Login
Editor’s note: While this topic isn’t entirely security-specific, Trend Micro leader William Malik, has career expertise on the trending topic and shared his perspective.
——
There was a provocative report recently that the Governor of New Jersey told reporters that the state of New Jersey needed COBOL programmers. The reason was that the number of unemployment claims had spiked, and the legacy system running unemployment claims had failed. That 40-year-old system was written in COBOL, so the conclusion was that the old language had finally given out. Hiring COBOL programmers would let the State update and modernize the application to handle the increase in load.
This might be the problem, but it probably is not. Here’s why.
From these points, we learn the following lessons.
Software Doesn’t Wear Out
Logic is indelible. A computer program is deterministic. It will do exactly what you tell it to do, even if what you tell it to do isn’t precisely what you meant it to do. Code never misbehaves – but your instructions may be incorrect. That’s why debugging is such a hard problem.
Incidentally, that’s also why good developers usually make lousy testers. The developer focuses her mind on one thing – getting a bunch of silicon to behave. The tester looks for faults, examines edge conditions, limit conditions, and odd configurations of inputs and infrastructure to see how things break. The two mindsets are antithetical.
Once a piece of software has been in production long enough, the mainline paths are usually defect free. In fact, the rest of the code may be a hot mess, but that stuff doesn’t get executed so those defects are latent and do not impact normal processing. Ed Adams published a report in 1984 titled “Optimizing Preventative Service for Software Products” (https://ieeexplore.ieee.org/document/5390362, originally published in the IBM Journal of Research and Development, v 28, n 1). He concluded that once a product has been in production for a sufficient time, it was safer to leave it alone. Installing preventative maintenance was likely to disrupt the system. Most IT organizations know this, having learned the hard way. “If it ain’t broke, don’t fix it” is the mantra for this wisdom.
As a corollary, new software has a certain defect rate. Fixes to that software typically have a defect rate ten times greater. So if a typical fix is large enough, you put in a new bug for every bug you take out.
Computers Are Constrained
All computers have constraints. The relative amount of resources mean some computers are better for some workloads than others. For mainframes, the typical constraint is processing power. That’s why mainframes are tuned to run at 100% utilization, or higher. (How do you get past 100% utilization? Technically, of course, you can’t. But what the measurements are showing you is how much work is ready to run, waiting for available processing power. The scale actually can go to 127%, if there’s enough work ready.)
Different types of computers have different constraints. Mainframes run near 100% utilization – the CPU is the most expensive and constrained resource. PCs on the other hand never get busy. No human can type fast enough to drive utilization above a few percent. The constrained resource on PCs is typically disk storage. That’s why different types of computers do better at different types of work. PCs are great for user interface stuff. Mainframes are perfect for chewing through a million database records. By chance we developed mainframes first; that’s not an indictment of either type, Both are useful.
Computers Can Run Out of Resources
Any IT infrastructure has a design point for load. That is, when you put together a computer you structure it to meet the likely level of demand on the system. If you over-provision it, you waste resources that will never be used. If you under-provision it, you will not meet your service level agreements. So when you begin, you must know what the customers – your users – expect in terms of response time, number of concurrent transactions, database size, growth rates, network transaction load, transaction mix, computational complexity of transaction types, and so on. If you don’t specify what your targets are for these parameters, you probably won’t get the sizing right. You will likely buy too much of one resource or not enough of another.
Note that cloud computing can help – it allows you to dynamically add additional capacity to handle peak load. However, cloud isn’t a panacea. Some workloads don’t flex that much, so you spend extra money for flexibility for a capability that you can provide more economically and efficiently if it were in-house.
Add Capacity in Balance
When I was in high school our physics teacher explained that temperature wasn’t the same as heat. He said “Heat is the result of a physical or chemical reaction. Temperature is simply the change in heat over the mass involved.” One of the kids asked (snarkily) “Then why don’t drag racers have bicycle tires on the back?” The teacher was caught off guard. The answer is that the amount of heat put into the tire is the same regardless of its size, but the temperature was related to the size of the area where the tire touched the road. A bicycle tire has only about two square inches on the pavement, a fat drag tire has 100 square inches or more. So putting the same amount of horsepower spinning the tire will cause the bicycle tire’s temperature to rise about 50 times more than the gumball’s will.
When you add capacity to a computing system, you need to balance related capacity elements or you’ll be wasting money. Doubling the processor’s power (MHz or MIPS) without proportionately increasing the memory or network capacity simply moves the constraint from one place to another. What used to be a system with a flat-out busy CPU now becomes a system that’s waiting for work with a queue at the memory, the disk drive, or the network card.
Adding Staff Makes Things Worse
Increasing any resource creates potential problems of its own, especially of the system’s underlying architecture is ignored. Fore the software development process (regardless of form) one such resource is staff. The book “The Mythical Man-Month” by Fred Brooks (https://www.barnesandnoble.com/w/the-mythical-man-month-frederick-p-brooks-jr/1126893908) discusses how things go wrong.
The core problem is adding more people require strong communications and clear goals. Too many IT projects lack both. I once was part of an organization that consulted on a complex application rewrite – forty consultants, hundreds of developers, and very little guidance. The situation degenerated rapidly when the interim project manager decided we shouldn’t waste time on documentation. A problem would surface, the PM would kick off as task force, hold a meeting, and send everybody on their way. After the meeting, people would ask what specific decisions had been reached, but since there were no minutes, nobody could be sure. That would cause the PM to schedule another meeting, and so on. Two lessons I learned concerns meetings:
When you add staff, you must account for the extra overhead managing the activities of each person, and establish processes to monitor changes that every participant must follow. Scrum is an excellent way of flattening potentially harmful changes. By talking face to face regularly, the team knows everything that’s going on. Omit those meetings or rely on second-hand reports and the project is already off the rails. All that remains is to see how far things go wrong before someone notices.
In Conclusion …
If you have a computer system that suddenly gets a huge spike in load, do these things first:
If you are unable to resolve the capacity constraints with these steps, examine the programs for internal limitations:
Note that if you do not have (or cannot find) the relevant documentation, you will need to examine the source code. At this point, you may need to bring in a small set of experts in the programming language to recreate the relevant documentation. Handy hint: before you start working on the source code, regenerate the load modules and compare them with the production stuff to identify any patches or variance between what’s in the library and what’s actually in production.
Bringing in a bunch of people before going through this analysis will cause confusion and waste resources. While to an uninformed public it may appear that something is being done, the likelihood is that what is actually being done will have to be expensively undone before the actual core problem can be resolved. Tread lightly. Plan ahead. State your assumptions, then verify them. Have a good plan and you’ll work it out. Remember, it’s just ones and zeros.
What do you think? Let me know in the comments below, or @WilliamMalikTM.
The post “We Need COBOL Programmers!” No, You Probably Don’t appeared first on .
The acceleration of in-house development enabled by public cloud and Software-as-a-Service (SaaS) platform adoption in the last few years has given us new levels of visibility and access to data. Putting all of that data together to generate insights and action, however, can substitute one challenge for another.
Proprietary protocols, inconsistent fields and formatting combined with interoperability and connectivity hurdles can turn the process of answering simple questions into a major undertaking. When this undertaking is a recurrent requirement then that effort can seem overwhelming.
Nowhere is this more evident than in security teams, where writing code to integrate technologies is rarely a core competency and almost never a core project, but when a compliance or security event requires explanation, finding and making sense of that data is necessary.
Amazon is changing that with the release of AppFlow. Trend Micro Cloud One is a launch partner with this new service, enabling simple data retrieval from your Cloud One dashboard to be fed into AWS services as needed.
Amazon AppFlow is an application integration service that enables you to securely transfer data between SaaS applications and AWS services in just a few clicks. With AppFlow, you can data flows between supported SaaS applications, including Trend Micro, and AWS services like Amazon S3 and Redshift, and run flows on a schedule, in response to a business event, or on demand. Data transformation capabilities, such as data masking, validation, and filtering, empower you to enrich your data as part of the flow itself without the need for post-transfer manipulation. AppFlow keeps data secure in transit and at rest with the flexibility to bring your own encryption keys.
Audit automation
Any regularly scheduled export or query of Cloud One requires data manipulation before an audit can be performed.
You may be responsible for weekly or monthly reports on the state of your security agents. To create this report today, you’ve written a script to automate the data analysis process. However, any change to the input or output requires new code to be written for your script, and you have to find somewhere to actually run the script for it to work.
As part of a compliance team, this isn’t something you really have time for and may not be your area of expertise, so it takes significant effort to create the required audit report.
Using Amazon AppFlow, you can create a private data flow between RedShift, for example, and your Cloud One environment to automatically and regularly retrieve data describing security policies into an easy to digest format that can be stored for future review. Data flows can also be scheduled so regular reports can be produced without recurring user input.
This process also improves integrity and reduces overall effort by having reports always available, rather than needing to develop them in response to a request.
This eliminates the need for custom code and the subsequent frustration from trying to automate this regularly occurring task.
Developer Enablement
Developers don’t typically have direct access to security management consoles or APIs for Cloud One or Deep Security as a Service. However, they may need to retrieve data from security agents or check the state of agents that need remediation. This requires someone from the security team to pull data for the developer each time this situation arises.
While we encourage and enable DevOps cultures working closely with security teams to automate and deploy securely, no one likes unnecessary steps in their workflow. And having to wait on the security team to export data is adding a roadblock to the development team.
Fortunately, Amazon AppFlow solves this issue as well. By setting up a flow between Deep Security as a Service and Amazon S3, the security team can enable developers to easily access the necessary information related to security agents on demand.
This provides direct access to the needed data without expanding access controls for critical security systems.
Security Remediation
Security teams focus on identifying and remediating security alerts across all their tools and multiple SaaS applications. This often leads to collaborating with other teams across the organization on application-specific issues that must be resolved. Each system and internal team has different requirements and they all take time and attention to ensure everything is running smoothly and securely.
At Trend Micro, we are security people too. We understand the need to quickly and reliably scale infrastructure without compromising its security integrity. We also know that this ideal state is often hindered by the disparate nature of the solutions on which we rely.
Integrating Amazon AppFlow with your Cloud One – Workload Security solution allows you to obtain the security status from each agent and deliver them to the relevant development or cloud team. Data from all machines and instances can be sent on demand to the Amazon S3 bucket you indicate. As an added bonus, Amazon S3 can trigger a Lambda to automate how the data is processed, so what is in the storage bucket can be immediately useful. And all of this data is secured in transit and at rest by default, so you don’t have to worry about an additional layer of security controls to maintain.
Easy and secure remediation that doesn’t slow anyone down is the goal we’re collectively working toward.
It is always our goal to help your business securely move to and operate in the cloud. Our solutions are designed to enable security teams to seamlessly integrate with a DevOps environment, removing the “roadblock” of security.
As always, we’re excited to be part of this new Amazon service, and we believe our customers can see immediate value by leveraging Amazon AppFlow with their existing Trend Micro cloud solutions.
The post Trend Micro Integrates with Amazon AppFlow appeared first on .
Full disclosure: I am a security product testing nerd*.
I’ve been following the MITRE ATT&CK Framework for a while, and this week the results were released of the most recent evaluation using APT29 otherwise known as COZY BEAR.
First, here’s a snapshot of the Trend eval results as I understand them (rounded down):
91.79% on overall detection. That’s in the top 2 of 21.
91.04% without config changes. The test allows for config changes after the start – that wasn’t required to achieve the high overall results.
107 Telemetry. That’s very high. Capturing events is good. Not capturing them is not-good.
28 Alerts. That’s in the middle, where it should be. Not too noisy, not too quiet. Telemetry I feel is critical whereas alerting is configurable, but only on detections and telemetry.
So our Apex One product ran into a mean and ruthless bear and came away healthy. But that summary is a simplification and doesn’t capture all the nuance to the testing. Below are my takeaways for you of what the MITRE ATT&CK Framework is, and how to go about interpreting the results.
Takeaway #1 – ATT&CK is Scenario Based
The MITRE ATT&CK Framework is intriguing to me as it mixes real world attack methods by specific adversaries with a model for detection for use by SOCs and product makers. The ATT&CK Framework Evaluations do this but in a lab environment to assess how security products would likely handle an attack by that adversary and their usual methods. There had always been a clear divide between pen testing and lab testing and ATT&CK was kind of mixing both. COZY BEAR is super interesting because those attacks were widely known for being quite sophisticated and being state-sponsored, and targeted the White House and US Democratic Party. COZY BEAR and its family of derivatives use backdoors, droppers, obfuscation, and careful exfiltration.
Takeaway #2 – Look At All The Threat Group Evals For The Best Picture
I see the tradeoffs as ATT&CK evals are only looking at that one scenario, but that scenario is very reality based and with enough evals across enough scenarios a narrative is there to better understand a product. Trend did great on the most recently released APT/29/COZY BEAR evaluation, but my point is that a product is only as good as all the evaluations. I always advised Magic Quadrant or NSS Value Map readers to look at older versions in order to paint a picture over time of what trajectory a product had.
Takeaway #3 – It’s Detection Focused (Only)
The APT29 test like most Att&ck evals is testing detection, not prevention nor other parts of products (e.g. support). The downside is that a product’s ability to block the attacks isn’t evaluated, at least not yet. In fact blocking functions have to be disabled for parts of the test to be done. I get that – you can’t test the upstairs alarm with the attack dog roaming the downstairs. Starting with poor detection never ends well, so the test methodology seems to be focused on ”if you can detect it you can block it”. Some pen tests are criticized that a specific scenario isn’t realistic because A would stop it before B could ever occur. IPS signature writers everywhere should nod in agreement on that one. I support MITRE on how they constructed the methodology because there has to be limitations and scope on every lab test, but readers too need to understand those limitations and scopes. I believe that the next round of tests will include protection (blocking) as well, so that is cool.
Takeaway #4 – Choose Your Own Weather Forecast
Att&ck is no magazine style review. There is no final grade or comparison of products. To fully embrace Att&ck imagine being provided dozens of very sound yet complex meteorological measurements and being left to decide on what the weather will be. Or have vendors carpet bomb you with press releases of their interpretations. I’ve been deep into the numbers of the latest eval scores and when looking at some of the blogs and press releases out there they almost had me convinced they did well even when I read the data at hand showing they didn’t. I guess a less jaded view is that the results can be interpreted in many ways, some of them quite creative. It brings to mind the great quote from the Lockpicking Lawyer review “the threat model does not include an attacker with a screwdriver”.
Josh Zelonis at Forrester provides a great example of the level of work required to parse the test outcomes, and he provides extended analysis on Github here that is easier on the eyes than the above. Even that great work product requires the context of what the categories mean. I understand that MITRE is taking the stance of “we do the tests, you interpret the data” in order to pick fewer fights and accommodate different use cases and SOC workflows, but that is a lot to put on buyers. I repeat: there’s a lot of nuance in the terms and test report categories.
If, in the absence of Josh’s work, if I have to pick one metric Detection Rate is likely the best one. Note that Detection rate isn’t 100% for any product in the APT29 test, because of the meaning of that metric. The best secondary metrics I like are Techniques and Telemetry. Tactics sounds like a good thing, but in the framework it is lesser than Techniques, as Tactics are generalized bad things (“Something moving outside!”) and Techniques are more specific detections (“Healthy adult male Lion seen outside door”), so a higher score in Techniques combined with a low score in Tactics is a good thing. Telemetry scoring is, to me, best right in the middle. Not too many alerts (noisy/fatiguing) and not too few (“about that lion I saw 5 minutes ago”).
Here’s an example of the interpretations that are valuable to me. Looking at the Trend Micro eval source page here I get info on detections in the steps, or how many of the 134 total steps in the test were detected. I’ll start by excluding any human involvement and exclude the MSSP detections and look at unassisted only. But the numbers are spread across all 20 test steps, so I’ll use Josh’s spreadsheet shows 115 of 134 steps visible, or 85.82%. I do some averaging on the visibility scores across all the products evaluated and that is 66.63%, which is almost 30% less. Besides the lesson that the data needs gathering and interpretation, it highlights that no product spotted 100% across all steps and the spread was wide. I’ll now look at the impact of human involvement add in the MSSP detections and the Trend number goes to 91%. Much clinking of glasses heard from the endpoint dev team. But if I’m not using an MSSP service that… you see my point about context/use-case/workflow. There’s effectively some double counting (i.e. a penalty, so that when removing MSSP it inordinately drops the detection ) of the MSSP factor when removing it in the analyses, but I’ll leave that to a future post. There’s no shortage of fodder for security testing nerds.
Takeaway #5 – Data Is Always Good
Security test nerdery aside, this eval is a great thing and the data from it is very valuable. Having this kind of evaluation makes security products and the uses we put them to better. So dig into ATT&CK and read it considering not just product evaluations but how your organization’s framework for detecting and processing attacks maps to the various threat campaigns. We’ll no doubt have more posts on APT29 and upcoming evals.
*I was a Common Criteria tester in a place that also ran a FIPS 140-2 lab. Did you know that at Level 4 of FIPS a freezer is used as an exploit attempt? I even dipped my toe into the arcane area of Formal Methods using the GYPSY methodology and ran from it screaming “X just equals X! We don’t need to prove that!”. The deepest testing rathole I can recall was doing a portability test of the Orange Book B1 rating for MVS RACF when using logical partitions. I’m never getting those months of my life back. I’ve been pretty active in interacting with most security testing labs like NSS and ICSA and their schemes (that’s not a pejorative, but testing nerds like to use British usages to sound more learned) for decades because I thought it was important to understand the scope and limits of testing before accepting it in any product buying decisions. If you want to make Common Criteria nerds laugh point out something bad that has happened and just say “that’s not bad, it was just mistakenly put in scope”, and that will then upset the FIPS testers because a crypto boundary is a very real thing and not something real testers joke about. And yes, Common Criteria is the MySpace of tests.
The post Getting ATT&CKed By A Cozy Bear And Being Really Happy About It: What MITRE Evaluations Are, and How To Read Them appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a security researcher who has published details about four zero-day vulnerabilities impacting an IBM security product after the company refused to patch the bugs. Also, learn about Amazon’s new AppFlow and how Trend Micro Cloud One integrates with it.
Read on:
Trend Micro’s COVID-19 Resource Page
To help protect you during the COVID-19 pandemic, Trend Micro has put together a resource page to help address the new security challenges you may be facing. This page includes the latest news and information on COVID-19 scams, security tools and programs to help keep you informed and safe while you work remotely.
Security Researcher Discloses Four IBM Zero-Days After Company Refused to Patch
A security researcher has published details about four zero-day vulnerabilities impacting an IBM security product after the company refused to patch bugs following a private bug disclosure attempt. The bugs impact the IBM Data Risk Manager (IDRM), an enterprise security tool that aggregates feeds from vulnerability scanning tools and other risk management tools to let admins investigate security issues.
“We Need COBOL Programmers!” No, You Probably Don’t
New Jersey recently made the news following a plea for COBOL programmers to help modernize legacy systems running unemployment claims that had apparently failed following a recent spike in activity. In a recent blog from Bill Malik, VP of Infrastructure Strategies at Trend Micro, Bill explains why needing more COBOL programmers is likely not the answer.
All the Things COVID-19 Will Change Forever, According to 30 Top Experts
We’re four weeks into the massive time-out forced on us by coronavirus and many of us have spent much of that time trying to get used to the radical lifestyle change the virus has brought. But we’re also beginning to think about the end of the crisis, and what the world will look like afterward. In this article, read Trend Micro CEO Eva Chen’s thoughts on how businesses will operate in the post-COVID world.
Gamaredon APT Group Use COVID-19 Lure in Campaigns
Gamaredon is an APT group that has been active since 2013 and is generally known for targeting Ukrainian government institutions. Trend Micro recently came across an email with a malware attachment that used the Gamaredon group’s tactics. Some of the emails used the coronavirus pandemic as a topic to lure victims into opening emails and attachments, and campaigns targeted victims in European countries, among others.
Grouping Linux IoT Malware Samples with Trend Micro ELF Hash
This year, 31 billion IoT devices are expected to be installed globally. Consequently, cybercriminals have been developing IoT malware, such as backdoors and botnets, for malicious purposes, including digital extortion. In response, Trend Micro created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters malware targeting IoT devices running on Linux, using Executable and Linkable Format (ELF) files.
SBA Reveals Potential Data Breach Impacting 8,000 Emergency Business Loan Applicants
The US Small Business Administration (SBA) has revealed a suspected data breach impacting the portal used by business owners to apply for emergency loans. On Tuesday, the US agency said the incident may affect close to 8,000 applicants to the Economic Injury Disaster Loan program (EIDL), which offers up to $10,000 to small business owners currently struggling due to the coronavirus pandemic.
Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
Recently, Trend Micro wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this blog, Trend Micro expands on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. These malicious files have been found to turn Redis instances into cryptocurrency-mining bots and infect other vulnerable instances via their “wormlike” spreading capability.
Trend Micro Integrates with Amazon AppFlow
The acceleration of in-house development enabled by public cloud and Software-as-a-Service (SaaS) platform adoption in the last few years has given us new levels of visibility and access to data. Putting all the data together to generate insights and action, however, can present a challenge. Amazon is changing that with the release of AppFlow. Trend Micro Cloud One is a launch partner with this new service, enabling simple data retrieval from your Cloud One dashboard to be fed into AWS services as needed.
iOS Exploit Lets Attackers Access Default iPhone Mail App
This week it was reported that alleged Chinese state-sponsored hackers have been exploiting a critical vulnerability in iOS to spy to Uyghurs Muslim minority in China. In a new report published by security firm Zecops, it has been noted that a bug in iOS has been exploited by hackers since at least January 2018.
Nemty Ransomware Ceases Public Operations, Focuses on Private Schemes
Threat actors behind Nemty ransomware are to close their ransomware-as-a-service operation as they zero in on private schemes. This was confirmed in a Russian hacker forum post that security researcher Vitali Kremez shared with Bleeping Computer. In the post, “jsworm,” the ransomware’s operator, declared that “we leave in private” (translated from Russian) and that current victims only have one week to acquire decryptors for the last time.
Maze Ransomware Attacks US IT Firm
According to a report from Bleeping Computer, IT managed services firm Cognizant suffered a ransomware attack purportedly conducted by threat actors behind Maze ransomware. The company has emailed their clients about the attack, including a preliminary list of indicators of compromise (IoC) identified through its investigation. The list of IoCs include IP addresses and file hashes, which have been linked to previous Maze attacks.
Containers Are Not VMs, and Other Misconceptions
The adoption rate of containers has been steadily growing as organizations begin to see the benefits container technology provides. This adoption represents a new computing paradigm for many of the engineers responsible for running the IT infrastructure of these organizations – but new concepts often come with misconceptions. In this article, Trend Micro’s Rob Maynard shares some of the biggest misconceptions about container technology.
Australian Health Insurance-Themed Spam Spreads Ursnif
Trend Micro researchers encountered a spam campaign referencing the Australian health insurance brand Medicare. The attachment, which Trend Micro detects as Trojan.X97M.URSNIF.THDAEBO, downloads the malicious file (detected as TrojanSpy.Win32.URSNIF.THDAEBO). The campaign aims to spread the spyware Ursnif, also known as Gozi.
Loki Delivered as CAB File Attachment
Trend Micro has found a spam sample that delivers the info stealer Loki through an attached Windows Cabinet (CAB) file in its honeypot. The email that bears the malicious file poses as a quotation request to trick the user into executing the binary file inside the CAB file.
Know the Symptoms: Protect Your Devices While Working from Home
Would you know if one of your devices was compromised? In this article, Trend Micro shares how cybercriminals are leveraging the COVID-19 pandemic to capitalize on vulnerable hardware and unsecured systems. Trend Micro also shares common symptoms of compromise across mobile devices, desktops, laptops and IoT devices.
What do you think will be the biggest change to business in the post-COVID world? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Security Researcher Discloses Four IBM Zero-Days After Company Refused to Patch and Trend Micro Integrates with Amazon AppFlow appeared first on .
Teaching you to be a Natural Born Pillar!
Last week, we took you through the “WHO” of securing a cloud migration here, detailing each of the roles involved with implementing a successful security practice during a cloud migration. Read: everyone. This week, I will be touching on the “WHAT” of security; the key principles required before your first workload moves. The Well-Architected Framework Security Pillar will be the baseline for this article since it thoroughly explains security concepts in a best practice cloud design.
If you are not familiar with the AWS Well-Architected Framework, go google it right now. I can wait. I’m sure telling readers to leave the article they’re currently reading is a cardinal sin in marketing, but it really is important to understand just how powerful this framework is. Wait, this blog is html ready – here’s the link: https://wa.aws.amazon.com/index.en.html. It consists of five pillars that include best practice information written by architects with vast experience in each area.
Since the topic here is Security, I’ll start by giving a look into this pillar. However, I plan on writing about each and as I do, each one of the graphics above will become a link. Internet Magic!
There are seven principles as a part of the security framework, as follows:
|
|
Now, a lot of these principles can be solved by using native cloud services and usually these are the easiest to implement. One thing the framework does not give you is suggestions on how to set up or configure these services. While it might reference turning on multi-factor authentication as a necessary step for your identity and access management policy, it is not on by default. Same thing with file object encryption. It is there for you to use but not necessarily enabled on the ones you create.
Here is where I make a super cool (and free) recommendation on technology to accelerate your learning about these topics. We have a knowledge base with hundreds of cloud rules mapped to the Well-Architected Framework (and others!) to help accelerate your knowledge during and after your cloud migration. Let us take the use case above on multi-factor authentication. Our knowledge base article here details the four R’s: Risk, Reason, Rationale, and References on why MFA is a security best practice.
Starting with a Risk Level and detailing out why this is presents a threat to your configurations is a great way to begin prioritizing findings. It also includes the different compliance mandates and Well-Architected pillar (obviously Security in this case) as well as descriptive links to the different frameworks to get even more details.
The reason this knowledge base rule is in place is also included. This gives you and your teams context to the rule and helps further drive your posture during your cloud migration. Sample reason is as follows for our MFA Use Case:
“As a security best practice, it is always recommended to supplement your IAM user names and passwords by requiring a one-time passcode during authentication. This method is known as AWS Multi-Factor Authentication and allows you to enable extra security for your privileged IAM users. Multi-Factor Authentication (MFA) is a simple and efficient method of verifying your IAM user identity by requiring an authentication code generated by a virtual or hardware device on top of your usual access credentials (i.e. user name and password). The MFA device signature adds an additional layer of protection on top of your existing user credentials making your AWS account virtually impossible to breach without the unique code generated by the device.”
If Reason is the “what” of the rule, Rationale is the “why” supplying you with the need for adoption. Again, perfect for confirming your cloud migration path and strategy along the way.
“Monitoring IAM access in real-time for vulnerability assessment is essential for keeping your AWS account safe. When an IAM user has administrator-level permissions (i.e. can modify or remove any resource, access any data in your AWS environment and can use any service or component – except the Billing and Cost Management service), just as with the AWS root account user, it is mandatory to secure the IAM user login with Multi-Factor Authentication.
Implementing MFA-based authentication for your IAM users represents the best way to protect your AWS resources and services against unauthorized users or attackers, as MFA adds extra security to the authentication process by forcing IAM users to enter a unique code generated by an approved authentication device.”
Finally, all the references for each of the risk, reason, and rationale, are included at the bottom which helps provide additional clarity. You’ll also notice remediation steps, the 5th ‘R’ when applicable, which shows you how to actually the correct the problem.
All of this data is included to the community as Trend Micro continues to be a valued security research firm helping the world be safe for exchanging digital information. Explore all the rules we have available in our public knowledge base: https://www.cloudconformity.com/knowledge-base/.
This blog is part of a multi-part series dealing with the principles of a successful cloud migration. For more information, start at the first post here: https://blog.trendmicro.com/principles-of-a-cloud-migration-from-step-one-to-done/
The post Principles of a Cloud Migration – Security, The W5H – Episode WHAT? appeared first on .
The introduction of the MITRE ATT&CK evaluations is a welcomed addition to the third-party testing arena. The ATT&CK framework, and the evaluations in particular, have gone such a long way in helping advance the security industry as a whole, and the individual security products serving the market.
The insight garnered from these evaluations is incredibly useful. But let’s admit, for everyone except those steeped in the analysis, it can be hard to understand. The information is valuable, but dense. There are multiple ways to look at the data and even more ways to interpret and present the results (as no doubt you’ve already come to realize after reading all the vendor blogs and industry articles!) We have been looking at the data for the past week since it published, and still have more to examine over the coming days and weeks.
