Saturday, September 23, 2017

Tag: DLP

The security vendor bolsters the endpoint detection and response capabilities of its Endpoint Threat Platform with the addition of data loss prevention in a bid to reduce risk.
Google knows that if enterprises are going to move their critical services to its cloud, then it has to offer something that AWS doesn't.

At Google Cloud Next, the company's leadership made the case that Google Cloud was the most secure cloud. At the conference this week, Google unveiled tools that let IT teams provide granular access to applications, better manage encryption keys, and enforce stronger authentication for applications running on Google Cloud. Some of the features, such as Key Management Service, are similar to security tools AWS has already rolled out (in this case, the AWS Key Management Service); others, such as the DLP API for GCP (Google Cloud Platform), go beyond the infrastructure to protect individual applications.
Fredrikstad - 9th February 2017. norxe, the Norwegian manufacturer of DLP (Digital Light Processing) projectors, will be exhibiting at ISE 2017. This exciting new startup will demonstrate two P1 projectors on a Partner booth in Hall 12, stand N-44. In addition, the company is delighted to announce the appointment of Iain Ambler as Head of Business Development for the UK. Iain will be attending ISE along with the rest of the norxe team. Iain's appointment is the latest in what... Source: RealWire
Google today bolstered its G Suite of productivity apps with new controls and tools for IT professionals.

G Suite administrators now have more control over security key enforcement, data loss prevention (DLP) for Google Drive and Gmail, and additional insight from connecting Gmail to BigQuery, Google's enterprise data warehouse designed to enable SQL queries, according to Google. All of the changes, which are live today, are designed to elevate G Suite for the enterprise, especially among companies that need more confidence in the controls they can maintain over corporate data.
When I talk to IT managers, I almost always hear fears of mobile devices as conduits for sensitive corporate data to leave the company. I don't know why I keep hearing this. There's simply no evidence to support this fear.

In fact, there's solid evidence that says mobile devices are not a significant, or even moderate, risk factor. Every year, I check the Identity Theft Resource Center's database of personally identifying information (PII) breaches, which require disclosure under both state and federal laws. I'm sure many losses go unreported, and the database doesn't cover corporate information not containing PII. But if mobile devices were a conduit to data loss, they should show up in this database.

Mobile-linked breaches haven't shown up in previous years, and they didn't show up again in 2016, despite the fact that nearly everyone these days uses a smartphone. What does show up? Paper records, thumb drives, external hard drives, laptops, hacks into databases and storage systems, and successful phishing attempts. Many of the reported breaches involve lost papers, drives, and laptops, where a data thief probably wasn't involved. But many involve active hacking of IT systems where data theft is the goal. And some involve insiders (contractors and ex-employees) stealing data to use themselves, bring to new employers, or, least often, sell to others. None of the lost, stolen, or compromised devices were smartphones or tablets.

That's probably because encrypted devices need not be reported; they're presumed safe. iPhones and iPads have long encrypted their contents, and professional-grade Android devices have done that in recent years. In both cases, a simple IT policy can enforce that encryption. It doesn't take a fancy mobile security tool; Microsoft Exchange's ActiveSync device policies can do the trick.

Well, there was one data breach involving a smartphone: a former hospital manager, after resigning, took patient-identifying information by forwarding certain documents, such as patient lists, to her personal email account. She had work email set up on her personal smartphone, a common BYOD scenario, and simply forwarded the work emails to her personal account. That's not a mobile-specific issue; she could have done that from a work computer or a home computer. IT's remedy is the same no matter the device running the email app: use restricted email accounts where possible, and data loss prevention (DLP) tools where not, to identify and perhaps prevent such odd email usage. And don't distribute PII or other sensitive information in routine documents in the first place!

Also not in the breach list were the cloud storage services that IT managers fret about after they're done worrying about mobile devices: Apple iCloud Drive, Box, Dropbox, Google Drive, and Microsoft OneDrive. But that omission may be misleading, because if a lost (unencrypted) laptop has stored the access credentials for such services, which is common, then the data on that cloud drive is available to a data thief, just as the locally stored data is.

The Identity Theft Resource Center database doesn't go into great detail on each case, but because a lost (unencrypted) laptop is presumed to be a data breach, that breach extends to any data on that laptop, including cloud-accessed data. Still, we didn't see cases of these popular cloud storage services as the specific vector of a data breach, despite frequent IT fears to the contrary.

In this day and age, IT pros have plenty of security threats to deal with. Active hacking is the biggest threat, of course, and should get the lion's share of the resources. The client side should be addressed but not dwelled on. Of the clients in use, mobile is the least risky. Based on the actual risks, a good place to start is securing laptops, then external drives that people use when they don't have access to a corporate cloud storage service. Those devices comprise the biggest client risk. Encryption is your main line of defense for these devices, and for cloud storage, too. For the much smaller risk posed by mobile devices, mobile management tools are both mature and effective; there's no excuse not to have them in place already.
WatchGuard Wi-Fi Cloud delivers automated wireless threat prevention with interactive engagement and analytics

18 October 2016 – WatchGuard® Technologies has announced WatchGuard Wi-Fi Cloud, a secure, scalable and feature-rich Wi-Fi management platform with a new family of high-performance, cloud-ready access points. Deployed together, this next-generation secure wireless solution delivers a sophisticated Wireless Intrusion Prevention System (WIPS), while turning Wi-Fi hot spots into powerful consumer research, analytics and push marketing tools.

Architected from the ground up to focus on ease of deployment and administration, the WatchGuard Wi-Fi Cloud simplifies even the most complex aspects of Wi-Fi management, making fast, secure and intelligent Wi-Fi accessible to organisations of all types and sizes. WatchGuard Wi-Fi Cloud delivers high-quality wireless performance, while ensuring consistent security policies across all connected devices, even at remote locations.

The patented WIPS technology built into WatchGuard's new cloud-ready AP120 and AP320 access points automatically classifies wireless devices as Authorized, Rogue, or External, resulting in a very low false positive rate. This advanced rogue detection process can safely and automatically shut down unauthorised access points and clients, while nearly eliminating the risk of illegally interfering with neighbouring wireless networks.

“Today's savvy businesses realise that safe and reliable Wi-Fi is a basic requirement, but many SMBs and distributed enterprise organisations struggle to deliver it. We've developed a comprehensive solution that dramatically simplifies how businesses deploy and manage wireless, while at the same time elevating Wi-Fi security standards,” said Ryan Orsi, director of wireless products at WatchGuard. “In addition to security, the WatchGuard Wi-Fi Cloud makes it easier for organisations to turn Wi-Fi into an extension of their brand, an interactive experience for their customers and a powerful analytics tool.”

WIRELESS SECURITY
Most traditional wireless network management solutions fail to stop rogue devices from connecting to their networks or block threats like wireless denial-of-service attacks. Current WIPS technology delivers a high rate of false positives, incorrectly categorising neighbouring hotspots and innocuously connected devices as malicious, which creates unnecessary frustration and end-user complaints. In addition to automatically detecting and disabling rogue wireless devices and attacks, WatchGuard's industry-leading WIPS also provides customers with:
- Secure Bring Your Own Device (BYOD) Policy Enforcement – automatically identifies on-network smart devices and blocks unapproved connections.
- Accurate Location Tracking – pinpoints the location of connected wireless devices or sources of interference, enabling administrators to quickly take action.
- Flexible Deployment – deployable in configurations to meet any security need. It can be installed as an overlay on top of an existing WLAN infrastructure or as a stand-alone enforcement system for Wi-Fi prohibited zones.

Customers can easily and cost effectively run all of their wireless network traffic through one of WatchGuard's leading network security appliances, thereby providing the same AV, IPS, web filtering, spam blocking, application control, APT blocking, data loss prevention and reputation lookup techniques to wireless traffic. This protects them against malware planting, eavesdropping and data theft and prevents inappropriate or illegal use of their network.

INTERACTIVE ENGAGEMENT AND ANALYTICS
The Wi-Fi Cloud provides visibility into marketing data, including insights into footfall and customer demographics visualised on customisable dashboards. Organisations can easily monetise these insights by tapping into the mobile engagement features, which allow direct and customised communication with individual customers in the form of SMS, MMS and their social network of choice. WatchGuard Wi-Fi Cloud management features also include:
- Custom Splash Pages and Social Wi-Fi Engagement – captive portals allow businesses to personalise customer Wi-Fi experiences by offering promotional opportunities, surveys and strong authentication through Facebook, Twitter, LinkedIn, Instagram and other social applications.
- Mobile Engagement – delivers custom messages to customers via SMS, MMS, and social networks, based on predefined triggers including user interaction and length of time on-network.
- Wi-Fi Analytics – data is collected via passive scans, active scans and user connections in and around your Wi-Fi networks. Analyses and conceptualises this data to provide insight into traffic patterns, behaviour and demographics of your Wi-Fi users, in addition to generating a visual map of foot traffic patterns on a floor plan.

“There is a strong demand among our customers for widely deployable, cloud-enabled solutions and we are excited to add WatchGuard Wi-Fi Cloud to our portfolio,” said Ian Kilpatrick, director at Wick Hill. “This new Wi-Fi cloud functionality expands our ability to sell more to existing customers and to reach brand new customers. Additionally, Firebox and Wi-Fi Cloud installations will increase partners' service revenues. This represents a big win for everyone.”

AVAILABILITY
WatchGuard Wi-Fi Cloud subscriptions, along with the AP120 and AP320, are available now. Customers can purchase them as a stand-alone solution, or as part of a holistic configuration that routes traffic through a Firebox or XTM appliance, to extend best-in-class security services like APT Blocker, WebBlocker, and Gateway AntiVirus into their wireless environments. For more information, visit https://www.watchguard.com/wifi.

About WatchGuard Technologies, Inc.
WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company's mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com. For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Contacts:
Rowena Case, WatchGuard Technologies, 0203 608 9070, ukmarketing@watchguard.com
Peter Rennison, PRPR, 01442 245030, pr@prpr.co.uk
Bad guys use common techniques to steal data, while companies focus too much on sophisticated attacks, according to the second annual Hacker's Playbook, based on an analysis of nearly 4 million breach methods.

Security professionals are figuring out how to block attacks from state-sponsored, advanced, persistent adversaries, said Itzik Kotler, CTO and co-founder at breach-simulation company SafeBreach, which produced the report. "But if you look at the different hacks, they're not all carried out by nation-states," he said. "They're carried out by script kiddies and cyber criminals."

In fact, while conducting penetration tests on behalf of its customers, SafeBreach found that old standbys are extremely effective. There are few adversaries skilled enough to create zero days. The majority of attackers use and reuse common techniques, which is exactly what SafeBreach did when running its penetration tests.

Corporate environments typically offered many exfiltration channels, including HTTP, IRC, SIP and syslog. Take, for example, Internet Relay Chat, which dates back to before the Web was invented. "It is not sophisticated at all," he said. "And, to our knowledge, it has no business value. But it can still be used to initiate a connection out of a company and carry data."

Syslog messages are event logs from network and security products sent to external aggregators for consolidation and analysis, and they are usually not scrutinized by security teams. They should be limited to specific servers, encrypted, or sent via a VPN tunnel. Similarly, SIP, which sets up voice-over-IP sessions, needs to be limited to specific, pre-identified servers. HTTP is the most common type of outbound traffic, and the easiest protocol to take advantage of, according to SafeBreach. These communications need to be monitored and inspected by data loss prevention platforms.
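The recommendation above (limit syslog and SIP to pre-identified servers, encrypt syslog, treat IRC as having no business use) turns directly into an egress audit. The following is an added example, not SafeBreach's tooling or anything from the article: it classifies outbound flow records by destination port, checks each "unusual but legitimate" channel against a per-protocol allowlist, flags cleartext syslog even to an approved aggregator, and totals bytes per offending source so a multi-megabyte "log" stream stands out. The record format, the 10.0.0.0/8 internal range, the allowlisted hosts and the sample flows are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical allowlists: the only external hosts each channel may reach.
# IRC has no business use in this environment, so its allowlist is empty.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
APPROVED = {
    "syslog": {"203.0.113.10"},   # the managed log aggregator
    "sip": {"198.51.100.5"},      # the VoIP provider's session border controller
    "irc": set(),
}
# Standard ports used to classify a flow into one of the audited channels.
CHANNEL_BY_PORT = {514: "syslog", 6514: "syslog", 5060: "sip", 5061: "sip",
                   6667: "irc", 6697: "irc"}
CLEARTEXT_PORTS = {514}   # UDP/514 syslog has neither TLS nor authentication


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Constructed record format: timestamp src dst dport proto bytes_out."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def check_flow(rec: dict):
    """Return (channel, reason) if the flow violates policy, else None."""
    channel = CHANNEL_BY_PORT.get(rec["dport"])
    if channel is None or is_internal(rec["dst"]):
        return None   # not an audited channel, or the traffic never leaves
    if rec["dst"] not in APPROVED[channel]:
        return channel, "%s to unapproved host %s" % (channel, rec["dst"])
    if rec["dport"] in CLEARTEXT_PORTS:
        return channel, "%s to approved host but in cleartext on port %d" % (channel, rec["dport"])
    return None


def audit(lines):
    """Apply check_flow to every record; also total bytes per (source, channel)."""
    findings = []
    volume = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        verdict = check_flow(rec)
        if verdict:
            channel, reason = verdict
            findings.append({"src": rec["src"], "dst": rec["dst"], "channel": channel,
                             "bytes": rec["bytes"], "reason": reason})
            volume[(rec["src"], channel)] += rec["bytes"]
    return findings, dict(volume)


# Constructed flow records; 192.0.2.0/24 plays the attacker-controlled hosts.
SAMPLE_FLOWS = """\
2016-10-18T09:00:01 10.1.4.22 203.0.113.10 6514 tcp 48213
2016-10-18T09:00:05 10.1.4.22 198.51.100.5 5060 udp 1810
2016-10-18T09:01:12 10.1.7.90 192.0.2.44 514 udp 9200000
2016-10-18T09:02:30 10.1.7.90 192.0.2.77 6667 tcp 3100000
2016-10-18T09:03:00 10.1.4.22 203.0.113.10 514 udp 2400
2016-10-18T09:04:00 10.1.9.3 10.1.9.4 514 udp 500
""".splitlines()

if __name__ == "__main__":
    found, vol = audit(SAMPLE_FLOWS)
    for f in found:
        print(f["src"], "->", f["dst"], f["bytes"], "bytes:", f["reason"])
    print("bytes per (source, channel):", vol)
```

Three of the six constructed flows are flagged: 9.2 MB of "syslog" to an unapproved host, an IRC session to another, and cleartext syslog to the real aggregator (correct destination, wrong transport). The flows to the approved aggregator over TLS and to the approved SIP server pass, and internal syslog is ignored. Port-based classification is deliberately coarse; a real deployment would pair this with protocol detection, since an attacker can run IRC on any port.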
When it comes to getting into a company in the first place, companies are still not locking down many common approaches. For example, executable files in attachments were successful in a quarter of all attempts. So were Microsoft Office macros and Visual Basic scripts. And one of the oldest tricks in the book, encrypted zip files downloaded via HTTP, still works: a content scanner cannot open the archive, so whatever is inside passes through uninspected. These kinds of files should be limited by policy or inspected by next-generation firewalls, SafeBreach recommended. And the top five most successful malware kits have been around for a year or more, including Citadel, Dridex, Hesperbot, SpyEye and Cryptolocker.

Finally, human error was a common problem. The most damaging mistake was misconfiguring malware sandboxes and proxies. For example, sandboxes were often not set up to cover all ports, protocols, file formats, and encrypted traffic. And misconfigured proxies allow attackers to move laterally within corporate networks.

This story, "Enterprises outsmarting themselves with security, while attackers easily use common techniques," was originally published by CSO.
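The encrypted-zip trick mentioned above works because the gateway cannot look inside the archive, but it does not need to: the zip format records encryption in a header flag that is readable without the password. The following is an added example, not from the article or from SafeBreach, of how a download gateway can make that decision by parsing the central directory. The archive it inspects is built in-memory with Python's zipfile module and then has the encryption flag set by hand (the standard library cannot write password-protected zips), which is labelled as a constructed sample in the code.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CDIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001     # general purpose bit 0: traditional (ZipCrypto) encryption
FLAG_STRONG_ENC = 0x0040    # bit 6: PKWARE "strong encryption"
METHOD_AES = 99             # WinZip AES marker in the compression-method field


def zip_entries(data: bytes):
    """Walk the central directory, yielding (name, flags, method, compressed_size).

    The central directory is authoritative: local headers may omit sizes when
    a data descriptor is used, so a gateway should never rely on them alone.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record (truncated or not a zip)")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_on_disk(2) n_total(2) cd_size(4) cd_offset(4)
    n_total, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    if cd_offset + cd_size > eocd:
        raise ValueError("central directory offset/size inconsistent with EOCD")
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory entry signature missing at %d" % pos)
        # CD header: sig(4) made_by(2) needed(2) flags(2) method(2) time(2) date(2)
        #            crc(4) csize(4) usize(4) nlen(2) xlen(2) clen(2) ... name at +46
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        (csize,) = struct.unpack_from("<I", data, pos + 20)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield name, flags, method, csize
        pos += 46 + nlen + xlen + clen


def encrypted_entries(data: bytes):
    """Names of entries a content scanner will not be able to open."""
    return [name for name, flags, method, _ in zip_entries(data)
            if flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENC) or method == METHOD_AES]


def verdict(data: bytes) -> str:
    """Gateway decision: quarantine anything it cannot fully inspect."""
    try:
        hidden = encrypted_entries(data)
    except ValueError as exc:
        return "quarantine: unparseable archive (%s)" % exc
    return "quarantine: encrypted entries %s" % hidden if hidden else "inspect: all entries readable"


def make_sample(encrypted: bool) -> bytes:
    """Constructed sample. zipfile cannot write encrypted archives, so build a
    normal one and set bit 0 of the flags in the local and central headers,
    which is the field a real password-protected zip carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.js", "var payload = 'constructed sample';")
    data = bytearray(buf.getvalue())
    if encrypted:
        eocd = data.rfind(EOCD_SIG)
        (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
        for off in (0 + 6, cd_offset + 8):   # first local header is at offset 0
            (flags,) = struct.unpack_from("<H", data, off)
            struct.pack_into("<H", data, off, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    print(verdict(make_sample(False)))
    print(verdict(make_sample(True)))
```

The decision is made on metadata alone, so it costs nothing and needs no password. Anything the parser cannot walk (truncated file, bogus offsets) is quarantined too, on the principle that a file the gateway cannot reason about should not be waved through. A gateway that wants to be thorough would also look at the local headers and compare them with the central directory, since the two are written independently and a crafted archive can disagree between them.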
Don't just accept the defaults and hope for the best

Wherever you look there's yet another SME or enterprise migrating to Office 365. This says a lot for the attractiveness of cloud-based office suites, and perhaps it also says something about the attractiveness of letting someone else look after one's SharePoint and Exchange servers rather than having to fight with their maintenance and upkeep internally. It also says a lot about the security of the platform: if there were any serious concerns there wouldn't be so many people using it (the figure I have to hand cites 60 million business customers as of spring 2016). What this tells us, though, is not that it's the Fort Knox of cloud-based office software: it merely says that it's secure enough for commercial organisations to accept it into their infrastructure. Any system has scope for improvement, or for the user to layer further security mechanisms on top to make the setup even more attractive. So what does Office 365 give us, and what can we do to take it further, security-wise?

Underlying directory services

One of the reasons people tend to trust Office 365 is that it's based on the directory service that everyone knows and is familiar with: Active Directory. Cloud-based AD integrates with its on-premise peer very straightforwardly, and although in the past one tended to use outward federation (that is, AD was hosted and managed in-house and federated/synchronised to an external AD server) the story is now far more bi-directional, so you can manage the AD setup either internally or externally and it'll sync in either direction. Let's face it, it's difficult to criticise the fundamental security capabilities of a cloud-based AD setup because we've all been using it in-house for years and years.

Securing other apps

The other benefit you get if you adopt the Enterprise Mobility Suite on top of Office 365 is the ability to bring the user authentication of a variety of apps into a single user database. Interestingly, EMS gives you more than you'd be able to do with an in-house AD setup. So as well as providing native AD authentication you can point all manner of other stuff at it: ODBC lookups, LDAP queries, web services and of course other native AD servers. But more interestingly there's a pile of specific support for a wide range of popular cloud-based apps (Salesforce is the one that's generally cited, so let's not buck the trend) and so you can move away from your plethora of separate user databases and toward a single integrated directory service.

Two-factor authentication

The problem with centralising your authentication, though, is that the impact of a breach of your central authentication database is far greater than a breach of a single application's own internal user database. So the first thing you'll probably want to add to your Office 365 setup is two-factor authentication (2FA). To be fair to Microsoft, they do provide a 2FA mechanism of their own, but many of us already use third-party 2FA (RSA's SecurID is probably the best known, though more recently I've used Symantec's VIP offering) and it's understandable to want to stick with what you know. And without trying to sound disparaging to Microsoft, there's something to be said for picking a different vendor for your 2FA in the interests of putting your eggs in more than one vendor basket. Happily the 2FA vendors are happy to sell you their 365-connectable offerings, as they're becoming nicely established and stable.

Edge protection

We mentioned earlier that managing your own in-house Exchange setup can be something of a chore, and quite frankly who can blame you for wanting to ship it off to the cloud for Microsoft to look after? I've seen it done more than once, and the relief on the faces of the mail server admins was palpable. But I also wouldn't blame you for considering persevering with, and potentially even expanding, some or all of the edge protection you have for inbound email: it's been common for many years to adopt a hosted anti-malware and/or anti-spam offering and to funnel all your inbound email through it on its way to the Exchange server. Of course Microsoft's mail infrastructure has its own anti-malware mechanisms (and they're very proud of it) but again, by sticking with a third-party offering layered around it you can bring an additional layer of security, visibility and reassurance to yourself and your management.

Going in the other direction, Data Leakage Protection (DLP) is also something that you're increasingly likely to need these days, what with the tendency toward accreditations such as PCI DSS and ISO 27001. Again there's a selection of DLP tools and policy features within Office 365, but a third-party approach is very much an option.

Security monitoring

Regardless of whether your installation is on-premise or in the cloud, security monitoring is absolutely critical if you're serious about security. The market to be in these days is selling Security Information and Event Management (SIEM) software and appliances: storing, collating and analysing log data, and the associated response and remediation, brings massive benefits, particularly if you're aiming toward some kind of formal security or similar accreditation. Office 365 provides APIs into which SIEM platforms can hook in order to deduce what's occurring in the cloud installation and alert you to potential issues; and as with the likes of DLP and 2FA, the vendors of SIEM products now commonly support Office 365 to pretty much the same extent as they support on-premise kit. Does Office 365 have in-built SIEM? Yes, there are tools that provide you with forensic analysis features and of course there's event logging, but SIEM isn't a core concept for Microsoft and so unless you have a very small setup you'll look to third-party SIEM offerings for the functionality you need, either in a dedicated, targeted SIEM solution from someone like LogRhythm or Splunk, or in a multi-function package from the likes of Proofpoint.

Backups

One of the big differences between the cloud-based world and the on-premise setup is the need for and the implementation of backups. It's common to decide that the requirement for backups to protect against complete system failure (i.e. disk crashes causing data loss) is much reduced in the cloud thanks to the robust physical implementation of the underlying storage layer. But remember that physical crashes are just part of the need for backups: the risk of inadvertent deletion of data doesn't go away when you shift the installation into the cloud. As with some of the other concepts we've mentioned, there are built-in tools such as version control and rollback, automatic retention of items in recycle bins, and so on. But again you're likely to want more, and again you can look to the market, as there's a growing selection of options out there.

Are we spotting a trend here?

We've been talking so far about augmenting Office 365 with security features that don't come as standard, or that do come with the system but are perhaps not so attractive as those of separate products whose developers are more focused on the subject area. The thing is, though, that aside perhaps from the discussion on backups, few of these supposed shortcomings are unique to Office 365: they exist in on-premise setups too. And that makes sense: we're not saying Office 365 is particularly deficient, just that the whole reason all these third-party products and services exist is that you can't reasonably expect Microsoft (or any other of your vendors) to have a perfect solution in every specialist field of security as part of its office suite.

What do the Office 365 experts think?

Aonghus Fraser, CTO at C5 Alliance, echoes the idea that the service has its own features but they're not the whole story. He notes: “There are a number of areas that should be considered – some are in addition to Office 365 but there are also newer or lesser-known security features or services that can complement that native Office 365 security and cover all bases”. Endpoint security's high on his list. “Whilst there is protection at the server-side for O365 including Exchange and SharePoint Online, it is recommended that a strategy for endpoint protection for devices is implemented. This can range from leveraging native O365 & Microsoft services such as Intune to ensure that a minimal level of patching and AV is enabled (using Windows Defender) to third party solutions such as Sophos Endpoint which can work on devices and in conjunction with firewalls to detect and isolate compromised devices”. Following up his point about new features that wink into existence, he cites a recently introduced built-in feature: “Advanced Security Management is a new service providing global and security administrators with the facility to detect anomalies in your tenant – alerts for abnormal behaviour, and alerts for activities that might be atypical. Examples could include logging in from unusual locations, mass download by a single user (suggesting a data leakage risk) or administrative activity from a non-administrative IP address”.

The non-technical elements

Our original request to Aonghus was for three observations, of which we've just mentioned two; the third is non-technical but absolutely key. He states: “It is essential to ensure that business policies are regularly maintained in line with Office 365 capabilities such as Multi-Factor Authentication and Data Leakage Prevention in order for security to be optimised whilst taking into account employee productivity”. It's key to ensure your business is able to work effectively and in a governed way as you evolve into the cloud world: “An understanding of the implications on users of implementing some security measures is essential to ensure that users are well-informed and do not try to bypass the measures due to lack of understanding or usability or productivity being severely compromised. If the measures are too draconian users will find a way to circumvent them; business decisions need to align with the security recommendations in order for the right balance to be achieved”.

People as a problem

Aonghus touched on the issue of ensuring that staff are well informed and don't try to side-step security measures, but it's worth remembering that even with a strong staff awareness programme there's still a risk of inappropriate activity. And you can't really blame your staff for falling for the occasional phishing attack: some are so sophisticated that even the most aware staff member will be taken in eventually. As Joe Diamond, Director of Cybersecurity Strategy at Proofpoint, puts it: “The level of social engineering to craft a convincing lure is what makes phishing so successful. We see this used across attacks that use malware, and those that don't – such as business email compromise spoofing attacks and phishing for credentials”. Joe continues: “While end user education serves an important role, you cannot rely on it. Focus on where your users digitally communicate the most – email, social sites, and mobile apps – and put in the protection needed to shield advanced attacks from ever reaching your end users”. As for the complexity of attacks these days: “The attack on customers of National Australia Bank that Proofpoint recently identified is a perfect example of how to the naked eye, the emails and links were virtually indistinguishable from legitimate bank communications. The email content tricked recipients into entering credentials to verify their account and provide account details, before redirecting to the legitimate banking site. The URL [looked] legitimate, but a letter was swapped with Unicode and encoding in the URL hid suspicious code”.

In short

Like any system of its kind, Office 365 is sufficiently secure in its basic form but there's always more you can do, either to make it easier to exploit what it inherently does or to add further layers of protection and reporting on top of what you get “out of the box”. You may decide when you move to Office 365 that you can wind down some of the extras you bolted onto your on-premise system simply because technology's moved on and the inherent provision in Office 365 is good, but any cloud email service is fair game for an attacker because a compromise of a single system serves up multiple victims, so you're unlikely to want to throw away all the extras that can help you provide a layered security model as you evolve to a cloud setup. Oh, and one more thing: moving to the cloud doesn't make you immune from the long-standing tradition of stereotypical bad practice. Aonghus gets the last word in this respect: “Accepting the default settings without considering whether, for example, the password expiry policy is appropriate is something that is often left – a 'hope for the best' approach or assumption that Microsoft defaults are right for you is not a good strategy where security is concerned”.

Amen.
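The "letter swapped with Unicode" lure Proofpoint describes above is the IDN homograph trick: a hostname that renders like the bank's but is a different domain once encoded. The following is an added example, not from the article, Proofpoint or any product, of the check a mail filter or click-time URL scanner can make before a user ever sees the link. It converts any punycode (`xn--`) labels back to the characters the user would see, then flags a hostname that mixes scripts within one label or contains letters from scripts with Latin look-alikes. The use of nab.com.au as the expected host and the Cyrillic-а variant of it are constructed for the example; the list of look-alike scripts is a tuning assumption, not a complete confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Scripts whose letters have near-identical Latin look-alikes. For an
# organisation whose brand domains are all Latin-script these are the usual
# suspects; this is an assumed tuning value, not a full confusables list.
LOOKALIKE_SCRIPTS = {"CYRILLIC", "GREEK", "ARMENIAN"}


def script_of(ch: str) -> str:
    """The first word of the Unicode character name serves as a crude script tag."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_unicode(host: str) -> str:
    """Undo punycode so 'xn--' labels are analysed as the letters a user sees."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def analyse_host(host: str) -> dict:
    """Report the IDNA (ASCII) form, the non-ASCII characters and any label
    that mixes scripts, which is the classic homograph signature."""
    host = unicodedata.normalize("NFKC", to_unicode(host))
    report = {"host": host, "ascii": None, "non_ascii": [], "mixed_script_labels": []}
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            report["mixed_script_labels"].append(label)
        report["non_ascii"].extend((c, unicodedata.name(c, "?")) for c in label if ord(c) > 127)
    try:
        report["ascii"] = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # not encodable as a hostname at all; treated as suspicious below
    return report


def is_suspicious(url: str) -> bool:
    """True if the URL's host is unencodable, mixes scripts, or uses look-alike scripts."""
    host = urlsplit(url).hostname or ""
    r = analyse_host(host)
    if r["ascii"] is None or r["mixed_script_labels"]:
        return True
    return any(script_of(c) in LOOKALIKE_SCRIPTS for c, _ in r["non_ascii"])


if __name__ == "__main__":
    for u in ("https://www.nab.com.au/login",
              "https://www.n\u0430b.com.au/login"):   # second has Cyrillic 'а' (U+0430)
        r = analyse_host(urlsplit(u).hostname)
        print(u, "->", r["ascii"], "mixed:", r["mixed_script_labels"],
              "suspicious:", is_suspicious(u))
```

The genuine host is all Latin and passes; the look-alike encodes to an `xn--` label and mixes Latin with Cyrillic inside one label, so it is flagged whether it arrives in Unicode form or already punycoded. The script-based rule is deliberately coarse: a legitimate all-Cyrillic domain would also trip it, which is why in practice you tune LOOKALIKE_SCRIPTS to the scripts your own users are never expected to visit, or replace it with an allowlist of the organisation's real domains.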
Nuvias acquires value-added distribution business in DubaiLondon, UK: 7/9/16: Specialist EMEA distributor, the Nuvias Group, announces it has added a fourth region, MEA, to its regional EMEA structure.

The other three Nuvias Group regions are Northern, Central and Southern Europe. Paul Eccleston Head of Nuvias Group Nuvias has acquired SCD, a distributor operating out of Dubai.

The new office will now act as a hub for Nuvias’ MEA activities, covering all parts of the Gulf Co-operation Council[1] (GCC) area, Pakistan and Afghanistan. This is the latest development in the strong growth and development plans of Nuvias, which was established in July 2016. Nuvias is building an EMEA-wide, high-value, specialist distribution business, with a common proposition and consistent delivery.

The strategy is to redefine value distribution to the channel, enabling the channel and vendor community to deliver exceptional business value to their customers and creating new standards of channel success. Also being announced today is the setting up of the Nuvias Cyber Security Practice at the Dubai office, which includes vendors Unitrends (cloud empowered continuity solutions), Malwarebytes (advanced malware prevention and remediation), Black Duck (open source security and management) and Netskope (cloud data loss prevention). Other recent vendor signings for Nuvias in the MEA region include JetNEXUS (load balancing), Lifesize (videoconferencing) and Tintri (VM-aware storage for virtualisation and the cloud). Nuvias has already recruited several new staff for the MEA office bringing the current total up to 16.

These include recent recruit Muneeb Anjum, the new sales director.

Anjum has twelve years’ experience in the IT sector, with a proven track record in managing channel partners across the Middle East and extensive experience in successfully introducing new solutions to market. Paul Eccleston, head of Nuvias Group, commented: “We are delighted to be announcing today the opening of our Middle East and Africa (MEA) region, completing our regional coverage of EMEA. MEA is a very important part of the region and a significant opportunity for us, our vendor partners and our customers. “We have been working hard to bring the cyber security, advanced networking and unified comms capability of Wick Hill and Zycko to this region. With the acquisition of the business in Dubai, operating across the region, and the recruitment of Muneeb Anjum, which will be followed by further additions to the team very soon, this is an exciting development for Nuvias and we look forward to bringing more capability and vendors to the region quickly.” Alasdair Kilgour, regional VP MEA for Nuvias, commented: “It's both exciting and a privilege to be part of the Nuvias team and I look forward to leading the growth of the business across MEA and beyond. We will do this firstly by enabling our vendor partners locally to experience the same high standard of value-added service they already receive from the Group across Europe; secondly by expanding our channel partner community through our solution distribution philosophy; and thirdly by geographic expansion. We are exhibiting at Gitex in October at the Dubai World Trade Centre, which will give us a great platform to show the industry what Nuvias in the MEA region can offer.” [1] Gulf Co-operation Council (GCC)A regional, political organisation consisting of six middle eastern countries – Saudi Arabia, Kuwait, the United Arab Emirates, Oman, Qatar and Bahrain. 
About Nuvias Group

Nuvias Group is the pan-EMEA, high value distribution business being built by Rigby Private Equity (RPE), to redefine international, specialist value distribution in IT.

The Group provides a common proposition and consistent delivery across EMEA, allowing channel and vendor communities to deliver exceptional business value to customers, and enabling new standards of channel success. The Group today consists of Wick Hill, an award-winning, value-added distributor with a strong specialisation in security; and Zycko, an award-winning, specialist EMEA distributor, with a focus on advanced networking.

Both companies have proven experience at providing innovative technology solutions from world-class vendors, and delivering market growth for vendor and reseller partners alike.

The Group has fourteen regional offices across EMEA and turnover is in excess of US$ 300 million.

ENDS

For further press information, please contact Annabelle Brown on +44 (0) 1326 318212, email abpublicrelations@btinternet.com.

Wick Hill: https://www.wickhill.com/
Zycko: http://www.zycko.com/
Most security tools are focused on keeping external attackers at bay.

But what about the sensitive data that lives inside your network? How do you make sure it doesn't get out, either intentionally or by accident? That's where Data Loss Prevention (DLP...
Cyber Security Labs @ Ben Gurion University

Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of s...
Download the full report (PDF) | Technical analysis | Indicators of compromise (IOC) | Download YARA rules

More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service.

Contact: intelreports@kaspersky.com

Introduction:

Over the last few years, the number of “APT-related” incidents described in the media has grown significantly.

For many of these, though, the designation “APT”, indicating an “Advanced Persistent Threat”, is usually an exaggeration. With some notable exceptions, few of the threat actors usually described in the media are advanced.

These exceptions, which in our opinion represent the pinnacle of cyberespionage tooling, the truly “advanced” threat actors, are Equation, Regin, Duqu and Careto.

Another such exceptional espionage platform is “ProjectSauron”, also known as “Strider”.

What differentiates a truly advanced threat actor from a wannabe APT? Here are a few features that characterize the ‘top’ cyberespionage groups:

- The use of zero day exploits
- Unknown, never identified infection vectors
- Have compromised multiple government organizations in several countries
- Have successfully stolen information for many years before being discovered
- Have the ability to steal information from air gapped networks
- Support multiple covert exfiltration channels on various protocols
- Malware modules which can exist only in memory without touching the disk
- Unusual persistence techniques which sometimes use undocumented OS features

“ProjectSauron” easily covers many of these points.

From discovery to detection:

When talking about long-standing cyber-espionage campaigns, many people wonder why it took so long to catch them. Perhaps one of the explanations is having the right tools for the right job.

Trying to catch government or military grade malware requires specialized technologies and products. One such product is Kaspersky’s AntiTargeted Attacks Platform, KATA (http://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform).
In September 2015, our anti-targeted attack technologies caught a previously unknown attack.

The suspicious module was an executable library, loaded in the memory of a Windows domain controller (DC).

The library was registered as a Windows password filter and had access to sensitive data in cleartext.

Additional research revealed signs of massive activity from a new threat actor that we codenamed ‘ProjectSauron’, responsible for large-scale attacks against key governmental entities in several countries.

“SAURON” – internal name used in the LUA scripts

ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.

Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.

For example, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.

Some other key features of ProjectSauron:

- It is a modular platform designed to enable long-term cyber-espionage campaigns.
- All modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.
- It uses a modified LUA scripting engine to implement the core platform and its plugins. There are upwards of 50 different plugin types.
- The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.
- It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operating system.
- The platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.
- The APT was operational as early as June 2011 and remained active until April 2016.
- The initial infection vector used to penetrate victim networks remains unknown.
- The attackers utilize legitimate software distribution channels for lateral movement within infected networks.

To help our readers better understand the ProjectSauron attack platform, we’ve prepared an FAQ which brings together some of the most important points about this attacker and its tools.

A brief technical report is also available, including IOCs and Yara rules. Our colleagues from Symantec have also released their analysis on ProjectSauron / Strider. You can read it here: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets

ProjectSauron FAQ:

1. What is ProjectSauron?

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.

As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry.

That usually results in several infections in countries within that region, or in the targeted industry around the world.
Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the LUA scripts.

2. Who are the victims?

Using our telemetry, we found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking countries as well. Many more organizations and geographies are likely to be affected. The attacked organizations are key entities that provide core state functions:

- Government
- Scientific research centers
- Military
- Telecommunication providers
- Finance

3. Have you notified victims?

As usual, Kaspersky Lab actively collaborates with industry partners, CERTs and law enforcement agencies to notify victims and help to mitigate the threat. We also rely on public awareness to spread information about it. If you need more information about this actor, please contact intelreports@kaspersky.com.

4. For how long have the attackers been active?

Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016.

Although it appears to have largely ceased, there is a chance that it is still active on computer systems that are not covered by Kaspersky Lab solutions.

5. Did the attackers use interesting or advanced techniques?

The attackers used multiple interesting and unusual techniques, including:

- Data exfiltration and real-time status reporting using DNS requests.
- Implant deployment using legitimate software update scripts.
- Data exfiltration from air-gapped networks through the use of specially prepared USB storage drives where the stolen data is stored in the area unused by standard tools of the operating system.
- Using a modified LUA scripting engine to implement the core platform and its plugins. The use of LUA components in malware is very rare – it was previously spotted in the Flame and Animal Farm attacks.

6. How did you discover this malware?

In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a client organization’s network.

Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server.

The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext.

Additional research revealed signs of activity of a previously unknown threat actor.

7. How does ProjectSauron operate?

ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter.

This feature is typically used by system administrators to enforce password policies and validate new passwords to match specific requirements, such as length and complexity.

This way, the ProjectSauron passive backdoor module starts every time any network or local user (including an administrator) logs in or changes a password, and promptly harvests the password in plaintext. In cases where domain controllers lack direct Internet access, the attackers install additional implants on other local servers which have both local network and Internet access and may pass a significant amount of network traffic, e.g. proxy servers, web servers or software update servers.
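A defender-side check for the persistence mechanism described above, added here as an example and not taken from the Kaspersky Lab report or its tooling: the DLLs that LSA loads as password filters are listed in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, so an audit compares that list against a known-good baseline. The baseline names (scecli, rassfm), the constructed sample list and the System32 path resolution are assumptions for a stock domain controller; the live read uses Python's winreg module and only runs on Windows.

```python
"""Audit the LSA "Notification Packages" list for unexpected password-filter DLLs.

Added example for the password-filter persistence described above; it is not
code from Kaspersky Lab or from the ProjectSauron report. EXPECTED_PACKAGES is
an assumed baseline for a stock domain controller and must be replaced by the
baseline of the environment being audited.
"""
import sys

# Registry location from which LSA loads password-filter (notification) DLLs.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Notification Packages"

# Assumed baseline: package names normally present on a domain controller.
# Entries are compared case-insensitively and without a .dll suffix.
EXPECTED_PACKAGES = frozenset({"scecli", "rassfm"})


def normalize(name: str) -> str:
    """Lower-case a package name and drop an optional .dll suffix."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".dll") else name


def unexpected_packages(packages, expected=EXPECTED_PACKAGES):
    """Return entries of the REG_MULTI_SZ list that are not in the baseline,
    in the order LSA would load them (empty entries are ignored)."""
    return [p for p in packages if normalize(p) and normalize(p) not in expected]


def resolve_package_path(name: str, system_root: str = r"C:\Windows") -> str:
    """Path LSA resolves a package name to: <SystemRoot>\\System32\\<name>.dll."""
    base = name if name.lower().endswith(".dll") else name + ".dll"
    return f"{system_root}\\System32\\{base}"


def read_packages_from_registry():
    """Read the live value on Windows; return None elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, LSA_VALUE)
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError(f"unexpected registry value type {value_type}")
    return list(value)


if __name__ == "__main__":
    live = read_packages_from_registry()
    # Constructed sample used when not running on a Windows host: the assumed
    # baseline plus one extra entry ("unknownpkg") that an analyst would then
    # locate on disk and check by hash, signature and timestamp.
    packages = live if live is not None else ["scecli", "rassfm", "unknownpkg"]
    for pkg in unexpected_packages(packages):
        print(f"unexpected LSA notification package: {pkg} -> {resolve_package_path(pkg)}")
```

Two caveats apply. LSA reads this value at start-up, so an entry that was added and later removed leaves no trace in it, and the check says nothing about a listed DLL's contents; pair it with the file's hash, signature and timestamp, bearing in mind that the report states timestamps are tailored per target.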

After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic. Once installed, the main ProjectSauron modules start working as ‘sleeper cells’, displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic.

This method of operation ensures ProjectSauron’s extended persistence on the servers of targeted organizations.

8. What kind of implants does ProjectSauron use?

Most of ProjectSauron’s core implants are designed to work as backdoors, downloading new modules or running commands from the attacker purely in memory.

The only way to capture these modules is by making a full memory dump of the infected systems. Almost all of ProjectSauron’s core implants are unique, have different file names and sizes, and are individually built for each target.

Each module’s timestamp, both in the file system and in its own headers, is tailored to the environment on which it is installed. Secondary ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes, and stealing encryption keys from both infected computers and attached USB sticks. ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified LUA interpreter to execute internal scripts.

There are upwards of 50 different plugin types.

9. What is the initial infection vector?

To date, the initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.

10. How were the ProjectSauron implants deployed within the target network?

In several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to centrally deploy legitimate software updates within the network. In essence, the attackers injected a command to start the malware by modifying existing software deployment scripts.

The injected malware is a tiny module that works as a simple downloader. Once started under a network administrator account, this small downloader connects to a hard-coded internal or external IP address and downloads the bigger ProjectSauron payload from there. In cases where the ProjectSauron persistence container is stored on disk in EXE file format, it disguises the files with legitimate software file names.

11. What C&C infrastructure did the attackers use?

The ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive cyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to each victim organization and never reused again.

This makes traditional network-based indicators of compromise almost useless because they won’t be reused in any other organization. We collected 28 domains linked to 11 IPs located in the United States and several European countries that might be connected to ProjectSauron campaigns.

Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns.

12. Does ProjectSauron target isolated (air-gapped) networks?

Yes. We registered a few cases where ProjectSauron successfully penetrated air-gapped networks. The ProjectSauron toolkit contains a special module designed to move data from air-gapped networks to Internet-connected systems.

To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine. These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving a hidden area (several hundred megabytes) at the end of the disk for malicious purposes.

This reserved space is used to create a new custom-encrypted partition that won’t be recognized by a common OS, such as Windows.
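The hidden-area trick described above leaves one measurable trace on the stick itself: the partition table ends well before the end of the device. The following check, an added example rather than ProjectSauron code or a Kaspersky Lab tool, parses a classic MBR partition table and reports how much unallocated space follows the last partition; the 64 MiB threshold, the single-partition sample MBR it constructs and the 8 GB disk size used in the demonstration are assumptions. GPT-partitioned media would need a different parser.

```python
"""Report unallocated space after the last MBR partition of a removable disk.

Added example for the hidden-area USB technique described above; it is not
ProjectSauron code or a Kaspersky Lab tool. Only the classic MBR table is
parsed (GPT media would need a different parser); the 64 MiB threshold and
the sample disk are assumptions. On a live host the first 512 bytes of the
device and its sector count would be read from the block device instead.
"""
import struct

SECTOR_BYTES = 512
MBR_BYTES = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_BYTES = 16
# Assumed threshold: a trailing gap at least this large deserves a look.
GAP_THRESHOLD_BYTES = 64 * 1024 * 1024


def parse_mbr_partitions(mbr: bytes):
    """Return (lba_start, sector_count, type_id) for each used primary entry."""
    if len(mbr) < MBR_BYTES or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * ENTRY_BYTES
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        _status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        if type_id != 0 and sectors != 0:
            entries.append((lba_start, sectors, type_id))
    return entries


def trailing_gap_bytes(mbr: bytes, total_sectors: int) -> int:
    """Bytes between the end of the last partition and the end of the disk."""
    partitions = parse_mbr_partitions(mbr)
    last_end = max((start + count for start, count, _ in partitions), default=1)
    return max(0, total_sectors - last_end) * SECTOR_BYTES


def looks_suspicious(mbr: bytes, total_sectors: int, threshold: int = GAP_THRESHOLD_BYTES) -> bool:
    """True when the unallocated tail is large enough to hide a container."""
    return trailing_gap_bytes(mbr, total_sectors) >= threshold


def build_sample_mbr(lba_start: int, sectors: int, type_id: int = 0x0C) -> bytes:
    """Constructed MBR with one partition (default type 0x0C, FAT32 LBA)."""
    mbr = bytearray(MBR_BYTES)
    struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", type_id, b"\x00\x00\x00", lba_start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # Constructed 8 GB stick: 16,777,216 sectors of 512 bytes.
    total = 8 * 1024 * 1024 * 1024 // SECTOR_BYTES
    normal = build_sample_mbr(2048, total - 2048)                  # partition runs to the end
    shortened = build_sample_mbr(2048, total - 2048 - 1_228_800)   # 600 MiB left unallocated
    for label, mbr in (("normal", normal), ("shortened", shortened)):
        gap = trailing_gap_bytes(mbr, total)
        print(f"{label}: {gap // (1024 * 1024)} MiB unallocated, suspicious={looks_suspicious(mbr, total)}")
```

Legitimate sticks often carry a few megabytes of slack after the last partition, which is why a threshold rather than a zero test is used; a gap of several hundred megabytes, the range the report quotes, stands out clearly. The same comparison can be made on the endpoint at insertion time, which is exactly the point at which a DeviceID-only DLP policy has already let the drive through.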

The partition has its own semi-filesystem (or virtual file system, VFS) with two core directories: ‘In’ and ‘Out’. This method also bypasses many DLP products, since software that disables the plugging of unknown USB devices based on DeviceID wouldn’t prevent an attack or data leakage, because a genuine recognized USB drive was used.

13. Does ProjectSauron target critical infrastructure?

Some of the entities infected by ProjectSauron can be classified as critical infrastructure. However, we haven’t registered ProjectSauron infections inside industrial control system networks that have SCADA systems in place. Also, we have not yet seen a ProjectSauron module targeting any specific industrial hardware or software.

14. Did ProjectSauron use any special communication methods?

For network communication, the ProjectSauron toolkit has extensive abilities, leveraging the stack of the most commonly used protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP. One of the ProjectSauron plugins is the DNS data exfiltration tool.
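One way to look for the DNS channel just described in resolver logs, added here as an example and not part of the Kaspersky report: because the plugin runs in low-bandwidth mode and reports to a per-target subdomain, volume thresholds miss it, but each query still carries a distinct, high-entropy leftmost label. The log format, domain names, client addresses and thresholds below are constructed assumptions, and the parent-domain grouping uses the last two labels rather than a public-suffix list.

```python
"""Flag DNS query patterns consistent with a low-bandwidth DNS channel.

Added example for the DNS exfiltration and status-reporting behaviour
described above; it is not ProjectSauron code or Kaspersky Lab tooling. The
log format, names, addresses and thresholds are constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
1472000001 10.0.0.5 A www.example.com
1472000002 10.0.0.5 A mail.example.com
1472000003 10.0.0.5 A www.example.com
1472000010 10.0.0.7 A 3a9f1c0e7b.status.example.invalid
1472000025 10.0.0.7 A 81d2e4b6f0.status.example.invalid
1472000041 10.0.0.7 A c7a0e5d913.status.example.invalid
1472000059 10.0.0.7 A 5e6b8a2f4d.status.example.invalid
1472000060 10.0.0.9 A cdn.example.com
"""


def shannon_entropy(label: str) -> float:
    """Entropy in bits per character of a DNS label (0 for empty input)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Assumed grouping key: the last two labels (no public-suffix list used)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_log(text: str):
    """Yield (client, qname) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[3]


def suspicious_domains(log_text: str, min_unique: int = 4, min_entropy: float = 3.0) -> dict:
    """Return {parent_domain: stats} for domains whose queries carry many
    distinct, high-entropy leftmost labels. min_unique is deliberately low:
    a low-bandwidth channel produces few queries, but every one of them is
    unique, unlike the repeated "www" and "mail" lookups of normal use."""
    per_domain = defaultdict(lambda: {"labels": set(), "clients": set()})
    for client, qname in parse_log(log_text):
        entry = per_domain[parent_domain(qname)]
        entry["clients"].add(client)
        entry["labels"].add(qname.lower().split(".")[0])
    flagged = {}
    for domain, entry in per_domain.items():
        labels = entry["labels"]
        avg_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if len(labels) >= min_unique and avg_entropy >= min_entropy:
            flagged[domain] = {
                "unique_labels": len(labels),
                "avg_entropy": round(avg_entropy, 2),
                "clients": sorted(entry["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in suspicious_domains(SAMPLE_LOG).items():
        print(f"{domain}: {stats['unique_labels']} unique labels, "
              f"avg entropy {stats['avg_entropy']} bits/char, clients {stats['clients']}")
```

The entropy threshold separates encoded labels from ordinary hostnames, and the uniqueness count catches the per-milestone reporting pattern even at four queries; both need tuning against the organisation's own baseline so that content delivery networks, which also generate many short-lived labels, stay out of the alert list.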

To avoid generic detection of DNS tunnels at network level, the attackers use it in low-bandwidth mode, which is why it is used solely to exfiltrate target system metadata. Another interesting feature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the operation progress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS-request to a special subdomain unique to each target.

15. What is the most sophisticated feature of the ProjectSauron APT?

In general, the ProjectSauron platform is very advanced and reaches the level of complexity of Regin, Equation and similar threat actors we have reported on in the past. Some of the most interesting things in the ProjectSauron platform include:

- Multiple exfiltration mechanisms, including piggybacking on known protocols.
- Bypassing air-gaps using hidden data partitions on USB sticks.
- Hijacking Windows LSA to control network domain servers.
- Implementing an extended LUA engine to write custom malicious scripts to control the entire malware platform with a high-level language.

16. Are the attackers using any zero-day vulnerabilities?

To date we have not found any 0-day exploits associated with ProjectSauron. However, when penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable attackers to get control of the air-gapped machines.

There has to be another component such as a 0-day exploit placed on the main partition of the USB drive. So far we have not found any 0-day exploit embedded in the body of the malware we analyzed, and we believe it was probably deployed in rare, hard-to-catch instances.

17. Is this a Windows-only threat? What versions of Windows are targeted?

ProjectSauron works on all modern Microsoft Windows operating systems – both x64 and x86. We have witnessed infections running on Windows XP x86 as well as Windows 2012 R2 Server Edition x64. To date, we haven’t found a non-Windows version of ProjectSauron.

18. Were the attackers hunting for specific information?

ProjectSauron actively searches for information related to rather uncommon, custom network encryption software.

This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. In a number of the cases we analyzed, ProjectSauron deployed malicious modules inside the custom network encryption’s software directory, disguised under similar filenames and accessing the data placed beside its own executable.
Some of the extracted LUA scripts show that the attackers have a high interest in the software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes. Also, one of the embedded ProjectSauron configurations contains a special unique identifier for the targeted network encryption software’s server within its virtual network.

The behavior of the component that searches for the server IP address is unusual.

After getting the IP, the ProjectSauron component tries to communicate with the remote server using its own (ProjectSauron) protocol as if it was yet another C&C server.

This suggests that some communication servers running the mentioned network encryption software could also be infected with ProjectSauron.

19. What exactly is being stolen from the targeted machines?

The ProjectSauron modules we found are able to steal documents, record keystrokes and steal encryption keys from infected computers and attached USB sticks. The fragment of configuration block below, extracted from ProjectSauron, shows the kind of information and file extensions the attackers were looking for:

.*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*[^\$]$
^.*\.(doc|xls|pdf)$
*.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;*.ppk;*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;*.pk2;*.nct;*.key;*.psw

Interestingly, while most of the words and extensions above are in the English language, several of them point to Italian, such as: ‘codice’, ‘strCodUtente’ and ‘segreto’.

Keywords / filenames targeted by ProjectSauron data theft modules:

Italian keyword    Translation
Codice             code
CodUtente          Usercode
Segreto            Secret

This suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian victims of ProjectSauron at the moment.

20. Have you observed any artifacts indicating who is behind the ProjectSauron APT?

Attribution is hard and reliable attribution is rarely possible in cyberspace.

Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources. When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.

21. Is this a nation-state sponsored attack?

We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state.

22. What would ProjectSauron have cost to set up and run?

Kaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have required several specialist teams and a budget probably running into millions of dollars.

23. How does the ProjectSauron platform compare to other top-level threat actors?

The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them. As a reminder, here are some features of other APT attackers which we discovered that the ProjectSauron attackers had carefully learned from or emulated:

Duqu:
- Use of intranet C&Cs (where compromised target servers may act as independent C&Cs)
- Running only in memory (persistence on a few gateway hosts only)
- Use of different encryption methods per victim
- Use of named pipes for LAN communication
- Malware distribution through legitimate software deployment channels

Flame:
- LUA-embedded code
- Secure file deletion (through data wiping)
- Attacking air-gapped systems via removable devices

Equation and Regin:
- Usage of RC5/RC6 encryption
- Virtual Filesystems (VFS)
- Attacking air-gapped systems via removable devices
- Hidden data storage on removable devices

These other actors also showed what made them vulnerable to potential exposure, and ProjectSauron did its best to address these issues:

- Vulnerable or persistent C&C locations
- ISP name, IP, domain, and tools reuse across different campaigns
- Crypto-algorithm reuse (as well as encryption keys)
- Forensic footprint on disk
- Timestamps in various components
- Large volumes of exfiltrated data, alarming unknown protocols or message formats

In addition, it appears that the attackers took special care with what we consider as indicators of compromise and implemented a unique pattern for each and every target they attacked, so that the same indicators would have little value for anyone else.

This is a summary of the ProjectSauron strategy as we see it.

The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.

24. Do Kaspersky Lab products detect all variants of this malware?

All Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen

25. Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?

ProjectSauron’s tactics are designed to avoid creating patterns.
Implants and infrastructure are customized for each individual target and never re-used – so the standard security approach of publishing and checking for the same basic indicators of compromise (IOC) is of little use. However, structural code similarities are inevitable, especially for non-compressed and non-encrypted code.

This opens up the possibility of recognizing known code in some cases. That’s why, alongside the formal IOCs, we have added relevant YARA rules. While the IOCs have been listed mainly to give examples of what they look like, the YARA rules are likely to be of greater use and could detect real traces of ProjectSauron. For background: YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that share similarities. YARA rules—basically search strings—help analysts to find, group, and categorize related malware samples and draw connections between them in order to build malware families and uncover groups of attacks that might otherwise go unnoticed. We have prepared our YARA rules based on tiny similarities and oddities that stood out in the attackers’ techniques.

These rules can be used to scan networks and systems for the same patterns of code.
If some of these oddities appear during such a scan, there is a chance that the organization has been hit by the same actor.
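The answer above rests on structural code similarities surviving across per-target builds. The following is an added example of how candidate YARA strings can be derived from that property; it is not Kaspersky Lab's tooling, and the three byte buffers (two stand-in builds and one benign file) are constructed. It keeps the byte runs present in every suspected sample and absent from the benign set, then emits a rule whose "N of them" condition tolerates everything else in the file being customised.

```python
"""Derive candidate YARA strings from byte runs shared across suspected samples.

Added example for the "structural code similarities" point above; it is not
Kaspersky Lab's YARA tooling and the three buffers are constructed stand-ins
(two per-target builds that share a loader and a config marker, plus one
benign file). A run qualifies when every n-gram in it occurs in all suspected
samples and in none of the benign ones.
"""

# Constructed stand-ins. Fillers (\xcc / \xab, \x11 / \x22, target-A / target-B)
# play the role of per-target customisation; the two string literals are the
# shared code the rule should key on.
SAMPLE_A = b"MZ\x90\x00" + b"\xcc" * 8 + b"ldr_vfs_open" + b"\x11" * 5 + b"plugin_cfg:target-A" + b"\x00" * 6
SAMPLE_B = b"MZ\x90\x00" + b"\xab" * 8 + b"ldr_vfs_open" + b"\x22" * 5 + b"plugin_cfg:target-B" + b"\x00" * 6
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"kernel32.dll" + b"\x00" * 6


def ngrams(data: bytes, n: int) -> set:
    """All byte substrings of length n."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_ngrams(samples, benign, n: int = 8) -> set:
    """n-grams present in every suspected sample and absent from every benign file."""
    common = set.intersection(*(ngrams(s, n) for s in samples))
    noise = set().union(*(ngrams(b, n) for b in benign))
    return common - noise


def shared_runs(samples, benign, n: int = 8) -> list:
    """Maximal byte runs of samples[0] whose every n-gram is a shared n-gram,
    in file order. Overlapping n-grams are merged so each run is one string."""
    grams = shared_ngrams(samples, benign, n)
    ref = samples[0]
    runs, i = [], 0
    while i <= len(ref) - n:
        if ref[i:i + n] not in grams:
            i += 1
            continue
        j = i
        while j + 1 <= len(ref) - n and ref[j + 1:j + 1 + n] in grams:
            j += 1
        runs.append(ref[i:j + n])
        i = j + 1
    return runs


def to_yara_rule(name: str, runs, min_match: int = 2) -> str:
    """Render runs as YARA hex strings with an 'N of them' condition."""
    if not runs:
        raise ValueError("no shared runs: nothing to build a rule from")
    lines = [f"rule {name}", "{", "    strings:"]
    for idx, run in enumerate(runs):
        hexbytes = " ".join(f"{b:02X}" for b in run)
        lines.append(f"        $s{idx} = {{ {hexbytes} }}")
    lines += ["    condition:", f"        {min(min_match, len(runs))} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    runs = shared_runs([SAMPLE_A, SAMPLE_B], [BENIGN])
    print(to_yara_rule("constructed_shared_code", runs))
```

The 8-byte window is an assumption: shorter windows find more candidates at the cost of false positives, and runs taken from packed or encrypted regions are worthless, which is why the report notes that this approach works best on non-compressed, non-encrypted code. The emitted text uses the syntax the yara tool accepts but is not compiled here; the benign corpus should be as large as practical before a rule derived this way is deployed.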