• Babak D. Beheshti, Associate Dean of the School of Engineering and Computing Sciences at NYIT. • Clyde Bennett, Chief Healthcare Technology Strategist at Aldridge Health. • Ross Brewer, VP and MD of EMEA at LogRhythm. • Ben Desjardins, Director of Security Solutions at Radware. • Eric O'Neill, National Security Strategist at Carbon Black. • Jeff Schilling, Chief of Operations and Security at Armor. • Karl Sigler, Threat Intelligence Manager at Trustwave. • Sigurdur Stefnisson, VP of Threat Research at CYREN. • Amos Stern, CEO at Siemplify. • Ronen Yehoshua, CEO at Morphisec. Visit the magazine website at www.insecuremag.com
Feedback and contributions: Mirko Zorz, Editor in Chief - [email protected] News: Zeljka Zorz, Managing Editor - [email protected] Marketing: Berislav Kucan, Director of Operations - [email protected]
(IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without permission.
Copyright (IN)SECURE Magazine 2016. www.insecuremag.com Are all IoT vulnerabilities easily 5. Insecure or no network pairing control op- avoidable? tions (device to device or device to net- works). Every vulnerability or privacy issue reported 6. Not testing for common code injection ex- for consumer connected home and wearable ploits. technology products since November 2015 7. The lack of transport security and encrypt- could have been easily avoided, according to ed storage including unencrypted data the Online Trust Alliance (OTA). transmission of personal and sensitive in- formation including but not limited to user OTA researchers analyzed publicly reported ID and passwords. device vulnerabilities from November 2015 8. Lacking a sustainable and supportable through July 2016, and found the most glaring plan to address vulnerabilities through the failures were attributed to: product lifecycle including the lack of soft- ware/firmware update capabilities and/or insecure and untested security patches/ 1. Insecure credential management including making administrative controls open and updates. discoverable. “In this rush to bring connected devices to 2. Not adequately and accurately disclosing consumer data collection and sharing poli- market, security and privacy is often being cies and practices. overlooked,” said Craig Spiezle, OTA Execu- tive Director and President. “If businesses do 3. The omission or lack of rigorous security testing throughout the development not make a systemic change we risk seeing process including but not limited to pene- the weaponization of these devices and an tration testing and threat modeling. erosion of consumer confidence impacting the IoT industry on a whole due to their security 4. The lack of a discoverable process or ca- pability to responsibly report observed vul- and privacy shortcomings.” nerabilities. www.insecuremag.com 5 PCI Council wants more robust se- terminals and mobile devices used for pay- curity controls for payment devices ment transactions. Payment devices that di- rectly consume magnetic stripe information The PCI Council has updated its payment de- from customers remain a top target for data vice standard to enable stronger protections theft, according to the 2016 Data Breach In- for cardholder data, which includes the PIN vestigation Report from Verizon. and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or “Criminals constantly attempt to break security on a mobile device. controls to find ways to exploit data. We con- tinue to see innovative skimming devices and Specifically, version 5.0 of the PCI PIN Trans- new attack methods that put cardholder data action Security (PTS) Point-of-Interaction at risk for fraud,” said PCI Security Standards (POI) Modular Security Requirements empha- Council CTO Troy Leach. “Security must con- sizes more robust security controls for pay- tinue to evolve to defend against these ment devices to prevent physical tampering threats. The newest PCI standard for payment and the insertion of malware that can com- devices recognizes this challenge by requiring promise card data during payment transac- protections against advancements in attack tions. techniques.”
The updates are designed to stay one step Vendors can begin using PCI PTS POI Modu- ahead of criminals who continue to develop lar Security Requirements version 5.0 now for new ways to steal credit and debit card data payment device evaluations. Version 4.1 will from cash machines, in-store and unattended retire in September 2017 for evaluations of new payment devices.
