Not all passwords are created equal, according to a new report from research firm Cybersecurity Ventures, which estimates that by 2020, hackers will have their choice of 300 billion passwords to target.
That total includes an estimated 100 billion user account passwords for things like social media and email, as well as 200 billion passwords or credentials used to log in to Internet of Things (IoT) devices. So-called "privileged accounts," used to maintain IT infrastructure, will be among the most frequently targeted, because they are stored in multiple places and provide access to entire networks of devices. "One privileged account password breach can allow a hacker to access and steal the credentials and passwords belonging to every employee in a company," Joseph Carson, Chief Security Officer of Thycotic and one of the report's co-authors, said in a statement. Similarly, since consumers often reuse passwords for multiple online accounts, a breach at one site—like the massive Yahoo breach revealed in December—will likely provide hackers easier access to accounts at many other sites. The report also claims that most social media users do not use multi-factor authentication for logins, despite repeated attempts from social media companies to encourage its use. Multi-factor authentication requires a user to enter a unique code generated for a specific login attempt in addition to his or her regular password. The damage from password theft—which will keep happening, the report predicts—could reach $6 trillion annually by 2021. It's worth noting that the 300 billion passwords figure is a conservative number: it assumes an average of 25 passwords per Internet user, and apparently doesn't include laptops, desktops, or other non-IoT devices.
http://www.pcmag.com/news/351438/report-300b-passwords-at-risk-by-2020?source=SectionArticles

If you use WebEx at work, it is time to update the software.
A vulnerability in Cisco WebEx browser extensions may allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the browser on the system. If you do not use it anymore, please remove the extensions. The affected versions are:
• Versions prior to 1.0.7 of the Cisco WebEx Extension on Google Chrome
• Versions prior to 106 of the ActiveTouch General Plugin Container on Mozilla Firefox
• Versions prior to 10031.6.2017.0126 of the Gpc Container Class ActiveX control file on Internet Explorer
https://lnkd.in/d-KM7Yh
Use this to remove the WebEx software.
https://lnkd.in/db8y-4c

As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing a blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads. Imagine turning on your computer and, instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones instead.
http://blog.trendmicro.com/trendlabs-security-intelligence/petya-crypto-ransomware-overwrites-mbr-lock-users-computers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with.
3. Authorize after you authenticate.
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
5. Define an approach that ensures all data are explicitly validated.
6. Use cryptography correctly.
7. Identify sensitive data and how it should be handled.
8. Always consider the users.
9. Understand how integrating external components changes your attack surface.
10. Be flexible when considering future changes to objects and actors.
https://youtu.be/_dj_90TnVbo
• Implement perimeter blocks for known threat indicators:
  ◦ Email server or email security gateway filters for email indicators
  ◦ Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
  ◦ DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
• Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
• Identify recipients and possibly infected systems:
  ◦ Search email server logs for the applicable sender, subject, attachments, etc. (to identify users who may have deleted the email and were not identified in the purge of mailboxes)
  ◦ Search applicable web proxy, DNS, firewall or IDS logs for activity to the malicious link that was clicked.
  ◦ Search applicable web proxy, DNS, firewall or IDS logs for activity to any command and control (C2) domains or IP addresses associated with the malware.
  ◦ Review anti-virus (AV) logs for alerts associated with the malware. AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence that a system is not infected.
  ◦ Scan systems for host-level indicators of the related malware (e.g., YARA signatures).
• For systems that may be infected:
  ◦ Capture live memory of potentially infected systems for analysis
  ◦ Take forensic images of potentially infected systems for analysis
  ◦ Isolate systems to a virtual local area network (VLAN) segmented from the production agency network (e.g., an Internet-only segment)
• Report incidents, with as much detail as possible, to the NCCIC.

Educate Your Users
Organizations should remind users that they play a critical role in protecting their organizations from cyber threats. Users should:
• Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. Be particularly wary of compressed or ZIP file attachments.
• Avoid clicking directly on website links in emails; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
• Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.

Basic Cyber Hygiene
Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s security practitioners:
• Privilege control (i.e., minimize administrative or superuser privileges)
• Application whitelisting / software execution control (by file or location)
• System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
• Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
• Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
• Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV) cards)

Anti-privacy unkillable super-cookies spreading around the world – study (from The Register, 8/23/2015)
At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study.
A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks. They can't be stripped by the user: every time a subscriber visits a website from his or her smartphone, the telco's system places the super-cookie in the HTTP headers, so that the site's servers can identify the visitor. This super-cookie allows ad networks and media publishers to follow people across the internet even if they clear their cookies. It allows the networks to build up profiles on users' habits, and pitch them targeted advertising, while the telcos take a cut. When it emerged that Verizon and AT&T in the US were using this technology it caused a storm. AT&T dropped the super-cookies, and Verizon eventually switched to an opt-out approach: if you switched them off, the headers went away. Now a six-month investigation by digital rights group Access has shown that telcos overseas are using the same super-cookie techniques. Access set up a website called Amibeingtracked.com, and monitored visits from 180,000 netizens on their phones. The group found that 15.3 per cent of visitors had the tracking headers installed from cellphone owners in Canada, China, India, Mexico, Morocco, the Netherlands, Peru, Spain, the US, and Venezuela. Verizon, AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain all used the technology, although AT&T dropped off the charts when it withdrew the system. Verizon is still on the charts because people are opted-in by default. By far the largest number of people being monitored were in the US, with the Access engine finding over 23,000 unstrippable headers from phone users in the Land of the Free. Spain was the next most tracked nation – with just over 3,000 cases – and the other countries had fewer than a thousand cases each. 
The samples collected by the website showed a great degree of variance in what data was being collected and transferred using the technique. Telcos are increasingly encrypting the header information, but some still send data in clear text, including the phone number of the user in three cases. "Not all carriers track their users, and those that respect user privacy deserve our support," the report [PDF] concludes. "Telecommunications companies occupy a central role in providing access to the internet, enhancing the communications capabilities of billions of people. By delivering open access, networks, and services, telcos can serve not just as internet service providers, but also as 'freedom providers.'" The only way to stop the header from reporting back is to limit your web browsing to HTTPS sites only, but that's going to prove rather limiting. Alternatively, switch to a telco that doesn't use the technology, although that may become harder over time as well.

Privileged accounts are still easy to compromise (posted on 17 August 2015)
A Thycotic survey of 201 Black Hat USA 2015 attendees found that a majority (75%) have not seen a fundamental change in the level of difficulty in compromising privileged account credentials, despite an overall increase in IT security spending over the past two years.
Among other topics, the survey also asked hackers how often they come across privileged account credentials in unprotected files like spreadsheets. Only 6 percent of respondents said they had never seen this, meaning 94% find privileged credentials in unprotected files at least some of the time. Other key findings from the survey include:
“Perhaps not surprising to those in the cybersecurity industry, it is apparent that for all the new defensive solutions that have been introduced, we still haven’t cracked the code on how best to protect mission-critical data and company secrets, and in fact, in some cases we’re only adding additional layers of complexity which provide attackers more attack vectors to use to break in,” said Nathan Wenzler, senior technology evangelist at Thycotic. “It’s also clear from the data that even some of the most basic security practices are still not being enforced well enough by organizations and privileged login credentials are constantly left vulnerable to intruders.”
http://thenextweb.com/insider/2015/08/21/how-hackers-tempt-you-to-open-that-email/
https://www.infosecindustry.com/
https://www.schneier.com/blog/archives/2015/08/shooting_down_d.html?utm_source=twitterfeed&utm_medium=twitter
I am not going to write a thesis here, but will share a few things from the weekend. If you install Win 10 and don't select "Express Install", you will be guided through 13 pages of configuration settings. Microsoft are being transparent with the data that is being captured. I found it very interesting to see what data was captured and to what extent the data was used to "improve my user experience".
If you went for the express install, there is a little bit of code at GitHub that will help disable some of the tracking without too much of your involvement: https://github.com/10se1ucgo/DisableWinTracking. There is a browser extension you can add to Chrome or Firefox that purports to block third-party tracking: https://www.eff.org/privacybadger. IE is not supported currently.
Your browser fingerprint appears to be unique among the 5,595,111 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 22.42 bits of identifying information. The measurements we used to obtain this result are listed below. You can read more about our methodology, statistical results, and some defenses against fingerprinting in this article.
https://panopticlick.eff.org/browser-uniqueness.pdf

A great overview of the Black Hat briefings and topic coverage.
https://www.blackhat.com/us-15/briefings.html
https://www.privacytools.io/
7 STEPS TO SECURING HEALTHCARE INFRASTRUCTURES USING A CLOUD SECURITY PLAN (from HIMSS Media, 5/6/2015)

Step 1: Review business goals
Although hospital settings and physician practices can vary greatly, every cloud security plan should begin with a routine assessment of specific business objectives. Security should enable:
The easiest way to create security policies, procedures and standards is to embrace best practices. Read everything available and apply industry best practices in order to create policies that align with your specific business goals and allow for the development of realistic procedures that are acceptable to your organization. For healthcare providers, a good example may be found in the provisioning of HIPAA- and HITECH-compliant services to new and existing patients. In order to do so, the healthcare organization must build security policies that define the restrictions when handling Protected Health Information (PHI), procedures that define the process of acquiring PHI and guidelines that promote the general adoption of best practices. Healthcare organizations can dramatically reduce the learning curve for developing security policies, procedures and standards by leveraging high-performance cloud computing.

Step 3: Maintain a risk management program
An effective cloud-computing risk management program will reduce overall risk, prioritize the utilization of resources and provide your healthcare organization with a long-term strategy. But only a well-defined and carefully maintained risk-management program will deliver an aggregated view of the risk that an organization is willing to accept. Most organizations assess the value of the asset and the loss expectancy probability before determining whether a risk is acceptable, or if steps should be taken to reduce the chances of that loss. Careful analysis should be conducted regularly to develop responsible programs and to build in the controls and auditing capabilities needed to lower threats and maintain a reasonable security program that protects assets within budgetary guidelines. Your cloud-computing risk-management program should be audited, and policies should be defined explicitly stating who may accept risk on behalf of the organization.
Having a robust risk management program in place means you have identified your critical assets and established appropriate levels of protection. Rather than devoting the bulk of your time to writing policies, plan on spending the majority of your time learning how the organization truly functions, so security can better contribute to its success and not be viewed as a daily battle.

Step 4: Support business goals
A well-developed cloud-computing security plan should include goals with measurable results that provide support for the growth and stability of your healthcare organization. It should include compliance programs, technologies and processes with specific results. In many ways, your security plan will become a natural extension of the first two steps.

Step 5: Go for organization-wide support and alignment
To garner support and acceptance of your cloud-computing security plan, prioritize security policies and ensure that they are not in conflict with other policies from different departments. Involvement and support of the plan throughout the organization is critical to its success. Although establishing levels of security that meet business goals and comply with regulatory requirements and risk-management policies is critical, it is equally important that they can be centrally managed and conveniently implemented with minimal negative impact to productivity. Balancing ease of deployment and organizational acceptance is a necessary trade-off. Studies have found that the key is to budget enough time into the process to foster an understanding of how a healthcare organization develops its services and delivers them to patients and/or affiliated partners.

Step 6: Plan for regular audits and reviews
Regularly reviewing your security plan, reporting on goal progress and auditing the organization’s compliance with security policies and procedures are important components of the plan’s success. If it is part of your overall business plan, a third-party audit can deliver an impartial review of the controls and report on compliance to established programs. Fully grasping the auditing requirements for your healthcare organization – as well as the frequency of audits – ensures both compliance with relevant requirements and maintenance of best practices for securing enterprise resources.

Step 7: Improve your improvements
The continuous improvement of security and compliance goes hand-in-hand with a well-developed security plan. Healthcare is a rapidly evolving industry. Your organization’s security needs will change over time, just as the technology available to support these needs will continue to evolve. Senior executives and your cloud services provider should review your cloud computing security plan at least once a year. Plan on revising goals and objectives as needed, reviewing and editing security policies and procedures, and reporting the security and compliance teams’ achievements back to your organization.

Half of cloud adopters are hosting clinical applications in the cloud, primarily using Software as a Service (SaaS). Other common cloud services include Health Information Exchange (HIE), hosting human resources (HR) applications and data, as well as backup and disaster recovery. Although approximately 3 percent of survey respondents expressed a resistance to adopting cloud services due to security concerns, properly managed cloud infrastructure provides better security than most enterprise data centers, applications and IT infrastructure.
Selecting a stable cloud service provider with world-class data centers, enterprise cloud computing infrastructure, application expertise and a proven security methodology will help your healthcare organization reap the financial rewards of cloud computing while implementing a security framework optimized for the requirements of cloud architectures. By partnering with cloud providers, healthcare organizations can more readily alter their security plans to support evolving corporate strategies or regulatory requirements.

The first action is to gain command of the facts. This entails acquiring the data on information assets to support a company-specific risk profile; building a consensus with the business on what matters and on the impact of security compromise; and developing a planning tool that includes corporate and industry data.
The second action is to get business leaders to own risk. This entails advocating for the mind-shift that business owns IT security risk; building key alliances with the business; running security exercises, games and simulations; and developing strong stewardship policies and tools. The third action is to embed security into key processes. This involves embedding safe coding practices into the software development processes, including criteria in vendor due diligence, building consultations into new business initiatives, and getting involved early in mergers and acquisitions. Fourth, a CISO should run IT security like a business. This entails developing financial discipline to tie budgets to business impact, developing sophisticated resource management skills, and building strong project management capabilities within information security. Fifth, a CISO should put together a technical and business-capable team. This involves changing the game with competency models that balance technical, business, and interpersonal skills; applying the model and laying out career paths to retain those who can represent the CISO; and investing in leadership and management for the CISO and direct reports. The sixth action is to communicate the value of security. This entails building a value proposition for how IT security helps the business grow and compete, communicating that value consistently, and engaging with stakeholders to express the value of security in terms that have meaning to them. And the seventh action is to organize for success. This involves assessing the workload on the IT security team, developing a clear reporting path for the CISO, and instituting mechanisms that put the CISO and team in direct contact with corporate leaders.

Margaret Rouse writes that homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form.
Homomorphic encryptions allow complex mathematical operations to be performed on encrypted data without compromising the encryption.
In mathematics, homomorphic describes the transformation of one data set into another while preserving relationships between elements in both sets. The term is derived from the Greek words for "same structure." Because the data in a homomorphic encryption scheme retains the same structure, identical mathematical operations -- whether they are performed on encrypted or decrypted data -- will yield equivalent results. Homomorphic encryption is expected to play an important part in cloud computing, allowing companies to store encrypted data in a public cloud and take advantage of the cloud provider’s analytic services. Here is a very simple example of how a homomorphic encryption scheme might work in cloud computing:
• Business XYZ has a very important data set (VIDS) that consists of the numbers 5 and 10. To encrypt the data set, Business XYZ multiplies each element in the set by 2, creating a new set whose members are 10 and 20.
• Business XYZ sends the encrypted VIDS set to the cloud for safe storage. A few months later, the government contacts Business XYZ and requests the sum of VIDS elements.
• Business XYZ is very busy, so it asks the cloud provider to perform the operation. The cloud provider, who only has access to the encrypted data set, finds the sum of 10 + 20 and returns the answer 30.
• Business XYZ decrypts the cloud provider’s reply and provides the government with the decrypted answer, 15.

Respectfully, lots of us work in large organizations that have very porous boundaries that, with mobile device support and the arrival of "the Internet of things", will undoubtedly lead to even further perimeter fragmentation.
How do we move from a mentality of "Not if, but when" to one of "it's happened" to understand the compromise and mitigate loss as efficiently as possible?
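Picking up the homomorphic encryption walkthrough above: the following is an added example, not code from the article or its cited author, showing a real additively homomorphic scheme (Paillier) doing exactly what the Business XYZ story describes. The cloud multiplies Enc(5) and Enc(10) without the private key and the owner decrypts 15; the primes and data values are constructed demo inputs, far too small to be secure.

```python
"""Paillier: an additively homomorphic public-key scheme (added demo)."""
import secrets
from math import gcd

# Constructed demo primes (NOT secure): the two smallest primes above 10**6.
P, Q = 1000003, 1000033


def keygen(p=P, q=Q):
    """Paillier key generation with the usual simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    assert gcd(n, lam) == 1                       # needed for decryption to work
    mu = pow(lam, -1, n)                          # lam^-1 mod n (Python 3.8+)
    return (n, n + 1), (lam, mu)                  # public key, private key


def encrypt(public, m):
    """c = g^m * r^n mod n^2; a fresh random r makes every ciphertext differ."""
    n, g = public
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(public, private, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = public
    lam, mu = private
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(public, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 decrypts to m1 + m2: the cloud's blind step."""
    n, _ = public
    return (c1 * c2) % (n * n)


def scale_encrypted(public, c, k):
    """Enc(m)^k mod n^2 decrypts to k * m, again without the private key."""
    n, _ = public
    return pow(c, k, n * n)


def cloud_sum_demo():
    """The article's scenario: XYZ encrypts 5 and 10, the cloud adds them
    without ever seeing the plaintexts, XYZ decrypts and obtains 15."""
    public, private = keygen()
    vids = [5, 10]                                  # the 'very important data set'
    stored = [encrypt(public, m) for m in vids]     # what the cloud holds
    blind_sum = add_encrypted(public, *stored)      # computed by the cloud
    return decrypt(public, private, blind_sum)


def same_plaintext_differs():
    """Unlike the article's deterministic 'multiply by 2' toy, Paillier is
    randomized: two encryptions of 5 look unrelated, so the cloud provider
    cannot even tell which stored records are equal."""
    public, _ = keygen()
    return encrypt(public, 5) != encrypt(public, 5)


if __name__ == "__main__":
    print("decrypted sum:", cloud_sum_demo())                   # 15
    print("randomized ciphertexts:", same_plaintext_differs())  # True
```

Results wrap modulo n, so sums and scaled values must stay below n for the decrypted integer to equal the true one.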