Imminent threats

 

Q&A: The drivers behind the stark rise — and security implications — of ‘memory attacks’

By Byron V. Acohido

A distinctive class of hacking is rising to the fore and is being leveraged by threat actors to carry out deep, highly resilient intrusions of well-defended company networks.

Related: Memory hacking becomes a go-to tactic

These attacks are referred to in the security community as “fileless attacks” or “memory attacks.” The latter conveys a more precise picture: memory hacking refers to a broad set of practices, which can include fileless attacks, that constitute this go-deep form of network break-ins.

I had the chance at RSA 2019 to discuss memory hacking with Willy Leichter, vice president of marketing, and Shauntinez Jakab, director of product marketing, at Virsec, a San Jose-based supplier of advanced application security and memory protection technologies.

They walked me through how threat actors are cleverly slipping snippets of malicious code past perimeter defenses and then executing their payloads undetected while applications are live, running in process memory.

For a long time, memory hacking was the exclusive province of nation-state backed operatives. But over the past couple of years, memory attacks have come into regular use by common cybercriminals. Garden-variety threat actors are now leveraging memory hacking tools and techniques to gain footholds, move laterally and achieve persistence deep inside well-defended networks.

For a comprehensive drill down, please view the accompanying YouTube video of my full interview with Leichter and Jakab at RSA 2019’s broadcast alley. Here are excerpts, edited for clarity and length:

LW: Can you frame this new class of hacking? …more

MY TAKE: ‘Cyberthreat index’ shows SMBs recognize cyber risks — struggling to deal with them

By Byron V. Acohido

Small and midsize businesses — so-called SMBs — face an acute risk of sustaining a crippling cyberattack. This appears to be even more true today than it was when I began writing about business cyber risks at USA TODAY more than a decade ago.

Related: ‘Malvertising’ threat explained

However, one small positive step is that company decision makers today, at least, don’t have their heads in the sand. A recent survey of more than 1,000 senior execs and IT professionals, called the AppRiver Cyberthreat Index for Business Survey, showed a high level of awareness among SMB officials that a cyberattack represents a potentially devastating operational risk.

That said, it’s also clear that all too many SMBs remain ill-equipped to assess evolving cyber threats, much less effectively mitigate them. According to the Cyberthreat Index, 45 percent of all SMBs and 56 percent of large SMBs believe they are vulnerable to “imminent” threats of cybersecurity attacks.

Interestingly, 61 percent of all SMBs and 79 percent of large SMBs believe cyberhackers have more sophisticated technology at their disposal than the SMBs’ own cybersecurity resources.

“I often see a sizable gap between perceptions and reality among many SMB leaders,” Troy Gill, a senior security analyst at AppRiver, told me. “They don’t know what they don’t know, and this lack of preparedness often aids and abets cybercriminals.”

What’s distinctive about this index is that AppRiver plans to refresh it on a quarterly basis, going forward, thus sharing an instructive barometer showing how SMBs are faring against cyber exposures that will only continue to steadily evolve and intensify.

I had the chance at RSA 2019 to discuss the SMB security landscape at length with Gill. You can give a listen to the entire interview at this accompanying podcast. Here are key takeaways:

Sizable need

AppRiver is in the perfect position to deliver an SMB cyber risk index. The company got its start in 2002 in Gulf Breeze, Florida, as a two-man operation that set out to help small firms filter the early waves of email spam. It grew steadily into a supplier of cloud-enabled security and productivity services, and today has some 250 employees servicing 60,000 SMBs worldwide. …more

NEW TECH: How Semperis came to close a huge gap in Active Directory disaster preparedness

By Byron V. Acohido

In today’s complex IT environments, a million things can go wrong, though only a few systems touch everything.

Related: Why Active Directory is so heavily targeted

For companies running Microsoft Windows, one such touch-all system is Active Directory, or AD, the software that organizes and provides access to information across the breadth of Windows systems. Over 80 percent of recent headline-grabbing attacks have involved breaking into AD — the “keys to the kingdom” if you will.

Semperis is a security company, launched in 2014, that is entirely focused on AD – or, to put it more precisely, on delivering state-of-the-art AD cyber resilience, threat mitigation and rapid recovery from cyber breaches.

I had the chance at RSA 2019 to visit with Semperis CEO Mickey Bresman. He filled me in on how the company, based in the new World Trade Center in Lower Manhattan, got started; and I learned more about why Semperis is thriving. To hear our full conversation, please give the accompanying podcast a listen. Here are a few key takeaways:

The beginning

Active Directory is a critical part of a vast majority of enterprise networks; some 90 percent of all companies rely on AD. It holds the keys to pretty much everything in your company, as it stores all of the company’s user information. Downtime can result in loss of access to line-of-business applications, lost revenue and, in some cases, a complete organizational shutdown.

With so much at stake, it’s a marvel that AD disaster recovery protocol traditionally has been based on a 60-page white paper that needs to be manually followed. This clunky solution to a potentially catastrophic failure typically has required bringing in a specialist troubleshooter to get the company up and running again.

