Posted on June 10, 2011 by Derrick Pyle
Security breaches, server attacks, data loss. No matter the headline, as you’ll see in this week’s IT Security Rewind post, it appears that hackers continue to follow similar patterns of infiltration and escalation.
Bank + Data Breach = Bad Combination: Banking organizations continue to be increasingly susceptible to data breaches. This week the latest victim was Citibank. Initial estimates have found that 200,000 customers are already affected. Despite the size of the breach, there is still no confirmation of the actual attack vector used to obtain access, but if you are a betting man (or woman), elevated privileges would be a safe bet.
Stuxnet—Plenty of Holes in This Story. The opening line to this ThreatPost article says it all—“The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner.”
In the piece, Langner claims that the media paid too much attention to the zero-day Windows vulnerabilities that enabled the worm but overlooked the other security holes that were exposed and used. One of those vulnerabilities that still exists is a hard-coded password in Siemens WinCC. If uncovered and exploited, as has all too commonly become the case, this vulnerability can give an attacker unfettered access to a system’s network.
Insiders as a First Line of Defense: An interesting study out of the Ponemon Institute found that three quarters of UK organizations have suffered data loss in the past year. While these numbers include data that was compromised due to network attacks, or lost due to stolen equipment, the study does shine light on the lack of enterprise-wide employee awareness of data security best practices. According to the report, 53% of UK respondents surveyed believe their employees have little or no awareness about data security, compliance and policies. This data highlights a greater need for data protection strategies to include an emphasis on user awareness, “as people are often the first line of defense.”
What other security headlines do you think are worth highlighting this week?
Posted on June 6, 2011 by Josh Arrington
At the close of each week we look back on the major happenings in the security industry and recap the hottest news in our “IT Security Rewind.” This week however, we decided to mix things up a bit (all this summer weather must be getting to our heads) and instead we’ve listed some of the thought-provoking topics that may not be making headlines but still have major implications for the security industry.
Since Twitter has emerged as an outlet for individuals to engage in conversation and share their opinions, this week we scoured the social channel to see what security industry influencers have to say. Below are some of this week’s Top Security Tweets from thought leaders like Josh Corman, Bob Rudis, Chris Nerney and Eugene Spafford. Did you see any other interesting Tweets that we missed? Feel free to add them below.
@joshcorman For the EleventyBillionth time. An APT is not a WHAT, but a WHO and a HOW. It is an ADVERSARY. FREE: http://bit.ly/gGxuD9
@hrbrmstr What I would truly give a big chunk of budget $ for are infosec prods w/focused functions * *wicked-awesome* mgmt & reporting capabilities.
@RSAConference: Top five social media security threats (via @ChrisNerney) http://bit.ly/iqtYAP
@RobotSpaf: Why the bad guys are winning – Computerworld Blogs – Great list. I don’t agree with all of it, but 95% of it… http://tumblr.com/xfz2t3zpfg
Posted on May 31, 2011 by Josh Arrington
What a deal: free backdoors with every product! Bank of America is stung by an insider! Plus, cyber crime hits the small screen. These are just a few of the headlines we’re focused on for this week’s IT Security Rewind. Let’s dig into the details:
Wireless router, backdoor included: ThreatPost covers an “oops” by Allied Telesis, a Japan-based maker of switches, routers and other networking devices, which posted an alleged internal customer support document online. The document was written to answer questions like “How do I obtain a backdoor password for my Allied Telesis device?” and includes instructions on accessing a “built in Backdoor function” on any Allied Telesis device. Why is this a big deal? ThreatPost says it best: Backdoor administrative accounts and functions are a dirty secret of the hardware industry. Based on the headlines we’ve seen, this dirty little secret is hackers’ pay dirt.
Cost of a data breach = $10 million: IDG News Service has been tracking the Bank of America breach that was first reported by the Los Angeles Times this week. According to reports, a Bank of America insider who sold customer data to criminals cost the bank at least $10 million (US) in losses. While only minimal details of the breach are being released by law enforcement at this time, the efforts to leverage customers’ personal information have been successful in many cases, with one victim reporting that his checking accounts had been rapidly drained of more than $20,000.
Cybercrime – the movie: Got some down time this weekend? Hopefully you had your DVR set for CNBC’s documentary “Code Wars: America’s Cyber Threat,” which originally aired on May 26. The show investigated the prevalence of global cyber threats, with correspondent Melissa Lee conducting multiple interviews, including traveling to profile the leader of a group of Chinese hackers and visiting Estonia, a nation whose banking system was taken down for days by hackers. The New York Daily News says, “‘Code Wars’ aims to scare us about bad guys with computers the same way ‘Jaws’ aimed to scare us about large angry fish.” Missed it? The program will run again on Sunday, May 29 at 10 p.m. ET.
What other security headlines do you think are worth highlighting?
Posted on May 20, 2011 by Josh Arrington
A talk about Siemens SCADA hack gets pulled, Dropbox gets caught lying and could there be hackers in space? These are just a few of the headlines we’re focused on for this week’s IT Security Rewind. Let’s dig into the details:
Liar, liar, files aren’t encrypted: The FTC has filed a complaint that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.” According to WIRED, the FTC provides evidence that Dropbox employees could view customer data and files. This puts users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits. While Dropbox defends claims that employees couldn’t access files due to company policies, it looks like they are in some hot water with the FTC.
Hacker in space: This week Threatpost reported that a Romanian hacker who uses the handle “Tinkode” has published a screen capture from what he claims is an FTP server at NASA’s Goddard Center. NASA, no stranger to security issues, has been criticized for its lackluster policies on cyber security. They can now add this FTP server to their list of weaknesses. Interestingly enough, this wasn’t “Tinkode’s” first time in space; in April he published the names and e-mail addresses of European Space Agency employees after compromising a server operated by that agency.
The White House focuses on the Utility Industry: While most of last week’s proposed Cybersecurity Legislation focuses on better reporting practices, one area of specific interest is the potential impact on the utility industry. For an industry that is continually looking for guidance on how to protect itself, this proposal gives utility executives some things to consider and clear ramifications for those who don’t take action.
U.S. cybersecurity and Siemens representatives cancel SCADA talk: Attendees at the TakeDown Conference in Dallas may have left disappointed as a scheduled talk on the security vulnerabilities in Siemens industrial control systems was canceled. ComputerWorld’s Rob MacMillan explained, “It is common for security researchers to talk about security bugs once the software in question has been patched. But if the vendor can’t get the issue fixed in time that can create problems for security researchers, who may be expecting to talk about the issue at a hacker conference.”
What other security headlines do you think are worth highlighting?
Posted on May 18, 2011 by Josh Arrington
Microsoft TechEd North America 2011—an international conference that draws IT developers and professionals from around the globe and encourages engagement and collaboration with Microsoft innovators, third party leaders and industry peers—is now in full swing at the Georgia World Congress Center in Atlanta, Georgia. Cyber-Ark will be on hand to demonstrate the advantages of its Privileged Identity Management Suite as well as the advanced auto-discovery functionality for automating the detection process of all forms of privileged accounts, including the service accounts commonly associated with Microsoft Windows Services. To join the conversation surrounding the event, we decided to check in with one of our partners—Avecto, a pioneer in least privilege technology that enables organizations to deploy secure and compliant desktops—to see what they have planned for the show and beyond.
Read on for our brief Q&A with Paul Kenyon, Co-Founder and COO at Avecto:
Cyber-Ark: What does the Avecto team have in store for attendees and followers of TechEd 2011? Any new technologies and products you anticipate will generate a good deal of buzz at the show?
Paul: Avecto will be demonstrating the latest release of our privilege management product, Privilege Guard 2.7. Amongst the various new features in the product we have significantly increased the integration with Windows 7 User Account Control (UAC). We see UAC as a great solution for true administrators and home users, but felt that there was some functionality lacking for corporate environments. In Privilege Guard 2.7 we have filled that gap to make Windows 7 migrations simpler and more secure.
Already, Privilege Guard has received the Windows 7 compatibility accreditation, and the product is a snap-in to Group Policy and WinRM (a standard feature in Windows 7) for centralizing our events. Specifically, what we have tried to do is avoid making our customers invest in additional architecture to obtain the benefits we provide—and we anticipate this will be received warmly at TechEd.
Cyber-Ark: Last year, Avecto and Cyber-Ark officially announced a strategic partnership to enable the resale of Avecto’s Privilege Guard products to Cyber-Ark’s Privileged Identity Management Suite customers. Can you share some milestones from this partnership in terms of evolving market demand and customer traction, even anecdotally?
Paul: Well, to start, the relationship began with a meeting between myself and Udi Mokady, in Ireland, last year. I had suffered a fall from my mountain bike, so was looking a little worse for wear, but needless to say, I didn’t want to miss the chance to get together with Udi whilst it was geographically so convenient to meet. It was at that meeting that it became clear that the synergy between our two companies was too great to pass up on the opportunity to partner.
Naturally these things take time to hatch but once all the paperwork had been completed and the partnership launched internally we started to see considerable customer interest arise. Only yesterday I spoke with a prospect who is looking at both our products and was keen to make me aware of the value of purchasing technologies that he knows are compliant with one another from day one.
Cyber-Ark: With security, and IT in general, the focus always seems to be on “What’s Next?” With that in mind, how do you foresee enterprise security practices and technologies, both on-premise and in the cloud, evolving come TechEd 2012?
Paul: Most of the organizations we have spoken to are saying similar things; they have invested in anti-virus, firewalls, intrusion prevention and various other technologies at the perimeter, but now they want to further secure desktops and servers inside the network. More than that, we have seen the increasing demand on CISOs to improve customer satisfaction, which means that they need to implement technology that improves the security of the business but not directly at the expense of user flexibility.
Posted on May 13, 2011 by Josh Arrington
Welcome back to our weekly “IT Security Rewind” blog series. If there is one thing that IT security professionals know all too well, it’s that there is no such thing as a “slow week.” So while we didn’t witness a series of spectacular breaches as seems to have been the norm over the past few weeks, one in particular is making us think twice before swiping our credit cards through a store’s PIN pad! Here are our top three security stories from the week of May 9:
- A scrapbook that drains your bank account? When news broke that debit and credit card numbers and PINs had been stolen through PIN-pad tampering at Michael’s, a national fabric retailer based in Irving, Texas, original reports indicated that the breach impacted only Chicago-area stores. But as is often the case, this week Michael’s reported that about 90 PIN pads at stores located throughout the US have allegedly been tampered with. The root cause of the attack is still under investigation—was it simple skimming through the use of an electronic device, or is it possible to implant malware on such a device through a network hack? We’ll certainly be watching for additional details on this story as they are uncovered.
- More SCADA Security Flaws: It is never a good thing when “vulnerabilities” are included in the same sentence as “critical infrastructure.” According to ThreatPost, the “U.S.’s Computer Emergency Response Team (CERT) issued a warning to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks.” ThreatPost and other outlets reported that the vulnerability “can allow malicious code to run with the privileges of the current user.” Very much in the same vein as Stuxnet, we continue to see companies in the electricity, oil and gas, manufacturing and water treatment sectors emerging as the focus of targeted attacks.
- Hacking a CMS? A Help Net Security report uncovered a new vulnerability in Exponent CMS that could enable hackers to “create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site.” Could privileged identity management technology play a role in mitigating this threat? Either way, here is another potentially damaging flaw that could “conduct cross-site request forgery attacks and disclose sensitive information.”
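The Exponent CMS item above describes the classic cross-site request forgery pattern: a logged-in administrator's browser is made to submit a state-changing request (here, creating an admin user) on another site's behalf. The block below is an added illustration, not code from the original post or from Exponent CMS, of the standard defense: a per-session synchronizer token that only the site itself can render into its forms, checked with a constant-time comparison, plus an Origin header check. `SITE_ORIGIN`, the `CsrfGuard` class, `create_user_handler` and the dict-shaped request are all assumptions made for this example.

```python
import hmac
import secrets

# The CMS's own origin; an assumed value for this example.
SITE_ORIGIN = "https://cms.example.test"


class CsrfGuard:
    """Synchronizer-token CSRF protection: one random token per login session,
    required on every state-changing request, backed by an Origin header check."""

    def __init__(self):
        # session id -> token, kept server-side so another site cannot learn it
        self._tokens = {}

    def issue_token(self, session_id):
        """Mint the token the site embeds as a hidden field in its own forms."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, submitted_token, origin):
        """Return (accepted, reason) for a state-changing request."""
        # Browsers send Origin on cross-site POSTs; a foreign value is rejected outright.
        # The token check below remains the primary control, since older browsers omit Origin.
        if origin is not None and origin != SITE_ORIGIN:
            return False, "origin mismatch"
        expected = self._tokens.get(session_id)
        if expected is None or not submitted_token:
            return False, "missing token"
        # Constant-time comparison so the check does not leak the token byte by byte.
        if not hmac.compare_digest(expected, submitted_token):
            return False, "token mismatch"
        return True, "ok"


def create_user_handler(guard, users, request):
    """Stand-in for the CMS's 'create user' endpoint. `request` is a plain dict
    (session id, headers, form fields) and `users` is a constructed user table.
    The CSRF check is in addition to, not instead of, the session's own
    authorization check, which is assumed to have already passed here."""
    form = request.get("form", {})
    ok, reason = guard.validate(
        request["session"],
        form.get("csrf_token"),
        request.get("headers", {}).get("Origin"),
    )
    if not ok:
        return {"status": 403, "reason": reason}
    users[form["username"]] = {"is_admin": form.get("is_admin") == "1"}
    return {"status": 201, "created": form["username"]}


if __name__ == "__main__":
    guard, users = CsrfGuard(), {}
    token = guard.issue_token("sess-admin")
    legit = {"session": "sess-admin", "headers": {"Origin": SITE_ORIGIN},
             "form": {"username": "alice", "is_admin": "1", "csrf_token": token}}
    print(create_user_handler(guard, users, legit))  # accepted
    foreign = {"session": "sess-admin", "headers": {"Origin": "https://other.example.test"},
               "form": {"username": "mallory", "is_admin": "1"}}
    print(create_user_handler(guard, users, foreign))  # 403, origin mismatch
```

The token is what makes the difference between the two requests: the admin's browser attaches the session cookie to both, but only a form served by the site itself carries the session's token, so a request initiated from elsewhere fails `validate` before any user is written.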
Check back here again soon for next week’s IT Security Rewind, and as always, let us know your take on the news.
Posted on May 6, 2011 by Josh Arrington
Today marks the launch of our “IT Security Rewind” blog series, with our take on some of the week’s most significant and newsworthy industry stories. Our inaugural post highlights recent breaches and examines highly-exploitable vulnerabilities in common software and systems. Let’s take a look at this week’s Rewind:
- Above the law? When it comes to maintaining order and preserving safety, police officers are typically considered a first line of defense. Unfortunately, that doesn’t necessarily mean that their crime prevention technology is impregnable to hackers. As one security consultant proved, it is possible to exploit vulnerabilities in their equipment, specifically a police cruiser’s digital video recorder system. The consultant was able to exploit the hardcoded, default password in the system’s FTP server to gain access to the DVR’s controls and manipulate its use. Just another example in a long line of recent breaches that illuminate the vulnerabilities present in a large number of seemingly innocuous targets (think: digital copiers and scanners, video conferencing systems, and well, police cruiser cameras).
- Don’t ignore ERP: Along those same lines, enterprises beware: According to Dark Reading, another one of those often-ignored network targets susceptible to attack may be your company’s ERP system. According to the report, these systems are often ignored and left vulnerable to unauthenticated attackers who can leverage embedded credentials, such as hardcoded passwords, to enter a system and steal sensitive information.
- Passwords at risk [again]: Speaking of lines of defense—how upset would you be if you proactively used a secure password storage service, but then discovered that all of that critical information may be compromised? One of those services, LastPass, is urging their users to change their network passwords after detecting a network anomaly.
No matter where or how data is stored these days, one thing is clear—you need to stay on guard.
That’s this week’s IT Security Rewind! What was your take on the news?
Posted on April 15, 2011 by Adam Bosnian
Yesterday we were proud to release the results of our 5th annual “Trust, Security and Passwords” survey, a survey that has become a valuable indicator of how organizations view enterprise security threats, particularly related to powerful, anonymous privileged users. The findings are the result of online surveys conducted in the spring of 2011 with 1422 IT staff and C-Level executives across North America and EMEA. This was the first time we reached out to the C-Suite to explore their perspectives on the threat landscape, from both an internal and external perspective. While the results may have changed over the years, each year some of the findings surprise us while others reaffirm existing beliefs. This year was no different…
With nearly constant news cycles associated with cyber attacks and increased awareness around advanced persistent threats (APT), in many ways it makes sense that 57 percent of global C-level executives agreed that in the next one-to-three years, external threats such as cyber-criminals will become a greater security risk than insider threats. This could be due to a belief that there are more technologies available and controls in place to “contain” the insider threat, or simply the greater attention being given to cyber-attacks such as those impacting companies like EMC’s RSA Security Division, Epsilon and WordPress.
While this year’s survey emphasized the rise of external threats, it also showed that many organizations are still struggling with insider vulnerabilities. Nearly 1 in 5 (16 percent) of C-level respondents admitted that cases of insider sabotage had taken place within their enterprise and, similarly, 16 percent of those respondents also believe that competitors may have received highly sensitive information or intellectual property, including customer lists, product information and marketing plans, from sources within their own organization. And, with their broad reach and highly privileged, anonymous access to various networks, systems and applications, nearly half (48 percent) of all global respondents chose the IT department as the most likely to snoop – another internal force to contend with.
Regardless of the entry point into an organization, the end target is usually the same: highly sensitive intellectual, financial and customer information, which can be accessed through highly powerful privileged accounts and passwords. This increased focus on external attacks will undoubtedly lead organizations to scramble to build higher walls to protect their critical data – but security teams need to stop building those walls and start better isolating and protecting that data.
Posted on March 22, 2011 by Adam Bosnian
As the security industry continues to look for answers and insight to RSA’s recent data breach, we found the security best practices suggested to SecurCare customers valuable for nearly every organization that shares, stores or provides access to sensitive data. We need to wait and see what emerges from this latest attack to see what vector was used – but we support and re-emphasize the response by RSA to its customers as it provides some valuable, current and real-world lessons every organization needs to follow.
Following are several that are particularly relevant to our customers and partners:
• We recommend customers enforce strong password and PIN policies.
• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
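The last recommendation above, watching for changes in user privilege levels with a SIEM and adding manual approval for those changes, is easy to state and worth seeing as actual detection logic. The block below is an added example, not code from the original post, from RSA or from Cyber-Ark. It runs over constructed Windows Security log lines (not from any real system) that a hypothetical collector has normalized to a `timestamp EventID=n key=value` form, flags every addition to a privileged group, and rates the alert "high" unless a matching change-control approval is on file. The event IDs 4728, 4732 and 4756 are the real Windows IDs for a member being added to a security-enabled global, local and universal group; the group list, the approval records and the log format are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Windows Security log event IDs that record a member being added to a
# security-enabled group (global, local and universal, respectively).
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Groups whose membership confers privileged access. An assumption for this
# example; a real deployment would take this list from its own AD design.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed change-control records: (member, group) pairs with a manual approval on file.
APPROVED_CHANGES = {("CORP\\mlee", "Domain Admins")}

# Constructed sample log lines (not from any real system), already normalized
# by a hypothetical collector into "timestamp EventID=n key=value ..." form.
SAMPLE_LOG = """\
2011-03-22T09:14:02Z EventID=4728 Subject=CORP\\jsmith Member=CORP\\svc-backup Group="Domain Admins"
2011-03-22T09:15:40Z EventID=4624 Subject=CORP\\jsmith LogonType=2
2011-03-22T09:20:11Z EventID=4732 Subject=CORP\\helpdesk1 Member=CORP\\tjones Group="Remote Desktop Users"
2011-03-22T09:22:05Z EventID=4756 Subject=CORP\\jsmith Member=CORP\\svc-backup Group="Enterprise Admins"
2011-03-22T09:30:00Z EventID=4728 Subject=CORP\\ticket-4471 Member=CORP\\mlee Group="Domain Admins"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    timestamp: str
    event_id: int
    actor: str      # the account that made the change (Subject)
    member: str     # the account that was added
    group: str
    severity: str   # "high" for an unapproved change, "info" for an approved one


def parse_line(line):
    """Split one normalized log line into (timestamp, event_id, fields), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return m.group("ts"), int(m.group("eid")), fields


def detect_privilege_changes(log_text, approved=APPROVED_CHANGES):
    """Return an Alert for every addition to a privileged group. Additions
    that lack a matching approval record are rated 'high'."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, eid, fields = parsed
        if eid not in GROUP_ADD_EVENTS:
            continue
        member, group = fields.get("Member", "?"), fields.get("Group", "?")
        if group not in PRIVILEGED_GROUPS:
            continue
        severity = "info" if (member, group) in approved else "high"
        alerts.append(Alert(ts, eid, fields.get("Subject", "?"), member, group, severity))
    return alerts


if __name__ == "__main__":
    for a in detect_privilege_changes(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.timestamp} {a.actor} added {a.member} "
              f"to '{a.group}' (event {a.event_id})")
```

On the sample above the rule produces three alerts: the two additions of the backup service account to Domain Admins and Enterprise Admins have no approval on file and come out as "high", while the addition tied to an approved change is recorded at "info" so the audit trail stays complete without paging anyone.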
Let’s dive into the concept of enforcing the rule of least privilege for end-users and security administrators – the idea being to provide only the amount of privilege necessary for a given activity. When applied to privileged accounts, those used by administrators or applications to access and manage key systems, applications and databases, it becomes a bit harder to do, since these powerful accounts often provide full, unfettered access to enterprise systems and applications.
However, what’s often overlooked is how these accounts can provide unwanted ‘escalation of privileges’ for Advanced Persistent Threat (APT) attacks. These access points, often in the form of embedded or hardcoded passwords, exist in almost every networked system, application or database. We saw this recently with the Stuxnet virus – entering in through an embedded credential in a SCADA system, as well as in the Operation Aurora attacks on several companies’ source code management systems.
While malicious outsiders and insiders have focused often on the administrative credentials on typical systems like servers, databases and the like, in reality, IT organizations need to identify every asset that has a microprocessor, memory or an application/process. From copiers to scanners, these devices all have similar embedded credentials that represent significant organizational vulnerabilities.
At the end of the day, the use of privileged access to exploit vulnerabilities such as hardcoded passwords is a very real threat that provides malicious hackers with new ways into the enterprise. It’s not just about ensuring that your system administrators are equipped with least privileged access, it’s something that every company—security vendors and enterprises alike—needs to recognize and proactively guard against.
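The passage above argues that embedded or hardcoded passwords exist in almost every networked system and that organizations need to identify every asset carrying them. A first, cheap step toward that inventory is auditing the configuration and deployment files you already control. The block below is an added example, not code from the original post or from Cyber-Ark, of such an audit: it scans constructed sample files (not from any real system) for literal credentials in key/value assignments and in `scheme://user:secret@host` URLs, skips values that are only references to an external source such as `${DB_PASSWORD}`, and reports masked values so the report itself never echoes a secret. The file contents, patterns and `Finding` type are all assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample files (not from any real system) of the kinds of places
# embedded credentials turn up: app config, deployment scripts, web.config.
CONSTRUCTED_FILES = {
    "app/db.properties": (
        "db.url=jdbc:mysql://db01/orders\n"
        "db.user=orders_app\n"
        "db.password=Summer2011!\n"
    ),
    "deploy/nightly_backup.sh": (
        "#!/bin/sh\n"
        "# push the dump to the backup host\n"
        'FTP_URL="ftp://backup:P%40ssw0rd@files.internal/dumps/"\n'
        'curl -T orders.sql "$FTP_URL"\n'
    ),
    "app/config.yml": (
        "database:\n"
        "  host: db01\n"
        "  password: ${DB_PASSWORD}\n"
    ),
    "web/web.config": (
        '<add name="Orders" connectionString="Server=db01;User Id=sa;Password=sa123;" />\n'
    ),
}

# Pattern 1: key/value assignments such as password=..., passwd: "...", Password=...;
ASSIGN_RE = re.compile(
    r"""\b(?P<key>password|passwd|pwd)\s*[=:]\s*["']?(?P<secret>[^"';\s]+)""", re.IGNORECASE
)
# Pattern 2: credentials embedded in a URL, scheme://user:secret@host
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://(?P<user>[^:/\s@]+):(?P<secret>[^@\s]+)@", re.IGNORECASE)
# Values that reference an external source (environment, vault, template) rather than a literal.
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|%.*%|<.*>)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "assignment" or "url"
    masked: str    # first character kept, the rest replaced, so reports never echo the secret


def mask(secret):
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def scan_text(path, text):
    """Return a Finding for every literal credential in one file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):  # comments are not live credentials
            continue
        for kind, pattern in (("assignment", ASSIGN_RE), ("url", URL_RE)):
            for m in pattern.finditer(line):
                secret = m.group("secret")
                if PLACEHOLDER_RE.match(secret):
                    continue
                findings.append(Finding(path, n, kind, mask(secret)))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping in path order and collect all findings."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_files(CONSTRUCTED_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} credential {f.masked}")
```

Three of the four constructed files yield a finding; `config.yml` does not, because its password is pulled from the environment at run time, which is the pattern a vault or privileged-account manager replaces hardcoded values with. Each finding is a lead for the inventory the passage calls for, not a verdict: the next step is to confirm where that credential is used and move it under management.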
What are some of your favorite security best practices, particularly related to managing, monitoring and controlling privileged access?
Posted on March 17, 2011 by Josh Arrington
- Grossly Underestimating the Privileged Account Security Problem Part 3: Automating Privileged Account Management and Cyber-Ark DNA™ (Discovery & Audit)
- Google’s Insecurities
- Grossly Underestimating the Privileged Account Security Problem Part 2: Defining Privilege with Cyber-Ark CMO, John Worrall
- Grossly Underestimating the Privileged Account Security Problem
- Privileged Access Is Everywhere! Even in Your Glasses.
Copyright 2013 Cyber-Ark Software - All Rights Reserved