Saturday, October 26, 2013

How the modern world depends on encryption


Image caption: Encryption helps to ensure that credit card transactions stay secure

Encryption makes the modern world go round. Every time you make a mobile phone call, buy something with a credit card in a shop or on the web, or even get cash from an ATM, encryption bestows upon that transaction the confidentiality and security to make it possible.

"If you consider electronic transactions and online payments, all those would not be possible without encryption," said Dr Mark Manulis, a senior lecturer in cryptography at the University of Surrey.

At its simplest, encryption is about transforming intelligible text, numbers, sounds and images into a stream of apparent nonsense.

There are many ways to perform that transformation, some straightforward and some very complex. Most represent the data as numbers and use mathematics, driven by a secret key, to do the transformation. Whichever method is used, the resulting scrambled data stream should give no hints about the original message or the key, even to an attacker who knows exactly which method was used.

During World War II, the Allies scored some notable victories against the Germans because the German encryption systems did not sufficiently scramble messages. Rigorous mathematical analysis by Allied codebreakers laid bare patterns hidden within the messages, and those patterns were used to recreate the machines that had encrypted them.

Those systems revolved around secret keys shared among everyone who needed to communicate securely. These are known as symmetric encryption systems, and their weakness is key distribution: every party has to possess the same secret key, and that key has to reach each of them without being intercepted.

In the modern era, a need has arisen to communicate securely with people and organisations we do not know and with whom we cannot easily share secret keys, said Dr Manulis. This need has given rise to public-key cryptography. Despite the formidable name it encapsulates a simple idea.

Image caption: Wartime code-cracking machines such as Colossus broke German encryption systems

Essentially, it allows anyone to send a message that only one person (or company or website or gadget) can unlock. It does this using two keys: one public, one private. The public key is used to lock a message. Anyone can get hold of that public key but once a message is locked with it, that message can only be opened with the corresponding private key.

Typically these keys are large numbers and the security of the system depends on the fact that some mathematical operations are easier than others.

For instance, it is easy to multiply two large prime numbers together to get their product, but far harder to start from that product and recover the two primes. Public-key systems are built on such "one-way" operations: the public key is derived from the easy direction, and the private key holds the secret (such as those prime factors) that makes the reverse direction easy for its owner alone. The mathematics guarantees that the right private key will unscramble a message.

Far harder, even for the fastest computer, is starting with the scrambled message and the public key and searching through all the possible private keys that could have produced them.

"Because the size of the keys is so huge, it's impossible for an attacker to search through the key space with the resources they usually have," he said. Such "brute force" attacks are pretty much doomed no matter how much computer power attackers bring to bear, he said.

Typically the numbers used in these mathematical encryption systems are tens if not hundreds of digits long. This makes it impossible, to all intents and purposes, to search through all potential keys in a reasonable amount of time.

The web and many other modern communication systems employ a hybrid approach, said Dr Manulis, because public key encryption is not very computationally efficient compared to symmetric key encryption.

Image caption: Even supercomputers would not break the strongest encryption algorithms

On the web, the slower public-key cryptography is used first to establish a secure connection between you and a website. A symmetric system alone would be no good for this step, because you and the website have no pre-existing secret key and no secure way to agree one.

Once that public-key step has been used to agree a secret session key, the faster symmetric system takes over and scrambles the data passing back and forth.
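As an added illustration of that hybrid pattern (example code written for this page, not from the BBC article or Dr Manulis), the Go program below uses the standard library's RSA-OAEP to transport a fresh 32-byte session key and AES-256-GCM to scramble the bulk data under it. The choice of RSA-2048, OAEP with SHA-256 and AES-GCM, the Envelope type and the "hybrid-demo-v1" label are this example's assumptions; a real web connection does the equivalent inside the TLS handshake, which also authenticates the server so that you know whose public key you are using.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// oaepLabel is an arbitrary context string bound into the OAEP padding;
// both sides must use the same value (an assumption of this example).
var oaepLabel = []byte("hybrid-demo-v1")

// Envelope is what crosses the network: the session key wrapped under the
// recipient's public key, and the bulk data under the fast symmetric cipher.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES-256 key
	Nonce      []byte // 12-byte AES-GCM nonce; never reused with the same key
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// NewRecipientKey generates the recipient's 2048-bit RSA key pair. Only the
// PublicKey half is ever handed out.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal builds an envelope for the owner of pub. Anyone with the public key can
// do this; only the matching private key can reverse it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// Public-key step: a fresh random session key, transported under RSA-OAEP.
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	// Symmetric step: the bulk data under AES-256-GCM keyed with the session key.
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The wrapped key is passed as additional authenticated data, so swapping
	// the key blob for another one is caught when the tag is checked.
	ct := gcm.Seal(nil, nonce, plaintext, wrapped)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the plaintext with the private key. Any modification to the
// envelope makes the GCM tag check (or the OAEP unwrap) fail with an error.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.WrappedKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; the sender only ever sees &priv.PublicKey.
	env, err := Seal(&priv.PublicKey, []byte("card 4111 1111 1111 1111, amount 42.00"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

The wrapped key is always 256 bytes for a 2048-bit modulus, while the ciphertext grows only with the message, which is the efficiency argument in the text. Flipping a byte of either field makes Open fail, because the wrapped key is fed to GCM as additional authenticated data. The nonce must be fresh for every message sealed under the same session key, which is why one is generated inside Seal rather than passed in.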

On mobiles, a similar system is used, and the encryption keys are held on a handset's SIM card to help keep chatter scrambled.

Attacks on these encryption systems take many forms, said Dr Manulis.

"You do not need to break the communication system if you have some spy software on the end point," he said.

In addition, weaknesses have been found in the software that implements the algorithms on computers and phones.

"The algorithms are mathematically proven," he said, " and if there's any problem then it usually comes in the implementation of the algorithm."

In addition, there have been suggestions that the NSA has subverted the process of creating encryption algorithms, to make them easier for it to break.

Official agencies can also force firms, be they websites or mobile operators, to surrender their private keys so they can eavesdrop on supposedly secure communications.

Some have sought to make encryption more secure by using a technique known as end-to-end encryption.

This differs from more standard systems, which can be vulnerable because their scrambling system is, in software terms, separate from the program used to create a message.

If attackers insert themselves between the message making software and the encryption system at either end of a conversation they will see information before it is scrambled.

End-to-end encryption closes this gap by having the message making software apply the scrambling directly. In addition, many of these systems run a closed network so messages never travel over the public internet and are only decrypted when they reach their intended recipient.

Image caption: Some fear that sending data over public networks makes it more susceptible to surveillance

Friday, October 25, 2013

Cloud provider research, due diligence needed to maintain compliance

Christine Parizo, Contributor

Organizations generate more data than ever before through applications, email and other computing tasks. Faced with flat IT budgets, companies are turning to the cloud for storage, software and infrastructure.
This is much to the chagrin of the compliance department, which wakes up in a cold sweat thinking about data security. Experts agree, however, that by conducting due diligence, companies can minimize their cloud-related risk and maintain compliance in the cloud.
"Your security teams have to satisfy themselves that what the cloud provider is doing on a routine basis meets or exceeds what they'd do on-premises," said John Howie, chief operating officer of the Cloud Security Alliance.
But enterprises are limited in how they can conduct this due diligence. For example, a cloud provider audit may not be possible because the provider doesn't want hordes of customers tromping through its data centers. Penetration testing could also shut down an enterprise's service because the cloud provider could view it as a legitimate attack, Howie said.

Because physical audits sometimes aren't possible, reputable cloud service providers should hold independent certifications or attestations. In the United States, the two most common are ISO/IEC 27001:2005 certification and a SOC 2 report. ISO/IEC 27001:2005 defines how to run an information security management system. It does not, however, say whether "you're particularly good at it, and it doesn't say that you have the controls in place [that] are actually working," Howie cautioned. "It just certifies that you have an information security system that understands these problems and is trying to improve."

The SOC 2 report, which is one of the successors to SAS 70 and is issued under the AICPA attestation standard AT Section 101, covers the five Trust Services ("SysTrust") principles developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants: security, availability, processing integrity, confidentiality and privacy, according to Howie.
"Privacy is a little bit of a misnomer, because it's not privacy of the customer's data," he said. Rather, it means the privacy of the cloud provider's customer, not the customers of the company that signs up for service.
To ensure the cloud provider's controls are adequate and working, SOC 2 requires an examination by an independent CPA firm. The resulting SOC 2 report contains detailed information about vulnerabilities and the environment as a whole. Those details often make cloud providers hesitant to let customers see the report, Howie said.

Ask providers relevant questions

Before choosing a cloud provider, companies need to ask prospective vendors some hard questions to ensure they'll stay on the right side of regulators. "It's about asking questions around what arrangements are going to be in place to protect your information … from the creation stage to the processing, the storage, the transmission and, of course, destruction," said Steve Durbin, global vice president of the Information Security Forum. Eventually, the contract with the provider will end, and organizations need to know what will happen to their data when that occurs, he added.
Other questions should include how secure the connection is, including whether a VPN is required to connect, and what the availability is, Durbin said. Companies also need to ask encryption-related questions, including whether the data needs to be encrypted, what facilities the cloud provider has to encrypt data and whether data should be encrypted before being transmitted to the cloud service, he added.
Physical security is also important, according to Mac McMillan, current chairman of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based IT security consulting firm CynergisTek. Questions should include how the cloud provider controls physical access and how systems are protected from other customers' data in colocation situations.
Finally, companies should check on the status of the cloud provider's insurance, McMillan said. For example, if there's a security breach, it's important to know if the provider will indemnify the customer and pay for the notifications, he said.

Beware the fine print during contract negotiations

The due diligence doesn't stop at the negotiating table. There is no one provision to include in the contract to maintain compliance in the cloud, but careful language can help limit liability, according to Robert Scott, managing partner at Southlake, Texas-based technology law firm Scott & Scott LLP.

"If you outsource to a third-party cloud service provider to handle or store personally identifiable, financial or healthcare information that's regulated in any way, the law has a non-delegable duty that you can't just outsource these legal responsibilities," Scott said. Even changes to payment card industry compliance standards, which now apply to third-party services, do not absolve enterprises of maintaining regulatory compliance in the cloud, he said.
Enterprises need to ensure that their cloud services providers agree to be bound by the same regulations that they are, Scott said. For financial institutions, that means adhering to regulations such as the Gramm-Leach-Bliley Act, for example.
One thing to be wary of in contracts is provisions where the cloud services provider asks the enterprise to agree to limit data breach liability, Scott cautioned. "Such a provision could work to significantly limit the availability of insurance and/or the ability to recover for privacy-related claims that result from a data breach," he said.
Contracts are always negotiable, and any reasonable cloud provider will be willing to negotiate with a customer regarding legitimate regulatory compliance, data security and privacy concerns, Scott said. "They're not going to be a successful cloud service provider without being sensitive to customer concerns in those areas," he said.
About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for SearchCRM.

Monday, October 21, 2013

Breaches: Holding Retailers Accountable


Vermont's Settlement with Merchant Could Set Bar for Others

October 10, 2013.
The Vermont Attorney General's $30,000 settlement with a breached retailer is significant because it demonstrates that states can play a role in holding retailers accountable for losses associated with card fraud, one banker says.
As a result of this case, more banking institutions may ask state attorneys general to conduct investigations after card fraud is linked to a retailer, says Marjorie Meadors, who oversees card fraud prevention for Louisville-based Republic Bank & Trust, a community bank with $3.2 billion in assets. That's because attorneys general enforce state laws, which may call for timely breach notification and establish security requirements, including compliance with the Payment Card Industry Data Security Standard.


Meadors says many banking institutions, including her own, usually report fraud incidents to local and federal law enforcement authorities, rather than state attorneys general. "Maybe we should pursue the breach angle with state agencies in the future," she says. "Some additional fines from the state agencies would further encourage smaller merchants to take a closer look at how they are updating their [point-of-sale] software."

Actions in Vermont

Last month, the Williston, Vt.-based grocery chain Natural Provisions agreed to pay a $15,000 fine to settle allegations that it failed to promptly notify customers of a breach dating back to 2012. Natural Provisions also agreed to spend $15,000 on security upgrades to its point-of-sale system.
According to Vermont Attorney General William Sorrell, Natural Provisions' lax security contributed to the breach that resulted in tens of thousands of dollars in fraud losses linked to compromised cards.
"When banks traced the fraud back to Natural Provisions, the store was informed that it was the likely source of the fraud," Sorrell states in a notice about the settlement. "Under Vermont law, a company must notify the attorney general within 14 days of the discovery of a breach, notify its customers within 45 days, and quickly take steps to remedy the breach. Natural Provisions failed to meet these standards. After it first obtained information that a security breach might have occurred at its store, it did not commence taking remedial action to resolve the security vulnerability for more than a month."
The attorney general's notice also notes: "Some consumers had their credit cards compromised, had cards reissued, and had the new cards compromised after use at Natural Provisions."
In the settlement with Natural Provisions, Sorrell claims the company failed to address, in a timely manner, security weaknesses that allowed its payments network to be compromised, and that an undetermined amount of card data was stolen.
Natural Provisions did not respond to Information Security Media Group's request for comment.
But Assistant Attorney General Ryan Kriger says the reason for the enforcement action from the state was Natural Provisions' failure to immediately fix the problem once it was brought to the store's attention.
"It took them more than a month to start taking any steps," Kriger tells Information Security Media Group. "They were notified and didn't take steps. We in the Attorney General's office didn't find out about it until even later than that."
Kriger says many small businesses struggle to maintain adequate POS security, and in Vermont the AG's office has worked with numerous businesses to assist them after a breach. In the case of Natural Provisions, however, so much time passed that the state felt enforcement action had to be taken, he says.
"Hopefully it will make other small businesses realize this is a serious matter," Kriger says. "As a small business, you need to be thinking about security; you need to have a plan in place; and you need to follow the law. ... State AGs are in the best position to enforce more security with these local businesses."

Vendors' Responsibilities?

Meadors of Republic Bank & Trust says breaches at smaller retailers, such as Natural Provisions, which processes approximately 5,500 payment card transactions per month, are relatively common. But it's not just the retailers that are to blame, she contends.

"Some [POS] software companies are not properly educating their merchants about the risk and the need to keep the software updated and patched," Meadors says.
"We have been told that often the software companies or their resellers are not sending out patches or updates, even when the merchants have paid for them. It will probably take some merchants bringing lawsuits against their software providers to get any action."
Another recent retailer breach, which was traced back to a POS software vulnerability, affected numerous small merchants in Kentucky and Indiana in early 2013. That software vulnerability led to a malware attack that exposed hundreds of debit and credit accounts in and around Louisville, Ky. (see Retailers Attacked by POS Malware).

Setting an Example

Dan Mitchell, a data security attorney for Maine-based Bernstein Shur, says Vermont's actions against Natural Provisions likely were meant to set an example.
"The interesting thing about this one is that the Vermont breach notification statute has a set deadline by which data breach notification has to be provided," Mitchell says. "There are only a handful of states that have a specific amount of time for notification. And Vermont only recently amended their breach notification statute in May 2012. Prior to that, they had similar requirements like other states that did not specify the 45-day rule."
Given the publicity this case has gotten, other states could soon follow Vermont's lead and amend their breach-notification statutes to include timelines as well, Mitchell says. "I don't think other states are going to look at this and say Vermont is being really strict and unrealistic."
The lesson for other merchants, or any entity that processes cardholder data, is that security has to be taken seriously, Mitchell adds. "If they are transacting data, then, regardless of size, they could potentially do a lot of harm if they are breached. They need to be secure."
David Navetta, who is the co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee, notes: "What is unique in this case is that it involves a relatively low-profile company. Many regulators are generally less aggressive with smaller organizations because they realize that some of these smaller companies face technical and resource challenges when it comes to security."

Wednesday, October 16, 2013

Unusual account behaviors, strange network patterns, unexplained configuration changes, and odd files on systems can all point to a potential breach

Top 15 Indicators Of Compromise
Ericka Chickowski

In the quest to detect data breaches more quickly, indicators of compromise can act as important breadcrumbs for security pros watching their IT environments. Unusual activity on the network or odd clues on systems can frequently help organizations spot attacker activity on systems more quickly so that they can either prevent an eventual breach from happening -- or at least stop it in its earliest stages. According to the experts, here are some key indicators of compromise to monitor (in no particular order):
1. Unusual Outbound Network Traffic
Perhaps one of the biggest telltale signs that something is amiss is when IT spots unusual traffic patterns leaving the network. "A common misperception is that traffic inside the network is secure," says Sam Erdheim, senior security strategist for AlgoSec. "Look for suspicious traffic leaving the network. It's not just about what comes into your network; it's about outbound traffic as well." Considering that keeping an attacker out of a network is difficult in the face of modern attacks, outbound indicators may be much easier to monitor, says Geoff Webb, director of solution strategy for NetIQ. "So the best approach is to watch for activity within the network and to look for traffic leaving your perimeter," he says. "Compromised systems will often call home to command-and-control servers, and this traffic may be visible before any real damage is done."

2. Anomalies In Privileged User Account Activity
The name of the game for a well-orchestrated attack is for attackers to either escalate privileges of accounts they've already compromised or to use that compromise to leapfrog into other accounts with higher privileges. Keeping tabs on unusual behavior from privileged accounts watches out not only for insider attacks but also for account takeover. "Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network," Webb says. "Watching for changes -- such as time of activity, systems accessed, type or volume of information accessed -- will provide early indication of a breach."

3. Geographical Irregularities
Whether through a privileged account or not, geographical irregularities in log-ins and access patterns can provide good evidence that attackers are pulling strings from far away. For example, traffic to or from countries that a company doesn't do business with offers reason for pause. "Connections to countries that a company would normally not be conducting business with [indicates] sensitive data could be siphoned to another country," says Dodi Glenn, director of security content management for ThreatTrack Security. Similarly, when one account logs in within a short period of time from different IPs around the world, that's a good indication of trouble. "As to data-breach clues, one of the most useful bits I've found is logs showing an account logging in from multiple IPs in a short time period, particularly when paired with geolocation tagging," says Benjamin Caudill, principal consultant for Rhino Security. "More often than not, this is a symptom of an attacker using a compromised set of credentials to log into confidential systems."

4. Other Log-In Red Flags
Log-in irregularities and failures can provide excellent clues of network and system probing by attackers. "Check for failed logins using user accounts that don't exist -- these often indicate someone is trying to guess a user's account credentials and gain authorization," says Scott Pierson, product specialist for Beachhead Solutions, explaining that unusual numbers of failed log-ins for existing accounts should also be a red flag. Similarly, attempted and successful log-in activity after hours can provide clues that it isn't really an employee who is accessing data. "If you see John in accounting logging onto the system after work hours and trying to access files for which he is not authorized, this bears investigation," says A.N. Ananth, CEO of EventTracker.

5. Swells In Database Read Volume
Once an attacker has made it into the crown jewels and seeks to exfiltrate information, there will be signs that someone has been mucking about in data stores. One of them is a spike in database read volume, says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks. "When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume, which will be way higher than you would normally see for reads on the credit card tables," he says.

6. HTML Response Sizes
Adams also says that if attackers use SQL injection to extract data through a Web application, the requests they issue will usually produce a larger HTML response size than a normal request. "For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB," he says.

7. Large Numbers Of Requests For The Same File
It takes a lot of trial and error to compromise a site -- attackers have to keep trying different exploits to find ones that stick. And when they find signs that an exploit might be successful, they'll frequently use different permutations to launch it. "So while the URL they are attacking will change on each request, the actual filename portion will probably stay the same," Adams says. "So you might see a single user or IP making 500 requests for 'join.php,' when normally a single IP or user would only request that page a few times max."

8. Mismatched Port-Application Traffic
Attackers often take advantage of obscure ports to get around simpler Web filtering techniques. So if an application is using an unusual port, it could be a sign of command-and-control traffic masquerading as "normal" application behavior. "We have noticed several instances of infected hosts sending C&C communications masked as DNS requests over port 80," says Tom Gorup, SOC analyst for Rook Consulting. "At first glance, these requests may appear to be standard DNS queries; however, it is not until you actually look at those queries that you see the traffic going across a nonstandard port."

9. Suspicious Registry Or System File Changes
One of the ways malware writers establish persistence within an infected host is through registry changes. "Creating a baseline is the most important part when dealing with registry-based IOCs," Gorup says. "Defining what a clean registry is supposed to contain essentially creates the filter against which you will compare your hosts. Monitoring and alerting on changes that deviate outside the bounds of the clean 'template' can drastically increase security team response time." Similarly, many attackers will leave behind signs that they've tampered with a host in system files and configurations, says Webb, who has seen organizations more quickly identify compromised systems by looking for these kinds of changes. "What can happen is that the attacker will install packet-sniffing software to harvest credit card data as it moves around the network," he says. "The attacker targets a system that can watch the network traffic, then installs the harvesting tool. While the chances of catching the specific harvesting tool are slim -- because they will be targeted and probably not seen before -- there is a good chance to catch the changes to the system that houses the harvesting tool."

10. DNS Request Anomalies
According to Wade Williamson, senior security analyst for Palo Alto Networks, one of the most effective red flags an organization can look for is the telltale pattern left by malicious DNS queries. "Command-and-control traffic is often the most important traffic to an attacker because it allows them ongoing management of the attack and it needs to be secure so that security professionals can't easily take it over," he says. "The unique patterns of this traffic can be recognized, and that is a very standard approach to identifying a compromise." Gorup agrees that DNS exfiltration can be "extremely loud." "Seeing a large spike in DNS requests from a specific host can serve as a good indicator of potentially suspect activity," he says. "Watching for patterns of DNS requests to external hosts, compared against geoIP and reputation data, and implementing appropriate filtering can help mitigate C&C over DNS."

11. Unexpected Patching Of Systems
Patching is generally a good thing, but if a system is inexplicably patched without reason, that could be the sign that an attacker is locking down a system so that other bad guys can't use it for other criminal activity. "Most attackers are in the business of making money from your data -- they certainly don't want to share the profits with anyone else," Webb says. "It sometimes does pay to look security gift horses in the mouth."

12. Mobile Device Profile Changes
As attackers migrate to mobile platforms, enterprises should keep an eye on unusual changes to mobile users' device settings. They also should watch for replacement of normal apps with hostile ones that can carry out man-in-the-middle attacks or trick users into giving up their enterprise credentials. "If a managed mobile device gains a new configuration profile that was not provided by the enterprise, this may indicate a compromise of the user's device and, from there, their enterprise credentials," says Dave Jevans, founder and CTO of Marble Security. "These hostile profiles can be installed on a device through a phishing or spear-phishing attack."

13. Bundles Of Data In The Wrong Places
According to EventTracker's Ananth, attackers frequently aggregate data at collection points in a system before attempting exfiltration. "If you suddenly see large gigabytes of information and data where they should not exist, particularly compressed in archive formats your company doesn't use, this is a telltale sign of an attack," he says. In general, files sitting around in unusual locations should be scrutinized because they can point to an impending breach, says Matthew Standart, director of threat intelligence at HBGary. "Files in odd places, like the root folder of the recycle bin, are hard to find looking through Windows, but easy and quick to find with a properly crafted Indicator of Compromise [search]," Standart says. "Executable files in the temp folder is another one, often used during privilege escalation, which rarely has a legitimate existence outside of attacker activity."

14. Web Traffic With Unhuman Behavior
Web traffic that doesn't match up with normal human behavior shouldn't pass the sniff test, says Andrew Brandt, director of threat research for Blue Coat. "How often do you open 20 or 30 browser windows to different sites simultaneously? Computers infected with a number of different click-fraud malware families may generate noisy volumes of Web traffic in short bursts," he says. "Or, for instance, on a corporate network with a locked-down software policy, where everyone is supposed to be using one type of browser, an analyst might see a Web session in which the user-agent string which identifies the browser to the Web server indicates the use of a browser that's far removed from the standard corporate image, or maybe a version that doesn't even exist."

15. Signs Of DDoS Activity
Distributed denial-of-service (DDoS) attacks are frequently used as smokescreens to camouflage other, more pernicious attacks. If an organization experiences signs of DDoS, such as slow network performance, unavailability of websites, firewall failover, or back-end systems working at max capacity for unknown reasons, it shouldn't just worry about those immediate problems. "In addition to overloading mainstream services, it is not unusual for DDoS attacks to overwhelm security reporting systems, such as IPS/IDS or SIEM solutions," says Ashley Stephenson, CEO at Corero Network Security. "This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity."

Five gardening tips to improve your vulnerability management program

I’m always gardening and looking for great plant deals at local nurseries or practical gardening tips in magazines and newspapers that I can apply to my garden, especially during these dog days of summer.
Recently, as I was browsing the Saturday newspaper for ‘end of season discounts’ at local nurseries, I came across an article about ‘tidying up’ your garden as the end of the growing season approaches.
As I was reading the article, I was struck by the similarities between these gardening tips and some common-sense security practices you can apply to your infrastructure.
Here’s a list of five gardening tips juxtaposed with my version of an ‘end of summer’ to-do list to tidy up your vulnerability management program. Judge for yourself:
Each tip is given first for your garden, then for your vulnerability management program.

1. Visit your garden
Garden: The best way to minimize garden problems is to catch them early. By getting out to the garden as often as possible, you can stop problems from becoming bigger.
Vulnerability management: Continuous log monitoring of critical applications, servers, infrastructure and network flows is the best way to catch and fix problems early, before they become compromises and result in lost data or resources.

2. Aggressively look for pests
Garden: While mother nature has her own ways of dealing with pests, looking under leaves and removing them by hand is a very effective way to target specific pests without harming the beneficials.
Vulnerability management: Malware can enter through many different access points and hide in locations that are difficult to detect and clean. Vulnerability scanning tools that correlate event data from critical assets, network activity and behavioral changes help security teams find well-hidden malware and remove the vulnerabilities it exploits with an appropriate remediation plan.

3. Remove diseased leaves and plants
Garden: One of the most effective ways of keeping plant diseases from spreading is to tackle existing problems. Cut, pull or remove parts that look diseased.
Vulnerability management: Malware can be kept from spreading through your infrastructure with endpoint management tools that remotely manage endpoints, harden them against future attacks and uninstall suspicious software.

4. Refresh your mulch
Garden: Over a short period, mulch breaks down and becomes less effective. Keep a 2- to 3-inch layer over the soil and it does wonders, from suppressing weed growth and keeping soil-borne disease off foliage to holding in moisture.
Vulnerability management: Over time, most security defenses need a refresh. Subscribing to threat intelligence feeds adds a layer of defense that keeps you current on the latest threats and lets you update your protections ahead of a wide variety of Internet threats. IPS virtual patching tools that receive regular updates provide that protective layer, holding back unwanted malware while safeguarding your data from leaving the organization.

5. Cut your losses
Garden: While some added attention now will reinvigorate plants, cut your losses and pull the ones beyond hope from your garden.
Vulnerability management: Older-generation security tools aren’t effective at protecting your organization from advanced threats and are difficult to maintain, requiring a significant investment in staff. Don’t be afraid to cut your losses and yank those obsolete tools from your environment. Reinvigorate with a security intelligence platform to optimize your infrastructure and make your defenses more proactive.
Taking proactive steps during these dog days of summer will provide just the encouragement you and your plants need to finish strong. This holds true for tidying up your vulnerability management program to ensure the security defenses are in place to protect the fruits of your labor.

Monday, October 14, 2013

Scammers bug Nordstrom registers with $40 devices to skim card data

A group of men boldly entered a Florida Nordstrom store and planted skimming devices on the retailer's registers, according to security journalist Brian Krebs, who publicized the scheme.
A team of three entered first with the mission of scoping the premises, taking photos of a register and removing its back panel. Then, a few hours later, a separate group of three installed keylogging devices.
According to Krebs, who obtained an alert on the incident from police in Aventura, Fla., the suspects were caught on Nordstrom surveillance cameras tampering with store registers.
The keyloggers used by the fraudsters can be easily obtained online for about $40, he revealed. Nordstrom discovered that six devices had been planted.
“These hardware keyloggers are essentially PS2 connectors that are about an inch in length,” Krebs wrote. “The tiny data storage devices are usually purple in color to match the color-coded standard for keyboards, and are made to be inserted between the male end of a PS2 keyboard connector and the female receptor on a computer.”
He later added that while the color and shape of the devices indicated they were designed to interface with keyboards, that detail didn't mean that scammers “can't steal data from a credit card reader,” with the devices.
“Many cash registers at retailers have PS2-based card readers, or connect the reader directly to the computer's keyboard,” Krebs explained.
In a Friday email, Brooke White, a Nordstrom spokeswoman, confirmed that devices were planted on its registers.
“We can confirm that we found and removed unauthorized devices on a small number of cash registers at our Nordstrom Aventura, Florida store,” she wrote. “We take this situation seriously and have been working closely with law enforcement and forensic experts to investigate this and understand any impact on our customers."
Chris Hague, managing consultant on the SpiderLabs research team at Trustwave, a Chicago-based firm that provides anti-cybercrime solutions, said on Friday that criminals have become more brazen over the years, sometimes opting to physically compromise businesses to overcome the other security measures in place.
“Retail merchants over the years have put in tremendous security to protect their devices from compromise,” Hague said. “So the next step [for criminals] is physical compromise. The one thing about skimmers themselves, which makes it really difficult for organizations to detect, is they really have no electronic component coded in – it's just a pass through where the data stream will [run] through the device to get recorded.”
Because an inline keylogger of this kind is a passive pass-through on the keyboard cable, nothing running on the register can see it; the practical controls are periodic physical inspection of register cabling, tamper-evident seals on connectors, and review of camera footage for the kind of back-panel access described above. Skimming cases occur most frequently on ATMs, Hague explained, where fraudsters can simply place a transparent overlay on top of the PIN pad that is usually inconspicuous to users.
In a different recent scam, con artists entered target establishments to carry out fraud. Crooks in London, who posed as IT engineers, allegedly waltzed right into Barclays and Santander bank locations to fit computers with keyboard video mouse (KVM) devices. The devices were meant to give them access to multiple computers in the organization's network – to monitor accounts, move money or do any manner of malicious feats.
London police were able to thwart the cyber heist on Santander, but Barclays reported a £1.3 million loss in April, equivalent to around $2 million, as a result of the incident.


Sunday, October 13, 2013

Tips for National Cyber Security Awareness Month
October is National Cyber Security Awareness Month, which means that this is the ideal time for your enterprise to: discover new best practices, educate your employees, enhance your network security technology, and focus on keeping your enterprise safe and successful.
To help you achieve these essential goals, we’re pleased to provide you with a new cyber security tip each day in October. You’ll find them added here on our blog and on our social media feeds. Be sure to check in daily, and share your best tips with us via Twitter @Seculert (use hashtag #NCSAM).

1. Train employees not to click on every link in their emails. Spear phishing attacks are on the increase.
2. It isn’t enough to keep your IT infrastructure up-to-date, the challenge is to manage this process properly.
3. Maximize firewall effectiveness by: activating web filtering, scanning logs and customizing settings. Here are some techniques.
4. Create a Cyber Security Plan that also addresses Detection and not just Prevention.
5. Don’t open email attachments from unknown sources.
6. Enable the encryption features on your smartphone. Here’s how.
7. Ensure that employees use unique strong passwords & change them every 3 months.
8. Set the Java security level to “High” or “Very High” or disable it altogether if you can. Article on Java related vulnerabilities.
9. Ensure that Wi-Fi networks are encrypted and hidden, and password-protect router access.
10. Audit the open ports on your network regularly and block unused ones.
11. Enable automatic updates on installed apps to ensure you receive important security updates when they are released.
12. Use a sandbox that mimics a device’s natural activity, i.e. keyboard input and mouse movements, to analyze malware.
13. Use full disk encryption on laptops as a best practice.
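Tip 10 (audit open ports and block the unused ones) only works against a written-down baseline of what each host is supposed to listen on, and the audit is the diff between that baseline and what is actually bound. The script below is an added example and not Seculert's; the `ss -tlnp` output is constructed for a hypothetical web server and the baseline is an assumption. It parses the listener table and reports ports the baseline does not know about, ports bound wider than the baseline allows (a database on 0.0.0.0 that should be loopback-only), and baseline ports that are not listening at all.

```python
import re

# Constructed `ss -tlnp` output from a hypothetical web server (not captured from a real host).
SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN  0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
LISTEN  0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1200,fd=7))
LISTEN  0      128    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
LISTEN  0      5      0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=31337,fd=3))
LISTEN  0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Baseline for this host: port -> where it may bind.  Anything else is a finding.
ALLOW = {22: "any", 80: "any", 443: "any", 3306: "loopback"}
LOOPBACK = {"127.0.0.1", "[::1]"}

LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(text):
    """(local address, port, process name) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def audit(listeners, allow=ALLOW):
    """Diff the listener table against the baseline."""
    unexpected, wrong_scope, seen = [], [], set()
    for addr, port, proc in listeners:
        seen.add(port)
        scope = allow.get(port)
        if scope is None:
            unexpected.append((port, addr, proc))
        elif scope == "loopback" and addr not in LOOPBACK:
            wrong_scope.append((port, addr, proc))
    missing = sorted(p for p in allow if p not in seen)   # drift in the other direction
    return {"unexpected": unexpected, "wrong_scope": wrong_scope, "missing": missing}


if __name__ == "__main__":
    report = audit(parse_listeners(SS_OUTPUT))
    for port, addr, proc in report["unexpected"]:
        print("not in baseline: %s:%d (%s)" % (addr, port, proc))
    for port, addr, proc in report["wrong_scope"]:
        print("bound too widely: %s:%d (%s)" % (addr, port, proc))
    for port in report["missing"]:
        print("baseline port not listening:", port)
```

Run the real thing with `ss -tlnp | python3 audit.py` on each host class with its own baseline; the process name is reported so that a finding like port 4444 owned by `nc` is immediately distinguishable from a service someone forgot to document.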


Banks Use Analytics to Detect Suspect Employee Behavior

OCT 9, 2013 1:33pm ET

Say you work for a large bank that has been embroiled in a crisis or scandal. In the discovery processes of the inevitable lawsuits that follow, investigators and lawyers (and in some cases, the U.S. Senate) find all manner of incriminating emails that the bank's risk and compliance departments did not know existed.
This scenario has occurred quite a bit in the aftermath of the mortgage crisis. A few classic examples from Standard & Poor's analysts — emails they wrote as they were inflating the ratings of worthless collateralized debt obligations — were made public by Rolling Stone magazine just this summer:
"Lord help our [expletive] scam … this has to be the stupidest place I have worked at," wrote one Standard & Poor's executive.
"As you know, I had difficulties explaining 'HOW' we got to those numbers since there is no science behind it," wrote a high-ranking S&P analyst.
"Let's hope we are all wealthy and retired by the time this house of card[s] falters," wrote another S&P executive.
Memorable gems. But you wouldn't want them discovered in your company.
Ten large U.S. and European banks are using natural language processing technology from Digital Reasoning — one of Bank Technology News' 'Top Ten Tech Companies to Watch for 2012' — to uncover such revealing documents before lawyers and examiners do.
The company launched six Proactive Compliance analytics products six months ago. The software is meant to find emails that reflect unethical behavior and violations of Dodd-Frank, anti-money laundering, Know Your Customer and other rules.
Some European banks use the software to analyze suspicious activity reports for signs of bribery. Other banks use it to find control room violations, to make sure their advisory services are clean, to keep insider information from leaking out of their organization, and to maintain the Chinese wall between trading and research.
Banks' current compliance solutions tend to focus on monitoring transactions and trade orders, Digital Reasoning executives say.
But much valuable information is buried not in transactions, but in emails, instant messages, Word documents, PowerPoint presentations and other forms of "unstructured data" (which basically means, any data not stored in a database).
Three large banks are using Proactive Compliance to catch employees who report that everything is fine but admit behind the scenes that disaster looms, in the manner of JPMorgan Chase's London Whale.
"All their internal systems were saying everything was good, but [trader Bruno Iksil] was busy communicating internally and externally about what he was doing and how he was doing it," says Stephen Epstein, vice president of product marketing at Digital Reasoning. "He was smart enough to conceal pieces of information he knew would be monitored. For instance, he didn't use the word 'portfolio' or 'basket' because those would trigger [compliance scrutiny]. He replaced them with words like 'umbrella.' Looking at the conversation, it was clear he was communicating about a transaction, and at the same time trying to conceal what he was doing in that transaction."
Banks tend to use keywords and lexicons to identify compliance violations in emails, Epstein says, which wouldn't pick up on such evasive messages.  
Digital Reasoning's software "reads" unstructured files using natural language processing technology and looks for patterns in communication. The user feeds examples of the type of behavior a company is looking for into a platform called Synthesys. An example might be, "Today I bought 1,000 shares of IBM for $20,000." Synthesys will try to find people who talked about similar things.
"If someone tries to replace the word 'basket' with 'umbrella,' Synthesys knows that's not what's important," Epstein says. "What's important is the activity — someone bought or sold something and there was a counterparty involved. There's an action — a fire sale. That's the structure it's looking for, not a lexicon or keyword." The software will also take note if certain keywords, like portfolio or basket, are not used. "That makes the conversation more suspicious, because the person didn't use the expected language."
What if a bank doesn't have many real-life examples of, say, bribery to feed into the engine?
Such innocents can upload hypothetical examples, Epstein says. "Most banks have an idea of what constitutes bribery," he says.
The software combs through the bank's communications and surfaces messages similar to those artificial examples; humans then review the results and mark the false positives.
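The distinction Epstein draws, matching the shape of a transaction rather than its vocabulary, can be made concrete with a small screener. What follows is an added example, not Digital Reasoning's software or any bank's filter; the lexicon, the action verbs, and the four messages are constructed. A keyword filter fires on any message containing a watch-listed word, which misses a trade described with the word "umbrella" and fires on a lunch note that mentions a basket. The structural check instead looks for an action, a quantity, an optional instrument, and separately a price and a counterparty, and it records when a message that has that shape avoids the expected words, which is exactly the signal the article describes as making a conversation more suspicious.

```python
import re

# What a lexicon-based filter looks for (assumed; a real bank's list is much longer).
LEXICON = {"portfolio", "basket", "position", "trade"}

# Structural pattern instead: an action, a quantity, optionally an instrument, and
# separately a price and a counterparty.  The instrument slot accepts anything, so
# "umbrella" in place of "basket" changes nothing.
ACTION_RE = re.compile(
    r"\b(bought|sold|purchased|dumped|unloaded|picked up|offloaded)\b\s+"
    r"(\d[\d,]*)\s*(shares|contracts|units|lots|mm|million)?"
    r"(?:\s+of\s+(?:the\s+)?([\w.&]+))?",
    re.IGNORECASE,
)
PRICE_RE = re.compile(r"\b(?:for|at)\s+\$?(\d[\d,.]*[kKmM]?)\b")
CPTY_RE = re.compile(r"\b(?:from|to|with)\s+([A-Z][\w&]+)")   # proper noun after from/to/with


def keyword_hit(msg):
    """What a lexicon filter would do."""
    return any(re.search(r"\b%s\b" % w, msg, re.IGNORECASE) for w in LEXICON)


def classify(msg):
    """Structure-first screening: is this a transaction, and does it avoid the
    words compliance would expect to see?"""
    hit = keyword_hit(msg)
    m = ACTION_RE.search(msg)
    if not m:
        return {"keyword": hit, "transaction": False, "avoids_lexicon": False}
    price, cpty = PRICE_RE.search(msg), CPTY_RE.search(msg)
    details = {
        "action": m.group(1).lower(),
        "qty": int(m.group(2).replace(",", "")),
        "unit": (m.group(3) or "").lower() or None,
        "instrument": m.group(4),
        "price": price.group(1) if price else None,
        "counterparty": cpty.group(1) if cpty else None,
    }
    return {"keyword": hit, "transaction": True, "avoids_lexicon": not hit, "details": details}


# Constructed messages, not from any bank.
SAMPLES = [
    "Today I bought 1,000 shares of IBM for $20,000.",
    "Unloaded 50mm of the umbrella to Goldman at 98.5 this morning, keep it quiet",
    "The umbrella stand by the door has my basket.",
    "Picked up 2,500 contracts from MorganStanley at 101, same position as last week",
]


def screen(messages):
    """Messages a keyword filter would pass but the structural check flags."""
    return [m for m in messages if classify(m)["transaction"] and not keyword_hit(m)]


if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg), "<-", msg)
    print("missed by keywords, caught by structure:", screen(SAMPLES))
```

The regular expressions stand in for the language model a product like Synthesys applies; what carries over is the design, a match on who did what to how much with whom, with the absence of expected vocabulary recorded as a feature rather than treated as a reason to stay quiet.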
Another use case for Digital Reasoning's compliance modules is Know Your Customer Enhanced Due Diligence, which requires banks to take additional steps to validate information provided by the customer, and/or conduct additional research and inquiry about the customer.
Many bank analysts handle this by conducting Google searches on high-risk entities and customers, Epstein says. For a bank with thousands of clients, it would be too time-consuming to research every customer every quarter, so they tend to do spot-check internet searches for signs a customer defaulted or received a negative comment.
Digital Reasoning is working with two banks to automate the EDD process for public reviews of entities. They upload their entire customer list to Synthesys and point it to public sources of data such as Yahoo Finance and Twitter, using search engines like Google and Bing.
The software builds a queryable "knowledge graph" of customers. An employee could ask to see everything publicly available about a customer, for instance. This could be output as a spider graph or a spreadsheet, or users can toggle between different views.
Digital Reasoning provides APIs to its software so that it can be used by other programs. "We're not in the business of building a dashboard or a case management system, we want to make this information available to other systems within the bank," Epstein says, such as risk management, marketing, and compliance.
The company's next set of solutions will be focused on revenue generation. For instance, one bank wants to mine voice data to flag conversations about large orders.

Thursday, October 10, 2013

NSA Cryptography Warning Does Not Impact PKWARE Security Software


When it comes to enterprise data security, it’s important to note that not all encryption algorithms are the same. As there are warnings about the strength of one encryption algorithm making headlines, we feel it’s important to make some distinctions about our own security software.
A crypto algorithm under scrutiny is not in use in PKWARE products. PKWARE does not use Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) in any of its products, including SecureZIP, vZip and Viivo. Dual_EC_DRBG is a random bit generator standardized in NIST SP 800-90A and shipped as the default generator in the BSAFE libraries from RSA, the Security Division of EMC; RSA has now warned its customers against using it. The concern is not that it encrypts weakly, since it is not a cipher at all, but that its output may be predictable to whoever chose its fixed parameters, and keys drawn from a predictable generator are weak no matter how strong the cipher they feed.
As the BBC reported: “RSA, the internet security firm, has warned customers not to use one of its own encryption algorithms after fears it can be unlocked by the NSA … The advice comes in the wake of New York Times allegations that the NSA may have intentionally introduced a flaw into the algorithm – known as Dual Elliptic Curve Deterministic Random Bit Generation – and then tried to get it adopted as a security standard by the US National Institute of Standards and Technology.”
There has been uncertainty over which security vendors are impacted by this warning, as InfoWorld security writer Roger Grimes noted this week. Moreover, there have been warnings about the use of Dual-EC that go back to 2006, as Johns Hopkins cryptographer and research professor Matthew Green points out.
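The weakness Green and others warned about is structural, and it can be shown at toy scale. The code below is an added illustration, not PKWARE, RSA or NIST code, and it runs on a made-up 14-bit curve with constants chosen only for size; the real generator uses NIST P-256 and two fixed points P and Q whose derivation was never published. Dual EC steps its state s by computing r = x(sP), the next state as x(rP), and the output as x(rQ) with the top bits dropped. If Q = eP for some e known to the parameter author, then d = e^-1 lets that author turn one output back into rQ (after guessing the dropped bits), multiply by d to obtain rP, and so learn the next state and every output after it. The example plays both sides: it generates five outputs, then recovers the state from the first four and predicts the fifth.

```python
from math import gcd

# Toy curve y^2 = x^3 + A*x + B over GF(P_MOD).  All constants are made up for size;
# the real generator runs on NIST P-256 with fixed points P and Q whose origin
# was never explained.  This is an added illustration, not PKWARE or RSA code.
P_MOD = 10007            # prime, P_MOD % 4 == 3 so sqrt(v) = v^((P_MOD+1)/4)
A, B = 2, 3
BITS = 14                # P_MOD < 2**14; the standard works on 256-bit coordinates
DROP = 2                 # top bits discarded from each output (the standard drops 16)
MASK = (1 << (BITS - DROP)) - 1


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def xcoord(pt):
    return 0 if pt is None else pt[0]


def lift_x(x):
    """A curve point with this x-coordinate, or None if there is none."""
    if x >= P_MOD:
        return None
    v = (x * x * x + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == v else None


def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


def make_params(e=4243):
    """P: first valid point; Q = e*P.  d = e^-1 mod ord(P) is the trapdoor."""
    P = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt)
    n = point_order(P)
    while gcd(e, n) != 1:
        e += 1
    return P, ec_mul(e, P), pow(e, -1, n)


def dual_ec_step(s, P, Q):
    """One round: r = x(sP); next state x(rP); output = truncated x(rQ)."""
    r = xcoord(ec_mul(s, P))
    return xcoord(ec_mul(r, P)), xcoord(ec_mul(r, Q)) & MASK


def generate(seed, P, Q, count):
    out, s = [], seed
    for _ in range(count):
        s, o = dual_ec_step(s, P, Q)
        out.append(o)
    return out


def recover_state(outputs, P, Q, d):
    """Rebuild the state that produced outputs[1:]: guess the dropped bits of
    x(rQ), lift to a point, multiply by d (d*rQ = d*e*r*P = rP, whose x is the
    next state), and keep the guess that replays the later outputs."""
    first, rest = outputs[0], outputs[1:]
    for hi in range(1 << DROP):
        pt = lift_x(first | (hi << (BITS - DROP)))
        if pt is None:
            continue
        s = xcoord(ec_mul(d, pt))
        if generate(s, P, Q, len(rest)) == rest:
            return s
    return None


def demo():
    """Trapdoor holder sees four outputs and predicts the fifth."""
    P, Q, d = make_params()
    seen = generate(1234, P, Q, 5)
    s = recover_state(seen[:4], P, Q, d)
    predicted = generate(s, P, Q, 4)[-1]
    return predicted, seen[4]


if __name__ == "__main__":
    predicted, actual = demo()
    print("predicted fifth output:", predicted, "actual:", actual)
```

With 16 dropped bits instead of two the attacker loops over 65,536 candidates rather than four, which is still trivial; nothing else changes. Whoever generated the standard's Q without publishing how can either hold such a d or not, and the algorithm gives no way to tell, which is why the only safe answer is not to use it, and why the relevant check for any product is which DRBG its libraries select by default.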
End-to-end encryption remains an invaluable, preferred resource for protecting your enterprise data from snoopers, hackers, breaches and end-user error. The strong encryption algorithms at the core of our solutions are in use by tens of thousands of organizations each day. We consistently review and certify all cryptographic libraries used by PKWARE products, and we will immediately inform customers if we discover any issues.
We have issued a technical advisory reinforcing the strength of our security solutions, a PDF of which you can find here. We’re open to discussions with businesses who are evaluating the best fit for their data security in light of the security warnings from RSA.