Thursday, 8 October 2020

Securing an Agile and Hybrid Workforce

Guest article by Andrea Babbs, UK General Manager, VIPRE

2020 has forced businesses to revise many of their operations. One significant transition being the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

Power of the Cloud
In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

Layered Security Defence
Cloud-powered email, web and network security will always underline IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity and interrogate the risk level of potential phishing emails or malicious links. 

With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91%of cybercrimes beginning with an email. By implementing innovative tools that prompt employees to double-check emails before they send them, it can help reduce the risk of sharing the wrong information with the wrong individual. 

Additional layers of defence such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in, or what their job entails. 

Educating the User
The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

Changing the Approach
The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

Conclusion
As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

Thursday, 1 October 2020

Cyber Security Roundup for October 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of University and Colleges in September.  Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom payment was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period", that statement is the hallmark of recovery from a mass ransomware infection.

Doppelpaymer Ransom notice

On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

Across the pond, healthcare giant Universal Heather Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note fitted the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods".

'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud, in other words, orchestrating cyber exportation attacks against US firms.


ZeroLogon:  IT Support Staff must Patch Now!
A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after the Microsoft, CISA, the UK NCSC, and other security bodies warned the vulnerability was being actively exploited in mid-September. Dubbed 'Zerologon', Microsoft issued a security fix for the bug, which scored a maximum criticality rate of 10.0, as part of their August 2020 'Patch Tuesday' release of monthly security updates. Since that public disclosure of the flaw, there have been multiple proofs-of-concept (PoC) exploits appearing on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigation or workarounds for this vulnerability, so it is essential for the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and then ensure DC enforcement mode is enabled. 

Stay safe and secure.

BLOG

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        Thursday, 3 September 2020

        The DRaaS Data Protection Dilemma

        Written by Sarah Doherty, Product Marketing Manager at iland

        Around the world, IT teams are struggling with choosing between less critical, but important tasks, versus focusing on innovative projects to help transform your business. Both are necessary for your business and need to be actioned, but should your team do all of it? Have you thought about allowing someone else to guide you through the process while your internal team continues to focus on transforming the business? 

        DRaaS Data protection dilemma; outsourcing or self-managing?
        Disaster recovery can take a lot of time to properly implement so it may be the right time to consider a third-party provider who can help with some of the more routine and technical aspects of your disaster recovery planning. This help can free up some of your staff’s valuable time while also safeguarding your vital data.

        Outsourcing your data protection functions vs. managing them yourself
        Information technology has raised many questions about how it really should be done. Some experts favour the Disaster Recovery as a Service (DRaaS) approach. They believe that data protection, although necessary, has very little to do with core business functionality. Organisations commonly outsource non-business services, which has driven many to consider the idea of employing third parties for other business initiatives. This has led some companies to believe that all IT services should be outsourced, enabling the IT team to focus solely on core business functions and transformational growth.

        Other groups challenge the concept and believe that the idea of outsourcing data protection is foolish. An organisation’s ability to quickly and completely recover from a disaster - such as data loss or an organisational breach - can be the determining factor as to whether the organisation will remain in business. Some may think that outsourcing something as critical as data protection, and putting your organisation’s destiny into the hands of a third party, is a risky strategy. The basic philosophy behind this type of thinking can best be described as: “If you want something done right, do it yourself.”

        Clearly, both sides have some compelling arguments. On one hand, by moving your data protection solution to the cloud, your organisation becomes increasingly agile and scalable. Storing and managing data in the cloud may also lower storage and maintenance costs. On the other hand, managing data protection in-house gives the organisation complete control. Therefore, a balance of the two approaches is needed in order to be sure that data protection is executed correctly and securely.

        The answer might be somewhere in the middle
        Is it better to outsource all of your organisation’s data protection functions, or is it better to manage it yourself? The best approach may be a mix of the two, using both DRaaS and Backup as a Service (BaaS). While choosing a cloud provider for a fully managed recovery solution is also a possibility, many companies are considering moving away from ‘do-it-yourself’ disaster recovery solutions and are exploring cloud-based options for several reasons.

