I am quite a big fan of Verizon’s data breach investigations reports and am using their analysis regularly in security discussions. Verizon publishes these reports every spring since 2008 and I see them as especially valuable as they are pulling data from 70 contributing organizations covering over 79’000 security incidents, over 2’100 confirmed breaches and from over 60 countries.
The 2015 report was published recently (available here: 2015 Verizon DBIR) and while it isn’t exactly an easy read I agree with Rapid7’s marketing video that credential theft is the biggest takeaway. Patching is another highlight (or rather lowlight) and that detecting breaches still takes much too long (205 days). The latter is something that I can confirm from the experiences of our incedent response and recovery teams and it is very worrying to think what attackers have time to do for such a long time in an ICT infrastructure.
On the patching topic. A colleague of mine – James Kavanagh, the National Security Officer of Microsoft Australia, wrote a good blog post on “If you do only one thing to reduce your cybersecurity risk…” that I recommend to read and further information is then available in the report “Security Patching in Complex Environments”.
Below Rapid7’s video with highlights from the Verizon DBIR
The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.
The announcements made by us and the presence that Microsoft had at the conference was impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that with the explosion of devices and apps come new challenges. Security has been a top priority for Microsoft for a long time already and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:
More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.
The European Union is quite active on security and especially cybersecurity issues but is less present in the media for it than for example the US. To raise awareness on current reports and recommendations that I see as relevent please find some links below. We can now debate if this is too much, just raight or not enough but for that discussion knowing more about what actually exists or is in process is a prerequisite of course.
Joint Supervision Tool for Telecom Security
On 9 April, ENISA published a joint framework to supervise the security of services and personal data processing by telecom providers in the EU in accordance with Article 13a and Article 4. Full report is available here.
Electronic Evidence – a Basic Guide for First Responders
On 25 March, ENISA published a report based on past work done in the field of good practices for CERTs and LEAs in the fight against cybercrime. The main aim of the report is to provide a guide for first responders with a special emphasis in evidence gathering.
National/Governmental CERTs – ENISA’s Recommendations on Baseline Capabilities
On 20 March, ENISA published recommendations on baseline capabilities. The document covers ENISA’s updated considerations for capabilities of so called national / governmental CERTs, thus teams who serve the government of a country to protect critical information infrastructure. The primary target audience of this document are these CERTs and those policy-making bodies in the European Union Member States that are responsible for initiating and planning the establishment and operation of a national / governmental CERT. Still quite an interesting reading.
Standardisation in the Field of Electronic Identities and Trust Service Providers
On 24 March, ENISA published a paper that explains why standards are important for cybersecurity, specifically in the area of electronic identification and trust services providers. Additionally, the paper also discusses concrete standardisation activities associated with electronic IDs and trust service providers, providing an overview of standards developed under the mandate from the European Commission and others, related to eIDAS Regulation. It concludes with a proposal of a standard on cryptographic suites for electronic signatures and infrastructures, put forward by ENISA and related to the ETSI TS 119 312. Full report is available here.
Motion for a European Parliament Resolution on Cybersecurity
On 30 March, Italian MEP Nicola Caputo published a motion for resolution on cybersecurity and calls on the Council and the European Commission to strengthen the EU’s response capability to this global threat, to strengthen network and information security and to support Member States in their research and innovation aimed at promoting public and private digital security. steps on the dossier were not disclosed. Interesting though that the security of IoT (Internet of Things) starts to become also a policy topic. I expect that we will see more to come and hope that it will help in addressing the real challenges that we face.
I recently gave two live webinars as part of a security webinar series of Microsoft Switzerland where I covered aspects of cloud resilience and achieving resilience against modern cyberthreats. The webinars are in German and if you are interested you can get access to the recording below.
Webinar 1: Schutz vor Gefahren aus dem Cyberspace
Die heutigen Gefahren aus dem Cyberspace sind immer grösser, Angriffe werden immer ausgefeilter, die Hacker selbst immer professioneller. Traditionelle Schutzmechanismen, wie beispielsweise Virenschutzprogramme und Firewalls, sind angesichts der neuen Entwicklungen nicht mehr ausreichend. Erfahren Sie in diesem Webinar alles über die Vorteile eines dynamischen Sicherheitskonzepts, das Ihre IT-Landschaft basierend auf den Prinzipien Protect – Detect – Respond effektiv vor modernen Cybergefahren schützen kann und für hohe Resilienz sorgt. Das Webinar ist hier verfügbar.
