Login
In Part 1 of our Through Your Mind’s Eye series, we explored how our brains don’t give each decision we make equal attention, and we take mental shortcuts known as biases. These biases allow us to react quickly, but they can also lead to mistakes and oversights. Because we all have biases that shape who we are, our decisions in and out of cybersecurity can be impacted in both good and bad ways.
Safety bias is focusing on shortcomings so as not to take a risk. Many studies have shown that we as humans would prefer not to lose money even more than we’d prefer to gain money. You may have heard about studies where people are offered a lower amount of money now or higher amount in two years. Most participants took the sure thing of money now rather than wait for more. However, this changes when people are faced with a loss decision. For instance, when asked if they would rather definitely lose $100 or take a 50% chance of losing $1000, most say they would take the option to risk losing $1000. Because of safety biases, progress in decision making is slowed and healthy forms of risk taking are held back.
Safety bias is seen in security development operations, risk assessment, policies and procedures, decision making, and identity and access management. For the area of security development operations, is your dev ops team applying traditional network controls to the cloud or are they looking at how they can refactor to help take their organization to the next level? Are they stuck in the past or moving to the future?
When was the last time you reviewed your security products and their capabilities for risk assessment? Are you keeping what you have because you already purchased those solutions, or are you reviewing them to ensure they’re the best at keeping your organization safe? For example, does your current solution have a vulnerability scanner that can identify advanced vulnerabilities? Would you upgrade if it didn’t? If you aren’t evaluating your security products against emerging threats on a regular basis, your risks can be impacted without realizing it.
There are also parallels with our example above where participants took the immediate sure thing. The same thinking causes companies to invest in solutions that may be overkill to address overly specific and high impact/low probability risk factors. They are solving for something with a low probability of happening and, as a result, may be spending much more on policies and procedures than necessary.
When there is an ambiguity in decision making, system owners may be reluctant to upgrade or apply the latest patches. There may also be an unwillingness of end-users to configure security features, and a lack of interest from developers to add new security features to an existing application. As a result, these system owners err on the side of caution so as to not break or change something since they see this as more of a risk than installing the latest patches. Likewise, developers may opt for cost savings rather than add in security features.
As you move from on-prem to cloud solutions, have you considered what software applications need to be retooled for optimization in the cloud for your identity and access management requirements? What new identity analytics solutions need to be put in place to be prepared for the future? Or are you keeping things “as is” because that is the safe thing to do?
Some social scientists lump the ostrich effect with safety bias. The ostrich effect is based on a myth that ostriches bury their head in the sand when they sense danger. Is your team “burying their heads in the sand” when they need to make a risky decision?
To overcome safety bias, get some distance between you and the decision being made. Imagine a past self already having made the choice successfully in order to weaken the perception that there will be loss. Another idea, if you feel this is something happening in your environment, is to balance out your team with both risk-taking and risk adverse team members.
Framing Effect – The framing effect also influences safety bias and relates to how something is “framed” or described. For instance, if something is worded in a negative way to emphasize the potential for loss, the receiver may be afraid to take a risk. You may have seen commercials for cyber services that say, “1 in 5 companies lost their data while using another service”. Instead of focusing on the 4 that did not lose their data, they focused on the 1 that did lose so you’ll think about them protecting you instead of their competition. Another example that drives home the point is related to health. Let’s say you needed an operation. How would you feel if the doctor told you that you had an 80% chance of recovery? Now what if the doctor said you had a 20% chance of death by having this same operation? Would you think differently how you approached the operation? Pay attention to how statements are phrased to overcome gut reactions when deciding.
Affinity Bias – Affinity bias is gravitating to what we know or are comfortable with as opposed to the unknown. For example, when you see a stranger wearing your college alma mater sweatshirt in another city you instantly feel a connection to them even though you have never met. This creates an “in-group” bias. This can manifest in cyber as an aversion to new product offerings. Are you still using the same solutions you’ve been using for the last 20 years because they are familiar and comfortable to you or are you using an XDR solution now? You may also feel your direct team alone has all the right answers and no one else knows how to secure the environment or application better than your team. Is that because it’s true or because you are most comfortable with them?
Similarity Bias – Similarity bias occurs because we as humans are highly motivated to see ourselves and those who are similar to us in a favorable light. We unconsciously create “ingroups” and “outgroups”. These could be related to the city or country where we grew up or live today, where we went to school, areas of interest, etc. Are you hiring people who are similar to who you currently have on the team or are you looking for skills and individuals that bring diverse perspectives or meet your needs in the next 1-2 years?
Loss Aversion – An example of loss aversion can be observed when companies have already invested in their traditional IT infrastructure so why move to the cloud? Moving to the cloud takes time and resources. Instead of modernizing, they keep buying new servers and storage to keep the environment running as it had been for decades.
Distance Bias – Distance bias is prioritizing what is nearby whether it is in physical space, time, or other domains. Prior to the pandemic when we were in conference rooms having conversations, how many times did you observe people in the meeting room failing to gather inputs from their remote colleagues on the phone? Or have you decided based on what you needed to do sooner in time instead of considering the long-term effects of what was best for the company?
As you saw in each of the biases featured in both of our articles, they are not mutually exclusive. There are many overlaps between the different types of cognitive biases. How do we address these?
Awareness of the cognitive biases at play for you and your teams is one of the first steps to ensuring your company is not at risk. After you have acknowledged the possibility of biases and flaws in your environment, examine where you may have biases influencing your cybersecurity posture. This requires personal insight and empathy by all involved.
Begin to educate others on where and how biases could be impacting your cybersecurity posture. Once that is done, have a thorough review of your current cybersecurity posture and adjust as necessary. Over the next few months, work on building habits across the team to ensure you are consciously removing biases that could be influencing your cybersecurity posture.
Our adversaries understand human biases and actively try to exploit them. Removing these biases as much as possible can help you and your team improve your security posture and defend your organization across all levels.
The post Through Your Mind’s Eye: How to Address Biases in Cybersecurity – Part 2 appeared first on McAfee Blogs.
Imagine this scenario: a CEO, CIO, CTO, CISO walk into a bar…
The CTO has heard about cocktails that go beyond the “pour and shake,” and asks the bartender what they know about molecular gastronomy to take their drink to the next level. The CIO considers the CTO’s choice, weighing the risk versus reward of trying something new. The CEO orders a Long Island iced tea – a bold, ambitious, and challenging choice that incorporates a bit of everything, but they know in their gut it is the right decision and direction. The CISO orders a water.
Why? Because somebody always must be the designated driver, taking the responsibility to protect the integrity of the entire team and organization. They are the eyes and ears, proactively anticipating what may happen, knowing the onus is also on them to respond reactively to anything that may occur.
While in a bar this may mean things getting a bit rowdy, in the security operations center (SOC) it means an entire business can be compromised, creating a catastrophic spiral of events that can have massive impact and implications for customers, not to mention severe cost to the business.
Needless to say, the consequences are more extreme than a hangover. They remain always-on in the mind of the CISO – and this isn’t the only challenge the role faces. It is no secret in the security industry that elevating the role of the CISO to carry equal weight and footing as the rest of the executive or c-suite has been an uphill battle. While progress has certainly been made, there is always more work to be done to thwart and combat the seemingly never-ending barrage of threats that continue to emerge.
Nearly every industry has been impacted in some manner by the events of 2020 and so far, across 2021. Attacks have increased and promise to become even more plentiful, more sophisticated. Enterprises and organizations have struggled against unforeseen challenges, yet at the same time have faced increased pressure and demand to modernize, digitize, and transform.
We’ve seen that with today’s distributed workforce, cloud usage has increased, and enterprises are tasked with maintaining efficiency across even more endpoints – and keeping those endpoints safe. This has presented a tremendous opportunity for CISOs to maximize their full power and impact by proving to be the clear connection and catalyst merging technology and business.
This means today’s CISOs may need to do more with less, convincing fellow c-suite members that integration is more important than introducing new toolsets, applications, or solutions at a time when enterprises may be more vulnerable or susceptible to risk due to staffing constraints or conflicting priorities across the business. With the amount of change rapidly occurring across enterprises, CISOs have an increased impetus, responsibility, and opportunity to show enhanced value to the organization. They must continue to shift the perception that security can be a barrier to business efficiency and success and instead show that security is more than a compliance function, but a true business enabler.
In order for CISOs to be successful, they must stay steadfast in aligning with the CIO, CTO, CEO, and all the way up to the board. They can do this by showing up with data to demonstrate the impact (both past and potential) made to business, including proof points related to vendor sprawl and legacy technologies (and any associated cost or complexity) as well as insight into threats that were prevented and the damage they could have caused.
CISOs will also need to continue the shift on their end, adapting their role and approach from waiting for a compromise to happen to understanding threat actors, their common techniques, and how to get ahead. In short, they need to become what they fight against – proactive threat management means you need to think like a threat actor. Ideally, the CISO should not only be able to articulate business risks and impacts – they also need to show foresight and maturity to suggest controls or process improvements that can improve business efficiencies because security is built in to protect and enable this agility.
Once CISOs truly understand the business side of an organization and can not only relate but prove this value to the rest of the c-suite, they can be viewed as more of a strategic partner. With this line of thinking, the SOC can move from being viewed as a cost center to being a more deliberate and proactive part of the enterprise facilitating business success.
The post Give CISOs a Shot – They Deserve It appeared first on McAfee Blogs.
Summer is here, which means more sun and more fun for everyone. It also means more streaming, gaming, and downloading. This seasonal reality reminds us that to enjoy the best of summer, it’s important to stay aware of the digital risks that could sink the fun faster than you can say, “it’s hammock time!”
Emerging from the pandemic, we’re familiar with the increase in online time that came with remote learning. However, shift into summer means the remote learning hours will quickly turn into hours spent gaming, TikTok scrolling, and social networking. If you add summer travel plans to those activities, your family also becomes vulnerable to Wi-Fi breaches, viruses, sketchy apps, and device theft.
Suppose your family’s screen time rules became laxer this year. In that case, summer is the perfect time to start re-establishing healthy digital habits for gamer security, app security, and Wi-Fi security, be it at home or while traveling. Here are just a few tips to get you rolling.
According to a recent McAfee study 2021 Consumer Security Mindset: Travel Edition, 2 out of 3 Americans plan to travel this summer. However, the study also highlighted a troubling discrepancy: while 68% of Americans confirm they are more digitally connected since the onset of COVID-19, only about half of them have implemented additional levels of internet security.
Chances are someone in your immediate family — perhaps an elderly relative or a younger child — is among those who are more connected since COVID-19 but less secure as they head into the summer months. One way to close that gap is to educate and share family internet security tips. Here are just a few.
This summer can unfold seamlessly and be packed with unforgettable family memories. Or, it could be a season you’d rather forget if you wander into a digital danger zone. Remember: Your family’s privacy is as strong as your weakest family member’s security IQ. One vulnerable person exposes the data and security of everyone under your roof. So, taking the time to build up your family’s internet security is a big step in bummer-proofing your summer. Here’s to fun, sunny, safe days ahead!
The post At Home or On-the-Go: Boost Your Internet Safety this Summer appeared first on McAfee Blogs.
When we think of tipping, many don’t see it as anything beyond a display of gratitude. However, Twitter’s latest feature is prompting its users to rethink this sentiment. It hasn’t been long since Twitter released their new Tip Jar feature, which allows users on the platform to send tips to designated accounts. However, online users and security experts are already exposing the vulnerabilities in its architecture.
Twitter’s Tip Jar has sparked concerns over user privacy due to the exposure of user’s shipping address, not to mention concerns over fraudulent payment disputes. Here’s what you need to know about this feature and what it means for your financial and data privacy.
It was recently revealed that the new feature may not be as secure as it was believed to be. Users were quick to point out a critical flaw that reveals their shipping address to the recipient when sending money through PayPal. Shortly after, others also discovered that Twitter Tip Jar could reveal a user’s email address even if no transaction took place. Only a limited number of accounts can receive payments, including creators, journalists, experts, and nonprofits. However, anyone can send tips, making the new feature’s vulnerabilities more concerning.
The reason why PayPal displays the sender’s shipping address is because Twitter categorizes tipping as a payment transaction. Therefore, recipients would receive the sender’s payment and shipping details by default, just like any other vendor would in a typical online transaction.
While your information is not shared publicly, exposing it to recipients poses increased security risks.
Picture this: Hackers recognize notable recipients and hack their accounts to steal their information—including your personal address. They then use your information to carry out targeted phishing attacks and ransomware. You lose your data, your device becomes infected and therefore unusable, and you’re even more susceptible to identity fraud—all stemming from an attempt to leave a digital tip as a token of goodwill.
Twitter Tip Jar is a prime example of a good idea gone awry. Twitter released the feature to support notable members of their community, many of whom prefer to use Twitter due to the level of anonymity that is allowed by the platform — it does not require your real name, which potentially leads to more anonymous interactions than other social media sites. For this reason, Twitter users are more vulnerable to privacy concerns when using the Tip Jar.
In addition to privacy concerns, hackers could also misuse the Tip Jar feature through fraudulent payment disputes. If someone tips a Twitter user using the Tip Jar and later files a “dispute” regarding the payment, PayPal requires the recipient pay a $20 dispute charge. Now imagine if a malicious entity does this to a recipient multiple times. The user could quickly accumulate hundreds of dollars in dispute charges instead of tips, causing the direction of money flow to effectively be reversed and financial stress on the recipient.
It can be challenging to safely navigate social media from a cybersecurity perspective because sharing is now synonymous with social networking. If you actively participate on social platforms, here are the three tips you should follow to side-step any security gotchas along the way:
Fortunately, there’s a simple workaround to avoid publicly sharing your shipping address while using the Twitter Tip Jar. When sending a tip using Tip Jar, rather than inputting an address under the shipping address form field, simply defer to the “No address needed” option to keep your address private.
Double check your privacy settings in both your social apps and your connected third-party payment systems. As you navigate this new feature and any that are up–and–coming, take note of the privacy policies that impact how your personal data is being used. (e.g. Twitter has updated its tipping prompt and Help Center to make it clear that other apps, such as PayPal, may share information between people sending and receiving tips).
Security researchers and engineers are constantly working to fix software bugs and vulnerabilities in the background. By turning on automatic updates, you are guaranteed to have all the latest security patches and enhancements for your apps and tools as soon as they become available.
It can be tempting to jump on the bandwagon when a shiny, new feature makes its way to the social media platforms you use and love. But taking the time to learn about these features before choosing to participate can save you from a potential privacy headache, especially in the case of the Twitter Tip Jar. By educating yourself on both the benefits and the risks, you’ll be able to take actionable steps that protect your personal information.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Keep the Change: 3 Tips for Using the Twitter Tip Jar appeared first on McAfee Blogs.
In the wake of the Schrems II decision[1], and even more in the light of Friday’s Facebook ruling[2], the question on everyone’s mind is how to truly protect personal data from the prying eyes of national security agencies around the world. Despite detailed guidelines[3] issued in November 2020, in the absence of new definitive guidelines for transferring data across European borders[4], many are starting to wonder whether data localisation is the magic bullet to protect personal data.
The terms ‘data sovereignty’, ‘data residency’ and ‘data localization’ are a source of confusion for most people. They are effectively three degrees of a single concept: how data privacy impacts cross-border data flows. This subject has become increasingly important following the Schrems II decision and its requirement that organizations when processing personal data must ensure their privacy is not put at risk and subject to governmental surveillance when shared across borders.
Data residency refers to the country where an organisation specifies that its data is stored, usually for regulatory or policy reasons. A common data residency requirement example is for tax purposes: to prove an organisation conducts a greater portion of its business in a given country, it will put in place an infrastructure that requires a strict data management in order to protect its taxation rights.
Data sovereignty differs from data residency in that not only is the data stored in a designated location, but it is also subject to the laws of the country in which it is physically stored. This difference is crucial, as there will be different privacy and security requirements depending on where the data centres physically sit. From a legal perspective, the difference is important because a government’s data access rights vary from country to country.
Data localisation is the most stringent concept of the three, which is the reason why it is often referred to as “hard data localisation”. It requires that data created within certain borders stay within them and is almost always applied to the creation and storage of personal data, without exception. A good example is Russia’s On Personal Data Law (OPD-Law), which requires the storage, update and retrieval of data on its citizens to be limited to data center resources within the Russian Federation.
In the post-Schrems II world, some organisations have taken the view that the GDPR requires hard data localisation. The question is then whether such practices are realistic, and whether they offer similar privacy protection to that of the GDPR.
Data localisation runs counter to the principles of cloud computing (and the internet) – allowing the free flow of data for the greatest use. It is also potentially contrary to the principles of free movement of data under EU law[5]. The Internet is global and beyond the Internet, most companies operate in an integrated global environment, bearing in mind that “remote access by an entity from a third country to data located in the EEA is also considered a transfer.”[6].
The cost of operating a localised service must also be factored in, including support, engineering (e.g. development, debugging and maintenance), and backup (e.g. redundancy) costs. So, whilst the creation of local infrastructure may in the short-term imply jobs for local economies, the reality is that given there are often fully automated, the jobs and investment dividend may be short-lived.
Data localisation is also often touted as a mean to shield European citizen data from 3rd country government surveillance in particular US Government access under the CLOUD Act. While localisation does offer some protections (i.e. from transfer of data out of the territory), it does not automatically mean that data will be protected adequately in country. For example, data localisation does not mean that appropriate encryption standards are met, nor does it mean that there is no local surveillance – even in adequate countries[7].
You have probably heard of the Five EYES, Nine EYES, and Fourteen EYES Alliances. If not, these are all about intelligence sharing agreements. Initially, the Five Eyes Alliance arose out of the cold war era and was a pact between the United States and the UK aimed at decrypting Soviet Russian intelligence. By the late 1950s, Canada, Australia, and New Zealand also joined the Alliance. These five English-speaking countries are the Five Eyes Alliance. On top of this alliance, two other international intelligence-sharing agreements are publicly known: the Nine Eyes (Five Eyes + Denmark, France, Holland, Norway) and the Fourteen Eyes Alliances (Nine Eyes + Germany, Belgium, Italy, Sweden, Spain).
With this in mind, some companies argue, without evidence, that by doing business from a given jurisdiction, they are able to offer more adequate protection against surveillance. And without much surprise, not one country, even within the European Union, offers the same level of protection against surveillance, and the US’ surveillance activity isn’t much more extensive than other countries viewed as providing adequate protection.[8] Let’s take for instance the use of a VPN to protect privacy. Many providers argue that choosing a VPN outside the 5/9/14 Eyes countries may offer further protection.
The truth is once this very obvious statement is said, the question still remains wide open for many valid reasons. VPNs are international operations, meaning effectively, any organisation operating in a given country may be liable to that country’s law enforcement, whether by treaty, or by any other type of court orders. If a country does not have a general treaty and is not part of 5/9/14 eyes, there’s nothing stopping one country from putting political pressure on the other (sanctions, for example) to get what they want. Additionally, operating in a given country, for instance Panama, does not mean a country will refuse to cooperate with another country’s authorities, such as Canada.
There is little chance to find one country that is completely immune to data access laws in one way or the other, and nothing can stop one country from putting pressure on another one to obtain what it wants. That works for companies as well. For instance, Microsoft recently announced that it has “answered Europe’s call,”[9] but it cannot reject a request based on the CLOUD Act, and the compensation offered by Microsoft for a violation of the GDPR is not equivalent to the recourse to an available judicial remedy as requested under the Schrems II decision.
Now, once all of the above is said, it must be kept in mind that just because being anonymous is impossible, that you shouldn’t still try to protect your personal data as much as possible, or request companies to strictly comply with data minimization principles. All in all, governments would not have access to so much data if companies were not holding themselves so much data. Data minimization ends up being not only a good tool for increasing security, since attackers can’t steal what you don’t have, but also because it could potentially help people decrease the costs of data redundancy, storage, etc.
In 2020, the Internet Society penned a report on the implication of data localisation for cybersecurity that has much merit, and stated that “Cybersecurity may suffer as organizations are less able to store data outside borders with the aim of increasing reliability and mitigating a wide variety of risks including cyber-attacks and national disasters.”[10]
Data localization practices may harm cybersecurity services through the following facts:
This train of thought also applies to the selling of data to unsecure third parties within the same region or preventing unauthorised access to the data gained by third parties.
Some also argue that data localisation interferes with fraud prevention. For example, the inability to mirror data across several data centers can prevent the provider from seeing patterns and trends of fraud or other risks.
Data localisation may be presented by some as a magic bullet, but the complete implications are yet to be fully understood. Hence policies or commercial practices requiring forced data localisation must be thought through carefully as they can impact the free flow of data, can comprise the ability to scale platforms and services for global customers in addition to the many cybersecurity harms that may impact operational effectiveness.
Disclaimer: This blog reflects the authors’ personal opinions. Any statements, opinions, and any errors are the authors’ own and not those of McAfee. The statements in this blog do not constitute legal advice, and each company must determine for itself its obligations under all laws. Nothing herein establishes an attorney-client relationship.
[1] https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf
[2] The EU-U.S. Data Transfer Problem Is Bigger Than Most People Realise (linkedin.com)
[3] Recommendations 2020/1 and 2020/2 of the EDPB – https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
[4] European Standard Contractual Clauses, available on https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
[5] The European Parliament considers “the free movement of data as the Fifth Freedom in the single market after the free movement of persons, goods, services and capital” – Morrison Foerster Client Alert “New EU Regulation to Strengthen the Free Movement of Data 06 Nov 2018” https://www.mofo.com/resources/insights/181106-eu-regulation-data-movement.html
[6] https://iapp.org/news/a/why-this-french-court-decision-has-far-reaching-consequences-for-many-businesses/
[7] For example, French surveillance laws authorises surveillance not only to combat terrorism and other criminal offences, but also to protect France’s major economic, industrial, and scientific interests.
[8] https://www.comparitech.com/blog/vpn-privacy/surveillance-states/
Canada is part of the 5 Eyes but has repeatedly demonstrated its commitment to free and unrestricted internet access and has strong protections for freedom of speech and press, and the government has expressed support for net neutrality. Iran is not part of any of the know alliances. However, VPN providers are required to request government approval before providing their services, and people accessing the international internet network using VPNs without such government approval risk up to 1 year of prison time.
[9] https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/
[10] https://www.internetsociety.org/resources/doc/2020/internet-impact-assessment-toolkit/use-case-data-localization/
The post Data Localisation – The Magic Bullet? appeared first on McAfee Blogs.
Cybersecurity and biases are not topics typically discussed together. However, we all have biases that shape who we are and, as a result, impact our decisions in and out of security. Adversaries understand humans have these weaknesses and try to exploit them. What can you do to remove biases as much as possible and improve your cybersecurity posture across all levels of your organization?
Cybersecurity personnel have many things to address and decisions to make every day — from what alerts to investigate, to what systems to patch for the latest vulnerabilities, to what to tell the board of directors. However, our brains don’t give each decision equal attention—we take mental shortcuts. These mental shortcuts are known as biases and they allow us to react quickly.
In this two-part blog series, we’ll explore the types of cognitive biases that could be affecting your company’s security posture and give you tips on how to address these biases.
Do you feel you are biased? We all are to some extent. What do you see when you look at this picture below? Faces or a vase? Some people may see one or the other and some see both. This is representative of what happens in real life. Many of us are at the same meeting together but leave with different perspectives about the discussion. This is our cognitive biases influencing us.
A cognitive bias is a result of our brain’s attempt to simplify processing of information. The formal definition says it is “a systematic pattern of deviation from norms in judgment”. We as individuals create our own “subjective reality” from the perception of the inputs. Our construction of reality, not the input, may dictate how we behave.
Availability bias is a mental shortcut that our brains use based on past examples relating to information that is “available” to us around a specific topic, event, or decision. This information could come from things we saw on the news, heard from a friend, read, or experienced. When we hear information frequently, we can recall it quickly, and our brains feel it is important as a result. With all the urgent interrupts and overall volume of decisions needing to be made by CISOs and other cyber executives, it is very easy to get caught up in decision making based on past or recent information.
Availability bias impacts security in many ways. We often see the impact in the areas of risk assessment, preparedness, decision making and incident response. In the area of risk assessment, availability bias may arise when the company board of directors looks for an updated risk assessment. Rather than focusing on the entire company, data could be presented with respect to an area for which another company had a breach. For example, we have seen SolarWinds in the news a lot throughout the first quarter of this year, and our inclination might be to assess our risk in the context of that incident. However, the assessments should look at all aspects of the business in depth and not just focus on the supply chain risks. Are there issues that require more attention than what is trending in the news?
We also see availability bias in preparedness when organizations prepare for high impact, low probability events instead of preparing for high probability events. What we should worry about doesn’t always align with what we do worry about. Events that have a high impact but low probability of occurring, such as an airplane crash, a shark attack, or volcano eruption, often receive much attention but are less likely to occur. We remember these much more than we remember higher probability events like falling off a ladder or automobile accidents. For instance, can you name the last phishing campaign you heard about or the last time someone’s PII was stolen? Probably not, but these are examples of the high probability events your organization most likely needs to prepare for.
In the area of decision making, your CISO or the cybersecurity analysts may make decisions in favor of hot topics in the news. These topics may overshadow other information they know or is so mundane that it becomes background noise. As a result, decisions made are not well rounded. For example, if there was a recent IoT related issue like Dyn in 2016, your analysts may over focus on IoT related security decisions and neglect things like investing in new security controls for your mobile devices.
Availability bias also surfaces during critical incidents when emotions are typically running high and the focus is on quickly addressing the issue at hand. Focusing on securing the specific area where the incident occurred may leave us blind to another issue waiting in the wings. Let’s pretend someone broke into your home through a window, your first thought may be to secure all the windows quickly; however, if you didn’t look at all your security risks, you may forget that you can shake your garage door lock, and it’ll pop open.
Our analysts are typically exploring data thoroughly though executives may not always see the in-depth information. If you are at the executive level, I would recommend you review all the facts and consciously look beyond what is available quickly so you get the full picture of the incident, how prepared you are, risks, etc. If you are an analyst or in a position of influence, I would recommend summarizing the facts in way that accurately reflects the probability of those events occurring as well as considering all possible events.
Another bias that appears in cybersecurity is confirmation bias. This is when you look for things to “confirm” your own beliefs or you remember things that only conform to your beliefs (similar to availability bias). For example, your news feed may be full of things related to your political beliefs based on what articles you clicked on, shared, or liked. Chances are it’s not filled with things that oppose your beliefs. A few areas where confirmation bias is seen in cybersecurity is in decision making, security hygiene, risk assessment, preparedness, and penetration testing.
When you are making decisions, are you considering different points of view or just looking to your close group of trusted advisors who may think like you? Are you willing to push and challenge your own beliefs to ensure you are making the best decisions for the company?
When was the last time you reviewed your company’s security hygiene? Are you diligent about updating systems or do you believe it won’t happen to you because nothing has happened in the past? Are you using an XDR solution in your environment or do you feel you don’t need it because all your current systems are serving your needs just fine? Do you feel you are more secure when you are in the cloud vs on-prem despite human error affecting both?
How do you approach cybersecurity preparedness? Are you passive, reactive, or progressive? Similar to hygiene, do you feel an incident won’t happen to you so you look for data to confirm that? Or are you the opposite and feel you may repeat incidents if you don’t do everything possible to look for data to confirm those beliefs? If you are an executive, are you reviewing the facts and evidence for all your cyber processes or just those that you personally know well from early on in your career? I’ve seen some analysts ignore some of their alerts because they weren’t quite sure how to deal with them. As a result, they fall back on what they know or information that is readily available.
Sometimes organizations may hire third party companies or employ penetration testing performed on their environments. When you define the scope of work, are you looking for all the gaps or holes or just focusing on the weaknesses and strengths? When the results come in, do you address everything that is recommended or only focus on the items you believe will impact you?
It is hard to look beyond what we believe because in our eyes it is ground truth. It is important in making security decisions that we look beyond what we want to hear or see to ensure we are getting what we need to hear and see.
Unconscious or implicit biases are social stereotypes about certain groups of people that we form outside of our own conscious awareness. Just as you see in the picture, our mind is like an iceberg where the conscious mind is what we can recall quickly and are aware of. The subconscious mind stores our beliefs, previous experiences, memories, etc. When you have an idea, emotion, or memory from the past, it’s recalled from our subconscious by our conscious mind. The third layer – our unconscious mind – is deep inside our brain.
Everyone holds unconscious beliefs about various social groups, and these biases stem from our tendency to organize social worlds by categorizing them quickly. We often think about unconscious bias in the context of negative biases, but there are also positive unconscious biases, for example feeling a connection to someone from your hometown or college alma mater. Unconscious bias impacts security in the areas of decision making, risk assessment, incident response, cyber security policies and procedures, and identity and access management.
In the area of decision making, I’ve seen executives blindly trust the IT team because they are perceived as being the “experts”. While this may be true, they are wrestling with the same unconscious biases and skills shortages many of us are. Just as it’s important to seek out additional information and facts when making your own decisions, it’s equally important to review the data and provide feedback and alternate opinions to others. Often, it’s easy to go with the majority and not rock the boat. If you feel that something needs to change or be addressed differently, don’t be afraid to go against the flow. Mark Twain is quoted, “Whenever you find yourself on the side of the majority, it’s time to pause and reflect.” When was the last time you went against the majority?
Another unconscious bias that sometimes arises is related to age. Some people feel older workers are a greater risk to a company than younger workers because they perceive older workers as not being “up to date” on newer technologies. Conversely, some feel younger people engage in risky behavior like visiting potentially suspect websites or sharing too much information on social media. As a result, security analysts may focus on the wrong areas as the source of a security risk or issue based on their biases.
If you had an incident, how would you respond? Would you blame an unsecure IT environment, incompetent end users or would you look at the facts and evidence in and outside of your beliefs to determine what happened? How would you and your team respond to the incident? If your security operations team felt that IT had not done their part prior to the incident, you may be looking in the wrong area for the source of the incident. You may have heard the acronym PEBKAC. For those that don’t know what it means, it stands for “problem exists between the keyboard and chair”. Are you sure the problem is PEBKAC or does it lie somewhere in your environment?
Implicit trust is another form of unconscious bias. When was the last time your cybersecurity policies and procedures were thoroughly reviewed? Let’s say you feel your SOC analyst is amazing, and you trust everything they say. Because of this implicit trust, you don’t think to dive into the details. As a result, you could have a firewall running without any defined rules but wouldn’t know because you’ve never checked. This doesn’t mean your SOC analyst isn’t trustworthy, just that you shouldn’t allow your unconscious bias to overrule the necessary checks and balances.
We can sometimes also be led to overconfidence by unconscious bias. For example, when writing a paper or an article, we can be certain that there are no mistakes or typos, but often it’s because we’ve read or reviewed it so many times that our unconscious mind reads it as it should be and not what it actually is. Similarly, in the area of identity and access management, security analysts and software developers may blame users for issues and fail to look at the internal infrastructure or their own code because they have a false confidence that leads them to believe they couldn’t possibly be the problem.
To overcome unconscious and implicit bias, ensure you are sticking to the facts and asking all stakeholders, including those you may disagree with for inputs. Also look in the mirror. Did you make a mistake or are you excusing your behavior instead of facing it? Also, don’t be afraid to follow the words of Mark Twain and pause and reflect to ensure you are making the correct decision, addressing the incident in the correct way, or hiring the right person.
Because we all have biases and take mental shortcuts, we need to make a conscious effort to address them. Look beyond what you want to hear or see and what shows up in your news feeds to address availability and confirmation bias. Ensure you are sticking to the facts and asking all stakeholders, including those you disagree with, for inputs to overcome unconscious and implicit bias. You don’t want to be the next company in the news because your biases got in the way.
The post Through Your Mind’s Eye: What Biases Are Impacting Your Security Posture? appeared first on McAfee Blogs.
In our last blog about defense capabilities, we outlined the five efficacy objectives of Security Operations, that are most important for a Sec Ops; this blog will focus on Visibility.