Public cloud services market to cloud services. Not only are public cloud ser- grow to $208.6 billion in 2016 vices being used to recognize the tactical benefits of cost savings and innovation, but The worldwide public cloud services market is they are also being used to establish a more projected to grow 17.2 percent in 2016 to total modern IT environment — an environment $208.6 billion, up from $178 billion in 2015, that can serve as a strategic foundation for according to Gartner, Inc. The highest growth future applications and digital business pro- will come from IaaS, which is projected to cesses. grow 42.8 percent in 2016. SaaS is expected to grow 21.7 percent in 2016 to reach $38.9 Security and/or privacy concerns continue to billion. be the top inhibitors to public cloud adoption, despite the strong security track record and “The aspiration for using cloud services out- increased transparency of leading cloud paces actual adoption. There’s no question providers. there is great appetite within organizations to use cloud services, but there are still chal- Most organizations are already using a com- lenges for organizations as they make the bination of cloud services from different cloud move to the cloud. Even with the high rate of providers. While public cloud usage will con- predicted growth, a large number of organiza- tinue to increase, the use of private cloud and tions still have no current plans to use cloud hosted private cloud services is also expected services," said Sid Nag, research director at to increase at least through 2017. Gartner. The increased use of multiple public cloud IT modernization is currently the top driver of providers, plus growth in various types of pri- public cloud adoption, followed by cost sav- vate cloud services, will create a multi-cloud ings, innovation, agility and other benefits. environment in most enterprises and a need The focus on IT modernization indicates a to coordinate cloud usage using hybrid sce- more sophisticated and strategic use of public narios. www.insecuremag.com 6 Compromised electronic health get compromised just once, and sold repeat- records may haunt you forever edly all over the Dark Web, we’ll likely have problems for the rest of our lives. Information A recent report on the Deep Web black market that is contained in those records can be used for electronic health records (EHRs) by re- for many different types of fraud and attacks, searchers affiliated with the Institute for Criti- such as medical identity theft, submission of cal Infrastructure Technology has pointed out false claims, acquisition of controlled and pre- that healthcare systems are relentlessly and scription substances, and obtainment of med- incessantly attacked. ical devices. But the list of dangers doesn’t stop there – criminals can also create fake “Vulnerable legacy systems and devices that identities, perpetrate tax fraud, access gov- lack the ability to update and patch are ernment benefits, or try to extort patients. An- Frankensteined into networks possessing other problem is that there are still no legal newer technologies that can be updated and protections for medical identity theft victims. patched. As a result, the organization’s IoT microcosm becomes collectively vulnerable as “Stopping the damage, disputing the charges, effective layers of security cannot be properly and correcting the record can consume all of implemented,” the analysts noted. “Without a victim’s time and energy,” the researchers the input of cyber risk management profes- noted, adding that “even if the victim learns of sionals and without comprehensive oversight, the compromise before the information is ex- they will continue to make socially negligent ploited, remediation can still cost over $1,500 decisions that gamble the electronic health in fees and consume their free time for up to information of US citizens between antiquated five years.” security, insufficient fiscal and regulatory penalties, and the fingertips of tantalized insa- “Due to the longevity of the record, adver- tiable adversaries.” saries may continue to exchange and exploit the compromised information for the rest of By now, we also realized that the risk and im- the victim’s life. For some, such as children, pact of compromise of EHRs is usually and this can drastically hinder their future financial mostly shifted to us (the patients). But what stability and limit the potential lives that they most still don’t recognize is that if our EHRs could lead,” the researchers concluded. www.insecuremag.com 7 Chrome will start labeling some Internet towards the default use of HTTPS. HTTP sites as non-secure Changes in Chrome are one way to do it.
Slowly but relentlessly, Google is pushing Previously employed tactics include prioritis- website owners to deploy HTTPS – or get left ing websites using HTTPS in Google Search behind. rankings and adding a new section to the company’s Transparency Report that allows The latest announced push is scheduled for users to keep an eye on Google’s use of January 2017, when Chrome 56 is set to be HTTPS, and HTTPS use of the top 100 non- released and will start showing in the address Google sites on the Internet. bar a warning that labels sites that transmit passwords or credit cards over HTTP as non- “A substantial portion of web traffic has transi- secure. tioned to HTTPS so far, and HTTPS usage is consistently increasing,” noted Emily In due time, all HTTP pages will be labeled by Schechter, of the Chrome Security Team. Chrome as non-secure, and ultimately, the HTTP security indicator will turn red, and sport “We recently hit a milestone with more than the same “Danger!” triangle with which sites half of Chrome desktop page loads now with broken HTTPS are currently marked. served over HTTPS. In addition, since the time we released our HTTPS report in Feb- Google is in the perfect position to spearhead ruary, 12 more of the top 100 websites have the campaign aimed at pushing the collective changed their serving default from HTTP to HTTPS.”
