The Standard Cybersecurity Model Is Fundamentally Broken

By: sikur

Every year companies around the world invest hundreds of billions of dollars in cybersecurity products, services, and training—yet malware compromise and massive data breaches are still a regular occurrence. According to data from Cybersecurity Ventures, cybersecurity spending for the five years leading up to 2021 is expected to exceed $1 trillion—with a “T”—but the annual global losses from cyber attacks is expected to hit $6 trillion by the same year. Clearly, there is something fundamentally wrong with the standard model of cybersecurity.

Common Cybersecurity Strategy is Insane

The way companies approach cybersecurity is literally insane—at least according to the popular quote attributed to Albert Einstein: “The definition of insanity is doing the same thing over and over again and expecting different results.”

Imagine if your house was like the cybersecurity market. You invest thousands of dollars every year in the best tools and services to ensure it is safe and secure. You have cutting edge technology to detect burglars and prevent unauthorized access, and innovative solutions to prevent fires and guard against flooding. Now, imagine that every year your house gets broken into and all of your possessions stolen, and then it burns to the ground…and you start over and do it again. That is basically the prevailing model for cybersecurity.

Meanwhile, the cybersecurity industry as a whole right now seems to be perceived as a hot commodity. Companies that don’t traditionally operate in the security space are investing in the cybersecurity space and buying up industry-leading companies that are household names. Intel acquired McAfee (and eventually spun it back off), BlackBerry bought Cylance, and Broadcom has purchased both CA and—more recently—Symantec.

Many organizations try to throw money at the problem. They assume that if they just allocate more budget and purchase the right products and services, they will be secure. However, some of the largest and most expensive data breaches in history occurred at companies with significant investments in cybersecurity tools and platforms, and that have huge teams of cybersecurity experts and vast resources at their disposal.

In other words, cybersecurity is a very lucrative business, but buying more of it does not guarantee you will be secure. In fact, it often doesn’t actually deliver on its promise.

Redefining Cybersecurity

I recently had a chance to speak with Matt Moynahan, CEO of Forcepoint, about these issues. He told me that he is extremely concerned with the current state of the cybersecurity industry. “We’re talking about arguably one of the most important industries in the next millennium—where the consequences of failure range from terrorism to nation-state espionage—and the world’s largest cybersecurity company was just acquired by a Singapore chip maker.”

Moynahan stressed that one of the fundamental problems with cybersecurity today is that it is trying to solve for the wrong problem. At the very least, it is an outdated problem. The industry as a whole has been built on—and is still primarily driven by—point solutions designed to “keep people out.” It’s a model that assumes there is an “us” and a “them”, an “inside” and an “outside”—and then strives to ensure that malicious actors from the “them” and “outside” groups can be detected and blocked before they can compromise systems and data.

History—or the headlines on any given week—illustrates that this model is dysfunctional at best.

The core cybersecurity tools like firewalls and antimalware defenses are still necessary, but not necessarily something to spend too much money on. They are cybersecurity “table stakes” and serve a purpose to identify and block a majority of known threats, so they still have value. However, they are clearly not enough on their own.

Moynahan explained it in terms similar to my home analogy. “Imagine living in a bad neighborhood where you can never lock your door. That is your network.”

The new model of cybersecurity revolves around technologies like multifactor authentication, behavioral analytics, and deception technology. Multifactor, or two-factor, authentication raises the bar for gaining authorized access to systems and data in the first place and prevents attackers from slipping in with compromised or stolen credentials alone. Behavioral analysis and deception technology provide more comprehensive monitoring and protection based on the assumption that attackers will get through—that the “them” is “us” and they are already inside.

With that assumption, security becomes less about preventing unauthorized access and more about ensuring the activities of those who have access makes sense and don’t violate any policies. The reality is that most attacks—at the point where they are detected—are “inside” attacks, because whether they are performed by a disgruntled employee or an external attacker using stolen or compromised credentials, they appear to be from an “authorized” user from the perspective of the IT department.

Monitoring behavior is a more proactive and more effective means of detecting suspicious or malicious behavior. Bob may be an employee who is authorized to access employee data and company financial records, but Bob will also have a normal pattern of behavior that can be used to flag unusual activity. If Bob works normal business hours at an office in Tulsa, it’s easy to detect suspicious activity if he suddenly logs in from Tel Aviv at 3am on Saturday. If Bob generally accesses, but does not download, financial data, behavioral analysis can alert IT if Bob suddenly decides to download gigabytes of sensitive information.

By virtually any objective measurement, the traditional model of cybersecurity has failed. It doesn’t make any sense to simply continue pouring money into the next point solution and hope things will turn out differently. It’s time for organizations to recognize that the technology ecosystem and the threat landscape have evolved, and that a new approach is necessary for more effective cybersecurity.