The more we assess the information, the clearer the story becomes, so we wanted to share with you Trend Micro’s 10 key takeaways for our results:
1. Looking at the results of the first run of the evaluation is important:
|
|
|
|
2. There is a hierarchy in the type of main detections – Techniques is most significant
|
|
https://attackevals.mitre.org/APT29/detection-categories.html
3. More alerts does not equal better alerting – quite the opposite
|
|
4. Managed Service detections are not exclusive
|
|
5. Let’s not forget about the effectiveness and need for blocking!
|
|
6. We need to look through more than the Windows
|
|
7. The evaluation shows where our product is going
|
|
8. This evaluation is helping us make our product better
|
|
9. MITRE is more than the evaluation
|
|
10. It is hard not to get confused by the fud!
|
|
The post Trend Micro’s Top Ten MITRE Evaluation Considerations appeared first on .
If you have to ask yourself when to implement security, you probably need a time machine!
Security is as important to your migration as the actual workload you are moving to the cloud. Read that again.
It is essential to be planning and integrating security at every single layer of both architecture and implementation. What I mean by that, is if you’re doing a disaster recovery migration, you need to make sure that security is ready for the infrastructure, your shiny new cloud space, as well as the operations supporting it. Will your current security tools be effective in the cloud? Will they still be able to do their task in the cloud? Do your teams have a method of gathering the same security data from the cloud? More importantly, if you’re doing an application migration to the cloud, when you actually implement security means a lot for your cost optimization as well.
In this graph, it’s easy to see that the earlier you can find and resolve security threats, not only do you lessen the workload of infosec, but you also significantly reduce your costs of resolution. This can be achieved through a combination of tools and processes to really help empower development to take on security tasks sooner. I’ve also witnessed time and time again that there’s friction between security and application teams often resulting in Shadow IT projects and an overall lack of visibility and trust.
Start there. Start with bringing these teams together, uniting them under a common goal: Providing value to your customer base through agile secure development. Empower both teams to learn about each other’s processes while keeping the customer as your focus. This will ultimately bring more value to everyone involved.
At Trend Micro, we’ve curated a number of security resources designed for DevOps audiences through our Art of Cybersecurity campaign. You can find it at https://www.trendmicro.com/devops/.
Also highlighted on this page is Mark Nunnikhoven’s #LetsTalkCloud series, which is a live stream series on LinkedIn and YouTube. Seasons 1 and 2 have some amazing content around security with a DevOps focus – stay tuned for Season 3 to start soon!
This is part of a multi-part blog series on things to keep in mind during a cloud migration project. You can start at the beginning which was kicked off with a webinar here: https://resources.trendmicro.com/Cloud-One-Webinar-Series-Secure-Cloud-Migration.html.
Also, feel free to give me a follow on LinkedIn for additional security content to use throughout your cloud journey!
The post Principles of a Cloud Migration – Security W5H – The When appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how the operators of the Shade (Troldesh) ransomware have shut down and released more than 750,000 decryption keys. Also, learn about an attack using Zoom installers to spread a WebMonitor RAT malware.
Read on:
The Industry 4.0 Lab Never Ignores Brownfields – What POLIMI and Trend Micro Aim to Prove
It takes time for new technologies to penetrate the market and even the most innovative technology must be used safely and with confidence. Industry 4.0 technology is no exception. Engineers and researchers, including those at Politecnico di Milano (POLIMI) and Trend Micro, are currently investigating how to map ICT technology principles onto OT environments, including factory environments.
Shade (Troldesh) Ransomware Shuts Down and Releases Decryption Keys
The operators of the Shade (Troldesh) ransomware have shut down and, as a sign of goodwill, have released more than 750,000 decryption keys that past victims can now use to recover their files. Security researchers from Kaspersky Lab have confirmed the validity of the leaked keys and are now working on creating a free decryption tool.
Trend Micro’s Top Ten MITRE Evaluation Considerations
The MITRE ATT&CK framework, and the evaluations, have gone a long way in helping advance the security industry, and the individual security products serving the market. The insight garnered from these evaluations is incredibly useful but can be hard to understand. In this blog, read Trend Micro’s top 10 key takeaways for its evaluation results.
New Android Malware Steals Banking Passwords, Private Data and Keystrokes
A new type of mobile banking malware has been discovered abusing Android’s accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Dubbed “EventBot” by Cybereason researchers, the malware can target over 200 different financial apps, including banking, money transfer services, and crypto-currency wallets.
Principles of a Cloud Migration – Security, The W5H – Episode WHAT?
Last week in Trend Micro’s cloud migration blog series, we explained the “WHO” of securing a cloud migration, detailing each of the roles involved with implementing a successful security practice during the migration. This week, Trend Micro touches on the “WHAT” of security: the key principles required before your first workload moves.
Critical WordPress e-Learning Plugin Bugs Open Door to Cheating
Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more.
WebMonitor RAT Bundled with Zoom Installer
The COVID-19 pandemic has highlighted the usefulness of communication apps for work-from-home setups. However, as expected, cybercriminals look to exploit popular trends and user behavior. Trend Micro has witnessed threats against several messaging apps, including Zoom. In April, Trend Micro spotted an attack using Zoom installers to spread a cryptocurrency miner. Trend Micro recently encountered a similar attack that drops a different malware: RevCode WebMonitor RAT.
Group Behind TrickBot Spreads Fileless BazarBackdoor
A new campaign is spreading a new malware named “BazarBackdoor,” a fileless backdoor created by the same threat actors behind TrickBot, according to BleepingComputer. The conclusion is drawn due to similarities in code, crypters, and infrastructure between the two malware variants. The social engineering attacks used to spread the backdoor use topics such as customer complaints, COVID-19-themed payroll reports, and employee termination lists for the emails they send out.
Critical Adobe Illustrator, Bridge and Magento Flaws Patched
Adobe is warning of critical flaws in Adobe Bridge, Adobe Illustrator and the Magento e-commerce platform. If exploited, the most severe vulnerabilities could enable remote code execution on affected systems. Francis Provencher, Mat Powell, and an anonymous reporter were credited for discovering the flaws, all working with Trend Micro’s Zero Day Initiative.
Guidance on Kubernetes Threat Modeling
Kubernetes is one of the most used container orchestration systems in cloud environments. As such, like any widely used application, it is an attractive target for cybercriminals and other threat actors. In this blog, Trend Micro shares three general areas that cloud administrators need to secure their deployments against, as they can introduce threats or risks to their Kubernetes-driven containerization strategies.
Loki Info Stealer Propagates Through LZH Files
Trend Micro previously encountered a spam sample that propagates the info stealer Loki through Windows Cabinet (CAB) files. Recently, Trend Micro also acquired another sample that delivers the same malware, but through LZH compressed archive files. Trend Micro detects the attachment and the dropper as TrojanSpy.Win32.LOKI.TIOIBYTU.
Security 101: How Fileless Attacks Work and Persist in Systems
As security measures improve, modern adversaries continue to craft sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which don’t require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.
COVID-19 Lockdown Fuels Increase in RDP Attacks
The number of attacks abusing the remote desktop protocol (RDP) to compromise corporate environments has increased significantly over the past couple of months, according to Kaspersky. With employees worldwide forced to work from home due to the COVID-19 pandemic, the volume of corporate traffic has increased significantly, just as the use of third-party services has increased to keep teams connected and efficient.
What measures are you taking to secure your migration to the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Shade Ransomware Shuts Down, Releases Decryption Keys and WebMonitor RAT Bundled with Zoom Installer appeared first on .
If the past couple of months have taught us anything, it’s that partnerships matter in times of crisis. We’re better, stronger and more resilient when we work together. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia and law enforcement to offer its expertise.
We are again delighted to be working with long-time partner INTERPOL over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from a deluge of COVID-19 threats.
The new normal
All over the world, organizations have been forced to rapidly adjust to the new normal: social distancing, government lockdowns and mass remote working. While most have responded superbly to the challenge, there’s no denying that IT security teams and remote access infrastructure are being stretched to the limit. There are understandable concerns that home workers may be more distracted, and therefore likely to click on phishing links, and that their PCs and devices may not be as well protected as corporate equivalents.
At the same time, the bad guys have also reacted quickly to take advantage of the pandemic. Phishing campaigns using COVID as a lure have surged, spoofing health authorities, government departments and corporate senders. BEC attacks try to leverage the fact that home workers may not have colleagues around to check wire transfer requests. And remote infrastructure like RDP endpoints and VPNs are being targeted by ransomware attackers — even healthcare organizations that are simultaneously trying to treat critical patients infected with the virus.
Getting the basics right
That’s why Trend Micro has been pushing out regular updates — not only on the latest scams and threats we’re picking up around the globe, but also with advice on how to secure the newly distributed workforce. Things like improved password security, 2FA for work accounts, automatic software updates, regular back-ups, remote user training, and restricted use of VPNs can all help. We’re also offering six months free use of our flagship Trend Micro Maximum Security product to home workers.
Yet there’s always more to do. Getting the message across as far and wide as possible is where organizations like INTERPOL come in. That’s why we’re delighted to be teaming up with the global policing organization to run a new public awareness campaign throughout May. It builds on highly successful previous recent campaigns we’ve collaborated on, to tackle BEC and crypto-jacking.
This time, we’ll be resharing some key resources on social media to alert users to the range of threats out there, and what businesses and home workers can do to stay safe. And we’ll help to develop infographics and other new messages on how to combat ransomware, online scams, phishing and other threats.
We’re all doing what we can during these difficult days. But if some good can come from a truly terrible event like this, then it’s that we show our strength in the face of adversity. And by following best practices, we can make life much tougher for the cybercriminals looking to profit from tragedy.
The post Teaming up with INTERPOL to combat COVID-19 threats appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports. Also, learn about tips for IT and security pros struggling to patch properly throughout the pandemic.
Read on:
#Let’sTalkSecurity: Bounty Smarter Not Harder
This Week, Rik Ferguson, Vice President of Security Research at Trend Micro, hosted the first episode of #Let’sTalkSecurity featuring Katie Moussouris, Founder and CEO of Luta Security. This series explores security and how it impacts our digital world. In discussion with some of the brightest and most influential minds in the community, Trend Micro explores this fascinating topic. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.
Teaming Up with INTERPOL to Combat COVID-19 Threats
Partnerships matter in times of a crisis. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia, and law enforcement to collaborate. Trend Micro is delighted to be working with long-time partner, INTERPOL, over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from an influx of COVID-19 threats.
7 Tips for Security Pros Patching in a Pandemic
Patch management has historically been a challenge for IT and security teams, which are under pressure to create strong programs and deploy fixes as they are released. Now, their challenges are intensified as a global shift to remote work forces companies to rethink patching strategies. In this article, experts in vulnerability and patch management share their advice for IT and security pros struggling to patch properly throughout the pandemic.
Principles of a Cloud Migration – Security W5H – The When
Security is as important to your cloud migration as the actual workload you are moving to the cloud. It is essential to plan and integrate security at every single layer of both architecture and implementation. If you are doing a disaster recovery migration, you need to make sure that security is ready for the infrastructure, your shiny new cloud space, as well as the operations supporting it.
Samsung Patches 0-click Vulnerability Impacting All Smartphones Sold Since 2014
This week Samsung released a security update to fix a critical vulnerability impacting all smartphones sold since 2014. The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.
Security 101: How Fileless Attacks Work and Persist in Systems
As security measures get better at identifying and blocking malware and other threats, modern adversaries are constantly crafting sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which do not require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.
Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform
Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company’s massive user base.
Phishing, Other Threats Target Email and Video App Users
Trend Micro has seen several threats abusing tools utilized in work from home (WFH) setups. Cybercriminals are using credential phishing sites to trick users into entering their credentials into fake login pages of email and collaboration platforms and videoconferencing apps.
Firefox 76 Delivers New Password Security Features and Security Fixes
Just in time for this year’s World Password Day, Mozilla has released new Firefox Lockwise features. Starting with Firefox 76, users will be able to check whether any of the passwords they use are vulnerable (e.g., identical to a password that has been breached) and be alerted when their login and password is involved in a breach.
Excel Files with Hidden Sheets Target Users in Italy
A spam campaign using emails that have Excel file (.xls) attachments has been seen circulating and targeting users in Italy, Germany and other countries. The attachment appears blank when opened, but it has a sheet set to “hidden” that attempts to connect to a URL and download a file. Setting sheets to hidden is a documented feature. Some of the subjects of the spam emails written in Italian involve topics like free services, correcting information, invoice details, order completion and service assistance.
Coinminer, DDoS Bot Attack Docker Daemon Ports
Researchers found an open directory containing malicious files, which was first reported in a series of Twitter posts by MalwareHunterTeam. Analyzing some of the files, Trend Micro found a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports. The attack starts with the shell script named mxutzh.sh, which scans for open ports (2375, 2376, 2377, 4243, 4244) and then creates an Alpine Linux container that will host the coinminer and DDoS bot.
Naikon APT Hid Five-Year Espionage Attack Under Radar
After five years under the radar, the Naikon APT group has been unmasked in a long-term espionage campaign against several governments in the Asia-Pacific region. The Chinese APT group was first uncovered by Kaspersky researchers in 2015. A recently discovered widespread campaign reveals the group has spent the past five years quietly developing their skills and introducing the “Aria-body” RAT into their arsenal of weapons.
What do you think about Firefox’s new Lockwise password security features? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: 7 Tips for Security Pros Patching in a Pandemic and Coinminer, DDoS Bot Attack Docker Daemon Ports appeared first on .
“Wherever I go, there I am” -Security
I recently had a discussion with a large organization that had a few workloads in multiple clouds while assembling a cloud security focused team to build out their security policy moving forward. It’s one of my favorite conversations to have since I’m not just talking about Trend Micro solutions and how they can help organizations be successful, but more so on how a business approaches the creation of their security policy to achieve a successful center of operational excellence. While I will talk more about the COE (center of operational excellence) in a future blog series, I want to dive into the core of the discussion – where do we add security in the cloud?
We started discussing how to secure these new cloud native services like hosted services, serverless, container infrastructures, etc., and how to add these security strategies into their ever-evolving security policy.
Quick note: If your cloud security policy is not ever-evolving, it’s out of date. More on that later.
A colleague and friend of mine, Bryan Webster, presented a concept that traditional security models have been always been about three things: Best Practice Configuration for Access and Provisioning, Walls that Block Things, and Agents that Inspect Things. We have relied heavily on these principles since the first computer was connected to another. I present to you this handy graphic he presented to illustrate the last two points.
But as we move to secure cloud native services, some of these are outside our walls, and some don’t allow the ability to install an agent. So WHERE does security go now?
Actually, it’s not all that different – just how it’s deployed and implemented. Start by removing the thinking that security controls are tied to specific implementations. You don’t need an intrusion prevention wall that’s a hardware appliance much like you don’t need an agent installed to do anti-malware. There will also be a big focus on your configuration, permissions, and other best practices. Use security benchmarks like the AWS Well-Architected, CIS, and SANS to help build an adaptable security policy that can meet the needs of the business moving forward. You might also want to consider consolidating technologies into a cloud-centric service platform like Trend Micro Cloud One, which enables builders to protect their assets regardless of what’s being built. Need IPS for your serverless functions or containers? Try Cloud One Application Security! Do you want to push security further left into your development pipeline? Take a look at Trend Micro Container Security for Pre-Runtime Container Scanning or Cloud One Conformity for helping developers scan your Infrastructure as Code.
Keep in mind – wherever you implement security, there it is. Make sure that it’s in a place to achieve the goals of your security policy using a combination of people, process, and products, all working together to make your business successful!
This is part of a multi-part blog series on things to keep in mind during a cloud migration project. You can start at the beginning which was kicked off with a webinar here: https://resources.trendmicro.com/Cloud-One-Webinar-Series-Secure-Cloud-Migration.html.
Also, feel free to give me a follow on LinkedIn for additional security content to use throughout your cloud journey!
The post Principles of a Cloud Migration – Security W5H – The WHERE appeared first on .
“Alexa, turn on the TV.”
”Get it yourself.”
This nightmare scenario could play out millions of times unless people take steps to protect their IoT devices. The situation is even worse in industrial settings. Smart manufacturing, that is, Industry 4.0, relies on tight integration between IT systems and OT systems. Enterprise resource planning (ERP) software has evolved into supply chain management (SCM) systems, reaching across organizational and national boundaries to gather all forms of inputs, parting out subcomponent development and production, and delivering finished products, payments, and capabilities across a global canvas.
Each of these synergies fulfills a rational business goal: optimize scarce resources across diverse sources; minimize manufacturing, shipping, and warehousing expense across regions; preserve continuity of operations by diversifying suppliers; maximize sales among multiple delivery channels. The supply chain includes not only raw materials for manufacturing, but also third party suppliers of components, outsourced staff for non-core business functions, open source software to optimize development costs, and subcontractors to fulfill specialized design, assembly, testing, and distribution tasks. Each element of the supply chain is an attack surface.
Software development has long been a team effort. Not since the 1970s have companies sought out the exceptional talented solo developer whose code was exquisite, flawless, ineffable, undocumented, and impossible to maintain. Now designs must be clear across the team, and testing requires close collaboration between architects, designers, developers, and production. Teams identify business requirements, then compose a solution from components sourced from publically shared libraries. These libraries may contain further dependencies on yet other third-party code of unknown provenance. Simplified testing relies on the quality of the shared libraries, but shared library routines may have latent (or intentionally hidden) defects that do not come to life until in a vulnerable production environment. Who tests GitHub? The scope of these vulnerabilities is daunting. Trend Micro just published a report, “Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis,” that surveys the Industry 4.0 attack surface.
Within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. Industrial robots provide a clear example. Industrial robots are tireless, precision machines programmed to perform exacting tasks rapidly and flawlessly. What did industry do before robots? Factories either relied on hand-built products or on non-programmable machines that had to be retooled for any change in product specifications. Hand-built technology required highly skilled machinists, who are expensive and require time to deliver. See Figure 1 for an example.
Figure 1: The cost of precision
Non-programmable robots require factory down time for retooling, a process that can take weeks. Before programmable industrial robots, automobile factories would deliver a single body style across multiple years of production. Programmable robots can produce different configurations of materials with no down time. They are used everywhere in manufacturing, warehousing, distribution centers, farming, mining, and soon guiding delivery vehicles. The supply chain is automated.
However, the supply chain is not secure. The protocols industrial robots depend on assumed the environment was isolated. One controller would govern the machines in one location. Since the connection between the controller and the managed robots was hard-wired, there was no need for operator identification or message verification. My controller would never see your robot. My controller would only connect to my robot, so the messages they exchanged needed no authentication. Each device assumed all its connections were externally verified. Even the safety systems assumed the network was untainted and trustworthy. No protocols included any security or privacy controls. Then Industry 4.0 adopted wireless communications.
The move, which saved the cost of laying cable in the factory, opened those networks to eavesdropping and attacks. Every possible attack against industrial robots is happening now. Bad guys are forging commands, altering specifications, changing or suppressing error alerts, modifying output statistics, and rewriting logs. The consequences can be vast yet nearly undetectable. In the current report on Rogue Robots, our Forward-looking Threat Research team, collaborating with the Politecnico di Milano (POLIMI), analyzes the range of specific attacks today’s robots face, and the potential consequences those attacks may have.
Owners and operators of programmable robots should heed the warnings of this research, and consider various suggested remedies. Forewarned is forearmed.
The Rogue Robots research is here: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/rogue-robots-testing-industrial-robot-security.
The new report, Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis, is here: https://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems.
What do you think? Let me know in the comments below, or @WilliamMalikTM.
The post Securing Smart Manufacturing appeared first on .
The COVID-19 pandemic, along with social distancing, has done many things to alter our lives. But in one respect it has merely accelerated a process begun many years ago. We were all spending more and more time online before the virus struck. But now, forced to work, study and socialize at home, the online digital world has become absolutely essential to our communications — and video conferencing apps have become our “face-to-face” window on the world.
The problem is that as users flock to these services, the bad guys are also lying in wait — to disrupt or eavesdrop on our chats, spread malware, and steal our data. Zoom’s problems have perhaps been the most widely publicized, because of its quickly rising popularity, but it’s not the only platform whose users have been potentially at risk. Cisco’s WebEx and Microsoft Teams have also had issues; while other platforms, such as Houseparty, are intrinsically less secure (almost by design for their target audience, as the name suggests).
Let’s take a look at some of the key threats out there and how you can stay safe while video conferencing.
Depending on the platform (designed for work or play) and the use case (business or personal), there are various opportunities for the online attacker to join and disrupt or eavesdrop on video conferencing calls. The latter is especially dangerous if you’re discussing sensitive business information.
Malicious hackers may also look to deliver malware via chats or shared files to take control of your computer, or to steal your passwords and sensitive personal and financial information. In a business context, they could even try to hijack your video conferencing account to impersonate you, in a bid to steal info from or defraud your colleagues or company.
The bad guys may also be able to take advantage of the fact that your home PCs and devices are less well-secured than those at work or school—and that you may be more distracted at home and less alert to potential threats.
To accomplish their goals, malicious hackers can leverage various techniques at their disposal. These can include:
|
|
Zoom has in many ways become the victim of its own success. With daily meeting participants soaring from 10 million in December last year to 200 million by March 2020, all eyes have been focused on the platform. Unfortunately, that also includes hackers. Zoom has been hit by a number of security and privacy issues over the past several months, which include “Zoombombing” (meetings disrupted by uninvited guests), misleading encryption claims, a waiting room vulnerability, credential theft and data collection leaks, and fake Zoom installers. To be fair to Zoom, it has responded quickly to these issues, realigning its development priorities to fix the security and privacy issues discovered by its intensive use.
And Zoom isn’t alone. Earlier in the year, Cisco Systems had its own problem with WebEx, its widely-used enterprise video conferencing system, when it discovered a flaw in the platform that could allow a remote, unauthenticated attacker to enter a password-protected video conferencing meeting. All an attacker needed was the meeting ID and a WebEx mobile app for iOS or Android, and they could have barged in on a meeting, no authentication necessary. Cisco quickly moved to fix the high-severity vulnerability, but other flaws (also now fixed) have cropped up in WebEx’s history, including one that could enable a remote attacker to send a forged request to the system’s server.
More recently, Microsoft Teams joined the ranks of leading business videoconferencing platforms with potentially deadly vulnerabilities. On April 27 it surfaced that for at least three weeks (from the end of February till the middle of March), a malicious GIF could have stolen user data from Teams accounts, possibly across an entire company. The vulnerability was patched on April 20—but it’s a reminder to potential video conferencing users that even leading systems such as Zoom, WebEx, and Teams aren’t fool-proof and require periodic vulnerability and security fixes to keep them safe and secure. This is compounded during the COVID-19 pandemic when workers are working from home and connecting to their company’s network and systems via possibly unsecure home networks and devices.
So how do you choose the best, most secure, video conferencing software for your work-at-home needs? There are many solutions on the market today. In fact, the choice can be dizzying. Some simply enable video or audio meetings/calls, while others also allow for sharing and saving of documents and notes. Some are only appropriate for one-on-one connections or small groups, while others can scale to thousands.
In short, you’ll need to choose the video conferencing solution most appropriate to your needs, while checking if it meets a minimum set of security standards for working at home. This set of criteria should include end-to-end encryption, automatic and frequent security updates, the use of auto-generated meeting IDs and strong access controls, a program for managing vulnerabilities, and last but not least, good privacy practices by the company.
Some video conferencing options alongside Zoom, WebEx, and Teams include:
|
|
Whatever video conferencing platform you use, it’s important to bear in mind that cyber-criminals will always be looking to take advantage of any security gaps they can find — in the tool itself or your use of it. So how do you secure your video conferencing apps? Some tips listed here are Zoom-specific, but consider their equivalents in other platforms as general best-practice tips. Depending on the use case, you might choose to not enable some of the options here.
|
|
Fortunately, Trend Micro has a range of capabilities that can support your efforts to stay safe while using video conferencing services.
Trend Micro Home Network Security (HNS) protects every device in your home connected to the internet. That means it will protect you from malicious links and attachments in phishing emails spoofed to appear as if sent from video conferencing firms, as well as from those sent by hackers that may have covertly entered a meeting. Its Vulnerability Check can identify any vulnerabilities in your home devices and PCs, including work laptops, and its Remote Access Protection can reduce the risk of tech support scams and unwanted remote connections to your device. Finally, it allows parents to control their kids’ usage of video conferencing applications, to limit their exposure.
Trend Micro Security also offers protection against email, file, and web threats on your devices. Note too, that Password Manager is automatically installed with Maximum Security to help users create unique, strong passwords for each application/website they use, including video conferencing sites.
Finally, Trend Micro WiFi Protection (multi-platform) / VPN Proxy One (Mac and iOS) offer VPN connections from your home to the internet, creating secure encrypted tunnels for traffic to flow down. The VPN apps work on both Wi-Fi and Ethernet connections. This could be useful for users concerned their video conferencing app isn’t end-to-end encrypted, or for those wishing to protect their identity and personal information when interacting on these apps.
The post From Bugs to Zoombombing: How to Stay Safe in Online Meetings appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how researchers at Trend Micro used an app store to demonstrate hacks on a manufacturing facility. Also, learn about this month’s patch activity from Microsoft.
Read on:
How Two Researchers Used an App Store to Demonstrate Hacks on a Factory
When malicious code spread through the networks of Rheinmetall Automotive, it disrupted plants on two continents, temporarily costing up to $4 million each week. While awareness of these type of threats has grown, there’s still a risk that too many organizations view such attacks as isolated incidents, rather than the work of a determined attacker. Federico Maggi, a senior researcher at Trend Micro, set out to dispel that mindset.
#LetsTalkSecurity: Hacker Adventures
This Week, Rik Ferguson, Vice President of Security Research at Trend Micro, hosted the second episode of #LetsTalkSecurity featuring Jayson E. Street, Vice President at SphereNY. This series explores security and how it impacts our digital world. In discussion with some of the brightest and most influential minds in the community, Trend Micro explores this fascinating topic. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.
Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday
For the third consecutive month Microsoft issued a hefty list of Patch Tuesday security updates covering 111 CVEs with 16 making the critical list. This is the third month Microsoft has had more than 100 vulnerabilities listed in its monthly security rollup, but unlike the last few months, May’s list does not contain any vulnerabilities currently being exploited in the wild.
Principles of a Cloud Migration – Security W5H – The WHERE
Where do we add security in the cloud? Start by removing the thinking that security controls are tied to specific implementations. You don’t need an intrusion prevention wall that’s a hardware appliance much like you don’t need an agent installed to do anti-malware. This blog puts the focus on your configuration, permissions, and other best practices.
Trend Micro recently published a report that surveys the Industry 4.0 attack surface, finding that within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. In the current report on rogue robots, Trend Micro collaborated with the Politecnico di Milano to analyze the range of specific attacks today’s robots face, and the potential consequences those attacks may have.
Package Delivery Giant Pitney Bowes Confirms Second Ransomware Attack in 7 Months
Package and mail delivery giant Pitney Bowes suffered its second ransomware attack in seven months. The incident came to light after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company’s network. The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company’s computer network.
Tropic Trooper’s Back: USBferry Attack Targets Air-Gapped Environments
Trend Micro recently found that Tropic Trooper’s latest activities center around targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack. Trend Micro also observed targets among military/navy agencies, government institutions, military hospitals, and a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.
Texas Courts Won’t Pay Up in Ransomware Attack
A ransomware attack has hit the IT office that supports Texas appellate courts and judicial agencies, leading to their websites and computer servers being shut down. The office said that it will not pay the ransom requested by the cybercriminals. Specifically affected is the Office of Court Administration, which is the IT provider for the appellate courts and state judicial agencies within the Texas Judicial Branch.
New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability
Trend Micro found an application sample in April called TinkaOTP that seemed like a normal one-time password authentication tool. However, further investigation showed the application bearing a striking resemblance to Dacls remote access trojan (RAT), a Windows and Linux backdoor that 360 Netlab discovered in December 2019.
Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability
Security researcher Vinoth Kumar says Facebook awarded him $20,000 after he discovered and reported a Document Object Model-based cross-site scripting (DOM XSS) vulnerability that could have been exploited to hijack accounts. The researcher says he discovered the vulnerability in the window.postMessage() method, which is meant to safely enable cross-origin communication between Window objects.
Cloud Security: Key Concepts, Threats, and Solutions
Enterprises may be migrating requirements to the cloud, starting fully in the cloud (going “cloud native”), or mastering their cloud-based security strategy. Regardless of what stage of the cloud journey a company is in, cloud administrators should be able to conduct security operations like performing vulnerability management, identifying important network events, carrying out incident response, and gathering and acting on threat intelligence — all while keeping many moving parts in compliance with relevant industry standards.