The MITRE Engenuity ATT&CK® Evaluation (Round3) focused on the emulation of Carbanak+FIN7 adversaries known for their prolific intrusions impacting financial targets which included the banking and hospitality business sectors. The evaluation’s testing scope lasted 4 days – 3 days were focused on detection efficacy with all products set to detect/monitor mode only, and the remaining day focused on protection mode set for blocking events. This blog showcases the breadth and depth of our fundamental visibility capabilities across the 3 days of detection efficacy.
It is important to note that while the goal of these evaluations by MITRE Engenuity is not to rank or score products, our analysis of the results found that McAfee’s blue team was able to use MVISION EDR, complemented by McAfee’s portfolio, to obtain significant visibility, achieving:
| Scenario | Evaluation Scope | Visibility Outcome |
| Scenario – Carbanak | Across all 10 Major Steps (Attack Phases) | 100% |
| Scenario – FIN7 | Across all 10 Major Steps (Attack Phases) | 100% |
The evaluation when tracked by Sub-steps shows McAfee having 174 sub-steps with a total 87% visibility.
When you seek to defend enterprises, you need to assess your portfolio and ensure it can go the distance by spanning across the endpoint and its diverse context, as well as network visibility stemming from hostile activity executed on the target system. More importantly, your portfolio must closely track the adversary across kill-chain phases (miles-wide) to keep up with their up-tempo. The more phases you track, the better you will be able to orient your defenses in real-time.
The Carbanak emulation consisted of an attack with 10 Major Steps (Kill Chain Phases) on day one, and our portfolio provided visibility across every phase. In these 10 phases, MITRE conducted 96 substeps to emulate the behaviors aligned to the known TTPs attributed to the Carbanak adversary.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
The FIN7 emulation consisted of an attack with 10 Major Steps (Kill Chain Phases) on day two, and our portfolio provided visibility across every phase. In these 10 phases, MITRE conducted 78 substeps to emulate the behaviors aligned to the known TTPs attributed to the FIN7 adversary.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
Tracking the adversary across all phases of the attack (miles-wide) is significantly strong, but to be really effective at enterprise defense, you also need to stay deep within their operating mode, and keep up with their movement within and across your systems through different approaches (feet-deep). At McAfee, we design our visibility sensors across defensible components to anticipate where adversaries will interact with the system, consequently tracing their activities with diverse data sources (context) that enrich our portfolio. This not only let us track their intentions, but also discover impactful outcomes as they execute hostile actions (sub-steps).
Defensible Components and Telemetry acquired during the evaluation.
If a product is configured differently you can obtain information from each Defensible Component, but this represents telemetry acquired based on the config during the evaluation (not necessarily evidence that was accepted).
Of the 96 Sub-Steps emulating Carbanak, our visibility coverage extends from more than 10 unique data sources including the automated interception of scripted source code used in the attack by our ATD sandbox integration with the DXL fabric.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
Of the 78 Sub-Steps emulating FIN7, our visibility coverage extends from more than 10 unique data sources providing higher context in critical phases with Systems/Api Calls Monitoring to preserve the user’s security awareness as advanced behaviors aim for in-memory approaches conducted by the adversary.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
Acquiring data from sensors is fundamental, however, to be effective at security outcomes, your portfolio needs to essentially spread its deep coverage of data sources to balance the security visibility blue-teamers need as the progression of the attack is tracked through each phase.
This essential capability provides the blue-teamer a balance of contextual awareness from detection technologies (EDR and SIEM), and decisive disruption of impactful behaviors from protection products (ENS, DLP, ATD, NSP) oriented to neutralize the adversary’s actions on objectives.
In every phase of the attack, McAfee protection fused with detection products would successfully neutralize the adversary and afford blue teamers rich contextual visibility for investigations needing context before and after the block would have occurred.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
This chart clearly shows how ENS (in observe mode) would have prevented a successful attack, blocking the Initial Breach, protecting the customers from further damage. For the scope of the evaluation, it’s also important to remark how the products interacted by providing telemetry on each step.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
In the impactful kill-chain phase of “steal payment data”, the DLP product kicks into prevention, while being complemented by the ATD sandbox intercepting the payload that attempts to steal the information, as well as EDR having contextual information within the kill-chain for offline investigations the blue teamer needs.
Here, we covered the essentials of visibility and how to determine the power of having a strong telemetry foundation, not only as individual sensors or defensible components that provide information, but when analyzed and contextualized, we enable the next level of actionability required to prioritize cases with enriched detections.
Stay tuned for the next blog series explaining how detections were supported by this telemetry where we produced 274 detections that have more than 2 data sources.
The post Miles Wide & Feet Deep Visibility of Carbanak+FIN7 appeared first on McAfee Blogs.
Personal devices and the information they carry are incredibly valuable to their owners. It is only natural to want to protect your device like a royal family fortifying a medieval castle. Unlike medieval castles that depended upon layers and layers of protection (moats, drawbridges, spiky gates, etc.), personal devices thrive on just one defense: a devoted guard called antivirus software.
Increasing your personal device’s security detail with more than one guard, or antivirus software is actually less effective than using a single, comprehensive option. Microsoft operating systems recognize the detriment of running two antivirus software programs simultaneously for real-time protection. Microsoft Windows automatically unregisters additional programs so they do not compete against each other. In theory, if you have a Microsoft device, you could run on-demand or scheduled scans from two different antivirus products without the operating system disabling one of them. But why invest in multiple software where one will do?
If you do not have a Microsoft device, here is what could happen to your device if you run more than one antivirus program at a time, and why you should consider investing in only one top-notch product.
Antivirus programs want to impress you. Each wants to be the one to catch a virus and present you with the culprit, like a cat with a mouse. When antivirus software captures a virus, it locks it in a secure place to neutralize it. If you have two programs running simultaneously, they could engage in a tussle over who gets to scan, report, and remove the virus. This added activity could cause your computer to crash or use up your device’s memory.
Antivirus software quietly monitors and collects information about how your system runs, which is similar to how viruses operate. One software could mark the other as suspicious because real-time protection software is lurking in the background. So, while one antivirus program is busy blowing the whistle on the other, malicious code could quietly slip by.
Additionally, users could be buried under a barrage of red flag notifications about each software reporting the other as suspicious. Some users become so distracted by the onslaught of notifications that they deactivate both programs or ignore notifications altogether, leaving the device vulnerable to real threats.
Running one antivirus software does not drain your battery, and it can actually make your device faster. However, two antivirus programs will not double your operating speed. In fact, it will make it run much slower and drain your battery in the process. With two programs running real-time protection constantly in the background, device performance is extremely compromised.
There is no reason to invest in two antivirus programs when one solid software will more than do the trick to protect your device. Here are some best practices to get the most out of your antivirus software:
One habit you should adopt is backing up your files regularly. You never know when malware could hit and corrupt your data. Add it to your weekly routine to sync with the cloud and back up your most important files to an external hard drive.
Whenever your software prompts you to install an update, do it! New cyber threats are evolving every day, and the best way to protect against them is to allow your software to stay as up-to-date as possible.
Always read your antivirus results reports. These reports let you know the suspicious suspects your software was busy rounding up. It will give you a good idea of the threats your devices face and perhaps the schemes that you unknowingly fell into, such as clicking on a link in a phishing email. This information can also help you improve your online safety habits.
Everyone needs strong antivirus. Yet antivirus alone isn’t enough to beat back today’s threats. Hackers, scammers, and thieves rely on far more tricks than viruses and malware to wage their attacks, and data breaches slip billions of personal and financial records into the hands of bad actors. You’ll want to pair antivirus with further protection that covers your privacy and identity as well.
For example the antivirus included with McAfee+ Ultimate can secure an unlimited number of household devices. Yet it offers far more than antivirus alone with our most comprehensive protection for your privacy, identity, and devices. The full list of features is long, yet you’ll get credit monitoring, dark web monitoring, removal of personal information from risky data broker sites, along with identity theft protection and restoration from a licensed expert if the unexpected happens. In all, it offers a single solution for antivirus, and far more that can protect you from the broad range of threats out there today.
The post Less Is More: Why One Antivirus Software Is All You Need appeared first on McAfee Blog.
Today’s technology allows you to complete various tasks at the touch of a button wherever you go. As a result, you place trust in online services that make everyday chores more convenient without second-guessing their effects. One such service is online banking. More Canadians are doing their banking virtually with over 76% using online or mobile devices. Despite the extensive measures that banks take to strengthen their online security, no system is fail-safe. It is extremely important to practice proper security habits and be on the lookout for online fraud to ensure the safety of your financial information.
According to the Canadian Bankers Association (CBA), banks in Canada use sophisticated technology and layers of security to help protect customers from fraud when doing their banking online or using a mobile banking app. Although online banking is generally safe, it does provide cybercriminals with a potentially lucrative opportunity. Some scammers turn to phishing techniques to trick people into handing over their sensitive personal information. They call, text, or email you claiming to be a representative from your bank and state that they noticed some unusual activity related to your account. The imposters then ask you to click on a link in the email or text message to verify your credentials. Unfortunately, this “verification link” is actually a phishing link, and cybercriminals can use the password or credit card details to walk right into your account.
Once cybercriminals gain access to your password and username, they may then move on to credential stuffing. Credential stuffing occurs when an attacker inserts the username and password for one account into the login page of another online service. This tactic capitalizes on the fact that many people reuse the same username and password across multiple accounts.
Hackers also use phishing to spread malware onto the devices you use to access online banking services. These suspicious emails and text messages disguised as notifications from your bank could contain malicious links or attachments that trick you into downloading malware on your device. Furthermore, attackers mimic banking and money transfer institutions to collect your credentials and access your sensitive information.
The convenience of paying bills and depositing checks without running to the bank or post office is undeniable. Everyone is always rushing about, so if you’re now doing these things online securing your online privacy is not a responsibility to speed through.
It’s important that you put your privacy first when using online and mobile banking platforms so you can use these convenient services without jeopardizing your financial accounts. Follow these tips to enhance your online banking security:
Review your bank’s terms and conditions to understand your responsibilities as the account owner and the responsibilities of your bank. Check your accounts regularly for transactions you didn’t make and contact your financial provider as soon as you find an error. Most banks have policies that reimburse you for unauthorized purchases if someone uses your credit card without your permission.
Look at the recommendations provided by your bank, for example, CIBC recommends using longer passwords for your bank account that include a combination of uppercase, lowercase, numbers, and special characters. Additionally, do not reuse this password across your other accounts. If a hacker guesses your password for one of your online accounts, it’s likely that they will check for repeat credentials across multiple sites. By using different passwords or passphrases, you can feel secure knowing that the majority of your data is secure if one of your accounts becomes vulnerable. If you’re worried about forgetting your passwords, subscribe to a password management tool that will remember them for you.
Always opt-in for two- or multi-factor authentication if your financial institution offers it. This is a method of signing in that requires not only a username and password but also a one-time code that is sent by text or email. This extra layer of verification makes it much harder for a criminal to access your sensitive accounts.
From splitting the check when eating out with friends to dividing the cost of bills, third-party mobile payment apps are an incredibly easy way to share money. Before downloading these apps, do your research. Ensure that the company behind the app or the app itself hasn’t undergone any major security incidents and that they have a history of patching bugs immediately. If you decide to download a mobile payment app, set your account to private and limit the amount of data you share. Additionally, look for the lock icon in your web browser when logging in to online banking platforms. A closed lock or padlock indicates that the website you’re on is secure.
Phishing scammers often undo their own plans by making simple mistakes that are easy to spot once you know how to recognize them. These mistakes include spelling or grammar errors throughout the email or text message, using a company’s logo with the incorrect aspect ratio or low resolution, and using a URL with typos. For example, phishers may swap an “o” with a zero, or end the address with “.con” instead of “.com.” If you receive a message with any of these characteristics, do not click on any of the links and delete it immediately.
Never conduct your banking business on a public or unsecured wi-fi network. Connect to a virtual private network (VPN), which allows you to send and receive data while encrypting your information. When your data traffic is scrambled, it’s shielded from prying eyes, which protects your network and the devices connected to it.
While online banking adds a wealth of convenience to your lives, it’s important that you remain invested in your security first and foremost. Cybercriminals often take advantage of your reliance on digital platforms to disguise themselves as bank representatives and trick you into handing over your personal data. To remain secure while online banking, practice good cybersecurity hygiene by using strong, unique passwords, multi-factor authentication, and stay vigilant while looking for signs of phishing. These tips will help elevate your financial security so you can virtually bank with peace of mind.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Elevate Your Financial Security: How to Safely Bank Online appeared first on McAfee Blogs.
Imagine, if you will, a scene straight out of one of your favorite impossible mission movies. The background music is driving a suspenseful beat while the antagonist attempts to steal the latest technology from a very favored industry competitor called Rad-X Incorporated. It’s a trade secret that will change the industry forever, and if the villain achieves her mission, she will hold the future of aviation in the palm of her hand. She’s bypassed laser motion detectors, swung from the ceiling to avoid floor placed pressure plates, and even performed some seriously intense acrobatics to slip through video surveillance mechanisms. Then, at the apex of suspense while the music ascends to a crescendo, a hard thumping release, she reaches out to grasp a microchip placed in the center of the room on a pedestal as if the room were designed only to show off its magnificence. As her fingers gently nestle against the circuit… the music stops, the alarms sound, and she walks out completely and utterly undisturbed!
All the components in this scene were meant to record and detect when an activity occurs. But when we needed it most all that it amounts to is a noisy detection capability. It did not actually “prevent” the malicious actor from doing anything. Instead, the system merely let everyone know that it occurred… very anticlimactic if you ask me, and frankly not very useful if you’re the good guy.
SIEM technologies have been used in security operations for over 15 years for a few reasons. First, SOCs must be able to tell a story while performing incident response investigations. And to go back in time effectively, logged events of these activities can be more easily accessed if the events are stored centrally and for an appropriate longevity. So, when the police show up, the victim can accurately name the perpetrator. Next, because the data sources are so disparate, SIEMs can be used to correlate activities among usually unrelated feeds. For example, if a floor plate triggered, then a motion sensor fires within 15 seconds of each other, their collective severity may raise more of an alarm. And thirdly, centrally reporting on collective data allows the business to identify where it is effectively investing in control technologies. In this extended example, the victim can run a report monthly showing that the microchip pressure sensor triggered 5 times this month, while the others may have triggered only once or twice. Certainly, all these capabilities are just as important today as they were in 2005.
But there is one glaring gap: why isn’t there a better way to take corrective action after the incident occurs? Extended Detection and Response (XDR) capabilities have some similar outcomes as we would expect in 2021, but with an added response component… and in McAfee’s case, many response components. Some capabilities overlap SIEM’s, which is natural based on each use case, but both of which are still essential to the modern security operations program.
Figure 1: SIEM vs XDR Capabilities
While SIEM technologies, for the most part, allow its administrators to integrate through APIs with other technologies, the actions available are often limited in nature and fail to provide a seamless and consistent response option across the landscape. XDR, however, does just that. The platform is designed such that whether the system on which you are acting is an endpoint, network component, or cloud service, the security operations practitioner should expect to enjoy an intimate level of native control on that security control device. Performing actions like restricting further access, retrieving additional information, or gaining console capabilities should be as simple as a click of a button. With XDR, when the alarm sounded, Rad-X would have been able to simply click a button to lock the vaulted room and apprehend the perpetrator.
And since this is a differentiator between XDR and SIEM platforms, it should stand to reason that response capabilities should be a key factor when comparing XDR providers. McAfee offers some of the most robust response capabilities right out of the box such as quarantining affected assets, while simultaneously offering the ability to write your own for Windows, MacOS, or Linux.
While it is painfully apparent that data entering data lakes and massive data collections are regularly changing, data types are changing almost as frequently. SIEM technology, which is heavily based on collectors, parsing, enrichment, ontology, and more, often fails to address the ongoing change of data types on the data source. This means that the collectors need to be updated frequently. However, what if the data was first triaged and analyzed at the source and the results delivered to the collection and correlation points? This would address a large portion of the data type challenge while simultaneously expecting and embracing the idea that the data will continue to live at its source. Sure, there may be cases where the raw data needs to be shipped to mass storage for historical searching and hunting, but those are the minority of the cases. And, since the goal of XDR is not to meet log retention requirements as a compliance tool, it need not focus on collecting all events created.
When running a search in XDR platform, such as McAfee’s MVISION XDR, the searches can be run against mass storage or in real-time. Realtime searches allow the data source to perform the query against the raw origination of the event. And, since both capabilities are available, comparing deltas between the state of the data source is easily done. If Rad-X, were using XDR they would be able to ask questions of the corridors, cameras, and entry ways the villain was using throughout the attack. Instead, they were forced to wait for an event significant enough to have occurred to be alerted that the incident was now in the past.
Figure 2: XDR Logical Architecture
Figure 3: Traditional SIEM Architecture
As you can tell from the illustrations above, XDR offers security teams a simpler cloud-native service architectural model when compared to traditional SIEM. The majority of SIEM deployments require all the native infrastructure to be deployed as on-premises software or appliances or in IaaS. XDR can reduce the complexity of your security configuration and the expert resources required to operate it.
Rad-X’s CEO wants answers, and he wants them now! How did this happen? Did we know about this criminal and anything she may have been up to? Were we the only targets? What is our best course of action to investigate what happened here?
MVISION XDR is designed to answer exactly these questions.
MVISION XDR goes beyond consolidation of endpoint detection and response (EDR), network detection and response (NDR), and cloud detection and response capabilities as it leverages threat intelligence and analytical posture assessments from MVISION Insights to guide its ability to predict, to prescribe, and to help prioritize what’s most important in your organization. MVISION Insights would help Rad-X shift its focus left of the moment of impact by telling its defenders about the pending threats from the threat actor. Knowing that she was targeting aviation innovators and that Rad-X was in her line-of-sight would have helped, but it would also call out the gaps in defense capabilities based on her techniques and procedures.
Then, even if the incident were to still have occurred, MVISION XDR would be able to take advantage of its Artificial Intelligence data analytics by examining how the intruder behaved, what kind of artifacts were left behind on the floor, and what may be missing from the environment which “should” be there. It’s like having a virtual Sherlock Holmes analyzing each of your XDR incidents across endpoints, network, and cloud environments.
Rad-X suffered an unfortunate event, but they learned an incredibly valuable lesson: SIEM is important as it meets some critical functions, but XDR is more appropriate in performing action driven investigations, threat analytics, rapid response, and more. So, if you find yourself in a position like Rad-X and are curious about the value and benefits of XDR in your environment, take a page out of Rad-X’s playbook and consider MVISION XDR to provide a shift left in threat predictions, prescriptions, and prioritization. Consider MVISION XDR to enhance your incident analytics capabilities with cloud-based AI playbooks. And consider MVISION XDR to provide detection and response capabilities from device to cloud.
If you’d like to learn more about what MVISION XDR can do for you and how it is evolving at McAfee, join me for a live tech talk on May 25, 2021. I’ll be joined by Randy Kersey, XDR Product Manager at McAfee, to discuss how security operations teams can respond more effectively to incidents by harnessing their extensive security telemetry with the latest release of MVISION XDR. Be sure to register via LinkedIn. I hope to see you there!
The post Mission Possible: Hunting Down and Stopping Stealthy Attackers with MVISION XDR appeared first on McAfee Blogs.
Browser push notifications can highly resemble Windows system notifications. As recently discussed, scammers are abusing push notifications to trick users into taking action. This recent example demonstrates the social engineering tactics used to trick users into installing a fake Windows Defender update. A toaster popup in the tray informs the user of a Windows Defender Update.
Clicking the message takes the user to a fake update website.
The site serves a signed ms-appinstaller (MSIX) package. When downloaded and run, the user is prompted to install a supposed Defender Update from “Publisher: Microsoft”
After installation, the “Defender Update” App appears in the start menu like other Windows Apps.
The shortcut points to the installed malware: C:\Program Files\WindowsApps\245d1cf3-25fc-4ce1-9a58-7cd13f94923a_1.0.0.0_neutral__7afzw0tp1da5e\bloom\Eversible.exe, which is a data stealing trojan, targeting various applications and information:
The post Scammers Impersonating Windows Defender to Push Malicious Windows Apps appeared first on McAfee Blogs.
Data protection acts are regularly coming into force around the world and on July 1st 2021 it is the turn of South Africa, as the POPIA (Protection of Personal Information Act) will be enforced from that date. I caught up with David Luyt, Privacy Counsel at Michalsons in Cape Town to discuss what this means for South African consumers, businesses and IT teams.
Nigel: Must my organisation comply with POPIA?
David: Essentially, if you are domiciled in South Africa or you process personal information in South Africa, then you need to comply with POPIA. POPIA, unlike the GDPR, does not apply extraterritorially. Meaning that it only applies to organisations in South Africa.
Nigel: How can I find out more about the POPI Act?
David: Knowledge is Power. Having a high-level awareness of POPIA is crucial in helping you decide what your next steps are going to be. To learn more about the impact of POPIA on your organisation, take the Michalsons’ complimentary impact assessment for your specific organisation, read our insights on it, or watch our video.
Nigel: Who is the right person to be responsible for this?
David: Every organisation has an Information Officer by default and they are responsible for ensuring that the organisation complies with POPIA. However, the whole organisation needs to understand its responsibilities. Any employee that handles personal information, all systems that store and process that information and all 3rd party and cloud providers that are part of that data processing need to be reviewed and understand their responsibilities.
Nigel: What is the impact on my organisation?
David: You need to know the impact of POPIA on your specific organisation so that you can decide what the next best steps are.
Complying with POPIA is not a case of one size fits all. Different organisations need to take different actions to comply. For example, what a small enterprise (or SME) has to do is very different from what a medium or large-sized organisation has to do.
An organisation’s actions are also dependant on the foundations already built to protect personal information. Some organisations may have many safeguards in place while others are new to the issue.
Nigel: What are my organisation’s next steps?
David: At Michalsons we believe that data protection is like personal fitness – it takes time to get fit! To learn more, have a look at our top tips for data protection projects. And if you’re wondering ‘how much does data protection compliance cost?’ then we have the answer for that too!
Nigel: Which departments seem to need the most help understanding POPIA?
David: It would be unfair to single out a single group or department, but the adage “you cannot manage what you cannot see” is very true in this situation. Every organisation needs to know where its personal data is kept, how it is handled and make sure that all employees recognise the importance of the Act.
A lot of initial work falls to the IT department to find all the current data on employees, business partners and clients and to ensure that this data is kept secure – whether inside or outside the organisation.
As we discussed in our joint webinar, this includes reviewing all outsourcing and cloud services – when you share or pass data to other organisations you are STILL responsible for everything that happens to that data, so you need to review these providers and put in appropriate measures to make sure that the data handling policies are designed to conform to the Act.
Your document on mapping POPIA to Cloud Computing has some good ideas for IT people to review – and not just for cloud, but all data handling should be reviewed in a similar way.
Nigel: Thank you for your time.
David: My pleasure.
The post POPIA – July 1st Deadline Approaches For New South African Data Protection Act appeared first on McAfee Blogs.
Every year CRN recognizes the women who are leading the channel and their unique strengths, vision, and achievements. This year, CRN recognized five McAfee individuals on their prestigious list of those leading the channel. Those selected demonstrate commitment to mentoring future generations and driving channel innovation and growth.
The 2021 Women of the Channel (WOTC) awards highlight over 1,000 women in all areas of the IT ecosystem, including technology vendors, distributors, solution providers and other IT organizations. We’re thrilled to see our colleagues recognized for their strategic vision and dedication to channel success. See below to learn more about each McAfee honoree.
Please join us in celebrating this recognition and congratulating these exceptional women who are at the heart of our channel business.
A channel veteran of 20+ years and 2020 WOTC recipient, Kristin Carnes joined McAfee through the acquisition of Skyhigh Networks and has lead channel growth for industry bellwethers like EMC (NYSE: EMC), Nimble Storage, (HPE Subsidiary) and Veritas Software. She was chosen to lead McAfee’s global channel programs and operations and now leads global teams supporting an extensive network of distributors. Kristin was instrumental in organizing the early 2021 expansion of McAfee and Ingram Micro’s partnership to sell in more than 20 countries leveraging the Ingram Cloud Marketplace. She has also launched new partner experience initiatives that have been adopted worldwide and driven changes in the McAfee rebate policy to improve partner profitability.
Madeline Fugate is an experienced sales and marketing leader with 23 years of experience in the channel. Madeline has a passion for mentoring and nurturing younger talent. Through coaching, she has developed a strong McAfee team for Tech Data that has delivered Tech Data’s Cyber Range with McAfee on premise and cloud solutions as well as an easy to use customer demo environment. Her work with Tech Data led to further growth in 2021 with IBM. This year, she also launched McAfee’s first social media campaign through Tech Data and played a fundamental role in improving operational efficiency to reduce quoting lead times.
With 25+ years of experience in distribution, Sheri Leach has dedicated the last 15 years to supporting and growing Ingram Micro with their McAfee business. This year, she was instrumental in launching McAfee on the Ingram Micro Cloud Marketplace soon to bring in millions of dollars in no touch business to McAfee and our partners. She’s worked closely with the team at Ingram Micro to also facilitate a creative finance program and to deliver a Business Intelligence program that helped the McAfee sales teams to create, plan and execute on business plans to drive more sales. Sheri was recognized on the 2020 WOTC list and believes that in 2021, the keys to partner success are partner enablement, frequent engagement and special finance to ensure partners are thriving amid the pandemic.
Sarah Thompson joined McAfee’s channel organization 13 years ago and has spent the last six years focused on building the Service Provider Specialization for partners delivering managed services globally. This year, Sarah managed the launch coordination, tracking progress and initiatives across product, channel, marketing and executive teams for McAfee’s partner lead managed endpoint detection and response (EDR) offerings. She’s driven innovation for McAfee’s channel by helping define a select set of partners as Global Service Provider Partners through the creation of formal requirements and curriculum.
Natalie Tomlin has been at McAfee for over 20 years, and currently drives much of McAfee’s “Channel First” global strategy through resources, tools, enablement and marketing efforts ensuring partners and customers have a good experience with McAfee. Her team is focused on helping McAfee’s strategic partners lead customer cloud adoption and deliver security from Device to Cloud. Returning to the WOTC list from 2020, Natalie’s current goal is to continue with McAfee’s “Channel First” strategy and to continue empowering, enabling, and listen to our partners.
The post CRN’s Women of the Channel 2021 Recognizes McAfee Leaders appeared first on McAfee Blogs.
Many have seamlessly transitioned their fitness regimens out of the gym and into the living room since the start of the COVID-19 pandemic, thanks in part to the use of IoT devices. IoT (Internet of Things) denotes the web of interconnected physical devices embedded with sensors and software to collect and share information via the internet. The most common IoT devices used for virtual fitness include wearable fitness trackers and stationary machines equipped with digital interfaces. As effective as these devices are for facilitating a great workout, many do not realize the risks they pose for their online security. According to McAfee Labs Threats Report, new IoT malware increased by 7% at the start of the pandemic. There are various steps that users can take to continue using these devices securely without compromising performance. But first, it’s essential to understand why these devices are vulnerable to cyber-attacks.
IoT devices are just like any other laptop or mobile phone that can connect to the internet. They have embedded systems complete with firmware, software, and operating systems. As a result, they are exposed to the same vulnerabilities, namely malware and cyber-attacks.
One reason why IoT devices are so vulnerable is due to their update structure, or lack thereof. IoT devices lack the stringent security updates afforded to laptops or mobile phones. Because they do not frequently receive updates—and in some cases, never—they do not receive the necessary security patches to remain consistently secure.
What’s worse, if the developer goes out of business, there is no way to update the existing technology vulnerabilities. Alternatively, as newer models become available, older devices become less of a priority for developers and will not receive as many updates as their more contemporary counterparts.
Without these updates, cybercriminals can hack into these devices and taking advantage of the hardware components that make them a significant risk to users. For example, they can track someone’s location through a device’s GPS, or eavesdrop on private conversations through a video camera or audio technology.
IoT devices with unpatched vulnerabilities also present an easy entry point through which hackers can penetrate home networks and reach other devices. If these devices do not encrypt their data transmission between different devices and servers, hackers can intercept it to spoof communications. Spoofing is when a hacker impersonates a legitimate source, the back-end server or the IoT device in this case, to transmit false information. For instance, hackers can spoof communications between a wearable fitness tracker and the server to manipulate the tracking data to display excessive physical activity levels. They can then use this data for monetary gain by providing it to insurance companies and 3rd party websites with financial incentive programs.
Hackers can also exploit device vulnerabilities to spread malware to other devices on the same network to create a botnet or a web of interconnected devices programmed to execute automated tasks. They can then leverage this botnet to launch Distributed Denial of Service (DDoS) or Man in the Middle attacks.
Whether you own an IoT device to monitor your health or physical performance, it is essential to take the necessary precautions to minimize the risks they present to digital security. Here are a few tips to keep in mind when incorporating your device into your fitness routine.
Default names and passwords are low-hanging fruit for hackers and should be the first thing you address when securing your router. Default router names often include the make or model of the manufacturer. Changing it will reduce a hacker’s chance of infiltrating your home network by making the router model unidentifiable. Further, follow password best practices to ensure your router password is long, complex, and unique.
Next, make sure you enable the highest level of encryption which includes Wi-Fi Protected Access 2 (WPA2) or higher. Routers with older encryption protocols such as WPA or Wired Equivalent Privacy (WEP) are more susceptible to brute force attacks, where hackers will attempt to guess a person’s username and password through trial and error. WPA2 and higher encryption methods ensure that only authorized users can use your same network.
Lastly, create a guest network to segment your IoT devices from your more critical devices like laptops and mobile phones. If a hacker infiltrates your IoT devices, the damage is contained to the devices on that specific network.
Updates are critical because they go beyond regular bug fixes and algorithmic tweaks to adjust device software vulnerabilities.
Make it a point to stay on top of updates from your device manufacturer, especially since they will not always advertise their availability. Visit their website regularly to ensure you do not miss pertinent news or information that may impact you. Additionally, make sure to update the app corresponding to your IoT device. Go into your settings and schedule regular updates automatically, so you do not have to update manually.
Do your research before making a significant investment in an IoT device. Ask yourself if these devices are from a reputable vendor. Have they had previous data breaches in the past, or do they have a grade A track record for providing high-security products?
Also, take note of the information your IoT device collects, how vendors use this information and what they release to other users or third parties. Do they have privacy policies in place to protect their users’ data under PIPEDA regulation?
Above all, understand what control you have over your privacy and information usage. It is a good sign if an IoT device allows you to opt-out of having your information collected or lets you access and delete the data it does collect
Next time you go for a run with geolocation activated on your smartwatch, think again about what risks this poses to your virtual security and even your physical safety. Enhance your security by only enabling the features that are necessary to optimize your fitness performance. In doing so, you ensure that hackers cannot utilize them as a foothold to invade your privacy.
IoT devices have made in-home exercise routines possible, given their increase in availability and ease of use. However, despite their capabilities for optimizing the fitness experience, the nature of these devices has made them one of many threats to personal privacy and online safety. For an elevated fitness experience beyond a great workout, start securing your IoT devices to integrate them into your everyday exercise routine safely.
The post Don’t Sweat Your Security: How to Safely Incorporate IoT Into Your Fitness Routine appeared first on McAfee Blogs.
Over the past week we have seen a considerable body of work focusing on DarkSide, the ransomware responsible for the recent gas pipeline shutdown. Many of the excellent technical write-ups will detail how it operates an affiliate model that supports others to be involved within the ransomware business model (in addition to the developers). While this may not be a new phenomenon, this model is actively deployed by many groups with great effect. Herein is the crux of the challenge: while the attention may be on DarkSide ransomware, the harsh reality is that equal concern should be placed at Ryuk, or REVIL, or Babuk, or Cuba, etc. These, and other groups and their affiliates, exploit common entry vectors and, in many cases, the tools we see being used to move within an environment are the same. While this technical paper covers DarkSide in more detail, we must stress the importance of implementing best practices in securing/monitoring your network. These additional publications can guide you in doing so:
As mentioned earlier, DarkSide is a Ransomware-as-a-Service (RaaS) that offers high returns for penetration-testers that are willing to provide access to networks and distribute/execute the ransomware. DarkSide is an example of a RaaS whereby they actively invest in development of the code, affiliates, and new features. Alongside their threat to leak data, they have a separate option for recovery companies to negotiate, are willing to engage with the media, and are willing to carry out a Distributed Denial of Service (DDoS) attack against victims. Those victims who do pay a ransom receive an alert from DarkSide on companies that are on the stock exchange who are breached, in return for their payment. Potential legal issues abound, not to mention ethical concerns, but this information could certainly provide an advantage in short selling when the news breaks.
