Login
This week, we welcome Henry Harrison, Co-Founder, and CTO at Garrison, to discuss how hardware security solutions from the intelligence community can help the commercial industry! In the Leadership and Communications Segment, Balancing the Company s Needs and Employee Satisfaction, Why Successful People Wear The Same Thing Every Day, What industry gets wrong about cyber insurance, and more!
Show Notes: https://wiki.securityweekly.com/BSWEpisode150
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, aggressive IoT malware that's forcing Wi-Fi routers to join its botnet army, Google discloses Chrome Zero-Day exploited in the wild on Halloween, the first Bluekeep exploit found in the wild, and oC Exploits Published for Unpatched RCE Bugs in rConfig! In the expert commentary, we welcome Sean O'Brien, Founder, and CEO of PrivacySafe, to talk about Siri, Alexa, and Google Assistant hacked via Laser Beam!
Show Notes: https://wiki.securityweekly.com/HNNEpisode240
To learn more about PrivacySafe, visit: https://securityweekly.com/privacysafe
Visit https://www.securityweekly.com/hnn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we interview Daniel Lowrie and Justin Dennison, Edutainers at ITProTV, to discuss how to bridge the gap between a Developer and Security! In the Application Security News, Stable Channel Update for Desktop Chrome users should upgrade to, Overcoming the container security conundrum: What enterprises need to know, Security Think Tank: In the cloud, the buck stops with you, PHP Bug Allows Remote Code-Execution on NGINX, Servers and patch details at Sec Bug #78599, Raising Security Awareness: Why Tools Can't Replace People, and much more!
Show Notes: https://wiki.securityweekly.com/ASWEpisode83
To learn more about ITProTV, visit: https://securityweekly.com/itprotv
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Philippe Courtot, Chairman and CEO of Qualys, and Sumedh Thakar, Chief Product Officer at Qualys, to talk about a new prescription for security, and Security in the Cloud Era! In our second segment, we air a pre-recorded Technical Segment with Sven Morgenroth of Netsparker! In our final segment, we air another pre-recorded interview with Dave Bitner, producer and host from the CyberWire podcast!
Show Notes: https://wiki.securityweekly.com/PSWEpisode625
To learn more about Qualys, visit: https://securityweekly.com/qualys
To learn more about Netsparker, visit: https://securityweekly.com/netsparker
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, first we talk Enterprise News, discussing how IaaS cloud vulnerabilities are expected to increase 50% over 2018 figures, examining security process maturity in 400 organizations, Snow Software Unveils Risk Monitor to Combat Security and Compliance Threats, and some funding and acquisition updates from Aviatrix and enSilo! In our second segment, we welcome Carter Manucy, Cybersecurity Manager at the FMPA (Florida Municipal Power Agency), to talk IT/OT convergence in the power/utility space! In our final segment, we talk about the Vulnerability Management Evaluation Guide, with aspects of Deployment, Practice, and Reporting!
Show Notes: https://wiki.securityweekly.com/ESWEpisode159
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Kevin O'Brien, Co-founder, and CEO at GreatHorn, to discuss email security! In the Leadership and Communications segment, Of the 4 manager types, only 1 boost employee performance 26%, How to Look and Sound Confident During a Presentation, 2020 IT spending priorities, and the traps a cloud shift creates, and more!
Show Notes: https://wiki.securityweekly.com/BSWEpisode149
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, Adobe database exposes 7.5 million Creative Cloud users, PHP team fixes nasty site-owning remote execution bug, Trend Micro's antivirus tools will run malware if the filename is cmd.exe, and how the country of Georgia was hit by a massive cyber attack! In the expert commentary, we welcome Jason Wood, to discuss how Fancy Bear targets Sporting and Anti-Doping Orgs as the 2020 Olympics Loom!
Show Notes: https://wiki.securityweekly.com/HNNEpisode239
Visit https://www.securityweekly.com/hnn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, Mike Shema, Matt Alderman, and John Kinsella talk about Bug Bounties, Pentesting, & Scanners! In the Application Security News, Top cloud security controls you should be using, State of Software Security X, Developers: The Cause of and Solution to Security's Biggest Problems, and much more!
