Iot Vulnerabilities Easily 5

• Babak D. Beheshti, Associate Dean of the School of Engineering and Computing Sciences at NYIT. • Clyde Bennett, Chief Healthcare Technology Strategist at Aldridge Health. • Ross Brewer, VP and MD of EMEA at LogRhythm. • Ben Desjardins, Director of Security Solutions at Radware. • Eric O'Neill, National Security Strategist at Carbon Black. • Jeff Schilling, Chief of Operations and Security at Armor. • Karl Sigler, Threat Intelligence Manager at Trustwave. • Sigurdur Stefnisson, VP of Threat Research at CYREN. • Amos Stern, CEO at Siemplify. • Ronen Yehoshua, CEO at Morphisec. Visit the magazine website at www.insecuremag.com

Feedback and contributions: Mirko Zorz, Editor in Chief - [email protected] News: Zeljka Zorz, Managing Editor - [email protected] Marketing: Berislav Kucan, Director of Operations - [email protected]

(IN)SECURE Magazine can be freely distributed in the form of the original, non-modiﬁed PDF document. Distribution of modiﬁed versions of (IN)SECURE Magazine content is prohibited without permission.

Copyright (IN)SECURE Magazine 2016. www.insecuremag.com Are all IoT vulnerabilities easily 5. Insecure or no network pairing control op- avoidable? tions (device to device or device to networks). Every vulnerability or privacy issue reported 6. Not testing for common code injection ex- for consumer connected home and wearable ploits. technology products since November 2015 7. The lack of transport security and encrypt- could have been easily avoided, according to ed storage including unencrypted data the Online Trust Alliance (OTA). transmission of personal and sensitive information including but not limited to user OTA researchers analyzed publicly reported ID and passwords. device vulnerabilities from November 2015 8. Lacking a sustainable and supportable through July 2016, and found the most glaring plan to address vulnerabilities through the failures were attributed to: product lifecycle including the lack of software/firmware update capabilities and/or insecure and untested security patches/ 1. Insecure credential management including making administrative controls open and updates. discoverable. “In this rush to bring connected devices to 2. Not adequately and accurately disclosing consumer data collection and sharing poli- market, security and privacy is often being cies and practices. overlooked,” said Craig Spiezle, OTA Execu- tive Director and President. “If businesses do 3. The omission or lack of rigorous security testing throughout the development not make a systemic change we risk seeing process including but not limited to pene- the weaponization of these devices and an tration testing and threat modeling. erosion of consumer confidence impacting the IoT industry on a whole due to their security 4. The lack of a discoverable process or capability to responsibly report observed vul- and privacy shortcomings.” nerabilities. www.insecuremag.com 5 PCI Council wants more robust se- terminals and mobile devices used for pay- curity controls for payment devices ment transactions. Payment devices that directly consume magnetic stripe information The PCI Council has updated its payment de- from customers remain a top target for data vice standard to enable stronger protections theft, according to the 2016 Data Breach In- for cardholder data, which includes the PIN vestigation Report from Verizon. and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or “Criminals constantly attempt to break security on a mobile device. controls to find ways to exploit data. We continue to see innovative skimming devices and Specifically, version 5.0 of the PCI PIN Trans- new attack methods that put cardholder data action Security (PTS) Point-of-Interaction at risk for fraud,” said PCI Security Standards (POI) Modular Security Requirements empha- Council CTO Troy Leach. “Security must con- sizes more robust security controls for pay- tinue to evolve to defend against these ment devices to prevent physical tampering threats. The newest PCI standard for payment and the insertion of malware that can com- devices recognizes this challenge by requiring promise card data during payment transac- protections against advancements in attack tions. techniques.”

The updates are designed to stay one step Vendors can begin using PCI PTS POI Modu- ahead of criminals who continue to develop lar Security Requirements version 5.0 now for new ways to steal credit and debit card data payment device evaluations. Version 4.1 will from cash machines, in-store and unattended retire in September 2017 for evaluations of new payment devices.

Public cloud services market to cloud services. Not only are public cloud ser- grow to $208.6 billion in 2016 vices being used to recognize the tactical benefits of cost savings and innovation, but The worldwide public cloud services market is they are also being used to establish a more projected to grow 17.2 percent in 2016 to total modern IT environment — an environment $208.6 billion, up from $178 billion in 2015, that can serve as a strategic foundation for according to Gartner, Inc. The highest growth future applications and digital business pro- will come from IaaS, which is projected to cesses. grow 42.8 percent in 2016. SaaS is expected to grow 21.7 percent in 2016 to reach $38.9 Security and/or privacy concerns continue to billion. be the top inhibitors to public cloud adoption, despite the strong security track record and “The aspiration for using cloud services out- increased transparency of leading cloud paces actual adoption. There’s no question providers. there is great appetite within organizations to use cloud services, but there are still chal- Most organizations are already using a com- lenges for organizations as they make the bination of cloud services from different cloud move to the cloud. Even with the high rate of providers. While public cloud usage will con- predicted growth, a large number of organiza- tinue to increase, the use of private cloud and tions still have no current plans to use cloud hosted private cloud services is also expected services," said Sid Nag, research director at to increase at least through 2017. Gartner. The increased use of multiple public cloud IT modernization is currently the top driver of providers, plus growth in various types of pri- public cloud adoption, followed by cost sav- vate cloud services, will create a multi-cloud ings, innovation, agility and other benefits. environment in most enterprises and a need The focus on IT modernization indicates a to coordinate cloud usage using hybrid sce- more sophisticated and strategic use of public narios. www.insecuremag.com 6 Compromised electronic health get compromised just once, and sold repeat- records may haunt you forever edly all over the Dark Web, we’ll likely have problems for the rest of our lives. Information A recent report on the Deep Web black market that is contained in those records can be used for electronic health records (EHRs) by re- for many different types of fraud and attacks, searchers affiliated with the Institute for Criti- such as medical identity theft, submission of cal Infrastructure Technology has pointed out false claims, acquisition of controlled and pre- that healthcare systems are relentlessly and scription substances, and obtainment of med- incessantly attacked. ical devices. But the list of dangers doesn’t stop there – criminals can also create fake “Vulnerable legacy systems and devices that identities, perpetrate tax fraud, access gov- lack the ability to update and patch are ernment benefits, or try to extort patients. An- Frankensteined into networks possessing other problem is that there are still no legal newer technologies that can be updated and protections for medical identity theft victims. patched. As a result, the organization’s IoT microcosm becomes collectively vulnerable as “Stopping the damage, disputing the charges, effective layers of security cannot be properly and correcting the record can consume all of implemented,” the analysts noted. “Without a victim’s time and energy,” the researchers the input of cyber risk management profes- noted, adding that “even if the victim learns of sionals and without comprehensive oversight, the compromise before the information is ex- they will continue to make socially negligent ploited, remediation can still cost over $1,500 decisions that gamble the electronic health in fees and consume their free time for up to information of US citizens between antiquated five years.” security, insufficient fiscal and regulatory penalties, and the fingertips of tantalized insa- “Due to the longevity of the record, adver- tiable adversaries.” saries may continue to exchange and exploit the compromised information for the rest of By now, we also realized that the risk and im- the victim’s life. For some, such as children, pact of compromise of EHRs is usually and this can drastically hinder their future financial mostly shifted to us (the patients). But what stability and limit the potential lives that they most still don’t recognize is that if our EHRs could lead,” the researchers concluded. www.insecuremag.com 7 Chrome will start labeling some Internet towards the default use of HTTPS. HTTP sites as non-secure Changes in Chrome are one way to do it.

Slowly but relentlessly, Google is pushing Previously employed tactics include prioritis- website owners to deploy HTTPS – or get left ing websites using HTTPS in Google Search behind. rankings and adding a new section to the company’s Transparency Report that allows The latest announced push is scheduled for users to keep an eye on Google’s use of January 2017, when Chrome 56 is set to be HTTPS, and HTTPS use of the top 100 non- released and will start showing in the address Google sites on the Internet. bar a warning that labels sites that transmit passwords or credit cards over HTTP as non- “A substantial portion of web trafﬁc has transi- secure. tioned to HTTPS so far, and HTTPS usage is consistently increasing,” noted Emily In due time, all HTTP pages will be labeled by Schechter, of the Chrome Security Team. Chrome as non-secure, and ultimately, the HTTP security indicator will turn red, and sport “We recently hit a milestone with more than the same “Danger!” triangle with which sites half of Chrome desktop page loads now with broken HTTPS are currently marked. served over HTTPS. In addition, since the time we released our HTTPS report in Feb- Google is in the perfect position to spearhead ruary, 12 more of the top 100 websites have the campaign aimed at pushing the collective changed their serving default from HTTP to HTTPS.”

The hidden cost of the insider threat gence recorded the highest annual cost, averaging nearly $2.3 million. Organizations are spending an average of $4.3 million annually to mitigate, address, and In line with expectations, legacy solutions – resolve insider-related incidents – with that such as data loss prevention (DLP), user spend surpassing $17 million annually in the awareness and training, and network intelli- most significant cases, according to the gence – ranked among the most frequently Ponemon Institute. deployed tools (at 46 percent, 43 percent, and 35 percent respectively). Yet, despite being While the report notes that user credential the most pervasive, the incremental cost sav- theft and malicious or criminal activity carried ings driven by these legacy technologies were a more substantial cost-per-incident, the fre- among the lowest recorded, with network in- quency and volume of insider incidents telligence and user training yielding $0.3 caused by employee and contractor negli- million. www.insecuremag.com 8 Top trends in security testing and Despite the fact that many organizations do vulnerability management not conduct security testing, two-thirds believe that security testing is a valuable best Many businesses fail to conduct frequent se- practice. curity testing despite believing that it’s critically important to securing their systems and Both security testing and reviews of these data. One in five of businesses surveyed ad- tests are not commonplace: only 5 percent mitted they don’t do any security testing, de- perform detailed reviews of security testing to spite the fact that 95 percent of survey re- assess vulnerabilities on a daily basis and spondents reported encountering one of the only 24 percent do so weekly or multiple times dozen common security issues associated during the week. Meanwhile, 25 percent of the with security vulnerabilities. organizations surveyed perform these reviews only quarterly or annually, and 20 percent do One in five organizations has not performed so only when they perceive the need, creating security testing of any kind during the past six a situation where businesses are simply months. Among those that do conduct security guessing when to test their systems. testing, 66 percent do so only monthly or less frequently, and most do not perform regular Among the leading security testing challenges security testing after every infrastructure discovered in the survey, the most commonly change. Most organizations conduct security cited are insufficient staffing, insufficient time testing using a combination of in-house re- with which to perform the security tests, and sources and third-party testing services, al- insufficient skills to support regular testing. though two in five organizations manage security testing only in-house.

www.insecuremag.com 9 Today’s headline-making hacks are the natural evolution of traditional espionage. In the past, spies leaned heavily on recruiting and leverage traditional espionage techniques insiders or moles to steal secrets. Historically, to perpetrate cyber penetrations. spies would remove information from office buildings (frequently in hard copy and later on An example of modern-day espionage via floppy disk) and leave the information in “dead hacking is spear phishing conducted via social drops,” which served as prearranged clandes- media and email. Email not only serves as our tine sites that could later be “serviced” by for- chief communication methodology, but also to eign intelligence. sign contracts and distribute records. Every- thing we do now leaves a trail, including all we Today, the way we store and share secrets do on email and social media. and critical information leaves the “keys to the kingdom” vulnerable to outside attack. While The best spear phishing attacks leverage so- recruiting a trusted insider remains the most cial media and involve reconnaissance re- effective way to breach a firewall, spies have search about the target. To conduct the An- changed their tactics to address the changes them attack, the attackers combed through in operational security in the digital world. LinkedIn data on Anthem employees to identify system administrators and hit them with As cyber security has evolved so have spies. specially crafted emails. Today’s attackers are criminals and spies who have pivoted to survive in a new age of infor- Social media is one of the new playgrounds mation theft. They are devious, sophisticated, for spies. Everything an attacker needs to technologically proficient, often well funded, convince a target to click on a link in email can often be mined from personal social www.insecuremag.com 10 SOCIAL MEDIA IS ONE OF THE NEW PLAYGROUNDS FOR SPIES

media accounts. I constantly tell my audiences target after the State Department and White at cyber-security keynotes not to click on links House were compromised. in emails or open attachments, even if you believe the email came from your sister, is about According to the DNC, after the warning, se- the party you both attended the week prior, curity policies were changed. It appears that and uses expressions that only your sister may have been too little, too late. Attackers would use. These are all things a spy can were either already in the system and re- learn by perusing your Facebook or Instagram mained undetected for the year-long breach, account for a few minutes. or changed their own approach to avoid detection. Despite the warning, attackers continues Reactive vs active response to be one step ahead of security.