From Bugs to Zoombombing: How to Stay Safe in Online Meetings
Forced to now work, study, and socialize at home, the online digital world has become essential to our communications — and video conferencing apps have become our “face-to-face” window on the world. The problem is that as users flock to these services, the bad guys are also waiting to disrupt or eavesdrop on chats, spread malware, and steal data. In this blog, Trend Micro explores some of the key threats out there and how users can stay safe while video conferencing.
Surprised by Texas courts’ decision not to pay the ransom in its latest ransomware attack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: How Researchers Used an App Store to Demonstrate Hacks on a Factory and Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a new security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device. Also, learn about two malware files that pose as Zoom installers but when decoded, contain malware code.
Read on:
Forward-Looking Security Analysis of Smart Factories <Part 1> Overlooked Attack Vectors
Trend Micro recently released a paper showing the results of proof-of-concept research on new security risks associated with smart factories. In this series of five columns, Trend Micro will explore the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This first column introduces the concept of “smart manufacturing,” and explains the research methods and attack vectors that are unique to smart factories.
Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers
Trend Micro found two malware files that pose as Zoom installers but when decoded, contain malware code. These malicious fake installers do not come from Zoom’s official installation distribution channels. One of the samples installs a backdoor that allows threat actors to run malicious routines remotely, while the other sample involves the installation of the Devil Shadow botnet in devices.
Adobe Releases Critical Out-of-Band Security Update
This week, Adobe released four security updates, one of them being an out-of-band security update for Adobe Character Animator that fixes a critical remote code execution vulnerability. All these vulnerabilities were discovered by Mat Powell of Trend Micro’s Zero Day Initiative and were not found in the wild.
QNodeService: Node.js Trojan Spread via Covid-19 Lure
Trend Micro recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.
ShinyHunters Is a Hacking Group on a Data Breach Spree
In the first two weeks of May, a hacking group called ShinyHunters went on a rampage, hawking what it claims is close to 200 million stolen records from at least 13 companies. Such binges aren’t unprecedented in the dark web stolen data economy, but they’re a crucial driver of identity theft and fraud.
Netwalker Fileless Ransomware Injected via Reflective Loading
Trend Micro has observed Netwalker ransomware attacks involving malware that is not compiled but written in PowerShell and executed directly in memory and without storing the actual ransomware binary into the disk. This makes this ransomware variant a fileless threat, enabling it to maintain persistence and evade detection by abusing tools that are already in the system to initiate attacks.
Beware of Phishing Emails Urging for a LogMeIn Security Update
LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page. The phishing email has been made to look like it’s coming from LogMeIn. Not only does the company logo feature prominently in the email body, but the sender’s identity has been spoofed and the phishing link looks, at first glance, like it might be legitimate.
Phishing Site Uses Netflix as Lure, Employs Geolocation
A phishing site was found using a spoofed Netflix page to harvest account information, credit card credentials, and other personally identifiable information (PII), according to a Twitter post by PartnerRe Information Security Analyst Andrea Palmieri. Trend Micro looked into the malicious site, hxxp://secure-up-log.com/netflix/, to learn more about the operation and found that the sites have geolocation features.
New Bluetooth Vulnerability Exposes Billions of Devices to Hackers
Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion modern devices to hackers. The attacks, dubbed Bluetooth Impersonation Attacks or BIAS, concern Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices.
#LetsTalkSecurity: Fighting Back
This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the third episode of #LetsTalkSecurity featuring guest Katelyn Bowden, CEO & founder of The BADASS Army. In this week’s episode, Rik and Katelyn discuss fighting back and more. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.
Fraudulent Unemployment, COVID-19 Relief Claims Earn BEC Gang Millions
An infamous business email compromise (BEC) gang has submitted hundreds of fraudulent claims with state-level U.S. unemployment websites and coronavirus relief funds. Behind the attacks is Scattered Canary, a highly organized Nigerian cybergang that employs dozens of threat actors to target U.S. enterprise organizations and government institutions. Researchers who tracked the fraudulent activity said the gang may have made millions from the fraudulent activity.
Factory Security Problems from an IT Perspective (Part 1): Gap Between the Objectives of IT and OT
The manufacturing industry is undergoing drastic changes and entering a new transition period. Today, it may be difficult to find companies that don’t include Digital Transformation (DX) or the Internet of Things (IoT) in their strategies. Manufacturing companies need to include cybersecurity in both the information technology (IT) domain and the operational technology (OT) one as well. This three-part blog series discusses the challenges that IT departments face when assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges.
What did you think about this week’s #LetsTalkSecuirty episode? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: New Bluetooth Vulnerability Exposes Billions of Devices to Hackers and Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers appeared first on .
The cybercrime economy is one of the runaway success stories of the 21st century — at least, for those who participate in it. Estimates claim it could be worth over $1 trillion annually, more than the GDP of many countries. Part of that success is due to its ability to evolve and shift as the threat landscape changes. Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, we’ve seen a major shift to new platforms, communications channels, products and services, as trust on the dark web erodes and new market demands emerge.
We also expect the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.
Shifts in the underground
Our latest report, Shifts in the Cybercriminal Underground Markets, charts the fascinating progress of cybercrime over the past five years, through detailed analysis of forums, marketplaces and dark web sites around the world. It notes that in many product areas, the cost of items has dropped as they become commoditised: so where in 2015 you expected to pay $1000 per months for crypting services, today they may be as little as $20.
In other areas, such as IoT botnets, cyber-propaganda and stolen gaming account credentials, prices are high as new products spark surging demand. Fortnite logins can sell for around $1,000 on average, for example.
The good news is that law enforcement action appears to be working. Trend Micro has long partnered with Interpol, Europol, national crime agencies and local police to provide assistance in investigations. So it’s good to see that these efforts are having an impact. Many dark web forums and marketplaces have been infiltrated and taken down over the past five years, and our researchers note that current users complain of DDoS-ing and log-in issues.
Cybercriminals have been forced to take extreme measures as trust erodes among the community, for example, by using gaming communications service Discord to arrange trades, and e-commerce platform Shoppy.gg to sell items. A new site called DarkNet Trust was even created to tackle this specific challenge: it aims to verify cybercrime vendors’ reputations by analysing their usernames and PGP fingerprints.
What does the future hold?
However, things rarely stay still on the cybercrime underground. Going forward, we expect to see a range of new tools and techniques flood dark web stores and forums. AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals.
Some emerging trends are less hi-tech but no less damaging. Log-ins for wearable devices could be stolen and used to request replacements under warranty, defrauding the customer and costing the manufacturers dear. In fact, access to devices, systems and accounts is so common today that we’re already seeing it spun out in “as-a-service” cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.
Post-pandemic threats
Then there’s COVID-19. We’re already seeing fraudsters targeted government stimulus money with fake applications, sometimes using phished information from legitimate businesses. And healthcare organisations are being targeted with ransomware as they battle to save lives.
Even as the pandemic recedes, remote working practices are likely to stay in many organisations. What does this mean for cybercrime? It means more targeting of VPN vulnerabilities with malware and DDoS services. And it means more opportunities to compromise corporate networks via connected home devices. Think of it like a kind of Reverse BYOD scenario – instead of bringing devices into work to connect, the corporate network is now merged with home networks.
Tackling such challenges will demand a multi-layered strategy predicated around that familiar trio: people, process and technology. It will require more training, better security for home workers, improved patch management and password security, and much more besides. But most of all it will demand continued insight into global cybercriminals and the platforms they inhabit, to anticipate where the next threats are coming from.
Fortunately, this is where Trend Micro’s expert team of researchers come in. We won’t let them out of our sight.
The post How the Cybercriminal Underground Has Changed in 5 Years appeared first on .
Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. And certainly, moving resources to the cloud just has to be safer, right? The cloud provider is going to keep our data and applications safe for sure. Hackers won’t stand a chance. Wrong. More commonly than anyone should, I often hear this delusion from many customers. The truth of the matter is, without proper configuration and the right skillsets administering the cloud presence, as well as practicing common-sense security practices, cloud services are just (if not more) vulnerable.
The Shared Responsibility Model
Before going any further, we need to discuss the shared responsibility model of the cloud service provider and user.
When planning your migration to the cloud, one needs to be aware of which responsibilities belong to which entity. As the chart above shows, the cloud service provider is responsible for the cloud infrastructure security and physical security of such. By contrast, the customer is responsible for their own data, the security of their workloads (all the way to the OS layer), as well as the internal network within the companies VPC’s.
One more pretty important aspect that remains in the hands of the customer is access control. Who has access to what resources? This is really no different than it’s been in the past, exception being the physical security of the data center is handled by the CSP as opposed to the on-prem security, but the company (specifically IT and IT security) are responsible for locking down those resources efficiently.
Many times, this shared responsibility model is overlooked, and poor assumptions are made the security of a company’s resources. Chaos ensues, and probably a firing or two.
So now that we have established the shared responsibility model and that the customer is responsible for their own resource and data security, let’s take a look at some of the more common security issues that can affect the cloud.
Amazon S3
Amazon S3 is a truly great service from Amazon Web Services. Being able to store data, host static sites or create storage for applications are widely used use cases for this service. S3 buckets are also a prime target for malicious actors, since many times they end up misconfigured.
One such instance occurred in 2017 when Booz Allen Hamilton, a defense contractor for the United States, was pillaged of battlefield imagery as well as administrator credentials to sensitive systems.
Yet another instance occurred in 2017, when due to an insecure Amazon S3 bucket, the records of 198 million American voters were exposed. Chances are if you’re reading this, there’s a good chance this breach got you.
A more recent breach of an Amazon S3 bucket (and I use the word “breach,” however most of these instances were a result of poor configuration and public exposure, not a hacker breaking in using sophisticated techniques) had to do with the cloud storage provider “Data Deposit Box.” Utilizing Amazon S3 buckets for storage, a configuration issue caused the leak of more than 270,000 personal files as well as personal identifiable information (PII) of its users.
One last thing to touch on the subject of cloud file storage has to do with how many organizations are using Amazon S3 to store uploaded data from customers as a place to send for processing by other parts of the application. The problem here is how do we know if what’s being uploaded is malicious or not? This question comes up more and more as I speak to more customers and peers in the IT world.
API
APIs are great. They allow you to interact with programs and services in a programmatic and automated way. When it comes to the cloud, APIs allow administrators to interact with services, an in fact, they are really a cornerstone of all cloud services, as it allows the different services to communicate. As with anything in this world, this also opens a world of danger.
Let’s start with the API gateway, a common construct in the cloud to allow communication to backend applications. The API gateway itself is a target, because it can allow a hacker to manipulate the gateway, and allow unwanted traffic through. API gateways were designed to be integrated into applications. They were not designed for security. This means untrusted connections can come into said gateway and perhaps retrieve data that individual shouldn’t see. Likewise, the API requests to the gateway can come with malicious payloads.
Another attack that can affect your API gateway and likewise the application behind it, is a DDOS attack. The common answer to defend against this is Web Application Firewall (WAF). The problem is WAFs struggle to deal with low, slow DDOS attacks, because the steady stream of requests looks like normal traffic. A really great way to deter DDOS attacks at the API gateway however is to limit the number of requests for each method.
A great way to prevent API attacks lies in the configuration. Denying anonymous access is huge. Likewise, changing tokens, passwords and keys limit the chance effective credentials can be used. Lastly, disabling any type of clear-text authentication. Furthermore, enforcing SSL/TLS encryption and implementing multifactor authentication are great deterrents.
Compute
No cloud service would be complete without compute resources. This is when an organization builds out virtual machines to host applications and services. This also introduces yet another attack surface, and once again, this is not protected by the cloud service provider. This is purely the customers responsibility.
Many times, in discussing my customers’ migration from an on-premises datacenter to the cloud, one of the common methods is the “lift-and-shift” approach. This means customers take the virtual machines they have running in their datacenter and simply migrating those machines to the cloud. Now, the question is, what kind of security assessment was done on those virtual machines prior to migrating? Were those machines patched? Were discovered security flaws fixed? In my personal experience the answer is no. Therefore, these organizations are simply taking their problems from one location to the next. The security holes still exist and could potentially be exploited, especially if the server is public facing or network policies are improperly applied. For this type of process, I think a better way to look at this is “correct-and-lift-and-shift”.
Now once organizations have already established their cloud presence, they will eventually need to deploy new resources, and this can mean developing or building upon a machine image. The most important thing to remember here is that these are computers. They are still vulnerable to malware, so regardless of being in the cloud or not, the same security controls are required including things like anti-malware, host IPS, integrity monitoring and application control just to name a few.
Networking
Cloud services make it incredibly easy to deploy networks and divide them into subnets and even allow cross network communication. They also give you the ability to lock down the types of traffic that are allowed to traverse those networks to reach resources. This is where security groups come in. These security groups are configured by people, so there’s always that chance that a port is open that shouldn’t be, opening a potential vulnerability. It’s incredibly important from this perspective to really have a grasp on what a compute resource is talking to and why, so the proper security measures can be applied.
So is the cloud really safe from hackers? No safer than anything else unless organizations make sure they’re taking security in their hands and understand where their responsibility begins, and the cloud service provider’s ends. The arms war between hackers and security professionals is still the same as it ever was, the battleground just changed.
The post Is Cloud Computing Any Safer From Malicious Hackers? appeared first on .
If the first few months of 2020 have taught us anything, it’s the importance of collaboration and partnership to tackle a common enemy. This is true of efforts to fight the current pandemic, and it’s also true of the fight against cybercrime. That’s why Trend Micro has, over the years, struck partnerships with various organizations that share a common goal of securing our connected world.
So when we heard that one of these partners, the non-profit Shadowserver Foundation, was in urgent need of financial help, we didn’t hesitate to step in. Our new $600,000 commitment over three years will help to support the vital work it does collecting and sharing global threat data for the next three years.
What is Shadowserver?
Founded in 2004, The Shadowserver Foundation is now one of the world’s leading resources for reporting vulnerabilities, threats and malicious activity. Their work has helped to pioneer a more collaborative approach among the international cybersecurity community, from vendors and academia to governments and law enforcement.
Today, its volunteers, 16 full-time staff and global infrastructure of sinkholes, honeypots and honeyclients help run 45 scans across 4 billion IPv4 addresses every single day. It also performs daily sandbox scans on 713,000 unique malware samples, to add to the 12 Petabytes of malware and threat intelligence already stored on its servers. Thousands of network owners, including 109 CSIRTS in 138 countries worldwide, rely on the resulting daily reports — which are available free of charge to help make the digital world a safer place.
A Global Effort
Trend Micro is a long-time partner of The Shadowserver Foundation. We automatically share new malware samples via its malware exchange program, with the end goal of improving protection for both Trend Micro customers and Shadowserver subscribers around the world. Not only that, but we regularly collaborate on global law enforcement-led investigations. Our vision and mission statements of working towards a more secure, connected world couldn’t be more closely aligned.
As COVID-19 has brutally illustrated, protecting one’s own backyard is not enough to tackle a global challenge. Instead, we need to reach out and build alliances to take on the threats and those behind them, wherever they are. These are even more pronounced at a time when remote working has dramatically expanded the corporate attack surface, and offered new opportunities for the black hats to prosper by taking advantage of distracted employees and stretched security teams.
The money Trend Micro has donated over the next three years will help the Shadowserver Foundation migrate to the new data center it urgently needs and support operational costs that combined will exceed $2 million in 2020. We wish the team well with their plans for this year.
It’s no exaggeration to say that our shared digital world is a safer place today because of their efforts, and we hope to continue to collaborate long into the future
The post Securing the Connected World with Support for The Shadowserver Foundation appeared first on .
Nowadays, Macs are part of the work-from-home workforce during the COVID-19 pandemic. If you’ve brought a Mac from the office to home, it’s likely your IT department has already set it up to meet your company’s security policies. But what if you’re enlisting a Mac already at home to do duty for your company? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time.
Here are 21 tips for staying secure, private, and productive while working from home on your Mac—while also making sure your personal “helpdesk” is in place, should you run into problems while doing your work.
While good security habits are important for all Mac users (since, contrary to popular opinion, Macs are as vulnerable to malicious attacks as PCs), you need to take special care when working from home on your Mac because you’ll be interacting with your company’s applications and platforms over the internet. Start your “security upgrade” with the Mac itself, to keep it free of viruses and malware. Make sure your security checklist includes the following:
|
|
Trend Micro Mac Endpoint Security solutions include:
|
|
Next, you need to make sure your work remains private. This means creating a “chain of privacy” that extends from your Mac over the internet to your company’s servers, so that each link in the chain is “locked” to ensure your company data remains private.
|
|
Trend Micro Mac Privacy/Security solutions include:
|
|
Working from home means contending with home distractions (though working in the office has its own set of distractions too). Staying productive therefore includes setting good work and break habits, physically optimizing your work-from-home Mac setup, and keeping your Mac in good working order. Effective and productive remote working, when it comes setting up good work habits, using efficiency maximizing tools, and separating work from home activities, is a whole topic in itself. Here we include only those tips that directly affect the healthy operation and optimization of your Mac:
|
|
Trend Micro Performance tools include:
|
|
Finally, should things go wrong at any time with your working Mac setup, you need to make sure to have a work-from-home “Help Desk” in place for when you need it. This can include the following:
|
|
Trend Micro Solutions include:
|
|
That’s it! These tips should get you started on the road to staying secure, private, and productive, while running smoothly, as you work from home on your Mac. During the COVID-19 pandemic, many of us are doing just that. Now is the time to keep your working Mac working for you!
The post 21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac appeared first on .
“How about… ya!”
Security needs to be treated much like DevOps in evolving organizations; everyone in the company has a responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time – Security by default. Here are a few pointers to get you started:
1. Security should be a focus from the top on down
Executives should be thinking about security as a part of the cloud migration project, and not just as a step of the implementation. Security should be top of mind in planning, building, developing, and deploying applications as part of your cloud migration. This is why the Well Architected Framework has an entire pillar dedicated to security. Use it as a framework to plan and integrate security at each and every phase of your migration.
2. A cloud security policy should be created and/or integrated into existing policy
Start with what you know: least privilege permission models, cloud native network security designs, etc. This will help you start creating a framework for these new cloud resources that will be in use in the future. Your cloud provider and security vendors, like Trend Micro, can help you with these discussions in terms of planning a thorough policy based on the initial migration services that will be used. Remember from my other articles, a migration does not just stop when the workload has been moved. You need to continue to invest in your operation teams and processes as you move to the next phase of cloud native application delivery.
3. Trend Micro’s Cloud One can check off a lot of boxes!
Using a collection of security services, like Trend Micro’s Cloud One, can be a huge relief when it comes to implementing runtime security controls to your new cloud migration project. Workload Security is already protecting thousands of customers and billions of workload hours within AWS with security controls like host-based Intrusion Prevention and Anti-Malware, along with compliance controls like Integrity Monitoring and Application Control. Meanwhile, Network Security can handle all your traffic inspection needs by integrating directly with your cloud network infrastructure, a huge advantage in performance and design over Layer 4 virtual appliances requiring constant changes to route tables and money wasted on infrastructure. As you migrate your workloads, continuously check your posture against the Well Architected Framework using Conformity. You now have your new infrastructure secure and agile, allowing your teams to take full advantage of the newly migrated workloads and begin building the next iteration of your cloud native application design.
This is part of a multi-part blog series on things to keep in mind during a cloud migration project. You can start at the beginning which was kicked off with a webinar here: https://resources.trendmicro.com/Cloud-One-Webinar-Series-Secure-Cloud-Migration.html. To have a more personalized conversation, please add me to LinkedIn!
The post Principles of a Cloud Migration – Security W5H – The HOW appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how, over the past five years, the cybercriminal underground has seen a major shift to new platforms, communications channels, products, and services. Also, read about a new wave of Sandworm cyberattacks against email servers conducted by one of Russia’s most advanced cyber-espionage units.
Read on:
How the Cybercriminal Underground Has Changed in 5 Years
Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, it has seen a major shift to new platforms, communications channels, products, and services, as trust on the dark web erodes and new market demands emerge. Trend Micro expects the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.
Shadowserver, an Internet Guardian, Finds a Lifeline
In March, internet security group Shadowserver learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility—not to mention an additional $1.7 million to make it through the year—the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. This week, Trend Micro committed $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts.
#LetsTalkSecurity: No Trust for the Wicked
This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Dave Lewis, Global Advisory CISO at Duo Security. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.
Principles of a Cloud Migration – Security W5H – The HOW
Security needs to be treated much like DevOps in evolving organizations, meaning everyone in the company has a shared responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time – security by default. In this blog from Trend Micro, learn 3 tips to get you started on your journey to securing the cloud.
What’s Trending on the Underground Market?
Trust has eroded among criminal interactions in the underground markets, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, a new Trend Micro report reveals. Determined efforts by law enforcement appear to be having an impact on the cybercrime underground as several forums have been taken down by global police entities.
Is Cloud Computing Any Safer from Malicious Hackers?
Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. But is cloud computing any safer from malicious threat actors? Read this blog from Trend Micro to find out.
Smart Yet Flawed: IoT Device Vulnerabilities Explained
The variety and range of functions of smart devices present countless ways of improving different industries and environments. While the “things” in the internet of things (IoT) benefits homes, factories, and cities, these devices can also introduce blind spots and security risks in the form of vulnerabilities. Vulnerable smart devices open networks to attack vectors and can weaken the overall security of the internet. For now, it is better to be cautious and understand that “smart” can also mean vulnerable to threats.
Cyberattacks Against Hospitals Must Stop, Says Red Cross
Immediate action needs to be taken to stop cyberattacks targeting hospitals and healthcare organizations during the ongoing coronavirus pandemic – and governments around the world need to work together to make it happen, says a newly published open letter signed by the International Committee of the Red Cross, former world leaders, cybersecurity executives and others.
Securing the 4 Cs of Cloud-Native Systems: Cloud, Cluster, Container, and Code
Cloud-native technologies enable businesses to make the most of their cloud resources with less overhead, faster response times, and easier management. Like any technology that uses various interconnected tools and platforms, security plays a vital role in cloud-native computing. Cloud-native security adopts the defense-in-depth approach and divides the security strategies utilized in cloud-native systems into four different layers.
Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652
Researchers from F-Secure recently disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. Trend Micro has witnessed attacks exploiting these vulnerabilities, notably those using cryptocurrency miners.
PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time
A Java-based ransomware known as PonyFinal has emerged, targeting enterprise systems management servers as an initial infection vector. It exfiltrates information about infected environments, spreads laterally and then waits before striking — the operators go on to encrypt files at a later date and time, when the likelihood of the target paying is deemed to be the most likely.
Qakbot Resurges, Spreads through VBS Files
Trend Micro has seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from Trend Micro’s sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April.
CSO Insights: SBV’s Ian Keller on the Challenges and Opportunities of Working Remotely
The COVID-19 pandemic has forced businesses to change the way they operate. These abrupt changes come with a unique set of challenges, including security challenges. Ian Keller, Chief Security Officer of SBV Services in South Africa, sat down with Trend Micro and shared his thoughts on how SBV is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward.
NSA Warns of New Sandworm Attacks on Email Servers
The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia’s most advanced cyber-espionage units. The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).
In the second part of this five series column, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This column is especially applicable for architects, engineers, and developers who are involved in smart factory technology.
Factory Security Problems from an IT Perspective (Part 2): People, Processes, and Technology
This blog is the second in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. In this article, Trend Micro carries out an analysis to uncover the challenges that lie in the way of promoting factory security from an IT perspective.
21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac
If you brought a Mac home from the office, it’s likely already set up to meet your company’s security policies. But what if you are using your personal Mac to work from home? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time. In this blog, learn 21 tips for staying secure, private, and productive while working from home on your Mac.
Surprised by the new wave of Sandworm attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers appeared first on .
I would like to express my outrage over the brutal killings of George Floyd, Breonna Taylor, and Ahmaud Arbery – not as the CEO of an international company, but as a human being and a citizen of the world. It makes me very sad, but also intensely frustrated and angry to realize how little is being done around the world to overcome the blatant inequality and racism that persists. The disturbing, high-profile incidents in the past weeks expose in a cruel way how we live in a world where fear, uncertainty and discrimination continue to impact the lives of black people every single day.
As a global society, we should do better; we must be better.
At Trend Micro, we are committed to providing a safe, empathetic and respectful environment where we reject any form of racism and discrimination, with zero tolerance. We not only welcome diversity in our Trend Micro family, we encourage it, whether it is diversity of race, ethnicity, nationality, gender, gender identification, sexual orientation, physical ability, age, religion, veteran status, socio-economic status, and political philosophy. We believe it is our different backgrounds and experiences that make us who we are and make us as strong as we are. But we continue to listen and learn how to create equality for all.
I feel very strongly that we all need to do something and become a force for change. We have an obligation towards our communities and our children to leave this world in a better place. I am fortunate as a CEO to be able to use my voice to speak out against any kind of discrimination, against racism in any form. I ask that we all seek to expand our perspectives and heighten our awareness of others. We must open our eyes to the current and ugly truth and challenge any subconscious tendencies to avoid this painful reality of inequality!
Today I am inspired to lift up the voice of a young Trend Micro employee who posted on our internal web site:
“Progress is a process. Unity is part of the process.
Unity drives awareness…
Awareness drives education…
Education drives action…
Action drives change…
Let’s make a change!”
These are very difficult times for us as individuals, communities, and as nations. I ask you to join me in doing our part to fight racism – we can’t afford any more lives to be lost, any more children growing up deprived of their opportunities. First and foremost, we need to listen to our black communities and educate ourselves. And we must acknowledge that this is an ongoing issue – and continue to fight inequality every day, even when the protests don’t make headlines anymore. We can all make a difference. Speak out against injustice, listen to the stories of inequality, act, vote and make a change.
Together, we can make this world a better place!
Eva Chen
The post Message from Eva Chen – as a human being, not a CEO: We need to speak out and act against racism appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a new module for the infamous trojan known as TrickBot that has been deployed. Also, read about Google’s $5 billion class-action lawsuit over claims that it has been collecting people’s browsing information when using the incognito browsing mode.
Read on:
No Entry: How Attackers Can Sneak Past Facial Recognition Devices
Now more than ever, businesses are looking into contactless entry solutions, turning to edge devices that use facial recognition or small devices like radio-frequency identification cards. These devices serve as the first line of defense for keeping intruders out of offices, which can be subject to many different types of attacks. In this blog, Trend Micro analyzes the different ways an intruder can trick or hack into facial recognition access control devices.
Cloud Security and Data Protection: What Enterprises Need to Know
Data security is rarely the first consideration when choosing a public cloud service provider. That is changing, though, because of the rise of tougher rules, regulations, and standards aimed at protecting consumer privacy. In this article, Mark Nunnikhoven, vice president of cloud research at Trend Micro, shares his thoughts on what enterprises need to know about cloud security and data protection.
Lemon Duck Cryptominer Spreads Through Covid-19 Themed Emails
In a recent campaign, Trend Micro came across a PowerShell script (mailer script) that distributes the Lemon Duck cryptominer through a new propagation method: Covid-19-themed emails with weaponized attachments. These emails are delivered to all Microsoft Outlook contacts of the user of a compromised machine, as similarly observed by SANS Internet Storm Center.
TrickBot Adds BazarBackdoor to Malware Arsenal
A new module for the infamous trojan known as TrickBot has been deployed: A stealthy backdoor that researchers call “BazarBackdoor.” The binary was first spotted being delivered as part of a phishing campaign that began in March, according to Panda Security. The campaign used the legitimate marketing platform Sendgrid to reach targets in a mass-mailing fashion.
Factory Security Problems from an IT Perspective (Part 3): Practical Approach for Stable Operation
This article is the last in a three-part series discussing the challenges IT departments face when they are tasked with overseeing cybersecurity in factories and implementing measures to overcome those challenges. For strong factory security, Trend Micro recommends three measures: network separation, layer-optimized measures, and integrated management of these elements. In this third article, Trend Micro explains this concrete approach to security.
Zoom Patches Two Serious Vulnerabilities Found by Cisco Researchers
Members of Cisco’s Talos threat intelligence and research group have identified two vulnerabilities in the Zoom client application that can allow a remote attacker to write files to the targeted user’s system and possibly achieve arbitrary code execution. The vulnerabilities, tracked as CVE-2020-6109 and CVE-2020-6110, are both rated high severity.
#LetsTalkSecurity: Ghost in the Machine
This Week, Rik Ferguson, vice president of security research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Joe Slowik, USN Vet, Adversary Hunter, and Digital Sanitation Engineer with a focus on ICS. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.
Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode
Google faces a $5 billion class-action lawsuit over claims that it has been collecting people’s browsing information without their knowledge when using the incognito browsing mode that is meant to keep their online activities private. The lawsuit, filed in the federal court in San Jose, California, alleges that Google compiles user data through Google Analytics, Google Ad Manager and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads.
Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique
Trend Micro recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (detected as AndroidOS_HiddenAd.HRXJA). This includes behavior that can be seen even when the user is not actively using the phone.
Email Scammer Pleads Guilty to Defrauding Texas Firms Out of More Than $500,000
A 64-year-old man has admitted his role in an email-based fraud scheme that relied on spoofed email addresses to con two companies out of more than $500,000. Kenety Kim, or Myung Kim, pleaded guilty Tuesday in a Texas court to conspiracy to commit money laundering as part his role in a business email compromise scheme.
Surprised by Google’s lawsuit over tracking users in incognito mode? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode and TrickBot Adds Enterprise-grade Module to Malware Arsenal appeared first on .
The analyst firm Canalys annually produces their Cybersecurity Leadership Matrix. Whereas many third-party assessments are looking at just the security product, this one focuses on the value to channel partners.
Sidebar: what is the channel? If you aren’t actively buying or selling cybersecurity and aren’t familiar with the term, the short answer is that the channel is how products get from the maker to the buyer. Resellers are the most commonly discussed example, however the channel is also distributors, system integrators, and others. Most established cybersecurity makers don’t have a big sales force that sells direct, for good reasons. Channel partners are usually not a single product seller, and they know a region, vertical or specific customer best and are ideally the end users’ de facto partner or trusted advisor. The channel dedicated for smaller companies sell more than just cybersecurity and can be an extension of the CIO team. Channel partners select products carefully: they are usually in for a much longer period of time and more of a commitment than a specific buyer.
Partners have to train staff, make significant investments, become familiar with the product and back it with their reputation. Features alone aren’t enough. Even the very best product that isn’t backed with a channel friendly vendor is a nightmare for the channel. Of course, bad products are a non-starter no matter how channel-friendly a company is as that reseller has to live with any fallout. Assessing channel success matters obviously to the channel but it is also significant for buyers. Channel partner success at the end of the day is a simple metric: a positive customer experience throughout a product lifecycle. In my experience a channel partner will do a more thorough product assessment than any enterprise buyer.
Canalys does a good job in capturing the channel aspects of a successful cybersecurity vendor with the leadership matrix, and they make it more than just about product or channel but combine the two. So, it is good news that Trend Micro is in the upper right “Champions” quadrant in 2020. It’s significant to me that Trend Micro is one of only seven entries in that quadrant when there are, according to Richard Stiennon, more than 2300 cybersecurity vendors in the world[1]. What is particularly significant to me is that the placement movement for Trend from last 2019 was so important, as it reflects the effort and focus we have put on our channel activities.
Like any third-party assessment it matters to know the context, so check out the Matrix here, and our own formal announcement here.
[1] https://www.techcentury.com/2020/02/14/cybersecurity-guru-stiennon-publishes-2020-yearbook/
The post Not Just Good Security Products, But a Good Partner appeared first on .
Some smart devices are not limited to use on the home network; for instance, your child’s mobile phone or tablet. Keeping your kids safe on these on-the-go devices means extending your security policies beyond the home. Trend Micro Home Network Security (HNS) makes it easy with its complementary app, Trend Micro Guardian. Guardian integrates with HNS’s parental control rules via Mobile Device Management technology to extend the rules you’ve applied on your home network to your children’s Wi-Fi / mobile connections outside the home.
Guardian enables the following security and parental controls:
|
|
Setup and Configuration
In order to benefit from these features, the Trend Micro Guardian app must be installed on your child’s device and paired with your Home Network Security Station. It’s recommended that you install Trend Micro Guardian on the child’s device before setting up Parental Controls. However, you may also save the Trend Micro Guardian setup process until after you’ve defined the Parental Control rules for your child. Either way, Guardian accepts the rules defined and applies them to the child’s device whenever they go beyond your home and hook up to public WiFi or their mobile network.
For the Trend Micro Guardian app setup and installation process, you may refer to FAQ: Trend Micro Guardian or the Home Network Security Product Guide for more details.
A Few Additional Notes
|
|
Protection that Goes Where Your Child Goes
Internet safety for kids is a must, whether they’re online at home, or out and about, away from home. Trend Micro Guardian ensures the child will observe and practice the same security rules at home and on the internet anywhere in the world.
For more information on Trend Micro Home Network Security with Guardian, go to Home Network Security.
The post Trend Micro Guardian: Protecting Your Kids On-the-Go appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Microsoft’s largest-ever Patch Tuesday update including 129 CVEs. Also, read about a new Android Spyware dubbed ActionSpy.
Read on:
Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update
Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products.
#LetsTalkSecurity: Become the Hunter
This week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the sixth episode of #LetsTalkSecurity featuring guest Jake Williams, founder of Rendition Infosec. Check out this week’s episode and follow the link to find more information about upcoming episodes and guests.
Not Just Good Security Products, But a Good Partner
This week, Trend Micro announced it has been placed in the Champions quadrant of the Canalys Global Cybersecurity Leadership Matrix, in recognition of major investments and improvements in the channel over the past year. The report particularly highlights Trend Micro’s partner portal improvements that include significant investments in deal registration, sales kits, promotions and training.
12 Biggest Cloud Threats and Vulnerabilities In 2020
Data breaches, cybercrime and targeted attacks in the cloud have driven demand for cloud security products and services in recent years. From misconfigured storage buckets and excess privileges to Infrastructure as Code (IoC) templates and automated attacks, here’s a look at 12 of the biggest cloud threats technical experts are worried about this year. Data breaches, cybercrime and targeted attacks in the cloud have driven demand for cloud security products and services in recent years.
Trend Micro Guardian: Protecting Your Kids On-the-Go
Some smart devices are not limited for use on the home network, for example, your child’s mobile phone or tablet. Keeping your kids safe with on-the-go devices means extending your security policies beyond the home. Trend Micro Home Network Security makes it easy with its free app, Trend Micro Guardian. Guardian integrates with HNS’s parental control rules via Mobile Device Management technology to extend the rules you’ve applied on your home network to your children’s Wi-Fi/mobile connections outside the home.
Microsoft Discovers Cryptomining Gang Hijacking ML-Focused Kubernetes Clusters
Microsoft published a report detailing a never-before-seen series of attacks against Kubeflow, a toolkit for running machine learning (ML) operations on top of Kubernetes clusters. The attacks have been going on since April, and Microsoft says its end-goal has been to install a cryptocurrency miner on Kubernetes clusters running Kubeflow instances exposed to the internet.
New Tekya Ad Fraud Found on Google Play
In late March, researchers from CheckPoint found the Tekya malware family being used to carry out ad fraud on Google Play. These apps have since been removed from the store, but Trend Micro recently found a variant of this family that had made its way onto Google Play via five malicious apps, although these have also been removed.
Fake COVID-19 Contact-Tracing Apps Infect Android Phones
Security researchers have identified 12 malicious Android applications, disguised to appear as official government COVID-19 contact-tracing apps, distributing malware onto devices. The Anomali Threat Research team found multiple applications containing a range of malware families, primarily banking Trojan Anubis and SpyNote, an Android Trojan with the goal of collecting and monitoring data on infected devices.
Tracking, Detecting, and Thwarting PowerShell-based Malware and Attacks
While traditional malware and attacks rely on crafted executables to function, fileless malware reside in memory to evade traditional scanners and detection methods. PowerShell, a legitimate management tool used by system administrators, provides an ideal cover for threat actors as they craft payloads heavily dependent on its deep Windows integration. Trend Micro has published multiple reports on this phenomenon, which has been further validated by telemetry data.
Updated Analysis on Nefilim Ransomware’s Behavior
Shortly after the discovery of Nefilim in March 2019, Trend Micro released its analysis of the ransomware and its behavior. Through recent investigations of cases observed in several companies, Trend Micro has amassed more information on how this ransomware operates. Some notable updates added the use of other tools such as Mimikatz, AdFind, CobaltStrike, and MegaSync, and the description of events that occur within the attack phases weeks or even months before the ransomware is deployed.
New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
While tracking Earth Empura, also known as POISON CARP/Evil Eye, Trend Micro identified an undocumented Android spyware it has dubbed ActionSpy. During the first quarter of 2020, Trend Micro observed Earth Empusa’s activity targeting users in Tibet and Turkey before they extended their scope to include Taiwan.
Babylon Health Admits ‘Software Error’ Led to Patient Data Breach
Babylon Health, a UK AI chatbot and telehealth startup which has been valued in excess of $2BN, has suffered an embarrassing data breach after a user of the app found he was able to access other patients’ video consultations. The company confirmed the breach yesterday, telling the BBC that a “software error” related to a feature that lets users switch from audio to video-based consultations part way through a call had caused a “small number” of UK users to be able to see others sessions.
In part three of this five-part blog series, Trend Micro looks at the security risks of promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This blog describes the usage of Industrial IoT (IIoT) devices and overlooked security risks in software supply chains.
Surprised by the new Android spyware ActionSpy that was revealed via phishing attacks from Earth Empusa? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update and New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how the next generation of Intel mobile processors will include malware protection built into the chip. Also, read about a new phishing campaign that uses brand names to bypass security filters and trick victims into giving up Microsoft Office 365 credentials to gain access to corporate networks.
Read on:
Intel Says ‘Tiger Lake’ Will Drown Control-Flow Malware
Announced this week, the next generation of Intel mobile processors will include malware protection built into the chip. The protection, provided by Intel’s Control-Flow Enforcement Technology (CET), will first be available in the company’s “Tiger Lake” mobile processors. In this article, Greg Young, vice president of cybersecurity at Trend Micro, shares his thoughts.
Forward-Looking Security Analysis of Smart Factories Part 4: MES Database Compromises
In this five-part blog series, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios and recommended defense strategies. Part four describes how the Manufacturing Engineering System (MES) plays an important role in the manufacturing process and how cyberattacks on the MES can affect production activities.
The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report. The breach — allegedly committed by a CIA employee — was discovered a year after it happened, when the information was published by WikiLeaks in March 2017.
Unpatched Vulnerability Identified in 79 NETGEAR Router Models
A whopping 79 NETGEAR router models are vulnerable to a severe security flaw that can let hackers take over devices remotely. According to researchers, the vulnerability impacts 758 different firmware versions that have been used on 79 NETGEAR routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.
Massive IBM Cloud Outage Caused by BGP Hijacking
IBM has provided new information about the large-scale outage that occurred this week, affecting many IBM Cloud customers. The outage, which knocked a whole host of sites offline, was the result of BGP hijacking, said the firm.
Hackers Posing as LinkedIn Recruiters to Scam Military, Aerospace Firms
A new, highly sophisticated espionage campaign targeting military and aerospace organizations across Europe and the Middle East has been discovered by cybersecurity firm ESET. The campaigners attempt to lure company employees to extract money and/or sensitive documents. Dubbed Operation In(ter)caption; the campaign was active from September to December 2019, and espionage is declared the primary objective behind this campaign.
Phishing Campaign Targeting Office 365, Exploits Brand Names
Researchers have discovered a sophisticated new phishing campaign that uses recognized brand names to bypass security filters and to trick victims into giving up Microsoft Office 365 credentials to gain access to corporate networks. A report from Check Point Software first observed the attacks—the majority of which targeted European companies, with others seen in Asia and the Middle East.
Foodora Data Breach Impacts Customers in 14 Countries
Online food delivery service Delivery Hero has confirmed a data breach affecting its Foodora brand. The cybersecurity incident has exposed the account details of 727,000 customers in 14 different countries. Information exposed in the incident included names, addresses, phone numbers, and hashed passwords. While no financial data was leaked, customers’ geolocation data, accurate to within a couple of inches, was breached.
Cisco Adds New Security Features to Webex, Patches Serious Vulnerabilities
At its Cisco Live 2020 event, the networking giant informed customers that it has extended its data loss prevention (DLP) retention, Legal Hold and eDiscovery features to Webex Meetings. The company has also published several security advisories this week for Webex vulnerabilities, including three that have been classified as high severity and one rated medium severity.
Vulnerable Platform Used in Power Plants Enables Attackers to Run Malicious Code on User Browsers
Otorio’s incident response team identified a high-score vulnerability in OSIsoft’s PI System. They immediately notified OSIsoft Software of the vulnerability, which OSIsoft filed with ICS-CERT (ICSA-20-163-01). Installed in some of the world’s largest critical infrastructure facilities, OSIsoft Software’s PI System is a data management platform that accesses a broad range of core OT network assets in the sites it serves.
What other sophisticated phishing campaigns have you seen during the pandemic? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Intel Says ‘Tiger Lake’ Will Drown Control-Flow Malware and New Phishing Campaign Targeting Office 365 Exploits Brand Names appeared first on .
Vendor lock-in has been an often-quoted risk since the mid-1990’s.
Fear that by investing too much with one vendor, an organization reduces their options in the future.
Was this a valid concern? Is it still today?
Organizations walk a fine line with their technology vendors. Ideally, you select a set of technologies that not only meet your current need but that align with your future vision as well.
This way, as the vendor’s tools mature, they continue to support your business.
The risk is that if you have all of your eggs in one basket, you lose all of the leverage in the relationship with your vendor.
If the vendor changes directions, significantly increases their prices, retires a critical offering, the quality of their product drops, or if any number of other scenarios happen, you are stuck.
Locking in to one vendor means that the cost of switching to another or changing technologies is prohibitively expensive.
All of these scenarios have happened and will happen again. So it’s natural that organizations are concerned about lock-in.
When the cloud started to rise to prominence, the spectre of vendor lock-in reared its ugly head again. CIOs around the world thought that moving the majority of their infrastructure to AWS, Azure, or Google Cloud would lock them into that vendor for the foreseeable future.
Trying to mitigate this risk, organizations regularly adopt a “cloud neutral” approach. This means they only use “generic” cloud services that can be found from the providers. Often hidden under the guise of a “multi-cloud” strategy, it’s really a hedge so as not to lose position in the vendor/client relationship.
In isolation, that’s a smart move.
Taking a step back and looking at the bigger picture starts to show some of the issues with this approach.
The first issue is the heavy use of automation in cloud deployments means that vendor “lock-in” is not nearly as significant a risk as in was in past decades. The manual effort required to make a vendor change for your storage network used to be monumental.
Now? It’s a couple of API calls and a consumption-based bill adjusted by the megabyte. This pattern is echoed across other resource types.
Automation greatly reduces the cost of switching providers, which reduces the risk of vendor lock-in.
When your organization sets the mandate to only use the basic services (server-based compute, databases, network, etc.) from a cloud service provider, you’re missing out one of the biggest advantages of moving to the cloud; doing less.
The goal of a cloud migration is to remove all of the undifferentiated heavy lifting from your teams.
You want your teams directly delivering business value as much of the time as possible. One of the most direct routes to this goal is to leverage more and more managed services.
Using AWS as an example, you don’t want to run your own database servers in Amazon EC2 or even standard RDS if you can help it. Amazon Aurora and DynamoDB generally offer less operation impacts, higher performance, and lower costs.
When organizations are worried about vendor lock-in, they typically miss out on the true value of cloud; a laser focus on delivering business value.
In this new light, a multi-cloud strategy takes on a different aim. Your teams should be trying to maximize business value (which includes cost, operational burden, development effort, and other aspects) wherever that leads them.
As organizations mature in their cloud usage and use of DevOps philosophies, they generally start to cherry pick managed services from cloud providers that best fit the business problem at hand.
They use automation to reduce the impact if they have to change providers at some point in the future.
This leads to a multi-cloud split that typically falls around 80% in one cloud and 10% in the other two. That can vary depending on the situation but the premise is the same; organizations that thrive have a primary cloud and use other services when and where it makes sense.
There are some tools that are more effective when they work in all clouds the organization is using. These tools range from software products (like deployment and security tools) to metrics to operational playbooks.
Following the principles of focusing on delivering business value, you want to actively avoid duplicating a toolset unless it’s absolutely necessary.
The maturity of the tooling in cloud operations has reached the point where it can deliver support to multiple clouds without reducing its effectiveness.
This means automation playbooks can easily support multi-cloud (e.g., Terraform). Security tools can easily support multi-cloud (e.g., Trend Micro Cloud One). Observability tools can easily support multi-cloud (e.g., Honeycomb.io).
The guiding principle for a multi-cloud strategy is to maximize the amount of business value the team is able to deliver. You accomplish this by becoming more efficient (using the right service and tool at the right time) and by removing work that doesn’t matter to that goal.
In the age of cloud, vendor lock-in should be far down on your list of concerns. Don’t let a long standing fear slow down your teams.
The post The Fear of Vendor Lock-in Leads to Cloud Failures appeared first on .
Trend Micro is excited to launch new Trend Micro Cloud One – Conformity capabilities that will strengthen protection for Azure resources.
As with any launch, there is a lot of new information, so we decided to sit down with one of the founders of Conformity, Mike Rahmati. Mike is a technologist at heart, with a proven track record of success in the development of software systems that are resilient to failure and grow and scale dynamically through cloud, open-source, agile, and lean disciplines. In the interview, we picked Mike’s brain on how these new capabilities can help customers prevent or easily remediate misconfigurations on Azure. Let’s dive in.
What are the common business problems that customers encounter when building on or moving their applications to Azure or Amazon Web Services (AWS)?
The common problem is there are a lot of tools and cloud services out there. Organizations are looking for tool consolidation and visibility into their cloud environment. Shadow IT and business units spinning up their own cloud accounts is a real challenge for IT organizations to keep on top of. Compliance, security, and governance controls are not necessarily top of mind for business units that are innovating at incredible speeds. That is why it is so powerful to have a tool that can provide visibility into your cloud environment and show where you are potentially vulnerable from a security and compliance perspective.
Common misconfigurations on AWS are an open Amazon Elastic Compute Cloud (EC2) or a misconfigured IAM policy. What is the equivalent for Microsoft?
The common misconfigurations are actually quite similar to what we’ve seen with AWS. During the product preview phase, we’ve seen customers with many of the same kinds of misconfiguration issues as we’ve seen with AWS. For example, Microsoft Azure Blobs Storage is the equivalent to Amazon S3 – that is a common source of misconfigurations. We have observed misconfiguration in two main areas: Firewall and Web Application Firewall (WAF),which is equivalent to AWS WAF. The Firewall is similar to networking configuration in AWS, which provides inbound protection for non-HTTP protocols and network related protection for all ports and protocols. It is important to note that this is based on the 100 best practices and 15 services we currently support for Azure and growing, whereas, for AWS, we have over 600 best practices in total, with over 70 controls with auto-remediation.
Can you tell me about the CIS Microsoft Azure Foundation Security Benchmark?
We are thrilled to support the CIS Microsoft Azure Foundation Security Benchmark. The CIS Microsoft Azure Foundations Benchmark includes automated checks and remediation recommendations for the following: Identity and Access Management, Security Center, Storage Accounts, Database Services, Logging and Monitoring, Networking, Virtual Machines, and App Service. There are over 100 best practices in this framework and we have rules built to check for all of those best practices to ensure cloud builders are avoiding risk in their Azure environments.
Can you tell me a little bit about the Microsoft Shared Responsibility Model?
In terms of shared responsibility model, it’s is very similar to AWS. The security OF the cloud is a Microsoft responsibility, but the security IN the cloud is the customers responsibility. Microsoft’s ecosystem is growing rapidly, and there are a lot of services that you need to know in order to configure them properly. With Conformity, customers only need to know how to properly configure the core services, according to best practices, and then we can help you take it to the next level.
Can you give an example of how the shared responsibility model is used?
Yes. Imagine you have a Microsoft Azure Blob Storage that includes sensitive data. Then, by accident, someone makes it public. The customer might not be able to afford an hour, two hours, or even days to close that security gap.
In just a few minutes, Conformity will alert you to your risk status, provide remediation recommendations, and for our AWS checks give you the ability to set up auto-remediation. Auto-remediation can be very helpful, as it can close the gap in near-real time for customers.
What are next steps for our readers?
I’d say that whether your cloud exploration is just taking shape, you’re midway through a migration, or you’re already running complex workloads in the cloud, we can help. You can gain full visibility of your infrastructure with continuous cloud security and compliance posture management. We can do the heavy lifting so you can focus on innovating and growing. Also, you can ask anyone from our team to set you up with a complimentary cloud health check. Our cloud engineers are happy to provide an AWS and/or Azure assessment to see if you are building a secure, compliant, and reliable cloud infrastructure. You can find out your risk level in just 10-minutes.
Get started today with a 60-day free trial >
Check out our knowledge base of Azure best practice rules>
Do you see value in building a security culture that is shifted left?
Yes, we have done this for our customers using AWS and it has been very successful. The more we talk about shifting security left the better, and I think that’s where we help customers build a security culture. Every cloud customer is struggling with implementing earlier on in the development cycle and they need tools. Conformity is a tool for customers which is DevOps or DevSecOps friendly and helps them build a security culture that is shifted left.
We help customers shift security left by integrating the Conformity API into their CI/CD pipeline. The product also has preventative controls, which our API and template scanners provide. The idea is we help customers shift security left to identify those misconfigurations early on, even before they’re actually deployed into their environments.
We also help them scan their infrastructure-as-code templates before being deployed into the cloud. Customers need a tool to bake into their CI/CD pipeline. Shifting left doesn’t simply mean having a reporting tool, but rather a tool that allows them to shift security left. That’s where our product, Conformity, can help.
The post Knowing your shared security responsibility in Microsoft Azure and avoiding misconfigurations appeared first on .
Many businesses have misperceptions about cloud environments, providers, and how to secure it all. We want to help you separate fact from fiction when it comes to your cloud environment.
This list debunks 8 myths to help you confidently take the next steps in the cloud.
The post 8 Cloud Myths Debunked appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about two recently detected variants of existing Linux botnet malware types targeting exposed Docker servers. Also, read about a group of vulnerabilities dubbed Ripple20 that have the potential to critically impact millions of IoT devices across many different industries.
Read on:
The Fear of Vendor Lock-in Leads to Cloud Failures
Vendor lock-in, the fear that by investing too much with one vendor an organization reduces their options in the future, has been an often-quoted risk since the mid-1990s. Organizations continue to walk a fine line with their technology vendors. Ideally, you select a set of technologies that not only meet your current needs but that align with your future vision as well.
How Do I Select a Mobile Security Solution for My Business?
The percentage of companies admitting to suffering a mobile-related compromise has grown, despite a higher percentage of organizations deciding not to sacrifice the security of mobile devices to meet business targets. To make things worse, the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols – despite also being highly targeted by cyberattacks.
Knowing Your Shared Security Responsibility in Microsoft Azure and Avoiding Misconfigurations
Trend Micro is excited to launch new Trend Micro Cloud One – Conformity capabilities that will strengthen protection for Azure resources. As with any launch, there is a lot of new information, so we held a Q&A with one of the founders of Conformity, Mike Rahmati. In the interview, Mike shares how these new capabilities can help customers prevent or easily remediate misconfigurations on Azure.
FBI Warns K-12 Schools of Ransomware Attacks via RDP
The US Federal Bureau of Investigation (FBI) this week sent out a security alert to K-12 schools about the increase in ransomware attacks during the coronavirus pandemic, and especially about ransomware gangs that abuse RDP connections to break into school systems.
XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers
Trend Micro recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers: XORDDoS malware and Kaiji DDoS malware. Having Docker servers as their target is a new development for both XORDDoS and Kaiji; XORDDoS was known for targeting Linux hosts on cloud systems, while recently discovered Kaiji was first reported to affect internet of things (IoT) devices.
Frost & Sullivan Employee, Customer Data for Sale on Dark Web
A group is hawking records of more than 12,000 Frost & Sullivan employees and customers on a hacker folder. According to Cyble CEO Beenu Arora the breach was a result of a misconfigured backup directory on one of Frost & Sullivan’s public-facing servers. The KelvinSecurity Team said they put the information – which includes names, email addresses, company contacts, login names and hashed passwords – for sale in a hacking forum to sound the “alarm” after Frost & Sullivan didn’t respond to the group’s attempt to alert it to the exposed database.
Millions of IoT Devices Affected by Ripple20 Vulnerabilities
Israeli cybersecurity firm JSOF has released information on a group of vulnerabilities dubbed Ripple20. These vulnerabilities have the potential to critically impact millions of internet of things (IoT) devices across many different industries — crucial machines in the medical, oil and gas, transportation, power, and manufacturing industries can be affected by these bugs.
Nvidia Warns Windows Gamers of Serious Graphics Driver Bugs
Graphics chipmaker Nvidia has fixed two high-severity flaws in its graphics drivers. Attackers can exploit the vulnerabilities to view sensitive data, gain escalated privileges or launch denial-of-service (DoS) attacks in impacted Windows gaming devices.
Cyberattacks from the Frontlines: Incident Response Playbook for Beginners
For enterprises, staying competitive in an ever-changing market involves keeping up with the latest technological trends. However, without the parallel development of security infrastructure and robust response, new technology could be used as a conduit for cyberthreats that result in losses. Organizations should aim to prevent these breaches from happening — but having protocols for reducing a breach lifecycle is an essential and realistic approach for dealing with current threats.
OneClass Unsecured S3 Bucket Exposes PII on More than One Million Students, Instructors
An unsecured database belonging to remote learning platform OneClass has exposed information associated with more than a million students in North America who use the platform to access study guides and educational assistance. Data exposed includes full names, email addresses (some masked), schools and universities attended, phone numbers, school and university course enrollment details and OneClass account details.
During the past decade, various countries and industries have actively developed guidelines and frameworks for OT security. Recently, multiple guidelines have been integrated, and two standards as global standards are IEC62443 and the NIST CSF, SP800 series, from the viewpoint of security in smart factories. In this series, Trend Miro explains the overviews of IEC62443 and NIST CSF, in order to understand their concepts required for security in smart factories.
Many businesses have misperceptions about cloud environments, providers, and how to secure it all. In order to help separate fact from fiction when it comes to your cloud environment, Trend Micro debunks 8 myths to help you confidently take the next steps in the cloud.
Does your organization have an incident response playbook for potential breaches? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: XORDDoS and Kaiji Botnet Malware Variants Target Exposed Docker Servers and Ripple20 Vulnerabilities Could Impact Millions of IoT Devices appeared first on .
Development and application teams can be the initial entry point of a cloud migration as they start looking at faster ways to accelerate value delivery. One of the main things they might use during this is “Infrastructure as Code,” where they are creating cloud resources for running their applications using lines of code.
In the below video, as part of a NADOG (North American DevOps Group) event, I describe some additional techniques on how your development staff can incorporate the Well Architected Framework and other compliance scanning against their Infrastructure as Code prior to it being launched into your cloud environment.
If this content has sparked additional questions, please feel free to reach out to me on my LinkedIn. Always happy to share my knowledge of working with large customers on their cloud and transformation journeys!
The post Principles of a Cloud Migration appeared first on .
On Thursday, June 25, Trend Micro hosted our Perspectives 2-hour virtual event. As the session progressed, we asked our attendees, composed of +5000 global registrants, two key questions. This blog analyzes those answers.
First, what is your current strategy for securing the cloud?
Rely completely on native cloud platform security capabilities (AWS, Azure, Google…) 33%
Add on single-purpose security capabilities (workload protection, container security…) 13%
Add on security platform with multiple security capabilities for reduced complexity 54%
This result affirms IDC analyst Frank Dickson’s observation that most cloud customers will benefit from a suite offering a range of security capabilities covering multiple cloud environments. For the 15% to 20% of organizations that rely on one cloud provider, purchasing a security solution from that vendor may provide sufficient coverage. The quest for point products (which may be best-of-breed, as well) introduces additional complexity across multiple cloud platforms, which can obscure problems, confuse cybersecurity analysts and business users, increase costs, and reduce efficiency. The comprehensive suite strategy compliments most organizations’ hybrid, multi-cloud approach.
Second, and this is multiple choice, how are you enabling secure digital transformation in the cloud today?
This shows that cloud users are open to many available solutions for improving cloud security. The adoption pattern follows traditional on-premise security deployment models. The most commonly cited solution, Network Security/Cloud IPS, recognizes that communication with anything in the cloud requires a trustworthy network. This is a very familiar technique, dating back in the on-premise environment to the introduction of firewalls in the early 1990s from vendors like CheckPoint and supported by academic research as found in Cheswick and Bellovin’s Firewalls and Internet Security (Addison Wesley, 1994).
