Thursday, January 18, 2018

Tag: Cyber Attack

It's just the latest "name and shame" effort by the U.S. to publicly denounce (and indict) foreign hackers. The Justice Department is allegedly working on an indictment for Iranian hackers who attempted to infiltrate the operational controls for New York's Bowman Avenue Dam in 2013. Though the attackers did manage to get into some systems at the dam, they were unable to gain any kind of access to more critical controls. However, CNN reports that said hackers allegedly accomplished their intrusion using off-the-shelf tools—which suggests that the hack itself wasn't all that sophisticated.
It is, however, a bit alarming that it didn't take very much for the attackers to make at least a little headway against a fairly large target (albeit one that's just a minor piece of U.S. infrastructure, as some U.S. officials described). "We obviously take seriously all such malicious activity in cyberspace. We are going to continue to use all the tools at our disposal to prevent, deter, detect, counter, and mitigate that kind of activity," said State Department spokesman Mark Toner, when asked about the upcoming indictment at a recent news briefing. The Justice Department is likely to announce its indictment next week.
If so, this would continue the "name and shame" campaign the Obama administration has used to address big-name hacks over the past few years.

That includes the hack of Sony Pictures Entertainment, which the administration publicly called out North Korea for sponsoring in December 2014. The administration also called out China in May 2014 when it filed indictments against five military officials accused of hacking various American businesses.

The indictment noted that the individuals "maintained unauthorized access to victim computers to steal information from these entities that would be useful." China's foreign ministry responded a day later with a statement condemning the United States' own alleged hacking efforts. Iranian cyber attacks are reportedly on the rise at the moment, and the U.S. government is said to be deploying more resources to address the issue.

At the time of the cyber attack on the Bowman Avenue Dam, Iran was also allegedly trying to launch similar probes against financial institutions' systems as well.
The cyber attacks of the future may be hard to spot, and nations may fight over fiber. In recent weeks, the digital security discussion has been focused on a certain fruit-flavored company's public battle with a three-letter agency.

But Kaspersky Principal Security Analyst Vicente Diaz is considering the far larger, and far more complicated, fights that nations might carry on in the digital world.

You Don't Need Stuxnet

In his presentation at RSA, Diaz made a distinction between three kinds of attacks.

The first were exotic attacks, developed and deployed at great expense by nation states.

Think Stuxnet, the complex malware allegedly developed by the U.S. and Israel to physically disable Iranian nuclear enrichment machinery. The second were so-called "middle-class" attacks, which are assembled by knowledgeable teams of hackers.

The third category encompassed all other attacks, usually carried out by individuals with little to no technical knowledge, who purchase malicious payloads and delivery mechanisms from the digital black market.

The problem with complicated nation-state campaigns like Stuxnet is that they make attribution easier. When it comes to determining who is capable of developing and deploying such an attack, "the list of countries is very short," said Diaz. In the future, Diaz predicted that nation states will move away from exotic attacks and focus on middle-class attacks that are as simple and stealthy as possible. "Now you don't need to develop Stuxnet-like malware just to attack," said Diaz. "Ukraine was attacked by BlackEnergy, which is not in the same league as Stuxnet."

The key is obtaining the physical and digital infrastructure, like the cable that connects the global Internet. "It's good for cyber espionage but also good for attacking an adversary," said Diaz. "You can use it in an offensive way, or you can use it to get information from the people who are using this infrastructure." As an example, Diaz said that if you control the Internet infrastructure, you can simply snatch passing data rather than having to target specific devices.

This approach sounds similar to the one used by the NSA in its massive data collection operations exposed by Edward Snowden, which used the position of the United States Internet infrastructure to intercept data traveling around the world.

The Fight for Digital Territory

Diaz believes that the importance of Internet infrastructure will spark conflict between nations. "Control over physical infrastructure is where the next big battles will happen," he said. He pointed to efforts made by Brazil to construct its own trans-Atlantic Internet connection and efforts within Europe to foster the development of Internet business and infrastructure within national borders.
Conflicts over control of the Internet could take many forms, and need not be offensive.
Instead, countries might form alliances to create spheres of influence over the Internet.

For example, Diaz pointed to a diplomatic agreement between the U.S. and China, where the two countries agreed not to engage in cyber attacks for financial gain. Diaz said this agreement was an example of one such alliance, and hinted that it would have wide-ranging consequences. "Obviously these alleged attacks will probably move to some other country because they still need to get this data," he said. Digital resources are already playing a role in warfare and politics.

This week saw confirmation from the Department of Defense that the U.S. was bringing cyber capabilities to bear against ISIS.

Also speaking at the RSA conference, Secretary of Defense Ashton Carter declined to go into specifics about these operations, but said they were focused on disrupting ISIS's command and communications capabilities. What Diaz is describing is more like the groundwork for larger operations.
It's also a shift in how diplomacy, as well as warfare, will be carried out, since the fiber traveling through a stretch of land (or ocean) may be as valuable as the land, its people, or its resources to a nation state developing its cyber capabilities. But perhaps the most important point is Diaz's prediction that attacks will simplify, rather than increase, in complexity.
If Diaz is correct, then the kind of cyber attack that worries NSA Director Rogers might be indistinguishable from the everyday work of a hacker and nearly impossible to spot.
A type of malware that locks computer files and demands a fee for their release has successfully targeted Apple computers. The security researchers from Palo Alto Networks believe it is the first time ransomware has appeared on Macs. The KeRangers m...
With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware. The incident is believed to be the first Apple-focused attack using ransomware, which typically targets computers running Windows. Victims of ransomware are asked to pay a fee, usually in bitcoin, to get access to the decryption key to recover their files. Security company Palo Alto Networks wrote on Sunday that it found the "KeRanger" ransomware wrapped into Transmission, which is a free Mac BitTorrent client. Transmission warned on its website that people who downloaded the 2.90 version of the client "should immediately upgrade to 2.92." It was unclear how the attackers managed to upload a tampered version of Transmission to the application's website.

But compromising legitimate applications is a commonly used method. "It’s possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto wrote on its blog. The tainted Transmission version was signed with a legitimate Apple developer's certificate.
If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's Gatekeeper that the application could be dangerous. Apple revoked the certificate after being notified on Friday, Palo Alto wrote.

The company has also updated its XProtect antivirus engine. After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system.
It is coded to encrypt more than 300 types of files. The ransom is 1 bitcoin, or about $404. There are few defenses against ransomware.

Antivirus programs often do not catch it since the attackers frequently make modifications to fool security software. The best method is to ensure files are regularly backed up and that the backup system is isolated in a way to protect it from being infected as well. Disturbingly, KeRanger appears to also try to encrypt files on Apple's Time Machine, its consumer backup drive, Palo Alto wrote. Ransomware schemes have been around for more than a decade, but over the last few years have spiked. At first the attacks struck consumer computers, with the aim of extracting a few hundred dollars.

But it appears attackers are targeting companies and organizations that may pay a much larger ransom to avoid disruption. Last month, a Los Angeles hospital said it paid a $17,000 ransom after saying it was the quickest, most effective way to restore its systems.

The ransomware had affected its electronic medical records. Although Apple's share of the desktop computing market is much lower than Windows, cyberattackers have been showing increasing interest in it.

But so far, ransomware hasn't been a problem, although some researchers have created proof-of-concept file-encrypting malware for Macs. Last November, Brazilian security researcher Rafael Salema Marques published a video showing how he coded ransomware for Mac in a couple of days. He didn't release the source code. Also, OS X security expert Pedro Vilaca posted proof-of-concept code on GitHub for Mac ransomware he wrote, another experiment showing how simple it would be for attackers to target the platform.
But its role in the attack remains unclear

Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine's power grid in December 2015. A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online.

Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23. "In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine," Flom notes. "Whether or not the attack was nation state-sponsored, the source code for most of the components that were used is available for purchase and download on the open Web," Flom writes. "It's no longer far-fetched that a similar attack could be conducted by non-nation state-sponsored groups for criminal purposes."

BlackEnergy has evolved from a "relatively simple" distributed denial-of-service attack tool of early 2007 to a highly capable blob of malware over the last eight years, according to Flom. The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine – which affected 225,000 customers – was caused by outside attackers. Representatives of the US Department of Homeland Security (DHS), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack.

The Ukrainian government and the three impacted power utilities (named elsewhere as Prykarpattya, Oblenergo and Kyivoblenergo) collaborated with the investigation, which concluded that the assault involved a great deal of coordination and planning, culminating with an attempt to destroy evidence on field devices using wiper malware. The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.

According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.

During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.

The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access. All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.

The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. The whole incident has generated a great deal of interest because it's reckoned to represent the first time that hackers have successfully attacked a power grid.
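The pattern described above, credentialed VPN access followed by remote breaker operations at three utilities within 30 minutes of each other, can be expressed as a correlation rule that a utility SOC could run over its own VPN and ICS event feeds. The following is an added example, not code from the article, ICS-CERT or SANS; the event records, site names, source addresses and the two-hour VPN look-back are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real utility logs): (timestamp, site, kind, detail).
# Three sites each receive a VPN login followed by a remote breaker command within
# the same half hour; the final record is an unrelated next-day operation.
EVENTS = [
    ("2015-12-23 15:05:00", "site-A", "vpn_login", "op-a1 from 203.0.113.10"),
    ("2015-12-23 15:20:00", "site-A", "breaker_open", "feeder-A3 via ics-client"),
    ("2015-12-23 15:25:00", "site-B", "vpn_login", "op-b2 from 203.0.113.11"),
    ("2015-12-23 15:30:00", "site-C", "vpn_login", "op-c4 from 203.0.113.12"),
    ("2015-12-23 15:40:00", "site-B", "breaker_open", "feeder-B1 via rdp"),
    ("2015-12-23 15:45:00", "site-C", "breaker_open", "feeder-C7 via ics-client"),
    ("2015-12-24 09:00:00", "site-A", "breaker_open", "feeder-A1 planned maintenance"),
]

WINDOW = timedelta(minutes=30)     # the three Ukrainian outages fell within 30 minutes
VPN_LOOKBACK = timedelta(hours=2)  # assumption: how long a VPN login is treated as live


def parse(events):
    """Convert the string timestamps into datetimes and sort chronologically."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), site, kind, detail)
        for ts, site, kind, detail in events
    )


def remote_breaker_ops(events):
    """Breaker operations at a site that saw a VPN login within VPN_LOOKBACK before them."""
    parsed = parse(events)
    logins = [(t, s) for t, s, k, _ in parsed if k == "vpn_login"]
    ops = []
    for t, site, kind, detail in parsed:
        if kind != "breaker_open":
            continue
        if any(s == site and t - VPN_LOOKBACK <= lt <= t for lt, s in logins):
            ops.append((t, site, detail))
    return ops


def coordinated_windows(events, min_sites=2):
    """Alert when remote breaker operations at min_sites or more distinct sites
    fall inside one WINDOW. Overlapping windows that add no new site are merged."""
    ops = remote_breaker_ops(events)
    alerts = []
    for i, (t0, _, _) in enumerate(ops):
        in_window = [s for t, s, _ in ops[i:] if t - t0 <= WINDOW]
        sites = sorted(set(in_window))
        if len(sites) < min_sites:
            continue
        prev = alerts[-1] if alerts else None
        if prev and set(sites) <= set(prev["sites"]) and t0 - prev["window_start"] <= WINDOW:
            continue  # already covered by the previous alert
        alerts.append({"window_start": t0, "sites": sites})
    return alerts


if __name__ == "__main__":
    for alert in coordinated_windows(EVENTS):
        print(f"{alert['window_start']}: remote breaker ops at {', '.join(alert['sites'])}")
```

Tuning min_sites to 1 turns the rule into a plain "remote breaker operation" alert, which is noisy in normal operations; the cross-site window is what separates the coordinated case from routine maintenance.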

For context, it's worth pointing out that outages caused by squirrels chewing through electricity cables and the like are commonplace.

A growing number of experts have come to regard the Ukraine energy utility attacks as the most significant malware-based hack attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010. BlackEnergy malware was discovered on the affected companies' computer networks; however, it is important to note that ICS-CERT investigators reckon the precise role of the potent cyber-pathogen in the attack remains as yet unclear. Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks.

The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments.
It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated.
It is important to underscore that any remote-access Trojan could have been used, and none of BlackEnergy's specific capabilities were reportedly leveraged. A mining company and a large railway operator in Ukraine were also hit by BlackEnergy, so the run of attacks was far from limited to the power distribution sector.

The possible motivations of the hackers range from an attempt to disable Ukraine economically to a test of the power of their malware against real life targets. Russia is the obvious prime suspect in this malfeasance, and this is supported by plenty of circumstantial evidence, although nothing incontrovertible and certainly no smoking gun. Security researchers at the SANS Institute have put together a reaction to the ICS-CERT report ahead of their own forthcoming study, which will focus on how to defend against similar attacks on industrial control systems in future. Industrial control system security expert Robert M Lee argues that ICS-CERT unnecessarily hedged its bets in calling BlackEnergy a central vector of the attack. "ICS-CERT is very shy in stating that BlackEnergy3 was involved in the incident," Lee writes. "I understand their hesitation, but the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources.

The malware, however, was not responsible for the outage.
It just enabled the attackers, as the SANS team and others in the community have said all along," he added.
The goal is for ISIS not to know the difference between a cyber attack and just needing to reset their router. ISIS has been successful at recruiting supporters in large part because of its well-oiled social media machine, which cranks out PR-type content that encourages militants to attack non-believers. So what's the best way to throw a wrench in it? If you're an average citizen, you might participate in Troll ISIS Day on social media.

But if you're the U.S. military, you launch sophisticated cyber attacks that target the heart of the clandestine organization's networks. At a briefing this week, top military brass revealed that the U.S. Cyber Command is hard at work disrupting ISIS's communications networks.
It's an emerging war strategy in the Middle East, and it comes from a relatively new agency—Cyber Command was established in 2009. The goal, according to Secretary of Defense Ash Carter, is to overload ISIS's network so that it can't function effectively. "This is something that's new in this war," he said. "It's not something you would've seen back in the Gulf War, but it's an important new capability and it is an important use of our Cyber Command and the reason that Cyber Command was established in the first place." He was tight-lipped on the specifics of the cyber attacks, except to say that the military wants to "overload [ISIS's] network so that they can't function." But he explained that the cyber strategy essentially shadowed the military's conventional operations, which are designed to isolate various ISIS cells in Syria and Iraq to make it difficult for them to coordinate attacks. There is one key difference between conventional and cyber attacks, though: the element of surprise.

Chairman of the Joint Chiefs of Staff General Joseph Dunford, who was also at the briefing, said the most critical part of hacking ISIS networks is that the source of the attacks is untraceable. "Most importantly, we don't want the enemy to know when, where, and how we're conducting cyber operations," he said. "They're going to experience some friction that's associated with us and some friction that's just associated with the normal course of events in dealing in the information age. And frankly, we don't want them to know the difference."
A security breach that plunged Ukraine into darkness could happen in the U.S., according to reports. A recent cyber attack on Ukraine's power utilities that plunged hundreds of cities into darkness could be replicated in the U.S., according to Obama administration officials.
Investigators concluded that highly skilled hackers stole the credentials of system operators and learned how to switch off circuit breakers, the New York Times reports. The Ukrainian government condemned the attacks, accusing the Russians of targeting their country's power grid as a form of political intimidation.

A U.S. Department of Homeland Security report issued on Feb. 25 does not mention Russian involvement, saying only that the Ukrainian power companies had been infected with so-called BlackEnergy and KillDisk malware. The report concludes that the hackers conducted extensive surveillance of the power companies' networks in order to gain access credentials.

Then, in a series of coordinated attacks on three facilities within 30 minutes of each other, they used remote control systems to turn off the circuit breakers, plunging 225,000 people into darkness. It's a scenario that could easily happen in the U.S., and power companies have known for some time that their systems are vulnerable. Just a few days before the Dec. 23 attack in Ukraine, an Associated Press investigation found hackers had infiltrated American power systems so extensively that they could set off massive power outages whenever they want to. Part of the reason for this vulnerability is that U.S. power utilities are largely controlled by private investors who may have little incentive to beef up security, according to the AP.

But government systems aren't immune either, as evidenced by a recent IRS data breach that involved multiple attempts to access taxpayer accounts. That attack was much bigger than the IRS originally thought.

An internal investigation announced last week found that more than 390,000 taxpayer accounts were compromised in addition to those previously discovered, for a total of more than 700,000 affected taxpayers.

That's in addition to an attempt to steal more than 400,000 Social Security numbers in order to generate e-file PINs, which the IRS also announced last month.
Jerome Segura, a senior security researcher with Malwarebytes, was recently stumped by a cyber attack he was studying.
It seemed to keep vanishing. Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person's computer. It's a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if their computer has a software vulnerability. "We knew there was something different that malvertisers were doing," said Segura in a phone interview Thursday. The problem was they couldn't replicate the attack by viewing the malicious ad.
It's almost as if the attackers knew they were being watched. Cyber attackers often profile machines -- known as fingerprinting -- in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won't be attacked. Segura couldn't get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes' lab. The suspicious advertisement contained a one-by-one pixel GIF image.

That's not unusual, as pixels are used for tracking purposes, but this one actually contained JavaScript. The JavaScript exploits an information leakage vulnerability (CVE-2013-7331) in older unpatched versions of Internet Explorer, Segura said.

The vulnerability can be used to parse a computer's file system and figure out if it's running certain AV programs. If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said. It is not unusual for cyber attackers to do some quick reconnaissance on potential victims.

But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior. The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said. The malicious ad was carried by Google's DoubleClick and dozens of other ad networks.
It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies. "It shows you how deceptive they can be and how many fake advertisers are out there," he said. Segura said he has been in touch with DoubleClick and other online advertising companies, but the malvertising ad is still running in some places. The automated nature of online advertising and the labyrinth of relationships between companies has made filtering malicious ads difficult, he said. "What criminals have figured out is it's easier to infiltrate a third partner that works with Google but doesn't necessarily have the same security screening and tight guidelines," Segura said. Malwarebytes posted a writeup of its research on its blog.
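The fingerprinting pixel described above, an image slot that actually delivered script, is something an ad network or a researcher's proxy can check for before a creative is served: parse the GIF header, confirm the bytes match the declared type, and refuse anything carrying script markup. The following is an added example, not code from the article or from Malwarebytes; the sample assets, their names and the verdict thresholds are constructed assumptions.

```python
import re
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Markup that has no business inside an image body.
SCRIPT_RE = re.compile(rb"<script\b|javascript:|\beval\s*\(", re.IGNORECASE)

# Constructed sample assets (not captured from the campaign in the article):
# a genuine 1x1 transparent GIF, a "GIF" whose body is really script, and a
# genuine pixel with script bytes appended after the GIF trailer (0x3B).
CLEAN_PIXEL = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
    b"\x00\x02\x02D\x01\x00;"
)
SCRIPT_AS_GIF = b"<script>document.title = 'pixel';</script>"
PIXEL_WITH_SCRIPT = CLEAN_PIXEL + b"<script>document.title = 'pixel';</script>"

SAMPLE_ASSETS = {
    "clean-pixel.gif": ("image/gif", CLEAN_PIXEL),
    "script-as-gif.gif": ("image/gif", SCRIPT_AS_GIF),
    "pixel-plus-script.gif": ("image/gif", PIXEL_WITH_SCRIPT),
}


def gif_dimensions(body: bytes):
    """Return (width, height) from the GIF logical screen descriptor, or None
    if the bytes do not start with a GIF signature."""
    if len(body) < 10 or body[:6] not in GIF_MAGICS:
        return None
    # Bytes 6-9 hold the little-endian u16 width followed by the u16 height.
    width, height = struct.unpack("<HH", body[6:10])
    return width, height


def inspect_ad_asset(content_type: str, body: bytes) -> dict:
    """Classify one ad asset fetched from an ad network.

    Findings returned:
      valid_gif        the header parses as a GIF
      tracking_pixel   a GIF whose logical screen is 1x1
      contains_script  script markup anywhere in the bytes
      type_mismatch    declared image/* type but the bytes are not an image
      verdict          'allow', 'review' or 'block'
    """
    dims = gif_dimensions(body)
    declared_image = content_type.lower().startswith("image/")
    findings = {
        "valid_gif": dims is not None,
        "tracking_pixel": dims == (1, 1),
        "contains_script": bool(SCRIPT_RE.search(body)),
        "type_mismatch": declared_image and dims is None,
    }
    if findings["contains_script"] or findings["type_mismatch"]:
        findings["verdict"] = "block"
    elif findings["tracking_pixel"]:
        findings["verdict"] = "review"  # ordinary pixel; log who it calls home to
    else:
        findings["verdict"] = "allow"
    return findings


def scan_assets(assets):
    """Map each asset name to its verdict, as a pre-flight check on a creative."""
    return {name: inspect_ad_asset(ct, body)["verdict"]
            for name, (ct, body) in assets.items()}


if __name__ == "__main__":
    for name, verdict in scan_assets(SAMPLE_ASSETS).items():
        print(f"{name}: {verdict}")
```

The header check only covers GIF; a production filter would add the PNG and JPEG signatures the same way, and would also compare the served bytes against the creative that was originally approved, since the article's point is that the approved asset and the served one differed.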
For U.S. taxpayers, the news just keeps getting worse about the cyberattack discovered last year on the IRS's Get Transcript application. At first, it looked like just over 100,000 taxpayers had been affected.

Then, last August, the number was updated ...
Popular brands of wireless mice and keyboards could allow an attacker to send commands to a user’s system, according to researchers.

The communications between hundreds of millions of wireless mice and keyboards and the systems to which they are connected could be exploited to allow an attacker to take control of a targeted laptop or desktop PC, researchers from communications-security firm Bastille said on Feb. 23. The attack, dubbed “MouseJacking,” exploits the weak security of the custom communications protocols used by many wireless mice and keyboards, such as those from vendors Logitech, Microsoft and Dell, the company stated. An attacker could, from 100 meters away or more, use the attack to send mouse clicks and keystrokes to the targeted systems and, by opening windows and issuing commands, essentially take control of the victim's computer, Chris Rouland, founder and chief technology officer at Bastille, told eWEEK. “It really only takes a $15 dongle and about 15 lines of Python code and you can get complete control of the target system,” he said.

Bastille's report comes as security researchers continue to warn that the widespread adoption of devices that connect to each other or the Internet–the so-called Internet of Things–will dramatically increase the exposure of both consumers and companies to cyber-attacks. Bastille’s research targets one of the most significant vectors of attacks—the peripherals used to send data to a computer system. The attack, however, only affects peripherals that do not use the Bluetooth standard to communicate between devices.

Many companies have created their own communications protocols to avoid licensing fees and to attempt to reduce power consumption, Rouland said. Bastille’s attack takes advantage of poorly implemented communications protocols between the USB dongle that plugs into a computer system and the mouse or keyboard that communicates with that dongle, said Marc Newlin, a security engineer at Bastille, who found the MouseJack vulnerability. All the vendors encrypt the information going between the keyboard and the dongle, but none of the vendors secure the data between the mouse and the dongle, Newlin said. In these cases, an attacker can just send unencrypted packets and have the system accept the data.

Typically, there are two types of attacks, he said. “The dongle is expecting encrypted keystrokes from the keyboard, but in some cases it will accept unencrypted keystrokes,” he said. “In that case, the attacker can spoof a keyboard and send unencrypted keystrokes and they are accepted as if the attacker was sending encrypted keystrokes.” Another scenario allows an attacker to send unencrypted packets, masquerading as a mouse, but sending keystrokes instead. The security issues arise because the vendors did not adequately secure the protocols, Rouland said.

The maker of the most common wireless chip for such devices, Nordic Semiconductor, provides adequate tools to implement communications securely, but vendors fail to code the software correctly. “When companies implement their own proprietary encryption schemes, it screams red flags to security researchers,” he said. “Because they typically screw it up—and that is certainly the case here.” Because most companies do not allow updates to the peripherals' firmware, solving the issue will require that users replace the devices. Logitech, the largest third-party maker of peripherals, does allow users to update their software and has already released a patch. Still, the fact that most people are not accustomed to updating their mouse or keyboard software will likely make patching, or replacing the devices, a slow process, Rouland said. “From a practical perspective, I think we will see this vulnerability exist for quite a long time, and it affects both enterprises and consumers,” he said.
How some cyber espionage and other advanced attack groups don't go dark anymore after being outed.

The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. “They didn’t disappear when the dust settled” after the Sony attacks, says Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab.

Guerrero-Saade and fellow researcher Jaime Blasco last week at the Kaspersky Security Analyst Summit in Tenerife, Spain, detailed new activity by the Sony hackers. “It took us two years to correlate all of the information we had … The same people were launching campaigns using information from the Sony attack,” said Blasco, who is vice president and chief scientist of AlienVault.

The attacks are mainly intelligence-gathering efforts, but occasionally the attacks include wiping disk drives, he said. The attackers, which the US government say came out of North Korea, pummeled Sony, wiping disk drives, and doxing emails and other sensitive information. There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. “They would immediately shut down their infrastructure when they were reported on,” said Kurt Baumgartner, principal security researcher with Kaspersky Lab. “You just didn’t see the return of an actor sometimes for years at a time.” But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity.

Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives.

Darkhotel is no longer waging hotel-targeted attacks -- but they aren’t hiding out, either. In July, Darkhotel was spotted employing a zero-day Adobe Flash exploit pilfered from the HackingTeam breach. “Within 48 hours, they took the Flash exploit down … They left a loosely configured server” exposed, however, he told Dark Reading. “That’s unusual for an APT [advanced persistent threat] group.” The Darkhotel group appears to care less about its infrastructure and more about its advanced attack techniques, he says. “Public exposure isn’t going to affect them,” he says. “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active,” including sending rigged links to Southeast Asia targets via Webmail services.

‘No Such Actor’

Meantime, one of the most advanced and infamous nation-state threat actor groups has been dark for more than a year. Kaspersky Lab still hasn’t seen any sign of the so-called Equation Group, the nation-state threat actor operation that the security firm exposed early last year and that fell off its radar screen in January of 2014. The Equation Group, which has ties to Stuxnet and Flame as well as clues that point to a US connection, was found with advanced tools and techniques including the ability to hack air-gapped computers, and to reprogram victims’ hard drives so its malware can be neither detected nor erased. While Kaspersky Lab stopped short of attributing the group to the National Security Agency (NSA), security experts say all signs indicate that the Equation Group equals the NSA. “I would assume they are active but just changed their” communications, says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.” Just how APT groups from various regions react to being outed is often a cultural thing. “The Far Eastern [APTs] don’t seem to care too much” about hiding out after being outed, he told Dark Reading.
"The rest of the world cares a bit more." One exception to that is the attack group behind the US Office of Personnel Management (OPM) breach, he says. "They are a different kind of fish. The moment they got discovered," they shifted gears, he says. "We found traces of activity related to those guys. But it was at another level of skills and capabilities versus other Chinese-speaking groups."

Kelly Jackson Higgins is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
IT Pros Fall Short When Protecting Their Networks, Tripwire Finds

A new survey by Tripwire finds that while IT professionals are proactive in their attempts to protect networks, they aren't as effective as they need to be.

When Are Endpoint Devices Affected?

While Tripwire found that nearly all of the IT professionals it spoke with used automated tools to track their networks, it was surprised to discover that few knew when configuration changes were made to endpoint devices.
In fact, 40 percent of respondents said that they had a "general idea" when a computer had been modified, and 17 percent had no idea.

Add that to the 10 percent of respondents who don't track networks at all, and it's a recipe for concern.

Network-Linked Configuration Changes Are Another Issue

Tripwire found that after an endpoint device had been reconfigured by an attacker, 40 percent of respondents wouldn't detect the change for hours.

Another 22 percent of IT professionals said it could take days to find the configuration change.

By then, the endpoint has been infected and may be replicating its payload across the network.

Patches Don't Always Work

When examining the health care and financial industries, two sectors that must safeguard extremely sensitive customer information, Tripwire discovered that patches don't work nearly as well as IT professionals would like. On the health care side, just 26 percent of IT professionals said that their patches worked 90 to 100 percent of the time.

Financial firms performed even worse, with just 23 percent of respondents saying they have been able to patch issues 90 to 100 percent of the time.

That's a lot of holes left unplugged.

Effectiveness of Vulnerability Scanning Systems Is Mixed

In one of the few high points in the Tripwire survey, the security firm found that 38 percent of companies know for sure how long it would take for "vulnerability scanning systems" to alert them to an unauthorized device joining the network. However, 21 percent of IT professionals either don't know how long it would take or don't have a vulnerability scanner running on their networks that would search for unauthorized devices.

Government Agencies Are Slow to Fix Flaws

In its survey of government IT professionals, Tripwire asked how long it takes for vulnerabilities to be discovered and "promptly" patched.

A whopping 15 percent of respondents said vulnerabilities still remain unpatched after 60 days, and a third of IT professionals said fixing an issue takes between 31 and 60 days.

Approximately half of government IT professionals say they can fix vulnerabilities within 30 days.

Smaller Companies Are Less Effective at Controlling File Access

Malicious users attempting to access sensitive files are obviously one of an IT professional's chief concerns. However, just two-thirds of companies with annual revenue of $5 billion or more can detect when an unauthorized user tries to access networked files.

And for smaller companies, that figure drops to 58 percent.

A surprisingly large number of companies, in other words, have no idea if someone—an employee, hacker or anyone else—is gaining unauthorized access to data files.

Finance Industry Automation Leaves Much to Be Desired

Heading back to the finance industry, Tripwire wanted to know how much information could be obtained about unauthorized devices connecting to the network. Just 39 percent of respondents said that they could "pick up all the information necessary" to know for sure where and what the device is. Nearly 20 percent of IT professionals say that they have no way of identifying the unauthorized devices.

Those companies, in other words, are flying blind with no way of knowing which devices need to be kicked from the network. Yikes.

Hardware Discovery Matters—but It Doesn't Always Work

Controlling device access to corporate networks is a first line of defense against malicious hackers. However, just 16 percent of respondents said that they can always find out when hardware connects to the corporate network.

A whopping 40 percent of IT professionals know 50 percent of the time or less when new hardware is connecting to their networks.

IT Professionals Lack Key Information to Prevent Hacks

According to Tripwire, IT professionals clearly understand that they need to know what's connecting to their networks and when.

The trouble, however, is that it often takes too long to get that information, and all the while, hackers could be running amok, stealing information and crafting nasty scenarios that those IT professionals will eventually need to deal with.
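Two of the findings above come down to the same capability: knowing promptly that an endpoint's configuration changed, and knowing what an unapproved device is and where it sits when it joins the network. The following is an added example written for this page, not Tripwire's code or anything from the survey, of the baseline-and-diff approach behind both checks. It hashes a set of configuration files (content plus mode) and reports additions, removals and modifications against a stored baseline, and it parses ISC dhcpd lease acknowledgements to flag any MAC that is not in an approved-device inventory, carrying the IP, hostname, interface and first-seen time an analyst needs to locate it. All file contents, MAC addresses and log lines are constructed for the demonstration.

```python
"""Baseline-and-diff detection for endpoint configuration drift and
unauthorized network devices. Added example, not Tripwire's code; every
file, MAC address and log line below is constructed for the demo."""
import hashlib
import re
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_file_baseline(files: dict) -> dict:
    """files maps path -> (content bytes, mode). Returns path -> (sha256, mode).
    Recording the mode as well as the hash catches permission changes that
    leave file content untouched."""
    return {p: (sha256_hex(c), mode) for p, (c, mode) in files.items()}


@dataclass
class FileDiff:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    modified: list = field(default_factory=list)


def diff_file_baseline(baseline: dict, current: dict) -> FileDiff:
    """Compare a stored baseline with a fresh one; paths come out sorted."""
    diff = FileDiff()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            diff.added.append(path)
        elif path not in current:
            diff.removed.append(path)
        elif baseline[path] != current[path]:
            diff.modified.append(path)
    return diff


# ISC dhcpd syslog format for a granted lease (hostname in parentheses is optional).
DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def parse_dhcpack(line: str):
    """Return the fields of a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.match(line)
    return m.groupdict() if m else None


def unknown_devices(inventory: dict, log_lines) -> list:
    """inventory maps MAC -> description of an approved device. Returns one
    record per MAC that took a lease but is not approved, reported once."""
    findings, seen = [], set()
    for line in log_lines:
        rec = parse_dhcpack(line)
        if rec is None:
            continue
        mac = rec["mac"].lower()
        if mac in inventory or mac in seen:
            continue
        seen.add(mac)
        findings.append({"mac": mac, "ip": rec["ip"], "host": rec["host"] or "?",
                         "iface": rec["iface"], "first_seen": rec["ts"]})
    return findings


# --- constructed sample data -------------------------------------------------
BASELINE_FILES = {
    "/etc/ssh/sshd_config": (b"PermitRootLogin no\nPasswordAuthentication no\n", 0o644),
    "/etc/sudoers": (b"root ALL=(ALL) ALL\n", 0o440),
    "/etc/cron.d/backup": (b"0 2 * * * root /usr/local/bin/backup\n", 0o644),
}
CURRENT_FILES = {  # attacker flipped a setting, loosened a mode and added a cron job
    "/etc/ssh/sshd_config": (b"PermitRootLogin yes\nPasswordAuthentication no\n", 0o644),
    "/etc/sudoers": (b"root ALL=(ALL) ALL\n", 0o640),
    "/etc/cron.d/backup": (b"0 2 * * * root /usr/local/bin/backup\n", 0o644),
    "/etc/cron.d/update": (b"*/5 * * * * root /tmp/.x\n", 0o644),
}
INVENTORY = {"3c:52:82:aa:bb:01": "printer-2 (floor 3)", "00:1b:21:cc:dd:02": "ws-finance-07"}
SAMPLE_DHCP_LOG = [
    "Mar 15 09:12:01 dhcp1 dhcpd[1123]: DHCPACK on 10.0.3.41 to 3c:52:82:aa:bb:01 (printer-2) via eth1",
    "Mar 15 09:14:37 dhcp1 dhcpd[1123]: DHCPACK on 10.0.3.58 to 00:1b:21:cc:dd:02 (ws-finance-07) via eth1",
    "Mar 15 09:20:05 dhcp1 dhcpd[1123]: DHCPACK on 10.0.3.77 to b8:27:eb:11:22:33 (raspberrypi) via eth1",
    "Mar 15 09:20:09 dhcp1 dhcpd[1123]: DHCPDISCOVER from b8:27:eb:11:22:33 via eth1",
    "Mar 15 09:41:50 dhcp1 dhcpd[1123]: DHCPACK on 10.0.3.77 to b8:27:eb:11:22:33 (raspberrypi) via eth1",
    "Mar 15 10:02:11 dhcp1 dhcpd[1123]: DHCPACK on 10.0.3.90 to 00:50:56:ab:cd:ef via eth1",
]


def run_demo():
    drift = diff_file_baseline(build_file_baseline(BASELINE_FILES),
                               build_file_baseline(CURRENT_FILES))
    return drift, unknown_devices(INVENTORY, SAMPLE_DHCP_LOG)


if __name__ == "__main__":
    drift, devices = run_demo()
    print("added:", drift.added, "removed:", drift.removed, "modified:", drift.modified)
    for dev in devices:
        print("unknown device:", dev)
```

In practice the baseline would be written to storage the endpoint cannot modify and the comparison run on a schedule measured in minutes, which is what turns the "hours" and "days" detection windows in the survey into something an analyst can act on; the device check is the same idea applied to a lease log instead of a filesystem.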

As Tripwire's Director of IT Security and Risk Strategy Tim Erlin notes, the study shows "IT managers and executives … are missing key information that's necessary to defend themselves against cyber attacks."

With cyber-attacks on the rise and data at risk, enterprises are trying to take the right steps to detect network breaches and protect data resources, according to the findings of a survey by security firm Tripwire. However, while IT professionals are proactive in their attempts to protect networks, they don't have a clear understanding of the defenses they're employing. What's worse, the study shows that most IT professionals have only a "vague" idea of how long it would take to identify an attack and resolve the issue, which calls into question just how safe corporate data really is.
In fact, many IT professionals won't discover a cyber-attack until months after it's happened—long after perhaps gigabytes of sensitive corporate data have been spirited away.

This slide show covers Tripwire's findings, which are based on a survey of more than 760 IT professionals across both the public and private sectors.
In the end, however, the findings are clear.
IT professionals want to safeguard corporate networks, but they aren't as effective in carrying out that task as they need to be, and they are painfully aware of that condition.

Don Reisinger is a freelance technology columnist. He has written columns for Computerworld, InformationWeek, and others, and has appeared numerous times on national television to share his expertise with viewers.