Security Posts

Infocon: green

ISC Stormcast For Wednesday, August 21st 2019 https://isc.sans.edu/podcastdetail.html?id=6630
Categories: Security Posts

Keysight World Delivers A Day of Presentations Showcasing Two IT Trends That Will Affect You in 2019

BreakingPoint Labs Blog - 1 hour 31 mins ago
During early spring and summer 2019, Keysight (Ixia’s parent company) hosted a series of technical…

Easier path discovery for network troubleshooting

BreakingPoint Labs Blog - 1 hour 31 mins ago
The cost of managing complex networks is driven up by the time and effort you must spend to…

iBypass and Thoughts in a Traffic Jam

BreakingPoint Labs Blog - 1 hour 31 mins ago
Each of us has sat in standstill traffic, trying to understand why this major highway we drive all…

Are you Feeling the Need for Speed?

BreakingPoint Labs Blog - 1 hour 31 mins ago
If you haven’t seen the official trailer for Top Gun: Maverick, you need to. And if watching the…

Net Optics, Anue, BreakingPoint and Veriwave - Great Ixia Acquisitions

BreakingPoint Labs Blog - 1 hour 31 mins ago
Acquisitions can be tough to get right and easy to get wrong. For example, HP acquired Autonomy for…

EVPN over SRv6 – Simplification with Unified Technology

BreakingPoint Labs Blog - 1 hour 31 mins ago
In my last blog about SRv6, I reviewed SRv6 technology and Ixia’s solution to validate SRv6…

Buddy, Can You Spare a Nano-Second?

BreakingPoint Labs Blog - 1 hour 31 mins ago
Customers in the finance sector often ask the question – “What is latency across an optical tap?”…

Broadcast Industry Revolution - Migration to IP Infrastructure

BreakingPoint Labs Blog - 1 hour 31 mins ago
The broadcast industry has embraced IP technology and is transitioning from traditional serial…

How to Implement Security Monitoring For Critical Infrastructure

BreakingPoint Labs Blog - 1 hour 31 mins ago
I ran across an interesting statistic a couple of weeks ago. According to a Ponemon Institute report…

Hybrid IT Monitoring: The ABCs of Network Visibility

BreakingPoint Labs Blog - 1 hour 31 mins ago
The recently released 2019 State of the Cloud report by RightScale found that 58% of 800…

ISC Stormcast For Wednesday, August 21st 2019 https://isc.sans.edu/podcastdetail.html?id=6630, (Wed, Aug 21st)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Facebook’s New Privacy Feature Comes With a Loophole

Wired: Security - Tue, 2019/08/20 - 23:56
"Off-Facebook Activity" will give users more control over their data, but Facebook needs up to 48 hours to aggregate your information into a format it can share with advertisers.

Vulnerability Spotlight: Multiple vulnerabilities in Aspose APIs

Cisco Talos - Tue, 2019/08/20 - 20:33

Marcin Noga of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.

In accordance with Cisco's disclosure policy, Talos is disclosing these vulnerabilities after numerous unsuccessful attempts were made to contact Aspose to report these vulnerabilities.

Vulnerability details
Aspose Aspose.Cells LabelSst remote code execution vulnerability (TALOS-2019-0794/CVE-2019-5032)
An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of the Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Read the complete vulnerability advisory here for additional information.
Aspose Aspose.Cells Number remote code execution vulnerability (TALOS-2019-0795/CVE-2019-5033)
An exploitable out-of-bounds read vulnerability exists in the Number record parser of the Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Read the complete vulnerability advisory here for additional information.
Aspose Aspose.Words EnumMetaInfo code execution vulnerability (TALOS-2019-0805/CVE-2019-5041)
An exploitable stack-based buffer overflow vulnerability exists in the EnumMetaInfo function of the Aspose Aspose.Words library, version 18.11.0.0. A specially crafted DOC file can cause a stack-based buffer overflow, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.

Versions tested
CVE-2019-5032 and CVE-2019-5033 affect Aspose.Cells, version 19.1.0. CVE-2019-5041 affects Aspose.Words, version 18.11.0.0.

Coverage
The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 49756, 49757, 49760, 49761, 49852, 49853
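The two Aspose.Cells bugs above are over-reads in the handlers for fixed-layout BIFF records. As an added example that is not Aspose's code and is not part of the Talos advisory, the Python below walks the BIFF8 record stream of a legacy .xls file and contrasts a parser that trusts a record's declared length with one that checks it. The record layouts follow the public BIFF8 format; the sample streams are constructed here, and the "adjacent memory" bytes are a model of what a native parser would read past the end of the file buffer, not data from any real file.

```python
"""
Added example (not Aspose's code): a minimal walker for the BIFF8 record
stream in a legacy .xls workbook, showing the length checks a record
parser such as the LabelSst or Number handler needs before it trusts a
record's declared size.

Public BIFF8 layout: each record is a 2-byte type and a 2-byte length,
then 'length' payload bytes. A LabelSst payload is rw(2) col(2) ixfe(2)
isst(4) = 10 bytes; a Number payload is rw(2) col(2) ixfe(2) num(8, IEEE
double) = 14 bytes. All sample bytes below are constructed for the example.
"""
import struct

RT_EOF = 0x000A
RT_LABELSST = 0x00FD
RT_NUMBER = 0x0203

RECORD_HEADER = struct.Struct("<HH")    # type, length
LABELSST_BODY = struct.Struct("<HHHI")  # rw, col, ixfe, isst
NUMBER_BODY = struct.Struct("<HHHd")    # rw, col, ixfe, num


class MalformedRecord(ValueError):
    """Raised by the checked parser when a record lies about its size."""


def parse_records_unchecked(buf, file_len):
    """Unsafe parser. 'buf' models process memory; only its first file_len
    bytes are the file. Bodies are unpacked at the offset the header points
    to without comparing the declared length against the body size, so a
    short final record is read past the end of the file."""
    off, cells = 0, []
    while off + RECORD_HEADER.size <= file_len:
        rtype, rlen = RECORD_HEADER.unpack_from(buf, off)
        off += RECORD_HEADER.size
        if rtype == RT_LABELSST:
            rw, col, _ixfe, isst = LABELSST_BODY.unpack_from(buf, off)  # no rlen check
            cells.append(("labelsst", rw, col, isst))
        elif rtype == RT_NUMBER:
            rw, col, _ixfe, num = NUMBER_BODY.unpack_from(buf, off)      # no rlen check
            cells.append(("number", rw, col, num))
        elif rtype == RT_EOF:
            break
        off += rlen
    return cells


def parse_records_checked(data):
    """Hardened parser: every read is bounded by the buffer and by the
    record's own declared length, and fixed-size bodies must fit."""
    off, cells = 0, []
    while off < len(data):
        if len(data) - off < RECORD_HEADER.size:
            raise MalformedRecord(f"truncated record header at offset {off}")
        rtype, rlen = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if rlen > len(data) - off:
            raise MalformedRecord(
                f"record 0x{rtype:04X} declares {rlen} bytes, {len(data) - off} remain")
        body = data[off:off + rlen]
        if rtype == RT_LABELSST:
            if rlen < LABELSST_BODY.size:
                raise MalformedRecord(f"LabelSst body is {rlen} bytes, need {LABELSST_BODY.size}")
            rw, col, _ixfe, isst = LABELSST_BODY.unpack_from(body)
            cells.append(("labelsst", rw, col, isst))
        elif rtype == RT_NUMBER:
            if rlen < NUMBER_BODY.size:
                raise MalformedRecord(f"Number body is {rlen} bytes, need {NUMBER_BODY.size}")
            rw, col, _ixfe, num = NUMBER_BODY.unpack_from(body)
            cells.append(("number", rw, col, num))
        elif rtype == RT_EOF:
            break
        off += rlen
    return cells


def is_malformed(data):
    """True if the checked parser rejects the stream."""
    try:
        parse_records_checked(data)
    except MalformedRecord:
        return True
    return False


def record(rtype, payload):
    return RECORD_HEADER.pack(rtype, len(payload)) + payload


# Constructed well-formed stream: one Number cell, one LabelSst cell, EOF.
GOOD_STREAM = (record(RT_NUMBER, NUMBER_BODY.pack(0, 0, 15, 3.5))
               + record(RT_LABELSST, LABELSST_BODY.pack(0, 1, 15, 7))
               + record(RT_EOF, b""))

# Constructed malformed stream: the final LabelSst record declares only
# 4 payload bytes (rw=2, col=3) and the file ends right after them.
BAD_STREAM = (record(RT_NUMBER, NUMBER_BODY.pack(0, 0, 15, 3.5))
              + record(RT_LABELSST, b"\x02\x00\x03\x00"))

# Model of the bytes that sit after the file buffer in memory; the file
# itself never contained them.
ADJACENT_MEMORY = b"\xAA" * 16

if __name__ == "__main__":
    print(parse_records_checked(GOOD_STREAM))
    # The unchecked parser "succeeds" on the crafted stream and returns an
    # isst of 0xAAAAAAAA, an index read from memory past the end of the file.
    print(parse_records_unchecked(BAD_STREAM + ADJACENT_MEMORY, len(BAD_STREAM)))
    print(is_malformed(BAD_STREAM))
```

Run as a script, it prints the cells parsed from the good stream, the cell the unchecked parser fabricates from the crafted stream (its shared-string index comes from bytes outside the file), and the rejection from the checked parser. The defender's takeaway is the shape of the check, not the Python: a record's declared length must be validated against the remaining buffer, and a fixed-layout body must be validated against the declared length, before any field is read.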

A Huge Ransomware Attack Messes With Texas

Wired: Security - Tue, 2019/08/20 - 18:00
A coordinated strike against 23 local governments is called the largest such hack from a single source.

What you — and your company — should know about cyber insurance

Cisco Talos - Tue, 2019/08/20 - 17:11

By Jon Munshaw and Joe Marshall. 

It’s no longer a question of “if” any given company or organization is going to be hit with a cyber attack — it’s when. And when that attack comes, who is willing to take on that risk?

For some groups, it may be that they feel they are fully prepared to take on the challenge of defending against an attack or potentially recover from one. But cyber security insurance offers the ability to transfer that risk to an insurance company that can help you with everything from covering lost revenue to providing incident response as soon as you detect an attack.

Even back in 2016, Cisco Talos called the realm of cyber insurance “new and immature.”  But since then, the market has changed drastically, and these kinds of policies are becoming more popular. Still, some businesses have been slow to adopt these policies. According to a study by J.D. Power & Associates and the Insurance Information Institute released in October 2018, 59 percent of businesses still do not have any form of cyber insurance.

But a recent wave of attacks — including the takedown of computer systems in Baltimore, a multi-million-dollar settlement from Equifax over a 2017 data breach, and the recent theft of millions of Capital One customers’ information — shows why it’s important to remain prepared for these kinds of scenarios.

Equifax is still recovering from a massive data breach in 2017 that cost the company hundreds of millions of dollars. A cyber policy the company had covered $125 million in costs associated with the attack, though Equifax admittedly could have used a bigger policy considering the breach cost a total of $1.4 billion.

Is cyber insurance the right choice for your company or organization? We spoke to two cyber insurance experts to get answers to the questions we had around cyber insurance to help you make an informed decision.

How similar is cyber insurance to the insurance we’re all used to (health, car, etc.)? Turns out, not very. Catherine Rudo, the vice president of cyber insurance at Nationwide, said handing out cyber insurance policies is nothing like other, more conventional policies. Rudo agreed to speak with Talos regarding security policies across the board and said her comments do not reflect the traditional Nationwide policy.

“If you compare cyber to property [insurance], I don’t think there’s a direct comparison,” she said. “Cyber stands on its own. It’s something that’s closer to a liability policy … not everyone needs it in the same way, but everyone needs it.”

Rather than the plug-in and play model of other policies like car insurance, where you’d put in the specific make, model, year and amount of coverage needed for your car, and the insurer spits out a quote, each cyber policy is going to be different.

Rudo said each policy must be assessed and written on a case-by-case basis. There’s a wide variety of factors that need to be considered, including intellectual property, potential extortion payments, liability coverage, etc.

For example, the risks inherent with a cyber policy for an electric company would be entirely different than a clothing store that collects point-of-sale payments.

What do insurers do to calculate initial risk in these policies? For an insurance company to underwrite a policy for a company, organization or even government entity, the insurer must evaluate several different areas of security risk.

For example, Rudo said that on most cyber insurance applications, the potential insured must answer questions about patching cadence, the number of endpoints that access their network, what (if any) firewalls are in place and what third-party vendors the company works with.

Leslie Lamb, Cisco’s head of risk management, knows firsthand what the application process is like.

Lamb has been a part of every cyber insurance policy Cisco has ever purchased, and said every year, they reassess the policy and always try to get additional coverage in some form or another. She said Cisco’s CISO, Steve Martino, has met with insurance underwriters every year to discuss what Cisco does to limit exposure to attackers, what new intelligence partnerships are in place and how the company mitigates risk.

“We essentially do a roadshow for them,” Lamb said, adding that the process usually starts about 120 days prior to the expiration of Cisco’s current policy.

There’s also the inherent risk that comes with certain industries. For example, public institutions may have a more expensive policy because they handle a large amount of intellectual property, making them a more enticing target.

There’s also the issue of the size of the business — obviously, larger companies are going to be targeted more often than a mom-and-pop corner store.

Rudo said that the premiums may even increase if the potential insured has a higher appetite for risk than another company or organization.

How long have cyber policies been around? Lamb says a common misconception is that cyber insurance policies have only been around for a few years, when in fact, they’ve existed for about 15 years, even dating back to the Y2K scare.

But Lamb said the popularity of the market has increased dramatically over the past five years.

“It has grown exponentially because of the things that have been happening,” she said. “People are aware of what’s going on...no one is immune to having a cyber incident.”

Lamb said many multi-national companies have had cyber insurance policies as long as they’ve been around, but middle-market companies are just starting to pick up on the trend now.

Are there limits to how much a policy may pay out for one attack alone? This will vary from policy to policy, but most of the time, yes.

Rudo said companies seeking out cyber insurance policies will shop around between companies looking for which insurer can offer them a larger “policy aggregate,” meaning the total amount the policy will cover.

Another option could be to take out a policy covering a certain number of records that could be stolen in an attack.

“There are some policies that have a limit for how much they’ll spend, but they’ll have a number of records,” she said. “Some policies will say they’ll give ‘X’ million for your data breach, and another may say they’ll cover ‘X’ number of records. These policies don’t tabulate the amount, just the number of records taken.”

What happens after you’re attacked? Bad news: you’ve been attacked and are now infected with ransomware. Good news: you purchased a cyber insurance policy.

This varies from policy to policy, but some insurance companies will even go as far as to provide boots-on-the-ground incident response and forensic assistance to help you recover your data and restore operations as quickly as possible.

Here’s why that makes sense for the insurer: if it can help you recover your data, the damages realized will be less severe, which reduces the monetary amount of the claim and gets the victim back to normal activity as quickly as possible.

In some cases, the insurer will act as an intermediary between the attacker and the victim to help pay the ransom if that’s the route the victim wants to take.

“If a customer chooses to pay the ransomware, the insurance company will pay it, and the insurance company will sometimes facilitate [the payment],” Rudo said. “They can access a vendor to help with the ransomware payment. An insurance company will also respect the wish of the client if they choose not to pay the ransom.”

For example, an insurance company can even assist the victim in converting traditional currency into cryptocurrency, which the attacker may request as payment.

To hear Talos’ take on whether to pay the ransom in these kinds of attacks, you can check out our roundtable here.

Once the insured has completely recovered from an attack, the insurer will usually re-evaluate the policy and premium. The insurance company will look at things like if the initial attack vector was remediated, if the attacker was completely eradicated from the system and what new protections may be in place post-infection.

What is the timeframe for which the policy will cover an attack? For example, what would happen if an attacker had been in a victim’s system for a year, but the insured only took out a policy six months ago? These policies pay out on discovery. So, for example, if a retailer had card-skimming malware sitting on its systems since January, but the company only took out a policy in October, the attack would still be covered if the breach was discovered in November of that same year.

“These policies are on a discovery basis,” Rudo said. “The policy begins when the buyer has discovered the loss. The only way there might be an exclusion is if there’s a retroactive date [on the policy].”

What is Cisco’s role in all of this? Last year, Cisco, Aon, Apple and insurance company Allianz collaborated to launch the industry’s first cyber risk management solution.

The solution combines cyber resilience evaluation services from Aon, technology from Cisco and Apple, and options for enhanced cyber insurance coverage from Allianz. “Enhancements” to the traditional insurance policy that this program offers may include severance pay for CISOs in the event of a termination after a breach, special support agreements if the insured uses a certain percentage of Apple products and a shorter waiting time for coverage to kick in, according to Lamb.

Organizations using Cisco Ransomware Defense are eligible for such enhancements from Allianz.

Other considerations 
  • Rudo said intellectual property is generally not covered by security policies because it is too difficult to quantify. 
  • There are other liability policies that may be available to cover attacks that cause harm to a third party. For example, if an internet-of-things device was hacked in a way that it malfunctioned and injured a user, a cyber insurance policy would generally not cover that, but a separate liability policy would. 
  • Many insurance companies will have “cyber security panels” that step in during some attacks to aid and provide advice to the victim. Lamb said Cisco is currently part of a few of these types of panels, and is looking to join more. 

Flex Your Time-Sensitive Networking (TSN) Conformance Testing

BreakingPoint Labs Blog - Tue, 2019/08/20 - 16:46
Many times, my customers tell me that validating time-sensitive networking (TSN) is a big challenge…

How Bug Bounty programs work

AlienVault Blogs - Tue, 2019/08/20 - 15:00
With cybercrime on the rise, companies are always looking for new ways to ensure they are protected. What better way to beat the hackers than to have those same hackers work FOR you. Over the past few years, corporations have turned to Bug Bounty programs as an alternative way to discover software and configuration errors that would otherwise have slipped through the cracks. These programs add another layer of defense, allowing corporations to resolve the bugs before the general public is made aware of or harmed by them.

Bug Bounty programs allow white-hat hackers and security researchers to find vulnerabilities within a corporation’s (approved) ecosystem in exchange for recognition and/or a monetary reward for disclosing them. For the corporation, this is a cost-effective way to have continuous testing, and when a vulnerability is found, the reward can still be significantly less than the cost of a traditional pen test.

Hunter & Ready started the first known bug bounty program in 1983, adopting the motto “Get a bug if you find a bug”: anyone who found a vulnerability would receive a Volkswagen Beetle. In 1995, Netscape Communications Corporation coined the phrase ‘Bug Bounty’ when it launched a program offering rewards to anyone who could find flaws in the Netscape Navigator 2.0 Beta. The idea didn’t immediately take off. It took Google launching its program in 2010 to really kickstart the trend, but according to HackerOne, by the end of 2018 over 100,000 vulnerabilities had been submitted and $42 million paid out. In 2018 alone, an estimated $19 million was awarded, more than all of the previous years combined.

The most frequently reported vulnerability type was cross-site scripting, followed by improper authentication (with a high number of big payouts recorded in the financial services and insurance sectors); information disclosure rounds out the top three, with most of those bugs reported in the electronics and semiconductor industry.

Today, about 6% of the Forbes Global 2000 companies have Bug Bounty programs, including Facebook, United Airlines, and AT&T. AT&T was the first telecommunications company to announce the launch of its program, in 2012. AT&T’s program has a fairly wide scope, allowing almost any vulnerability found within its environment to be eligible for a reward. As other telecommunications companies started their programs, AT&T was used as a resource for insight on what works well and what doesn’t.

While there are hundreds of bug bounty programs, no two are exactly alike. There has been a big shift away from managing these programs internally toward outsourcing them to third parties. Although these programs are most talked about in the technology industry, organizations of all sizes and industries have started Bug Bounty programs, including political entities. Both the European Union and the US Department of Defense have launched programs in recent years. The EU launched its program in January 2019, inviting ethical hackers to find vulnerabilities in 15 open source projects that the EU institutions rely on and providing a 20% bonus if the hacker also supplies a fix for the vulnerability reported. The DoD’s Defense Digital Service team launched ‘Hack the Pentagon’ in 2016 for all public-facing sites, paying $75,000 for 138 vulnerabilities.

Bug Bounty rewards typically range from a few hundred to a few thousand dollars, but higher rewards are available. In 2019, the first researcher reached $1 million in total earnings, and the average payout for a critical bug increased 6% from 2017 to $2,041. Payouts vary greatly depending on the type of vulnerability, the information exposed, and the company. Multi-factor authentication (MFA) bypass is one of the most lucrative vulnerability classes, with payouts up to $100,000, and government was the highest-paying industry. Payouts are anticipated to keep rising, reaching $100 million by 2020. As hackers continue to get smarter, it’s critical that companies use every option available to avoid a security breach. Bug Bounty programs have become a great option for corporations of all sizes.

Beers with Talos Ep. #59: The tardy episode

Cisco Talos - Tue, 2019/08/20 - 14:34

Beers with Talos (BWT) Podcast episode No. 59 is now available. Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing, click here.
Recorded 8/2/19 - Yes, I know what today’s date is. We got really busy last week and I am sorry that the podcast is late. Really, I wish I wasn’t writing these notes at 12:#0r4-j3pofw…. What? Anyway, we talk about malvertising and dig into that ecosystem a bit looking at some of the competing priorities (hint: none of them are your privacy). We also discuss BlueKeep making its debut in Canvas and surely soon to follow in other fine pen testing platforms. We use that opportunity to review a little bit of RDP knowledge and defense. We’re recording again tomorrow and I really don’t want to hear what my co-hosts will say if this isn’t out by then, so I’m going to go hit publish now.

The timeline:
  • 01:18 - Roundtable - No one cares about security, end of the dark times is neigh, Cockney Joel
  • 11:50 - Malvertising - how it works and how to stop it (hint: block all the ads)
  • 31:30 - BlueKeep in Canvas - a review in RDP vulnerability
  • 45:00 - Parting shots and closing thoughts

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler) and Nigel Houghton (@EnglishLFC).

Hosted by Mitch Neff (@MitchNeff)

Subscribe via iTunes (and leave a review!)
Check out the Talos Threat Research Blog
Subscribe to the Threat Source newsletter
Follow Talos on Twitter
Give us your feedback and suggestions for topics: beerswithtalos@cisco.com


Finally, a Lightning YubiKey to Kill Password Clutter on Your iPhone

Wired: Security - Tue, 2019/08/20 - 14:00
First promised back in January, the first YubiKey for iOS will help cut down on painful password clutter starting ... now.