The hidden cost of the insider threat gence recorded the highest annual cost, averaging nearly $2.3 million. Organizations are spending an average of $4.3 million annually to mitigate, address, and In line with expectations, legacy solutions – resolve insider-related incidents – with that such as data loss prevention (DLP), user spend surpassing $17 million annually in the awareness and training, and network intelli- most significant cases, according to the gence – ranked among the most frequently Ponemon Institute. deployed tools (at 46 percent, 43 percent, and 35 percent respectively). Yet, despite being While the report notes that user credential the most pervasive, the incremental cost sav- theft and malicious or criminal activity carried ings driven by these legacy technologies were a more substantial cost-per-incident, the fre- among the lowest recorded, with network in- quency and volume of insider incidents telligence and user training yielding $0.3 caused by employee and contractor negli- million. www.insecuremag.com 8 Top trends in security testing and Despite the fact that many organizations do vulnerability management not conduct security testing, two-thirds believe that security testing is a valuable best Many businesses fail to conduct frequent se- practice. curity testing despite believing that it’s critical- ly important to securing their systems and Both security testing and reviews of these data. One in five of businesses surveyed ad- tests are not commonplace: only 5 percent mitted they don’t do any security testing, de- perform detailed reviews of security testing to spite the fact that 95 percent of survey re- assess vulnerabilities on a daily basis and spondents reported encountering one of the only 24 percent do so weekly or multiple times dozen common security issues associated during the week. Meanwhile, 25 percent of the with security vulnerabilities. organizations surveyed perform these reviews only quarterly or annually, and 20 percent do One in five organizations has not performed so only when they perceive the need, creating security testing of any kind during the past six a situation where businesses are simply months. Among those that do conduct security guessing when to test their systems. testing, 66 percent do so only monthly or less frequently, and most do not perform regular Among the leading security testing challenges security testing after every infrastructure discovered in the survey, the most commonly change. Most organizations conduct security cited are insufficient staffing, insufficient time testing using a combination of in-house re- with which to perform the security tests, and sources and third-party testing services, al- insufficient skills to support regular testing. though two in five organizations manage se- curity testing only in-house.
www.insecuremag.com 9 Today’s headline-making hacks are the natural evolution of traditional espionage. In the past, spies leaned heavily on recruiting and leverage traditional espionage techniques insiders or moles to steal secrets. Historically, to perpetrate cyber penetrations. spies would remove information from office buildings (frequently in hard copy and later on An example of modern-day espionage via floppy disk) and leave the information in “dead hacking is spear phishing conducted via social drops,” which served as prearranged clandes- media and email. Email not only serves as our tine sites that could later be “serviced” by for- chief communication methodology, but also to eign intelligence. sign contracts and distribute records. Every- thing we do now leaves a trail, including all we Today, the way we store and share secrets do on email and social media. and critical information leaves the “keys to the kingdom” vulnerable to outside attack. While The best spear phishing attacks leverage so- recruiting a trusted insider remains the most cial media and involve reconnaissance re- effective way to breach a firewall, spies have search about the target. To conduct the An- changed their tactics to address the changes them attack, the attackers combed through in operational security in the digital world. LinkedIn data on Anthem employees to identi- fy system administrators and hit them with As cyber security has evolved so have spies. specially crafted emails. Today’s attackers are criminals and spies who have pivoted to survive in a new age of infor- Social media is one of the new playgrounds mation theft. They are devious, sophisticated, for spies. Everything an attacker needs to technologically proficient, often well funded, convince a target to click on a link in email can often be mined from personal social www.insecuremag.com 10 SOCIAL MEDIA IS ONE OF THE NEW PLAYGROUNDS FOR SPIES
media accounts. I constantly tell my audiences target after the State Department and White at cyber-security keynotes not to click on links House were compromised. in emails or open attachments, even if you be- lieve the email came from your sister, is about According to the DNC, after the warning, se- the party you both attended the week prior, curity policies were changed. It appears that and uses expressions that only your sister may have been too little, too late. Attackers would use. These are all things a spy can were either already in the system and re- learn by perusing your Facebook or Instagram mained undetected for the year-long breach, account for a few minutes. or changed their own approach to avoid detec- tion. Despite the warning, attackers continues Reactive vs active response to be one step ahead of security.