Too often, law enforcement and security pro- Another example of this cat-and-mouse game fessionals react to crime instead of actively came from The Office of Personnel Manage- stopping it before it happens. Also too often, ment (OPM), which was breached in March of they won’t know a crime has been committed 2014. The breach went unnoticed by the OPM until way too late. until April 2015. It has been described by fed- eral officials as one of the largest breaches of An example of this is the hack of the Democ- government data in United States’ history. At- ratic National Committee (DNC). US officials tackers may have compromised some 21.5 have stated that the attack persisted for million records, including biometric data and roughly a year. The hacks occurred despite a documents related to security background in- warning from the FBI that the DNC may be a vestigations. TOO OFTEN, LAW ENFORCEMENT AND SECURITY PROFESSIONALS REACT TO CRIME INSTEAD OF ACTIVELY STOPPING IT

The breach occurred despite the Government This disruption requires cybersecurity profes- Accountability Ofﬁce warning that the OPM sionals to take an active role in defending (among other agencies) was vulnerable to at- against a predator by becoming a spy hunter. tack and should immediately correct weaknesses and fully implement security programs. An example of the “attack – remediate – attack” cycle in physical security is best ex- To defeat cyber espionage, cybersecurity pro- plained using barriers. In the past, terrorists fessionals must disrupt the “attack - remediate frequently loaded explosives into trucks and - attack” cycle, by defending the endpoint, smashed them into government buildings. controlling applications, sharing knowledge about possible intrusions, and actively hunting for threats. www.insecuremag.com 11 ORGANIZATIONS MUST COLLABORATE IN REAL TIME TO SHARE THREAT INFORMATION AND THE FORENSICS BEHIND BREACHES

The first World Trade Center attack in 1993 Often, these highly sophisticated spies are involved a van loaded with explosives parked state actors (as in the case of China’s PLA unit in the underground parking beside what the 61398) or state-sponsored actors (such as the terrorists thought was the central support DNC hackers believed to be working for the column. Russian government). Money provides such attackers freedom to carefully research and In response to these vehicle attacks, security probe targets and then leverage intelligence and law enforcement remediated by building and the best equipment and resources possi- barriers (everything from jersey walls to mas- ble. This creates a very uneven playing field sive planters with steel cores) to create spac- when these attackers hunt small companies ing around government buildings that prevent and individuals that do not have the benefit of vehicle attacks. the FBI and CIA to defend them.

As these defenses went up and stopped one Companies and organizations must collabo- problem, the terrorists actively explored new rate in real time to share threat information attack vectors. Unable to drive trucks into and the forensics behind breaches in order to buildings, they turned to airplanes. defend themselves against foreign intelligence units (spies). This requires a certain level of If law enforcement and security become more sharing of cyber information between competi- active in hunting threats and brainstorming tors. possible attack vectors before spies launch attacks, cyber espionage will become more In the wake of the recently reported hacks - expensive, time consuming and burdensome. DNC, DCCC, Equation Group - it’s time for the US to start treating cybersecurity as national The goal of cybersecurity should be to layer security. Our democracy is at risk. In fact, the defenses in such a way that the cost of attack- upcoming presidential election could be at ing a protected organization is so high that the risk, too. criminals will turn to other targets. Addressing the inefﬁciencies of our cyber in- Additionally, the FBI, CIA, NSA, military intelli- frastructure should be a top issue in this year’s gence assets, and friendly foreign intelligence election cycle. The fact that it is has been, at units must continue to work together to collab- best, a footnote in both candidates’ platforms orate and share information to prevent the is an indication of where our national cyberse- most deadly and damaging terrorist attacks curity ranks on the list of priorities. and to catch the most sophisticated spies.

Eric O'Neill is the National Security Strategist for Carbon Black (www.carbonblack.com). www.insecuremag.com 12 Like military generals, IT security professionals frequently fight the last war using weaponry and tactics that worked in the past, while the enemy has studied our countermeasures and is already applying new methods. Today we face a new generation of malware “goes away.” We might consider the following which we might term “hyper-evasive” – threats “tiers” of malware sophistication: that have never been seen before, in volumes never seen before, and which have been de- Tier 1: Basic malware signed to evade traditional malware defenses, and specifically, current sandboxing technolo- These compromise a computer in order to gy. These threats require a rethinking of our gain access to its resources and – on occa- battlefield strategy. sion – its data. Attacks of this type are slow- moving and frequently noisy and obvious, and The evolution of threats can be blocked by analyzing a virus to capture a hash fingerprint or signature, and then using To understand today’s threat landscape, we this hash to identify and block subsequent should consider the evolutionary history of cy- copies of the virus. ber threats, while keeping in mind that each new class of threats emerged from the crimi- Tier 2: Polymorphic malware nals’ detailed understanding of the limitations of then-current protection technologies. While Although they are often basic viruses under a rough chronological retelling is possible, my the hood, polymorphic viruses first emerged in purpose here is to give a quick sense of clas- the early 1990s: malicious code that mutates sification, and emphasize that techniques are and changes its appearance each time it in- frequently cumulative – nothing ever really fects a new object in order to avoid pattern recognition by antivirus software. www.insecuremag.com 13 The emergence of polymorphic malware trig- While the overall volume and sophistication of gered the arrival of behavioral heuristics as a unknown objects was relatively low, and turn- countering technology, whereby the behavior around time was consequently fast, this ap- of the code execution during an emulation is proach was deemed sufficient. However, the observed. The development of application broad deployment and very success of appli- sandboxing in the 1990s was a key response ance-based sandboxes has led to not-surpris- to polymorphic malware. ing innovation by criminal enterprises, as per the usual historical pattern. The advent of server-side polymorphism has taken malware to the next level, with back-end It is worth restating that the variety and depth web services hiding the mutation engine of testing that is possible within first-genera- where defenders cannot inspect it. Sophisti- tion sandboxes is limited. Among the realities cated algorithms ensure that each time a of traditional sandboxing that are being ex- download occurs from a URL you receive a ploited today are: different file, and attack methods frequently involve encryption, droppers and packers. 1. The fixed amount of physical resources (i.e. memory and processing power) avail- Tier 3: Hyper-evasive malware able in a sandbox appliance, which limits the scalability of the solution in terms of Cyren has noted an emerging trend of threats total analysis object load and depth of incorporating many known evasion techniques analysis performed. within a single piece of malware. Attackers 2. The reliance on virtualized environments, have evolved their techniques to the point the presence of which can be detected by where malware rarely contains obviously sus- malware. picious code and originates from “unknown” 3. The lack of diversity in the scope and orig- sources or from code lodged in compromised, ination of the tests employed, with the va- trusted sites. As the use of sandboxing for riety and nature of tests limited to those malware defenses has increased, malware devised by the specific sandbox vendor. that is “sandbox aware” has become more 4. The fact that any specific sandbox is best prevalent. at one kind of analysis, e.g. OS or registry or network behavior analysis. Usually assumed to be the purview of large enterprises, a recent study commissioned by This last element is the most critical limitation Cyren and conducted by Osterman Research of all, as it enables malware developers to op- (July 2016) found that over 50 percent of small timize analysis detection techniques for each and mid-sized companies (100 to 3,000 em- sandbox platform, knowing that once they ployees) have also deployed an appliance- have found a “tell” for the particular sandbox based sandboxing capability. being used, their evasive techniques will get them past what is effectively the organization’s But such “hyper-evasive” threats are increas- last line of defense. No method is provided by ingly difficult for traditional, appliance-based traditional sandboxing solutions to harness sandboxing to detect, as the malware coders together sandboxes of different types (or from use sophisticated evasive tactics to exploit different vendors) in a collaborative analysis limitations in the architecture of appliance- model, to enable a broader and deeper scope based sandboxing. of testing with a pooling of analysis results.

Limitations of traditional application How hyper-evasive threats evade detection sandboxing Sandboxing solutions deploy two types of Traditional application sandboxing has be- analysis: come a critical last layer for corporate information security to attempt to stop infiltration. It • Static analysis is performed by the system pushes suspicious objects to a simulated end- without executing the suspected code. Ex- user computing environment running on an amples of static analysis techniques in- appliance in a corporate data center. clude file fingerprinting, extraction of www.insecuremag.com 14 • hard-coded strings, file format metadata, To combat the growing use of first-generation emulation, packer detection, and disas- sandboxes, cybercriminals have developed sembly. evasive techniques for use against both types • Dynamic analysis is performed by the sys- of analysis. tem while the suspected code is executed inside a protected (sandbox) environment. Some of the techniques are sophisticated, Examples of dynamic analysis techniques while others perform simplistic tests to deter- include analyzing the difference between mine if the malware is in a real or simulated defined points, and observing run-time (sandbox) environment. behavior. TO COMBAT THE GROWING USE OF FIRST-GENERATION SANDBOXES, CYBERCRIMINALS HAVE DEVELOPED EVASIVE TECHNIQUES FOR USE AGAINST BOTH TYPES OF ANALYSIS

Common techniques for evading sandbox therefore hide from, a sandboxing environ- analysis include: ment.

• Detecting the existence of a virtual Virtual machine check functions: environment • Delayed activation – attempting to “out- • Parallels wait” the sandbox • QEMU • Awaiting human interaction like mouse • Oracle VirtualBox movements that could not result from a • VMWare simulation • an unknown VM. • Making payload execution conditional. Debugger process check functions: As an example of this last approach, we are seeing recent ransomware downloaders that • CommView Network Monitor have added the requirement of an additional • WinDump parameter for the execution of the down- • WireShark loaded ransomware code. A sandbox may • DumPCAP have the download file itself, but it does not • OllyDbg have the full script – so it would not detonate • IDA Disassembler in the sandbox because it is missing one • SysAnalyzer component (a parameter). • SniffHit • SckTool Consider the impressive list of functions identi- • Proc Analyzer fied by Cyren researchers within a single vari- • HookExplorer ant of Cerber ransomware, which uses multi- • MultiPot. ple methods to check for the presence of, and www.insecuremag.com 15 Sandbox check functions: use in solutions, and proves that they can simply embed more anti-sandbox/debugger/ • Loaded modules check against VM modules in their malware as they see fit, • sbiedll.dll - Sandboxie significantly increasing the evasiveness of the • dir_watch.dll, api_log.dll - Sunbelt threats. Sandbox • Volume serial number checks against Conclusion • ThreatExpert • Malwr The appropriate response to the advent of hy- • Mutex name checks against per-evasive malware, which can evade any • Deep Freeze - Frz_State given sandbox and was designed to exploit • Other file path checks on modules used in the relatively limited processing power of ap- sandbox setups pliance-based solutions, is to exponentially • C:\popupkiller.exe improve the analytical capacity of the sand- • C:\stimulator.exe boxing systems. This can be done by subject- • C:\TOOLS\execute.exe ing malware to multiple and varied sandboxing • String checks from memory environments while applying increasingly so- • test_item.exe phisticated analysis, something now possible • \sand-box\ via the elastic processing scale and Big Data • \cwsandbox\ analytical capabilities of cloud computing. • \sandbox\ The best countermeasure is to automate the The inclusion of this variety of functions shows strengths of human analysts – in particular that malware writers are hard at work re- their capacity for complex decision-making searching sandbox and debugging technolo- and even “hunches” – through a cloud-based gies that the security industry is most likely to processing model.

