
GUEST ESSAY: Why the hack of South Korea’s weapons, munitions systems was so predictable

By Pravin Kothari

The disclosure that malicious intruders hacked the computer systems of the South Korean government agency that oversees weapons and munitions acquisitions for the country’s military forces is not much of a surprise.

Related podcast: Evidence shows we’re in ‘Golden Age’ of cyber spying

The breach of some 30 computers of South Korea’s Defense Acquisition Program Administration (DAPA), which is part of the Ministry of National Defense, reportedly occurred last October. News reports this week indicate internal documents, including details of arms procurement for the country’s next-generation fighter aircraft, were pilfered from at least 10 of the hacked computers.

The hackers reportedly manipulated server software and succeeded in siphoning records from connected workstations. Though South Korean officials stopped short of blaming North Korea, the latter has a history of cyber spying on the former. In October 2017, for instance, South Korea accused North Korea of stealing the South Korean-U.S. war plans, including strategies to be implemented in event of collapsing diplomatic relations.


In many respects, this latest hack, though not specifically attributed, was very predictable. Even in times of detente, you would expect both China and North Korea to be vigorously banging on the cyber front door in South Korea. What’s surprising is that the South Korean data was so easily stolen and that the attackers were able to escalate permissions to administrator level access.

In today’s environment for commercial business, let alone government security and defense agencies, the de rigueur approach for cyber security necessarily includes end-to-end encryption, single sign-on, and two-factor authentication, at minimum.

End-to-end encrypted data, otherwise known as “edge” or Zero Trust encryption, assumes an attacker will eventually penetrate the network, but protects the data by keeping it encrypted at all times. That is, the data is protected with encryption while in the database and file stores, in use, in transit, through middleware, and through database and application APIs.

Finally, administrator access can be managed through ticketing systems that deeply authenticate the administrator, and then issue a one-time token for them to use to access the systems that require their attention. So each time an admin wants to use the power of their position, they are required to re-authenticate.

Unfortunately, none of these cyber defense best practices were in place in the South Korean defense department.

About the essayist: Pravin Kothari is chief executive officer of CipherCloud, which supplies CASB systems.



MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

By Byron V. Acohido

I have a Yahoo email account; I’ve shopped at Home Depot and Target; my father was in the military and had a security clearance, which included a dossier on his family, archived at the U.S. Office of Personnel Management; I’ve had insurance coverage from Premera Blue Cross; and I’ve stayed at the Marriott Marquis in San Francisco.

Related: Uber hack shows DevOps risk

The common denominator: All of those organizations have now disclosed massive data breaches over the span of the past five years.

On Friday, Starwood Properties, which merged with Marriott in 2016, disclosed as many as 500 million people who made reservations at their hotels may have had their personal information accessed in a breach that lasted as long as four years.

The Starwood hack appears to come in second in scale only to the 2013 Yahoo breach, which affected as many as 3 billion accounts, while a subsequent Yahoo breach also hit 500 million accounts.

The breach is rightly attracting attention of regulators in Europe and the United States. Marriott shares fell nearly 6 percent to $114.67 in Friday afternoon trading. Here’s a roundup of reaction from cybersecurity thought leaders: …more

New DigiCert poll shows companies taking monetary hits due to IoT-related security missteps

By Byron V. Acohido

Even as enterprises across the globe hustle to get their Internet of Things business models up and running, there is a sense of foreboding about a rising wave of IoT-related security exposures. And, in fact, IoT-related security incidents have already begun taking a toll at ill-prepared companies.

Related: How to hire an IoT botnet — for $20

That’s the upshot of an extensive survey commissioned by global TLS, PKI and IoT security solutions leader DigiCert. The 2018 State of IoT Security study polled 700 organizations in the US, UK, Germany, France and Japan and found IoT is well on its way to being woven into all facets of daily business operations. Meanwhile, IoT-related security incidents have already started to wreak havoc, according to study findings released today.

Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years. Losses include lost productivity, compliance penalties, lost reputation and stock price declines.

Carried out by ReRez Research, DigiCert’s poll queried senior officials at organizations in the fields of healthcare, industrial manufacturing, consumer products and transportation ranging in size from 999 to 10,000 employees. Some 83% of respondents indicated IoT is extremely important to their organization, while some 92% indicated IoT will be vital within two years.

Respondents cited operational efficiency, customer experience, revenue and business agility as their top IoT objectives; currently two-thirds are engaged with IoT, although only a third have completed implementing their IoT strategy.

“Enterprises today fully grasp the reality that the Internet of Things is upon us and will continue to revolutionize the way we live, work and recreate,” said Mike Nelson, vice president of IoT Security at DigiCert. “The companies with a good handle on things have discovered how to leverage robust authentication and encryption regimes to help maintain the integrity of their IoT systems.”

Tiered performances

What I found to be particularly instructive about this survey is that it sheds light on how IoT-related security incidents are playing out in the real world. A series of detailed questions were designed to parse differences between companies handling IoT well versus those struggling with IoT implementation.