Too often, law enforcement and security pro- Another example of this cat-and-mouse game fessionals react to crime instead of actively came from The Office of Personnel Manage- stopping it before it happens. Also too often, ment (OPM), which was breached in March of they won’t know a crime has been committed 2014. The breach went unnoticed by the OPM until way too late. until April 2015. It has been described by fed- eral officials as one of the largest breaches of An example of this is the hack of the Democ- government data in United States’ history. At- ratic National Committee (DNC). US officials tackers may have compromised some 21.5 have stated that the attack persisted for million records, including biometric data and roughly a year. The hacks occurred despite a documents related to security background in- warning from the FBI that the DNC may be a vestigations. TOO OFTEN, LAW ENFORCEMENT AND SECURITY PROFESSIONALS REACT TO CRIME INSTEAD OF ACTIVELY STOPPING IT
The breach occurred despite the Government This disruption requires cybersecurity profes- Accountability Office warning that the OPM sionals to take an active role in defending (among other agencies) was vulnerable to at- against a predator by becoming a spy hunter. tack and should immediately correct weak- nesses and fully implement security programs. An example of the “attack – remediate – at- tack” cycle in physical security is best ex- To defeat cyber espionage, cybersecurity pro- plained using barriers. In the past, terrorists fessionals must disrupt the “attack - remediate frequently loaded explosives into trucks and - attack” cycle, by defending the endpoint, smashed them into government buildings. controlling applications, sharing knowledge about possible intrusions, and actively hunting for threats. www.insecuremag.com 11 ORGANIZATIONS MUST COLLABORATE IN REAL TIME TO SHARE THREAT INFORMATION AND THE FORENSICS BEHIND BREACHES
The first World Trade Center attack in 1993 Often, these highly sophisticated spies are involved a van loaded with explosives parked state actors (as in the case of China’s PLA unit in the underground parking beside what the 61398) or state-sponsored actors (such as the terrorists thought was the central support DNC hackers believed to be working for the column. Russian government). Money provides such attackers freedom to carefully research and In response to these vehicle attacks, security probe targets and then leverage intelligence and law enforcement remediated by building and the best equipment and resources possi- barriers (everything from jersey walls to mas- ble. This creates a very uneven playing field sive planters with steel cores) to create spac- when these attackers hunt small companies ing around government buildings that prevent and individuals that do not have the benefit of vehicle attacks. the FBI and CIA to defend them.
As these defenses went up and stopped one Companies and organizations must collabo- problem, the terrorists actively explored new rate in real time to share threat information attack vectors. Unable to drive trucks into and the forensics behind breaches in order to buildings, they turned to airplanes. defend themselves against foreign intelligence units (spies). This requires a certain level of If law enforcement and security become more sharing of cyber information between competi- active in hunting threats and brainstorming tors. possible attack vectors before spies launch attacks, cyber espionage will become more In the wake of the recently reported hacks - expensive, time consuming and burdensome. DNC, DCCC, Equation Group - it’s time for the US to start treating cybersecurity as national The goal of cybersecurity should be to layer security. Our democracy is at risk. In fact, the defenses in such a way that the cost of attack- upcoming presidential election could be at ing a protected organization is so high that the risk, too. criminals will turn to other targets. Addressing the inefficiencies of our cyber in- Additionally, the FBI, CIA, NSA, military intelli- frastructure should be a top issue in this year’s gence assets, and friendly foreign intelligence election cycle. The fact that it is has been, at units must continue to work together to collab- best, a footnote in both candidates’ platforms orate and share information to prevent the is an indication of where our national cyberse- most deadly and damaging terrorist attacks curity ranks on the list of priorities. and to catch the most sophisticated spies.
Eric O'Neill is the National Security Strategist for Carbon Black (www.carbonblack.com). www.insecuremag.com 12 Like military generals, IT security professionals frequently fight the last war using weaponry and tactics that worked in the past, while the enemy has studied our countermeasures and is already applying new methods. Today we face a new generation of malware “goes away.” We might consider the following which we might term “hyper-evasive” – threats “tiers” of malware sophistication: that have never been seen before, in volumes never seen before, and which have been de- Tier 1: Basic malware signed to evade traditional malware defenses, and specifically, current sandboxing technolo- These compromise a computer in order to gy. These threats require a rethinking of our gain access to its resources and – on occa- battlefield strategy. sion – its data. Attacks of this type are slow- moving and frequently noisy and obvious, and The evolution of threats can be blocked by analyzing a virus to capture a hash fingerprint or signature, and then using To understand today’s threat landscape, we this hash to identify and block subsequent