Monday, July 28, 2014

Identifying Risk, or Finding a Needle in a Haystack

Newer regulations and industry standards are now mandating a risk-based approach to security, forcing many organizations to transition from a compliance check-box-driven approach to a more proactive, risk-based view of security.  Risk is made up of many factors such as compliance posture, threats, vulnerabilities, reachability, and business criticality.  For many years, businesses have focused on achieving compliance or taking preventive measures to strengthen their security posture in response to endless data breaches.  When an organization is focused on strengthening its compliance posture to pass an audit, it usually looks at control failures and gaps and tries to mitigate them.


On the road to risk management, a variety of factors must be taken into account to derive a holistic view and ensure the efficient alignment of resources for remediation actions.  In mid-sized organizations, dozens of regulations mandate thousands of controls, and security teams have to deal with hundreds of pages of findings that range from vulnerabilities and threats to incidents.  The emerging technology of big data risk management helps not only to aggregate compliance, threat, and vulnerability data but, more importantly, to correlate those data feeds with the business risk to the organization.

Building Blocks for a Proactive CyberSecurity Strategy

Over the past six months, cyber-attacks against financial organizations, government sites and critical infrastructure have escalated.  In early spring, financial institutions such as Wells Fargo, Bank of America and JP Morgan Chase were hit hard by cyber-attacks costing the organizations millions of dollars.  Last month, Homeland Security officials issued an ICS-CERT warning about attacks on critical infrastructure, urging U.S. companies, particularly chemical and energy companies, to take added measures to protect their systems.

Cybersecurity is now our responsibility because these attacks not only pose severe consequences for our government but also impact many of the private organizations that own our electric and cellular networks.  Under new regulations, the chairman of the Joint Chiefs is making changes to the U.S. military’s standing rules of engagement, which dictate when, how and with what tools America will respond to an attack.

The building blocks for a robust cybersecurity strategy are to trust no one, inspect and log all traffic, and ensure secure access to all important assets in the data center.  Compartmentalization, or network segmentation, is the key component of Zero Trust and is important for limiting the exposure to attacks.  Internal employees tend to be the weakest link when it comes to targeted attacks, but that has now been expanded to the ecosystem of partners, contractors and supply chains.


The reality is that a more robust cybersecurity strategy is needed, one that takes a comprehensive approach to malware mirroring the attacker’s lifecycle approach to infecting a network.  This means identifying all the traffic in which malware tends to hide and managing the unknown, in addition to virtual sandbox analysis.  The last piece of monitoring that’s needed is a reporting and logging system that can provide visibility into the network and enable proactive action if something suspicious is found.

Tuesday, May 13, 2014

Heartbleed Vulnerability Still Beating Strong

It’s only been one month since the Heartbleed vulnerability in OpenSSL became public, and still many organizations remain vulnerable.  According to Netcraft, only 43 percent of the company sites that were scanned had reissued their SSL certificates because of this bug, and many more sites are still susceptible.  They also noticed that seven percent of the reissued SSL certificates were reissued using the same private key, while fifty-seven percent of the sites took no action.

The Heartbleed vulnerability is due to certain versions of OpenSSL not properly handling Heartbeat extension packets; the end result is that remote attackers can steal sensitive information from process memory using specially crafted packets that cause a buffer over-read.  After the Heartbleed vulnerability broke, experts made it clear that the SSL keys needed to be replaced, not merely the certificates reissued.


Exploits have shown that private keys could be stolen from servers, and the stolen keys would allow websites to be impersonated and traffic to be decrypted.  Thousands of applications from companies such as IBM, Juniper, Cisco, Symantec, McAfee, and many more are vulnerable to Heartbleed behind their proxies and firewalls.
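The buffer over-read described above comes down to one missing comparison: the length field the peer puts in the heartbeat packet was trusted instead of being checked against the number of bytes actually received. The following simulation is an added example, not OpenSSL code. It lays out a heartbeat record in the RFC 6520 shape (type, two-byte payload length, payload, padding), places a constructed "adjacent memory" string after it, and shows a responder without the check echoing that adjacent memory while the hardened responder, which follows the shape of the fix, discards the malformed record.

```python
"""Added example (not OpenSSL code): a simulated TLS heartbeat responder in
the RFC 6520 record layout, first without and then with the bounds check
whose absence was CVE-2014-0160. The block of "adjacent process memory"
is constructed so the over-read stays inside a Python bytes object."""
import struct
from typing import Callable, Optional

HB_REQUEST = 1
HB_HDR = 3            # type (1 byte) + payload_length (2 bytes, big-endian)
HB_MIN_PADDING = 16   # RFC 6520: at least 16 bytes of random padding

# Constructed stand-in for whatever happened to sit next to the record buffer.
ADJACENT_SECRET = b"-----BEGIN RSA PRIVATE KEY-----"


def build_record(claimed_len: int, payload: bytes) -> bytes:
    """Heartbeat request whose length field claims claimed_len bytes, whatever
    the real payload size. A well-behaved peer sets claimed_len == len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * HB_MIN_PADDING


def make_arena(record: bytes) -> bytes:
    """The received record followed by unrelated memory."""
    return record + ADJACENT_SECRET


def respond_unchecked(arena: bytes, record_len: int) -> bytes:
    """Vulnerable pattern: copies as many bytes as the peer's length field
    says, never comparing it with record_len (the bug)."""
    _, claimed = struct.unpack("!BH", arena[:HB_HDR])
    return arena[HB_HDR:HB_HDR + claimed]


def respond_checked(arena: bytes, record_len: int) -> Optional[bytes]:
    """Hardened pattern, the shape of the fix: silently discard a record whose
    claimed payload plus header and minimum padding exceeds the bytes actually
    received, so the echo can only ever contain bytes inside the record."""
    if record_len < HB_HDR + HB_MIN_PADDING:
        return None
    _, claimed = struct.unpack("!BH", arena[:HB_HDR])
    if HB_HDR + claimed + HB_MIN_PADDING > record_len:
        return None
    return arena[HB_HDR:HB_HDR + claimed]


def leaks_adjacent_memory(handler: Callable[[bytes, int], Optional[bytes]],
                          claimed_len: int, payload: bytes = b"ping") -> bool:
    """True when the handler's reply contains bytes from outside the record."""
    record = build_record(claimed_len, payload)
    reply = handler(make_arena(record), len(record))
    return reply is not None and ADJACENT_SECRET[:8] in reply


if __name__ == "__main__":
    for name, handler in (("unchecked", respond_unchecked), ("checked", respond_checked)):
        print(f"{name}: honest request leaks={leaks_adjacent_memory(handler, 4)}, "
              f"oversized claim leaks={leaks_adjacent_memory(handler, 60)}")
```

The honest request (claimed length equal to the real payload) is answered identically by both responders; only the mismatched length field separates them, which is why a patched server is indistinguishable from an unpatched one until the length check is exercised, and why key replacement rather than certificate reissue was the advice.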

Thursday, February 20, 2014

Building Blocks For A Robust Cybersecurity Strategy

One of the unique considerations for cyber-attacks is identifying the avenues of attacks. While internal employees tend to be the weakest link when it comes to targeted attacks, cyber-attackers are also now looking at the extended ecosystem of partners, contractors and supply chains for alternative avenues of attack. Additional effort needs to be made to secure, control and safely enable the application access for these extended users.

Inspection and logging of all traffic also needs to extend to targeted, modern malware. The industry is moving toward piecemeal technologies that attempt to tackle this one attack component via virtual sandbox analysis. But, the reality is that a robust cybersecurity strategy requires a comprehensive approach to malware similar to an attacker’s lifecycle approach of infecting a network. This means identifying all traffic and how malware tends to hide (encryption, tunnels, evasive tactics), controlling risky applications and users, and managing the unknowns in addition to the virtual sandbox analysis.
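As an added example of the "identify all traffic and how malware hides" point made here and in the July post, the following script runs a few detection rules over firewall-style log lines: TLS on a port where it is not expected, TLS sessions with no server name, DNS queries whose first label is long and high-entropy (a common sign of tunnelling), and traffic the classifier could only label as unknown. This is not the post's or any vendor's code; the log format, every log line, the expected-port policy and the thresholds are constructed for the demonstration.

```python
"""Added example: flag traffic in which malware commonly hides (encrypted
sessions on odd ports, DNS tunnelling, unknown applications). The log
format and every log line below are constructed for this example; they
are not from any real firewall or from the original post."""
import math
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = [
    "2014-02-20T10:01:02 src=10.1.1.5 dst=93.184.216.34 dport=443 app=ssl sni=example.com bytes=1200",
    "2014-02-20T10:01:05 src=10.1.1.5 dst=198.51.100.7 dport=8443 app=ssl sni= bytes=50000",
    "2014-02-20T10:01:09 src=10.1.1.7 dst=192.0.2.53 dport=53 app=dns qname=aGVsbG8gd29ybGQ3NDkzMjg1.tunnel.example bytes=300",
    "2014-02-20T10:01:12 src=10.1.1.9 dst=203.0.113.10 dport=4444 app=unknown-tcp bytes=9000",
    "2014-02-20T10:01:15 src=10.1.1.7 dst=192.0.2.53 dport=53 app=dns qname=www.example.com bytes=80",
]

TLS_PORTS = {"443"}          # assumed policy: where TLS is expected on this network
TUNNEL_LABEL_MIN_LEN = 20    # assumed thresholds for the DNS tunnelling heuristic
TUNNEL_MIN_ENTROPY = 3.5     # bits per character; base64-like labels score above this


def parse_line(line: str) -> Dict[str, str]:
    """Timestamp followed by key=value fields; an empty value (sni=) stays empty."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the list of rule names the record trips (empty if none)."""
    reasons = []
    app = rec.get("app", "")
    if app == "ssl":
        if rec.get("dport") not in TLS_PORTS:
            reasons.append("tls-nonstandard-port")
        if not rec.get("sni"):
            reasons.append("tls-no-sni")
    if app == "dns":
        first_label = rec.get("qname", "").split(".")[0]
        if (len(first_label) >= TUNNEL_LABEL_MIN_LEN
                and shannon_entropy(first_label) >= TUNNEL_MIN_ENTROPY):
            reasons.append("dns-tunnel-suspect")
    if app.startswith("unknown-"):
        reasons.append("unknown-app")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, reasons) for every line that trips at least one rule."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        reasons = classify(parse_line(line))
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Each rule is deliberately cheap so it can run on every log line; the value is in the combination (an unknown application on an odd port from the same host that is also sending high-entropy DNS labels) rather than in any single hit, which is the visibility the post's "inspect and log all traffic" building block is after.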

In summary, the building blocks for a robust cybersecurity strategy are not uniquely different from the security requirements of a traditional enterprise. However, in most cases the attackers are more sinister and, more importantly, where there is an attack, the stakes and impact are much higher for all of us.

Wednesday, November 6, 2013

Researchers Discover Many iOS Apps Vulnerable to HTTP Request Hijacking

Researchers at mobile security vendor Skycure have discovered many iPhone apps are vulnerable to HTTP request hijacking attacks that could permit a hacker to use the app to load malicious content.

"While the problem is generic and can occur in any application that interacts with a server, the implications of HRH [HTTP request hijacking] for news and stock-exchange apps are particularly interesting," blogged Skycure CTO Yair Amit.  "It is commonplace for people to read the news through their smartphones and tablets, and trust what they read. If a victim’s app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phoney news supplied by the attacker’s server."

After testing a variety of high-profile apps, the firm found that many of them are vulnerable to the attack.  The problem centers on the impact of HTTP redirections.  The attack starts with a classic man-in-the-middle attack in which the vulnerable app sends a legitimate request to a server.  The request is captured by the attacker, who returns a 301 HTTP redirection to a server controlled by the attacker.  If the attack is successful, the 301 redirection issued by the attacker is kept in the app’s cache and changes its behavior: instead of retrieving data from its designated server, the app loads data from the attacker’s server even after the man-in-the-middle attack is over.

A 301 HTTP redirection could allow a malicious attacker to persistently alter and remotely control the way the application functions, without any reasonable way for the victim to know anything about it.
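The persistence comes from the client caching a permanent redirect without asking where it points. The following added example, which is not Skycure's code or any of the tested apps' code, contrasts a naive redirect cache that behaves as the post describes with one that only persists a 301 whose target is HTTPS and stays on a host the app was built to talk to. The feed URL, the trusted host name, the attacker host (attacker.invalid) and the request sequence are all constructed for the demonstration.

```python
"""Added example, not Skycure's code: a client-side redirect cache that
refuses to persist a 301 pointing away from the host the app was built
to talk to. All URLs and hosts below are constructed for the demo."""
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse


class NaiveRedirectCache:
    """Remembers every 301 target: the behaviour the post describes."""

    def __init__(self) -> None:
        self._cache: Dict[str, str] = {}

    def handle_response(self, request_url: str, status: int, location: Optional[str]) -> str:
        """Return the URL the client should fetch next, caching permanent redirects."""
        if status == 301 and location:
            self._cache[request_url] = location
            return location
        return request_url

    def resolve(self, request_url: str) -> str:
        """URL used on a later launch, after any cached redirect is applied."""
        return self._cache.get(request_url, request_url)


class PinnedRedirectCache(NaiveRedirectCache):
    """Hardened variant: a 301 is followed and cached only when its target is
    HTTPS and on a host the app trusts; any other redirect is ignored."""

    def __init__(self, allowed_hosts: Iterable[str]) -> None:
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)

    def _trusted(self, url: str) -> bool:
        parts = urlparse(url)
        return parts.scheme == "https" and parts.hostname in self.allowed_hosts

    def handle_response(self, request_url: str, status: int, location: Optional[str]) -> str:
        if status == 301 and location and not self._trusted(location):
            return request_url  # neither follow nor remember the redirect
        return super().handle_response(request_url, status, location)


# Constructed scenario: a cleartext feed URL, as in the vulnerable apps.
FEED_URL = "http://news.example.com/feed"
TRUSTED_HOSTS = ["news.example.com"]


def simulate_after_mitm(cache: NaiveRedirectCache) -> str:
    """One poisoned 301 during the man-in-the-middle window, then the URL the
    app uses on its next launch once the attacker is no longer on the path."""
    cache.handle_response(FEED_URL, 301, "http://attacker.invalid/feed")
    return cache.resolve(FEED_URL)


def simulate_legitimate_move(cache: NaiveRedirectCache) -> str:
    """A genuine permanent move to HTTPS on the same host should still be honoured."""
    cache.handle_response(FEED_URL, 301, "https://news.example.com/v2/feed")
    return cache.resolve(FEED_URL)


if __name__ == "__main__":
    print("naive after MITM :", simulate_after_mitm(NaiveRedirectCache()))
    print("pinned after MITM:", simulate_after_mitm(PinnedRedirectCache(TRUSTED_HOSTS)))
    print("pinned, real move:", simulate_legitimate_move(PinnedRedirectCache(TRUSTED_HOSTS)))
```

Pinning the host only limits the damage of a cached redirect; it does not stop the man-in-the-middle from serving arbitrary content during the attack window, which is why the underlying fix is to fetch the feed over HTTPS with certificate validation in the first place.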

Saturday, August 10, 2013

Blog Summary

Over the last ten weeks, I chose to blog on a variety of topics because I wanted to keep my readers abreast on different Information Security topics.  I didn’t want anyone to get bored by looking at the same material every week so I made a point to post information from a variety of websites.

The resources that I used for my blog came from a variety of websites such as McAfee Threat Intelligence, CNET Security and Privacy, and Identity Theft Resource Center.  These are just a few websites that I received information on for my blogs.  They had useful articles about a number of incidents that happened throughout the week in various parts of the world.  I wanted my readers to understand that cyber-attacks come in a variety of ways and platforms.

I believe this blog is useful to information security professionals because it keeps them abreast of the information that’s being put out to the public.  It also gives them the knowledge to understand where cyber-attacks are happening and how they can be prepared to stop them.  This can hopefully give them a foot ahead of the hackers.

The lessons that I learned while blogging are:

  • To make sure that your posts are of good length
  • To post information that will keep your audience interested
  • Post on good topics

Saturday, August 3, 2013

Android App Contains Windows Worm

There’s a curious case of an Android application on Google Play that contains traces of malware that poses no security danger to Android devices, but the application is dangerous to other mobile and PC platforms.  The virus is embedded inside the APK file.  McAfee Labs found a Windows worm called GenericMalware.og!ats that reproduces itself on network shares; a user could run the malicious program by opening the APK as a zip archive and executing the file inside.  This malware exists on every Android device that has installed the KFC WOW@25 Menu application.

When an application contains a malicious file, it is usually due to neglect on the part of the developer.  The developer possibly used outdated antimalware software and, without realizing that the computer was infected, ended up with a copy of the worm in the source tree.  From that point on, the worm was packaged, signed, and deployed to Google Play without the developer knowing about the infected file.  Even after the infected application is removed from Google Play, it still poses a risk to consumers.


When creating apps, developers should remember to secure their computers and maintain updated antimalware software, especially if they intend to distribute the app for others to use.
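Beyond keeping the build machine clean, a developer can check the package itself before signing and publishing it. Because an APK is a zip archive, the stray worm in the case above was simply an extra member with a Windows executable inside. The following added example, which is neither McAfee's nor Google's tooling, builds a minimal APK-shaped archive in memory (with and without a constructed stand-in for the stray binary) and reports any member that carries a Windows executable extension or starts with the PE/DOS "MZ" header.

```python
"""Added example, not McAfee's or Google's tooling: a pre-publication check
that walks an APK (a zip archive) and reports members that look like
Windows executables. The sample archive, including the fake PE member,
is constructed in memory here."""
import io
import zipfile
from typing import Dict, List

PE_MAGIC = b"MZ"                                    # DOS/PE header signature
WINDOWS_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".bat", ".vbs")


def build_sample_apk(include_stray_binary: bool) -> bytes:
    """Minimal APK-shaped zip; optionally adds a member with a PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("res/raw/menu.html", b"<html></html>")
        if include_stray_binary:
            # Constructed stand-in for a worm picked up from the build machine.
            z.writestr("assets/updater.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 64)
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> List[Dict[str, object]]:
    """One finding per member with a Windows executable extension or a PE
    header; an empty list means nothing of that kind was found."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(WINDOWS_EXTENSIONS):
                reasons.append("windows-executable-extension")
            with z.open(info) as member:           # check content, not just the name
                if member.read(len(PE_MAGIC)) == PE_MAGIC:
                    reasons.append("pe-header")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, stray in (("clean", False), ("infected", True)):
        print(label, scan_apk(build_sample_apk(stray)))
```

The content check matters more than the extension check: a worm dropped into an assets folder need not keep an .exe name, but a PE file has to start with the MZ header to run on Windows. This is a sanity check to run alongside, not instead of, an up-to-date antimalware scan of the build machine and the final package.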