Background Image on Blogs "Quilted" Page: 

PrettyBuilding.jpg

Despite the growing number of high-profile data breaches - Equifax being the most recent big victim - cybersecurity awareness still remains a back-burner issue at many organizations.

More often than not, management relegates the topic to an annual training event, one that most employees are all too happy to ignore.

When MediaPro, a company specializing in cybersecurity awareness training, investigated the level of cyber awareness, it found that seven in 10 employees lacked the basic awareness to stop preventable cybersecurity incidents. Their report also judged the average respondent to be dangerously close to making one mistaken decision that might trigger a security or privacy incident. These included working remotely on unsecured public WiFi hotspots (19%), failing to recognize common signs of malware (12%), and participating in risky social media behavior (20%).

Most companies don’t do more either because they think their investment in IT security infrastructure offers enough of a shield or because they don’t have sufficient funding or C-level backing to engage in formal cybersecurity awareness training. Many also believe that having a security policy employees can reference on occasion is enough of a deterrent.  

"There’s an attitude of immunity," according to Kevin Beaver, founder and principal information security consultant at Principle Logic LLC. "Many organizations believe they aren’t targeted or won’t get hit."

It’s up to the organization’s leadership to inculcate cyber awareness early on, starting with the candidates they interview during the hiring process. Then it’s up to them to put the right policies and programs in place to make this second nature. 

But while companies have become more rigorous about securing their IT infrastructure in recent years, they haven’t shown the same due diligence in creating awareness programs that reinforce the technology by adequately engaging and informing users about risky cybersecurity behavior, experts say.

"Current cybersecurity awareness training, if it actually exists at all, is inadequate," said Adam Godfrey, a cybersecurity policy consultant. "The majority of approaches are minimalist—maybe an annual refresher course or a PowerPoint presentation that serves to check the box that training technically took place. The reality is they have no purpose beyond that."

 Inform and Delight

Standard informational tools like policy documents or training courses simply don’t go far enough in grabbing employees’ attention and providing working knowledge of how to avoid or ward off threats. However, for organizations willing to go beyond traditional tactics, there are new gamification and behavioral awareness techniques that are proving to be more effective tools in combating cybersecurity threats.

Consider phishing attacks, one of the most prevalent attack vectors. Instead of simply talking about the threat or providing background reading material, some organizations now conduct mock phishing scenarios to give employees first-hand experience with what an attack looks and feels like.

Couple the hands-on approach with gamification tactics and a reward system (awarding gift cards or a catered lunch to the winners, for example) and all of the sudden, employees are highly motivated to become cybersecurity subject matter experts, Godfrey says.

"By actively engaging users in this manner, they remain on their toes in anticipation of future attempts," he explains, adding that gamification removes monotony and boredom from the equation. "It encourages participation in something that would otherwise be dry and disengaging. It forces the user to interact with the training rather than mindlessly clicking through it or zoning out until the end of the session."

Making cybersecurity awareness fun—and funny—is another way to break the tedium of traditional training. Leveraging short-form videos, keeping things light, and creating social media content destined to go viral is an effective way to keep employees from tuning out. It also helps to leverage a campaign approach to get the message out while conducting awareness training on a continuous basis, notes Tom Pendergast, CTO at MediaPro, which helps companies create cybersecurity awareness programs.

"We’ve been using tactics like advertising and public relations forever to get people to pay attention, although historically we haven’t applied those domains to run security awareness programs," he said. "The more progressive and risk-adverse companies recognize that there’s got to be a year-round program communicating about cyber security in a variety of modalities using humor and getting influential people in the organization involved in the conversation."

Deb Walter, a manager of information security policy, standards, training and awareness for AmerisourceBergen, says her company is taking just that approach. The firm has been working to mature its awareness strategy, working with MediaPro to create courses for targeted areas of security awareness training, but also to put a program in place to cover the basics for new hires.

"We do regular, mandatory phishing training on a regular basis and on-going publishing of security-focused content on our website, among other things," Walter said. She added that the drug wholesale company is making role-based training a priority.

"It’s still early in the maturation process, but we’ve gotten lots of great feedback from employees about the training, particularly since it’s short and interactive," she said. "We’re continuing to focus on keeping it brief and engaging for maximum retention."

Background Image on Blogs "Quilted" Page: 

labs-quilt-image.jpg

After spending a good part of my career doing serious embedded security engineering, I once confidently believed it was possible to build serious security into (nearly) any kind of thing. 

Yet each day, it seemed, there was a new kind of item to secure. Like the film character “Neo,” we’ve become wired into a 24 x 7 digital matrix of constant connectivity with networked lights, locks, heating-cooling systems, cameras, and a variety of other smart “things” to secure. 

It took me more than a year to realize that I couldn’t possibly build security into all of the - literally - billions of things coming online, each with their own operating systems or embedded applications. That would take more than a lifetime.   

But if the long-term goal of absolute cybersecurity in the Internet of Things era remains beyond our grasp for now, there may still be another way to move closer to that target. The fact that we’re already constantly connected and able to participate in a seamless experience - an ecosystem of devices we call ambient computing - offers the theoretical hope that we can do the same for security.

“Always-on” Security

Think about it this way. What if your device was connected to a cloud-based service that delivered “always on” security? What’s more, the device wouldn’t be able to connect to anything except through that particular security service, which would offer full protection against any imaginable cyberattacks cooked up by the bad guys.

This isn’t fantasy. We already do something similar for laptops, smartphones, and tablets with “firewall as a service” offerings. Many enterprises also use cloud-based services with global deployments of security hardware so that wherever they connect, employees are connecting through these security sites. 

Some may be connecting over an untrusted local connection but that’s why those services set you up with a “personal” crypto connection, thus eliminating the need to trust a particular local network.  What’s more, everything is encrypted from the device to a secure site which deploys security hardware to protect users from potential attack. 