Sigurdur Stefnisson is the Vice President of Threat Research at CYREN (www.cyren.com).

www.insecuremag.com 16 Not long ago, people used to come to work and work off of a desktop computer, tied to the network. Today, they work on their mobile devices, physically untethered to it. In fact, the majority of the work and email is continue their workﬂow seamlessly, while still done on mobile devices, and this changed giving companies optimal security.” how people interact with data and how we keep it safe. A perfect enterprise data security solution

This shift is why it’s important for businesses Data control and visibility is a huge problem to maintain a certain level of visibility when it that large and small companies need to be comes to data, and have the ability to use mindful of. tools like Dynamic Data Protection (DDP) to ensure that if policies need to be adjusted for A good data security solution is one that works specific users, IT admins can do so in real- as you want it to but it’s also equally important time. that it’s easy to use by your employees, management, and partners. The best technical so- “As information travels, this introduces new lution will not mean much if they don’t want to ways to access data and collaborate using use it because it gets in the way of their work. tools like Dropbox and other productivity tools, so security must also evolve and change to “In an ideal world, you want your users to keep pace,” says Prakash Linga, CTO of data maintain productivity, while still giving IT the security company Vera. confidence they’re doing so in a secure way,” Linga points out. “On top of that, it’s not longer sufficient to rely on perimeter defenses when it comes to in- “Organizations spend too much time and formation security. You have to collapse the money trying to focus on one aspect of the data control and policy enforcement down to problem by adding more defenses, rather than the data. Any effective and usable data securi- focusing on the primary reason employees ty solution will encompass the best of both aren’t using the security tools already in worlds: it will secure information with granular place.” and flexible policies, and enable employees to www.insecuremag.com 17 The ideal data control solution should also of- most critical business information is secure fer robust data control tools with a user-friend- whether it’s at rest, behind a firewall, or has ly backend, to make life easier for IT and se- been moved outside their network. curity teams. Managing policies and data at scale is a challenge and, according to Linga, “For a lot of security savvy people, it’s all this is one of the reasons why Data Loss Pre- about having strong security controls. What vention (DLP) hasn’t taken off as expected. we’ve learned from conversations with customers, prospects, and industry research is A great data control system will be one that fits the biggest problem is keeping honest users well within a specific and complex enterprise honest,” says Linga. ecosystem – across different companies, meshing well with existing collaboration and “I’m referring to people who inadvertently productivity tools, and covering every data share information they shouldn’t. For example, workflow. an executive accidentally fat-fingers a confidential financial document or earnings report Finally, the solution has to be always on, so to the wrong person.” that organizations can be confident that their A great data control system will be one that fits well within a specific and complex enterprise ecosystem

Data control and the Internet of Things moment. However, over an extended period of time, you may start to see patterns, and it be- “The nature of data is changing rapidly. Today, coming more relevant from an enterprise and it’s mostly collaboration and exchange be- consumer standpoint,” he adds. tween two people, but tomorrow it’s with IoT and other devices and approaches,” says Lin- Enterprises will have to find a way to keep on ga. top of things, and be ready to pivot as fast as needed to tackle the known and yet unknown We know that makers of IoT devices and the challenges of data security in the age of IoT. software that makes them “smart” regularly disregard security, and that IoT is slowly infil- “Both security and privacy needs to evolve for trating both homes and offices. the new workflow around data and collaboration,” he concludes. “Small quantities of data is often shared between devices and, if you look at the information as a snapshot in time, it might not be sensitive or something you care about at that

Zeljka Zorz is the Managing Editor of (IN)SECURE Magazine & Help Net Security (www.helpnetsecurity.com).

www.insecuremag.com 18

Patch Tuesday (or Update Tuesday, as Microsoft preferred to call it) used to occur on the second Tuesday of each month. This was the day when Microsoft released patches for its various products and was often the bane of system admins and hackers alike. System admins were forced to patch all of the allows an attacker to exploit it from anywhere systems they are responsible for, while crimi- on the network or Internet without any special nals sometimes found that the exploits they privileges. had used up to that point no longer worked. Bulletins rated as Important still address seri- Microsoft has now done away with Patch ous vulnerabilities, but exploitation of those Tuesday in the form that it came in for years, typically requires certain access or can result but the first eight Patch Tuesdays that came in limited damage. These are typically vulner- and went since the beginning of the year can abilities that allow Privilege Elevation (making tell us something about security trends in a regular account into an administrator one) or 2016. Denial of Service (temporarily taking down a service). By the numbers Each bulletin typically contains multiple First let's take a look at the raw numbers. patches for a single product. For instance, From January through August 2016 Microsoft August's bulletin for MS Office provided released 101 security bulletins. Each bulletin patches for five unique vulnerabilities. For contains patches for a specific product like identification purposes, each vulnerability is Microsoft Office or Internet Explorer. issued a unique number according to the Common Vulnerabilities and Exposures (CVE) Of these bulletins 44 were rated as Critical program. and the remaining 57 were rated as Important. The aforementioned 101 bulletins addressed Bulletins rated as Critical typically cover the 266 unique vulnerabilities (or CVEs). most severe type of vulnerability, Remote Code Execution (RCE). An RCE vulnerability www.insecuremag.com 20 The most common patches dows Edge. Keep in mind that many of those vulnerabilities are shared between both The most commonly affected products were products. Internet Explorer and the newer Windows Edge web browser. These two products have With the idea that vulnerabilities tend to be showed up with a bulletin rated Critical every found in more popular software first, it's prob- month in 2016 (and for many, many months ably not a surprise that the third most com- before 2016). This doesn't necessarily mean monly affected product is the Microsoft Office that these products are naturally insecure. suite. With a total of 39 CVEs since January, the Office suite has made a showing with ei- These products are likely the most used ther a Critical or Important rated bulletin every pieces of software Microsoft supports. They month this year. This doesn't include the are also constantly exposed to threats. Their dozens of vulnerabilities that affect the Office whole job is to process untrusted content from suite indirectly: critical vulnerabilities in the MS the public Internet. Looking at it from this per- XML Core, OLE, Java/VBScripting engines, spective, it's no surprise that vulnerabilities in and even maliciously created fonts in the Mi- these products are exposed first. crosoft Graphics Component can all be exploited by opening the wrong Office docu- Overall, 72 unique CVEs were patched in In- ment. ternet Explorer and 57 were patched in Win- THE MOST COMMONLY AFFECTED PRODUCTS WERE INTERNET EXPLORER AND THE NEWER WINDOWS EDGE WEB BROWSER

Zero-day vulnerabilities Word document. When the document was opened and the vulnerability exploited, the The most critical vulnerabilities will always be document would automatically execute mal- the zero-day vulnerabilities. A zero-day vul- ware. The criminal group behind the campaign nerability is one that is discovered by criminals used the zero-day to deliver malware to finan- before the vendor knows of it. This gives the cial institutions and grab payment card track criminals a chance to develop an exploit for data. the vulnerability and successfully target victims as no patch is available or is still pending. The second zero day was CVE-2016-0189, which affected Internet Explorer and was In the first eight months of this year two zero- patched in bulletin MS16-051 in May. The at- day vulnerabilities affecting Microsoft products tackers who exploited it first sent out malicious have been revealed. I'll stick to Microsoft links via a spear-phishing campaign to users products only and ignore the multiple Adobe in South Korea. Flash zero-day vulnerabilities even though the Flash engine is embedded in both Internet South Korean vendors were forced by law in Explorer and the Edge browser. 1999 to adopt ActiveX controls that use the country's SEED encryption cipher for e-com- The first zero-day was CVE-2016-0167, a merce transactions. Since Internet Explorer is privilege elevation vulnerability in Windows the only browser that still supports Active X, patched in bulletin MS16-039 in April. It was the country is very dependent on the browser, revealed to the public by FireEye reserchers, making them ripe targets for this type of zero- and prior to that exploited via a spam cam- day. This zero day was detailed by Symantec paign that contained a malicious Microsoft researchers. www.insecuremag.com 21 Exploits on the dark web very much needed puzzle piece in the overall infection process. Also this year, a criminal offered information about a zero-day flaw for sale on an under- For instance, an LPE exploit paired with a ground market for Russian-speaking cyber client-side RCE exploit can allow an attacker criminals. We've always known that zero-days to escape an application that implements have been sold in the shadows, but in this sandbox protection like Google Chrome or business you usually need to "know people Adobe Reader. Moreover, an LPE exploit pro- who know people" in order to buy or sell this vides the means for the attacker to persist on kind of commodity. This type of business an infected machine, which is a crucial need transaction is conducted in a private manner, for APTs (Advanced Persistent Threats). In meaning either through direct contact be- general terms, an LPE exploit can be lever- tween a potential buyer and the seller, or aged in almost any kind of attack scenario. through a middleman. Was the threat of Badlock overhyped? We've also seen zero-days exploited by the Angler Exploit Kit. Last year Angler introduced The biggest "disappointment" this year was four zero-day exploits. This, and a constantly Badlock. The existence of this flaw was an- refreshed offering of new exploits, allowed nounced with much fanfare in March. The an- Angler to become to the most popular exploit nouncement came with a dedicated domain kit on the market in 2015, representing 40% of and webpage, a cool icon and a memorable all exploit kit-related incidents. code name, but no details about the nature of the bug. For that, professionals had to wait The underground crime forum where the until the April Patch Tuesday. That gave the aforementioned zero-day was offered for sale security community three weeks to get worked serves as a collaboration platform where crim- up about whether this vulnerability was going inals can hire malware coders, lease an ex- to be big or a bust. It ended up being the lat- ploit kit, buy web shells for compromised web- ter. sites, or even rent a whole botnet for different purposes. However, finding a zero-day listed Badlock ended up being helpful in a man in between these fairly common offerings is defi- the middle (MITM) attack scenario, meaning nitely an anomaly. that an attacker needs to be listening on the exact same network as the client or server in The zero-day in question was claimed to be a order to perform the attack. This means that Local Privilege Elevation (LPE) vulnerability in any attack requires a pre-authenticated ses- Windows and came with videos showing the sion. It only affects open, authenticated ses- exploit executing. The auction started at sions using SMB to authenticate a system or $95,000 in Bitcoins but the seller quickly to manage users or policies on a remote. dropped the price down to $90,000, and finally to $85,000. The auction was eventually closed In other words, any effective attack requires and evidence of it deleted, but we’ll probabaly the attacker to be in the exact right place at never known whether this was due to the sell- the exact right time. er finding a buyer or due to the vulnerability getting patched before the sale was made. As silly as they may seem to some in the industry, these so-called "celebrity vulnerabili- The fact that the first zero-day of the year and ties" can be very useful. It can be easier to the zero-day that was auctioned off both al- communicate the importance of a vulnerability lowed for privilege elevation is telling. In the with a name rather than one with just a CVE first eight months of this year, Microsoft has designation. A prime example of this is Heart- patched 49 privilege elevation vulnerabilities bleed. Heartbleed was a critical vulnerability in various components. and the name, website and icon helped draw attention to it. It could be argued that more Although the exploit of such a flaw can't pro- servers were patched in a short time because vide everything an attacker needs, it is still a of the high profile brought on by the name.

