
cyber defense


Targeted Attacks Video Series

Cybersecurity is currently on the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity, the topic of targeted attacks is put into the center. This is now even increasing as we see such attacks being used much more commonly than usually assumed, and only a small number of organizations have the resources to limit or even detect them.

The question is then often what a targeted attack really is, and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarize three security whitepapers: Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.

Take the time to look at them below – it is well worth it:

  • Introduction to Determined Adversaries and Targeted Attacks: Tim Rains, Director, Microsoft Trustworthy Computing, provides background information on these types of attacks and sets the context for the rest of the video series.

  • Mitigating Pass-the-Hash Attacks: Patrick Jungles, Security Program Manager, Trustworthy Computing, explains what a Pass-the-Hash attack is and some tested mitigations to help manage the risk associated with credential theft attacks.

  • Anatomy of a Cyber-attack Part 1: Sean Finnegan, CTO of the Microsoft Consulting Services Cybersecurity Practice, walks through a typical targeted attack, step by step, describing how attackers perpetrate these attacks.

  • Anatomy of a Cyber-attack Part 2: Sean Finnegan finishes his briefing on how determined adversaries commit targeted attacks.

  • Importance of Securing Active Directory: Bret Arsenault, Microsoft CISO, discusses the importance of protecting your Active Directory in the context of targeted attacks.

I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value, then that discussion should start sooner rather than later.

Fighting malicious software – congratulations SWITCH

SWITCH, the internet registrar for the .ch and .li domains and also a service provider for Swiss universities and a CERT, has been blocking Swiss websites if they are spreading malicious software and infecting the computers of internet users accessing them. They released today a statistic that they have cleaned more than 700 websites since the end of November 2010. This comes to an average of about 150 websites per month, although, as they started the process slowly, the average might not fully represent the actual work.

I am happy to hear about this success of SWITCH making internet users safer by disabling malware-disseminating sites. If one takes the relatively small number of .ch and .li domains and looks at how many domains exist worldwide, the number of infected sites is hard to grasp. The process itself is pretty straightforward. Once an infected site is known, the holder of the manipulated website is contacted. SWITCH describes the process as follows: “After receiving notification, holders and operators have one working day to clean up the website. If this deadline elapses without a cleanup, SWITCH temporarily blocks the domain in question to protect visitors to the website and informs the Reporting and Analysis Centre for Information Assurance – MELANI. As soon as the problem has been solved, SWITCH reactivates the domain. Combating malware in this way is proving to be effective: in 680 cases, the holders and operators reacted and cleaned up the website within one working day. On 55 occasions, a website was blocked before being cleaned. In 68 cases, it proved impossible to find a definitive solution, because the blocking period permitted by law had expired.”

While the process is clearly not perfect, it is definitely a first step, and it could be a model for other registrars to adopt. It needs a legal basis and close cooperation with the government. Maybe this goes in the direction of the need for internet governance I described earlier? Whatever could be improved – for today it is “congratulations SWITCH”!

Cyberattacks on the rise – or is it higher detection?

While I try not to talk only about US-related topics, I would like to draw today’s attention to the Fiscal Year 2010 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002 by the Office of Management and Budget (yes I know – sounds exciting). The interesting aspect is that their findings show that U.S. federal agencies were affected by 39% more cyber incidents in 2010 than in the previous year. This certainly is a steep increase and something to look at closely. If we look at the attack vectors, the use of malicious code (e.g., phishing, viruses, etc.) continues to be the most widely used attack approach (30.8%). On the defense side, 66% of IT assets are being managed with an automated asset management capability and 51% have an automated vulnerability management capability.

While the increase is in my view certainly also the effect of an increase in cybercrime, some experts say that it is – at least partly – the effect of a more mature detection capability. We are often behind the attackers in our defensive means, and this then leads to the question of how high the level of cyberattacks really is. How much do we detect? How much is reported? Any thoughts?

I appreciate the openness of the reporting by the U.S. White House and can only encourage other nations to do the same. What we need for this, though, is a cybersecurity law or something similar as a basis. This in turn can then serve as the framework for cooperation and coordination and increase efficiency in detecting and responding to attacks: a first step in knowing what the threat really is and the basis for a better response.

About the Author

Reto is a partner at PwC Switzerland. He is leading the Cybersecurity practice and is a member of the PwC Digital Services leadership team. He has over 15 years of work experience in an information security and risk-focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe and also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.