        Firstly, purchasing the infrastructure for the recovery environment requires a significant capital expenditure (CAPEX) outlay. Therefore, making the transition from CAPEX to a subscription-based operating expenditure (OPEX) model makes for easier cost control, especially for those companies with tight budgets.

        Secondly, cloud disaster recovery allows IT workloads to be replicated from virtual or physical environments. Outsourcing disaster recovery management ensures that your key workloads are protected, and the disaster recovery process is tuned to your business priorities and compliance needs while also allowing for your IT resources to be freed up.

        Finally, cloud disaster recovery is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. Furthermore, the time and expense to recover an organisation’s data is minimised, resulting in reduced business disruption.

        Consequently, the disadvantages of local backups is that it can be targeted by malicious software, which targets backup applications and database backup files, proactively searching for them and fully encrypting the data. Additionally, backups, especially when organisations try to recover quickly are prone to unacceptable Recovery Point Objectives (RPO).

        What to look for when evaluating your cloud provider

        It is also essential when it comes to your online backups to strike a balance between micromanaging the operations and completely relinquishing any sort of responsibility. After all, it’s important to know what’s going on with your backups. Given the critical nature of the backups and recovery of your data, it is essential to do your homework before simply handing over backup operations to a cloud provider. There are a number of things that you should look for when evaluating a provider.
        • Service-level agreements that meet your needs.
        • Frequent reporting, and management visibility through an online portal.
        • All-inclusive pricing.
        • Failover assistance in a moment’s notice.
        • Do it yourself testing.
        • Flexible network layer choices.
        • Support for legacy systems.
        • Strong security and compliance standards.
        These capabilities can go a long way towards allowing an organisation to check on their data recovery and backups, on an as-needed basis, while also instilling confidence that the provider is protecting the data according to your needs. The right provider should also allow you the flexibility to spend as much or as little time on data protection, proportional to your requirements.

        Ultimately, using cloud backups and DRaaS is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. In most cases, the right disaster recovery provider will likely offer you better recovery time objectives than your company could provide on its own, in-house. Therefore as you review your options, cloud DR could be the perfect solution, flexible enough to deal with an uncertain economic and business landscape.

        Wednesday, 2 September 2020

        Top Five Most Infamous DDoS Attacks

        Guest article by Adrian Taylor, Regional VP of Sales for A10 Networks 

        Distributed Denial of Service (DDoS) attacks are now everyday occurrences. Whether you’re a small non-profit or a huge multinational conglomerate, your online services—email, websites, anything that faces the internet—can be slowed or completely stopped by a DDoS attack. Moreover, DDoS attacks are sometimes used to distract your cybersecurity operations while other criminal activity, such as data theft or network infiltration, is underway. 
        Why are DDoS attacks bigger and more frequent than ever?
        DDoS attacks are getting bigger and more frequent
        The first known Distributed Denial of Service attack occurred in 1996 when Panix, now one of the oldest internet service providers, was knocked offline for several days by an SYN flood, a technique that has become a classic DDoS attack. Over the next few years, DDoS attacks became common and Cisco predicts that the total number of DDoS attacks will double from the 7.9 million seen in 2018 to something over 15 million by 2023.

        But it’s not just the number of DDoS attacks that are increasing; as the bad guys are creating ever bigger botnets – the term for the armies of hacked devices that are used to generate DDoS traffic. As the botnets get bigger, the scale of DDoS attacks is also increasing. A Distributed Denial of Service attack of one gigabit per second is enough to knock most organisations off the internet but we’re now seeing peak attack sizes in excess of one terabit per second generated by hundreds of thousands, or even millions, of suborned devices. Given that IT services downtime costs companies anywhere from $300,000 to over $1,000,000 per hour, you can see that the financial hit from even a short DDoS attack could seriously damage your bottom line.

        So we’re going to take a look at some of the most notable DDoS attacks to date. Our choices include some DDoS attacks that are famous for their sheer scale while others are because of their impact and consequences.

