Joyce Brocaglia founder of the Executive Women’s Forum and CEO of Alta Associates joins the Dark Reading News Desk at Black Hat to discuss closing the gender gap in security and what companies are looking for in a chief information security officer.

Article source: Dark http://www.darkreading.com/operations/what-companies-want-in-a-ciso/v/d-id/1322307?_mc=RSS_DR_EDT

When Windows XP reached its end of life, there were approximately 257 outstanding security patches required to bring the OS up to date — and this was considering cumulative versions for both commercial and business, as well as patch supercedence. Since the source code is closed, it never suffered from the fragmentation issues affecting many vulnerabilities, such as what we saw last year with the now infamous Shellshock — impacting a half-billion Web servers and other Internet-connected devices.

On September 24, 2014, when the bug was first disclosed, open source, Linux, OS X, embedded systems, and Unix all were affected and in total, versions available from 1994 (version 1.14) to 2014 could be exploited due to this GNU bash shell vulnerability. But in the intervening 12 months, a lot more needed to be done than just patching a single platform and bringing it up to date. That in itself is something many organizations still find difficult to do today.

Why are these facts important on the one year anniversary of Shellshock? Over time, it’s become more difficult to properly perform a thorough vulnerability assessment of all the vulnerabilities that have been found in the past, many of which are still applicable. However, the biggest issue is the cumulative problem of flaws which are affecting systems. Information security teams must remember that Shellshock and other flaws are not gone even though they’ve disappeared from media headlines. Some systems, due to age, end of life, or a vendor’s incompetence, still remain unpatched today.

While mitigating controls may help reduce or eliminate the risk, the fact remains that any newly identified vulnerabilities aggravate the problem and increase the total vulnerability count with each new flaw. Shellshock, as bad as it was and may be still to this day, is just another critical vulnerability in the process and systems that are not being patched, or even assessed. This creates a cumulative risk problem, which could allow an exploit through multiple vectors verses just one.

While this may seem like common sense, it represents an interesting problem: How long does it take to patch an entire distribution and bring it up to date? Depending how many missing patches exist, more time is needed to remediate and with each new finding the snowballing effect of risk grows.  This is true for any operating system and application, even when a single cumulative security update is available; the more you have to patch, the longer it will take, and the more it costs to do so.

So how can infosec teams reduce the cumulative side effects from new vulnerabilities? Here are five suggestions:

1. Ensure that your organization has a vulnerability assessment and patch remediation process to identify risks. This helps make sure you’re patching quickly. Once a flaw is found, regardless of how, it can be closed in a timely, non-cumulative fashion.
2. When selecting technology vendors, verify that service level agreements include security and maintenance patches, as well as end of life dates for operating systems, embedded devices or applications. This will ensure that as solutions are being deployed, they can be remediated for the life expectancy of the implementation.
3. Vulnerability assessments themselves have evolved greatly from the days of network scanners. Many security tools from IDS/IPS systems, endpoint agents, next generation firewalls, sniffers, etc. can detect vulnerabilities that are dormant or being actively tested in a hostile environment. Do not rely on just one technology to identify risks and missing security patches. Leverage every single one and correlate the information to identify weaknesses and attacks.
4. Credential access is always a problem with sensitive hosts and when un-hardening is just not permissible. When local agents are not permitted to do the work (patch management, Windows update, or even vulnerability assessment agents), consider having a cloned isolated lab environment where remote access is permitted (un-harden duplicate hosts) to perform assessments. The results can then be applied to production. This works well with cloning features present in many virtualization technologies.
5. When network assessment technologies are being deployed, work with the network infrastructure team to logically place scanners as electronically close to targets (not over WAN links) as possible. Avoid scanning through firewalls, other security sensors, and whitelist the scanner only when needed. They should be close enough to each subnet that they have unrestricted access to each target they are responsible for and every port. This includes whether they are hosted in the cloud, as a virtual image, or even a physical scanner in a remote country.

When was the last time you checked under the hood for the cumulative impact of Shellshock or other vulnerabilities? Let’s chat about that in the comments. 

With more than 20 years of IT industry experience, Morey Haber serves as the vice president of technology for BeyondTrust. He joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees solutions for bothvVulnerability and privileged … View Full Bio

Article source: Dark http://www.darkreading.com/shellshocks-cumulative-risk-one-year-later/a/d-id/1322323?_mc=RSS_DR_EDT

The Australian Signals Directorate had previously reported vulnerabilities in a variety of software but it is the first time its work has been publicly recognised.

The agency like its overseas peers dabbles in both defensive and offensive security vulnerability and exploitation research.

It says the disclosure is part of its internal security function.

“As part of its Information Security function, ASD has previously disclosed vulnerabilities to vendors. This is the first time ASD has been publicly credited with the discovery and disclosure,” a spokesperson says.

“ASD vulnerability research work has long served the wider information security community, but until now has not received public acknowledgement.

“ASD will continue to work with vendors on the discovery and public disclosure of vulnerabilities in software and hardware as appropriate.”

The vulnerability (CVE-2015-5416) affects an Autonomy component called KeyView IDOL, which parses non-text documents to suck them into databases. The IDOL GIF parsing remote code execution hole is rated a severity score of 7.5 and allows attackers to execute arbitrary code on vulnerable installations

Victims must fall victim to phishing attacks or otherwise visit malicious pages or open malicious files to be exploited.