The group behind DarkSide are also particularly active. Using MVISION Insights we can identify the prevalence of targets. This map clearly illustrates that the most targeted geography is clearly the United States (at the time of writing). Further, the sectors primarily targeted are Legal Services, Wholesale, and Manufacturing, followed by the Oil, Gas and Chemical sectors.
McAfee’s market leading EPP solution covers DarkSide ransomware with an array of early prevention and detection techniques.
Customers using MVISION Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.
MVISION EDR includes detections on many of the behaviors used in the attack including privilege escalation, malicious PowerShell and CobaltStrike beacons, and visibility of discovery commands, command and control, and other tactics along the attack chain. We have EDR telemetry indicating early detection before the detonation of the Ransomware payload.
ENS TP provides coverage against known indicators in the latest signature set. Updates on new indicators are pushed through GTI.
ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections.
ENS ATP adds two (2) additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.
For the latest mitigation guidance, please review:
https://kc.mcafee.com/corporate/index?page=content&id=KB93354&locale=en_US
The RaaS platform offers the affiliate the option to build either a Windows or Unix version of the ransomware. Depending on what is needed, we observe that affiliates are using different techniques to circumvent detection, by masquerading the generated Windows binaries of DarkSide. Using several packers or signing the binary with a certificate are some of the techniques used to do so.
As peers in our industry have described, we also observed campaigns where the affiliates and their hacking crew used several ways to gain initial access to their victim’s network.
The configuration of the ransomware contains several options to enable or disable system processes, but also the above part where it states which processes should not be killed.
As mentioned before, a lot of the current Windows samples in the wild are the 1.8 version of DarkSide, others are the 2.1.2.3 version. In a chat one of the actors revealed that a V3 version will be released soon.
On March 23rd, 2021, on XSS, one of the DarkSide spokespersons announced an update of DarkSide as a PowerShell version and a major upgrade of the Linux variant:
In the current samples we observe, we do see the PowerShell component that is used to delete the Volume Shadow copies, for example.
Tools observed:
Before distributing the ransomware around the network using tools like PsExec and PowerShell, data was exfiltrated to Cloud Services that would later be used on the DarkSide Leak page for extortion purposes. Zipping the data, using Rclone or WinSCP are some of the examples observed.
While a lot of good and in-depth analyses are written by our peers, one thing worth noting is that when running DarkSide, the encryption process is fast. It is one of the areas the actors brag about on the same forum and do a comparison to convince affiliates to join their program:
DarkSide, like Babuk ransomware, has a Linux version. Both target *nix systems but in particular VMWare ESXi servers and storage/NAS. Storage/NAS is critical for many companies, but how many of you are running a virtual desktop, hosted on a ESXi server?
Darkside wrote a Linux variant that supports the encryption of ESXI server versions 5.0 – 7.1 as well as NAS technology from Synology. They state that other NAS/backup technologies will be supported soon.
In the code we clearly observe this support:
Also, the configuration of the Linux version shows it is clearly looking for Virtual Disk/memory kind of files:
Although the adversary recently claimed to vote for targets, the attacks are ongoing with packed and signed samples observed as recently as today (May 12, 2021):
Recently the Ransomware Task Force, a partnership McAfee is proud to be a part of, released a detailed paper on how ransomware attacks are occurring and how countermeasures should be taken. As many of us have published, presented on, and released research upon, it is time to act. Please follow the links included within this blog to apply the broader advice about applying available protection and detection in your environment against such attacks.
Data Encrypted for Impact – T1486
Inhibit System Recovery – T1490
Valid Accounts – T1078
PowerShell – T1059.001
Service Execution – T1569.002
Account Manipulation – T1098
Dynamic-link Library Injection – T1055.001
Account Discovery – T1087
Bypass User Access Control – T1548.002
File Permissions Modification – T1222
System Information Discovery – T1082
Process Discovery – T1057
Screen Capture – T1113
Compile After Delivery – T1027.004
Credentials in Registry – T1552.002
Obfuscated Files or Information – T1027
Shared Modules – T1129
Windows Management Instrumentation – T1047
Exploit Public-Facing Application – T1190
Phishing – T1566
External Remote Services – T1133
Multi-hop Proxy – T1090.003
Exploitation for Privilege Escalation – T1068
Application Layer Protocol – T1071
Bypass User Account Control – T1548.002
Commonly Used Port – T1043
Compile After Delivery – T1500
Credentials from Password Stores – T1555
Credentials from Web Browsers – T1555.003
Credentials in Registry – T1214
Deobfuscate/Decode Files or Information – T1140
Disable or Modify Tools – T1562.001
Domain Account – T1087.002
Domain Groups – T1069.002
Domain Trust Discovery – T1482
Exfiltration Over Alternative Protocol – T1048
Exfiltration to Cloud Storage – T1567.002
File and Directory Discovery – T1083
Gather Victim Network Information – T1590
Ingress Tool Transfer – T1105
Linux and Mac File and Directory Permissions Modification – T1222.002
Masquerading – T1036
Process Injection – T1055
Remote System Discovery – T1018
Scheduled Task/Job – T1053
Service Stop – T1489
System Network Configuration Discovery – T1016
System Services – T1569
Taint Shared Content – T1080
Unix Shell – T1059.004
The post DarkSide Ransomware Victims Sold Short appeared first on McAfee Blogs.
Cybersecurity is often used as a blanket term to address online safety. Cybersecurity can refer to the software used to protect your devices, but it can also refer to the processes you put in place to protect yourself from online threats. Whether you’re implementing best practices, building awareness of security threats, or installing security software, taking a holistic approach to online security is crucial to remain secure and protected at all times.
Here are three tips for a holistic online security approach.
Efficient online protection ultimately begins with you, the end-user, and the steps you take to secure your devices.
The first step to ensure your device is secure is never to leave it unattended. Whether you’re at the grocery store or at home, always keep an eye on your devices. All it takes is a few minutes for someone to steal them or for kids to click on a malicious link while your attention is diverted. Make sure you have a contingency plan in case your device is compromised. For example, if someone steals your device, wipe the information on the device remotely. Revert it to the factory setting, so the thief can’t access your personal information. Regularly back up your data in the event of a lost or compromised device to ensure you retain important documents.
In some instances, you can also recover deleted files at any time given the right tools. Regularly shred unwanted documents for the files that you want permanently deleted. Install security measures across all devices and your networks to protect your data and privacy. Always lock your device before stepping away and layer your device security with multi-factor authentication to ensure you are the only one who can access your sensitive information.
Passwords are the gateway to your device and play just as critical a role in securing your personal information. Follow password best practices to prevent cybercriminals or mischievous children from infiltrating files and data. Use long and complex passwords and never reuse them across accounts. You can also use a password manager to keep track of your passwords in one centralized and secure location.
Strengthen your protection strategy by layering your physical device security with an enhanced awareness of relevant threats. Start by first taking a step back to assess your online persona. In other words, who are you? Are you a college student or a remote working parent who teleconferences frequently? Do you own an iOS device? Understand what your online devices and habits say about you as a person, as this will affect why and how cybercriminals target you.
For example, if you frequently teleconference for work or medical visits, you need to be aware of the teleconferencing risks of remote work or telehealth. Remote workers and telehealth patients face threats such as phishing emails or disrupted video conference calls. As a result, users must know the importance of using a video conferencing tool with end-to-end encryption and not sharing sensitive information through chat features.
Once you know the risks you face as an online user, consider the specific daily best practices for online safety. One good habit includes regularly updating your devices and software. Updating laptops, mobile devices, and routers ensure that existing bugs are fixed and security flaws are patched. Devices not equipped with the latest software are vulnerable to hackers.
Additionally, many cybercriminals will use social media to identify victims and target them through social engineering tactics. For example, they will send phishing emails to steal personal information and sell it on the dark web or hold it for ransom. Once you know what to look for, phishing emails are easy to spot. From there, you can send malicious messages straight to your trash folder and sidestep the threats that lie within. Check your privacy settings to control who can view your posts and ensure you receive notifications about suspicious activity on your account. Don’t respond to unknown messages and think twice before revealing sensitive information online. Practice better awareness by keeping up with new viruses and vulnerabilities. Use monitoring tools to check if your email or phone number is released in a recent data breach. Keep an eye on your financial accounts and consider freezing your credit to prevent hackers from taking out loans and opening new accounts in your name. Read reports such as McAfee Labs Threats Report and stay informed through credible news sources to stay one step ahead of the latest threats.
Also, stay aware of online fraud tactics since they are a significant risk for many Canadians. According to a CPA Canada Fraud Study conducted in January, almost three in four of those surveyed have received fraudulent requests including email and telemarketing requests. Evade online fraud by screening for unknown calls and steering clear of unsecured websites asking for sensitive information such as personal identification numbers and bank information.
The final component of a holistic security strategy involves implementing a complete security suite, such as McAfee Total Protection, across all your devices. Leveraging software security tools is one of the best ways to protect your devices and personal information from online threats. This software takes a multi-layered approach to security to prevent virus infection, detect vulnerabilities and minimize the risk of viruses.
For example, tools like a VPN and antivirus software take a preventive approach to online security. A VPN encrypts your data, so even if someone were to get their hands on your information, they would not be able to make much sense of it. Antivirus software guards against malware and monitors online traffic and activities for malware.
Detection and correction capabilities are also crucial to a well-rounded security suite. Identity theft protection is a critical part of this solution to ensure the integrity of your credit, as well as your court and criminal records, remain intact. Report missing ID cards and conduct a background if you suspect someone is impersonating you. The right security solution will be able to monitor your accounts and notify you when it detects unusual activity. It will also be able to guide you through the remediation process to restore your privacy and identity.
Effective cybersecurity requires a multifaceted approach to create a holistic security strategy. This approach should integrate layered protection starting with your devices, expanding to your threat awareness, and ending with the software tools you leverage to enhance your digital security. With a strategic framework in place, you can rest assured knowing that you are well equipped to handle whatever malicious threat comes your way.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post 3 Tips to a Holistic Online Security Approach appeared first on McAfee Blogs.
Today, Microsoft released a highly critical vulnerability (CVE-2021-31166) in its web server http.sys. This product is a Windows-only HTTP server which can be run standalone or in conjunction with IIS (Internet Information Services) and is used to broker internet traffic via HTTP network requests. The vulnerability is very similar to CVE-2015-1635, another Microsoft vulnerability in the HTTP network stack reported in 2015.
With a CVSS score of 9.8, the vulnerability announced has the potential to be both directly impactful and is also exceptionally simple to exploit, leading to a remote and unauthenticated denial-of-service (Blue Screen of Death) for affected products.
The issue is due to Windows improperly tracking pointers while processing objects in network packets containing HTTP requests. As HTTP.SYS is implemented as a kernel driver, exploitation of this bug will result in at least a Blue Screen of Death (BSoD), and in the worst-case scenario, remote code execution, which could be wormable. While this vulnerability is exceptional in terms of potential impact and ease of exploitation, it remains to be seen whether effective code execution will be achieved. Furthermore, this vulnerability only affects the latest versions of Windows 10 and Windows Server (2004 and 20H2), meaning that the exposure for internet-facing enterprise servers is fairly limited, as many of these systems run Long Term Servicing Channel (LTSC) versions, such as Windows Server 2016 and 2019, which are not susceptible to this flaw.
At the time of this writing, we are unaware of any “in-the-wild” exploitation for CVE-2021-31166 but will continue to monitor the threat landscape and provide relevant updates. We urge Windows users to apply the patch immediately wherever possible, giving special attention to externally facing devices that could be compromised from the internet. For those who are unable to apply Microsoft’s update, we are providing a “virtual patch” in the form of a network IPS signature that can be used to detect and prevent exploitation attempts for this vulnerability.
McAfee Network Security Platform (NSP) Protection
Sigset Version: 10.8.21.2
Attack ID: 0x4528f000
Attack Name: HTTP: Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)
McAfee Knowledge Base Article KB94510:
https://kc.mcafee.com/corporate/index?page=content&id=KB94510
The post Major HTTP Vulnerability in Windows Could Lead to Wormable Exploit appeared first on McAfee Blogs.
SOCwise Weighs In
When the infamous Carbanak cyberattack rattled an East European bank three years ago this month few would have guessed it would later play a starring role in the MITRE Engenuity enterprise evaluations of cybersecurity products from ourselves and 28 other vendors. We recently shared the results of this extensive testing and in a SOCwise discussion we turn to our SOCwise experts for insights into what this unprecedented exercise may mean for SOC teams assessing both strategy concerns and their tactical effectiveness.
Carbanak is a clever opponent known for innovative attacks on banks. FIN7 uses the similar malware and strategy of effective espionage and stealth to target U.S. retail, restaurant and hospitality sectors, according to MITRE Engenuity, and both were highlighted in this emulation. These notorious actors have reportedly stolen more than $1 billion worldwide over the past five years. An annual event, the four-day ATT&CK Evaluation spanned 20 major steps and 174 sub-steps of the MITRE framework.
The first thing to realize about this exercise is few enterprises could ever hope to match its scope. What do you get when you match up red and blue teams? “I have not been through an exercise like that in an organization with both the red team and blue teams operationally trying to determine what their strengths and weaknesses are,” said Colby Burkett, McAfee XDR architect, a participant in the event, on our recent SOCwise episode. “And that was fantastic.”
A lot of SOC teams conduct vulnerability assessments and penetration testing, but never emulate these types of behaviors, noted Ismael Valenzuela, McAfee’s Sr. Principal Engineer and co-host of SOCwise. And, he adds that many organizations lack the resources and skills to do purple-teaming exercises.
While our SOCwise team raved about the value of conducting broad scale purple-team exercises, they expressed concern that the emphasis on “visibility” is no more valuable than “actionability.” McAfee, which scored 87% on visibility, one of the industry’s best, turned in a remarkable 100% on prevention in the MITRE Engenuity evaluations.
When we think about visibility, we think about how much useful information we can provide to SOC analysts when an attack is underway. There may be a tsunami of attack data entering SOCs, but it’s only actionable when the data that’s presented to analysts is relevant, noted Jesse Netz, Principal Engineer at McAfee.
A well-informed SOC finds a sweet spot on an axis where the number of false positives is low enough and the true positives are high enough “where you can actually do something about it,” added Netz.
He believes that for SOC practitioners, visibility is only part of the conversation. “How actionable is the data you’re getting? How usable is the platform in which that data is being presented to you?”
For example, in the evaluation we saw McAfee’s MVISION EDR preserve actionability and reduce alert fatigue. We excelled in the five capabilities that matter most to SOC teams: time-based security, alert actionability, detection in depth, protection, and visibility.\
If you can’t do anything about the information you obtain, your results aren’t really useful in any way. In this regard, prevention also trumps visibility. “It’s great that we can see and gain visibility into what’s happening,” explained Netz. “But it’s even better at the end of the day as a security practitioner to be able to prevent it.”
The SOCwise team overall applauded the progressively sophisticated approach taken by the MITRE Engenuity enterprise evaluations of cybersecurity products—now in its third year. However, our panel of experts noted that this round of testing was more about defending endpoints, rather than cloud-based operations, which are fairly central to defending today’s enterprise. They expect that focus may change in the future.
The MITRE Engenuity enterprise evaluations provide a lot of useful data, but they should never be the single deciding factor in a cybersecurity product purchase decision. “Use it as a component of your evaluation arsenal,” advises Netz. “It’ll help to provide kind of statistics around visibility capabilities in this latest round, including some detection capabilities as well, but be focused on the details and make sure you’re getting your information from multiple sources.”
For instance, Carbanak and FIN 7 attacks may not be relevant to your particular organization, especially if they’re centered on Cloud-based operations.
While no emulation can perfectly replicate the experience of battling real-time, zero-day threats, McAfee’s Valenzuela believes these evaluations deliver tremendous value to both our customers and our threat content engineers.
The post What the MITRE Engenuity ATT&CK® Evaluations Means to SOC Teams appeared first on McAfee Blogs.
When you open your laptop or your mobile device, what is the first thing you do? Do you head to your favorite social media site to skim the latest news, or do you place your weekly grocery delivery order? No matter what your daily online habits are, even the slightest degree of caution can go a long way in staying secure online.
That’s because hackers are experts at hiding malware in your everyday online routines, or even infiltrating your cookies to steal login information and learn about your personal preferences.
According to a StatsCan Canadian internet use survey, six out of ten internet users reported experiencing a cybersecurity incident. There are many hoops to jump through when navigating the digital landscape. By taking the necessary steps to remedy vulnerabilities in your digital activity, you can dramatically improve your online protection.
Cybercriminals take advantage of online users through routine avenues you would not expect. Here are three common ways that cybercriminals eavesdrop on online users.
Adware, or advertising-supported software, generates ads in the user interface of a person’s device. Adware is most often used to generate revenue for the developer by targeting unsuspecting online users with personalized ads paid by third parties. These third parties usually pay per view, click, or application installation.
Though not always malicious, adware crosses into dangerous territory when it is downloaded without a user’s consent and has nefarious intent. In this case, the adware becomes known as a potentially unwanted application (PUA) that can remain undetected on users’ devices for long periods of time. According to a report by the Cybersecure Policy Exchange, an unintentionally installed or downloaded computer virus or piece of malware is one of the top five cybercrimes that Canadians experience. The PUA can then create issues like frequent crashes and slow performance.
Users unknowingly download adware onto their device when they download a free ad-supported program or visit a non-secure site that does not use the Hypertext Transfer Protocol Secure (HTTPS) to encrypt online communication.
Hackers also use invasive tactics known as ad injections, where they inject ads with malicious code for increased monetary gain. This is a practice known as “malvertising.” If a user clicks on a seemingly legitimate and well-placed ad, they risk exposing themselves to numerous online threats. These ads can be infected with malware such as viruses or spyware. For example, hackers can exploit browser vulnerabilities to download malware, steal information about the device system, and gain control over its operations. Hackers can also use malvertising to run fraudulent tech support scams, steal cookie data, or sell information to third-party ad networks.
Another vulnerability that many may not realize is their browser’s built-in autofill functions. As tempting as it is to use your browser’s autofill function to populate a long form, this shortcut may not be safe. Cybercriminals have found ways to capture credentials by inserting fake login boxes onto a web page that users cannot see. So, when you accept the option to autofill your username and password, you are also populating these fake boxes.
Take a proactive approach to your digital protection the next time you are browsing the internet by reassessing your online habits. Check out these five tips to ensure you are staying as safe as possible online.
Cookie data can contain anything from login information to credit card numbers. Cybercriminals looking to exploit this information can hijack browser sessions to pose as legitimate users and steal cookies as they travel across networks and servers. As a result, it is essential for online users to regularly clear out their cookies to better protect their information from falling into the wrong hands. Navigate to your browser’s history, where you can wipe the data associated with each browser session, including your cookies.
Clearing your browser’s cookie data will also remove your saved logins, which is why leveraging a password manager can make it easier to access regularly visited online accounts.
Many browsers come with a built-in password generator and manager; however, it is better to entrust your logins and password to a reputable password manager. Browser password managers are not as secure as password managers, because anyone who has access to your device will also access your online information. A password manager, provides a more secure solution since it requires you to log in with a separate master password. A password manager also works across various browsers and can generate stronger passwords than those created by your browser.
In addition to clearing cookie data, users should adjust their browser settings to ensure their online sessions remain private.
Another option is to access the internet in Private Browsing Mode to automatically block third-party tracking, making it a quick and easy option to ensure private browsing. Users can also enable the “do not track” function of their browser to prevent third-party tracking by advertisers and websites. Additionally, you can adjust your browser settings to block pop-up ads and control site permissions, such as access to cameras and locations.
Ad blockers suppress unwanted and potentially malicious ads to ensure a safer browsing experience. Ad blockers can also make it easier to view page layout by removing distracting ads and optimizing page load speed. Additionally, they prevent websites from tracking your information that third parties can sell.
Deploying a security solution like McAfee+ Ultimate ensures the safest internet browsing experience through a holistic approach for threat detection, protection, and remediation. Equipped with a password manager, antivirus software, and firewall protection, users can effectively sidestep online threats while browsing the internet. Moreover, it includes comprehensive privacy and identity protection, such as our Personal Data Cleanup, dark web monitoring, credit monitoring, along with ways you can quickly Lock or freeze your credit file to help prevent accounts from being opened in your name.
Your online behavior can say a lot about you so make sure you safeguard your internet protection. Whether it is through malvertising or invisible forms, hackers can glean information to paint a picture of who you are to target you through deceptive tactics. Cybercriminals are always looking for vulnerabilities which is why assessing your online habits sooner rather than later is a critical first step to smarter online browsing.
The post 5 Ways to Protect Your Online Privacy appeared first on McAfee Blog.
Vinay Khanna, Ashwin Prabhu & Sriranga Seetharamaiah also contributed to this article.
In the Cloud, security responsibilities are shared between the Cloud Service Provider (CSP) and Enterprise Security teams. To enable Security teams to provide compliance, visibility, and control across the application stack, CSPs and security vendors have added various innovative approaches across the different layers. In this blog we compare the approaches and provide a framework for Enterprises to think of these approaches.
Cloud Service Providers are launching new services at a breakneck pace to enable enterprise application developers to bring in new business value to the marketplace faster. For each of these services the CSPs are taking up more and more of the security responsibility while letting the enterprise security teams focus more on the application. To be able to provide visibility, security and enhance existing tools in such diverse and fast changing environments CSPs enable logs, APIs, Native agents and other technologies, that can be used by Enterprise security teams.
There are many different approaches to security and each have varying tradeoffs in terms of the depth of visibility and security they provide, the ease of deployment, permissions required, the costs, and the scale they work at.
APIs and logs are the best approach to do get started with discovering your Cloud accounts and finding anomalous activity interesting to security teams in those accounts. It is easy to get access to data from various accounts using these mechanisms, without the security teams having to do much more than get cross account access to the numerous accounts in the organization. The approach provides great visibility but needs to be complemented with protection approaches.
Image and snapshot analysis are a good approach to get deeper data of the workloads both before the application starts and as they run. In this method the image/ snapshot of the disk of the running system can be analyzed to detect any anomalies, vulnerabilities, config incidents etc. Snapshots provide deep data of workloads but may not detect memory resident issues like fileless malware. Also, as we move to ephemeral workloads, analyzing snapshots periodically may have limited usage. The mechanism may not work for cloud services for which disk snapshots may not be possible to obtain. The approach provides deep data of snapshots but needs to be complemented with some protection approaches to be useful.
Native agents and scripts are a good approach to enable deeper visibility and controls by providing an easy way to enhance Cloud native agents like SSM on a machine. Based on the functionality agents can have high resource usage. Native agent support is limited by the CSP provided capabilities, like OS support/ features provided. In a lot of cases the native agents run commands that log the information needed, which implies we need to have the logging approach working in parallel.
DaemonSet and Sidecar containers is an approach to deploying agents easily in Container and serverless environments. Sidecar allow running one container per pod which provide deep data but the resource usage and the cost as a result are high, because multiple sidecars would run on a single server. Sidecars can work in Container Serverless models in which case DaemonSet containers do not work. As the functionality of a Sidecar and DaemonSet is like that of an agent, many of the agent limitations mentioned apply here too.
Agent approach provides the deepest visibility and best control of the environment in which an application runs, by running code coresident with the application. This approach is however harder because the security teams need to have deep discovery capabilities beforehand to be able to deploy these agents. There is also friction in adding agents as it has to run on every machine and security teams do not have rights to run software on every machine, especially in the cloud. The resource usage and cost of a solution can be high depending on the use cases supported. Newer technologies like Extended Berkley Packet Filters (eBPF) enable reducing resource usage of agents to make them more palatable for broader usage.
Built-into-Image/ Build-into-code approach allows for the security being built into the application image deployed. This allows security functionality to be deployed without having to work on deploying an agent with each workload. This approach provides deep visibility of the application and works even for serverless workloads. Compiling in code adds immense friction by having to add code into the build process, and code libraries need to be available in every application language.
MVISION Cloud takes a Multi-pronged approach to securing applications and enable security teams to gain control of their Cloud environments.
The various approaches to security have their own unique tradeoffs and no one approach can satisfy all the requirements for the various teams, for the diverse set of platforms they support.
At any point of time different cloud services will be at different levels of adoption maturity. Security teams need to take an incremental approach where they start off adopting solutions that are easy to insert and can provide the basic guardrail of security and visibility, at the start of the service adoption cycle. As applications on a service mature and more high value apps come online, an approach to security that provides deeper discovery and control will be necessary to complement the existing approaches.
No one approach will be able to satisfy all customer use cases and at any time there will be different sets of security solutions that will be active. We are headed to a world of even more diverse security approaches, that have to all work seamlessly to help secure the Enterprise.
The post Cloud Native Security Approach Comparisons appeared first on McAfee Blogs.
Even as the internet kept us connected with family and friends during the pandemic, people remain understandably eager to reconnect in person as vaccines roll out and restrictions ease. In fact, people are making travel plans accordingly. Nearly two-thirds (64%) of people worldwide said that they’re planning to travel for leisure this year. And, as always, they’re bringing their devices with them.
These are a few of the top-line findings from our 2021 Consumer Security Mindset Report: Travel Edition, which garnered responses from more than 11,000 people aged 18 to 75 in eleven countries across North and South America, Europe, Asia, and the South Pacific. More broadly, this survey provides insight into people’s plans and preferences for travel and how they view online security while traveling—particularly after relying heavily on the internet at home during the pandemic for more than a year.
Indeed, people feel more connected by the internet today than they did prior to the onset of COVID-19 with a significant 76% of respondents stating as much. In light of that increasing reliance on the internet, 61% reported implementing more protection for their devices, connected homes, and online activities in general. This was particularly the case in nations like India (86%), Mexico (79%), and Brazil (68%). However, other nations trended much lower than the average, such as the UK (47%) and France (34%). In the U.S., that figure was lower than the international trend with roughly half of the people implementing more protection.
As called out earlier, people are taking the first steps toward leisure travel once again. Only 12% of people in the U.S said that they were planning on traveling internationally compared to a global average of 16%, while nations like Singapore (30%), the UK (25%), and Germany (24%) trending well above the average. In contrast, the outlook for domestic leisure travel appears exceptionally strong, particularly for respondents in Australia (88%), India (79%) and the U.S. (77%) who plan to travel as such.
The pandemic has shaped people’s views on where they’d like to stay, with 62% stating that their preference for lodging has changed this year. Well over one-third of respondents in the U.S., Australia, Indonesia, and Canada said that staying with family and friends as their preferred option. Globally speaking, hotel and motel accommodations topped the list at 41%. Vacation home rentals entered the mix as well with roughly 25% of respondents saying a rental was part of their plan.
Yet how have attitudes changed toward connecting to networks outside of the home, particularly after the past year saw the majority of people improve their security at home?
For a baseline, we found that 80% of respondents said that they’ve connected a device when visiting a home or place that is not their own. The devices they mentioned most include laptops, streaming devices, Bluetooth speakers, and gaming devices as well. To connect those devices, they’ll use the home network of the friend’s or rental home where they’re staying (48%) or the network provided by the hotel where they’re staying (48%). And while in-between places, public Wi-Fi remains a popular means of network connection at 50%, along with airport Wi-Fi (41%) plus transit Wi-Fi (31%). 
As to how secure people feel on those networks, the answer varies greatly. While people expect low risk or no risk at all on their home network (85%) or a friend’s home (73%), they’re far less apt to trust other networks. In general, they see Wi-Fi networks as most vulnerable to cyber threats than any other network or device at 68% and feel most at risk connecting to networks in hotels (25%) and rentals (21%).
Despite these findings, only 47% people said they take the same online security measures that they take at home when they’re on holiday or vacation. Similarly, just 52% of people check if the network they are joining is secure before they connect. Of that, 22% say they don’t check because they feel the network poses no threat and another 26% say that they simply don’t know how to check.
As travel becomes an actual possibility for people once again, it’s an opportunity to remember just how important security is outside the home. Whether people are at home or away, there will be banking to do, chances to shop online, and moments to stream a few shows while at the airport or on the road. Protecting laptops and mobile devices for travel become extra important when using public, airport, and public Wi-Fi, as those networks can expose people to more threats than their home networks.
With that, here are five things people can do to protect themselves and others while traveling:
The post Seeking Reconnection: Internet Usage and the Return to Travel appeared first on McAfee Blogs.
Countries all over the world are racing to achieve so-called herd immunity against COVID-19 by vaccinating their populations. From the initial lockdown to the cancellation of events and the prohibition of business travel, to the reopening of restaurants, and relaxation of COVID restrictions on outdoor gatherings, the vaccine rollout has played a critical role in staving off another wave of infections and restoring some degree of normalcy. However, a new and troubling phenomenon is that consumers are buying COVID-19 vaccines on the black market due to the increased demand around the world. As a result, illegal COVID-19 vaccines and vaccination records are in high demand on darknet marketplaces.
The impact on society is that the proliferation of fraudulent test results and counterfeit COVID-19 vaccine records pose a serious threat to public health and spur the underground economy. Individuals undoubtedly long to return to their pre-pandemic routines and the freedom of travel and behavior denied them over the last year. However, the purchase of false COVID-19 test certifications or vaccination cards to board aircraft, attend an event or enter a country endangers themselves, even if they are asymptomatic. It also threatens the lives of other people in their own communities and around the world. Aside from the collective damage to global health, darknet marketplace transactions encourage the supply of illicit goods and services. The underground economy cycle continues as demand creates inventory, which in turn creates supply. In addition to selling COVID-19 vaccines, vaccination cards, and fake test results, cybercriminals can also benefit by reselling the names, dates of birth, home addresses, contact details, and other personally indefinable information of their customers.
As we commemorate the one-year anniversary of the COVID-19 pandemic, at least 184 countries and territories worldwide have started their vaccination rollouts.[1] The United States is vaccinating Americans at an unprecedented rate. As of May 2021, more than 105 million Americans had been fully vaccinated. The growing demand has made COVID-19 vaccines the new “liquid gold” in the pandemic era.
However, following vaccination success, COVID-19 related cybercrime has increased. COVID-19 vaccines are currently available on at least a dozen darknet marketplaces. Pfizer-BioNTech COVID-19 vaccines (and we can only speculate as to whether they are genuine or a form of liquid “fool’s gold”) can be purchased for as little as $500 per dose from top-selling vendors. These sellers use various channels, such as Wickr, Telegram, WhatsApp and Gmail, for advertising and communications. Darknet listings associated with alleged Pfizer-BioNTech COVID-19 vaccines are selling for $600 to $2,500. Prospective buyers can receive the product within 2 to 10 days. Some of these supposed COVID-19 vaccines are imported from the United States, while others are packed in the United Kingdom and shipped to every country in the world, according to the underground advertisement.
Figure 1: Dark web marketplace offering COVID-19 vaccines
Figure 2: Dark web marketplace offering COVID-19 vaccines
A vendor sells 10 doses of what they claim to be Moderna COVID-29 vaccines for $2,000. According to the advertisement, the product is available to ship to the United Kingdom and worldwide.
Figure 3: Dark web marketplace offering COVID-19 vaccines
Besides what are claimed to be COVID-19 vaccines, cybercriminals offer antibody home test kits for $152 (again, we do not know whether they are genuine or not). According to the advertisement, there are various shipping options available. It costs $41 for ‘stealth’ shipping to the United States, $10.38 to ship to the United Kingdom, and $20 to mail the vaccines internationally.