        1. The AWS DDoS Attack in 2020
        Amazon Web Services, the 800-pound gorilla of everything cloud computing, was hit by a gigantic DDoS attack in February 2020. This was the most extreme recent DDoS attack ever and it targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection. This technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s IP address by 56 to 70 times. The attack lasted for three days and peaked at an astounding 2.3 terabytes per second. While the disruption caused by the AWS DDoS Attack was far less severe than it could have been, the sheer scale of the attack and the implications for AWS hosting customers potentially losing revenue and suffering brand damage is significant.

        2. The MiraiKrebs and OVH DDoS Attacks in 2016
        On September 20, 2016, the blog of cybersecurity expert Brian Krebs was assaulted by a DDoS attack in excess of 620 Gbps, which at the time, was the largest attack ever seen. Krebs had recorded 269 DDoS attacks since July 2012, but this attack was almost three times bigger than anything his site or, for that matter, the internet had seen before.

        The source of the attack was the Mirai botnet, which, at its peak later that year, consisted of more than 600,000 compromised Internet of Things (IoT) devices such as IP cameras, home routers, and video players. Mirai had been discovered in August that same year but the attack on Krebs’ blog was its first big outing.

        The next Mirai attack on September 19 targeted one of the largest European hosting providers, OVH, which hosts roughly 18 million applications for over one million clients. This attack was on a single undisclosed OVH customer and driven by an estimated 145,000 bots, generating a traffic load of up to 1.1 terabits per second, and lasted about seven days. The Mirai botnet was a significant step up in how powerful a DDoS attack could be. The size and sophistication of the Mirai network were unprecedented, as was the scale of the attacks and their focus.

        3. The MiraiDyn DDoS Attack in 2016
        Before we discuss the third notable Mirai DDoS attack of 2016, there’s one related event that should be mentioned: On September 30, someone claiming to be the author of the Mirai software released the source code on various hacker forums and the Mirai DDoS platform has been replicated and mutated scores of times since.

        On October 21, 2016, Dyn, a major Domain Name Service (DNS) provider, was assaulted by a one terabit per second traffic flood that then became the new record for a DDoS attack. There’s some evidence that the DDoS attack may have actually achieved a rate of 1.5 terabits per second. The traffic tsunami knocked Dyn’s services offline rendering a number of high-profile websites including GitHub, HBO, Twitter, Reddit, PayPal, Netflix, and Airbnb, inaccessible. Kyle York, Dyn’s chief strategy officer, reported, “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

        Mirai supports complex, multi-vector attacks that make mitigation difficult. Even though Mirai was responsible for the biggest assaults up to that time, the most notable thing about the 2016 Mirai attacks was the release of the Mirai source code enabling anyone with modest information technology skills to create a botnet and mount a Distributed Denial of Service attack without much effort.

        4. The Six Banks DDoS Attack in 2012
        On March 12, 2012, six U.S. banks were targeted by a wave of DDoS attacks—Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The attacks were carried out by hundreds of hijacked servers from a botnet called Brobot with each attack generating over 60 gigabits of DDoS attack traffic per second.

        At the time, these attacks were unique in their persistence: Rather than trying to execute one attack and then backing down, the perpetrators barraged their targets with a multitude of attack methods in order to find one that worked. So, even if a bank was equipped to deal with a few types of DDoS attacks, they were helpless against other types of attack.

        The most remarkable aspect of the bank attacks in 2012 was that the attacks were, allegedly, carried out by the Izz ad-Din al-Qassam Brigades, the military wing of the Palestinian Hamas organisation. Moreover, the attacks had a huge impact on the affected banks in terms of revenue, mitigation expenses, customer service issues, and the banks’ branding and image.

        5. The GitHub Attack in 2018
        On Feb. 28, 2018, GitHub—a platform for software developers—was hit with a DDoS attack that clocked in at 1.35 terabits per second and lasted for roughly 20 minutes. According to GitHub, the traffic was traced back to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.