Show Notes: https://wiki.securityweekly.com/ASWEpisode82
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Tom Williams, Director of Veterans Operations for the Veterans Mental Health Hackers, to talk about How Mental Health Hackers is going to help Veterans in Infosec in 2020 and beyond! In our second segment, we talk Security News, discussing how Amazon Echo and Kindle devices were affected by a WiFi bug, Ransomware and data breaches linked to uptick in fatal heart attacks, a woman was ordered to type in her iPhone password so police could search the device, and how the military found Marijuana at a North Dakota nuclear launch facility! In our final segment, we air a pre-recorded interview with Mark Dufresne!
Show Notes: https://wiki.securityweekly.com/PSWEpisode624
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Trade and cybersecurity are inherently linked. The promise of the information revolution was always that it would allow people to connect internationally, and that it would make international investment available for everyday citizens.
It has certainly done that, but as trade and investment grow ever more complex, the risks also grow. Alongside the development of international investment networks has developed another, shadowy network of hackers and unscrupulous investment companies. As the Internet of Things (IoT) and Artificial Intelligence (AI) technologies are adopted, the complexity and vulnerability of trading platforms is also going to increase.
In this article, we’ll take a look at how and why the risks of international trade are increasing, and the political response to this.
The Security Risks Of Trade
There is one primary reason why digital trade is more at risk from cyberattack than ever before: a huge increase in the number of people using online trading platforms. Whilst this increase has greatly increased the ability of individuals to invest internationally, it has also opened up many opportunities for hackers.
In other cases, technologies that have been developed in order to increase the security of international trade can have the opposite effect. The move to cloud storage and Software as a Service (SaaS), for example, has been driven by the perception that there are many security benefits of cloud storage: as research firm BlueTree.ai notes, 83 percent of successful American businesses were planning a SaaS strategy for the coming year, due in part to data security concerns.
Whilst cloud storage can be a more secure way for traders to protect their data (and profits), cloud systems are also an order of magnitude more complex than more 'traditiona;' trading systems. That means that they require similarly complex cybersecurity protocols to be put in place in order to stop the spread of malware infection, or simply the interception of sensitive commercial data.
The Political Response
These concerns have led many governments to seek to regulate and control digital trading, in order to protect both individuals and firms against cyberattack. According to some estimates, up to 50 countries have now put in place – or are planning to put in place – policies that seek to limit the vulnerability of their citizens.
At the moment, however, these measures have largely been adopted on a per-country basis. Since international trading is, by definition, international, this has severely limited the efficacy of these systems.
Add to the simmering mix the reality that many individual investors simply don’t have the technical know-how to avoid scams and hacks. The Foreign exchange (Forex) market, in particular, has had a reputation for being a sort of online Wild West ever since it opened to retail traders in the late 90’s. Many jumped in (and continue to do so) without even a rudimentary knowledge of basic currency trading strategy, which contributes to the steady and still almost unbelievable 96% failure rate. Combine these poor trading skills with a mostly unregulated brokerage industry and you have a perfect storm preying on mass ignorance.
And this was before cryptocurrency was even a glimmer of a whitepaper in Satoshi Nakamoto’s probably collective head. If Forex is the equivalent of facing down the fastest gun in Dodge City at high noon with a cap pistol, trading cryptocurrency is even more dangerous.
Leading governments, to their credit, have recognized this minefield. The European Union has identified “a need for closer cooperation at a global level to improve security standards, improve information, and promote a common global approach to network and information security issues." The US has also made similar moves, and it's most recent Cybersecurity Strategy reaffirms the need to “strengthen the capacity and interoperability of those allies and partners to improve our ability to optimize our combined skills, resources, capabilities, and perspectives against shared threats."
There is, however, a very fine balance to be drawn between security and freedom. Any restrictions put in place in order to improve the security of international trading networks risk limiting the ability of individuals and companies to invest across borders. Given the benefits that this kind of decentralized trading has brought the world economy, and over-eager implementation of cross-border cybersecurity systems also risks undermining the profitability of many firms.
The Future
Though these issues are far from being resolved, some consensus on the direction of travel is emerging. The Brookings Institute has recently outlined a number of key principles that will govern the way that international trade will be secured in the years to come.
