Security Pros Must Join Forces to Combat the Internet of Evil Things

InfoSecurity Magazine

Aug 26, 2015

By Dave Porcello


Vulnerable IoT devices and low-cost, plug-and-play cyber-espionage tools represent an emerging threat vector: the ‘internet of evil things’ (IoET). Dave Porcello argues infosec pros need to better understand this threat and collectively develop a standardized framework and taxonomy to enable IoET information exchange.

The line between personal and business communications has blurred beyond recognition. Business computing is no longer the beige box that sits on your desk or the company-issued PDA. Instead, today’s IT infrastructure is an unmanaged mix of company-issued equipment, personal devices (BYOD) and off-network IoT or ‘smart devices’ outside the ownership and control of the enterprise.

While device vendors rush to capitalize on consumer IT and the ‘internet of everything’, important questions are being left unanswered. How can such a diverse assortment of devices and technologies be effectively policed to ensure the security of our personal and business networks? How can personal privacy be maintained in a world where everyday objects are constantly recording the user’s every move?

In a recent study, 83% of over 600 information security professionals indicated they were concerned about rogue and unauthorized devices operating within their organization without their knowledge. What’s worse, 69% revealed they are unable to even detect the wide array of computing devices currently in use across their enterprise.

Security professionals recognize this threat, but are still finding themselves unable to combat it effectively. With estimates predicting there will be up to 40 billion connected devices in operation by 2020, there is precious little time to develop effective defenses against this ever-expanding threat vector.

(Original Article)

Keep these cyberthug holidays marked on your calendar

CSO Online

Aug 19, 2015

By David Geer


It’s no happy day for enterprises when cyber thugs celebrate their favorite ‘holidays’—special days when they attack with even more cunning and fervor. Learn these days and get ready to respond to related exploitations.

  1. Software Support Retirement / End of Support Day. This is the date when support ends for any OS or software package. Unsupported software leaves enterprises open to attack. Because the vendor will no longer make general releases of security patches, each new hole attackers uncover will remain vulnerable.

To prepare for this day and defend the enterprise against such attacks, investigate the availability of extended support offered by the vendor at a premium. Weigh that cost against an investment in deploying the latest software product or version that replaces the older product. Either of these avenues is going to cost you.

If neither option will fit your budget, consider a refresh roadmap that includes well-supported open-source software for applications where the reward outweighs the risk. This software can be more affordable to update.

(Original Article)

True Disruption: What It Will Really Take

In between Black Hat meetings, demos, briefings and networking events, I headed down the streets of Las Vegas to AGC Partners’ Distrupt!on 2015 to participate in some hard-hitting conversations about the current state of the cyber security industry – and where we’re going.

It’s no secret that cyber threats are proliferating at terrifying speeds and increasingly making their way into the mainstream. AGC co-founder Maria Lewis Kussmaul’s opening remarks pointed to one of the major challenges that we, as an industry, face in getting ahead of these threats: the security ecosystem trichotomy, comprised of three distinct groups of technology providers:

  • The “old guard” technology companies – from Symantec to McAfee to HP – who have fallen behind and gotten lost in this new threat landscape
  • The “undecided” companies, i.e. Cisco and IBM, who have dipped their toes in the water but haven’t moved their offerings beyond table stakes
  • The hungry, early-stage companies, such as Palo Alto Networks, that are working hard to crack the code and emerge as the next-generation security leader, but face challenges in innovating and scaling rapidly enough to make it happen

One particular area where this segmentation is palpable is threat intelligence. A hot industry buzzword for years, threat intelligence products and services are finally delivering real value and profit to customers and investors. But despite the slew of new data and analytics available, organizations are still struggling to harness this information and preemptively get in front of threats to shut them down before real harm is done. A panel of experts, led by Wendy Nather of the Retail Cyber Intelligence Sharing Center, discussed how, despite the surge in threat intelligence offerings, Fortune 100 companies are still unprepared to handle the advanced threats looming on the horizon. One only has to pick up a newspaper to realize the severity of the problem: the string of headlines announcing crippling cyber attacks on major corporations seems never-ending.

