Verizon DBIR: Identify insider threat warning signs, safeguard IP

on Thursday, October 25, 2012

Taken from: http://searchsecurity.techtarget.com
Nearly half of all reported instances of intellectual property (IP) theft involved trusted insiders, according to an analysis conducted by the Verizon RISK Team, who issued a report with new findings gleaned from the company’s 2012 Data Breach Investigations Report (.pdf) published earlier this year.
In the Verizon DBIR Intellectual Property Snapshot (.pdf), the researchers found that while the majority of breach events were executed by external actors, 46% of all events that culminated in the loss of proprietary data involved an employee, highlighting the challenges enterprises continue to face in protecting sensitive information from insider threats.
“The take-home message here is that protecting IP from ‘them’ is an incomplete and inadequate strategy. Understanding that ‘we’ are sometimes our own enemy—and sometimes the enemy targets its own—is important to building good policy and practice for defending the crown jewels,” the report states.

What defines the insider threat?

Most often insider threats materialize in the form of employees who are experiencing higher than average levels of distress, a sign management should be on the lookout for, according to security consultant Jeffrey Carr.
The impetus for the theft of intellectual property by an employee can include a combination of factors including greed, moral ambiguity, or temptation fueled by unfettered access to valuable information.
“A company's defensive posture to confront the insider threat needs to include management training in observing early warning signs of employee stress such as financial problems, marital problems, poor job performance, etc. Once an employee is showing signs, increased monitoring of their email and web surfing habits may be advisable. Most companies' employee agreements include provisions for this level of monitoring as long as the employee is using company assets,” Carr said.
“Insider threats are motivated by self-interest and influenced by personal preferences, social context and local culture. As Prospect Theory predicts, trusted insiders are hungry for the possibility of personal gain by stealing IP. Like any other crime, a person needs a combination of means, opportunity, and intent in order to steal intellectual property,” said Danny Lieberman, CTO of Software Associates, a software security consultancy based in Israel.

Defending against the insider threat

Among the technologies available for protecting IP from theft by insiders are Identity Access Management (IAM) tools, which allow companies to control access to sensitive data by assigning legitimate user accounts varying degrees of permissions for certain databases, applications, and systems. IAM software offers a measure of protection, but it has its shortcomings, according to Lieberman.
“IAM is the most basic security countermeasure for mitigating the risk of insider security breaches, but paradoxically IAM can also provide the means for trusted insider theft of IP. Insiders typically have knowledge of how the system works, the business processes, the company culture and how people interact. They know who administers the rights management systems and who grants permissions. With the right knowledge and social connections, access to sensitive data can be obtained even if it was not originally granted by design in the IAM system,” Lieberman warns.
Another available solution involves implementing Information Rights Management (IRM) tools which use cryptography to protect information contained in sensitive documents and communications from unauthorized access both within as well as outside of an organization’s network.
IRM has drawbacks too: it requires the organization to always know in advance which information it specifically wants to control and protect by way of the IRM system. “IRM mitigates the vulnerability of means to an extent, but does nothing to lessen the threat posed by opportunity. Once rights are granted by the IRM system – the user is trusted and has access to the controlled document,” Lieberman said.
A more comprehensive strategy for the protection of intellectual property against misappropriation by trusted insiders is the deployment of a Data Loss Prevention (DLP) solution, which can prevent unauthorized access and the transfer of sensitive corporate data, as well as issue alerts if any attempts are made at either.
“DLP is a data-centric security control, agnostic to permissions controls and applications. Agent DLP runs on the user PC, whereas network DLP runs in the enterprise network. DLP enables the organization to monitor information flowing in and out of the company in order to detect and prevent information leaks. Compared to other solutions, DLP actually mitigates all three vulnerabilities – means, opportunity and intent, since it measures movement of data to unauthorized destinations and is independent of any rights management,” Lieberman said.
Even with basic controls in place, the risk of sensitive data loss by way of trusted insiders will persist. “Insider threats are a serious problem, with no good off-the-shelf solutions,” Carr added.
The Verizon report recommends enterprises make a concerted effort to practice pre-employment screening of employees, enforce separation of duties, and regulate user network privileges in addition to implementing monitoring systems in order to prevent the theft of intellectual property.
------------------------------------------------------------------------------------------------------------
Personal Assessment
One of the dangers for large companies is the leaking of their valuable information, such as customer information, accounting data, and passwords for accessing information. But there is a danger that very few pay attention to, even though it is one of the most dangerous: the attack from within.
Indeed, it is much easier for an attacker to get into a system if they do so directly, which is why, besides guarding against the outside, companies should worry about the inside. Their employees are a latent danger and should always be monitored, as security consultant Jeffrey Carr mentions.


Social networks: basic tips to avoid falling into cybercriminals' traps

on Thursday, October 18, 2012

The Instituto Nacional de Tecnologías de la Comunicación (Inteco) warned this week that social networks are in the "crosshairs" of cybercriminals, who are taking advantage of the rise of these communities to obtain users' personal data and spread viruses, scams and fraud.
Inteco reported that, according to the fourth wave of the Social Networks Observatory of the Oficina de Seguridad del Internauta (OSI), cybercriminals are increasingly looking for their victims on social networks.
It stressed that the user's "false sense of security" on receiving messages from known contacts opens up many opportunities to exploit social engineering tricks, such as creating fake accounts and sending deceptive messages.
In this regard, it noted that although social network users are concerned about security, "most do not take the necessary precautions to protect themselves".
To avoid being deceived, Inteco recommended "using common sense", not clicking "on just anything", not following links that appear on suspicious pages, and not allowing applications of dubious credibility to access profile data.
It emphasized that "no social network" asks for a username and password by email, and that any message of that kind should be deleted.
It also advised checking where links lead before clicking on them, not opening messages from unknown users or messages that were not requested, and being "selective" about the people added to one's friends list.
Personal Assessment
As is well known, a social network is a medium through which we make ourselves known to the whole world, in some cases showing more or less information depending on the person. That is why special care must be taken with its security. The company Inteco (Instituto Nacional de Tecnologias de la Informacion de España) recommends using common sense and being more distrustful when following suspicious links, and in this way avoiding social engineering attacks.

Age-old vulnerabilities, attack techniques consistently trip enterprises

on Thursday, October 4, 2012

Taken from: http://searchsecurity.techtarget.com
TORONTO --- The vulnerabilities of the past are consistently haunting some enterprises, according to a penetration tester who explained Tuesday that enterprise IT security teams often know about persistent weaknesses and system configuration issues but are doing little to correct them.
"There's been a whole lot of gaps out there in how we defend systems, and they've just remained in place," said Jamie Gamble, a senior security consultant at Denver-based Accuvant Labs. "We are ignorant as an industry. We still have ignorance toward a lot of things in security."
In his presentation at the SecTor security conference, "The More Things Change: The Vulnerabilities that Time Forgot," Gamble summed up longstanding weaknesses in Windows and Unix systems that continue to go unaddressed at many firms.  Security researchers Dan Farmer and Wietse Venema authored a 1992 paper that challenged conventional thinking, prompting network analysis and some of the first penetration tests. The paper described attack techniques that are still relevant today, he said.
Network segmentation issues such as VLANs that are poorly configured are contributing to a continuous pattern of holes that can be targeted with attack tools and techniques that were built more than a decade ago, Gamble said. Many are not configured to support proper role-based access control, or RBAC.
"We've seen improvements in system architecture, but VLANs are not being implemented from a security perspective; they're being implemented with a functional perspective," Gamble said. "Even though network segmentation works, it's still very difficult to put it in place."
System-to-system trust has also opened persistent weaknesses, Gamble said. It started with Rlogin, which allows the user of one system to log into another system without a password. An old technique that is still used by pentesters is to target the Rlogin file, exploiting it to allow anyone to log in without a password. SSH was added to improve security, but it has actually done very little to correct the trust weaknesses, he said. A lot of organizations fail to put passwords on the SSH keys. "It's encrypted," he added, "but it doesn't matter."
Weak, poorly protected and mishandled passwords can also be a common way in, according to Gamble. Unix-based systems that use NIS for network authentication may have conditions set exposing a list of user directory passwords to an attacker. Using Lightweight Directory Access Protocol is not necessarily better. An attacker can attempt to root the box and if successful can pull out LDAP passwords from regions of memory, according to Gamble. It is easy to do as long as you can compile on the system, he said.  Even if shell password files are being used to hide distributed passwords from users, they can be cracked easily, he said.
Security researchers say man-in-the-middle (MiTM) attacks are also commonly used by cybercriminals. Tools have gotten better at automating the process, but the attack technique was known and available before the modern Internet was invented, Gamble said. The attack is very successful today because people often accept connections that have bad certificates, he said. There are many programs designed to create a MiTM condition, eliminate encryption and start stealing credentials.
"Most mitigations in place haven't worked at all," he said. "This stuff has been made so easy that anyone can do it."
Local Unix issues are also a major problem enterprises commonly don't address. "You can do great things with configuring Unix, but if you want to get practical about how it's being set up in big companies, you've got big problems," Gamble said. 
Basic techniques designed in 1992 to target Unix configuration issues are still in use today. Insecure cron jobs or tasks, and the privileges specified in the sudoers file, could also lead to information exposure. Some firms configure read/write access on everything in the home directory. As a result, Gamble said, getting elevated privileges on a Unix box is pretty easy if the attacker has access to it.
Local Unix configuration issues are not being tested and detected. Some weaknesses such as Address Resolution Protocol or ARP poisoning, a network attack, are expensive to fix. Organizations can begin by teaching Unix administrators proper security and proactive auditing to not only look for weaknesses, but address them.
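The kind of proactive local audit called for above can be automated. The following Python script is an added example, not code from the article or from Gamble's talk: it walks a directory tree and flags three of the weaknesses described, namely wildcard trust entries in Rlogin files, SSH private keys stored without a passphrase, and group- or world-writable cron and sudoers files. The function names, finding labels and sample file tree are this example's own, and the sample files are constructed.

```python
import base64
import os
import stat
import struct
import tempfile

MAGIC = b"openssh-key-v1\0"  # header of the OpenSSH private key container


def key_is_unencrypted(text):
    """True/False for a private key file; None if it is not a private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith("PRIVATE KEY-----")):
        return None
    if "ENCRYPTED" in lines[0]:  # PKCS#8 encrypted key
        return False
    if "OPENSSH" in lines[0]:
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] == b"none"  # cipher name field
    # Legacy PEM: an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.
    return not any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in lines)


def rhosts_wildcards(text):
    """Lines in .rhosts / hosts.equiv that trust any host or any user."""
    entries = (ln.split("#")[0].split() for ln in text.splitlines())
    return [" ".join(f) for f in entries if "+" in f[:2]]


def audit(root):
    """Walk `root` and return sorted (finding, relative_path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            sensitive = (name in ("crontab", "sudoers")
                         or any(p.startswith("cron") or p == "sudoers.d" for p in parts))
            if sensitive and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("writable-privileged-config", rel))
            if name in (".rhosts", "hosts.equiv") or ".ssh" in parts:
                with open(path, errors="replace") as fh:
                    text = fh.read(65536)
                if name in (".rhosts", "hosts.equiv"):
                    if rhosts_wildcards(text):
                        findings.append(("rhosts-wildcard-trust", rel))
                elif key_is_unencrypted(text):
                    findings.append(("ssh-key-without-passphrase", rel))
    return sorted(findings)


def make_openssh_key(cipher):
    """Constructed key container: real header layout, dummy key material."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\0" * 32
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo():
    """Build a constructed file tree in a temp dir and audit it."""
    samples = {  # relative path -> (content, mode); all values are constructed
        "home/alice/.rhosts": ("+ +\n", 0o600),
        "home/bob/.rhosts": ("build01 bob\n", 0o600),
        "home/alice/.ssh/id_ed25519": (make_openssh_key(b"none"), 0o600),
        "home/bob/.ssh/id_ed25519": (make_openssh_key(b"aes256-ctr"), 0o600),
        "etc/cron.d/backup": ("0 2 * * * root /opt/backup.sh\n", 0o666),
        "etc/sudoers": ("root ALL=(ALL) ALL\n", 0o440),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit(root)


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:28} {rel}")
```

Calling `audit()` on a mounted or copied file system reports the same three finding types; reading other users' home directories requires running it with sufficient privileges.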
------------------------------------------------------------------------------------------------------------
Personal Assessment
Great advances have been made in enterprise security, but simple mistakes and open doors are often set aside and sometimes even forgotten, which leaves holes that can be exploited by people with bad intentions.
As the preceding news item explains, despite knowing about these deficiencies, the IT security team does not take them into account, and this is something that must be corrected if optimal protection of information is to be achieved.

Some activist DDoS attacks growing in sophistication, expert says

on Thursday, September 27, 2012

Taken from: http://searchsecurity.techtarget.com
The majority of distributed denial-of-service (DDoS) attacks against corporate and government websites can be easily filtered out by appliances and software, but one expert says a growing number of attacks are from technically savvy individuals and often trip up mitigation systems.
A wide variety of attacks that are driven by activists use relatively unsophisticated tools. They can cause an initial disruption, but business and government websites can recover fairly quickly, said Jeff Lyon, CEO of Los Angeles-based Black Lotus Communications, a DDoS mitigation firm. A growing threat is DDoS attacks driven by extortionists and technically savvy hackers, which are complicated enough to be difficult to defend against, Lyon said.
"Those attacks tend to be extremely complex because the attackers know that the basic tools so prevalent in the wild aren't as effective because security providers can easily defend against them," Lyon told SearchSecurity.com in a recent interview.
DDoS mitigation has been gaining interest from enterprise IT teams of late. The financial industry has been especially hard hit by DDoS over the last two weeks. JPMorgan Chase and Bank of America both suffered intermittent website problems. U.S. Bank and PNC reported problems with their customer websites Wednesday. The attacks are believed to be originating from a group known as Izz ad-Din al-Qassam Cyber Fighters, a hacktivist group that has been announcing its campaigns on the Pastebin website.
Lyon said some of the DDoS campaigns are layer 7 HTTP attacks that look like real users. Systems that use behavioral analysis and signatures often have to be manually tuned to filter out the right traffic and rule out false positives, he said.
"In order to defend against that specific type of attack you have to have a method in place to determine which traffic is robots and which traffic is humans and be able to implement a filtering rule," Lyon said. "That's where the real challenge is right now."
In this interview, Lyon talks about the transition from extortion-driven DDoS attacks in 2003 to more hacktivist-style attacks, which began in about 2007. Today, hacktivists primarily use social networking to gain enough followers and collaboratively take out websites while a determined individual can rent a botnet or create their own DDoS tool to carry out a targeted attack, Lyon said.
Give us a brief history of DDoS and tell us about Black Lotus:
Jeff Lyon: Black Lotus is a managed availability security firm. We started our company up in 1999. Back then was when the first USCERT advisories came out saying there's this new phenomenon called a DDoS [distributed denial-of-service] attack. About four years after that, attacks really started occurring against the enterprise. Back in 1999 attacks were really against criminal enterprises or against ecommerce or larger start-up companies. Around 2003 is when attacks really started impacting online casinos, poker rooms and that's when extortion became a major target of a DDoS attack. As the years went on, namely about 2007 is when the hacktivism trend began to occur. It stopped being just an extortion tool. It started being used if you didn't like someone or you wanted to tell someone to do something, you could go ahead and use a DDoS attack. Consequently 2007 is where DDoS mitigation became a really big business.
Why do you think there was an evolution from financially motivated DDoS attacks (extortion) to politically motivated or statement-driven attacks?
Lyon: Mainly it's because anonymity is much more prevalent. If you are making a statement against a company or an organization you can use a medium like Twitter or any other type of social media to generate opinions and get people to attack a target. What has happened with Anonymous is that everyone can get together and launch a low orbit ion cannon (LOIC) type of attack. Everyone stays relatively anonymous. It's more of a collective that's making the attack. This is very difficult for law enforcement to wrap their hands around and actually prosecute individuals even though they are undertaking those initiatives. With extortion, they are able to use more traditional tools to investigate the crime because there is a money trail.  It may be difficult to figure out who launched the attack but when there is extortion involved you are able to say this is where the money went after someone made a ransom payment.
Are some hacktivist-driven DDoS attacks making it more difficult for Black Lotus and other DDoS mitigation firms?
Lyon: What we find is that the more common Anonymous type of attacks—the ones you see in the media—are actually relatively easy to defend against. These types of attacks take advantage of the collective and other people making a statement. When you see someone on Twitter announcing a target to attack, what they are doing is trying to take advantage of that company's inability to defend itself against the attack, but it's really not that complex to defend against.  
It seems like a lot of DDoS attacks use fairly unsophisticated methods, flooding websites with malicious traffic that can be easily filtered out, is that the case?
Lyon: The attacks will run the gamut with different technologies in use. The ones we hear so much about, especially the ones that are launched by relatively unsophisticated folks wanting to take part in a protest, are pretty unsophisticated attacks. In order for them to occur the organizers of these attacks have to distribute tools to their followers. Once that tool is distributed then security experts and analysts can take it apart and figure out what needs to be done to defend against that particular type of attack and build those signatures used in mitigation appliances and other security products.
The ones that are extremely difficult are actually not in the realm of hacktivism. They could be extortion attacks. They could be attacks against competitors or they could be hacktivism, but not the mass-media hacktivism we're all so familiar with. Those attacks tend to be extremely complex because the attackers know that the basic tools so prevalent in the wild aren't as effective because security providers can easily defend against them. The attacker must build a tool or use a tool that is lesser known and much more difficult to raise a defense. The one that comes to mind are these layer 7 HTTP attacks that look like real users. No matter what your signature looks like there are attacks coming in that match your legitimate traffic. They look exactly the same. In order to defend against that specific type of attack you have to have a method in place to determine which traffic is robots and which traffic is humans and be able to implement a filtering rule. That's where the real challenge is right now.  
So there are some hacktivist DDoS attacks that can be sophisticated?
Lyon: These will be the hacktivists that are themselves computer hackers. They are very well educated in the use of computers and computer networks. For example you might have a website with a religious or political view that is unpopular with a specific person or specific hacker and that hacker takes a personal interest in taking down that website. That particular type of attack still qualifies as hacktivism. It's still an activist style attack, but not the common type person launching an attack.
How difficult is it for a single person to carry out a fairly sophisticated DDoS attack?
Lyon: If you're not skilled in specifically designing a tool or already active in that realm of trading tools and coding for malicious purposes, your other option is to go to websites or underground forums and essentially buy access to the tools. You can go on a hacker forum and explain you want to attack a website. Someone might come forward and say they control a botnet that has 100,000 systems in it and I'll let you rent that for $10 an hour. It's cheap and easy to launch an attack but the common person may not know how to go about it. Your common person who doesn't know anything about hacking probably won't find these forums and successfully launch an attack.
-----------------------------------------------------------------------------------------------------------
Personal Assessment
What at first seemed like a game has lately intensified. You have probably known the term DDoS since Anonymous; it is basically an overload attack by requests. Although it sounds quite simple, over time, according to the news item, it has intensified in its intellectual aspect.
Attackers now know very well the weapons they are up against and how to defend themselves against the obstacles put up by the companies under attack. Knowing all this, a stronger attack can be achieved, which is why today's companies that believe they may be victims of an attack of this kind must prepare themselves very well. This does not mean assigning one person to check that everything is in optimal condition, but rather having a qualified team to face these attacks.

Microsoft plans to release fix for IE zero-day vulnerability

on Thursday, September 20, 2012

Taken from: http://searchsecurity.techtarget.com
Microsoft said Tuesday that it plans to release a fix for the recently discovered IE zero-day vulnerability.
The fix will be released in the next few days, according to a blog post by Yunsun Wee, director of Trustworthy Computing at Microsoft.
"While we have only seen a few attempts to exploit this issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online," he wrote.
The zero-day flaw affects Internet Explorer 6, 7, 8 and 9, according to security advisory 2757760, issued by Microsoft late Monday.
Security researcher Eric Romang discovered the vulnerability over the weekend. According to researchers at Boston-based Rapid7, users' computers can become infected by visiting a malicious website. They advised users to switch browsers until a security fix is available.
The fix Microsoft will release will be easy to use and will provide "full protection against this issue until an update is available," Wee wrote. Until the fix is available, users should follow the mitigations listed in Monday's advisory, he added.
----------------------------------------------------------------------------------------------------------------------------------
Personal Assessment
Zero-Day, also known as "Day 0", is precisely a period of time in which software can be attacked. When a software solution has just been released, the real testers, the users, take hold of it and the possibility of errors increases. When a hacker finally manages to find a vulnerability, it is known as the Zero-Day vulnerability.
Internet Explorer has been no exception this time and, like its predecessors, versions 6, 7 and 8, version 9 has also fallen to this vulnerability, which Microsoft is starting to deal with as of today.

Which Information Security Services are Most Popular?

on Thursday, September 13, 2012
Taken from: http://www.networkworld.com
Enterprises are increasing their spending on professional and managed security services. According to ESG Research, 58% of security professionals say that their organization’s use of managed and/or professional services for information security has “increased substantially” or “increased somewhat” over the past 2 years.
Just what types of services are they consuming? The list is long and diverse, but according to ESG Research, the top 5 categories are as follows:
• 33%: Security architecture and infrastructure design (i.e. professional/consulting services)
• 30%: Threat intelligence services
• 30%: Network monitoring services
• 30%: Security / risk management / regulatory compliance assessment
• 29%: Web threat management
Beyond this, they are also purchasing services for email security, vulnerability scanning, penetration testing, and staff augmentation amongst other things.
Large organizations typically consume IT services for a number of reasons. At one extreme, they outsource mundane tasks rather than take these on themselves. At the other end of the spectrum, they seek out specialized skills for more esoteric high-value activities. Somewhere in the middle, they purchase services to supplement what they are doing in house. The ESG Research indicates that enterprises are most interested in supplementing internal efforts and paying for outside security expertise.
Given the combination of a security skills shortage and the increasingly sophisticated threat landscape, it is highly likely that the security services segment will see healthy growth over the next few years.

Personal Assessment

As the news item shows, in recent years the growth of companies in charge of information security has been visible. Likewise, we can see that companies choose to acquire third-party services instead of implementing them themselves. This does not mean that they do not take care of the security of their information at all; in one part of the process they take special care to keep information secure.

The latter occurs mostly in large companies, and they pay special attention to certain areas: infrastructure security, threat intelligence services and network monitoring services.

Marcelo Tinelli talked about the hacking of his Twitter account

on Thursday, September 6, 2012

News item taken from Ciudad (www.ciudad.com.ar)



Marcelo Tinelli talked about the hacking of his Twitter account: "Then again, with the password I gave it, I'm a fool..."

The ShowMatch host explained how he experienced the intrusion into his social network account and criticized himself for the "easy password" he used. He also opened up about his relationship with his children. Take a look!

There was much speculation about the supposed computer genius who had hacked Marcelo Tinelli's Twitter account, but Marcelo himself dispelled the intrigue and admitted to having created a password that was very easy to guess. In addition, in the remote segment for Este es el show, the ShowMatch host talked about his current relationship with his children.

Shirtless, at the door of his dressing room at Ideas del Sur, while he was getting changed to record the Bailando galas, Tinelli said: "I've already recovered my Twitter account, it's @cuervotinelli. It was hacked, and then when you report a hack to Twitter, they suspend it for three days. But I'm also a fool... The password I gave it! I'm a moron. I'm not going to say the password, but I'm an idiot. I think even Juanita (his 9-year-old daughter) could have figured it out. It's not that a professional hacker got in; I think a friend of Juanita's got in and that was it...".

After expressing his wish for Magdalena Bravi to continue in Bailando 2012, on seeing Francesca, the newborn baby of Martín Campilongo and Denise Dumas, Marcelo opened up about his relationship with his children. "I'm not thinking about having another child right now, I already have four… I was at the births of all my children. Being able to take them out of the belly of la Flaca (Paula Robles) was beautiful. And at Sole's deliveries, which were by caesarean, too," revealed the owner of Ideas.

But he immediately added: “Being a father is a constant learning process. There are so many things that children teach us. I have changed a lot as a dad. I feel that with my older daughters I have a much deeper and more present relationship than I had before. Juanita is perhaps the one who demands the most for her age; she is pure love”.

About Francisco, he said: “I ran him down for a year for having Twitter, and today I realize that it is a good tool for communicating things and being close to people”.

Evidently, Marcelo Tinelli adapts to the times. Perhaps that is the key to his staying power. Not the key to his Twitter, of course.



Personal Assessment

Here we have a clear example of how quickly a hacker can break into an unprotected account. By unprotected we do not mean that Twitter failed to provide sufficient protection for this account; in this case the fault lies with Marcelo himself for having used a password that is not advisable for accounts of that magnitude. A password that is easy to guess, in whatever medium, will always represent an imminent danger and an open door for hackers who want to do as they please. That is why special care must always be taken with passwords: nothing very personal and nothing very easy to guess.