Comments
Key Biscayne Hit by Cybersecurity Attack
tdsan
User Rank: Ninja
7/5/2019 | 7:35:42 PM
Re: Burnt by the Stove
I am definitely in agreement with you there. All the points you stated were right on. But you have to ask yourself: if we continue to do the same thing (the definition of insanity is to continue doing the same thing while expecting a different outcome) and the ransomware continues to get into the system, that means one of three things:
  • The security systems we have in place are not doing their job and the people managing them are not up to par
  • We need to start looking at security from a different perspective or approach and apply a different set of rules, because quite frankly, this is not working
  • Finally, we have to address the issue with executives; they, along with the rest, are not listening to our concerns

I brought up numerous points and suggested to the group: "how do we secure a protocol (IPv4) that is not securable?" (this question is from a buddy of mine by the name of Mike). How are we addressing different scenarios using the same methods and the same tools while ransomware still gets through? That means our design and concepts of thinking have to change. Look at what Kevin Mitnick said:

He stated that AV is basically useless; he was able to exploit a vulnerability in the application (Adobe Acrobat XI or 11) where the AV scanned it twice and said it was OK (he even said McAfee is good only for making videos, wow). Look at what he found: the malware is installed on your machine, and this is with PDFs. This is just one example of how the hacker is getting into the network: the file is downloaded to the desktop, then the file starts to encrypt your filesystem within one minute of the file being opened.

What I have found is that we need to start looking at the following:
  • Move to IPv6, utilize IPsec ESP/AH (Encapsulated Secured Payload and Authenticated Headers) VPN capability
  • Install HIDS on the workstations/desktops (this will help with the execution of applications that could be considered problematic)
  • Encryption should not be an option, it should be required
  • NIPS (Network Intrusion Prevention System) should be installed as well; this will help with identifying traffic that comes in and out of the network, and it can stop the application from processing or continuing
  • NGFW (NG = Next Generation Firewall) - should be able to capture and filter traffic that is considered nefarious
  • NGAV - we have AVs that perform machine learning; we need to purchase and enable this software because the signature approach is no longer working, and we need the software to be able to make decisions based on what it has learned
  • There should be a centralized brain where the logs, NIDPS (Network Intrusion and Prevention System), HIDS, NGFW, NGAV all tie into the same system, but this SIEM is intelligent enough and fast enough to create quasi-Big-Data correlations; this should be done in real-time. Also, the system needs to be intelligent enough to make a decision based on the level of confidence without user intervention
  • We need to invoke two-user access/authentication to data (require two users to turn a key at the same time while one works on that system, similar to the way missiles are launched)

Todd
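One way to picture the "centralized brain" the comment above asks for, as an added illustration that is not part of this thread or of any product: a small Python correlator over constructed HIDS/NGAV/NGFW/NIPS alerts. The hostnames, timestamps, per-source weights, one-minute window and 0.8 action threshold are all assumptions; the point it shows is that automated action fires only when at least two independent sensors agree within the window, while a lone alert is queued for a person.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from the sensor types the comment names. Hostnames,
# timestamps, event text and each source's "weight" are assumptions.
ALERTS = [
    {"ts": "2019-07-05T19:30:01", "src": "NGFW", "host": "ws-17", "event": "outbound to uncategorised domain", "weight": 0.3},
    {"ts": "2019-07-05T19:30:08", "src": "NGAV", "host": "ws-17", "event": "ML model flagged child of PDF reader", "weight": 0.5},
    {"ts": "2019-07-05T19:30:20", "src": "HIDS", "host": "ws-17", "event": "burst of file renames in user profile", "weight": 0.6},
    {"ts": "2019-07-05T19:45:00", "src": "NIPS", "host": "ws-04", "event": "port scan signature", "weight": 0.3},
]
WINDOW = timedelta(seconds=60)  # alerts must fall within one minute of each other
ACT_THRESHOLD = 0.8             # assumed confidence above which we act unattended


def alert_time(alert):
    return datetime.fromisoformat(alert["ts"])


def combined_confidence(cluster):
    # Treat each weight as an independent chance of real compromise and combine
    # them as 1 - prod(1 - w): several weak signals can pass the threshold even
    # though no single sensor would on its own.
    miss = 1.0
    for a in cluster:
        miss *= 1.0 - a["weight"]
    return 1.0 - miss


def correlate(alerts, window=WINDOW, threshold=ACT_THRESHOLD):
    # Per host, slide the window over time-ordered alerts and keep the strongest
    # cluster that contains at least two distinct sensor types; a lone sensor
    # never triggers unattended action by itself.
    by_host = defaultdict(list)
    for a in sorted(alerts, key=alert_time):
        by_host[a["host"]].append(a)
    verdicts = {}
    for host, items in by_host.items():
        best, best_sources = 0.0, set()
        for i, first in enumerate(items):
            cluster = [x for x in items[i:] if alert_time(x) - alert_time(first) <= window]
            sources = {x["src"] for x in cluster}
            if len(sources) < 2:
                continue
            score = combined_confidence(cluster)
            if score > best:
                best, best_sources = score, sources
        verdicts[host] = {"confidence": round(best, 3), "sources": sorted(best_sources),
                          "action": "isolate host" if best >= threshold else "queue for analyst"}
    return verdicts
```

Running `correlate(ALERTS)` marks ws-17 for isolation on the agreement of three sensors, while ws-04's single NIPS hit goes to an analyst queue.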
bushmann
User Rank: Apprentice
7/5/2019 | 10:40:36 AM
Re: Burnt by the Stove
I take a different view on this - blame the security folks, including myself. We keep talking about the same thing over and over, like compliance checkboxes, audit lists, regulations, organizational change cultures, etc., but how about viewing all these as our security partners/tools contributing to securing assets in a holistic and comprehensive way? Business executives understand these checkboxes, whereas security folks don't and keep crying fault. When a breach occurs in your organization, who stands in front of the media, security folks or your business?

Security is a part of the overall business and must be viewed as a trusted advisor/partner to the business in identifying risk, educating business owners about risk, and recommending controls to reduce risk, but the business ultimately makes the final business decision because they own the risk. Who pays for any security controls/programs in your organization? Who do you report to in your organization - the business, right?

As security professionals, let's embrace regulations, compliance, audit, and whatever tools we can use to help the business reduce its risk exposure. Stop complaining and finger-pointing. Let's take a hard look inward and realize that we too contribute to this issue; that's why security for the longest time has had no seat at the table with the board.

My two cents

rcash
User Rank: Strategist
7/1/2019 | 5:26:08 PM
Compliance mentality trains reaction
We are all on a journey towards information security, and a significant obstacle is the paradigm imposed on a given organization by 'the compliance mentality'. It suggests that there is a plateau or end point where nothing else is needed, and then during cyclical risk assessment come the reactionary and predictably goal-oriented checklists and their check boxes. This antagonizes maturity progress due to the institutionalized inertia it creates. Sincerely, there needs to be a sober industry-wide relook at what compliance means, and how it can effectively get businesses to a specified level of security without quenching the desire to be effectively proactive.
tdsan
User Rank: Ninja
6/30/2019 | 2:37:14 PM
Re: ransomware
I agree with you, but we have to have people who are willing to listen. With this new generation of security and executives, hopefully they will be more open to the conversation than our predecessors.

If not, then their rise to prominence will be riddled with age old problems.

Todd
RyanSepe
User Rank: Ninja
6/30/2019 | 10:34:31 AM
Re: ransomware
Agreed. These are the day-to-day discussions that, as security practitioners, we must have. "What is the risk? What is the assessed value?" The important thing is to have an audience with key stakeholders who truly understand the importance of security and don't just think of the function as a compliance checkbox.
tdsan
User Rank: Ninja
6/29/2019 | 8:27:22 PM
Re: ransomware
Interesting, I do agree with the relevance of data, but to your point, if the data has been depreciated (not used for some time, or years), then the issue may not be as relevant. But do you report it under GDPR (even if you have controls or appliances in place to address the issue)? That is usually an executive decision.

But yes, I do agree it depends on the value of the data; but when you talk to an executive, they often go overboard, so it depends who you are talking to and at what time of day, lol.

That's not good enough
RyanSepe
User Rank: Ninja
6/29/2019 | 7:44:28 PM
Re: Burnt by the Stove
"This is exactly true. Until get hit not understanding true importance of being protected from attacks."

Most definitely. It's still very unfortunate however that organizations are still on the path of reacting over being proactive.
RyanSepe
User Rank: Ninja
6/29/2019 | 7:42:52 PM
Re: ransomware
Agreed, but it really depends on the data stolen. For something like this, yes, but if the data was PHI then it could affect patient care.
tdsan
User Rank: Ninja
6/29/2019 | 6:20:12 PM
Re: Burnt by the Stove
Well, that is what your security staff is there for. If the staff cannot express their concerns to executive members, then there needs to be a conversation with the oversight committee or the Chairman's office that can push their initiative. It will take time, but it can happen (they need to build alliances first before moving forward, and maybe educate the internal staff members so their message will come from everyone - IT security awareness).

T
tdsan
User Rank: Ninja
6/29/2019 | 6:16:48 PM
Re: ransomware
Interesting; tell that to the admin staff and executive offices, they are in a panic when this happens.

You can't tell them anything, lol.

T