Archive | Editorial Articles RSS feed for this section

2015 InfoSec Trends You Should and Shouldn’t Worry About

2015 Security PredictionsWe’re rushing headlong into the end of the year, which means it’s that time againtime to pull out my crystal ball for WatchGuard’s annual security predictions.

We actually already released next year’s security predictions last week. You can read our press release about them (which includes a shortened version of the predictions) or check out this cool and succinct infographic. In fact, you can even watch a recording of my one-hour prediction presentation. However, for the folks who prefer to read, I’ve gone ahead and posted the longer version of my predictions below.

Also, we decided to do things a bit differently this year. As security professionals we spend a lot of our time looking for trouble and expecting the worse. And in 2014, there were lots of vulnerabilities and threats to be found such as Heartbleed, Regin and Operation Cleaver. However, rather than just focusing on which threat trends you should worry about the most, we thought it might be useful to also share some over-hyped trends, which may not affect you. Hence, five predictions you need to prepare for in 2015, and five you don’t.

Top Five Things NOT to Worry About:

  1. The Internet of Everything Will NOT Bring a Rise of Machines:  Lately, information security (infosec) pundits, myself included, have warned the world about the dangers posed by the thousands of embedded computing devices popping up in stores, which we call the Internet of Things (IoT) or the Internet of Everything (IoE). Things like watches, cameras, Smart TVs, and much more, don’t look like computers, but they are, and we connect them to the same networks as our computers.

As a result, these devices can have the same potential security flaws as traditional computers, and we will see researchers find and demonstrate these flaws. That said, we won’t see malicious cyber criminals hacking these IoT devices at a large scale in 2015. Today’s cyber criminals typically don’t just hack for the heck of it—they need motive. There’s not much value to having control of your Smart watch or TV, so we won’t see hackers targeting them directly… yet. However, these IoT devices do increase the amount of ways we share data with the cloud. Though attackers probably won’t target the IoT next year, they will go after all the personally identifying information (PII) that our computing devices spew into the cloud.

  1. Cloud Adoption Will NOT Continue its Stratospheric Climb in 2015: Security pundits have always been a bit suspicious and slow to adopt certain cloud services, especially when the service requires you to share sensitive data with an external cloud vendor, or give up some control. Despite this, businesses have quickly and widely adopted many cloud services, presumable because they offer so much business advantage. For instance, web hosting and email have become services many companies choose to host elsewhere.

However, this cloud adoption will slow and plateau in 2015. Snowden has made the world aware that nation states intercept information from cloud services, and incidents like “The fappening” prove that the things we share with “the cloud” can leak. Between the “Snowden effect” and a number of popular cloud services leaking data, organizations will be more concerned with where they put certain sensitive information.  This doesn’t mean businesses will stop using the cloud where it makes sense. It just proves that we can’t put everything in the cloud. Administrators should consider security controls that help in this hybrid environment; controls that help them manage their network perimeter alongside of their cloud resources.

  1. Passwords Will NOT Die in 2015, or 2016, or 2017…: Over the past few years, the industry has suffered a number of password-related security incidents; both attackers stealing them en masse, and hackers hijacking high profile accounts. These incidents often illustrate that common folk still use bad passwords and that our reset mechanisms are weak. As a result, many in the industry have predicted passwords will die.

There’re two faults with this logic; first, they overlook the core cause of the issue and, second, we haven’t found a viable alternative. When bulk password thefts happen, the passwords aren’t at fault; rather the fault lies with that lack of security of the organization maintaining them. Furthermore, we haven’t found a perfect replacement for passwords. Biometrics are neat, but fingerprints can get stolen too, and once they are, you can’t ever change them. A better prediction for next year is two factor authentication will become ubiquitous online, and passwords will remain as one of the two factors.

  1. Secure Design Will NOT Win over Innovation: It’s easy to love new technology and gadgets and the innovations they introduce to our lives, making things easier and more delightful. However, humanity’s known for notoriously diving head first into innovation technology without considering the potential consequences. More specifically, security is usually the last thing on our minds when we innovate. This means the newest, most innovative technologies often arrive rife with vulnerability.

This won’t change in 2015. In order to invent, and push boundaries, we must take risks. That means security will continue to take a back seat to innovation. That doesn’t mean innovation is a bad thing. We should welcome technologies that make our lives easier. However, it does mean that you, as a security professional, have the tough job of weighing the operational benefits of new technologies against their potential security risks. While infosec professionals cannot afford to become a roadblock against innovation, we also can’t let insecurity creep into our networks under the guise of “good” business.

  1. SDN Will Have Security Implications, But NOT For Years: If you follow technology analysts or keep up with bleeding edge networking, you’ve probably heard all the excitement around the next great networking innovation—Software Defined Networking (SDN). Without going into detail, SDN basically does for networking what hypervisors did for computing… it virtualizes it. At the highest level, SDN is a new network architecture paradigm where the control plane is decoupled from the data place. Rather than letting proprietary networking hardware making fairly static traffic routing decisions that apply equally for all traffic, SDN allows controllers to make dynamic routing decisions that can differ based on the applications sending the traffic, the location of the device, and many other things. SDN will help networking catch up with the dynamic, mobile, cloudy world we live in.