One of the most important is to ensure access to information across international boundaries. Whilst this may sound like it would increase the opportunities for this data to be stolen, in reality this kind of information sharing limits the risks inherent in the localization of financial records. It is strange to note, in fact, that in this regard the way that international trade is being secured bears many similarities to the kinds of decentralized systems used in cryptocurrency exchanges.
Another key area for development will be in the standardisation of cybersecurity standards and policies across territories. The International Standards Organization (ISO) has recently developed a number of cybersecurity standards that aim to help countries to develop compatible ways of securing international trade. These policies can then be internationally integrated in trade agreements, ensuring that criminals and unscrupulous companies cannot escape justice by fleeing to another jurisdiction.
Finally, there is a building consensus – not just in government but also in industry – that a risk-based approach to cybersecurity needs to be adopted when it comes to securing international trade. This approach is one that has been developed in order to assuage the fears that regulation could stifle trade flows: instead of adopting a 'tick-box' approach to cybersecurity compliance, companies should carefully assess their threat profile before deciding which counter-measures to put in place.
Trust and Security
Ultimately, international digital trade is built on trust, and this will need to be maintained in order to ensure profitability for both individual and institutional investors.
At the broadest level, as complex networks get harder to secure, there will need to be much more dialogue between policy makers and cybersecurity experts. Building bridges between these communities will support the development of effective cybersecurity practices without putting in place unnecessary trade barriers.
About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.
Copyright 2010 Respective Author at Infosec IslandThis week, In our first segment, we talk Enterprise News, discussing how ManageEngine launched a holistic take on privileged access security, Avast faced a security breach aimed at messing up its CCleaner, Recorded Future enhanced partnership with ServiceNow to reduce organizational risk, and the Sophos Cloud Optix are now available on AWS marketplace! In our second segment, we welcome Erich Anderson, Insider Threat Principal at ObserveIT, to talk about the Foundational Elements of an Insider Threat Program! In our final segment, we welcome Kevin O'Brien, CEO & Co-Founder at GreatHorn, to discuss Pen Testers, Social Engineering, and more!
To learn more about GreatHorn, visit: https://securityweekly.com/greathorn
Show Notes: https://wiki.securityweekly.com/ESWEpisode158
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Merlin Namuth, former Chief Information Security Officer and Program Committee Member at RSA Conference! In the Leadership and Communications segment, Two Big Reasons that Digital Transformations Fail, DevSecOps model requires security to get out of its comfort zone, 3 things CIOs should discuss with the CEO to optimize cybersecurity, and more!
Show Notes: https://wiki.securityweekly.com/BSWEpisode148
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Artificial Intelligence (AI) is creating a brand new frontier in information security. Systems that independently learn, reason and act will increasingly replicate human behavior. However, like humans, they will be flawed, but capable of achieving incredible results.
AI is already finding its way into many mainstream business use cases and business and information security leaders alike need to understand both the risks and opportunities before embracing technologies that will soon become a critically important part of everyday business. Organizations use variations of AI to support processes in areas including customer service, human resources and bank fraud detection. However, the hype can lead to confusion and skepticism over what AI actually is and what it really means for business and security.
What Risks Are Posed by AI?
As AI systems are adopted by organizations, they will become increasingly critical to day-to-day business operations. Some organizations already have, or will have, business models entirely dependent on AI technology. No matter the function for which an organization uses AI, such systems and the information that supports them have inherent vulnerabilities and are at risk from both accidental and adversarial threats. Compromised AI systems make poor decisions and produce unexpected outcomes.
Simultaneously, organizations are beginning to face sophisticated AI-enabled attacks – which have the potential to compromise information and cause severe business impact at a greater speed and scale than ever before. Taking steps both to secure internal AI systems and defend against external AI-enabled threats will become vitally important in reducing information risk.
While AI systems adopted by organizations present a tempting target, adversarial attackers are also beginning to use AI for their own purposes. AI is a powerful tool that can be used to enhance attack techniques, or even create entirely new ones. Organizations must be ready to adapt their defenses in order to cope with the scale and sophistication of AI-enabled cyber-attacks.
Defensive Opportunities Provided by AI
Security practitioners are always trying to keep up with the methods used by attackers, and AI systems can provide at least a short-term boost by significantly enhancing a variety of defensive mechanisms. AI can automate numerous tasks, helping understaffed security departments to bridge the specialist skills gap and improve the efficiency of their human practitioners. Protecting against many existing threats, AI can put defenders a step ahead. However, adversaries are not standing still – as AI-enabled threats become more sophisticated, security practitioners will need to use AI-supported defenses simply to keep up.
