Sunday, October 22, 2017

Apple Releases Patch For 'Trident,' A Trio Of iOS 0-Days

Already rolled into the Pegasus spyware product and used to target social activists, the vulnerabilities are fixed in iOS 9.3.5.

Apple today released patches for a trio of iOS zero-day vulnerabilities that, when used together, enable an attacker to remotely and silently jailbreak a phone and install highly sophisticated spyware on it. The vulnerabilities, collectively called "Trident," are patched in iOS version 9.3.5.

They include:

CVE-2016-4655: memory corruption in WebKit
CVE-2016-4656: information leak in the kernel
CVE-2016-4657: kernel memory corruption leading to jailbreak

The discovery was made by Lookout and Citizen Lab, who worked with Apple on the patch before making the disclosure.

Citizen Lab was tipped off to the bugs first by United Arab Emirates-based human rights defender Ahmed Mansoor, who reported that he had received suspicious text messages.

Citizen Lab and Lookout investigated, and found that Mansoor -- who has been targeted by "lawful intercept malware" in the past -- was being targeted by Francisco Partners Management's Pegasus spyware product, which was now equipped to exploit this trio of undisclosed iOS zero-day vulnerabilities. For more information, see the blog at Lookout.


The Secret Behind the NSA Breach: Network Infrastructure Is the Next...

How the networking industry has fallen way behind in incorporating security measures to prevent exploits of ubiquitous routers, proxies, firewalls and switches.

Advanced attackers are targeting organizations’ first line of defense--their firewalls—and turning them into a gateway into the network for mounting a data breach. On August 13, the shady “Shadow Brokers” group published several firewall exploits as proof that they had a full trove of cyber weapons. Whether intended to drive up bids for their “Equation Group Cyber Weapons Auction” (since removed), or to threaten other nation states, the recent disclosure raises the question: if organizations can’t trust their own firewalls, then what can they trust? Does the cache of cyber weapons exposed by Shadow Brokers signal a shift in attack methods and targets? We analyzed the dump and found working exploits for Cisco ASA, Fortinet FortiGate and Juniper SRX (formerly NetScreen) firewalls.

The names of the exploits provided by the Shadow Brokers match the code names described in Edward Snowden’s 2013 revelations of NSA snooping. The exploit names are not the only link to the NSA.

By analyzing the implementation of a cryptographic function, researchers at Kaspersky have found the same encryption constant used in malware attributed to the Equation Group (Kaspersky’s nickname for the NSA) and in the Python code in the latest breach.

Cyber Attacks with a Side of EXTRABACON

Researching one of the Cisco ASA exploits (dubbed EXTRABACON) in our lab, we found that it’s a simple overflow using SNMP read access to the device.

The additional payload bundled with the exploit removes the password needed for SSH or telnet shell access, providing full control over the appliance.

The payload can also re-enable the original password to reduce the chance that the attacker will be detected. The Python code handles multiple device versions and patches the payload for the version at hand.

This hints at the volume of operations the group ran in the past, as the developers probably modified the exploit on a case-by-case basis. We ran the exploit against a supported version of a Cisco ASA in our lab multiple times and it didn’t crash once, showing the prowess of the exploit developers. Our attempt yielded a shell without password protection:

Networking Equipment in the Crosshairs

While the exploits themselves are interesting in their own right, no one is addressing the elephant in the room: attackers increasingly target network infrastructure, including security devices, as a means to infiltrate networks and maintain persistence. While the entire cybersecurity industry is focused on defending endpoints and servers, attackers have moved on to the next weak spot.

This advancement underscores the need to detect active network attackers because they can certainly—one way or another—penetrate any given network. Persisting and working from routers, proxies, firewalls or switches requires less effort than controlling endpoints; attackers don’t need to worry that an anti-virus agent will detect an unusual process, and networking devices are rarely updated or replaced. Most networks have the same routers and switches from a decade ago. Plus, few forensics tools are available to detect indicators of compromise on networking devices, and attackers can gain an excellent vantage point within the network. Network device vendors have fallen behind operating system vendors in terms of implementing stronger security measures.

A wide range of networking equipment still runs single-process operating systems without any exploit mitigation enabled (Cisco IOS, I’m looking at you) or exhibits the effects of little to no security quality assurance testing. In recent years, endpoint and mobile operating systems have incorporated security techniques such as address space layout randomization (ASLR), data execution prevention (DEP), sandboxes, and other methods that have made life harder for every exploit writer.

The affected networking devices provide none of these security mechanisms and it shows.

Not the First and Definitely Not the Last

The Equation Group breach is not the first example of highly capable attackers targeting network devices.

The threat actor behind last year’s Hacking Team breach leveraged a vulnerability in a VPN device to obtain full access to their internal network without any obstacles.

The attacker moved from the networking device to endpoints without using a single piece of malware, only taking what he needed from endpoints remotely or running well-known administrative tools.

This is a soft spot in every endpoint solution’s belly; a privileged attacker using credentials to access files is not considered malicious as long as he doesn’t use any malicious software. Notice that, as we have stated earlier, the attacker, quoted on Pastebin, opted for an embedded exploit and not the other options, stating that it’s the easiest one:

“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”
As always, nation state attacks are usually a step ahead of the entire industry on both the defensive and offensive sides. We will probably see the same methods employed by less sophisticated attackers as it becomes increasingly difficult to compromise endpoint devices and stay undetected. We have seen this happen before: cybercrime attackers stole techniques from the Equation Group, as well as from the Stuxnet, Flame and Regin malware and other APTs, and it will surely happen again with the Equation Group’s recently leaked exploits. In the meantime, here are four recommendations to help fortify network devices against attack:

Recommendation 1: Patch your network devices promptly. Replace network devices that have reached their end-of-support date.

Recommendation 2: Restrict access to device management addresses to the minimum required, and block any unneeded, seemingly benign protocols, including SNMP and NTP.

Recommendation 3: Manage your device passwords as you would your administrator accounts, by periodically changing your passwords and defining a different password for each device. Do not use a standard template for passwords. For example, the password Rout3rPassw0rd192.168.1.1 might seem strong, but after compromising one device, the attacker will know all of the passwords.

Recommendation 4: Deploy a network monitoring solution that can profile users and IP-connected devices to establish a baseline of normal behavior and then detect unusual activity originating from network devices. Attackers have no way of knowing what “normal” looks like for any given network, and network detection is the only generic way to stop attackers from compromising network devices.

Yoni Allon is responsible for leading the LightCyber research team in monitoring and researching cybercriminal and cyberwarfare actions and ensuring that the LightCyber Magna platform accurately finds these behaviors through its detectors and machine learning. Mr. Allon has ...
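Recommendation 3 above can be turned into a routine audit. The following is an added example, not part of the original article and not LightCyber tooling; it assumes an inventory of hostname, management address and password (constructed sample values) and flags the three patterns that betray a password template: a password that embeds the device's own identity, one password shared verbatim across devices, and different passwords that collapse to the same stem once the device-specific part is removed.

```python
"""Audit network device passwords for template reuse.

Added example, not LightCyber code: a per-device password built from one
template, such as Rout3rPassw0rd192.168.1.1, means that once an attacker
has recovered the password from one device, the passwords of all the
others follow.  This check takes a device inventory and reports the
patterns that betray such a template.  The inventory is constructed data.
"""
from collections import defaultdict

# Constructed sample inventory: hostname -> (management address, password).
SAMPLE_INVENTORY = {
    "core-rtr-1": ("192.168.1.1", "Rout3rPassw0rd192.168.1.1"),
    "core-rtr-2": ("192.168.1.2", "Rout3rPassw0rd192.168.1.2"),
    "edge-fw-1": ("10.0.0.1", "Rout3rPassw0rd10.0.0.1"),
    "dist-sw-1": ("10.0.1.5", "Sw1tchAdm1n-dist-sw-1"),
    "dist-sw-2": ("10.0.1.6", "hQ7#zLm2!pV9wE"),
    "dist-sw-3": ("10.0.1.7", "hQ7#zLm2!pV9wE"),
}

# A stem at least this long, shared by several devices, is treated as a template.
MIN_STEM_LEN = 8


def password_stem(hostname, address, password):
    """Strip the device's own hostname and address from its password.

    What remains is the part an attacker who recovered this password would
    reuse on the next device, with that device's name or address substituted.
    """
    return password.replace(address, "").replace(hostname, "")


def audit_passwords(inventory):
    """Return {finding: [hostnames]} for the three template patterns."""
    findings = {"embeds_identity": [], "shared_password": [], "shared_template": []}

    # 1. The password contains the device's own address or hostname.
    for host, (addr, pw) in inventory.items():
        if addr in pw or host in pw:
            findings["embeds_identity"].append(host)

    # 2. The identical password is configured on more than one device.
    by_password = defaultdict(list)
    for host, (_, pw) in inventory.items():
        by_password[pw].append(host)
    for hosts in by_password.values():
        if len(hosts) > 1:
            findings["shared_password"].extend(sorted(hosts))

    # 3. Different passwords that collapse to the same long stem once the
    #    device-specific part is removed: a template with a variable part.
    by_stem = defaultdict(list)
    for host, (addr, pw) in inventory.items():
        stem = password_stem(host, addr, pw)
        if len(stem) >= MIN_STEM_LEN:
            by_stem[stem].append(host)
    for hosts in by_stem.values():
        distinct_passwords = {inventory[h][1] for h in hosts}
        if len(hosts) > 1 and len(distinct_passwords) > 1:
            findings["shared_template"].extend(sorted(hosts))

    return findings


def report(inventory):
    """Human-readable summary: one line per finding type that fired."""
    lines = []
    for finding, hosts in audit_passwords(inventory).items():
        if hosts:
            lines.append(f"{finding}: {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

On the sample inventory the check reports the three routers and firewall that embed their own address, the switch that embeds its hostname, the two switches sharing one password, and the Rout3rPassw0rd stem shared by three devices; the one switch with an independent random password produces no finding. The stem comparison is deliberately exact: a real audit would also want to compare stems after stripping site codes or serial numbers, which is the same loop with a richer password_stem.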

Security Leadership & The Art Of Decision Making

What a classically-trained guitarist with a Master's Degree in counseling brings to the table as head of cybersecurity and privacy at one of the world's major healthcare organizations.

Bishop Fox’s Vincent Liu sat down recently with GE Healthcare Cybersecurity and Privacy General Manager Richard Seiersen in a wide-ranging chat about security decision making, how useful threat intelligence is, critical infrastructure, the Internet of Things, and his new book on measuring cybersecurity risk. We excerpt highlights below. You can read the full text here. Fourth in a series of interviews with cybersecurity experts by cybersecurity experts.

Vincent Liu: How has decision making played a part in your role as a security leader?

Richard Seiersen: Most prominently, it’s led me to the realization that we have more data than we think and need less than we think when managing risk. In fact, you can manage risk with nearly zero empirical data. In my new book “How to Measure Anything in Cybersecurity Risk,” we call this “sparse data analytics.” I also like to refer to it as “small data.” Sparse analytics are the foundation of our security analytics maturity model. The other end is what we term “prescriptive analytics.” When we assess risk with near zero empirical data, we still have data, which we call “beliefs.” Consider the example of threat modeling. When we threat model an architecture, we are also modeling our beliefs about threats. We can abstract this practice of modeling beliefs to examine a whole portfolio of risk as well. We take what limited empirical data we have and combine it with our subject matter experts’ beliefs to quickly comprehend risk.

VL: If you’re starting out as a leader, and you want to be more “decision” or “measurement” oriented, what would be a few first steps down this road?

RS: Remove the junk that prevents you from answering key questions. I prefer to circumvent highs, mediums, or lows of any sort, what we call in the book “useless decompositions.” Instead, I try to keep decisions to on-and-off choices. When you have too much variation, risk can be amplified. Most readers have probably heard of threat actor capability.

This can be decomposed into things like nation-state, organized crime, etc. We label these “useless decomposition” when used out of context. Juxtapose these to useful decompositions, which are based on observable evidence.

For example, “Have we or anyone else witnessed this vulnerability being exploited?” More to the point, what is the likelihood of this vulnerability being exploited in a given time frame? If you have zero evidence of exploitability anywhere, your degree of belief would be closer to zero. And when we talk about likelihood, we are really talking about probability. When real math enters the situation, most reactions are, “Where did you get your probability?” My answer is usually something like, “Where do you get your 4 on a 1-to-5 scale, or your ‘high’ on a low, medium, high, critical scale?” A percentage retains our uncertainty.
Scales are placebos that make you feel as if you have measured something when you actually haven’t. This type of risk management based on ordinal scales can be worse than doing nothing.

VL: My takeaway is the more straightforward and simple things are, the better. The more we can make a decision binary, the better. Take CVSS (Common Vulnerability Scoring System). You have several numbers that become an aggregate number that winds up devoid of context.

RS: The problem with CVSS is it contains so many useless decompositions.

The more we start adding in these ordinal scales, the more we enter this arbitrary gray area. When it comes to things like CVSS and OWASP, the problem also lies with how they do their math. Ordinal scales are not actually numbers. For example, let’s say I am a doctor in a burn unit. I can return home at night when the average burn intensity is less than 5 on a 1-to-10 ordinal scale. If I have three patients with burns that each rank a 1, 3, and 10 respectively, my average is less than a 5. Of course, I have one person nearing death, but it’s quitting time and I am out of there! That makes absolutely no sense, but it is exactly how most industry frameworks and vendors implement security risk management. This is a real problem. That approach falls flat when you scale out to managing portfolios of risk.

VL: How useful is threat intelligence, then?

RS: We have to ask—and not to be mystical here—what threat intelligence means. If you’re telling me it is an early warning system that lets me know a bad guy is trying to steal my shorts, that’s fine. It allows me to prepare myself and fortify my defenses (e.g., wear a belt) at a relatively sustainable cost. What I fear is that most threat intelligence data is probably very expensive, and oftentimes redundant noise.

VL: Where would you focus your energy then?

RS: For my money, I would focus on how I design, develop, and deploy products that persist and transmit or manage treasure.

Concentrate on the treasure; the bad guys have their eyes on it, and you should have your eyes directed there, too. This starts in design, and not enough of us who make products focus enough on design. Of course, if you are dealing with the integration of legacy “critical infrastructure”-based technology, you don’t always have the tabula rasa of design from scratch.

VL: You mean the integration of critical infrastructure with emerging Internet of Things technology, is that correct?

RS: Yes; we need to be thoughtful and incorporate the best design practices here. Also, due to the realities of legacy infrastructure, we need to consider the “testing in” of security. Ironically, practices like threat modeling can help us focus our testing efforts when it comes to legacy. I constantly find myself returning to concepts like the principle of least privilege, removing unnecessary software and services. In short, focusing on reducing attack surface where it counts most. Oldies, but goodies!

VL: When you’re installing an alarm system, you want to ensure it is properly set up before you worry about where you might be attacked. Reduce attack surface, implement secure design, execute secure deployments. Once you’ve finished those fundamentals, then consider the attackers’ origin.

RS: Exactly! As far as the industrial IoT (IIoT) or IoT is concerned, I have been considering the future of risk as it relates to economic drivers...

Connectivity, and hence attack surface, will naturally increase due to a multitude of economic drivers. That was true even when we lived in analog days before electricity. Now we have more devices, there are more users per device, and there are more application interactions per device per user. This is an exponential growth in attack surface.

VL: And the more attack surface signals more room for breach.

RS: As a security professional, I consider what it means to create a device with minimal attack surface but that plays well with others. I would like to add [that] threat awareness should be more pervasive individually and collectively. Minimal attack surface means less local functionality exposed to the bad guy and possibly less compute on the endpoint as well. Push things that change, and or need regular updates, to the cloud. Plays well with others means making services available for use and consumption; this can include monitoring from a security perspective.

These two goals seem at odds with one another. Necessity then becomes the mother of invention. There will be a flood of innovation coming from the security marketplace to address the future of breach caused by a massive growth in attack surface.

Richard Seiersen, General Manager of Cybersecurity and Privacy, GE Healthcare

PERSONALITY BYTES

First career interest: Originally a classical musician who transitioned into teaching music.

Start in security: My master’s degree capstone project was focused on decision analysis. It was through this study that I landed an internship at a company called TriNet, which was then a startup. My internship soon evolved into a risk management role with plenty of development and business intelligence.

Best decision-making advice for security leaders: Remove the junk that prevents you from answering key questions.

Most unusual academic credential: Earned a Master in Counseling with an emphasis on decision making ages ago. I focused on a framework that combined deep linguistics analysis with goal-setting to model effective decision making. You could call it “agile counseling” as opposed to open-ended soft counseling. More recently, I started a Master of Science in Predictive Analytics. My former degree has affected how I frame decisions and the latter brings in more math to address uncertainty. Together they are a powerful duo, particularly when you throw programming into the mix.

Number one priority since joining GE: A talent-first approach in building a global team that spans device to cloud security.

Bio: Richard Seiersen is a technology executive with nearly 20 years of experience in information security, risk management, and product development. Currently he is the general manager of cybersecurity and privacy for GE Healthcare. Richard now lives with his family of string players in the San Francisco Bay Area. In his limited spare time he is slowly working through his MS in predictive analytics at Northwestern. He should be done just in time to retire. He thinks that will be the perfect time to take up classical guitar again.

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...

Wildfire Ransomware Code Cracked – Unlock For Free

Wildfire ransomware has plagued victims in The Netherlands and Belgium (Image: McAfee Labs)

Victims of the Wildfire ransomware can get their encrypted files back without paying hackers for the privilege, after the No More Ransom initiative released a free decryption tool. No More Ransom runs a web portal that provides keys for unlocking files encrypted by various strains of ransomware, including Shade, Coinvault, Rannoh, Rakhni and, most recently, Wildfire. Aimed at helping ransomware victims retrieve their data, No More Ransom is a collaborative project between Europol, the Dutch National Police, Intel Security, and Kaspersky Lab.

Wildfire victims are served with a ransom note demanding payment of 1.5 Bitcoins -- the cryptocurrency favored by cybercriminals -- in exchange for unlocking the encrypted files. However, cybersecurity researchers from McAfee Labs, part of Intel Security, point out that the hackers behind Wildfire are open to negotiation, often accepting 0.5 Bitcoins as a payment. Most victims of the ransomware are located in the Netherlands and Belgium, with the malicious software spread through phishing emails aimed at Dutch speakers.

The email claims to be from a transport company and suggests that the target has missed a parcel delivery -- encouraging them to fill in a form to rearrange delivery for another date.
It's this form which drops Wildfire ransomware onto the victim's system and locks it down.

A spam email used to infect victims with Wildfire. Image: McAfee Labs

Researchers note that those behind Wildfire have "clearly put a lot of effort into making their spam mails look credible and very specific" - even adding the addresses of real businesses in The Netherlands - arousing suspicion that there are Dutch-speaking actors involved in the ransomware campaign. Working in partnership with law enforcement agencies, cybersecurity researchers were able to examine Wildfire's control server panel, which showed that in a one-month period the ransomware infected 5,309 systems and generated a revenue of 136 Bitcoins (€70,332). Researchers suggest that the malicious code -- which contains instructions not to infect Russian-speaking countries -- means Wildfire operates as part of a ransomware-as-a-service franchise, with software likely to be leased out by developers in Eastern Europe. Whoever is behind Wildfire, victims no longer need to pay a ransom in order to get their files back, with the decryptor tool now available to download for free from the No More Ransom site.

The tool contains 1,600 keys for Wildfire, and No More Ransom says more will be added in the near future.

Wildfire, the ransomware threat that takes Holland and Belgium hostage

While ransomware is a global threat, every now and then we see a variant that targets one specific region.

For example, the Coinvault malware had many infections in the Netherlands, because the authors posted malicious software on Usenet and Dutch people are particularly fond of downloading things over Usenet.

Another example is the recent Shade campaign, which targets mostly Russia and CIS. Today we can add a new one to the list: Wildfire.

Infection vector

Wildfire spreads through well-crafted spam e-mails.

A typical spam e-mail mentions that a transport company failed to deliver a package.
In order to schedule a new delivery the receiver is asked to make a new appointment, for which a form has to be filled in, which has to be downloaded from the website of the transport company. Three things stand out here.

First, the attackers registered a Dutch domain name, something we do not see very often.
Second, the e-mail is written in flawless Dutch.

And thirdly, they actually put the address of the targeted company in the e-mail.

This is something we do not see very often, and it makes it difficult for the average user to see that this is not a benign e-mail. However, when we look at who registered the domain name, we immediately see that something is suspicious: the registration date (a few days before the spam campaign started), as well as the administrative contact person, seem very suspicious.

The Word document

After the user downloads and opens the Word document, the following screen is shown:

Apparently the document has some macros, containing pieces of English text which clearly show the intent of the attackers (actually it is the lyrics of the famous Pink Floyd song Money), but also several variables in the Polish language.

The ransomware itself

The macros download and execute the actual Wildfire ransomware, which in the case we analyzed consists of the following three files:

Usiyykssl.exe
Ymkwhrrxoeo.png
Iesvxamvenagxehdoj.xml

The exe file is an obfuscated .NET executable that depends on the other two files.

This is very similar to the Zyklon ransomware, which also consists of three files.

Another similarity is that, according to some sources (http://www.bleepingcomputer.com/forums/t/611342/zyklon-locker-gnl-help-topic-locked-and-unlock-files-instructionshtml/, http://www.bleepingcomputer.com/forums/t/618641/wildfire-locker-help-topic-how-to-unlock-files-readme-6de99ef7c7-wflx/), Wildfire, GNLocker and Zyklon mainly target the Netherlands.
In addition, the ransom notes of Wildfire and Zyklon look quite similar.

Also note that Wildfire and Zyklon increase the amount you have to pay three-fold if you don’t pay within the specified amount of time. Anyway, back to Wildfire.

The binary is obfuscated, meaning that when there is no deobfuscator available reversing and analyzing it can take a lot of time.

Therefore we decided to run it and see what happens. Just as we hoped, this made things a bit easier, because after a while Usiyykssl.exe launched Regasm.exe, and when we looked into the memory of Regasm.exe, we clearly saw that some malicious code had been injected into it. Dumping it gave us the binary of the actual Wildfire malware. Unfortunately for us, this binary is also obfuscated, this time with ConfuserEx 0.6.0.

Even though it is possible to deobfuscate binaries obfuscated with ConfuserEx, we decided to skip that for now. Why? Well, it takes a bit of time, and because by working together with the police on this case we had something much better in our hands: the botnetpanel code!

Inside the botnetpanel code

When you are infected with Wildfire, the malware calls home to the C2 server, where information such as the IP, username, rid and country is stored.

The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova).
It also checks whether the “rid” exists within a statically defined array (we therefore expect the rid to be an affiliate ID). If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won’t get infected. Each time the malware calls home, a new key is generated and added to the existing list of keys.

The same victim can thus have multiple keys.

Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim’s computer are encrypted. We don’t quite understand why a victim can have multiple keys, especially since the victim only has one bitcoin address.

Also interesting is the encryption scheme. It uses AES in CBC mode, but the key and the IV are both derived from the same key. This doesn’t add much security and defeats the sole purpose of having an IV in the first place.

Conclusion

Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5700 infections and 236 users paid a total amount of almost 70,000 euro. This is also due to the fact that the spam e-mails are getting better and better. We therefore advise users to:

Be very suspicious when opening e-mails;
Don’t enable Word macros;
Always keep your software up-to-date;
Turn on Windows file extensions;
Create offline backups (or online backups with unlimited revisions);
Turn on the behavioral analyzer of your AV.

A decryption tool for Wildfire can be downloaded from the nomoreransom.org website.

P.S. the attackers agree with us on some points:
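The IV weakness noted in the Wildfire analysis above is easy to see in action. The following is an added example, not Wildfire's code and not Kaspersky's analysis tooling: it substitutes a small hash-based Feistel block cipher for AES so that it runs on the Python standard library alone, and it assumes, purely for illustration, that the IV is SHA-256 of the key truncated to one block (the post does not state Wildfire's exact derivation). The conclusion transfers to AES-CBC unchanged: a key-derived IV makes encryption under a given key deterministic, so two files with the same leading bytes produce identical leading ciphertext blocks, whereas a fresh random IV per file hides that relationship.

```python
"""Why a CBC IV derived from the key defeats the IV.

Added example, not Wildfire's code or Kaspersky's.  AES is replaced by a
small hash-based Feistel block cipher so that this runs on the standard
library alone; the IV derivation (SHA-256 of the key, truncated to one
block) is an assumption for illustration, since the post does not state
Wildfire's exact formula.  Sample documents and key are constructed.
"""
import hashlib
import os

BLOCK = 16   # block size in bytes: two 8-byte Feistel halves
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    """Feistel round function: keyed hash of one half, truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 128-bit block cipher standing in for AES (a permutation, like AES)."""
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def _pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    return data[:-data[-1]]


def cbc_encrypt(key, iv, plaintext):
    data, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        c = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def derive_iv(key):
    """Assumed key-derived IV, as in the scheme described above: a function of
    the key alone, so every file encrypted under this key gets the same IV."""
    return hashlib.sha256(b"iv" + key).digest()[:BLOCK]


def encrypt_iv_from_key(key, plaintext):
    return cbc_encrypt(key, derive_iv(key), plaintext)


def decrypt_iv_from_key(key, ciphertext):
    return cbc_decrypt(key, derive_iv(key), ciphertext)


def encrypt_random_iv(key, plaintext):
    """Correct CBC usage: a fresh random IV per message, stored in front."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_random_iv(key, blob):
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def shared_leading_blocks(ct1, ct2):
    """How many leading ciphertext blocks two ciphertexts have in common."""
    n = 0
    for i in range(0, min(len(ct1), len(ct2)), BLOCK):
        if ct1[i:i + BLOCK] != ct2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample: two documents with the same 32-byte header, then different.
HEADER = b"%PDF-1.4 constructed-sample-hdr-"
DOC_A = HEADER + b"quarterly report, confidential"
DOC_B = HEADER + b"unrelated invoice, public copy"
KEY = b"constructed-demo-key"


def demo():
    """Return (shared blocks with key-derived IV, shared blocks with random IV)."""
    fixed = shared_leading_blocks(encrypt_iv_from_key(KEY, DOC_A),
                                  encrypt_iv_from_key(KEY, DOC_B))
    fresh = shared_leading_blocks(encrypt_random_iv(KEY, DOC_A)[BLOCK:],
                                  encrypt_random_iv(KEY, DOC_B)[BLOCK:])
    return fixed, fresh


if __name__ == "__main__":
    fixed, fresh = demo()
    print("key-derived IV: %d leading blocks identical" % fixed)
    print("random IV:      %d leading blocks identical" % fresh)
```

With the key-derived IV the two sample documents share their first two ciphertext blocks (the common 32-byte header), and encrypting the same file twice gives byte-identical output, so anyone holding the encrypted files can tell which ones share a header or are duplicates without any key. With a random IV per file neither relationship is visible. This is the sense in which the post says the scheme "defeats the sole purpose of having an IV".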

Meet The 2016 PWNIE Award Winners

Contest celebrating the best and worst in information security celebrates its 10th year.

The PWNIE Awards turned 10 years old this year and perhaps the most surprising thing was that nobody won for Epic Fail for 2016.

Could it be that it was just too hard to top the Office of Personnel Management (OPM) hack of last year? Hard to say, but the award winners this year range from the best in security research out of the IEEE to the whimsy of the Best Song category. Here's a look at this year’s winners as well as links to their research.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

How Bitcoin Helped Fuel An Explosion In Ransomware Attacks

More often than not, hackers will demand a ransom payment be made in Bitcoin Image: Proofpoint Ransomware is booming. Be it Locky, CryptXXX or one of the countless other variants of the data-encrypting malware, cybercriminals are making hundreds of th...

Threat intelligence report for the telecommunications industry

Introduction

The telecommunications industry keeps the world connected.

Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data.

This makes them a top target for cyber-attack. According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before.

Telecoms providers need to arm themselves against this growing risk. In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples. Our insight draws on a range of sources.

These include:

The latest telecoms security research by Kaspersky Lab experts.
Kaspersky Lab monitoring systems, such as the cloud antivirus platform, Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems, including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware.
Underground forums and communities.
Centralized, specialized security monitoring systems (such as Shodan).
Threat bulletins and attack reports.
Newsfeed aggregation and analysis tools.

Threat intelligence is now a vital weapon in the fight against cyber-attack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly. We can provide more detailed sector and company-specific intelligence on these and other threats.

For more information on our Threat Intelligence Reporting services please email intelligence@kaspersky.com.

Executive summary

Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers.

The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in terms of complexity or scale that places new demands on telecoms companies. These threats include:

Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets.

Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit.

They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.

The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.

Compromising subscribers with social engineering, phishing or malware.

These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns.

Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.

Insider threat is growing.

Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime.
Some insiders help voluntarily, others are coerced through blackmail.
Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.

Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.

Typical threats targeting telecoms

Overview

We can divide the main threats facing the telecommunications industry into two interrelated categories:

Threats targeting telecommunication companies directly.

These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.

Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs).

These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.

Threats directed at telecoms companies

DDoS

DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. Kaspersky Lab’s DDoS intelligence report for Q2 2016 notes that websites in 70 countries were targeted with attacks.

By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency.

Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks. The telecommunications sector is particularly vulnerable to DDoS attacks.

According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second-placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets per second (compared to 2.4 Mpps for exchanges).

The impact of a DDoS attack should not be underestimated.

Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening. Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or a large-scale ransomware attack. A good example of the first is the 2015 cyber-attack on the UK telecoms company, TalkTalk.

The hack, allegedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial information – all ideal for use in financially-motivated social engineering campaigns.

The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities.

DDoS attacks are also evolving. 2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed Reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Protocol).

Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities.

Today’s faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for implementing DDoS attacks. The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.

Targeted attacks

The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult.

Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and resourced cybercriminals.
Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies.

This is because compromised network devices are harder for security systems to detect, and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration. Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.

Other APTs with telecommunications on their radar

The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its Command & Control process, successfully obscuring its actual location. Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns.
In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack.

Further details on these can be found on Kaspersky Lab’s expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.

Unaddressed software vulnerabilities

Despite all the high-profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable, personal data.
In many cases, attackers are exploiting new or under-protected vulnerabilities.

For example, in 2015, two members of the hacker group Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.

SQL injection vulnerability on Orange Spain web site

The impact of service misconfiguration

In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet.

This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access. The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this. As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.

Table 1. Top 10 countries with GTP/GRX ports exposed to Internet access
The Border Gateway Protocol (BGP) is the routing protocol used to make decisions on routing between autonomous systems.

Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service.

Any route that is advertised by a neighboring BGP speaker is merged into the routing database and propagated to all the other BGP peers.

Table 2. Top five countries with BGP protocol exposed to Internet access
An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country’s nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations. To avoid probable attacks against BGP from unauthorized remote malefactors, we recommend that companies provide network filtering, allowing only a limited number of authorized peers to connect to BGP services.
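The two recommendations in this part of the report (restrict which peers may open BGP sessions, and monitor announcements for anomalies such as hijacks via an authorized autonomous system) can be expressed as two simple checks over a stream of route updates. The following is an added example written for this page, not code from Kaspersky Lab; the peer allow-list, prefixes and AS numbers are constructed from documentation ranges, and a real deployment would feed it from a route collector rather than a hard-coded list.

```python
"""Added example: a minimal BGP announcement monitor.

Check 1 (peer filtering): updates from a speaker that is not on the
allow-list are rejected outright.
Check 2 (anomaly monitoring): an announcement whose origin AS differs from
the expected origin for a monitored prefix, or that carves a more-specific
prefix out of a monitored block, is flagged as a possible hijack.
Every address, prefix and AS number below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allow-list of peers permitted to establish BGP sessions with us.
AUTHORIZED_PEERS = {"192.0.2.1", "198.51.100.7"}

# Constructed "expected origin" table: the AS that legitimately originates each prefix.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("2001:db8::/32"): 64500,
}


@dataclass(frozen=True)
class Announcement:
    peer: str        # address of the BGP speaker that sent the update
    prefix: str      # announced prefix in CIDR notation
    as_path: tuple   # AS_PATH; the rightmost element is the origin AS


def session_allowed(peer: str) -> bool:
    """Peer filtering: only allow-listed speakers may talk BGP to us."""
    return peer in AUTHORIZED_PEERS


def classify(ann: Announcement) -> str:
    """Return 'ok', 'unauthorized-peer', 'origin-mismatch' or 'more-specific'."""
    if not session_allowed(ann.peer):
        return "unauthorized-peer"
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    for expected_net, expected_as in EXPECTED_ORIGIN.items():
        if net.version != expected_net.version:
            continue
        if net == expected_net:
            return "ok" if origin == expected_as else "origin-mismatch"
        # A longer prefix inside a monitored block wins route selection
        # regardless of who originates it, so it is flagged even when the
        # origin AS is the expected one (it may be a legitimate traffic
        # engineering change, but it deserves a human look).
        if net.subnet_of(expected_net):
            return "more-specific"
    return "ok"


def alerts(updates):
    """Reduce a stream of announcements to the ones worth alerting on."""
    findings = []
    for ann in updates:
        verdict = classify(ann)
        if verdict != "ok":
            findings.append((ann.prefix, verdict))
    return findings


# Constructed sample of updates: a normal one, a foreign origin for our
# prefix, a more-specific from our own AS, and an update from an unknown peer.
SAMPLE_UPDATES = [
    Announcement("192.0.2.1", "203.0.113.0/24", (64500,)),
    Announcement("192.0.2.1", "203.0.113.0/24", (64496, 64666)),
    Announcement("198.51.100.7", "203.0.113.128/25", (64500,)),
    Announcement("203.0.113.250", "10.0.0.0/8", (64700,)),
]

if __name__ == "__main__":
    for prefix, verdict in alerts(SAMPLE_UPDATES):
        print(f"{verdict:18} {prefix}")
```

The expected-origin table is the piece that needs care in practice: it has to be maintained from authoritative data (the operator's own allocations and, where available, RPKI route origin authorizations), otherwise the monitor only reports what it has been told to expect.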

To protect against malicious re-routing and hijacking initiated through authorized autonomous systems, we recommend that they monitor anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring).

Vulnerabilities in network devices

Routers and other network devices are also primary targets for attacks against telecommunications companies. In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privileged (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see Cisco advisory here). Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it. SYNful is not a pure software vulnerability, but a combination of leaked privileged credentials and a certain way of replacing device firmware.
Still, it is a dangerous way of compromising an organization’s IT infrastructure.

SYNful knock backdoor sign-in credentials request

Worldwide distribution of devices with the SYNful knock backdoor

The latest information on the number of potentially compromised devices is available through the link https://synfulscan.shadowserver.org/stats/. A second Cisco vulnerability, CVE-2015-6389, enables attackers to access some sensitive data, such as the password file, system logs, and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible.

Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable.

Follow this Cisco bulletin for remediation actions. For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-center-platforms/115609. Juniper, another network device manufacturer, has been found to carry vulnerabilities in the operating system for its NetScreen VPN appliances, enabling third-party access to network traffic.

The issue was reported by the vendor in the security advisory JSA10713 on December 18th, 2015, along with the release of the patch. It appears that the additional code with a hardcoded password was planted in the source code in late 2013.

The backdoor allows any user to log in with administrator privileges using the hard-coded password “<<< %s(un=’%s’) = %u”. This vulnerability has been identified as CVE-2015-7755 and is considered highly critical. Top countries where ScreenOS devices are used are the Netherlands, the United States, China, Italy and Mexico.

Juniper ScreenOS-powered devices worldwide

Another Juniper backdoor, CVE-2015-7756, affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and allows a third party to monitor traffic inside VPN connections due to security flaws in the Dual_EC PRNG algorithm used for random number generation. To protect the organization from misconfiguration and network device vulnerabilities, Kaspersky Lab recommends that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing for different types of attackers (a remote intruder, a subscriber, a contractor, etc.).

Malicious insiders

Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list.

Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information. Examples of insider attacks in recent years include:

A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.

An SMS center support engineer who had intercepted messages containing OTP (One-Time Passwords) for the two-step authentication required to log in to customer accounts at a popular fintech company.

The engineer was found to be freely offering his services on a popular DarkNet forum. For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider.

Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee. Employees of cellular service providers are in demand for fast-track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks. A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail. Data breaches, such as the 2015 Ashley Madison leak, reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly.
Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies. Further information on the emerging attack vectors based on the harvesting of Open Source Intelligence (OSINT) can be obtained using Kaspersky Lab’s customer-specific Intelligence Reporting services.

Threats targeting CSP/ISP subscribers

Overview

Attacks targeting the customers of cloud and Internet service providers remain a key area of interest for cybercriminals. We’ve revealed a number of malware activities and attack techniques based on internal information and incidents that were caught in our scope.

As a result of analyzing this data, the following main threats were identified:

Obtaining subscribers’ credentials. This is growing in appeal as consumers and businesses undertake ever more activity online and particularly on mobile.

Further, security levels are often intentionally lowered on mobile devices in favor of usability, making mobile attacks even more attractive to criminals.

Compromising subscribers’ devices.

The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware.

Experienced and skilled programmers are now focusing much of their attention on mobile – looking to exploit payment services as well as low-value assets like compromised Instagram or Uber accounts, collecting every piece of data from the infected devices.

Compromising small-scale telecoms cells used by consumers and businesses. Vulnerabilities in CSP-provided femtocells allow criminals to compromise the cells and even gain access to the entire cloud provider’s network.

Successful Proof-Of-Concept attacks on USIM cards. Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable.
Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.

Social engineering, phishing and other ways in

Social engineering and phishing remain popular activities and they continue to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees. The attackers exploit trust and naivety.
In 2015, the TeamHans hacker group penetrated one of Canada’s biggest communications groups, Rogers, simply by repeatedly contacting IT support and impersonating mid-ranking employees, in order to build up enough personal information to gain access to the employee’s desktop.

The attack provided hackers with access to contracts with corporate customers, sensitive corporate e-mails, corporate employee IDs, documents, and more. Both social engineering and phishing approaches are worryingly successful.

The Data Breach Investigations Report 2016 found that 30% of phishing emails were opened, and that 12% clicked on the malicious attachment – with the entire process taking, on average, just 1 minute and 40 seconds. Social engineers and phishers also use multiple methods to make their attacks appear more authentic, enriching their data with leaked profiles or successfully impersonating employees or contractors. Recently criminals have successfully stolen tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to online banking users to confirm transactions.

After infecting their victims with banking malware and obtaining their phone numbers, they called the CSP’s support and, impersonating a retail shop, asked for a new SIM card to be activated, thus gaining access to OTP (One Time Passwords) or “mTANs” used for two-factor authentication in online banking. Kaspersky Lab recommends that telecommunications providers implement notification services for financial organizations that alert them when a subscriber’s SIM card has been changed or when personal data is modified. Some CSPs have also implemented a threat exchange service to inform financial industry members when a subscriber’s phone is likely to have been infected with malware.

Vulnerable kit

USBs, modems and portable Wi-Fi routers remain high-risk assets for subscribers, and we continue to discover multiple vulnerabilities in their firmware and user interfaces.
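The SIM-change notification service and the infected-handset threat exchange recommended above only pay off if the receiving bank actually consults them before trusting an SMS code. The block below is an added example of that consumer side, written for this page and not code from Kaspersky Lab or any CSP: it parses a constructed SIM-change feed, applies an assumed 48-hour cooling-off window, and decides whether an SMS OTP can be delivered or the login must be stepped up to another factor. The feed format, the window length and all phone numbers and ICCIDs are assumptions.

```python
"""Added example: gate SMS OTP (mTAN) delivery on CSP SIM-change notifications.

A bank receives two kinds of data from the CSP (both constructed here):
  - a SIM-change feed: one line per SIM replacement for a subscriber number;
  - a threat-exchange list of numbers whose handset is believed infected.
Before sending a one-time code to a number, it checks both.
"""
from datetime import datetime, timedelta

SIM_CHANGE_WINDOW = timedelta(hours=48)  # assumed cooling-off period (a policy choice)

# Constructed CSP notification feed:
# "<ISO time>;<msisdn>;<old ICCID>;<new ICCID>;<channel the change came through>"
SIM_CHANGE_FEED = """\
2016-08-20T09:30:00;+4915112345678;8949000000000000001;8949000000000000002;retail
2016-07-01T12:00:00;+4915198765432;8949000000000000003;8949000000000000004;self-service
"""

# Constructed threat-exchange list: numbers whose phone the CSP believes is infected.
INFECTED_NUMBERS = {"+4915155555555"}


def parse_feed(text):
    """Turn the feed into (timestamp, msisdn, old_iccid, new_iccid, channel) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msisdn, old_iccid, new_iccid, channel = line.split(";")
        events.append((datetime.fromisoformat(ts), msisdn, old_iccid, new_iccid, channel))
    return events


def last_sim_change(msisdn, before, events):
    """Most recent SIM change recorded for the number at or before `before`, or None."""
    candidates = [e for e in events if e[1] == msisdn and e[0] <= before]
    return max(candidates, key=lambda e: e[0]) if candidates else None


def assess_otp_delivery(msisdn, at, events, infected=INFECTED_NUMBERS,
                        window=SIM_CHANGE_WINDOW):
    """Return ('deliver', None) or ('step-up', reason) for an SMS OTP request.

    `at` may be a datetime or an ISO-8601 string.
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    if msisdn in infected:
        return ("step-up", "handset reported infected via CSP threat exchange")
    change = last_sim_change(msisdn, at, events)
    if change is not None and at - change[0] <= window:
        age_h = (at - change[0]).total_seconds() / 3600
        return ("step-up", f"SIM replaced {age_h:.1f}h ago via {change[4]}")
    return ("deliver", None)


EVENTS = parse_feed(SIM_CHANGE_FEED)

if __name__ == "__main__":
    for number in ("+4915112345678", "+4915198765432", "+4915155555555"):
        print(number, assess_otp_delivery(number, "2016-08-21T10:00:00", EVENTS))
```

"Step-up" here means whatever the bank uses as a non-SMS factor (a hardware token, a call-back to a verified number, or an in-branch check); the point is that a freshly swapped SIM must not be treated as proof of possession during the window.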

These include:

Vulnerabilities in web interfaces designed to help consumers configure their devices. These can be modified to trick a user into visiting a specially crafted page.

Vulnerabilities that result from insufficient authentication. These can allow for the modification of device settings (like DNS server addresses), and the interception, sending and receiving of SMS messages, or USSD requests, by exploiting different XSS and CSRF vulnerabilities.

RCE (Remote Code Execution) vulnerabilities based on different variants of embedded Linux that can enable firmware modification and even a complete remote compromise.

Built-in “service” backdoors allowing no-authentication access to device settings.

Examples of these kinds of vulnerabilities were demonstrated in research by Timur Yunusov from the SCADAStrangeLove team.

The author assessed a number of 3G/4G routers from ZTE, Huawei, Gemtek and Quanta. He reported a number of serious vulnerabilities:

Remote Code Execution from web scripts.
Arbitrary device firmware modification due to insufficient consistency checks.
Cross Site Request Forgery and Cross Site Scripting attacks.

All these vectors can be used by an external attacker for the following scenarios:

Infecting a subscriber’s computer via PowerShell code or a badUSB attack.
Traffic modification and interception.
Subscriber account access and device settings modification.
Revealing subscriber location.
Using device firmware modification for APT attack persistence.

Most of these issues exist due to web interface vulnerabilities (like insufficient input validation or CSRF) or modifications made by the vendor during the process of branding its devices for a specific telecommunications company.

The risk of local cells

Femtocells, which are essentially a personal NodeB with an IP network connection, are growing in popularity as an easy way to improve signal coverage inside buildings.
Small business customers often receive them from their CSPs. However, unlike core systems, they are not always submitted to suitably thorough security audits.

Femtocell connection map

Over the last year, our researchers have found a number of serious vulnerabilities in such devices that could allow an attacker to gain complete control over them.

Compromising a femtocell can lead to call interception, service abuse and even illegal access to the CSP’s internal network. At the moment, a successful attack on a femtocell requires a certain level of engineering experience, so risks remain low – but this is likely to change in the future.

USIM card vulnerabilities

Research presented at BlackHat USA in 2015 revealed successful attacks on USIM card security. USIMs had previously been considered unbreakable thanks to the AES-based MILENAGE algorithm used for authentication.

The researchers conducted differential power analysis for encryption key and secret extraction, which allowed them to clone the new generation of 3G/4G SIM cards from different manufacturers.

Right byte guess peak on differential power analysis graph

Conclusion

Telecommunications is a critical infrastructure and needs to be protected accordingly.

The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions.

Telecoms providers need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation. A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own.
It needs to be complemented by collaboration, employee education and shared intelligence. Many telecommunications companies already have agreements in place to share network capability and capacity in the case of disruption, and now is the time to start reaping the benefit of shared intelligence. Our Threat Intelligence Reporting services can provide customer-specific insight into the threats facing your organization.
If you’ve ever wondered what your business looks like to an attacker, now’s the time to find out.

Contact us at intelligence@kaspersky.com

New Brazilian Banking Trojan Uses Windows Powershell Utility

Microsoft’s PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated. The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team in a Securelist blog on Thursday. The banking Trojan is being delivered via a phishing campaign where emails are masquerading as a receipt from a mobile carrier.

A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run. In the case of “Trojan-Proxy.PowerShell.Agent.a” the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said.

Those changes in the system are made using a PowerShell script. The browser aspect of the attack is identical to how cybercriminals have exploited proxy auto-config (PAC) files in previous attacks, Assolini said. PAC files are designed to enable browsers to automatically select which proxy server to use to get a specific URL. “It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script,” Assolini wrote. Not only are Internet Explorer users affected, but also users of Firefox and Chrome. The malware has no command and control communication.
Instead, once the .PIF file is launched, the “powershell.exe” process is spawned with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1”.

This is an attempt to bypass PowerShell execution policies, Assolini said.

The malware changes the file prefs.js, inserting the malicious proxy change. After being infected by “Trojan-Proxy.PowerShell.Agent.a”, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.
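The two observable traces described in this article, a powershell.exe launch with an execution-policy bypass pointing at a script under %TEMP%, and a proxy setting written into Firefox's prefs.js, both lend themselves to simple host-side detection. The block below is an added example written for this page, not code from Kaspersky Lab or the Securelist write-up: it scans constructed process-creation log lines for the command-line pattern and parses a constructed prefs.js for a manual or PAC proxy that points off-host. The log line format, the parent process name and the proxy hostname are assumptions; the script path reuses the %TEMP% name given in the article, expanded to a conventional user profile location.

```python
"""Added example: host-side checks for the behaviour described above.

1. Process-creation events (a constructed, Sysmon-style "Key=Value" layout)
   are scanned for powershell.exe started with -ExecutionPolicy Bypass and a
   -File argument under the user's %TEMP% directory.
2. A Firefox prefs.js (constructed) is parsed for a proxy configuration that
   sends browser traffic through a non-local proxy or a remote PAC URL.
"""
import re

# Constructed process-creation events. The first mirrors the article's
# description (a .PIF parent spawning powershell.exe); the second is benign.
PROC_LOG = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Users\victim\Downloads\recibo.pif '
    r'CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\599D.tmp\599E.ps1',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Windows\explorer.exe '
    r'CommandLine=powershell.exe -File C:\Scripts\inventory.ps1',
]

# Constructed prefs.js with a manual proxy pointing at a dynamic-DNS style host.
PREFS_JS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.example-dyndns.invalid");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
PREF = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+)|(true|false))\);')
LOCAL_PROXY_HOSTS = ("", "127.0.0.1", "localhost")


def parse_event(line):
    """Split a 'Key=Value Key=Value ...' event line into a dict."""
    return dict(KV.findall(line))


def suspicious_powershell(event):
    """Return the list of matched indicators for a powershell.exe launch, else None."""
    if not event.get("Image", "").lower().endswith("powershell.exe"):
        return None
    cmd = event.get("CommandLine", "")
    reasons = []
    if re.search(r"-executionpolicy\s+bypass", cmd, re.I):
        reasons.append("execution policy bypass")
    script = re.search(r"-file\s+(\S+)", cmd, re.I)
    if script and re.search(r"\\temp\\", script.group(1), re.I):
        reasons.append("script in %TEMP%")
    if event.get("ParentImage", "").lower().endswith(".pif"):
        reasons.append("spawned by .PIF")
    return reasons or None


def parse_prefs(text):
    """Parse user_pref() lines into a dict of str / int / bool values."""
    prefs = {}
    for m in PREF.finditer(text):
        key, s, n, b = m.groups()
        prefs[key] = s if s is not None else int(n) if n is not None else (b == "true")
    return prefs


def proxy_hijack(prefs):
    """Return the off-host proxy or PAC URL a prefs.js would route through, else None."""
    ptype = prefs.get("network.proxy.type")
    if ptype == 1:  # manual proxy
        host = prefs.get("network.proxy.http", "")
        if host in LOCAL_PROXY_HOSTS or host.startswith(("10.", "192.168.")):
            return None
        return host
    if ptype == 2:  # PAC file; the 2013 campaigns the article refers to used this
        return prefs.get("network.proxy.autoconfig_url") or None
    return None


def scan_log(lines):
    """Run the PowerShell check over every event and keep the hits."""
    hits = []
    for line in lines:
        reasons = suspicious_powershell(parse_event(line))
        if reasons:
            hits.append((parse_event(line).get("ParentImage"), reasons))
    return hits


if __name__ == "__main__":
    for parent, reasons in scan_log(PROC_LOG):
        print("powershell launch from", parent, "->", ", ".join(reasons))
    print("browser proxy:", proxy_hijack(parse_prefs(PREFS_JS)))
```

On its own, "-ExecutionPolicy Bypass" is common in legitimate administration scripts, so the script location and the parent process carry most of the weight; a rule that requires two of the three indicators keeps the false-positive rate manageable.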

The proxy domains used in the attack use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks, according to Assolini. According to Kaspersky Lab, Brazil was the most infected country when it comes to banking Trojans in Q1 2016. “Attackers (developing Brazilian malware) are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection,” notes a Securelist post from March.

That stands in stark contrast to Brazilian malware that not long ago was described as simple and easy to detect. Researchers believe Brazilian cybercriminals have upped their game by adopting new techniques as a result of collaboration with their European counterparts.

Attacker's Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers' five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software. Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation, according to researchers there. Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks.

The most common of these "root causes", though, were not zero-days or malware at all. The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were:

abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks
broadcast name resolution poisoning (like WPAD) -- 64%
local admin password attacks (pass-the-hash attacks) -- 61%
attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%
insufficient network segmentation -- 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering.
Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one. "If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian.

The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do." As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does.

By implementing mitigations against the attacks mentioned above, an organization ensures "you don't have that cascading effect," from one stolen credential, says Abraham. "The blast radius is very minimal."  The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers.

But the report states that "Praetorian’s core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains that are outlined in Verizon, Mandiant, and CrowdStrike’s annual breach reports." Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of  hacking.

The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were "the most efficient and undetected technique for compromising an enterprise." Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons.

For one, he says, malware can fail or cause system failures, which draw attention to the attacker.
Vulnerability scans are "noisy" and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life, because they take a longer time to fix.

Mitigation

There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found that many organizations were missing these basic elements. He recommended that organizations wanting to clean up their act start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the "most achievable." According to the report:

Deploying Microsoft's LAPS tool on workstations and servers will go a long way to protecting against pass-the-hash attacks.
Mimikatz and other attacks against cleartext passwords in memory can be largely cleaned up with a basic registry change, installation of Microsoft Security Advisory 2871997, and regular monitoring for any unauthorized registry changes.

Once that's done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix. Some (not all) of Praetorian's suggestions in the report include:

To strengthen passwords:
increase Active Directory password length requirements to at least 15 characters
enhance password policy enforcement (expiration, etc.)
implement two-factor authentication for all administrator access and remote access.

To mitigate broadcast name resolution poisoning:
populate DNS servers with entries for all known valid resources
disable LLMNR and NetBIOS on end-user workstations.
To improve network segmentation -- after proper inventory of systems, data, and review with lines-of-business about employee access:
enforce network Access Control Lists (ACLs) so that only authorized systems have access to critical systems -- on a machine basis, by VLAN, or per user with "next-gen" firewalls
update network architecture and network diagrams to reflect the new ACLs.

For Praetorian's complete mitigation suggestions, see the report.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
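Most of the host-level mitigations in the report's list (LAPS, the WDigest registry change that goes with Security Advisory 2871997, disabling LLMNR and NetBIOS, a 15-character minimum password length) reduce to a handful of settings that can be checked mechanically, and the report's "most achievable first" ordering can be encoded as a priority. The block below is an added example written for this page, not Praetorian's or Microsoft's code: it audits a constructed export of those settings and lists what is missing in the suggested order. The registry paths and values are the ones these Windows features use, stated here from knowledge of the products rather than from the article; the exported snapshots are constructed, and the interface GUID in the NetBIOS key is a placeholder.

```python
"""Added example: audit exported Windows settings against the mitigations above.

The snapshot is a flat dict of "registry path\\value name" -> value (None when
the value is absent), plus the domain's MinimumPasswordLength. Priority 1 is
the report's "start here" pair (#3 pass-the-hash, #4 cleartext passwords in
memory); priority 2 is #1/#2 (weak passwords, broadcast name resolution).
"""

# Registry locations used by each mitigation (stated from product knowledge,
# not from the article). {IFACE-GUID} is a placeholder for the real interface key.
LLMNR = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast"
NETBIOS = r"HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{IFACE-GUID}\NetbiosOptions"
WDIGEST = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
LAPS = r"HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled"
MIN_PW_LEN = "MinimumPasswordLength"

# (priority, finding, key, passes(value), recommended fix)
CHECKS = [
    (2, "domain minimum password length below 15", MIN_PW_LEN,
     lambda v: v is not None and v >= 15,
     "raise the Active Directory minimum password length to at least 15"),
    (2, "LLMNR enabled (broadcast name resolution poisoning)", LLMNR,
     lambda v: v == 0, "set EnableMulticast=0 through Group Policy"),
    (2, "NetBIOS over TCP/IP enabled on end-user interface", NETBIOS,
     lambda v: v == 2, "set NetbiosOptions=2 (disabled) on end-user workstations"),
    (1, "WDigest keeps cleartext credentials in memory (Mimikatz)", WDIGEST,
     lambda v: v == 0, "install KB2871997 and set UseLogonCredential=0"),
    (1, "LAPS not enabled (shared local admin password, pass-the-hash)", LAPS,
     lambda v: v == 1, "deploy LAPS and enable AdmPwdEnabled=1"),
]

# Constructed snapshot of a host with none of the mitigations applied.
WEAK_HOST = {
    MIN_PW_LEN: 8,
    LLMNR: None,       # policy value absent: LLMNR is on by default
    NETBIOS: 0,        # 0 = use DHCP setting, which normally leaves NetBIOS on
    WDIGEST: 1,
    LAPS: None,
}

# Constructed snapshot of the same host after the report's recommendations.
HARDENED_HOST = {
    MIN_PW_LEN: 15,
    LLMNR: 0,
    NETBIOS: 2,
    WDIGEST: 0,
    LAPS: 1,
}


def audit(snapshot):
    """Return [(priority, finding, fix)] for every failed check, highest priority first."""
    findings = [
        (prio, finding, fix)
        for prio, finding, key, passes, fix in CHECKS
        if not passes(snapshot.get(key))
    ]
    return sorted(findings, key=lambda f: f[0])  # stable: keeps list order within a priority


def coverage(snapshot):
    """Fraction of the report's host-level mitigations that are in place."""
    return 1 - len(audit(snapshot)) / len(CHECKS)


if __name__ == "__main__":
    for prio, finding, fix in audit(WEAK_HOST):
        print(f"[P{prio}] {finding}: {fix}")
    print(f"hardened host coverage: {coverage(HARDENED_HOST):.0%}")
```

The WDigest value is the one the article calls "a basic registry change": on systems with KB2871997 installed, UseLogonCredential=0 stops the provider from caching the cleartext password that Mimikatz reads out of LSASS. Monitoring that value for unauthorized changes, as the report also suggests, is a matter of re-running the audit on a schedule and alerting on any transition from passing to failing.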

How Diversity Can Bridge The Talent Gap

Women and minorities in the security industry share some hard truths about the security industry's hiring traditions and practices. The dirty little secret about most security job openings today is that they often inadvertently preclude women and minorities. Employers typically have a specific type of person in mind for the job, and the job description is written accordingly, requiring several years of experience, a computer science degree or background, and other technical skills such as certifications or hands-on hacking tool expertise. That’s not typically a diversity-friendly job description – training and tool costs are often out of range for inner-city and small-town candidates.

A panel of diverse and accomplished female security professionals at Black Hat USA earlier this month shared their insight on this and other ways the industry is doing it wrong – and how to encourage more diversity. I served as moderator of the “Removing Roadblocks to Diversity” panel, which featured Jamesha Fisher, Security Operations Engineer at GitHub; Chenxi Wang, Chief Strategy Officer of Twistlock; Rebekah Brown, Threat Intelligence Lead at Rapid7; and Angie Leifson, Security Operations Center (SOC) Analyst at Insight Enterprises.

Source: Black Hat USA

The lack of diversity in security is a topic I’ve researched plenty this year, but listening to these women share what they see in the trenches every day, the firsthand lessons they’ve learned, and the advice they give to other women and minorities, was enlightening.

To be honest, it was a bit frustrating, too, since the number of women in the security industry has remained at about 10% for at least three years now.

African-American women represent just 3% of computer-related jobs, and Latina women, 1%. There’s also a glaring disconnect today between many job openings in cybersecurity and the types of skills the field now demands.

The panelists pointed to the importance and need in security for non-technical skills and backgrounds in psychology, linguistics, communications, for example. Yet those skills aren’t the norm in a typical job opening. Take Wang, whose career path came via the traditional route of a computer science degree and graduate school.
She said it’s time for a rewrite of inherently biased job descriptions: “If you had somebody coaching them on writing a job description that is more inclusive, they would have gotten more candidates. I try to do that myself,” Wang said during the panel.

Fisher, who is African-American, said there are few if any junior security positions, which makes it tough for anyone to break into the industry. Minorities have a disadvantage up front. “They may not have the money to buy the training needed to do security to get that competitive edge. Where does this leave people who don’t have the money?” Fisher said.

Rapid7’s Brown, whose military career as a linguist in Mandarin ultimately led her to cybersecurity threat intelligence, said the cookie-cutter job description doesn’t cut it in today’s world. Having security staff with diverse backgrounds, educations, outlooks, and mindsets is key, Brown said. “If you just put one job description out, you’re never going to be successful,” she said.

There’s a mindset problem here as well.
Studies and anecdotal data show that women are less likely to apply for a job if they don’t fit all of the listed qualifications, whereas men apply even if they don’t have all of the listed skills.

But that’s a trend that can be broken, the panelists said. On the flip side, women and minorities often aren’t given the benefit of the doubt like their counterparts when it comes to missing qualifications, Fisher said. White men, for instance, she said, are often given “reasonable doubt” that they will learn the skills they lack on the job.
She urged large companies to use their resources to train and attract more minorities and women to security jobs.

Leifson, who graduated from college in December and is now a SOC analyst, had a refreshing view on this: even when she doesn’t meet all of the qualifications listed in a job opening, she still applies for it. “I still feel confident in my skills,” she said. “Don’t be afraid” to put yourself out there and apply, she said.

The social impact of security is also an element that needs to be touted more, the panelists said. “So many people are about the hacking aspect, but nobody is about the defensive aspect. That has the social impact” that appeals to a broader talent pool, Fisher said.

Diversity is one thing, but inclusiveness is another, the panelists said. Hiring more women and minorities is the first step to a truly diverse workforce – organizations then also need to ensure they respect and embrace their workers’ different backgrounds. To view the entire panel discussion and Q&A, check out the video recording here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Security Staff Shortages Incur Higher Breach Recovery Costs

New study measures the financial impact of a breach on a company short on IT security staff. The shortage of skilled IT security professionals is not a new topic. Multiple reports have shed light on the talent shortage and the type of security risks associated with an IT department that is short on security skills.

But a report released this week by Kaspersky Lab and partner B2B International shows the potential financial impact of being short-staffed in the security department. The study, which surveyed nearly 5,000 representatives from companies of different sizes and industries, compared the breach recovery costs for large companies that had enough IT security staff with large companies that were light on security support.

The average cost of recovery for companies with inadequate security support was between $1.2 million and $1.47 million, and from $100,000 to $500,000 for companies with a strong and sufficiently staffed IT security team. When an organization has internal IT security staff on the payroll, they become more familiar with the cyclical process of a breach and recovery and are able to learn from each incident and apply that knowledge to the organization’s security posture, says Michael Canavan, vice president of North America for Kaspersky Lab. “This is a large reason why you see the smaller dollar amount with those incidents [at organizations with in-house security staff],” he says.

They’re less traumatic because more information is known, he adds.

The survey also showed that additional staff wages make up a significant portion of the recovery costs -- $14K on average for SMBs and $126K for enterprises -- which was higher than the loss of business opportunities, credit rating, and compensation to clients and partners combined.

Candace Worley, vice president and general manager for enterprise endpoint security at Intel, points out that while nearly $1.5 million for a breach is high, the average cost of a breach is now over $4 million per incident, according to the Ponemon Group's Cost of Data Breach 2016 report. “If a company was unfortunate enough to experience two breaches in a year," she says, then “investing in a security staff is the better way to go.” She also notes that in addition to labor costs, organizations have to account for the brand impact and opportunity cost of a breach in addition to the hard costs. “There’s the domino or cascade of costs,” Worley says.

Tejas Vashi, senior director of Cisco Services, says that while the industry acknowledges that many organizations need more security staff, it takes a long time to bring them on. “Enterprises need to be proactively seeking out the talent and continuously reskilling their existing workforce,” says Vashi, adding that a proactive mindset is very important in the security space right now, for both hiring and threat mitigation. He likens the IT security landscape to a quote from Henry Ford: "The only thing worse than training your employees and having them leave is not training them and having them stay."

Find the full report here.

Emily Johnson is an Associate Editor on UBM America's Content Marketing team. Prior to this role, Emily spent four and a half years in content and marketing roles supporting the UBM America's IT events portfolio.

Emily earned her B.A. in English from the University of ...