Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Imminent threats

 

MY TAKE: Account hijackers follow small banks, credit unions over to mobile banking apps

By Byron V. Acohido

As long as cyber attacks continue, financial institutions will remain a prime target, for obvious reasons.

Related: OneSpan’s rebranding launch

Outside of giants JP Morgan, Bank of America, Citigroup, Wells Fargo and U.S. Bancorp, the remainder of the more than 10,000 U.S. firms are comprised of community banks and regional credit unions.

These smaller institutions, much like the giants, are hustling to expand mobile banking services. Yet, they are much less well equipped to detect and repel cyber attackers, who are relentlessly seeking out and exploiting the fresh attack vectors spinning out of expansion of mobile banking.

I had the chance at RSA 2019 to discuss this war of attrition with Will LaSala, director of security services and security evangelist at OneSpan, a Chicago-based provider of anti-fraud, e-signature and digital identity solutions to 2,000 banks worldwide. The good news is that OneSpan and other security vendors are innovating to bring machine learning, data analytics and artificial intelligence to the front lines. For a drill down on our conversation, give a listen to the accompanying podcast. Key takeaways:

Shifting risks

We’ve seen a shift in bank fraud, especially for small banks and credit unions, over the past couple of years. In the not-so-distant past, banks dealt with online and account takeover fraud, where hackers stole passwords and used phishing scams to target specific individuals.

Now this fraud has moved into the mobile space because nearly every financial institution now has an app, changing the fraud landscape. Organizations like OneSpan now analyze bank fraud through the mobile app landscape through areas like social engineering attacks, screen captures, or changing SIM cards, LaSala told me. …more

NEW TECH: CloudKnox takes aim at securing identity privileges for humans — and non-humans

By Byron V. Acohido

Companies are embracing hybrid cloud deployments like never before, mixing and matching on-premises IT systems with off-premises cloud services.

Related: Machine identities present wide open attack vector

To accomplish this, they must grant and manage access privileges to human identities: remote employees, third-party suppliers and far-flung customers.

Arguably even more vital is the granting of access privileges to thousands more non-human identities – the service accounts that connect modular coding components, like the microservices, software containers and APIs that make up the stretchable fabric of cloud services.

Without this provisioning of access privileges to human and non-human identities, hybrid cloud commerce  would not be possible. And yet, somehow, hybrid deployments have gained wide adoption without fully accounting for an entire new tier of identity risks.

This exposure extends from companies losing track of identities and overprovisioning privileges.  CloudKnox Security, a Sunnyvale, CA-based security vendor, launched last October, specifically to help companies more effectively manage human and non-human identity privileges in the brave new world of hybrid networks.

I had a chance at RSA 2019 to visit with company founder and CEO Balaji Parimi. For a drill down, give a listen to our full interview via the accompanying podcast. A few key takeaways:

Multiplying privileges

Remember the old problem of Microsoft shipping Windows server software with weak administrator passwords as the default? Take that systemic security weakness, put it on steroids, and you get a sense of the exposure lurking in identities today.

For instance, on the human side of things, Parimi informed me that there are 7,800 distinct privileges, or unique actions—granted to administrators across Amazon Web Services, Microsoft Azure, Google Cloud and VMware vSphere.

And then there are magnitudes of order more non-human identities to worry about. “With DevOps, when you check-in your code, it automatically gets built and created into production. All of this is done with a service account, …more

MY TAKE: Microsoft’s Active Directory lurks as a hackers’ gateway in enterprise networks

By Byron V. Acohido

Many of our online activities and behaviors rely on trust. From the consumer side, for example, we trust that the business is legitimate and will take care of the sensitive personal information we share with them. But that level of trust goes much deeper on the organizational side.

Related: The case for ‘zero-trust’ authentication

Employees are given credentials that allow them authorized access to corporate networks and databases. IT leadership has to trust that those credentials are used properly.

That need for trust also make credentials one of the most difficult areas to secure. When someone is using the right user name and password combination to gain access, it is very difficult to tell if the user is legitimate or a bad guy. It is why credential theft has become a lucrative attack vector for cybercriminals, with credential stuffing attacks compromising billions of accounts last year.