Figure 4: Dark web marketplace offering COVID-19 test kits
On the darknet marketplaces, the sales of counterfeit COVID-19 test results and vaccination certificates began to outnumber the COVID vaccine offerings in mid-April. This shift is most likely because COVID-19 vaccines are now readily available for those who want them. People can buy and show these certificates without being vaccinated. A growing number of colleges will require students to have received a COVID-19 vaccine before returning to in-person classes by this fall.[2] Soon, COVID-19 vaccination proof is likely to become a requirement of some type of “passport” to board a plane or enter major events and venues.
The growing demand for proof of vaccination is driving an illicit economy for fake vaccination and test certificates. Opportunistic cybercriminals capitalize on public interest in obtaining a COVID-19 immunity passport, particularly for those who oppose COVID-19 vaccines or test positive for COVID-19 but want to return to school or work, resume travel or attend a public event. Counterfeit negative COVID-19 test results and COVID-19 vaccination cards are available for sale at various darknet marketplaces. Fake CDC-issued vaccination cards are available for $50. One vendor offers counterfeit German COVID-19 certificates for $23.35. Vaccination cards with customized information, such as “verified” batch or lot numbers for particular dates and “valid” medical and hospital information, are also available for purchase.
One darknet marketplace vendor offers to sell a digital copy of the COVID-19 vaccination card with detailed printing instructions for $50.
Figure 5: Dark web marketplace offering COVID-19 vaccination cards
One vendor sells CDC vaccination cards for $1,200 and $1,500, as seen in the following screenshot. These cards, according to the advertisement, can be personalized with details such as the prospective buyer’s name and medical information.
Figure 6: Dark web marketplace offering COVID-19 vaccination cards
Other darknet marketplace vendors offer fake CDC-issued COVID-19 vaccination card packages for $1,200 to $2,500. The package contains a PDF file that buyers can type and print, as well as personalized vaccination cards with “real” lot numbers, according to the advertisement. Prospective buyers can pay $1,200 for blank cards or $1,500 for custom-made cards with valid batch numbers, medical and hospital details.
Figure 7: Dark web marketplace offering COVID-19 vaccination cards
One vendor offers counterfeit negative COVID-19 test results and vaccine passports to potential buyers.
Figure 8: Dark web marketplace offering negative COVID-19 test results and vaccination cards
A seller on another dark web market sells five counterfeit German COVID-19 certificates for $23.35. According to the advertisement below, the product is available for shipping to Germany and the rest of the world.
Figure 9: Dark web marketplace offering German COVID-19 vaccination certificates
The proliferation of fraudulent test results and counterfeit COVID-19 vaccine records on darknet marketplaces poses a significant threat to global health while fueling the underground economy. While an increasing number of countries begin to roll out COVID-19 vaccines and proof of vaccination, questionable COVID vaccines and fake proofs are emerging on the underground market. With the EU and other jurisdictions opening their borders to those who have received vaccinations, individuals will be tempted to obtain false vaccination documents in their drive to a return to pre-pandemic normalcy that includes summer travel and precious time with missed loved ones. Those who buy questionable COVID-19 vaccines or forged vaccination certificates risk their own lives and the lives of others. Apart from the harm to global health, making payments to darknet marketplaces promotes the growth of illegal products and services. The cycle of the underground economy continues as demand generates inventory, which generates supply. These are the unintended consequences of an effective global COVID vaccine rollout.
[1] https[:]//www.cnn.com/interactive/2021/health/global-covid-vaccinations/
[2] https[:]//www.npr.org/2021/04/11/984787779/should-colleges-require-covid-19-vaccines-for-fall-more-campuses-are-saying-yes
The post “Fool’s Gold”: Questionable Vaccines, Bogus Results, and Forged Cards appeared first on McAfee Blogs.
At McAfee, we believe no one person, product or organization can combat cybercrime alone. That is why we continue to build our device-to-cloud security platform on the premise of working together – together with customers, partners and even other cybersecurity vendors. We continue this fight against the greatest challenges of our digital age: cybercrime. As part of our ongoing effort to protect what matters, we have developed breakthrough technologies over the past several years that enable customers to proactively respond to emerging threats and adversaries despite a constantly evolving threat landscape. So, today, we are extremely proud to announce that McAfee is positioned as a “Leader” in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms (EPP).
This is a monumental development in so many ways, especially when you consider that we were not recognized in the Magic Quadrant a few years ago. This recognition speaks volumes about the innovations we are bringing to market that resonate both with our customers and industry experts. Let me review, from my perspective, why McAfee is recognized in the Leaders Quadrant.
Here are some key innovations in our Endpoint Protection Platform that contributed to our Leader recognition:
We set out with a vision, to create the most powerful endpoint protection platform and we are aggressively executing towards this vision. Over the past 12 months, we have made great strides in developing a market leading product, MVISION Insights, and our cloud delivered MVISION EDR. Looking ahead, our goal is to develop a unified and open eXtended Detection and Response (XDR) solution and strategy that further delivers on our device-to-cloud strategy.
We believe, McAfee’s position as a Leader further acknowledges some of our key differentiators, such as MVISION Insights, and our ability to eclipse the market with an innovative device-to-cloud strategy that spans the portfolio, including web gateway, cloud, and our network security offerings.
We started by redefining our endpoint security offering with the release of MVISION Insights, a game-changing product that functions as the equivalent of an early warning system – effectively delivering preventative security. It’s hard to understate the significance of this innovation; we’re breaking the old paradigm of post-attack detection and analysis and enabling customers to stay ahead of threats. In parallel, we streamlined our EDR capabilities, which now provide AI-driven, guided investigations that ease the burden on already-stretched Security Operations Centers (SOCs).
The bottom line is that we’re the only vendor taking a proactive risk management approach for safer cloud usage while reducing total cost of ownership. In addition, we have improved our licensing structure to fit customer needs and simplify consumption of our endpoint security solutions. We’ve made it easy to choose from a simplified licensing structure allowing customers to buy subscriptions for complete endpoint protection with no add-ons or extra costs. Our user-based licensing agreements provide for 5 devices, thus enabling frictionless expansion to incorporate additional device support in remote work environments.
In just under a year, our latest release of McAfee Endpoint Security (ENS) 10.7 has emerged as our highest deployed version of any McAfee product worldwide and our fastest-ever single-year ramp. More than 15,000 customers comprising tens of millions of nodes are now on ENS 10.7 and are deploying its advanced defenses against escalating threats. Customers get added protected because ENS 10.7 is backed by our Global Threat Intelligence (GTI) service to provide adaptable, defense in-depth capabilities against the techniques used in targeted attacks, such as ransomware or fileless threats. It’s also easier to use and upgrade. All of this means your SOC can be assured that customers are protected with ENS 10.7 on their devices.
Customer input guides our thinking about what to do next. Since the best critics are the people who use our products, let’s give them the last word here.
“We are now positioned to block usage of personal instances of Sanctioned services while allowing the business to move forward with numerous cloud initiatives, without getting in the way. We also now have the visibility that was lacking to ensure that we can allow our user community to work safely from their homes without introducing risks to our corporate environment.”
–Kenn Johnson, Cybersecurity Consultant
Our continued commitment to our customers is to protect what matters. We believe that McAfee’s position in the Leaders Quadrant validates that we are innovating at the pace and scale that meets the most stringent needs of our enterprise customers. We are proud of our product teams and threat researchers who continue to be driven by our singular mission, and who strive to stay ahead of adversaries with their focus on technological breakthroughs, and advancements in researching threats and vulnerabilities.
What we have accomplished over the past several years, and our position as a Leader in the 2021 Gartner Magic Quadrant for EPP, is only the tip of the iceberg for what’s ahead.
McAfee named a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms. Download the Magic Quadrant report, which evaluates the 19 vendors based on ability to execute and completeness of vision.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Magic Quadrant for Endpoint Protection Platforms, 5 May 2021 Paul Webber, Peter Firstbrook, Rob Smith , Mark Harris, Prateek Bhajanka
The post Gartner names McAfee a Leader in 2021 Magic Quadrant for Endpoint Protection Platforms appeared first on McAfee Blogs.
More and more social platforms are coming up with safer ways for younger kids to access their apps. The most recent announcement comes from Facebook who is reportedly creating a version of Instagram for kids 13 and under.
It’s a family safety win to see so many companies (YouTube, TikTok, and Facebook have parental control channels) making changes. That’s because currently, kids under 13 have no problem getting around an app’s age restrictions, a decision that can expose them to risks such as cyberbullying, stranger connections, and inappropriate content.
With apps making an overall shift toward safer experiences, areas of concern for families still exist especially since kids are increasingly connecting with social media companies before they enter middle school. Here are just a few things to consider as your child moves into the world of social networking, regardless of his or her age.
The window between 9-12 is an important one when it comes to teaching kids digital skills and influencing their digital behavior. It’s never too early to begin these conversations. Remember, kids need aware, digitally savvy parents more than ever to prepare them for the challenges ahead.
The post More Apps for Younger Users Emerging. Here’s What Parents Need to Know. appeared first on McAfee Blog.
This year’s RSA Conference will look a little different. Instead of booking flights and hotel rooms in the busy city of San Francisco, we’ll be powering up computers in our home office with family in the next room. We’ve all had a tumultuous year and with that comes resilience, which is also this year’s conference theme.
Ahead of the RSA virtual conference, I spoke with a few of my colleagues about the major themes we should expect to see at RSA this year.
Scott Howitt, Senior Vice President and Chief Information Officer – The COVID lockdown has exposed to enterprises that the ability to recover your business (Business Continuity) is important in the face of disaster, but Business Resilience means that your business will be able to adapt to Black Swan events. I’ve seen technology be the catalyst for resilience for most organizations.
Raj Samani, Chief Scientist and McAfee Fellow – For me, it would be ability to continue operations in light of disruption. Whether that disruption originated from digital factors, or indeed physical but to keep the wheels turning.
John Fokker, Principal Engineer and Head of Cyber Investigations for McAfee ATR – Just like Boxing: Isn’t as much about not being hit, because you are in the ring and punches are thrown, but resilience to me is more about how fast you can get back up on your feet once you do get hit. The same is true with security operations, attackers are going to try to hit you, but how good is your defense so you can minimize the impact of the attack and in the case you do get knocked down what controls do you have in place that you can get back up and resume operations.
Amanda House, Data Scientist – Cybersecurity is a unique industry in that new cyberthreats are always improving to avoid detection. A machine learning model made a month ago could now have weakness an adversary has learned to exploit. Machine learning model practitioners need to be resilient in always innovating and improving on past models to outpace new threats. Resilience is constantly monitoring machine learning models so that when we notice decay we can quickly improve them to stop new cyberthreats.
Sherin Mathews, Senior Research Scientist – To me, cyber-resilience implies being able to protect critical assets, maintain operations, and, most importantly, embrace new technologies in the face of evolving threats. The cybersecurity field is an arms race scenario with the threat landscape changing so much. In case of threats like deepfakes, some deepfakes will reach ultra-realism in the coming few years, many will still be more amateurish, and we need to keep advancing towards the best detection methods with newer forms of threats. I feel resiliency doesn’t mean you can survive or defend against all attacks, but it means that if you are compromised, you have a plan that lets us recover quickly after a breach and continue to function. Deepfakes and other offshoots of AI will require businesses to create a transparent, agile, and holistic detection approach to protect endpoints, data, apps, and cloud services.
Samani – I anticipate Zero Trust will play a prominent role, considering the year of remote working, and a myriad of significant threats being realised.
Fokker – Definitely Zero-Trust but also combatting threats that come with working from home, and threat intelligence so organization can better understand the actions of their adversaries even before they step into the ring.
Howitt – I am hoping to see how others have adapted to life with COVID and now that it is receding, what do they think life with look like after. As for my session, I want to highlight the importance of adaptability and stress that this paradigm shift means we will never go back to normal.
House – Cybersecurity is not a career path I ever imagined for myself. As a student I always enjoyed math and computer science and I naturally gravitated toward those topics. My love of both subjects led me to pursue data science and machine learning. My first job out of college was in the cybersecurity industry and that was my first introduction to this career. Since then, I have loved how cybersecurity requires constant innovation and creative ways of using AI to stop new threats.
Mathews – My background and Ph.D. focused on developing novel dictionary learning and deep learning algorithms for classification tasks related to remote health monitoring systems (e.g., activity recognition for wearable sensors and heartbeat classification). With a background in machine learning, deep learning with applications to computer vision areas, I entered the field of cybersecurity during my work at Intel Security/Mcafee in 2016. I contributed towards increasing the effectiveness of cybersecurity products by creating novel machine learning/deep learning models to detect advanced threats(e.g., ransomware & steganography). In my industry work experience, I also had a chance to develop leading-edge research such as eXplainable A.I. (XAI) and deepfakes. Overall, the advent of artificial intelligence can be considered a significant milestone as A.I. is steadily flooding several industries. However, A.I. platforms can also be misused if in the wrong hands, and as research professionals, we need to step up to detect attacks or mishaps before they happen. I feel deeply passionate about XAI, ethical A.I., the opportunity to combat deepfakes and digital misinformation, and topics related to ML and DL with cybersecurity applications. Overall, it is an excellent feeling as a researcher to use your knowledge to combat threats that affect humanity and safeguard humans. Also, I believe that newer A.I. research topics such as GANs, Reinforcement learning, and few-shot learning have a lot to offer to combat advanced cybersecurity threats.
House – I am fortunate to work with a lot of great women in technology at McAfee. Not only are these women on the cutting edge of innovation but they are also great mentors and leaders. We need more smart people pursuing jobs in this industry and in order to recruit new talent, especially young graduates, we need to mentor and encourage them to pursue this career. Every woman I have met in this industry wants to see new talent succeed and will go the extra mile to provide mentorship. I have also noticed women tend to have unique backgrounds in this industry. For example, some of the women I look up to have degrees in biomedical engineering or physics. These unique backgrounds allow these women to bring innovative ideas from outside cybersecurity to solve some of the toughest problems in the cybersecurity industry. We need more talent from diverse backgrounds to bring in fresh ideas.
McAfee is a proud platinum with keynote level sponsor of RSA Conference 2021. Take in the McAfee virtual booth and sessions presented by McAfee industry leaders Here are some of the best ways to catch McAfee at RSA. Can’t wait to see you there!
The post RSA Conference 2021: The Best Place to Strengthen Your Resilience appeared first on McAfee Blogs.
When gyms were forced to close last year, you likely looked for other ways to get some exercise and stay active during quarantine. From investing in a few pairs of dumbbells or perhaps downloading an app or two to help you track your workouts, you found alternatives to help you break a sweat. As an accessible, easy way to release endorphins, running quickly grew in popularity along with the platforms that help runners stay accountable. According to Runner’s World, there was a 34% uptick in outdoor miles logged by common fitness apps between March and September 2020 compared to the same stretch in 2019. But are these tools potentially endangering your privacy?
According to TechCrunch, running apps could potentially threaten your security if the data they collect ends up in the wrong hands. Let’s explore the functionalities of these apps and how they could pose a threat to your online safety.
Running apps are solid companions for advanced and amateur runners alike, allowing you to track the length of your run and set a pace for yourself. These apps learn a lot about you the more you use them by gathering health data like your height and weight and even your location. But similar to the threats that exist when you overshare on other online platforms, this data could pose a serious threat to your privacy. For example, location data could identify where you live or where you work – information that you definitely wouldn’t want in the hands of a stranger. If a cybercriminal is able to hack into your account, they could exploit this information to commit identity theft or craft a phishing email disguised as your employer.
Additionally, many of these apps lack basic security measures to prevent hackers from breaking into accounts or from health and fitness data from spilling out. For example, many popular running apps allow the most basic passwords like “qwerty” and “password.” Oftentimes, hackers automate their attacks by targeting accounts with easy-to-crack passwords like the ones mentioned. This allows them to exploit the most accounts with as little effort as possible. Furthermore, these apps do not have the option to set up two-factor authentication, which creates an additional barrier to prevent hackers from exploiting reused passwords.
No matter where you are in your fitness journey, it is essential to take the necessary precautions to minimize the risks of the platforms you use to hold yourself accountable – running apps included. If you are looking to hit your stride while keeping security and privacy top of mind, follow these tips:
Your password is your first line of defense, so it is important that you use one that is strong and unique to your other account credentials. If a hacker does manage to guess your password for one of your online accounts, it is likely they will check for repeat credentials across multiple sites. By using different passwords or passphrases, you can feel slightly more at ease knowing that the majority of your data is secure if one of your accounts becomes vulnerable.
You can also use a password manager to help you create strong passwords, remove the hassle of remembering numerous passwords, and log on to websites automatically.
Some running apps are configured to publicly share user data by default. After you download an app, spend some time researching how to change these settings so your data is not shared with strangers without your permission.
If your running app of choice does undergo any security updates, make sure that they are installed as soon as possible. Developers actively work to identify and address security issues. Frequently update your operating systems and apps so that they have the latest fixes and security protections. The easiest way to do this is to enable automatic software updates on your mobile device.
Next time you go for a run with your location services on, think again about what risks this poses to your virtual security and your physical safety. Enhance your security by only enabling the features that are necessary to optimize your fitness performance. This will help prevent hackers from using your location as a vehicle to invade your privacy.
Since the data collected on running apps involves sensitive health and location information, it is worth reviewing the privacy policies for all of the fitness platforms you regularly use to see how your data might be affected. To ensure that you can keep moving toward your fitness goals while protecting your online safety, stay educated on the tools you use to track your progress and implement the necessary security measure to do so with security in mind.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How to Remain Secure While Using Running Apps appeared first on McAfee Blogs.
Cybercriminals are currently enjoying a golden age, with the volume and severity of attacks growing constantly, and an ability to commit hostile acts with impunity. The EU, in its overhaul of cybersecurity laws dubbed NIS2, is committed to ensuring that what’s illegal offline should also be illegal online. For that to happen, cybersecurity researchers need to have access to all the tools possible to detect, trace and prevent crime online, including access to the Internet’s yellow pages, also known as the WHOIS search.
Cyberthreat research is both an arts and science discipline. Our experts and software detection analysis in the ATR group sift through an enormous amount of data, from a broad range of sources, to detect the signs of a past, ongoing or future cyberattack. Each source of data that is out of reach is one tool less with which to keep up with cybercriminals. Access to the full set of WHOIS data, or lack thereof, is not going to make or break the future of cyber threat research. But it would give criminals an advantage, which is at odds with the core objective of the EU’s cybersecurity review.
The WHOIS search originally contained all the data of a person registering a website, including the contact details of the person responsible for the website. This information is crucial in the event a legitimate website comes under attack from malicious actors
But by continually scanning the registration data, cyber researchers can also pick up patterns that are indicative of malicious activity, such as preparing a botnet or priming a large number of websites ahead of a denial-of-service (DDOS) attack.
Using WHOIS data is particularly useful in preventing future cyber-incidents. Looking at data that indicates that a website or collection of websites are being rigged for a cyberattack can help stop the attack in its cradle. This data can also help cybersecurity researchers minimise the risk of false positives, where the contact data is consistent with a legitimate user, which will minimise the potential disruption for companies and people that have done nothing wrong but whose websites may have been flagged as suspicious.
This data was put out of reach after the EU’s GDPR law came into force, with the unfortunate and clearly unintended consequence of depriving cybersecurity researchers, law enforcement agencies and others from an important pool of data used to fight and prevent cybercrime.
With the review of the EU’s cybersecurity law, NIS2, we have a chance to set things right, by providing a legal basis to access personal data such as the contact details in the WHOIS, for the purpose of fighting crime online, without undermining the important privacy protections introduced in the GDPR. It is now up to lawmakers to ensure that this provision remains intact, as they consider whether to introduce amendments to the cybersecurity legislation text.
The post Defending Cybersecurity Can’t Be Done Blindfolded–The EU’s NIS2 Review Can Set This Right appeared first on McAfee Blogs.
Social media is a great place to connect with friends and family. Unfortunately, it is also a great place for misinformation to run rampant, and it is a virtual treasure chest for cybercriminals to steal personal information. Over 25 million Canadians own a social media account, and more than 80% of the Canadian population is expected to be on social media by 2025.
Check out this roundup of common social media scams so you can network intelligently, spot misinformation, and stop its spread.
The classic saying of “Don’t believe everything you see on TV” applies neatly to “Don’t believe everything you read on social media.” There is a resurgence of false news reports circulating on social media surrounding COVID-19 and the vaccine. For example, 5G aiding the spread of the virus and the preventive properties of garlic are just two of the rumors about COVID-19.
Misinformation leads to chaos and is a major threat to public health. Before you reshare a post or article, it is great to take a few minutes to digest the message, determine if it is true, and ask yourself if friends and family would genuinely benefit if they heard the news it carries.
There are a few tell-tale signs of fake news posts. First, they often try to inspire extreme emotions, such as rage and indignation, to prompt people to share immediately. Next, fake news reports are frequently poorly written and vague about where they received their information. Always try to find the primary source for “facts.” In the case of COVID-19 news, all health tips should be sourced from a licensed medical professional.
If you are ever in doubt about the facts, especially when they deal with public health, do not share the post. Instead, leave the reporting to trained medical professionals. Consult the World Health Organization and the Public Health Agency of Canada or direct your network to #ScienceUpFirst for the latest and most accurate reports about COVID-19 and the vaccine.
There was a recent data leak at Facebook, and the contents of about half a billion accounts were posted on a hacking website, including 3.49 million Canadian accounts. Hackers can get a lot of mileage out of just one social media profile because it contains all the greatest hits of information needed to verify an identity.
Most profiles list your real full name, birthday, your relationship status, your hometown, and contact information. Also, hackers can skim a user’s posting history to find even more personal details. Many social media users have posted at one time or another a “get to know you” post, where they list many revealing facts. These posts are a pot of gold to cybercriminals. They are basically lists of possible answers to security questions: Where did you go to primary school? What was the model of your first car? What is the name of your favorite stuffed animal?
Another recent trend that can make you vulnerable in case of a data leak is posting COVID-19 vaccine cards. Social media users are excited to share the big milestone of getting their first shot. What they might not realize is that vaccine cards contain vital personal information that could be used by malicious actors. There are alternative ways to share the happy news. Instead, post a picture of the fun bandage the nurse put on your arm or take a selfie outside of the vaccination center.
It is a shame that what you share on social media can be turned against you by cybercriminals, but that does not mean you have to stop sharing details about your life. Instead of posting personal details online that could be used maliciously in the event of a data leak, think about creating an exclusive email newsletter or secure group chat for your closest friends and family.
There is a major thrill when you think you have won something; however, if you receive a notification on social media that you have won a contest, reserve your excitement until you have confirmed its legitimacy. Be especially wary if you do not remember entering a contest.
Contest scams are a type of social engineering tactic used by cybercriminals. Social engineering relies on people’s tendency to trust others. Cybercriminals often capitalize upon extreme emotions, like fear, urgency, and in this case excitement, to trick unsuspecting people into hastily giving up sensitive information.
Phishing is also common in contest scams. Social media users may receive a message that they have won a giveaway and to click on a link to claim their prize. Luckily, easy-to-spot signs of a phishing message include poor grammar, misspellings, and a sense of urgency. Always approach these types of messages with caution. Instead of clicking on any of the links, hover your cursor over them to see where they redirect. If the redirect site URL is suspicious and contains misspellings, steer clear.
If you ever receive a notification on social media that you have won a prize, remain skeptical until you have verified the authenticity. Locate the organization’s official social media page (which you can likely find on their website), and direct message them for more details.
With all of these common scams floating about and waiting to strike, check out these tips to network safely.
The joy of social media is sharing your everyday life with your friends and family. It is fun to have dozens of people wish you a happy birthday on your profile, but consider removing the year of your birthday. Also, consider removing your phone number, home address, and email address from your profile. If a friend or family member wants to get in touch with you, they can personally direct message you. Cybercriminals can take your contact information and full birthday and use it to steal your identity, so it is best not to post it online.
While you may want to share the latest news with your networks, do not share information that you are not sure is true. According to Statistics Canada, only half of Canadians investigated the accuracy of COVID-19 social media posts before they reshared. Do your due diligence and be a part of the solution, not part of the problem.
Even if you are a diligent and intelligent social media user, there is a chance that you could accidentally click on a phishing link. In case this happens, you should have a backup plan to safeguard your devices and your personal information from viruses and malware. Protect your devices with a comprehensive antivirus program, such as McAfee Total Protection. You can rest assured that if you or a member of your family accidentally opens a malicious link, your devices will be safe.
The post Beware of Social Media Scams appeared first on McAfee Blogs.
Bottom Line: McAfee stopped the MITRE ATT&CK Evaluation Carbanak and FIN7 threats in their tracks within the first 15% of the major steps of the attack chain (on average), delivering on a critical security operations center (SOC) strategy: Stop the attack as early as possible.
In April 2021, MITRE Engenuity released the results of the Carbanak and FIN7 evaluations that leveraged Tactics, Techniques, and Procedures (TTP’s) from the MITRE ATT&CK framework. McAfee and 28 other vendors tested the capabilities of our cybersecurity solutions across a wide range of attack vectors. These multi-stage simulated attacks leveraged a full range of known TTPs to execute the Carbanak and FIN7 attack campaigns.
The Carbanak attack requires stealth and time. Threat actors count on operating undetected inside your infrastructure long enough to penetrate and own your crown jewel assets and information. They methodically step through complex custom TTPs to achieve their objectives. The sooner an attack can be detected and stopped, the lower the risk of a successful breach, damage to assets, and exfiltration of critical information.
McAfee displayed superior protection by blocking 100% across all 10 tests. On the other hand, several endpoint security providers failed to detect and block all threats. CrowdStrike, for example, was unable to block 30% of protection tests.
Additionally, McAfee was able to block the attacks within the first 15% of attack steps on average across all tests. On the other hand, CrowdStrike allowed 50% of the attack chain steps on average to execute before blocking. The earlier in the attack chain that a threat is detected, the more likely it will be shut down before it causes damage.
McAfee combines data and telemetry with comprehensive analytics-based detections that accelerate the pivot to defensive execution. This Time-Based Security metric determines if a blue team will have meaningful, timely, and actionable information. McAfee scores well on this metric by including specific references to MITRE Engenuity’s ATT&CK framework with centralized incident pivots to enriched telemetry, enabling faster detection, investigation, and reaction, and therefore lower exposure. Prioritizing Time-Based Security* (TBS) contributes to McAfee’s ability to block early and mitigate further damage. McAfee significantly outperformed CrowdStrike on the dimension of Time-Based Security.
How did McAfee achieve this success in the evaluation and against such a sophisticated threat?
Core to McAfee’s success is the alignment of products and capabilities around the ability to “shift left” in the attack cycle. Shifting left, or engaging as early as possible in the kill chain timeline, allows defenders to detect and stop an attack, minimize risk, and achieve these results at the lowest cost.
For scenarios where threats are not blocked, McAfee provides extensive and actionable alerting and intelligence to ensure that responses and remediations are timely. In the case of the MITRE Carbanak+FIN7 testing, McAfee demonstrated clear superiority over CrowdStrike in terms of Alert Actionability*.
(For more information on Time-based Security and Alert Actionability, please review the following blog: SOC vs MITRE APT29 evaluation – Racing with Cozy Bear | McAfee Blogs)
Sophisticated adversaries surround us, and MITRE ATT&CK evaluations emulated their techniques and procedures. It’s time to let your teams know that with the right tools from McAfee and Shift Left best practices, intelligent defenders will prevail.
Sneaky attackers traverse infrastructures and assets opportunistically and unpredictably. The complexity and variability in the attack chains associated with these threat actors make threats challenging to identify. McAfee will continue to evolve extended detection and response capabilities that go beyond the endpoint. The integration of these capabilities with solutions such as McAfee’s MVISION XDR enables the security operations team to benefit from unified visibility and control across the hybrid enterprise: endpoints, network, and the cloud.
Most important is the integration of the ecosystem to fight and defeat attackers. McAfee MVISION XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations.
As illustrated by the recent MITRE Carbanak+FIN7 protection tests, the industry recognizes the value of proactive capabilities to detect and block early, reducing reactive cyber defense efforts and damage. This dynamic enables your team to stop these sophisticated attacks earlier and more effectively. McAfee empowers your security operations teams to achieve faster and more effective results.
To find out more about the MITRE ATT&CK Evaluation results, please reach out to sales@mcafee.com.
* These critical capabilities are defined by McAfee algorithms designed to maximize value to SOC and XDR needs. Please see this McAfee MITRE blog for details on these algorithms
Assessments of performance are McAfee’s and not those of MITRE Engenuity.
MITRE Engenuity ATT&CK Evaluations are paid for by vendors and are intended to help vendors and end-users better understand a product’s capabilities in relation to MITRE’s publicly accessible ATT&CKⓇ framework. MITRE developed and maintains the ATT&CK knowledge base, which is based on real word reporting of adversary tactics and techniques. ATT&CK is freely available and is widely used by defenders in industry and government to find gaps in visibility, defensive tools, and processes as they evaluate and select options to improve their network defense. MITRE Engenuity makes the methodology and resulting data publicly available so other organizations may benefit and conduct their own analysis and interpretation. The evaluations do not provide rankings or endorsements.
The post McAfee Proactive Security Proves Effective in Recent MITRE ATT&CK™ appeared first on McAfee Blogs.
The Roaming Mantis smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian Android users since 2018. In the second half of 2020, the campaign improved its effectiveness by adopting dynamic DNS services and spreading messages with phishing URLs that infected victims with the fake Chrome application MoqHao.
Since January 2021, however, the McAfee Mobile Research team has established that Roaming Mantis has been targeting Japanese users with a new malware called SmsSpy. The malicious code infects Android users using one of two variants depending on the version of OS used by the targeted devices. This ability to download malicious payloads based on OS versions enables the attackers to successfully infect a much broader potential landscape of Android devices.
The phishing SMS message used is similar to that of recent campaigns, yet the phishing URL contains the term “post” in its composition.
|
Japanese message: I brought back your luggage because you were absent. please confirm. hxxps://post[.]cioaq[.]com
|
Fig: Smishing message impersonating a notification from a logistics company. (Source: Twitter)
Another smishing message pretends to be a Bitcoin operator and then directs the victim to a phishing site where the user is asked to verify an unauthorized login.
|
Japanese message: There is a possibility of abnormal login to your [bitFlyer] account. Please verify at the following URL: hxxps://bitfiye[.]com
|
Fig: Smishing message impersonating a notification from a bitcoin operator. (Source: Twitter)
During our investigation, we observed the phishing website hxxps://bitfiye[.]com redirect to hxxps://post.hygvv[.]com. The redirected URL contains the word “post” as well and follows the same format as the first screenshot. In this way, the actors behind the attack attempt to expand the variation of the SMS phishing campaign by redirecting from a domain that resembles a target company and service.
Characteristic of the malware distribution platform, different malware is distributed depending on the Android OS version that accessed the phishing page. On Android OS 10 or later, the fake Google Play app will be downloaded. On Android 9 or earlier devices, the fake Chrome app will be downloaded.
|
|
Japanese message in the dialog: “Please update to the latest version of Chrome for better security.” |
Fig: Fake Chrome application for download (Android OS 9 or less)
|
|
Japanese message in the dialog: “[Important] Please update to the latest version of Google Play for better security!”
|
Fig: Fake Google Play app for download (Android OS 10 or above)
Because the malicious program code needs to be changed with each major Android OS upgrade, the malware author appears to cover more devices by distributing malware that detects the OS, rather than attempting to cover a smaller set with just one type of malware
The main purpose of this malware is to steal phone numbers and SMS messages from infected devices. After it runs, the malware pretends to be a Chrome or Google Play app that then requests the default messaging application to read the victim’s contacts and SMS messages. It pretends to be a security service by Google Play on the latest Android device. Additionally, it can also masquerade as a security service on the latest Android devices. Examples of both are seen below.
|
|
Japanese message: “At first startup, a dialog requesting permissions is displayed. If you do not accept it, the app may not be able to start, or its functions may be restricted.”
|
Fig: Default messaging app request by fake Chrome app
|
|
Japanese message: “Secure Internet Security. Your device is protected. Virus and Spyware protection, Anti-phishing protection and Spam mail protection are all checked.” |
Fig: Default messaging app request by fake Google Play app
After hiding its icon, the malware establishes a WebSocket connection for communication with the attacker’s command and control (C2) server in the background. The default destination address is embedded in the malware code. It further has link information to update the C2 server location in the event it is needed. Thus, if no default server is detected, or if no response is received from the default server, the C2 server location will be obtained from the update link.