www.insecuremag.com 22 OVERALL, 266 VULNERABILITIES OVER AN EIGHT-MONTH PERIOD SOUNDS LIKE A LOT OF VULNERABILITIES, BUT NOT ALL VULNERABILITIES GET EXPLOITED

Since Heartbleed, however, the bulk of these first, because they are exposed to attack and celebrity vulnerabilities have been more or tend to be the most valuable assets. You'll less non-issues. I'm not saying that these also want to focus on your end users, as they aren't vulnerabilities that could cause a breach are constantly exposed to a wide range of or data loss. However, most of them stole the threats and are gatekeepers for important in- spotlight from much more critical vulnerabili- ternal data. ties, and that is a problem. Overall, 266 vulnerabilities over an eight- The other problem is that the type of build-up month period sounds like a lot of vulnerabili- that occurred with Badlock often forces ties, but not all vulnerabilities get exploited. A sysadmin teams to waste valuable resources. quick check of public sources shows only 30 public exploits for them. Naturally, these are These pre-releases force an "all hands on just the exploits and PoCs we know about. deck" situation in order to prepare for the worst-case scenario. Admin teams were pre- More surely exist in the underground, but the paring to patch their servers for a major Bad- problem for the criminal is how to keep those lock vulnerability and were auditing their fire- exploits unknown. The more an exploit is used wall policies for Badlock suspected access the more likely it is to be discovered, and the instead of making sure that their user base vulnerability patched. was set to auto-update or that their client browsers aren't using Flash anymore. Patching - and patching quickly - is an important part of securing systems and networks. Patch preparation However, tracking released patches can provide us with helpful insights. Speaking of preparing for patches, it is important to have a patching policy in place that al- While many system admins and network en- lows you to patch your most valuable and vul- gineers focus almost completely on vulnerabil- nerable assets as quickly as possible. This of ities that might affect their servers, we have course means knowing which assets are seen that client software like Internet Explorer valuable and which are at risk in your envi- and Microsoft Office often presents a greater ronment. This is generally performed through risk. And while Remote Code Execution vul- ongoing network scanning to keep an up-to- nerabilities are always the ones that claim the date inventory and risk assessment to nail spotlight, Privilege Elevation vulnerabilities down how vulnerable those assets are. are often the ones used to complete a compromise and maintain persistence. Typically you'll want to focus on your public facing servers (webservers and email servers)

Karl Sigler is Threat Intelligence Manager at Trustwave (www.trustwave.com) where he is responsible for research and analysis of current vulnerabilities, malware and threat trends. Karl and his team run the email advisory service, serve as liaison with Microsoft MAPP program, and coordinate disclosures of discovered vulnerabilities. www.insecuremag.com 23 Mirai Linux Trojan corrals IoT de- for the SSH or telnet account. Then they vices into DDoS botnets load the malware.

Mirai, a newly discovered and still poorly de- • The malware sets up several delayed protected piece of Linux malware, is being used cesses and then deletes malicious files to rope IoT devices into DDoS botnets. that might alert users to its existence. It then starts opening ports and establishes Researchers from MalwareMustDie have re- contact with its botmasters, and scans for cently gotten their hands on several variants other accessible devices to infect. For oth- of the threat, and have discovered the follow- er actions, it awaits further instructions. ing things: They consider Mirai to be the direct descen- dant of an older Trojan dubbed Gafgyt (aka • It comes in the form of an ELF file (typical for executable files in Unix and Unix-like BASHLITE, aka Torlus), which is one of the systems) main contributors to the rise of DDoS-for-hire services. • It targets mostly routers, DVR or WebIP cameras, Linux servers, and Internet of In order to protect their devices from this Things devices running Busybox – the threat, administrators are advised to close up “Swiss Army knife of Embedded Linux.” their telnet service, to block the TCP/48101 port (if unused), and to make sure their Busy- box execution can be run only on specific • The attackers first gain shell access to the target devices by taking advantage of the user. fact that most have a default password set www.insecuremag.com 24 US 911 emergency system can be The problem, the researchers say, rests in the crippled by a mobile botnet fact that current FCC regulations require that wireless carriers must immediately route all What would it take for attackers to significantly emergency calls to local public safety answer- disrupt the 911 emergency system across the ing points, regardless of the mobile phone’s US? According to researchers from Ben-Guri- available identifiers (like IMSI and IMEI, which on Univerisity of the Negev’s Cyber-Security tell if the caller is a subscriber to their service Research Center, as little as 200,000 com- and identify the mobile equipment, respective- promised mobile phones located throughout ly). the country. “A rootkit placed within the baseband firmware The phones, made to repeatedly place calls to of a mobile phone can mask and randomize the 911 service, would effect a denial-of-ser- all cellular identifiers, causing the device to vice attack that would made one third (33%) have no genuine identification within the cellu- of legitimate callers give up on reaching it. lar network. Such anonymized phones can issue repeated emergency calls that cannot If the number of those phones is 800,000, be blocked by the network or the emergency over two thirds (67%) would do the same. call centers, technically or legally,” they pointed out. Naturally, the researchers – Mordechai Guri, Yisroel Mirsky, and Yuval Elovici – haven’t There are several countermeasures that can performed such an attack on the actual, na- mitigate such an attack, including implement- tionwide system. Instead, they have created a ing “call firewalls” on mobile devices, and pub- simulated cellular network based on North lic safety answering points implementing “pri- Carolina’s 911 network (as information about it ority queues” that would give precedence to is widely available) and attacked it instead. callers with more reliable identifiers.

According to their ﬁndings, the 911 system in Attack prevention options include the disallow- North Carolina could be partially overwhelmed ing of 911 calls from NSI devices, and trusted by mere 6,000 infected devices. device identiﬁcation.

www.insecuremag.com 25 CodexGigas: Malware profiling When it comes to development challenges, search engine the authors tried to gather a massive amount of malware in order to test the software. “We CodexGigas is a free malware profiling search currently have about 25 million samples, that’s engine powered by Deloitte Argentina, which 15 TB of malware. Turns out that amount of allows malware analysts to explore malware data is not as easy to manage as we thought. internals and perform searches over a large When processing data, for every extra mil- number of file characteristics. lisecond it takes to process a sample on average, it takes seven hours to process the Instead of relying of file-level hashes, users whole database,” Luciano Martins, CodexGi- can compute hashes over features such as gas developer, told (IN)SECURE Magazine. imported functions, strings, constants, file segments, code regions, or everything that is You can check for updates on the CodexGi- defined in the file type specification. This pro- gas Twitter profile (@CodexGigasSys), and vides more than 142 possible searchable pat- the download is available here: github.com/ terns that can be combined. codexgigassys.

Five ways to respond to the ware to spread laterally within the environ- ransomware threat ment.

While organizations wrestle with the ever- 4. Plan your recovery pressing issue of whether to pay or not to pay The unfortunate truth is, despite the security if they’re victimized, Logicalis US suggests industry’s best efforts, no organization is en- CXOs focus first on how to protect, thwart and tirely immune to attack. Therefore, it’s critical recover from a potential attack. to examine how the organization will recover if it is breached. 1. Create a modern defense It is critically important to plan for the possibili- First, be sure you’re backing up. Second, test, ty of an attack by developing comprehensive test and re-test the backup and restore visibility and access to extensive details on process; a backup is only valuable if the data how the malware entered the organization’s can actually be restored when it’s needed. It’s environment in the first place. also important to ensure that the restore can be done at the system level since file-based 2. Take an architectural approach recovery may not be enough. In some limited situations, point solutions can be effective, but not with ransomware. The Consider, too, how much redundancy is re- most effective way to address the ran- quired; if the organization is hit, do you have somware threat and other pervasive cyberat- an uncorrupted source from which you can tacks is to take a holistic architectural ap- immediately recover? proach to security that encompasses the entire network including its systems and end- 5. Create a pay or no-pay policy points as well as the organization’s cloud and Do you have an uncompromised data backup mobile strategies. from which you can restore? What is the cost to restore vs. pay – both monetarily and in 3. Prevent the spread of malware terms of the business’ ability to function in the If an attacker’s malware does enter the net- meantime? Ultimately, the decision comes work, it has the ability to spread like a fast- down to how business-critical the compro- moving cold among passengers on an air- mised data is to the organization. If you do plane. The key at this stage is to compartmen- decide to pay, In most cases, you can talk the talize data using network micro-segmentation price down, so it may make sense to consider strategies that make it more difficult for mal- not paying the first amount offered.” www.insecuremag.com 26 Gugi banking Trojan outsmarts to work with graphics and windows.” There is Android 6 security only one button: “provide.”

The Gugi Trojan’s aim is to steal users’ mobile When the user clicks on this, they are pre- banking credentials by overlaying their gen- sented with a screen asking them to authorise uine banking apps with phishing apps and to app overlay. After receiving permission, the seize credit card details by overlaying the Trojan will block the device screen with a Google Play Store app. In late 2015, Android message asking for ‘Trojan Device Adminis- OS version 6 was launched with new security trator’ rights, and then it asks for permission to features designed specifically to block such send and view SMS and to make calls. attacks. Among other things, apps now need the user’s permission to overlay other apps, If the Gugi banking Trojan does not receive all and to request approval for actions such as the permissions it needs, it will completely sending SMS and making calls the first time block the infected device. If this happens, the they want to access them. user’s only option is to reboot the device in safe mode and try to uninstall the Trojan, an Kaspersky Lab experts have uncovered a activity that is made harder if the Trojan previ- modification of the Gugi banking Trojan that ously gained ‘Trojan Device Administrator’ can successfully bypass these two new fea- rights. tures. Initial infection with the modified Trojan takes place through social engineering, usual- Aside from these security workarounds and a ly with a spam SMS that encourages users to few other features, Gugi is a typical banking click on a malicious link. Trojan: stealing financial credentials, SMS and contacts, making USSD requests and sending Once installed on the device, the Trojan sets SMS as directed by the command server. To about getting the access rights it needs. When date, 93 percent of users attacked by the Gugi ready, the malware displays the following sign Trojan are based in Russia, but the number of on the user’s screen: “additional rights needed victims is on the rise. In the first half of August 2016, there were ten times as many victims as in April 2016. www.insecuremag.com 27 There's a reason why so much friction exists between security professionals and senior management or line of business (LOB) groups: poor communication. For security professionals, the problem origi- company assets by defending against intru- nates from two distinct issues: sions, whether internal or external.

