Category Archives: Uncategorized


The Universal Translator in InsightAppSec and AppSpider

Category : Uncategorized

Providing better support for scanning modern web applications

In the face of constantly evolving web technologies, our engineers have responded to the growing challenge of dynamically testing applications with the Universal Translator. The Universal Translator acts as a bridge between the two key functions of every DAST (dynamic application security testing) tool: discovery of the areas in an application where vulnerabilities can be exploited, and attack, the testing of those areas with inputs that may expose security gaps.

The Universal Translator increases flexibility by decoupling the discovery and attack engines: every attackable input identified by the discovery engine is translated and normalized into a common universal format that the attack engine understands. This makes it possible to apply the same set of attacks to multiple input and data format types.

Still waiting on a “so what?” Long story short, this departure from standard crawling expands your application coverage and lets Rapid7 DAST engineers quickly add support for future web technologies and emerging attack types.

More here: The Universal Translator



The new McAfee Is Extending Our Stride


With McAfee’s spin-off from Intel completed, our focus has turned to growing the business. Our commitment to the strategy articulated more than two years ago remains unchanged. We are determined to deliver an increasingly integrated solution, to deliver on our product roadmap, and to work with both competitors and partners. We are making great progress toward those objectives.

In June, the WannaCry and Petya attacks struck, creating a firestorm of publicity and disrupting business operations around the globe. Among other things, they exposed the continued use of old and unsupported operating systems in critical areas and they laid bare the lax patch-update processes followed by some businesses. These attacks remind us that the best protection is defense in depth, including zero-day protection to not just block but quickly learn about attacks to improve responses. The lead Key Topic in this threats report analyzes WannaCry and its business impact.

McAfee Quarterly Threats Sept-2017

 



Evader by Forcepoint


What is Evader?

The 2017 NSS Labs NGFW Test reveals many of the leading next generation firewalls are vulnerable to Advanced Evasion Techniques (AETs) that can let exploits and malware (including aggressive ransomware attacks like WannaCry) into your network undetected.

With Evader, the world’s premier software-based testing environment for evasions, you can see how well your firewalls and intrusion prevention systems (IPSs) defend against these threats by:

  • Launching controlled AET-borne attacks at network security devices
  • Interactively combining and adjusting evasions
  • Seeing the results immediately

Note: Evader is not a hacking tool or a penetration test intended to transmit arbitrary exploits. It is offered solely for testing and should not be used against any systems outside your environment. Using AETs, Evader tests whether or not a known exploit can be delivered through security devices you specify to a target host.

Schedule a Live Interactive Demo of Evader

 



Tiered Storage, How to Calculate Your Potential Margins


For cloud or managed hosting providers, storage is obviously a key underpinning technology for any cloud or hosting infrastructure. What’s not so obvious, however, is how to productize the storage subsystem in a way that aligns with your ideal business model. And it’s not always clear how your customers want to consume it from you, how your ops teams want to support it, and how your CEO wants to report the sales to your board.

We have learned over the past five years that there are many ways to address most of these business challenges, but the discussion about storage tiering never seems to go away.

The good news is that with the quality-of-service (QoS) capabilities at the core of all NetApp® SolidFire® storage architectures, we can develop models that simulate pretty much any type of tiering. The Fueled by NetApp consulting team is available to help you develop the right deployment scenario to support your margin requirements and your customer consumption demands, and to do it predictably and consistently.

Our experienced consultants ideate with you to plan the right tiering model for your business strategies, including, but not limited to:

  • Fixed performance and variable capacity
  • IOPS/GB performance tiering (simulating legacy storage arrays)
  • Avoidance of tiers completely by simply charging for IOPS and gigabytes independently
  • An a la carte offering for which you can sell performance and capacity resources independently, as your customer wants

To get you thinking about the many deployment options, we created a very simple but representative sample storage tiering calculator.

Learn how to build your cloud hosting infrastructure and start monetizing storage today. To get into a deeper discussion about storage tiering, margins, and service differentiation, contact the Fueled by NetApp service provider consulting team. Our industry experts will walk you through what we see other service providers in the industry do with storage tiering, and they will help guide you on your go-to-market journey.

Source: https://blog.netapp.com/blogs/tiered-storage-how-to-calculate-your-potential-margins/

Author: Stuart Oliver



Pulse Secure Access Solution Presented by Drawing a Whiteboard Diagram


Webinar recording, 60 mins, presented by Graham Duthie.

In this webinar we’ll show you how to tell the Pulse Secure Access story by building up a whiteboard diagram. We include each of our products, including the recently acquired virtual Application Delivery Controller (vADC), and explain how they fit with the Secure Access strategy. This can be a great way to introduce Pulse to new prospects and is an ideal opener before diving into the detail of the individual products.



Rapid7 CEO, Rethink IT and Security Organizational Structures


Companies are under constant pressure to innovate in today’s fast-paced business environment. That might mean creating a better product, improving efficiency, or creating a better customer experience. Unfortunately, the security function tends to be separate from the innovation process or, worse, after the innovation has created a new vulnerability.

That problem will persist unless companies rethink their organizational structures around IT and security. That’s the message that Rapid7 CEO Corey Thomas is delivering in his keynote today at the company’s United 2017 event in Boston. He believes that IT and security teams can work together effectively to innovate, create a better user experience, and adopt new technology without increasing the vulnerability surface.

Thomas sees security and IT functioning separately in most organizations. “Siloes are killing the organization,” says Thomas in an exclusive interview with CSO. “Breaking down the siloes and engineering automation solutions to solve some of the persistent vulnerabilities is a solvable problem.”

Organizational siloes that keep security at arm’s length don’t work. How many times have we seen these stories play out?

  • Company X releases a new, innovative product that meets with some initial success. Later, hackers find a vulnerability that could have been easily addressed during the development process. Company X scrambles to fix the problem and salvage its credibility.
  • Company Y rolls out a web application that collects customer data. Weak authentication allows data thieves access to customer information. That’s when the security team learns about the app’s existence.
  • Company Z migrates key data to the cloud. IT manages the migration but does not adequately involve security. Key questions go unasked, and as a result, improper configuration leaves the data exposed.

“The prevailing assumption is that you innovate first and add security later,” says Thomas. “People believe that security slows down innovation. They also don’t necessarily know the right security vectors, and there is a small kernel of truth to that.”

Thomas adds that it is assumed that any new technology you create will have some unforeseen vulnerability. He believes the way to address that is build update mechanisms into the technology. “By doing that you improve the long-term security of the technology as well as the user experience.”

“We live in a technology system that is highly fragmented. Security is best addressed if you have a holistic, integrated view of both the environment and the assets,” says Thomas. “Organizational structure that’s dominated by a siloed view of the world and siloed operations creates not only a negative IT user experience, but also a poor security experience. Functional siloes are the primary reason that organizations get complaints from so many of their users about the experience they’ve created, and why you have so much finger pointing.”

How should IT and security work together?

IT and security clearly need to work well together, but that will be difficult if they don’t understand each other. “It is impossible to have both IT and security function well without each having the context of the other,” says Thomas. Just passing security vulnerabilities “over the wall” to the IT team is an inefficient process that no longer works, he adds. Thomas cites organizations having success embedding security in core operations. “You see some success in the devops world where some innovators look at how they build security into the development process.”

“Security cannot be successful separate of IT. The ability to have an integrated view and apply security and IT operations closer together is key to having success,” Thomas says.

Thomas believes that communication and collaboration between IT and security are important, but cautions against seeing that alone as a solution. “In some ways, [focusing on communication and collaboration] is a distraction, because it gives in to this notion that you can treat security as an appendage,” he says. “I can have IT processes that are inefficient and don’t work. I can have escalating vulnerabilities in my environment because my attack surface continues to expand as I deploy technologies faster than I manage them. And it’s fine because I just need to communicate technologies that are deploying into the security team.”

“If you have not designed a process that allows you to update and maintain secure technology as it’s deployed, even if you communicate, you’re still going to be behind. Communication and collaboration are absolutely important, but they are not the root cause of the problem.”

What can an integrated IT/security organization do to foster innovation?

In his United 2017 keynote address, Thomas lists four skills that an integrated IT and security organization needs to excel at:

  • Mastery of data is required to understand the environment, the service experience and the risk profile, and to identify attacker behavior.
  • Mastery of user and customer experience is about understanding not just the needs of the organization but the type of experiences that make those needs not just achievable but highly likely.
  • Mastery of integration is the realization that we don’t create experiences from scratch, but rather extend, leverage, and build on other products and services.
  • Mastery of automation is about developing the capacity to manage and maintain systems that expand and morph at fast rates.

“This is a very different set of skills than what our organizations thrive at today,” Thomas said in his keynote address, “but many of our society’s biggest challenges have demanded that we think differently and try new approaches.”

He notes that the same data used to troubleshoot an environment from a security perspective—collect log data, do forensics across the environment, identify what applications and users are affected—is the same data used to troubleshoot performance issues or which of your assets need to be updated. “An integrated view of the environment will ensure that you have the right data to serve all those domains well,” Thomas says.

Thomas encourages security professionals to find opportunities to participate in the innovation process. “Innovation tends to happen in clusters. The extent to which you have people on that journey together really matters,” he says. “Security has done a good job of that historically.”

Two other opportunities for security professionals might be more of a challenge. The first is generating and contributing to data mastery and organization. “Lots of security practitioners tend to create their own data siloes, which contributes to lack of mastery of information and data that’s so critical with the types of challenges that we face,” says Thomas. “Security practitioners can very much contribute and engage here.”

Second, shift focus to addressing root causes of security problems. “Poor management practice and technology management practices are the root cause of so many security vulnerabilities that organizations have,” says Thomas. “That can be addressed through better engineering and automation processes around updating, configuring, and controlling the environment.”

Thomas doesn’t see any company operating with fully, holistically integrated IT and security yet, although a number are on that path as they question some of the foundational assumptions they have about how they operate and organize their technology groups.

“It’s repeated events that change behavior,” says Thomas. “Most people throw technology at [security problems] for a while, and then something really bad still happens. That’s when they do a reassessment. That’s how some of the early movers in this space start to experiment with different ways in how they run and operate their technology operations.”

Source: https://www.csoonline.com/article/3224473/security/rapid7-ceo-rethink-it-and-security-organizational-structures.html



Identity Fraud Is Everywhere, Here’s How to Improve Market Fraud Scoring Systems


A particular type of fraud has emerged in various countries. In markets where prepaid subscriber rates are high and SMS OTP (one-time password) mechanisms are still heavily used by banks and service providers, criminals have seized on weaknesses in the existing process for renewing a subscription via a SIM card swap. It can be difficult for Mobile Network Operators to enforce restrictive rules verifying the identity of the user when a SIM is changed, which means that fraudsters can pose as the subscriber and request a SIM replacement, claiming to have lost their mobile phone.

To illustrate the problems involved, take a look at this example. Chris was sitting in his Nottingham home a fortnight ago when his iPhone suddenly stopped working. Within 75 minutes the fraudsters who had hijacked his phone number had, through his online banking app, emptied his bank account of £1,200 and applied for an £8,000 loan in his name. Chris is just the latest victim of a financial scam that is sweeping Britain: SIM-swap fraud.

But what is SIM swap fraud?

  • The fraudster gathers data on a bank customer through “phishing” or “social engineering” to gain access to their online/mobile banking portal.
  • With this data, the fraudster contacts the victim’s mobile operator to get the SIM card replaced and/or to change Mobile Network Operator while keeping the same mobile number.
  • With a new SIM and the same mobile number, the fraudster receives the bank’s account authentication codes and/or payment transaction codes (SMS OTP).
  • The fraudster is now free to log in, create a new beneficiary account, and transfer and withdraw money.

SIM swap is becoming an increasingly common source of fraud. The Asia Pacific, North American and Indian markets are seeing the most cases, but the phenomenon is global: many countries (UAE, Brazil, Colombia, South Africa, Singapore, Germany and the UK, to name only a few) have reported SIM swap fraud cases, driven by the need to fast-track enrollment to capture potential new customers while proper identity verification for mobile subscribers is still not enforced.

The mobile phone has become not only a ubiquitous extension of our daily life but also a key piece of our identity, allowing banks to identify us and authorize credit cards, online transactions and cash withdrawals. That is why mobile has also become the main target for criminals.

Clearly, SIM-Swap fraud is a growing problem that needs to be stopped, and we need to address it with strong, secure solutions. One solution banks are looking at is to reinforce the end user’s identity verification process in order to improve risk assessment and respond better to fraud.

This solution cannot rely only on data coming from the mobile network operator’s provisioning system; that alone is not sufficient to properly inform the bank’s risk assessment engine.

To optimize risk assessment, it is important to establish a set of guidelines that cover multiple conditions or sources of information.

What if banks could get access to real time mobile operator network information to protect the end-user account?

This would include knowing about SIM and device swaps, but also access to roaming and location data and, if needed, device specifics, user behavior analysis, IP intelligence and geolocation, among others. Everything would be collected securely and always with the end user’s consent.

To show how such a solution would work, imagine a user is asked to validate a transaction with a one-time password sent to their mobile device. The solution gives the bank real-time insight into whether, and when, the SIM behind that number was last swapped.

The bank can then decide whether the targeted mobile subscriber falls into a fraudulent-behavior category and whether any further authentication is required (a customer care call or a step-up authentication mechanism). If a customer’s mobile account has been taken over, the bank can take appropriate action before the fraudsters can withdraw funds, change passwords or set themselves up as a new beneficiary for payments.

What about subscriber consent?

Managing user consent in compliance with privacy-by-design regulations is becoming mandatory in many countries. Implicit consent can be covered by the bank’s contract in some cases, but explicit consent is increasingly requested by market regulators and requires the user’s digital consent before the bank or service provider makes further use of the data.

A good way to manage explicit subscriber consent is through the mobile digital channel.

Once consent has been obtained from the subscriber, guidelines can be set based on opt-in models.
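As an added illustration (not code from the original post or from Gemalto), here is a small Python risk engine for the flow described above: it combines the bank's own signals with the operator signals (SIM swap date, device change, roaming), uses the operator data only when the subscriber has opted in, and chooses between sending the SMS OTP, stepping up, or blocking. All weights, windows, thresholds and the sample scenario are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Weights, windows and thresholds are constructed for this example; the post gives none.
SIM_SWAP_WINDOW = timedelta(days=7)
DEVICE_CHANGE_WINDOW = timedelta(days=3)
STEP_UP_THRESHOLD = 40   # require a non-SMS factor (customer-care call, app step-up)
BLOCK_THRESHOLD = 80     # hold the transaction for review


@dataclass
class OperatorSignals:
    """Real-time network data the post proposes a bank could obtain (with consent)."""
    last_sim_swap: Optional[datetime]       # None: no swap on record
    last_device_change: Optional[datetime]  # None: device never changed
    roaming: bool
    network_country: str                    # country of the serving network


@dataclass
class TransactionContext:
    """What the bank already knows when it is about to send an SMS OTP."""
    amount: float
    home_country: str
    login_ip_country: str
    new_beneficiary: bool      # paying a beneficiary created in this session
    consent_opt_in: bool       # subscriber's explicit opt-in to operator data use
    now: datetime


def score_transaction(ctx: TransactionContext,
                      sig: Optional[OperatorSignals]) -> Tuple[int, List[str]]:
    """Combine bank-side signals with operator signals (the latter only if consented)."""
    score, reasons = 0, []
    if ctx.new_beneficiary:
        score += 20; reasons.append("new beneficiary in the same session")
    if ctx.amount >= 1000:
        score += 10; reasons.append("high amount")
    if ctx.login_ip_country != ctx.home_country:
        score += 10; reasons.append("login IP outside home country")
    if ctx.consent_opt_in and sig is not None:
        if sig.last_sim_swap and ctx.now - sig.last_sim_swap < SIM_SWAP_WINDOW:
            score += 50; reasons.append("SIM swapped within the last 7 days")
        if sig.last_device_change and ctx.now - sig.last_device_change < DEVICE_CHANGE_WINDOW:
            score += 15; reasons.append("device changed within the last 3 days")
        if sig.roaming and sig.network_country != ctx.login_ip_country:
            score += 15; reasons.append("roaming country differs from login IP country")
    return score, reasons


def decide(ctx: TransactionContext, sig: Optional[OperatorSignals]) -> str:
    """'sms_otp' (proceed), 'step_up' (extra non-SMS check) or 'block'."""
    score, _ = score_transaction(ctx, sig)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "sms_otp"


def demo() -> dict:
    """Constructed scenario shaped like the post's example: the number's SIM was
    swapped an hour ago, then a large transfer to a freshly added beneficiary."""
    now = datetime(2017, 9, 4, 12, 0, tzinfo=timezone.utc)
    ctx = TransactionContext(amount=1200.0, home_country="GB", login_ip_country="GB",
                             new_beneficiary=True, consent_opt_in=True, now=now)
    sig = OperatorSignals(last_sim_swap=now - timedelta(hours=1),
                          last_device_change=now - timedelta(hours=1),
                          roaming=False, network_country="GB")
    no_consent = replace(ctx, consent_opt_in=False)   # operator data may not be used
    return {
        "with_operator_score": score_transaction(ctx, sig)[0],       # 95
        "with_operator_data": decide(ctx, sig),                       # "block"
        "bank_only_score": score_transaction(no_consent, sig)[0],    # 30
        "bank_data_only": decide(no_consent, sig),  # "sms_otp": the OTP would reach the new SIM
    }
```

The two outcomes of `demo()` show why the post insists on both the operator feed and the consent model: with bank-side data alone the same transfer sails through to an SMS OTP that the fraudster now receives.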

Preventing SIM-Swap fraud is really all about stopping that problem at the source, which means making it as difficult as possible for fraudsters to lie about who they are to phone operators and financial institutions.

Are you facing this problem? What solution are you thinking of putting in place?

Source: https://blog.gemalto.com/mobile/2017/09/04/identity-fraud-improve-market-fraud-scoring-systems/

Author: Stéphanie Viriot



Blockchain Versus the GDPR


The EU’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018. It will require all businesses that process EU citizens’ personal data to take lots of measures to protect their privacy. The GDPR also provides EU citizens with a right to erasure: to be able to require that businesses holding their data irrevocably erase the data upon request (also known as the “right to be forgotten”). This right is not absolute and has many exceptions (archiving in the public interest, public health purposes, etc.). But this may end up putting the GDPR on a collision course with blockchain technologies in unexpected ways.

Once data is written to a blockchain, it can be essentially impossible to erase it. This is actually considered a desirable feature of blockchains, but it also may make it impractical—perhaps even impossible—to delete personal data of an EU citizen from a blockchain. And this property of a blockchain is something that simply cannot be altered by legislation.

In the case of the blockchain that the Bitcoin cryptocurrency uses, for example, adding blocks to the chain is the result of performing a significant volume of computations on certain cryptographic calculations. Once a result is accepted as being part of the Bitcoin blockchain, replacing it requires a prohibitive amount of computing power.

Deleting or editing a block that is N blocks back from the end of the Bitcoin blockchain requires an industrious Bitcoin miner to do more work than it took to add all N of those blocks to the blockchain, and this work must be completed before a miner adds the next block. Even for blocks that are close to the end of the chain, this is extremely difficult; for blocks that have been on the blockchain for a significant length of time, it is essentially impossible.
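An added toy proof-of-work chain (example code, not from the article and not Bitcoin's implementation) that makes the point above concrete: editing one block and re-mining only it leaves the chain invalid, because every later block commits to the old hash, so a real edit means re-mining every block from that point to the tip. The difficulty and the payloads are constructed assumptions, far below Bitcoin's.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Constructed toy parameters: 12 leading zero bits (about 4,096 hashes per block on
# average) instead of Bitcoin's far higher difficulty.
DIFFICULTY_BITS = 12
GENESIS_PREV = "0" * 64


@dataclass
class Block:
    prev_hash: str
    data: str
    nonce: int
    hash: str


def block_hash(prev_hash: str, data: str, nonce: int) -> str:
    """The hash commits to the previous block's hash, so editing any block changes
    the hash of every block after it."""
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()


def meets_target(h: str) -> bool:
    return int(h, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(prev_hash: str, data: str) -> Tuple[Block, int]:
    """Search nonces until the hash meets the target; return the block and hashes tried."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, data, nonce)
        if meets_target(h):
            return Block(prev_hash, data, nonce, h), nonce + 1
        nonce += 1


def build_chain(payloads: List[str]) -> Tuple[List[Block], int]:
    chain, prev, work = [], GENESIS_PREV, 0
    for p in payloads:
        b, tried = mine(prev, p)
        chain.append(b)
        prev, work = b.hash, work + tried
    return chain, work


def validate(chain: List[Block]) -> bool:
    """Every block must link to its predecessor and carry a valid proof of work."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != prev or b.hash != block_hash(b.prev_hash, b.data, b.nonce):
            return False
        if not meets_target(b.hash):
            return False
        prev = b.hash
    return True


def tamper(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Edit one block's data and re-mine only that block: the cheap 'erasure'."""
    out = list(chain)
    out[index], _ = mine(out[index].prev_hash, new_data)
    return out


def rewrite_from(chain: List[Block], index: int, new_data: str) -> Tuple[List[Block], int]:
    """Edit block[index] and re-mine every block from there to the tip; returns the
    rewritten chain and the total hashes tried, i.e. what the edit really costs."""
    out, work, prev = list(chain[:index]), 0, chain[index].prev_hash
    for p in [new_data] + [b.data for b in chain[index + 1:]]:
        b, tried = mine(prev, p)
        out.append(b)
        prev, work = b.hash, work + tried
    return out, work


def demo() -> dict:
    """Constructed chain of six personal-looking records, then an attempt to erase one."""
    chain, build_work = build_chain([f"record {i}: alice pays bob" for i in range(6)])
    edited = tamper(chain, 1, "record 1: [erased]")
    rewritten, rewrite_work = rewrite_from(chain, 1, "record 1: [erased]")
    return {"original_valid": validate(chain), "tamper_only_valid": validate(edited),
            "rewritten_valid": validate(rewritten), "rewritten_data": rewritten[1].data,
            "blocks_redone": len(chain) - 1, "build_work": build_work,
            "rewrite_work": rewrite_work}
```

In the demo the eraser has to redo five of the six blocks' worth of mining, and on the real network that work must also outrun every honest miner still extending the original tip.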

But the information on the Bitcoin blockchain is just information about transfers of Bitcoins from one user to another user, and these users are essentially just identified by a particular public key. Can information that anonymous really be a threat to someone’s privacy?

Quite possibly.

It turns out to be very hard to make data of any kind truly anonymous. Instead, the best that we can do is make it pseudonymous. If we know nothing at all about a person’s identity, he or she has perfect anonymity but absolutely no accountability. If we know everything about a person’s identity, then we have perfect accountability but absolutely no anonymity. Pseudonymity is the range of possibilities between these two cases (including both of the extremes), so it may be useful to think of it as implementing a trade-off between anonymity and accountability. Most personal information falls between the two extremes, even if the data is strongly protected.

For example, the very fact that a person is a citizen of France reveals some information about him because only about nine percent of EU citizens are French. Or the fact that a person has an account at a particular bank reveals some information about him: of the roughly 750 million EU citizens, only a small fraction probably have an account at any particular bank.

Perfect anonymity is very uncommon, perhaps even impossible. Most cases of what we think of as anonymity are more appropriately considered to be a form of pseudonymity, and many forms of anonymization of personal information are more appropriately considered to be forms of pseudonymization.

Research suggests even anonymized data is enough to uniquely identify many people. A good example of this can be found in “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata.” This paper describes how researchers looked at three months of credit card records for 1.1 million people and found that they could uniquely identify 90 percent of individuals from just the date and location of only four of their credit-card transactions. Women and more affluent customers were even easier to identify because their purchases had even more structure than average.
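An added Python sketch of the unicity measure the cited study uses (example code, not the paper's or the article's), run on constructed synthetic purchase data: it asks how many users are pinned down by four of their own (day, shop) points, and how much a coarsening step (week and region instead of day and shop) changes that. The dataset sizes and the coarsening rule are assumptions.

```python
import random
from collections import defaultdict
from typing import Callable, Dict, Hashable, List, Tuple

Point = Tuple[int, int]   # (day index, shop id)


def make_dataset(n_users: int = 200, n_days: int = 90, n_shops: int = 50,
                 txns_per_user: int = 30, seed: int = 1) -> Dict[int, List[Point]]:
    """Constructed synthetic records: each user has uniform-random (day, shop) purchases.
    Real purchase data is more structured, so real unicity is, if anything, higher."""
    rng = random.Random(seed)
    return {u: [(rng.randrange(n_days), rng.randrange(n_shops)) for _ in range(txns_per_user)]
            for u in range(n_users)}


def unicity(data: Dict[int, List[Point]], p: int = 4,
            generalise: Callable[[Point], Hashable] = lambda t: t, seed: int = 2) -> float:
    """Fraction of users whose p randomly chosen (generalised) points match no other user.
    The 'identifier' is not a name but a handful of the user's own when/where points."""
    rng = random.Random(seed)
    views = {u: {generalise(t) for t in txns} for u, txns in data.items()}
    owners = defaultdict(set)                  # point -> users who have that point
    for u, pts in views.items():
        for pt in pts:
            owners[pt].add(u)
    unique = 0
    for u, pts in views.items():
        sample = rng.sample(sorted(pts), min(p, len(pts)))
        matches = set.intersection(*(owners[pt] for pt in sample))
        if matches == {u}:
            unique += 1
    return unique / len(views)


def coarse(t: Point) -> Point:
    """A pseudonymisation step: keep only the week and a 10-shop 'region'."""
    day, shop = t
    return (day // 7, shop // 10)


def demo() -> dict:
    data = make_dataset()
    return {"exact_day_and_shop": unicity(data),
            "week_and_region": unicity(data, generalise=coarse)}
```

Even with purely random purchases, four exact points single out almost everyone; coarsening helps, but it trades away exactly the structure that makes the data useful, which is the trade-off the article's pseudonymity spectrum describes.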

Even anonymous credit card transactions are enough to uniquely identify many people, so it is not hard to believe that anonymous Bitcoin transactions are also enough to uniquely identify many people. And because of this, it is not hard to imagine a situation in which EU regulators decide that the Bitcoin blockchain is a violation of the GDPR. But it is also hard to imagine that they will be able to do anything about it.

This article originally appeared in the August 2017 issue of ISSA Journal.

Source: https://www.voltage.com/blockchain/blockchain-versus-gdpr/

Author: LUTHER MARTIN



Retail Network Security Trends and Threats Report


In this webcast Michael Osterman will share the results of a large survey focused on large retail organizations undertaken by Osterman Research on behalf of Forcepoint. The research finds the top trends and pain points that IT and security professionals face as they attempt to protect their organizations from the growing variety of threats that can steal data, compromise retail systems, and exfiltrate funds from corporate systems.

Register now.



Circumventing Application Whitelisting and Misplaced Trust


Application whitelisting has been an advantageous technique to harden an organization’s endpoints against malware, unlicensed software, and other unknown or unauthorized software. When properly configured, whitelisting certainly has its benefits as it controls which applications and scripts can run and execute. However, traditional whitelisting technologies will limit the user to a binary ‘allow/deny’ mode. This approach may work just fine for smaller organizations that have only a handful of applications, but in large enterprises, this can be extremely challenging to support. The organization would need to either ‘allow the unknown’ and open themselves up to unnecessary risk – or – ‘deny the unknown’ and deal with disgruntled users and operational issues.

Attackers increasingly have sophisticated techniques. If an organization has something of significant value to attackers, then you can certainly expect that they’ll find ways to circumvent application whitelisting policies. Heuristic-based detection and scanning methods can help supplement a risk mitigation strategy against attacks initiated by these bypassing techniques – but – is that really enough to keep up with the very skilled and sophisticated cyber attackers that we see today? A defense in depth strategy at the endpoint with multiple layers of security controls is needed.

Misplaced Trust

When an organization leverages only the free and rudimentary tools for IT administrators to define which applications can and cannot be executed, it inadvertently becomes more susceptible to attacks that originate on the endpoint. Furthermore, trusting every binary signed by the operating system vendor comes with a certain level of risk. Over the years, researchers have come across many such executable files that can very easily bypass some of these basic tools with relatively simple commands and run arbitrary scripts; some were even able to fetch files and communicate over the internet, which is not good! These free tools can be a great foundational resource, but additional security controls are needed to improve an organization’s security posture.

Reality Meets Application Control

Expecting your IT administrator to be aware of all the applications that exist within a larger organization is unrealistic and nearly impossible in practice. Moreover, analyzing these applications and identifying which should be allowed to execute and which should be denied is equally as challenging. When an organization enables an application control solution, it often takes a whitelisting approach and therefore must specify exactly what is to be trusted. The most common tactic is to trust every binary that is signed off by the operating system vendor – but – not all processes (e.g. child processes) that originated from the trusted process are considered to be fully trustworthy. This is particularly important when you consider the techniques of modern malware that leverage tools like PowerShell to pull code (e.g. Mimikatz) from online source code repositories and execute in memory – thereby bypassing many Anti-Virus, malware detection or whitelisting solutions. Being limited to only ‘allowing’ or ‘denying’ within PowerShell is certainly not the ideal situation.

A more proactive approach is to provide application “greylisting” which allows lesser known applications to run in a restricted mode based on policy whereby they are allowed to run but are for example, denied access to the internet, unable to spawn processes and forced to run at a lower privilege. Operating in a restricted mode allows flexibility to the end user but prevents the applications from accessing corporate resources and system resources as part of a targeted attack.

CyberArk Provides Defense in Depth for Application Control

CyberArk Endpoint Privilege Manager delivers several layers of security beyond what some of the basic UAC and software restriction tools can provide, and in so doing is aligned with guidance from NIST Special Publication 800-167, Guide to Application Whitelisting. With CyberArk Endpoint Privilege Manager, users can define whitelists and greylists with flexible rules based upon any combination of various file parameters, not just those based on the file hash, path or publisher (which can easily be sidestepped by a few simple actions). With Endpoint Privilege Manager, an IT organization can provide the level of granularity that allows specific users on specific machines to run PowerShell with a pre-defined level of privilege (e.g. standard user, specific privileges [i.e. a custom token], etc.).

Additionally, Endpoint Privilege Manager also supports a full range of trusted sources, providing the ability to manage a very large number of the executables within larger-sized organizations (e.g. any file distributed by a corporate software distribution system like System Center Configuration Manager could be defined as a trusted source just by one simple rule). Lastly, this solution provides deep integrations with third-party file reputation systems to help IT administrators determine legitimate applications versus what’s considered to be potentially harmful. The image below shows Endpoint Privilege Manager blocking an unknown .vbs script from running on the endpoint, by using Bginfo.exe (a known executable file signed by the OS vendor that can bypass whitelisting) as the executable host:
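An added policy evaluator (example code, not CyberArk's product logic or rule format) that applies the points made in the three preceding sections: whitelist by hash or trusted distribution source, judge a vendor-signed binary that is only hosting a script by the script rather than the host, greylist unknown binaries into a restricted mode, and never let a child inherit its parent's trust. Paths, hashes, the signer name and the Bginfo.exe command line are constructed placeholders, not real syntax.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed policy data for the example; not CyberArk's rule format or defaults.
OS_VENDOR_SIGNER = "Microsoft Corporation"
TRUSTED_SOURCES = ("\\\\corp-sccm\\pkgs\\",)          # corporate distribution share
WHITELIST_HASHES = {"sha256-placeholder-approved-tool"}
DENY_HASHES = {"sha256-placeholder-known-bad"}
SCRIPT_EXT = re.compile(r"\.(vbs|js|ps1|bat|cmd)$", re.IGNORECASE)
GREYLIST = frozenset({"no_network", "no_child_processes", "standard_user_token"})


@dataclass
class ProcessEvent:
    image: str                            # full path of the executable
    sha256: str                           # placeholder hash string
    signer: Optional[str]                 # Authenticode publisher, None if unsigned
    cmdline: str = ""
    script_sha256: Optional[str] = None   # hash of a script named on the command line


@dataclass
class Verdict:
    action: str                           # "allow" | "restrict" | "deny"
    reason: str
    restrictions: FrozenSet[str] = frozenset()


def _under(path: str, prefixes) -> bool:
    return any(path.lower().startswith(p.lower()) for p in prefixes)


def hosted_script(ev: ProcessEvent) -> Optional[str]:
    """Return a script file named on the command line, if any (simple tokenizer)."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', ev.cmdline):
        tok = quoted or bare
        if SCRIPT_EXT.search(tok):
            return tok
    return None


def evaluate(ev: ProcessEvent, parent: Optional[Verdict] = None) -> Verdict:
    """Decide on a process from its own attributes. The parent's trust is never
    inherited; only the parent's restrictions flow down the process tree."""
    if parent and parent.action == "restrict" and "no_child_processes" in parent.restrictions:
        return Verdict("deny", f"greylisted parent may not spawn children ({parent.reason})")
    if ev.sha256 in DENY_HASHES:
        return Verdict("deny", "hash on deny list")
    if ev.sha256 in WHITELIST_HASHES:
        v = Verdict("allow", "hash whitelisted")
    elif _under(ev.image, TRUSTED_SOURCES):
        v = Verdict("allow", "from trusted distribution source")
    elif ev.signer == OS_VENDOR_SIGNER:
        script = hosted_script(ev)
        if script is None:
            v = Verdict("allow", "signed by OS vendor")
        elif ev.script_sha256 in WHITELIST_HASHES or _under(script, TRUSTED_SOURCES):
            v = Verdict("allow", "signed host running an approved script")
        else:
            # The vendor signature vouches for the host binary, not for what it runs.
            v = Verdict("deny", f"signed host {ev.image} would run unknown script {script}")
    else:
        v = Verdict("restrict", "unknown binary greylisted", GREYLIST)
    if parent and parent.action == "restrict" and v.action == "allow":
        v = Verdict("restrict", f"inherits parent restrictions ({parent.reason})",
                    parent.restrictions)
    return v


def demo() -> dict:
    """Constructed events; the Bginfo.exe command line is illustrative, not real syntax."""
    notepad = ProcessEvent("C:\\Windows\\System32\\notepad.exe", "h1", OS_VENDOR_SIGNER)
    pkg = ProcessEvent("\\\\corp-sccm\\pkgs\\agent\\setup.exe", "h2", None)
    unknown = ProcessEvent("C:\\Users\\bob\\Downloads\\tool.exe", "h3", None)
    bginfo = ProcessEvent("C:\\Tools\\Bginfo.exe", "h4", OS_VENDOR_SIGNER,
                          cmdline='"C:\\Tools\\Bginfo.exe" "C:\\Users\\bob\\Downloads\\unknown.vbs"',
                          script_sha256="h5")
    pwsh = ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                        "h6", OS_VENDOR_SIGNER)
    unknown_v = evaluate(unknown)
    return {"notepad": evaluate(notepad).action, "sccm_package": evaluate(pkg).action,
            "unknown_tool": unknown_v.action,
            "unknown_tool_restrictions": set(unknown_v.restrictions),
            "bginfo_vbs": evaluate(bginfo).action,
            "powershell_from_unknown": evaluate(pwsh, parent=unknown_v).action}
```

Note the last case: powershell.exe is vendor-signed and would be allowed on its own, but because its parent is a greylisted unknown binary the spawn is refused, which is the "child processes are not automatically trusted" rule in practice.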

Minimizing the endpoint attack surface is top of mind for all IT Security teams and taking a layered approach in securing your endpoints by coupling both privilege management and application control is an essential step in stopping common endpoint attack vectors that organizations often fall victim to.  Our CyberArk Labs Team has demonstrated that a combination of privilege management and application control is 100% effective in protecting against both ransomware and unknown malware.


Source: https://www.cyberark.com/blog/circumventing-application-whitelisting-misplaced-trust/