        Even though GitHub was well prepared for a DDoS attack their defences were overwhelmed—they simply had no way of knowing that an attack of this scale would be launched.

        The GitHub DDoS attack was notable for its scale and the fact that the attack was staged by exploiting a standard command of Memcached, a database caching system for speeding up websites and networks. The Memcached DDoS attack technique is particularly effective as it provides an amplification factor – the ratio of the attacker’s request size to the amount of DDoS attack traffic generated – of up to a staggering 51,200 times.

        And that concludes our top five line up – it is a sobering insight into just how powerful, persistent and disruptive DDoS attacks have become.

        Tuesday, 1 September 2020

        Cyber Security Roundup for September 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, August 2020.

        Taking security training courses and passing certification exams are common ingredients in the makeup of the vast majority of accomplished cybersecurity and information security professionals. As such, two security incidents last month raised more than just a surprising eyebrow or two within the UK security industry. 

        The first involved the renown and well respected United States security training company, The SANS Institue, announcing that a successful email phishing attack against one of its employees resulted in 28,000 personal records being stolenSANS classified this compromise as "consent phishing", namely where an employee is tricked into providing malicious Microsoft Office 365 OAuth applications access to their O365 accounts. In June 2020, Microsoft warned 'consent phishing' scams were targeting remote workers and their cloud services.

        The second incident involved British cybersecurity firm NCC Group, after The Register reported NCC marked CREST penetration testing certification exam 'cheat cheats' were posted on Github. El Reg stated the leaked NCC marked document "offered step-by-step guides and walkthroughs of information about the Crest exams.  With those who posted the documents claiming that the documents contained a clone of the Crest CRT exam app that helped users to pass the CRT exam in the first attempt. CREST, a globally recognised provider of penetration testing accreditations, conducted their own investigation into the Github post and then suspended their Certified Infrastructure Tester (CCF Inf) and Certified Web Application Tester (CCT App) exams.

        Reuters reported British trade minister Liam Fox email account was compromised by Russian hackers through a spear-phishing attack. This led to leaks of sensitive US-UK  trade documents in a disinformation campaign designed to influence the outcome of the UK general election in late 2019.

        UK foreign exchange firm Travelex is still revelling from the double 2020 whammy of major ransomware outbreak followed by the impact COVID-19, and has managed to stay in business thanks a bailout arranged by their business administrators PWC. 

        Uber's former Cheif Security Officer has been charged with obstruction of justice in the United States, accused of covering up a massive 57 million record data breach in 2016. Uber eventually admitted paying a hacking group $100,000 (£75,000) ransom to delete the data they had stolen.

        The British Dental Association advised its dentist members that their bank account details and correspondence with them were stolen by hackers.  A BDA spokeswoman told BBC News it was possible that information about patients was also exposed, but remained vague about the potential context. The cyber breach was likely caused by a hack of the BDA website given it was taken offline for a considerable amount of time after reporting the breach.

        Its seems that every month I report a huge cloud misconfiguration data beach, typically found by researchers looking for publicity, and caused by businesses not adequately securing their cloud services.  This month it was the turn of cosmetics giant Avon after researchers 'SafetyDetectives" found 19 million records were accessible online due to the misconfiguration of a cloud server.  Accurics separately reported misconfigured cloud services accounted for 93% of 200 breaches it has seen in the past two years, exposing more than 30 billion records. Also predicting cloud services data breaches are likely to increase in both velocity and scale, I am inclined to agree.
        Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
        Finally, I was invited to review a pre-release of Geoff White’s new book, Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”. I posted a book review upon its release in August, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises. While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.

        Stay safe and secure.