Credential theft has led to a rise in attacks on tool that’s pervasively used in companies running Microsoft Windows-based networks. That tool is Active Directory. And because Active Directory is an almost universally-used tool in enterprise settings, it has, quite naturally, emerged as a favorite target of threat actors.

I had the chance to sit down with Rod Simmons, vice president of product strategy at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data, to discuss this at RSA 2019. For a full drill down, listen to the accompanying podcast. Key takeaways: …more

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

By Byron V. Acohido

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, Linked In,  Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches ends up?

This data gets collected and circulated in data bases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by  anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained usernames and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords. …more

MY TAKE: ‘Bashe’ attack theorizes a $200 billion ransomware raid using NSA-class cyber weapons

By Byron V. Acohido

A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.

Related: U.S. cyber foes exploit government shutdown

The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the  69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the NSA weapons, often referred to as “EternalBlue,” could be leveraged. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data. …more

Q&A: Here’s why robust ‘privileged access management’ has never been more vital

By Byron V. Acohido

Malicious intruders have long recognized that getting their hands on privileged credentials equates to possessing the keys to the kingdom. This is because privileged accounts are widely deployed all across modern business networks — on-premises, in the cloud, across DevOps environments and on endpoints.

Related: California enacts pioneering privacy law

However, lacking robust protection, privileged accounts, which are intended to give administrators the access they need to manage critical systems, can instead be manipulated to enable attackers to move laterally across an organization’s network.

In recognition of the significant security risks privileged accounts can pose, industry research firm Gartner recently released the first-ever Magic Quadrant for Privileged Access Management.1-

Last Watchdog asked Adam Bosnian, executive vice president at CyberArk – the company that pioneered the market – to put into context how much can be gained by prioritizing privilege in today’s dynamic, fast-evolving digital business landscape. Here are excerpts edited for clarity and length:

LW: Why is privileged access management so important?

Bosnian: Privileged access has become the fulcrum of the success or failure of advanced attacks. Nearly 100 percent of all advanced attacks involve the compromise of privileged credentials.

This is a mounting challenge for organizations because privileged accounts exist and ship in every single piece of technology, including servers, desktops, applications, databases, network devices and more.  …more

Q&A: Why emerging IoT platforms require the same leading-edge security as industrial controls

By Byron V. Acohido

The heyday of traditional corporate IT networks has come and gone.

In 2019, and moving ahead, look for legacy IT business networks to increasingly intersect with a new class of networks dedicated to controlling the operations of a IoT-enabled services of all types, including smart buildings, IoT-enabled healthcare services and driverless cars.

Related podcast: Why the golden age of cyber espionage is upon us

This coming wave of IoT networks, architected to carry out narrowly-focused tasks, will share much in common with the legacy operational technology, or OT, systems long deployed to run physical plants — such as Industrial Control Systems (ICS,)  Supervisory Control and Data Acquisition (SCADA ,) Data Control System (DCS,) and Programmable Logic Controller (PLC.)

The global cybersecurity community is keenly aware of these developments and earnest discussions are underway about how to deal with the attendant security exposures. This includes a rising debate about the efficacy of the Common Vulnerability Scoring System, or CVSS.  Initially introduced in 2005, CVSS is a framework for rating the severity of security vulnerabilities in software.

Last Watchdog recently sat down with a couple of senior executives at Radiflow, a Tel Aviv-based supplier of cybersecurity solutions for ICS and SCADA networks, to get their perspective about how NIST and ICS-CERT, the two main organizations for disclosing and rating vulnerabilities, are sometimes not aligned. Radiflow currently is conducting this survey to collect feedback from IT and OT professionals about the ramifications of this conflict.

Radiflow expects to release its survey findings in late January. This is not just another arcane tussle among nerdy IT professionals. New vulnerabilities and exposures are part and parcel of accelerating the deployment of vast distributed systems, fed by billions of IoT sensors. And they must be fully addressed if digital commerce is to reach its full potential. Here are excerpts of my discussion about this with Radiflow’s CEO Ilan Barda and CTO Yehonatan Kfir, edited for clarity and length:

LW: As we move forward with digital transformation and the Internet of Things, is it becoming more urgent to think about how we protect OT systems?

Barda: Yes. The risks are growing for two reasons. One is the fact that there are more and more of these kinds of OT networks, …more