The benefit of AI in terms of response to threats is that it can act independently, taking responsive measures without the need for human oversight and at a much greater speed than a human could. Given the presence of malware that can compromise whole systems almost instantaneously, this is a highly valuable capability.
The number of ways in which defensive mechanisms can be significantly enhanced by AI provide grounds for optimism, but as with any new type of technology, it is not a miracle cure. Security practitioners should be aware of the practical challenges involved when deploying defensive AI.
Questions and considerations before deploying defensive AI systems have narrow intelligence and are designed to fulfil one type of task. They require sufficient data and inputs in order to complete that task. One single defensive AI system will not be able to enhance all the defensive mechanisms outlined previously – an organization is likely to adopt multiple systems. Before purchasing and deploying defensive AI, security leaders should consider whether an AI system is required to solve the problem, or whether more conventional options would do a similar or better job.
Questions to ask include:
Security leaders also need to consider issues of governance around defensive AI, such as:
AI will not replace the need for skilled security practitioners with technical expertise and an intuitive nose for risk. These security practitioners need to balance the need for human oversight with the confidence to allow AI-supported controls to act autonomously and effectively. Such confidence will take time to develop, especially as stories continue to emerge of AI proving unreliable or making poor or unexpected decisions.
AI systems will make mistakes – a beneficial aspect of human oversight is that human practitioners can provide feedback when things go wrong and incorporate it into the AI’s decision-making process. Of course, humans make mistakes too – organizations that adopt defensive AI need to devote time, training and support to help security practitioners learn to work with intelligent systems.
Given time to develop and learn together, the combination of human and artificial intelligence should become a valuable component of an organization’s cyber defenses.
The Future is Now
Computer systems that can independently learn, reason and act herald a new technological era, full of both risk and opportunity. The advances already on display are only the tip of the iceberg – there is a lot more to come. The speed and scale at which AI systems ‘think’ will be increased by growing access to big data, greater computing power and continuous refinement of programming techniques. Such power will have the potential to both make and destroy a business.
AI tools and techniques that can be used in defense are also available to malicious actors including criminals, hacktivists and state-sponsored groups. Sooner rather than later these adversaries will find ways to use AI to create completely new threats such as intelligent malware – and at that point, defensive AI will not just be a ‘nice to have’. It will be a necessity. Security practitioners using traditional controls will not be able to cope with the speed, volume and sophistication of attacks.
To thrive in the new era, organizations need to reduce the risks posed by AI and make the most of the opportunities it offers. That means securing their own intelligent systems and deploying their own intelligent defenses. AI is no longer a vision of the distant future: the time to start preparing is now.
Copyright 2010 Respective Author at Infosec Island
Corporate IT security professionals are bombarded every week with information about the capabilities and benefits of various products and services. One of the most commonly mentioned security products in recent years has been Security Information and Event Management (SIEM) tools.
And for good reason.
SIEM products provide significant value as a log collection and aggregation platform, which can identify and categorize incidents and events. Many also provide rules-based searches on data.
While often compared to user and entity behavior analytics (UEBA) products, SIEMs are a blend of security information management (SIM) and security event management (SEM). This makes SIEMs adept at providing aggregated security event logs analysts can query for known security threats.
In contrast, UEBA products utilize machine learning algorithms to analyze patterns of human and entity behavior in real time to uncover anomalies indicative of known and unknown threats.
Let’s consider the five ways in which SIEM and UEBA technology differs.
Point-in-time vs. Real-time Analysis
SIEM provides point-in-time analyses of event data, and is generally limited by the number of events that can be processed in a particular time frame. They also do not correlate physical security events with logical security events.
UEBA, meanwhile, operates in real-time, using machine learning, behavior-based security analytics and artificial intelligence. It can detect threats based on contextual information, and enforce immediate remediation actions.
“While SIEM is a core security technology it has not been successful at providing actionable security intelligence in time to avert loss or damage,” wrote Mike Small, a KuppingerCole analyst in a research note.