Of course, firewalls aren’t enough. That’s why such services seriously need things like full proxies and careful “key management.” That allows the security hardware to even defend against attacks tunneling through encrypted web connections.  Fortunately, this exists today in commercial services like our own Web Security Service (WSS) as well as offerings by other security providers.    

The Road Ahead

Where do we head from here? I see three possibilities. 

If your company makes IoT devices, be sure they only connect through such security services.  It should be up to the manufacturer, not the end-customer, to decide whether or not their “things” connect to security services - or to anything else. 

If you or your company buys IoT devices, don’t be bashful. Tell your suppliers that you want products configured so as to only connect to cloud-based security gateways that protect them. If a supplier can’t do that, put them on notice that the clock is ticking.  Let them know that you’ll only source products in the future from vendors that are serious about IoT security. While we’re at it, consider this: If a vendor is unable to configure their devices to connect to a simple cloud-based security service, can you really trust them to deal with the harder aspects of security?  

We can glimpse a better security future over the horizon. So, whether you make or buy IoT devices, let’s team up and further the research into how to make seamless, “always on” ambient security better.  Symantec collaborates with countless universities and customers and we regularly share our research with the industry.  Even if someone else manages to find an answer, we’d still be flattered and grateful that you chose to join us on the journey. After all, we all share the same goal of making a better, more secure world.   

First confirmed in Japan in December of 2016, the DreamBot Trojan infected computers and tricked victims into giving up their credentials and one-time passcode, which a criminal group used to siphon off funds.

                                                                                           * Mainichi Japan October 5 2017

By the time Japan’s Metropolitan Police Department announced, on October 5, 2017, that it had exposed the criminals, the group had pilfered a staggering 240 million yen (approximately US$2.1 million) from consumer accounts. DreamBot exposed the need for banks to move away from one-time passcodes (OTPs) as their only two-factor authentication for access and embrace a strong form of transaction verification.

Strong Authentication for Access

DreamBot was a man in-the-browser attack, facilitated by malware installed on a Windows machine. Traditional OTP has never been the right security measure to protect against man-in-the-middle or man-in-the-browser attacks. Given the growing scale of data breaches, banks, in particular, have an obligation to implement stronger security measures to protect sensitive consumer accounts. Banks need to leverage a multifactor authentication (MFA) solution that provides a secure out-of-band authentication method for both account logon as well as transaction verification. Whether the action is a password reset or a wire transfer, banks need to require two-factor authentication on any risky actions to confirm their legitimacy.

Contextual Authentication for Transactions

The DreamBot attack could have been mitigated had unsuspecting users received a push notification asking them to confirm the (malicious) account activity. While human error cannot be completely eliminated, the vast majority of transfers would have been stopped when users recognized the malicious activity and denied the unauthorized request.

If the transaction details match what you were submitting—for example, “Transfer $100 to my friend’s account”—then a simple Accept on your smartphone will let the transaction proceed. If the details have changed—for example, “Transfer $10,000 to an unknown account”—then a Deny will stop it dead in its tracks. Assurance is provided through the user response from a unique, secure device, answered by the intended human that previously linked this device to the account. The attacker cannot compromise both communication channels (web and mobile) without significant effort.

Choosing the Right Authentication Solution

When selecting a strong, out-of-band authentication software method, look for security vendors with proprietary technology, which is unique and cannot be cloned. When implementing a soft authenticator solution, ensure your authentication vendor leverages the Trusted Execution Environment (TEE). We believe a TEE-protected soft authenticator approach is more secure than a dedicated hardware approach because it resides in a full-stack computing platform that enables secure updates, such as secret rotation, which can quickly mitigate possible threats.

Banks also need to consider vendors that offer complementary security services. DreamBot took advantage of compromised Windows machines—it is as critical to protect user devices as it is to protect user credentials.* Consider authentication vendors who can provide malware detection for all user devices. Soft authenticators are oftentimes hosted on mobile devices so choose a vendor that can check for mobile risk factors and ensure good device hygiene. Mobile device risk factors include outdated operating systems, jail-broken or rooted phones, and debuggers or other development tools.

Last, banks should ensure any security solution easily fits with their consumer-facing applications. Look for a scalable solution that delivers strong, out-of-band authentication and device protection using supporting APIs and advanced business logic. By building these capabilities into their applications, banks can preserve the user experience while promoting their brand.

By leveraging all the above-mentioned security capabilities for access control and transaction verification, banks can greatly decrease the attack surface and protect themselves and their consumers from future criminal activity. 

*Japan Cybercrime Control Center has a page that enables user to check if their computers are infected

By Jonathan Omansky, Senior Director, Development, Security Technology & Response Team

Symantec’s Jonathan Omansky provides a simple set of steps to launch a career in cyber security and to address the critical shortage of qualified cyber security professionals. Check out his first article on how to break into the cyber security field. This week he focuses on step two: research, learn, and assess—and most importantly, do work!

I was raised to know that education and hard work provide opportunities. If I didn’t know how to do something, I learned it through whatever means possible. If books or teachers weren’t available, I’d watch someone (or three people if need be) do a task and then emulate what I saw. I’d read up on a topic, try different ways of getting something done, and learn from my errors.

Let’s use learning how to build an automobile engine as an example. It’s a big job and what I quickly learned is that all big goals need to be broken up into smaller, more digestible chunks of learning. I also learned that I didn’t need to know how to construct the whole engine at first. Instead, I started by focusing on my needs at the time. For instance, I could start by learning how to change the oil or replace a spark plug, completing smaller tasks that allowed me to move forward towards my ultimate goal.

This approach is no different in security. It may seem daunting to learn how to code, to reverse engineer, or to construct a sound security architecture system. If you have interest and ability, the great thing about the security field is people are hiring even if you only currently know how to “change the oil”. Opportunities in cyber security exist at all levels, and now is the best time to jump in!

