Monthly Archives: December 2015

Learn From The LastPass Breaches And Implement Behavior Analytics – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

LastPass Breaches Have 4 Lessons Everyone Can Learn From

Data breaches in 2011 and after that once again in 2015 were perpetrated against password management company LastPass. Specialists recommend use of password managers, since strong passwords distinct to each user account are not feasible to recall without organized support. Nevertheless, positioning all one’s eggs in a single basket – then for countless users to each place their egg basket into one super basket – creates an irresistible target for attackers of every type. Cryptology professionals who have studied this recent breach at LastPass appear cautiously positive that major harm has actually been prevented, but there are still essential lessons we can draw from this episode:

1. There Is No Ideal Authentication, There Is No Ideal Security

Any skilled, patient and motivated adversary will eventually breach any practical cyber defenses – even if yours is a cyber defense business! Unfortunately, for lots of enterprises today, it does not typically require much ability or patience to breach their meager defenses and permeate their vast, porous boundaries. Compromise of user info – even those of highly privileged domain administrators – is likewise quite typical. Again, unfortunately, numerous enterprises depend on single-factor password authentication, which simply invites widespread credentials compromise. But even multi-factor authentication can be breached, as was evidenced with the 2011 compromise of RSA SecurID’s.

2. Utilize Situational Awareness When Defenses Are Breached

When the assailants have actually breached your defenses the clock is ticking on your detection, containment, and remediation of the incident. Industry data recommends this clock has a very long time to tick – hundreds of days typically – before awareness sets in. By that time the cyber criminals have actually pwned your digital assets and picked your business carcass clean. Vital situational awareness is vital if this too-frequent catastrophe is to be avoided.

3. Network and Endpoint Contexts Are Fused With Comprehensive Situational Awareness

In the recent LastPass incident detection was accomplished by analysis of network traffic from server logs. The enemy dwell time before detection was not disclosed. Network anomalies are not constantly the fastest method to identify an attack in progress. A fusion of network and endpoint context offers a much better choice basis than either context individually. For instance, having the ability to combine network flow data with the originating process identification can shed far more light on a possible infiltration. A suspicious network contact by a brand-new and untrustworthy executable is much more suggestive taken together than when evaluated separately.

4. After An Authentication Failure, Use User Behavior Analytics

Compromised credentials often wreak havoc throughout breached businesses, enabling cyber criminals to pivot laterally through the network and operate mainly underneath the security radar. However this misuse of legitimate credentials differs considerably from normal user behavior of the genuine credential holder. Even rather rudimentary user behavior analytics can spot anomalous discontinuities in learned user habits. Constantly use user behavior analytics, particularly for your more privileged users and administrators.

 

Charles Leaver – Vulnerability Monitoring Would Have Helped To Prevent Hacker Elites Breach

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver

Hacking Team Affected By Lack Of Real Time Vulnerability Tracking

Nowadays cyber attacks and data breaches are in the news all the time – and not just for those in the high worth industries such as health care, financing, energy and retail. One especially intriguing event was the breach against the Italian company Hacking Team. For those who don’t remember Hacking Team (HT) is a company that concentrates on monitoring software applications accommodating federal government and authorities agencies that want to perform hidden operations. The programs created by HT are not your run-of-the-mill push-button control software or malware-type recording devices. One of their crucial products, code-named Galileo – much better called RCS (Remote Control System)– declared to be able to do pretty much whatever you require in terms of “controlling” your target.

Yet as talented as they remained in developing these programs, they were unable to keep others from getting into their systems, or identify such vulnerabilities at the endpoint through vulnerability tracking. In one of the most high-profile breaches of 2015, HT were hacked, and the material stolen and consequently launched to the public was big – 400 GB in size. More significantly, the information included extremely damaging details such as e-mails, client lists (and prices) which included countries blacklisted by the UN, and the crown jewels: Source code. There was also thorough documentation which included a few very powerful 0-day exploits against Flash and Adobe. Those 0-days were used very soon after in attacks against some Japanese companies and US federal government agencies.