Manual vs. Automated Threat Hunting
SIEM does a very good job of providing IT pros with the data they need to manually hunt for threats, including details on what happened, when and where it happened. However, manual effort is needed to analyze the data, particularly to detect anomalies and threats.
UEBA performs real-time analysis using machine learning models and algorithms. These provide the machine speed needed to respond to security threats as they happen, while also offering predictive capabilities that anticipate what will or might happen in the future.
Logs vs. Multiple Data Types
SIEM ingests structured logs. Adding new data types often requires upgrading existing data stores and human intervention. In addition, SIEM does not correlate data on users and their activities, or make connections across applications, over time or user behavior patterns.
UEBA is built to process huge volumes of data from various sources, including structured and unstructured data sets. It can analyze data relationships over time, across applications and networks, and pore over millions of bits to find “meanings” that may help in detecting, predicting, and preventing threats.
Short vs. Long-Term Analysis
SIEM does a very good job of helping IT security staff compile valuable, short-term snapshots of events. It is less effective when it comes to storing, finding and analyzing data over time. For example, SIEM provides limited options for searching historical data.
UEBA is designed for real-time visibility into virtually any data type, both short-term and long-term. This generates insights that can be applied to various use cases such as risk-based access control, insider threat detection and entity-based threat detection associated with IoT, medical, and other devices.
Alerts vs. Risk Scores
SIEM, as the name implies, centralizes and manages security events from host systems, applications, and network and security devices such as firewalls, antivirus filters, etc. They deliver alerts based on events that may or may not be malicious threats. As a result, SIEMs generate a high proportion of false positive alerts which cannot all be investigated. This can lead to “actual” cyber threats going undetected.
UEBA provides risk scoring, which offers granular ranking of threats. By ranking risk for all users and entities in a network, UEBA enables enterprises to apply different controls to different users and entities, based on the level of threat they pose. One of the major advantages of risk scoring is it greatly eliminates the number of false positives.
Both SIEM and UEBA provide value for security operations teams. Each excels at specific use cases. When comparing these two technologies, it’s helpful to consider how they diverge. Namely, SIEM is oriented on point-in-time analyses of known threats. UEBA, meanwhile, provides real-time analysis of activity that can detect unknown threats as they happen and even predict a security incident based on anomalous behavior by a user or entity.
This week, researchers turn Alexa and Google Home into credential thieves, Microsoft aims to block firmware attacks with new secured-core PCs, the popular VPN service NordVPN confirms data center breach, a 4-year-old critical Linux Wi-Fi bug allows system compromise, and US nuclear weapons command finally ditches 8-inch floppies! In the expert commentary, we welcome Jason Wood, to discuss the Evolution of False Flag Operations!
Show Notes: https://wiki.securityweekly.com/HNNEpisode238
Visit https://www.securityweekly.com/hnn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Doug Coburn, Director of Professional Services at Signal Sciences, discussing Containers, Layer 7, and Application Security! In the Application Security News, From Stackoverflow to CVE, with some laughs along the way, Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise, Recent Site Isolation improvements in Chrome, policy_sentry is an IAM Least Privilege Policy Generator, auditor, and analysis database, and much more!
Show Notes: https://wiki.securityweekly.com/ASWEpisode81
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Daniel DeCloss, President and CEO of PlexTrac, to talk about what makes an excellent pentest report! In our second segment, we talk Security News, how hackers can hijack your local airport, Baltimore to buy $20M in cyber insurance months after the attack, a dangerous Kubernetes bug that allows authentication bypass-DoS, and using machine learning to detect IP hijacking! In our final segment, we air a pre-recorded interview with Peter Kruse, Co-Founder of the CSIS Security Group, discussing Cybercrime, Threat Hunting, and spear-phishing attacks!
Show Notes: https://wiki.securityweekly.com/PSWEpisode623
To learn more about PlexTrac, visit: https://securityweekly.com/plextrac
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, In our first segment, we talk Enterprise News, discussing how Okta is launching offerings for threat detection and remediation, Tenable extends Lumin to all platform customers, Signal Sciences announces integration with Pivotal Container Service, and how Thoma Bravo made a 3.9 Billion dollar offer to acquire Sophos! In our second segment, we talk about Tactics for Understanding Security Vendor Products! In our final segment, we air three pre-recorded interviews from Hacker Halted with Cathy Ullman, Joe Gray, and Jenny Radcliffe!