1. Security doesn't effectively explain the re- At a glance, those job descriptions seem en- alistic nature of the threat, both direct and tirely appropriate. This brings us to perception. indirect, in business terms. The LOB managers see security people as 2. Ineffective communication of the potential colleagues, a support service that is helping business impact of security measures and them do their job. Therefore, they assume that how they affect the end user or customer. security people understand the products and services they’re selling, and how the end user The second of these often leads to the biggest interacts with them. Security people, however, challenge for effective communication with the often focus entirely on their role as a defend- C-level and LOB managers. It can also result er. in delayed approval for a security project. A clear example of this is when, immediately Setting the scene for miscommunication after a deployment, a LOB manager begins receiving calls from the field that their busi- Let’s use another example to demonstrate this ness applications are no longer functioning communication breakdown: properly. A security professional informs the LOB owner This example exposes the core issue: how that a specific security mechanism needs to security people view their jobs and the jobs of be altered (upgraded, replaced or added). the LOB managers they support. LOB man- They will do an exhaustive job of explaining agers and their leadership see their role in the the benefits of this change from a security company as generating revenue and profits. perspective. The LOB owner will nod and Security typically sees its job as protecting more than likely accept that the security www.insecuremag.com 28 professional knows what he or she is talking damage, but if security does its job perfectly, about and accept the change as a good nothing happens. An absence of something move. Next, they will ask about price and how bad happening is hard to trumpet on a re- long the deployment will take, generally re- sume. ceiving specific answers - so far, so good. It's akin to an effective insurance policy. Com- At this point, they will ask something generic, panies are happiest when the insurance policy such as "Anything else I need to know?" or is never needed, which can make those pre- "What are the non-security implications of this miums seem like wasted money. change?" That's where things are put in place for an inevitable blow-up. Security will mention When top-notch security professionals do a couple of things to be aware of and might their job, nothing happens. Will the CEO be even say that there's nothing to worry about. tempted to devalue that security investment? Then, the deployment occurs and the LOB If something bad happens, then the security owner’s phone starts blowing up. department failed. It's a no-win scenario. But if security professionals refocus their at- Back to security goes the manager, only to be tention on business functionality, the picture told that this was expected. Why didn't securi- begins to change. ty inform the LOB owner of that when asked about other implications? It's not out of malice Let's go back to that conversation between or even negligence. It's because they are the security and business professionals from thinking like a security organization (thwarting earlier. What if that proposal detailed the ways attacks) and not like a LOB owner (under- this software would force changes in opera- standing the precise ways customers use the tions and suggested different processes that company's offerings). would benefit the end-users, while also allow- ing the desired security improvement? Sud- Talking through the solution denly, that security professional is an ally. The business professional will be impressed with The solution sounds a lot easier than it actual- his or her end user functionality knowledge. ly is: security professionals need to spend time with their business colleagues to learn Business is a team sport how customers interact with the company’s products or software. It's a good idea for secu- This won't be easy. It’s like persuading a cryp- rity to go through the routine training on how tographer that they need to sit with customers the product is used, and to observe the end- to master how end users use the software. user customers working with the product. That cryptographer will ask how will that help them defend the company. The answer is: "It Until security has an intimate hands-on un- will turn you into an ally of your business derstanding of the end-user-product interac- peers, which will make our security requests tions, how can they be expected to provide get approved faster and easier." the C-Level and LOB owners a comprehensive list of post-deployment functionality The reality is that all employees of the com- changes? pany, regardless of position, are ultimately there to help the company make money and In theory, this could lead to a change that will profit. That’s easy to see when someone's job make security far more indispensable to the title is “salesperson” or “marketing manager.” business. This would certainly be a boon, as However, that’s not the case when their job is security is often viewed in the same less-than- fine-tuning firewalls or managing multi-factor enthusiastic way as insurance, legal, PR and authentication. IR departments. They are often not seen by rank-and-file employees as adding value. This proposed change in approach and com- They are seen as protecting against potential munication will not be easy, but it’s necessary.

Jeff Schilling is chief of operations and security for Armor’s cyber and physical security programs for the corporate environment and customer hosted capabilities (www.armor.com). www.insecuremag.com 29 Black Hat USA 2016 welcomed more than 15,000 infosec professionals – acade- mics, world-class researchers, and leaders in the public and private sectors. The Black Hat Review Board, comprised of 24 • Black Hat Arsenal returned for its seventh of the world's foremost security experts, eval- year, offering researchers and the open uated more submissions this year than ever source community the ability to demon- before. This year's conference welcomed 175 strate tools they develop and use in their speakers and researchers across more than daily professions. This year's event fea- 70 technical trainings and nearly 120 re- tured 80 tools – a 22% increase from 2015 search-based brieﬁngs on stage. – the largest line-up to date.

Show highlights • Removing Roadblocks to Diversity - Panel + luncheon featured some of the top • Keynote Dan Kaminsky, Chief Scientist, women in the security field sharing their WhiteOps, and one of seven "key share- paths to success, as well as the “why” and holders" able to restore the Internet's DNS ways to fix the dramatic underrepresenta- if necessary, presented "The Hidden Archi- tion of women and minorities in the securi- tecture of our Time: Why This Internet ty industry, even as the talent gap deep- Worked, How We Could Lose It, and the ens. Role Hackers Play" to a room of nearly 6,500 attendees. • Black Hat Business Hall was action- packed, with nearly 270 of the industry's • Black Hat CISO Summit welcomed 150 top companies showcasing their latest executives from top public and private or- technologies and solutions. Attendees also ganizations for an exclusive program in- enjoyed the bustling Career Zone, as well tended to give CISOs and other infosec as the Innovation City for impressive executives more practical insight into the startups. latest security trends and technologies and enterprise best practices. www.insecuremag.com 30 www.insecuremag.com 31 Apple finally announces bug bounty Remote Butler attack: APT groups’ dream program come true

Apple is finally going to monetarily reward se- Microsoft security researchers have come up curity researchers for spotting and responsibly with an extension of the “Evil Maid” attack that disclosing bugs in the company’s products. allows attackers to bypass local Windows au- The announcement that a bug bounty pro- thentication to defeat full disk encryption: gram is going to be set up by the company “Remote Butler”. this September was made by Ivan Krstić, Apple’s head of security engineering and ar- Demonstrated at Black Hat USA 2016 by re- chitecture, at Black Hat USA 2016. searchers Tal Be’ery and Chaim Hoch, the Remote Butler attack has one crucial im- His presentation was also rather uncharacter- provement over Evil Maid: it can be effected istic for Apple, as it included the sharing of de- by attackers who do not have physical access tails about several of the companies data pro- to the target Windows computer that has, at tection and security technologies. one time, been part of a domain, i.e. enterprise virtual network, and was authenticated Krstić revealed that the Apple bug bounty pro- to it via a domain controller. gram will be invite-only at the beginning: only a few dozen researchers have been asked to Evil Maid attacks got the name from the fact participate. that even a hotel maid (or someone posing as one) could execute the attack while the com- Their names haven’t been revealed, but it is puter is left unattended in a hotel room. known that they have worked with Apple in the past. Still, he said that the company will ac- The most recent of those was demonstrated cept bug reports from other bug hunters, if the by researcher Ian Haken at Black Hat Europe found flaw is deemed critical enough. 2015, when he managed to access the target user’s data even when the disk of its comput- In due time, everybody will be able to partici- er was encrypted by BitLocker, Windows’ full pate in the program, and its scope will widen, disk encryption feature. too. The vulnerability that allowed this attack was For now, we know that Apple will pay a maxi- definitely patched by Microsoft in February mum of: 2016, and the good news is that this patch also prevents attackers from effecting a “Re- • $200,000 for flaws in secure boot firmware mote Butler” attack. components • $100,000 for flaws that allow the extraction But its unlikely that everybody applied the of confidential material protected by the patch. Secure Enclave • $50,000 for vulnerabilities that can lead to “While being a clever attack, the physical ac- execution of arbitrary code with kernel priv- cess requirement for [Haken’s Evil Maid at- ileges tack] seems to be prohibitive and would pre- • $25,000 for holes that allow access from a vent it from being used on most APT cam- sandboxed process to user data outside of paigns. As a result, defenders might not cor- that sandbox, and rectly prioritize the importance of patching it,” • $50,000 for vulnerabilities that can let at- Be’ery and Hoch explained, and urged those tackers access to iCloud account data on admins who haven’t already implemented it to Apple servers without authorization. do so as soon as possible.

The actual reward amount will depend on the Or, if that’s not possible, to implement some severity and exploitability of the bug. Apple network and system hardening and defense- will require researchers to submit a proof-of- in-depth policy to minimize the risk of the at- concept exploit of the bug on the latest iOS tack being executed. version and hardware. www.insecuremag.com 32 www.insecuremag.com 33 Armor Anywhere: Managed security for Global network shares phishing attack any cloud intelligence in real-time

As growing businesses increasingly rely on IRONSCALES, a multi-layered phishing miti- public, private and hybrid cloud platforms in gation solution that combines human intelli- addition to internal infrastructures, at Armor gence with machine learning, launched Fed- launched Armor Anywhere to keep sensitive eration, a product that will automatically and data safe. anonymously share phishing attack intelligence with organizations worldwide. Compatible with popular cloud platforms, including AWS and Azure, Armor Anywhere se- “Instantaneous sharing of phishing attack in- cures data 24/7 while providing visibility telligence will make it substantially easier for across a multi-cloud infrastructure. enterprises and organizations to consistently remain secure and in control,” said Eyal Ben- “The modern threat landscape presents size- ishti, CEO of IRONSCALES. able challenges for companies managing sensitive data, particularly those facing strict IRONSCALES’ employee-based intrusion compliance requirements,” said Chris Drake, prevention system is the first phishing solution founder and CEO, Armor. with an automatic one-click mitigation response. This functionality makes it possible “Armor Anywhere is a battle-tested security for IRONSCALES to expedite the time from solution backed by threat expertise that com- attack to remediation from weeks to seconds, plements our customers’ unique needs. It without ever needing the SOC team’s in- simplifies security, so they can focus on volvement. growth and driving revenue, not defending against sophisticated cyberattacks. We deploy IRONSCALES first challenges all users with a an effective and scalable approach so cus- series of staged, real-world email attacks in tomers can leverage our security knowledge order to evaluate their individual level of and talent at a fraction of the cost of doing it awareness. Based on an analysis of perfor- themselves,” Drake added. mance, a tailored phishing training campaign, using advanced simulation and gamification, Armor Anywhere allows customers to monitor is created to maximize individual awareness and defend operating systems with security and responsiveness to social engineering technology and controls, backed by an elite techniques. security operations center (SOC). Once trained, vigilant employees, upon suspi- Armor experts utilize the latest threat intelli- cion of a phishing attack, can trigger a real- gence, as well as a proprietary, highly-auto- time automated forensic review through the mated agent to deliver around the clock secu- click of just one button, without requiring ac- rity, patch monitoring, log and event manage- tive SOC team participation. ment, malware protection, file integrity monitoring and external vulnerability scans. Within minutes, forensics is completed, and an intrusion signature is sent directly to both The solution is designed to meet PCI and endpoints, email servers and the SIEM, which HIPAA compliance standards, and be audit- then triggers an immediate enterprise-wide ready in defense of ePHI, PII and payment automatic mitigation response, such as quar- data. antines, disabling of links and attachments, and even permanent removal of email, pro- With Armor Anywhere, organizations can also tecting the entire organization from the attack. enjoy a shared approach to both risk and security responsibility to optimize IT spend and Important event information is then automati- cloud accessibility. cally and anonymously shared via Federation to ensure the same attack won’t hit any other company under IRONSCALES protection. www.insecuremag.com 34 Perhaps we, as cyber security practitioners, should be thanking the perpetrators of ransomware and other high profile attacks. While years of prodding, pleading and presenting mounds of evidence to top execs earned us a toehold with the C-suite, the now ever-present headlines have shoved us all the way in. A survey by KPMG of CEOs from top global endpoints secure, business and customer in- companies found that nearly a third see cyber formation safe and our company’s name off security as the issue having the biggest im- the latest cyber victim list. The one solution pact on their companies today. However, now that will reassure the C-suite and board mem- that cyber security leaders have earned a bers, now that they understand that cyber se- place at the table, they are finding the seat curity is not just a tactical problem but a isn’t all that comfortable. A full half of these strategic issue. same CEOs report they are not fully prepared for a cyber event. But the recent discovery of critical vulnerabilities in the Symantec security suite has dis- With every threat or, even worse, internal pelled that dream once and for all. CISOs breach in the news, the pressure on security need to focus on several complementing se- leaders grows. In response, they add more curity technologies versus relying on one se- layers of technology in an attempt to plug curity vendor or platform - focus on creating a gaps, real and imagined. new cybersecurity stack that balances traditional and innovative approaches through a No silver bullet deliberate strategy that always keeps benefit, risk and operational load in mind, and which It’s hard to give up the dream of that cyber sil- brings the widest range of protection with the ver bullet. The one technology that will keep least cost and business disruption.