Survey results were then divided into tiers; the top tier companies reported the least problems with IoT security issues, while the bottom tier organizations were much more likely to report difficulties mastering specific aspects of IoT security. …more

GUEST ESSAY: What your company should know about addressing Kubernetes security

By Gary Duan

Kubernetes is one of many key enabling technologies of digital transformation that has tended to remain obscure to non-technical company decision makers.

Related podcast: Securing software containers

Kubernetes is an administration console — an open source project from Google that makes containerized software applications easy to deploy, scale, and manage.

As beneficial as Kubernetes is for orchestrating containerized environments, a maturing set of security best practices must be adhered to for enterprises to ensure that their applications and data are as safe as possible from emerging vulnerabilities and exploits.

The most dangerous attacks on container environments will execute a “kill chain” of events – not striking all at once but instead through a sequence of lateral moves within the dynamic container environment to ultimately take over containers, attack Kubernetes services, or gain unauthorized access.

Attackers are shaping their attacks to take advantage of recently discovered vulnerabilities and systems which have not yet been patched or equipped to counter efforts to exploit them. In addition, the discovery of malicious ‘backdoors’ hidden in popular Docker images is another cause for concern.

Three recent examples illustrate this seemingly endless stream of vulnerabilities that attackers can leverage in a containerized environment: the Dirty Cow exploit, the Linux Stack Clash vulnerability, and the even more recently discovered CVE-2018-1002105 vulnerability in Kubernetes. Here’s how each inflicts damage: …more

Q&A: Here’s why robust ‘privileged access management’ has never been more vital

By Byron V. Acohido

Malicious intruders have long recognized that getting their hands on privileged credentials equates to possessing the keys to the kingdom. This is because privileged accounts are widely deployed all across modern business networks — on-premises, in the cloud, across DevOps environments and on endpoints.

Related: California enacts pioneering privacy law

However, lacking robust protection, privileged accounts, which are intended to give administrators the access they need to manage critical systems, can instead be manipulated to enable attackers to move laterally across an organization’s network.

In recognition of the significant security risks privileged accounts can pose, industry research firm Gartner recently released the first-ever Magic Quadrant for Privileged Access Management.

Last Watchdog asked Adam Bosnian, executive vice president at CyberArk – the company that pioneered the market – to put into context how much can be gained by prioritizing privilege in today’s dynamic, fast-evolving digital business landscape. Here are excerpts edited for clarity and length:

LW: Why is privileged access management so important?

Bosnian: Privileged access has become the fulcrum of the success or failure of advanced attacks. Nearly 100 percent of all advanced attacks involve the compromise of privileged credentials.

This is a mounting challenge for organizations because privileged accounts exist and ship in every single piece of technology, including servers, desktops, applications, databases, network devices and more. …more

Q&A: Why emerging IoT platforms require the same leading-edge security as industrial controls

By Byron V. Acohido

The heyday of traditional corporate IT networks has come and gone.

In 2019, and moving ahead, look for legacy IT business networks to increasingly intersect with a new class of networks dedicated to controlling the operations of IoT-enabled services of all types, including smart buildings, IoT-enabled healthcare services and driverless cars.

Related podcast: Why the golden age of cyber espionage is upon us

This coming wave of IoT networks, architected to carry out narrowly focused tasks, will share much in common with the legacy operational technology, or OT, systems long deployed to run physical plants — such as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Data Control Systems (DCS) and Programmable Logic Controllers (PLC).

The global cybersecurity community is keenly aware of these developments, and earnest discussions are underway about how to deal with the attendant security exposures. This includes a rising debate about the efficacy of the Common Vulnerability Scoring System, or CVSS. Initially introduced in 2005, CVSS is a framework for rating the severity of security vulnerabilities in software.

Last Watchdog recently sat down with a couple of senior executives at Radiflow, a Tel Aviv-based supplier of cybersecurity solutions for ICS and SCADA networks, to get their perspective about how NIST and ICS-CERT, the two main organizations for disclosing and rating vulnerabilities, are sometimes not aligned. Radiflow currently is conducting this survey to collect feedback from IT and OT professionals about the ramifications of this conflict.

Radiflow expects to release its survey findings in late January. This is not just another arcane tussle among nerdy IT professionals. New vulnerabilities and exposures are part and parcel of accelerating the deployment of vast distributed systems, fed by billions of IoT sensors. And they must be fully addressed if digital commerce is to reach its full potential. Here are excerpts of my discussion about this with Radiflow’s CEO Ilan Barda and CTO Yehonatan Kfir, edited for clarity and length:

LW: As we move forward with digital transformation and the Internet of Things, is it becoming more urgent to think about how we protect OT systems?

Barda: Yes. The risks are growing for two reasons. One is the fact that there are more and more of these kinds of OT networks, …more

Port Covington, MD re-emerges as ‘CyberTown, USA’ — ground zero for cybersecurity research

By Byron V. Acohido

When CyberTown, USA is fully built out, its backers envision it emerging as the world’s premier technology hub for cybersecurity and data science.