The frequency of data exposure due to misconfigured cloud instances surely drives Cloud Security Posture Management, certainly aided by the ease of deployment of tools like Cloud One conformity.
The newness of containers in the production environment most likely explains the relatively lower deployment of container security today.
The good news is that organizations do not have to deploy and manage a multitude of point products addressing one problem on one environment. The suite approach simplifies today’s reality and positions the organization for tomorrow’s challenges.
Looking ahead, future growth in industrial IoT and increasing deployments of 5G-based public and non-public networks will drive further innovations, increasing the breadth of the suite approach to securing hybrid, multi-cloud environments.
What do you think? Let me know @WilliamMalikTM.
The post Perspectives Summary – What You Said appeared first on .
Risk decisions are the foundation of information security. Sadly, they are also one of the most often misunderstood parts of information security.
This is bad enough on its own but can sink any effort at education as an organization moves towards a DevOps philosophy.
To properly evaluate the risk of an event, two components are required:
Unfortunately, teams—and humans in general—are reasonably good at the first part and unreasonably bad at the second.
This is a problem.
It’s a problem that is amplified when security starts to integration with teams in a DevOps environment. Originally presented as part of AllTheTalks.online, this talk examines the ins and outs of risk decisions and how we can start to work on improving how our teams handle them.
The post Risk Decisions in an Imperfect World appeared first on .
Intelligent transportation systems (ITS) require harmonization among manufacturers to have any chance of succeeding in the real world. No large-scale car manufacturer, multimodal shipper, or MaaS (Mobility as a Service) provider will risk investing in a single-vendor solution. Successful ITS require interoperable components, especially for managing cybersecurity issues. See https://www.trendmicro.com/vinfo/us/security/news/intelligent-transportation-systems for a set of reports on ITS cybersecurity.
The good news is we now have a standard for automotive cybersecurity, ISA/SAE 21434. This standard addresses all the major elements of connected car security including V2X, reaching from the internals of ECUs and communications busses including CAN to the broader issues of fleet management and public safety. See https://www.iso.org/standard/70918.html for the current draft version of this standard.
Intelligent transport systems rely on complex, contemporary infrastructure elements, including cloud (for data aggregation, traffic analysis, and system-wide recommendations) and 5G (for inter-component networking and real-time sensing). ITS also rely on aging industrial control systems and components, for vehicle detection, weather reporting, and traffic signaling, some dating back forty years or more. This profound heterogeneity makes the cybersecurity problem unwieldy. Automotive systems generally are the most complex public-facing applications of industrial IoT. Any information security problems with them will erode public trust in this important and ultimately critical infrastructure.
Robert Bosch GmbH began working on the first automotive bus architecture in 1986. Automobiles gained increasing electronic functions (smog controls, seat belt monitors, electric window controls, climate controls, and so on). With each new device, the manufacturers had to install additional point-to-point wiring to monitor and control them. This led to increasing complexity, the possibility for error, extended manufacturing time, more costly diagnosis and repair post-sales, and added weight. See Figure 1 for details. By replacing point-to-point wiring with a simple bus, manufacturers could introduce new features connected with one pair of wires for control. This simplified design, manufacturing, diagnosis, and improved quality and maintainability.
Figure 1: CAN Networks Significantly Reduce Wiring (from National Instruments https://www.ni.com/en-us/innovations/white-papers/06/controller-area-network–can–overview.html)
The bus was simple: all devices saw all traffic and responded to messages relevant to them. Each message has a standard format, with a header describing the message content and priority (the arbitration IDs), the body which contains the relevant data, and a cyclic redundancy check (CRC), which is a code to verify that the message contents are accurate. This CRC uses a mathematical formula to determine if any bits have flipped, and for small numbers of errors can correct the message, like a checksum. This is not as powerful as a digital signature. It has no cryptographic power. Every device on the bus can use the CRC algorithm to create a code for messages it sends and to verify the data integrity of messages it receives. Other than this, there is no data confidentiality, authentication, authorization, data integrity, or non-repudiation in CAN bus messages – or any other automotive bus messages. The devices used in cars are generally quite simple, lightweight, and inexpensive: 8-bit processors with little memory on board. Any device connected to the network is trusted. Figure 2 shows the layout of a CAN bus message.
Figure 2: The Standard CAN Frame Format, from National Instruments
Today’s automobiles have more sophisticated devices on board. The types of messages and the services the offer are becoming more complex. In-vehicle infotainment (IVI) systems provide maps, music, Bluetooth connectivity for smartphones and other devices, in addition to increasingly more elaborate driving assistance and monitoring systems all add more traffic to the bus. But given the diversity of manufacturers and suppliers, impeding security measures over the automotive network. No single vendor could today achieve what Robert Bosch did nearly forty years ago. Yet the need for stronger vehicle security is growing.
The ISO/SAE 21434 standard describes a model for securing the supply chain for automotive technology, for validating the integrity of the development process, detecting vulnerabilities and cybersecurity attacks in automotive systems, and managing the deployment of fixes as needed. It is comprehensive. ISO/SAE 21434 builds on decades of work in information security. By applying that body of knowledge to the automotive case, the standard will move the industry towards a safer and more trustworthy connected car world.
But the standard’s value doesn’t stop with cars and intelligent transport systems. Domains far beyond connected cars will benefit from having a model for securing communications among elements from diverse manufacturers sharing a common bus. The CAN bus and related technologies are used onboard ships, in aircraft, in railroad management, in maritime port systems, and even in controlling prosthetic limbs. The vulnerabilities are common, the complexity of the supply chain is equivalent, and the need for a comprehensive architectural solution is as great. So this standard is a superb achievement and will go far to improve the quality, reliability, and trustworthiness of critical systems globally.
What do you think? Let me know in the comments below or @WilliamMalikTM.
The post Connected Car Standards – Thank Goodness! appeared first on .
Organisations have been forced to adapt rapidly over the past few months as government lockdowns kept most workers to their homes. For many, the changes they’ve made may even become permanent as more distributed working becomes the norm. This has major implications for cybersecurity. Employees are often described as the weakest link in the corporate security chain, so do they become an even greater liability when working from home?
Unfortunately, a major new study from Trend Micro finds that, although many have become more cyber-aware during lockdown, bad habits persist. CISOs looking to ramp up user awareness training may get a better return on investment if they try to personalize strategies according to specific user personas.
What we found
We polled 13,200 remote workers across 27 countries to compile the Head in the Clouds study. It reveals that 72% feel more conscious of their organisation’s cybersecurity policies since lockdown began, 85% claim they take IT instructions seriously, and 81% agree that cybersecurity is partly their responsibility. Nearly two-thirds (64%) even admit that using non-work apps on a corporate device is a risk.
Yet in spite of these lockdown learnings, many employees are more preoccupied by productivity. Over half (56%) admit using a non-work app on a corporate device, and 66% have uploaded corporate data to it; 39% of respondents “often” or “always” access corporate data from a personal device; and 29% feel they can get away with using a non-work app, as IT-backed solutions are “nonsense.”
This is a recipe for shadow IT and escalating levels of cyber-risk. It also illustrates that current approaches to user awareness training are falling short. In fact, many employees seem to be aware of what best practice looks like, they just choose not to follow it.
Four security personas
This is where the second part of the research comes in. Trend Micro commissioned Dr Linda Kaye, Cyberpsychology Academic at Edge Hill University, to profile four employee personas based on their cybersecurity behaviors: fearful, conscientious, ignorant and daredevil.
In this way: Fearful employees may benefit from training simulation tools like Trend Micro’s Phish Insight, with real-time feedback from security controls and mentoring.
Conscientious staff require very little training but can be used as exemplars of good behavior, and to team up with “buddies” from the other groups.
Ignorant users need gamification techniques and simulation exercises to keep them engaged in training, and may also require additional interventions to truly understand the consequences of risky behavior.
Daredevil employees are perhaps the most challenging because their wrongdoing is the result not of ignorance but a perceived superiority to others. Organisations may need to use award schemes to promote compliance, and, in extreme circumstances, step up data loss prevention and security controls to mitigate their risky behavior.
By understanding that no two employees are the same, security leaders can tailor their approach in a more nuanced way. Splitting staff into four camps should ensure a more personalized approach than the one-size-fits-all training sessions most organisations run today.
Ultimately, remote working only works if there is a high degree of trust between managers and their teams. Once the pandemic recedes and staff are technically allowed back in the office, that trust will have to be re-earned if they are to continue benefiting from a Work From Home environment.
The post Survey: Employee Security Training is Essential to Remote Working Success appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about eight U.S. cities that recently had payment card data stolen via point-of-sale skimming malware on their Click2Gov online payment platforms. Also, learn about the cybersecurity behaviors of more than 13,000 remote workers across 27 countries in a new survey from Trend Micro.
Read on:
Connected Car Standards – Thank Goodness!
Intelligent transportation systems (ITS) require harmonization among manufacturers to have any chance of succeeding in the real world. Successful ITS’ require interoperable components, especially for managing cybersecurity issues. The good news is we now have a standard for automotive cybersecurity (ISA/SAE 21434) that addresses all the major elements of connected car security. In this blog from Trend Micro, learn more about this standard for automotive cybersecurity.
The Next Cybersecurity Headache: Employees Know the Rules but Just Don’t Care
Cybersecurity has shot to the top of many IT leaders’ priorities over the past few months as remote working became the de facto way of doing business. Yet despite more awareness of the security risks of working from home, employees are still showing a lax attitude when putting it into practice. Trend Micro recently surveyed more than 13,000 remote workers across 27 countries and found that 72% of respondents claimed to have gained better cybersecurity awareness during the pandemic.
Risk Decisions in an Imperfect World
Risk decisions are the foundation of information security – but sadly also one of the most often misunderstood parts. This is bad enough on its own but can sink any effort at education as an organization moves towards a DevOps philosophy. In this blog, check out a video on how to properly evaluate risk from Mark Nunnikhoven, vice president of cloud research at Trend Micro.
Payment Card Skimmer Attacks Hit 8 Cities
Eight U.S. cities recently had payment card data stolen via point-of-sale skimming malware on their Click2Gov online payment platforms, according to Trend Micro. Five of those cities had already been victims of similar Magecart-style attacks in recent years. This new round of attacks targeted payment card information, along with the card owner’s name and address.
Perspectives Summary – What You Said
On Thursday, June 25, Trend Micro hosted its first-ever virtual Perspectives event. As the session progressed, Trend Micro polled attendees, composed of more than 5,000 global registrants, on two key cloud security questions. In this blog, Trend Micro analyzes and shares the responses.
Microsoft Issues Two Emergency Security Updates Impacting Windows 10 and Windows Server
This week, Microsoft issued emergency security updates for two vulnerabilities that could allow attackers to run remote code execution against victims. One of the flaws, CVE-2020-1425, would allow attackers to gather information from victims about further compromising their targets. Abdul-Aziz Hariri, a vulnerability analysis manager for Trend Micro’s Zero Day Initiative, is credited for finding and reporting the vulnerabilities.
Principles of a Cloud Migration
Development and application teams can be the initial entry point of a cloud migration as they start looking at faster ways to accelerate value delivery. In this video, Trend Micro’s Jason Dablow describes some techniques on how development staff can incorporate the Well Architected Framework and other compliance scanning against their Infrastructure as Code prior to it being launched into a cloud environment.
V Shred Data Leak Exposes PII, Sensitive Photos of Fitness Customers and Trainers
Las Vegas-based fitness brand V Shred, that offers fitness plans for women and men, exposed the personally identifiable information (PII) of more than 99,000 customers and trainers – and has yet to fully resolve the leaking database responsible. On Thursday, vpnMentor’s research team made the data leak public.
When remote work becomes not just an option but the only choice for many, it raises vital questions about the technical side regarding how to make the transition feasible and how to keep it secure. In this blog, Mark Liggett, CEO of Liggett Consulting and longtime IT and cybersecurity key player, sits down with Trend Micro to share his thoughts on the importance of connectivity and visibility in securing WFH setups.
FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps
Android mobile device users are being targeted in a new SMS phishing campaign that is spreading the FakeSpy infostealer. The malware, disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from victims’ devices. The campaign was first discovered targeting South Korean and Japanese speakers, but it has now expanded to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States.
This blog series from Trend Micro describes typical examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. In part two, learn about the concepts of system design and security levels in IEC62443.
In this five-part blog series, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. Wrapping up this series is a blog examining recommended security strategies and countermeasures to secure smart factories and to keep operations running.
How well do you think your organization’s employees are following security and IT procedures during quarantine? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Payment Card Skimmer Attacks Hit 8 Cities and Survey Finds 72% of Remote Workers Have Gained Cybersecurity Awareness During Lockdown appeared first on .
Connected cars are on the move. Globally their number is set to grow 270% between 2018 and 2022 to reach an estimated 125 million in a couple of years. Increasingly, these vehicles are more akin to high-performance mobile computers with wheels than traditional cars, with features including internet access, app-based remote monitoring and management, advanced driver-assistance, and autonomous driving capabilities. But this also leaves them exposed to sensitive data theft and remote manipulation, which could create serious physical safety issues.
This is where a new standard comes in. ISO/SAE 21434 creates detailed guidance for the automotive industry to help it navigate these challenges and reduce reputational and cyber-risk. A new report from Trend Micro details what industry stakeholders need to, along with our recommendations as cybersecurity experts.
Packed with power
Modern automobiles do far more than transport their occupants from A to B. They are filled with computing power, sensors, infotainment systems and connectivity to help improve the car experience, traffic safety, vehicle maintenance and much more. This all creates complexity, which in turn leads to the emergence of cybersecurity gaps.
For example, there are now more than 100 engine control units (ECUs) in many modern vehicles, packed with software to control everything from the engine and suspension to the brakes. By hijacking the execution of any ECU an attacker could move laterally to any target in the vehicle, potentially allowing them to remotely cause life-threatening accidents.
As our report explains, there are three fundamental issues that make securing connected cars challenging:
Vulnerabilities are difficult to patch due to the highly tiered mature of car supply chains, firmware interoperability and long update times. If updates fail, as they can, a vehicle may be left inoperable.
Protocols used for connectivity between ECUs were not designed with security in mind, allowing attackers to conduct lateral movement.
Aftermarket products and services represent a third area of risk exposure. Akin to unsecured IoT devices in the smart home, they can be abused by attackers to pivot to more sensitive parts of the vehicle.
These vulnerabilities have been highlighted in research dating back years, but as connected cars grow in number, real-world attacks are now starting to emerge. Attack scenarios target everything from user applications to network protocols, to the CAN bus, on-board software and more. In short, there’s much for the bad guys to gain and plenty for carmakers to lose.
Here to help
This is where the new standard comes in. ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” is a typically long and detailed document designed to improve automotive cybersecurity and risk mitigation across the entire supply chain — from vehicle design and engineering through to decommissioning.
As a long-time collaborator with the automotive industry, Trend Micro welcomes the new standard as a way to enhance security-by-design in an area coming under the increasing scrutiny of attackers. In fact, eight out of the world’s top 10 automotive companies have adopted Trend Micro solutions for their enterprise IT.
In order to follow ISO/SAE 21434 and protect connected cars, organizations need comprehensive visibility and control of the entire connected car ecosystem, including: vehicle, network and backend systems. They should then consider developing a Vehicle Security Operations Center (VSOC) to manage notifications coming in from all three areas and to create a bird’s eye view of the entire ecosystem.
Consider the following capabilities in each of these key areas:
Vehicle: Detect in-vehicle vulnerabilities and possible exploitation, including those in critical devices that connected the in-vehicle network to outside networks, for instance, in-vehicle infotainment systems (IVI) and telematic control units (TCUs).
Network: Apply network security policy, monitoring traffic to detect and prevent threats including connections between vehicle and backend cloud and data centers.
Backend: Secure data centers, cloud and containers from known and unknown threats and bugs without compromising performance.
Vehicle SOC: Take quick and effective action by correlating threats detected from the endpoint, network, and backend with individual notifications from each, enabling a bird’s eye view of comprehensive elements.
In uncertain times for the industry, it pays to get ahead of the game, and any prospective changes in local laws that the new ISO/SAE standard may encourage. For carmakers looking to differentiate in a tough market, and do the right thing by protecting their customers, Trend Micro is here to help.
To find out more, read the full report here.
The post ISO/SAE 21434: It’s time to put the brakes on connected car cyber-threats appeared first on .
The endpoint has long been a major focal point for attackers targeting enterprise IT environments. Yet increasingly, security bosses are being forced to protect data across the organization, whether it’s in the cloud, on IoT devices, in email, or on-premises servers. Attackers may jump from one environment to the next in multi-stage attacks and even hide between the layers. So, it pays to have holistic visibility, in order to detect and respond more effectively.
This is where XDR solutions offer a convincing alternative to EDR and point solutions. But unfortunately, not all providers are created equal. Trend Micro separates themselves from the pack by providing mature security capabilities across all layers, industry-leading threat intelligence, and an AI-powered analytical approach that produces fewer, higher fidelity alerts.
Under pressure
It’s no secret that IT security teams today are under extreme pressure. They’re faced with an enemy able to tap into a growing range of tools and techniques from the cybercrime underground. Ransomware, social engineering, fileless malware, vulnerability exploits, and drive-by-downloads, are just the tip of the iceberg. There are “several hundred thousand new malicious programs or unwanted apps registered every day,” according to a new Osterman Research report. It argues that, while endpoint protection must be a “key component” in corporate security strategy, “It can only be one strand” —complemented with protection in the cloud, on the network, and elsewhere.
There’s more. Best-of-breed approaches have saddled organizations with too many disparate tools over the years, creating extra cost, complexity, management headaches, and security gaps. This adds to the workload for overwhelmed security teams.
According to Gartner, “Two of the biggest challenges for all security organizations are hiring and retaining technically savvy security operations staff, and building a security operations capability that can confidently configure and maintain a defensive posture as well as provide a rapid detection and response capacity. Mainstream organizations are often overwhelmed by the intersectionality of these two problems.”
XDR appeals to organizations struggling with all of these challenges as well as those unable to gain value from, or who don’t have the resources to invest in, SIEM or SOAR solutions. So what does it involve?
What to look for
As reported by Gartner, all XDR solutions should fundamentally achieve the following:
However, the analyst urges IT buyers to think carefully before choosing which provider to invest in. That’s because, in some cases, underlying threat intelligence may be underpowered, and vendors have gaps in their product portfolio which could create dangerous IT blind spots. Efficacy will be a key metric. As Gartner says, “You will not only have to answer the question of does it find things, but also is it actually finding things that your existing tooling is not.”
A leader in XDR
This is where Trend Micro XDR excels. It has been designed to go beyond the endpoint, collecting and correlating data from across the organization, including; email, endpoint, servers, cloud workloads, and networks. With this enhanced context, and the power of Trend Micro’s AI algorithms and expert security analytics, the platform is able to identify threats more easily and contain them more effectively.
Forrester recently recognized Trend Micro as a leader in enterprise detection and response, saying of XDR, “Trend Micro has a forward-thinking approach and is an excellent choice for organizations wanting to centralize reporting and detection with XDR but have less capacity for proactively performing threat hunting.”
According to Gartner, fewer than 5% of organizations currently employ XDR. This means there’s a huge need to improve enterprise-wide protection. At a time when corporate resources are being stretched to the limit, Trend Micro XDR offers global organizations an invaluable chance to minimize enterprise risk exposure whilst maximizing the productivity of security teams.
The post Beyond the Endpoint: Why Organizations are Choosing XDR for Holistic Detection and Response appeared first on .
Things fail. It happens. A core principle of building well in the AWS Cloud is reliability. Dr. Vogels said it best, “How can you reduce the impact of failure on your customers?” He uses the term “blast radius” to describe this principle.
One of the key methods for reducing blast radius is the AWS account itself. Accounts are free and provide a strong barrier between resources, and thus, failures or other issues. This type of protection and peace of mind helps teams innovate by reducing the risk of running into another team’s work. The challenge is managing all of these accounts in a reasonable manner. You need to strike a balance between providing security guardrails for teams while also ensuring that each team gets access to the resources they need.
AWS Services & Features
There are a number of AWS services and features that help address this need. AWS Organizations, AWS Firewall Manager, IAM Roles, tagging, AWS Resource Access Manager, AWS Control Tower, and more, which all play a role in helping your team manage multiple accounts.
For this post, we’ll look at AWS Control Tower a little closer. AWS Control Tower was made generally available at AWS re:Inforce. The service provides an easy way to setup and govern AWS accounts in your environment. You can configure strong defaults for all new accounts, pre-populate IAM Roles, and more. Essentially, AWS Control Tower makes sure that any new account starts off on the right foot.
For more on the service, check out this excellent talk from the launch.
Partner Integrations
With almost a year under its belt, AWS Control Tower is now expanding to provide partner integrations. Now, in addition to setting up AWS services and features, you can pre-config supported APN solutions as well. Trend Micro is among the first partners to support this integration by providing the ability to add Trend Micro Cloud One – Workload Security and Trend Micro Cloud One – Conformity to your Control Tower account factory. Once configured, any new account that is created via the factory will automatically be configured in your Trend Micro Cloud One account.
Integration Advantage
This integration not only reduces the friction in getting these key security tools setup, it also provides immediate visibility into your environment. Workload Security will now be able show you any Amazon EC2 instances or Amazon ECS hosts within your accounts. You’ll still need to install and apply a policy to the Workload Security agent to protect these instances, but this initial visibility provides a map for your teams, reducing the time to protection. Conformity will start generating information within minutes. This information from Conformity will allow your teams to get a quick handle on their security posture and more with fast and ongoing security and compliance checks.
Integrating this from the beginning of every new account will allow each team to track their progress against a huge set of recommended practices across all five pillars of the Well-Architected Framework.
What’s Next?
One of the biggest challenges in cloud security is integrating it early in the development process. We know that the earlier security is factored into your builds, the better the result. You can’t get much earlier than the initial creation on an account. That’s why this new integration with AWS Control Tower is so exciting. Having security in every account within your organization from day zero provides much needed visibility and a fantastic head start.
The post Automatic Visibility And Immediate Security with Trend Micro + AWS Control Tower appeared first on .
“Cloud security is simple, absolutely simple. Stop over complicating it.”
This is how I kicked off a presentation I gave at the CyberRisk Alliance, Cloud Security Summit on Apr 17 of this year. And I truly believe that cloud security is simple, but that does not mean easy. You need the right strategy.
As I am often asked about strategies for the cloud, and the complexities that come with it, I decided to share my recent talk with you all. Depending on your preference, you can either watch the video below or read the transcript of my talk that’s posted just below the video. I hope you find it useful and will enjoy it. And, as always, I’d love to hear from you, find me @marknca.
For those of you who prefer to read rather than watch a video, here’s the transcript of my talk:
Cloud security is simple, absolutely simple. Stop over complicating it.
Now, I know you’re probably thinking, “Wait a minute, what is this guy talking about? He is just off his rocker.”
Remember, simple doesn’t mean easy. I think we make things way more complicated than they need to be when it comes to securing the cloud, and this makes our lives a lot harder than they need to be. There’s some massive advantages when it comes to security in the cloud. Primarily, I think we can simplify our security approach because of three major reasons.
The first is integrated identity and access management. All three major cloud providers, AWS, Google and Microsoft offer fantastic identity, and access management systems. These are things that security, and [inaudible 00:00:48] professionals have been clamouring for, for decades.
We finally have this ability, we need to take advantage of it.
The second main area is the shared responsibility model. We’ll cover that more in a minute, but it’s an absolutely wonderful tool to understand your mental model, to realize where you need to focus your security efforts, and the third area that simplifies security for us is the universal application of APIs or application programming interfaces.
These give us as security professionals the ability to orchestrate. and automate a huge amount of the grunt work away. These three things add up to, uh, the ability for us to execute a very sophisticated, uh, or very difficult to pull off, uh, security practice, but one that ultimately is actually pretty simple in its approach.
It’s just all the details are hard and we’re going to use these three advantages to make those details simpler. So, let’s take a step back for a second and look at what our goal is.
What is the goal of cybersecurity? That’s not something you hear quite often as a question.
A lot of the time you’ll hear the definition of cybersecurity is, uh, about, uh, securing the confidentiality, integrity, and availability of information or data. The CIA triad, different CIA, but I like to phrase this in a different way. I think the goal is much clearer, and the goal’s much simpler.
It is to make sure that whatever you’re building works as intended and only as intended. Now, you’ll realize you can’t accomplish this goal just as a security team. You need to work with your, uh, developers, you need to work with operations, you need to work with the business units, with the end users of your application as well.
This is a wonderful way of phrasing our goal, and realizing that we’re all in this together to make sure whatever you’re building works as intended, and only as intended.
Now, if we move forward, and we look at who are we up against, who’s preventing our stuff from working, uh, well?
You look at normally, you think of, uh, who’s attacking our systems? Who are the risks? Is it nation states? Is it maybe insider threats? While these are valid threats, they’re really overblown. You’re… don’t have to worry about nation state attacks.
If you’re a nation state, worry about it. If you’re not a nation state, you don’t have to worry about it because frankly, there’s nothing you can do to stop them. You can slow them down a little bit, but by definition, they’re going to get through your resources.
As far as insider attacks, this is an HR problem. Treat your people well. Um, check in with them, and have a strong information management policy in place, and you’re going to reduce this threat naturally. If you go hunting for people, you’re going to create the very threats that you’re looking at.
So, it brings us to the next set. What about cyber criminals? You know, we do have to worry about cyber criminals.
Cyber criminals are targeting systems simply because these systems are online, these are profit motivated criminals who are organized, and have a good set of tools, so we absolutely need to worry about them, but there’s a more insidious or more commonplace, maybe a simpler threat that we need to worry about, and that’s one of mistakes.
The vast majority of issues that happen around data breaches around security vulnerabilities in the cloud are mistake driven. In fact, to the point where I would not even worry about cyber criminals simply because all the work we’re going to do to focus on, uh, preventing mistakes.
And catching, and rectifying the stakes really, really quickly is going to uh, you a cover all the stuff that we would have done to block out cyber criminals as well, so mistakes are very common because people are using a lot more services in the cloud.
You have a lot more, um, parts and moving, uh, complexity in your deployment, um, and you’re going to make a mistake, which is why you need to put automated systems in place to make sure that those mistakes don’t happen, or if they do happen that they’re caught very, very quickly.
This applies to standard DevOps, the philosophies for building. It also applies to security very, very wonderfully, so this is the main thing we’re going to focus on.
So, if we look at that sum up together, we have our goal of making sure whatever we’re building works as intended, and only as intended, and our major issue here, the biggest risk to this is simple mistakes and misconfigurations.
Okay, so we’re not starting from ground zero here. We can learn from others, and the first place we’re going to learn is the shared responsibility model. The shared responsibility applies to all cloud service providers.
If you look on the left hand side of the slide here, you’ll see the traditional on premise model. We roughly have six areas where something has to be done roughly daily, whether it’s patching, maintenance, uh, just operational visibility, monitoring, that kind of thing, and in a traditional on premise environment, you’re responsible for all of it, whether it’s your team, or a team underneath your organization.
Somewhere within your tree, people are on the hook for doing stuff daily. Here when we move into an infrastructure, so getting a virtual machine from a cloud provider right off the bat, half of the responsibilities are pushed away.
That’s a huge, huge win.
And, as we move further and further to the right to more managed service, or staff level services, we have less and less daily responsibilities.
Now, of course, you always still have to verify that the cloud service provider’s doing what they, uh, say they’re doing, which is why certifications and compliance frameworks come into play, uh, but the bottom line is you’re doing less work, so you can focus on fewer areas.
Um, that is, or I should say not less work, but you’re doing, uh, less broad of a work.
So you can have that deeper focus, and of course, you always have to worry about service configuration. You are given knobs and dials to turn to lock things down. You should use them like things like encrypting, uh, all your data at rest.
Most of the time it’s an easy check box, but it’s up to you to check it ‘cause it’s your responsibility.
We also have the idea of an adoption framework, and this applies for Azure, for AWS and for Google, uh, and what they do is they help you map out your business processes.
This is important to security, because it gives you the understanding of where your data is, what’s important to the business, where does it lie, who needs to touch it, and access it and process it.
That also gives us the idea, uh, or the ability to identify the stakeholders, so that we know, uh, you know, who’s concerned about this data, who is, has an investment in this data, and finally it helps to, to deliver an action plan.
The output of all of these frameworks is to deliver an action plan to help you migrate into the cloud and help you to continuously evolve. Well, it’s also a phenomenal map for your security efforts.