www.insecuremag.com 35 A general framework From the broadest level on down, these can be divided as: As with most things when you have acade- mics, corporations and governments all in- 1. Policies, procedure and awareness volved, the concept of a cybersecurity stack is 2. Physical security somewhat ﬂuid. On an organizational level, 3. Perimeter security the security stack encompasses everything 4. Internal security from password security to antivirus and HIPS/ 5. Host/endpoint security HIDS, from ﬁrewalls to physical security, secu- 6. Data security. rity policies, education and backup strategies. THE CONCEPT OF A CYBERSECURITY STACK IS SOMEWHAT FLUID

It starts with the endpoint • Application control – Exploits that use legitimate operations are not stopped (e.g. a Each layer in this general cyber security stack malicious Word macro). Malware can also can be broken down into sub-stacks. Of these spoof a trusted application. sub-stacks, the first place of focus should be • Behavior analysis – Attackers that under- the endpoint protection stack. The SANS Insti- stand the rules defining suspicious behav- tute found that nearly 50% of organizations ior can design exploits that get past them. are aware they’ve had endpoints compro- • Endpoint detection and response (EDR) – mised in the past 24 months. Once compro- Speed is critical – an exploit can cause se- mised, the endpoint can yield tremendous rious damage before detection kicks in. amounts of information, including access cre- • Containment – This is the most challeng- dentials to critical organizational systems and ing from an attacker perspective but can data. impact business efficiency from the user perspective. Given that endpoints are the main entrance point for advanced attacks, and attackers con- Theoretically, the most comprehensive de- tinue to develop ever more sophisticated fense would incorporate all of the above tech- methods, various types of technologies have niques to ensure that the endpoint is covered evolved around the endpoint and the network from all potential threat vectors. In reality, that surrounds it. dealing with the configurations, CPU drain, collisions between products, maintenance and Each approach has its own strengths and vast quantities of data generated (including weaknesses: high rates of false positives) would be far too costly and degrade business operations to the • Signature based malware prevention – point of almost causing as much damage as Very effective at blocking basic malware an attack. Not to mention the fact that the but easy to evade. worldwide shortage of security personnel • Exploit mitigation – Makes a vulnerability would make the task impossible. more difficult to exploit. Some technologies can be evaded by script-based malware. Moreover, each of these techniques still has • Network sandboxing – Some malware can limitations and, even in combination, attackers detect sandboxing and avoids malicious may slip through the cracks long enough to activity until tagged as benign. Once exe- cause harm. cuted on a real system, it starts its malicious activities. So how should security teams decide which products to deploy? www.insecuremag.com 36 THE LONGER IT TAKES TO DETECT AND CONTAIN A DATA BREACH, THE MORE COSTLY IT BECOMES TO RESOLVE

The leaner, meaner endpoint stack catches the bulk of attacks for the lowest cost. Augment traditional signature-based ap- Endpoint security technologies are generally proaches with memory protection and exploit added independently and haphazardly, in re- prevention that prevent the common ways that sponse to the latest threat or regulation, with malware gets onto systems. Combine new little planning as to how they might best work technologies like Moving Target Defense to together or how they may affect an organiza- handle advanced threats with existing “good tion’s overall business goals. hygiene” products like anti-virus. For all its flaws, AV is still the most effective prevention Recently, a CISO told me he cannot identify for run-of-the-mill malware. the contribution of a specific HIPS agent his company added years back, one of seven With such a lean, effective prevention stack agents; its value in the risk mitigation equation companies could possibly do away with HIPS, long forgotten except that it is required for personal FW, tedious repetitive patching regulatory compliance. There needs to be a prompted by new vulnerabilities and other better equilibrium of benefit and risk, a full un- techniques that do little to improve security derstanding of the costs and implications. efficacy, but a lot to increase inefficiency of workstations and their users. The longer it takes to detect and contain a data breach, the more costly it becomes to Supplementary components should be added resolve. The 2016 Ponemon Cost of Data according to specific organizational needs, Breach Study found that breaches that were always weighing benefits against costs. Busi- identified in less than 100 days cost compa- nesses that are under frequent attack should nies an average of $3.23 million, while consider EDR and sandboxing detection breaches found later cost over $1 million more techniques, especially given that malware is ($4.38 million). most likely already in the network.

Forrester rightly predicted that in 2016 cyber- If this is done right, security teams will have security would swing back to prevention. Take fewer agents to maintain, a lower level of the case of ransomware – by the time an at- compatibility issues, less CPU drain, fewer tack is detected, it is already too late. false alerts and lower remediation costs.

An optimal endpoint stack should start with an effective and efﬁcient prevention stack that

Ronen Yehoshua is the CEO of Morphisec (www.morphisec.com) with more than 20 year of technology management and venture capital experience. Prior to Morphisec, Ronen was a partner at Cedar Fund, an in- ternational venture capital ﬁrm with over $325M under management. In this strategic, hands-on role, he lead investments and resided on the boards of several companies in seed and growth stages.

www.insecuremag.com 37

The IT manager tasked with understanding today’s complex vendor landscape is in an unenviable position. The rapid proliferation of new types of cyber security threats and general IT dynamics has, in turn, driven a near equal proliferation of products and services aimed at helping manage the associated risks. Keeping up with the categories of products However, leading vendors are not only push- and services that now make up the security ing their own technologies in pursuit of new vendor landscape is challenging enough, not solutions, but also committing active teams to to mention keeping abreast of the strengths finding these opportunities through collabora- and weaknesses of individual vendors. tion with other, sometimes competing, vendors. Expanded use of open APIs by a variety On some level, the vendors themselves com- of technology companies, in conjunction with plicate this process through their efforts to dif- movements toward SaaS and cloud comput- ferentiate around unique features or capabili- ing, have made a strong case for the necessi- ties. Not all of this is disingenuous. The pace ty of third-party collaboration and integration. with which cybersecurity threats emerge and/ or evolve creates both the need and the op- In the security arena, this collaboration be- portunity for vendors to innovate new capabili- tween vendors most commonly takes the form ties that create true separation from other of API integrations that allow for the exchange players in the market. of threat, vulnerability, or general security event data across products. In particular, most This specialization is, to a large degree, a now expect vendors to support integration necessary response to the continued innova- with major players in the Security Information tion on the threat side of the equation. We see and Event Management (SIEM) space. Enter- constant and clear evidence that traditional prises and service providers often leverage security products (firewalls, intrusion preven- SIEM platforms to deliver a consolidated view tion/detection systems) continue to serve a of relevant security information for correlation key role but alone can’t ensure protection of events and to provide a “single pane of from attacks of increasing scale and glass” view into their environment. complexity. www.insecuremag.com 39 Keys to successful security vendor One such trend would be the DevOps model, collaboration where application development, testing, and release of new applications or application up- There are some important considerations for dates occur more rapidly. vendors looking to collaborate, which also reflect some of the characteristics of collabora- Even in the most disciplined application de- tion that end users should be looking for from velopment environments where secure coding their vendors. is part of the SDLC, every change to an application can introduce new vulnerabilities. It’s imperative to find opportunities where complementary capabilities address real-world Suddenly, in this environment, application se- use cases or scenarios. There are a number curity scanning tools that were built to operate of trends within IT at any given time driving around more defined, spaced development changes to the dynamics of how products and cycles find they need to not only speed up services are being used. Occasionally, these their operation, but also tie into complemen- become disruptive trends that render good tary products or services that help security products or services suddenly vulnerable to teams act on results more quickly. obsolescence if they can’t evolve.

Every day we see clear evidence of the increasingly automated nature of the cybersecurity threat landscape

One way vendors can extend this concept fur- sponse. Then focus the human skills on ther is to seek out technology collaboration deeper interpretation and longer-term that creates opportunities for automation in remediation strategies. security operations. Every day we see clear evidence of the increasingly automated nature If we apply this to the DevOps example of the cybersecurity threat landscape. above, this might look something like a technology integration that takes the results of dy- The result is faster, larger, more complex at- namic application testing and automatically tacks that can rapidly move from target to tar- feeds it into an application security product get seeking vulnerabilities to its tactics, tech- (such as a Web Application Firewall) for au- niques, and procedures. tomated policy deployment in response to newly identiﬁed vulnerabilities. As a result, forward-thinking security teams recognize they need collaboration and inte- Steps for IT pros to leverage or spur grations that do more than add another prod- collaboration uct’s data to a SIEM or other platform for consolidated human decision-making. Fight bots There are some basic tactics that enable IT with bots and leverage unique combined professionals to get more from potential col- technology capabilities to allow for faster re- laboration within their stable of security vendors. www.insecuremag.com 40 Focus on addressing your critical requirements, but know the categories to help you compartmentalize and quickly compare vendors

First, really understand the unique require- gabit-per-second attacks push many to focus ments of your network, applications, and primarily on total mitigation capacity of cloud business. With all the buzzword bingo in the vendors, but in so doing they overlook the po- security space, it’s easy to get bogged down tential damage of smaller or encrypted at- and become convinced you have to address tacks. something that either isn’t a problem for you or poses little risk. The final step is to familiarize yourself and get comfortable with one of the existing security An example of this emerged in our 2016 product/service taxonomies. That’s not to Global Application & Network Security Report, suggest you should become rigidly fixated on where 35 percent of respondents listed Ad- the idea that all solutions need to fit neatly into vanced Persistent Threats as the biggest one or the other for consideration. danger, yet only 23 percent of respondents had actually experienced any such attack. Focus on addressing your critical requirements, but know the categories to help you Another pitfall to avoid is becoming overly fo- compartmentalize and quickly compare ven- cused on the security headlines and assume dors. It can also help you understand which those are critical requirements for protection. categories are being successfully integrated We see this often with customers exploring for specific unique use cases and where your protection options from DDoS attacks. The organization can flourish among the seemingly daily headlines about multi-100 Gi- competition.

Ben Desjardins is the Director of Security Solutions at Radware (www.radware.com).

