STE WILLIAMS

Angry Brazilian whacks NASA to put a stop to … er, the NSA


Multiple NASA websites were defaced last week by a Brazilian hacktivist who may have misread the sites’ URLs, because he wasn’t protesting about the US space agency giving joyrides to inhuman stowaways – he was protesting against NSA spying.

“BMPoC” hit kepler.arc.nasa.gov and 13 other sites with messages protesting against US spying on Brazil, as well as a possible US military intervention in Syria.


It’s hard to believe anyone would confuse the NSA spy agency with NASA, the space agency, except for satirical purposes or to mock script kiddies in some way, so we can only guess that the hackers behind the attack hit NASA because it’s a US government agency whose systems are noted for being insecure.

NASA is at one level a scientific research agency with numerous links to universities. The notoriously weak security practices in much of academia have spilled over to the space agency. NASA’s less than stellar information security practices have been repeatedly criticised by government auditors.

The defacement messages themselves are all over the place, grammatically, and less than coherent logically.

NASA HACKED! BY #BMPoCWe! Stop spy on us! The Brazilian population do not support your attitude! The Illuminati are now visibly acting!

Obama heartless! Inhumane! you have no family? the point in the entire global population is supporting you. NOBODY! We do not want war, we want peace!!! Do not attack the Syrians.

A list of the defaced domains along with links to entries on defacement archive Zone-h can be found on Pastebin.

The hacked domains are maintained by various scientific missions within NASA such as the Kepler Mission, Ames Academy for Space Exploration and NASA’s Office of Planetary Protection, Virtual Astrobiology, a NASA recruitment domain, NASA Lunar Science Institute among others, CyberWarZone reports. Brief checks suggest most of the domains were returned to service by Monday morning.

A NASA spokesman played down the significance of the digital graffiti attacks, telling Fox News that everything was under control.

“A Brazilian hacker group posted a political message on a number of NASA websites. … Within hours of the initial posting, information technology staff at the Ames Research Center discovered the message and immediately started an investigation, which is ongoing,” he said. “At no point were any of the agency’s primary websites, missions or classified systems compromised.”

The same hacker/hacking group also hit NASA back in April, HackRead reports. Last time around the defacement had no politically-related content.

“NASA might be picked on simply because it represents low-hanging fruit,” writes Lisa Vaas, in a commentary on the hacking on Sophos’ Naked security blog. “Somebody ought to tell BMPoC that he/she/they are bullies kicking sand in the face of rocket scientists who have better things to do than mop up after an attack that’s spurred by a head-scratcher of a so-called rationale that’s unrelated to NASA’s mission.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/17/defacers_hit_nasa_in_nsa_protest/

NSA spooks tooled up with zero-day PC security exploits from the FRENCH


The NSA bought specialist computer hacking tools and research from French security outfit Vupen, according to documents unearthed using the Freedom of Information Act.

A contract shows the American spooks paid for a year’s supply of zero-day vulnerability information and the software needed to exploit those flaws to attack electronic systems.


The paperwork, obtained by government transparency and accountability site MuckRock, shows that the US intelligence nerve-centre signed up to a one-year subscription to Vupen’s “binary analysis and exploits service” last September.

Vupen prides itself on advanced vulnerability research as well as selling software exploits for unpatched flaws in systems – known as zero-days – to governments. Several US defence contractors and security startups, such as Endgame Systems, are also in the business of privately researching and selling information about software vulnerabilities and associated attack code.

That US government organisations may be among Vupen’s customers is not a surprise. The NSA, even though it has advanced offensive cybersecurity capabilities, not least in the shape of its Tailored Access Operations cyber-espionage unit, might still find it valuable to tap into external help from commercial providers such as Vupen.

“Likely reasons for NSA subscription to Vupen’s 0day exploits: know what capabilities other govs can buy, and false flag, deniable cyber-ops,” writes Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union in an update to his personal Twitter account.

“There are times when US special forces use AK47s, even though they have superior guns available. Same for NSA’s Vupen purchase. Deniability,” he added.

Soghoian, who delivered a presentation about the exploit vulnerability marketplace at the recent Virus Bulletin conference, has previously likened the trade in software exploits to a trade in conventional weapons – think bullets, bombs and rockets. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/17/nsa_vupen/

Mid East undersea fibre telco hacked: US, UK spooks in spotlight


Belgian telco Belgacom – which operates vital undersea communications cables – says its internal network was compromised, possibly by foreign spooks.

Phone and data connections from international hot spots, such as Syria and Yemen, pass through submarine fibre lines handled by Belgacom International Carrier Services (BICS).


Security experts suspect the Belgian biz was infiltrated by state-backed hackers – and the NSA and GCHQ have emerged as the prime suspects. Journalists in Belgium – writing here, here, here, and here – cite sources who reckon Belgacom’s systems may have been compromised for two years by a foreign intelligence agency.

Well-known security researcher Eddy Willems of antivirus biz G Data told El Reg that Belgacom admitted on TV that 5,000 of its internal machines were infected with sophisticated malware, which may have cyber-espionage purposes.

“I don’t have a sample of the malware but am hoping to acquire it,” Willems explained. “The circumstances look that it might be cyber-espionage but it might be something completely unrelated.”

BICS – a joint venture between Belgacom, Swisscom and South Africa’s MTN – provides wholesale carrier services to mobile and fixed-line telcos around the world. It is among a group of companies that run the TAT-14, SEA-ME-WE3 and SEA-ME-WE4 cables connecting the United States, UK, Europe, North Africa, the Middle East and Singapore to the rest of the world.

Blighty’s eavesdroppers at GCHQ run a programme called Tempora which taps data flowing through undersea fibre-optic lines of major telecommunications corporations – and BICS’s cables may be a target. Stuffing malware into the telco’s network could allow spooks to monitor the submarine communications, but how exactly that would happen is unclear.

In a statement issued yesterday Belgacom admitted its internal systems were invaded, but sought to reassure its customers that their records and other information stored in the systems were not affected. It said the intrusion, which did not compromise the “delivery” of communications, is under investigation by law enforcement:

This weekend, Belgacom successfully performed an operation in the light of its continuous action plan to protect the security of its customers and their data and to assure the continuity of its services.

Previous security checks by Belgacom experts revealed traces of a digital intrusion in the company’s internal IT system. Belgacom has taken all appropriate actions to protect the integrity of its IT system and to further reinforce the prevention against possible incidents.

For Belgacom, the protection of the customers and their data is a key priority. At this stage there is no indication of any impact on the customers or their data. At no point in time has the delivery of our telecommunication services been compromised.

Belgacom strongly condemns the intrusion of which it has become a victim. The company has filed a complaint against an unknown third party and is granting its full support to the investigation that is being performed by the Federal Prosecutor.

Security experts – such as Costin Raiu, a senior security researcher at Kaspersky Lab – have drawn parallels between the breach within Belgacom and the compromise of systems at Norwegian carrier Telenor. Analysis about the Telenor attack by infosec firm Norman pointed the finger of blame towards India.

In the case of Belgacom, GCHQ and the NSA are suspected given this year’s revelations of the two agencies’ global internet surveillance operations. “It’s still too early to make conclusions that NSA is involved, however the likelihood is high if you look at the monitoring opportunities,” G Data’s Willems told El Reg. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/17/belgacom_mystery_malware/

PWN2OWN for mobile devices

Imagine that you have a jailbreak for iOS 7 up your sleeve.

All you have to do is wait a while, until iOS 7 ships, and announce your jailbreak then.

You’ll soon be enjoying the adulation of the whole jailbreaking scene, a writeup on Naked Security, and the prospect of a job/lawsuit (or both!) with/against Apple.

Or you could try for $50,000 from HP instead.

That’s just part of the prize money that’s up for grabs at the second Pwn2Own competition of the year, Mobile Pwn2Own, announced last week by HP’s Zero Day Initiative.

We covered what you might call the regular-sized Pwn2Own earlier this year, from the announcement of its $500,000 in prize money to the day by day results.

The outcome was a series of victories for the hackers, with HP ultimately paying out $480,000.

(The official rules limited the payout for a particular target to the first to pwn it, but HP ended up agreeing to pay all four of the entrants who “popped” Java, at $20k, ahem, a pop.)

The mobile competition

The Mobile Pwn2Own won’t be pitting vendor against vendor, so it isn’t a question of Android versus Windows Phone, or Safari versus Chrome, or Blackberry versus Nokia, aka Microsoft.

Instead, the prize money is divided up by attack vector, based on how you break in:

Via physical proximity (prize: $50k)

You can use a wireless or a wired attack, using one (or, presumably, more) of Bluetooth, Wi-Fi, USB or NFC.

A successful attack “must require little or no user interaction,” so a dialog such as the one iOS 7 will soon be popping up to inhibit rogue USB connections would be a satisfactory mitigation.

Earlier in the year, of course, researchers showed at Black Hat how a booby-trapped iPhone charger could silently hijack your USB connection given the absence of such a pop-up warning.

Mobile web browser (prize: $40k)

Some user interaction will no doubt be allowed here – someone has to decide to browse somewhere to get started, after all – but you won’t be allowed to assume the user will agree to or click on anything else.

There is no requirement in the rules for persistence, where the exploit remains active after the browser exits.

In any attack category, all you need to do is one of the following: exfiltrate (i.e. steal and send to the outside world) information you aren’t supposed to get; silently make a long-distance phone call; or eavesdrop on a conversation.

→ The rules don’t say if “eavesdropping a conversation” applies to cellular calls only, or even only to voice. If you are planning on eavesdropping to win a prize, you probably want to check in advance whether logging an instant messaging chat would count, or whether HP wants to see you listening in to phone calls made over the cellular voice network.

Mobile Application/Operating System (prize: $40k)

Since each device will be in its default setup and configuration, with all available patches applied, you won’t be able to rely on third party apps that might or might not have been installed by the user, no matter how prevalent they might be.

Messaging Services (prize: $70k)

You can attack by means of any of these: Short Message Service (SMS), Multimedia Messaging Service (MMS), or Commercial Mobile Alert System (CMAS).

The rules don’t say, but with “limited user interaction” permitted, it’s probably reasonable to assume that an attack can rely on users actually reading a booby-trapped message, but not on them following any instructions given in it.

Baseband (prize: $100k)

Loosely put, the baseband is the part of a device that makes it a phone, or at least capable of connecting to a cellular network, so this vector of attack doesn’t apply to Wi-Fi only devices.

The value of this prize presumably reflects the comparative difficulty of coming up with a method to break in via the mobile network itself, rather than via USB cable or over the internet.

Choose your weapon

Once you’ve picked your attack vector, you can choose to mount the attack using any one of an eclectic list of devices:

  • Nokia Lumia 1020 running Windows Phone
  • Microsoft Surface RT running Windows RT
  • Samsung Galaxy S4 running Android
  • Apple iPhone 5 running iOS
  • Apple iPad Mini running iOS
  • Google Nexus 4 running Android
  • Google Nexus 7 running Android
  • Google Nexus 10 running Android
  • BlackBerry Z10 running BlackBerry 10

Entrants in each category go in to bat in randomly chosen order, designate the device on which they wish to mount their attack, and then have 30 minutes to pwn the chosen device via their chosen method.

The first to succeed in each category wins that category’s prize – and since there are five categories but nine devices, at least four devices will remain unowned.

What we may never know, if there’s a device (or an operating system) that no-one chooses for any attack, is whether it was avoided due to a lack of interest, or due to its recognised strength.

Pwn2Own, like many security tests, is good at telling you if a product has a security weakness, but doesn’t say much about each product’s strengths.

Oh, by the way, to enter, you need to be registered as a delegate at PacSec 2013 Conference in Tokyo, Japan, which takes place from 11-13 November 2013.

NB. Yes, the organisers have thought about the effect that demonstrating telephony-related exploits might have on the real world. Any exploit attempts that use radio waves must “be completed within the provided RF [radio frequency] isolation enclosure.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ybiSa5yLDGg/

Cybercrooks can buy hacked POS device and money-laundering bundle for $2,000

Crooks can now purchase a low-cost, booby-trapped bank card reader bundled with a suite of money-stealing support services that make fraud crimes even easier.

The replete package of goods and services now available on the digital underground:

  • Rigged card reader that can feed stolen account data to a laptop via serial cable or to a phone outfitted with a SIM card,
  • Participating “grey” merchants who provide illegal cash-outs of dumped PINs, and
  • Hire-purchase agreement that allows criminals to buy the package for $2,000, in exchange for sharing 20% of pilfered proceeds.

Then again, criminals who don’t feel like sharing the profits can simply buy a working kit outright for $3,000.

The finding comes from cybersecurity consultants Group-IB, a company that’s detected criminals who have started to sell modified Verifone VX670 POS Terminals (GSM) that intercept tracks 1 and 2 from the magnetic stripes on the back of swiped bank cards.

In other words, crooks are able to purchase rigged card readers with which they can swipe a card (can you imagine how often store clerks or wait staff do that every day?) and get your account number, your name and your PIN code.

Andrey Komarov, head of international projects at Group-IB, told The Register that the fraud takes less than 3 hours.

The new approach is being used by various cybercriminals against the Russian bank Sberbank, Komarov said.

In this video demonstration (courtesy of The Register’s YouTube channel) of a Point-of-Sale (POS) device that Group-IB apparently downloaded from an underground market, a card is swiped through a tampered POS device, and a PIN is entered – the same as would happen in a typical card transaction.

After a series of key-presses, the data is transferred to a laptop via serial cable, and the computer screen displays account numbers and other sensitive information. The data can also be texted to a mobile phone that’s outfitted with a SIM card reader.

That evidence leads Group-IB to believe that the vendor of the fraud bundle is based in Russia, he said:

On video demonstration, it is possible to detect the “Sberbank” credit card in the example (national and the leading Russian bank). The criminal extracts the intercepted information from device by USB/COM port and demonstrates intercepted data on the PC. For sure, the vendor of the service is with Russian-speaking roots, because of the previous fact with “Sberbank” card.

Crooks have been hacking and selling tampered POS systems for some time.

Case in point: In March, a pair of former Subway franchisees from California were charged with cyberfraud after allegedly selling pre-compromised POS systems that allowed them to plunder gift card credits.

Fortunately for us good, law-abiding consumers, POS fraud is tough. ATM skimmers are “really hard to sell and to use,” Komarov says, given how much attention banks have given the problem, with the result of improved physical security around the devices.

POS malware is another new trend, but it’s hard to find vulnerable card readers and merchants, not to mention the difficulties around installing the malware, which requires the use of insider help.

All that means the crooks are going to just eat this new bundle right up, Komarov said, given its low cost and ease of use:

It is easy to [figure] out that it is cheap, and such kind of service will have great popularity in the black market, [given that] tampered devices such as this… [are] very easy to use with the help of [insiders] in restaurants and [in the] retail sector.

It might sound quite appealing to the criminal set, but they should bear in mind that getting caught is no fun.

It might be tough to track down and prosecute cross-border criminals who steal bank-card data, but it most certainly isn’t impossible.

That was evidenced by the case of a Romanian payment card crook, who was sentenced in January to 21 months jail time in the US for hacking POS systems at Subway and other businesses.

Prison time can be a pretty serious string attached to this good-sounding fraud deal.

Image of POS device courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/76tqVKdgkQs/

Oracle Java fails at security in new and creative ways

Oracle Java, easily the most attacked and successfully exploited browser plugin, is on my radar again after finding new ways to fail at security.

The first sign of trouble recently was posted on Jerry Jongerius’s site, Duckware. He described the embarrassingly broken code signing implementation in the Java Runtime Environment (JRE).

The purpose of code signing is to cryptographically ensure that you can identify who created a program and that it hasn’t been tampered with by any third parties.

For example, Oracle offers a test applet (applets are Java programs that run in your browser) to determine whether your version of Java is up to date.

When you download the applet with Java, you are prompted to run the applet with a warning that Java applets can be dangerous, the name of the applet, the publisher and the URL serving it to you.


While the name can be anything, it is usually there to remind you of why you want to run this Java program.

The publisher should provide a clue as to whether it is from the expected source and the URL verifies that it is coming from the expected site.

What Jerry discovered is that you can forge both the application name and the URL to be anything you want. In essence, they’re doing it wrong.

Similar to the Android “Master Key” flaw this summer, flaws in application signing could be used by malware authors to load malicious applets.

Even worse, signed Java applets run with full privileges, largely removing all the security advantages of the language’s much touted sandboxing technology.

Now Oracle is rolling out another misguided attempt at shoring up Java security.

Because Oracle intends to discontinue one of the most popular versions of Java (1.6) in April 2014 (a bad month for Java 1.6 Windows XP users), it decided to build a bit of a bridge for enterprise users called “Deployment Rule Sets”.

Oracle’s concept is that enterprises who have a certificate for signing Java applets will be able to sign a policy for their outdated applets that allows them to continue to operate insecurely, even if the device is running a more modern version of Java that prohibits these behaviors.

Wow.

What a dream for attackers who deliver malicious applets as a means of delivering malware to your PC/Mac.

It’s a way to disable security warnings that in no way deters cybercriminals, but is too complicated for most organizations to manage and deploy.

This feature of course offers no security benefits at all to normal Java users and arguably very little for corporate customers.

Worse yet, everyone’s Java installation (if you are running a recent enough version) will be vulnerable to attackers exploiting the “feature.”

All you need to do is digitally sign a package containing a policy to disable most security restrictions.

There is a long history of both wrongly issued certificates and stolen certificates being used to sign malware.

These signatures aren’t just valid inside your company; if they are included in a Java applet they can apply anywhere.

The only possible penalty for deploying one of these policies in the wild to do harm is the revocation of your signing certificate.

If you’re a crook and have either stolen a certificate from an infected PC or have convinced a certificate authority you might want to publish legitimate apps you’ve got nothing to lose.

This addition to the crazy maze of security options present in varying versions of Java is enough to make your head spin.

If we have learned anything over the years, complexity is the enemy of security. We must design security technologies that just “do the right thing” and don’t require Byzantine security processes by the user.

Unfortunately, Oracle has chosen a different path.

So, I stand by my advice to disable Java whenever possible. If you haven’t already, read our post on how to disable Java in your browser.

Want to know more about Java, Javascript and what Duck and I think you should do to stay secure? Listen to our podcast: Techknow – All about Java:

Sophos Techknow – All about Java (MP3, 31 August 2012, duration 16’19”, size 11MB)

If you have any remaining doubts about Oracle’s commitment to security, consider how it is still trying to install the Ask toolbar when you download updates to Java.

Apparently $37.2 billion in revenue isn’t enough to not clutter your browser’s toolbar and increase the attack surface of your browser in the process.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/v3TjdqVqAUY/

Police nab Argentinian teen who hacked money transfer and gambling websites

Argentinian police have arrested a teenager, dubbed “the superhacker”, who was allegedly bleeding $50,000 (£31,500) per month out of international money transfer and gambling websites.

According to the BBC, police said that the 19-year-old man was working out of a bedroom in the Buenos Aires home of his father, a computer expert himself.

Police haven’t named the alleged hacker.

A search reportedly turned up high-capacity computers in the suspect’s bedroom.

Police further claim that the hacker unleashed malware attacks to build a network comprising thousands of zombie computers, which was in turn used to whisk money from accounts, leaving virtually no trace.

The setup was so zombie-rific that an extensive manhunt, begun in 2012, was dubbed, appropriately enough, Operation Zombie.

According to The Independent, police were tipped off last year when a website hosting service provider said that he had discovered a remote hacker sneaking into his servers to intercept money transfers.

A federal investigation found that one person was stealing from a number of sites that had been targeted by a virus hosted on a server for downloading online gaming applications.

The zombie computers would launch denial of service attacks against targeted servers, preventing users from accessing their accounts, around the time the money was being siphoned out.

Police said it took a year to nab the suspect – a period of time that allowed him to allegedly shore up his bank account with some $600,000 (£380,000) in purloined funds.

The so-called superhacker was arrested in July following five police raids in the capital and one in the city of Rosario. Six alleged accomplices have also been identified.

If convicted, the young man could be facing more than 10 years in prison.

Image of hacker courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/o3MxcSt5y6w/

Post-NSA Leaks, Android Encrypted Texting Arrives

A free Android app for sending encrypted text messages was released today amid a climate of escalating privacy concerns over recent revelations that the NSA overstepped its authority in its capture of communications and may have worked to weaken encryption standards.

Wickr’s announcement followed that of Silent Circle, which earlier this month began offering a similar free app for its subscribers. Both companies already had offered an iOS version of encrypted text-messaging, but now have added Android secure texting to the mix. Wickr’s Android texting app is free. The new apps could potentially propel encrypted texting to the mainstream, experts say.

The new Android encrypted messaging services come on the heels of the shutdown of two encrypted email services—Lavabit, which closed its doors altogether, and Silent Circle, which dropped its Silent Mail service in the fallout from the Edward Snowden leaks about the NSA’s spying programs. Ladar Levison, owner and operator of encrypted email company Lavabit, said he shuttered his business after being forced “to become complicit in crimes against the American people,” a statement experts say indicates Lavabit may have been pressured to give up customer information, or faced an eavesdropping warrant by the feds.

The New York Times reported last week that the Snowden documents “suggest” the NSA “generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A.”

[The NSA’s systematic crypto-cracking and other tactics have changed the data-protection game for enterprises. See Keep Calm, Keep Encrypting — With A Few Caveats.]

While some encrypted email services have struggled to find a way to survive commercially post-Snowden leaks, secure text-messaging now is available to the masses.

Nico Sell, CEO and co-founder of Wickr and r00tz, says Wickr agrees with Lavabit’s farewell message: don’t trust any U.S. company with your personal information. “We agree completely. This is why we built Wickr to be a zero-knowledge system. We have no keys and no information,” Sell said in an email interview. “With this type of architecture, the U.S. is the best place to be to offer private communications to the world. It is also the best place to keep our servers.”

Wickr anonymizes users’ contacts and can’t read the text messages or any content sent by the user. “Therefore, no criminal or rogue government can take them from us,” says Robert Statica, co-founder and CTO of Wickr, today in a blog post announcing the new Android service. “It is our commitment to keep our users’ communications between only them and the intended recipient.”

Silent Circle’s Silent Text works similarly: no logging of user metadata, and encryption keys reside on users’ devices. Both apps also auto-delete messages to leave no trace.

One of the challenges of private, anonymous texting is the interface with user contact lists. Sell says Wickr doesn’t use address books like many other messaging apps do. “The next update will have an automated connect system that is responsible. We hope this to be a model for all future apps,” she says.


Article source: http://www.darkreading.com/vulnerability/post-nsa-leaks-android-encrypted-texting/240161384

Is The Perimeter Really Dead?

Even while mobile, cloud, and software services are blurring the lines of corporate IT boundaries through deperimeterization, enterprises still continue to spend increasing amounts of security budget on perimeter protection. The question is, are they wasting their money? It’s one of the most contentious questions in security — perhaps only behind the one about the usefulness of antivirus. So it is no surprise that the answers are varied.

Hardliners, of course, have been hammering on the death of the perimeter for a long time now.

“Perimeter security is no longer relevant to enterprises. With the mobilization of the workforce, it’s very hard to define the perimeter of any organization because mobile-enabled employees are connecting to the network from all over the world on devices of their choosing,” says Thevi Sundaralingam, vice president of product management at Accellion. “Next-gen security needs to focus keeping content safe, not on defining a network perimeter.”

Then there are the cynical abandoners.

[Is IPS in it for the long haul? See The Future of IPS.]

“In my opinion, perimeter security is not dead — it just has been handled incorrectly for so long people are giving up,” says Alex Chaveriat, a consultant at SystemExpert, of this crowd.

But others believe perimeter protection still has plenty of relevance for enterprise IT, even if it means rethinking the role of the perimeter and how these defenses are deployed.

“The perimeter will never die, it will just get more focused,” says Corey Nachreiner, director of security strategy for WatchGuard. “Sure, our workforce is getting more mobile, which means we need to incorporate new security solutions. But let’s not fool ourselves. The perimeter will never go away.”

Instead, he says, it will focus on server infrastructure and data centers, rather than endpoint users. As he puts it, the industry will eventually realize that it will always have to operate in a hybrid environment. That means recognizing the need for additional security innovations bolstering perimeter security rather than replacing it.

“Just because people are using mobile devices and cloud services doesn’t mean they won’t still have local servers and assets behind a relatively static perimeter,” Nachreiner says.

Additionally, organizations need to maintain perimeter defenses not just for the traditional ingress monitoring, but also for egress visibility — crucial to pinpoint large-scale breaches.

“Ultimately, the bad guys need to pass through the perimeter in order to complete the exfiltration of the data they are trying to steal,” says Michael Patterson, CEO of Plixer International. “Monitoring behaviors is playing a significant role in this area as is the reputation of the site being connected to.”
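The egress-monitoring idea Patterson describes, as an added example rather than code from the article or from any vendor quoted in it: outbound flow records are summed per internal host, split by whether the destination is already known to the organization, and hosts whose traffic to unfamiliar destinations exceeds a baseline are reported for investigation. The flow records, the known-destination list and the baseline are all constructed for the example.

```python
"""Egress visibility at the perimeter: flag internal hosts that send an
unusual volume of data to destinations the organization does not recognize.
Added example; all records and lists below are constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that initiated the connection
    dst: str        # external destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


# Constructed sample: one day of outbound flows as a perimeter device exports them.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "203.0.113.10", 443, 120_000),
    Flow("10.1.1.20", "203.0.113.10", 443, 95_000),
    Flow("10.1.1.35", "198.51.100.7", 443, 5_000),
    Flow("10.1.1.35", "198.51.100.99", 22, 2_400_000_000),   # 2.4 GB over SSH
    Flow("10.1.1.35", "198.51.100.99", 22, 1_100_000_000),   # plus another 1.1 GB
    Flow("10.1.1.50", "203.0.113.10", 443, 60_000),
]

# Constructed: destinations the organization already knows (SaaS, partners).
# In practice this is fed by the site-reputation data Patterson mentions.
KNOWN_GOOD = {"203.0.113.10"}


def egress_volume_by_host(flows, known_good=KNOWN_GOOD):
    """Sum bytes sent per internal host, split by known vs. unfamiliar destinations,
    and keep the set of unfamiliar destinations so an analyst can pivot on them."""
    totals = defaultdict(lambda: {"known": 0, "unfamiliar": 0, "destinations": set()})
    for f in flows:
        if f.dst in known_good:
            totals[f.src]["known"] += f.bytes_out
        else:
            totals[f.src]["unfamiliar"] += f.bytes_out
            totals[f.src]["destinations"].add(f.dst)
    return dict(totals)


def flag_exfiltration_candidates(flows, baseline_bytes, known_good=KNOWN_GOOD):
    """Return (host, bytes_to_unfamiliar, destinations) for every host whose
    traffic to unfamiliar destinations exceeds the baseline, largest first.
    The baseline would normally come from the host's own history; a fixed
    number is used here for simplicity."""
    hits = []
    for host, t in egress_volume_by_host(flows, known_good).items():
        if t["unfamiliar"] > baseline_bytes:
            hits.append((host, t["unfamiliar"], sorted(t["destinations"])))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for host, volume, dsts in flag_exfiltration_candidates(SAMPLE_FLOWS, 100_000_000):
        print(f"{host}: {volume:,} bytes to unfamiliar destinations {dsts}")
```

The point of splitting known from unfamiliar traffic is that raw volume alone is noisy: a host backing up to a sanctioned cloud service looks just like one exfiltrating data until the destination is taken into account.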

Patterson also explains that perimeter defense doesn’t necessarily have to be placed as a border wall defense at the edge — in fact, it may have more relevance inside the network as organizations monitor and block threats as they try to move laterally within the organization. It’s for this reason that Mike Lloyd, CTO of RedSeal Networks, says that rather than dying, the perimeter has actually grown in recent years.

“Think of the brooms versus Mickey Mouse as the Sorcerer’s Apprentice. Companies have more and more perimeters that are getting smaller and smaller,” he says. “Regulation drives it: PCI demands internal “zones” of segregation. BYOD drives it: Once you let zany uncontrolled endpoint devices onto your network, you have to build zones to keep them away from internal assets. Security drives it: We’ve talked about defense in-depth for years, but people are finally doing it.”

As a result, Lloyd says, security practitioners have more opportunities for controls. This, though, can be a blessing and a curse.

“The downside is complexity, more controls in more places,” he says. “The aspirin for that headache is automation. Make sure that all the enclaves you designed are actually set up and maintained properly as change happens.”
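Lloyd's remedy for the complexity of many small perimeters is automation that checks the designed enclaves are actually enforced. The following is an added example of that check, not code from the article or from RedSeal: a zone map, a policy stating which zone may talk to which, and a firewall rule set are compared, and every permit rule that lets traffic cross a zone boundary the policy does not allow is reported. The zones, policy and rules are constructed; the PCI and BYOD zones mirror the drivers Lloyd names.

```python
"""Verify that firewall rules honour a segmentation policy.
Added example with constructed zones, policy and rules."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: name -> address range.
ZONES = {
    "byod": ipaddress.ip_network("10.50.0.0/16"),   # uncontrolled endpoint devices
    "corp": ipaddress.ip_network("10.10.0.0/16"),   # managed workstations
    "cde":  ipaddress.ip_network("10.20.0.0/24"),   # PCI cardholder data environment
    "dmz":  ipaddress.ip_network("192.0.2.0/24"),   # public-facing services
}

# Constructed policy: (source zone, destination zone) pairs that may communicate.
# Anything not listed (other than traffic within one zone) must be blocked.
ALLOWED = {("corp", "dmz"), ("corp", "cde"), ("byod", "dmz")}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR


# Constructed rule set, in evaluation order.
SAMPLE_RULES = [
    Rule("corp-to-dmz-web", "permit", "10.10.0.0/16", "192.0.2.0/24"),
    Rule("byod-to-dmz", "permit", "10.50.0.0/16", "192.0.2.0/24"),
    Rule("legacy-any-to-cde", "permit", "10.0.0.0/8", "10.20.0.0/24"),   # too broad
    Rule("byod-to-corp-print", "permit", "10.50.0.0/16", "10.10.5.0/24"),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def zones_overlapping(net, zones):
    """Names of every zone whose range overlaps the given network. A broad
    rule such as 10.0.0.0/8 overlaps several zones at once, which is exactly
    the case a manual review tends to miss."""
    return [name for name, z in zones.items() if z.overlaps(net)]


def find_policy_violations(rules, zones=ZONES, allowed=ALLOWED):
    """Return (rule name, source zone, destination zone) for each permit rule
    that opens a zone-to-zone path the policy does not allow."""
    violations = []
    for r in rules:
        if r.action != "permit":
            continue
        src_net = ipaddress.ip_network(r.src)
        dst_net = ipaddress.ip_network(r.dst)
        for s in zones_overlapping(src_net, zones):
            for d in zones_overlapping(dst_net, zones):
                if s != d and (s, d) not in allowed:
                    violations.append((r.name, s, d))
    return violations


if __name__ == "__main__":
    for rule, s, d in find_policy_violations(SAMPLE_RULES):
        print(f"rule {rule!r} permits {s} -> {d}, which the policy forbids")
```

Run against a rule export on every change, this kind of check turns "we designed zones" into "the zones are still there", which is the maintenance problem Lloyd points at. Overlap rather than containment is the right test: a rule only has to touch a forbidden zone pair to open a path through it.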


Article source: http://www.darkreading.com/perimeter/is-the-perimeter-really-dead/240161375

Blackstone Makes Investment In Secure Mentem

New York, NY and Annapolis, MD, September 10, 2013. Secure Mentem, an industry leader in the human aspects of cyber security, today announced a strategic investment from Blackstone (NYSE:BX), a leading asset management and advisory firm, to help the company launch Security Awareness as a Service. The service provides a turnkey, comprehensive security awareness program, tailored to diverse corporate cultures, in order to change employee security behaviors.

Secure Mentem also announced their National Cyber Security Awareness Month (NCSAM) Support Package, which provides a comprehensive security awareness program for organizations during October 2013.

“With more than 700,000 employees within our portfolio companies, Blackstone recognizes that security awareness is a top priority. Secure Mentem’s unique ability to deliver Security Awareness as a Service provides a clear and practical business value,” said Jay Leek, Chief Information Security Officer for Blackstone. “Secure Mentem combines decades of experience and research to deliver a scalable and effective awareness program.”

“Blackstone’s investment is a validation of our core belief that there is a market beyond “Check the Box” security training. Security Awareness is about changing security related behaviors, while enabling business,” said Ira Winkler, CEO of Secure Mentem. “We’ve applied decades of experience, while investing in extensive research to determine how to create strong security cultures. Blackstone’s support and resources will allow us to invest in further research and patents, while ensuring our programs become more valuable for our customers.”

About Blackstone

Blackstone is one of the world’s leading investment and advisory firms. We seek to create positive economic impact and long-term value for our investors, the companies we invest in, the companies we advise and the broader global economy. We do this through the commitment of our extraordinary people and flexible capital. Our alternative asset management businesses include the management of private equity funds, real estate funds, hedge fund solutions, credit-focused funds and closed-end funds. Blackstone also provides various financial advisory services, including financial and strategic advisory, restructuring and reorganization advisory and fund placement services. Further information is available at www.blackstone.com. Follow us on Twitter @Blackstone.

About Secure Mentem

Secure Mentem focuses on security awareness related services. Founded by world-renowned experts in the human aspects of security, Secure Mentem integrates their ongoing research efforts into delivering world-class awareness, social engineering, and related security services. Secure Mentem is dedicated to changing employee security behaviors by addressing all aspects of human security, and provides both custom services as well as the flagship on demand Security Awareness as a Service solution. More information is available at www.securementem.com. Follow us on Twitter @SecureMentem.

Blackstone Contact:

Article source: http://www.darkreading.com/end-user/blackstone-makes-investment-in-secure-me/240161394