Though the true promise of threat intelligence technology has yet to be realized, advancements are certainly being made. Yet as an industry, we could be moving so much faster, and be so much more effective if it weren’t for the complacency of the “old guard,” and the hesitation of the non-committal “undecided.” Imagine if these players – with their massive resources, huge R&D teams, scalable infrastructure and global partnership networks – would just go all in and make cyber security a core focus and top priority. Imagine the possibilities of banding together – leveraging the strengths of the established players and the agility and creativity of the next generation who have already made cyber security their mission.

What’s happening in our industry today reminds me of the legendary gladiator fights of ancient Rome. The modern-day gladiators – the emerging companies, the innovative minds that work for them and the investors who believe in them – are taking extraordinary risk and putting everything they’ve got on the line. Meanwhile, the old guard sits back and simply spectates. But the fact is, time is on no one’s side in this cyber security game. While the big guys watch the little ones fight for survival, the whole city is being stealthily surrounded by a host of formidable, motivated adversaries who will inevitably find ways to break in and take down the entire empire.

Walking back from the conference to Black Hat headquarters, I couldn’t help but sigh when I saw an old-school limo roll by me, plastered in a Symantec ad that read “Advancing Security.” If only that were true.

Kicking Off Black Hat 2015: Detecting the Signs That Give Attackers Away

The Pwnies have officially landed in Las Vegas! As we kick off what is sure to be an exciting week at Black Hat/DEF CON, we’ve been struck by how mainstream (and sobering) this year’s research and vulnerability disclosures are – for security pros and consumers alike. Theoretical conversations about hackers’ abilities to cause destruction – even death – in the future have become today’s reality. We’ve truly entered an era in which virtually anything can be turned into a weapon to cause harm.

For example, in late July, the world was shocked to learn that two security researchers had successfully pulled off a remote takeover of a Jeep – while it was traveling down a public highway at 60+ miles per hour. A WIRED piece this week highlighted a new experiment in which security researchers found a way to seize control of electric skateboards and toss riders. And at Black Hat, security researchers Runa Sandvik and Michael Auger will reveal how to hack a $13,000 sniper rifle via its Wi-Fi connection and exploit vulnerabilities in its software to alter targeting and affect how the ammunition is fired.

Scary stuff.

But there is a silver lining. Just think of a movie scene – when a sniper takes aim at a target, there’s always a quick flash of the gun in the sunlight, or the telltale red point of the laser from the weapon’s scope. There’s always something – albeit subtle – that gives away the shooter’s position. And the same is true of cyber attackers. There are always signs. You just need to know how to spot them.

As in our personal lives, it’s time to accept that the devices we use every day to do our jobs are inherently insecure. We can no longer rely on anything to be truly safe (read more in our Internet of Evil Things study). That’s why an enterprise-wide device detection and protection strategy is so critical to regaining control from malicious attackers or, more often, employees who unintentionally wreak havoc. This includes:

  1. Discovery of all Internet-enabled devices (wired, wireless, Bluetooth, cellular, etc.)
  2. Real-time threat alerts for high-risk devices: unauthorized, known-bad, vulnerable, misconfigured, suspicious
  3. Identification, fingerprinting, and historical logging for all detected devices
  4. Continuous discovery of changes in device attributes and device behavior
  5. Effective rapid threat response capabilities including device “track & disable” & SIEM/WIPS integration
  6. Auditing and validation of existing security controls, including enterprise wireless infrastructure and device management technologies
  7. Secure, centralized management with enterprise-class reporting, trending, peer benchmarking, & cross-sensor correlation

Interested in learning more? Stop by the Pwnie Express Black Hat Booth #IC1 for a demo of Pwn Pulse, the industry’s first full visibility and threat detection platform for the enterprise. And while you’re there, head across the hall to our meeting room MBR 217 to meet with internationally renowned security expert, author and Pwnie Express Infosecurity Ranger Jayson E. Street and grab a signed copy of his soon-to-be-released book Dissecting the Hack: The V3rb0t3n Network.