June 26, 2014

Computer World: Ethical hacking – Getting inside the minds of cyber criminals

Just when you think you’ve got yourself all covered on the security front, an attack comes out of nowhere and bites you on the arse. You think to yourself: How did I not see that coming?

That’s where penetration testing, or ethical hacking, comes in. The idea is to get a third party to think (and act) like a hacker to test your organisation’s resilience to attack.

And the stakes are high, says Hacklabs senior consultant Jody Melbourne. “Nobody is concerned with targeting websites or going after your database – that’s old,” Melbourne says. “The real bad guys are trying to steal your IP, your business intelligence or business information. [The criminal] is going after your internal network.

“You make a lot more money if you find out that large corporation A is about to acquire large corporation B in a few months, for example. If you hack some board members of a large corporation and find out all of their secret information, read their emails, then that is far more serious than stealing credit cards.”

Melbourne has been employed by both private sector and public sector organisations to test their security, with sometimes alarming results.

He said he’s found it “frustratingly easy” to just walk into many organisations. “I just wave my hand and say ‘I’m walking in here, it’s fine’ and walk straight in,” Melbourne says. “I’m wearing the right clothes, I’m confident, and I look like I’m supposed to be there.”

All it can take then is swapping out a desk phone for a tampered-with handset of the same model. “I plug in a device behind a phone; or I swap out the phone entirely for the exact same model and say ‘I’m here to change the phone, there’s something wrong with it’ and the receptionist says ‘OK’.”

“That whole network and organisation is compromised with a spy phone that I was able to make for $50,” Melbourne says.

Melbourne gave another hypothetical scenario for compromising a network — a hacker dressed like, and acting like, a regular employee just strolls in and connects a Wi-Fi or 3G dongle to an organisation’s network.

“[Then] I’m sitting in a hotel room 500 metres away with full access to your internal network reading your executives’ emails,” Melbourne says. “That’s the landscape now.”

A network could be compromised with just $100 worth of innocuous-looking hardware that most employees wouldn’t even recognise as a threat.

Melbourne said that when engaged by a government department to test their security he was able to compromise the entire agency after gaining access to a computer on its network – with no special tools required.

“A business insider at a corporation might only have mediocre hacking skills, but might actually guess the password of the CEO and get access to all of that information,” Melbourne says.

“That’s far more devastating to an organisation than the most advanced hacker in the world sitting inside that network who has absolutely no business experience, doesn’t know anything about the corporation.

“The hacker could get access to all the corporate documentation, all of the board members, meeting minutes, all kinds of internal IP and emails. But the hacker doesn’t know how the business works so he/she doesn’t know what is valuable and what isn’t.”

Daniel Cabezas, IT security testing services leader at Macquarie Group, says that when he does test email campaigns, he still finds many users clicking on links, downloading files or installing untrusted applications.

“We are doing security awareness courses, but whenever we do testing by sending ourselves email campaigns, there’s still more percentage of our user base who click on things,” he says.

One issue that security teams have to deal with is that hackers are also not necessarily looking to directly break into a company’s systems. Cabezas says they may have more success in hacking a personal computer of an employee to find business information or a work password or account.

“If the malware is trying to target the users at their homes, the reality is that I don’t have that many security controls in my laptop at home. So [criminals] are most successful attacking the home laptop of the users to try and get information about the company they work for. They go to LinkedIn and look for potential employees from the company to attack their personal laptops.”

The rise of bring-your-own device (BYOD) schemes – under which employees can use their own smartphones, tablets and notebooks for work – and an emphasis on flexible working only further complicate the situation.

Cabezas says that there’s usually a struggle to balance user demand for new technology with security.

“We have to determine what the risk of [introducing] the new technology is, but our users are already asking us to implement it,” he says.

“You might have a very functional, well-defined application, and you might think ‘it works the way we expect it to’. But what happens when somebody finds something unexpected?

“Criminals don’t work for X hours a day and then go home. They keep working during the night, during the weekend and they just have to find one hole. So you have to think the way they do. You might say ‘this vulnerability is really difficult to exploit’, but they will take the time and whatever the means to exploit it.”

May 31, 2014

HostingCon in Miami Beach

We will be attending the 2014 HostingCon in Miami Beach in a couple of weeks and look forward to meeting up with industry colleagues.

April 28, 2014

Critical zero-day vulnerability in Internet Explorer exposes Windows XP to risks (Re-post from TWCN Tech News)

Microsoft said that a critical zero-day vulnerability has been found in Internet Explorer, affecting every version from IE6 to IE11, which allows cyber-criminals to exploit it through drive-by attacks.

Drive-by download attacks infect vulnerable computers when the user merely visits a website. They remain many attackers’ favourite technique because they are easy to launch: malicious code is injected into a legitimate website and, once injected, exploits vulnerabilities in the operating system, the web browser or browser plug-ins such as Java, Adobe Reader and Adobe Flash. The initial code that gets downloaded is usually small; once it lands on your computer it contacts another computer and pulls the rest of the malicious code onto your system.

Microsoft is expected to release a patch for this vulnerability very soon. But it will be available for supported operating systems. It will not be available for Windows XP as this operating system is no longer supported. This will leave Windows XP users exposed to risks.

Workarounds

Apart from following other steps to secure their Windows XP, users may do the following to mitigate this issue until a patch is released:

1. Disable the Flash plug-in within IE.
2. Do not click on any doubtful links, and close IE immediately if something looks suspicious.
3. Use Microsoft’s anti-exploit tool, the Enhanced Mitigation Experience Toolkit (EMET).
4. Unregister the vgx.dll file (the VML renderer) with regsvr32.
5. Set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting.
6. Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zones.
7. Consider using an alternative browser on Windows XP.
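The following script is an added example, not part of the re-posted article or of Microsoft’s own advisory text. It applies workarounds 4, 5 and 6 from the list above on a single machine and can undo them. It assumes an elevated PowerShell prompt, that the IE zone settings live under HKCU (if the Security_HKLM_only policy is in force they live under HKLM instead and this script will not reach them), and the backup file location is arbitrary; the registry value names and data values it uses are the documented IE zone settings.

```powershell
# Added example: apply (or revert) the vgx.dll / zone-setting workarounds for the IE zero-day.
# Registry layout used below:
#   Zones\1 = Local intranet, Zones\3 = Internet
#   value 1200 = 'Run ActiveX controls and plug-ins', value 1400 = 'Active scripting'
#   data 0 = Enable, 1 = Prompt, 3 = Disable
param([switch]$Revert)

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = 1, 3
$Values   = '1200', '1400'
$Backup   = Join-Path $env:TEMP 'ie-zone-backup.clixml'   # assumed location, any path works
$Regsvr   = Join-Path $env:SystemRoot 'System32\regsvr32.exe'

# On 64-bit Windows there are two copies of vgx.dll; the advisory unregisters both.
$VgxPaths = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft Shared\VGX\vgx.dll' } |
    Where-Object { Test-Path $_ }

function Get-ZoneValues {
    # Snapshot of the two settings in both zones, keyed "zone/value"
    $state = @{}
    foreach ($z in $Zones) {
        $props = Get-ItemProperty -Path (Join-Path $ZoneRoot $z)
        foreach ($v in $Values) { $state["$z/$v"] = $props.$v }
    }
    return $state
}

function Set-ZoneValue([int]$Zone, [string]$Name, [int]$Data) {
    Set-ItemProperty -Path (Join-Path $ZoneRoot $Zone) -Name $Name -Value $Data -Type DWord
}

if (-not $Revert) {
    Get-ZoneValues | Export-Clixml -Path $Backup            # keep the pre-change state
    foreach ($dll in $VgxPaths) {
        # Workaround 4: unregister the VML renderer (only VML drawing in IE is affected)
        & $Regsvr /u /s "$dll"
    }
    foreach ($z in $Zones) {
        Set-ZoneValue $z '1200' 3     # Workaround 5: block ActiveX controls
        Set-ZoneValue $z '1400' 1     # Workaround 6: prompt before Active Scripting
    }
    Write-Host "Workarounds applied; previous zone settings saved to $Backup"
} else {
    foreach ($dll in $VgxPaths) { & $Regsvr /s "$dll" }    # re-register vgx.dll
    if (Test-Path $Backup) {
        $saved = Import-Clixml -Path $Backup
        foreach ($k in $saved.Keys) {
            $zone, $name = $k -split '/'
            if ($null -ne $saved[$k]) {
                Set-ZoneValue $zone $name $saved[$k]
            } else {
                # The value did not exist before, so the zone default applied; restore that
                Remove-ItemProperty -Path (Join-Path $ZoneRoot $zone) -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
    Write-Host 'Workarounds reverted'
}

# Show the effective values so the change (or the revert) can be checked
foreach ($z in $Zones) {
    Get-ItemProperty -Path (Join-Path $ZoneRoot $z) |
        Select-Object @{ n = 'Zone'; e = { $z } }, '1200', '1400'
}
```

Run it as `.\ie-workarounds.ps1` to apply and `.\ie-workarounds.ps1 -Revert` once the patch is installed. Item 3 (EMET) is a separate installer and is not covered here; note also that changing the Local intranet zone will prompt on internal web applications, which is the point of the workaround but worth warning users about.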

March 14, 2014

Rise in cyber security budgets

New data from a BAE Systems Applied Intelligence survey indicates that about 60 percent of large companies across the U.S., Canada, Great Britain, and Australia have increased their spending on cybersecurity since last year’s Target breach. Industries such as banking, technology, law, and mining are now spending up to 15 percent of their entire IT budgets on security. More than 80 percent of survey respondents expect the number of cyberattacks to rise. The loss of customer data ranked as the companies’ greatest concern, followed by the loss of trade secrets, reputational damage, and service interruption.

Nearly half of the U.S. companies in the survey said a cyberattack would cost them around $15 million, while 29 percent estimated the cost at more than $75 million. The results suggest that breaches would take an extreme financial toll on smaller companies as well.

The Target breach over the 2013 holiday season claimed 40 million customers’ credit and debit card numbers.


February 12, 2014

Quatrashield VP Article on SMB Nation: SMBs Lack the Tools to Fight Cyber Attack

http://www.smbnation.com/content/news/entry/smbs-lack-the-tools-to-fight-cyber-attack

When it comes to cyber-attack, Small and Medium Businesses are at a significant disadvantage. Lacking the resources and expertise of their Enterprise counterparts, SMBs often rely on free or lightweight tools that leave their organizations exposed to attack. Instead of shoring up their cyber-defenses, many SMBs wait for a breach to occur. In some cases this can be too late.

Hacking has never been as easy as it is today. The significant information sharing between hackers has created a publicly-available knowledgebase that is easily accessible to cyber-criminals. Sites such as hackthissite.org serve as a training ground for cyber criminals, hacktivists and even government entities to gain up-to-date information on new attack vectors.

The net result is that SMBs are often the victim of data breaches, phishing, DDoS and watering hole attacks. A recent report commissioned by the Department for Business, Innovation and Skills (BIS) indicates that 63% of small businesses in the UK were attacked by an unauthorized outsider in the last year which is up from 41% a year ago. The research also uncovered that 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago). [1]

The Enterprise/SMB Technology Model Does Not Apply to Cyber Security

Traditionally, Enterprise and SMB level technologies differ in design and capability – whether they have been built from the ground-up as unique solutions or whether the SMB module is a “light” version of the Enterprise class technology with certain features disabled. The key differentiators between Enterprise and SMB class technology are the expected level of flexibility and sophistication including configuration, deployment, management and reporting. From a scalability perspective, Enterprise level technologies are designed to be deployed in a non-disruptive way to hundreds, if not thousands, of users or access points within an organization spanning multiple offices and geographic territories. SMB level technology is designed for a small number of users or ports and is not intended to scale.

When it comes to cyber-security, the traditional Enterprise versus SMB model does not work. Pricing SMB oriented technology at a more affordable level as a trade-off for limited functionalities may be a good marketing tactic for security vendors selling into this segment, but leaves the SMB with a limited and mostly cosmetic protection against attack.

Firstly, regulatory compliance requirements such as PCI-DSS and HIPAA apply to both SMB and Enterprise size organizations. Both are obliged to implement systems and processes to protect third-party data. Therefore, companies that are mandated to protect their sensitive data may not have the flexibility to rely on basic cyber security technologies that fall short of regulatory requirements. More importantly, Small and Medium businesses are often the direct target of hacker attacks. By relying on cheap, “light” but largely ineffective software, the SMB business owner may inadvertently expose his or her organization to significant risk of cyber-attack.

The Downside to SMB Level Technologies

Many of the (inexpensive) cyber security tools in the marketplace that are targeted at the SMB segment offer basic protection that can easily be bypassed by most hackers. For instance, the typical entry-level web application vulnerability scanner is based on open source technologies widely disseminated in the hacksphere. For the small business owner with limited staff, trying the Do-It-Yourself route can be frustrating, resource intensive and takes away from business focus.

Marketers of SMB focused cyber technologies take advantage of the overall confusion in the marketplace and overemphasize basic capabilities. For instance, the Open Web Application Security Project (OWASP) publishes a list of Top 10 application vulnerabilities. The typical Enterprise organization will purchase a tool that scans for twenty or more vulnerabilities and the better technologies are based on artificial intelligence that scan more deeply. When SMB focused tools list product specs, they often include features that are rudimentary.

In our evaluation of sample population of web application vulnerability scanners that target the SMB market, we have identified significant flaws in many of the current commercial offerings. Important capabilities – such as the ability for a scanner to drill deeply within an application layer based on dynamic parameters – are often not bundled in the basic SMB cyber security packages. Many of the tools report vast amounts of false positives, thereby requiring additional follow on investments in costly remediation. More troubling is the number of false negatives – the number of significant vulnerabilities and malware that are simply not caught by even some of the leading SMB targeted software vendors.

The Cloud Is Not a Silver Bullet

Another challenge for SMBs is the confusion about how cloud-based technologies can help them protect their businesses from attack. In many cases, the hype surrounding some cyber solutions in the marketplace may lead the SMB business owner to over-rely on technology to address the cyber threat. For instance, many cloud-based solutions advertise their end-to-end capability and falsely claim that their systems can identify and remove the threat of cyber-attack. There is a huge difference between systematically identifying a vulnerability and automatically removing it. Remediation is a complex process often requiring coding or access to system configuration. Claims to the contrary are misleading and can result in an over-reliance on point solutions to address a systemic risk of attack. Furthermore, we are noticing the attack vector moving towards the Cloud as hackers have realized that the Cloud is a single point of information concentration.

Final Thoughts on Technology as a Sole Solution

Not one software solution is going to remove the threat of cyber-attack. Good cyber security practices need to be applied on a company-wide basis and are not simply restricted to the IT department. We are only as strong as our weakest link and a company’s employees, customers and partners are the first line of defense against cyber-attack. From a technology perspective one should always assume that hackers have access to the latest advances in technologies and one should constantly update one’s defense toolset in order to reflect what’s happening in the hacker-sphere. Equally important is to create policies that standardize security practices across the organization.

Although hackers are constantly changing their methods, organizations need guidelines that withstand the test of time. Businesses of all sizes need to plan carefully and budget wisely to protect their data assets.

About the author: Mervin Pearce (CISSP-ISSAP) is the Vice President of Professional Services at QuatraShield, a SaaS provider of Enterprise-class cyber security technologies that include web application vulnerability scanners and malware scanners.

January 13, 2014

Announcement: Quatrashield Launches White Label Program for ISP’s to Enter Cyber Security Market

(The Hosting News) – Quatrashield, a SaaS provider of Enterprise-class cyber security technologies, has launched a new partner program for the Hosting Industry. ISP Protection Plus is a white label offering for Hosting Companies to re-sell web application vulnerability scanners, penetration testing and threat remediation services.

The company’s cloud-based software platform is based on military grade technology. Its two leading products – QuatraScan V3000 and QuatraWare M3000 – use advanced artificial intelligence to deeply penetrate a corporate website and identify malware and application vulnerabilities that are often undetected by standard commercial software packages.

ISP Protection Plus offers ISPs the opportunity to create their own branding for the QuatraScan and QuatraWare scanners. Because the solutions are cloud-based, there is no investment in technical infrastructure required on the part of the Hosting Company. In an era where companies are increasingly concerned about the threat of hackers, Hosting Companies can use website security protection services as a competitive differentiator in the marketplace.

Said QuatraShield CEO Johan Grobler: “We believe that ISP Protection Plus is an easy entry into the high-end of the cyber security market. Although some ISPs are re-selling low-end scanners, we allow ISPs to offer their customers Enterprise-class cyber-security technologies.”

In addition to the company’s malware and application vulnerability scanners, Quatrashield offers Hosting Companies white-labeled, value-added professional services including Black Box Penetration Testing and Threat Remediation. “Our goal is to provide ISPs with a packaged security offer for their most valuable customers that are looking for more help combatting the threat of hackers,” said Grobler.

December 17, 2013

10 Ways to Protect Your Company and Employees from Hacking

10 Ways to Protect Your Company and Employees from Hacking

Here is a link to my blog posting on websitemagazine.com

December 17, 2013

UK Study: SMB’s report more security breaches in 2013

A new study released by PwC and InfoSecurity Europe indicates that the large increase in security breaches is occurring in the Small Business segment (under 50 employees) and that these businesses are “now experiencing incident levels previously only seen in larger organisations.”

Below are some of the report highlights: 

  • 63% of small businesses were attacked by an unauthorized outsider in the last year (up from 41% a year ago)
  • 23% of small businesses were hit by denial-of-service attacks in the last year (up from 15% a year ago)
  • 15% of small businesses detected that outsiders had successfully penetrated their network in the last year (up from 7% a year ago)
  • 9% of small businesses know that outsiders have stolen their intellectual property or confidential data in the last year (up from 4% a year ago)
  • 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago)
  • 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago)

 Good News/Bad News

For the SMB segment, there has been a rise in the cost associated with breaches. The average cost to a small business for its worst breach was between 35,000 and 65,000 pounds.

The silver lining here is that senior management does understand the risk of cyber-crime and there is an increased effort to prioritize investment and education in this arena.

December 8, 2013

New Study: Only 2% of leading online retailer sites use secure HTTPS for e-commerce

A new research report indicates that very few e-commerce websites automatically protect users by directing them to the HTTPS version of the site and keeping them there (always-on SSL). The study, conducted by High-Tech Bridge, analyzed the top 100 e-commerce sites.

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, comments on the findings: “Alarmingly, only 2% (two per cent) of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7% of websites are failing to enforce HTTPS for their customers for the most sensitive operations such as login, checkout and payment, while 27% of websites don’t even have an HTTPS version for “non-critical” sections of their website, such as shopping cart management or search for goods.”

Here is a summary of findings from the report:


  • 0/100 websites have expired or untrusted SSL certificates.
  • Only 1/100 website certificates expire in less than one month.
  • 99/100 websites have certificates with 2048-bit or stronger keys.
  • 2/100 websites do not have an SSL certificate at all, leaving their customers totally unprotected.
  • 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment.
  • 73/100 websites do not have a secure HTTPS version at all for some “non-critical” online activities of their customers, such as shopping cart management.
  • An extremely low 2/100 websites protect users by automatically using the secure HTTPS version (SSL) by default.
  • Only 25/100 websites have SSL EV certificates.
  • 33/100 websites display non-SSL content together with SSL content on their pages.
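The checks behind those nine findings are mechanical, and a site owner can run them against their own shop. The script below is an added example, not code from the High-Tech Bridge study: it scores one site per criterion (http-to-https redirect, certificate presence and expiry, key size, EV, HTTPS enforcement on sensitive pages, HTTPS availability for the cart, and mixed content on an HTTPS page) and tallies the results in the study’s “N/100” style. It runs offline over constructed observations; the `SiteObservation` fields, the sample hosts and their values are assumptions, and in a real run they would be filled from an HTTP client and `ssl.getpeercert()`.

```python
# Added example (not the study's code): audit e-commerce sites against the
# criteria the High-Tech Bridge findings count, over constructed observations.
from dataclasses import dataclass
from datetime import datetime, timedelta
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class SiteObservation:
    """What a crawler would record for one site (assumed shape, not the study's)."""
    host: str
    http_status: int                  # status of GET http://<host>/
    http_location: Optional[str]      # Location header of that response, if any
    cert_not_after: Optional[str]     # as ssl.getpeercert()['notAfter']; None = no TLS
    cert_key_bits: Optional[int]      # public key size of the leaf certificate
    cert_ev: bool                     # Extended Validation certificate
    sensitive_https_only: bool        # login/checkout/payment refuse plain HTTP
    cart_https_available: bool        # cart/search pages have an HTTPS version
    https_html: str                   # body of one HTTPS page, for mixed-content check


class MixedContentFinder(HTMLParser):
    """Collects http:// resources referenced from an HTTPS page, i.e. the
    study's 'non-SSL content together with SSL content'. Plain links are
    not active content and are ignored."""
    WATCHED = {("script", "src"), ("img", "src"), ("link", "href"),
               ("iframe", "src"), ("object", "data"), ("embed", "src")}

    def __init__(self) -> None:
        super().__init__()
        self.insecure: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.WATCHED and value \
                    and urlsplit(value.strip()).scheme == "http":
                self.insecure.append(value.strip())


def mixed_content(html: str) -> List[str]:
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure


def audit_site(obs: SiteObservation, now: datetime) -> Dict[str, bool]:
    """One True/False per criterion; True means the property holds."""
    f: Dict[str, bool] = {}
    loc = obs.http_location or ""
    # "HTTPS by default": plain-HTTP front page redirects to an https:// URL
    f["https_by_default"] = (300 <= obs.http_status < 400
                             and urlsplit(loc).scheme == "https")
    f["has_certificate"] = obs.cert_not_after is not None
    if f["has_certificate"]:
        not_after = datetime.strptime(obs.cert_not_after, "%b %d %H:%M:%S %Y %Z")
        f["cert_expired"] = not_after <= now
        f["cert_expires_within_30d"] = now < not_after <= now + timedelta(days=30)
        f["key_2048_or_stronger"] = (obs.cert_key_bits or 0) >= 2048
        f["ev_certificate"] = obs.cert_ev
        f["sensitive_ops_enforce_https"] = obs.sensitive_https_only
        f["cart_has_https"] = obs.cart_https_available
        f["mixed_content"] = bool(mixed_content(obs.https_html))
    else:
        # No TLS at all: nothing HTTPS-dependent can hold
        f.update(cert_expired=False, cert_expires_within_30d=False,
                 key_2048_or_stronger=False, ev_certificate=False,
                 sensitive_ops_enforce_https=False, cart_has_https=False,
                 mixed_content=False)
    return f


def tally(sites: List[SiteObservation], now: datetime) -> Dict[str, int]:
    """How many sites satisfy each criterion, the study's 'N/100' style."""
    counts: Dict[str, int] = {}
    for obs in sites:
        for key, hit in audit_site(obs, now).items():
            counts[key] = counts.get(key, 0) + int(hit)
    return counts


NOW = datetime(2013, 12, 8)   # the study's publication date, used as "today"

SAMPLE_SITES = [   # constructed sites, not real retailers
    SiteObservation("good-shop.example", 301, "https://good-shop.example/",
                    "Dec 31 23:59:59 2014 GMT", 2048, True, True, True,
                    '<html><script src="https://cdn.example/a.js"></script></html>'),
    SiteObservation("weak-shop.example", 200, None,
                    "Dec 20 12:00:00 2013 GMT", 1024, False, False, False,
                    '<html><img src="http://weak-shop.example/logo.png"></html>'),
    SiteObservation("plain-shop.example", 200, None, None, None,
                    False, False, False, ""),
]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE_SITES, NOW).items()):
        print(f"{n}/{len(SAMPLE_SITES)}  {key}")
```

The redirect check is the closest mechanical stand-in for the study’s “automatically ensure their customers use the secure HTTPS version”; a site that serves both schemes without redirecting, or redirects only on the checkout page, fails it. Mixed content is detected only in markup, so resources loaded by script at runtime would need a browser-driven check.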

December 5, 2013

Microsoft’s guidance for protecting the enterprise from attack

Microsoft has released its guidance on best practices to protect enterprises from malicious attack.  Here is a summary of the report recommendations:

  1. Keep all software up-to-date:  Attackers will try to use vulnerabilities in all sorts of software from different vendors, so it is important for organizations to keep all of the software in their environment up to date and run the latest versions whenever possible.
  2. Demand software that was developed with a security development lifecycle:  Until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities.
  3. Restrict websites: Limit web sites that your organization’s users can visit.  This likely won’t be popular in the office, but given the majority of threats found in the enterprise are delivered through malicious websites, you might have the data needed to make a business case.
  4. Manage security of your websites: Many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks.  Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
  5. Leverage network security technologies: technologies like Network Access Protection (NAP), Intrusion Prevention Systems (IPS), and content filtering can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing their level of network access.