The MoqHao family hides C2 server locations in the user profile page of a blog service, yet some samples of this new family use a Chinese online document service to hide C2 locations. Below is an example of new C2 server locations from an online document:
Fig: C2 server location described in online document
As part of the handshake process, the malware sends the Android OS version, phone number, device model, internet connection type (4G/Wi-Fi), and unique device ID on the infected device to the C2 server.
Then it listens for commands from the C2 server. The sample we analyzed supported the commands below with the intention of stealing phone numbers in Contacts and SMS messages.
| Command String | Description |
| 通讯录 | Send whole contact book to server |
| 收件箱 | Send all SMS messages to server |
| 拦截短信&open | Start <Delete SMS message> |
| 拦截短信&close | Stop <Delete SMS message> |
| 发短信& | Command data contains SMS message and destination number, send them via infected device |
Table: Remote commands via WebSocket
We believe that the ongoing smishing campaign targeting Asian countries is using different mobile malware such as MoqHao, SpyAgent, and FakeSpy. Based on our research, the new type of malware discovered this time uses a modified infrastructure and payloads. We believe that there could be several groups in the cyber criminals and each group is developing their attack infrastructures and malware separately. Or it could be the work of another group who took advantage of previously successful cyber-attacks.
McAfee Mobile Security detects this threat as Android/SmsSpy and alerts mobile users if it is present and further protects them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.
Phishing Domains:
| Domain | Registration Date |
| post.jpostp.com | 2021-03-15 |
| manag.top | 2021-03-11 |
| post.niceng.top | 2021-03-08 |
| post.hygvv.com | 2021-03-04 |
| post.cepod.xyz | 2021-03-04 |
| post.jposc.com | 2021-02-08 |
| post.ckerr.site | 2021-02-06 |
| post.vioiff.com | 2021-02-05 |
| post.cioaq.com | 2021-02-04 |
| post.tpliv.com | 2021-02-03 |
| posk.vkiiu.com | 2021-02-01 |
| sagawae.kijjh.com | 2021-02-01 |
| post.viofrr.com | 2021-01-31 |
| posk.ficds.com | 2021-01-30 |
| sagawae.ceklf.com | 2021-01-30 |
| post.giioor.com | 2021-01-30 |
| post.rdkke.com | 2021-01-29 |
| post.japqn.com | 2021-01-29 |
| post.thocv.com | 2021-01-28 |
| post.xkdee.com | 2021-01-27 |
| post.sagvwa.com | 2021-01-25 |
| post.aiuebc.com | 2021-01-24 |
| post.postkp.com | 2021-01-23 |
| post.solomsn.com | 2021-01-22 |
| post.civrr.com | 2021-01-21 |
| post.jappnve.com | 2021-01-19 |
| sp.vvsscv.com | 2021-01-16 |
| ps.vjiir.com | 2021-01-15 |
| post.jpaeo.com | 2021-01-12 |
| t.aeomt.com | 2021-01-2 |
| Hash | Package name | Fake Application |
| EA30098FF2DD1D097093CE705D1E4324C8DF385E7B227C1A771882CABEE18362 | com.gmr.keep | Chrome |
| 29FCD54D592A67621C558A115705AD81DAFBD7B022631F25C3BAAE954DB4464B | com.gmr.keep | Google Play |
| 9BEAD1455BFA9AC0E2F9ECD7EDEBFDC82A4004FCED0D338E38F094C3CE39BCBA | com.mr.keep | Google Play |
| D33AB5EC095ED76EE984D065977893FDBCC12E9D9262FA0E5BC868BAD73ED060 | com.mrc.keep | Chrome |
| 8F8C29CC4AED04CA6AB21C3C44CCA190A6023CE3273EDB566E915FE703F9E18E | com.hhz.keeping | Chrome |
| 21B958E800DB511D2A0997C4C94E6F0113FC4A8C383C73617ABCF1F76B81E2FD | com.hhz.keeping | Google Play |
| 7728EF0D45A337427578AAB4C205386CE8EE5A604141669652169BA2FBA23B30 | com.hz.keep3 | Chrome |
| 056A2341C0051ACBF4315EC5A6EEDD1E4EAB90039A6C336CC7E8646C9873B91A | com.hz.keep3 | Google Play |
| 054FA5F5AD43B6D6966CDBF4F2547EDC364DDD3D062CD029242554240A139FDB | com.hz.keep2 | Google Play |
| DD40BC920484A9AD1EEBE52FB7CD09148AA6C1E7DBC3EB55F278763BAF308B5C | com.hz.keep2 | Chrome |
| FC0AAE153726B7E0A401BD07C91B949E8480BAA0E0CD607439ED01ABA1F4EC1A | com.hz.keep1 | Google Play |
| 711D7FA96DFFBAEECEF12E75CE671C86103B536004997572ECC71C1AEB73DEF6 | com.hz.keep1 | Chrome |
| FE916D1B94F89EC308A2D58B50C304F7E242D3A3BCD2D7CCC704F300F218295F | com.hz.keep1 | Google Play |
| 3AA764651236DFBBADB28516E1DCB5011B1D51992CB248A9BF9487B72B920D4C | com.hz.keep1 | Chrome |
| F1456B50A236E8E42CA99A41C1C87C8ED4CC27EB79374FF530BAE91565970995 | com.hz.keep | Google Play |
| 77390D07D16E6C9D179C806C83D2C196A992A9A619A773C4D49E1F1557824E00 | com.hz.keep | Chrome |
| 49634208F5FB8BCFC541DA923EBC73D7670C74C525A93B147E28D535F4A07BF8 | com.hz.keep | Chrome |
| B5C45054109152F9FE76BEE6CBBF4D8931AE79079E7246AA2141F37A6A81CBA3 | com.hz.keep | Google Play |
| 85E5DBEA695A28C3BA99DA628116157D53564EF9CE14F57477B5E3095EED5726 | com.hz.keep | Chrome |
| 53A5DD64A639BF42E174E348FEA4517282C384DD6F840EE7DC8F655B4601D245 | com.hz.keep | Google Play |
| 80B44D23B70BA3D0333E904B7DDDF7E19007EFEB98E3B158BBC33CDA6E55B7CB | com.hz.keep | Chrome |
| 797CEDF6E0C5BC1C02B4F03E109449B320830F5ECE0AA6D194AD69E0FE6F3E96 | com.hz.keep | Chrome |
| 691687CB16A64760227DCF6AECFE0477D5D983B638AFF2718F7E3A927EE2A82C | com.hz.keep | Google Play |
| C88C3682337F7380F59DBEE5A0ED3FA7D5779DFEA04903AAB835C959DA3DCD47 | com.hz.keep | Google Play |
The post Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware appeared first on McAfee Blogs.
Email is one of the primary ways of communication in the modern world. We use email to receive notifications about our online shopping, financial transaction, credit card e-statements, one-time passwords to authenticate registration processes, application for jobs, auditions, school admissions and many other purposes. Since many people around the globe depend on electronic mail to communicate, phishing emails are an attack method favored by cyber criminals.
In this type of attack, cyber criminals design emails to look convincing and send them to targeted people. The sender pretends to be someone the potential victim knows, someone who can be trusted, like a friend, or close contact, or the very bank where they save their income, or even the social media platform where they might have an account. As soon as they click on any malicious files or links embedded within these emails, they may land in a compromised situation.
In this write up, I will focus on things to look at while hunting threats in phishing emails.
Header analysis:
An email is divided into three parts: header, body, and attachment. The header part keeps the routing information of the email. It may contain other information like content type, from, to, delivery date, sender origin, mail server, and the actual email address used to send/receive the email.
Important headers
Return- Path:
The Return-path email address receives the delivery status information. To get undelivered emails, or any other bounced back messages, our emails’ server uses Return-Path. The recipient server uses this field to identify spoof emails. In this process, the recipient server retrieves all the permitted IPs related to the sender domain and matches with the sender IP. If it fails to provide any match, we can consider the email to be spam.
Received:
This field shows information related to all hops, through which the email was transferred. The last entry shows the initial address of the email sender.
Reply-To:
This field’s email address is used to receive the reply message. It can differ from the address in spoof emails.
Received-SPF:
SPF (Sender Policy Framework) helps to verify that messages appearing from a particular domain were sent from servers under control of the actual owner. If the value is Pass, then the email source is valid.
DKIM:
Domain Keys Identified Mail (DKIM) signs the outgoing email with an encrypted signature inside the headers and the recipient email server decrypts it, using a shared public key to check whether the message was changed in transit.
X-Headers:
These headers are known as experimental or extension headers. They are usually added by the recipient mailbox providers. Fields like X-FOSE-Spam and X-Spam-Score are used to identify spam emails.
Consider the following email message:
Figure1: Raw email header information
Based on the above information the email is suspected to be spoofed. We should put the extracted email IDs in the block list.
The email bodies of phishing emails we usually receive mostly target our trust, by having something faithful and reliable in their content. It is so personalized and seemingly genuine, that victim’s often take the bait. Let us see the example below and understand what actions should be taken in such a scenario.
Figure2: Phishing email related to COVID-19
In the above email, the spammer pretends to be a medical insurance service provider and this mail is regarding a health-plan payment invoice for COVID-19 insurance the victim has supposedly purchased recently.
Figure2: Phishing email related to COVID-19 (continued)
Moreover, if we look closely at the bottom of the email, we can see the message, ‘This email has been scanned by McAfee’. This makes the email appear believable, as well as trustworthy.
Now, if we hover the mouse pointer over the |SEE DETAILS| button, one OneDrive link will pop up. Rather than clicking on the link, we must copy it for execution separately.
Figure3: Downloaded html file after clicking on the OneDrive link.
To execute the above OneDrive link separately (hxxps://1drv[.]ms/u/s!Ajmzc7fpBw5lrzwfPwIkoZRelG4D), it would be preferable to load it inside an isolated environment. If you do not have such an environment available yourself, you can use an online browser service like Browserling.
After loading the link in the browser, you will notice that it downloads an html attachment. Clicking on the html file takes us to another webpage (hxxps://selimyildiz[.]com.tr/wp-includes/fonts/greec/xls/xls/open/index.htm).
Figure4: Fake Office 365 login page
The content of the site is a lookalike of an online Microsoft Excel document where it is asking for Office 365 login details to download it. Before doing anything here we need to check a few more things.
Figure5: WordPress admin panel of selimyildiz[.]com.tr
To further validate whether the webpage is genuine or not, I have shortened the URL to its domain level to load it. The domain leads to a WordPress login page which does not belong to Microsoft, further arousing suspicion.
Figure 6: whois information of selimyildiz[.]com.tr
As per the whois information This domain has not been registered by Microsoft and it resolves to the public IP 2.56.152.159 which is also not owned by Microsoft. The information clearly indicates that it is not a genuine website.
Figure7: Attempting to login with random credentials to validate the authentication
Now to check the behavior, I came back to the login page, enter some random credentials, and try to download the invoice. As expected, I was faced with a login failed error. Here on we can assume there might be two probable reasons for the login failure. Firstly, to make the victim believe that it is a genuine login page or, secondly, to confirm whether the typed password is correct, as the victim may have made a typing error.
Figure8: Fake invoice to lure the victim
Now that we know this is fake, what is next? To validate the authentication check I entered random credentials again and bingo! This time it redirects to a pdf invoice, which looks genuine by showing it belongs to some medical company. However, the sad part is if the victim falls under this trap then, by the time they realize that this is a fake invoice, their login credentials will be phished.
In email, users commonly share two types of documents as an attachment, Microsoft office documents or PDF files. These are often used in document-based malware campaigns. To exploit the targeted systems, attackers usually infect these documents using VBA or JavaScript and distribute them via (phishing) emails.
In the first section of this part, we will analyze a malicious Word document. This type of document contains malicious Visual Basic Application (VBA) code, known as macros. Sometimes, a macro triggers the moment a document is opened, but from Microsoft Office 2007 onwards, a macro cannot execute itself until and unless the user enables the macro content. To deal with such showstoppers, attackers utilize various social engineering methods, where the primary goal is to build trust with the victim so that they click on the ‘Enable Editing’ button without any second thought.
File Name: PR_Report.bin
Hash: e992ffe746b40d97baf56098e2110ff3978f8229ca333e87e24d1539cea7415c
Tools:
Step 1: Getting started with File properties
It is always good practice to get familiar with the properties before starting any file analysis. We can get the details using the ‘file’ command in Linux.
Step 2: Apply Yara rules
Yara is a tool to identify and classify malware. This tool is used to conduct signature-based detection against any file. Let us check a couple of premade Yara rules from Didier Stevens Suites.
Step 3: Dump the document contents using oledump.py
As we know, an OLE file contains streams of data. Oledump.py will help us to analyze those streams further to extract macros or objects out of it.
You may notice in the above figure that we can see two letters ‘M‘ and ‘O’ in stream 8, 9 and 15, respectively. Here ‘M’ indicates the stream might contain macro code and ‘O’ indicates an object.
Step 4: Extract the VB script in macros
Shell cmd.exe /c ping localhost -n 100 && start Environ(“Temp”) & “\6C.pif”, vbHide
Step 5: Extract file from the ole object.
It is clear that the document has an embedded file which can be extracted using the oleobj tool.
Step 6: Getting the static information from the extracted file.
Step 7: Behavior analysis
Setup a Windows 7 32-bit VM, change the file extension to ‘.exe’ and simply run Apate DNS and Windows Network Monitoring tool before execution.
Figure9: Command and Control domain’s DNS queries captured in Apate DNS
Figure10: Captured network traffic of 5C.exe while trying to communicate with the C2
Figure11: Registry changes captured in Process Monitor
We can summarize it as the Word document first ran a VBA macro, dropped and ran an embedded executable, created a new process, communicated with the C2 servers and made unauthorized Registry changes. This is enough information to consider the document as malicious. From this point, if we want, we can do more detailed analysis like debugging the executable or analyzing the process dump to learn more about the file behavior.
A PDF document can be defined as a collection of objects that describes how the pages should be displayed inside the file.
Usually, an attack vector uses email or other social engineering skills to lure the user to click or open the pdf document. The moment a user opens the pdf file it typically executes JavaScript in the background that may exploit the existing vulnerability that persist with the Adobe pdf reader or drop an executable as a payload that might perform the rest of the objectives.
A pdf file has four components. They are header, body, reference, and trailer.
File name: Report.pdf
Sha256: a7b423202d5879d1f9e47ae85ce255e3758c5c1e5b19fcd56691dab288a47b4c
Tools –
Step 1: Scan the pdf document with PDFiD
PDFiD is a part of the Didier Stevens Suite. It scans the pdf document with a list of strings, which helps you to identify the information like JavaScript, Embedded files, actions while opening the documents and the count of the occurrences of some specific strings inside the pdf file.
Step 2: Looking inside the Objects
We have now discovered that there is JavaScript present inside the pdf file so let us start from there. We will run pdf-parser.py to search the JavaScript indirect object.
Step 3: Extract the embedded file using peepdf.
Peepdf is a tool built in Python, which provides all the necessary components in one place that are required during PDF analysis.
Syntax: peepdf –i file_name.pdf
The syntax (-i) means enabling interaction mode.
To learn more, just type help with the topic and explore the options it displays.
Step 4: Behavior analysis
Now set up a windows 7 32-bit virtual machine and execute the file.
Figure12: Process Explorer displays processes created by virus.exe
Figure13: Process Monitor captured the system changes made by virus.exe
The results in Process Monitor show the file was dropped as zedeogm.exe. Later it modified the Windows firewall rule. Then it executed WinMail.exe, following which it started cmd.exe to execute ‘tmpd849fc4d.bat’ and exited the process.
At this point, we have collected enough evidence to treat the pdf file as malicious. We can also perform additional precautionary steps like binary debugging and memory forensics on the extracted IOCs to hunt for further threats
In this write-up, we have understood the purpose of email threat hunting, how it will help to take preventive actions against un-known threats. We have discovered the areas we should investigate for hunting threats. We learned how a malicious URL can be hidden inside an email body and its analysis to further see if it is malicious or not.
To stay protected:
The post Steps to Discover Hidden Threat from Phishing Email appeared first on McAfee Blogs.
World Password Day isn’t the most popular day on the calendar, but it’s an important reminder that good password hygiene is essential to staying safe online. This World Password Day, we’d like to talk about improving your password hygiene, how you can help your friends and family improve theirs, and what the future of authentication holds.
The SolarWinds hack in 2020 is one of the most devastating hacks in the history of the internet. Close to 20,000 company’s systems were compromised, losing billions of pieces of data in the process. If you’re one of the 37% of Americans that go long periods of time without updating passwords*, large-scale attacks like SolarWinds can be devastating. By stealing so many login credentials simultaneously, attackers can potentially access exponentially more accounts by reusing leaked credentials on different sites. Unfortunately this is not an isolated event, data breaches from websites and services we frequently use continue to happen through 2021 as well.
According to a recent survey we conducted, 34% of Americans have reused the same, or similar, password more than once. By using the same password for multiple accounts, attackers only need to find one password, creating a domino effect that makes it easier to access more accounts. If that password is weak, it becomes even easier to tip over that first domino.
Our guidance is to create strong, hard-to-guess passwords to protect your accounts. We recommend creating a unique password for every online account, using more than 16 characters, with upper and lower case letters, some numbers, and special symbols, to make a stronger than average password. How are you supposed to remember all of those strong passwords, though?
Well, password managers, especially those included in comprehensive security suites like McAfee® Total Protection, do much of the heavy lifting for you. For instance, McAfee’s integrated password manager not only helps you create stronger passwords and store them, but will also autofill your credentials and log you into websites as well. These convenient features extend beyond just your computer and can be used on other devices like your phone and tablet. Best of all, password managers that are an integrated part of a security suite can be monitored, so you’ll be alerted if your passwords get exposed in a data breach.
You’ve already taken a step towards improving your password hygiene by reading this blog post. But the next step is, have an honest look at your passwords. Do you write them down, use the same for many accounts, or use weak ones? Then it may be time for a change to better protect your accounts and the personal info in those accounts.
If you’re like a certain member of my family—that will remain nameless, Mom—who kept their passwords written down in a notepad, making the change to a password manager (McAfee’s, naturally) was a life-changing moment. Not only did it help her see just how often she was using the same login credentials, she now has an easy way to store, auto-fill, and even generate strong passwords across all her accounts and devices. An intended bonus was that she also realized how many accounts she was no longer using!
Now that you know more about what makes a strong password and how to protect them, let’s talk about why strong passwords are just the start of keeping your accounts safe. You’re probably already using Two-Factor Authentication for apps and services, but you may not have heard the term before. Two-Factor Authentication, or 2FA, is the second layer of protection to authenticate or prove you are the owner of this account. If you’ve received a text message or an email to confirm a new account signup, that’s a type of 2FA.
Text messages and email aren’t the only types of 2FA. There are USB keys, apps, and even systems built-in to your phone, like facial recognition to open phone apps, for example. Some popular 2FA options are USB keys and Google Authenticator.
The great thing about 2FA is that it helps make your strong passwords even more effective by stopping an attacker from using stolen credentials. If you fell victim to a phishing attack that looked like your bank’s website, the attacker would have your email and password combination. Without 2FA, they could log into your account and pretend they’re you. With 2FA in place, it becomes much harder for an attacker to access your account because they’re missing that last important piece of information.
Humans are almost always the weakest link when it comes to securing information. But by committing ourselves to better password practices, with help from the latest technology, we can make sure passwords are a strong link in our security chain; one that will only get stronger in the future.
For instance, using a device like a key-fob, new passwordless systems can authenticate a user without entering their login details. Not only does this make logging into your accounts lightning fast, you also never have to remember a complicated password again.
Biometric locks, like FaceID, are another example of passwordless entry. Using your face, or a fingerprint to authenticate yourself makes it much harder for attackers to break into your accounts.
We hope this Password Day post has helped answer some questions about password hygiene and how to take better care of your online accounts. Online security changes from day to day, so staying aware of new technologies and building safe new habits is essential. Perhaps one day this day will no longer need to exist on our calendars, as we look to a future where we might not need passwords at all. While we collectively make strikes towards this future, let’s celebrate this day while it lasts.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post World Password Day: Make Passwords the Strongest Link in Your Online Security appeared first on McAfee Blogs.
McAfee is tracking an increase in the use of deceptive popups that mislead some users into taking action, while annoying many others. A significant portion is attributed to browser-based push notifications, and while there are a couple of simple steps users can take to prevent and remediate the situation, there is also some confusion about how these should be handled.
In many cases scammers use deception to trick users into Allowing push notifications to be delivered to their system.
In other cases, there is no deception involved. Users willingly opt-in uncoerced.
After Allowing notifications, messages quickly start being received. Some sites send notifications as often as every minute.
Many messages are deceptive in nature. Consider this fake alert example. Clicking the message leads to an imposter Windows Defender alert website, complete with MP3 audio and a phone number to call.
In several other examples, social engineering is crafted around the McAfee name and logo. Clicking on the messages lead to various websites informing the user their subscription has expired, that McAfee has detected threats on their system, or providing direct links to purchase a McAfee subscription. Note that “Remove Ads” and similar notification buttons typically lead to the publishers chosen destination rather than anything that would help the user in disabling the popups. Also note that many of the destination sites themselves prompt the user to Allow more notifications. This can have a cascading effect where the user is soon flooded with many messages on a regular basis.
First, it’s important to understand that the representative images provided here are not indications of a virus infection. It is not necessary to update or purchase software to resolve the matter. There is a simple fix:
1. Note the name of the site sending the notification in the popup itself. It’s located next to the browser name, for example:
Example popup with a link to a Popup remover
2. Go to your browser settings’ notification section
3. Search for the site name and click the 3 dotes next to the entry.
Chrome’s notification settings
4. Select Block
The simplest way is to carefully read such authorization prompts and only click Allow on sites that you trust. Alternatively, you can disable notification prompts altogether.
As the saying goes, an ounce of prevention is worth a pound of cure.
While there are thousands of various messages and sites sending them, and messages evolve over time, these are the most common seen in April 2021:
|Click here to review your PC protection|Reminder From McAfee|Click here to review your PC protection|Download your free Windows protection now.|Bestes Antivirus–Kostenlos herunterladen
Your Mcafee has Expired |Renew now to stay protected for your PC!
Activate McAfee Antivirus Your Mcafee has Expired | Renew Norton Antivirus!The post How to Stop the Popups appeared first on McAfee Blogs.
Google’s Android operating system has been a boon for the average consumer. No other operating system has given so much freedom to developers and hardware manufacturers to make quality devices at reasonable prices. The number of Android phones in the world is astounding. That success comes with a price, however.
A recent report from our own McAfee Mobile Research team has found malicious apps with hundreds of thousands of downloads in the Google Play store. This round of apps poses as simple wallpaper, camera filters, and picture editing, but they hide their nature till after they’ve been installed on your device.
Figure 1. Infected Apps on Google Play
On the bright side, Google Play performs a review for every app to ensure that they are legitimate, safe, and don’t contain malware before they’re allowed on the Play store. However, enterprising criminals regularly find ways to sneak malware past Google’s security checks.
Figure 2. Negative reviews on Google Play
When developers upload their apps to the Play store for approval, they have to send supporting documents that tell Google what the app is, what it does and what age group it’s intended for. By sending Google a “clean” version of their app, attackers can later get their malicious code into the store via a future update where it sits and waits for someone to download it. Once installed, the app contacts a remote server, controlled by the attackers, so it can download new parts of the app that Google has never seen. You can think of it as a malware add-on pack that installs itself on your device without you realizing it. By contacting their own server for the malware files, attackers sneak around Google security checks and can put anything they want on your device.
The current round of malware we’re seeing hijack your SMS messages so they can make purchases through your device, without your knowledge. Through a combination of hidden functionality and abuse of permissions like the ability to read notifications, that simple looking wallpaper app can send subscription requests and confirm them as if it were you. These apps will regularly run up large bills through purchasing subscriptions to premium rate services. The more troubling part is how they can read any message that you receive, possibly exposing your personal information to attackers.
To start, a comprehensive and cross-platform solution like McAfee Total Protection can help detect threats like malware and alerts you if your devices have been infected. I’d also like to share some tips our Research team has shared with me.
Before you hit that install button, take a good look at an app’s reviews. Do they look like they were written by real people? Do the account names of the reviewers make sense? Are people leaving real feedback, or are the majority of comments things like, “Works great. Loved it.” with no other information?
Scammers can easily generate fake reviews for an app to make it look like people are engaging with the developers. Look out for vague reviews that don’t mention the app or what it does, nothing but five-star reviews, and generic sounding account names like, “girl345834”. They’re probably bots, so be wary.
Search for the app developers’ company and see if they have a website. Having a website doesn’t guarantee an app is legitimate, but it’s another good indicator of how trustworthy a company’s app is. Through their website, you should be able to find out where their team is based, or at least some personal information about the company. If they’re hiding that information, or there’s no site at all, that might be a good sign to try a different app.
A lot of malicious apps offer features that your phone already provides, like a flashlight or photo viewer. Unless there’s a very specific reason why you need a separate app to do something your device already does, it’s not recommended to use a third-party app. Especially if it’s free.
App permissions must be clearly stated on the app’s page in order to get into the Google Play store. They’re found near the bottom of the page, along with developer information. Check the permissions every app asks for before you install it and ask yourself if they make sense. For example, a photo editor doesn’t need access to your contacts list, and wallpapers don’t need to have access to your location data. If the permissions don’t make sense for the type of app, steer clear.
Mobile devices are vulnerable to malware and viruses, just like your computer. By installing McAfee protection to your mobile device, you can secure your mobile data, protect your privacy, and even find lost devices.
Android is one of the most popular operating systems on the planet, which means the rewards for creating malware for Android devices are well worth it. It’s unlikely that Android malware is going away any time soon, so staying safe means being cautious with the things you install on your devices.
You can protect yourself by installing McAfee Total Protection on your mobile device and reading the permissions apps ask for when you install them. There’s no good reason for a wallpaper app to have SMS permissions, but that request should ring some alarm bells that something isn’t right and stop you from installing it.
The post Fraudulent Apps that Automatically Charge you Money Spotted in Google Play appeared first on McAfee Blogs.
Music is lovely, isn’t it?
It has the ability to brighten days with upbeat bars or provide a comfortable place of solace and reflection via gentle, soothing notes. Whether you typically opt for Black Sabbath, Shakira, or Bob Marley, music meets our ears in many different ways – and harmony is not always one-size-fits-all. We recognize this when a friend, sibling, partner, or stranger earnestly (yet tonelessly) attempts to mimic Mariah Carey’s five-octave range, resulting in room-clearing screeches that can only be found in a nature documentary.
While I’m not a Grammy-winning artist myself, my point is that harmony is relatable and relevant across any industry, method, measure, or format – even security. Trends and messaging have increasingly pointed to the consolidation of everything across Security Operations Centers (SOC) so they can act in a harmonious manner, not missing a beat to provide protection across the entire enterprise. We’ve seen this as conversations shift from endpoint detection and response (EDR) to extended detection and response (XDR), with the latter promising lower total cost of ownership as well as improved protection and productivity. Who wouldn’t want this!
But the truth is, it isn’t lack of desire for full protection in the most cost-effective and efficient manner, but lack of knowledge or perceived roadblocks. Enterprises across the world have been affected by the global pandemic, uprooting familiar processes. Companies were forced to introduce quick, sometimes temporary solutions for larger systemic issues all without 100 percent certainty where endpoints may lie and what damage this vulnerability presents, especially as bad actors extort the chaos created by COVID-19 to double down on attacks.
This upheaval has started to settle down and enterprises now have more time and energy to audit their businesses and processes with fresh eyes. It isn’t a matter of the pandemic, with hope, nearing its end, to just re-plug in an existing solution stack – but rather looking at how the business has changed and adapting to these changes for now and into the future. This includes changes across staff, solutions, shifting skillsets to manage increased workloads, and yes – increased, and perhaps hasty, consolidation attempts.
According to Enterprise Strategy Group, more than 80 percent of organizations are singing the tune of change with plans to increase spending on threat detection and response. They are hearing the melodious mandate to meet the needs of today’s “new-normal-digitally transformed-modern” enterprise. For many, this means an investment in extended detection and response (XDR) technology.
Enterprises are already feeling the pressure. They have their bottom lines trapped on repeat, looping in their minds. They are seeking counsel, support, and direction – not to be chastised by their choices – but rather guided to create and implement strategies that best fit their business.
That being said, the potential for XDR is tremendous. But you have to crawl before you can walk. I’m sure many of us may feel silly, or even stupid, thinking back to when we carried Walkman and Discmans, clunkily fumbling for them in our pockets or purses, forever tethered to the device if you wanted to listen to music. But at the same time, we recognize the progression from Walkman to iPod to iPhone to Bluetooth and voice-activated technology, and more. The Discman and Walkman crawled so digitized music could walk.
This natural progression is no different in the security industry, and the onus is on vendors to make this connection. Enterprises, after all, are not still storing floppy disks locked in a filing cabinet as a security measure. While XDR is the latest technology, the journey to XDR includes the fundamental need of endpoint detection and response (EDR) capabilities. EDR is a foundational piece in getting XDR right – or put another way, XDR is an efficient evolution of EDR platforms. EDR crawled so XDR could walk. XDR will walk so the next technology can fly.
This is what true innovation is, the constant desire to advance processes, products, and experiences. It is what XDR promises, to improve and streamline processes across enterprise SOCs, providing meaningful context, actionable intelligence, and the visibility and control necessary to connect solutions that orchestrate together in symphonic harmony.
In fact, from a philharmonic standpoint, symphonies by definition are made up of different types of instruments (endpoints) generating music (data) where each requires incredibly specific methods of tuning and expertise by musicians (SOC analysts) in order to ensure they can be harmonious with the group. Musicians are not born with their skillset, but rather they test and learn – and fail – trying to see which instrument is the best fit for them, which notes they can hit, and which notes are best suited for another instrument or musician to manage.
We must be the conductor and connecting point here to show the true benefits and value of XDR. While the journey is different for every enterprise (and vendor), the end goal is a protected society where good prevails over bad. It is our job to guide these choices and take responsibility regardless of where an enterprise is at in their journey – to show how innovation builds on itself, always striving to better experiences and outcomes.
Where are you in the journey to XDR? Check out the on-demand webinar below and start asking questions.
The post Stupid Is as Stupid Does: XDR Is About the Journey, Not the Destination appeared first on McAfee Blogs.
Industry analysts perform a huge service in evaluating markets, technology, vendors and sharing their insights with customers via one-on-one discussions and regular publications and events. Gartner publishes Magic Quadrant reports that review a particular market and evaluate vendors for their Completeness of Vision and Ability to Execute.
Gartner also has a separate team of analysts that evaluates single products in greater depth. Their reports review each product or product family across hundreds of criteria and produce a scorecard, key findings and customer recommendations.
We are proud to read the new Solution Scorecard for McAfee MVISION Cloud by Gartner, where we scored “94 out of 100 against Gartner’s 480-point Solution Criteria for Cloud Access Security Brokers”. MVISION Cloud was the only CASB product to score 94 out of 100 in the 2021 scorecards.”
We have licensed it for anyone to read.
We believe, for this review, they reviewed 480 sets of criteria across eleven areas from architecture, management and functions such as data security, threat protection and Cloud Security Posture Management. Once they had reviewed and weighted each attribute, MVISION Cloud came out with a total blended total score of 94 out of 100.