        BLOG
        NEWS
        VULNERABILITIES AND SECURITY UPDATES
        AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        Tuesday, 25 August 2020

        Beating the Emotet Malware with SSL Interception

        Guest post by Adrian Taylor, Regional VP of Sales for A10 Networks  

        The Emotet trojan recently turned from a major cybersecurity threat to a laughingstock when its payloads were replaced by harmless animated GIFs. Taking advantage of a weakness in the way Emotet malware components were stored, white-hat hackers donned their vigilante masks and sabotaged the operations of the recently revived cyberthreat. While highly effective as well as somewhat humorous, the incident should not distract attention from two unavoidable truths. 
        First, while the prank deactivated about a quarter of all Emotet malware payload downloads, the botnet remains a very real, ongoing threat and a prime vector for attacks such as ransomware. And second, relying on one-off operations by whimsical vigilantes is hardly a sustainable security strategy. To keep the remaining active Emotet botnets—and countless other cyber threats—out of their environment, organisations need to rely on more robust and reliable measures based on SSL interception (SSL inspection) and SSL decryption.

        History of Emotet and the threat it presents
        First identified in 2014, version one of Emotet was designed to steal bank account details by intercepting internet traffic. A short time after, a new version of the software was detected. This version, dubbed Emotet version two, came packaged with several modules, including a money transfer system, malspam module, and a banking module that targeted German and Austrian banks. Last year, we saw reports of a botnet-driven spam campaign targeting German, Polish, Italian, and English victims with craftily worded subject lines like “Payment Remittance Advice” and “Overdue Invoice.” Opening the infected Microsoft Word document initiates a macro, which in turn downloads Emotet from compromised WordPress sites.

        After a relative quiet start to 2020, the Emotet trojan resurfaced suddenly with a surge of activity in mid-July. This time around, the botnet’s reign of terror took an unexpected turn when the payloads its operators had stored on – poorly secured WordPress sites – were replaced with a series of popular GIFs. Instead of being alerted of a successful cyberattack, the respective targets received nothing more alarming than an image of Blink 182, James Franco, or Hackerman.

        Whilst this is all in good fun, the question remains: what if the white hats had left their masks in the drawer instead of taking on the Emotet trojan? And what about the countless other malware attacks that continue unimpeded, delivering their payloads as intended?

        A view into the encryption blind spot with SSL interception (SSL inspection)
        Malware attacks such as Emotet often take advantage of a fundamental flaw in internet security. To protect data, most companies routinely rely on SSL encryption or TLS encryption. This practice is highly effective for preventing spoofing, man-in-the-middle attacks, and other common exploits from compromising data security and privacy. Unfortunately, it also creates an ideal hiding place for hackers. To security devices inspecting inbound communications for threats, encrypted traffic appears as gibberish—including malware. In fact, more than half of the malware attacks seen today are using some form of encryption. As a result, the SSL encryption blind spot ends up being a major hole in the organisation’s defence strategy.

        The most obvious way to address this problem would be to decrypt traffic as it arrives to enable SSL inspection before passing it along to its destination within the organisation—an approach known as SSL interception. But here too, problems arise. For one thing, some types of data are not allowed to be decrypted, such as the records of medical patients governed by privacy standards like HIPAA, making across-the-board SSL decryption unsuitable. And for any kind of traffic, SSL decryption can greatly degrade the performance of security devices while increasing network latency, bottlenecks, cost, and complexity. Multiply these impacts by the number of components in the typical enterprise security stack—DLP, antivirus, firewall, IPS, and IDS—and the problem becomes clear.

        How efficient SSL inspection saves the day
        With many organisations relying on distributed per-hop SSL decryption. A single SSL inspection solution can provide the best course of action by decrypting traffic across all TCP ports and advanced protocols like SSH, STARTTLS, XMPP, SMTP and POP3. Also, this solution helps provide network traffic visibility to all security devices, including inline, out-of-band and ICAP-enabled devices.

        Whilst we should celebrate the work of the white hats who restrained Emotet, it is not every day that a lethal cyber threat becomes a matter of humour. But having had a good laugh at their expense, we should turn our attention to making sure that attacks like Emotet have no way to succeed in the future—without the need to count on vigilante justice - this is where SSL inspection can really save the day.