This brings me to my next bit of advice for those keen on entering our field. Below you’ll find six simple steps to launch a career in cyber security and in this article, I’ll cover the second step, research, learn, and assess, in detail.

1. Define your career focus
2. Research, learn, and assess
3. Read and write
4. Formulate a view of the attack 
5. Make friends, make lots of different friends
6. Don’t be afraid to be wrong

#2. Research, learn, and assess

If you haven’t already selected an area of focus based on my previous blog recommendations, or are overwhelmed by the process of choosing an area, this approach might help.

Research

Many of the interns I’ve mentored—from colleges, prep schools, retraining programs, and other learning institutions —came into their internships with no exposure to security at all. In these situations, the first thing we work on is finding an area of security that interests them. To do this, I give all interns a learning task, for example, reading up on the latest corporate hack or information leak.

You can find these examples using resources like RSS feeds or news aggregators and focusing your reading on all things cyber security. This is one of my favorite news feeds and Symantec’s own Security Response blog is a great place to start. Twitter is also an excellent resource for reading up on the latest cyber security news. Find a handful of well-known cyber security professionals (including yours truly @jomansky), follow them, and the add some of their followers.

From there I ask them to break down the technical aspects of the story, focusing on things like: why the topic is important; what the risks are and who is at risk; how to detect the threat; and how to protect against it. This process often helps students find topics they are excited to learn about, and provides me with an opportunity to shape their internships.

Learn

Once you’ve defined your focus, it’s up to you to dive in and learn to “change the oil”. Let’s use incident response (IR) as an example. There are a ton of books, blogs, videos, and other learning materials that provide the basic steps on responding to an incident. These tools vary in length and complexity, and once you’ve explored a handful you’ll begin to see a pattern. You’ll learn about IR fundamentals from the perspective of a CSO, a CISO, a junior analyst, a government worker, and more.

It’s also helpful to review articles about actual incidents across different business sectors. Reading the analyst’s view of a particular incident can help you learn what he or she did right or wrong, where technology played a role, and where it was a people or process breakdown. This should give you a sense of what responding to an incident looks like, and give you insight into how to correct specific problems from happening again.

Learning about IR strategies is a great first step. When paired with technical awareness of the tools an incident responder might use to do the job, many of which are free or have trial versions along with demos, you are on your way to your first career opportunity in cyber security.

Assess

After researching security areas, and learning all you can, I next suggest assessing where your knowledge gaps are, and filling them. Focusing on what you’re missing can help ensure you have the full range of knowledge on a topic and that you can speak to it when asked in an interview. Taking incident response as our example again, review the duties and expectations of a dozen incident responder-related jobs, to see where you still need to build skills. Focus on what you’re missing and how you plan to gain that knowledge. The information is out there; go get it!

Though we focused on only one particular category of the cyber security space, incident response, as our example, the approach is the same for all positions, even the more technically advanced roles. The tools and knowledge are available and the cyber security skills gap in today’s job market needs to be filled. It’s up to you to grab this information, learn it, and get your foot in the door.

Follow our CR in Action blog for more on how to launch a cyber security career. Interested in a career in cyber security? Learn more about the Symantec Cyber Career Connection(Symantec C3), which provides a mix of targeted classroom education, non-technical skills development, and cyber security internships to position students to fill in-demand cyber security 

Background Image on Blogs "Quilted" Page: 

Silhouettes of Business People Discussing Outdoors.jpg

Week in, week out, the TV series, “Mr. Robot,” introduces fans to the darker side of our connected world. It makes for great entertainment but fun aside, the show’s plots aren’t far from fantasy.

When the hackers led by Mr. Robot decided to force the general counsel for E Corp out of her home, for example, they simply exploited a variety of unpatched devices to make their victim’s various “intelligent” devices suddenly go bonkers.

Too much? Maybe, but give Hollywood credit for having its collective finger on the pulse of an important security issue. As more smart things wind up in our homes and offices as part of the Internet of Things, we need to do better protecting these new endpoints - because there are going to be lots of them. In fact, Juniper Research estimates the number of IoT devices will more than double between 2015 and 2020 to 38.5 billion.  

Are we ready for a challenge of that magnitude? I want to be optimistic, but frankly, the road ahead is going to get bumpy.  

Rolling the Dice

Consider the way that the Conficker worm (sometimes also known as Downadup or Kido) continues to enjoy a Lazarus-like resurrection. Conficker, which began around 2008 was seemingly neutralized after the cybersecurity industry joined forces with overseas governments and cut off the worm’s access to internet domains.

Game over? Well, not exactly.

One of the lessons taught by WannaCry is that worms can infect a large number machines very quickly and have incredibly long lives. They self-propagate and never give up; as long as a device remains infected, they try and infect other devices.

It’s hardly shocking to learn that Conficker continues to hang around. It even made it onto Symantec’s list of the 10 most active worms and viruses last year.

The disruptions were particularly apparent at hospitals and healthcare facilities. Hackers targeted medical equipment because many hospital systems ran Windows XP and failed to apply timely patches or security software. Unsurprisingly, malware like Conficker was subsequently able to exploit the resulting security vulnerabilities.

The problem is even more acute nowadays as more medical devices that get connected don’t get regularly patched. But this problem stretches far beyond the medical industry. Starting today, even if every IoT device manufactured was guaranteed to be 100% secure – and that requires a leap of imagination - there still would be millions of vulnerable devices in use around the world. The blunt fact is that the poor security of IoT devices will haunt us for years.

Changing Old Habits

If this reminds you of a ticking time bomb, it should. IoT is a game-changing event in the history of IT and organizations increasingly view it as strategic to their operations. But that also puts enormous new responsibility on organizations and individuals to do better when it comes to cybersecurity. Left unprotected, IoT devices can turn into bots in a larger criminal enterprise to steal information or launch denial-of-service attacks as we’ve seen with Mirai, BASHLITE and other IoT malware.