The huge question is: How could this take place to a business whose sole existence is to make software that is undetectable and finding or producing 0-day exploits for others to utilize? One would believe a breach here would be almost impossible. Undoubtedly, that was not the case. Currently there is not a lot to go on in terms of how this breach took place. We do understand nevertheless that somebody has actually declared responsibility and the individual (or group) is not new to getting into places just like HT. In August 2014, another monitoring business was hacked and delicate files were launched, much like HT. This included client lists, prices, code, and so on. This was against Gamma International and their product was called FinFisher or FinSpy. A user by the name of “PhineasFisher” released on Reddit 40 GB worth data and announced that he/she was responsible. A post in July this year on their twitter account discussed they likewise attacked HT. It seems that their message and purpose of these breaches and theft where to make people familiar with how these businesses run and who they sell to – a hacktivist attack. He did publish some information to his methods and some of these techniques were likely utilized against HT.

A last question is: How did they break in and what precautions could HT have implemented to prevent the theft? We did learn from the launched documents that the users within HT had extremely weak passwords e.g. “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft might have happened made use of the program TrueCrypt. Nevertheless, when you are logged in and utilizing the system, those concealed volumes are accessible. No information has been published as of yet as to how the network was breached or how they accessed the users systems in order to download the files. It appears, though, that businesses have to have a service such as Ziften’s Constant Endpoint Visibility running in their environment. By keeping an eye on all user and system activity notifications might have been produced when an activity falls beyond normal behavior. Examples include 400 GB of files being submitted externally, or understanding when vulnerable software applications are running on exposed servers within the network. When an organization is making and selling advanced monitoring software applications – and possessing unknown vulnerabilities in business deliverables – a better strategy needs to have implemented to restrict the damage.

 

The Healthcare Data Leak At Anthem May Have Been Prevented By Endpoint Visibility – Charles Leaver

Written By Justin Tefertiller And Presented By Charles Leaver Ziften CEO

Continuous Endpoint Visibility Would Have Improved Healthcare Data Leakage Prevention

Anthem Inc found a large scale cyber attack on January 29, 2015 against their IT and data systems. The health care data leak was believed to have actually happened over a several week period starting around early December 2014 and targeted individual data on Anthem’s database infrastructure along with endpoint systems. The stolen info included dates of birth, full names, healthcare identification numbers as well as social security reference numbers of clients and Anthem employees. The exact variety of individuals affected by the breach is unknown but it is approximated that nearly 80 million records were stolen. healthcare data tends to be one of the most lucrative sources of income for hackers offering records on the dark market.

Forbes and others report that attackers utilized a process-based backdoor on clients linked to Anthem databases in combination with compromised admin accounts and passwords to graduallysteal the data. The actions taken by the hackers posturing and operating as administrators are what eventually brought the breach to the attention of security and IT groups at Anthem.

This type of attack shows the need for continuous endpoint visibility, as endpoint systems are a consistent infection vector and an avenue to sensitive data kept on any network they may connect to. Easy things like never ever before observed processes, brand-new user accounts, odd network connections, and unauthorized administrative activity are common calling cards of the beginning of a breach and can be easily determined and alerted on with the ideal tracking tool. When notified to these conditions in real time, Incident Responders can catch the invasion, discover patient zero, and ideally alleviate the damage instead of allowing assailants to wander around the network unnoticed for weeks.

 

8 Months To Detect PF Chang Data Breach And 30 Locations Affected – Charles Leaver

Written By Charles Leaver Ziften CEO

The PF Chang dining establishment chain just recently published new details about the security breach of its credit card systems across the country. The dining establishment chain announced that the breach impacted more than 30 locations in 17 states and went on for eight months prior to being discovered.

While the investigation is still ongoing, in a declaration PF Chang’s reported that the breach has been contained and client monetary data has been processed safely by the restaurant since June 11. The compromised systems utilized by the chain were decommissioned till it was clear that their security could be ensured, and in the meantime charge cards were processed by hand.

Rick Federico, CEO said in a statement “The potentially taken credit and debit card data includes the card number and sometimes also the cardholder’s name and/or the card’s date of expiry.” “However, we have actually not figured out that any particular cardholder’s credit or debit card data was stolen by the hacker.”

PF Chang’s was alerted of the breach, which they described as a “extremely sophisticated criminal operation,” in June when they were contacted by the Secret Service about cyber security concerns. As soon as they were informed, the restaurant employed third-party forensic detectives to find how the breach was able to occur, at which time they found that harmful actors had the ability to exploit the chain’s charge card processing systems and potentially gain access to consumer credit card information.

Organizations worried about similar data breaches impacting point-of-sale terminals must execute endpoint threat detection to keep crucial systems protected. Endpoint security involves monitoring sensitive access points – like POS systems, bar code readers and employee mobile phones – and reducing risks that appear. Constant endpoint visibility is essential to determine risks before they compromise networks and ensure business security.