Incident ‘Management’: What IT Security Can Learn from Public Safety

How a framework developed for fighting California wildfires back in the ’70s can fortify first responders to a modern cyberattack.

The increasingly dynamic nature of attacks and high cost of data breaches have forced many organizations to supplement protection measures with internal or outsourced incident response capabilities. When designing an incident response program, it is vital to consider not only incident response, but also incident management. Although the two terms are often used interchangeably, there is an important distinction between response and management.

Response consists of actions taken to investigate, contain, and eradicate an incident, and then recover from it. Management consists of actions taken to plan for, oversee, coordinate, and manage an incident response process, and then conduct post-incident activities.

Failing to have proper management practices in place can lead to an inefficient and ineffective response, which can result in millions of dollars in lost revenue or fines as well as disruptions to business and organizational damages. Even seasoned IT teams require structure and leadership to successfully respond to an incident.

The Incident Command System (ICS) was developed in the 1970s by authorities in California to establish a reliable and repeatable process for responding effectively to dangerous and life-threatening incidents after a series of large, fatal wildfires. Due to its success, it was quickly adopted by agencies across the country and the world. ICS gives first responders a formal, scalable, standardized approach to managing critical incidents. Many of the philosophies and best practices of ICS are also present in corporate America, although often in a less formal manner.

For the purposes of this article, we will refer to ICS as IMS (Incident Management System), since incident management is a more familiar term in the security industry. Let’s examine IMS and how it can streamline the overall incident response process.

What Is IMS?
IMS is a framework developed and refined through decades of use to effectively manage incidents of any size and complexity. One of the core tenets of IMS is that it is both flexible and scalable: each incident requires a distinct set of resources and tactics, and IMS is designed precisely to accommodate that variation.

IMS includes many familiar concepts, such as using common terminology, incident action planning (tabletop exercises and runbooks) and comprehensive resource management (asset inventory). However, there are several other core IMS concepts that, while they may seem like common sense, are often overlooked in most incident response programs. For example, here are four core concepts that should be part of any incident management system:

Concept 1: Appoint a Coordinator, Follow a Top-Down Structure … and Stay Flexible
To maximize the efficiency of IMS, you must first appoint an incident response coordinator (IRC), who will oversee all aspects of the response process. This role works with a top-down command structure, meaning that as the scope of an incident expands, tiers of stakeholders are added, with each tier reporting upward toward the IRC.

The tiered structure enables two other key tenets of IMS: each person should report to only a single supervisor, and each supervisor should oversee no more than six to seven people.

Concept 2: Optimize Information Management
To ensure the efficiency of an IMS, information must flow smoothly up and down the chain of command. When information does not flow properly, managers are forced to make decisions based on incorrect or incomplete information, while responders cannot fully address management’s questions or meet their objectives. The uninhibited flow of information is critical in effectively responding to an incident, and its absence is one of the most common reasons for a response process to fail.

Concept 3: Engage All Stakeholders
For IMS to succeed, an organization must involve all stakeholders in the process, both in training and implementation. All possible stakeholders should be aware of how IMS is implemented in the organization and their respective roles in the process. This is especially true for ancillary team members, such as human resources, legal, or finance, who may be unfamiliar with the incident response process.

Concept 4: Practice Makes Perfect
As is the case with most processes, the more an IMS is used, the more comfortable all stakeholders will be with it, and the easier the process will be to implement under stressful conditions. While tabletop exercises and training sessions are invaluable, there is no substitute for experience under real-world conditions. Implementing IMS for all incidents will ensure that when the time comes to implement it during a large-scale incident, all stakeholders will be comfortable with the process.

A good training approach is to do an annual tabletop or walk-through response exercise simulating an incident that grows large enough to involve a large portion of the IMS. The first year’s exercise should focus on the core group of stakeholders, typically the information security and information technology groups.

Subsequent exercises should be extended to include ancillary stakeholders such as legal, human resources, executive management, and communications. This second exercise will ensure that ancillary stakeholders have a cursory familiarity with the IMS system and their respective potential roles.

Planning, preparation, and simulation are the surest way to be ready to respond to a security incident in a controlled and efficient fashion.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

John Moran is a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of …

Article source: https://www.darkreading.com/attacks-breaches/incident-management-what-it-security-can-learn-from-public-safety/a/d-id/1331120?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security Starts with the User Experience

Preventing a data breach is safer and more cost-effective than dealing with a breach after it has already happened. That means a focus on security in the design phase.

In a 1912 poem by Joseph Malins, a village debates how best to deal with a dangerous cliff. The town is torn over the decision whether to build a fence around the edge of the cliff or place an ambulance down in the valley. The townspeople decide to fund an ambulance, until a wise man suggests a preventative approach:

Then an old sage remarked, “It’s a marvel to me
that people give far more attention
to repairing results than to stopping the cause, 
when they’d much better aim at prevention.”

There’s no question that preventing a data breach is much safer and more cost-effective than dealing with a breach after it has already occurred. Implementing specialized tools and tactics for data breach response is reactive, like funding the ambulance in the valley. Many breaches, both accidental ones based on user error and malicious attacks, could have been avoided had companies thought about security in the product design phase — if there had only been a “fence” built into the user experience.

The most recent example can be seen in the missile alert that was incorrectly sent to Hawaiians in January 2018. An investigation into the incident determined “that insufficient management controls, poor computer software design and human factors contributed” to the alert and a delayed correction message. While it is impossible to say that the situation could have been totally avoided, a design that deterred sending out actual alerts could have made quite a difference. What might have happened if, after the employee had clicked to send the alert, he had been prompted with a second step to acknowledge the gravity of his action, or if a supervisor’s approval had been required? Changing the user experience could have helped prevent this unintended scare.

Another recent breach that could have been avoided or lessened by secure design is the 2017 Republican National Committee data breach, when it was discovered that a database containing personal details of more than 198 million American voters was exposed. The data was left unprotected after a software upgrade, when the analytics company storing files containing the information failed to re-enable password protection.

As with most breaches, there were numerous failures in this situation. This large amount of sensitive information deserved better protection than a simple website password as its defense. The fact that the upgrade required the password protection to be removed is bad; the fact that the upgrade didn’t notify IT personnel to re-enable it is worse. Additionally, the ideal design would have separated the names of the voters from their information altogether.

According to the 2017 Beazley Breach Insights report, unintended disclosures were the cause of a shocking 42% of healthcare-related breaches. These breaches typically are caused by employee error, such as misdirected faxes or improperly released discharge papers. As these processes increasingly are done digitally, properly designed user interfaces can help to reduce or eliminate human error. Additionally, they can warn individuals of risky behaviors before they happen. Imagine seeing a warning that said “You are about to export 135 medical records without encryption. Disclosure of this file could result in up to $6.75 million of HIPAA fines. Do you want to continue?”

Opportunities to protect information in advance arise every day, and not only in the situations involving publicized failures. Consider, for example, an application to help accountants prepare their clients’ taxes. This app would collect tax information and store tax returns for easy access. The app should make it very easy for the accountant to search for and view relevant information. However, the application should be designed in a way that makes it very difficult to download an Excel sheet documenting all their clients’ Social Security numbers and income. Instead of a simple export button, the designer could implement an approval process, or it could just be difficult to aggregate such information. It would also make sense to warn the user before sensitive information is downloaded in bulk — and inform supervisory personnel as well. The goal for the designer is to give an incentive for safe and secure use, and mitigate or prevent system abuse.

Real and hypothetical situations to protect information with better user experience exist across all industries and types of systems. It is easy to show how a design flaw could create a crisis, while prudent design could prevent or minimize the likelihood of one. The best mechanism to prevent these crises is at the design stage. Developers must always consider making it easier for individuals to do the safer activities, and harder for them to do the unsafe ones. Take the advice of the sage and spend the time to build the fence, rather than calling for an ambulance later.

For nearly two decades, Peter Hesse has leveraged his passion for technology and experience in security to develop successful solutions to interesting problems. From an exciting start developing the reference implementation of a standards-based certification authority for the …

Article source: https://www.darkreading.com/endpoint/security-starts-with-the-user-experience/a/d-id/1331118?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SAML Flaw Lets Hackers Assume Users’ Identities

Vulnerability affects single sign-on for SAML-reliant services including OneLogin, Duo Security, Clever, and OmniAuth.

A newly discovered vulnerability lets attackers take advantage of single sign-on (SSO) systems relying on Security Assertion Markup Language (SAML) and authenticate as another user without knowing his or her password.

Duo Security’s Duo Labs discovered the flaw and coordinated with the CERT/CC on disclosures from the affected vendors, which include Duo Security. The CERT/CC published an advisory on the flaw today.

SAML is an XML-based markup language used to authenticate to third-party applications. When a user authenticates to an application such as Office 365 or Salesforce, SAML redirects the browser to a company login page. After a successful login, the browser is redirected back to the third-party app and the user is granted access. SAML is popular among SSO services.

Step one of SSO authentication is via the Identity Provider (IdP), which checks usernames and passwords, verifies account status, and prompts for two-factor authentication. The IdP generates a signed SAML response, which it forwards to the service provider for validation. If the signature is valid, a string identifier in the SAML response identifies which user to authenticate.

Researchers at Duo Labs discovered many open-source libraries incorrectly use the results of XML DOM traversal and canonicalization APIs. An attacker can change SAML responses without altering the cryptographic signature and authenticate to applications as a legitimate user.

“Single sign-on simplifies authentication by letting you log into one service which, in turn, grants access to multiple services,” explains Kelby Ludwig, senior application security engineer at Duo. “If an attacker has access to one of the single sign-on systems, they can tamper with SAML in such a way they can log in as different users.”

The vulnerability lies in how XML comments inserted into a SAML response are handled. In most cases, the XML canonicalization algorithm removes comments before the signature is validated, which means an attacker can add comments to a SAML response without invalidating the signature.

All an attacker needs is an account on the same network as the target. They can change the content of their own SAML requests so a different user’s name appears as their own and bypass the primary authentication for the affected SAML provider.
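To make the parsing discrepancy concrete, here is an added example that is not taken from Duo’s advisory or from any of the affected libraries. It uses constructed `<Subject>` fragments (not real SAML responses) and Python’s standard `xml.dom.minidom`. `canonical_text` is a simplified stand-in for the comment-dropping canonicalization step the signature covers; `naive_name_id` reproduces the first-text-node pattern the advisories describe, and `robust_name_id` and `name_id_is_ambiguous` are the check a library author would add.

```python
from xml.dom import minidom

# Constructed <Subject> fragments standing in for part of a signed SAML
# assertion; they are not real SAML responses. AS_ISSUED is what an IdP would
# sign for the account "alice@example.com.test"; WITH_COMMENT is the same
# element after an XML comment has been spliced into the identifier text.
AS_ISSUED = "<Subject><NameID>alice@example.com.test</NameID></Subject>"
WITH_COMMENT = "<Subject><NameID>alice@example.com<!-- -->.test</NameID></Subject>"


def _name_id_element(xml):
    return minidom.parseString(xml).getElementsByTagName("NameID")[0]


def canonical_text(node):
    """Text content as a comment-dropping canonicalizer sees it: every text
    child concatenated, comment nodes skipped. Simplified stand-in for the
    c14n form that the XML signature is computed over."""
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def naive_name_id(xml):
    """The pattern behind the advisories: read only the first text node.
    A comment splits the identifier into two text nodes, so this stops early."""
    return _name_id_element(xml).firstChild.nodeValue


def robust_name_id(xml):
    """Hardened extraction: use the whole text content, which is what the
    signature actually covers."""
    return canonical_text(_name_id_element(xml))


def signature_input_unchanged(original, modified):
    """True when both documents canonicalize to the same identifier text,
    i.e. a signature over one would still verify against the other."""
    return canonical_text(_name_id_element(original)) == canonical_text(
        _name_id_element(modified)
    )


def name_id_is_ambiguous(xml):
    """Self-check a library can run on every response: flag any identifier
    whose first-text-node reading differs from its canonical text."""
    return naive_name_id(xml) != robust_name_id(xml)


if __name__ == "__main__":
    print("canonical form unchanged:", signature_input_unchanged(AS_ISSUED, WITH_COMMENT))
    print("naive reading :", naive_name_id(WITH_COMMENT))
    print("robust reading:", robust_name_id(WITH_COMMENT))
```

The lesson is that the identifier the service provider acts on must be derived from the same representation the signature protects. Reading the full text content (or rejecting any NameID whose text is split by a comment) closes the gap; a second, independent defence is the allowlist of identifier domains mentioned later in the article.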

Duo Labs identified the following affected vendors. CVEs have been assigned for:

  • OneLogin – python-saml – CVE-2017-11427
  • OneLogin – ruby-saml – CVE-2017-11428
  • Clever – saml2-js – CVE-2017-11429
  • OmniAuth-SAML – CVE-2017-11430
  • Shibboleth – CVE-2018-0489
  • Duo Network Gateway – CVE-2018-7340

This vulnerability affects each service relying on SAML in different ways. SAML IdPs and service providers are very configurable and there’s room for greater or lesser impact. For example, service providers that use email addresses and validate their domain against a whitelist are less likely to be exploited than those allowing arbitrary strings to identify users, researchers explain.

It’s important to emphasize that this flaw affects not only IdPs but also SAML libraries. When a vendor wants to add single sign-on, it may pull in one of these libraries, which increases the number of people affected. Anyone who uses one of these libraries should check whether they’re affected, says Steve Manzuik, director of security research at Duo Labs.

“Enterprises running products will have patches to install and vendors using affected libraries will have to issue patches as well,” says Manzuik. Remediation depends on the type of relationship a business has with SAML.

This vulnerability only lets an attacker bypass the first factor of authentication, so it helps if your SAML service provider uses two-factor authentication. However, if your IdP handles both first- and second-factor authentication, the flaw likely bypasses both.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/cloud/saml-flaw-lets-hackers-assume-users-identities/d/d-id/1331146?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

March Dark Reading Event Calendar Spans BlackOps to SecDevOps

These upcoming webinars will help you comprehend the mysterious machinations inside the minds of hackers and in-house developers.

Weary of chasing down vulns in bug-ridden homegrown apps or chasing after attackers whose moves you can never predict? Dark Reading’s webinars in March can help.

Wednesday, March 7 at 1 p.m. ET: Strategies for Improving Enterprise Application Security, with Brad Causey, CEO of Zero Day Consulting and Rami Elron, senior director of product management of WhiteSource. While most enterprises are focused on application scanning and remediation, many software development experts are advocating better, more secure application development initiatives that prevent vulnerabilities from occurring in the first place. In this webcast, experts on application security discuss the steps that enterprises can take to build security into the app development process. Register today and learn:

  • How to work more effectively with developers
  • How to maintain application security when developers are using containers to build and deploy apps
  • How to recognize and avoid the most common vulnerabilities that appear in homegrown enterprise applications
  • What security factors developers should consider when selecting open-source, third-party software components
  • How to work with DevOps teams to watch out for implementation errors as well as vulnerabilities

Register today.

Tuesday, March 13 at 1 p.m. ET: Why Hackers Attack: Understanding Threats and Motivations for Online Intrusion, with Chris Novak, co-founder and global director of the Verizon Threat Research Advisory Center and Travis Farral, director of security strategy for Anomali. To develop a strong defense, you must have a good understanding of who is likely to attack your organization – and why. In this webinar, experts discuss the different types of attackers that may test your defenses, and the different methods that each category of attacker might use to penetrate your systems. You’ll also get advice and recommendations on how to use your knowledge of attackers to build a more effective, customized defense that increases the security of your critical data. Learn:

  • Which attackers target what types of organizations, people and industries
  • Which attackers target what types of data and systems
  • How different attackers exploit or destroy systems
  • What questions you must ask your line-of-business managers in order to fully understand your organization, data, and the attackers who might target them

Register today.

Wednesday, March 21 at 2 p.m. ET: How Online Attackers Research Your Organization, with Chris Hadnagy, Chief Human Hacker at Social-Engineer LLC. Whether they are large or small, most targeted cyberattacks begin with some simple research on your organization. This process of collecting “open source intelligence” (OSINT) may include discovering employee information on e-mail or social networks, investigating your enterprise via sophisticated search techniques or the Dark Web, or basic social engineering methods that fool trusted users into giving up credentials or other information. In this webinar, top experts discuss the methods that online attackers use to perform reconnaissance on your organization – and they offer advice on how you can make it more difficult for attackers to collect the information they need to launch an exploit. Look for registration to open soon.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/march-dark-reading-event-calendar-spans-blackops-to-secdevops-/a/d-id/1331135?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NSA’s Rogers: No White House Request for Action Against Russian Hacking

US Cyber Command head Michael Rogers told the US Senate Armed Services Committee that actions to deter Russian hackers from interfering with upcoming US elections require an order from the White House.

NSA director and US Cyber Command head Admiral Michael Rogers today testified in an open hearing of the US Senate Armed Services Committee that his agency has not been asked to do anything about Russian hackers targeting the US election system. Rogers told the committee that he doesn’t “have the day-to-day authority” to authorize activity to counter the attacks, according to a Politico report.

A request for direct action would have to come from the President, through the Secretary of Defense. This is the second time in a month that the head of a US security agency has confirmed that no request to address Russian election interference has come from the White House. In testimony before the Senate Intelligence Committee on Feb. 13, Rogers, FBI Director Christopher Wray, CIA Director Mike Pompeo, Director of National Intelligence Dan Coats, Defense Intelligence Agency Director Lt. Gen. Robert Ashley, and National Geospatial-Intelligence Agency Director Robert Cardillo all confirmed that Russia had used “active measures” against the integrity of the 2016 US election and that the upcoming 2018 elections are a significant potential target.

Rogers said Russia continues to target the US election process in part because “… they haven’t paid a price … that is sufficient to get them to change their behavior.” He also confirmed that he has shared with individuals in the Trump administration his opinion on the attacks and what might be done to stop them. But Rogers said he has neither asked for, nor volunteered, a formal plan in writing.

When asked whether it might be possible to stop the cyberattacks at their point of origin, rather than simply working on a US endpoint defense, Rogers said that he felt a plan to do so could be developed that was both legal and implementable. As to whether it would be effective, Rogers was more cautious: “It depends on the specifics,” he said. “I don’t want to over-promise.”

Here is a video clip from CSPAN of Rogers’ testimony today:

Article source: https://www.darkreading.com/threat-intelligence/nsas-rogers-no-white-house-request-for-action-against-russian-hacking/d/d-id/1331147?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Memcached Servers Being Exploited in Huge DDoS Attacks

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211.

Multiple security vendors this week are warning about threat actors for the first time exploiting unprotected Memcached servers to launch dangerously large denial-of-service attacks against target organizations.

German DDoS mitigation service provider Link11, one of those to report on the new activity, says that over the past few days it has observed massive UDP attacks in which Memcached servers have been used as an amplification vector.

Each of the high-bandwidth attacks that Link11 observed in late February has exceeded 100 Gbps, with peaks of well over 400 Gbps. The attacks went on over multiple consecutive days and lasted up to 10 minutes on average, according to the company.

Akamai Technologies says that on Monday it mitigated a 190 Gbps Memcached attack that generated over 17 million packets per second. Cloudflare, another vendor to report on the previously unseen attack type, says that over the past two days it has seen an increase in UDP attacks arriving via UDP port 11211, the port associated with Memcached services.

The company says the peak inbound UDP Memcached traffic it has seen so far is 260 Gbps, which is massive for a completely new amplification vector.

Memcached is open source software that many organizations install on their servers to increase performance speed. It works by caching data in system memory and is designed purely for use behind firewalls and on enterprise LANs, says Link11 CTO Karsten Desler. But many organizations have deployed Memcached hosts that are completely accessible from the public Internet. All that attackers have to do is to search for these hosts and then use them to direct high-volume DDoS traffic at a victim.

Desler says a recent Link11 scan showed at least 5,000 Memcached servers deployed on the public Internet that are open for exploit. These servers give attackers a way to generate massive volumes of DDoS traffic with even a relatively small bandwidth connection and minimal input.

“The amplification factor with Memcached servers is hundreds of times larger than DNS,” says Desler. “You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector,” he says.

With DNS amplification, for instance, an attacker might be able to generate a 50KB response to a 1KB request. But with a Memcached server, an attacker would be able to send a 100-byte request and get a 100MB or even 500MB response in return. In theory, at least, the amplification could be unlimited, Desler says.

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations.

Exploiting Memcached servers is new as far as real-world DDoS attacks are concerned, says Chad Seaman, senior engineer with Akamai’s Security Intelligence Response Team. “A researcher had theorized this could be done previously,” Seaman says. “But as Memcached isn’t meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment.”

But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says. “And now the DDoS attackers have found them and appear to be capitalizing on them before significant clean-up efforts take place.”

What makes the attacks worrisome is that Memcached services are deployed on servers and in hardware pools with plenty of bandwidth and resources. Unlike typical reflected attacks with mostly static payloads — like CharGen and NTP — that cannot be easily modified, with Memcached reflection an attacker has much more control over the payload. This gives them the potential to do a lot more damage, Seaman says.

The primary problem is that Memcached, with its lack of authentication or controls, is world readable and writable. It’s also very fast, as it does all data management directly in memory, and by default it supports key value stores of up to 1MB.

So, if attackers can find suitably beefy machines and load them up with as many keys as they want, they can use the box to launch waves of traffic with amplification rates far exceeding the norm for DDoS attacks, Seaman says. “In theory, an attack could unleash gigs of traffic from a single machine with a packet that’s only a few dozen bytes.”

Mitigation at this point is basically blocking traffic from source port 11211 at the router, firewall, and elsewhere along the network edge, adds Domingo Ponce, director of global security operations at Akamai. Organizations also need to ensure they have the bandwidth to absorb the attacks while allowing legitimate traffic to remain up.
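The traffic signature the vendors describe (inbound UDP whose source port is 11211, arriving at hosts that never queried a Memcached server) is straightforward to pick out of flow records. The following Python detector is an added illustration, not code from Link11, Akamai or Cloudflare; the flow-record format and the addresses in `SAMPLE_FLOWS` are constructed for the example and are not captured traffic. It aggregates reflected bytes and the number of distinct reflectors per victim, which is what an operator would want before deciding whether the edge block on source port 11211 mentioned above is warranted.

```python
import re
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed flow records, one per line: proto src:port -> dst:port bytes pkts.
# Made up for this example; not captured traffic. The first line is an ordinary
# outbound query (not flagged), the TCP line is not a UDP reflection, and the
# port-53 line is a DNS reply (a different amplification vector, not flagged here).
SAMPLE_FLOWS = """\
UDP 203.0.113.5:40123 -> 198.51.100.7:11211 bytes=60 pkts=1
UDP 198.51.100.7:11211 -> 203.0.113.5:40123 bytes=1472 pkts=3
UDP 198.51.100.8:11211 -> 203.0.113.5:40123 bytes=1472 pkts=3
UDP 192.0.2.10:53 -> 203.0.113.5:33001 bytes=512 pkts=1
UDP 198.51.100.9:11211 -> 203.0.113.6:40555 bytes=1472 pkts=2
TCP 198.51.100.9:11211 -> 203.0.113.6:40556 bytes=900 pkts=4
"""

FLOW_RE = re.compile(
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+)"
)


def parse_flows(text):
    """Parse the constructed record format into dicts; malformed lines are
    skipped so one bad record does not abort the whole batch."""
    flows = []
    for line in text.splitlines():
        match = FLOW_RE.match(line.strip())
        if not match:
            continue
        flow = match.groupdict()
        for key in ("sport", "dport", "bytes", "pkts"):
            flow[key] = int(flow[key])
        flows.append(flow)
    return flows


def is_memcached_reflection(flow):
    """UDP traffic whose *source* port is 11211 is a Memcached reply. A reply
    landing on a host that did not ask for it is the reflected attack traffic
    the article describes, which is why the mitigation keys on source port."""
    return flow["proto"] == "UDP" and flow["sport"] == MEMCACHED_PORT


def summarize_targets(flows):
    """Per victim address: total reflected bytes and distinct reflector count."""
    summary = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for flow in flows:
        if is_memcached_reflection(flow):
            summary[flow["dst"]]["bytes"] += flow["bytes"]
            summary[flow["dst"]]["reflectors"].add(flow["src"])
    return {
        dst: {"bytes": v["bytes"], "reflectors": len(v["reflectors"])}
        for dst, v in summary.items()
    }


if __name__ == "__main__":
    for victim, stats in summarize_targets(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {stats['bytes']} bytes from {stats['reflectors']} reflector(s)")
```

On real data the same aggregation would be fed from NetFlow/IPFIX or firewall logs rather than a string; the thresholds for alerting (bytes per second, reflector count) are deployment-specific and deliberately not hard-coded here.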

“It’s real and we’ve seen it,” Ponce says. “At the end of the day, your pipes better be big enough.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/memcached-servers-being-exploited-in-huge-ddos-attacks/d/d-id/1331149?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Unsecured AWS led to cryptojacking attack on LA Times

Cryptojackers have been discovered sneaking mining code on to a big brand’s website through the back door of a poorly secured Amazon AWS (Amazon Web Services) S3 bucket.

Researchers at the Bad Packets Report said they noticed last week that The Homicide Report, an interactive map of city murders offered by the LA Times, was running a Coinhive Monero miner.

Present since at least February 9, the mining was throttled to run at a CPU level of under 30% in the hope this would allow it to go unnoticed for longer.

Ironically, what led researchers to the miner was its presence in an LA Times AWS S3 bucket – left unsecured with public write permissions turned on – and not what was happening on the site itself.

Researchers even found a message suggesting someone else had discovered the open access before either Bad Packets Report or the cryptojackers. This read:

Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it.

Unfortunately, the message went unread or unheeded and the bad guys did find out. The bucket and website were eventually cleaned by the LA Times after researchers gave them the bad news.
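The misconfiguration at the heart of this story, a bucket anyone can write to, is something an owner can check for mechanically. The following Python audit helper is an added example, not code from the LA Times, Bad Packets Report or AWS; the ACL and policy dicts are constructed samples in the shape boto3’s `get_bucket_acl()` returns and a bucket policy document takes, and the owner ID is a placeholder. It flags ACL grants of WRITE, WRITE_ACP or FULL_CONTROL to the public AllUsers or AuthenticatedUsers groups, and policy statements that let any principal put objects.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS, AUTHENTICATED_USERS}
# Permissions that let a grantee add or replace objects or rewrite the ACL.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

OWNER_ID = "EXAMPLE-OWNER-CANONICAL-ID"  # placeholder, not a real canonical user ID

# Constructed ACL of a misconfigured bucket: world-readable and world-writable.
OPEN_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed ACL after the fix: only the owner has any access.
FIXED_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    ],
}

# Constructed bucket policy that grants uploads to any principal.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnyoneCanUpload",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}


def public_write_grants(acl):
    """Return the write-class permissions granted to the AllUsers or
    AuthenticatedUsers groups (both count as public for this purpose)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (
            grantee.get("Type") == "Group"
            and grantee.get("URI") in PUBLIC_GROUP_URIS
            and grant.get("Permission") in WRITE_PERMISSIONS
        ):
            findings.append(grant["Permission"])
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_allows_public_write(policy):
    """True if any Allow statement lets an any-principal put objects.
    Wildcards such as s3:* and s3:Put* are treated as writes."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_public(statement.get("Principal")):
            continue
        for action in _as_list(statement.get("Action", [])):
            lowered = action.lower()
            if lowered == "s3:*" or lowered.startswith("s3:put"):
                return True
    return False


def audit_bucket(acl, policy=None):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"ACL grants {p} to a public group" for p in public_write_grants(acl)]
    if policy and policy_allows_public_write(policy):
        findings.append("bucket policy allows public write")
    return findings
```

In practice the ACL comes straight from `get_bucket_acl()`, while `get_bucket_policy()` returns the policy as a JSON string under the `Policy` key, so it needs `json.loads` before being passed to `audit_bucket`. A bucket that passes both checks can still be exposed through object-level ACLs, so object ACLs deserve the same treatment.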

The incident bears a passing resemblance to the recent cryptojacking attack on an AWS S3 bucket belonging to Tesla, although without a website being involved. In that incident, the root cause was that admins forgot to set a bucket password.

The interesting follow-up is how easily incidents can be connected to the bad actors behind them.

According to the researchers, the Coinhive site key used in this attack was the same one used two weeks ago to plant miners on thousands of websites, including government sites such as the American court system (uscourts.gov) and the UK Student Loans Company.

Coinhive reportedly terminated this account but Bad Packets alleges it was used to earn the attackers the grand sum of $24 (£17) from the time it was hiding on the LA Times site.

That doesn’t sound like a lot for up to two weeks on a big website, but this was only one page. Get the same script on to hundreds or thousands of sites for any length of time and it’s not hard to see how this business model could be lucrative.

It’s a phenomenon being driven by the mania for virtual currencies, helped along by the simplicity of the earn-as-you-go business models promoted by cryptomining services.

What damage did this do?

From the user’s point of view, not much. As long as miners are just stealing CPU time, they are a nuisance that can be stopped by shutting down the browser.

Still, with easy access to cloud buckets and websites, what starts as a parasitic attack could quickly turn into something much more dangerous. The worry is that there appears to be no shortage of cloud targets to rummage through.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LzYx_6fn-sA/

Oops! Apple repair center making around 20 false emergency calls a day

Emergency dispatchers in California are being swamped with false emergency calls from an Apple repair and refurbishing center in Elk Grove, Sacramento County.

They told CBS Sacramento that the calls started in October and have clocked in at an average rate of about 20 per day – a total of about 1,600 calls over the course of around four months.

CBS Sacramento says the calls are also coming in to the Sacramento County Sheriff’s Department Communication Center, which has received 47 fake emergency calls since 1 January. When the dispatchers pick up, there’s typically nobody on the other end of the line.

They do, however, hear repair-shop patter, according to Sgt. Shaun Hampton with the sheriff’s department:

To them, it sounds like people talking about Apple, or devices or generally about maintenance and repairs.

Last week, Apple said in a statement that it’s aware of the emergency flubs:

We’re aware of 911 calls originating from our Elk Grove repair and refurbishment facility. We take this seriously and we are working closely with local law enforcement to investigate the cause and ensure this doesn’t continue.

Hampton said that the time needed to deal with the spurious calls could take away from time spent helping people with real emergencies.

Jason Jimenez, with the Elk Grove Police Department, said that the department is working with Apple to try to shut up whatever panicky devices are calling:

[The US emergency call number 911] is a lifeline for everyone in our community, so having these lines open and available is paramount and so [is] getting this problem resolved… At this point, public safety is not in danger and we are working with Apple to resolve the issue.

Which device needs smelling salts? Nobody knows yet, but it could be iPhones or 4G Apple Watches, neither of which requires a SIM card or phone contract to make emergency calls. On older iPhones and on the iPhone 7 and iPhone 7 Plus, a user can rapidly press the Side button on the right of the device five times to activate its new Emergency SOS feature, which was introduced in September. That brings up a slider on the screen that enables a user to call 911.

It’s also very easy on more recent iPhone models and on the Apple Watch: on the iPhone 8 and X, pressing and holding the power button and a volume button brings up the slider. On the Apple Watch, pressing and holding down the power button is enough to place an emergency call.

As Apple says in its marketing for Emergency SOS on Apple Watch, you can “quickly and easily call for help and alert your emergency contacts.”

Maybe a teensy bit too easily? Maybe an iota too quickly?

This is, after all, not the first time we’ve seen a tsunami of fake emergency calls coming from triggered Apple Watches. Earlier this month, Ottawa County dispatchers complained to local news WNEM about a rash of dropped emergency calls. When the dispatchers called back the numbers, they’d hear things like “oops – I was exercising!” or “I hit the wrong button!”

WNEM quoted Tim Smith, from central dispatch in Ottawa County, Michigan:

We’re getting Apple Watch calls all the time.

In fact, Apple includes instructions on how to abort accidental emergency calls from its Watch: firmly press the display, then tap End Call.

That won’t help dispatchers much, though. Accidental call or not, they’re going to follow through just in case, Smith said. In fact, given how determined they are to make sure a caller isn’t in danger, it might be best to just see the call through and tell the dispatcher who picks up that it was a mistake.

Smith:

We make every effort to follow up on that call, including if we have a valid location, we’ll send an officer out if we can’t get ahold of you.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/A3NzM_n9x_0/

Opt-in cryptomining script Coinhive ‘barely used’ say researchers

Few sites are bothering to use the opt-in version of Coinhive, the controversial ride-along JavaScript crypto-mining package that requires end-users’ consent to run.

So said security firm Malwarebytes in an analysis emitted on Monday, but Coinhive developers disputed those findings and argued that a third of cryptomining-using websites get their users’ consent.

Cryptomining sees web page operators use visitors’ computers to mine for cryptocurrencies as they surf a site. Sometimes the mining is covert, as a result of mining malware infections. Publishers can also run miningware without explicitly telling users about their efforts. On other occasions publishers formally tell visitors they’re helping them raise funds by running mining code.

Coinhive tried to make the last cryptomining scenario legit by offering software that only works after users opt-in. In October 2017 the outfit therefore introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed.

[Read More: Reg now behind invisible HTML5 Bitcoin paywall]

Data from security software firm Malwarebytes, unveiled on Monday, said that in January and February 2018 the opt-in version of Coinhive was used by just 40,000 folk each day compared to three million users of its silent miner. The security software firm adds that even sites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with news website Salon.

The developers of Coinhive disputed these figures. “We don’t have statistics about the exact number of clients, but as for our raw hashrate: ~35% comes from AuthedMine,” the developers told El Reg via Twitter. “Many sites still use the classic implementation with their own (non intrusive) opt-in or with a prominent opt-out. Ultimately it’s the decision of the website owners.”
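Two of the distinctions drawn in these stories, a site key shared across many compromised pages and the opt-in AuthedMine loader versus the classic silent one, can both be read straight out of the page markup. The following added example (not code from either article, from Malwarebytes or from Coinhive) extracts the site key, the loader host and the throttle setting from constructed sample pages and clusters pages by key; the library URLs are assumed from the two products' names and the site keys are placeholders, not the key from the LA Times incident.

```python
import re
from collections import defaultdict

# Constructed sample pages. Script hosts are assumed: coinhive.com for the
# classic library, authedmine.com for the opt-in one. Keys are placeholders.
PAGES = {
    "site-a.example/report": (
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m = new CoinHive.Anonymous('KEY_ONE_PLACEHOLDER',"
        " {throttle: 0.7}); m.start();</script>"),
    "site-b.example/": (
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        '<script>var miner = new CoinHive.Anonymous("KEY_ONE_PLACEHOLDER");'
        " miner.start();</script>"),
    "site-c.example/donate": (
        '<script src="https://authedmine.com/lib/authedmine.min.js"></script>'
        "<script>var miner = new CoinHive.Anonymous('KEY_TWO_PLACEHOLDER',"
        " {throttle: 0.5});</script>"),
    "clean.example/": "<html><body>No miner here.</body></html>",
}

# The key is the first argument to the CoinHive.Anonymous / CoinHive.User constructors.
KEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9_-]+)['\"]")
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9.]+)")


def inspect_page(html):
    """Return a dict describing the Coinhive loader in a page, or None if absent."""
    m = KEY_RE.search(html)
    if not m:
        return None
    t = THROTTLE_RE.search(html)
    throttle = float(t.group(1)) if t else 0.0  # no throttle option: full CPU
    return {
        "site_key": m.group(1),
        "opt_in": "authedmine.com/" in html,  # AuthedMine requires user consent
        # Throttle is the idle fraction: 0.7 idle leaves roughly 30% CPU use.
        "cpu_percent": round((1.0 - throttle) * 100),
    }


def cluster_by_site_key(pages):
    """Group URLs by site key: one key ties every page of a campaign together."""
    clusters = defaultdict(list)
    for url, html in pages.items():
        info = inspect_page(html)
        if info:
            clusters[info["site_key"]].append(url)
    return dict(clusters)
```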

Malwarebytes’ findings were supported by security researcher Troy Mursch who said its figures are consistent with his own research.

The Coinhive crew went on to claim that Malwarebytes blocks AuthedMine, too. “Attempts to get this resolved remained unanswered,” they said.

Malwarebytes’ The State of Malicious Cryptomining report also notes how groups used the WannaCry vulnerabilities to infect servers with cryptomining packages, a tactic previously reported by El Reg. ®

Bootnote: The “Read More” box above links to our 2017 April Fool’s Day prank, in which we joked that we’d added cryptomining to the site. Not many months later, actual cryptomining became prevalent.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/27/ethical_coinhive/

Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent offering secure web connections.

A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web’s most-visited sites had grown more than 7 percentage points from 30.8 per cent over the six months since October 2017. Helme’s latest biannual web security sitrep threw up the surprising finding that a security technology Google decided to deprecate last October has risen, not shrunk, in popularity.

“The most surprising thing is probably the strong growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too,” Helme told El Reg.

Google said it was abandoning HPKP, a next-generation web crypto technology it initially championed, back in October, as previously reported. Experts including Helme and Ivan Ristic have criticised the technology as being both tricky to apply and potentially calamitous, if incorrectly set up. Fast forward four months and Helme has found that larger sites are less likely to use HPKP, the reverse of the trend for every other metric.

Paul Moore, another infosec expert with a keen interest in web security, praised Helme’s latest study. “My only comment would be the lack of a deep/context aware scan… meaning sites which don’t use headers [at landing page] may use them elsewhere, as and when they feel necessary… something the scan wouldn’t and couldn’t reveal.”
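The reason HPKP is described as calamitous when misconfigured is that a browser honours a bad pin set for the whole max-age, so a scan of the headers a site serves should flag more than presence or absence. The following added example (not Helme's scanner or any code from the article) reviews the Strict-Transport-Security and Public-Key-Pins headers of one response; the sample headers are constructed, the pin value is a placeholder, and the 60-day threshold is this example's own choice, not a figure from the study.

```python
# Example-only threshold: how long a wrong pin set may lock visitors out.
MAX_SAFE_PKP_AGE = 60 * 24 * 3600


def _parse_directives(header):
    """Split 'a=1; b; c="x"' into ordered (name, value) pairs, names lower-cased."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip().lower(), value.strip().strip('"')))
    return pairs


def review_headers(headers):
    """Return findings for one response's HSTS and HPKP headers.

    `headers` maps lower-cased header names to their values. HPKP needs at
    least two pin-sha256 values (RFC 7469: one must be a backup key not in the
    served chain) so that a key rotation cannot strand pinned visitors.
    """
    findings = []
    if "strict-transport-security" not in headers:
        findings.append("no HSTS header: first request is not forced to HTTPS")
    pkp = headers.get("public-key-pins")
    if pkp is not None:
        directives = _parse_directives(pkp)
        pins = [v for n, v in directives if n == "pin-sha256"]
        max_age = int(dict(directives).get("max-age", "0"))
        findings.append("HPKP present: deprecated by Chrome, plan its removal")
        if len(pins) < 2:
            findings.append("HPKP has %d pin(s); a backup pin is required" % len(pins))
        if max_age > MAX_SAFE_PKP_AGE:
            findings.append("HPKP max-age %d s: a bad pin set locks users out that long" % max_age)
    return findings


# Constructed sample response: HSTS is fine, but the HPKP header carries a
# single pin (placeholder value) for 180 days, the combination that hurts.
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "public-key-pins": 'pin-sha256="PLACEHOLDER_PIN_A="; max-age=15552000; includeSubDomains',
}

if __name__ == "__main__":
    for finding in review_headers(SAMPLE_HEADERS):
        print(finding)
```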

[Figure: Web security sitrep, source: Scott Helme]

Helme concluded: “Whilst the rate of adoption for HTTPS has slowed, we’re still seeing good growth in the numbers. All metrics are seeing positive growth and our push towards an encrypted web is still making great progress.”

Certificate authority Let’s Encrypt has continued to grow its presence in the top 1 million sites on the web. By contrast there’s almost no growth in the use of EV (extended validation) certificates, according to Helme.

The payment industry is due to pull support for TLSv1.0 from its PCI DSS credit card processing standard from June onwards. Scans run by Helme show that the vast majority of the web’s most-visited locales have already prepared for this change by switching to more robust protocols, such as TLSv1.2. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/27/https_hpkp_web_security_sitrep/