You want to prioritize security, this is how you do it. You get it through the adoption framework, understanding what’s important to the business, and that lets you identify critical systems and areas for your security.
Again, we want to keep things simple, right? And, the third, uh, the o- other things we want to look at is the CIS foundations. They have them for AWS, Azure and GCP, um, and these provide a prescriptive guidance.
They’re really, um, a strong baseline, and a checklist of tasks that you can accomplish, um, or take on, on your, uh, take on, on your own, excuse me, uh, in order to, um, you know, basically cover off the really basics is encryption at rest on, um, you know, do I make sure that I don’t have, uh, things needlessly exposed to the internet, that type of thing.
Really fantastic reference point and a starting point for your security practice.
Again, with this idea of keeping things as simple as possible, so when it comes to looking at our security policy, we’ve used the frameworks, um, and the baseline to kind of set up a strong, uh, start to understand, uh, where the business is concerned, and to prioritize.
And, the first question we need to ask ourselves as security practitioners, what happened? If we, if something happens, and we ask what happened?
Do we have the ability to answer this question? So, that starts us off with logging and auditing. This needs to be in place before something happened. Let me just say that again, before something happened, you need [laughs] to be able to have this information in place.
Now, uh, this is really, uh, to ask these key questions of what happened in my account, and who, or what made that thing happen?
So, this starts in the cloud with some basic services. Uh, for AWS it’s cloud trail, for Azure, it’s monitor, and for Google Cloud it used to be called Stackdriver, it is now the Google Cloud operations suite, so these need to be enabled on at full volume.
Don’t worry, you can use some lifecycle rules on the data source to keep your costs low.
But, this gives you that layer, that basic auditing and logging layer, so that you can answer that question of what happened?
So, the next question you want to ask yourself or have the ability to answer is who’s there, right? Who’s doing what in my account? And, that comes down to identity.
We’ve already mentioned this is one of the key pillars of keeping security simple, and getting that highly effective security in your cloud.
[00:09:00] So here you’re answering the questions of who are you, and what are you allowed to do? This is where we get a very simple privilege, uh, or principle in security, which is the principle of least privilege.
You want to give an identity, so whether that’s a user, or a role, or a service, uh, only the privileges they, uh, require that are essential to perform the task that, uh, they are intended to do.
Okay?
So, basically if I need to write a file into a storage, um, folder or a bucket, I should only have the ability to write that file. I don’t need to read it, I don’t need to delete it, I just need to write to it, so only give me that ability.
Remember, that comes back to the other pillar of simple security here of, of key cloud security, is integrated identity.
This is where it really takes off, is that we start to assign very granular access permissions, and don’t worry, we’re going to use the APIs to automate all this stuff, so that it’s not a management headache, but the principle of these privilege is absolutely critical here.
The services you’re going to be using, amazingly, all three cloud providers got in line, and named them the same thing. It’s IAM, identity access management, whether that’s AWS, Azure or Google Cloud.
Now, the next question we’re going to a- ask ourselves are the areas where we’re going to be looking at is really where should I be focusing security controls? Where should I be putting stuff in place?
Because up until now we’ve really talked about leveraging what’s available from the cloud service providers, and you absolutely should available, uh, maximize your usage of their, um, native and primitive, uh, structures primitive as far as base concepts, not as, um, refined.
They’re very advanced controls and, but there are times where you’re going to need to put in your own controls, and these are the areas you’re going to focus on, so you’re going to start with networking, right?
So, in your networking, you’re going to maximize the native structures that are available in the cloud that you’re in, so whether that’s a project structure in Google Cloud, whether that’s a service like transit gateway in AWS, um, and all of them have this idea of a VPC or virtual private cloud or virtual network that is a very strong boundary for you to use.
Remember, most of the time you’re not charged for the creation of those. You have limits in your accounts, but accounts are free, and you can keep adding more, uh, virtual networks. You may be saying, wait a minute, I’m trying to simplify things.
Actually, having multiple virtual networks or virtual private clouds ends up being far simpler because each of them has a task. You go, this application runs in this virtual private cloud, not a big shared one in this specific VPC, and that gives you this wonderfully strong security boundaries, and a very simple way of looking at one VPC, one action, very much the Unix philosophy in play.
Key here though is understanding that while all of the security controls in place for your service provider, um, give you, so, you know, whether it’s VPCs, routing tables, um, uh, access control lists, security groups, all the SDN features that they’ve got in place.
These really help you figure out whether service A or system A is allowed to talk to B, but they don’t tell you what they’re saying.
And, that’s where additional controls called an IPS, or intrusion prevention system come into play, and you may want to look at getting a third party control in to do that, because none of the th- big three cloud providers offer an IPS at this point.
[00:12:00] But that gives you the ability to not just say, “Hey, you’re allowed to talk to each other.” But, to monitor that conversation, to ensure that there’s not malicious code being passed back and forth between systems that nobody’s trying a denial of service attack.
A whole bunch of extra things on there have, so that’s where IPS comes into play in your network defense. Now, we look at compute, right?
We can have compute in various forms, whether that’s in serverless functions, whether that’s in containers, manage containers, whether that’s in traditional virtual machines, but all the principles are the same.
You want to understand where the shared responsibility line is, how much is on your plate, how much is on the CSPs?
You want to understand that you need to harden the EOS, or the service, or both in some cases, make sure that, that’s locked down, so have administrator passwords. Very, very complicated.
Don’t log into these systems, uh, you know, because you want to be fixing things upstream. You want to be fixing things in the build pipeline, not logging into these systems directly, and that’s a huge thing for, uh, systems people to get over, but it’s absolutely essential for security, and you know what?
It’s going to take a while, but there’s some tricks there you can follow with me. You can see, uh, on the slides, uh, at Mark, that is my social everywhere, uh, happy to walk you through the next steps.
This idea of this presentation’s really just the simple basics to start with, to give you that overview of where to focus your time, and, dispel that myth that cloud security is complicating things.
It is a huge path is simplicity, which is a massive lens, or for security.
So, the last area you want to focus here is in data and storage. Whether this is databases, whether this is big blob storage, or, uh, buckets in AWS, it doesn’t really matter the principles, again, all the same.
You want to encrypt your data at rest using the native cloud provided, uh, cloud service provider, uh, features functionality, because most of the time it’s just give it a key address, and give it a checkbox, and you’re good to go.
It’s never been easier to encrypt things, and there is no excuse for it and none of the providers charge extra for, uh, encryption, which is amazing, and you absolutely want to be taking advantage of that, and you want to be as granular as possible with your IAM, uh, and as reasonable, okay?
So, there’s a line here, and a lot of the data stores that are native to the cloud service providers, you can go right down to the data cell level and say, Mark has access, or Mark doesn’t have access to this cell.
That can be highly effective, and maybe right for your use case. It might be too much as well.
But, the nice thing is that you have that option. It’s integrated, it’s pretty straightforward to implement, and then, uh, when we look here, uh, sorry. and then, finally you want to be looking at lifecycle strategies to keep your costs under control.
Um, data really spins out of control when you don’t have to worry about capacity. All of the cloud service providers have some fantastic automations in place.
Basically, just giving you, uh, very simple rules to say, “Okay, after 90 days, move this over to cheaper storage. After 180 days, you know, get rid of it completely, or put it in cold storage.”
Take advantage of those or your bill’s going to spiral out of control, and, and that relates to availability ‘cause uh, uh, and reliability, ‘cause the more you’re spending on that kind of stuff, the less you have to spend on other areas like security and operational efficiency.
So, that brings us to our next big security question. Is this working?
[00:15:00] How do you know if any of this stuff is working? Well, you want to talk about the concept of traceability. Traceability is a, you know, somewhat formal definition, but for me it really comes down to where did this come from, who can access it, and when did they access it?
That ties very closely with the concept of observability. Basically, the ability to look at, uh, closed systems and to infer what’s going on inside based on what’s coming into that system, and what’s leaving that system, really what’s going on.
There’s some great tools here from the service providers. Again, you want to look at, uh, Amazon CloudWatch, uh, Azure Monitor and the Google Cloud operations, uh, suite. Um, and here this leads us to the key, okay?
This is the key to simplifying everything, and I know we’ve covered a ton in this presentation, but I really want you to take a good look at this slide, and again, hit me up, uh, @marknca, happy to answer any questions with, questions afterwards as well here, um, that this will really, really make this simple, and this will really take your security practice to the next level.
If the idea of something happened in your, cloud system, right? In your deployment, there’s a trigger, and then, it either is generating an event or a log.
If you go the bottom row here, you’ve got a log, which you can then react to in a function to deliver some sort of result. That’s the slow-lane on the bottom.
We’re talking minutes here. You also have the top lane where your trigger fires off an event, and then, you react to that with a function, and then, you get a result in the fast lane.
These things happen in seconds, sub-second time. You start to build out your security practice based on this model.
You start automating more and more in these functions, whether it’s, uh, Lambda, whether it’s Cloud Functions, whether it’s Azure Functions, it doesn’t matter.
The CSPs all offer the same core functionality here. This is the critical, critical success metric, is that when you start reacting in the fast lane automatically to things, so if you see that a security event is triggered from like your malware, uh, on your, uh, virtual machine, you can lock that off, and have a new one spin up automatically.
Um, if you’re looking for compliance stuff, the slow lane is the place to go, because it takes minutes.
Reactions happen up top, more, um, stately or more sedate things, so somebody logging into a system is both up top and down low, so up top, if you logged into a VPC or into, um, an instance, or a virtual machine, you’d have a trigger fire off and maybe ask me immediately, “Mark, did you log into the system? Uh, ‘cause you’re, you know, you’re not supposed to be.”
But then I’d respond and say, “Yeah, I, I did log in.” So, immediately you don’t have to respond. It’s not an incident response scenario, but on the bottom track, maybe you’re tracking how many times I’ve logged in.
And after the three or fourth time maybe someone comes by, and has a chat with me, and says, “Hey, do you keep logging into these systems? Can’t you fix it upstream in the deployment, uh, and build a pipeline ‘cause that’s where we need to be moving?”
So, you’ll find this balance, and this concept, I just wanted to get into your heads right now of automating your security practice. If you have a checklist, it should be sitting in a model like this, because it’ll help you, uh, reduce your workload, right?
The idea is to get as much automated possible, and keep things in very clear, and simple boundaries, and what’s more simple than having every security action listed as an automated function, uh, sitting in a code repository somewhere?
[00:18:00] Fantastic approach to modern security practice in the cloud. Very simple, very clear. Yes, difficult to implement. It can be, but it’s an awesome, simple mental model to keep in your head that everything gets automated as a function based on a trigger somewhere.
So, what are the keys to success? What are the keys to keeping this cloud security thing simple? And, hopefully you’ve realized the difference between a simple mental model, and the challenges, uh, in, uh, implementation.
It can be difficult. It’s not easy to implement, but the mental model needs to be kept simple, right? Keep things in their own VPCs, and their own accounts, automate everything. Very, very simple approach. Everything fits into this s- into this structure, so the keys here are remembering the goal.
Make sure that cybersecurity, uh, is making sure that whatever you build works as intended and only as intended. It’s understanding the shared responsibility model, and it’s really looking at, uh, having a plan through cloud adoption frameworks, how to build well, which is a, uh, a concept called the Well-Architected Framework.
It’s specific to AWS, but it’s generic, um, its principles, it can be applied everywhere. We didn’t cover it here, but I’ll put the links, um, in the materials for you, uh, as well as remembering systems over people, right?
Adding the right controls at the right time, uh, and then, finally observing and react. Be vigilant, practice. You’re not going to get this right out of the gates, uh, perfect.
You’re going to have to refine, iterate, and then it’s extremely cloud friendly. That is the cloud model is, get it out there, iterate quickly, but putting the structures in place, you’re not going to make sure that you’re not doing that in an insecure manner.
Thank you very much, uh, here’s a couple of links that’ll help you out before we take some Q&A here, um, trendmicro.com/cloud will get you to the products to learn more. We’re also doing this really cool streaming.
Uh, I host a show called Let’s Talk Cloud. Um, we uh, interview experts, uh, and have a great conversation around, um, what they’re talking about, uh, in the cloud, what they’re working on, and not just around security, but just in building in general.
You can hit that up at trendtalks.fyi. Um, and again, hit me up on social @marknca.
So, we have a couple of questions to kick this off, and you can put more questions in the webinar here, and they will send them along, or answer them in kind if they can.
Um, and that’s really what these are about, is the interaction is getting that, um, to and from. So, the first question that I wanted to tackle is an interesting one, and it’s really that systems over people.
Um, you heard me mention it in the, uh, in the end and the question is really what does that mean systems over people? Isn’t security really about people’s expertise?
And, yes and no, so if you are a SOC analyst, if you are working in a security, uh, role right now, I am really confident saying that 80%, 90% of what you do right now could be delegated out to a system.
So, if you were looking at log lines, and stuff that should be done by systems and bubble up, just the goal for you to investigate to do what people are good at in systems are bad at, so systems mean, uh, you know, putting in, uh, to build pipeline, putting in container scanning in the build pipeline, so that you have to manually scan stuff, right to get rid of the basics. Is that a pen test? 100% no.
Um, but it gets rid of that, hey, you didn’t upgrade to, um, you know, this version of this library.
[00:21:00] That’s all automated, and those, the more systems you get in place, the more you as a security professional, or your security team will be able to focus on where they can really deliver value and frankly, where it’s more interesting work, so that’s what systems over people mean, is basically automate as much as you can to get people doing what people are really good at, and to make sure that the systems catch what we make as mistakes all the time.
If you accidentally try to push an old build out, you know that systems should stop that, if you push a build that hasn’t been checked by that container scanning or by, um, you know, it doesn’t have the appropriate security policy in place.
Systems should catch all that humans shouldn’t have to worry about it at all. That’s systems over processing. You saw that on the, uh, keys to success slide here. I’ll just pull it up. Um, you know, is that, that’s absolutely key.
Another question that we had, uh, was what we didn’t get into here, which was around the Well-Architected Framework. Now, this is a document that was published by AWS, uh, a number of years back, and they’ve kept it going.
They’ve evolved it and essentially it has five pillars. Um, performance, efficiency, uh, op- reliability, security, cost optimization, and operational excellence. Hey, I’ve got all five.
Um, and really [laughs] what that is, is it’s about how to take advantage of these cloud tools.
Now, AWS publishes it, but honestly it applies to Azure, it applies to Google Cloud as well. It’s not service specific. It teaches you how to build in the cloud, and obviously security is one of those big pillars, but it’s… so talking about teaching you how to make those trade offs, how to build an innovation flywheel, so that you have an idea, test it, uh, get the feedback from it, and move forward.
Um, and that’s really, really key. Again, now you should be reading that even if you are an Azure, or GCP customer or, uh, that’s where you’re putting your most of your stuff, because it’s really about the principles, and everything we do, and encourage people to build well, it means that there’s less security issues, right?
Especially we know that the number one problem is mistakes.
That leads to the last question we have here, which is about that, how can I say that cyber criminals, you don’t need to worry about them.
You need to worry about mistakes? That’s a good question. It’s valid, and, um, Trend Micro does a huge amount of research around cyber criminals. I do a whole huge amount of research around cyber criminals.
Uh, my training, by training, and by professional experience. I’m a forensic investigator. This is what I do is take down cyber crimes. Um, but I think mistakes are the number one thing that we deal with in the cloud simply because of the underlying complexity.
I know it’s ironic, and to talk about simplicity, to talk about complexity, but the idea is, um, is that you look at all the major breaches, especially around s3 buckets, those are all m- based on mistake.
There’ve been billions, and billions, and billions of records, and, uh, millions of dollars of damage exposed because of simple mistakes, and that is far more common, uh, than cyber criminals.
And yes, cyber crimes you have [inaudible 00:23:32] worry. You have to worry about them, but everything you’re going to do to fix mistakes, and to put systems in place to stop those mistakes from happening is also going to be for your pr- uh, protection up against cyber criminals, and honestly, if you’re the guy who runs around your organization’s screaming about cyber criminals all the time, you’re far less credible than if you’re saying, “Hey, I want to make sure that we build really, really well, and don’t make mistakes.”
Thank you for taking the time. My name’s Mark Nunnikhoven. I’m the vice president of cloud research at Trend Micro. I’m also an AWS community hero, and I love this stuff. Hit me up on social @marknca. Happy to chat more.
The post Cloud Security Is Simple, Absolutely Simple. appeared first on .
The Mac has always been pretty easy to use, but even the most ardent Mac supporters know there comes a time when their Mac is no longer new and they notice slowdowns in its performance, particularly after intensive use. They’d like a handy one-stop tool to help them optimize memory and CPU performance, free up disk space, and generally speed up their Mac, since they don’t want to dig around in the MacOS for buried utilities they don’t know how to use. Fortunately, Trend Micro has a solution for that.
Trend Micro Cleaner One Pro is an easy-to-use, all-in-one disk cleaning and optimization utility that can help you boost your Mac’s performance. Cleaner One Pro includes a number of Mac housecleaning tools such as a Memory Optimizer, a Junk Files cleaner, a Big Files scanner, a Duplicate Files finder, an App Manager, a File Shredder, and a Disk Map. These functions are all rolled into an easy-to-use interface that helps you visualize your Mac’s usage, while freeing up memory and storage on your Mac.
In this two-part blog, we will show you how you can use Cleaner One Pro to make your Mac run faster, walking you through its features. In Part 1, we focus on Quick Optimizer, the Main Console, and the Cleaning Tools. In Part 2, we’ll focus on System and Application Management, Privacy Protection, and some Other Options.
Once you’ve installed Cleaner One Pro, its Quick Optimizer appears in the Apple Menu, with handy tools to speed up your Mac. Click the icon and it displays a Console that monitors your Memory, Junk Files, CPU, and Network Usage, while letting you Optimize your Memory Usage and Clean your Junk Files with just one click. System Optimizer opens a Window onto the contents of your Mac for more detailed management.
Memory Optimizer
There are applications running in the background of your Mac that take up physical memory and affect its performance. The Memory Optimizer gives you control over how your computer consumes its memory resources—and you can free up your Mac’s memory in seconds with just one click on the Optimize button. If you want to see which apps are taking up significant memory, you can click the three-dot icon next to Memory Usage. It will show your Mac’s memory usage by app, in descending order. Click the Information (i) icon in the Memory Usage window for a breakdown of the types of memory being used.
Junk files, temporary files, system files and other non-essential items will accumulate on your Mac over time. These files take up a lot of space on your hard drive and may degrade the performance of your Mac as you reach higher disk usage. Click the Clean button and the Junk Files cleaner quickly removes application cache, system log files, update files, temporary files and hidden leftover files. You can also see the details of the identified Junk Files by clicking the three-dot icon next to Junk Files.
When your computer starts to run slowly it’s helpful to have a snapshot of its CPU usage. With this feature, you can see which apps are using significant CPU resources and how much percentage they’re using. It also let you know how long your computer has been up and running, since system reliability can degrade if it’s been awhile since you restarted your Mac.
If you want to keep an eye on your bandwidth consumption and avoid exceeding data caps, it’s useful to know the real-time download and upload speeds on your Mac. The Network Usage Monitor also provides a view of other network related information such as your Wi-Fi signal quality.
The Main Console is the core workplace in Trend Micro Cleaner One Pro and provides the following features, which are presented here grouped by purpose:
|
|
To access the Main Console, click System Optimizer in the Cleaner One Pro Apple Menu. The first time you do, you’ll need to authorize full access to your disk, so Cleaner One Pro can access more junk files. Simply click Grant Access in the System Optimizer window and watch the video or follow the written instructions. Complete the steps by closing Cleaner One Pro, then reload it. You’re now ready to begin optimizing.
The hard drive on your Mac holds the entire Mac operating system and important files including your data. As you use your Mac, over time its hard drive will accumulate junk files. These junk files are generated by the system and other programs. Cleaner One Pro is equipped with advanced and efficient algorithms that scan and remove junk files within seconds. Click Scan to scan for Junk Files and when the scan is done, either check a whole category or individual items in the category, then click Remove.
You may have a lot of clutter on your Mac in the form of big or old files that you probably no longer need and may have just forgotten about. Removing big unused files can recover a lot of disk space, but it could be time-consuming to delete them if done manually. Also, it is hard to select files for deletion if you don’t know the proper context— where the files are stored or how important they may be.
Big Files scanner provides a big file collector where you can easily spot and remove these files if you don’t need them anymore. Additionally, if you hover your mouse on a file, you’ll see a magnifier and a lock icon. Once you click the magnifier icon, you’ll locate the actual file. If you click the lock icon, the file will be added to the Ignore List, which will be locked.
Disk Map is a significant tool that helps you analyze the usage of your storage in a visual and interactive map. It quickly scans your drive and builds a visualization of files on the target folder of your Mac, allowing you to easily navigate the system. With Disk Map, you can find out the date when the file/folder was created, modified, and last opened. Furthermore, hovering your mouse on a folder then clicking the magnifier icon will direct you to the file’s location.
Another practice that you are probably comfortable doing is backing-up important files, photos, program installation files and apps on your hard drive. While this is a good practice, it creates duplicate files on your Mac that eventually add clutter and consume disk space. It’s also hard to find files in name searches when you have too many of them.
The Duplicate Files function lets you select a source folder where it will inspect and identify duplicate files on your Mac. In the scan results, an option called “Auto Select” helps you automatically select duplicate files. The information provided by “Auto Select” is listed below:
|
|
You can choose Remove to Trash or Delete Permanently on the confirmation page.
Often, you organize pictures of travels and life events, and also keep a copy to ensure you don’t lose those captured moments. But as digital photos pile up, often similar to others on your drive, they take up a lot of space. To assist you cleaning these up, use Similar Photos, and then choose your photo library to scan the photos on your Mac.
The result will display similar photos and you can choose the ones you don’t need, and the files will be added in the selected list. Click the Remove button to completely delete them from your hard drive.
That’s it for now! The second part of this blog will take up the remaining toolsets of Trend Micro Cleaner One Pro.
Go to Cleaner One Mac for more information or to purchase the app.
The post Cleaner One Pro Speeds Up Your Mac: Part 1 appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. Also, learn about a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173.
Read on:
Cloud Security is Simple, Absolutely Simple.
“Cloud security is simple, absolutely simple. Stop over complicating it.” This is the advice that Mark Nunnikhoven, vice president of cloud research at Trend Micro, shared to kick off his presentation at the CyberRisk Alliance Cloud Security Summit this year. Check out a recording of his talk in this blog recap to learn more.
Order Out of Chaos: Tackling Phishing Attacks
Responding to phishing attacks requires a combination of commodity tools, cutting-edge machine learning techniques and human-powered defense. That’s how to create order out of chaos and beat the phishers at their own game, according to Trend Micro’s Greg Young. Learn more in his recent article on phishing in Security Boulevard.
Beyond the Endpoint: Why Organizations are Choosing XDR for Holistic Detection and Response
The endpoint has long been a major focal point for attackers targeting enterprise IT environments. Yet increasingly, security teams are needing to protect data across the organization – whether it’s in the cloud, on IoT devices, in email, or on-premises servers – attackers may jump from one environment to the next in multi-stage attacks and even hide between the layers. XDR solutions offer a convincing alternative to EDR and point solutions.
15 Billion Credentials Currently Up for Grabs on Hacker Forums
Fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. A report released from the Digital Shadows Photon Research Team found that 100,000 separate data breaches over a 2-year period have yielded a 300% increase in stolen credentials, leaving a wealth of account details on dark-web hacker forums up for grabs.
ISO/SAE 21434: It’s Time to Put the Brakes on Connected Car Cyber-Threats
Connected cars are set to grow 270% by 2022 to reach an estimated 125 million in just a few years. However, the high-performance mobile computers in connected cars can also leave them exposed to sensitive data theft and remote manipulation, which could create serious physical safety issues. This is where the ISO/SAE 21434 standard comes in and creates detailed guidance for the automotive industry to help it navigate these challenges and reduce reputational and cyber-risk.
New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173
Trend Micro discovered a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which were not observed as exploited by past Mirai variants. This discovery is a new addition to the Mirai variants that appeared in the past few months which include SORA, UNSTABLE, and Mukashi.
Microsoft Files Lawsuit to Seize Fake Domains Used in COVID-19-Themed BEC Attacks
Microsoft has filed a lawsuit in an effort to seize control of several domains used to launch COVID-19-themed cyberattacks against the company’s customers in 62 countries. The company started tracking the malicious activity in December 2019 after identifying it as a phishing scheme attempting to compromise Microsoft customer accounts and access emails, contacts, sensitive files, and other information.
Cleaner One Pro Speeds Up Your Mac: Part 1
Trend Micro Cleaner One Pro is an easy-to-use, all-in-one disk cleaning and optimization utility that can help you boost your Mac’s performance. In this two-part blog series, Trend Micro outlines how you can use Cleaner One Pro to make your Mac run faster, walking you through its features. In Part 1, Trend Micro focuses on Quick Optimizer, the Main Console, and the Cleaning Tools.
Joker Malware Apps Once Again Bypass Google’s Security to Spread via Play Store
Cybersecurity researchers unveiled another instance of Android malware hidden under the guise of legitimate applications to stealthily subscribe unsuspecting users for premium services without their knowledge. The Joker malware has found another trick to bypass Google’s Play Store protections: obfuscate the malicious DEX executable inside the application as Base64 encoded strings, which are then decoded and loaded on the compromised device.
Malicious Chrome Extensions, Domains Used to Steal User Data
Google Chrome extensions and Communigal Communication Ltd. (Galcomm) domains were used in a campaign that aims to track user activity and data, according to Awake Security. In the past three months, the researchers found 111 malicious or fake Chrome extensions using Galcomm domains as their command and control infrastructure. There have been at least 32 million downloads of these malicious extensions.
Patch Now: F5 Vulnerability with CVSS 10 Severity Score
F5 Networks, a provider of networking devices and services, urges users to patch their BIG-IP networking systems as soon as possible after disclosing two vulnerabilities: CVE-2020-5902, a critical remote code execution (RCE) vulnerability found in BIG-IP device’s Traffic Management User Interface (TMUI), and CVE-2020-5903, a less critical vulnerability that involves cross-site scripting (XSS). F5 has now released patches for both in the vulnerabilities’ respective security advisories.
Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted
Over the past couple of months, ransomware has remained a formidable threat as new families, techniques, and targets continue emerging at every turn. Trend Micro recently witnessed the rise of a new ransomware family called Avaddon. In this blog, Trend Micro examines techniques utilized by some ransomware variants and the industries affected by these attacks.
70% of Organizations Experienced a Public Cloud Security Incident in the Last Year
70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos. Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.
Russian Group Cosmic Lynx Launches Over 200 BEC Campaigns
A Russian group dubbed as Cosmic Lynx initiated more than 200 Business Email Compromise (BEC) campaigns targeting hundreds of multinational companies, according to security firm Agari. Cosmic Lynx was revealed to have been launching campaigns in over 40 countries including the United States, Canada, and Australia since 2019. The average amount requested from the targets is at US $1.27 million.
Guidelines Related to Security in Smart Factories Part 3: NIST Cyber Security Framework
This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Part three dives into the NIST Cyber Security Framework (CSF), which is issued by US National Institute of Standards and Technology (NIST).
Has your organization experienced a public cloud security incident over the last year? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: 15 Billion Credentials Currently Up for Grabs on Hacker Forums and New Mirai Variant Expands Arsenal appeared first on .
In July 2015, I did my first threat webinar. I had planned to do it on a monthly basis, and never imagined I would still be doing it five years later, but here I am, still creating monthly webinars. I still do. I started the webinar series to help people understand the different threats targeting our customers and I have always tried to focus on three areas:
|
|
This last point, discussing technologies versus solutions, has been one of the key items I try to follow as much as possible – after all, the goal of my webinars is to be educational, not a sales pitch.
Coming from a technical background, BS in Electrical Engineering from Michigan State University (Go Spartans!!), I enjoy learning about the new technologies being used to detect the latest threats and to ensure you know what to look for when selecting a vendor and/or a security solution. Over the years, I’ve discussed everything from APTs, coinminers, exploits, messaging threats, ransomware, underground activity and lots in between. It is pretty easy to find topics to discuss, as there is so much going on in our industry, and with the malicious actors regularly shifting their tactics, techniques and procedures, I can keep the content fairly fresh.
I really enjoy having guest speakers on my webinars to mix things up a bit for the viewers as well, as I know my limitations – there are just too many threats out there to keep up with all of them. The main reason I love doing the threat webinars is that I enjoy sharing information and teaching others about our industry and the threats affecting them. If you want to check out any of my previous five years of webinars you can watch them here.