The framework that they used splits each of the criteria into one of three categories – Required, Preferred and Optional. We are pleased to see that they consider MVISION Cloud provides 97% of the Required functionality.
We have also licensed the Magic Quadrant for Cloud Access Security Brokers report from October 2020 – available here.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, Solution Scorecard for McAfee MVISION Cloud, 5 April 2021, Sushil Aryal, Dennis Xu, Patrick Hevesi
The post McAfee Recognised in 2021 Gartner Solution Scorecard Report appeared first on McAfee Blogs.
Ahhhh. Can you feel it? Summer is so close. Everything feels a little more buoyant, a little brighter. We’re in the home stretch of social distancing, a sense of normalcy is returning, and there’s a collective energy that’s ready to throw the screen door open, run outside, and pounce on summer.
There’s no doubt you’ve established great digital ground rules that worked well during quarantine. However, as we begin the mental trek toward some degree of our former life, summer may be the perfect window to think about a digital reset.
A reset is simply taking a moment to pause, assess, and adjust where it makes sense. Consider what digital expectations and ground rules you established during the pandemic, what worked for your family, and what needs to be phased out before the new school year approaches.
We know that during quarantine (and even after), kids’ screen time doubled for several reasons, including learning from home, needing to connect with friends online more, and boredom. During the pandemic, we also knew that helping kids manage the ongoing stress of homebound life was crucial for helping them maintain digital, emotional, and physical health. All of these factors impacted our digital routines and expectations.
Summer routines will look different for every family. Some students are attending school on site throughout the summer as many districts strive to bridge 2020 learning losses. Other students will enjoy a traditional summer break before starting back to school in a few months.
Whichever way your family’s summer routine rolls out, here are a few small shifts you can begin making today that will slowly help you re-establish smart digital habits.
1. Pause, assess, adjust. Stop to evaluate the role technology has grown to occupy in your home over the past year. Assess your family’s screen time and device habits that shifted or grew. Where do you need to help your kids slowly pull back? How many hours a day do the kids play video games? How much TikTok or YouTube scrolling is going on? Are the TV binges out of control? Is there still a phone curfew in place, or have kids started taking their phones to bed?
2. Give parental controls a go. If you gave your kids a little more device freedom during the pandemic and put the idea of parental controls on hold, summer is a great time to give this option a go. Test monitoring features, content filters, and make adjustments that fit your family’s needs. If your goal for your kids is less device time and more outside time this summer, parental controls include screen limits to help you reset any poor habits that have set in.
3. Safety and Privacy revamp. During summer especially, take time to understand the friends your kids connect with online – new friend groups can form over the summer. Review privacy and location settings on apps. Teens often leave their location on for one another so they can find things to do. This practice isn’t always a good idea since location-based apps can open your family up to risks.
4. Screen-free zones. Another wise habit that may have gone by the wayside is creating screen-free zones such as the dinner table, the bedroom, restaurants, and family trips. Setting a tech curfew is also a great way to help kids get into consistent sleep patterns. These few steps can add hours of family time to your day and give kids a much-needed device break. If you are going on vacation, creating screen-free zones on your trip will ensure you are fully engaged and don’t miss out on the experience.
5. Get a plan. The summer has a way of flying by, especially if kids end up playing video games, watching YouTube videos, or chatting on social media all day. Get in front of that temptation with a plan. Collaborate on a wish list of things every family member would like to do over the summer. Maybe it’s canoeing, a trip somewhere fun, a family project, volunteering, or a new hobby that taps into their creativity.
As you ease back into new habits, remember to share your reasoning for the reset. Handing down digital edicts rarely sticks, but when kids understand the mental and physical benefits of balancing their technology, they will be more likely to get on board with the change.
The post 5 Ways to Reset Your Family’s Digital Habits this Summer appeared first on McAfee Blog.
Of all the pastimes that took off during the pandemic, it’s not surprising that online gaming was one of them. After all, gaming offers excitement, new experiences, and social interaction, all from the comfort of home. It’s no wonder then that the gaming industry saw a 20% increase in revenue in 2020, as new and previously-retired gamers returned to this pastime.
But while the gaming industry was finding a lot of new allies, the players themselves faced growing exposure to malware and threats. Our 2020 Mobile Threat Report found that gamers are being targeted with phishing attacks and malicious apps, aimed at stealing usernames and passwords. With this information, hackers could potentially steal hard-earned in-game collectibles, as well as real-world money and personal information. And PC gamers face similar threats, from viruses and spyware to network attacks that could potentially put their personal information and property at risk.
While 75% of gamers surveyed worry about their security while gaming in the future, some worry they’ll have to compromise performance to be protected. That’s why McAfee® Gamer Security offers robust protection to PC gamers with one of the lowest impacts on system performance in the industry.
To protect the growing number of gamers against increasing threats, we are offering one free year of McAfee Gamer Security for one gaming PC to multi-device McAfee ® Total Protection and McAfee® Live Safe users in the U.S. This powerful software was built from the ground up to address the challenges gamers face, with speedy performance, system optimization, uninterrupted gaming, and no pop-up apps.
But don’t just take it from me. This is what one of our users have to say: “I believe [McAfee Gamer Security] had a positive impact … because it increased the speed of my game as well as gave me peace of mind that I was protected during my gameplay.”
We know that gamers are some of the most tech-savvy and connected users out there, so it’s important that we meet them where they are by giving them the performance and security they need to play at full throttle. After all, many users are seeking stress relief through gaming, not the extra worry over their online security.
With McAfee Gamer Security we made security for players more fun, by including a gamer-centric interface that was inspired by familiar apps like game launchers — you can check the current status of your system and key resources that impact in-game performance, like GPU, CPU, and memory, as well as perform real-time optimization. And of course, we’ve also included monitoring for your all-important FPS (frames per second). You can even access past performance data to better understand your game-by-game trends.
Let’s keep the excitement of gaming while adding the extra confidence of knowing that your digital life is protected. Whether you are new to McAfee or already enjoying our personal protection, you can download McAfee Gamer Security for free in under one minute with a qualifying subscription! In our mission to provide users with personal protection, we are welcoming PC gamers with open arms.
The post PC Gamers (and Parents of Gamers) Rejoice! appeared first on McAfee Blogs.
It’s easy to imagine where we would be without women in technology.
We’d be poorer for it.
With Mother’s Day upon us, I couldn’t help but think once more about the stark employment figures I shared in my International Women’s Day blog just a few weeks ago. Millions of women have involuntarily left the workforce at a much higher rate than men during the pandemic—with roughly one third of women in the U.S. aged 25-44 citing that childcare was the reason for that unemployment.
Reflecting on this further, I thought about the women in technology who’ve left their positions during this past year. It’s a loss of talent and capability that’s set back decades of advances by trailblazing women who not only shine in their field yet also do so in male-dominated realms of study, research, and employment.
So as we look ahead to recovery, we should also look back. By celebrating just a few of the women in technology who shaped our world today, women who truly are “mothers of invention,” perhaps we can remember just how vital women are in our field—and how we should double down on our efforts to welcome them back.
Imagine a time when the term “software engineering” wasn’t recognized, even though it was crucial to us landing on the moon.
Such were the days when Margaret Hamilton began her work at Massachusetts Institute of Technology (MIT) as a job to support her family while her husband went to law school at Harvard. This was in 1959 and would introduce her to Edward Lorenz, the father of chaos theory, and put her on the path to help humanity set its first footsteps on the moon.
It was her work and her code that developed a software-driven system that warned astronauts of in-flight emergencies, an advance she credits her young daughter for inspiring, as recounted in this interview:
Often in the evening or at weekends I would bring my young daughter, Lauren, into work with me. One day, she was with me when I was doing a simulation of a mission to the moon. She liked to imitate me – playing astronaut. She started hitting keys and all of a sudden, the simulation started. Then she pressed other keys and the simulation crashed … I thought: my God – this could inadvertently happen in a real mission.
I suggested a program change to prevent a prelaunch program being selected during flight. But the higher-ups at MIT and NASA said the astronauts were too well trained to make such a mistake. Midcourse on the very next mission, Apollo 8, one of the astronauts on board accidentally did exactly what Lauren had done. The Lauren bug! It created much havoc and required the mission to be reconfigured. After that, they let me put the program change in, all right.
When you search online, you have this woman to thank.
A true pioneer, Karen Spärck Jones worked at Cambridge, during which time she developed the algorithm for deriving a statistic known as “term frequency–inverse document frequency” (TFIDF). In lay terms, TFIDF determines how important a word is relative to the document or collection of terms in which it is found. Sound familiar? It should, as her work forms the basis of practically every search engine today.
Spärck Jones remained outspoken with regards to what she referred to as “professionalism” in technology. This had two layers: the first being the technical efficacy of a solution, the second being the rationale for even doing it in the first place. In her words,
“[T]o be a proper professional you need to think about the context and motivation and justifications of what you’re doing … You don’t need a fundamental philosophical discussion every time you put finger to keyboard, but as computing is spreading so far into people’s lives you need to think about these things.”
Her vision for computing and her hands-on work led to development of COBOL, a programming language still in use today. Driving that vision was the belief that human language could be used as the basis for a programming language, making it more accessible, particularly for business use. The result was the FLOW-MATIC programming language, which was later developed into COBOL, a language that is estimated to be used in 95% of ATM card swipes.
During her time as a naval officer, she helped transform centralized Defense Department systems into smaller, distributed networks akin to the internet we now know and use. At her retirement near the age of 80, she went to work in the private sector where she held the role of full-time senior consultant until her passing at age 85. This 1983 profile of her, aired when she was 76, is certainly worth a watch.
Quite plainly, Perlman’s work paved the way for the routing protocols that underpin the modern internet.
Prior to Perlman’s work, as networks grew and accordingly became more complex, data would often flow into loops that prevented them from reaching their intended destination. Enter her creation of the Spanning Tree Protocol (STP), which can handle large clouds of computers and network devices. While its since evolved, the concept of an adaptive network remains squarely in place.
Another advance of hers was introducing computer programming to young children aged 3 to 5 back in the 1970s. While working at MIT’s LOGO Lab, she created TORTIS (Toddler’s Own Recursive Turtle Interpreter System), which used buttons from programming and allowed for experimentation with a robotic turtle that would follow a toddler’s commands. In the abstract for her paper that documented the work, she emphasized what she felt was a vital point, “Most important of all, it should teach that learning is fun.”
These women have led and inspired, and likewise it’s on all of us in technology to build on the advances they made possible through both our work and the workplace cultures we foster—particularly as we begin our recovery from this pandemic.
One of the many reasons I’m proud to be a part of McAfee is our Women in Security (WISE) community. It’s truly a forward-thinking program, which we introduced to enrich and support women in the tech sector through mentorship programs and professional development conferences. It’s one of the several, tangible ways we actively strive for a vibrant and diverse culture at McAfee.
Another powerful voice for women in tech is AnitaB.org, which supports women in technical fields, as well as the organizations that employ them and the academic institutions training the next generation. A full roster of programs help women grow, learn, and develop their highest potential.
And for looking forward yet further, there’s Girls Who Code, which is building the next generation of female engineers and technologists. Their data shows why this is so vital. They found that 66 percent of girls aged six to 12 show interest in computing, but that drops to 32 percent for girls aged 13 to 17, and then plummets to only 4 percent for college freshmen. Accordingly, they support several programs for school-aged girls from third grade up through senior year of high school, help educators and communities launch clubs, and advocate for women in their field through their work in public policy and research.
And that’s just for starters. For an overview of yet more organizations where you can get involved, check out this list of 16 organizations for women in tech—all of which help us realize a better world with women in technology.
The post The Mothers of Invention: Women Who Blazed the Trail in Technology appeared first on McAfee Blogs.
Since ransomware’s introduction in 1989 in the form of the AIDS Trojan, also known as PS Cyborg, distributed on diskettes, ransomware has continually increased and evolved into a heinous threat to our national security, public safety, and to our economic and public health. With ransoms paid in 2020 reaching more than $300+ million, it has become a disruptive economic leach on the resources of its victims. Local governments, educational organizations, hospitals, critical infrastructure services, businesses and organizations of all sizes have had to decide what to do when presented with a ransomware demand. These activities are highly disruptive, causing far more costs to the victims than just the cost of the ransom.
Ransomware is highly profitable. Today malicious actors are organized and coordinate their operations. We are seeing Ransomware as a Service (RaaS) businesses making it easy for those without the skills or infrastructure to threaten us as well. The scourge of ransomware must be addressed.
The Institute for Security and Technology (IST) stood up and initiated the Ransomware Task Force (RTF) late last year to address ransomware in a more wholistic fashion. In partnership with a broad coalition of 60+ experts from cybersecurity vendors, financial services, governments, law enforcement, non-profits, and international organizations, the RTF developed and released Combating Ransomware: A Comprehensive Framework for Action.
As you might expect, there were some very tough conversations during the development of the recommendations. For example, prohibiting / outlawing ransomware payments was one area of contention. There are valid reasons to want to prohibit payments. No one wants their corporate funds or governmental tax dollars going to pay for other forms of cybercrime or elicit nation state activities. Sadly, the state of cybersecurity maturity, in the U.S. alone, is not ready for such a step. Consensus was reached that we are really not ready to play that game of chicken.
Ransomware is a global problem and while many of the recommendations in the framework for action are directed at specific U.S. government bodies, it is important our international partners map the recommendations onto their specific governmental structures. Throughout the report it is clear the recommendations are global in nature and that coordinated, international diplomatic and law enforcement efforts are critical. There are 48 recommendations as a part of the report. Most of the recommendations are not technical but rather legal, economic, and diplomatic tools.
It is heartening to see the level of activity focused on addressing ransomware in the new administration. The Department of Justice is standing up a new task force dedicated to dealing with ransomware. The Department of Homeland Security (DHS) recently formed a ransomware task force and launched a 60-day sprint. Participating in the RTF Launch event, DHS Secretary Alejandro Mayorkas said the IST RTF report will help guide a whole-of-government approach to the problem. He also stated the White House is developing a plan to combat ransomware.
While all these efforts are welcomed, my hope is that the great work of the IST RTF described in Combating Ransomware: A Comprehensive Framework for Action is used as a foundation to feed these and future efforts so we can see real progress in the actionable outcomes we all desire.
I’d like to thank IST CEO Philip Reiner and his outstanding team for allowing me to participate as a member of the RTF. To all my fellow RTF members, I hope to work with each of you again.
The post Ransomware Task Force Releases its Comprehensive Framework for Action appeared first on McAfee Blogs.
While we’re enjoying the fruits of digital life—our eBooks, movies, email accounts, social media profiles, eBay stores, photos, online games, and more—there will come a time we should ask ourselves, What happens to all of this good stuff when I die?
Like anything else we own, those things can be passed along through our estates too.
With the explosion of digital media, commerce, and even digital currency too, there’s a very good chance you have thousands of dollars of digital assets in your possession. For example, we can look at research we conducted in 2011 which found that people placed an average value of $37,438 on the digital assets they owned at the time. Now, with the growth of streaming services, digital currency, cloud storage, and more in the past ten years, that figure feels conservative.
Enter the notion of a digital legacy, the way you can catalog and prepare your digital assets for passing through your estate.
Like so many aspects of digital life nowadays, estate planning law has started to catch up to the realities that attorneys, executors, and heirs face when dealing with an estate and its digital assets. In the U.S., new laws are rolling out that address how digital assets are treated when the owner passes away. For example, they give fiduciaries (like an estate executor, trustee, or an agent under a power of attorney) the right to manage a person’s digital assets if they already have the right to manage a person’s tangible assets. Such laws continue to evolve, and they can vary from state to state here in the U.S.
With that in mind, nothing offered in this article is legal advice, nor should it be construed as such. For legal advice, you can and should turn to your estate attorney for counsel on the best approach for you and the laws in your area. However, consider this article as a sort of checklist that can help you with your estate planning.
My hope is that this article will open your eyes to the digital value you have to pass along, both real and sentimental, and help you prepare your estate accordingly for the ones you care about.
The best answer you can get to this question will come from your legal counsel. However, for purposes of discussion, a digital asset is any text or media in digital form that has value and offers the bearer with the right to use it.
To frame it up in everyday terms, let’s look at some real-world examples of digital assets that quickly come to mind. They include but are not limited to:
However, digital assets can readily expand to further include:
And as far as your estate is concerned, you can also consider:
That’s quite the list, and it’s not entirely comprehensive, either.
The process of lining up your digital assets begins just like any other aspect of estate planning, by listing all the digital assets and accounts you own. From there, you can see what you have and what you’d like to distribute—and what you can distribute. In fact, when it comes to digital, there are some things you simply can’t pass along. Let’s take a closer look.
Generally speaking, digital assets that you own can be passed along. “Own” is the operative word here. Many digital things we have are in fact licensed to us, which are not transferrable. More on that next, yet examples of things you can likely transfer include:
Check with your legal counsel to ensure you’re following the letter of the law in your region, and also look into any licensing agreements you may have for items like internet domain names and airline miles that you may hold to determine if they are in fact transferrable.
This is an important topic. As mentioned above, some accounts you hold are simply licensed to you and you alone. Thus, they will not transfer. Two of the biggest examples are social media and email accounts. This can have serious repercussions if you do not leave specific instructions as to how those accounts should be handled after your passing.
For example, do you want your social media profiles to remain online as a memorial or do you want them simply to shut down? Note that different social media platforms have different policies for handling the accounts of users who have passed away. For example, Facebook allows for creating memorialized accounts that allow friends and families to continue sharing memories. Policies vary, so check with your social media platforms of choice for specifics.
Likewise, will your executor need access to your email account to handle affairs of the estate? And what about access to online accounts for paying bills and then ultimately closing those accounts? In all, these are points of discussion to have with an experienced estate attorney who knows the law in your region.
Other things to be aware of are that subscriptions to streaming accounts are likely non-transferrable as well. Often, eBooks and digital publications you own are only licensed to you as the sole owner and can’t be transferred. Again, check the agreements associated with items like these and have a talk with your attorney about them to determine what can and can’t be done with them.
Another aspect of your digital legacy is your voice. If you’re a blogger or a participant in an online community, you may wish for a fiduciary or family member to leave a farewell post. Additionally, in the case of a blog, you may want to set up some means for your work to stay online or get archived in some manner. Again, you can work with your attorney to leave specific instructions as to what should be said and then what should be done with the blog or site in question.
I have a real-life example of why this is so vital. A friend of mine lost the photos of her and her husband because they were kept in an online storage account to which she had no access. And sadly, the company would not grant her access after his passing. This is often the case with many online accounts and services. Legally speaking, while the deceased may have owned the storage account and the media kept within it, the cloud storage company owns the servers on which that media is stored. The potential difficulty here is that the online service provider may view giving your personal representatives access to your account as a breach of their privacy policy or user agreements.
One way you can avoid heartbreak like this is to discuss giving your executor access to your accounts. This can be provided through a list of accounts, usernames, and passwords that are kept in a sealed letter along with your will, along with instructions that outline your wishes. This is important: a will is public record after you pass away. You won’t want info like usernames and passwords getting out there. Again, you can discuss an option such as this with your attorney.
One thing you can do today that can protect your digital assets for the long haul is to use comprehensive security protection. Far more than just antivirus, comprehensive security can store precious and important files securely with encryption, arm all your online accounts with strong passwords, and protect your identity as well. Features like these will help you see to it that your digital legacy is secure.
When I’ve brought up the idea of a digital legacy with friends, a light goes on in their head. “Of course, that makes a lot of sense.” It’s easy to take our digital possessions somewhat for granted, perhaps in a way that we simply don’t with our physical possessions. Yet as you can see, there’s a good chance that you indeed have a digital legacy to pass along. By getting organized now, you can see to it that your wishes are followed, and I hope this checklist helps you get started.
The post Digital Estate Planning – What to Do With Your Digital Assets appeared first on McAfee Blog.
With on-premises infrastructure, securing server workloads and applications involves putting security controls between an organization’s network and the outside world. As organisations migrate workloads (“lift and shift”) to the cloud, the same approach was often used. On the contrary to lift and shift, many enterprise businesses had realized that in order to use the cloud efficiently they need to redesign their apps to become cloud-native. Cloud native is an approach to building and running applications that exploits the advantages of the cloud computing delivery model. Cloud native development incorporates the concepts of DevOps, continuous delivery, microservices, and containers.
”IDC predicts, by 2025, nearly two-thirds of enterprises will be prolific software producers with code deployed daily, over 90% of new apps cloud native, 80% of code externally sourced, and 1.6 times more developers”
Monolithic Apps vs Cloud Native Apps
Successful protection of cloud-native applications will require a combination of multiple security controls working together and managed from one security platform. First, the cloud infrastructure where is the cloud-native application is running (containers, serverless functions and virtual machines) should be assessed for security misconfigurations (security posture ), compliance and for known vulnerabilities. Second, securing the workloads needs a different security approach. Workloads are becoming more granular with shorter life spans as development organizations adopt DevOps-style development patterns. DevOps delivers faster software releases , in some cases, several times per day. The best way to secure these rapidly changing and short-lived cloud-native workloads is to start their protection proactively and build security into every part of the DevOps lifecycle.
Cloud Security Posture Management (CSPM):
The biggest cloud breaches are caused by customer misconfiguration, mismanagement, and mistakes. CSPM is a class of security tools to enable compliance monitoring, DevOps integration, incident response, risk assessment, and risk visualization. It is imperative for security and risk management leaders to enable cloud security posture management processes to proactively identify and address data risks.
Cloud Workload Protection Platforms (CWPP):
CWPP is an agent-based workload security protection technology. CWPP addresses unique requirements of server workload protection in modern hybrid data center architectures including on-premises, physical and virtual machines (VMs), and multiple public cloud infrastructure. This includes support for container-based application architectures.
MVISION CNAPP is the industry’s first platform to bring application and risk context to converge Cloud Security Posture Management (CSPM) for multi public cloud infrastructure, and Cloud Workload Protection (CWPP) to protect hybrid, multi cloud workloads including VMs, containers, and serverless functions. McAfee MVISION CNAPP extends MVISION Cloud’s data protection – both Data Loss Prevention and malware detection – threat prevention, governance and compliance to comprehensively address the needs of this new cloud-native application world thereby improving security capabilities and reducing the Total Cost of Ownership of cloud security.
1. Single Hybrid multi cloud security platform: McAfee MVISION Cloud simplify multi-cloud complexity by using a single, cloud-native enforcement point. It’s a comprehensive cloud security solution that protects and prevents enterprise and customer data, assets and applications from advanced security threats and cyberattacks across multiple cloud infrastructures and environments.
2. Cloud Security Posture Management: McAfee MVISION Cloud provide a continuous monitoring for multi cloud IaaS / PaaS environments to identify gaps between their stated security policy and the actual security posture. At the heart of CSPM is the detection of cloud misconfiguration vulnerabilities that can lead to compliance violations and data breaches.
3. Deep discovery and risk based application:You can’t protect what you can’t see. Discovering all cloud resources and prioritise them based on the risk. MVISION CNAPP uniquely provided deep discovery of all workloads, data, and infrastructure across endpoint, networks, and cloud. If you can quickly understand those risks relative to each other, you can quickly prioritize your remediation reducing overall riskMas quickly as possible.
4. Shift Left posture and vulnerability:By moving security into the CI/CD pipeline and make it easy for developers to incorporate into their normal application development processes and ensuring that applications are secure before they are ever published reduces the chance of introducing new vulnerabilities and minimizing threats to the organization.
5. Zero Trust policy control: McAfee’s CNAPP solution supported by CWPP focus on Zero Trust network and workload policies. This approach not only allows you to gain analytics about who is accessing your environment and how an important component of your SOC strategy but it also ensures that people and services have appropriate permissions to perform necessary tasks.
6. Unified Threat Protection:CWPP unifies threat protection across workloads in the cloud and on-premise. Including OS Hardening, Configuration and Vulnerability Management, Application Control/Allow-Listing and File Integrity control. It also synthesizes workload protections and account permissions into the same motion. Finally, by connecting cloud-native application protection to XDR, you are able to have full visibility, risk management, and remediation across your on-premise and cloud infrastructures.
7. Governance and Compliance:The ideal solution for protecting cloud-native applications includes the ability to manage privileged access and address threat protection for both workloads and sensitive data, regardless of where they reside
https://www.idc.com/research/viewtoc.jsp?containerId=US45599219
The post New Security Approach to Cloud-Native Applications appeared first on McAfee Blogs.
If you’re like me, you love a good heist film. Movies like The Italian Job, Inception, and Ocean’s 11 are riveting, but outside of cinema these types of heists don’t really happen anymore, right? Think again. In 2019, the Green Vault Museum in Dresden, Germany reported a jewel burglary worthy of its own film.
On November 25, 2019 at 4am, the Berlin Clan Network started a fire that destroyed the museum’s power box, disabling some of the alarm systems. The clan then cut through iron bars and broke into the vault. Security camera footage published online shows two suspects entering the room with flashlights, across a black-and-white-tiled floor. After grabbing 37 sets of stolen jewelry in a couple of minutes, the thieves exited through the same window, replacing the bars in order to delay detection. Then they fled in a car which was later found torched.[1]
Since then, there’s been numerous police raids and a couple of arrests, but an international manhunt is still underway and none of the stolen jewels have been recovered. What’s worse is that the museum didn’t insure the jewelry, resulting in a $1.2 billion-dollar loss. Again, this is a story ripe for Hollywood.
Although we may not read about jewelry heists like this one every day, we do see daily headlines about security breaches resulting in companies losing their own crown jewels – customer data. In fact, the concept of protecting crown jewels is so well known in the cybersecurity industry, that MITRE has created a process called Crown Jewels Analysis (CJA), which helps organizations identify the most important cyber assets and create mitigation processes for protecting those assets.[2] Today exposed sensitive data has become synonymous with cloud storage breaches and there is no shortage of victims.
To be fair all of these breaches have a common factor – the human element in charge of managing cloud storage misconfigured or didn’t enable the correct settings. However, at the same time we can’t always blame people when security fails. If robbers can so easily access multiple crown jewels again and again, you can’t keep blaming the security guards. Something is wrong with the system.
Some of the most well-versed cloud native companies like Netflix, Twilio, and Uber have suffered security breaches with sensitive data stored in cloud storage.[3] This has gotten to the point that in 2020, the Verizon Data Breach Report listed Errors as the second highest cause for data breaches due “in large part, associated with internet-exposed storage.”[4]
So why is securing cloud storage services so hard? Why do so many different companies struggle with this concept? As we’ve talked to our customers and asked what makes protecting sensitive data in the cloud so challenging, many simply don’t know if they had sensitive data in the cloud or struggle with handling the countless permissions and available overrides for each service.[5] Most of them have taken the approach that someone – whether that be an internal employee, a third-party contractor, or a technology partner – will eventually fail in setting the right permissions for their data, and they need a solution that will continuously check for sensitive data and prevent it from being accessed regardless of the location or service-level permissions.
Enter in Cloud Native Application Protection Platform (CNAPP). Last month our new CNAPP service dedicated to securing hybrid cloud infrastructure and cloud native applications became generally available. One of the core pillars behind CNAPP is Apps & Data – meaning that along with Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP), CNAPP provides a cohesive Data Loss Prevention (DLP) service.
Figure 1: CNAPP Pillars
Typically, the way security vendors perform DLP scans for cloud storage is by copying down customer data to their platform. They do this because in order to scan for sensitive data, the vendor needs access to your data from a platform that can run their DLP engine. However, this solution presents some challenges:
This is where we came up with the concept of in-tenant DLP scanning. In-tenant DLP scanning works by launching a small software stack inside the customers’ AWS, Azure, or GCP account. The stack is a headless, microservice (called a Micro Point of Presence or Micro PoP) that pushes out workload protection policies to compute and storage services. The Micro PoP connects to the CNAPP console for management purposes but allows customers to perform local DLP scans within each virtual network segment using direct access. No customer data ever leaves the customers’ tenant.
Figure 2: In-tenant DLP Scanning
Customers can also choose to connect multiple virtual network segments to a single Micro PoP using services like AWS PrivateLink if they want to consolidate DLP scans for multiple S3 buckets. There’s no capacity limit or license limitation to how many Micro PoPs customers can deploy. CNAPP supports in-tenant DLP scanning for Amazon S3, Azure Blob, and GCP storage today with on-prem storage coming soon. Lastly, customers don’t have to pick and choose only one deployment model – they can use our traditional DLP scans (called API scans) over network connections or select our in-tenant DLP scans for more sensitive workloads.
In-tenant DLP scanning is just one of the many innovate features we’ve launched with CNAPP. I invite you to check out the solution for yourself. Visit https://mcafee.com/CNAPP for more information or request a demo at https://mcafee.com/demo. We’d love to get your feedback and see how MVISION CNAPP can help your company stay out of the headlines and make sure your crown jewels are right where they should be.
Disclaimer: this blog post contains information on products, services and/or processes in development. All information provided here is subject to change without notice at McAfee’s sole discretion. Contact your McAfee representative to obtain the latest forecast, schedule, specifications, and roadmaps.
[1] https://www.dw.com/en/germanys-heist-that-shocked-the-museum-world-the-green-vault-theft/a-55702898
[2] https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/crown-jewels-analysis
[3] https://www.darkreading.com/cloud/twilio-security-incident-shows-danger-of-misconfigured-s3-buckets/d/d-id/1338447
[4] https://enterprise.verizon.com/resources/reports/dbir/
[5] https://www.upguard.com/blog/s3-security-is-flawed-by-design
The post You Don’t Have to Give Up Your Crown Jewels in Hopes of Better Cloud Security appeared first on McAfee Blogs.
In the working world, there’s a chance you’ve come across your fair share of team-building exercises and workshops. There’s one exercise that comes to mind that often results in worried, and uneasy faces during these seminars: The Trust Fall. This is where you fall backward with the expectation that your colleague will catch you before you hit the ground.
Whether you have been with an organization for many years or just started, the same “pit in stomach” feeling reverberates across bellies as people exchange nervous glances and weigh their odds against whomever they may be paired up with when The Trust Fall is announced. That feeling is doubt, and it isn’t fun. And the problem is, once doubt is introduced, it tends to stealthily expand in its always-on, silent, and transparent ways, either serving as an incessant top-of-mind presence or staying at bay only to rear its troubling head at an unexpected moment until it is addressed.
“I saw Chris drop his stapler once, will he drop me?” “I know Betsy is the Godmother to my children, but what if she sneezes as I’m falling?” “I just started at this company yesterday, I don’t trust anybody I don’t know!”
If you’re wondering what Trust Falls have to do with cybersecurity, we just need to take a deeper look at the concept of trust in its simplest definition. Trust is a concrete concept: it is either there or it is not. Trusting your colleagues is based on multiple parameters; will they be strong enough to catch me, do they look mature enough to take this seriously, how did they behave when the game was announced – trust is not easily won and can also be quickly lost.
This is a necessity in today’s enterprises as computing has moved from private data centers to most everything consumed as a service. There are endless choices to compare, contrast, and comprise a technology stack, but when organizations start leveraging outside infrastructure, tools, and solutions – the sense of trust in these solutions weakens, since integrity can be promised, but should never be assumed.
Examples of this are abundant. As we see organizations explore the concept of trust more and attempt to align practices with the reality of today’s security circumstances, we are seeing an increasing number of trust models being exploited via poor management. Intent and implementation are not enough against today’s threats.
So, my question to security operation center (SOC) staff, IT leaders, and the c-suite is: Do you have complete trust in your current security infrastructure?
In all honesty, can you with no doubt in your mind, say your organization’s data and computing are secure? Is there any area you are unsure about?
If you hesitated when responding, even if for just a moment, keep reading.
Putting guards up, constantly looking over your shoulder, always expecting the worst or for the other shoe to drop – these are not desirable feelings. As a security professional, these are the feelings that cause them to stock up on antacids, with them knowing they are the front-line defense keeping an organization secure and in turn, revenue flowing. For the CIO and CISO, the onus is daunting as they face the challenge to piece together fragmented and disparate infrastructure from a strategic standpoint to best serve the business in an efficient, transparent manner all while simultaneously maintaining compliance and data integrity.
