key assets and indicators in their risk assessments, says Jody Brazil of firewall management firm FireMon.

“Among the most frequent issues are those related to identifying vulnerabilities as ‘risks’ without any greater qualification such as exposure to available access or exploitation,” he says. “There’s also the labeling of individual threats as ‘risk,’ and the failure to properly assign values to specific assets – most often exemplified by treating all hosts or underlying systems as equal.”

Mike Lloyd, CTO of RedSeal Networks, agrees, stating that most organizations just don’t keep good enough track of the infrastructure assets they own to properly assess them.

“Most organizations have lost track of the assets they own,” he says. “Performing a risk assessment on the asset inventory system can be like the drunk looking for his keys under the lamp post, even though he dropped them in the alley, because the light is better under the lamp post.”

What’s more, even when the data sets are complete, they are frequently assessed in separate silos, making it difficult to understand interdependencies.

“Sometimes, an assessment focuses on a very specific application, but fails to embrace the entire infrastructure,” says Gregory Blair, senior director of operations for FPX, a company that develops price quoting software. “For example, the assessment might look only at an application focused on securing a database and misses the general computing controls that are used in a specific industry – things like encryption, firewall, authentication and authorization.”

4. Assessing Without Context
IT risk assessments are all about context, whether it is systems context as mentioned above or business context. Organizations that fail to put vulnerabilities and threats in context of the information assets and their importance to the business can’t truly develop a good risk assessment or a way to apply it back to IT practices.

“When assessing risks, many times CISOs lack the context to the business. In other words, they need to ask ‘What’s being assessed and how does it affect the business?’” says Amad Fida, CEO of big data risk analysis firm Brinqa. “Results that are analyzed without business context provide a ‘technology’ view but not a ‘business + technology’ view.”


5. Failing To Fold IT Risk Assessment Into Enterprise Assessments
Similarly, businesses want to understand how IT risks interplay with all the other risks set in front of other business units. More often than not, organizations treat IT risks as their own category without considering their broader impact.

“More risk-aware organizations recognize that IT is an integral part of their business success and work to make sure IT is engaged in the business risk conversation,” Johnson of SystemExperts says. “A number of organizations I work with have cross-functional teams that look at risk holistically to better understand dependencies, and these teams make recommendations about which risks the company should focus on from a business perspective.”

6. Falling To Assess And Forget Syndrome
Organizations today simply do not do risk assessments often enough, experts warn. Regular assessment is the only way to keep up with the changing threat landscape, says Luke Klink, security consultant for Rook Consulting.

“Executing regular risk assessments enables business executives to put their security budgets to efficient use,” he says. “With some investment of work upfront by performing detailed risk assessments, no longer will we have to rely on the “spray and pray” protection approach, but execute true management of risk in a tactical and surgical manner.”

According to Torsten George, vice president of marketing and products for integrated risk management vendor Agiliance, the most progressive organizations are following NIST guidelines for continuous monitoring to inform better situational awareness and improved assessment intervals.

“This approach provides increased risk posture visibility, improved response readiness and minimizes overall risk,” George says. “In reality, security risk assessments should be conducted continuously and even embedded into an organization’s incident response management process, whereby each incident triggers an automatic high-level risk assessment. If a highly critical risk is discovered, a more detailed risk assessment can be conducted.”

7. Relying Too Heavily On Assessment Tools
But automated tools that help enable continuous monitoring of IT assets shouldn’t be the end-all, be-all of risk assessment. There are some risks that simply can’t be identified without more in-depth digging offered by manual penetration testing, says Benjamin Caudill, co-founder and principal consultant at Rhino Security Labs.

“Often the most vital risks are those which can only be found through dedicated, manual analysis,” he says, pointing to logic flaws in web sites as a solid example. “The reason this should be on the radar of CISOs and other executives is the concept of exclusively tool-based risk assessments give management a false sense of security, and can’t identify a number of vulnerabilities.”

8. Conducting Vulnerability-Centric Assessments
As organizations assess the technological vulnerabilities that contribute to risk, they often fail to keep in mind that it is the security or insecurity of the data itself that is the risk factor rather than the system holding the data.

“(Risk assessment) is often vulnerability-centric, rather than data-centric,” says Barry Shteiman, director of security strategy for Imperva. “Often IT will choose to protect platforms that contain data, without actually understanding which kind of data is in the systems and who is accessing or have access to this data.”

Enterprises should keep in mind that a vulnerability risk factor on a piece of internal network infrastructure may not have the same impact as the risk posed by a user accessing IP and compromising it.

9. Forgetting To Gauge The Human Risks
Similarly, organizations must also remember that systems and software vulnerabilities are only one component of a risk assessment, says Joseph Steinberg, CEO of Green Armor Solutions.

“Concerns about social engineering or the increased likelihood of human error when complex technologies are used in an organization often take a back seat to technological risks when assessments are performed,” he says.

Failing to account for behavior patterns within the organization can actually lead to invalid assumptions in the final assessment.

“For example, the assessment may verify that only the correct people have access to sensitive data,” says Chris Baker, owner of CMB Computers, a technology consultancy. “However, the assessment may not verify training of employees to protect data.”

10. Leaving Out Facilities
As enterprises run their assessments, one big point that often falls off the radar is physical security. Quite often the security of facilities will directly impact the technology assets contained within, says Jim Mapes, CSO of BestIT, stating it goes beyond simply locking down data centers and server rooms.

“Physical is not only a potential risk for the safety of employees and the loss of equipment or hardcopy data assets, but may also be used to plant clandestine devices to allow for follow-on attacks launched from a remote location,” Mapes says.


Article source: http://www.darkreading.com/risk/10-pitfalls-of-it-risk-assessment/240162808

Twitter introducing new direct message options – to combat spam or invite more?

News has been spreading that Twitter is slowly introducing changes to how it handles direct messages (DMs) and controlling the types of links that can be sent through DMs from non-verified accounts.

These changes could have far-reaching implications for Twitter users’ security and privacy.

My first thought when reading this news was “Wow, what an odd way of admitting defeat in the fight against spam.”

Twitter has not rolled out these changes to all users, but it would appear that links in DMs to URLs other than Facebook, Twitter and Instagram will be blocked.

I might strongly recommend against clicking links in email, but Google, Yahoo!, Microsoft and AOL don’t remove links from email messages.

A frighteningly high number of blogs might be compromised by cybercriminals, but I wouldn’t suggest Chrome, Firefox, Safari and Internet Explorer render links unclickable.

Restricting the ability to send private links, rather than filtering out spammy or malicious ones, could discourage users from sharing content on Twitter and push them toward other private messaging services like SMS, Facebook Chat or MSN Messenger.

I wouldn’t normally object to policy changes that could prevent users from being exposed to unwanted messages or malicious content, but this seems to be an extreme response to a largely solvable problem.

The second change appears to be the ability for users to receive direct messages from users they do not themselves follow. This is being rolled out slowly through a new account setting.

This might be particularly useful for organizations that provide customer service and technical support via Twitter and want to have private communications with customers without already having had to follow those users.

At the time of this writing, none of these changes are available on my accounts, but some are writing about the changes being implemented on their accounts.

This is likely a very bad idea for regular everyday Twitter users though. It is a bit of a blanket invitation for unwanted solicitations.

Other services that allow for private messaging have had to implement the blocking of unsolicited messages. If Twitter changes this option to be the new default it will likely end in tears.

Bottom line? Nothing earth shattering.

Check your Twitter settings and be sure “Receive direct messages from any follower” is unchecked once it is available in your profile.

If Twitter blocks you from sending links to your friends through DMs, use another medium. It isn’t really such a bad thing to avoid clicking shortened links when you don’t really know where they might lead you anyhow.

Look on the bright side, at least they aren’t trying to use your profile to promote products or removing privacy choices.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Az5Rq_lYa_0/

Dirty Dozen spam sending nations – find where you finished in our Q3 SPAMPIONSHIP chart

Another calendar quarter is behind us, so it is once again time to wade into our spam traps and work out the latest SPAMPIONSHIP standings.

That’s where we look at the sources of spam in order to calculate the Dirty Dozen spam sending countries.

If your country is on the list, we’re not saying that you’re spammers.

But we are saying that you are spam senders.

Spammers versus spam senders

There’s a big difference, because spammers generally don’t send their own spam in bulk any more.

That hasn’t worked for a decade or so, because if you send 10,000,000 unwanted emails as fast as you can from the same server, or even the same data centre, you make an easily-identified target.

So 1,000,000 of the messages might get loose before either the data centre (if it cares, and reputable ones most definitely do) or the majority of your recipients, or both, say, “No more!”

Not only are you blocked from sending the remaining 9,000,000 emails from your truncated campaign, you probably can’t use those same servers again for days, weeks, months, perhaps ever.

How spam is delivered

Enter the botnet, or robot network.

That’s an unwitting collection of surreptitiously co-operating zombie computers – in homes, at offices, in coffee shops, at the mall, by the beach – that regularly call home for instructions to servers that the criminals control.

The crooks can send each bot in the network a list of email addresses, and then command the entire botnet to start a giant spam campaign.

Using bots, those 10,000,000 spams can be sent, say, in 10,000 batches of 1000 emails at a time, presenting a much less obvious pattern to those who defend against spam. (And sticking those 10,000 bot-infected users with the cost of the bandwidth, if you don’t mind.)

Why spam matters

I used the words “unwitting” and “surreptitious” above because, although some users may knowingly participate, the majority of botnet spam senders don’t even realise they’re doing it.

That’s why we publish the SPAMPIONSHIP tables: not to lay wholesale accusations of cybercriminality against entire countries, but to raise awareness of something we’ve said a number of times recently, since it’s Cyber Security Awareness Month:

If you don’t make an effort to clean up malware from your own computer, you aren’t part of the solution, you’re part of the problem.

We’re not pointing fingers here at anyone who ever made a mistake and ended up infected by malware, but we do want you to be mindful of the consequences of inaction.

For as long as you fail to do anything about spambot malware on your computer, you’re actually helping the crooks to make money, and putting the rest of us, no matter how modestly, in harm’s way.

The SPAMPIONSHIP tables

And with those firm-but-fair words behind us, here are the latest figures showing spam by volume on a country-by-country basis:

As you can see, the top of the table is surprisingly consistent, with the countries in the first five places having all been in the Dirty Dozen throughout the year.

Of course, you probably expected to see India and China in the list: they each have populations exceeding 1 billion people, so it would be surprising not to see them near the top.

Nor is it surprising that the USA is in the Number One spot yet again, this time sending nearly three times as much spam as second-placed Belarus.

After all, the US has 30 times the population of Belarus, and internet access is much more strongly established, so you would expect a higher proportion of Americans to have their own computers and to use the internet regularly.

It’s when we turn the SPAMPIONSHIP into a per capita comparison that things get interesting:

Here, the number next to each country denotes the average spamminess per person compared to the USA.

In other words, we divided each country’s spam total by its population, then divided every country’s spam-per-person value by the figure for America.

Obviously, that makes US = 1.00, and tells us that the average computer in Belarus was eleven times more likely to send spam than if it were in the USA.

Israelis, whose propensity for sending spam sneaks the Middle Eastern country into twelfth place on the chart for the first time this year, were 1.8 times as likely as Americans to be spam senders.

The per capita chart doesn’t do any favours to small countries, which tend to hide near the bottom of volume-only lists, even if their computers are awash with zombie malware.

US neighbour The Bahamas, for example, made it to eighth spot, with double the likelihood of its computers spamming compared to the US.

Luxembourg got up to fourth spot, with a spammishness 2.7 times that of the US, up from sixth in Q2 and seventh in Q3.

→ We excluded countries with populations below 300,000 so small nations that experienced a one-off spam blip wouldn’t confusingly shoot to the top. Bahamas and Luxembourg made the cut, having just over 300K and 500K inhabitants respectively.
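The two-step normalisation described above (spam divided by population, then everything scaled so the USA reads 1.00) and the 300,000-inhabitant cutoff are easy to get subtly wrong, for instance by applying the cutoff after choosing the baseline or by ranking on raw volume by mistake. The following is an added illustration, not Sophos’s own code or data: the country figures are constructed round numbers chosen so the arithmetic is easy to follow, and “Tinyland” is a made-up placeholder that exists only to show the population floor at work.

```python
from dataclasses import dataclass

# Population floor used in the article: countries below it are dropped from the
# per capita chart so a one-off blip from a tiny nation cannot dominate it.
MIN_POPULATION = 300_000


@dataclass(frozen=True)
class Country:
    name: str
    spam: int        # spam messages attributed to this country's address space
    population: int  # inhabitants


# Constructed sample figures (round numbers for a readable walk-through; not
# Sophos's spam-trap data). "Tinyland" is a placeholder used only to show the
# population cutoff in action.
SAMPLE = [
    Country("USA", 3000, 300_000_000),
    Country("India", 1200, 1_200_000_000),
    Country("Belarus", 1100, 10_000_000),
    Country("Luxembourg", 14, 500_000),
    Country("Bahamas", 7, 350_000),
    Country("Tinyland", 50, 50_000),
]


def volume_ranking(countries):
    """Raw Dirty Dozen ordering: most spam sent first, no normalisation."""
    return sorted(countries, key=lambda c: c.spam, reverse=True)


def per_capita_ranking(countries, baseline="USA", min_population=MIN_POPULATION):
    """Spam per person relative to the baseline country (baseline == 1.00).

    Step 1: spam_total / population for every country.
    Step 2: divide each result by the baseline's value.
    Countries under min_population are excluded before ranking; the baseline
    is looked up from the full list so the cutoff can never remove it.
    """
    base = next(c for c in countries if c.name == baseline)
    base_rate = base.spam / base.population
    eligible = [c for c in countries if c.population >= min_population]
    scored = [(c.name, round((c.spam / c.population) / base_rate, 2))
              for c in eligible]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("By volume:")
    for rank, c in enumerate(volume_ranking(SAMPLE), 1):
        print(f"  {rank}. {c.name}: {c.spam}")
    print("Per capita, relative to the USA:")
    for rank, (name, score) in enumerate(per_capita_ranking(SAMPLE), 1):
        print(f"  {rank}. {name}: {score:.2f}")
```

With these constructed numbers the volume table is led by the USA, India and Belarus, while the per capita table is led by Belarus at 11.0 with the USA at exactly 1.0; Tinyland, which would otherwise score 100 times the US rate, never appears because it falls under the population floor.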

What next?

In some ways, the SPAMPIONSHIP charts are just a bit of fun.

But the countries at the top of the per capita chart don’t paint a good picture.

The Top Three, Belarus, Uruguay and Taiwan, have earned eight of the nine podium finishes this year.

And, Luxemburgers, what’s up with you guys?

Why not DO THESE 3 and TRY THESE 4?

(The “four,” by the way, are our free tools. They’ll help you get rid of zombies, and stop them coming back.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/b04AnS79XQ8/