By Tony Bradley

Source: https://www.forbes.com/sites/tonybradley/2019/10/07/the-standard-cybersecurity-model-is-fundamentally-broken/#171a1b111189

Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist

Facebook, WhatsApp Will Have to Share Messages With U.K.

By: sikur

By  and 

Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter.

The accord, which is set to be signed by next month, will compel social media firms to share information to support investigations into individuals suspected of serious criminal offenses including terrorism and pedophilia, the person said.

Priti Patel, the U.K.’s home secretary, has previously warned that Facebook’s plan to enable users to send end-to-end encrypted messages would benefit criminals, and called on social media firms to develop “back doors” to give intelligence agencies access to their messaging platforms.

“We oppose government attempts to build backdoors because they would undermine the privacy and security of our users everywhere,” Facebook said in a statement. “Government policies like the Cloud Act allow for companies to provide available information when we receive valid legal requests and do not require companies to build back doors.”

The U.K. and the U.S. have agreed not to investigate each other’s citizens as part of the deal, while the U.S. won’t be able to use information obtained from British firms in any cases carrying the death penalty.
Details of the accord were reported earlier by the Times.

— With assistance by Kurt Wagner

(Adds Facebook’s comment in fourth paragraph.)
Source: https://www.bloomberg.com/news/articles/2019-09-28/facebook-whatsapp-will-have-to-share-messages-with-u-k-police
Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist

Advanced Persistent Threat: What You Need to Know

By: Kevin Jones

Today, criminal organizations no longer attack corporations and businesses physically with weapons. Instead, they use computers and malware, aiming to steal vital information that can be used for malicious means. Professional cybercriminal organizations know what they are looking for and will find ways to get it. This is what makes an advanced persistent threat (APT) so scary.

What Is an Advanced Persistent Threat?

An advanced persistent threat is a cyberattack that is long-term, highly targeted, and continuous. An APT attack is organized and has a central objective. Many advanced persistent threats are sponsored, usually by governments or rival competitors, and are aimed at stealing vital information from their targets. The objective of an APT attack could range from surveillance and stealing trade secrets to taking control of a network and completely disabling it.

The Difference From an Ordinary Cyberattack

When comparing an APT attack from an ordinary cyberattack, one can see the huge difference in the scale and resources needed to operate the attack.

Many ordinary cyberattacks target entities with little to no cybersecurity and usually have short-term objectives, like stealing the personal information of clients and the financial activities of companies. Many ordinary cyberattacks are also neutralized by high-level cybersecurity, and regaining access becomes difficult.

An advanced persistent attack, on the other hand, target entities with high-level security, employing different methods of infiltration and taking years to search for vulnerabilities in their target’s system.

Advanced persistent attacks employ low-level cyberattacks, like whaling and injection attacks, to gain access to their target’s system but use personalized malware to remain within the network while evading cybersecurity.

More: https://hackercombat.com/advanced-persistent-threat-what-you-need-to-know/

Ataques cibernéticos causam prejuízos de US$ 45 bilhões em 2018

By: TI Inside Online

Cyber Incident & Breach Trends Report de 2018, divulgado pela Online Trust Alliance (OTA), traz dados alarmantes sobre ataques cibernéticos. Em 2018, os danos causados pelos cibercriminosos totalizaram US$ 45 bilhões. Cerca de 2 milhões de incidentes de segurança foram reportados. Em suma, o documento apresenta informações interessantes sobre violações de dados e ataques de ransomware, de DDoS e de Business Email Compromise (BEC), entre outras ameaças.

O relatório da OTA é baseado em estatísticas, dados e informações de várias empresas e organizações de segurança cibernética, incluindo o FBI e o Cybersecurity Ventures, por exemplo. Agora, vamos dar uma olhada nos principais pontos do documento.

Principais tópicos do Cyber Incident & Breach Trends Report

Violações de dados

O relatório aponta que cerca de 95% das violações no ano passado poderiam ter sido evitadas. Esse número é alarmante porque indica que as pessoas e as empresas não se preocuparam tanto com a segurança de dados e informações quanto deveriam. E não podemos esquecer que, no caso de um negócio, uma violação de dados pode ter efeitos devastadores, como comprometer a marca e a reputação da empresa.

Ransomware

Segundo o relatório, os danos provocados pelos ataques de ransomware aumentaram cerca de 60% em 2018. O impacto financeiro é estimado em US$ 8 bilhões. Em 2017, os ataques de ransomware causaram perdas de US$ 5 bilhões. Outra informação interessante aponta que o uso de ransomware para atacar empresas tem sido mais comum. Aumentou em cerca de 12% de 2017 para 2018. Esta é mais uma razão pela qual as empresas devem pensar cuidadosamente sobre as informações que manipulam.