Show Notes: https://wiki.securityweekly.com/ES_Episode157
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Autumn is the “hacking season,” when hackers work to exploit newly-disclosed vulnerabilities before customers can install patches. This cycle gives hackers a clear advantage and it’s time for a paradigm shift.
Each year, when the leaves start changing color you know the world of cybersecurity is starting to heat up.
This is because the cyber industry holds its two flagship events — DEFCON and BlackHat —over the same week in Las Vegas in late Summer. Something akin to having the Winter and Summer Olympics back-to-back in the same week, these events and other similar ones present priceless opportunities for the world’s most talented hackers to show their chops and reveal new vulnerabilities they’ve uncovered.
It also means that each Fall there’s a mad race against time as customers need to patch these newly revealed vulnerabilities before hackers can pull off major attacks — with mixed results.
A good example began in August, after researchers from Devcore revealed vulnerabilities in enterprise VPN products during a briefing they held at BlackHat entitled “Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs.”
The researchers also published technical details and proof-of-concept code of the vulnerabilities in a blog post two days after the briefing. Weaponized code for exploits is also widely available online, including on GitHub.
News of the vulnerability rang out like a starter pistol, sending hackers sprinting to attack two enterprise VPN products in use by hundreds of thousands of customers — Pulse Secure VPN and Fortinet FortiGate VPN.
In both cases, White Hat hackers discovered the flaws months earlier and disclosed them confidentiality to the manufacturer, giving them the time and details needed to issue the necessary patches. Both Pulse Secure and Fortinet instructed customers to install the patches, but months later there were still more than 14,500 that had not been patched, according to a report in Bad Packets — and the number could be even higher.
Being that these are enterprise products, they are in use in some of the most sensitive systems, including military networks, state and local government agencies, health care institutions, and major financial bodies. And while these organizations tend to have trained security personnel in place to apply patches and mitigate threats, they tend to be far less nimble than hackers, who can seize a single device and use it to access devices across an entire network, with devastating consequences.
The potential for these attacks is vast, considering the sheer volume of targets. This was again demonstrated in the case of the “URGENT/11” zero-day vulnerabilities exposed by Armis in late July. The vulnerabilities affect the VxWorks OS used by more than 2 billion devices worldwide and include six critical vulnerabilities that can enable remote code execution attacks. Chances are that attackers are already on the move looking for lucrative targets to hit.
This is how it plays out — talented White Hat hackers sniff out security flaws and confidentially inform manufacturers, who then scramble to issue patches and inform users before hackers can pounce. And while manufacturers face the impossible odds of hoping that tens of thousands of customers — and often far more — install new security patches in time, the hackers looking to take advantage of these flaws only need to get lucky once.
It’s time for a paradigm shift. Manufacturers need to provide built-in security which doesn’t rely upon customer updates after the product is already in use. This “embedded security” creates self-protected systems that don’t wait for a vulnerability to be discovered before mounting a response.
This approach was outlined in a report from the US Department of Commerce’s National Institute of Standards and Technology (“NIST”) published in July. Entitled “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” the report detailed the unique challenges of IoT security, and stated that these devices must be able to verify their own software and firmware integrity.
There are already built-in security measures that can stack the deck against hackers, including secure boot, application whitelisting, ASLR, and control flow integrity to name a few. These solutions are readily available and it is imperative that leading manufacturers provide runtime protection during the build process, to safeguard their customers’ data and assets.
It’s a race against time and a reactive security approach that waits for a vulnerability to be discovered and then issues patches is lacking, to put it lightly. There will always be users who don’t install the patches in time and hackers who manage to bypass the security solutions before manufacturers can get their feet on the ground. And with White Hat hackers constantly looking for the next vulnerability to highlight, it’s a vicious cycle and one that gives hackers every advantage against large corporations.
And as Fortinet and Pulse Secure lick their wounds from the recent exploits, the onus is upon other manufacturers to realize that the current security paradigm simply isn’t enough.
Copyright 2010 Respective Author at Infosec IslandSecurity is top of mind for every company and every IT team – as it should be. The personal data of employees and customers is on the line and valuable company information is at risk. Security protocols are subject to even closer scrutiny when companies are considering migrating to the cloud.
