Comments
Cyber Criminals Operate On A Budget, Too
jaingverda,
User Rank: Moderator
4/8/2014 | 12:51:29 PM
ReUse not Redo
The low-hanging fruit analogy is somewhat disingenuous considering today's antivirus scanners. It's long been known that small tweaks to the code base will evade the scanner's signature detection. So why would a criminal, just like a business, spend hours and hours writing new code when all you have to do is tweak a couple of methods and maybe swap some variable names around to make the virus work again for a couple of days to a couple of months? That is the best ROI that the criminal can have, especially with limited resources. It's analogous to throwing the baby out with the bathwater.

The time has come to try and find a new way of writing antivirus, though. The hackers and criminals are making too many new viruses for signature detection to work effectively anymore. Really, the best spot to trap this stuff would be at the network level, using something similar to deep packet inspection and network analysis on the fly. Ideally the best protection is to maintain a whitelist, which we all know.
Bob Covello,
User Rank: Apprentice
4/8/2014 | 10:46:00 AM
Re: Same old, same old
Same Old?

No way.

While Websense may not immediately offer the advice that you ask about, it is up to us as security professionals to stay abreast of new threats and mitigations. Sometimes, we have to create the mitigation for our particular environment.

As long as we share the knowledge, the attackers have a weaker foothold on the rest of their targets.
GonzSTL,
User Rank: Ninja
4/8/2014 | 9:37:44 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
Interesting that a CIO would actually perform the test and publish the names of people who failed it. I would have asked the following: "Did the test cross all levels of the organization, and did anyone in the upper levels fail? If so, were those names published?" Personally, I would have just published statistical results of the test, and delivered counsel to each person who failed one-on-one. There is very little point in publicly humiliating someone in the organization, and even more so if it turns out that person did not receive any awareness training. I'm sure his tactic was effective, but I do question the method.
Marilyn Cohodas,
User Rank: Strategist
4/8/2014 | 9:26:53 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
All very good points! And I totally agree with your statement that security awareness starts at the top. I had a conversation not too long ago with a CIO who said he periodically sent out a phishing email to all his employees to test their security awareness. He published the names of people who opened the link & he said it was a very effective tactic.
GonzSTL,
User Rank: Ninja
4/8/2014 | 9:03:21 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
@Marilyn, there are a variety of reasons why user awareness training is lacking at organizations. From what I have seen, the biggest obstacle is the cost. For example, in an organization with 3000 users, effective user awareness training can be many hours per person during the course of a year. Even if it is limited to two hours, that's 6000 man-hours taken away from user productivity. Although one can argue that training is a plus for users and, by extension, for the organization, the benefit of awareness training is not easily measurable in terms of the bottom line. To simplify, assume that the 3000 users' average pay is $10/hour (quite low), and 2 hours of training is delivered in a year. That's a $60,000 expense (without training preparation, etc.), and how much did it add to production? Zero! So not only did the organization spend the 60K, but it also lost 6000 hours of productivity. Additionally, an effective training program requires a lot of preparation, coordination, and strategy. Does the organization have the internal resources to adequately deliver the training, or do they have to contract an external resource? Add to that the difficulty of measuring the effectiveness of training. Sure, you can administer tests that measure information retention, but how do you measure the effectiveness with respect to the overall security of IT assets? If the organization was not breached, was it because users were more aware of security? Hard to tell. If the organization was breached, was the training money ill-spent? Again, hard to tell. The best way to create an effective awareness training program is to drive it downwards in an organization. The best way to create that environment is to have a champion at the C level who sees the need and commits the necessary resources. Overall, it is a very tough call.
Marilyn Cohodas,
User Rank: Strategist
4/8/2014 | 8:08:46 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
Great point about security awareness, @GonzSTL. In your experience, what are the major reasons organizations don't invest in more user awareness training? Is it simply a financial issue or ROI, or are the problems with the effectiveness of the training programs themselves?
Marilyn Cohodas,
User Rank: Strategist
4/8/2014 | 8:03:31 AM
Patch Management and Windows XP
You raise an interesting -- and timely -- point about patch management, Pierluigi. With the final Patch Tuesday for Windows XP being issued today, the opportunities for hackers will be increasing exponentially!
securityaffairs,
User Rank: Ninja
4/2/2014 | 6:56:13 PM
Re: Same old, same old
I'm not surprised. If we analyze the data related to patch management processes, we can observe that in the majority of cases the window of exposure to cyber threats is very long (more than 18 months). In this period it is quite easy to acquire in the underground any kind of tool that is able to exploit well-known vulnerabilities.

These exploits are cheap and very effective against all those systems that haven't been properly managed.

Patch management is a critical component in the product lifecycle ... cybercrime knows it!
GonzSTL,
User Rank: Ninja
4/2/2014 | 4:16:40 PM
RE: Cyber Criminals Operate On A Budget, Too
"Same old, same old", "low-hanging fruit", "defense in depth", "best practices" ... all these are clichéd phrases, but they still remain critical to achieving a high security posture. Undoubtedly, the bad guys are better funded than the good guys, so we good guys cannot outspend the bad guys. We just have to optimize our resources to get the most "bang for our buck" (yes, also a cliché). The unfortunate fact remains that the biggest obstacle to elevating security is the security awareness and practices of human beings. Additionally, awareness training costs money - lots of it, relative to the size of an organization. It is a difficult expense to justify because the results are intangible, and metrics that measure effectiveness are difficult to assemble. Now, from a bad guy's perspective, why wouldn't he recycle old tools? Why reinvent the wheel when you can modify it at a considerably lesser expense? Why not target the weakest link - a fellow human?
Randy Naramore,
User Rank: Ninja
4/2/2014 | 11:59:12 AM
Re: Same old, same old
True. I re-read your post and agree.