DataTribe, a Fulton, MD-based cybersecurity startup incubator, has been a key backer of this ambitious urban redevelopment project, which broke ground last October in Port Covington, MD, once a bustling train stop on the south side of Baltimore.

Related podcast: Enveil commercializes ‘homomorphic encryption’

The brainchild of Under Armour founder Kevin Plank, Goldman Sachs Urban Development Group and Weller Development, the Port Covington project also has the enthusiastic backing of the large population of cybersecurity companies already thriving in the Baltimore-Washington metropolitan area.

Rendering of completed Chapter 1B development of Port Covington. –Weller Development Company

When the 235-acre waterfront parcel opens for business at the end of 2020, a trio of anchor tenants — DataTribe, Silicon Valley-based cybersecurity venture capital firm AllegisCyber, and technology investment and corporate advisory firm Evergreen Adviser — expect to be joined by 25 to 30 cybersecurity firms, as well as retail and restaurant tenants.

DataTribe itself was co-founded in 2015 by a California venture capitalist, a former CIA officer and an ex-Navy SEAL. Its mission has been to seek out and assist government cyber specialists in a position to enter the private sector and build commercial cyber and data science companies. DataTribe recruits talent, then provides seed capital, mentoring, infrastructure and follow-on venture funding.

DataTribe co-founder Mike Janke, the ex-Navy SEAL, told Last Watchdog that Port Covington made sense because Maryland boasts a massive pool of nation-state trained cyber security engineering talent, and has long been the wellspring of pivotal data security and data science advances.

“With more than 100,000 cyber-related engineering and data science professionals, Maryland has the no. 1 cyber workforce in the world, and leads the US in cyber employment for classified nation-state jobs,” says Janke, a six-time company founder and CEO. “In today’s digital landscape, engineering talent is the new oil in the ground, and Maryland has the densest concentration of this new digital oil that you’ll find anywhere on the planet.”

Some 40 security-minded federal agencies are located in Maryland, including the National Security Agency, National Institute of Standards and Technology, Defense Information Systems Agency, Intelligence Advanced Research Projects Activity, USCYBERCOM, NASA and DoD Cyber Crime Center.

…more

GUEST ESSAY: The case for engaging in ‘threat hunting’ — and how to do it effectively

By Mike James

Modern cyber threats often are not obvious – in fact it is common for them to lurk inside a business’ systems for a long time without anyone noticing. This is referred to as ‘dwell time’, and a recent report from the Ponemon Institute indicates that the average dwell time is 191 days.

Related podcast: The re-emergence of SIEMs

In an ideal world there would be no dwell time at all, and threats would be identified before they can penetrate a business’ defenses. To achieve this for your organization, it is no longer enough to run reactive cyber security. It is essential that you invest in a proactive approach – that’s why you need to start threat hunting.

Seeking anomalous activity

Threat hunting is the practice of actively seeking out dangers to cyber security by detecting and eliminating new and emerging threats that are able to evade preventative controls such as firewalls and antivirus software.

It consists of actively looking for anomalous activity that has not been identified by existing tools and involves thorough, on-going analysis of data sources such as network traffic and server logs as well as web and email filter traffic.

Businesses that embrace threat hunting are likely to significantly reduce the dwell time of attacks, identify advanced threats that could otherwise be missed, and enhance security controls and processes. Effective threat hunting requires not only the right tools, but an advanced understanding of the latest tactics and techniques used by criminals. So, what do you need to get started? …more

GUEST ESSAY: Top cybersecurity developments that can be expected to fully play out in 2019

By Ofer Amitai

From a certain perspective, 2018 hasn’t been as dramatic a cybersecurity year as 2017, in that we haven’t seen as many global pandemics like WannaCry.

Related: WannaCry signals worse things to come.

Still, ransomware, zero-day exploits and phishing attacks were among the biggest threats facing IT security teams this year. 2018 has not been a dull year as far as breaches go. The cycle from exploit to discovery to weaponization has become shorter, and unfortunately, it has become more difficult to protect the enterprise network and the various devices connected to it.

In 2017, roughly 63% of organizations experienced an attempted ransomware attack, with 22% reporting these incidents occurred on a weekly basis. We expect to wind up with close statistics for 2018.

Here are a few trends I expect will dominate cyber security in 2019.

Security and Privacy Merge

Despite the fact that everyone is still trying to understand the new privacy landscape and perhaps because they haven’t fully grasped the new realities, everyone is paying attention. Perhaps it is our ever increasing focus on privacy in general and GDPR specifically.

Perhaps it is because so many organizations will be working long hours to adopt the compliance measures needed to protect privacy that we won’t see a major lawsuit against a company. All we know is that we have seen an increase in companies seeking NAC solutions to keep up with all the new compliance regulations, and it is very satisfying to hear that sigh of relief when a company has implemented its solution. …more