Network Archives - IT Security Guru
https://www.itsecurityguru.org/tag/network/
The Site for our Community
Wed, 18 Nov 2020 11:48:30 +0000

The costs of VPNs: It’s not the printer…it’s the ink
https://www.itsecurityguru.org/2017/06/30/costs-vpns-not-printerits-ink/?utm_source=rss&utm_medium=rss&utm_campaign=costs-vpns-not-printerits-ink
Fri, 30 Jun 2017 09:56:28 +0000

The post The costs of VPNs: It’s not the printer…it’s the ink appeared first on IT Security Guru.

While today’s printer manufacturers might make a little money on their hardware, it’s the ink that brings in the big profits. The same concept applies to razors and razorblades. It turns out it’s also true for something as ubiquitous and seemingly well understood as the virtual private network (VPN).

Today, practically every company has a VPN, and most enterprises have many. Just like the printers and the razors, many companies may think of the VPN appliance, often included in the firewall, as representing the solution in its entirety. But even if you consider the client-side agents, you’ll still only be scratching the surface of the VPN’s reach and its costs.

Designed for performance

Part of the problem lies in the fundamental task that VPNs were designed to perform: connecting users to protected networks so that they can reach the private, internal applications housed there. There are a number of issues packed into that statement. The first is getting the user to the data centre that will offer the best performance. If your enterprise is operating at scale, that usually means regionally dispersed data centres.

But what if a data centre goes down or becomes overloaded? That requires a global server load balancer (GSLB). One could argue that the need for a GSLB is not solely due to the VPN, since regional data centres often don’t work well without one, but GSLBs certainly front the large deployments required for VPN access. That’s not all.

Tackling VPN barriers

The biggest issue with VPNs stems from the fact that, just like any other internet-facing device, they must listen for inbound requests. Like any other outward-facing device, the VPN is vulnerable to Distributed Denial of Service (DDoS) attacks, so many security-minded enterprises place DDoS protection in front of the VPN. With these come firewalls. Many enterprises sandwich their VPN between an external firewall, which takes all the traffic from the internet, and an internal firewall that manages access control lists, allowing the enterprise to employ another set of load balancers for the resources themselves.

Just like any stack of disparate appliances, each device views the world through the lens of its specific purpose. This means that each data centre must be synced with all the others, multiplying the effort required to maintain a consistent user experience. These problems only grow as your applications move to the cloud.

Maintaining VPNs

There are costs outside the data centre as well. The operating costs for deploying and maintaining VPNs can be considerable. Managing the access control lists in the firewalls, for example, has been difficult enough to keep enterprises from realising the goal of network segmentation, despite acknowledging the need to do so. Not only was there downtime associated with getting users up and running, but there was a very real price tag for the associated helpdesk costs. SSL VPNs (Secure Sockets Layer virtual private networks) solved some problems, but many enterprises have returned to a simpler IPsec model to ensure application connectivity.

The largest potential costs, however, come from the security risks posed by users themselves, who are being placed on the data centre network to get application access. Most users don’t understand the implications of such access, and unless they are actually in IT, it’s not reasonable to expect that they ever will. Most are completely unaware of damage that could be done if their VPN password fell into the wrong hands.

Can VPN actually be secured?

Theoretically, VPNs for work can be secured, and enterprises have spent vast sums over the years attempting to do so. In practice, though, the rise in press-worthy data breaches that can be traced directly to VPN use says no.

As the specification evolves, it may appear to require that the enterprise walk away from an infrastructure investment that has already been made. Such investment may be perceived as a “sunk” cost, making a new option seem unrealistically costly. In reality, the price tags associated with operating VPNs are often much higher than they appear on the surface. In comparing the solutions, it may be useful to bear in mind the additional hardware required to secure what is essentially an open Internet port in the form of a VPN. When debating the pros and cons of VPNs, operating costs should be considered, particularly as users proliferate and applications move to the cloud.

Of course, as we’ve seen from many high profile cases in the last few years, the cost of a security breach given well-documented VPN vectors must be acknowledged. In other words, it’s not just the cost of the printer; one must factor in the ongoing cost of the ink.

How Service Providers Win
https://www.itsecurityguru.org/2017/05/02/service-providers-win/?utm_source=rss&utm_medium=rss&utm_campaign=service-providers-win
Tue, 02 May 2017 09:07:12 +0000
Standing still is the kiss of death for any service provider. If you fail to evolve, your competition advances. Ultimately, you’re either left in the dust or rendered obsolete.
It’s imperative for service providers to always look several steps ahead.
Planning for the next technology shift or solution set that helps you optimise your network and your applications will lead to improved and modernised service offerings and new customers. This, in turn, can spark a boost in revenue.

Start Now

Service providers now face their biggest challenges when it comes to service diversification and differentiation — what are you doing that the others are not? And while it’s a hurdle, it’s also a great opportunity to take charge and pull ahead of the pack.
The ability to seamlessly update your networks to prepare for the shift to 5G, the evolving cyber security threat landscape, the massive number of Internet of Things (IoT) devices that will soon connect and the transition to IPv6 will put you out front.
Now more than ever, customers want instant gratification. If a service suffers even the smallest of hiccups or falls behind the curve, that’s a blemish that may never clear. Scalability, high performance and availability aren’t nice-to-haves, they’re must-haves. And your customers will tell you so — often and with their wallets.

Future-Proof

So what can you do as a service provider to future-proof your network and prepare for what’s next? Here are four steps:

  1. Get ready for 5G: The transition to 5G is coming. Soon. Along with the promise of reduced network latency and much higher data rates, such as the ability to download an entire movie in seconds versus minutes, 5G brings with it a massive influx of connected IoT devices that can pose serious security threats. Start planning for the transition to 5G now to ensure your network is up to snuff.
  2. Preserve IPv4 addresses: As you prepare for IPv4 exhaustion and migration to IPv6, you must have a plan in place. Service providers need solutions that not only preserve your pool of IPv4 addresses, but also provide a seamless migration path to IPv6. By extending the service life of your IPv4 infrastructure, you’ll buy yourself time to plan for IPv6 while reducing costs by avoiding disruptions to business operations.
  3. Focus on scale: Increase the availability and operational efficiency of your applications by implementing solutions that auto-scale as services demand increases. Nothing will hurt you more than service disruption due to popularity. Don’t let your success be your failure. Scale will also be a factor when more devices start connecting to your network when 5G comes fully online.
  4. Think security first: Can you afford downtime or disruption due to a DDoS attack? Remember, a security breach not only costs you downtime, but also reputation damage and customer churn. Ensure you have the proper security in place to protect against volumetric DDoS attacks. In this era of massive, multi-vector attacks, service providers should find solutions that scale to defend against attacks that exceed 1 Tbps.

Are you and your service provider network ready for what’s next?
By Duncan Hughes, Systems Engineering Director, EMEA, A10 Networks

Brit network O2 hands out free Windows virus with USB pens
https://www.itsecurityguru.org/2016/08/09/brit-network-o2-hands-out-free-windows-virus-with-usb-pens/?utm_source=rss&utm_medium=rss&utm_campaign=brit-network-o2-hands-out-free-windows-virus-with-usb-pens
Tue, 09 Aug 2016 09:34:09 +0000
A marketing campaign by O2 that sent customers USB-embedded pens backfired last week – after it transpired a number of devices contained a “Windows-specific virus.”
The UK cellphone network sent out the USB pens to its business customers followed by a marketing email encouraging them to download a free eBook. That was then followed by another email warning that the USB drive inside the pen contained malware.
The email, titled “Urgent: Information about potential virus”, warned that some of the promotional USB-embedded pens had a Windows-specific virus that “may not be picked up by out-of-date Anti-Virus software.”
Original Source: The Register
View the full story here.

Employees – the weakest link to commercial security risks
https://www.itsecurityguru.org/2016/06/20/employees-the-weakest-link-to-commercial-security-risks/?utm_source=rss&utm_medium=rss&utm_campaign=employees-the-weakest-link-to-commercial-security-risks
Mon, 20 Jun 2016 09:00:09 +0000
Security breaches have become ever present within our society today, with news of breaches, such as those to baby care retailer Kiddicare and social media giant LinkedIn, gracing the front pages most mornings. With cybercriminals having an increasing presence within our rapidly evolving online society, scenarios such as the above are likely to become a more everyday occurrence unless the right measures are put in place.
The cost of the average data breach rose dramatically in the last twelve months[1], with the average cost for companies increasing to $3.79 million once lost business, compliance fines and reputational damage are taken into account. To put it another way, the average cost for each stolen record – often containing sensitive and confidential information – is $154, a number not to be sniffed at. As a result, businesses are becoming increasingly concerned about protecting the sensitive data that they hold within their business.
Businesses need to understand how cybercriminals are increasingly gaining access to their internal systems before they can mitigate this risk.  It may come as a surprise to many of you, but the days of the brute force attack are over, now the bad guys wishing to infiltrate your network are taking a much more calculated approach. According to recent research by Intel[2], internal factors are now responsible for almost half (42 per cent) of all data loss cases in the UK, demonstrating that employees are often an organisation’s weakest link when it comes to information security.
Most of this is down to phishing scams, where fraudsters attempt to acquire sensitive information, for example usernames, passwords and credit card details or steal money by masquerading as a trustworthy entity via an email, pop-up message, phone call or text message. Once a cybercriminal has an employee’s password, obtained by a phishing scam or any number of other common social engineering techniques, they can access the entire corporate network and the sensitive data held within it.
In fact it is getting so bad that UK-based Action Fraud reveals that it now receives 8,000 reports of phishing scams every month[3]. Email is by far the most common attack vector with over two thirds (68 per cent) of people who reported a phishing scam saying that is how they were contacted. This compares to 12.5 per cent of people who said they were contacted by phone, 8.9 per cent of people who reported that they received a text message and the rest claiming they were contacted in another way.
The process of phishing is often very swift too. According to a recent report by Verizon[4], it takes cyber criminals just 82 seconds to ensnare the average victim in a phishing scam, with almost a quarter (23 per cent) of people likely to open a phishing email.
Whether it’s down to human error, a phishing scam or an intentional leak, organisations of all sizes need to embrace employee education as part of their security policies. Not only will this educate employees on the risk and potentially crippling costs associated with data breaches, but it will also provide insight into the types of phishing scams that they are likely to fall victim to. By doing so, employees will have an understanding of the risk that such breaches pose to the organisation and be able to alert the IT team if they are being specifically targeted.
The problem with phishing though is intensified by the fact that modern techniques are getting increasingly hard to spot for even the savviest employees. Whilst education of staff is important, it is also imperative to have a safety net so that you can understand exactly how data is moving in, around and out of your organisation.
Only by gaining greater visibility, analysis and control of all communications channels can businesses mitigate the cost of sensitive data leaving the safety of the organisation. To facilitate this, organisations need to be able to monitor each employee’s use of corporate assets at the most basic level, regardless of whether users are in-office or mobile. Solutions such as cloud application control (CAC) solutions can provide businesses with this visibility and the ability to discover, analyse and control the information staff are accessing or sharing.
With the added pressures of digital transformation impacting how and where we work, employees are increasingly opting to work outside of the traditional office environment. Because of this, businesses need to ensure that the right employees have the right access to company information and systems no matter where they’re working from, with access privileges adapting depending on whether they are in or out of the office. Multi-factor authentication can play a dominant role within an organisation’s cybersecurity strategy, helping to provide visibility of the use of cloud apps – authorised or otherwise – so that they can spot when a phishing attempt may be leading to a sustained data breach and help mitigate the associated fallout.
[1] https://www-01.ibm.com/marketing/iwm/dre/signup?source=ibm-WW_Security_Services&S_PKG=ov34982&S_TACT=000000NJ&S_OFF_CD=10000253&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=01512328606014640999746&cm_mc_sid_50200000=1464099974
[2] http://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf
[3] http://www.actionfraud.police.uk/news/action-fraud-reveals-that-it-receives-8000-reports-of-phishing-scams-every-month-mar16
[4] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

Work-mad Britons taking office on their holidays
https://www.itsecurityguru.org/2016/06/13/work-mad-britons-taking-office-on-their-holidays/?utm_source=rss&utm_medium=rss&utm_campaign=work-mad-britons-taking-office-on-their-holidays
Mon, 13 Jun 2016 09:54:52 +0000
Holidays are meant to be a time to disconnect, unravel and indulge in the pleasures life has to offer – you’ve earned it after all that hard work right?
Well, for many UK workers, it appears this is not the case. New research by OneLogin, a cloud-based identity and access management provider, has found that over a third of the UK workforce access work apps whilst on holiday and a quarter of us look at work apps before anything else in the mornings. Undoubtedly a surprise to people who advocate a healthy work-life balance, the findings indicate employees are effectively never leaving the office, with almost half (46%) of respondents having one to two work apps on their mobile device and almost a quarter (23%) admitting to having more than three – all of which they check daily outside of work.
Studies in the past have proven that overworked employees who can’t disconnect from their work reduce productivity and encourage apathy towards work – in this instance, it could also lead to major slip-ups of the security variety.
Namely, this opens up a vast attack surface – every device used by employees, whether private or work-related, could become the weak link in the chain. A lost work phone or laptop found by the wrong person on holiday could give them access to a whole world of confidential data. Information shared through unsecured devices can be intercepted. Using a compromised network with a device that lacks effective safeguards around the sensitive data it carries can allow hackers to steal that data. Britons’ work obsession is now putting corporate data at risk.
Although three-quarters have security software set up on their work devices (potentially due to organisation’s security policies), employees are making a habit of bypassing simple security procedures. One-in-ten would readily give colleagues access to their work device (11 per cent) and a further one-in-ten (9 per cent) would grant their partners access. 35 per cent would actually share their passwords for work-related technology (devices, apps and emails) with close friends and family. By default these additional people are then granted access to the corporate network.
“Whether we like it or not, the UK is becoming a nation of workaholics, quite literally carrying work around in our pockets, on public transport with us, on holiday, and even to the bathroom”, comments Per Stritich, VP of EMEA at OneLogin. “Remote and desk-less employees are of course largely beneficial to organisations in terms of productivity and scaling down on costs. However, the correct measures need to be put in place to ensure remote workforces are accessing data securely and that it’s not placed in the hands of others. For example, single sign-on technologies and IAM solutions will ensure only the employee can access work data, no matter who else gets their hands on the device.”
All this remote working that technology has made possible has been hugely beneficial in opening up businesses and helping them operate globally. However, with so much more now to secure than in the past, it’s evident employers have to come to terms with this new facet of business life. We have the solutions and the skills necessary to use remote working safely, but for some reason many enterprises simply haven’t made it happen.
So Britons, leave the phone at home or make sure it’s secured! Some companies have policies in place and the world’s security experts have a million and one suggestions for how best to ensure you don’t expose corporate networks to compromise through employee devices. What’s most important is that the security is fit-for-purpose and can keep up with how your business is structured now, as well as in the years to come.

Five most common myths about Web security
https://www.itsecurityguru.org/2016/05/24/five-most-common-myths-about-web-security/?utm_source=rss&utm_medium=rss&utm_campaign=five-most-common-myths-about-web-security
Tue, 24 May 2016 11:02:58 +0000
Running behind trendy APTs, we tend to forget about a common-sense approach and holistic risk assessment.

Almost 3 terabytes of data stolen in the Panama Gate scandal will shortly become searchable online. Mossack Fonseca, the breached legal firm behind one of the largest data leaks in history, had numerous high-risk vulnerabilities in its front-end web applications, including its Client Information Portal. Actually, few hacking groups would spend money on expensive zero-days and complicated APTs when the information can be easily stolen via insecure web applications. Moreover, even if your corporate website doesn’t contain a single byte of sensitive data, it’s still a perfect foothold to get into your corporate network.
Today many people, including cybersecurity professionals, underestimate the importance of web application security, focusing their attention instead on APT detection, enterprise immune systems and other activities that apply when it’s already “too late” to react and prevent the breach. A common-sense approach suggests that before installing expensive anti-burglar equipment and an alarm in a house, the owner should first close the doors and the windows and probably build a fence around it; otherwise the money is thrown down the drain. Let’s have a look at the five most common myths that exist today about web application security, leading to sensational data breaches, huge financial losses and CISO dismissals:
Protection of corporate crown jewels is more important than web apps
No, you cannot secure one part of your network and ignore another. Information security should be comprehensive and holistic: analyse all threats, vulnerabilities and thus attack vectors together. Today, no cybercriminals will try to steal your crown jewels directly from wherever they are [securely] stored.
Breaking in via your web applications, paired with spear phishing, will probably be one of the cheapest, most reliable and quietest ways to get into your corporate network and bypass your defence-in-depth. When you perform a risk assessment, think like a professional cybercriminal: keep the costs and time spent [on the attack] as low as possible. When you are mapping attack vectors and vulnerabilities, the more external people who can join your brainstorming session, including law enforcement agencies and victims of data breaches from your industry, the better.
My web applications are secure – I am PCI compliant
No, even if you have successfully passed your last PCI DSS compliance audit, it can never replace a holistic risk assessment and a common-sense approach to security. Even though PCI DSS 3.2 now requires multi-factor authentication to access the Cardholder Data Environment (CDE), that does not mean that only the web applications within the CDE scope should be properly protected. A vulnerable subdomain, spear phishing and a $10,000 exploit pack can lead to the compromise of your technical team’s machines, opening any door inside your company network, including the CDE scope (if the victim’s machine is backdoored, even 2FA can be easily intercepted and compromised).
Automated vulnerability scanning is sufficient
No, unlike SSL testing for example, fully automated vulnerability scanning is not enough for modern web applications. Recent research from NCC Group compared various vulnerability scanners, and even the best of them had about 50 percent false positives. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory confirmed that neither humans nor artificial intelligence has proven successful at maintaining cybersecurity alone, and proposed a combination of human and machine to achieve the best results. This is why the leading cybersecurity companies that used to rely on automation now partner with companies that develop hybrid vulnerability detection technologies. Yes, you should automate as much as you can, but you cannot automate everything.
Penetration testing is the ultimate way to test web security
No, because penetration testing is not scalable and cannot be used in a 24/7 continuous mode. Even if you can afford monthly penetration testing, nobody can guarantee that within the 30-day period no zero-days will go public, or your web developers will not make a dangerous error in the code.
Penetration testing can perfectly complement your continuous monitoring, but it can never replace it. This is why MIT folks say that the future belongs to hybrid systems that combine 24/7 continuous monitoring leveraging machine-learning, but supervised and managed by humans.
WAF can reliably protect web infrastructure
No, even though it is a must-have technology for preventing simple and automated attacks, a WAF cannot prevent exploitation of every vulnerability. Application logic, access control, chained vulnerabilities, authentication and data encryption issues are not vulnerabilities your WAF can reliably detect and prevent.
High-Tech Bridge performed detailed research on the ModSecurity WAF to demonstrate that some complicated flaws, such as Improper Access Control and CSRF, can be patched via the WAF; however, it takes so much time and manual effort that it doesn’t make sense to use a WAF for this purpose. Otherwise, in the era of agile and JIT software development, you always have to choose: either your WAF will block some of your legitimate customers and you will lose money, or it will overlook some of the attacks, allowing hackers to get in. And yes, the currently fashionable RASP solutions have similar and even worse problems than WAFs.
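To make the access-control point concrete, here is an added example (not from the article or from High-Tech Bridge’s research): a toy signature filter standing in for a WAF, and an invoice handler shown with and without a server-side ownership check. The invoice store, the signatures and the request shapes are constructed for illustration.

```python
"""Why a signature-based WAF cannot catch broken access control.

Added example: a WAF inspects what a request *looks like*; an authorisation
decision needs to know *who* is asking and *what they own*, which only the
application has. All data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed store: invoice id -> owning user. In a real app this is a DB lookup.
INVOICES = {"1001": "alice", "1002": "bob"}

# WAF-style signatures: they match injection *syntax* in the request bytes.
WAF_SIGNATURES = [
    re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1)"),  # SQLi shapes
    re.compile(r"(?i)<\s*script\b"),                                   # reflected XSS
    re.compile(r"\.\./"),                                              # path traversal
]


@dataclass
class Request:
    user: str          # authenticated identity taken from the session
    path: str          # e.g. /invoices/1002
    query: str = ""    # raw query string


def waf_allows(req: Request) -> bool:
    """True when no signature matches. The WAF has no idea who owns invoice
    1002; a request for someone else's invoice is byte-for-byte benign."""
    target = f"{req.path}?{req.query}"
    return not any(sig.search(target) for sig in WAF_SIGNATURES)


def get_invoice_vulnerable(req: Request) -> Tuple[int, str]:
    """Handler without an ownership check: any authenticated user can read any
    invoice simply by changing the id (insecure direct object reference)."""
    invoice_id = req.path.rsplit("/", 1)[-1]
    if invoice_id not in INVOICES:
        return 404, "not found"
    return 200, f"invoice {invoice_id} of {INVOICES[invoice_id]}"


def get_invoice_fixed(req: Request) -> Tuple[int, str]:
    """Hardened handler: the object is looked up *and* checked against the
    session identity before anything is returned."""
    invoice_id = req.path.rsplit("/", 1)[-1]
    owner = INVOICES.get(invoice_id)
    if owner is None or owner != req.user:
        # Identical response for missing and foreign ids, so ids cannot be enumerated.
        return 404, "not found"
    return 200, f"invoice {invoice_id} of {owner}"


def serve(req: Request, handler: Callable[[Request], Tuple[int, str]]) -> Tuple[int, str]:
    """Request pipeline: WAF first, then the application handler."""
    if not waf_allows(req):
        return 403, "blocked by WAF"
    return handler(req)


if __name__ == "__main__":
    injection = Request("alice", "/invoices/1001", "id=1' or '1'='1")
    idor = Request("alice", "/invoices/1002")   # bob's invoice, syntactically clean
    print(serve(injection, get_invoice_vulnerable))  # (403, 'blocked by WAF')
    print(serve(idor, get_invoice_vulnerable))       # (200, 'invoice 1002 of bob')
    print(serve(idor, get_invoice_fixed))            # (404, 'not found')
```

The WAF stops the injection-shaped request but waves the cross-user read through; only the application-level check in get_invoice_fixed closes it.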
Yan Borboën, partner at PwC Switzerland, MSc, CISA, CRISC, comments: “Cyber defense is not only a technological problem which needs to be solved by the CISO. All companies’ stakeholders (Board of Directors, C-Levels) must be involved in the cyber defense in order to obtain the right mix between technologies, processes, and people measures. Moreover, in our PwC Global Economic Crime Survey 2016, we noted that 63% of respondents do not have a fully operational incident response plan, even though we all know that in today’s business landscape, information security incidents are a question of “when”, not “if”. This is also a myth that I would recommend companies tackle. Incidents will happen at your company, so be prepared.”
The five myths above are busted with a common-sense approach and pragmatic technical analysis. Remember them when building your corporate cybersecurity strategy and you will avoid numerous pitfalls and problems later.
You can find out more about High-Tech Bridge’s findings on this topic here

The Three Little Pigs and the Big Bad Botnet
https://www.itsecurityguru.org/2016/05/16/the-three-little-pigs-and-the-big-bad-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=the-three-little-pigs-and-the-big-bad-botnet
Mon, 16 May 2016 08:38:32 +0000
I’ll huff and I’ll puff and I’ll…bring your web application offline!
The possibility of a business being targeted by some huge zombie army, or botnet, is enough to send shivers down the spine of many seasoned security veterans. Modern botnets are of vast size and power, with more sophisticated features and capabilities than ever before. Modern botnet attacks can be very precise and controlled, being pulsed and sent in different ways to make the attackers impossible to trace and the impact that much more damaging. So who is behind these botnets, what can we expect to see in the future and how can organisations put their fears to bed and defend themselves effectively from them?
Botnets have transformed the DDoS landscape. Once, attacks were the preserve of a small, technical elite who had enough coding skills to launch a strike. But now, DDoS-for-hire botnets have significantly lowered the barriers to entry. A quick Google search and a PayPal account makes botnets readily available for just a few dozen dollars, with no coding experience necessary. And they are becoming increasingly popular – DDoS-for-hire botnets are now estimated to be behind as many as 40 per cent of all network layer attacks.
But while the majority of purchasers are likely to be low-level attackers, seeking to cause mischief and settle personal grievances, more powerful botnets-for-hire are also being utilised by state actors and organised crime syndicates. In recent years, DDoS attacks have been getting bigger and bigger. Our Security Operations Centre recorded a dramatic (25%) increase in very large attacks of more than 10Gb per second among our customer base in the second half of last year. And in terms of individual attacks, the strike on the BBC in January was one of the biggest ever reported, at an enormous 600Gb per second. While these attacks clearly cause significant damage, we believe that their primary purpose is often just to demonstrate their attackers’ capabilities so that they can be sold as a service in the future. The kind of gigantic attacks that make headlines aren’t cheap to rent, and would probably cost upwards of $150,000 to engage. As a result, these are only likely to be utilised by criminal or nation state attackers, who have access to a sophisticated infrastructure with money laundering capabilities.
Looking forward, there is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into our Internet of Things. By using amplification techniques on the millions of very high bandwidth density devices currently accessible, such as baby video monitors and security cameras, DDoS attacks are set to become even more colossal in scale. Terabit-class attacks may become increasingly common, and ‘breaking the Internet’ – or at least clogging it in certain regions – could soon become a reality. The bottom line is that attacks of this size can take virtually any company offline, and are a reality that anyone with an online presence must be prepared to defend against.
But it isn’t just the giant attacks that organisations need to worry about. Before botnets are mobilised, hackers need to make sure that their techniques are going to work. This is usually done through the use of small, sub-saturating attacks which most IT teams wouldn’t even recognise as a DDoS attack. Due to their size – the majority are less than five minutes in duration and under 1Gbps – these shorter attacks typically evade detection by most legacy out-of-band DDoS mitigation tools, which are generally configured with detection thresholds that ignore this level of activity. This allows hackers to perfect their methods under the radar, leaving security teams blindsided by subsequent attacks. If these techniques are then deployed at full scale with a botnet, the results can be devastating.
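As an added illustration of the detection gap described above (example code written for this page, not Corero’s own detection logic), the Python script below runs two detectors over a constructed per-second traffic series: a legacy fixed-threshold detector that only fires once traffic has stayed above 1Gbps for five minutes, and an always-on baseline-deviation detector that catches a 90-second burst well under 1Gbps. All traffic values are constructed.

```python
from statistics import mean, pstdev

# Constructed per-second inbound traffic samples (Mbps) at one network edge:
# ~120 s of normal traffic around 215 Mbps, a 90 s burst around 800 Mbps
# (short and under 1 Gbps, i.e. sub-saturating), then normal traffic again.
NORMAL = [200 + (i % 7) * 5 for i in range(120)]
BURST = [800 + (i % 5) * 10 for i in range(90)]
SAMPLES_MBPS = NORMAL + BURST + NORMAL[:60]


def legacy_threshold_alerts(samples, threshold_mbps=1000, min_seconds=300):
    """Legacy out-of-band style: alert only once traffic has stayed at or
    above a fixed volumetric threshold for a sustained window.
    Returns the start offsets (seconds) of alerts."""
    alerts, over = [], 0
    for t, v in enumerate(samples):
        over = over + 1 if v >= threshold_mbps else 0
        if over == min_seconds:
            alerts.append(t - min_seconds + 1)
    return alerts


def baseline_deviation_alerts(samples, warmup=60, sigma=4.0, min_seconds=10):
    """Always-on style: learn a baseline from the warm-up window and alert on
    any run of at least min_seconds samples well above it.
    Returns (start, end) offsets of each run."""
    base = samples[:warmup]
    mu, sd = mean(base), pstdev(base)
    # Floor the threshold at 1.5x the baseline mean so a very flat baseline
    # does not turn ordinary jitter into alerts.
    threshold = max(mu + sigma * sd, 1.5 * mu)
    alerts, start = [], None
    for t in range(warmup, len(samples)):
        if samples[t] > threshold:
            start = t if start is None else start
        elif start is not None:
            if t - start >= min_seconds:
                alerts.append((start, t - 1))
            start = None
    if start is not None and len(samples) - start >= min_seconds:
        alerts.append((start, len(samples) - 1))
    return alerts


if __name__ == "__main__":
    # The legacy detector stays silent; the baseline detector reports
    # the burst at seconds 120..209.
    print("legacy:", legacy_threshold_alerts(SAMPLES_MBPS))
    print("baseline:", baseline_deviation_alerts(SAMPLES_MBPS))
```

A real deployment would feed flow or packet-rate telemetry rather than a fixed list, and would learn the baseline per destination prefix or service rather than for the whole edge.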
Besides harnessing enormous power, botnets are also notoriously difficult to spot. Once deployed, they utilise sophisticated techniques to hide their tracks. Their command and control infrastructure can be automated or set on autopilot, they can sleep for long periods of time, they can have ubiquitous bandwidth available at any time of day by waking up different regions at different times – they are a complex and vast maze, often operated by some of the brightest minds in cybercrime. But that’s no reason for organisations to resign themselves to eventually getting attacked. So what are the most effective methods of defence?
The old way was to use a cloud-based scrubbing centre, where the security team can divert traffic for analysis and filtering when they see a DDoS attack. But asking a human to monitor the edge of the network and intervene when they think they’ve spotted a DDoS attack is very labour intensive and won’t react fast enough to the automated attacks of today. Furthermore, this won’t catch the sub-saturation attacks that experiment on your networks undetected, finding vulnerabilities and testing new methods.
So a proper modern method is one that’s always on, deployed in-line and doesn’t require human intervention in order to maintain clean traffic. The technology, whilst relatively new, is available on premises and from upstream providers, so there are options open to most organisations no matter their size, budget and likelihood of being targeted. It also frees up your manpower to focus on preventing data exfiltration and other malicious activity taking place, making your staff much more productive.
So there you have it – maybe the three little pigs don’t need to worry about the big bad botnet after all! There are methods on offer to help you build your proverbial “house” (security infrastructure) out of bricks and mitigate the most serious botnet-driven DDoS attacks on your network.
Dave Larson is Chief Operating Officer at Corero Network Security. To find out more about Corero, head over to their website or follow them on Twitter.

The post The Three Little Pigs and the Big Bad Botnet appeared first on IT Security Guru.

]]>
Social engineering – the most popular hacking method https://www.itsecurityguru.org/2016/04/11/social-engineering-popular-hacking-method/?utm_source=rss&utm_medium=rss&utm_campaign=social-engineering-popular-hacking-method Mon, 11 Apr 2016 10:56:18 +0000 http://www.itsecurityguru.org/?p=15315 Csaba Krasznay, Product Manager of Shell Control Box, Balabit (www.balabit.com) Hackers may have many challenges, but it seems gaining access to a corporate network using social engineering techniques is not one of them. Social engineering – a technique whereby an individual is tricked into revealing personal or log-in information – is nothing new, but its […]

The post Social engineering – the most popular hacking method appeared first on IT Security Guru.

]]>
Csaba Krasznay, Product Manager of Shell Control Box, Balabit (www.balabit.com)
Hackers may have many challenges, but it seems gaining access to a corporate network using social engineering techniques is not one of them.
Social engineering – a technique whereby an individual is tricked into revealing personal or log-in information – is nothing new, but its evolution in recent years is shocking. Recently, the biggest and costliest data breaches (such as OPM or Ashley Madison) were typically caused by targeted Advanced Persistent Threat (APT) attacks which in most cases relied on an initial step that offers a better success rate than brute force: that is, social engineering. It has become an evergreen hacking method – finding a trusting human to divulge sought-after information is easier than finding and exploiting vulnerabilities on a network or corporate system.
There are many reasons for this: there is hardly any financial investment needed, no major coding skills are required, and it is very easy to remotely manage the ‘project’. Hackers can easily rely on a trusting employee to give them the information they need in order to gain access. For an outsider, it is the path of least resistance. In fact, our own recent survey of IT professionals has revealed that outsiders gaining insider access through social engineering techniques such as phishing is considered the most popular route in for hackers.
From a hacker’s point of view, it is so easy to target a group of employees you can guarantee that even the very best and most secure IT systems will have at least one bona fide user who falls down – and once this happens the most difficult part of the hack is done. Once the door is opened, and outside hackers have become insiders, even the lowest access can be further escalated until they gain privileged access and therefore could cause a significant data breach.
In social engineering, the key to success is gaining the confidence of the user. A recruitment plan sent by email, as in the 2011 RSA breach that cost the company $66 million to recover from, or a fake breaking-news tip to an eager Associated Press journalist about explosions at the White House, are just two examples of the creative lengths hackers will go to in order to exploit human nature. They play on human psychology and the natural traits inherent in most of us, or try to establish a connection with the user through information that may be freely available on social media or the corporate website.
Know your enemy: how to identify misused accounts
Once hackers have gained access past an organisation’s perimeter they could potentially misuse the account of a legitimate user and the damage caused could be devastating. Organisations today need to know their enemy by identifying who is behind their user accounts, and whether it is a legitimate user or a masked hacker. This should be the fundamental priority in every kind of organisation’s IT security strategy. Although traditional access control tools and anti-malware solutions are necessary, these only protect companies’ sensitive assets while hackers are outside of the network.
User Behaviour Analytics tools are able to build baseline profiles of real employees, which are as unique as fingerprints, and can easily detect abnormal behaviour on user accounts and alert the security team or block user activities until further notice. Such monitoring can highlight any anomalies in users’ behaviour that are worth investigating, and not only alert on suspicious activity but also immediately respond to harmful events and block further activity.
Today it is not enough to just defend against outside attackers; organisations also need to identify any unusual behaviour of their own users, as it has become crucial to know who is actually behind an insider account. It is important that staff are constantly reminded of the raging cyber war and to be vigilant in their daily actions – if they receive an email from the CEO, for example, when he doesn’t normally send emails, that should ring a few alarm bells. Perhaps it’s all just a matter of keeping your friends close, but your enemies closer…
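As an added sketch of the baseline-and-anomaly approach described in the two paragraphs above (example code written for this page, not Balabit’s product logic), the Python script below learns a per-user “fingerprint” from a small activity history and scores new events against it, including the case of a CEO account that suddenly starts sending email. Users, hosts and actions are all constructed.

```python
from collections import defaultdict

# Constructed activity log: (user, hour_of_day, source_host, action). This is
# the "normal" history a UBA tool would learn from; all names are made up.
HISTORY = [
    ("alice", 9, "ws-alice", "login"), ("alice", 10, "ws-alice", "open_crm"),
    ("alice", 14, "ws-alice", "open_crm"), ("alice", 17, "ws-alice", "logout"),
    ("ceo", 8, "laptop-ceo", "login"), ("ceo", 9, "laptop-ceo", "read_email"),
    ("ceo", 11, "laptop-ceo", "read_email"), ("ceo", 18, "laptop-ceo", "logout"),
]


def build_profiles(events):
    """One baseline per user: the hours, hosts and actions seen so far."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(), "actions": set()})
    for user, hour, host, action in events:
        profiles[user]["hours"].add(hour)
        profiles[user]["hosts"].add(host)
        profiles[user]["actions"].add(action)
    return profiles


def score_event(profiles, event):
    """Count how many attributes of a new event fall outside the user's
    baseline; return (score, reasons) so an analyst can see why it fired."""
    user, hour, host, action = event
    profile = profiles.get(user)
    if profile is None:
        return 3, ["no baseline for user"]
    reasons = []
    # Hours get a +-1 h tolerance; hosts and actions must match exactly.
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if host not in profile["hosts"]:
        reasons.append(f"unseen host {host}")
    if action not in profile["actions"]:
        reasons.append(f"never-seen action {action}")
    return len(reasons), reasons


def triage(profiles, event, block_at=2):
    """Map the score to a response: allow, alert the SOC, or block the session."""
    score, _ = score_event(profiles, event)
    return "allow" if score == 0 else "alert" if score < block_at else "block"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # CEO account "sending" email at 03:00 from an unknown host: block.
    print(triage(profiles, ("ceo", 3, "vpn-pool-17", "send_email")))
    # Alice logging in as usual: allow.
    print(triage(profiles, ("alice", 9, "ws-alice", "login")))
```

Real products weight each attribute and learn from far more signals (typing cadence, command sequences, data volumes), but the shape is the same: profile, compare, and respond in proportion to how far the event strays from the baseline.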


]]>
Virus infects MedStar Health system’s computers, forcing an online shutdown https://www.itsecurityguru.org/2016/03/29/virus-infects-medstar-health-systems-computers-forcing-online-shutdown/?utm_source=rss&utm_medium=rss&utm_campaign=virus-infects-medstar-health-systems-computers-forcing-online-shutdown Tue, 29 Mar 2016 12:58:12 +0000 http://www.itsecurityguru.org/?p=15137 A virus infected the computer network of MedStar Health early Monday morning, forcing the Washington health-care behemoth to shut down its email and vast records database and raising additional concerns about the security of hospitals nationwide. The FBI is investigating the breach, which comes just weeks after similar cyberattacks on at least three other medical […]

The post Virus infects MedStar Health system’s computers, forcing an online shutdown appeared first on IT Security Guru.

]]>
A virus infected the computer network of MedStar Health early Monday morning, forcing the Washington health-care behemoth to shut down its email and vast records database and raising additional concerns about the security of hospitals nationwide.
The FBI is investigating the breach, which comes just weeks after similar cyberattacks on at least three other medical institutions in California and Kentucky. Still, MedStar officials said they had found “no evidence that information has been stolen.”
Original Source: Washington Post
View the full story here


]]>
Customer Trust and Revenues are where DDoS hits hardest https://www.itsecurityguru.org/2016/03/24/customer-trust-revenues-ddos-hits-hardest/?utm_source=rss&utm_medium=rss&utm_campaign=customer-trust-revenues-ddos-hits-hardest Thu, 24 Mar 2016 11:45:16 +0000 http://www.itsecurityguru.org/?p=15115 Corero Network Security has unveiled research from this year’s RSA showing that the most damaging consequence of DDoS attacks is the loss of customer trust. After polling tech decision makers at RSA, Corero also found that 34% of respondents felt loss of revenue was the biggest threat. Dave Larson, Corero’s chief operating officer, informed us […]

The post Customer Trust and Revenues are where DDoS hits hardest appeared first on IT Security Guru.

]]>
Corero Network Security has unveiled research from this year’s RSA showing that the most damaging consequence of DDoS attacks is the loss of customer trust.
After polling tech decision makers at RSA, Corero also found that 34% of respondents felt loss of revenue was the biggest threat.
Dave Larson, Corero’s chief operating officer, informed us that ‘network or website service availability is crucial to ensure customer trust and satisfaction, and vital to acquire new customers in a highly competitive market. When an end user is denied access to Internet-facing applications or if latency issues obstruct the user experience, it immediately impacts the bottom line.’
DDoS attacks make the media regularly, but get much more attention when there’s actually a firewall failure or a service/website is fully derailed. However, Corero’s recent research has found that there’s been a huge increase in sub-saturation attacks – those which are part of a larger plan, designed to knock one particular aspect of a service or site down while other nefarious activities take place or intelligence is gathered on behalf of the attackers.
Larson noted that small DDoS attacks often escape the radar of traditional scrubbing solutions. Many organizations have no systems in place to monitor DDoS traffic, so they are not even aware that their networks are being attacked regularly.
‘Industry research, as well as our own detection technology, shows that cyber criminals are increasingly launching low-level, small DDoS attacks,’ said Larson. ‘The problem with such attacks is two-fold: small, short-duration DDoS attacks still negatively impact network performance, and, more importantly, such attacks often act as a smokescreen for more malicious attacks. While the network security defenses are degraded, logging tools are overwhelmed and IT teams are distracted, the hackers may be exploiting other vulnerabilities and infecting the environment with various forms of malware.’
Corero also found that many companies rely on upstream providers to eliminate the attacks, with 30% of respondents saying this was their technique for protection. 85% of those surveyed believe their upstream provider should offer this protection as a service to their subscribers – over half of respondents said they’d pay their provider for this as a premium service.
When looking at the current methods of handling the DDoS threat used by companies, nearly one third (30%) of respondents rely on traditional security infrastructure products (firewall, IPS, load balancers) to protect their businesses from DDoS attacks. ‘Those companies are very vulnerable to DDoS attacks because it’s well-documented that traditional security infrastructure products aren’t sufficient to mitigate DDoS attacks,’ said Larson.


]]>