For my fifth year anniversary I wanted to try something different and I would like to do an open Q&A session. As I’ve never done this before, it will certainly be an interesting experience for me, but hopefully for you as well. I hope I can answer a majority of your questions, but I know some of you are way too smart for me, so please bear with me.
Our registration page for this webinar allows you to submit any pre-session questions that I’ll answer throughout the webinar. You can ask me anything that is on your mind and if I cannot get to your question, I’ll do my best to answer you afterwards in an email.
I hope to continue to do these webinars for the foreseeable future and I would like to end my post by thanking each and every one of you who has participated in my webinars over the years. It has been a pleasure, and I look forward to answering your questions.
Take care, stay healthy, and keep on smiling!
Jon
The post Ask Me Anything – Celebrating The Fifth Anniversary Of My Monthly Threat Webinar appeared first on .
Migrating to the cloud is hard. The PowerPoint deck and pretty architectures are drawn up quickly but the work required to make the move will take months and possibly years.
The early stages require significant effort by teams to learn new technologies (the cloud services themselves) and new ways of the working (the shared responsibility model).
In the early days of your cloud efforts, the cloud center of expertise is a logical model to follow.
A cloud center of excellence is exactly what it sounds like. Your organization forms a new team—or an existing team grows into the role—that focuses on setting cloud standards and architectures.
They are often the “go-to” team for any cloud questions. From the simple (“What’s an Amazon S3 bucket?”), to the nuanced (“What are the advantages of Amazon Aurora over RDS?”), to the complex (“What’s the optimum index/sort keying for this DynamoDB table?”).
The cloud center of excellence is the one-stop shop for cloud in your organization. At the beginning, this organizational design choice can greatly accelerate the adoption of cloud technologies.
The problem is that accelerated adoption doesn’t necessarily correlate with accelerated understanding and learning.
In fact, as the center of excellent continues to grow its success, there is an inverse failure in organizational learning which create a general lack of cloud fluency.
Cloud fluency is an idea introduced by Forrest Brazeal at A Cloud Guru that describes the general ability of all teams within the organization to discuss cloud technologies and solutions. Forrest’s blog post shines a light on this situation and is summed up nicely in this cartoon;
Our own Mark Nunnikhoven also spoke to Forrest on episode 2 of season 2 for #LetsTalkCloud.
Even though the cloud center of excellence team sets out to teach everyone and raise the bar, the work soon piles up and the team quickly shifts away from an educational mandate to a “fix everything” one.
What was once a cloud accelerator is now a place of burnout for your top, hard-to-replace cloud talent.
If you’ve paid attention to how cybersecurity teams operate within organizations, you have probably spotted a number of very concerning similarities.
Cybersecurity teams are also considered a center of excellence and the central team within the organization for security knowledge.
Most requests for security architecture, advice, operations, and generally anything that includes the prefix “cyber”, word “risk”, or hints of “hacking” get routed to this team.
This isn’t the security team’s fault. Over the years, systems have increased in complexity, more and more incidents occur, and security teams rarely get the opportunity to look ahead. They are too busy stuck in “firefighting mode” to take as step back and re-evaluate the organizational design structure they work within.
According to Gartner, for every 750 employees in an organization, one of those is dedicated to cybersecurity. Those are impossible odds that have lead to the massive security skills gap.
Security needs to follow the example of cloud fluency. We need “security fluency” in order to import the security posture of the systems we built and to reduce the risk our organizations face.
This is the reason that security teams need to turn their efforts to educating development teams. DevSecOps is a term chock full of misconceptions and it lacks context to drive the needed changes but it is handy for raising awareness of the lack of security fluency.
Successful adoption of a DevOps philosophy is all about removing barriers to customer success. Providing teams with the tools and autonomy they require is a critical factor in their success.
Security is just one aspect of the development team’s toolkit. It’s up to the current security team to help educate them on the principles driving modern cybersecurity and how to ensure that the systems they build work as intended…and only as intended.
The post Are You Promoting Security Fluency in your Organization? appeared first on .
The cloud space has been evolving for almost a decade. As a company we’re a major cloud user ourselves. That means we’ve built up a huge amount of in-house expertise over the years around cloud migration — including common challenges and perspectives on how organizations can best approach projects to improve success rates.
As part of our #LetsTalkCloud series, we’ve focused on sharing some of this expertise through conversations with our own experts and folks from the industry. To kick off the series, we discussed some of the security challenges solution architects and security engineers face with customers when discussing cloud migrations. Spoiler…these challenges may not be what you expect.
Drag and drop
This lack of strategy and planning from the start is symptomatic of a broader challenge in many organizations: There’s no big-picture thinking around cloud, only short-term tactical efforts. Sometimes we get the impression that a senior exec has just seen a ‘cool’ demo at a cloud vendor’s conference and now wants to migrate a host of apps onto that platform. There’s no consideration of how difficult or otherwise this would be, or even whether it’s necessary and desirable.
These issues are compounded by organizational siloes. The larger the customer, the larger and more established their individual teams are likely to be, which can make communication a major challenge. Even if you have a dedicated cloud team to work on a project, they may not be talking to other key stakeholders in DevOps or security, for example.
The result is that, in many cases, tools, applications, policies, and more are forklifted over from on-premises environments to the cloud. This ends up becoming incredibly expensive. as these organizations are not really changing anything. All they are doing is adding an extra middleman, without taking advantage of the benefits of cloud-native tools like microservices, containers, and serverless.
There’s often no visibility or control. Organizations don’t understand they need to lockdown all their containers and sanitize APIs, for example. Plus, there’s no authority given to cloud teams around governance, cost management, and policy assignment, so things just run out of control. Often, shared responsibility isn’t well understood, especially in the new world of DevOps pipelines, so security isn’t applied to the right areas.
Getting it right
These aren’t easy problems to solve. From a security perspective, it seems we still have a job to do in educating the market about shared responsibility in the cloud, especially when it comes to newer technologies, like serverless and containers. Every time there’s a new way of deploying an app, it seems like people make the same mistakes all over again — presuming the vendors are in charge of security.
Automation is a key ingredient of successful migrations. Organizations should be automating everywhere, including policies and governance, to bring more consistency to projects and keep costs under control. In doing so, they must realize that this may require a redesign of apps, and a change in the tools they use to deploy and manage those apps.
Ultimately, you can migrate apps to the cloud in a couple of clicks. But the governance, policy, and management that must go along with this is often forgotten. That’s why you need clear strategic objectives and careful planning to secure more successful outcomes. It may not be very sexy, but it’s the best way forward.
To learn more about cloud migration, check out our blog series. And catch up on all of the latest trends in DevOps to learn more about securing your cloud environment.
The post Fixing cloud migration: What goes wrong and why? appeared first on .
It started with one weird tweet. Then another. Quickly, some of the most prominent accounts on Twitter were all sending out the same message;
I am giving back to the community.
All Bitcoin sent to the address below will be sent back double! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.
[- BITCOIN WALLET ADDRESS -]
Are Apple, Elon Musk, Barrack Obama, Uber, Joe Biden, and a host of others participating in a very transparent bitcoin scheme?
No. Of course, not. The question was whether or not individual accounts were compromised or if something deeper was going on.
User Account Protection
These high profile accounts are prime targets for cybercriminals. They have a broad reach, and even a brief compromise of one of these accounts would significantly increase a hacker’s reputation in the underground.
That is why these accounts leverage the protections made available by Twitter in order to keep their accounts safe.
This means;
|
|
While it’s believed that one or two of these accounts failed to take these measures, it’s highly unlikely that dozens and dozens of them did. So what happened?
Rumours Swirl
As with any public attack, the Twitter-verse (ironically) was abuzz with speculation. That speculation ramped up when Twitter took the reasonable step of preventing any verified account from tweeting for about three hours.
This step helped prevent any additional scam tweets from being published and further raised the profile of this attack.
While some might shy away from raising the profile of an attack, this was a reasonable trade-off to prevent further damage to affected accounts and to help prevent the attack from taking more ground.
This move also provided a hint as to what was going on. If individual accounts were being attacked, it’s unlikely that this type of movement would’ve done much to prevent the attacker from gaining access. However, if the attacker was accessing a backend system, this mitigation would be effective.
Had Twitter itself been hacked?
Occam’s Razor
When imagining attack scenarios, a direct breach of the main service is a scenario that is often examined in-depth, which is also why it is one of the most planned for scenarios.
Twitter — like any company — has challenges with its systems, but they center primarily around content moderation…their backend security is top-notch.
An example of this an incident in 2018. Twitter engineers made a mistake that meant anyone’s password could have been exposed in their internal logs. Just in case, Twitter urged everyone to reset their password.
While possible, it’s unlikely that Twitter’s backend systems were directly breached. There is a much simpler potential explanation: insider access.
Internal Screenshot
Quickly after the attack, some in the security community noticed a screenshot of an internal support tool from Twitter surfacing in underground discussion forums. This rare inside view showed what appeared to be what a Twitter support team member would see.
This type of access is dangerous. Very dangerous.
Joseph Cox’s article detailing the hack has a key quote,
“We used a rep that literally done all the work for us.”
Anonymous Source
What remains unclear is whether this is a case of social engineering (tricking a privileged insider into taking action) or a malicious insider (someone internally motivated to attack the system).
The difference is important for other defenders out there.
The investigation is ongoing, and Twitter continues to provide updates via @TwitterSupport;
Our investigation is still ongoing but here’s what we know so far:
— Twitter Support (@TwitterSupport) July 16, 2020
Social Engineering
Donnie Sullivan from CNN has a fantastic interview with the legendary Rachel Tobac showing how simple social engineering can be and the dangerous impact it can have;
What is “social engineering,” you ask? @RachelTobac showed me. pic.twitter.com/TAw7FB1QPQ
— Donie O'Sullivan (@donie) July 16, 2020
If this attack was conducted through social engineering, the security team at Twitter would need to implement additional processes and controls to ensure that it doesn’t happen again.
Such a situation is what your team also needs to look at. While password resets, account closures, data transfers, and other critical processes are at particular risk of social engineering, financial transactions are atop the cybercriminal’s target list.
BEC—business email compromise—attacks accounted for USD 1.7 billion in losses in 2019 alone.
Adding additional side-channel confirmations, additional steps for verifications, firm and clear approvals and other process steps can help organizations mitigate these types of social engineering attacks.
Malicious Insider
If the attack turns out to be from a malicious insider. Defenders need to take a different approach.
Malicious insiders are both a security problem and human resource one.
From the security perspective, two key principles help mitigate the potential of these attacks;
Making sure that individuals only have the technical access needed to complete their assigned tasks, and only that access is key to limiting this potential attack. Combined with the smart separation of duties (one person to request a change, another to approval it), this significantly reduces the possibility of these attacks causing harm.
The other—and not often spoken of—side of these attacks is the reason behind the malicious intent. Some people are just malicious, and when presented with an opportunity, they will take it.
Other times, it’s an employee that feels neglected, passed over, or is disgruntled in some other way. A strong internal community, regular communication, and a strong HR program can help address these issues before they escalate to the point where aiding a cybercriminal becomes an enticing choice.
Support Risks
Underlying this whole situation is a more challenging issue; the level of access that support has to any given system.
It’s easy to think of a Twitter account as “yours.” It’s not. It’s part of a system run by a company that needs to monitor the health of the system, respond to support issues, and aid law enforcement when legally required.
All of these requirements necessitate a level of access that most don’t think about.
How often are you sharing sensitive information via direct message? Those messages are most likely accessible by support.
What’s to prevent them from accessing any given account or message at any time? We don’t know.
Hopefully, Twitter—and others—have clear guardrails (technical and policy-based) in place to prevent abuse of support access, and they regularly audit them.
It’s a hard balance to strike. User trust is at stake but also the viability of running a service.
Clear, transparent policies and controls are the keys to success here.
Abuse can be internal or external. Support teams typically have privileged access but are also among the lowest paid in the organization. Support—outside of the SRE community—is usually seen as entry-level.
These teams have highly sensitive access, and when things go south, can do a lot of harm. Again, the principles of least privilege, separation of duties, and a strong set of policies can help.
What’s Next?
In the coming days, more details of the attack will surface. In the meantime, the community is still struggling to reconcile the level of access gained and how it was used.
Getting access to some of the world’s most prominent accounts and then conducting a bitcoin scam? Based on the bitcoin transactions, it appears the cybercriminals made off with a little over USD 100,000. Not insignificant, but surely there were other opportunities?
Occam’s razor can help here again. Bitcoin scams and coin miners are the most direct method fo cybercriminals to capitalized on their efforts. Given the high profile nature of the attack, the time before the discovery was always going to be sure. This may have been the “safest” bet for the criminal(s) to profit from this hack.
In the end, it’s a lesson for users of social networks and other services; even if you take all of the reasonable security precautions, you are relying on the service itself to help protect you. That might not always hold true.
It’s a harsh reminder that the very tooling you put in place to run your service may be its biggest risk for service providers and defenders…a risk that’s often overlooked and underestimated.
In the end, Marques Brownlee sums it up succinctly;
Don't send Bitcoin to strangers.
— Marques Brownlee (@MKBHD) July 15, 2020
What do you think of this entire episode? Let’s talk about it—un-ironically—on Twitter, where I’m @marknca.
The post Twitter Hacked in Bitcoin Scam appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about Trend Micro’s report on the botnet battle for IoT territory and how attacker groups are trying to gain control of vulnerable routers and other devices. Also, learn about a Twitter breach that happened earlier this week, involving some of the most well-known and wealthiest people and brands globally.
Read on:
‘DDoS-For-Hire’ is Fueling a New Wave of Attacks
Earlier this week, Trend Micro released a report about escalating global turf wars between attacker groups vying to seize control of vulnerable routers and other devices, titled “Worm War: The Botnet Battle for IoT Territory.” Robert McArdle, director of Trend Micro’s forward-looking threat research (FTR) and David Sancho, senior threat researcher, spoke with WIRED about findings from the report and how the aim of attacker groups is to power botnets that can direct a firehose of malign traffic or requests for DDoS attacks.
Extraordinary Twitter Hack Compromises Some of the World’s Most Prominent Accounts
Earlier this week, hackers hijacked the Twitter accounts of some of the world’s most prominent and wealthiest people and brands including Barack Obama, Joe Biden, Kanye West, Jeff Bezos, Bill Gates, Elon Musk and tech giant Apple. These hacked accounts sent out messages promising bitcoin payments as part of a scam.
Tax Scams – Everything You Need to Know to Keep Your Money and Data Safe
Cybercriminals are always on the hunt for two things: people’s identity data from their accounts and their money. Both can be exposed during the tax-filing season, and cybercriminals have adapted multiple tools and techniques to obtain this information. In this blog, take a look at some of the main threats during tax-filing season and what you can do to stay safe.
Russia is Trying to Hack and Steal Coronavirus Vaccine Data, U.S., Canadian and UK Officials Claim
Officials said that hackers linked to Russian intelligence services are trying to steal information about coronavirus vaccine research in the U.S., Canada and the U.K. They said that a group known as APT29 — also known as “Cozy Bear” and believed to be associated with Russian intelligence — was likely to blame for the attack, which used spear phishing and custom malware to target vaccine researchers.
Trend Micro and Girls in Tech to Provide Cybersecurity Training to Girls Around the World
Trend Micro recently announced that it is expanding its partnership with non-profit Girls in Tech with a new initiative aimed at closing the gender diversity and talent gap in the technology industry. Together, the organizations will provide cybersecurity training to girls around the world to help develop a large talent pool of women eager to get their start in the industry.
Microsoft Tackles 123 Fixes for July Patch Tuesday
A critical DNS bug and a publicly known elevation-of-privilege flaw top this month’s Patch Tuesday list of 123 fixes. This article includes data from the Trend Micro Zero Day Initiative (ZDI) July Patch Tuesday blog post, which says that this Patch Tuesday “makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742. For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month.”
Guidelines Related to Security in Smart Factories (Part 4) NIST SP800 Series
This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Based on the NIST CSF that was introduced in Part 3, from the SP800 series which are guidelines with high specificity, Part 4 explains SP800-53, SP800-82, and SP800-171, which are considered to be particularly relevant to general manufacturing industries.
TikTok’s Huge Data Harvesting Prompts U.S. Security Concerns
Security researchers say TikTok’s information collection practices are consistent with Facebook Inc., Google and other U.S. tech companies looking to tailor ads and services to their users. The bigger issue lies in what TikTok does with the intel it gathers. Some groups like the Democratic and Republican national committees and Wells Fargo & Co. have discouraged or banned people from using the app.
Infrastructure as Code: Security Risks and How to Avoid Them
Infrastructure as Code (IaC) is a key DevOps practice that bolsters agile software development. In this report, Trend Micro identifies security risk areas in IaC implementations and the best practices in securing them.
Lost in Translation: Serious Flaws Found in ICS Protocol Gateways
Marco Balduzzi, senior research scientist with Trend Micro, will disclose details of multiple vulnerabilities he and his team discovered in a sampling study of five popular ICS gateway products at Black Hat USA’s virtual event next month. Their findings focus not on the gateways’ software nor the industrial protocols as in previous research, but rather on a lesser-studied function: the protocol translation process that the devices conduct.
Fixing Cloud Migration: What Goes Wrong and Why?
As part of our #LetsTalkCloud series, Trend Micro is sharing some of its deep, in-house expertise on cloud migration through conversations with company experts and folks from the industry. To kick off the series, this blog covers some of the security challenges that solution architects and security engineers face with customers when discussing cloud migrations. Spoiler: these challenges may not be what you expect.
Has your organization experienced security challenges related to cloud migration? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Trend Micro Research Discovers Cybercriminal Turf War on Routers and a Massive Twitter Breach Compromises Some of the World’s Most Prominent Accounts appeared first on .
TL;DR Deal with your dirty laundry.
Have you ever skipped doing your laundry and watched as that pile of dirty clothes kept growing, just waiting for you to get around to it? You’re busy, you’re tired and you keep saying you’ll get to it tomorrow. Then suddenly, you realize that it’s been three weeks and now you’re running around frantically, late for work because you have no clean socks!
That is technical debt.
Those little things that you put off, which can grow from a minor inconvenience into a full-blown emergency when they’re ignored long enough.
How many times have you had an alarm go off, or a customer issue arise from something you already knew about and meant to fix, but “haven’t had the time”? How many times have you been working on something and thought, “wow, this would be so much easier if I just had the time to …”?
That is technical debt.
But back to you. In your craze to leave for work you manage to find two old mismatched socks. One of them has a hole in it. You don’t have time for this! You throw them on and run out the door, on your way to solve real problems. Throughout the day, that hole grows and your foot starts to hurt.
This is really not your day. In your panicked state this morning you actually managed to add more pain to your already stressed system, plus you still have to do your laundry when you get home! If only you’d taken the time a few days ago…
In the tech world where one seemingly small hole – one tiny vulnerability – can bring down your whole system, managing technical debt is critical. Fixing issues before they become emergent situations is necessary in order to succeed.
If you’re always running at full speed to solve the latest issue in production, you’ll never get ahead of your competition and only fall further behind.
It’s very easy to get into a pattern of leaving the little things for another day. Build optimizations, that random unit test that’s missing, that playbook you meant to write up after the last incident – technical debt is a real problem too! By spending just a little time each day to tidy up a few things, you can make your system more stable and provide a better experience for both your customers and your fellow developers.
Picture your code as that mountain of dirty laundry. Each day that passes, you add just a little more to it. The more debt you add on, the more daunting your task seems. It becomes a thing of legend. You joke about how you haven’t dealt with it, but really you’re growing increasingly anxious and wary about actually tackling it, and what you’ll find when you do.
Maybe if you put it off just a little bit longer a hero will swoop in and clean up for you! (A woman can dream, right?) The more debt you add, the longer it will take to conquer it, and the harder it will be and the higher the risk is of introducing a new issue.
This added stress and complexity doesn’t sound too appealing, so why do we do it? It’s usually caused by things like having too much work in progress, conflicting priorities and (surprise!) neglected work.
Managing technical debt requires only one important thing – a cultural change.
As much as possible we need to stop creating technical debt, otherwise we will never be able to get it under control. To do that, we need to shift our mindset. We need to step back and take the time to see and make visible all of the technical debt we’re drowning in. Then we can start to chip away at it.
My team took a page out of “The Unicorn Project” (Kim, 2019) and started by running “debt days” when we caught our breath between projects. Each person chose a pain point, something they were interested in fixing, and we started there. We dedicated two days to removing debt and came out the other side having completed tickets that were on the backlog for over a year.
We also added new metrics and dashboards for better incident response, and improved developer tools.
Now, with each new code change, we’re on the lookout. Does this change introduce any debt? Do we have the ability to fix that now? We encourage each other to fix issues as we find them whether it’s with the way our builds work, our communication processes or a bug in the code.
We need to give ourselves the time to breathe, in both our personal lives or our work day. Taking a pause between tasks not only allows us to mentally prepare for the next one, but it gives us time to learn and reflect. It’s in these pauses that we can see if we’ve created technical debt in any form and potentially go about fixing it right away.
The improvement of daily work ultimately enables developers to focus on what’s really important, delivering value. It enables them to move faster and find more joy in their work.
So how do you stay on top of your never-ending laundry? Your family chooses to makes a cultural change and decides to dedicate time to it. You declare Saturday as laundry day!
Make the time to deal with technical debt –your developers, security teams, and your customers will thank you for it.
The post Have You Considered Your Organization’s Technical Debt? appeared first on .
In Part 1 of this blog, we introduced Trend Micro Cleaner One Pro, a one-stop shop to help you speed up your Mac, highlighting the Quick Optimizer, the Main Console, and the Cleaning Tools. In Part 2, we resume the discussion of how to make your Mac run faster with the remaining Cleaner One Pro features: System and Application Management, Privacy Protection, and Other Options.
Your Mac may get sluggish after a year or two of usage and you may find that booting up takes a lot longer. Doing a Startup Manager scan can help you reduce slowdown due to unwanted startup programs and services, to help your Mac boot faster.
Upon completing the scan, Startup Manager will identify apps under two categories: Login Items and Launch Agents.
Login Items are apps that run automatically upon login. You can manage these apps by enabling them to run automatically or disabling them to make your Mac more efficient. If you don’t need autorun, you can remove the apps from the list.
Launch Agents are background services that run automatically on System startup for the extension features of apps. You can manage these services by letting them run automatically or by disabling them to make your Mac boot faster. Similarly, you can remove these agents if you don’t need them or they’re broken.
When a user installs an app that doesn’t meet their expectations, they’ll never use it again. In many cases, they remove the app by simply dragging it into the trash, assuming the action completely removes the app, but this is not always true. When you uninstall an app, there are often associated files left on your Mac, even after you have emptied the Trash. They’re known as leftovers.
Leftovers are an app’s associated files and folders that can include different languages, log files, agents, or processes that might try to start an application. App Manager aims to resolve this and helps you clean up your Mac by completely removing app leftovers. App Manager detects all app leftovers automatically so you can remove them with just one click.
Data security and privacy are especially important and managing these applies to anyone collecting and keeping data. Data that has reached its retention limit needs to be permanently removed from your file system and to be sure it can’t be recovered you need to overwrite the file with random series of binary data multiple times. This process is often referred to as shredding. With File Shredder, you can remove sensitive files from your hard disk without worrying that they can be recovered.
Preferences allows you to manage how the Cleaner One Pro app performs. In Preferences, you’ll see General, Notifications, Memory, Duplicates, Whitelists and Auto Select.
On the General tab, you can choose Auto start at login and other options according to how you would like Cleaner One Pro to behave during startup.
On the Notifications tab, you can disable the notification about smart memory optimization.
Cleaner One Pro is also equipped with a Smart Memory Optimization feature on the Memory tab. This feature uses artificial intelligence. You can set auto clean when your available memory is low or when an app is closed.
The Duplicates, Whitelists and Auto Select tabs work when you use the Duplicate Files feature on the main console. When there are too many duplicate files on your Mac, you can set the rules on the minimum file size, as well as which files to exempt or prioritize during deletion.
If you need technical assistance about Cleaner One Pro, click the robot icon either in the Apple Menu window or on the Main Console.
A chat support person will attend to your concerns or suggestions when using Cleaner One Pro. In case there is no available support engineer, you can send an email by clicking Send Email. Make sure to provide the correct email address.
Aside from Cleaner One Pro for Mac, we offer Antivirus One for Mac—as well as Cleaner One for iPhone, which you can download by scanning the QR Code. You can also submit your ideas for Other Tools by clicking the panel.
As you use your Mac over time, you need to maintain it to keep it running smoothly. Trend Micro Cleaner One Pro can clean up your disk space, help boost performance, and solve other Mac issues you might encounter during your daily work. As you consider it for your Mac, you may have remaining questions:
What’s the difference between the Free version and the Paid version? The Free version of Cleaner One Pro includes the Memory Optimizer, basic CPU and Network Monitoring, a Junk Files Cleaner, a Big Files Scanner, a Disk Map, and the Startup Manager. The Paid upgrade of Cleaner One Pro unlocks more features, including more Advanced CPU/Network Monitoring, a Duplicate Finder, a Similar Photos Scanner, an App Manager, and a File Shredder.
Is it safe to use Cleaner One Pro? Cleaner One Pro is notarized by Apple, which assures its users both security and privacy.
How can I download Cleaner One Pro? Cleaner One Pro is distributed via the official Trend Micro website and other authorized channels. Note that Cleaner One Pro is also available for Windows. To make it easy for the readers of this blog series, we’ve provided the download links here: Download Mac Version – Download Windows Version
Go to Cleaner One Windows or to Cleaner One Mac for more information or to purchase the apps.
The post Cleaner One Pro Speeds Up Your Mac: Part 2 appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read new insights from Trend Micro that look at the market for underground hosting services and where cybercriminals rent the infrastructure for their business. Also, learn about Apple’s new iPhone Research Device Program that will provide certain hackers with special devices to conduct security research.
Read on:
Trend Micro Research Uncovers the Business Infrastructure of Cybercrime
This week Trend Micro released new insights analyzing the market for underground hosting services and detailing how and where cybercriminals rent the infrastructure that hosts their business. This first report of a planned three-part series details the market for buying and selling these services, which are the backbone of every other aspect of the cybercriminal business model, whether that includes sending spam, communicating with a command and control server, or offering a help desk for ransomware.
Have You Considered your Organization’s Technical Debt?
In the tech world where one seemingly tiny vulnerability can bring down your whole system, managing technical debt is critical. Fixing issues before they become emergent situations is necessary in order to succeed. By spending a little time each day to tidy up a few things, you can make your system more stable and provide a better experience for both your customers and your fellow developers.
New ‘Shadow Attack’ Can Replace Content in Digitally Signed PDF Files
Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany.
Cleaner One Pro Speeds Up Your Mac: Part 2
In the first part of this blog series, Trend Micro introduced its Cleaner One Pro, a one-stop shop to help you speed up your Mac, highlighting the quick optimizer, the main console, and the cleaning tools. In part two, Trend Micro resumes the discussion of how to make your Mac run faster with more Cleaner One Pro features: system and application management, privacy protection and other options.
Multi-Platform Malware Framework Linked to North Korean Hackers
Security researchers at Kaspersky have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years. Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.
Updates on ThiefQuest, the Quickly-Evolving macOS Malware
In early July, Trend Micro noticed a new malware dubbed ThiefQuest, a threat that targets macOS devices, encrypts files, and installs keyloggers in affected systems. However, new reports on the malware state the assumption that the malware’s ransomware activity is not its main attack method; rather, it is a pre-emptive move to disguise its other capabilities such as file exfiltration, Command and Control (C&C) communication, and keylogging.
Apple’s Long-Awaited Security Device Research Program Makes its Debut
In order to make it easier for security researchers to find vulnerabilities in iPhones, Apple is launching an iPhone Research Device Program that will provide certain hackers with special devices to conduct security research. Beyond enhancing security for iOS users and making it easier to unearth flaws in iPhones, the program also aims to improve the efficiency of ongoing security research on iOS.
Guidelines Related to Security in Smart Factories Part 5: CIS Controls
The purpose of this blog series is to explain typical examples of general-purpose guidelines for ICS and OT security and understand the concepts required for security in smart factories. As a subset of NIST SP800-53 which was introduced in part four, part five explains the CIS Controls that correspond to practical guides.
US Charges Two Chinese Spies for a Global Hacking Campaign that Targeted COVID-19 Research
U.S. prosecutors have charged two Chinese nationals, said to be working for China’s state intelligence bureau, for their alleged involvement in a massive global hacking operation that targeted hundreds of companies and governments for more than a decade. The 11-count indictment, unsealed Tuesday, alleges Li Xiaoyu, 34, and Dong Jiazhi, 33, stole terabytes of data from high-technology companies around the world—including the United States.
