GitHub Attacks – Expert Opinions

Following the news that GitHub was downed by a DDoS attack, its second of the year, @DFMag gets expert opinions from Matt Watkins and Nick Le Mesurier, security consultants from MWR InfoSecurity:

Who might be responsible for the attack? Can the finger be pointed at China again?

Matt: It’s important to not just jump to conclusions. Last time Github saw a DDoS attack of a similar scale, it was attributed back to China and there was a clear motive behind it. This time, however, things could be completely different. If we look at the user base of Github, a large proportion consists of US based IPs, any of whom could have a potential motive to perform an attack. Github is also ranked as the 86th most visited website in the world as per Alexa. There’s therefore plenty of potential for this to be completely unrelated.

Can we speculate how the attack was carried out?

Matt: This kind of attack is likely to be some form of volumetric attack; however, with so many types of attacks existing it’s impossible to speculate. This could be one of the more common DNS/NTP amplification attacks, or possibly one of the new and upcoming amplification protocol attacks.

How do we defend against such attacks?

Matt: There are lots of different techniques, but essentially with volumetric attacks it’s all down to bandwidth. The problem is it only takes a single point of failure to result in a Denial of Service situation occurring. Many specialist providers offer cloud based mitigation services whereby traffic can be redirected to specialist scrubbing centres which are specifically designed to deal with these attacks. The important thing is to not rely on traditional network defences such as firewalls or IPS/IDS as these systems can easily be overwhelmed.

Nick: Defending against DDoS attacks requires a combination of actions:

– Use third party providers that specialise in DDoS prevention

– Ensure your infrastructure has high bandwidth inbound links

– Use a multi-layered architecture of DDoS prevention hardware devices to manage inbound traffic

– Have a plan in place of how to respond to an attack and what actions to take in the event services are disrupted

– Have secondary systems in place in the event primary services are taken offline

What can organisations do to mitigate the effects of a DDoS attack?

Matt: Having a plan in place to deal with attacks is very important. The last thing a company wants to be doing is running around endlessly during a DDoS attack trying to work out both what is happening and what actions to take. Many DDoS mitigation providers offer specialist response services that can quickly perform traffic redirection, but ensuring procedures are in place is key.

Why would GitHub be a target for a DDoS attack?

Nick: Purely speculative, but this could be a demonstration of capability. GitHub is a large platform that supports high volumes of traffic; attacks against it could be used to gauge how effective an attacker’s DDoS capability actually is.

Matt: Relating to Nick’s point: the Arbor Networks Worldwide Security Infrastructure Report 2014 found that in one of their surveys a target was more likely to be attacked by an attacker demonstrating capability than for extortion. Nihilism/vandalism, however, remained the highest motive, with no direct financial benefit.

How easy or difficult is it for an attacker to perform a DDoS attack of this nature?

Nick: The difficulty depends on the size of an attack. For example, online DDoS services that can be bought by anyone have been used in the past to take small ISPs offline.

Matt: This kind of attack is fairly easy to perform, in terms of sophistication. There are a huge number of resources online that allow an attacker to buy booter or stresser services which could be used to perform this kind of attack. The issue is that these services are marketed as network stress testers and so do not take responsibility for how their services are used – i.e. for both legitimate and malicious purposes. Alternatively, with a strategic NTP amplification attack for example, the initial bandwidth requirements of a botnet are only minimal to have huge adverse effects on a target. Ultimately, this would depend entirely on how much bandwidth Github has, and what mitigation they have in place.

Online fraud trends released in wake of significant breaches

NuData Security today announced new threat intelligence that provides insight into the latest trends in online fraud. Trends NuData Security researchers have observed include:

Account takeover, in which fraudsters steal an established account with personally identifiable information (PII) attached to it, continues to beat credit card fraud. This continuing trend showcases fraudsters’ preference for account details beyond just credit cards.

NuData Security evaluated 5.1 billion behaviours in May through July. Of the over 500 million account creations analysed, more than 57 percent were flagged as high risk or fraudulent, compared to 28 percent in February through April.

Account creation fraud has increased by more than 100 percent since February 2015.
Nearly half of all account registration fraud attempted in May was tied to creating false accounts to deliver false product ratings.

NuData Security observed more than 270 million fraudulent or high-risk behaviour events in May through July. These events were assessed through the following behavioural biometrics and data points, including more than:

32.8 billion keystrokes
9.3 billion clicks
388 million unique email addresses
191 million unique IP addresses

A significant portion of attacks in the past three months originated from China and the United States; however, incidents were traced back to as many as 151 countries. The top six sources of malicious behaviour include:

China
United States
Saudi Arabia
United Kingdom
Malaysia
Brazil

Unlike previous ecommerce industry breaches, recent attacks are growing in size and targeting more valuable PII, which may include information such as social security numbers and bank account information, among other data. A data breach has a ripple effect that reaches far beyond the breached organisation. Businesses must protect themselves from fraudsters who know more about their customers than they do. They must not only verify a user’s identity through PII, but must also verify that the behaviour behind the transaction is that of a valid user. This is where user behaviour analytics (UBA) play a vital role. Becoming complacent in an age of massive data breaches is both a financial and reputational hazard.

Michel Giasson, CEO, NuData Security, said:

“NuData Security is in a unique position to monitor key trends based on real-time analysis of fraudulent attempts at account creation, login and transaction. For organisations to protect their brand and users, they must figure out how to detect fraudsters utilising the increasing amount of stolen identity data. The good news is that harnessing the power of behavioural attributes and biometrics helps authenticate the genuine user. Behavioural analysis serves as a means of understanding how legitimate users truly act, reducing the impact to victims of the data breach.”

To learn more about UBA, please watch: https://www.youtube.com/watch?v=MsbpzHwUa38&feature=youtu.be

To learn more about account takeover, please watch:  https://www.youtube.com/watch?v=-PR0q8M9cUk&feature=youtu.be

OPSWAT Releases First Report on Market Share of Anti-Malware Vendors

OPSWAT today announced that their quarterly market share reports will now look at anti-malware market share as opposed to the antivirus market share that has been covered in past reports. These changes are in response to the changes in the marketplace (which OPSWAT’s technology has already shifted to recognise). Over time, the threat landscape has changed and the anti-malware community has responded with new products that detect a wider range of threats including PUAs (Potentially Unwanted Applications), spyware, keyloggers and botnets.

The top three anti-malware vendors in our August 2015 data are Avast, Microsoft and Malwarebytes. 

Adam Winn, Senior Product Manager for Gears at OPSWAT, commented on the first-time inclusion of anti-malware vendors stating, “Re-focusing this section of our reports on only those products and vendors that classify as anti-malware versus antivirus, allows us to more accurately represent the current marketplace and showcase the improved detection capabilities of our technology. This change will also allow us to represent new vendors, such as Spybot, that may not have shown up in our data in the past.”

This report includes new market share data for the top three anti-malware vendors, detailed comparisons of encryption usage for Windows and Mac devices and analysis for threats detected on Windows devices.

The report also covers the security practices of Mac and Windows devices in regards to their use of disk encryption. Surprisingly, Windows devices lag behind Macs in their use of encryption. The report also highlights threat statistics for these same Windows devices, showing the percentage of devices with repeatedly detected threats from their installed anti-malware as well as the percentage of devices with threats detected by Metascan® Online, our cloud-based multi anti-malware scanner that performs daily malware scans in Gears.

For more details on the collection of this data and a complete breakdown of threat data, report changes and Windows and Mac device comparisons, please view the full report.

The data in this report was collected from free accounts of OPSWAT Gears, an enterprise device security and compliance tool that enables organisations to directly assess and manage the endpoint security posture of their devices through a unified view of mobile and PC endpoints, and their applications/security issues. Administrators can take rapid action to remediate issues on non-compliant devices and improve endpoint security. Gears is completely free for up to 25 devices. To try the free Gears tool, please visit opswatgears.com/download.

Ashley Madison Breach – Expert Opinions

Following the recent high-profile news that Avid Life Media (ALM), the company behind the adult fantasy website Ashley Madison, had been the victim of a successful cyber attack on the personal data of its 37 million users, it now appears the company has suffered multiple leaks: the first, containing 9.7 gigabytes of customer data stolen from the dating site, was released on the dark web. The hackers responsible, known as Impact Team, have since released a further 18.5 gigabytes of data containing internal emails and source code for the website and app.

The initial data released includes millions of payment transactions, including names, street addresses, email addresses and possibly even GPS coordinates. This now freely available information can arm other cyber attackers and blackmailers with the means to cause even more damage to Ashley Madison users at work or at home.

Ken Westin, Senior Analyst at Tripwire:

“These kinds of breaches can be quite disastrous for individuals who signed up for web services with the expectation of confidentiality and privacy. Even if users of the site had paid a fee to remove their profile and history, their personal information was still compromised. Unfortunately, in these situations even if aliases were used the profile is still linked to real names through credit card transactions, emails and other pieces of data.  If this information is released it could expose the 40 million users of the various online entities, and it has the potential to compromise much more than just email addresses and credit card numbers. Information associated with adult services has the potential to ruin lives, be used for blackmail or even espionage purposes if government officials are involved. 

These kinds of compromises expose an ongoing issue of websites and services which claim to protect privacy and anonymity in their marketing collateral, or in this particular service it was the key feature. The problem is in order for these services to operate and collect money, the anonymous profiles are usually connected to a real identity. The amount of information these services collect regarding activity and interactions with the website such as IP addresses, usernames, email addresses, browsing history and other information increases the stakes, particularly if this data is archived instead of deleted.”

Blue Coat, a cyber security technology company investigating the breach, predicted last month that the Ashley Madison breach would have a long tail, and believes there is certainly more to come from ALM:

Reselling personal data to other cyber attackers:

Now that more than 9 gigabytes of data has been released, attackers may begin to look at the financial value of a target to see if they will profit from the time spent building malware for the attack. This data is most likely to be among the most valuable data sets compromised so far. If it is worth $100 to ‘go away’ and there are 37 million users, this could be one of the largest cyber heists in history.

Financial or non-financial blackmail of Ashley Madison and its customers: Not all of the personal data of Ashley Madison users has been released, therefore cyber attackers may go directly to the management, or to the individual users of Ashley Madison and ask for a payment for the release/deletion of personal data. Blackmail can also happen through non-financial means by coercing victims into working with the attackers as an insider.

Social Engineering to take down bigger business targets:

Attackers can identify high value targets who are members of Ashley Madison and collect widely available social media data to impersonate the victim over a long period. If successful, attackers can gain unrestricted access to corporate networks and sensitive work information.

Stephen Coty, chief security evangelist at Alert Logic, has been mining the leaked data from the Ashley Madison breach and has discovered that over 14,000 government officials’ information has been compromised. He comments:

“With such diversity of individuals, whose information was compromised through the Ashley Madison hack, you have to wonder what the lasting impact of this breach can be. What are the implications to the companies these individuals work for? Will these individuals give in to blackmail to betray their employer, save their marriage or relationship? What can this data, plus the information from breaches like OPM, be used for to compromise our national security or trade secrets? These are all questions employers should be asking themselves.

People will always be a risk to any company’s security strategy. When I was a penetration tester, I always relied on other people to gain access into an environment. I would commonly drop USB drives in parking lots, relying on someone to pick it up and plug it into their workstation just to see, out of curiosity, what was on the drive. 9 out of 10 times this would always grant me access into the customer’s environment. 

Now with this latest breach, we have an opportunity to use a similar tactic to show evidence of an individual’s infidelity to motivate them to give me the information that I want. Once I have this information, I can sell it on the underground to either a competitor or an overseas start-up for considerably more than I could ever get by simply blackmailing an individual.

Should employers start locking down their internet and mail services to work functions only? Should HR and Corporate Security policies be enforced with actual consequences? These are all challenges that corporate security teams have been dealing with for years. Should we now start empowering our security teams to do their jobs efficiently? In order to do that job efficiently, companies need to invest in the people, process and technologies to build a comprehensive and effective security strategy. This also means investing in a threat research and intelligence function that will mine for lost and stolen data to understand and combat the risk that our employees introduce into our environments.  

This is a sample of data to show the extent to which individuals used corporate accounts for their Ashley Madison account profiles. I tried to randomly hit domains from different countries and different industries.

502839 .uk
134 gov.uk
7245 Army.mil
7015 .gov
13 starbucks.com
46 Whitehouse.gov
150 Shell.com
190 Wellsfargo.com
87 Stanford.edu
16 chs.net
89 aig.com

More news will be posted as it becomes available

Akamai Q2 2015 State of the Internet – Security Report

Akamai Technologies have announced the availability of the Q2 2015 State of the Internet – Security Report. This quarter’s report, which provides analysis and insight into the global cloud security threat landscape, can be downloaded here.

“The threat posed by distributed denial of service (DDoS) and web application attacks continues to grow each quarter,” said John Summers, vice president, Cloud Security Business Unit, Akamai. “Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated. By analysing the attacks observed over our networks, we’re able to identify emerging threats and trends and provide the public with the information to harden their networks, websites and applications and improve their cloud security profiles.

“For example, for this report, we not only added two web application attack vectors to our analysis, we also examined the perceived threat posed by the onion router (Tor) traffic and even uncovered some new vulnerabilities in third-party WordPress plugins which are being published as CVEs,” he said. “The more you know about cyber security threats, the better you can defend your enterprise.”

DDoS attack activity at a glance

For the past three quarters, there has been a doubling in the number of DDoS attacks year over year. And while attackers favored less powerful but longer duration attacks this quarter, the number of dangerous mega attacks continues to increase. In Q2 2015, there were 12 attacks peaking at more than 100 Gigabits per second (Gbps) and five attacks peaking at more than 50 Million packets per second (Mpps). Very few organisations have the capacity to withstand such attacks on their own.

The largest DDoS attack of Q2 2015 measured more than 240 gigabits per second (Gbps) and persisted for more than 13 hours. Peak bandwidth is typically constrained to a one to two hour window. Q2 2015 also saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps. That attack volume is capable of taking out tier 1 routers, such as those used by Internet service providers (ISPs).

DDoS attack activity set a new record in Q2 2015, increasing 132% compared to Q2 2014 and increasing 7% compared to Q1 2015. Average peak attack bandwidth and volume increased slightly in Q2 2015 compared to Q1 2015, but remained significantly lower than the peak averages observed in Q2 2014.

SYN and Simple Service Discovery Protocol (SSDP) were the most common DDoS attack vectors this quarter – each accounting for approximately 16% of DDoS attack traffic. The proliferation of unsecured home-based, Internet-connected devices using the Universal Plug and Play (UPnP) Protocol continues to make them attractive for use as SSDP reflectors. Practically unseen a year ago, SSDP attacks have been one of the top attack vectors for the past three quarters. SYN floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of the security reports in Q3 2011.
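Added example (not from Akamai’s report or its tooling): a small classifier over constructed flow records that flags the two vectors the paragraph names, many Internet hosts answering one victim from UDP source port 1900 with large replies (SSDP reflection off UPnP devices) and a destination whose TCP flows are overwhelmingly half-open SYNs (SYN flood). The thresholds, the `Flow` record shape and the documentation-range addresses are assumptions made for the example.

```python
"""Flag SSDP reflection and SYN flood patterns in flow records (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple

SSDP_PORT = 1900  # UPnP discovery port used by SSDP reflectors


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "udp" or "tcp"
    flags: str   # TCP flags observed in the flow, e.g. "S", "SA", "SPA"; "" for UDP
    packets: int
    bytes: int


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic, not real telemetry: one reflected SSDP burst,
    one SYN flood and some ordinary sessions, all in documentation address ranges."""
    flows: List[Flow] = []
    victim = "198.51.100.5"
    # 30 exposed UPnP devices each sending a dozen large SSDP replies to a port the
    # victim never queried from (the spoofed M-SEARCH carried the victim's address).
    for i in range(30):
        flows.append(Flow(f"203.0.113.{i + 1}", SSDP_PORT, victim, 40000 + i, "udp", "", 12, 12 * 420))
    # One legitimate SSDP discovery reply inside a home LAN: a single small source.
    flows.append(Flow("192.0.2.9", SSDP_PORT, "192.0.2.20", 51000, "udp", "", 1, 330))
    # SYN flood: 80 single-packet SYNs whose handshakes never complete.
    for i in range(80):
        flows.append(Flow(f"192.0.2.{100 + i % 50}", 1024 + i, "198.51.100.7", 443, "tcp", "S", 1, 60))
    # 20 completed HTTPS sessions to the same web server.
    for i in range(20):
        flows.append(Flow(f"198.51.100.{50 + i}", 50000 + i, "198.51.100.7", 443, "tcp", "SPA", 40, 32000))
    return flows


def detect_ssdp_reflection(flows: List[Flow], min_sources: int = 10,
                           min_avg_bytes: int = 300) -> Dict[str, dict]:
    """Aggregate UDP flows sourced from port 1900 per destination. A handful of LAN
    devices answering is normal; dozens of Internet sources answering one host with
    large replies is the reflection signature. Thresholds are assumed, tune to baseline."""
    agg = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto == "udp" and f.src_port == SSDP_PORT:
            a = agg[f.dst_ip]
            a["sources"].add(f.src_ip)
            a["packets"] += f.packets
            a["bytes"] += f.bytes
    hits: Dict[str, dict] = {}
    for dst, a in agg.items():
        avg = a["bytes"] / a["packets"]
        if len(a["sources"]) >= min_sources and avg >= min_avg_bytes:
            hits[dst] = {"reflectors": len(a["sources"]), "avg_reply_bytes": round(avg)}
    return hits


def detect_syn_flood(flows: List[Flow], min_syn_only: int = 50,
                     min_ratio: float = 0.75) -> Dict[str, dict]:
    """Per destination ip:port, count TCP flows that carried a SYN but never an ACK
    (half-open) against flows that did progress, and flag the half-open heavy ones."""
    stats = defaultdict(lambda: {"syn_only": 0, "completed": 0})
    for f in flows:
        if f.proto != "tcp":
            continue
        key = f"{f.dst_ip}:{f.dst_port}"
        if "S" in f.flags and "A" not in f.flags:
            stats[key]["syn_only"] += 1
        else:
            stats[key]["completed"] += 1
    hits: Dict[str, dict] = {}
    for key, s in stats.items():
        total = s["syn_only"] + s["completed"]
        ratio = s["syn_only"] / total
        if s["syn_only"] >= min_syn_only and ratio >= min_ratio:
            hits[key] = {"syn_only": s["syn_only"], "completed": s["completed"], "ratio": round(ratio, 2)}
    return hits


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SSDP reflection victims:", detect_ssdp_reflection(sample))
    print("SYN flood targets:", detect_syn_flood(sample))
```

On real flow exports (NetFlow/IPFIX, pcap summaries) the same aggregation works once the records are mapped onto `Flow`; the legitimate LAN reply and the completed sessions in the sample show why the source-count and half-open ratio guards matter.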

Online gaming has remained the most targeted industry since Q2 2014, consistently being targeted in about 35 percent of DDoS attacks. China has remained the top source of non-spoofed attack traffic for the past two quarters, and has been among the top three source countries since the very first report was issued in Q3 2011.

At a glance

Compared to Q2 2014

132.43% increase in total DDoS attacks
122.22% increase in application layer (Layer 7) DDoS attacks
133.66% increase in infrastructure layer (Layer 3 & 4) attacks
18.99% increase in the average attack duration: 20.64 vs. 17.35 hours
11.47% decrease in average peak bandwidth
77.26% decrease in average peak volume
100% increase in attacks > 100 Gbps: 12 vs. 6

Compared to Q1 2015

7.13% increase in total DDoS attacks
17.65% increase in application layer (Layer 7) DDoS attacks
6.04% increase in Infrastructure layer (Layer 3 & 4) attacks
16.85% decrease in the average attack duration: 20.64 vs. 24.82 hours
15.46% increase in average peak bandwidth
23.98% increase in average peak volume
50% increase in attacks > 100 Gbps: 12 vs. 8
As in Q1 2015, China is the quarter’s top country producing DDoS attacks

Web application attack activity

Akamai first began reporting web application attack statistics in Q1 2015. This quarter, two additional attack vectors were analyzed: Shellshock and cross-site scripting (XSS).

Shellshock, a Bash bug vulnerability first tracked in September 2014, was leveraged in 49% of the web application attacks this quarter. However, 95% of the Shellshock attacks targeted a single customer in the financial services industry, in an aggressive, persistent attack campaign that endured for the first several weeks of the quarter. Since Shellshock attacks typically occur over HTTPS, this campaign shifted the balance of attacks over HTTPS vs. HTTP. In Q1 2015, only 9% of attacks were over HTTPS; this quarter 56% were over HTTPS channels.

Looking beyond Shellshock, SQL injection (SQLi) attacks accounted for 26% of all attacks. This represents a greater than 75% increase in SQLi alerts in the second quarter alone. In contrast, local file inclusion (LFI) attacks dropped significantly this quarter. While it was the top web application attack vector in Q1 2015, LFI only accounted for 18% of alerts in Q2 2015. Remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL injection using the OGNL Java Expression Language (JAVAi), and malicious file upload (MFU) attacks combined accounted for 7% of web application attacks.

As in Q1 2015, the financial services and retail industries were attacked most frequently.

The threat of third-party WordPress plugins and themes

WordPress, the world’s most popular website and blogging platform, is an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns.

Third-party plugins go through very little, if any, code vetting. To better understand the threatscape, Akamai tested more than 1,300 of the most popular plugins and themes. As a result, 25 individual plugins and themes that had at least one new vulnerability were identified. In some cases, the plugin or theme had multiple vulnerabilities – totaling 49 potential exploits. A full listing of the newly discovered vulnerabilities is included in the report, along with recommendations to harden WordPress installs.

The pros and cons of Tor

The Onion Router (Tor) project ensures the entry node to a network does not match the exit node, providing a cloak of anonymity for its users. While Tor has many legitimate uses, its anonymity makes it an attractive option for malicious actors. In order to assess the risks involved with allowing Tor traffic to websites, Akamai analyzed web traffic across the Kona security customer base during a seven-day period.

The analysis showed that 99% of the attacks were sourced from non-Tor IPs. However, 1 out of 380 requests from Tor exit nodes was malicious, whereas only 1 out of 11,500 requests from non-Tor IPs was malicious. That said, blocking Tor traffic could have a negative business effect: legitimate HTTP requests to e-commerce related pages showed that Tor exit nodes had conversion rates on par with non-Tor IPs.

Download the report

A complimentary copy of the Q2 2015 State of the Internet – Security Report is available as a free PDF download at www.stateoftheinternet.com/security-report.

IRS cyber attacks may have affected more than 300,000 taxpayer accounts

Last night, The Wall Street Journal reported that the IRS cyber attacks may have affected more than 300,000 taxpayer accounts – and more than 600,000 breaches were attempted. Various expert comments on this news are:

Gavin Reid, VP of threat intelligence, Lancope:

“The IRS would have much preferred to get all the bad news out in one shot. This new revelation shows that the IRS still is working out / learning the details of the attack. The fact they are forced to reveal new exposures highlights the lack of good logging and monitoring of network telemetry. Understanding the total extent of an attack is doable with tools and processes well understood and available. Why they are not more widely deployed and used, along with how that is going to change in the near future,  will hopefully soon also be in the news.”

Simon Crosby, co-founder and CTO, Bromium:

“The IRS was the last “big piece in the puzzle” for nation state actors seeking to construct a detailed map of US society.  It seems they partially succeeded in this attack. But they will be back.  When will political leaders learn that it is possible, and even straightforward, to make enterprises secure by design against such attacks – and save money doing so?  Virtualization based security is the answer.”

Leo Taddeo, CSO, Cryptzone:

“This case highlights how easy it is for criminals to find, steal or guess information necessary to bypass perimeter protections.  Even security questions, such as “what was your high school mascot?” pose no real security challenge in an era where many people are posting the details of their lives on social media.  It definitely shows the need for network defenders to go beyond user names and passwords to protect sensitive data.”  

Former Kaspersky employees accuse company of creating fake malware

Russian cyber-security firm, Kaspersky, has come under fire after former employees accused the company of creating fake malware and viruses to trick their competitors.

Commenting on this, Rahul Kashyap, Chief Security Architect and SVP of Security & Solutions Engineering at endpoint security specialists Bromium, said:

“If true, this news is indeed a jolt for the security industry – especially the Anti-Virus industry. The AV malware samples exchanged amongst vendors are based on trust, and this report claims that was breached. The ramifications are quite high – many users suffered in this process with crippled PCs and many firms actually lost business. Besides the huge impact of the claim, there are two other issues this report brings out – the challenges of reliably attributing and the fragility of the anti-virus ‘system’.

To prove that this story is indeed true, reliable facts need to be presented that provide legit evidence against Kaspersky. I doubt it’ll be easy for anyone to reliably attribute the act directly to Kaspersky (unless the informants did it themselves and stored reliable evidence at the time of crime). Reliable attribution on the internet is hard and tedious. It’s not like traditional crime.      

This also exposes the fragility of the entire malware sample distribution system. As the report claims – a hole in the system was uncovered and plugged after large scale damage was observed. The entire Anti-Virus industry is about reacting after damage; this act further proves yet another flaw in the model.”

Flash and Java – Can Businesses Live Without Them?

By: Gavin Millard, technical director at Tenable Network Security

The Hacking Team breach continues to expose risks for individuals and businesses alike, as flaws in widely popular pieces of software continue to be uncovered from the stolen data.

Recently, there has been a spate of warnings of Flash zero-day vulnerabilities, plus a previously unknown and unpatched Java arbitrary code execution vulnerability, being utilised by attackers. The news is dire for users that have these applications installed, as they are seriously at risk of these vulnerabilities being exploited. Worse still is the speed with which the recent disclosures were weaponised, beating Adobe to the punch with the bugs being utilised in popular exploit kits like Angler before a patch was available, so even if you’ve got a short patch cycle users can still be at risk.

But can businesses live without implementing Java and Flash?

Java has enjoyed a long period of popularity, with many employers still asking for knowledge of Java as a requirement for new programmers. This popularity is due to the vast array of libraries that are available for solving most of the common issues present when developing enterprise applications, as well as Java’s reported flexibility and its usage on up to a billion devices, making it a standard requirement for a lot of sites and businesses in terms of accessibility and ease of use. However, users are starting to disable it in their browsers and look for alternatives – so perhaps the winds of change are a-blowin’.

As for Flash, organisations such as Mozilla have taken steps to block Adobe Flash temporarily and Facebook wants an end to Flash altogether. The number of new vulnerabilities being reported shows that user data is not as safe as was thought, which is why organisations need to minimise their use of it. Alternatives such as HTML5 are gaining ground, and since there is no Flash plug-in for most mobile browsers, it’s clear that Flash isn’t a complete necessity. However, Flash is still ubiquitous, reportedly reaching 99% of internet-enabled desktops worldwide.

A major obstacle is that many organisations have developed applications using Java and Flash or rely on code written by a third party in these aging languages. Unfortunately, the probability that a business could disable Flash and Java across every device today without impact is low.

Death knell

Nonetheless, the internet is fluid, and with it new norms can develop just as readily. Alternative software tools are constantly evolving, with more secure offerings coming to the fore.

With the rapid disclosure and weaponisation of vulnerabilities within Flash and Java outpacing the vendors’ ability to fix the flaws and IT staff’s ability to identify and patch them, the ease with which attackers gain a foothold in environments is unfortunately increasing. With most employees nowadays using corporate systems at home, away from the advanced security of the corporate network, if IT staff don’t have an effective method of identifying how vulnerable mobile endpoints are to exploits of this type, combined with the ability to rapidly push updates to fix them, threats could be walking through the door in employees’ laptop bags every day.

As long as Flash and Java continue to be a favoured attack vector for exploit kits and malware authors, maybe it’s time that they were put out to pasture, only being used by parts of the business that require it and continually monitoring for users that don’t. If this is too drastic a move, educating the users to threats associated with Flash and Java and disabling the auto play of code so the user has to decide to run it could be a first step in finally getting rid of a major weakness on client machines.

Bromium Black Hat Survey: Endpoint Risk Five Times Greater Than Network or Cloud

Bromium has released “Black Hat 2015: State of Security,” a survey of more than 100 information security professionals conducted at the Black Hat Conference 2015. The survey reveals issues with Flash and security patch management, with the majority of respondents citing the endpoint as the source of greatest risk. The report also highlights the risk of cyber attacks on critical infrastructure and an initial positive reception to Windows 10.

“One reason that the endpoint is the source of the greatest security risk is because of how difficult it is to balance security and productivity. For example, 90 percent of organisations would be more secure if they disabled Flash, but 41 percent would become less productive,” said Clinton Karr, senior security strategist, Bromium. “Traditional security solutions have proven ineffective at mitigating this dilemma, putting our critical infrastructure at significant risk.”

Key findings from “Black Hat 2015: State of Security” include:

The Endpoint Is the Source of Greatest Security Risk — The majority of information security professionals cited the endpoint as the source of the greatest security risk (55 percent). The second most common response was insider threats (27 percent). Network (9 percent) and cloud (9 percent) were selected less frequently.

Security Professionals Pan Flash — The overwhelming majority of security professionals believe their organisation would be more secure if it disabled Flash (90 percent); however, 41 percent believe disabling Flash would make their organisation less productive or break critical applications.

Implementing Security Patches Is a Challenge — The majority of organisations implement patches for zero-day vulnerabilities in software, such as Flash and Internet browsers, in the first week (50 percent first week; 10 percent first day); however, 22 percent take more than a month to deploy.

Critical Infrastructure Is at Risk of Cyber Attack — The majority of Black Hat attendees cited financial services (30 percent), energy (17 percent), healthcare (17 percent) and government (12 percent) as the verticals at the most risk of cyber attacks. Interestingly, financial services was also selected as the vertical that has implemented the best security practices (60 percent).

Windows 10 Improves Security, But Not Enough — The majority of information security professionals believe Windows 10 improves security (56 percent), but many (33 percent) believe these improvements are not enough.

“Black Hat 2015: State of Security” surveyed 101 information security professionals at Black Hat Conference 2015, in Las Vegas, Nevada, August 5 and 6, 2015.

Download the PDF “Black Hat 2015: State of Security” at http://www.bromium.com/sites/default/files/rpt-black-hat-survey-us-en.pdf.


Phishing – the hook may be seen, but employees unlikely to report it

A survey of over 200 IT professionals at this year’s InfoSecurity Europe has found that, while almost 80% of organisations have a process for employees to report phishing emails to the IT/security department, most employees don’t use it. In fact, over half of those spoken with (52%) estimated that employees report less than 25% of dodgy emails. Digging a little deeper revealed that only 8% think more than 75% of suspicious messages are reported.


This surprising statistic comes in the wake of countless recent phishing incidents surfacing in the media, with some incurring personal costs of almost £50,000. The study, conducted by Phish’d by MWR InfoSecurity – a fully managed phishing assessment service designed to maintain a heightened level of security awareness across an organisation – found that organisations are all too aware that email offers a passage into an organisation’s infrastructure, with 64% believing it is the weakest entry point that could result in the compromise of internal systems.

“I’m reassured by the high percentage of organisations that have a reporting process for phishing messages but somewhere along the line something is going wrong as employees simply aren’t using these reporting processes. The sad reality is that, while spam filters and anti-phishing software will prevent some of the nuisance messages landing in people’s inboxes, more targeted phishing messages are purposefully designed to avoid detection and usually get through to the intended recipient, even in companies using the latest technological controls. Ultimately, it comes down to employees to report targeted phishing attacks; so organisations need to ensure their workforce is educated and empowered enough to use the correct reporting process,” explains James Moore, senior security consultant of Phish’d.

James continues: “Our experiences tell us that, if a phishing message does manage to coerce the individual into either clicking or downloading a payload, the malware it delivers will almost certainly slip in and then conceal itself. Once on the network, malware can allow an attacker to start spreading out across a network, turning the compromise of one user’s workstation into a much larger issue. Of course, the ideal is for users not to be tricked in the first place but, assuming someone will be fooled, if other colleagues have reported the message the IT team can at least be aware that something may have got in and start tracing other likely points of entry to contain the damage and eradicate the infection.”

Even companies that have effective tools for reporting scam e-mails tend not to train their employees how to spot them: only 45% of the companies questioned during this survey regularly train their staff to tell friend from foe in their inboxes. Organisations are often quick to assure their clientele that they keep data secure and stringently maintain their defences against cybercriminals – however, this survey highlights that even where businesses have plans and processes to prevent phishing being used as an attack vector, a lack of implementation weakens those defences.

To find out more about Phish’d, visit https://www.phishd.com/