should consider the evolutionary history of cy- copies of the virus. ber threats, while keeping in mind that each new class of threats emerged from the crimi- Tier 2: Polymorphic malware nals’ detailed understanding of the limitations of then-current protection technologies. While Although they are often basic viruses under a rough chronological retelling is possible, my the hood, polymorphic viruses first emerged in purpose here is to give a quick sense of clas- the early 1990s: malicious code that mutates sification, and emphasize that techniques are and changes its appearance each time it in- frequently cumulative – nothing ever really fects a new object in order to avoid pattern recognition by antivirus software. www.insecuremag.com 13 The emergence of polymorphic malware trig- While the overall volume and sophistication of gered the arrival of behavioral heuristics as a unknown objects was relatively low, and turn- countering technology, whereby the behavior around time was consequently fast, this ap- of the code execution during an emulation is proach was deemed sufficient. However, the observed. The development of application broad deployment and very success of appli- sandboxing in the 1990s was a key response ance-based sandboxes has led to not-surpris- to polymorphic malware. ing innovation by criminal enterprises, as per the usual historical pattern. The advent of server-side polymorphism has taken malware to the next level, with back-end It is worth restating that the variety and depth web services hiding the mutation engine of testing that is possible within first-genera- where defenders cannot inspect it. Sophisti- tion sandboxes is limited. Among the realities cated algorithms ensure that each time a of traditional sandboxing that are being ex- download occurs from a URL you receive a ploited today are: different file, and attack methods frequently involve encryption, droppers and packers. 1. The fixed amount of physical resources (i.e. memory and processing power) avail- Tier 3: Hyper-evasive malware able in a sandbox appliance, which limits the scalability of the solution in terms of Cyren has noted an emerging trend of threats total analysis object load and depth of incorporating many known evasion techniques analysis performed. within a single piece of malware. Attackers 2. The reliance on virtualized environments, have evolved their techniques to the point the presence of which can be detected by where malware rarely contains obviously sus- malware. picious code and originates from “unknown” 3. The lack of diversity in the scope and orig- sources or from code lodged in compromised, ination of the tests employed, with the va- trusted sites. As the use of sandboxing for riety and nature of tests limited to those malware defenses has increased, malware devised by the specific sandbox vendor. that is “sandbox aware” has become more 4. The fact that any specific sandbox is best prevalent. at one kind of analysis, e.g. OS or registry or network behavior analysis. Usually assumed to be the purview of large enterprises, a recent study commissioned by This last element is the most critical limitation Cyren and conducted by Osterman Research of all, as it enables malware developers to op- (July 2016) found that over 50 percent of small timize analysis detection techniques for each and mid-sized companies (100 to 3,000 em- sandbox platform, knowing that once they ployees) have also deployed an appliance- have found a “tell” for the particular sandbox based sandboxing capability. being used, their evasive techniques will get them past what is effectively the organization’s But such “hyper-evasive” threats are increas- last line of defense. No method is provided by ingly difficult for traditional, appliance-based traditional sandboxing solutions to harness sandboxing to detect, as the malware coders together sandboxes of different types (or from use sophisticated evasive tactics to exploit different vendors) in a collaborative analysis limitations in the architecture of appliance- model, to enable a broader and deeper scope based sandboxing. of testing with a pooling of analysis results.
Limitations of traditional application How hyper-evasive threats evade detection sandboxing Sandboxing solutions deploy two types of Traditional application sandboxing has be- analysis: come a critical last layer for corporate informa- tion security to attempt to stop infiltration. It • Static analysis is performed by the system pushes suspicious objects to a simulated end- without executing the suspected code. Ex- user computing environment running on an amples of static analysis techniques in- appliance in a corporate data center. clude file fingerprinting, extraction of www.insecuremag.com 14 • hard-coded strings, file format metadata, To combat the growing use of first-generation emulation, packer detection, and disas- sandboxes, cybercriminals have developed sembly. evasive techniques for use against both types • Dynamic analysis is performed by the sys- of analysis. tem while the suspected code is executed inside a protected (sandbox) environment. Some of the techniques are sophisticated, Examples of dynamic analysis techniques while others perform simplistic tests to deter- include analyzing the difference between mine if the malware is in a real or simulated defined points, and observing run-time (sandbox) environment. behavior. TO COMBAT THE GROWING USE OF FIRST-GENERATION SANDBOXES, CYBERCRIMINALS HAVE DEVELOPED EVASIVE TECHNIQUES FOR USE AGAINST BOTH TYPES OF ANALYSIS
Common techniques for evading sandbox therefore hide from, a sandboxing environ- analysis include: ment.