So, what can you do to make a difference? A good place to start is by being more cyber-aware, at work and at home, when it comes to these myriad devices. Human nature is slow to change but begin by paying attention to the basic blocking and tackling around securing IoT.

• First, recognize that as technology pushes forward, more smart devices are inevitably going to wind up in your home. In my house, for example, I have 5 PCs, several cell phones connected to WiFi, a couple of smart TVs, a cable box, an Xbox player and an Apple TV device - all connected to the internet. Until I actually took an inventory, I had no idea that the number of connected devices was this high. I’m sure that's also the case with a lot of you.  

• Don’t stick with the default password on your router. This is the front door to your home network and it’s crucial to protect that device. Yet 34% of the end users we sampled recently said they still use the default password that came with their routers.

• When choosing a home router, make sure there’s some kind of protection beyond a simple firewall and that it can self-update.

• Password-protect all of your IoT devices. Get a password manager if you need help. But by all means, don't reuse the original password.

• Configure your Wi-Fi network to use encryption. It’s OK to be a little paranoid.Malicious hackers are lurking everywhere so don’t make it easy for them.

• Don’t connect any IoT devices to the internet if they don’t need to be connected. You’re simply reducing the odds of coming under attack.

Additional Resources:

If you enjoyed this blog and would like to watch Kevin’s webinar, click here here

Background Image on Blogs "Quilted" Page: 

mobileclick.jpg

Yes, you read that right: more than 25 percent of the mobile devices used by employees at financial services organizations are at risk from attack by malicious hackers due to unpatched vulnerabilities. This is one of many findings from our Q2 Mobile Threat Intelligence Report: Mobility and Finance. That means that 1 in 4 employees at the institutions you have trusted with your banking services are at risk. And you need look no further than Equifax to see what that might mean for you and your data.

The figures, unfortunately, don’t get any more encouraging as the report continues. We also found that more than 15 percent of financial service employee devices have been exposed to a malicious network, which makes planting malware and stealing information significantly easier for attackers. Yet another way for your sensitive information to find its way onto the dark web.

Security experts know all of this. The financial institutions have to know all this. And yet, financial breaches not only continue, but have been found to be the costliest of any industry, with the average cost to the company coming in at $5.24 million (versus $4 million for companies in other industries1). But, that’s just the average. In 2011, a major global bank paid to settle a case against the company because it had a “known technical vulnerability in its online banking system” that led to a breach that affected 130 million customers and ultimately cost the company more than $19 million.

Given the cost to the organization, the risk to both corporate and customer personal information, and the brand damage, the report posits that any cyber security breach of a financial institution is one too many. In fact, according to a 2016 poll conducted by OnePoll nearly 87% of people said they were either “not very likely” or “not at all likely” to do business with a company that had financial information breached. Imagine if a major bank had 87% (or even 20%) of its customer base leave on account of a security breach?

One of the biggest challenges for these financial services institutions is that mobile devices have known vulnerabilities that are regularly patched by Apple and Google. But, because of how user notifications might work (or not work), most users and enterprises don’t know when upgrades with security patches are available. Some Android users may never get a notice for their device at all! Then it’s left up to the enterprise and its users to install those patches, which exacerbates this critical gap in mobile security.

Along those lines, the report finds some big challenges with unpatched mobile devices:

• More than 13 percent of financial mobile devices are not running on the current major version of the operating system
• At any given time up to 99 percent of mobile devices in financial organizations may not yet be on the newest minor update
• iOS users update their devices far more rapidly than those using Android devices, with only 4.6 percent of iOS devices in financial organizations not on the latest major OS version, compared to 47.8 percent of Android.
• During the reporting period, an average of 25.9 percent of mobile devices in finance were able to update to a more secure OS version, but had not yet done so, leaving the device open to mobile exploits.

In addition to the high percentage of known unpatched vulnerabilities, the report also found additional gaps at banking and finance organizations:

• Three in every thousand devices has been infected with malware.
• More than 15 percent of employee devices have been victims of a malicious network exposure.
• Of every hundred devices, 2.5 are not even protected with a passcode.

The silver lining here is that there are ways for you – and financial services employees – to keep mobile devices safe. In some cases, like with SEP Mobile, it’s actually easy to do so! What we’re saying is: there is hope. Here are five rules to follow to dramatically reduce the risk of mobile cyber attacks:

1. Don’t click, install or connect to anything that you are not confident is safe.
2. Only install apps from reputable app stores.
3. Don’t perform sensitive work on your device while connected to a network you don’t trust.
4. Always update to the latest security patch as soon as it is available for your device.
5. Protect your device with a free mobile security app like SEP Mobile.

All of these risks and statistics illustrate why it is crucial for organizations – especially financial services institutions – to invest in a comprehensive mobile threat defense solution. If you’d like to dive a bit deeper, download the entire Q2 2017 Mobile Intelligence Threat Report: Mobility and Finance. If you’d like to learn more about how SEP Mobile threat defense protects organizations and prevents cyber-attacks without compromising the mobile user experience or privacy, visit our website or drop us a line.

Background Image on Blogs "Quilted" Page: 

commandcenter.jpg

The Senate has included the Modernizing Government Technology (MGT) Act as part of the Defense Authorization bill, a major step in providing federal technology leaders with additional funding to improve outdated technology.

While the bill must go through a few more legislative hurdles before becoming reality, the MGT Act has the potential to serve as a game-changing piece of legislation. Federal agencies currently spend more than $80 billion on information technology with 75 percent going to simply maintaining old and outdated systems.

With the MGT Act’s flexible funding options, the government can move one step closer to the modern era — tackling dangerous cyber vulnerabilities and better protecting the American people from increasingly severe attacks – while empowering agencies to move forward with long-overdue projects to streamline how the federal government operates.

Improving Security

Security needs to be at the heart of technology modernization. Legacy systems are slow and inefficient, but they are also a major security risk. They do not communicate well with newer systems, creating blind spots in visibility. They require special knowledge to maintain. They, in short, cause major headaches.

