Security

Should companies pay ransomware, and is it illegal to? (September 20, 2021 at 11:04 am)


Companies know the danger ransomware poses and that a successful attack is a realistic possibility. If ransomware isn’t detected in time, business-critical data could be encrypted, exfiltrated and posted publicly on file-sharing or leak sites.

Once a company has received a ransom demand, it’s too late to protect its systems. The attack is done, and the company is a victim. The time has come for executives to decide: to pay or not to pay the ransom? Is it even legal to do so?

Reasons companies pay ransoms

While many companies won’t admit it, they’ve paid the ransom to get critical assets back. Companies prefer to remain silent about ransomware attacks when possible. This means the negotiation between threat actors and their victims is shrouded in secrecy.

Even though ransom demands climb every year, many companies decide to pay. There are several common reasons this is the case:

Faster recovery time. If data restoration takes too long and the company faces a long, costly downtime, paying the ransom looks like the better, and cheaper, alternative.
Damage to business. The harm a company suffers can include revenue loss, reputational harm, etc. Announcing to customers following a data breach that a company got hit with ransomware will hurt its reputation and reduce customer confidence.
Excessive recovery costs. Paying a ransom is a business decision. If the costs to recover from a ransomware attack exceed the ransom payment, why wouldn’t companies take a gamble?
To protect customer or employee data. Companies don’t want customer and employee data exposed. Some attackers threaten to release data they exfiltrated to pressure companies to pay.

Reasons companies should not pay ransoms

Federal agencies and industry analysts agree that paying the ransom does more harm than good to the entire industry. While paying may appear to be a viable option, here is why your business shouldn’t:

It encourages attackers. Paying the ransom provides hacker groups with additional funds to run future attacks. Victim companies might even suffer repeat attacks if word gets out they paid.
It escalates payments. Ransomware groups now commonly ask for another payment. The first gets a company the decryption keys, while the second pays to ensure data is not released.
Data isn’t always returned. Even if a company pays, there’s no guarantee attackers will hand over a working decryptor, or that decryption restores data to its pre-attack state. According to Sophos’ 2021 State of Ransomware report, 92% of organizations that paid did not get all their data back, and 29% recovered no more than half of their encrypted data.
Potential future legal issues. Making the payment could get a company in legal trouble. If the group or individuals behind the attack are under U.S. sanctions, paying them can violate sanctions law regardless of whether the victim knew whom it was paying.

Paying enables the cycle of ransomware to continue. “We’re not going to see attackers reconsider this attack vector until it isn’t as profitable,” said Allie Mellen, analyst at Forrester Research. One way to slow the cycle, she said, was to refuse to pay the ransom. “Attackers will be forced to move onto a different way to make money.”

Is it legal to pay after a ransomware attack?

For the moment, it’s legal to pay the ransom in the U.S., though cybersecurity experts recommend companies do not pay. Given the criticality of assets stolen, a company may decide that it has to pay the ransom and that it is legally allowed to do so.

The U.S. Department of the Treasury released an advisory in October 2020 that said companies could face future legal trouble. Being involved in ransomware payments — whether as the victim, a cyber insurance firm or financial institution — the advisory said, could potentially violate Office of Foreign Assets Control regulations.

“Formal recommendations from the FBI encourage companies not to pay the ransoms because it just escalates the problem,” said Dave Gruber, analyst at Enterprise Security Group, a division of TechTarget. “At some point, to stop ransomware, there has to be some formal legislation in place. How do you stop the current cycle? Either stop paying the ransom or make the penalties for doing so way, way bigger and enforce them.”

Even if a company decides it is in its best interest to make the ransom payment, experts recommend reporting it to the FBI or Cybersecurity and Infrastructure Security Agency. In his experience, Gartner analyst Paul Furtado said companies report incidents more now than previously, even as they pay the ransom. One of his sources is an organization that acts as an intermediary between bad actors and their targets. “Their business continues to increase quarter over quarter,” he said.

Using cyber insurance to make ransomware payments

One way companies can make it easier to survive the financial cost of a ransomware attack is with cyber insurance. The policies offer more than ransom payouts, often assisting with business downtime reimbursement, data recovery efforts, breach investigation and more.

The popularity of cyber insurance has grown over the last couple years. According to a U.S. Government Accountability Office report, the percentage of companies buying cyber coverage rose from 26% in 2016 to 47% by 2020. Unfortunately, companies that do not yet have a policy might find it has become more difficult to obtain. Premiums for cyber insurance increased 28.6% in 2020, and the industry’s loss ratio grew to 72.8%.

To overcome the high cost of ransomware payouts, insurance firms started to adjust the cost of premiums and what policies cover. “They’re very specific. They’re segmented into ransom protection, business interruption protection, third-party risk for lawsuit protections,” Gruber said. You might not receive a quote at all, he added.

To reduce the chance of unaffordable premiums or getting shut out of cyber insurance, companies can determine what coverage they need. They can also reduce risk by implementing multifactor authentication, data backups, patch management and more.

To pay or not pay ransomware is not an easy decision

“It depends” is a common answer from analysts when asked whether to pay or not because each situation is different.

To decide, tie the answer to business outcomes, Gartner analyst Paul Proctor said. “It comes down to when business outcomes are impacted by the lack of the stolen data. The organization must weigh if the business loss is worth rolling the dice on making a payment.”

To make it easier to recover and reduce the temptation to pay, companies can follow best practices:

Invest in business continuity (BC) plans and security awareness training. For BC, companies need a backup and restore process.
Consider immutable backups.
Train IT in data restoration so downtime is minimal.
Reduce the chance of initial infection with phishing awareness training.

Cyber EO and Meeting Cloud Modernization Effort (News team, September 19, 2021 at 7:28 pm)

The post Cyber EO and Meeting Cloud Modernization Effort appeared first on Cyber Defense Magazine.

By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler

In the wake of recent high profile attacks and an evolving hybrid work environment, agencies are working to meet President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity to protect users, devices, and data.

In the recent Zenith Live virtual event, I sat down with cyber leaders from the Department of Health and Human Services Office of Inspector General, Department of Education, and Cybersecurity and Infrastructure Security Agency (CISA).

We discussed zero trust security, FedRAMP, the Trusted Internet Connection (TIC) 3.0 policy, and how agencies can achieve modernization goals and the terms of the EO.

The EO (EO 14028) requires agencies to prioritize cloud adoption using Office of Management and Budget (OMB) guidance, plan for zero trust architectures using National Institute of Standards and Technology (NIST) special publications, and report their status to OMB and the National Security Advisor.

Working to implement these modernization efforts is a journey, not a destination, as agencies work to make a culture shift towards cloud, zero trust, and new technology rather than just checking the boxes.

“Thank God for the EO, I say,” said Gerald Caron, Chief Information Officer for the Department of Health and Human Services Office of Inspector General. “I think it moves us more towards being effective overall – for our agencies to be effective at cyber – not just checking boxes.”

Mitigating Threat with Zero Trust

The EO gave agencies 60 days to develop a plan for implementing zero trust architecture as they shift to cloud technology, in order to “prevent, detect, assess, and remediate cyber incidents.”

Zero trust gives agencies strong access management and security tools to prevent unauthorized users from seeing applications and sensitive data. Hiding applications from unauthenticated users shrinks the attack surface and gives IT teams clearer visibility as they monitor their environment.

NIST SP 800-207 zero trust guidance provides a roadmap to migrate to and deploy zero trust across the enterprise environment. It outlines the tenets of zero trust, including securing all communication regardless of network location and granting access on a per-session basis. Together these create a least privilege access model that ensures the right person, device, and service has access only to the data they need while protecting high-value assets.

The NIST National Cybersecurity Center of Excellence (NCCoE) recently announced its Implementing a Zero Trust Architecture Project where best-of-breed zero trust leaders will collaborate to demonstrate several approaches to implementing zero trust architectures. This coalition will work side by side to realize the opportunity for zero trust to strengthen every agency’s cyber defenses.

“For us, when we talk about zero trust architectures, it’s not just the discussion around technologies, infrastructure, services, cloud, and all the cool things that come together to make it happen,” said Steven Hernandez, Chief Information Security Officer at the Department of Education. “It’s also a very robust discussion around data, because data is at the heart of everything that we’re driving.”

President Biden’s EO also gave agencies 60 days to begin modernizing FedRAMP, and specifically “establish a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests.”

A FedRAMP-authorized zero trust security model allows IT administrators to wrap policies around users and applications to ensure comprehensive security regardless of where they connect from, and what they connect to.

This approach reduces the attack surface and the risk of users accessing unauthorized data or applications. Additionally, IT administrators have centralized visibility to track, log, and manage all users connecting to the network on any device, in any location – a huge advantage for managing an extensive remote or hybrid environment.

Updated Policy and Modern Security for Complex Environments

The updated TIC 3.0 guidance has opened the door for agencies to adopt modern, hybrid cloud environments. This security approach will be critically important for agencies to secure their cloud capabilities and scale up and down as needed.

“The guidance offers a new security strategy for agencies to explore new opportunities, redefine the perimeter, and flexible architectures, zero trust being one of those we want to talk about,” said Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA. “New visibility is the most fundamental change in the guidance.”

As employees work remotely or in hybrid arrangements and agencies follow the modern TIC 3.0 guidance, they can place security controls closer to the resources being protected rather than backhauling all traffic through a single central access point.

To secure access points, agencies should adopt a Secure Access Service Edge (SASE) security model, which addresses today’s most common security challenges arising from more applications living outside the data center, sensitive data stored across multiple cloud services, and users connecting from anywhere, on any device.

Following the SASE model, agencies can invert the traditional security model by moving essential security functions to the cloud, so users can access data and networks from any location while security is enforced as close to the user, device and data as possible. CISA has shifted services such as the Continuous Diagnostics and Mitigation (CDM) program in this way to secure data where it is generated, and the General Services Administration (GSA) has likewise adjusted its Enterprise Infrastructure Solutions (EIS) model.

What’s Next as Agencies Modernize

The updated policies, authorizations, new security measures, and hybrid work environments are pointing agencies towards one initiative – cloud adoption and modernization. Now as agencies unify towards this push, they can learn from one another on this journey.

“I think we’re headed in that direction, we’re going to find ourselves there one way or another, and I think that’s a good thing,” said Hernandez. “I think that by having more people in a centralized environment, with less attack surface, better configuration, and change control – ultimately, we can learn from each other and have a body of practice around centers of excellence that do this well.”

About the Author

Stephen Kovac is the Vice President of Global Government and Head of Corporate Compliance of Zscaler. He is responsible for strategy, productizing, and certification of the Zscaler platform across global governments. He also runs the global compliance efforts for all of Zscaler. In his role, Stephen leads his team’s efforts to advance Federal IT modernization by delivering cloud security solutions through direct-to-cloud connections and zero trust security capabilities. He has pushed for cloud security reform by speaking at events, meeting with agency leaders, publishing, working on pilot programs, and working directly with the Hill. Stephen can be reached online at Twitter, LinkedIn, and at our company website https://www.zscaler.com/solutions/government

New CIOs: 5 Key Steps in Your First 100 Days (News team, September 17, 2021 at 3:24 pm)

The post New CIOs: 5 Key Steps in Your First 100 Days appeared first on Cyber Defense Magazine.

Getting the first 100 days right is critical to achieving momentum, credibility, and long-term success.

By Etay Maor, Senior Director, Security Strategy, Cato Networks

Starting off as a new CIO in a tough, dynamic environment can be daunting. CIOs must juggle multiple issues like coping with hybrid workplaces, changing cybersecurity and compliance protocols, increasing ransomware attacks and high expectations from the board, to name but a few. New CIOs need to tackle biased perceptions, make a good first impression, assess the current state of processes and policies and determine a strategy to build a foundation that drives innovation.

Other CIO challenges may involve building a deep awareness of the IT organization, developing close relationships with key stakeholders and achieving wide acceptance for strategic goals, while also gaining some quick wins that boost confidence in your talents.

In speaking with countless CIOs about their security posture, I’m always intrigued by what lessons they’d offer new CIOs. In truth, there doesn’t seem to be a single set of ‘guiding principles’ for best launching into a CIO role. There are, however, strategies and tips that repeat themselves in my conversations. Here, then, are five of those often-cited takeaways battle-tested CIOs recommend new CIOs follow in their first 100 days in office.

Get to Know Your Organization and Team

With many stakeholders and team members operating remotely, one of the most significant hurdles a CIO must overcome is to forge meaningful, interdepartmental relationships.

With IT Teams: Start with regular one-on-ones, seek out the issues they regularly wrestle with and assess whether it involves technology, infrastructure, processes or people. Familiarize yourself with the strategy and tactics currently in place and evaluate if these adequately align with overall business goals.
With non-IT Teams: Start with key executives and leadership teams. Understand their role in the business and how they interact with IT. Evaluate recent IT requests and determine whether they have been resolved satisfactorily. Prepare questions relevant to their role but listen carefully to understand their overall strategic vision and expectations from IT.

Determine the state of IT and Security Infrastructure

Conduct a detailed technology risk assessment of your network infrastructure, databases, applications, cybersecurity and back-ups. Evaluate the current state of policies, procedures, compliance, security awareness and service delivery levels. Get to know your vendor-partners and learn the contract status from each, especially big-ticket deals. Know your IT budgets (planned vs. actual). Figure out what stage the company is at relative to their digital transformation process.

As a first measure, benchmark what you can. Three years down the road you should be able to sell a story of sustained improvement. Conduct a baseline assessment and capture metrics from current applications and security practices. This will also help identify what is and isn’t working.

Define your Goals and Chart Out a Plan

Once you’ve got a handle on IT’s position and learned about its resources and capabilities, it’s time to develop swift action plans for urgent and simple issues to help define an overall blueprint of your longer-term company strategy. Your plan should include an executive summary, your department’s strengths and weaknesses; opportunities and threats; new trends, tools and capabilities; the tactics you will use along with costs, time and impact – in short, guiding principles that will drive future decisions.

Incorporate Digital Transformation

Whether it’s changing buyer behavior or securing a large-scale remote workforce, the demand for digital transformation post-pandemic (i.e., digital methods to improve business processes and continuity) has accelerated by several years.

New CIOs must keep this momentum going by identifying and implementing technology that can significantly transform customer and employee experiences. As an example, CIOs can leverage automation and AI to improve product efficiency or augment intelligence to an existing product, giving it a competitive edge. In cybersecurity, CIOs can leverage transformational technologies like SASE (Secure Access Service Edge) to boost cybersecurity, provide high-speed connectivity and reduce IT overheads.

Get Priorities in Order

Choose your battles wisely based on mandates, urgency, business needs, ROI, previous experiences and understanding of market trends. Seize opportunities for quick wins like improving processes, vendor management, SLA timelines and end-user applications. Resist firefighting.

Weigh out the risks and repercussions before you make major decisions. Get executive sponsorship for your actions and priorities. If needed, set up a steering committee to secure buy-in from a diverse group. Determine where the power lines are drawn and what priorities can be addressed first to instill greater confidence across internal stakeholders.

There is no silver bullet for a successful transition. We can all agree that there is a lot to manage and not everything is just about technology. Having an organized approach in place for your first 100 days ensures you cover your bases and gives you a better shot at succeeding in your new role while establishing yourself as a valued and inspirational leader.

About the Author

Etay Maor is the Senior Director of Security Strategy for Cato Networks, provider of the world’s first Secure Access Service Edge (SASE) platform, converging SD-WAN and network security into cloud-native services. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of Call for Papers (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and an MA in Counter-Terrorism and Cyber-Terrorism.

HTML Smuggling: A Resurgent Cause for Concern (News team, September 16, 2021 at 9:36 pm)

The post HTML Smuggling: A Resurgent Cause for Concern appeared first on Cyber Defense Magazine.

By Vinay Pidathala, Director of Security Research, Menlo Security

Cybersecurity is never straightforward.

While defense techniques, technologies, policies and methodologies continue to evolve at pace, such defenses often trail novel cyber attacks that exploit weaknesses in new ways, catching security teams off guard.

Indeed, recent times have provided many headaches for security professionals; Cybersecurity Ventures estimates that cyber attacks in 2021 will amount to a collective cost of approximately $6 trillion, and the situation isn’t forecast to improve any time soon. With damages expected to grow by a further 15% a year for the next four years, total cyber attack-related losses could reach $10.5 trillion by 2025.

One of the main concerns today is the steadily growing number of techniques that cybercriminals add to their arsenal. Whether it is malware, ransomware, DDoS attacks or phishing, they continue to refine their tradecraft, and each new technique is built to get past the defenses that stopped the last one.

HTML Smuggling explained

HTML Smuggling is a prime example of this in action.

While the broad concept itself is nothing new, the threat is making something of a resurgence having recently been used by Nobelium – the hackers behind the renowned SolarWinds attack that was uncovered in December 2020.

In simple terms, HTML Smuggling gives attackers a way to get a malicious file past perimeter security by having the browser on the target endpoint assemble it locally: the payload travels as an encoded string inside an HTML page or script and is only turned back into a file once it is already behind the firewall.

Because the payload is constructed in the browser, no recognizable file object crosses the network perimeter, which is where inspection normally happens. As a result, many commonly used, traditional security controls, such as sandboxes and legacy proxies, can be sidestepped.

ISOMorph – a new variation

This is what happened in the case of Nobelium’s HTML Smuggling attack that we are calling ISOMorph.

Here, the voice, video and text chat platform Discord, home to more than 150 million active users, was targeted.

With ISOMorph, HTML Smuggling drops the first stage onto the victim’s computer. Because that stage is assembled on the endpoint, network-based detection never sees it as a file in transit. Once it runs, the attackers execute the payload that infects the computer with remote access trojans (RATs), then set about logging passwords and exfiltrating data.

While the resurgence of HTML Smuggling through ISOMorph is new, it shouldn’t necessarily come as any great surprise. Indeed, from the cyber attackers’ perspective, it is a logical avenue to pursue.

Thanks to the pandemic, remote and hybrid working has become the new norm. Where such working models are now commonly used, the increased use of cloud services and expansion of organizations’ digital footprints has exposed a series of new security related challenges.

Today, the browser plays a more vital role in day-to-day operations than ever before – yet, unfortunately, it remains one of the weakest links in the cybersecurity chain, making HTML Smuggling an all the more attractive proposition to threat actors.

From access to execution

So, what should we be looking out for in the case of an HTML Smuggling attack?

In the case of ISOMorph, Menlo Security’s analysis has shown that attackers are using both email attachments and web drive-by downloads to achieve initial infection.

Thereafter, using JavaScript, they borrow a technique web developers use to generate downloads on the client side: the payload is decoded from a string embedded in the page and assembled in the browser (typically as a JavaScript Blob handed to the browser’s download mechanism), instead of being fetched from a web server through an HTTP request that a gateway could inspect.

With ISOMorph, the payload in question was an ISO file, a disk image that contains all the components needed to install the malware. An ISO suits the attacker because Windows (since Windows 8) mounts it natively, so no third-party software is needed on the endpoint. In this instance, ISOMorph also established persistence by creating a directory on the Windows endpoint.

Equally, an ISO is one example of a file type that web and email gateway devices frequently do not inspect.
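As an added example (not code from the original article or from Menlo Security), the following Node.js script scans an HTML page for the smuggling idiom described above: a base64 string decoded with atob, wrapped in a Blob, handed to URL.createObjectURL and pushed at the user through an anchor’s download attribute and a synthetic click. It then decodes any large base64 literal in the page and identifies the smuggled file by magic bytes, including the ISO 9660 marker ("CD001" at offset 0x8001). The sample page, the fake ISO (a marker only, no file system), the size threshold, the scoring and the indicator list are all assumptions made for this example.

```javascript
// Added example, not Menlo Security's code: a static scanner for the HTML
// smuggling idiom (base64 -> Blob -> createObjectURL -> forced download).
// Thresholds, indicator list and the sample page below are assumptions.

const MIN_PAYLOAD_BYTES = 1024; // ignore short literals (tokens, inline images)

// Each indicator is harmless on its own; together they form the smuggling stub.
const INDICATORS = [
  { name: 'base64_decode',   re: /\batob\s*\(/ },
  { name: 'blob_construct',  re: /new\s+Blob\s*\(/ },
  { name: 'object_url',      re: /URL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\(/ },
  { name: 'forced_download', re: /\.download\s*=|\bdownload\s*=\s*["']/ },
  { name: 'auto_click',      re: /\.click\s*\(\s*\)/ },
];

// Identify a decoded payload by magic bytes. ISO 9660 places "CD001" at 0x8001,
// after the 32 KiB system area; PE starts with "MZ", ZIP with "PK", PDF with "%PDF".
function sniffType(bytes) {
  if (bytes.length >= 0x8006 && bytes.toString('ascii', 0x8001, 0x8006) === 'CD001') return 'iso9660';
  if (bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a) return 'pe';
  if (bytes.length >= 2 && bytes[0] === 0x50 && bytes[1] === 0x4b) return 'zip';
  if (bytes.length >= 4 && bytes.toString('ascii', 0, 4) === '%PDF') return 'pdf';
  return 'unknown';
}

// Scan one HTML document given as a string. Returns the indicators that fired,
// every large embedded payload it could decode, and a verdict.
function scanHtmlForSmuggling(html, minPayloadBytes = MIN_PAYLOAD_BYTES) {
  const indicators = INDICATORS.filter(i => i.re.test(html)).map(i => i.name);
  const payloads = [];
  const literal = /["']([A-Za-z0-9+\/]{64,}={0,2})["']/g; // quoted base64 runs
  let m;
  while ((m = literal.exec(html)) !== null) {
    const bytes = Buffer.from(m[1], 'base64');
    if (bytes.length >= minPayloadBytes) payloads.push({ size: bytes.length, type: sniffType(bytes) });
  }
  const score = indicators.length + (payloads.length > 0 ? 2 : 0);
  const verdict = score >= 4 ? 'likely-smuggling' : score >= 2 ? 'suspicious' : 'clean';
  return { indicators, payloads, verdict };
}

// Constructed sample: a fake ISO carrying only the "CD001" marker (no file
// system, nothing executable) wrapped in the usual smuggling stub.
function fakeIso() {
  const buf = Buffer.alloc(0x8006);
  buf.write('CD001', 0x8001, 'ascii');
  return buf;
}

function buildSamplePage(payload) {
  const b64 = payload.toString('base64');
  return `<html><body><p>Your document is ready.</p>
<script>
  var b64 = "${b64}";
  var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  var blob = new Blob([bytes], { type: 'application/octet-stream' });
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'invoice.iso';
  a.click();
</script></body></html>`;
}

const SAMPLE_SMUGGLING_HTML = buildSamplePage(fakeIso());
const SAMPLE_BENIGN_HTML = '<html><body><p>Hello</p><script>document.title = "Hi";</script></body></html>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanHtmlForSmuggling(SAMPLE_SMUGGLING_HTML), null, 2));
  console.log(scanHtmlForSmuggling(SAMPLE_BENIGN_HTML).verdict);
}
```

Run with node: the constructed page scores likely-smuggling with a 32 KiB iso9660 payload, while the benign page scores clean. The scan belongs where the HTML is still visible as a document, in the mail gateway or proxy before the browser executes it, because that is exactly the inspection point the technique is built to slip past; once the script has run, only the endpoint can see the resulting file.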

In analyzing the ISO files used in the campaigns we monitored, we found that each contained a VBScript that executes and then fetches additional PowerShell scripts, which in turn download further files to the endpoint.

The malicious code is also executed by proxy through trusted components on the endpoint. We saw MSBuild.exe used, for example, a signed Microsoft binary that is typically allow-listed, so code injected into it draws less scrutiny. Here, ISOMorph used reflection to load a DLL in memory and then injected the remote access trojan into MSBuild.exe, evading antivirus products that rely on scanning files on disk.
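The execution chain above (VBScript from the mounted ISO, a hidden PowerShell, then MSBuild.exe hosting injected code) is something endpoint telemetry can catch even when the file itself slipped past the gateway. The following Node.js script is an added example, not Menlo Security’s detection logic, that runs over constructed process-creation events shaped like Sysmon Event ID 1 fields (pid, ppid, image, command line, user). The events, paths, user names, the list of suspicious ancestors and the set of expected project-file extensions are assumptions made for this example.

```javascript
// Added example, not from the page or Menlo Security: flag MSBuild.exe being
// used as an execution proxy, from process-creation events. The events below
// are constructed for this example; field names mirror Sysmon Event ID 1.

const EVENTS = [
  { pid: 4100, ppid: 880,  image: 'C:\\Windows\\explorer.exe', cmd: 'explorer.exe', user: 'CORP\\alice' },
  // chain from a mounted ISO: VBScript -> hidden PowerShell -> MSBuild on a file in Temp
  { pid: 4212, ppid: 4100, image: 'C:\\Windows\\System32\\wscript.exe', cmd: 'wscript.exe D:\\Document.vbs', user: 'CORP\\alice' },
  { pid: 4300, ppid: 4212, image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', cmd: 'powershell.exe -nop -w hidden -enc SQBFAFgA', user: 'CORP\\alice' },
  { pid: 4388, ppid: 4300, image: 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe', cmd: 'MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\a.xml', user: 'CORP\\alice' },
  // legitimate build: MSBuild launched by Visual Studio on a project in the source tree
  { pid: 5000, ppid: 4100, image: 'C:\\Program Files\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe', cmd: 'devenv.exe', user: 'CORP\\bob' },
  { pid: 5010, ppid: 5000, image: 'C:\\Program Files\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe', cmd: 'MSBuild.exe C:\\src\\app\\app.csproj /t:Build', user: 'CORP\\bob' },
];

// Parents that should not normally be launching a build tool (assumed list).
const SUSPICIOUS_ANCESTORS = new Set(['wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'pwsh.exe', 'winword.exe', 'excel.exe', 'outlook.exe']);
// Inputs MSBuild is expected to be handed (assumed list).
const PROJECT_EXTENSIONS = new Set(['proj', 'csproj', 'vbproj', 'vcxproj', 'sln', 'targets', 'props']);
// Locations an unprivileged user, and therefore a dropped payload, can write to.
const USER_WRITABLE = /\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\/i;

const basename = p => p.split('\\').pop().toLowerCase();

// Walk up the parent chain, bounded in case of pid reuse or cycles.
function ancestors(byPid, ev, max = 8) {
  const chain = [];
  let cur = byPid.get(ev.ppid);
  while (cur && chain.length < max) { chain.push(cur); cur = byPid.get(cur.ppid); }
  return chain;
}

// One finding per MSBuild.exe process that looks like proxy execution.
function detectMsbuildProxy(events) {
  const byPid = new Map(events.map(e => [e.pid, e]));
  const findings = [];
  for (const ev of events) {
    if (basename(ev.image) !== 'msbuild.exe') continue;
    const reasons = [];
    for (const anc of ancestors(byPid, ev)) {
      const name = basename(anc.image);
      if (SUSPICIOUS_ANCESTORS.has(name)) reasons.push('ancestor:' + name);
    }
    // Every non-switch argument is treated as an input file and checked.
    for (const tok of ev.cmd.split(/\s+/).slice(1)) {
      if (tok.startsWith('/') || tok.startsWith('-')) continue;
      const ext = (tok.match(/\.([a-z0-9]+)$/i) || [])[1];
      if (ext && !PROJECT_EXTENSIONS.has(ext.toLowerCase())) reasons.push('non_project_input:' + ext.toLowerCase());
      if (USER_WRITABLE.test(tok)) reasons.push('input_in_user_writable_path');
    }
    if (reasons.length) findings.push({ pid: ev.pid, user: ev.user, reasons });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectMsbuildProxy(EVENTS), null, 2));
}
```

The legitimate Visual Studio build in the sample produces no finding; the ISO chain is flagged on all three signals at once (script-host and PowerShell ancestry, a non-project .xml input, and an input under AppData). Any one signal alone, such as a developer running MSBuild from PowerShell, is weak evidence, so a production rule should weight the combination rather than alert on each.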

Prevention and solutions

The resurgence of HTML Smuggling should be cause for concern.

While vaccination efforts continue to ramp up and economies and societies continue to open up once more, the impact of COVID-19 will be felt long after 2021. In the case of work, the many benefits that have been realized from remote and hybrid working models will ensure that such ways of working won’t disappear anytime soon. As a result, the browser will continue to offer hackers new avenues to attack their target endpoints.

For this reason, HTML Smuggling is expected to stay. In the case of ISOMorph, it is proving to be an effective method from which attackers are able to infiltrate victims’ devices and deploy payloads while bypassing traditional network security tools.

So, how can it be combatted? The answer is in the form of isolation technologies.

Developed with the simple purpose of comprehensively protecting users as they use web services – be it email applications, browsers, or otherwise – isolation creates a virtual barricade between the endpoint and external threats from the internet.

While content such as emails and web traffic can still be viewed seamlessly, active content is rendered away from the endpoint and never executed on it, removing the opportunity for code assembled in the browser to reach the device and exploit vulnerabilities.

To achieve a robust endpoint protection strategy, isolation must be placed front and center.

About the Author

Vinay Pidathala is Director, Security Research at Menlo Security based in Mountain View, California. Previously, Vinay was at Aruba Networks and also held positions at FireEye and Qualys.

Vinay can be reached online at: @menlosecurity and at our company website: https://www.menlosecurity.com/

Bitdefender releases REvil universal ransomware decryptor (September 16, 2021 at 3:06 pm)


The REvil decryptor key helps victims recover their encrypted files, as long as the attacks were made before July 13, which is when REvil went off the grid for two months.

Bitdefender and “a trusted law enforcement partner” have created and released a universal decryptor for REvil ransomware.

REvil, also known as Sodinokibi, is a prominent ransomware gang that was recently responsible for the high-profile Kaseya supply chain attack in July. Shortly after the attack — where the ransomware operators demanded a $70 million ransom from Kaseya and its customers — the gang disappeared for nearly two months.

The decryptor key, released Thursday, helps victims recover data from attacks made before July 13 — when REvil initially went dark. As Bitdefender’s blog post noted, victims who had not paid REvil’s ransom were left unable to recover their encrypted data.

In addition to the decryptor key itself, step-by-step documentation on using the key is available.

Bitdefender did not name the law enforcement entity that assisted the vendor in developing the universal decryptor. Moreover, the post stated that, due to the ongoing nature of the associated investigation, they are unable to “comment on details related to this case.”

Bogdan Botezatu, director of threat research and reporting at Bitdefender, told SearchSecurity that estimating the total number of REvil victims is nearly impossible.

“It’s next to impossible to estimate how many victims REvil has managed to infect since 2019,” he said. “This is because not all victims report infections or reach out for support. However, we can say that we have seen downloads of the decryptor as soon as we released it today.”

The vendor said it believes “new REvil attacks are imminent” following the gang’s resurgence.

Emsisoft threat analyst Brett Callow said there’s “no reason to believe” that the “old” REvil and resurfaced REvil are different gangs.

“The only new REvil samples I’m aware of are exactly the same as the old samples. They’re new only in that they were recently compiled. There’s been no alteration to the code. Yet,” he said. “There’s no reason to believe that the people who brought REvil sites back online are any different to the people who were previously engaged in the operation.”

Callow added that although REvil’s current spokesperson posted on a cybercrime forum that Unknown, the previous spokesperson, had disappeared, the claim “should be taken with a pinch of salt.”

“Gangs know the forums are monitored, and so [they] use them as a press release service to spread misinformation,” he said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.


ExpressVPN stands behind CIO named in UAE hacking scandal (September 16, 2021 at 12:18 pm)


ExpressVPN said it will not cut ties with CIO Daniel Gericke, who was implicated by the DOJ in state-sponsored hacking on behalf of the United Arab Emirates government.

ExpressVPN said it plans to stand by its CIO after Daniel Gericke was named by the U.S. Department of Justice as one of three people who were fined for allegedly providing “hacking-related services” to the government of the United Arab Emirates.

In an announcement earlier this week, the DOJ said that Gericke, 40, Marc Baier, 49, and Ryan Adams, 34, agreed to pay fines totaling $1.68 million under a deferred prosecution agreement (DPA) that resolves charges related to their work for an unnamed company contracted by the UAE government to provide state-sponsored hacking services.

According to the DOJ’s complaint, the trio and their company, operating under the brand name “DarkMatter,” had contracted with the UAE government between 2015 and 2019 to break into accounts owned by targeted individuals and companies.

According to the complaint, the accounts were from an unnamed vendor of smartphones and operating systems. Some of those targeted were U.S. citizens or companies based in the U.S.

“These services included the provision of support, direction and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems — i.e., one that could compromise a device without any action by the target,” the DOJ said.

“[DarkMatter] employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”

As part of the deal, the three did not have to admit to any wrongdoing, but will have to pay the fines (Gericke’s share was $335,000) and agree to restrictions on “future activities and employment.”


In Gericke’s case, those restrictions do not prevent him from continuing in his role as CIO of a top VPN vendor, and ExpressVPN intends to keep it that way. The company, which has more than 3 million users and primarily serves consumers as well as SMBs, said that it has no plans to change Gericke’s position or status and fully stands behind its executive.

What’s more, ExpressVPN said it has long known about Gericke’s work with the UAE and believes that, rather than posing a privacy risk to its customers, his past employment is in fact a benefit.

“We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security,” ExpressVPN said in a statement.

“Daniel has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats.”

When asked if it was concerned that its CIO’s history of targeting U.S. citizens might deter potential customers from its services, ExpressVPN referred back to its official statement.

“We were confident at the time and continue to be confident now in Daniel’s desire and ability to contribute to our mission of enabling users to better protect their privacy and security,” the statement reads. “He has demonstrated nothing but professionalism and commitment to advancing our ability to keep user data safe and private. Our trust in Daniel remains strong.”

ExpressVPN was acquired this week for $936 million by Kape Technologies, a U.K.-based software company, the day before the DOJ announcement. Kape Technologies also owns rival VPN companies CyberGhost VPN and ZenMate VPN.

SearchSecurity contacted Kape for comment about the accusations and DPA against an ExpressVPN executive, but the company did not respond.

The revelation has alarmed many in the infosec and privacy communities. John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, said on Twitter that the ExpressVPN decision to hire and retain Gericke showed that “the VPN industry is a toxic, dangerous mess.”

David Maynor, independent security researcher and former research scientist at Barracuda Networks, said on Twitter, “For safety reasons maybe skip ExpressVPN and Kape.”

Liam Pomfret, privacy researcher and board member of the Australian Privacy Foundation, tweeted, “If you’re using VPNs to do more than just view overseas streaming services, you really want to move away from ExpressVPN.”

Security news director Rob Wright contributed to this report.


7 tips for building a strong security culture (September 16, 2021)


Every organization across every industry is worried about information security. Another attack takes place nearly every day — often resulting in the exposure of consumer records or threats of attackers using data to extort money from organizations.

While there is no silver bullet for companies to protect themselves from a security breach, there are several things that will help build and support a strong security culture.

Here are seven security culture dimensions and tips for helping employees protect data.

1. Attitudes

This dimension involves the feelings and beliefs employees have toward security protocols and issues, which employees tend to see as necessary evils. Why? The way data security issues are handled in many organizations puts the IT department and workers into adversarial camps. Employees are viewed as malware-laden link-clickers, while IT is the reigning protector of data with the thankless job of cleaning up employees’ messes.

This adversarial view helps nobody. IT and security staff often feel like babysitters, and the rest of the organization views them as controlling overlords.

Establishing a solid security culture requires changing people’s attitudes from resentment to understanding and, ultimately, to compliance and cooperation.

To remedy this, start at the top of the organization. Attitudes about security and data can’t be changed without top-level agreement that cyber is a major risk. Senior executives need to make it clear that data security isn’t the sole responsibility of the IT department, but of everyone in the organization. All employees can protect or put company data at risk.

Tip: Don’t make assumptions about employees’ attitudes. Monitor their attitudes by collecting data not just on what they know, but also on their preferences and opinions related to data security. Then, work to close any gaps.

2. Behaviors

The actions and activities of employees have direct or indirect impact on the security of the organization.

Attitudes drive behaviors. If employees believe data is important and they play a role in protecting it, then their behaviors will reflect those beliefs. Behaviors are expressed as both those things employees do, as well as those things they don’t do. Examples of employee behavior include how they act toward password management or phishing.

Tip: Psychology teaches us that people respond positively to rewards and negatively to sanctions. Instead of focusing on what employees do wrong, consider implementing a system of rewards for those who demonstrate positive security-related behaviors. For example, during a meeting, formally thank employees for specific security behaviors they have exhibited.

3. Cognition

This involves employee understanding, knowledge and awareness of security issues and activities.

Nothing prompts behavioral change like having a clear understanding of the reasoning behind desired behaviors. For employees, understanding how data security affects their personal lives and the lives of their loved ones can generate aha moments that drive positive security behaviors.

Employees who adopt a more secure mindset at home will immediately begin making better security decisions at work. Other employees will observe and, ultimately, emulate their behaviors and actions.

Tip: Don’t just focus on the importance of data security in the workplace. Help employees understand how they are personally affected by poor data security decisions. This can be particularly powerful in today’s hybrid work environments.

4. Communication

High-quality communication channels promote a sense of belonging and provide support for security issues and incident reporting.

Data security-related communication is often dry, full of jargon and conveyed in a punitive tone. The channels used are usually limited and based more on the communicator’s channel preferences than the preferences of those being addressed.

Tip: Keep it simple. Ambiguity and complexity are enemies. Watch the language used, and be sure information is presented clearly and simply. Use different communication channels to ensure the message reaches as many stakeholders as possible.

5. Compliance

This dimension involves employees’ knowledge of written security policies and the extent to which employees follow them.

Cybersecurity requires compliance with policies and practices designed to protect company data. Unfortunately, a single annual compliance training session is unlikely to increase compliance.

Tip: Inform employees regularly about how their behaviors and actions affect security. Try incorporating gamification into trainings. This strategy will make the experience more meaningful and increase the likelihood of positive change.

6. Norms

Norms involve knowledge of, and adherence to, the unwritten rules of conduct in an organization.

Every organization has certain shared beliefs — or norms — that drive behavior. It’s the “this is how we do it around here” type of sentiment that influences what employees do or don’t do. A shared norm can keep employees from exhibiting certain types of behavior. Norms are influenced by the following:

Social circles, which influence behaviors, both good and bad.
The extent to which people are committed to others in the group.
Participation in social activities and messages that reinforce desired behaviors and values.
The reinforcement of shared values and vision.

These four influences are reinforced through social rewards, such as peer recognition, acceptance and inclusion, as well as social sanctions, such as peer disapproval and exclusion.

Tip: Enlist employee advocates for a program. Social pressure helps support and reinforce security-related values.

7. Responsibilities

How employees perceive their role is a factor in sustaining or endangering the security of the organization.

If employees feel data security is the sole responsibility of IT, they will fail to fully understand their role.

Tip: Ensure employees understand the role they play in protecting data. Educate them about their responsibilities so they can willingly help build a strong security culture.

About the author
Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. He is chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform. He holds an M.S. in information assurance from Norwich University and is a Certified Chief Information Security Officer.

Microsoft September 2021 Patch Tuesday: Mitigations and Workarounds (CISO MAG, September 16, 2021)


Microsoft released fixes for 60 security vulnerabilities in its September 2021 Patch Tuesday update. Of the 60, 56 were rated important and four critical; the affected products include Microsoft Windows, SharePoint Server, the Edge browser, Azure Sphere, Microsoft Edge for Android, Microsoft Visio, Visual Studio, Windows BitLocker, Microsoft Windows DNS and the Windows Subsystem for Linux. The update also patched CVE-2021-40444, a critical zero-day vulnerability in the Windows MSHTML (Trident) engine that has recently been exploited in the wild, along with three elevation of privilege vulnerabilities in Windows Print Spooler: CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447.

Other critical flaws resolved in the update

CVE-2021-38647 – This remote code execution (RCE) vulnerability affects the Open Management Infrastructure (OMI) agent. If exploited, it could allow an unauthenticated attacker to execute code remotely by sending malicious messages over HTTPS to port 5986.

CVE-2021-36968 – Microsoft said it has seen no sign that this publicly disclosed Windows DNS elevation of privilege zero-day vulnerability has been exploited.

CVE-2021-26435 – Attackers could exploit this Windows Scripting Engine memory corruption vulnerability by sending a specially crafted file to a user and convincing them to open it. In a web-based attack scenario, an attacker could instead host a website containing a specially crafted file designed to trigger the vulnerability.

CVE-2021-36967 – Attackers could exploit this critical Windows WLAN AutoConfig Service elevation of privilege vulnerability to gain elevated privileges on targeted devices.
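Because the OMI flaw above is only reachable over the network when the agent is listening on its WSMan ports, the two questions a practitioner asks first are which OMI build a host runs and whether it exposes those ports. The following Python script is an added example, not code from the CISO MAG article or from Microsoft. It assumes that the first OMI release containing the fix is 1.6.8-1 (taken from Microsoft’s advisory for CVE-2021-38647; confirm against current guidance), that the package manager reports the version in the form `omi-1.6.8-1` (`rpm -q omi` or `dpkg -s omi`), and that listeners come from `ss -Hltn`. The sample inputs are constructed, not captured from a real host.

```python
"""Host-side checks for CVE-2021-38647 (OMI remote code execution).

Added example; not code from the CISO MAG article or from Microsoft.
Assumptions not stated on the page:
  * the first OMI release that fixes the bug is 1.6.8-1 (from Microsoft's
    advisory for this CVE; confirm against current guidance before relying on it);
  * the package manager reports the version in 'omi-1.6.8-1' form
    (`rpm -q omi` on RHEL/CentOS, `dpkg -s omi` on Debian/Ubuntu);
  * listening sockets come from `ss -Hltn`.
The SAMPLE_* strings are constructed, not captured from a real host.
"""
import re
from typing import List, Optional, Tuple

OMI_FIXED = (1, 6, 8, 1)   # assumption: first release containing the fix
OMI_PORTS = {5985, 5986}   # WSMan HTTP and HTTPS ports the OMI agent can listen on
NETWORK_BINDS = {"0.0.0.0", "[::]", "*"}   # bind addresses reachable from the network

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[.-](\d+)")

# Constructed sample inputs: an old OMI build with its HTTPS listener on all interfaces
SAMPLE_RPM = "omi-1.6.4-1.x86_64"
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:5986  0.0.0.0:*
LISTEN 0 511  [::]:80       [::]:*
"""


def parse_omi_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a four-part version out of strings like 'omi-1.6.8-1' or 'Version: 1.6.8.1'."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def omi_needs_patch(version_text: str) -> bool:
    """True when the installed OMI build predates the fix.

    Unparseable output is treated as needing attention rather than silently passing.
    """
    version = parse_omi_version(version_text)
    return version is None or version < OMI_FIXED


def omi_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for every TCP listener on an OMI port.

    Each `ss -Hltn` line is: State Recv-Q Send-Q Local:Port Peer:Port
    """
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")   # works for "[::]:5985" and "0.0.0.0:5986"
        if port.isdigit() and int(port) in OMI_PORTS:
            found.append((addr, int(port)))
    return found


def assess(version_text: str, ss_output: str) -> str:
    """Combine the two checks into one verdict for a host."""
    if not omi_needs_patch(version_text):
        return "patched"
    listeners = omi_listeners(ss_output)
    if any(addr in NETWORK_BINDS for addr, _ in listeners):
        return "vulnerable-network-exposed"   # reachable remotely: patch first
    if listeners:
        return "vulnerable-local-only"        # loopback only; still patch
    return "vulnerable-not-listening"         # no listener: local attack surface only


if __name__ == "__main__":
    print(assess(SAMPLE_RPM, SAMPLE_SS))   # vulnerable-network-exposed
```

Feed the real output of `rpm -q omi` (or `dpkg -s omi`) and `ss -Hltn` to `assess()`; hosts reported as network-exposed should be patched first, and the listener itself should be restricted or disabled if the WSMan endpoint is not actually needed.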

Diversity of Vulnerabilities

Microsoft stated that Elevation of Privilege (EoP) vulnerabilities accounted for 41.7%, followed by remote code execution (RCE) vulnerabilities (26.7%), information disclosure (16.7%), Spoofing (10%), Security feature bypass (3.3%), and Denial of service (1.7%).

Microsoft strongly recommended users and organizations apply the patches to fix the flaws and prevent potential hacker intrusions.

What Experts Say

Satnam Narang, Staff Research Engineer at Tenable, said, “This month’s Patch Tuesday release includes fixes for 60 CVEs, four of which are rated critical. So far in 2021, Microsoft patched fewer than 100 CVEs in seven of the last nine months, which is in stark contrast to 2020, which featured eight months of over 100 CVEs patched. This month’s release includes a fix for CVE-2021-40444, a critical vulnerability in Microsoft’s MSHTML (Trident) engine. This vulnerability was disclosed on September 7, and researchers developed several proof-of-concept exploits showing the ease and reliability of exploitation. An attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code. There have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware. There are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible.”

The post Microsoft September 2021 Patch Tuesday: Mitigations and Workarounds appeared first on CISO MAG | Cyber Security Magazine.