www.insecuremag.com 41 The world of corporate information security is locked in an ongoing battle, with hackers always one step ahead. In order to be successful, security operations teams need to rethink security infrastructure in their shift from detection to response. Security teams traditionally turn to detection missing the forest: the overall picture of their and mitigation tools in their attempts to over- security infrastructure, and how each aspect power their pursuers. The tools used to de- feeds into and relates to the others. As distin- tect, respond, prevent and predict attacks are guished engineer and CTO of Security at IBM numerous and complex. Europe Martin Borrett says, it's “hard to be successful when organizations have an aver- Today, the typical security team employs a age 85 tools from 45 vendors.” With a diversi- cocktail of detection tools, threat management fied and growing attack surface spanning IOT, tools, mitigation tools, threat intelligence tools, mobile and cloud infrastructures, the number log management tools, and so on. The as- of tools needed to secure all these new plat- sumption is that the more tools the team uses, forms increases, introducing even more com- the better the chances of simple and straight- plexity and noise. forward containment will be. But a cursory look at the numbers behind recent breaches To truly see the context and connect the dots such as Anthem or OPM tells another story. between all events, security teams must shift Despite the plethora of tools found in security their focus away from point solutions and start departments today, security teams are still viewing all aspects as part of one cohesive locked in the battle – and they are not win- unit. For example, teams must start connect- ning. ing external threat intelligence with alert data and internal assets to fully understand and Because today's skilled analysts have to con- contextualize threats across time and source. tend with so many tools, updates and pro- Is the team agile enough to see the individual cesses, they often miss the big picture: they aspects as one whole? Do they see the un- see the trees (each siloed element as its own derlying story or do they just see the individual entity, unrelated to every other aspect) while trees? www.insecuremag.com 42 Remaining zeroed-in on this elaborate patch- Loss of revenue work of point solutions essentially blocks teams from getting a clear picture into what is According to an annual study conducted by actually taking place within their security envi- IBM and the Ponemon Institute, the average ronment and can be damaging in a host of loss per year due to breaches for a large ways. company is $4 million, a figure that is just slightly higher than it was in 2015, but a full 29 Loss of time percent higher than it was just three years ago in 2013. And this isn't even the full cost. Ac- In a breach, every moment counts. A study cording to the study’s author, “the biggest fi- conducted by the Ponemon Institute states nancial consequence to organizations that that it takes companies in the financial sector experienced a data breach is lost business.” 98 days from breach to containment (on aver- The true financial blow of a breach might not age). Companies in the retail sector take 197 be fully felt for years. days on average to resolve them. This dwell time is staggering, leaving organizations vul- To highlight all this, IBM’s study shares with us nerable to threat actors. this important gem: the longer it takes to identify and contain an attack, the higher the The time it takes to put together the storyline costs. And as the total cost of cybercrime of a threat can make all the difference be- crosses the $3 trillion mark, spending goes up tween emerging from a breach with the in- proportionally. According to Steven Morgan at tegrity of data still somewhat intact or a com- CyberSecurity Ventures, “as cybercrime rises, plete loss of data. so does cyber defense spending — it’s the nature of the beast.” Team efficiency Closing the gap In the sea of alerts, logs and tools, security teams often feel like they are drowning. The While point solution tools are effective in their same study found that a typical company re- own target domain, each on its own is incom- ceives 50,000 alerts per month, of which ap- plete, leaving analysts to do the complex dirty proximately five percent are real. work of stitching together the real story of what is taking place. In this environment, it is The rest are false positives, a result of frag- nearly impossible to find context and easily mented and independent tools working in dis- correlate between events, and there is no un- unity with the others. But they all must be ex- derlying infrastructure, nothing to unify events. amined, as even one unprocessed alert can spell disaster as it did in the Target breach in In such a fragmented environment, with its 2014. multiple point solutions, alerts and logs, it is no small wonder that those alerts fall through The underlying story behind the string of the cracks, that incidents go uninspected and events that led up to the breach and ultimate- that threats remain unresolved. ly, the loss of data of over 110 million customers, was there for all to see if they had Security teams today simply do not have the been able to see events within context. time or ability to deal with all the hundreds of moving parts that go into trying to contain the Target’s varied and complex security environ- next big breach. Adding more tools, hiring ment contained so many individual aspects more analysts, these are all just Band-Aids that when their malware detection platform slapped onto the wound. alerted them to a high level threat, it went unnoticed, amid all the background noise. As long as corporate security continues down this path, the game of cat and mouse will con- The reality is that an alert from one detection tinue and the bad guys will continue to tool could be deemed insignificant, yet when emerge victorious. put together with information from other tools and alerts it could, in fact, be critical. www.insecuremag.com 43 Learning to see the whole story sources more efficiently and thoroughly. With tools that use existing resources more effec- A new paradigm is needed. One that takes all tively, teams can take on entry-level staff and the disparate security sources and puts them on-board them faster and more efficiently. into one unified picture, one single pane of glass, illuminating the relationships between Put information sources into context: Iden- them, focusing on what is significant and re- tify and contextualize all incoming intelligence moving what is not, ultimately giving teams from all the numerous, difficult-to-access the tools they need to look at huge volumes of sources within organizations. Out of context, data and understand their significance at a this intelligence is useless, living in its own glance. silo.

So what is needed to help security teams Build a ﬂexible and adaptive security in- actualize this new paradigm? frastructure: As new data sources and requirements emerge, teams need to ensure Provide end-to-end visibility: Security their security environment is built to be able to teams should implement software and tools incorporate new data sources and tools effec- needed to create a connective tissue that puts tively as they evolve in a complementary all events, alerts, logs and accumulated data manner. into crystal clear context. Connect the dots: Collecting the data is not Streamline operations: Give teams the nec- enough; it is the process of distilling intelli- essary training to organize workﬂows, process gence out of it that will drive the value that events and train new employees better, thus SOCs need in order to evolve and compete in lowering overhead and using existing re- today’s competitive security environment. Understand that breaches will occur no matter what, so stop focusing solely on preventing breaches. They will happen.

Final note breaches reduces loss, cuts damage and reduces dwell time from months to minutes. Understand that breaches will occur no matter what, so stop focusing solely on preventing The parts and processes of your security in- breaches. They will happen. frastructure tell a story. When seen as individual units, the story is confusing, fragmented What matters most is how and how fast your and difﬁcult to decipher. Put those same organization responds to the threats. Using events in context and a whole new world of the right methods to locate and contain insight and meaning becomes abundantly clear.

Amos Stern is the CEO at Siemplify (www.siemplify.co). He brings a unique technical and business background that includes leadership of the Cyber Security department within the IDF Intelligence Corps as well as directing sales and business development for Elbit’s Cyber & Intelligence Division. www.insecuremag.com 44 IP EXPO Europe 2016 ipexpoeurope.com - London, UK / 5 - 6 October 2016.

With six top IT events under one roof, 300+ exhibitors and 300+ free to attend sem- inar sessions, IP EXPO Europe is a must-attend IT event for CIOs, heads of IT, security specialists, heads of insight and tech experts. Cyber Security Europe at IP EXPO Europe offers invaluable security insight for both IT managers and security specialists. Hear from the experts how you can build stronger defences against cyber-attacks, and recover more quickly if your systems are breached.

Global Cyber Security Leaders 2016 cybersecurity-leaders.com - Berlin, Germany / 7 - 8 November 2016.

Meet with other cyber security leaders and learn from Texas Instruments, Allianz Deutschland AG, PayPal, Bundeswehr, City of Atlanta, Huawei Technologies, UK Ministry of Defence, Uber, Deutsche Telekom AG and many more, on how to establish an effective Cyber Security Strategy, address the human factor in cybersecurity, and improve your threat intelligence and cyber security response plan. www.insecuremag.com 45 The US Department of Health and Human Services’ Office for Civil Rights (OCR) warned healthcare professionals and their business associates of its intention to launch a series of random HIPAA compliance audits throughout 2016. This announcement caused some panic Understanding what is changing and what an among businesses unsure of their ability to audit entails will help ensure if businesses pass a compliance review. Many organiza- meet HIPAA compliance standards. tions are unclear as to who’s bound by HIPAA compliance standards and what aspects of What has changed? their business will be evaluated during an audit. Before 2016, the OCR was only investigating non-compliance situations after a complaint, Any organization that transmits electronic Pro- tip, or media report had been filed, thus 98% tected Health Information (ePHI) is required to of closed privacy cases were the result of a comply with all HIPAA parameters. These complaint. The Health Information Technology rules work to protect the security and confi- for Economic and Clinical Health (HITECH) dentiality of patient data and the failure to ad- audit act became effective starting in 2010, here to these standards could put a business but the OCR has yet to implement an audit at risk for both substantial fines and potential program that will proactively evaluate the lawsuits. compliance status of covered entities and business associates. Covered entities and their business associates need to understand what’s required A 2015 report released by the Office of In- to meet HIPAA standards and how their orga- spector General found the OCR’s oversight of nizations could be affected if a random audit HIPAA compliance to be lacking. were to occur. www.insecuremag.com 46 Now, the OCR plans to strengthen its review However, it’s important to note that some efforts by implementing a second phase of states define these roles differently and busi- audits that was scheduled to occur in 2014, nesses should check with their legal counsel but encountered a number of delays. or state trade association to determine the state’s specific rules. In Texas, for example, In this new round of assessments, providers covered entities are classified as any organi- with fewer than 15 physicians and healthcare zation in possession of PHI, meaning busi- business associates will be subject to audits. ness associates are subject to the same regu- A business associate is any person or group lations imposed on covered entities. While the that generates, stores, receives, or transmits odds a practice will be randomly audited are PHI on behalf of the covered entity with which slim, it’s pertinent that an entity with access to they’re affiliated. A covered entity is any health PHI be vigilant about consistently evaluating plan, healthcare clearinghouse, or healthcare and modifying its HIPAA security and compli- provider that electronically transmits PHI. ance strategy, thus avoiding damages to its bottom line and reputation. Business associates are required to implement training for their employees and all instruction efforts must be documented

The HIPAA Omnibus Rule healthcare provider and are subject to the same penalties and fines as a covered entity. The Final HIPAA Omnibus Rule was established in 2013 to revise previous HIPAA defini- Privacy policies tions, clarify procedures and policies, and include business associates and their contrac- The Omnibus rule includes several HIPAA def- tors within the HIPAA regulations. While the inition changes and a provider’s privacy policy rule has been in effect for a few years, the should be updated to reflect these adjust- OCR’s lax investigation efforts have allowed ments. Policies should include the amend- some businesses to continue operating with- ments made in regards to deceased persons, out adjusting their policies or procedures to the rights of patients to access the ePHI, and meet the Omnibus Rule’s standards. Covered access request responses. They must also entities should address the following elements take into consideration the new restrictions of their organization and make any updates to regarding the disclosure of information to former documents and procedures to ensure Medicare and insurance providers, the distrib- they will be adequately covered in case of an ution of ePHI and school immunizations, and audit. the use of ePHI for marketing, fundraising, and research efforts. Business associate agreements Employee training All business associate agreements should be revised and updated to include the standards An organization’s employees can be either a outlined in the HIPAA Omnibus Rule. Whereas risk or an asset to its network and information before, covered entities shouldered compli- security. Sufficient training should be held to ance responsibilities, now business as- inform staff of the definitions and procedures sociates are equally liable if a data breach or changed as a result of the Omnibus Rule. security error occurs on their end. Business Business associates are required to imple- associates must sign a Business Associate ment training for their employees and all Agreement before their services are used by a instruction efforts must be documented. www.insecuremag.com 47 How to prepare for an audit formation and if it does not have the proper documentation and procedures in place when For any organization, managing HIPAA com- the audit occurs, it will likely be unable to sup- pliance can be daunting. A business and its ply the necessary information in the allotted employees should understand what a HIPAA time. compliance audit entails and what steps should be taken to adhere to HIPAA stan- Generally, an audit will require an organization dards. When an organization is audited, they to provide records of its compliance efforts will be evaluated on aspects like patient priva- dating back several years. If this information is cy requests rights for PHI, individual access to unavailable or nonexistent, the company PHI, administrative, technical and physical could incur a number of legal and financial safeguards, the use and disclosure of PHI, penalties. Businesses bound by HIPAA regu- HIPAA Breach Notification Rule policies and lations should hold regular security reviews to changes to PHI. assess the ability of the organization and its technology to meet compliance standards. In If an organization is subjected to an audit, it addition, changes made to suit these regula- will likely be required to supply a plethora of tions should be regularly documented and up- documents to the OCR. An organization has dated to prove a remediation plan is in effect. 10 business days to supply the requested in- It’s vital an organization’s security review be held and updated at least annually

When performing a security review, business- • Do patients receive a Notice of Privacy es should ask themselves: Practices and where is this notice available? (on-site, online, etc.) • What written policies and procedures are in place to address HIPAA regulations? It’s vital an organization’s security review be • Is there an established incident response held and updated at least annually as busi- plan to address a breach if it occurs? nesses often restructure processes or add • Are regular risk assessments being per- additional technology to their IT environment. formed and documented? Such changes can leave holes in the organi- • What policies are in place to address data zation’s security strategy and render it vulner- security? able to a data breach. • Are security and use policies for BYOD and mobile devices in effect? While much of the HIPAA legislation remains • Are business associates complying with unchanged in 2016, the OCR is bolstering its HIPAA standards? efforts to monitor and remediate PHI security • Is there a regular training program in place risks throughout the nation. And as more or- to educate both old and new employees ganizations will be prone to an audit or inves- about HIPAA compliance regulations? tigation, it’s important that business understand HIPAA so they can remain compliant and protect their clients.