If fully passed, the MGT Act provides an avenue to improve this situation. Government has taken major steps to improve security in recent years. For the longest time, the approach around security was to plug best-of-breed solutions into different aspects of the enterprise with the belief that the best pieces made the most complete solution.

That turned out to not be completely true. Instead, agencies are now learning that working with an end-to-end security system that protects data at each stage of its lifecycle is optimal. These new systems can link cloud and on-premise solutions, creating an enterprise that is completely visible to security teams. Not only does this improve security it allows agencies to further integrate new solutions more seamlessly.

The federal government continues to face a big challenge when it comes to modernizing IT systems. The MGT Act provides a critical step, but can only help so much. The key for technology leaders going forward will be to use the MGT Act where possible, but also continue to look for ways to integrate modern security systems while reducing that legacy IT. Simply continuing on the same road is not an option. The MGT Act can provide a valuable tool that will be incredibly helpful. It can also serve as a catalyst to make other major changes in government technology, including the strengthening of the overall security posture.

Overview

As a widely used open-source platform, Android has always naturally attracted  a large contingent of hackers looking to build and design sophisticated malware that can be used to target mobile users globally. However, in last few years there has been a tremendous uptick in the creation and delivery of malicious Android apps for delivering malware, stealing sensitive information, distributing spam advertisements for profit, and abusing mobile resources.  A number of attacks have been identified recently in which malicious code infected millions of android mobile devices at a time. [1,2].

Hackers are targeting mobile devices more frequently because they have now become ubiquitous..  And tremendous amounts of data are being transferred between multiple mobile users, between mobile and on-prem users, and between mobile users and their cloud storage apps.  The heavy volume of traffic that these mobile devices are generating substantially increases a hacker’s success rate. t And since threats are more frequently originating in cloud storage applications and can easily be distributed to mobile devices,  malicious android code that is stored or distributed via cloud storage applications must be quickly detected and blocked.

Case Study: SMS Bomber Android Malicious Code

During in-house research and intelligence collection activities for the CloudSOC  Detect capability, Symantec researchers discovered that Microsoft OneDrive was being used to  distribute a “SMS Bomber” APK file. This is a hack tool that is used to trigger SMS bombing attacks.

When the shared link on OneDrive was clicked, the SMS Bomber Android package prompted the user to download the file. The testing is usually conducted in the controlled environment but real world attacks are carried out in the wild. For example:- the link is embedded or injected in the third-party domain.Mobile users were forced to visit that domain and could have downloaded this malicious binary (Hack Tool) once the device was compromised. In addition, direct URLs could have been shared to distribute the tool. Figure 2 shows the downloading of the SMS Bomber application.

Let’s see what happens when the shared link was clicked. The HTTP request was redirected by OneDrive to LiveFileStore URL via a “Location” header. This shows that the Android application was not hosted directly on the OneDrive storage platform. Rather, it was hosted on the LiveFileStore platform. The “livefilestore.com” is actually registered by Microsoft and used to store user-supplied content. This can be considered a content storage platform but it is not same as of “1drv.ms”. If any file is uploaded by the user, it will be stored on the livefilestore.com and eventually mapped back to the 1drv.ms link.

GET /v1.0/shares/u!<URI TRUNCATED> =/root/content HTTP/1.1
Host	api.onedrive.com
User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language	en-US,en;q=0.5
Accept-Encoding	gzip, deflate, br
Referer	https://onedrive.live.com/
Connection	keep-alive
Upgrade-Insecure-Requests	1


HTTP/1.1 302 Found
Via	1.1 BN2BAP1CAD6862F (wls-colorado)
Content-Length	0
Location	https://public.blu.livefilestore.com/<URI Truncated>/Sms%20bomber.apk
Server	Microsoft-IIS/8.5
p3p	CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-WLSPROXY	BN2BAP1CAD6862F
X-MSNSERVER	SN2AAPB5938F619
Strict-Transport-Security	max-age=31536000; includeSubDomains
X-AsmVersion	UNKNOWN; 21.2.0.0
X-AsmVersion-ProxyApp	UNKNOWN; 21.2.0.0
x-msedge-ref	Ref A: 8E3B9168A9F546838F701F7BD8379C14 Ref B: PAOEDGE0414 Ref 

Once the HTTP request was redirected to the LiveFileStore platform, the application was downloaded via HTTP response header “Content-Disposition”.

GET /<Truncated URI>/Sms%20bomber.apk HTTP/1.1
Host	public.blu.livefilestore.com
User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language	en-US,en;q=0.5
Accept-Encoding	gzip, deflate, br
Referer	https://onedrive.live.com/
Connection	keep-alive
Upgrade-Insecure-Requests	1


HTTP/1.1 200 OK
Cache-Control	public
Content-Length	370721
Content-Type	application/zip
Content-Location	https://public.blu.livefilestore.com/<Truncated URI>
Accept-Ranges	bytes
p3p	CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER	DM5SCH102221022
Strict-Transport-Security	max-age=31536000; includeSubDomains
X-SqlDataOrigin	S
CTag	aYzpBOEE3NTMxNEIxMDlBOTM4ITQyOS4yNTY
Etag	aQThBNzUzMTRCMTA5QTkzOCE0MjkuMQ
X-PreAuthInfo	rv;poba;
Content-Disposition	attachment; filename*=UTF-8''Sms%20bomber.apk
X-Content-Type-Options	nosniff
X-StreamOrigin	X
X-AsmVersion	UNKNOWN; 21.2.0.0

The application was fetched and dissected for analysis. It was forced to  install on an Android Nexus tablet to understand how the application works. Researchers determined that the application was a standard Hack Tool that is used to spam SMS messages on the fly to a large number of mobile users.  Figure 3 shows the SMS Bomber HackTool in action.