BEC (Business Email Compromise)

Um dos pontos que merece atenção no relatório diz respeito aos golpes de Business Email Compromise (BEC) e de Email Account Compromise (EAC). Os danos provocados por este tipo de ataque quase dobraram de 2017 para 2018, foram de mais de US$ 600 milhões para mais de US$ 1 bilhão. O número de incidentes relatados envolvendo BEC e EAC também aumentou no mesmo período, de 16.000 casos para mais de 20.000 casos.

DDoS (Ataque de Negação de Serviço)

Lendo o relatório, fica claro que os ataques de DDoS (Distributed Denial-of-Service attack) ainda são muito utilizados pelos hackers. Em 2018, cerca de 150.000 incidentes envolvendo ataques DDoS foram relatados. No entanto, esse número representa uma redução de mais de 10% em relação a 2017.

Mais: https://tiinside.com.br/tiinside/seguranca/mercado-seguranca/19/08/2019

Compliance Is Not Security: Why You Need Cybersecurity Chops In The Boardroom

By: Frances Dewing

Cybersecurity is now a topic of discussion in every boardroom. A diligent director takes this risk, and their fiduciary duty around it, seriously. But the risk is complex and technical, and most boards don’t have a cybersecurity expert on the list of directors.

So instead, many boards have fallen into the trap of over-reliance on audits and compliance as a determination for whether the company has done its due diligence in preventing a cyber breach. Here’s why this is a problem:

1. Compliance is not security.

Compliance was meant to be a floor, but it has become a ceiling. Industry standard certifications and compliance frameworks (for example, HIPPA, PCI, ISO) are the bare minimum and intended to be generic. A framework can’t account for the nuances of your company operations and environment. These audits only look at a snapshot in time, not the ongoing state of your security. Your company could pass an audit, but a day later a vulnerability could be left unaddressed and your security compromised. I’ll say it again: Compliance is not security. The most cyber-resilient organizations are those that treat compliance as a baseline.

2. Security is a culture, not just a function.

I too often hear “cybersecurity is the CISO’s job.” Sure, the CISO may have functional oversight but the information security team can’t practically micromanage every person’s behavior in the company. Every person has to do their part. Your part might be just following protocol (for example, use unique passwords, don’t forward work documents to your personal device, don’t click links in emails). These small but important habits need to be built into your culture. Build a culture where everyone views security as their responsibility, and you’ll mitigate 90% of your risk.

More: https://www.forbes.com/sites/theyec/2019/08/15/compliance-is-not-security-why-you-need-cybersecurity-chops-in-the-boardroom/#53c16b8339b8

A security firm says it has discovered a flaw in WhatsApp that would allow hackers to alter your messages

By: Mary Hanbury

A cybersecurity firm has discovered a flaw in WhatsApp that allows hackers to intercept and manipulate messages — potentially changing the identity of a message sender or altering their text.

Attackers could literally “put words in [someone’s] mouth,” Israeli firm Check Point Research said in a press release on Wednesday. It added that this gives the attacker the power to “create and spread misinformation from what appear to be trusted sources.”

Check Point reversed WhatsApp’s encryption algorithm and decrypted the data. Once it did so, it was able to see all the parameters that are sent between the web and mobile version of WhatsApp and manipulate this data.

So, for example, if it wanted to change your message, it captures the outgoing message from WhatsApp, decrypts the data, changes it to whatever it wants it to say, and then encrypts it back.

More: https://www.businessinsider.com/whatsapp-flaw-could-allow-hackers-to-alter-your-messages-2019-8

Google Researchers Disclose PoCs for 4 Remotely Exploitable iOS Flaws

By: Wang Wei

Google’s cybersecurity researchers have finally disclosed details and proof-of-concept exploits for 4 out of 5 security vulnerabilities that could allow remote attackers to target Apple iOS devices just by sending a maliciously-crafted message over iMessage.

All the vulnerabilities, which required no user interaction, were responsibly reported to Apple by Samuel Groß and Natalie Silvanovich of Google Project Zero, which the company patched just last week with the release of the latest iOS 12.4 update.

Four of these vulnerabilities are “interactionless” use-after-free and memory corruption issues that could let remote attackers achieve arbitrary code execution on affected iOS devices.

However, researchers have yet released details and exploits for three of these four critical RCE vulnerabilities and kept one (CVE-2019-8641) private because the latest patch update did not completely address this issue.

The fifth vulnerability (CVE-2019-8646), an out-of-bounds read, can also be executed remotely by just sending a malformed message via iMessage. But instead of code execution, this bug allows an attacker to read the content of files stored on the victim’s iOS device through leaked memory.

Here below, you can find brief details, links to the security advisory, and PoC exploits for all four vulnerabilities:

More: https://thehackernews.com/2019/07/apple-ios-vulnerabilities.html?m=1

New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

By: Swati Khandelwal

android side channel attack

Earlier this month, The Hacker News covered a story on research revealing how over 1300 Android apps are collecting sensitive data even when users have explicitly denied the required permissions.