• Detecting the existence of a virtual Virtual machine check functions: environment • Delayed activation – attempting to “out- • Parallels wait” the sandbox • QEMU • Awaiting human interaction like mouse • Oracle VirtualBox movements that could not result from a • VMWare simulation • an unknown VM. • Making payload execution conditional. Debugger process check functions: As an example of this last approach, we are seeing recent ransomware downloaders that • CommView Network Monitor have added the requirement of an additional • WinDump parameter for the execution of the down- • WireShark loaded ransomware code. A sandbox may • DumPCAP have the download file itself, but it does not • OllyDbg have the full script – so it would not detonate • IDA Disassembler in the sandbox because it is missing one • SysAnalyzer component (a parameter). • SniffHit • SckTool Consider the impressive list of functions identi- • Proc Analyzer fied by Cyren researchers within a single vari- • HookExplorer ant of Cerber ransomware, which uses multi- • MultiPot. ple methods to check for the presence of, and www.insecuremag.com 15 Sandbox check functions: use in solutions, and proves that they can simply embed more anti-sandbox/debugger/ • Loaded modules check against VM modules in their malware as they see fit, • sbiedll.dll - Sandboxie significantly increasing the evasiveness of the • dir_watch.dll, api_log.dll - Sunbelt threats. Sandbox • Volume serial number checks against Conclusion • ThreatExpert • Malwr The appropriate response to the advent of hy- • Mutex name checks against per-evasive malware, which can evade any • Deep Freeze - Frz_State given sandbox and was designed to exploit • Other file path checks on modules used in the relatively limited processing power of ap- sandbox setups pliance-based solutions, is to exponentially • C:\popupkiller.exe improve the analytical capacity of the sand- • C:\stimulator.exe boxing systems. This can be done by subject- • C:\TOOLS\execute.exe ing malware to multiple and varied sandboxing • String checks from memory environments while applying increasingly so- • test_item.exe phisticated analysis, something now possible • \sand-box\ via the elastic processing scale and Big Data • \cwsandbox\ analytical capabilities of cloud computing. • \sandbox\ The best countermeasure is to automate the The inclusion of this variety of functions shows strengths of human analysts – in particular that malware writers are hard at work re- their capacity for complex decision-making searching sandbox and debugging technolo- and even “hunches” – through a cloud-based gies that the security industry is most likely to processing model.
Sigurdur Stefnisson is the Vice President of Threat Research at CYREN (www.cyren.com).
www.insecuremag.com 16 Not long ago, people used to come to work and work off of a desktop computer, tied to the network. Today, they work on their mobile devices, physically untethered to it. In fact, the majority of the work and email is continue their workflow seamlessly, while still done on mobile devices, and this changed giving companies optimal security.” how people interact with data and how we keep it safe. A perfect enterprise data security solution
This shift is why it’s important for businesses Data control and visibility is a huge problem to maintain a certain level of visibility when it that large and small companies need to be comes to data, and have the ability to use mindful of. tools like Dynamic Data Protection (DDP) to ensure that if policies need to be adjusted for A good data security solution is one that works specific users, IT admins can do so in real- as you want it to but it’s also equally important time. that it’s easy to use by your employees, man- agement, and partners. The best technical so- “As information travels, this introduces new lution will not mean much if they don’t want to ways to access data and collaborate using use it because it gets in the way of their work. tools like Dropbox and other productivity tools, so security must also evolve and change to “In an ideal world, you want your users to keep pace,” says Prakash Linga, CTO of data maintain productivity, while still giving IT the security company Vera. confidence they’re doing so in a secure way,” Linga points out. “On top of that, it’s not longer sufficient to rely on perimeter defenses when it comes to in- “Organizations spend too much time and formation security. You have to collapse the money trying to focus on one aspect of the data control and policy enforcement down to problem by adding more defenses, rather than the data. Any effective and usable data securi- focusing on the primary reason employees ty solution will encompass the best of both aren’t using the security tools already in worlds: it will secure information with granular place.” and flexible policies, and enable employees to www.insecuremag.com 17 The ideal data control solution should also of- most critical business information is secure fer robust data control tools with a user-friend- whether it’s at rest, behind a firewall, or has ly backend, to make life easier for IT and se- been moved outside their network. curity teams. Managing policies and data at scale is a challenge and, according to Linga, “For a lot of security savvy people, it’s all this is one of the reasons why Data Loss Pre- about having strong security controls. What vention (DLP) hasn’t taken off as expected. we’ve learned from conversations with cus- tomers, prospects, and industry research is A great data control system will be one that fits the biggest problem is keeping honest users well within a specific and complex enterprise honest,” says Linga. ecosystem – across different companies, meshing well with existing collaboration and “I’m referring to people who inadvertently productivity tools, and covering every data share information they shouldn’t. For example, workflow. an executive accidentally fat-fingers a confi- dential financial document or earnings report Finally, the solution has to be always on, so to the wrong person.” that organizations can be confident that their A great data control system will be one that fits well within a specific and complex enterprise ecosystem
Data control and the Internet of Things moment. However, over an extended period of time, you may start to see patterns, and it be- “The nature of data is changing rapidly. Today, coming more relevant from an enterprise and it’s mostly collaboration and exchange be- consumer standpoint,” he adds. tween two people, but tomorrow it’s with IoT and other devices and approaches,” says Lin- Enterprises will have to find a way to keep on ga. top of things, and be ready to pivot as fast as needed to tackle the known and yet unknown We know that makers of IoT devices and the challenges of data security in the age of IoT. software that makes them “smart” regularly disregard security, and that IoT is slowly infil- “Both security and privacy needs to evolve for trating both homes and offices. the new workflow around data and collabora- tion,” he concludes. “Small quantities of data is often shared be- tween devices and, if you look at the informa- tion as a snapshot in time, it might not be sen- sitive or something you care about at that
Zeljka Zorz is the Managing Editor of (IN)SECURE Magazine & Help Net Security (www.helpnetsecurity.com).