Clyde Bennett is the Chief Healthcare Technology Strategist at Aldridge Health (health.aldridge.com).

www.insecuremag.com 48 For as long as there has been recorded history, humans have had the need to encrypt content-sensitive messages to prevent them from being read by anyone except by the intended recipient. Early signs of encryption have been found in In a symmetric key cipher, the “key” (the Egypt dating to ca. 2000 B.C., when non- unique digital pattern) that was used to en- standard hieroglyphics were used to hide se- crypt the plaintext is identical to the key need- cret messages. Archeologists have uncovered ed to decrypt the ciphertext by the recipient. documented cases of secret writing in ancient This inherently requires the secure transporta- Greece (Scytale of Sparta), as well as the tion of the key from the sender to the receiver. well-known Caesar cipher in ancient Rome. This produces a paradox in which our own cipher system needs another cipher system to In the modern age of electronic communica- transport its key. tion, we have moved on from letter-based encryption schemes of the ancient past to digital Asymmetric key (or public key) cryptography schemes, all based on mathematical concepts schemes use an entirely different set of math- and algorithms that not only obscure the origi- ematical algorithms and concepts to create a nal content of the message (plaintext), but situation where the key used to decrypt a also have properties that make them resilient message (the private key) will never have to to attacks by unintended recipients looking to leave the recipient’s sight. decrypt the encrypted message (ciphertext). On the other hand, the recipient openly publi- Cipher schemes can be categorized into two cizes his/her public key. Any party can encrypt groups: Symmetric Key, and Asymmetric key a plaintext using this public key, but only the cryptography. recipient has the ability to decrypt it with the www.insecuremag.com 49 private key. The pair (public key and the pri- crypted), or block ciphers (in which a block of vate key) constitutes the key in these bits are encrypted at a time). The important schemes. factor to remember is that in the traditional web-based cipher, the computational power of In reality, the computational complexity of pub- the CPUs at either end of the communication lic key schemes is far more than that of sym- link has been sufﬁciently large that these ci- metric key schemes, making them impractical pher schemes does not tax the performance for fast, and in particular real-time, massive of the CPUs signiﬁcantly. Encryption time is data encryption/decryption. “Hybrid” systems used to calculate the throughput of an encryp- are most prevalent today (for web based tion scheme. In 2010, three scholars pub- commutations), in which the symmetric key is lished their comparison of the performance of initially securely exchanged using public key several key symmetric ciphers using a 2.4 crypto, and subsequently the bulk data cipher GHz CPU. The throughput of the encryption uses symmetric key schemes. scheme was calculated by dividing the total plaintext in megabytes encrypted on the total Modern symmetric key ciphers can be either encryption time. The table below captures the stream ciphers (in which one bit at time is en- approximate values.

Cipher Throughput (MB/sec) RC2 3 DES 4 3DES 3 AES 3.5 Blowﬁsh 25 RC6 7

The Internet of Things (IoT) IoT security

The definition of the Internet of Things evolves Inadequate security will be a critical barrier to around the central concept of “a world-wide large-scale deployment of IoT systems and network of interconnected objects.” More broad customer adoption of IoT applications. things are being connected to address a Since the data collected and transmitted via growing range of business needs. In fact, by IoT devices can be private and often extreme- 2020, more than 50 billion things will connect ly sensitive, encryption of all transmitted data to the Internet—seven times our human popu- is a requisite feature of most applications. lation. The challenge in implementation of cipher IoT devices that connect to one another can systems in IoT devices comes in the low end range from a high-powered server to coin- of IoT devices where, by design, these de- sized (or even smaller) smart devices that col- vices can be very constrained as far as com- lect information from their surroundings (via putational power is concerned. sensors) and transmit them wirelessly to their designated destinations. Remember that a coin-sized device that must run on its internal battery power for periods Examples of IoT applications include wearable upwards of one year has very low computa- health and performance monitors, connected tional power, often a very low speed proces- vehicles, smart grids, connected oil rigs, and sor, little memory, and finally, often no hard- connected manufacturing. ware support for crypto algorithms. www.insecuremag.com 50 Earlier in this article we saw the performance many such algorithms designed for specific of symmetric key ciphers on a laptop with a application domains. Fortunately, all of these 2.4 GHz CPU. What throughput do you think algorithms are public and significant studies the same algorithms will yield in a small pro- are done on their performance and security. cessor with little memory, say with a total As a small set of example ciphers, a few such computational power of 1/100 of the laptop lightweight ciphers are introduced here. DESL used above? and DESXL are lightweight versions of the DES cipher that are used in mobile ap- Consider an Intel Core i7 5960X , manufac- plications. CURUPIRA-1 is proposed for ap- tured in 2014, which has a performance of plications in sensor networks. HIGHT is an- 238,310 MIPS at 3.0 GHz. Compare this to an other lightweight cipher that is proposed for Atmel AVR XMEGA MCU embedded proces- RFID devices, as well as sensor networks. sor that delivers 32 MIPS at the maximum XTEA (eXtended TEA) is a block cipher in- clock speed of 32MHz. This is a performance vented at the Cambridge Computer Laborato- difference in the order of 7500! ry, and the algorithm was presented in an un- published technical report in 1997. It is becoming clear that IoT devices need a new set of “lightweight” cipher algorithms that, The table below gives the comparative analy- while providing adequate security, are able to sis of the lightweight cipher algorithms avail- realistically run on low end devices. There are able in the literature:

Cipher Block Size (Bits) Key (Bits) Throughput (MB/s)

DESL 64 56 50 DESXL 64 184 50 CURUPIRA-1 96 96 120 CURUPIRA-2 96 96 120 HIGHT 64 128 25 XTEA 64 128 25

As can be seen, one can achieve real-time market segments. The study found that 80% performance of encryption/decryption on con- of these devices raised privacy concerns; strained IoT devices using available light- 90% collected at least one piece of personal weight ciphers. information via the device; and 70% didn’t encrypt communications to along their path to In conclusion, as Premnath states in his the the destination. IEEE Wireless Communications Letters, since IoT devices typically exchange tactical data, As the public becomes more exposed to as opposed to strategic data, it is more practi- scandals of private data exposed due to ill- cal to achieve data protection for a time span designed security features in their IoT devices ranging from real-time to a few days, as op- and products, it will be more difﬁcult for IoT posed to several years or decades. device designers and manufacturers to avoid putting security and privacy as a central and HP performed a study in 2015 in which it re- paramount feature of their products. viewed ten products in the most popular IoT

Babak D. Beheshti is the Associate Dean of the School of Engineering and Computing Sciences at NYIT (www.nyit.edu). He has over 20 years of experience in R&D for embedded systems and wireless technology, and has successfully managed joint R&D programs with Asian, European, and U.S. companies including Siemens Mobile, Nokia, Samsung, KDDI, and LG. Beheshti has been an active member of IEEE since 1991. www.insecuremag.com 51 Recently, the European Parliament signed off on its first ever set of cybersecurity rules. The Network and Information Security (NIS) Directive spells the end of more than three years of political bickering, and requires critical national infrastructure operators - such as banks, healthcare, transportation, energy and digital service providers - to ramp up their security measures and report major data breaches. The directive is poised to establish the first set The directive ultimately aims to improve secu- of baseline cybersecurity and breach reporting rity defences and knowledge sharing of to- responsibilities in the European Union and will day’s cyber threats. specifically require the implementation of measures that are proportionate to today’s cy- It’s fair to say that hackers are using much ber risks and will minimise the impact of mod- more sophisticated techniques to gain access ern-day security incidents. to data, which is making it much harder for companies to defend themselves. APTs, ran- This will work in tandem with the EU’s General somware and stolen credentials are becoming Data Protection Regulation (GDPR), which will increasingly common ways for hackers to get also force companies to tighten up their secu- their hands on confidential information. rity with the threat of hefty fines and the small breach disclosure window. Furthermore, there’s the insider threat to consider as people from within an organization However, while the GDPR requires notification continue to pose a risk to network security, of a breach only when there is a risk to per- whether malicious or unintentional. It is gener- sonal data, the directive takes things one step ally agreed that no organization is safe and further, mandating operators to notify authori- threats will find a way onto the network, but ties whenever there is an impact on the provi- they can be stopped before any damage has sion of its service. been done. www.insecuremag.com 52 A big problem within the critical national in- lutions may have worked in the years before frastructure industry is that much of its in- cyber-attacks became one of – if not, the – frastructure was developed and implemented biggest threat to national security, but this is prior to the proliferation of the Internet. As no longer sufficient. If hackers are finding new, such, many SCADA devices used by critical innovative ways to get into IT systems, then national infrastructure industries employ very logic would dictate that companies need to basic, easily defeated authentication methods, find new, innovative ways of protecting their IT transmitting data in clear text, with many cyber systems. Unfortunately, avoiding a breach assets operating on old and vulnerable code completely is unrealistic, but there are ways to bases. take control and mitigate any subsequent damage. Examples of just how vulnerable SCADA systems are to attack include the recent Ukrainian Given the notion that computing environments power grid hack, which led to the first large- may already be compromised, the critical na- scale electricity outage, and the attack on a tional infrastructure industry needs to move Ukrainian airport, in which suspicious malware their processes and priorities towards detect- was found on a computer at Kiev’s main air- ing when compromises occur, and responding port, Boryspil. Stuxnet and Flame are also two to them as quickly as possible. While that infamous forms of malware that have been does not mean that threat prevention itself is used to hack into SCADA systems. These at- obsolete, it simply means these defenses tacks highlight the growing threat to critical na- cannot be relied upon to protect against de- tional infrastructure and SCADA systems, but termined hackers. The time between detection also just how determined and capable hackers and response is when systems are at their can be. most vulnerable, and without a strategy in place to effectively and efficiently deal with the Gaining control of a SCADA system could, po- problem, the consequences could be far tentially, have a hugely damaging impact on a reaching. country and the increasing connectedness of infrastructure finds control systems being even Critical national infrastructure needs security more vulnerable to cyber-attacks, but also in- intelligence, which ensures that all systems creases the knock-on effect an attack can are continuously monitored so any type of have on other infrastructure sectors and ca- compromise can be identified and dealt with pabilities. The situation is not likely to improve as soon as it arises. Indeed, critical national – as hackers will continue to target systems infrastructure operators tend to be controlled that require little effort on their part, yet have a across a variety of geographic locations, large widespread impact. therefore, having a centralized system that can provide full visibility across all IT network What we often find is that those managing crit- activity in real-time is vital for the management ical national infrastructure are relying on secu- of security. rity strategies that are out of date and becoming increasingly obsolete. It is a dangerous Critical national infrastructure will continue to misconception to think that using point-based be a top target for hackers, and we cannot af- perimeter tools, such as anti-viruses and fire- ford to have any sector not know if they can walls are sufficient, especially when it comes stay safe. Only by taking an approach capable to these industries that have such a huge im- of monitoring and analysing network activity in pact on a country’s economic stability and de- real-time can sophisticated attacks attempting velopment. to control critical national infrastructure and, more specifically, SCADA systems, be effec- Today’s hackers are becoming increasingly tively detected, remediated and correctly miti- persistent in their approaches and using ex- gated before any significant damage is done. tremely sophisticated tactics to exploit existing vulnerabilities. Sticking with basic security so-

Ross Brewer is the VP and MD of EMEA at LogRhythm (www.logrhythm.com). Prior to joining LogRhythm, he was a senior executive at LogLogic where he served as Vice President and Managing Director of EMEA. www.insecuremag.com 53