Webinar 2: Resilienz und Cloud Computing
Cloud Computing verändert und beschleunigt die Arbeitswelt; standardisierte Services aus der «Rechenzentrumswolke» entlasten Unternehmen von Investitionen in eigene, teure Server-Infrastrukturen. Dennoch bestehen grosse Vorbehalte hinsichtlich Verfügbarkeit, Sicherheit und Datenschutz – speziell in einem Umfeld, in dem Gefahren durch kriminelle Aktivitäten lauern und NSA-/PRISM-Aktivitäten für Rechtsunsicherheit sorgen. In diesem Webinar dreht sich daher alles um Fragen wie Resilienz mit der Cloud, Resilienz in der Cloud oder Resilienz trotz der Cloud. Das Webinar ist hier verfügbar
I am quite a fan of Lenovo devices mostly still from the time where they were IBM ThinkPads. However, when the discussion started on the “Superfish” adware they put onto some Lenovo devices I took a mental step back and asked myself how a company that develops and sells plenty of business devices could make such a bad decision.
There are some good descriptions on what “Superfish” does so I will not repeat that in detail. In the end it seems that the adware hijacks encrypted web sessions and it seems that it may make users vulnerable to https man -in-the-middle attacks that are simple for attackers to exploit. If you are interested in knowing more I recommend that you read the Arstechnica article on that topic.
Lenovo was slow to pick-up on this topic although by now they reacted and the Lenovo CTO said in an interview with the Wall Street Journal that “we didn’t do enough” due diligence before installing Superfish, but that the company doesn’t believe laptop owners were harmed by the app”. You can read here the full article on the WSJ blog.
Another interesting question on why Lenovo pre-loads any software and here is his response: “Hortensius: In general, we get pretty good feedback from users on what software we pre-install on computers. What we’re going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers’ computers. The outcome could be a clearer description of what software is on a user’s machine, and why it’s there.” It seems that I am clearly not their targeted audience if they say such things. When I get a new computer the first thing I do is to newly install Windows from scratch and with that get rid of any bloatware and adware that might be on there. Then install the necessary drivers (not many any more – Windows 8.1 or 10 is in the majority of cases (if not all) taking care of that) and apply all updates and the computer is running faster, more stable and the disk has quite some more space in most cases than before.
So what to do now if you have a Lenovo computer and are not sure if Superfish runs on there or you know and want to remove it? One way to address this is to run Microsoft’s security software which will detect and remove the Superfish software from the Lenovo device. If you have Windowws 8 or 8.1 on your computer Windows Defender is installed by default so you only need to let it update itself. If you have an older version of Windows you might already have the Security Essentials installed where the same applies to. And if you are not sure check out the website on our free security software that you can download and that will take care of Superfish.
The security snippets series highlights some articles that I read recently. I hope they help in keeping up with the raise of security incidents and trends which becomes more and more difficult with the increasing professionalism of cyber attacks.
Bank Hackers Steal Millions via Malware
as read in the New York Times
The New York Times writes based on Kaperski information that a group of attackers impersonated bank officers and took over cash machines and transferred millions of dollars from more than 100 banks in Russia, Japan, Switzerland, the United States, and the Netherlands into fake accounts set up in other countries. This brings a new scale to Cybercrime.
Evolution and Adaptation in the Security Jungle
as read in Threatpost
Enterprise security teams need to catch up on understanding the methods that modern attackers use. The article on Threatpost does a good job at giving an overview. Active defense is crucial in that aspect and I described that with the protect, detect, response framework also in my whitepaper on achieving resilience against modern cyberthreats.
Visa Wants to Track Your Smartphone to Prevent Credit Card Fraud
as read in the Hacker News
It seems that Visa plans to release a new location-based feature that will help cardholders update their location via smartphone. With credit card fraud still on the raise that could be a good way to fight that. I just hope that it will be clear to the user that another service performs location tracking.
PlugX Is RAT of Choice for Nation States
as read in eSecurity Planet
The “2014 CrowdStrike Global Threat Intel” report finds that the PlugX Remote Access Tool (RAT) is the most observed malware variant used by nation-state backed threat adversaries. I don’t think that this is necessarily so clear as in my view many nation states have more customized and elaborate capabilities but it shows how far such tools have come.