While we want to believe that trust is an intrinsic trait – that we’re born bright-eyed and bushy-tailed ready to spout only the truth – we also unfortunately know the reality is not everybody has good intentions. We constantly see this unfold across the security industry where a company is breached, recognizing the flaw(s) that allowed the breach to occur, to then implement a solution to fix the issue. This break-fix cycle can result in always looking backwards and rushing around to fix yesterday’s problem to quickly get business functions up and running without looking at underlying problems or issues.
And no industry is immune. Hackers are coming after everything from Happy Hours and breakfast routines to our more personal and high-stakes data across the financial services and healthcare industries. They’re more strategic too, and we can only expect them to continue to evolve. Adversaries today are looking for “low-hanging fruit” targets to take advantage of trust models and move laterally within an organization – first finding an avenue to exploit and enter to later gain access to higher-value targets, data, and assets.
The rush to get business–as–usual back on track is made doubly difficult as business momentum doesn’t stop. Organizations are introducing new SaaS services, development teams are writing new code, and even software that you have already reviewed has new features rolled out. The wealth of personal and corporate cloud apps can lead to hasty decisions; increased sprawl of an organization’s tech stack as new tools and solutions are introduced; as well as new policies, updates, and procedures for staff to learn and execute. This can all compound into more time spent addressing and fixing the past with blinders on to the future and other vulnerabilities that may exist.
If this past pandemic-filled year has taught us anything, it is that plans do not always go according to plan.
Organizations that have traditionally leveraged a more piecemeal and solutions-based approach to security were blindsided as the work from home era was thrust upon them. From companies updating or adopting collaboration tools, sharing more data digitally, and opening access to external users to create greater efficiencies – the rule book was thrown out the window and malicious actors started looking at all the data being produced and shared like kids in a candy store.
The impact of these plans gone awry isn’t pretty and perhaps risk could have been mitigated by using a least or earned trust model as a strategic framework to ensure sound security posture. The ‘Zero Trust’ concept coined more than a decade ago outlining a model of restricting access and control across an organization’s infrastructure is only now getting increased attention.
The harsh reality is, cybercrime is up 300% since the pandemic began, according to the FBI’s Internet Crime Complaint Center (IC3). At a time when bottom lines are more important than ever as businesses bounce back, our Hidden Cost of Cybercrime report adds that 35% of those surveyed said security incidents resulting in system downtime cost them between $100,000 and $500,000.
The correlation of a pandemic occurring and malicious actors taking advantage of weaknesses caused by it is crystal clear, leading to increased awareness. In its Responding to COVID-19: What We are Hearing From Legal and Compliance Leaders report, Gartner states that 52% of legal and compliance leaders are concerned about third-party cybersecurity risks since COVID-191. Knowing that the increased number of remote workers and their mobile (and potentially unmanaged) endpoints are leading to more breaches and that these breaches are increasingly costly, organizations need to get a handle on their existing architecture and shift from awareness to action, eliminating assumptions of who is safe or allowed access.
A Zero Trust mentality allows organizations to restrict and compartmentalize access and data manipulation while still maintaining optimal user experience and productivity levels. Guidelines such as those from the National Institute of Standards & Technology (NIST) can provide a practical framework to explore and implement Zero Trust.
With hackers getting more sophisticated to impersonate and infiltrate networks via verified users, it is time to go back to the drawing board – starting at zero and assuming everything is a threat until proven otherwise. This is a mindset shift and strategy, not another tool or solution to plug in. It involves a recognition of the importance of context and control over security posture, which can only be attained with continuous assessment. It is also about acknowledging trust is about risk – and that while risk is sometimes necessary for growth, it cannot outweigh the reward, so must be strategically managed. This line of thinking must be carefully navigated as more and more enterprises seek to define and assign accountability and responsibility across infrastructure.
While the journey to Zero Trust isn’t the same for every organization, the imperative to adopt Zero Trust is, given our collective experiences throughout the last year and cybercrime poised to keep increasing. It is time to stop looking over shoulders and anticipating the worst, acting only in a reactive manner, and instead feel empowered to erase doubt when maintaining security and compliance across an organization.
To learn more and start the journey toward implementing a Zero Trust strategy, I encourage you explore McAfee’ Zero Trust Security hub.
Source: 1 Gartner Press Release, Gartner Says 52% of Legal & Compliance Leaders Are Concerned About Third-Party Cybersecurity Risk Since COVID-19, April 24, 2020. https://www.gartner.com/en/newsroom/press-releases/2020-04-24-gartner-says-52-percent-of-legal-and-compliance-leaders-are-concerned-about-third-party-cybersecurity-risk-rince-covid-19 (URL can be added as a hyperlink in source title)
The post Trust Nobody, Not Even Yourself: Time to Take Zero Trust Seriously appeared first on McAfee Blogs.
Most of us don’t have responsibility for airports, but thinking about airport security can teach us lessons about how we consider, design and execute IT security in our enterprise. Airports have to be constantly vigilant from a multitude of threats; terrorists, criminals, rogue employees and their security defenses need to combat major attacks, individual threats, stowaways, smuggling as well as considering the safety of passengers and none of this can stop the smooth flow of travelers as every delay has business knock on effects. Whew! And this is just the start.
The airport operators are a lesson in supply-chain and 3rd party communications. They cooperate with airlines, retailers and government agencies, and their threats can be catastrophic. They also need to consider mundane problems like how do you move a large number of people around quickly, what to do when someone leaves a bag to go shopping and how to balance risk reduction with traveler comfort – many needs to be considered, planned for and the execution when a risk is identified needs to be immediate. All this before thinking about IT-related issues, thefts from retailers, employee assessments and training, building safety, people tracking and … the list seems almost endless.
Our business IT security needs might not seem so complex; however every enterprise has its external and internal attackers; hackers, ransomware, DDoS attacks to take down your systems and rogue employees or inadvertent actions by good employees who don’t realize what link they are clicking on or data they are over-sharing. At the same time, the business needs to be able to enable the newest and most effective apps and systems and employees hate anything that appears to get in their way.
So, let’s see what airports can teach us about thinking about possible threats and appropriate safeguards to deploy a layered approach that protects your data, users and infrastructure.
If you take just one threat; terrorism as – this image shows that US airports have more than 20 layers of security – a mixture of human and technological measures.
There’s no silver bullet, there’s not one piece of security awareness or technology that will solve all problems – but if integrated, they can all build together to draw a picture of the possible threat. Our defenses shouldn’t rely on just one technology either, but when we have multiple capabilities working together, we can evaluate, identify and address our security needs.
Here’s my table of some of the needs of an airport and equivalent areas in general IT security. Just as in an airport, individual pieces are of limited benefit unless they are brought together. Even though each item improves overall security, a single management console that can correlate all these pieces of knowledge and suggest or make policy decisions is crucial to ensure you get maximum benefit.
| Airport | Enterprise IT |
| Check ticket against passport | Global SSO and multi-factor authentication for every app (including cloud) |
| X-ray baggage | Scan attachments for malware |
| Security gates and handbaggage check | DLP for confidential data loss control |
| Facial recognition comparing security gate and plane gate with ticket | Zero trust – keep checking at all times |
| Baggage weight check | Review email attachments – treat previously unseen executables as suspect |
| CCTV as passengers move around airport | User behavior analytics for risky behavior |
| Database of travellers, prior travel, destination information | Logging / analytics |
| Temperature tests for COVID | Block surfing to high risk web sites |
| Visa requirements | Access control to sensitive areas or sensitive data |
| Check expiry date on passport | Reconfirm credentials after a period |
| History of prior travel | User behavior analytics to understand “normal traffic” for each individual user and alert on unusual patterns. |
| Open Skies Initative – sharing data with destination – allowing arrest on landing | Insights to check and implement defences before attacks based on other organization’s threats |
| Landing card (where staying, reason etc.) | Employee justification for actions – feedback loops when challenged |
| Finger prints on landing – check against previous travel history | Insights |
| Security guards, customs agents, check in staff, people monitoring CCTV | The personal touch – the SOC team investigating threats and defining and implementing policies |
| Different security lines for additional checks | Remote Browser Isolation |
| Overall SOC center to correlate all inputs | Global management |
What have we learned?
Firstly, the job of securing an airport is complex and involves a lot of planning, cooperation with 3rd parties and a vast mixture of people and technology-based security.
Secondly, we cannot rely on one defense, just like airports.
Thirdly, concepts like zero trust, MITRE ATT&CK framework, Cyber Kill Chain are all aiming to look at threats in the round – we need look at threats from every angle we can and implement the best technology we can.
The best solutions will be integrated, you need to be able to collate activity patterns to evaluate risks and define defenses. McAfee’s Device to Cloud Suites are designed to bring together multiple systems all under one umbrella and let you accelerate cloud adoption, improve productivity and bring together more than ten different security technologies all managed by McAfee ePO.
Easy, comprehensive protection that spans endpoints, web, and cloud
The post Lessons We Can Learn From Airport Security appeared first on McAfee Blogs.
Cybercriminals go to great lengths to hack personal devices to gather sensitive information about online users. To be more effective, they make significant investments in their technology. Also, cybercriminals are relying on a tactic called social engineering, where they capitalize upon fear and urgency to manipulate unsuspecting device users to hand over their passwords, banking information, or other critical credentials.
One evolving mobile device threat that combines malware and social engineering tactics is called BRATA. BRATA has been recently upgraded by its malicious creators and several strains have already been downloaded thousands of times, according to a McAfee Mobile Research Team report.
Here’s how you can outsmart social engineering mind games and protect your devices and personal information from BRATA and other phishing and malware attacks.
BRATA stands for Brazilian Remote Access Tool Android and is a member of an Android malware family. The malware initially targeted users in Brazil via Google Play and is now making its way through Spain and the United States. BRATA masquerades as an app security scanner that urges users to install fake critical updates to other apps. The apps BRATA prompts the user to update depends on the device’s configured language: Chrome for English speakers, WhatsApp for Spanish speakers, and a non-existent PDF reader for Portuguese speakers.
Once BRATA infects a mobile device, it combines full device control capabilities with the ability to capture screen lock credentials (PIN, password, or pattern), capture keystrokes (keylogger functionality), and record the screen of the compromised device to monitor a user’s actions without their consent.
BRATA can take over certain controls on mobile phones, such as:
BRATA is like a nosy eavesdropper that steals keystrokes and an invisible hand that presses buttons at will on affected devices.
BRATA’s latest update added new phishing and banking Trojan capabilities that make the malware even more dangerous. Once the malware is installed on a mobile device, it displays phishing URLs from financial institutions that trick users into divulging their sensitive financial information. What makes BRATA’s banking impersonations especially effective is that the phishing URLs do not open into a web browser, which makes it difficult for a mobile user to pinpoint it as fraudulent. The phishing URLs instead redirect to fake banking log-in pages that look legitimate.
The choice to impersonate banks is a strategic one. Phishers often impersonate authoritative institutions, such as banks and credit card companies, because they instill fear and urgency.
Social engineering methods work because they capitalize on the fact that people want to trust others. In successful phishing attacks, people hand cybercriminals the keys instead of the cybercriminal having to steal the keys themselves.
Awareness is the best defense against social engineering hacks. When you’re on alert and know what to look for, you will be able to identify and avoid most attempts, and antivirus tools can catch the lures that fall through the cracks.
Here are three tell-tale signs of a social engineering attack and what you should do to avoid it.
Just because an app appears on Google Play or the App Store does not mean it is legitimate. Before downloading any app, check out the number of reviews it has and the quality of the reviews. If it only has a few reviews with vague comments, it could either be because the app is new or it is fake. Also, search the app’s developer and make sure they have a clean history.
Never click on links if you are not sure where they redirect or who sent it. Be especially wary if the message surrounding the link is riddled with typos and grammar mistakes. Phishing attempts often convey urgency and use fear to pressure recipients to panic and respond too quickly to properly inspect the sender’s address or request. If you receive an urgent email or text request concerning your financial or personal information, take a deep breath and investigate if the claim is legitimate. This may require calling the customer service phone number of the institution.
Just like computers, mobile devices can be infected with viruses and malware. Protect your mobile device by subscribing to a mobile antivirus product, such as McAfee Mobile Security. McAfee Mobile Security is an app that is compatible with Android devices and iPhones, and it protects you in various ways, including safe surfing, scanning for malicious apps, and locating your device if it is lost or stolen.
The post Beware of BRATA: How to Avoid Android Malware Attack appeared first on McAfee Blogs.
Each year, MITRE Engenuity conducts independent evaluations of cybersecurity products to help government and industry make better decisions to combat security threats and improve industry’s threat detection capabilities. These evaluations are based on MITRE ATT&CK®, which is widely recognized as the de facto framework for tracking adversarial tactics and techniques. At McAfee we know that cybercriminals are always evolving their tradecraft, and we are committed to providing blue teams (cyber defenders) the capabilities needed to win the game. To do so, we believe in the importance of putting our security solutions through rigorous testing. To demonstrate our commitment, McAfee has participated in all MITRE Engenuity Enterprise Evaluations to date, including the previous round 1 (APT3 emulation) and round 2 (APT29 emulation).
Today, MITRE Engenuity released the results of the Carbanak and FIN7 evaluations (round 3) that were conducted over the last few months. McAfee participated in this evaluation, along with 28 other vendors, which tested the capabilities of their cybersecurity solutions, in what has been the most comprehensive ATT&CK Evaluation to date, covering 20 major steps and 174 sub-steps.
For the first time ever, MITRE Engenuity offered an optional extension to the detection evaluations to examine a vendor’s ability to protect against specific adversary techniques utilized by these groups. This was also the first time that the evaluations went beyond Windows systems and addressed techniques aimed at the Linux devices that are often used on networks as file servers or domain controllers.
While it’s important to note that the goal of these ATT&CK Evaluations is not to rank or score products, our analysis of the results found that McAfee’s blue team was able to use MVISION EDR, complemented by McAfee’s portfolio, to obtain a significant advantage over the adversary, achieving:
While prior emulated groups were more focused on espionage, the ATT&CK Evaluations team chose to emulate Carbanak and FIN7 due to the wide range of industries these groups target for financial gain. Both groups carry a firm reputation of using innovative tradecraft. Efficient espionage and stealth are at the forefront of their strategy, as they often rely heavily on scripting, obfuscation, “hiding in plain sight,” and fully exploiting the users behind the machine while pillaging an environment. They also leverage a unique spectrum of operational utilities, spanning both sophisticated malware as well as legitimate administration tools capable of interacting with various platforms.
The ATT&CK Evaluation was conducted over a total of 4 days, including the protection testing. On each day a different version of the attack comprised of 10 steps was executed. On Day 1, MITRE Engenuity emulated an attack carried out by the Carbanak group to a financial institution that starts with the breach of the HR Manager’s workstation, and includes elevation of privileges, credential theft, lateral movement to the CFO’s system, collection of sensitive data on both Windows and Linux systems, and the spoofing of money transfers. On Day 2, MITRE Engenuity emulated an attack carried out by the FIN7 group against a hotel, involving the breach of the hotel manager’s system, persistence, credential theft, discovery, lateral movement to an accounting system and the skim of customer payment data.
The McAfee blue team successfully defended against these two advanced adversaries, demonstrating the power of the McAfee portfolio, including MVISION EDR, complemented by MVISION Endpoint Security (ENS), Advanced Threat Detection (ATD), Network Security Platform (NSP), Data Loss Prevention (DLP), and Enterprise Security Manager (ESM). These products were configured following MITRE Engenuity’s standards:
During these 4 days of extensive purple teaming, McAfee demonstrated that its portfolio provides solid cyber defense across the top 5 capabilities that matter the most to any security operations team: time-based security, alert actionability, detection in depth, protection, and visibility.
Time-Based Security (TBS) is one of the most relevant, effective, and simple security models a defender can apply. It provides a mechanism to determine if a blue teamer would have the necessary, timely, and actionable information to effectively defend against adversarial attacks.
Using the results of the ATT&CK Evaluation, we modeled the data following an attack timeline, grouping the techniques executed by the ATT&CK red team for Days 1 (Carbanak) and 2 (FIN7) into each of the steps (attack milestones) they employed. To represent the data for each evaluation day, we list the detection categories used by MITRE Engenuity. As Figures 1 and 2 show, during the evaluation, McAfee provided the maximum level of visibility, detection and context for every major step in the attack. An analyst that used McAfee’s products would have received a correlated and enriched threat alert for each of the steps of these advanced attacks, including references to MITRE Engenuity’s ATT&CK framework and pivoting points to enriched telemetry, enabling faster detection, investigation and reaction, and therefore resulting in reduced exposure.
Figure 1. Time Based Security for Carbanak (Day 1)
Figure 2. Time Based Security for FIN7 (Day 2)
To be successful as a defender, it is essential to react in the fastest possible way, raising an alarm as early as possible on the attack chain, while correlating, aggregating and summarizing all subsequent activity to preserve actionability. McAfee’s MVISION EDR preserved actionability and reduced alert fatigue during the evaluation providing context and enrichment, resulting in a ratio of 62%1 analytic detections (non-telemetry detections) out of the 274-total count of detections. This was possible due to McAfee’s strong correlation and having all telemetry tagged and labeled as close to the source as possible.
Effective attack technique detection requires certain vantage points. Additional perspective improves context, correlation, and subsequently fidelity. Having diverse data sources for every technique enables coverage quantity and quality.
McAfee demonstrated coverage across a dozen of different data sources during the evaluation with 72% of detections utilizing two or more data sources.
Figure 3. McAfee data source diversity across 274 detections
For the first time in an ATT&CK Evaluation, MITRE Engenuity exercised 10 protection scenarios; a subset of the attack sequences used during the detection assessment. McAfee demonstrated its superior protection efficacy by successfully disrupting all 10 attacks, early in the chain, before any impact occurred. Before the disruption, high context detections and telemetry was produced to alert the analyst.
Figure 4. 100% blocking at every protection test
Many organizations live in an alert driven world where there is not enough data to support key security operations activities, including investigations or threat hunting. During the Carbanak+FIN7 evaluation, McAfee provided visibility across all major steps of the attack, and 87% visibility of the total count of sub-steps across both days. It is worth noting that the remaining 13% does not necessarily represent blind spots, but rather that the minimum criteria selected by MITRE Engenuity was not met, according to the evaluation rules. For example, more visibility was obtained through the automated detonation of samples in our ATD sandbox, which provides additional data context to security analysts during a real attack.
At McAfee, we know how security operations work, and that’s why we designed our detection and response platform with ‘Human Machine Teaming’ in mind. For this latest round of the MITRE Engenuity ATT&CK Evaluation, our Threat Detection Engineering and Applied Countermeasures (AC3) team have delivered 85% more visibility and over 22% more analytic detections than in the previous APT29 evaluation.
During this evaluation, we demonstrated that McAfee delivers best-balanced defense across the top 5 capabilities that matter the most to any security operations team: time-based security, alert actionability, detection in depth, protection, and visibility. Our McAfee detection and response platform offered enhanced meaningful context across the entire attack chain, allowing cyber defenders to disrupt attacks early, before damage occurs.
Stay tuned for upcoming details on how each of these security capabilities played a key role in the Carbanak+FIN7 evaluation as part of our ATT&CK Evaluation blog series.
MITRE ATT&CK and ATT&CK are registered trademarks of the MITRE Corporation.
The post McAfee Provides Max Cyber Defense Capabilities in MITRE’s Carbanak+FIN7 ATT&CK® Evaluation appeared first on McAfee Blogs.
Something you’ll want to know about all those movies, mp3s, eBooks, air miles, and hotel points you’ve accrued over the years: they’re digital assets that can factor into a divorce settlement.
Understandably, several factors determine the distribution of assets in a divorce. However, when it comes to dividing digital assets, divorce settlements and proceedings are charting new territory. The rate of digital innovation and adoption in recent years has filled our phones, tablets, and computers with all manner of digital assets. What’s more, there are also the funds sitting in our payment apps or possibly further monies kept in the form of cryptocurrencies like bitcoin. Put plainly, the law is catching up with regards to the distribution of these and other digital assets like them.
Yet one thing that the law recognizes is that digital assets can have value and thus can be considered property subject to distribution in a divorce.
In light of this, the following is a checklist of considerations that can help prepare you or someone you know for the distribution of digital assets in a fair and just way.
Nothing offered in this article is legal advice, nor should it be construed as such. For legal advice, you can and should turn to your legal professional for counsel on the best approach for you and the laws in your area.
For starters, let’s get an understanding as to what actually constitutes a digital asset.
Because laws regarding digital assets vary (and continue to evolve), the best answer you can get to this question will come from your legal counsel. However, for purposes of discussion, a digital asset is any text or media in digital form that has value and offers the bearer the right to use it.
To put that in practical terms, let’s look at some real-world examples of what could constitute a digital asset. That list includes, but is not limited to:
However, digital assets can readily expand to further include:
And like any other asset in the case of a divorce, a value will be ascribed to each digital asset and then distributed per the conditions or orders of the settlement.
Arriving at the value of specific digital assets begins with an inventory—listing all the digital assets and accounts you own, just as you would with any other monetary or physical assets like bank accounts, properties, and cars. When you go through this process, chances are you’ll quickly find that you have hundreds if not thousands of dollars of digital assets.
For example, we can look at the research we conducted in 2011 which found that people placed an average value of $37,438 on the digital assets they owned at the time. Now, with the growth of streaming services, digital currency, cloud storage, and more in the past ten years, that figure feels conservative.
Above and beyond preparing for a divorce settlement, taking such an inventory of your digital assets is a wise move. One, it provides you with a clearer vision of the things you own and their worth; two, maintaining such a list gives you a basis for estate planning and determining who you would like to see receive those assets. Likewise, maintain that list on a regular basis and keep it safe. It’s good digital hygiene to do so.
With this inventory, each asset can then have an assessed value ascribed to it. In some instances, a value will easily present itself, such as the cost of a subscription or how much money is sitting in a PayPal account. In other cases, the value will be sentimental, such as the case is with digital photos and videos. Ideally, you and your spouse will simply be able to duplicate and share those photos and videos amicably, yet it is important that you articulate any such agreement to do so. This way, a settlement can call out what is to be shared, how it will be shared, and when.
Not all digital assets are transferrable. Certain digital assets are owned solely in your name. In other words, you may have access to certain digital assets that cannot transfer to someone else because you do not have the rights to do so per your user agreement. This can be the case with things such as digital books, digital music, and digital shows and movies.
In such circumstances, there may be grounds for negotiation and a “limited transfer” in the settlement, where one party exchanges one asset for another rather than splitting it equally. A case in point might be a sizeable eBook library on a device that’s in the name of one spouse. While that library can’t be split or transferred, one spouse may keep the eBook library while another spouse keeps a similarly valued asset or group of assets in return—like say a collection of physical books.
Streaming services will need to be addressed too. Be prepared to either terminate your accounts or simply have them assigned to the person in whose name they are kept. In the case of family accounts, the settlement should determine how that is handled, whether it gets terminated or similarly turned over to one spouse or the other. In all, your settlement will want to specify who takes over what streaming service and when that must occur.
Like dividing up investment accounts where the value of the account can vary daily, digital currencies can present challenges when spouses look to divide the holdings. Cryptocurrency valuation can be quite volatile, thus it can be a challenging asset to settle from a strict dollar standpoint.
What’s more, given the nature of digital currencies, there are instances where an unscrupulous spouse may seek to hide worth in such currency—which is an evolving issue in of itself. This recent article, “Cryptocurrency: What to Know Before and During Divorce,” covers the additional challenges of cryptocurrency in detail, along with an excellent primer on what cryptocurrency is and how it works.
Ultimately, cryptocurrency is indeed an asset, one that your attorney and settlement process will need to address, specifically so that there are no complications later with the transfer or valuation of the awarded currency.
With accounts changing hands, now’s the time to start fresh with a new set of passwords. What’s more, we have a tendency to reuse the same passwords over and over again, which may be known to an ex-spouse and is an inherent security risk in of itself. Change them. Even better, take this opportunity to use a password manager. A password manager can create and securely store strong, unique passwords for you, thus saving you the headache of maintaining dozens of them yourself—not to mention making you far more secure than before.
Again, keep in mind that nothing here is legal advice. Yet, do keep these things in mind when consulting with an attorney. The reality is that we likely have thousands of dollars of what could be considered digital assets. Inventorying them and ascribing a fair market value to them along with your legal professional is the first step in a fair and just settlement.
The post Digital Divorce: Who Gets the Airline Miles and Music Files? appeared first on McAfee Blogs.
Many malware attacks designed to inflict damage on a network are armed with lateral movement capabilities. Post initial infection, such malware would usually need to perform a higher privileged task or execute a privileged command on the compromised system to be able to further enumerate the infection targets and compromise more systems on the network. Consequently, at some point during its lateral movement activities, it would need to escalate its privileges using one or the other privilege escalation techniques. Once malware or an attacker successfully escalates its privileges on the compromised system, it will acquire the ability to perform stealthier lateral movement, usually executing its tasks under the context of a privileged user, as well as bypassing mitigations like User Account Control.
Process access token manipulation is one such privilege escalation technique which is widely adopted by malware authors. These set of techniques include process access token theft and impersonation, which eventually allows malware to advance its lateral movement activities across the network in the context of another logged in user or higher privileged user.
When a user authenticates to Windows via console (interactive logon), a logon session is created, and an access token is granted to the user. Windows manages the identity, security, or access rights of the user on the system with this access token, essentially determining what system resources they can access and what tasks can be performed. An access token for a user is primarily a kernel object and an identification of that user in the system, which also contains many other details like groups, access rights, integrity level of the process, privileges, etc. Fundamentally, a user’s logon session has an access token which also references their credentials to be used for Windows single sign on (SSO) authentication to access the local or remote network resources.
Once the attacker gains an initial foothold on the target by compromising the initial system, they would want to move around the network laterally to access more resource or critical assets. One of the ways for an attacker to achieve this is to use the identity or credentials of already logged-on users on the compromised machine to pivot to other systems or escalate their privileges and perform the lateral movement in the context of another logged on higher privileged user. Process access token manipulation helps the attackers to precisely accomplish this goal.
For our YARA rule, MITRE ATT&CK techniques and to learn more about the technical details of token manipulation attacks and how malware executes these attacks successfully at the code level, read our complete technical analysis here.
McAfee On-Access-Scan has a generic detection for this nature of malware as shown in the below screenshot:
Additionally, the YARA rule mentioned at the end of the technical analysis document can also be used to detect the token manipulation attacks by importing the rule in the Threat detection solutions like McAfee Advance Threat Defence, this behaviour can be detected.
Several types of malware and advanced persistent threats abuse process tokens to gain elevated privileges on the system. Malware can take multiple routes to achieve this goal. However, in all these routes, it would abuse the Windows APIs to execute the token stealing or token impersonation to gain elevated privileges and advance its lateral movement activities.
Access Token Theft and Manipulation Attacks – A Door to Local Privilege Escalation.
The post Access Token Theft and Manipulation Attacks – A Door to Local Privilege Escalation appeared first on McAfee Blogs.
In a recent episode of McAfee’s SOCwise Series, guest security expert Chris Crowley revealed findings of his recent survey of security efforts within SOCs. His questions were designed to gain insight into all things SOC, including how SOCs can accomplish their full potential and how they assess their ability to keep up with security technology.
Hosts Ismael Valenzuela and Michael Leland tapped into Chris’ security operations expertise as he told “A Tale of Two SOCs.”
“Chris has a tremendous experience in security operations,” Ismael said. “I always like people who have experience both in the offensive side and the defensive side. Think red, act blue, right? . . . but I think that’s very important for SOCs. Where does ‘A Tale of Two SOCs’ come from?”
In reference to the Charles Dickens’ classic, Chris explained how survey responses fell into two categories: SOCs that had management support or those that did not.
“It’s not just this idea of does management support us. It’s are we effectively aligned with the organization?” Chris said. “And I think that is manifest in the perception of management support of not management support, right? So, I think when people working in a SOC have the sense that they’re doing good things for the organization, their perceptions is that the management is supporting them.”
In this case, Chris explains “A Tale of Two SOCs” also relates to the compliance SOC versus the real security SOC.
“A lot of it has to do with what are the goals when management set up to fund the SOC, right? Maybe the compliance SOC versus the SOC that’s focused on the security outcomes on defending, right? There are some organizations that are funding for basic compliance,” Chris said. [If the] law says we have to do this, we’re doing that. We’re not really going to invest in your training and your understanding and your comprehension. We’re not going to hire really great analysts. We’re just going to buy the tools that we need to buy. We’re going to buy some people to look at monitors and that’s kind of the end of it.”
One of the easiest and telling methods of assessing where an SOC sees itself in this tale is having conversations with staff. Chris recommends asking staff if they feel aligned with management and do they feel empowered?
“If you feel like you’re being turned into a robot and you pick stuff from here and drop it over there, you’re probably in a place where management doesn’t really support you. Because they’re not using the human being’s capability of synthesis of information and that notion of driving consensus and making things work,” Chris said. “They’re looking more for people who are replaceable to put the bits in the bucket and move through.”
Chris shared other survey takeaways including how SOCs gauge their value, metrics and tools.
The survey included hypotheses designed to measure how organizations classify the value of a SOC:
“This showed that as SOC teams met the challenge of skilled staffing, they moved on to their next order of task: Let’s make the computers compute well,” Chris said.
Ismael asked about the tendency for some SOC management not to report any metrics, and those that simply reported number of incidents not reporting the right metrics. Chris reported that most people said they do provide metrics, but a still–surprising number of people said that they don’t provide metrics at all.
Here’s the breakdown of how respondents answered, “Do you provide metrics to your management?”
That roughly a third of respondents either do not report metrics or don’t know if they report metrics was telling to the survey’s author.
“In which case [metrics] obviously don’t have a central place of importance for your SOC,” Chris said.
Regarding the most frequently used metric – number of incidents – Chris speculated that several SOCs he surveyed are attempting to meet a metric goal of zero incidents, even if it means they’re likely not getting a true reading of their cyber security effectiveness.
“You’re allowed to have zero incidents in the environment. And if you consistently meet that then you’re consistently doing a great job,” Chris said. “Which is insane to me, right? Because we want to have the right number of incidents. If you actually have a cyber security problem … you should want to know about it, okay?
Among the group of respondents who said their most common metric is informational, the desired information from their “zero incidents” metrics doesn’t actually have much bearing on the performance or the value of what the SOC is doing.
“The metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org,” Chris said. “And at that point you have something you can show to get more funding and more support right over time.”
Chris suggests better use of metrics can truly depict the value that the SOC is providing the organization and justify the desired support it seeks.
“One which I like, which is not an easy metric to develop is actually loss prevention. If I can actually depict quantitatively, which it will not be precise, there will be some speculation in that,” Chris said. “But if I can depict quantitatively what the SOC did this month, or quarter where our efforts actually prevented or intervened in things which were going wrong and we stopped damage that’s loss prevention, right? That’s what the SOC is there for, right? If I just report, we had 13 incidents there’s not a lot of demonstration of value in that. And so always the metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org. “
Michael steered the discussion to the value discussion around incident metrics and their relationship with SOC capacity. How many incidents can you handle? Is it a tools issue or a people issue or a combination of both? Chris’ study also revealed a subset of tools that respondents more frequently leveraged and added value to delivery of higher capacity of incident closure.
One question on the survey asked, “Do you use it?
“Not whether you like it or not, but do you use it? And do you use it in a way where you have full coverage or partial coverage? Because another thing about technology, and this is kind of a dirty secret in technology applications, is a lot of people buy it but actually never get it deployed fully,” Chris said.
His survey allowed respondents to reveal their most-used technologies and to grade tools.
The most common used technologies reported in the survey were:
Tools receiving the most A grades:
Tools receiving the most F grades:
Chris pointed out that the reasoning behind the F grades may be less a case of failing and more a case of not meeting their full potential.
“Some of these are newer in this space and some of them just feel like they’re failures for people” Chris said. “Now, whether they’re technology failures or not this is what people are reporting that they don’t like in terms of the tech.”