The research was primarily focused on how app developers abuse multiple ways around to collect location data, phone identifiers, and MAC addresses of their users by exploiting both covert and side channels.

Now, a separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone’s loudspeakers without requiring any device permission.

Abusing Android Accelerometer to Capture Loudspeaker Data

Dubbed Spearphone, the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions. An accelerometer is a motion sensor that lets apps monitor the movement of a device, such as tilt, shake, rotation, or swing, by measuring the time rate of change of velocity with respect to magnitude or direction.

android accelerometer speech reverberations

Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.

Discovered by a team of security researchers—Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena, Yingying Chen—the attack can be triggered when the victim either places a phone or video call on the speaker mode, or attempts to listen to a media file, or interacts with the smartphone assistant.

As a proof-of-concept, researchers created an Android app, which mimics the behavior of a malicious attacker, designed to record speech reverberations using the accelerometer and send captured data back to an attacker-controlled server.

More: https://thehackernews.com/2019/07/android-side-channel-attacks.html?m=1

25 Million Android Phones Infected With Malware That ‘Hides In WhatsApp’

By: Thomas Brewster

As many as 25 million Android phones have been hit with malware that replaces installed apps like WhatsApp with evil versions that serve up adverts, cybersecurity researchers warned Wednesday.

Dubbed Agent Smith, the malware abuses previously-known weaknesses in the Android operating system, making updating to the latest, patched version of Google’s operating system a priority, Israeli security company Check Point said.

Most victims are based in India, where as many as 15 million were infected. But there are more than 300,000 in the U.S., with another 137,000 in the U.K., making this one of the more severe threats to have hit Google’s operating system in recent memory.

The malware has spread via a third party app store 9apps.com, which is owned by China’s Alibaba, rather than the official Google Play store. Typically, such non-Google Play attacks focus on developing countries, making the hackers’ success in the U.S. and the U.K. more remarkable, Check Point said.

Whilst the replaced apps will serve up malicious ads, whoever’s behind the hacks could do worse, Check Point warned in a blog. “Due to its ability to hide it’s icon from the launcher and impersonates any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device,” the researchers wrote.

They said they’d warned Google and the relevant law enforcement agencies. Google hadn’t provided comment at the time of publication.

More: https://www.forbes.com/sites/thomasbrewster/2019/07/10/25-million-android-phones-infected-with-malware-that-hides-in-whatsapp/#1df131a94470

Hacker Heaven: Huawei’s Hidden Back Doors Found

By: Sydney J Freedberg jr

 

How do you find hundreds of vulnerabilities hidden in millions of lines of firmware code?

WASHINGTON: In a world where Chinese hackers steal everything from F-35 schematics to federal personnel files, why should we worry about Huawei? Because, cybersecurity experts explain, network routers, surveillance cameras and other widely sold devices from Huawei, Dahua, and other Chinese firms are riddled with vulnerabilities — flaws that are easy for attackers to exploit but hard for defenders to find, because they’re buried deep in what’s known as firmware.

Traditional computer security techniques, already fallible enough with regular software, don’t work at all on firmware, which is loaded onto a device when it’s built, runs in the background largely hidden from the user, and can only be updated by the original manufacturer. Most devices networked together in the Internet of Things (IoT), in fact, have too little memory to run security scanning software or anything else besides their purpose-built firmware. But, Finite State founder Matt Wyckhouse and ReFirm Labs co-founder Terry Dunlap told me in interviews, there are now ways to run an automated search through firmware files to find suspicious code.

What those automated watchdogs have found so far is disturbing. In a single 36-hour run, Finite State’s tool checked 1.5 million firmware files from 558 Huawei enterprise networking products — that’s just business systems, not consumer devices — and found the average device had 102 vulnerabilities, at least a quarter of them severe enough to let a hacker get full access easily. That’s much more than comparable Western products, Wyckhouse told me: “These are some of the worst devices we’ve ever tested.”

It’s not just Huawei, Dunlap told me. In 2017, his ReFirm Labs team — some of them, including Dunlap himself, ex-NSA hackers — found a backdoor in the firmware of a surveillance camera made by Dahua, similar to one they’d discovered a few years before in a Huawei router. And the backdoor had been opened: Once ReFirm told their client (a Fortune 500 firm which they won’t name) what to look for, the company’s network operators discovered their Dahua cameras had been sending data out a rarely-used port, right through the company’s firewall, to unknown IP addresses in China.

Dahua at first ignored ReFirm’s inquiries, then claimed the vulnerability was a simple error that had been fixed in the latest update. But when ReFirm looked through the updated firmware, they still found the same backdoor — just relocated in a different place in the code. (Huawei had done the same thing).

More: https://breakingdefense.com/2019/07/hunting-huaweis-hidden-back-doors/