One Billion Data Records Compromised in 2014 Worldwide
as read in Softpedia
The article writes about a report from the Breach Level Index (BLI) which finds a 49 percent increase in data breaches and a 78 percent increase in number of records that were stolen or lost in 2014. While the absolute number might be even higher the massive increase is something that we observe as well.
Microsoft Achieves Globally Recognized ISO/IEC 27018 Privacy Standard
as read in the Microsoft Cyber Trust Blog
This more on privacy and trust than security although that also plays an important aspect. Microsoft on February 16, 2015, obtained the ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. Brad Smith’s blog has more information on that and is worthwhile reading in my view.
How to Keep Your Webcam Safe from Hackers [Video]
as read in We Live Security
If you follow the link you will see a video that covers five tips to prevent someone from spying on you through your webcam. Something becoming more important after an anonymous website began posting live streams of the world’s unprotected webcams.
I have written the whitepaper “Achieving resilience against modern cyberthreats” and looking at how the intensity of cyberattacks is again on the raise it is getting more important to implement a dynamic security framework.
As our use of mobile computing and social media technologies grows, so does our exposure to risk. On the one hand, the widespread adoption of new mobile, social media, cloud services and big data technologies creates unprecedented opportunities for productivity and flexibility. Yet without the right defenses in place, they can also open us to new kinds of vulnerabilities, as attacks that target devices operating outside the enterprise perimeter are quickly growing in volume and sophistication.
Passive protection is no longer sufficient for ensuring the security of information and IT infrastructures. My new Microsoft white paper, Achieving resilience against modern cyberthreats, explores the ways that governments and enterprises can protect their valuable information by creating a holistic security strategy, built on risk management, to achieve resilience against in an era of constant targeted attacks and determined adversaries.
The paper explores Microsoft’s holistic “Protect, Detect and Respond” approach to security strategy, including key principles for organizations, the importance of trustworthy cloud services, and the steps to take for securing an IT infrastructure in today’s threat landscape. This proactive strategy requires that an organization understand its assets and its exposure, and apply appropriate protection throughout the entire IT ecosystem in a continuous process. It also recognizes that enterprises must manage their inevitable risk – absolute security is not possible, so organizations must go beyond just protecting resources and also establish processes for detecting, responding and recovering from incidents when they occur.
If you are interested see my complet blog post, Achieving resilience against modern cyberthreats at Microsoft on Safety and Defense.
It has been a few weeks since I have flown to Atlanta for work and I was lucky to have had smooth travels. If you know the Atlanta airport however that isn’t necessarely a given. On one hand it is the worlds busiest airport serving close to 30 million passengers every year and then it is in a location that has frequent tunderstorms. When I now stumbled over a video that shows what happens when thunderstorms occur over the area I was amazed by the resulting images. While not as nicely presented as the pictures in my earlier post on the beauty of airtravel it shows the beauty of technology being able to adapt and overcome obstacles.
From now on I will be blogging about topics that I have read somewhere else and that I find noteworthy. You will find them in my new “snipplets” category. Today I am starting with the keypoints of a WIRED Magazine Threat Level article by Kim Zetter. Here are the keypoints:
In a study spanning two years they found severe security issues with common medical equipment used across a large chain of Midwest health care facilities including:
Many hospitals are unaware of the high risk associated with these devices. A wide cross-section of devices shared a handful of common security holes, including:
There are very few devices that are firewalled off from the rest of the organization, once you get a foothold into the network, you can scan and find almost all of these devices.
This reflects unfortunately the discussions that I am having with healthcare Providers across Western Europe. Considering that Cybercrime is only starting to become “mature” (not happy to use this word in a criminal context but it describes it best) then the risks need to be mitigated and hospitals have an important aspect by insisting on secured systems and investing overall into their own IT hygiene.
I travel a lot for work and it brings me in touch with many different people and cultures. Sometimes when I am sitting in a busy airport I look up from my screen and am watching the planes come and go. My thoughts might then trail towards the security discussions that we need to increase with critical infrastructure, the complexity of the logistics behind such an airport or that it is just beautiful to watch a plane take-off.
I found by coincidence a visualization of air traffic over Europe that sheds a new scale on the points above. It emphasizes the need to be able to protect our digital command, control and communication systems involved with managing something as complex as airtravel but at this point I suggest you just click on the movie and enjoy the beauty of it.
The video was created from real flight data, using UK radar data from June 21 and European flight plan information from July 28. If you want to know more check out the original blogpost by Paul Beachamp.