For more findings read or download Chris Crowley’s 2020 survey here.
Watch this entire episode of SOCwise below.
The post SOCwise Series: A Tale of Two SOCs with Chris Crowley appeared first on McAfee Blogs.
A new wave of fraudulent apps has made its way to the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula as well—to the tune of more than 700,000 downloads before detection by McAfee Mobile Research and co-operation with Google to remove the apps.
Figure 1. Infected Apps on Google Play
Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijack SMS message notifications and then make unauthorized purchases. While apps go through a review process to ensure that they are legitimate, these fraudulent apps made their way into the store by submitting a clean version of the app for review and then introducing the malicious code via updates to the app later.
Figure 2. Negative reviews on Google Play
McAfee Mobile Security detects this threat as Android/Etinu and alerts mobile users if they are present. The McAfee Mobile Research team continues to monitor this threat and is likewise continuing its co-operation with Google to remove these and other malicious applications on Google Play.
In terms of details, the malware embedded in these apps takes advantage of dynamic code loading. Encrypted payloads of malware appear in the assets folder associated with the app, using names such as “cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files, as illustrated below.
Figure 3. Encrypted resource sneaked into the assets folder
Figure 4. Decryption flow
The figure above shows the decryption flow. Firstly, the hidden malicious code in the main .apk opens “1.png” file in the assets folder, decrypts it to “loader.dex,” and then loads the dropped .dex. The “1.png” is encrypted using RC4 with the package name as the key. The first payload creates HTTP POST request to the C2 server.
Interestingly, this malware uses key management servers. It requests keys from the servers for the AES encrypted second payload, “2.png”. And the server returns the key as the “s” value of JSON. Also, this malware has self-update function. When the server responds “URL” value, the content in the URL is used instead of “2.png”. However, servers do not always respond to the request or return the secret key.
Figure 5. Updated payload response
As always, the most malicious functions reveal themselves in the final stage. The malware hijacks the Notification Listener to steal incoming SMS messages like Android Joker malware does, without the SMS read permission. Like a chain system, the malware then passes the notification object to the final stage. When the notification has arisen from the default SMS package, the message is finally sent out using WebView JavaScript Interface.
Figure 6. Notification delivery flow
As a result of our additional investigation on C2 servers, following information was found, including carrier, phone number, SMS message, IP address, country, network status, and so forth—along with auto-renewing subscriptions:
Figure 7. Leaked data
We expect that threats which take advantage of Notification Listener will continue to flourish. The McAfee Mobile Research team continues to monitor these threats and protect customers by analyzing potential malware and working with app stores to remove it. Further, using McAfee Mobile Security can detect such threats and protect you from them via its regular updates. However, it’s important to pay attention to apps that request SMS-related permissions and Notification Listener permissions. Simply put, legitimate photo and wallpaper apps simply won’t ask for those because they’re not necessary for such apps to run. If a request seems suspicious, don’t allow it.
MITRE ATT&CK Matrix
| 08C4F705D5A7C9DC7C05EDEE3FCAD12F345A6EE6832D54B758E57394292BA651 | com.studio.keypaper2021 |
| CC2DEFEF5A14F9B4B9F27CC9F5BBB0D2FC8A729A2F4EBA20010E81A362D5560C | com.pip.editor.camera |
| 007587C4A84D18592BF4EF7AD828D5AAA7D50CADBBF8B0892590DB48CCA7487E | org.my.favorites.up.keypaper |
| 08FA33BC138FE4835C15E45D1C1D5A81094E156EEF28D02EA8910D5F8E44D4B8 | com.super.color.hairdryer |
| 9E688A36F02DD1B1A9AE4A5C94C1335B14D1B0B1C8901EC8C986B4390E95E760 | com.ce1ab3.app.photo.editor |
| 018B705E8577F065AC6F0EDE5A8A1622820B6AEAC77D0284852CEAECF8D8460C | com.hit.camera.pip |
| 0E2ACCFA47B782B062CC324704C1F999796F5045D9753423CF7238FE4CABBFA8 | com.daynight.keyboard.wallpaper |
| 50D498755486D3739BE5D2292A51C7C3D0ADA6D1A37C89B669A601A324794B06 | com.super.star.ringtones |
d37i64jgpubcy4.cloudfront.net
d1ag96m0hzoks5.cloudfront.net
dospxvsfnk8s8.cloudfront.net
d45wejayb5ly8.cloudfront.net
d3u41fvcv6mjph.cloudfront.net
d3puvb2n8wcn2r.cloudfront.net
d8fkjd2z9mouq.cloudfront.net
d22g8hm4svq46j.cloudfront.net
d3i3wvt6f8lwyr.cloudfront.net
d1w5drh895wnkz.cloudfront.net
The post Clever Billing Fraud Applications on Google Play: Etinu appeared first on McAfee Blogs.
After experiencing a health scare that changed his life, VP of Technology Services, Paul, vowed to make incremental changes by incorporating four important health pledges into his daily routine.
Hear Paul’s life-changing story, how his diagnosis impacted his outlook on prioritizing his physical and mental health, and how he describes McAfee’s role in empowering him and others to follow their own wellness goals.
“To the leadership team and colleagues around me, thank you for giving me the time, space and flexibility to recover. The fact that we can 100% check out and focus on our wellbeing is paramount. At McAfee, that’s in our culture and our spirit.”
Here are Paul’s recommendations of four daily practices that every person can incorporate daily into their busy schedules.
Get up and Walk
Plan for virtual 1:1 walking meetings with your team, it allows you to stay active even on the busiest days.
Hydrate
Keep a cannister of ice, cold water at your desk so that you can stay hydrated throughout the workday.
Takes Breaks
Take mental breaks and intentionally unplug. Spend time away from your electronic devices by avoiding emails or going on chat.
Stand Up
It can be easy to sit at your desk all day. This doesn’t benefit your health. Instead, stand up and find ways to move.
At McAfee, we believe that your mental and physical wellbeing is a top priority. That’s why we encourage team members to take the time they need to reset, recharge, and care for their health. Between our paid holidays, unlimited vacation policy in the U.S., and leave policy, we enable our team to balance work with life’s responsibilities. We know that the key to living our best lives at and away from the office starts with focusing on wellbeing.
Want to work for a company that encourages team members to prioritize their health and wellbeing? Check out McAfee’s Latest Career Opportunities. Subscribe to Job Alerts.
Stay Connected
For more stories like this, follow @LifeAtMcAfee on Instagram and @McAfee on Twitter to see what working at McAfee is all about.
Search Career Opportunities with McAfee
Interested in joining our team? We’re hiring! Apply now.
The post McAfee VP Shares His Four Pledges for a Healthier Lifestyle appeared first on McAfee Blogs.
In a year where people relied on their digital lives more than ever before and a dramatic uptick in attacks quickly followed, McAfee’s protection stood strong.
We’re proud to announce several awards from independent third-party labs, which recognized our products, protection, and the people behind them over the course of last year.
The Cybersecurity Excellence Awards is an annual competition honoring individuals and companies that demonstrate excellence, innovation, and leadership in information security. We were honored with four awards:
Further recognition came by way of three independent labs known for their testing and evaluation of security products. Once more, this garnered several honors:
As the threat landscape continues to evolve, our products do as well. We’re continually updating them with new features and enhancements, which our subscribers receive as part of automatic product updates. So, if you bought your product one or two years ago, know that you’re still getting the latest award-winning protection with your subscription.
We’d like to acknowledge your part in these awards as well. None of this is possible without the trust you place in us and our products. With the changes in our work, lifestyles, and learning that beset millions of us this past year, your protection and your feeling of security remain our top priority.
With that, as always, thank you for selecting us.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post McAfee Awarded “Cybersecurity Excellence Awards” appeared first on McAfee Blogs.
Throw open the windows and let in some fresh air. It’s time for spring cleaning.
And that goes for your digital stuff too.
Whether it’s indeed spring where you are or not, you can give your devices, apps, and online accounts a good decluttering. Now’s the time. Cleaning them up can protect your privacy and your identity, because when there’s less lying about, there’s less for hackers to scoop up and exploit.
The reality is that we accumulate plenty of digital clutter that needs cleaning up from time to time. Think about it:
Together, these things take up space on your devices and, in some cases, can open you up to security hazards. Let’s take a look at how you can clean up in a few steps.
1. Review your accounts and delete the ones you don’t use. Look through your bookmarks, your password manager, or the other places where you store your passwords and usernames. Review the sites and services associated with them critically. If you haven’t used an account in some time, log in one last time, remove all personal info, and deactivate it.
Doing so can keep your email address, usernames, and passwords out of unnecessary circulation. Major breaches like this one happen with unfortunate regularity, and the sad thing is that you may not even be aware that a site you’ve used has been hit. Meanwhile, your name, password, and info associated with that account (such as your credit card) are in the hands of hackers. Limit your exposure. Close those old accounts.
2. Get organized, and safer too, with a password manager. While creating strong, unique passwords for each of our accounts is a must nowadays, it can be quite the feat, given all of the accounts in our lives. Here’s where a password manager comes in. It can create those strong, unique passwords for you. Not only that, but it also stores your passwords on secure servers, away from hackers and thieves.
Along those lines, never store your passwords on your computer or device, like a text document or spreadsheet. Should your device ever get compromised, lost, or stolen, having passwords stored on them are like handing over the keys to your digital life.
3. Clean your PC to improve your performance (and your security). Let’s face it, so many of us are so busy with the day-to-day that cleaning up our computers and laptops is way down the list. However, doing so once a month can keep our devices running stronger for longer and even give you that “new computer feeling,” particularly if you haven’t cleaned it up for some time. Check out or guide for improving PC performance. It’ll walk you through some straightforward steps that can make a marked difference.
Moreover, part of this process should entail bolstering your operating system and apps with the latest updates. Such updates can not only improve speed and functionality, but they also often include security upgrades as well that can make you safer in the long run. If your operating system and apps feature automatic updates, enable them, and they’ll do the work for you.
4. Organize and store your photos. Photos. Now there’s a topic all unto itself. Here’s the thing: Estimates show that worldwide we took somewhere around 1.2 trillion photos in 2018. And you certainly have your share.
However, your photos may be just sitting there, taking up storage space on your computer or phone, instead of becoming something special like an album, greeting cards, a wall hanging, or popping them into a digital picture frame for your kitchen or living room. And this is where a little spring cleaning can be a bit of fun. For tips on cleaning up your photos, backing them up, and making something special with them, check out my earlier blog.
5. Delete old apps and the data associated with them. Let’s say you have a couple of apps on your phone for tracking your walks, runs, and exercise. You’ve since stopped using one altogether. Go ahead and delete the old one. But before you do, go in and delete your account associated with the app to ensure that any data stored off your phone, along with your password and user id are deleted as well.
For your computers and laptops, follow the same procedure, recognizing that they also may have account data stored elsewhere other than on your device.
In short, many apps today store information that’s stored and maintained by the app provider. Make sure you close your accounts so that data and information is taken out of circulation as well.
6. Shred your old files and encrypt the important files you’re holding on to. This bit of advice calls for using comprehensive security software on your devices. In addition to protecting you from viruses, malware, and other cyberattacks on your privacy and identity, it can help you protect your sensitive information as well. Such security software can offer:
7. Throwing away old computers and tech—dispose of properly. When it comes time to say goodbye to an old friend, whether that’s a computer, laptop, phone, or tablet, do so in a way that’s friendly to the environment and your security.
Consider this … what’s on that old hard drive of yours? That old computer may contain loads of precious personal and financial info on it. Same thing goes for your tablets and phones. The Federal Trade Commission (FTC) offers some straightforward advice in their article about protecting your data before you get rid of your computer. You don’t want those old tax returns ending up in the trash unprotected.
When it comes time for disposal, you have a few options:
Enjoying the benefits of your work—that’s what spring cleaning is all about, right? With this little list, you can end up with a digital life that’s safer and faster than before.
The post Digital Spring Cleaning: Seven Steps for Faster, Safer Devices appeared first on McAfee Blog.
Cryptocurrency enthusiasts are flocking to the Wild West of Bitcoin and Monero to cash in on the recent gold rush. Bitcoin’s meteoric rise in value is making coin mining an appealing hobby or even a whole new career. Coin mining software is the main tool in a prospector’s belt.
Some coin miners, also known as cryptocurrency miners, are tempted by the dark side of the industry and resort to nefarious means to harness the immense computing power needed for cryptocurrency profits. Greedy cryptocurrency criminals employ a practice called cryptojacking, stealing the computer power of unsuspecting devices to help them mine faster. Your device could be at risk at being recruited to their efforts.
Let’s dig into how coin mining programs work, why they turn malicious, and how you can stay safe from cryptojackers.
Mining cryptocurrency takes a lot of time and computer processing power. A coin mining home setup requires a graphics processing unit (GPU) or an application-specific integrated circuit (ASIC). Coin mining software then runs off the GPU or ASIC. Each central processing unit (CPU), or the brain of the computer, plus the GPU or ASIC is referred to as a mining rig.
Once the software is installed, the rig is ready to mine, running mathematical calculations to verify and collect new cryptocurrency transactions. Each calculation is known as a hash, and hash rates are the number of calculations that can be run per second.
From there, casual miners may choose to join a mining pool, which is a club of miners who agree to consolidate their computing power and split the profits based on how much work each miner contributed to the output.
Bitcoin rewards miners every 10 minutes for their efforts. Each time miners solve a string of mathematical puzzles, they validate a chain of transactions, thus helping make the entire Bitcoin system more secure. Miners are paid in bitcoin and they also receive a transactional fee.
While coin mining typically starts off as a casual hobby, coin mining programs can turn malicious when cryptocurrency miners want to earn more without investing in boosting their own computing power. Instead, they reroute their targets’ computing power without asking. This is called cryptojacking.
Mining requires incredible amounts of electricity and the more rigs involved; the more cryptocurrency can be mined. Usually, the utility bills and the cost of running coin mining software negates any profit. For example, a casual miner may have one rig devoted to mining. An average rig processes approximately 500 hashes per second on the Monero network (a type of cryptocurrency). However, 500 hashes per second translates to less than a dollar per week in traditional, or fiat, currency.
Greedy cryptocurrency criminals recruit CPU soldiers to their mining army to improve their hash rate. To do so, criminals download coin mining software to a device and then program it to report back to their server. The device’s thinking power is diverted from the owner and funneled straight to the criminal’s server that now controls it. Compromised devices run considerably slower and can overheat, and the strain on the device can eventually destroy it.
Cryptojackers are not your everyday thieves. Their target is your CPU power, and they employ devious methods to funnel it for their own use. Luckily, there are a few easy ways to thwart their efforts:
Personal devices are often infected through phishing within emails and texts. There are many tell-tale signs of a phishing message. For example, they are often poorly written and use language that indicates that the sender wants a hasty response. Also, phishing attempts often charade as official organizations, like banks and credit card companies. If you are ever suspicious of an email or text, do not open any of the links and do not reply. Instead, contact the organization’s customer support to verify the legitimacy of the message.
Another way miners gain access to personal devices is by camouflaging malicious code in pop-up ads. An easy way to avoid being cryptojacked is to simply never click on these ads. Or even better, install an ad blocker to help eliminate the risk.
Public wi-fi and poorly protected networks present a vulnerable entry point for cybercriminals to hack into your devices. Cybercriminals often attempt to download software remotely to your laptop, desktop, or mobile device to reroute its computing power for their own selfish gains. Always connect to a VPN like McAfee Safe Connect VPN to safely surf unsecure networks.
Cryptojacking code is inconspicuous and generally hidden in legitimate code. Antivirus software, such as McAfee Total Protection, is a recommended way to proactively scan for malware and even identify fraudulent websites. McAfee WebAdvisor has a Chrome extension that specifically blocks cryptojackers.
Be aware of the signs your devices have been cryptojacked. For example, monitor any changes in the speed of your devices and check out your utility bills for dramatic spikes. By remaining vigilant with these tips, you will keep your devices safe from cryptocurrency miners gone rogue.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Why Coin Miners Go Bad & How to Protect Your Tech When They Do appeared first on McAfee Blogs.
You flick through some reels and an ad for “a more private phone” crops up. You scroll through your news feed and catch wind of yet another data breach at a major retailer. You see a post from a friend who says their social media account was hacked. Maybe you don’t think about security every day, but when you do, it can feel … overwhelming. We’re here to solve that. We’re here to make security easy.
As security providers, we have to offer protection against a wide variety of threats without adding more complexity to your already busy life. Managing your security should be easy, and even enjoyable.
Enjoyable?
Yes. We want you to have a sense of accomplishment, both knowledge and a feeling that you’re safer than you were before.
With these things in mind, we set out to make your security software work better for you. We streamlined the experience to simplify what you see, while still offering robust protection. After all, true security is the security that you benefit from every day, and it’s up to us as providers to make it smooth and easy as possible.
Our new setup process now includes easier navigation, fewer screens, and clearer action items and alerts. It smoothly moves you through setting up protection across all the ways you interact online and your compatible devices. This way, you know that we’re helping to keep you safe whether you’re messaging, browsing, or shopping and banking online.
Another area where we put a lot of focus is the new home screen. This is your home base, where we clearly show you what your current protection status is in the areas that matter the most to you. This includes making it easier to monitor your personal information and strengthen protections you already use, like passwords.
The home screen is also where you come to perform essential tasks, such as running an antivirus scan. It guides you to take actions when needed, giving you proactive protection, and a clear view of your overall security in one convenient place. From here you can access details on the status of your PC, web, and identity protection.
While we’re always focused on helping you feel confident and protected online, we realize that making our tools easy to use is just as important. The digital security landscape will continue to be a complicated one, with more than a million new and unique threats cropping up each day, but we can and are making security simpler, and therefore, more effective.
With easier setup and protection that turns on automatically at the right moments, we want to make security easier for you so that you can feel safer online. We’ve heard your feedback about how we can improve, and we’ll bring all that goodness in a product that you can use every day.
You’ll find this interface across our McAfee+ family of products, along with continual upgrades and improvements as we roll out more features that will keep you safer online.
The post Let’s Make Security Easy appeared first on McAfee Blog.
The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: April 2021.
In this edition, we present new findings in our traditional threat statistical categories – as well as our usual malware, sectors, and vectors – imparted in a new, enhanced digital presentation that’s more easily consumed and interpreted.
Historically, our reports detailed the volume of key threats, such as “what is in the malware zoo.” The introduction of MVISION Insights in 2020 has since made it possible to track the prevalence of campaigns, as well as, their associated IoCs, and determine the in-field detections. This latest report incorporates not only the malware zoo but new analysis for what is being detected in the wild.
The Q3 and Q4 2020 findings include:
Additional Q3 and Q4 2020 content includes:
These new, insightful additions really make for a bumper report! We hope you find this new McAfee Labs threat report presentation and data valuable.
Don’t forget keep track of the latest campaigns and continuing threat coverage by visiting our McAfee COVID-19 Threats Dashboard and the MVISION Insights preview dashboard.
The post McAfee Labs Report Reveals Latest COVID-19 Threats and Malware Surges appeared first on McAfee Blogs.
Recently, the McAfee Mobile Research Team uncovered several new variants of the Android malware family BRATA being distributed in Google Play, ironically posing as app security scanners.
These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services. Recent versions of BRATA were also seen serving phishing webpages targeting users of financial entities, not only in Brazil but also in Spain and the USA.
In this blog post we will provide an overview of this threat, how does this malware operates and its main upgrades compared with earlier versions. If you want to learn more about the technical details of this threat and the differences between all variants you can check the BRATA whitepaper here.
First seen in the wild at the end of 2018 and named “Brazilian Remote Access Tool Android ” (BRATA) by Kaspersky, this “RAT” initially targeted users in Brazil and then rapidly evolved into a banking trojan. It combines full device control capabilities with the ability to display phishing webpages that steal banking credentials in addition to abilities that allow it capture screen lock credentials (PIN, Password or Pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user’s actions without their consent.
Because BRATA is distributed mainly on Google Play, it allows bad actors to lure victims into installing these malicious apps pretending that there is a security issue on the victim’s device and asking to install a malicious app to fix the problem. Given this common ruse, it is recommended to avoid clicking on links from untrusted sources that pretend to be a security software which scans and updates your system—e even if that link leads to an app in Google Play. McAfee offers protection against this threat via McAfee Mobile Security, which detects this malware as Android/Brata.
The main upgrades and changes that we have identified in the latest versions of BRATA recently found in Google Play include:
During 2020, the threat actors behind BRATA have managed to publish several apps in Google Play, most of them reaching between one thousand to five thousand installs. However, also a few variants have reached 10,000 installs including the latest one, DefenseScreen, reported to Google by McAfee in October and later removed from Google Play.
Figure 1. DefenseScreen app in Google Play.
From all BRATA apps that were in Google Play in 2020, five of them caught our attention as they have notable improvements compared with previous ones. We refer to them by the name of the developer accounts:
Figure 2. Timeline of identified apps in Google Play from May to October 2020
BRATA poses as a security app scanner that pretends to scan all the installed apps, while in the background it checks if any of the target apps provided by a remote server are installed in the user’s device. If that is the case, it will urge the user to install a fake update of a specific app selected depending on the device language. In the case of English-language apps, BRATA suggests the update of Chrome while also constantly showing a notification at the top of the screen asking the user to activate accessibility services:
Figure 3. Fake app scanning functionality
Once the user clicks on “UPDATE NOW!”, BRATA proceeds to open the main Accessibility tab in Android settings and asks the user to manually find the malicious service and grant permissions to use accessibility services. When the user attempts to do this dangerous action, Android warns of the potential risks of granting access to accessibility services to a specific app, including that the app can observe your actions, retrieve content from Windows, and perform gestures like tap, swipe, and pinch.
As soon as the user clicks on OK the persistent notification goes away, the main icon of the app is hidden and a full black screen with the word “Updating” appears, which could be used to hide automated actions that now can be performed with the abuse of accessibility services:
Figure 4. BRATA asking access to accessibility services and showing a black screen to potentially hide automated actions
At this point, the app is completely hidden from the user, running in the background in constant communication with a command and control server run by the threat actors. The only user interface that we saw when we analyzed BRATA after the access to accessibility services was granted was the following screen, created by the malware to steal the device PIN and use it to unlock it when the phone is unattended. The screen asks the user to confirm the PIN, validating it with the real one because when an incorrect PIN is entered, an error message is shown and the screen will not disappear until the correct PIN is entered:
Figure 5. BRATA attempting to steal device PIN and confirming if the correct one is provided
Once the malicious app is executed and accessibility permissions have been granted, BRATA can perform almost any action in the compromised device. Here’s the list of commands that we found in all the payloads that we have analyzed so far:
In addition to the commands above, BRATA also performs automated actions by abusing accessibility services to hide itself from the user or automatically grant privileges to itself:
Earlier BRATA versions like OutProtect and PrivacyTitan were designed to target Brazilian users only by limiting its execution to devices set to the Portuguese language in Brazil. However, in June we noticed that threat actors behind BRATA started to add support to other languages like Spanish and English. Depending on the language configured in the device, the malware suggested that one of the following three apps needed an urgent update: WhatsApp (Spanish), a non-existent PDF Reader (Portuguese) and Chrome (English):
Figure 6. Apps falsely asked to be updated depending on the device language
In addition to the localization of the user-interface strings, we also noticed that threat actors have updated the list of targeted financial apps to add some from Spain and USA. In September, the target list had around 52 apps but only 32 had phishing URLs. Also, from the 20 US banking apps present in the last target list only 5 had phishing URLs. Here’s an example of phishing websites that will be displayed to the user if specific US banking apps are present in the compromised device:
Figure 7. Examples of phishing websites pretending to be from US banks
Throughout 2020, BRATA constantly evolved, adding different obfuscation layers to impede its analysis and detection. One of the first major changes was moving its core functionality to a remote server so it can be easily updated without changing the original malicious application. The same server is used as a first point of contact to register the infected device, provide an updated list of targeted financial apps, and then deliver the IP address and port of the server that will be used by the attackers to execute commands remotely on the compromised device:
Figure 8. BRATA high level network communication
Additional protection layers include string obfuscation, country and language check, encryption of certain key strings in assets folder, and, in latest variants, the use of a commercial packer that further prevents the static and dynamic analysis of the malicious apps. The illustration below provides a summary of the different protection layers and execution stages present in the latest BRATA variants:
Figure 9. BRATA protection layers and execution stages
In order get infected with BRATA ,users must install the malicious application from Google Play so below are some recommendations to avoid being tricked by this or any other Android threats that use social engineering to convince users to install malware that looks legitimate:
The activation of accessibility services is very sensitive in Android and key to the successful execution of this banking trojan because, once the access to those services is granted, BRATA can perform all the malicious activities and take control of the device. For this reason, Android users must be very careful when granting this access to any app.
Accessibility services are so powerful that in hands of a malicious app they could be used to fully compromise your device data, your online banking and finances, and your digital life overall.
When BRATA was initially discovered in 2019 and named “Brazilian Android RAT” by Kaspersky, it was said that, theoretically, the malware can be used to target other users if the cybercriminals behind this threat wanted to do it. Based on the newest variants found in 2020, the theory has become reality, showing that this threat is currently very active, constantly adding new targets, new languages and new protection layers to make its detection and analysis more difficult.
In terms of functionality, BRATA is just another example of how powerful the (ab)use of accessibility services is and how, with just a little bit of social engineering and persistence, cybercriminals can trick users into granting this access to a malicious app and basically getting total control of the infected device. By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user.
Judging by our findings, the number of apps found in Google Play in 2020 and the increasing number of targeted financial apps, it looks like BRATA will continue to evolve, adding new functionality, new targets, and new obfuscation techniques to target as many users as possible, while also attempting to reduce the risk of being detected and removed from the Play store.
McAfee Mobile Security detects this threat as Android/Brata. To protect yourselves from this and similar threats, employ security software on your mobile devices and think twice before granting access to accessibility services to suspicious apps, even if they are downloaded from trusted sources like Google Play.
Figure 10. MITRE ATT&CK Mobile for BRATA
<h3>Indicators of compromise
Apps:
| SHA256 | Package Name | Installs |
| 4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be | com.outprotect.android | 1,000+ |
| d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b | com.privacytitan.android | 1,000+ |
| f9dc40a7dd2a875344721834e7d80bf7dbfa1bf08f29b7209deb0decad77e992 | com.greatvault.mobile | 10,000+ |
| e00240f62ec68488ef9dfde705258b025c613a41760138b5d9bdb2fb59db4d5e | com.pw.secureshield | 5,000+ |
| 2846c9dda06a052049d89b1586cff21f44d1d28f153a2ff4726051ac27ca3ba7 | com.defensescreen.application | 10,000+ |
URLs:
This paper will analyze five different “Brazilian Remote Access Tool Android” (BRATA) apps found in Google Play during 2020.
The post BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain appeared first on McAfee Blogs.
“It’s alive! It’s alive!”
Even if you haven’t seen the 1931 film Frankenstein, you are more than likely familiar with the story of the “monster” created by Victor Frankenstein. You may associate this cry from its titular character with the image of what Victor conjured finally opening its eyes and slowly lurching off the table.
While amusing and entertaining, this ongoing trope has a flaw that has tainted most of our memories. The fact is, in Mary Shelley’s classic 1818 novel of the same name, Victor does not excitedly exclaim when that first forward lurch occurs – but rather runs away and hides.
That’s right – fear was the first instinct met when a human, Victor, created and powered a non-human entity. While a work of fiction, was this our first brush with the concept of Artificial Intelligence (AI)? We don’t necessarily align the year 1818 in our minds as a technologically booming era. We have certainly come a long way from shipbuilding patents equaling the heights of technology to the technology that empowers life and business today.
So why are so many of us still fearful like Victor when it comes to AI? Especially since, in its earnest efforts, most AI technology today is designed to better processes, outcomes, and experiences – not to mention ensure greater security and control. We constantly see doom-and-gloom headlines asking whether AI will replace human jobs or touting added expenses associated with implementation. There’s even an entire Wikipedia page devoted to the notion of an “AI Takeover.”
But the truth is, AI – and machine learning – technology has gotten to the point today where it is more of an anomaly if a company or business does not implement it in some form. It is so commonplace that many of us don’t even know it is there. From smart assistants to progressing the healthcare industry at a time where it needs all the efficiencies it can afford, AI is everywhere and the security industry is no stranger when it comes to benefitting from its advances as well.
Our company looks at AI as an enhancement not a replacement. We know AI can improve experiences, create greater efficiencies, and solve complex problems – but at the same time are realistic. We know that humans alone cannot possibly address and respond to the sheer amount of threats businesses face today. But we also know that machines and technology do not currently have the creativity, wit, and wisdom that humans possess.
This is an important factor in the cybersecurity industry. This realism and notion that AI is an enhancement aligns with the concepts and origins of AI itself.
Most AI we see today can be categorized as strong AI, or AGI – artificial general intelligence, and weak AI. The latter means that humans are involved in some facet of programming the technology, whereas with strong AI, technology is able to use algorithms to process, inform, and make decisions independent of human interaction. What we don’t talk about as much is artificial superintelligence (ASI), where technology gains advanced cognitive abilities that can match – or even surpass – a human.
ASI can be ideal for many industries, but we’re not quite there yet. Since most AI today is still in the strong AI stage, AKA the enhancement phase where humans are still needed to process and define what technology currently cannot: emotion. Machines cannot currently replace thinking like a threat actor – imagining scenarios that only humans experience, intuition, motive, and brain power can conjure.
Therefore, we need humans and machines working together as a team. Machines are able to keep pace with the number of emerging threats and help security operation center analysts manage a tremendous amount of data and convert it into actionable intelligence. But human skill is needed to prioritize threats based on context, insight, and consciousness that machines don’t have.
It is increasingly important to remember this as we see adversarial AI on the rise and threat actors use AI to infiltrate AI-powered solutions. With this increase, speed of response is crucial, which is where we see AI have the most impact across the cybersecurity industry when coupled with human strategy to reduce potential damage done to an organization.
We are far from the point where AI needs to invoke fear, but we have a responsibility to know the shortcomings of current AI alongside its benefits.
This open-minded outlook is critical as AI in its truest form is about intelligence – and we can always add to and grow intelligence. The concept of always-on learning levels the playing field for both humans and machines. We’re the same in this aspect in that the possibilities are endless based on what we both can conjure and create based on education, learning, and knowledge.
The post AI Is Alive! But Not Without Our Help appeared first on McAfee Blogs.
Cuba ransomware is an older ransomware, that has recently undergone some development. The actors have incorporated the leaking of victim data to increase its impact and revenue, much like we have seen recently with other major ransomware campaigns.
In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the greatest impact. The attackers operate using a set of PowerShell scripts that enables them to move laterally. The ransom note mentions that the data was exfiltrated before it was encrypted. In similar attacks we have observed the use of a Cobalt Strike payload, although we have not found clear evidence of a relationship with Cuba ransomware.
We observed Cuba ransomware targeting financial institutions, industry, technology and logistics organizations.
The following picture shows an overview of the countries that have been impacted according to our telemetry.
Defenders should be on the lookout for traces and behaviours that correlate to open source pen test tools such as winPEAS, Lazagne, Bloodhound and Sharp Hound, or hacking frameworks like Cobalt Strike, Metasploit, Empire or Covenant, as well as abnormal behavior of non-malicious tools that have a dual use. These seemingly legitimate tools (e.g., ADfind, PSExec, PowerShell, etc.) can be used for things like enumeration and execution. Subsequently, be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047). We advise everyone to check out the following blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).
Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common among ransomware criminals:
When it comes to the actual ransomware binary, we strongly advise updating and upgrading endpoint protection, as well as enabling options like tamper protection and Rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.
For active protection, more details can be found on our website – https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.cuba-ransomware.html – and in our detailed Defender blog.
Learn more about Cuba ransomware, Yara Rules, Indicators of Compromise & Mitre ATT&CK techniques used by reading our detailed technical analysis.
The post McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware appeared first on McAfee Blogs.
FreshRSS 