www.insecuremag.com 18
Patch Tuesday (or Update Tuesday, as Microsoft preferred to call it) used to occur on the second Tuesday of each month. This was the day when Microsoft released patches for its various products and was often the bane of system admins and hackers alike. System admins were forced to patch all of the allows an attacker to exploit it from anywhere systems they are responsible for, while crimi- on the network or Internet without any special nals sometimes found that the exploits they privileges. had used up to that point no longer worked. Bulletins rated as Important still address seri- Microsoft has now done away with Patch ous vulnerabilities, but exploitation of those Tuesday in the form that it came in for years, typically requires certain access or can result but the first eight Patch Tuesdays that came in limited damage. These are typically vulner- and went since the beginning of the year can abilities that allow Privilege Elevation (making tell us something about security trends in a regular account into an administrator one) or 2016. Denial of Service (temporarily taking down a service). By the numbers Each bulletin typically contains multiple First let's take a look at the raw numbers. patches for a single product. For instance, From January through August 2016 Microsoft August's bulletin for MS Office provided released 101 security bulletins. Each bulletin patches for five unique vulnerabilities. For contains patches for a specific product like identification purposes, each vulnerability is Microsoft Office or Internet Explorer. issued a unique number according to the Common Vulnerabilities and Exposures (CVE) Of these bulletins 44 were rated as Critical program. and the remaining 57 were rated as Important. The aforementioned 101 bulletins addressed Bulletins rated as Critical typically cover the 266 unique vulnerabilities (or CVEs). most severe type of vulnerability, Remote Code Execution (RCE). An RCE vulnerability www.insecuremag.com 20 The most common patches dows Edge. Keep in mind that many of those vulnerabilities are shared between both The most commonly affected products were products. Internet Explorer and the newer Windows Edge web browser. These two products have With the idea that vulnerabilities tend to be showed up with a bulletin rated Critical every found in more popular software first, it's prob- month in 2016 (and for many, many months ably not a surprise that the third most com- before 2016). This doesn't necessarily mean monly affected product is the Microsoft Office that these products are naturally insecure. suite. With a total of 39 CVEs since January, the Office suite has made a showing with ei- These products are likely the most used ther a Critical or Important rated bulletin every pieces of software Microsoft supports. They month this year. This doesn't include the are also constantly exposed to threats. Their dozens of vulnerabilities that affect the Office whole job is to process untrusted content from suite indirectly: critical vulnerabilities in the MS the public Internet. Looking at it from this per- XML Core, OLE, Java/VBScripting engines, spective, it's no surprise that vulnerabilities in and even maliciously created fonts in the Mi- these products are exposed first. crosoft Graphics Component can all be ex- ploited by opening the wrong Office docu- Overall, 72 unique CVEs were patched in In- ment. ternet Explorer and 57 were patched in Win- THE MOST COMMONLY AFFECTED PRODUCTS WERE INTERNET EXPLORER AND THE NEWER WINDOWS EDGE WEB BROWSER
Zero-day vulnerabilities Word document. When the document was opened and the vulnerability exploited, the The most critical vulnerabilities will always be document would automatically execute mal- the zero-day vulnerabilities. A zero-day vul- ware. The criminal group behind the campaign nerability is one that is discovered by criminals used the zero-day to deliver malware to finan- before the vendor knows of it. This gives the cial institutions and grab payment card track criminals a chance to develop an exploit for data. the vulnerability and successfully target vic- tims as no patch is available or is still pending. The second zero day was CVE-2016-0189, which affected Internet Explorer and was In the first eight months of this year two zero- patched in bulletin MS16-051 in May. The at- day vulnerabilities affecting Microsoft products tackers who exploited it first sent out malicious have been revealed. I'll stick to Microsoft links via a spear-phishing campaign to users products only and ignore the multiple Adobe in South Korea. Flash zero-day vulnerabilities even though the Flash engine is embedded in both Internet South Korean vendors were forced by law in Explorer and the Edge browser. 