Generally, Hack Tool is considered malicious in nature because it is designed to perform some unverified operations that could impact the security state of the target device.

Countermeasures

CloudSOC can detect this threat as shown below:

Further. CloudSOC helps to:

• Gain granular visibility into the cloud application traffic as well as network traffic. Symantec CloudSOC provides complete visibility into cloud application traffic and how users interact with these apps.

• Scan files sitting in OneDrive via APIs and files shared via OneDrive URLs.  Symantec’s advanced malware analysis engine, along with CloudSOC, provides the capability to scan all files in cloud applications and shared via links.

• Enforce security policy for both cloud and non-cloud apps. Symantec ProxySG and advanced malware analysis integration with Symantec CloudSOC provides enterprise users with complete cloud app visibility and data security policy enforcement features, which can eliminate or mitigate the impact of these types of exploits.

References

[1] https://www.cyberscoop.com/android-malware-china-huawei-zte-kryptowire-blu-products/

[2] https://www.cnet.com/news/malware-from-china-infects-over-10-million-android-users-report-says/

Background Image on Blogs "Quilted" Page: 

multifactor.png

The damage to organizations that experience a data breach extends far beyond monetary fines or penalties–their brand may never recover.

Newer regulations such as GDPR, PCI & NIST 800-171 require companies to take a more holistic approach to security compliance. Meeting compliance requirements is only half the challenge, however. Organizations also need newer and faster ways to measure and prove their compliance with the mandated requirements. Large global organizations in regulated industries must often comply with a cornucopia of regulations and mandates with varied reporting requirements. Collecting the data needed to measure and prove compliance on an ongoing basis can be especially challenging in these environments considering how granular the reporting requirements can get at times. Even medium sized organizations that do not need to meet as many regulations as large companies can find the data collection and reporting tasks very cumbersome.

Using manual processes, custom scripts, or spreadsheets to collect and manage the data needed to measure compliance was never a good idea and is even less so now. The sheer scope of the reporting challenge requires the use of tools that automate the process of data collection and compliance measurement. You need to have a way to continuously bring measurement data, from across your enterprise to a central location so you can monitor how your security controls are working and help resolve problems expeditiously. Web-based dashboards and visualization capabilities are critical to helping you measure risk and check compliance status across your organization.

Periodic snapshots of your compliance status are also no longer enough. Your organization needs to be able to show compliance with mandated requirements on an ongoing and continuous basis across your digital infrastructure. That means having complete visibility over your data assets and consistently monitoring the controls you have at the application, database, server, network, endpoint, and cloud tiers to manage risk to the data. You need to identify new risks to your infrastructure and quickly address identified gaps in coverage that might result from the use of new technologies, such as IoT for instance. By having a process and technology that covers your entire digital infrastructure and the associated security controls, you can have the full visibility on what needs to be addressed to help reduce the security and mandate risks of your Enterprise.

Once you have the required compliance data, you need the ability to prioritize and fix the issues identified. These can vary from identifying and applying a patch, to changing processes, training users, or changing a configuration. Before you execute, often the biggest challenge is knowing where to start and how to prioritize. Wouldn’t it be nice to be able to view all the elements at risk, prioritized by relevance to your business, and the impact they could have? This can then serve as a starting point for remediation activities, and give comprehensive visibility into why certain things need to be addressed first. Building automation into the remediation process is key because left to manual steps; things can take an unacceptable amount of time and are prone to error.

There are at least two options available:

• Automate your patch process or
• Put in place a mitigating control that prevents the particular weakness from being exploited, which is then a repetitive process as you get closer and closer to the goal of compliance and reducing the overall risk within your organization.

Symantec Control Compliance Suite 12.0

The new release of Symantec Control Compliance Suite 12.0 is designed to help demonstrate compliance and to help reduce the overall risk to the enterprise. It supports automated security compliance assessments for over 100 major regulations and mandates including GDPR, NIST, HIPAA, PCI and many more right out-of-the-box. The agent-based and agentless scanning capabilities can perform 57,000 patch checks and over 15,000 configuration checks across 75 platforms so you can  quickly identify vulnerabilities and security gaps in your infrastructure. Control Compliance Suite lets you use the results of a single assessment to report against multiple regulations thereby eliminating the need to conduct separate security assessments for individual mandates. Audit-ready reports and dashboards provide visibility across both technical and procedural controls so you have a holistic understanding of how effectively you are managing IT risk. Most importantly, it has deep integrations with multiple offerings in the Symantec portfolio to enable closed loop remediation and risk reduction.

The new release of CCS v12.0 caters to the following areas of a compliance program:

• Deploy and upgrade within hours to ensure quick time to value
• New UI with guided flows and 30% reduction in clicks
• An architecture with self-healing agents for operational resilience
• Easy access to automated reports and dashboards
• Integrations with products like Symantec Data Loss Prevention (Relevant for GDPR), IT Management Suite (Automated closed loop remediation), and Data Center Security (enable virtual patching) to accelerate remediation, reduce risks, and enable Symantec to be your Cyber Defense Platform.

For information on Control Compliance Suite please visit the CCS home page.

Background Image on Blogs "Quilted" Page: 

PrettyBuilding.jpg

At the end of August, well-known security researcher Johannes Ullrich conducted a simple experiment that showed just how hostile the Internet is for connected devices.

Ullrich, the dean of research for the SANS Technology Institute, connected a digital video recorder to the Internet and left it there for nearly two days, rebooting the device — essentially wiping the slate clean — every five minutes. It only took two minutes, on average, for the DVR to be compromised by an attack. And not just any type of attack, but the most basic of approaches: Someone used the default password for the device.

The experiment underscores the spotty security plaguing so many of the connected devices that make up the so-called Internet of Things. While some devices have well-thought-out protections, others can easily be exploited by attackers. "This is not just about DVRs, but any device connected to the Internet with default passwords," Ullrich said. "Devices running Linux and using one of these default passwords — they are getting popped within minutes."