More and more enterprises recognize that they need to pursue cloud adoption to future-proof their tech stack and achieve their business transformation objectives. The agility and cost savings the cloud provides is fast becoming a requirement for competing in today’s marketplace. Despite the growing sense that cloud is the future, many companies are hesitant to migrate their applications as they believe the cloud is not as secure as on-premise. This is a common myth, and far from the truth. While security must remain a top priority for IT professionals during the migration process, there is a successful pathway to safely and securely migrate.
Who Owns What in the Cloud?
In today’s “cloud wars” landscape, it can be difficult to separate fact from fiction – and it’s clear that many IT professionals feel the cloud is less secure. It’s time to address this myth. The cloud can be just as secure, if not more so, than a traditional on-premise environment. A survey by AlertLogic found that security issues do not vary greatly whether the data is stored on-premise or in a public cloud. Although there is the belief that public cloud servers are most at risk for an attack, on-premise systems are typically older, complex legacy systems, which can be more difficult to secure. The public cloud has the advantage of being less dependent on other legacy technologies.
Significant advancements have been made to ensure cloud migration and management can be executed in a highly secure fashion. For example, the major cloud providers today have developed a large partner network with cloud-native tools and services built from the ground up to specifically address cloud security. Public cloud providers have extensive security-focused teams and experts on staff to ensure that the cloud remains secure, supported by an ecosystem of cloud certified Managed Service Providers (“MSPs”) who can monitor and assess threat risk every step of the way. If done properly, organizations can take advantage of these advanced products and skilled resources to secure and harden their cloud environment. Most IT organizations, driven to be lean and efficient, simply can’t replicate the same level of security which leverages layers of security expertise and experience. The biggest threats are people related, either through inadvertent implementation and configuration errors, lack of proactive management discipline (e.g. applying patches) or malicious exploitation of vulnerabilities which, unfortunately, originate most easily from someone inside.
Unlike an on-premise data center deployed and managed by internal IT staff in which the organization is solely responsible, security and compliance in public cloud operates under a shared responsibility model. The cloud provider is responsible for security of the cloud and the customer is responsible for security in the cloud. What this means is that providers such as Amazon Web Services (AWS), manage and control the host operating system, physical security of its facilities, hardware, software, virtualization layer and infrastructure including networking, database, storage and compute resources. Meanwhile, the customer is responsible for system security above the hypervisor – things like data encryption in-transit and at rest, guest operating systems, networking traffic protection, platform and application security including updates and security patches.
The hybrid cloud is another valuable pathway for companies that aren’t ready or able, for various reasons, to make the full leap to the public cloud. The shared responsibility model for security and compliance applies to hybrid cloud which utilizes a combination of public cloud, private cloud and/or on-premise environment. This definition, understanding and execution of roles is critical for cloud security. According to Gartner, by 2020, 90 percent of companies will utilize some form of the hybrid cloud. In the end, security requires expertise, tools, discipline and governance. The ability for organizations to leverage and push responsibility to vendors is an underlying benefit of cloud.
How to Move to Cloud Safely
The migration process isn’t a simple task. While there is no universal pathway to migrating securely, the following tips will help IT professionals make the move:
Having a plan in place post-migration is also vital, as security doesn’t stop when the migration is complete. Companies should continue to assess their applications to ensure security remains a top priority. Working with a third-party provider or MSP skilled in cloud security can help take some of the load off the IT team, as systems require continuous updates, maintenance and cost optimization that will need to be monitored to ensure that resources deployed in the cloud are being used as efficiently and safely as possible.
Cloud technology has advanced significantly over the past 5 years. While IT pros may miss the sense of security of actually being able to physically see, restrict and manage access to their tech stack in an on-premise environment, the tide has shifted so that the benefits of cloud along with the maturity and ongoing evolution of cloud security products and services has enabled organizations to achieve a high, if not increased, level of security if implemented properly.
Copyright 2010 Respective Author at Infosec IslandThis week, it's our quarterly security money segment! In the first segment, we'll review the Security Weekly 25 index! In our second segment, we'll share the results of our Security Weekly 25 Index Survey, which we completed earlier this year!
Show Notes: https://wiki.securityweekly.com/BSWEpisode147
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
FreshRSS