1999 to adopt ActiveX controls that use the country's SEED encryption cipher for e-com- The first zero-day was CVE-2016-0167, a merce transactions. Since Internet Explorer is privilege elevation vulnerability in Windows the only browser that still supports Active X, patched in bulletin MS16-039 in April. It was the country is very dependent on the browser, revealed to the public by FireEye reserchers, making them ripe targets for this type of zero- and prior to that exploited via a spam cam- day. This zero day was detailed by Symantec paign that contained a malicious Microsoft researchers. www.insecuremag.com 21 Exploits on the dark web very much needed puzzle piece in the overall infection process. Also this year, a criminal offered information about a zero-day flaw for sale on an under- For instance, an LPE exploit paired with a ground market for Russian-speaking cyber client-side RCE exploit can allow an attacker criminals. We've always known that zero-days to escape an application that implements have been sold in the shadows, but in this sandbox protection like Google Chrome or business you usually need to "know people Adobe Reader. Moreover, an LPE exploit pro- who know people" in order to buy or sell this vides the means for the attacker to persist on kind of commodity. This type of business an infected machine, which is a crucial need transaction is conducted in a private manner, for APTs (Advanced Persistent Threats). In meaning either through direct contact be- general terms, an LPE exploit can be lever- tween a potential buyer and the seller, or aged in almost any kind of attack scenario. through a middleman. Was the threat of Badlock overhyped? We've also seen zero-days exploited by the Angler Exploit Kit. Last year Angler introduced The biggest "disappointment" this year was four zero-day exploits. This, and a constantly Badlock. The existence of this flaw was an- refreshed offering of new exploits, allowed nounced with much fanfare in March. The an- Angler to become to the most popular exploit nouncement came with a dedicated domain kit on the market in 2015, representing 40% of and webpage, a cool icon and a memorable all exploit kit-related incidents. code name, but no details about the nature of the bug. For that, professionals had to wait The underground crime forum where the until the April Patch Tuesday. That gave the aforementioned zero-day was offered for sale security community three weeks to get worked serves as a collaboration platform where crim- up about whether this vulnerability was going inals can hire malware coders, lease an ex- to be big or a bust. It ended up being the lat- ploit kit, buy web shells for compromised web- ter. sites, or even rent a whole botnet for different purposes. However, finding a zero-day listed Badlock ended up being helpful in a man in between these fairly common offerings is defi- the middle (MITM) attack scenario, meaning nitely an anomaly. that an attacker needs to be listening on the exact same network as the client or server in The zero-day in question was claimed to be a order to perform the attack. This means that Local Privilege Elevation (LPE) vulnerability in any attack requires a pre-authenticated ses- Windows and came with videos showing the sion. It only affects open, authenticated ses- exploit executing. The auction started at sions using SMB to authenticate a system or $95,000 in Bitcoins but the seller quickly to manage users or policies on a remote. dropped the price down to $90,000, and finally to $85,000. The auction was eventually closed In other words, any effective attack requires and evidence of it deleted, but we’ll probabaly the attacker to be in the exact right place at never known whether this was due to the sell- the exact right time. er finding a buyer or due to the vulnerability getting patched before the sale was made. As silly as they may seem to some in the in- dustry, these so-called "celebrity vulnerabili- The fact that the first zero-day of the year and ties" can be very useful. It can be easier to the zero-day that was auctioned off both al- communicate the importance of a vulnerability lowed for privilege elevation is telling. In the with a name rather than one with just a CVE first eight months of this year, Microsoft has designation. A prime example of this is Heart- patched 49 privilege elevation vulnerabilities bleed. Heartbleed was a critical vulnerability in various components. and the name, website and icon helped draw attention to it. It could be argued that more Although the exploit of such a flaw can't pro- servers were patched in a short time because vide everything an attacker needs, it is still a of the high profile brought on by the name.