6 Biggest Business Security Risks and How You Can Fight Back

IT and security experts discuss the leading causes of security breaches and what your organization can do to reduce them.

Security breaches again made big news in 2014. Yet despite years of headline stories about security leaks and distributed denial-of-service (DDoS) attacks and repeated admonishments from security professionals that businesses (and individuals) needed to do a better job protecting sensitive data, many businesses are still unprepared or not properly protected from a variety of security threats.

Indeed, according to Trustwave’s recent 2014 State of Risk Report, which surveyed 476 IT professionals about security weaknesses, a majority of businesses had no or only a partial system in place for controlling and tracking sensitive data.

So, what can companies do to better protect themselves and their customers’ sensitive data from security threats? CIO.com queried dozens of security and IT experts to find out. Following are the six most likely sources, or causes, of security breaches and what businesses can, and should, do to protect against them.

Enterprises Finally Recognize Users As Endpoint's Weakest Vulnerability

The Ponemon State of the Endpoint report shows endpoint management continues to grow more difficult.

As enterprises grow mature in their IT security practices, more of them are attributing endpoint risks to user behavior, rather than fixating on the vulnerabilities attackers ultimately use to break into systems, a new Ponemon Institute survey shows. Querying 703 IT and IT security practitioners, the State of the Endpoint study shows that 78% consider negligent or careless employees who do not follow security policies as the biggest threat to endpoint systems.

"Rather than looking to fix a particular device vulnerability with a single, silver bullet technology, this new study shows IT attributes risk to people," says Chris Merritt, director of solutions marketing for Lumension, which funded the survey. "Cybercriminals launch their attacks, and it's the job of IT and, quite frankly, every user to defend against them. This is a welcome culture shift, but unfortunately, it doesn't necessarily make things any easier."

In fact, 71% of respondents reported that managing endpoint risk has grown more difficult over the last two years. Though they reported user behavior as the biggest obstacle to managing endpoints effectively, the task is not being made any easier by the proliferation of devices connected to consumer cloud applications. Approximately 68% cite the significant increase in the number of personal devices connected to the network as a top endpoint security concern, and 66% point to the use of commercial cloud applications in the workplace as a big problem.

Meanwhile, attacks continue to accelerate. Nearly 70% of respondents said malware at the endpoint increased in severity last year. Approximately 80% of organizations reported web-borne malware as the most frequent attack vector, and the biggest increases in attacks came by way of zero-day attacks, APTs, and spearphishing. The applications most likely to be used by attackers were Adobe applications, applications using Java, and third-party cloud productivity apps.

The combination of user risks, proliferation of devices and apps, and increased attacks has 68% of organizations reporting that endpoint security is becoming a more important component of their overall IT security strategy.

"IT continues to battle malware at the endpoint," said Dr. Larry Ponemon, chairman of the Ponemon Institute. "While it is positive news that companies are making the security of endpoints a higher priority, to win the war they need to recognize the criticality of minimizing employee negligence and investing in technologies that improve the ability to detect malicious attacks."

Those investments will continue to grow at many organizations, with 45% of respondents reporting that they'll get more money to spend on security in 2015. As they figure out how to spend it, 95% of organizations report that they're moving away from prevention-oriented strategy and toward a detect-and-respond approach. They'll do that by employing big data and threat intelligence to analyze threats better in real-time.

This content was originally posted @ http://www.darkreading.com/endpoint/majority-of-enterprises-finally-recognize-users-as-endpoints-weakest-vulnerability/d/d-id/1318617?

Thunderstrike Mac Attack Achieves Persistence

An attack on MacBooks, called Thunderstrike, has been uncovered that makes use of the laptops’ physical Thunderbolt interface to achieve persistent boot rootkits.

Security researcher Trammell Hudson is prepping a demonstration of the attack for the 31st Chaos Communication Congress in Hamburg. It’s based on a two-year-old vulnerability, and will show how hackers can use malicious code to infect a MacBook's boot read-only memory (ROM), which is stored in a chip on the motherboard.

This results in the installation of persistent firmware modifications into the EFI boot ROM of Apple's popular MacBooks. The ROM is executed before the OS is loaded, so that it can simply hijack the OS kernel and take over the system. That also means that updating Mac OS X and/or replacing the hard disk drive will have no effect on the malware.

The bootkit can be easily installed by an evil-maid via the externally accessible Thunderbolt ports. Once installed, it can prevent software attempts to remove it and could spread virally across air-gaps by infecting additional Thunderbolt devices.

"It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple's EFI firmware update routines," Hudson said, describing his presentation. "This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems."

Thunderstrike also has a clever replication technique. "Additionally, other Thunderbolt devices' Option ROMs are writable from code that runs during the early boot and the bootkit could write copies of itself to new Thunderbolt devices," he said. "The devices remain functional, which would allow a stealthy bootkit to spread across air-gap security perimeters through shared Thunderbolt devices."

--Tara Seals US/North America News Reporter, Infosecurity Magazine

Microsoft OneDrive - Encryption Keys Uploaded?

Microsoft OneDrive in NSA PRISM

A sends:

1) BitLocker keys are uploaded to OneDrive by 'device encryption'.

"Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.

If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created."

2) Device encryption is supported by BitLocker for all SKUs that support connected standby. This would include Windows phones.

"BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices."

3) The tech media and feature articles recognise this.

"... because the recovery key is automatically stored in SkyDrive for you."

4) Here's how to recover your key from Sky/OneDrive.

"Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to ...onedrive.com..."

5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27)

Source http://cryptome.org/2014/11/ms-onedrive-nsa-prism.htm
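An added audit script (written for this page; not code from the submission above, from Cryptome, or from Microsoft) that lists each BitLocker volume's key protectors and flags recovery-password protectors on a non-domain-joined PC, the case the quoted documentation describes as uploaded to the Microsoft account. The -Rotate switch (our own parameter name) replaces those protectors so a previously uploaded copy no longer unlocks the disk; it assumes the administrator stores the new password offline, and whether device encryption re-uploads a freshly added protector at the next Microsoft-account sign-in is not settled by the page and should be verified on the build in question.

```powershell
# Added example: audit BitLocker key protectors for recovery passwords that
# device encryption may have escrowed to a Microsoft account.
# Requires an elevated session with the BitLocker module (Windows 8.1 / 10).
# The cmdlets are standard Windows ones; the policy logic here is ours.
param(
    [switch]$Rotate   # replace recovery passwords so any uploaded copy goes stale
)

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
Write-Host "Domain joined: $domainJoined"

foreach ($vol in Get-BitLockerVolume) {
    Write-Host ""
    Write-Host ("Volume {0}  status={1}  protection={2}" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)

    # No protectors at all means the volume is unencrypted or still in the
    # clear-key state the quoted documentation describes before MSA sign-in.
    if (-not $vol.KeyProtector) {
        Write-Host "  no key protectors (clear key or not encrypted)"
        continue
    }

    foreach ($kp in $vol.KeyProtector) {
        Write-Host ("  {0,-20} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
    }

    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if ($recovery -and -not $domainJoined) {
        # Non-domain-joined PC + Microsoft account sign-in is the configuration
        # in which device encryption uploads this protector to the online account.
        Write-Warning ("{0}: recovery password present on a non-domain-joined PC; " +
                       "assume it may be stored in the Microsoft account") -f $vol.MountPoint

        if ($Rotate) {
            $oldIds = $recovery.KeyProtectorId
            # Add the replacement first so the volume is never left without a
            # recovery protector, then remove the old ones.
            $after = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $newKp = $after.KeyProtector | Where-Object {
                $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId }
            foreach ($id in $oldIds) {
                Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $id | Out-Null
            }
            Write-Host "  replaced $($oldIds.Count) recovery password(s); store the new one OFFLINE:"
            Write-Host "  $($newKp.RecoveryPassword)"
        }
    }
}
```

Run it without -Rotate first to see what is on the machine; the recovery password is only shown to administrators, which is why the session must be elevated.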

We Should All Jump to the ‘Erasable Internet’

This month’s news provides yet another occasion for a friendly public-service reminder to anyone who uses a digital device to say anything to anyone, ever. Don’t do it. Don’t email, don’t text, don’t update, don’t send photos.

At least, don’t do it if you have any expectation that what you say will remain private — a sentiment that’s usually taken for granted in human communication, but that we should all throw to the winds, at least until we figure out a way to completely rethink how we store and manage our digital data.

Because here’s the thing about the digital world that we must remember. Nothing you say in any form mediated through digital technology — absolutely nothing at all — is guaranteed to stay private. Before you type anything, just think: How will this look when it gets out? What will Angelina Jolie think if she finds out about this? If Angelina won’t like it, don’t send it. Because Angelina will find out. So will the rest of the world.

This might seem like an extreme, perhaps jaded response to the hack at Sony Pictures Entertainment, which has resulted in the disclosure of thousands of private documents ranging from trivial to merely embarrassing to grossly serious.

The disclosures make the case for creating what I’ve called “the erasable Internet.” Last year, after the stunning rise of Snapchat, an app that sends pictures and messages that disappear after the recipient receives them, I argued that we were witnessing the birth of a new attitude toward data online.

Snapchat showed that saving everything — the default assumption of digital communication since its birth — wasn’t the only way to navigate the digital world. “Erasing all the digital effluvia generated by our phones and computers can be just as popular a concept as saving it,” I argued — and if we moved toward that model, the Internet might be a more private, and less dangerous and damaging place.

The Snapchat Internet is now being built. A range of start-ups across the world, including Snapchat itself, are working to create communications systems that are not based on saving as a default. Someday, perhaps someday soon, it may be possible to quickly and easily send messages that you can be fairly confident are secure.

But the erasable Internet is not really here today. And we should start acting like it. Despite the increasing popularity of programs that don’t store all of our data by default, almost everything we do on computers today is recorded and stored somewhere, often in places over which we don’t have any control.

Even Snapchat itself has been too loose on privacy. In May, it settled charges with the Federal Trade Commission, which had accused the company of collecting more data about users than it had disclosed, and of leaving users’ messages vulnerable to being captured using simple workarounds.

This suggests two ways to respond to the Sony attack. First, assume everything is public. Go about your business as if all you do on a computer is vulnerable to intrusion and exposure. Second, agitate for a world in which saving is not the default.

“Everyone is so excited about the cloud, but the cloud is really a drunken Xerox machine making copies of pretty much everything that everyone has said anywhere and spewing it all over the place,” said Howard Lerman, the co-creator of Confide, a messaging app that works like the corporate version of Snapchat.

Messages on Confide are deleted as soon as they are read. The app even includes a clever user-interface trick that requires scrolling a finger across the screen to read text, a measure that reduces the chance of someone capturing and distributing a screen image of a message. According to Mr. Lerman and his partner, Jon Brod, the Sony attack has prompted a surge of interest in Confide. “This was our biggest week ever,” Mr. Lerman said.

He sees Confide as a replacement for the business phone call.

“For you to be truly secure, the stuff that you say shouldn’t be lying around in places you have no control over,” Mr. Lerman said. “It used to be, 20 years ago, that the stuff you said in a conversation would be gone. That’s not true anymore.”

But the problem with Confide, Snapchat and every other ephemeral app is that not everyone uses them. To communicate with much of the world today, we’ve got to rely on insecure systems like email. That means we’ve got to remember to watch what we say and how we say it.

It’s a telling point that one victim in the Sony attack was Snapchat itself, whose secret business dealings were uncovered.

In an email to employees after the hack — an email he later tweeted — Evan Spiegel, Snapchat’s chief executive, wrote that he was saddened and angered by the attack, but that it underscored the urgency of Snapchat’s vision for the future of online life.

The central motivation of that vision, he wrote, was to bring a measure of secrecy back into our social lives. Secrets “bring us together,” Mr. Spiegel wrote, launching into an elegiac defense of privacy. He added: “It’s not O.K. that people steal our secrets and make public that which we desire to remain private.”

The Best Thing We Can Do About the Sony Attack Is Calm Down

First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I've heard calls for us to strike back, with actual missiles and bombs. We're collectively pegging the hype meter, and the best thing we can do is calm down and take a deep breath.

First, this is not an act of terrorism. There has been no senseless violence. No innocents are coming home in body bags. Yes, a company is seriously embarrassed—and financially hurt—by all of its information leaking to the public. But posting unreleased movies online is not terrorism. It's not even close.

Nor is this an act of war. Stealing and publishing a company's proprietary information is not an act of war. We wouldn't be talking about going to war if someone snuck in and photocopied everything, and it makes equally little sense to talk about it when someone does it over the internet. The threshold of war is much, much higher, and we're not going to respond to this militarily. Over the years, North Korea has performed far more aggressive acts against US and South Korean soldiers. We didn't go to war then, and we're not going to war now.

Finally, we don't know these attacks were sanctioned by the North Korean government. The US government has made statements linking the attacks to North Korea, but hasn't officially blamed the government, nor have officials provided any evidence of the linkage. We've known about North Korea's cyberattack capabilities long before this attack, but it might not be the government at all. This wouldn't be the first time a nationalistic cyberattack was launched without government sanction. We have lots of examples of these sorts of attacks being conducted by regular hackers with nationalistic pride. Kids playing politics, I call them. This may be that, and it could also be a random hacker who just has it out for Sony.

Remember, the attackers didn't start talking about The Interview until the press did. Maybe the NSA has some secret information pinning this attack on the North Korean government, but unless the agency comes forward with the evidence, we should remain skeptical. We don't know who did this, and we may never find out. I personally think it is a disgruntled ex-employee, but I don't have any more evidence than anyone else does.

What we have is a very extreme case of attacking. By "extreme" I mean the quantity of the information stolen from Sony's networks, not the quality of the attack. The attackers seem to have been good, but no more than that. Sony made its situation worse by having substandard security.

Sony's reaction has all the markings of a company without any sort of coherent plan. Near as I can tell, every Sony executive is in full panic mode. They're certainly facing dozens of lawsuits: from shareholders, from companies who invested in those movies, from employees who had their medical and financial data exposed, from everyone who was affected. They're probably facing government fines, for leaking financial and medical information, and possibly for colluding with other studios to attack Google.

If previous major hacks are any guide, there will be multiple senior executives fired over this; everyone at Sony is probably scared for their jobs. In this sort of situation, the interests of the corporation are not the same as the interests of the people running the corporation. This might go a long way to explain some of the reactions we've seen.

Pulling The Interview was exactly the wrong thing to do, as there was no credible threat and it just emboldens the hackers. But it's the kind of response you get when you don't have a plan.

Politically motivated hacking isn't new, and the Sony attack is not unprecedented. In 2011 the hacker group Anonymous did something similar to the internet-security company HBGary Federal, exposing corporate secrets and internal emails. This sort of thing has been possible for decades, although it's gotten increasingly damaging as more corporate information goes online. It will happen again; there's no doubt about that.

But it hasn't happened very often, and that's not likely to change. Most hackers are garden-variety criminals, less interested in internal emails and corporate secrets and more interested in personal information and credit card numbers that they can monetize. Their attacks are opportunistic, and very different from the targeted attack Sony fell victim to.

When a hacker releases personal data on an individual, it's called doxing. We don't have a name for it when it happens to a company, but it's what happened to Sony. Companies need to wake up to the possibility that a whistleblower, a civic-minded hacker, or just someone who is out to embarrass them will hack their networks and publish their proprietary data. They need to recognize that their chatty private emails and their internal memos might be front-page news.

In a world where everything happens online, including what we think of as ephemeral conversation, everything is potentially subject to public scrutiny. Companies need to make sure their computer and network security is up to snuff, and their incident response and crisis management plans can handle this sort of thing. But they should also remember how rare this sort of attack is, and not panic.

    Bruce Schneier