There are millions — if not, billions — of vulnerable devices connected to the Internet — from home routers to video cameras, and from medical devices to thermostats. The Internet of Things is firmly in the sights of attackers, and unfortunately, the bad guys don't have to work very hard as manufacturers making these devices continue to build in default passwords  across these devices, a practice that should've been stopped years ago.

In the summer of 2016, for example, attackers quickly spread malware across the Internet, armed only with a list of 62 commonly used and default passwords for — mostly — connected video cameras. The malware, the now well-known Mirai, scanned the Internet, infected the camera, and then used the device to keep scanning, while awaiting new commands.

An early command was to create a massive denial-of-service attack — an unprecedented massive flood of data — to make inaccessible the Web site of noted security journalist Brian Krebs in September 2016. The following month, attackers used the Mirai botnet — and other attack networks — to disrupt the operations of Dyn, an Internet infrastructure provider, and its clients, reportedly including Netflix, Twitter and CNN.

While smaller attacks happened earlier in the summer, the massive data floods against Krebs and Dyn made Mirai the poster boy for the dangers of insecure devices. "IoT botnets did not start with Mirai, they just gained a lot of exposure," said Ben Herzberg, security group research manager for security firm Imperva.

Mirai raised awareness of the danger of IoT devices to cybersecurity professionals, but attracted the attention of potential attackers. The release of Mirai's source code also fueled attackers' efforts.

In October, for example, another group introduced Hajime, which also uses default passwords to infect devices. Hajime is both stealthier and more technically sophisticated than Mirai. Because neither malware overwrites the flash memory of the compromised device — a restart resets the device back to a clean slate, and still vulnerable — a single IoT device can be serially attacked by different malware, Waylon Grange, a malware analyst with Symantec, wrote in a January blog post.

"One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware (or) worms that are out there scanning for devices with hardcoded passwords," he said. "This cycle will continue with each reboot until the device is updated with a newer, more secure firmware."

Beyond Botnets

While most IoT compromises have led to the creation of botnets, security experts warn that more sophisticated attacks will become more common. Of significant concern for companies is an attacker using an insecure device as a beachhead — a technique known as pivoting.

The breach of retail giant Target happened in just this way. An attacker used the interface to the company's HVAC system to gain a foothold in the retailer's network, leading to the leak of more than 100 million records, including credit-card data.

Perhaps the most oddball pivot is the reported hack of a connected fish tank that led to the compromise of a North American casino, and could have resulted in 10GB of data being transferred to another country, according to an unverified report in the annual threat report of anti-malware firm DarkTrace.

Companies should be prepared for more sophisticated attacks that reach beyond default passwords, said SANS's Ullrich. "There are a number of other vulnerabilities — like Web application vulnerabilities in the admin interfaces for the devices — but at this point, it is too easy to go after the default passwords," he said.

Because the Internet of Things often connects the digital network to a physical device — such as a thermostat, x-ray machine or an industrial centrifuge — compromising the device can lead to physical damage. Attackers — most thought to be nation-state agents — are already accomplishing such attacks. The Stuxnet attack on Iranian uranium processing facilities in 2009 and 2010, and the more recent ransomware attacks on hospitals — causing operational disruptions — have both shown the vulnerability of connecting insecure digital devices with physical systems.

"We are seeing a lot of attacks beyond default passwords and other low-hanging fruit," said Brian Witten, senior director of Symantec Research Labs Worldwide. "We are already seeing a wide range of these attack techniques done at scale."

Unfortunately, there is no easy defense. Most manufacturers only rarely patch, and most users wouldn't know how to patch the devices on their own.

For companies, the regular approach to information-technology systems — firewall and patch — does not necessarily work either. The business version of the Internet of Things tends to be devices needed for operation: Door locks, temperature controls and other physical systems.

Yet, there are things that the average company can do.

1. Don't Connect Unprotected IoT Devices to the Internet

The first line of defense for companies should be to put any connected device behind a good router with a firewall. While the approach can limit a device's functionality, it also prevents attackers from attempting to access the device via brute-force password guessing.

In addition, experts say a single firewall is not enough. Companies should also segment their network, preventing devices from accessing critical data and servers. Regularly monitoring the network for anomalous activity can also pick out when a device is acting strangely.

2. Manage the Devices

Every business should know what devices are connected to their network and manage every single one, from the time it connects until it leaves. Default passwords should be changed, the device should be regularly checked to ensure it has the latest update, and the users who can access the device should be limited.

Sensible in theory, but many devices do not have any way to be managed, SANS's Ullrich said.

"These devices tend to be so difficult to secure, because you don't have any integrated patch management systems for them," he said. "You can put them behind firewalls, but then you may lose a lot of functionality because you need to connect to those devices."

3. Be Prepared to be DDoSed

Finally, companies need to be prepared to be a target, even if their devices are not vulnerable. The widespread availability of connected devices with default passwords and easy vulnerabilities means that attackers have a ready supply of would-be bots to turn into a massive denial-of-service attack, warned Imperva's Herzberg said.

"Organizations need to understand that this huge availability of IoT bots means that something that was very expensive or much more expensive a couple of years ago is cheaper for attackers these days," he said. "So, they need to prepare themselves for an attack."

Background Image on Blogs "Quilted" Page: 

Silhouettes of Business People Discussing Outdoors.jpg

If only we could solve IT’s security headaches with a magic pill.  As impatient employees demand access to new cloud-based services and devices - which sometimes don’t mesh with an organization’s existing security framework - they’re not taking no for an answer. 

Oftentimes, departmental managers go behind IT’s back and procure the products on their own. But while these lone wolves may argue they are only cutting through bureaucracy and acting in the company’s best interests, they also risk introducing new vulnerabilities into the network.  We sat down with Jason Crist, Symantec’s Regional Vice President of Sales State, Local & Education for the Western United States to find out how IT can cope with these and other myriad challenges to cloud security. 