        Sunday, 23 August 2020

        Countering Cybercrime in the Next Normal

        Guest post By Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black

        COVID-19 has reshaped the global cyberthreat landscape. While cyberattacks have been on the rise, the surge in frequency and increased threat sophistication is notable. The latest VMware Carbon Black Global Incident Threat Report, Extended Enterprise Under Threat – Global Threat Report series, found cybercriminals have seized the opportunity, taking advantage of the global disruption to conduct nefarious activity.

        COVID-19 has Exacerbated pre-existing Cyber Threats
        The VMware Carbon Black latest global survey of Incident Response (IR) professionals found that COVID-19 has exacerbated pre-existing cyberthreats. From counter incident response and island hopping to destructive attacks. Remote work then compounds this bringing additional cybersecurity challenges as employees access critical data and applications from their home networks or with personal devices outside of the corporate perimeter. Cybercriminals are also targeting the cloud, which organisations rely on to enable remote work. If you’re a cybercriminal, the pool of people you can trick now is exponentially larger, simply because we are in a global disaster.

        As the threat landscape transforms and expands, the underlying methodologies behind the attacks have remained relatively consistent. Attackers have just nuanced their threat strategies. For example, last Christmas, the number one consumer purchase was smart devices, now they’re in homes that have fast become office spaces. Cybercriminals can use those family environments as a launchpad to compromise and conduct attacks on organizations. In other words, attackers are still island hopping – but instead of starting from an organisation’s network and moving along the supply chain, the attack may now originate in home infrastructures.

        Next-Generation Cyberattacks require Next-Generation IR
        While more than half (53%) of the IR professionals reported encountering or observing an increase in cyberattacks exploiting COVID-19, this isn’t a one-sided battle and there is much security teams can do to fight back.

        Next-generation cyberattacks – with adversaries increasingly working to maintain persistence on systems – call for next-generation IR, especially as corporate perimeters across the world breakdown. To this point, here are seven key steps that security teams can take to fight back:

        1. Gain better visibility into your system’s endpoints: Doing so can empower security teams to be proactive in their IR – rather than merely responding to attacks once they come, they can hunt out prospective threats. This is increasingly important in today’s landscape, with more attackers seeking to linger for long periods on a network and more vulnerable endpoints online via remote access.
        2. Establish digital distancing practices: People working from home should have two routers, segmenting traffic from work and home devices. They should have a room free of smart devices for holding potentially sensitive conversations. And they should restrict sensitive file sharing across insecure applications, like video conferencing tools.
        3. Enable real-time updates, policies and configurations across the network: This may include updates to VPNs, audits or fixes to configurations across remote endpoints and other security updates – even when outside the corporate network. It’s important to keep in mind the security architecture when making these changes, otherwise, things get changed without having the proper controls in place to react.
        4. Enhance collaboration between IT and security teams – and make IT teams more cybersecurity savvy: As noted, 92% of IR professionals agree that a culture of collaboration between IT and security teams will improve enterprise security and response to cyber risks. This is especially true under the added stress of the pandemic. Alignment should also help elevate IT personnel to become experts on their own systems, whether it’s training them to threat hunt on a Windows box or identify anomalous configurations on certain SaaS applications.
        5. Expand Cyber-Threat Hunting: Threat hunting provides ground truth and context which is essential for defence. Situational awareness is dependent on ground truth which is based in the assumption of breach. One must proactively explore their environment for abnormal activity. The cadence of threat hunting must be increased, and the scope should extend to the information supply chain as well as Senior Executives laptops as they work from home.
        6. Integrate Security Controls: Integration allows organisations to uniquely see across traditional boundaries/silos providing richer telemetry and allowing for defenders to react seamlessly.
        7. Remember to communicate: Now more than ever, organizations must motivate IT and SECops to get on the same page and prioritize change management while maintaining clear lines of communication – about new risk factors (application attacks, OS exploitation, smart devices, file-sharing applications, etc.), protocols and security resources.
        As we move into the next normal, the workforce will largely remain remote and distributed. Organisations will need to prioritise sharpening their security defences and gaining a clearer picture of the evolving threat landscape to inform today, tomorrow and the challenging months to come.

