Industrial Internet Consortium Develops New IoT Security Maturity Model

The Industrial Internet Consortium (IIC) has developed a new IoT Security Maturity Model (SMM), building on its own security framework and reference architecture. This week it has published the first of two papers: IoT Security Maturity Model: Descript…

Financial Services DDoS Attacks Tied to Reaper Botnet

Recorded Future’s “Insikt” threat intelligence research group has linked the Mirai variant IoTroop (aka Reaper) botnet with attacks on the Netherlands financial sector in January 2018.

The existence of IoTroop was first noted by Check Point in October 2017. At that point the botnet had not been used to deliver any known DDoS attacks, and its size was disputed. What was clear, however, was its potential for growth.

In January 2018, the financial services sector in the Netherlands was hit by a number of DDoS attacks. Targets included ABN Amro, Rabobank and ING; but at that time the source of the attacks was unknown.

Insikt researchers now report that at least one of these financial services attacks — and possibly more — was the first known use of IoTroop to deliver a DDoS attack. “IoTroop is a powerful internet of things (IoT) botnet,” reports Insikt, “primarily comprised of compromised home routers, TVs, DVRs, and IP cameras exploiting vulnerabilities in products from major vendors including MikroTik, Ubiquity and GoAhead.”

The attack itself was not excessively high by modern standards. “The initial attack was a DNS amplification attack with traffic volumes peaking at 30Gb/s,” reports Insikt — far short of the 1.7Tb/s attack that occurred in February.

If the IoTroop assumption is correct, it is clear the botnet has evolved extensively since its discovery last year. Fortinet’s SVP products and solutions reported last month, “the Reaper [IoTroop] exploit was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive, in-place botnets to run new and more malicious attacks as soon as they become available.”

Insikt reports that the malware can use at least a dozen vulnerabilities and can be updated by the attackers as new vulnerabilities are exposed. “Our analysis,” it says, “shows the botnet involved in the first company attack was 80% comprised of compromised MikroTik routers with the remaining 20% composed of various IoT devices ranging from vulnerable Apache and IIS web servers to routers from Ubiquity, Cisco and ZyXEL. We also discovered Webcams, TVs and DVRs among the 20% of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquity, Linksys, TP-Link and Dahua.”

This list adds new devices now vulnerable to IoTroop in addition to those noted in the original October 2017 research — which suggests, says Insikt, “a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed vulnerabilities in many IoT devices.”

Insikt’s research shows the January attack was delivered from 139 different countries, indicating that vulnerable IoT devices are being recruited worldwide. More than half of the attacking clients are located in the Russian Federation, Brazil, Ukraine, China and the U.S.; but this probably reflects little more than the popularity of MikroTik devices in those countries.

Insikt believes that its analysis of the January DDoS attacks makes it almost certain that at least one and probably more were delivered by IoTroop; but that the new devices included within the botnet show its continuing evolution. “The similarity in device composition with the IoTroop/Reaper botnet,” it says, “suggest IoTroop has evolved to exploit vulnerabilities in additional IoT devices and is likely to continue to do so in the future in order to build up the botnet to facilitate larger DDoS attacks against the financial sector.”

The research also found seven IP addresses that it believes are likely to be controllers for the botnet. Insikt urges industry to monitor these addresses for malicious activity since they “are likely to be engaged in aggressive scanning for new vulnerable IoT infrastructure to commandeer as well as be responsible for any Denial of Service, attack commands issued to the botnet clients.”

Protecting consumer IoT devices is less simple, since consumers notoriously adopt an unpack, plug and play approach to new devices. Nevertheless, Recorded Future urges all users to immediately change default manufacturer passwords, to patch firmware wherever possible and required, to invest in a VPN for devices that have remote access (such as IP cameras), and — perhaps less easily for consumers — to disable unnecessary services such as Telnet.

Related: Remotely Exploitable Vulnerability Discovered in MikroTik’s RouterOS 

Related: Mirai Variant Targets ARC CPU-Based Devices 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Improved Visibility a Top Priority for Security Analysts

Security Analysts Require Improved Visibility as well as Improved Threat Detection

Vendors listen to existing and potential customers to understand how to improve their products over time. At the smallest scale, they use focus groups. At the largest scale they employ market research firms to query thousands or more respondents from relevant job roles and industry sectors. Somewhere in between, they run their own relatively small-scale surveys, primarily for their own benefit.

This is what Boston, MA-based next-gen endpoint protection firm Barkly did, querying some 70 IT and security professionals to understand what mid-market users look for and are not currently getting from their endpoint security controls. Not surprisingly, 60% of the respondents say that adding to or improving protection is their top priority — possibly because 88% of them consider that there are types of attacks (for example, the growing practice of employing fileless attacks) that current security simply does not block.

More surprising, however, is that 40% of the respondents name improving forensic and response capabilities as their current top priority. This may partly be driven by the new breed of regulations — and in particular, GDPR — that demand increasingly rapid incident disclosure, and remediation of the breach vector to prevent repeats.

Alternatively, this may simply be down to a high ratio of alerts (both true positives and false positives) to human resources with their current products. While the sample size of the survey is small, forty-five percent of the respondents, Barkly says, “admit they currently don’t have enough time to investigate and respond to the incidents they’re already seeing now. Adding to that workload with complex endpoint detection and response (EDR) solutions without considering current limitations is obviously not a productive answer.”

The need for improved automation to reduce the time for manual involvement also shows in users’ top frustrations with current solutions. Twenty-seven percent of the respondents are concerned with poor visibility into incidents, and 25% are concerned about limited investigative/response features. A further 18% find current solutions difficult and time-consuming to manage.

The need to make incident response faster and simpler is the driving force behind Barkly’s new version 3.0 launched today. Rapid response comes from two new features: endpoint isolation; and file quarantine and delete. The first enables an administrator to instantly remove an affected device from the network while the incident is investigated. 

This is a one-click operation via the Barkly CommandIQ management portal, and can be enacted from any location, on- or off-site at any time via any remote or mobile device with internet access. As soon as the affected device is cleaned or confirmed to be clean, it can just as easily be returned to the network. It means that both an alert and its response can be handled instantly without requiring the security administrator to be in his office or to return to his office first.

The second feature automatically quarantines a blocked malicious executable. This instantly contains the threat, but maintains administrative access to the file for further investigation before deletion. Again, this can be performed either from the administrator’s office desktop, or remotely via a mobile device.

A further two new features help analysts to investigate incidents. The first provides an automated interactive method for users to provide context, which is fed back to the analyst, whenever a file or process is blocked. The second is Incident Path Visualization, enabling analysts to trace malicious processes back to their origins.

Together, these features provide rapid forensic insight into the cause of the incident, allowing the security team to leverage the insights gained to improve their security going forwards.

Barkly version 3.0 adds the ability for automated and rapid response to its existing machine-learning threat detection engine. Its ability to do this via any mobile device means there is no delay if an incident occurs while administrators are off-site. The intention is to enable existing staff levels to handle workloads more efficiently without being stretched too thin, and without requiring additional company manpower.

Related: Mobile Response to Security Alerts Allows Immediate Action Anywhere, Anytime 

Related: Demystifying Machine Learning: Turning the Buzzword into Benefits for Endpoint Security 


Companies Have Little Control Over User Accounts and Sensitive Files: Study

Lack of Control Over Sensitive Files Leaves Companies Open to GDPR Failure

Security teams are urged to assume intruders are already on their networks. The quantity and frequency of data loss breaches lends credence to that assumption. The implication is that perimeter defenses are insufficient, and that sensitive data needs to be locked down as far as possible within the network. A new study shows, however, that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network.

Each year, New York, NY-based data protection and governance firm Varonis analyzes the results of its risk assessments on new and potential customers. Its 2018 Global Data Risk Report (PDF) contains the findings of 130 corporate risk analyses conducted during 2017. It looks for free-form data at risk from existing intruders and potential malicious insiders; and the process examined more than 6 billion individual files from 30 different industries across more than 50 countries.

The results clearly show that companies are struggling to control sensitive data contained in free-form text documents. A common problem is leaving files open to global access groups. For example, 58% of companies have more than 100,000 folders open to everyone — and the bigger the company, the worse the problem. Eighty-eight percent of companies with more than 1 million folders have more than 100,000 open folders.

The problem becomes more pressing when those files contain sensitive data — defined here as information subject to regulations such as GDPR, PCI, and HIPAA. The Varonis platform works by looking at both the structure of the network, and the content of the files. In this study it found that 41% of companies have more than 1,000 sensitive files open to everyone.

For these companies any malicious insider or low-privileged intruder can simply access and potentially steal sensitive data, bringing the company into immediate compliance failure. Most regulations either require the principle of least privilege or imply its requirement.

The basis of protecting sensitive files requires two things in particular: the principle of least privilege to restrict access to sensitive documents to authorized persons only; and privileged account management to prevent attackers’ access to and unauthorized use of privileged accounts to access restricted documents. However, the Varonis study shows that companies have as little control over their user accounts as they do over their sensitive files.

A common issue with account management is the failure to remove old accounts. This usually happens when the account is no longer necessary, or when its owner leaves the organization. These are variously known as ‘stale’ or ‘ghost user’ accounts. Varonis found that 65% of companies have more than 1,000 stale user accounts. The study does not indicate how many of these stale accounts are also privileged accounts, but with so many sensitive documents open to everyone, an attacker does not even need access to a privileged account.

“User and service accounts that are inactive and enabled (aka ‘ghost users’) are targets for penetration and lateral movement,” warns the Varonis report. “If these accounts are left unmonitored, attackers can steal data or cause disruption without being detected.”
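The two findings above (folders open to global access groups, and accounts that are enabled yet inactive) are exactly the kind of checks a file-share and directory audit should produce. As an added example, not code from Varonis or from this article, the following Python runs those checks over a constructed inventory; the group names treated as "global", the 90-day inactivity window and the 1,000-file threshold mirror the report's framing but are assumptions here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set, List, Dict

# Assumed "global access groups": any ACL entry granting one of these
# makes the folder effectively open to everyone on the network.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Assumed inactivity window; the report itself only says "inactive and enabled".
STALE_AFTER = timedelta(days=90)

# Threshold used in the report: more than 1,000 sensitive files open to everyone.
SENSITIVE_THRESHOLD = 1000


@dataclass
class Folder:
    path: str
    acl: Set[str]          # principals granted read access
    sensitive_files: int   # files classified as regulated (GDPR/PCI/HIPAA) content


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]   # None means the account has never logged on


def open_folders(folders: List[Folder]) -> List[Folder]:
    """Folders whose ACL grants access to a global access group."""
    return [f for f in folders if f.acl & GLOBAL_GROUPS]


def exposed_sensitive_files(folders: List[Folder]) -> int:
    """Sensitive files reachable by anyone with network access."""
    return sum(f.sensitive_files for f in open_folders(folders))


def ghost_users(accounts: List[Account], today: date) -> List[str]:
    """Enabled accounts with no logon inside STALE_AFTER (or no logon at all)."""
    cutoff = today - STALE_AFTER
    return [a.name for a in accounts
            if a.enabled and (a.last_logon is None or a.last_logon < cutoff)]


def risk_summary(folders: List[Folder], accounts: List[Account], today: date) -> Dict:
    """Roll the two checks up into the figures the report measures."""
    exposed = exposed_sensitive_files(folders)
    return {
        "open_folders": [f.path for f in open_folders(folders)],
        "exposed_sensitive_files": exposed,
        "over_sensitive_threshold": exposed > SENSITIVE_THRESHOLD,
        "ghost_users": ghost_users(accounts, today),
    }


# Constructed sample inventory (not real data).
SAMPLE_FOLDERS = [
    Folder(r"\\fs01\finance\payroll", {"Finance-RW", "Domain Admins"}, 420),
    Folder(r"\\fs01\shared\scans", {"Everyone"}, 37),
    Folder(r"\\fs01\hr\exports", {"Authenticated Users", "HR-RW"}, 1180),
    Folder(r"\\fs01\it\tools", {"IT-Ops"}, 0),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2018, 4, 10)),
    Account("svc-backup-old", True, date(2017, 9, 1)),
    Account("contractor7", True, None),
    Account("mroe", False, date(2016, 1, 15)),   # disabled: stale but not a ghost
]
TODAY = date(2018, 4, 20)

if __name__ == "__main__":
    print(risk_summary(SAMPLE_FOLDERS, SAMPLE_ACCOUNTS, TODAY))
```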

The combination of open sensitive files and ghost accounts increases the likelihood of a data breach and compliance failure. The regulation top-of-mind with most security teams right now is the EU’s General Data Protection Regulation (GDPR), with the potential for heavy fines, and due to come into force next month. 

A common perception is that if a firm can demonstrate strong attempts to protect personal data, it will not be prosecuted to the full by European data regulators. Certainly, regulators will take account of any breached firm’s attempts to conform — but overexposed documents and ghost accounts are a de-facto failure.

Last month, the Irish data protection commissioner discussed how she intends to handle her GDPR remit. Ireland is particularly important because it is the European home of many large U.S. firms (such as Facebook, Google, Twitter, Pfizer, Boston Scientific and Johnson & Johnson) that have extensive offices and/or their European headquarters in what is sometimes known as Dublin’s Silicon Docks.

Discussing whether ‘state of the art security’ would be a mitigating factor over any GDPR-relevant data breach, Ireland’s Data Protection Commissioner Helen Dixon told Independent.ie, “it’s a theoretical possibility that if they have applied objectively demonstrable state-of-the-art security and there really appears to have been nothing further they could have done, that would certainly be a mitigation criteria [sic]. But, we haven’t come across it.”

Regardless of all other security controls, if any firm investigated under GDPR has failed to operate least privilege for all documents containing personal data, it will likely be subject to the full sanction of the General Data Protection Regulation — that is, 4% of global turnover.

Related: Organizations Failing Painfully at Securing Privileged Accounts 

Related: Organizations Fail to Maintain Principle of Least Privilege 


Software-defined Global Network as a Service Firm Meta Networks Emerges From Stealth

Meta NaaS Provides a Software-defined Virtual ‘Overlay’ to Existing Disjointed Physical Networks

Emerging from stealth with $10 million in seed funding led by Vertex Ventures and the BRM Group, Tel Aviv-based Meta Networks has launched Meta NaaS — a secure software-defined virtual private network aimed at redefining the concept of distributed, cloud-employing corporate networks.

The advent of public and private cloud services and offerings, together with the growth of mobile computing and remote working, plus the tendency for most companies to combine all of these with their own on-premise resources has had one major and well-recognized effect: there is no longer a physical network perimeter that can be defined and protected. Solutions generally require point products for every device, aimed at protecting the device and its communication to other parts of the network. This rapidly becomes very complex with multiple points of possible failure.

Meta Networks’ Meta NaaS provides a software-defined virtual ‘overlay’ to existing disjointed physical networks. It is user-centric, draws on the principle of zero trust, and brings together all aspects of remote users, mobile devices, separate branch offices, on-premise data centers and cloud apps within one single software-defined overlay. It creates a new perimeter in the cloud.

Like Google’s BeyondCorp, the user is key. Every user device is given a unique permanent identity at the packet level, but is also given access to an always-on virtual private network (VPN). A global distribution of PoPs ensures high performance in accessing and using the VPN from any location, and all corporate traffic from corporate users is securely sent to the NaaS before being delivered to its destination. This includes both internal resources and internet traffic — and security is handled in the NaaS rather than at the device.

“It’s worldwide,” Etay Bogner, CEO and founder of Meta Networks, told SecurityWeek. “You don’t have to install any appliances. You connect separate offices through their existing routers. On top of the network we are deploying best network security. So instead of having the firewall deployed as an appliance in a specific physical location, we have the firewall functionality within the cloud in every one of the PoPs, and we apply security at those locations.”

The effect is to provide security in even hostile environments — mobile employees working in internet cafes or airport waiting lounges are as secure and productive as if they were still in the office.

Meta NaaS interoperates with other cloud-delivered security solutions, supporting a best-of-breed security stack for the enterprise. It delivers identity-based policy routing and packet-level identity verification; and since it is cloud-based, it promises cloud advantages: agility, scalability and cloud economics.

“Meta NaaS is a new zero-trust paradigm for the ‘virtual private network’ that revolves around users rather than physical topology. This shift enables enterprises to effectively restore the perimeter by protecting all employee traffic — both corporate and internet — all of the time,” said Bogner. “What elevates our technology is the cloud-native global backbone and the comprehensive, identity-based network security architecture designed to support millions of users efficiently.”

“Meta NaaS is built around network users, not a physical business location,” comments Ramon Snir, senior developer at Dynamic Yield, an existing customer. “This is an advantageous approach for organizations like ours that have applications in data centers and clouds around the world, as well as an increasingly mobile workforce.”

Bogner is keen to stress that this is not a new rip and replace technology. “Enterprises already have existing investment in on premise security. That doesn’t have to be ripped out,” he told SecurityWeek. But at the same time, when licenses lapse, they don’t have to be replaced. Meta NaaS provides a road map towards a cloud-only security policy. 

“Over time,” added Amy Arie, Meta Networks’ CMO, “the NaaS will offer greater security at lower cost.”

The concept can be seen in its implementation at MyHeritage. The firm has 100 sales reps around the world, with applications housed in two data centers on different continents. Without Meta NaaS, this required VPNs in each data center, an IT overhead in maintaining 100 clients, and reps who had to know which data center they needed. With Meta NaaS it is a single connection to the NaaS. The VPN is always operational, and access policies are maintained in the NaaS.

“Compared to managing VPNs in each of our data centers,” said Moshe Magal, IT team leader at MyHeritage, “the Meta NaaS solution is much simpler and more convenient both for our IT team and our users.”

Meta Networks is the fourth firm founded by serial entrepreneur Etay Bogner. His first was SofaWare, a network security vendor that was ultimately acquired by Check Point Software. The second was Neocleus, a virtualization vendor acquired by Intel. The third is Stratoscale, an AWS-compatible infrastructure and services firm.

Related: Cloud Security Alliance Releases Update to Software Defined Perimeter (SDP) 

Related: Security Challenges of SDN and Cloud: The Critical Role of Visibility 

Related: This is How Google Secures Devices for Its 61,000 Employees 
