STE WILLIAMS

Get into RSA for free, hear Sophos experts talk, play our VR game

Sophos is back at RSA Conference again this year, and we’d love for you to come and say hi.

RSA takes place 16th-20th April at the Moscone Center in San Francisco and we’ll be at booth 3201 in the North Expo Hall.

Stop by our booth to listen to presentations by Sophos security experts, watch product demos, and play on our Deep Dimension virtual reality game.

We’ll also be giving away a drone and our world famous socks.

And don’t miss out on our experts’ conference sessions:

But where’s my free pass?

If you’re going to be in the San Francisco area that week and want to get in to RSA for free then look no further!

Just use the code X8SSOPHO to register for a free expo pass, which will let you into the exhibition hall.

You can find out more about what Sophos will be up to on the booth here.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CwcbVbg17Mo/

Free Virgin Atlantic tickets? No, it’s a WhatsApp scam

I received a WhatsApp message on Friday that piqued my interest – 2 free tickets on Virgin Atlantic!

Free tickets! For every family!

It had to be a scam.

According to the message, Virgin Atlantic was giving away two free tickets per family in celebration of its 35th anniversary. It sounded far too good to be true and, as any regular reader of Naked Security can tell you, that means it probably IS far too good to be true.


I took a closer look. A much closer look.

The URL looks legit, like it must belong to Virgin Atlantic, right?

Wrong.

Take a closer look and zoom in on the “r” in “Virgin” – see the dot underneath?

viṛginatlantic.com

The “r” is in fact an “ṛ” (U+1E5B, LATIN SMALL LETTER R WITH DOT BELOW), which, in the words of Wikipedia:

Ṛ (minuscule: ṛ) is a letter of the Latin alphabet, formed from R with the addition of a dot below the letter. It is used in the transliteration of Afro-Asiatic languages to represent an “emphatic r”.

So, instead of a free luxury holiday we’ve found ourselves a highly deceitful SMS phishing, or smishing, message (perhaps we could call it WhatsPhishing or whishing scam).

I forwarded the message on to my super-secret WhatsApp alias on a test Android device (freshly wiped, with no mobile security installed) and “fell” for the scam by tapping the link.

The page opens in your phone’s browser and, if you’re eagle-eyed enough, you can see that something’s phishy immediately. This is what the domain viṛginatlantic.com looks like in a Chrome address bar:

www.xn--viginatlantic-jm1g.com

The xn-- prefix tells the browser that the label is encoded with punycode (RFC 3492), the scheme that lets any Unicode domain label, including exotic characters like ṛ, be written using only the ASCII letters a to z, the digits 0 to 9 and the hyphen (-).

WhatsApp decodes the punycode and displays the internationalised form of the domain, whereas Chrome’s IDN display policy falls back to the raw xn-- form for a label it judges potentially confusable, which is what gives the game away here.
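As an added worked example (not code from the Naked Security article), the encoding above can be reproduced and checked with nothing more than Python’s standard library: the punycode codec turns the Unicode label into the xn-- form Chrome shows, and an NFKD decomposition collapses the dotted ṛ back to a plain r so the domain can be compared against a list of brands you care about. The BRANDS allow-list and the extra sample domains are assumptions made for the example; only viṛginatlantic.com and its xn-- form come from the article.

```python
import unicodedata

# Constructed sample input: the scam domain as the article shows it, the real
# spelling, the already-encoded form from the Chrome address bar, and an
# unrelated IDN domain (assumed, for contrast).
SAMPLE_DOMAINS = [
    "viṛginatlantic.com",           # U+1E5B LATIN SMALL LETTER R WITH DOT BELOW
    "virginatlantic.com",           # the genuine spelling
    "xn--viginatlantic-jm1g.com",   # what Chrome displayed
    "bücher.de",                    # legitimate IDN, no brand collision
]
BRANDS = {"virginatlantic.com"}     # assumed allow-list of brands to protect


def to_punycode(domain: str) -> str:
    """Encode each label the way a browser or resolver does: a non-ASCII
    label becomes 'xn--' + RFC 3492 punycode; ASCII labels pass through."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--") or label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def from_punycode(domain: str) -> str:
    """Reverse: recover the Unicode form that WhatsApp rendered."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Crude confusable skeleton: NFKD-decompose and drop combining marks, so
    'ṛ' (r + COMBINING DOT BELOW) collapses to 'r'. This catches diacritic
    tricks like the one in the article; cross-script look-alikes (Cyrillic
    'а' for Latin 'a') need a real confusables table such as Unicode TR39."""
    decomposed = unicodedata.normalize("NFKD", from_punycode(domain))
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def classify(domain: str) -> str:
    """'ok' for plain ASCII, 'homograph' when the skeleton lands on a brand
    but the domain is not that brand, 'idn' for any other non-ASCII name."""
    ascii_form = to_punycode(domain)
    unicode_form = from_punycode(ascii_form)
    if unicode_form.isascii():
        return "ok"
    if skeleton(ascii_form) in BRANDS and unicode_form not in BRANDS:
        return "homograph"
    return "idn"


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:32} {to_punycode(d):32} {classify(d)}")
```

Running the block prints one line per sample domain with its xn-- form and verdict; the scam domain and its encoded form both come out as homograph, while the German domain is merely idn. The same skeleton check is what you would run over URLs extracted from a mail or chat feed before they reach users.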

The page itself is a four-question survey about your previous experiences, and a little PII (Personally Identifiable Information) – your age.


It attempts to lend itself some legitimacy with Virgin Atlantic branding and a collection of fake Facebook comments:


If you fill in the survey, you’re asked to share the WhatsApp message with 20 friends or groups using a handy button. You’re then led to a separate website that tells you “you’re just one step away” and asks for more personal information.

Interestingly, although the scam is in English, the page source is full of comments like <!-- Button zum Teilen --> (German for “share button”), which suggests it was built by a German speaker.

What to Do?

Be vigilant! The attack tries to make itself plausible by using a domain name that looks real and by coming from people you know. (Although the version that I saw arrived via WhatsApp it’s also been spotted on Facebook).

Your best defence is a combination of mobile security, such as Sophos Mobile Security for Android or iOS, and a clear understanding that if you get a WhatsApp message, tweet, Facebook post, email or other unsolicited message that seems too good to be true, it probably is.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fhBJB7uqytM/

Furious gunwoman opens fire at YouTube HQ, three people shot

Final update A woman armed with a handgun shot three people at the headquarters of YouTube today, police say. She was later found dead seemingly after turning the gun on herself.

The shooting happened just before 1pm Pacific Time at the video-sharing giant’s offices in San Bruno, California, the city’s cops confirmed to El Reg.

San Francisco General Hospital treated a 36-year-old man, who is in a critical condition, and two women, aged 32 and 27, who are in serious and fair conditions respectively. All three had been shot.


Another woman, suspected to be the shooter, died of self-inflicted gunshot wounds. Identified as 39-year-old Nasim Aghdam, of San Diego, she was, according to her family, “angry” that YouTube had stopped paying her for her online videos and had taken down her material.

“There is no equal growth opportunity on YouTube or any other video sharing site, your channel will grow if they want to,” Aghdam wrote on her website. “YouTube filtered my channels to keep them from getting views.”

Aghdam’s family had reported her missing after she disappeared from southern California, and was found sleeping the night before the attack in her car in Mountain View, not too far from San Bruno. Her father, Ismail, said he warned police she had developed a hatred for YouTube and may target the organization.

It is not yet clear if she knew any of the victims. Officially, police are saying there is so far no evidence of a personal link between the shooter and the wounded.

Chaos in tech land

Immediately after the sound of gunfire echoed around the campus, a few hundred staff fled the site, some with their hands up as the cops arrived. Officers described the scene as chaotic. One witness claimed as many as 20 shots were fired. The website’s base, at 901 Cherry Avenue in the small city, was quickly surrounded by cops, with the public told to stay away.

Some employees barricaded themselves in their offices after someone triggered a fire alarm and reports spread of a shooting on an outside patio during lunch. A number of calls flooded the 911 emergency line.

One YouTube manager reported seeing blood on the floor and stairs before being evacuated and ushered to safety by police.

“We are coordinating with authorities,” a spokesperson for YouTube said.

“We advised all other employees in the Bay Area, and people with meetings scheduled, to stay away from the area, and that there is no need to take any action. We have provided employees a helpline.”

Meanwhile, YouTube product manager Vadim Lavrusik, who had tweeted from inside the building during the shooting, had his Twitter account temporarily hijacked by miscreants to tweet out fake news about the incident, until Twitter staff restored access. ®

Final update

According to San Bruno Police Chief Ed Barberini, officers arrived on the scene at 12.48pm to the sight of scores of techies fleeing the campus. A woman, suspected of being the shooter, appeared to have killed herself on the company’s grounds.

Two of the wounded people were found in what was described as “an adjacent business” – this may well be a separate building on the YouTube campus, or the Carl’s Jr burger joint next door. One had been shot in the leg, and was initially treated by restaurant staff using a makeshift tourniquet.

One of the other shooting victims was found wounded in front of the main YouTube building. A fourth person hurt their ankle while fleeing the HQ. The whole incident is now under investigation.

Google CEO Sundar Pichai commented: “There are no words to describe the tragedy that occurred today. [YouTube boss] Susan Wojcicki and I are focused on supporting our employees and the YouTube community through this difficult time together. Thank you to the police and first responders for their efforts, and to all for messages of support.”

District Attorney George Gascón said in a statement:

A shooting has once again rocked a community, and those with the authority to reduce gun violence in this country have once again offered nothing more than thoughts and prayers. Rightwing lawmakers crow about law and order while bending at the knee for the NRA – the industry flacks for the ultimate threat to public safety. The hypocrisy is lost on no one. This country will continue to suffer from disproportionate levels of gun deaths and mass shootings until the lawmakers who are holding up commonsense gun reform stop talking out of both sides of their mouth and make public safety a priority.

Meanwhile, the president offered his prayers:


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/youtube_hq_shooting_nasim_aghdam/

One-Third of Internal User Accounts Are ‘Ghost Users’

Attackers and malware can easily move laterally through an organization, thanks to inadequate access controls on file systems and a proliferation of inactive but enabled users.

Meager access controls on folders and file systems are leaving organizations wide open to the lateral movement of attackers and malware, according to a new report.

Security firm Varonis analyzed data risk assessments performed by its engineers on 130 companies and 5.5 petabytes of data through 2017. What concerns Varonis technical evangelist Brian Vecci most is that companies left 21% of all their folders open to everyone in the company.

“That’s absurd,” he says, noting that this openness enables attackers and malware to penetrate one user and spread laterally throughout a network. “In a world where businesses are being taken down by ransomware, how could you possibly let a fifth of your file system be taken down by any one user making a mistake?”

Sensitive folders and files are among the overexposed. Thirty percent of companies leave more than 1,000 sensitive folders accessible to all employees, and 41% have more than 1,000 sensitive files accessible to all employees, according to the report. 

Adding to the risk of attackers’ lateral movement is the prevalence of user accounts that are “stale” – inactive, out of use – but still enabled. The Varonis assessments found that 34% of all users fall into this “ghost user” category; almost half (46%) of companies have over 1,000 ghost user accounts. 

Not only are users inactive, but the data is as well – more than half (54%) of companies’ data is stale, according to the report. Not only could this be a needless storage expense, but it puts organizations at higher risk of breaches and regulatory compliance violations.

“You ask anyone if they have data retention and destruction policies, everyone raises their hands,” says Vecci, “but if you ask ‘do you apply these policies to your file systems,’ the answer is almost always no.” 

His advice is to scan for sensitive data, map all access controls, and turn on monitoring. “In other words, know what you’ve got,” says Vecci. “If you just do these three things, companies would be so much further than they are right now. And it doesn’t need to be a big project.”
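The “know what you’ve got” step above is easy to script once you have exports of your directory and file-server ACLs. The following is an added example, not code from Varonis or Dark Reading: it reads two constructed CSV exports (the column names are assumptions, not a Varonis format), lists the ghost users, meaning accounts that are still enabled but have not logged on within a threshold, and the folders whose ACLs grant one of the “everyone in the company” groups, and produces the same two percentages the report quotes. The 90-day idle threshold, the BROAD_GROUPS set and the fixed TODAY date are assumptions for the example.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample exports (not data from the Varonis report), in the shape a
# scripted dump of user accounts and folder ACLs typically produces.
ACCOUNTS_CSV = """account,enabled,last_logon
alice,True,2018-03-28
bob,True,2017-06-01
svc_backup,True,2017-11-15
carol,False,2016-02-10
dave,True,
erin,True,2018-04-01
"""

FOLDERS_CSV = r"""path,sensitive,principals
\\fs01\finance\payroll,True,Domain Admins;Payroll
\\fs01\public\templates,False,Everyone
\\fs01\hr\reviews,True,Everyone;HR
\\fs01\eng\build,False,Authenticated Users
\\fs01\legal\contracts,True,Legal
"""

# Fixed "now" so the example is reproducible (assumption for the example).
TODAY = date(2018, 4, 4)

# Principals whose presence on an ACL means "open to everyone in the company".
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}


def ghost_users(csv_text, today, max_idle_days=90):
    """Enabled accounts with no logon in max_idle_days, or no logon at all.
    Disabled accounts are skipped: the risk is stale *and* still usable."""
    ghosts = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["enabled"] != "True":
            continue
        last = row["last_logon"]
        if not last:                      # never logged on
            ghosts.append(row["account"])
            continue
        idle = (today - date.fromisoformat(last)).days
        if idle > max_idle_days:
            ghosts.append(row["account"])
    return ghosts


def open_folders(csv_text):
    """Folders whose ACL grants a broad group; returns (all_open, sensitive_open)."""
    all_open, sensitive_open = [], []
    for row in csv.DictReader(StringIO(csv_text)):
        principals = set(row["principals"].split(";"))
        if principals & BROAD_GROUPS:
            all_open.append(row["path"])
            if row["sensitive"] == "True":
                sensitive_open.append(row["path"])
    return all_open, sensitive_open


def summary(accounts_csv, folders_csv, today):
    """The two headline numbers from the report, plus the list that needs fixing."""
    accounts = list(csv.DictReader(StringIO(accounts_csv)))
    folders = list(csv.DictReader(StringIO(folders_csv)))
    ghosts = ghost_users(accounts_csv, today)
    opened, sensitive = open_folders(folders_csv)
    return {
        "ghost_pct": round(100 * len(ghosts) / len(accounts)),
        "open_folder_pct": round(100 * len(opened) / len(folders)),
        "sensitive_open": sensitive,
    }


if __name__ == "__main__":
    print(summary(ACCOUNTS_CSV, FOLDERS_CSV, TODAY))
```

On the sample data half the accounts are ghosts (one of them a service account, which is typical) and three of five folders are open, one of them flagged sensitive. Feeding real exports from Get-ADUser and Get-Acl, or their equivalents on other platforms, into the same two functions gives you the inventory Vecci is asking for.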


Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/operations/identity-and-access-management/one-third-of-internal-user-accounts-are-ghost-users/d/d-id/1331443?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Securing Retail Networks for an Omnichannel Future


Retailers who haphazardly move to digital from a brick-and-mortar environment can leave their businesses open to significant cybersecurity vulnerabilities. Here’s how to avoid the pitfalls.

A spate of bad news for former retail giants like Toys ‘R’ Us and mall-staple Claire’s has cast a dark shadow over the state of brick-and-mortar retail. But the truth of the matter isn’t that retailers will be abandoning their physical footprints going forward. It’s indicative of a larger trend toward more digital, mobile and distributed operations that has been upending processes across industries – and changing how consumers interact with brands in the physical world, rather than retiring the brick-and-mortar storefront altogether.

In fact, rumors started circulating not long after Toys ‘R’ Us announced they’d be shuttering their entire network of more than 400 stores stateside that Amazon – the company most-cited as the death knell for brick-and-mortar – would be swooping in to purchase a wide swath of the toy seller’s former real estate at bargain-basement prices. The goal would be to both expand Amazon’s number of physical storefronts – from Whole Foods grocery stores, to bookstores, to Amazon Go ‘bodegas’ – while also supporting online shopping operations by creating a larger network of micro distribution centers.

What’s really happening is that retail is becoming omnichannel, which means retailers need to be everywhere. It’s not a binary choice between brick-and-mortar or online shops but having a play in both arenas PLUS on social media and an array of IoT interfaces. The bad news is that retailers who haphazardly dive into the omnichannel world can leave their businesses open to significant cybersecurity vulnerabilities, which could send brands down the same path as Claire’s or Toys ‘R’ Us despite their best efforts.

Managing Distributed Networks Requires a Unique Touch
A retailer’s network infrastructure has to support all of the brand’s omnichannel efforts, and as the brand adds outreach channels (an online store, for example) that infrastructure becomes so distributed that the network perimeter is nearly impossible to track. This calls for robust gateway defenses that assure that all traffic crossing the network threshold to reach sensitive corporate data is legitimate.

This will be an especially difficult challenge for retailers given the diversity of data – in volume, size and sensitivity – that security teams will be tasked with securing, and the many different levels of access that will need to be assigned.

Point-of-sale systems (POS), for instance, are already becoming much more than just transaction terminals. The wireless devices that many companies are adopting for POS have access to inventory information within the store, in far-off warehouses and other branch locations to assure that no shopper leaves the building unsatisfied, even if that means the item they planned on walking out with is instead shipped to their home. At the same time, these devices will be processing sensitive customer payment information that requires a much higher level of security than inventory data (which, by design, should be transparent and widely accessible).

Security teams need an up-to-date directory of users and devices, each with assigned permissions, that their web gateways can quickly reference to identify potentially suspicious traffic. From there, they should set a baseline of expected traffic by device type (frequent traffic between a POS tablet and a warehouse on a busy Saturday, for instance). That baseline makes it easier to spot which activities are anomalous, and whether an unidentified user or device is attempting to cross the perimeter in the first place.

Separate the Most Sensitive Data
From there, transaction information and other sensitive traffic needs to be vetted through dedicated tools that isolate this information from less-sensitive data, such as inventory figures. This means that retailers should leverage dedicated gateways or paths into the network for transaction data, and similarly separate gateways and pathways for more innocuous information passing in and out of the network.

Inevitably, this will make cybersecurity a more delicate dance than it had been in the past for security and network administrators. That isn’t to say that an organization has to create more splintered operations simply because teams will need distinct capabilities to secure different kinds of traffic. Cloud-based security solutions, for instance, usually enable management of network information through a single console or interface, whereas hardware may require separate management per-device. On the flip side, businesses with sensitive data need to be wary about the information they send into shared-cloud environments, as it may be more prone to breaches by shared parties. The shift to omnichannel will require brands to weigh their priorities and the nature of their data to find a solution that fits best for their interests.

By being able to clearly isolate traffic, identify high-priority data, and secure it all cohesively, brands can more easily transition into an omnichannel future without inadvertently opening themselves up to business-killing data breaches.


As president and co-founder of iboss, Peter Martini has played a major role in developing iboss’ innovative technology, and has helped shepherd iboss’ phenomenal growth, since its founding. He has been awarded dozens of patents focused on network and mobile security, and with …

Article source: https://www.darkreading.com/partner-perspectives/iboss/securing-retail-networks-for-an-omnichannel-future/a/d-id/1331417?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Removes Russia-based Internet Research Agency-Controlled Pages

CSO Alex Stamos explains why the company deleted 70 Facebook and 65 Instagram accounts, and 138 Facebook pages.

Facebook has removed 70 Facebook accounts, 138 Facebook pages, and 65 Instagram accounts controlled by the Russia-based Internet Research Agency (IRA), chief security officer Alex Stamos reported this week.

Of the pages with content, 95% were written in Russian and directed at Russian speakers both within Russia and around the world, including in nearby countries such as Azerbaijan, Uzbekistan, and Ukraine. About 1.08 million Facebook users follow at least one of the deleted pages, and about 493,000 users follow at least one of the 65 Instagram accounts, Stamos writes in a blog post.

The pages and accounts were removed solely because they were controlled by the IRA and not because of their content, he explains. Topics included commentary on domestic and international political issues, and promotion of Russian culture and tourism.

In February 2018, the IRA was one of three Russian entities indicted by US Special Counsel Robert Mueller for interference in the 2016 US presidential election. The indictment also accused 13 Russian nationals of influencing the results using the social platforms Facebook, Instagram, Twitter, and YouTube. They allegedly concealed their identities and IRA affiliation by using stolen data, including Social Security numbers and birthdates of real American citizens.

“The IRA has consistently used inauthentic accounts to deceive and manipulate people,” Stamos writes. “It’s why we remove every account we find that is linked to the organization — whether linked to activity in the US, Russia or elsewhere.” He says he anticipates more IRA-linked accounts will be discovered and if they are, they too will be taken down.

Read more details and view samples of the Pages here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/facebook-removes-russia-based-internet-research-agency-controlled-pages-/d/d-id/1331449?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Active Cyber Defense Is an Opportunity, Not a Threat

If honest citizens can be tracked online with cookies and beacons that share where we are and what we are doing, then why should security professionals restrict their ability to hack attackers?

You could be forgiven for believing the World Wide Web is the Wild Wild West. The pervasiveness of cyberattacks certainly makes it seem as if we are living in a lawless period. Yet we are not without law enforcement. The FBI’s Cyber Division and its Internet Crime Complaint Center (IC3) have a proven track record when it comes to investigating and reporting on cybercrime.

Many major cybercriminals have been brought to justice over the years, from TJX hacker Albert Gonzalez to Mirai botnet developers Paras Jha and Josiah White. We must give credit to the authorities for their ability to close these cases. While some of us working in the security realm have suggested that law enforcement doesn’t have sufficient resources to deal with cyberattacks, the real challenge is that most organizations are unprepared to share information in a timely manner (if at all). For example, business email compromise attacks reported in the first 24 hours can often be reversed. True, cybercrimes are difficult to track and attribute, but it is even harder when attacks are not reported.

Why then, is there such resistance to the Active Cyber Defense Certainty Act? Why would we want to prevent organizations from joining in the fight against malicious actors?

The Active Cyber Defense Certainty Act is not without precedent. In our physical world, many states already recognize “Stand Your Ground” laws and the Castle Doctrine to protect ourselves and our property from coming to harm. And when it comes to cyberspace, security researchers have long used honeypots to capture information about unauthorized intrusions.

In a similar vein, Internet marketers have long tracked user activity with cookies and beacons that share where we are, what we are doing and what we are reading. If honest citizens can be tracked online, then why should we restrict the ability to track attackers? If we could apply similar techniques to attacks and our attackers, then we suddenly have a powerful source of information for our law enforcement agencies. And if we acknowledge that law enforcement agencies are under-resourced, then why wouldn’t we want to provide them this resource?

Isn’t it possible that so many cases go cold because law enforcement doesn’t find out about the attack until long after it happened? Isn’t it possible that a lack of solid attribution is what makes it so difficult for law enforcement to prioritize an effective response? This all just goes to show the inherent value of the Active Cyber Defense Certainty Act if it is approached with a positive intent.

Fears about ‘Hacking Back’ Are Overemphasized
The real challenge for the Active Cyber Defense Certainty Act is that the security industry has developed a straw-man argument around “hacking back” that is filled with slippery slopes. The fear is that the Active Cyber Defense Certainty Act will open a Pandora’s box of hacking. Responding to attacks with malware could have such effects, but that is not what the Active Cyber Defense Certainty Act proposes. Malware can “escape” the systems on which it is unleashed, as Stuxnet did, but the other active measures under discussion (tracking, automated interaction with criminals, honeypots) have no such control problem: they stay where you put them. I fail to understand why a responsible organization would “unleash” a hack-back technique beyond its control. I trust the focus and judgment of my colleagues in the security profession.

Suggesting that organizations should not be able to deploy resources to track down who is attacking them is to deny those very same resources to law enforcement by proxy, since the evidence extracted by security controls would be fed to law enforcement. It is short-sighted advice.

Certainly, some organizations will not have the internal resources to gather counterintelligence, but that just suggests the need for external security controls that help them perform this task in a controlled and auditable manner.

This is where the focus of the discussion should be: how can organizations without sufficient internal resources to track attacks outsource the task, obtaining threat intelligence in return, and helping feed data to law enforcement that helps their activities? I am confident that the information security community is prepared to help fill the need for active cyber defense, to the benefit of organizations and law enforcement, as well as preventing potential future victims.

This commentary was written in response to Hacking Back the Digital Wild West, by Levi Gundert.



Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company’s security research with a …

Article source: https://www.darkreading.com/perimeter/active-cyber-defense-is-an-opportunity-not-a-threat/a/d-id/1331420?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Iran ‘the New China’ as a Pervasive Nation-State Hacking Threat

Security investigations by incident responders at FireEye’s Mandiant in 2017 found more prolific and sophisticated attacks out of Iran.

Of the four new advanced persistent threat (APT) groups christened by FireEye last year, three were out of Iran.

Mandiant, the incident response services arm of FireEye, witnessed a major increase in nation-state hacking activity by Iranian attackers in 2017, especially on the cyber espionage side of things. Iranian groups now are maintaining and keeping a foothold in victim organizations for months and sometimes years, demonstrating their sophistication, according to Mandiant’s newly published M Trends Report on its incident investigations in 2017.

“In a way, it felt like Iran was the new China,” notes Charles Carmakal, a vice president at Mandiant. “There were so many Chinese threat actors in operations [in previous years], it felt like everyone had at least one Chinese actor” attacking them, he notes.

This time, it was Iran, which was one of the most prolific and pervasive nation states last year, he says. “In 2017, it felt like Iran was all over the place.”

Security researchers and incident responders from various organizations have been well aware of Iran’s increasing sophistication and expansion of its cyber operations. It’s come a long way from its unsophisticated yet effective distributed-denial-of-service (DDoS) hacktivist-style attack MO that came to a head in late 2011 through 2013, when a DDoS campaign crippled US bank networks. The DDoS campaign hit a crescendo in September of 2012, in some cases reaching 140-gigabits-per-second of unwanted data traffic to the banks’ networks, resulting in hundreds of thousands of banking customers unable to access their bank accounts online. The attacks cost victims tens of millions of dollars.

“When I first started tracking Iran groups in 2012, it felt like we were dealing with a bunch of amateurs with no real technical capability. They could have been confused with Anonymous … their weapon of choice was DDoS,” Carmakal says. “Today, they’ve figured out how to organize, fund, and develop tools and are very successful in their offensive operations.”

Adam Meyers, vice president of intelligence at CrowdStrike, says it’s not so much that Iran is employing more sophisticated cyberattack weapons: they are just more savvy in how they employ them. “It’s the sophistication around their tradecraft, methodologies, and operations,” he says. “Their weapons are not that much more advanced. It’s the way they use them [now].”

Iranian attackers in 2012 deployed the data-destruction Shamoon attacks on two Middle East targets including Saudi Aramco, which was the first signs of a more aggressive and evolving Iranian threat, he says. Today, the geopolitical cloud of questions over whether the US will continue the Iranian nuclear deal or reinstitute sanctions against Iran could ultimately elicit more destructive attacks against US financial organizations if things don’t go Iran’s way. “If they want to hurt us, they want to go after financial” institutions, Meyers says.

Mandiant now considers Iran nation-state groups on par with other nation-states in terms of the pace and scale of their attacks, including employing Web server attacks that gather multiple victims. “Rather than relying on publicly available malware and utilities, they develop and deploy custom malware. When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals,” according to the M Trends Report.

Carmakal says it’s known that some Iranian groups have access to Western organizations, so the US could be next in line as a target of a destructive-type attack from Iran. 

That’s something that Tom Kellermann, chief cybersecurity officer at Carbon Black, is predicting to occur in the wake of the Trump administration’s tough rhetoric and possible policy changes against Iran. “Iran and North Korea never had true A teams,” he says, but Iran’s operations have evolved and could well be turned on US targets in the near-term.

Iran’s destructive bent is where it’s very different from Chinese APTs, which typically focus on cyber espionage and stealing intellectual property.

APT35

Mandiant investigated a security incident targeting an energy company early last year that illustrated Iran’s more strategic cyber espionage capabilities. APT35 – aka Newscaster and newly added to Mandiant’s list of APT groups – was the culprit. APT35 typically gathers intel from US and Middle Eastern military, as well as diplomatic, government, media, energy, defense industrial base, engineering, business services, and telecommunications sector targets.

In the energy company attack, APT35 infected the target via a spear phishing email with a link to a phony resume that was hosted on a compromised, but legitimate website. The resume was infected with the PUPYRAT backdoor, and the attackers dropped a custom backdoor called BROKEYOLK onto the compromised system that allowed the attackers to use the victim’s VPN credentials to log into their company systems. In all, APT35 stole credentials from 500 systems in the victim’s network.

The hackers also used Exchange PowerShell cmdlets to alter mailbox permissions in the target’s email system and then read mail through the organization’s Outlook Web Access portal without attracting attention. “Mandiant observed that the attacker had granted compromised accounts read access to hundreds of mailboxes with the ‘Add-MailboxPermission’ cmdlet,” Mandiant said in its report.

That was all APT35 needed to read emails and steal data on Middle East organizations that they later targeted in data-destruction attacks, according to Mandiant.
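Every Add-MailboxPermission call lands in the Exchange admin audit log, so the tradecraft above is detectable after the fact. The following is an added detection example, not code from Mandiant or Dark Reading. It assumes the audit log has been exported as JSON lines using the record’s own field names (RunDate, Caller, CmdletName, ObjectModified, CmdletParameters), with CmdletParameters flattened to a name/value dictionary, which is an assumption about the export rather than a fixed format. The log entries, the five-mailbox threshold, the 24-hour window and the self-grant heuristic are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (values made up for the example): one account
# granting itself read access to five executive mailboxes within minutes,
# one routine delegation by an Exchange admin, and an unrelated cmdlet.
AUDIT_LOG = r"""{"RunDate": "2017-02-03T01:12:09", "Caller": "corp\\jsmith", "CmdletName": "Add-MailboxPermission", "ObjectModified": "corp.example/Users/CFO", "CmdletParameters": {"User": "corp\\jsmith", "AccessRights": ["ReadPermission"]}}
{"RunDate": "2017-02-03T01:12:31", "Caller": "corp\\jsmith", "CmdletName": "Add-MailboxPermission", "ObjectModified": "corp.example/Users/CEO", "CmdletParameters": {"User": "corp\\jsmith", "AccessRights": ["ReadPermission"]}}
{"RunDate": "2017-02-03T01:13:02", "Caller": "corp\\jsmith", "CmdletName": "Add-MailboxPermission", "ObjectModified": "corp.example/Users/Legal Counsel", "CmdletParameters": {"User": "corp\\jsmith", "AccessRights": ["ReadPermission"]}}
{"RunDate": "2017-02-03T01:13:40", "Caller": "corp\\jsmith", "CmdletName": "Add-MailboxPermission", "ObjectModified": "corp.example/Users/HR Director", "CmdletParameters": {"User": "corp\\jsmith", "AccessRights": ["ReadPermission"]}}
{"RunDate": "2017-02-03T01:14:15", "Caller": "corp\\jsmith", "CmdletName": "Add-MailboxPermission", "ObjectModified": "corp.example/Users/IT Admin", "CmdletParameters": {"User": "corp\\jsmith", "AccessRights": ["ReadPermission"]}}
{"RunDate": "2017-02-03T09:30:00", "Caller": "corp\\exchadmin", "CmdletName": "Add-MailboxPermission", "ObjectModified": "corp.example/Users/VP Sales", "CmdletParameters": {"User": "corp\\assistant", "AccessRights": ["FullAccess"]}}
{"RunDate": "2017-02-03T10:00:00", "Caller": "corp\\exchadmin", "CmdletName": "Set-Mailbox", "ObjectModified": "corp.example/Users/VP Sales", "CmdletParameters": {"Identity": "VP Sales"}}
"""

THRESHOLD = 5                 # distinct mailboxes granted to one account...
WINDOW = timedelta(hours=24)  # ...within this span triggers an alert (assumed)


def parse(log_text):
    """Keep only Add-MailboxPermission records, as flat dicts sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["CmdletName"] != "Add-MailboxPermission":
            continue
        params = rec["CmdletParameters"]
        events.append({
            "when": datetime.fromisoformat(rec["RunDate"]),
            "caller": rec["Caller"],
            "grantee": params["User"],
            "mailbox": rec["ObjectModified"],
            "rights": params["AccessRights"],
        })
    events.sort(key=lambda e: e["when"])
    return events


def mass_grants(events, threshold=THRESHOLD, window=WINDOW):
    """Grantees given access to >= threshold distinct mailboxes inside any
    window-long span. Returns {grantee: sorted list of mailboxes}."""
    by_grantee = defaultdict(list)
    for e in events:
        by_grantee[e["grantee"]].append(e)
    hits = {}
    for grantee, evs in by_grantee.items():
        start = 0
        for end in range(len(evs)):           # sliding window over sorted events
            while evs[end]["when"] - evs[start]["when"] > window:
                start += 1
            boxes = {e["mailbox"] for e in evs[start:end + 1]}
            if len(boxes) >= threshold:
                hits[grantee] = sorted(boxes)
                break
    return hits


def self_grants(events):
    """Grants where the caller gave rights to its own account: a compromised
    admin extending its own reach rather than delegating for someone else
    (heuristic assumed for the example)."""
    return [(e["caller"], e["mailbox"], e["rights"])
            for e in events if e["caller"] == e["grantee"]]


if __name__ == "__main__":
    evs = parse(AUDIT_LOG)
    print("mass grants:", mass_grants(evs))
    print("self grants:", self_grants(evs))
```

On the sample log, corp\jsmith trips both rules while the admin’s single FullAccess delegation to an assistant does not; the thresholds are a starting point, and in a real tenant you would tune them against a week of legitimate delegation activity before alerting on them.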

“Like Chinese [APTs], they stole gigabytes of data,” Carmakal says. It wasn’t clear why they stole some of the information, however, he says.

In addition to APT35, Mandiant also named two other Iranian threat groups officially last year, APT33 and APT34, plus one out of Vietnam, APT32 aka Ocean Lotus.

Whack-A-Mole

Another telling trend from Mandiant’s IR cases: nearly half of its clients with at least one high-priority attack discovery were hit again within a year. Some 56% of all managed detection and response customers whose IR cases Mandiant investigated were hit again by the same threat group or another group going after the same data or goals.

“In our experience, a fair amount of organizations who are targeted and compromised will continue to be,” Carmakal says. Nation-state attackers, for instance, don’t give up once they’ve been kicked out of a target’s network. “They want access to it again,” so they update and enhance their attack methods over and over, he says.

Mandiant often finds multiple hacking teams inside a targeted organization. And it seems most are unaware that they are competing with one another for access and data in the target. “It’s rare for them to be looking for evidence of other threat actors. We don’t think they knew the others were in there” too, he says. “They might know they have competition,” however.

And in a bit of positive news, Mandiant found in its 2017 IR engagements that victim organizations are getting better at detecting attacks on their own, rather than relying on third parties to alert them. The median time for internal detection was 57.5 days for organizations around the world, down from 80 days in 2016. And 62% of attacks last year were detected internally, up from 53% in 2016.

“This is important because our data shows that incidents identified internally tend to have a much shorter dwell time,” the report says.

On the flip side: worldwide, the median dwell time from compromise to discovery went up to 101 days, from 99 in 2016.

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/perimeter/iran-the-new-china-as-a-pervasive-nation-state-hacking-threat/d/d-id/1331450?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New DARPA Contract Looks to Avoid Another ‘Meltdown’

A new DARPA contract with Tortuga Logic intends to field chip emulation systems to test security before processors hit manufacturing.

The Defense Advanced Research Projects Agency (DARPA) has signed a contract with Tortuga Logic to develop hardware that integrates Tortuga Logic’s hardware security models with commercial emulation platforms to fully test an entire chip design running a full software stack.

As part of the contract, participants of the DARPA System Security Integrated Through Hardware and Firmware (SSITH) program will have early access to the emulation platforms that come from the research. The goal of the SSITH program is to develop hardware that is inherently more secure from the design process forward.

Tortuga Logic will build the emulation system on its two software suites, Prospect and Unison. The project will use the Palladium platform from Cadence Design Systems for the emulation component and will use the RISC-V processor architecture and sample design for initial prototyping and testing.

Avoiding a repeat of the Spectre and Meltdown vulnerabilities by helping implement a secure development lifecycle is a key goal of the project. Meltdown, Spectre, and the related vulnerabilities affecting Intel, ARM, and AMD chips are examples of hardware security flaws that are exploited only once chips are already in the wild.

For more, read here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/new-darpa-contract-looks-to-avoid-another-meltdown/d/d-id/1331452?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Those Facebook videos you thought were deleted were not deleted

Hang onto your hats for this data-retention non-shocker: Facebook’s retained user data it shouldn’t have.

In this most recent case, the content in question is users’ supposedly deleted videos. Facebook’s blaming a bug for the fact that those videos hung around…

…which users found out when many of them downloaded their Facebook data archive (an advisable step to take on the road to nuking your account) in the wake of the Cambridge Analytica (CA) data-strophe.

The ZIP file Facebook pulls together contains all the data it has on you: your status updates, your friend list, your messages, plus what New York Magazine’s Madison Malone Kircher last week reported to be “every video you ever filmed on the platform – including videos you never published.”

Kircher and the many other Facebook users around the world who discovered the undead videos aren’t the only ones to have come across surprising things in their data archives.

Also last week, many were shocked to discover, when they peeked into their archives, that Facebook had been logging call and text data since they downloaded the Facebook app for Android.

(They shouldn’t have been surprised, given that it was done with their permission. But it’s one thing to tick off “Yes do that” and quite another to suddenly come face to face with logs of your every call and your every text.)

Kircher said last week that her sister Bailey downloaded her archive. Bailey found what you’d expect: contact lists, relationship statuses. What she didn’t expect: multiple videos of herself, playing a scale on her wooden flute, taken as she tried to get a good version to post on a friend’s page.

She filmed quite a few videos, apparently. Here’s one clip New York Magazine posted to YouTube. In it, Bailey, perhaps exaggerating but most definitely exasperated as she sighed and reached for the stop recording button, said it was “Take 13.”

It wasn’t just Bailey: Kircher found clips that looked like they’d never been posted but which Facebook saved anyway. She says the difference is obvious, given the lack of comments on draft videos.

One of her co-workers found over 100 videos in her archive, only a third of which she says she ever publicly posted. Others? They include videos “of me just checking my teeth,” said Kircher’s colleague, Brittany Stephanis. Bailey found videos that she had taken with Facebook’s desktop camera, of musical rehearsals and cheerleading, which she reviewed and then, as far as she knew, erased.

Facebook looked into the issue following NY Mag’s report. On Monday, the publication printed a follow-up with a statement from Facebook saying that it eventually found a bug that kept the draft videos from being deleted. It’s in the process of deleting them now:

We investigated a report that some people were seeing their old draft videos when they accessed their information from our Download Your Information tool. We discovered a bug that prevented draft videos from being deleted. We are deleting them and apologize for the inconvenience. We appreciate New York Magazine for bringing the issue to our attention.

Wait. Is Facebook really deleting the videos this time around, or is it “deleting” the videos, only to have them rise from the grave somewhere down the line?

Kircher asked. She was still waiting for a reply as of Monday:

[NY Mag] has asked Facebook if there is any way for users to confirm that the platform has actually deleted their old videos and will update this post if we hear back.

According to the Daily Dot, Facebook swears that none of the videos were ever shared with the public. OK. But were the videos used for other purposes? Say, targeted advertising or other marketing?

“It’s still unclear,” the Daily Dot reports.

What’s not unclear: how to download your own Facebook data archive to search for whatever surprises might lie within… and to then delete your account if the spirit moves you. Here’s how!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lEXW-SPgO28/