        Tuesday, 18 August 2020

        Book Review: Crime Dot Com, From Viruses to Vote Rigging, How Hacking Went Global

        I had the great delight of reading Geoff White’s new book, “Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises.
        Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
        In Crime Dot Com Geoff takes the reader on a global historic tour of the shadowy cybercriminal underworld, from the humble beginnings with a rare interview with the elusive creator of the ‘Love Bug’ email worm, which caused havoc and panic back in 2000, right up to the modern-day alarming phenomenal of elections hacking by nation-state actors.

        The book tells the tales of the most notorious hacks in recent history, explaining how they were successfully planned and orchestrated, all wonderfully written in a plain English style that my Luddite mother-in-law can understand.  Revealing why cybercrime is not just about the Hollywood stereotypical lone hacker, eagerly tapping away on a keyboard in the dark finding ingenious ways of exploiting IT systems. But is really about society obscured online communities of likeminded individuals with questionable moral compasses, collaborating, and ultimately exploiting innocent victims people out of billions of pounds.

        The book covers the UK’s most notorious cyberattacks, such as the devasting 2017 WannaCry ransomware worm attack on the NHS, and the infamous TalkTalk hack carried out by teenage hackers.  Delving beyond the media 'cyber scare' headlines of the time, to bring the full story of what happened to the reader. The book also explores the rise and evolution of the Anonymous hacktivist culture and takes a deep dive into the less savoury aspects of criminal activities occurring on the dark web.

        As you read about the history of cybercrime in this book, a kind of symbiosis between cybercriminals and nation-state hackers activities becomes apparent, from Russian law enforcement turning a blind-eye to Russia cybercriminals exploiting the West, to both the NSA’s and North Korea’s alleged involvement in creating the heinous WannaCry ransomware worm, and the UK cybercriminal that disabled that attack.  The growing number of physical world impacts caused by cyber-attacks are also probed in Crime Dot Com, so-called ‘kinetic warfare’. How sophisticated malware called Stuxnet, attributed by the media as United States military created, was unleashed with devastating effect to physically cripple an Iranian nuclear power station in a targeted attack, and why the latest cyber threat actors are targeting Britain’s energy network.

        While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.
        5 out of 5: A must-read for anyone with an interest in cybercrime

        Friday, 7 August 2020

        Cyber Security Roundup for August 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

        The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
        Twitter confirms internal tools used in bitcoin-promoting attack ...
        Scam Tweet
        The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me

        While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' as reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their Twitter privilege account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, that scammer(s) orchestrated a near-simultaneous Bitcoin scam tweets to be posted from the high profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year British man from Bognor Regis.

        There was a very serious critical Windows vulnerability disclosed as part the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350 it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

        Given SIGRed is a wormable vulnerability, it makes it particularly dangerous, as wormable malware could exploit the vulnerability to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to exploit privilege level accounts (i.e. admin accounts found on Servers).  The Microsoft CVE-2020-1350 vulnerability can be mitigated on effected systems by either applying the Microsoft Windows DNS Server Microsoft released patch (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 or by applying a Registry Workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)

        At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

        As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banning their purchase of Huawei 5G network equipment after 31st December 2020.  Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said. 
        In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions after Reuter's said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following their trade dispute with China.

        Russian Hacking Group (APT 29) was jointly accused of targeting the theft of coronavirus vaccine research by the UK NCSC, the Canadian Communication Security Establishment (CSE), United States Department for Homeland Security (DHS), Cyber-security Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK has rejected allegations, "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. While Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour". 

        UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation, the million-pound theft was only thwarted by a last-minute intervention by a bank.  Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising emails, cyber-enabled fraud and ransomware to shutting down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

        Smartwatch maker Garmin, had their website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'.  According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

        Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers, one million files of Fitness Brand 'V Shred' was discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly V Shred defended the researcher findings by claiming it was necessary for user files to be publicly available and denied that any PII data had been exposed.

        BLOG

        NEWS
        VULNERABILITIES AND SECURITY UPDATES
        AWARENESS, EDUCATION AND THREAT INTELLIGENCE