Twitter Hacked in Bitcoin Scam
Are Apple, Elon Musk, Barrack Obama, Uber, Joe Biden, and a host of others participating in a very transparent bitcoin scheme? No. The question was whether individual accounts were compromised or if something deeper was going on. Underlying this whole situation is a more challenging issue: The level of access that support has to any given system.
What are your thoughts on Apple’s new iPhone Research Device program? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Trend Micro Research Uncovers the Business Infrastructure of Cybercrime and Apple Launches Security Device Research Program appeared first on .
Ransomware is Still a Blight on Business
Trends come and go with alarming regularity in cybersecurity. Yet a persistent menace over the past few years has been ransomware. Now mainly targeting organizations rather than consumers, and with increasingly sophisticated tools and tactics at their disposal, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. That’s why we need industry partnerships like No More Ransom.
Celebrating its fourth anniversary this week, the initiative has helped over four million victims fight the scourge of ransomware, saving hundreds of millions of dollars in the process. At Trend Micro, we’re proud to have played a major part, helping to decrypt over 77 million files for victims.
Not going anywhere
Ransomware has been with us for years, but only really hit the mainstream after the global WannaCry and NotPetya incidents of 2017. Unfortunately, that was just the start. Today, no sector is safe. We saw attacks rage across US municipalities, school districts and hospitals in 2019. Most recently, a major outage at a connected technology giant impacted everything from consumer fitness trackers to on-board flight systems.
Such attacks can hit victim organizations hard. There are serious reputational and financial repercussions from major service outages, and the stakes have been raised even further as attackers now often steal data before encrypting victims’ files. A recent incident at a US cloud computing provider has led to data compromise at over 20 universities and charities in the UK and North America, for example. A separate ransomware attack on a managed service provider earlier this year may cost it up to $70m.
The bad guys have shown no sign of slowing down during the pandemic — quite the reverse. Even as hospitals have been battling to save the lives of patients battling COVID-19, they’ve been targeted by ransomware designed to lock mission-critical systems.
No More Ransom
That’s why we need to celebrate public-private partnerships like No More Ransom, which provides helpful advice for victims and a free decryption tool repository. Over the past four years it has helped 4.2 million visitors from 188 countries, preventing an estimated $632 million in ransom demands finding its way into the pockets of cyber-criminals.
At Trend Micro, we’re proud to have been an associate partner from the very start, contributing our own decryption tools to the scores available today to unlock 140 separate ransomware types. Since the start of No More Ransom, Trend Micro tools have been downloaded nearly half a million times, helping over 50,000 victims globally to decrypt more than 77 million files. We simply can’t put a price on this kind of intervention.
https://www.europol.europa.eu/publications-documents/infographic-4th-anniversary-no-more-ransom
Yet while the initiative is a vital response to the continued threat posed by ransomware, it is not all we can do. To truly beat this menace, we need to educate organizations all over the planet to improve their resilience to such malware threats. That means taking simple steps such as:
|
|
I’m also speaking on a panel today hosted by the U.S. Chamber of Commerce on NotPetya and general ransomware attack trends related to the pandemic. Join us to learn more about ransomware from law enforcement agencies, policy makers and businesses.
If your organization has been impacted by ransomware, check the resources available on https://www.nomoreransom.org/ for advice and access to the free decryption tool repository.
The post Ransomware is Still a Blight on Business appeared first on .
This material was published by ESG Research Insights Report, Validating Trend Micro’s Approach and Enhancing GTM Intelligence, 2020.
The post ESG Findings on Trend Micro Cloud-Powered XDR Drives Monumental Business Value appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion. Also, learn about how the Vermont Department of Taxes may have been exposing taxpayer data for more than three years.
Read on:
Ransomware is Still a Blight on Business
Ransomware has been with us for years, but only really became mainstream after the global WannaCry and NotPetya incidents of 2017. Now mainly targeting organizations in lieu of consumers, and with increasingly sophisticated tools and tactics, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. That’s why we need industry partnerships like No More Ransom.
Garmin Outage Caused by Confirmed WastedLocker Ransomware Attack
Wearable device maker Garmin shut down some of its connected services and call centers last week following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack. Garmin’s product line includes GPS navigation and wearable technology for the automotive, marine, aviation, marine, fitness, and outdoor markets.
Trend Micro Launches Cloud Solution for Microsoft Azure
Trend Micro announced the availability of its Trend Micro Cloud One – Conformity offering to Azure customers, helping global organizations tackle misconfigurations, compliance challenges and cyber-risks in the cloud. The company also achieved the CIS Microsoft Azure Foundation Security Benchmark, certifying that the Conformity product has built-in rules to check for more than 100 best practices in the CIS framework.
Ensiko: A Webshell with Ransomware Capabilities
Ensiko is a PHP web shell with ransomware capabilities that targets platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell.
‘Boothole’ Threatens Billions of Linux, Windows Devices
A newly discovered serious vulnerability – dubbed “BootHole” – with a CVSS rating of 8.2 could unleash attacks that could gain total control of billions of Linux and Windows devices. Security firm Eclypsium researchers released details this week about how the flaw can take over nearly any device’s boot process.
Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
Following the initial disclosure of two F5 BIG-IP vulnerabilities in early July, Trend Micro continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.
Hackers Stole GitHub and GitLab OAuth Tokens from Git Analytics Firm Waydev
Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. Earlier this month, the company disclosed a security breach, saying that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.
As the world currently grapples with the disruption brought about by the coronavirus pandemic, the need for digital transformation has become not only more apparent but also more urgent. Applications now play an integral role, with many businesses and users relying on a wide range of applications for work, education, entertainment, retail, and other uses.
Vermont Taxpayers Warned of Data Leak Over the Past Three Years
The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. A notice posted on the department’s website warned taxpayers who filed a Property Transfer Tax return through the department’s online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked.
Guidelines Related to Security in Smart Factories Part 6: MITRE ATT&CK
This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Thus far, part one through part five have explained IEC62443, the NIST CSF, part of the P800 series, and CIS Controls. In part six, Trend Micro explains MITRE ATT&CK, although not a guideline, it is a knowledge base in which offensive and defensive technologies in cyber-attacks are clearly organized.
Netgear has decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. The vulnerability was revealed publicly in June by Trend Micro’s Zero Day Initiative (ZDI).
Online Dating Websites Lure Japanese Customers to Scams
In May, Trend Micro observed a sudden increase in traffic for online dating websites primarily targeting Japanese customers. After analyzing and tracking these numbers, we found that these dating scam campaigns attract potential victims by using different website domains that have similar screen page layouts. By the end of the transactions, the fraudsters steal money from victims without the subscribers receiving any of the advertised results.
ESG Findings on Trend Micro Cloud-Powered XDR Drives Monumental Business Value
Trend Micro’s cloud-powered XDR and Managed XDR offerings optimize threat detection and response across all critical vectors. In a recent survey commissioned by Trend Micro and conducted by ESG, organizations surveyed experience faster detection and less alert fatigue as a result of intelligently using data from all their security controls (including those covering endpoints, email, servers, cloud workloads and networks).
How does your organization manage threat detection and response? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. Based on research that Trend Micro released during Black Hat USA this past week, read about how some industrial robots have flaws that could make them vulnerable to advanced hackers, as well as the risks related to protocol gateways and how to secure these devices.
Read on:
Unveiling the Hidden Risks of Industrial Automation Programming
The legacy programming environments of widely used industrial machines could harbor virtually undetectable vulnerabilities and malware. Trend Micro’s recent security analysis of these environments, presented at Black Hat USA 2020 this week, reveals critical flaws and their repercussions for smart factories.
Top 6 Cybersecurity Trends to Watch for at Black Hat USA 2020
At this year’s Black Hat USA 2020 conference, some of the top trends expected to surface include ransomware, election security and how to protect a remote workforce. Trend Micro’s vice president of cybersecurity, Greg Young, said, “Cybercrime increased rather than slowed down due to the pandemic, as we saw 1 billion more threats blocked in the first half of 2020 compared to 2019.”
Lost in Translation: When Industrial Protocol Translation Goes Wrong
Also presented this week at Black Hat USA, this recent research from Trend Micro examines the risks related to protocol gateways, the possible impact of an attack or wrong translation, and ways to secure these devices.
As COVID-19 cases around the U.S. continue to rise, the International Criminal Police Organization (INTERPOL) says that governments are seeing an “alarming” rate of cyberattacks aimed at major corporations, governments and critical infrastructure.
Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts
A series of ongoing business email compromise (BEC) campaigns that uses spear-phishing schemes on Office 365 accounts has been seen targeting business executives of more than 1,000 companies globally since March. The campaigns target senior positions in the United States and Canada, and the fraudsters, dubbed “Water Nue” by Trend Micro, primarily target accounts of financial executives to obtain credentials for further financial fraud.
Robots Running the Industrial World Are Open to Cyber Attacks
Industrial robots are now being used to assemble everything from airplanes to smartphones, using human-like arms to mechanically repeat the same processes over and over, thousands of times a day with nanometric precision. But according to a new report from Trend Micro, some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely.
Patch Fail Led to Password Leak of 900 VPN Enterprise Servers
Applying a security update to a CVE released more than a year ago could have prevented a hacker from publishing plaintext usernames and passwords as well as IP addresses for more than 900 Pulse Secure VPN enterprise servers. This vulnerability, CVE 2019-11510, was one of the several recently exploited vulnerabilities by Russia’s Cozy Bear, APT29, in an attempt to steal COVID-19 vaccine research.
U.S. Offers Reward of $10M for Info Leading to Discovery of Election Meddling
The U.S. government is concerned about foreign interference in the 2020 election, so much so that it will offer a reward of up to $10 million for anyone providing information that could lead to tracking down potential cybercriminals aiming to sabotage the November vote.
TeamViewer Flaw Could be Exploited to Crack Users’ Password
A high-risk vulnerability in TeamViewer for Windows could be exploited by remote attackers to crack users’ password and, consequently, lead to further system exploitation. CVE-2020-13699 is a security weakness arising from an unquoted search path or element – more specifically, it’s due to the application not properly quoting its custom URI handlers – and could be exploited when the system with a vulnerable version of TeamViewer installed visits a maliciously crafted website.
Black Hat: How Your Pacemaker Could Become an Insider Threat to National Security
Implanted medical devices are an overlooked security challenge that is only going to increase over time. The emerging problem of vulnerabilities and avenues for attack in IMDs was first highlighted by the 2017 case of St. Jude (now under the Abbott umbrella), in which the US Food and Drug Administration (FDA) issued a voluntary recall of 465,000 pacemakers due to vulnerabilities that could be remotely exploited to tamper with the life-saving equipment.
What was your favorite session from Black Hat USA this week? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Robots Running the Industrial World Are Open to Cyber Attacks and Industrial Protocol Translation Gone Wrong appeared first on .
The past few months have seen radical changes to our work and home life under the Coronavirus threat, upending norms and confining millions of American families within just four walls. In this context, it’s not surprising that more of us are spending an increasing portion of our lives online. But this brings with it some familiar cyber-risks. In Part 1 of this mini-series, we explained how cyber-criminals are looking to capitalize on these sweeping changes to society to further their own ends.
Now let’s take a look at what you can do to protect your family, your data, and access to your corporate accounts.
The bad guys are laser-focused on stealing your personal data and log-ins and increasingly see the remote worker as an easy target for leapfrogging into corporate networks. That’s not to mention the potential internet safety risks inherent in bored kids spending more time in front of their screens. To respond, you’ll need to create an equally focused “home security plan” governed by sensible policies and best practices. Here are some of the key areas to consider.
Protect your smart home and router
Increasingly, unprotected smart home devices are being targeted by cyber-criminals to turn into botnets to attack others. They might also provide sophisticated attackers with a stepping-stone into your corporate systems, via the home network. The home router, with its known flaws, is (after the modem) the digital front door to the smart home and the basis for your networking, so it should be first in any security strategy. Consider the following when tackling home network security:
|
|
Secure your home office
Cyber-criminals are primed to take advantage of distracted home workers and potentially less secure PCs/devices. Secure this environment by doing the following:
|
|
Stay safe from phishing
Phishing is the number one tactic used by attackers to trick you into installing malware or handing over your log-ins. Emails, text messages, social media messages and more are spoofed to appear as if sent by a legitimate company or contact. In response:
|
|
Use video conferencing safely
New videoconferencing platforms can introduce risk, especially if you’re not familiar with the default settings. Here’s how to stay safe when video conferencing:
|
|
Stay safe shopping and banking
Next, protect your financial information and stay safe from e-commerce fraud by doing the following:
|
|
Think about online safety for kids
They may be under your roof for more hours of the day than usual, but your children are also likely to be spending more time online. That means you need to have a measured conversation with them about internet safety, backed up with parental controls. Consider the following:
|
|
Mobile security best practices
Finally, sheltering at home has limits, particularly for restless kids. When they go to the store or out to the park, facemasks notwithstanding, they’re likely going to use their mobile devices, just as they’ll continue to do at home. Of course, you’re not exempt either from mobile threats. Ensure mobile security by
|
|
When it comes to protecting the home from security and privacy threats during lockdown, leave no stone unturned. Cyber-criminals will always look for the weak link in the chain and focus their efforts there. Network security is important, but it doesn’t replace the need for protection on each individual device. You’ll need to cover your router, network, smart devices, and all endpoints (PCs, laptops, mobiles and other devices). Here’s how Trend Micro can help:
Trend Micro Home Network Security
Trend Micro Home Network Security provides industry-leading protection against any threats to internet-connected devices in the home. The solution
|
|
Trend Micro Security (PC and Mac)
Trend Micro Security, available in various editions (led by Trend Micro Maximum Security), is Trend’s flagship endpoint security product for consumers. Available for both PCs and Macs, it features AI learning to stop advanced threats. Among a wide range of protections, it includes:
|
|
Trend Micro Mobile Security:
Trend Micro Mobile Security provides endpoint security for all your mobile devices, whether Android or iOS-based.
|
|
Additional Trend Micro Tools:
Network and endpoint security should be supplemented with tools that accomplish specific tasks, such as protecting your internet connections, your passwords, and your identity data. Trend Micro provides
|
|
Maintaining your family’s security and privacy on all their devices during the coronavirus lockdown above all means changing your mindset, to take into account the mix of work and play in the household during the “new normal.” Use these tips and tools during lockdown and you’ll be well on your way to ensuring you and your family’s safety from malicious viruses—both digital and natural.
The post Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World (Part 2) appeared first on .
Welcome to the new normal. We’re all now living in a post-COVID-19 world characterized by uncertainty, mass home working and remote learning. The lines demarcating normal life have shifted abruptly – perhaps never to return. That’s not the worst that can happen, as we all know, but it does mean we all need to get used to new ways of living, working and studying from home. This has major implications for the online safety, security and privacy of our families.
To help you adapt to these new conditions while protecting what matters most, Trend Micro has developed a two-part blog series on “The New Normal.” Part 1 identifies the scope and specific cyber-threats of the new normal. Part 2 provides security tips and products to help address those threats.
In April, nearly 300 million Americans were estimated to be in government-mandated lockdown. Even as some businesses, municipalities and states begin to relax these rules, experts have warned of subsequent waves of the virus, which could result in new localized lockdowns. In short, a lot of people will continue to work from home, while their children, also at home, attempt to study remotely from their mobile devices.
This has considerable implications for how we spend our time. Without that morning commute to work or school, more of it than ever will involve sitting in front of a desktop, laptop, tablet or smartphone screen. Even the smart TV is enlisted. Dangers include
|
|
Unfortunately, the increase in working from home (WFH), especially for those not used to it, may lead to an increase in risky behavior, such as: using non-approved apps for work; visiting non work-related sites on work devices; and using personal devices to access work resources. Recent global Trend Micro research found that:
|
|
This is not about restricting your freedom to visit the sites you want to visit while at home. It’s about reducing the risk of exposing corporate data and systems to possible malware.
Unsurprisingly, there has also been a major uptick in the volume of cyber-threats targeting home users. With a captive audience to aim at, it’s a huge opportunity for cyber-criminals to steal your log-ins and personal data to sell to fraudsters, or even to steal corporate passwords and information for a potentially bigger pay-off. They are helped by the fact that many home workers may be more distracted than they usually would be at the office, especially if they have young children. Your kids may even share the same laptops or PCs as you, potentially visiting risky sites and/or downloading unapproved apps.
There’s also a chance that, unless you have a corporate machine at home, your personal computing equipment is less secure than the kit you had in the office. Add to that the fact that support from the IT department may be less forthcoming than usual, given that stretched teams are overwhelmed with requests, while themselves struggling to WFH. One recent report claimed that nearly half (47%) of IT security pros have been taken off some or all of their typical security tasks to support other IT-related jobs. In another, only 59% of respondents said they believe their cybersecurity team has the right tools and resources at home to perform their job effectively.
It’s time to step up and take security into your own hands. Stay on the lookout for the following threats.
|
|
So what’s a remote worker/concerned parent to do to protect themselves and the family in the midst of the “new normal?”
Read Part 2 in this mini-series, which we’re publishing simultaneously with Part 1, where we share some best practice advice on how to keep your digital lives and work systems safe from online threats during lockdown—and where we provide tools to help you do just that.
The post Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World (Part 1) appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about one of Microsoft’s largest Patch Tuesday updates ever, including fixes for 120 vulnerabilities and two zero-days. Also, learn about Trend Micro’s new integrations with Amazon Web Services (AWS).
Read on:
Microsoft Patches 120 Vulnerabilities, Two Zero-Days
This week Microsoft released fixes for 120 vulnerabilities, including two zero-days, in 13 products and services as part of its monthly Patch Tuesday rollout. The August release marks its third-largest Patch Tuesday update, bringing the total number of security fixes for 2020 to 862. “If they maintain this pace, it’s quite possible for them to ship more than 1,300 patches this year,” says Dustin Childs of Trend Micro’s Zero-Day Initiative (ZDI).
Trend Micro has discovered an unusual infection related to Xcode developer projects. Upon further investigation, it was discovered that a developer’s Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notable in our investigation is the discovery of two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults, another is used to abuse the development version of Safari.
Top Tips for Home Cybersecurity and Privacy in a Coronavirus-Impacted World: Part 1
We’re all now living in a post-COVID-19 world characterized by uncertainty, mass home working and remote learning. To help you adapt to these new conditions while protecting what matters most, Trend Micro has developed a two-part blog series on ‘the new normal’. Part one identifies the scope and specific cyber-threats of the new normal.
Trend Micro enhances agility and automation in cloud security through integrations with Amazon Web Services (AWS). Through this collaboration, Trend Micro Cloud One offers the broadest platform support and API integration to protect AWS infrastructure whether building with Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda, AWS Fargate, containers, Amazon Simple Storage Service (Amazon S3), or Amazon Virtual Private Cloud (Amazon VPC) networking.
Shedding Light on Security Considerations in Serverless Cloud Architectures
The big shift to serverless computing is imminent. According to a 2019 survey, 21% of enterprises have already adopted serverless technology, while 39% are considering it. Trend Micro’s new research on serverless computing aims to shed light on the security considerations in serverless environments and help adopters in keeping their serverless deployments as secure as possible.
In One Click: Amazon Alexa Could be Exploited for Theft of Voice History, PII, Skill Tampering
Amazon’s Alexa voice assistant could be exploited to hand over user data due to security vulnerabilities in the service’s subdomains. The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot — with over 200 million shipments worldwide — was vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings.
New Attack Lets Hackers Decrypt VoLTE Encryption to Spy on Phone Calls
A team of academic researchers presented a new attack called ‘ReVoLTE,’ that could let remote attackers break the encryption used by VoLTE voice calls and spy on targeted phone calls. The attack doesn’t exploit any flaw in the Voice over LTE (VoLTE) protocol; instead, it leverages weak implementation of the LTE mobile network by most telecommunication providers in practice, allowing an attacker to eavesdrop on the encrypted phone calls made by targeted victims.
An Advanced Group Specializing in Corporate Espionage is on a Hacking Spree
A Russian-speaking hacking group specializing in corporate espionage has carried out 26 campaigns since 2018 in attempts to steal vast amounts of data from the private sector, according to new findings. The hacking group, dubbed RedCurl, stole confidential corporate documents including contracts, financial documents, employee records and legal records, according to research published this week by the security firm Group-IB.
Walgreens Discloses Data Breach Impacting Personal Health Information of More Than 72,000 Customers
The second-largest pharmacy chain in the U.S. recently disclosed a data breach that may have compromised the personal health information (PHI) of more than 72,000 individuals across the United States. According to Walgreens spokesman Jim Cohn, prescription information of customers was stolen during May protests, when around 180 of the company’s 9,277 locations were looted.
Top Tips for Home Cybersecurity and Privacy in a Coronavirus-Impacted World: Part 2
The past few months have seen radical changes to our work and home life under the Coronavirus threat, upending norms and confining millions of American families within just four walls. In this context, it’s not surprising that more of us are spending an increasing portion of our lives online. In the final blog of this two-part series, Trend Micro discusses what you can do to protect your family, your data, and access to your corporate accounts.
What are your thoughts on Trend Micro’s tips to make your home cybersecurity and privacy stronger in the COVID-19-impacted world? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Microsoft Patches 120 Vulnerabilities, Including Two Zero-Days and Trend Micro Brings DevOps Agility and Automation to Security Operations Through Integration with AWS Solutions appeared first on .
At Black Hat USA 2020, Trend Micro presented two important talks on vulnerabilities in Industrial IoT (IIoT). The first discussed weaknesses in proprietary languages used by industrial robots, and the second talked about vulnerabilities in protocol gateways. Any organization using robots, and any organization running a multi-vendor OT environment, should be aware of these attack surfaces. Here is a summary of the key points from each talk.
Rogue Automation
Presented at Black Hat, Wednesday, August 5. https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523 and the corresponding research paper is available at https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/unveiling-the-hidden-risks-of-industrial-automation-programming
Industrial robots contain powerful, fully capable computers. Unlike most contemporary computers, though, industrial robots lack basic information security capabilities. First, at the architectural level, they lack any mechanism to isolate certain instructions or memory. That is, any program can alter any piece of storage, or run any instruction. In traditional mainframes, no application could access, change, or run any code in another application or in the operating system. Even smartphone operating systems have privilege separation. An application cannot access a smartphone’s camera, for instance, without being specifically permitted to do so. Industrial robots allow any code to read, access, modify, or run any device connected to the system, including the clock. That eliminates data integrity in industrial robots and invalidates any audit of malfunctions; debugging becomes exceptionally difficult.
Industrial robots do not use conventional programming languages, like C or Python. Instead, each manufacturer provides its own proprietary programming language. That means a specialist using one industrial robot cannot use another vendor’s machine without training. There are no common information security tools for code validation, since vendors do not develop products for fragmented markets. These languages describe programs telling the robot how to move. They also support reading and writing data, analyzing and modifying files, opening and closing input/output devices, getting and sending information over a network, and accessing and changing status indicators on connected sensors. Once a program starts to run on an industrial robot, it can do anything any fully functional computer can do, without any security controls at all. Contemporary industrial robots do not have any countermeasures against this threat.
Most industrial robot owners do not write their own programs. The supply chain for industrial robot programs involves many third-party actors. See Figure 1 below for a simplified diagram. In each community, users of a particular vendor’s languages share code informally, and rely on user’s groups for hints and tips to solve common tasks. These forums rarely discuss security measures. Many organizations hire third-party contractors to implement particular processes, but there are no security certifications relevant to these proprietary languages. Most programmers learned their trade in an air-gapped world, and still rely on a perimeter which separates the safe users and code inside from the untrusted users and code outside. The languages offer no code scanners to identify potential weaknesses, such as not validating inputs, modifying system services, altering device state, or replacing system functions. The machines do not have a software asset management capability, so knowing where the components of a running program originated from is uncertain.
Figure 1: The Supply Chain for Industrial Robot Programming
All is not lost – not quite. In the short term, Trend Micro Research has developed a static code analysis tool called OTRazor, which examines robotic code for unsafe code patterns. This was demonstrated during our session at Black Hat.
Over time, vendors will have to introduce basic security checks, such as authentication, authorization, data integrity, and data confidentiality. The vendors will also have to introduce architectural restrictions – for instance, an application should be able to read the clock but not change it.. Applications should not be able to modify system files, programs, or data, nor should they be able to modify other applications. These changes will take years to arrive in the market, however. Until then, CISOs should audit industrial robot programs for vulnerabilities, and segment networks including industrial robots, and apply baseline security programs, as they do now, for both internally developed and procured software.
Protocol Gateway Vulnerabilities
Presented at Black Hat, Wednesday, August 5, https://www.blackhat.com/us-20/briefings/schedule/index.html#industrial-protocol-gateways-under-analysis-20632, with the corresponding research paper available here: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/lost-in-translation-when-industrial-protocol-translation-goes-wrong.
Industry 4.0 leverages the power of automation alongside the rich layer of software process control tools, particularly Enterprise Resource Planning (ERP), and its bigger cousin, Supply Chain Management (SCM). By bringing together dynamic industrial process control with hyper-efficient “just-in-time” resource scheduling, manufacturers can achieve minimum cost, minimum delay, and optimal production. But these integration projects require that IIoT devices speak with other technology, including IIoT from other manufacturers and legacy equipment. Since each equipment or device may have their own communication protocol, Industry 4.0 relies heavily on protocol converters.
Protocol converters are simple, highly efficient, low-cost devices that translate one protocol into another. Protocol converters are ubiquitous, but they lack any basic security capabilities – authentication, authorization, data integrity or data confidentiality – and they sit right in the middle of the OT network. Attackers can subvert protocol converters to hijack the communication or change configuration. An attacker can disable a safety thresholds, generate a denial of service attack, and misdirect an attached piece of equipment.
In the course of this research, we found nine vulnerabilities and are working with vendors to remediate the issues. Through our TXOne subsidiary, we are developing rules and intelligence specifically for IIoT message traffic, which are then embedded in our current network security offerings, providing administrators with better visibility and the ability to enforce security policies in their OT networks.
Protocol converters present a broad attack surface, as they have limited native information security capabilities. They don’t validate senders or receivers, nor do they scan or verify message contents. Due to their crucial position in the middle of the OT network, they are an exceptionally appealing target for malicious actors. Organizations using protocol converters – especially those on the way to Industry 4.0 – must address these weak but critical components of their evolving infrastructure.
What do you think? Let me know in the comments below or @WilliamMalikTM
The post Black Hat Trip Report – Trend Micro appeared first on .
“We’re here to serve” is Benny Yazdanpanahi’s motto as CIO for City of Tyler located in Texas. Supporting a population of approximately 107,000, Yazdanpanahi’s vision for his city relies on the use of data to deliver exceptional services to citizens, today and into the future.
Since joining the city nearly 19 years ago, Yazdanpanahi has continually challenged himself and his small IT team to stay agile and to keep the needs of the city’s citizens at the forefront. Today, Yazdanpanahi and his team use IT systems to make more informed decisions, enhance community services, and improve public safety.
“Our citizens, and especially the younger generation, want immediate access to information and online services,” said Yazdanpanahi. “We want to keep pace with the latest technologies, not only for citizens but also to make our city employees more effective and efficient.”
But Yazdanpanahi knows that a highly secure IT environment is essential to their continued success. “Many US cities have been hacked, so security is on top of everyone’s mind. As a city, we want to provide great services, but we have to provide them in a highly secure manner.”
To accomplish those security goals with limited resources and staff, Tyler’s leaders have been collaborating with Trend Micro for several years. The cybersecurity giant has brought a hands-on approach and an ability to stay ahead of the threats. Their adaptability to the threat landscape strengthens the city’s security posture and empowers the IT team to focus on serving the community.
The city has been able to stay secure without additional staff and resources. City employees don’t spend time resolving IT issues and improve their productivity to focus on things that mater for the city.
“If you don’t collaborate with a partner that’s highly experienced in the security field, you can easily get blindsided,” said Yazdanpanahi. “We need someone there, day in and out, focused on security. Trend Micro knows how to protect cities like us. They provide the kind of north, south, east, and west protection that makes my job easier and allows us to use our data to accomplish new, exciting things for our city.”
Read more about Benny’s journey to securing the city:
https://www.trendmicro.com/en_ca/about/customer-stories/city-of-tyler.html
The post Connected Security Solutions Helps City of Tyler’s CIO to Reduce Costs While Enabling Delivery of Enhanced Community & Public Safety Services appeared first on .
FreshRSS 