“It is possible to trigger a buffer overflow by specifying an overly large ImageWidth within a GIF. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the process.”

A fix has been issued. ®

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/23/aussie_spy_agency_gets_first_bug_bounty_credit/

Raytheon|Websense also warns that healthcare organisations are more than 200 per cent more likely to encounter data theft. Carl Leonard, principal security analyst at Raytheon|Websense, said that healthcare organisations are targeted by hackers because of the richness of the data they hold, which once stolen can be monetised via various scams.

“Healthcare records hold a treasure trove of data that is valuable to an attacker,” Leonard explained. “No other single type of record contains as much Personally Identifiable Information (PII) that can be used in a multitude of different follow-up attacks and various types of fraud.”

The rapid digitisation of the healthcare industry, combined with the value of the data at hand, has led to a massive increase in the number of targeted attacks against the sector, according to Raytheon|Websense. Health records not only contain vital information on the identity of an individual (name, address, social security) but also often link to financial and insurance information.

“Access to PII allows an attacker to commit identity fraud, while the financial information can lead to financial exploitation,” Leonard added. “This is a logical and profitable secondary attack area for cyber-criminals who have already dealt in stolen credit card data.”

Healthcare data leaks doubled between 2013 and 2014, leading UK data privacy watchdog the ICO to levy fines totalling £1.3m against NHS organisations.

Malware slingers are targeting healthcare organisations worldwide. Healthcare is 4.5 times more likely to be impacted by Cryptowall (ransomware designed to blackmail users into paying a ransom for the release of their data) and three times more likely to be impacted by Dyre (malware designed to steal financial data), according to Raytheon|Websense.

“As healthcare organisations are committed to delivering excellent patient care, there is a must for a high availability of data stores, and malware authors are aware of this. As a result, they are targeting this industry,” Leonard explained. “Healthcare records also contain information which is up to ten times more valuable on the black market. Malware authors are determined to launch advanced malware in order to secure access to that valuable data.”

The figures from Websense Security Labs’ 2015 Healthcare Drill-Down Report (available here) came from an analysis of “real-world attack telemetry”.

The study (extract below) provides an overview of the modern healthcare industry landscape, where various trends and pressures are creating a febrile environment for hacker exploitation.

Modern medical care is delivered through an incredibly complex network of information technology systems connecting patients, doctors, nurses, pharmacists, technicians, administrators and accountants with electronic health records (EHR), connected medical devices and insurance companies. Driven by the need to improve patient outcomes and lower costs, the rush to embrace digital technology has created a complex network of connected devices, systems and entities where security may be an underfunded afterthought.

Network security is further complicated when IT must balance protecting data from inappropriate access against the fact that lives could be lost if medical personnel cannot access the information they need, when they need it. Data thieves recognise both the incredible value of healthcare information and the vulnerabilities and security gaps which exist in this newly-connected world.

Raytheon|Websense’s concern about the growing security problems in the healthcare sector is shared by other security researchers. The healthcare industry was the one most effected by data breaches, according to a new study by Trend Micro based on an analysis of 10 years of data from the Privacy Rights Clearinghouse. The top three breach methods in the healthcare industry were loss or theft, insider leaks and unintended disclosures.

Trend’s research paper, entitled Follow the Data: Dissecting Data Breaches and Debunking the Myths, analyses data from security breaches between 2005-2015 as logged by PRC. Focusing on leaked data rather than who has been hit by data breaches can yield valuable insights that might otherwise get missed, Trend Micro argues.

“Much of the attention surrounding these breaches has been focused on who’s affected and how they can recover,” a Trend Micro blog post explains. “The stolen data on the other hand is treated as a lost cause. But there is so much more to learn from studying what was stolen. By following the data, we can get a picture of what attackers are looking for, how they use the data, how much it costs, and where it eventually ends up.” ®

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/24/health_sector_hack_prognosis/

Menlo Park now supports OpenPGP’s standard elliptic curve cryptography public keys meaning security and privacy pundits can post their public keys which will then be used to encrypt email notifications.

It supports NIST curves P-256, P-384, and P-521, and is considering non-NIST curves down the track.

Security software engineers Jon Millican and Steve Weis together with operating systems production bod Phil Dibowitz worked on the initiative.

They say users of the likes of ProtonMail have been calling for encrypted Facebook email support.

“Elliptic curve cryptography offers high levels of security for relatively smaller key sizes and is being widely adopted in modern cryptographic implementations,” the geeks say .

“This new support allows you to post ECC public keys on your profile and have Facebook use them to encrypt email notifications.

“We’ve also heard from several organisations that support for Facebook PGP is a popular request from their customers. “

The team plugs ProtonMail, a zero-knowledge email project born from CERN which supports PGP for Facebook in a way that removes the need for users to juggle Bob and Alice’s keys through a GUI in its webmail and mobile app.

ProtonMail co-founder Andy Yen says the support of strong open crypto standards by big tech could be an ‘unstoppable’ win .

“If we truly want to have a more private and secure internet, working together will be crucial and we applaud Facebook for sticking with open standards,” Yen says .

“As OpenPGP is universal, in the future, we will also be able to integrate with countless other services.”

“We are glad that giants like Facebook are supporting these efforts and if more companies join in, the movement to improve privacy online will be unstoppable.”

ProtonMail users can jettison the old PGP setup and immediately begin to fire encrypted Facebook comms using their OpenPGP public keys. ®

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/09/24/facebook_crypto_upped/