Q: Shadow IT - the unofficial, unsanctioned hardware and software like WiFi connected tablets and cell phones most workers bring to work - looks daunting from a security viewpoint. Security professionals are already swamped. What are you doing at Symantec to ease the burden? 

Crist: Shadow IT is certainly a buzzword today and it’s not going away anytime soon.  A huge issue that enterprises face is data loss through theft or accidental sharing of data.  Roughly 23% of cloud documents are shared broadly and 12% of those documents actually have sensitive, personally identifiable information including health and credit data. 

Organizations depend on mobile more than ever before. Take, for instance, Salesforce’s mobile app. Salesforce on the cellphone is critical for many people in sales. But you can’t just lock things down to the point where people can’t do their jobs, so ultimately there has to be a policy that says, `these apps we accept, and these we don’t.’ 

Symantec works with organizations to give them visibility into the cloud apps that are in use and shed light on which “unsanctioned” cloud services are potential issues.  Symantec can also monitor the content and files flowing in and out of a customer’s network through the web and email to make sure potentially harmful information isn’t leaking out. 

Clients also have to develop a policy and make sure that there is messaging and collaboration within the leadership team. You can leverage technologies to help you adhere to that policy. 

Q: What are you seeing overall? Are the best IT departments looking to give their clients more freedom than before, or less? 

Crist: They’re being selective in what they allow. Your marketing department certainly has the right to publish on Facebook and promote the brand of the company. Yet, with controls like the ones we have at Symantec, you can allow people to go to Facebook for an hour a day, say, but not play games there. Other than marketing, there’s really no reason for most workers to be on Facebook during work hours. So, no, I don’t think we are headed back to the days when everything was locked down. But it’s clear that organizations need to be mindful of the information and applications their people are touching. 

Beyond a list of sanctioned and unsanctioned apps, good cloud security means you have controls in the data center. You have the ability to see who is accessing which app and which data within a storage environment. Then you have controls to prevent that information from seeping out, whether the intent is malicious or not. 

And that’s what makes Cloud Access Security Brokers (CASB) – so important right now. We are at Shadow IT V 2.0 right now. There’s a lot more to pay attention to than most people realize.

We’ve polled IT managers and asked them: How many cloud apps do you suppose are in use by your employees? We routinely hear answers in the range of 30 or 40. The reality is much, much higher. We find 900 cloud apps, on average, on large networks. And many of these are from vendors that you’ve never heard of. 

So, what can go wrong? Here’s an example. In many cases, companies will only use the cloud for storage – let’s say they set a policy that says you are allowed to use Dropbox. What happens when an employee from Company X is about to move to the competition, company Y?  If he has Dropbox on his desktop, he can simply take a copy of all of his files with him. If they don’t have a policy that monitors what applications employees can use from their home, and they don’t have a policy that defines what they can download from their Dropbox, that data is gone. That’s such a simple thing. And you wouldn’t believe how often we see it happen.

Or suppose I work for a company that uses Dropbox, but I prefer SugarSync. SugarSync seems to work well because it syncs with my iPad and my PC and Mac and it does the same thing. So, I install SugarSync on my laptop. Next thing you know I’m connected to SugarSync with all corporate information in the Cloud, and there’s nothing to keep me from downloading anything I want, even though I wouldn’t be able to do that with Dropbox on this network. A good CASB can help prevent that. 

We’re in a good place in this market –in the top right of the Gartner quadrant with our CASB Solution. Our Symantec CloudSOC CASB gives not just visibility into apps that are running, but also corporate policy and control with data loss prevention so that you can really prevent important confidential information like personal health data or credit card account details from leaking out.

If you think of what firewalls do, controlling or preventing people from going places or making sure they go a certain pathway and what an intrusion prevention system (IPS) does in terms of what information is allowed and not allowed - all of these are functions our CASB does for cloud apps and content.  

Additionally, it also makes sure data is not transferred from one cloud to another, like from Dropbox to SugarSync to someone's desktop. Whether it's data at rest or data in motion, you've got a way to protect and control your most critical information. There are multiple ways to do that. 

Q: What’s the demand for CASB and other cloud security? Will this be the next big wave? 

Crist: Absolutely. In the state, local government and educational market, everyone is looking at adopting Amazon Web Services, Office 365, or numerous other cloud services because they want out of the managing of their own data center and managing the operating and capital expenditures that go along with it. They really want more of a utility model, where they can scale up and scale down without worrying about it.It’s something that I would say 60 or 70% of customers are asking us for a proof of concept or more info regarding visibility or audit of different cloud providers they may be using, sanctioned or not. 

Q: So, what’s the bottom line? Is the cloud more secure in practice? Less? 

Crist: It used to be that antivirus, gateways and firewalls were enough to keep you reasonably secure. Recently though, people have been getting into really big problems in the cloud when the crown jewels were compromised – like 120 million credit cards at one major retailer we’ve all heard of.  That placed a massive amount of money at risk. At consumer credit agencies, it's the data of their customers -- their crown jewels – that have been compromised. 

Those crown jewels are now in the cloud. Large organizations of all sorts have to become much more focused on what their sensitive data is, where that sensitive data resides and who’s accessing that data, while having measures in place to make sure it's not compromised.  In summary, the perimeter of your control has gone away, things are not in a central location and the days of having them in a fenced off area are gone. 

IT and top management have to ask themselves, has this data been classified? Is there anyone touching it who should not? If it has been compromised we need to make sure there’s s a wrap-around – that it goes to the cloud encrypted. If an authorized person is accessing that data from their home PC they have to go thru the VPN, and have to go through certain pathways. It's really evolving. I think we will see a significant uptick in data loss prevention and awareness. I just came off a tour in Texas and California. Two of the states’ main agencies are looking at CASB right now. I expect the rest of the country will soon follow.