This, in fact, was the service Semperis set out to provide when it launched in 2014. At the time, most AD attacks were the work of a malicious insider. In one situation, prior to forming Semperis, Semperis co-founders parachuted into a live, unfolding disaster recovery assignment: …more

MY TAKE: Account hijackers follow small banks, credit unions over to mobile banking apps

By Byron V. Acohido

As long as cyber attacks continue, financial institutions will remain a prime target, for obvious reasons.

Related: OneSpan’s rebranding launch

Outside of giants JP Morgan, Bank of America, Citigroup, Wells Fargo and U.S. Bancorp, the remainder of the more than 10,000 U.S. firms is made up of community banks and regional credit unions.

These smaller institutions, much like the giants, are hustling to expand mobile banking services. Yet, they are much less well equipped to detect and repel cyber attackers, who are relentlessly seeking out and exploiting the fresh attack vectors spinning out of expansion of mobile banking.

I had the chance at RSA 2019 to discuss this war of attrition with Will LaSala, director of security services and security evangelist at OneSpan, a Chicago-based provider of anti-fraud, e-signature and digital identity solutions to 2,000 banks worldwide. The good news is that OneSpan and other security vendors are innovating to bring machine learning, data analytics and artificial intelligence to the front lines. For a drill down on our conversation, give a listen to the accompanying podcast. Key takeaways:

Shifting risks

We’ve seen a shift in bank fraud, especially for small banks and credit unions, over the past couple of years. In the not-so-distant past, banks dealt with online and account takeover fraud, where hackers stole passwords and used phishing scams to target specific individuals.

Now this fraud has moved into the mobile space because nearly every financial institution now has an app, changing the fraud landscape. Organizations like OneSpan now analyze bank fraud across the mobile app landscape, looking at areas like social engineering attacks, screen captures, or changing SIM cards, LaSala told me. …more

NEW TECH: CloudKnox takes aim at securing identity privileges for humans — and non-humans

By Byron V. Acohido

Companies are embracing hybrid cloud deployments like never before, mixing and matching on-premises IT systems with off-premises cloud services.

Related: Machine identities present wide open attack vector

To accomplish this, they must grant and manage access privileges to human identities: remote employees, third-party suppliers and far-flung customers.

Arguably even more vital is the granting of access privileges to thousands more non-human identities – the service accounts that connect modular coding components, like the microservices, software containers and APIs that make up the stretchable fabric of cloud services.

Without this provisioning of access privileges to human and non-human identities, hybrid cloud commerce would not be possible. And yet, somehow, hybrid deployments have gained wide adoption without fully accounting for an entire new tier of identity risks.

This exposure stems from companies losing track of identities and overprovisioning privileges. CloudKnox Security, a Sunnyvale, CA-based security vendor, launched last October, specifically to help companies more effectively manage human and non-human identity privileges in the brave new world of hybrid networks.

I had a chance at RSA 2019 to visit with company founder and CEO Balaji Parimi. For a drill down, give a listen to our full interview via the accompanying podcast. A few key takeaways:

Multiplying privileges

Remember the old problem of Microsoft shipping Windows server software with weak administrator passwords as the default? Take that systemic security weakness, put it on steroids, and you get a sense of the exposure lurking in identities today.

For instance, on the human side of things, Parimi informed me that there are 7,800 distinct privileges, or unique actions, granted to administrators across Amazon Web Services, Microsoft Azure, Google Cloud and VMware vSphere.

And then there are orders of magnitude more non-human identities to worry about. “With DevOps, when you check-in your code, it automatically gets built and created into production. All of this is done with a service account, …more

MY TAKE: Microsoft’s Active Directory lurks as a hackers’ gateway in enterprise networks

By Byron V. Acohido

Many of our online activities and behaviors rely on trust. From the consumer side, for example, we trust that the business is legitimate and will take care of the sensitive personal information we share with them. But that level of trust goes much deeper on the organizational side.

Related: The case for ‘zero-trust’ authentication

Employees are given credentials that allow them authorized access to corporate networks and databases. IT leadership has to trust that those credentials are used properly.

That need for trust also makes credentials one of the most difficult areas to secure. When someone is using the right user name and password combination to gain access, it is very difficult to tell if the user is legitimate or a bad guy. It is why credential theft has become a lucrative attack vector for cybercriminals, with credential stuffing attacks compromising billions of accounts last year.

Credential theft has led to a rise in attacks on a tool that’s pervasively used in companies running Microsoft Windows-based networks. That tool is Active Directory. And because Active Directory is an almost universally used tool in enterprise settings, it has, quite naturally, emerged as a favorite target of threat actors.

I had the chance to sit down with Rod Simmons, vice president of product strategy at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data, to discuss this at RSA 2019. For a full drill down, listen to the accompanying podcast. Key takeaways: …more

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

By Byron V. Acohido

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, LinkedIn, Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches end up?

This data gets collected and circulated in databases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained username and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that they would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords. …more