SDN totally changes how we build and control networks, which means it will also completely changes network security. For instance, in an SDN world, network security controls don’t have to be inline. The SDN controller can forward certain traffic to the relevant security controls when necessary—no matter where that security control happens to be on the network. This could make mobile security much easier, but also places much of the network security onus on the SDN controller and proper policy.

Having said all that, our prediction is you won’t have to worry about SDN security next year, or anytime soon! Despite all the hyperbole and excitement from forward-leaning technologists, SDN is quite a ways from primetime adoption. While ISP and cloud providers might start experimenting with it, the average organization is nowhere near changing their network architecture to support it. Think of it like IPv6. We’ve been predicting IPv6 has been coming for years, and one day everyone will have to start using it, yet most organizations still haven’t adopted it. SDN is the next IPv6, so don’t lose sleep over securing it yet.

Top Five Things To Worry About:

  1. Nation States Lock ‘n Load for Cyber Cold War: All significant nations have long started developing their red team and blue team cyber defense and attack capabilities. Between incidents in Estonia and Georgia, Snowden’s revelations, Stuxnet, Regin, and many other incidents, we’ve already learned that nation states are quietly launching espionage campaigns against one another, and even stealing industrial intellectual property.

I expect to see many more nation state cyber espionage incidents next year and suspect we are already in the middle of a cyber cold war, where nation states quietly “demonstrate” their cyber capabilities. While this cyber posturing doesn’t directly affect the average citizen or business, the techniques nation states use are more sophisticated. Whenever these new campaigns surface (and they do), criminal hackers learn quite a bit from them. You should expect the nation state cyber attacks to ”raise the tide for all boats” and elevate the complexity of criminal attacks as well.

  1. Malware Jumps Platforms from Desktop to Mobile Devices – And Bites Hard: More and more malware has been designed to infect multiple systems. Traditionally, we’ve seen small samples of Java attacks and malware that infect both Windows and OSX computers, but an even better combination is malware that jumps from traditional operating systems to mobile platforms, or vice versa. In 2015, WatchGuard expects to see more malware samples like WireLurker, which infects your normal computer before jumping to the mobile devices that you plug into it. The cross-platform malware families could be in a better position to steal banking credentials, especially as more users adopt two-factor authentication with SMS messages to a mobile.

On top of that, attackers will find many new ways to monetize mobile infections, so expect mobile malware to have more teeth in 2015. For instance, after its success on traditional computers, expect to see customized mobile ransomware, designed to make you mobile unusable until you pay up. With the adoption of Apple Pay, we also expect to see more attackers targeting mobile wallets and NFC. You don’t want to shirk on mobile security in 2015.

  1. Encryption Skyrockets – As Do Government Attempts to Break It: Security pros have always recommended encryption to protect data. However, both users and the industry have historically been slow to adopt encryption on a wide scale—likely due to its complexity and resource expense. That is changing. Between Snowden’s revelations and an increase in breaches, we realize “bad actors” are snooping on our communications, and our privacy is at risk.

As a result, our use of encryption, especially HTTPS, has skyrocketed in 2014 and will continue to grow quickly in 2015. Meanwhile, government actors, like the director of the FBI, are petitioning for ways to break our encryption for “law enforcement use.” As an industry, security pros must do three things; continue to leverage encryption whenever possible; fight for the right to retain private, unbreakable encryption; and make sure to build networks that can support heavy use of encryption without slowing bandwidth and adversely affecting business.

In a related aside, attackers will also leverage encryption more in 2015, to help their attacks evade our detection. While there is no perfect way to defend against custom encryption, you should consider security technologies that can recognize attacks in HTTPS traffic, and can keep with up with the new volume of encrypted traffic on our networks.

  1. Business Verticals Become New Battleground for Targeted Attacks: There’s always been a mild debate between opportunistic and targeted attacks, and whether one or the other poses the bigger threat. One might say opportunistic attacks are more threatening because they affect everyone and happen at a large scale, whereas another points out targeted attacks tend to be more sophisticated and result in more damaging losses. While both threats pose risk, and can affect everyone, some new trends will tip the favor toward targeted threats next year, while also expanding the affected target base.

Targeted attacks have increased and become more sophisticated largely due to the fact that cyber criminals have matured. They realize writing malware costs something and that they need a return in that investment. They’ve also learned three, sometimes-competing, lessons:

  • The more widespread your attack, the quicker it gets detected.
  • It’s easier to monetize certain stolen data, so the type of victim matters
  • The more victims you can attack at once, the larger your return in investment.

How does a cyber criminal retain the benefits of a stealthy targeted attack, while still pursuing big victim-pools to make lots of money? They do so by targeting business verticals rather than individual organizations. We’ve already seen this begin to happen, with criminals targeting retailers, hotel chains, or game companies as verticals. They’ve even designed custom malware for some verticals (e.g. point-of-sale malware). This trend will continue into 2015, with attackers targeting other verticals, such as financial services, and healthcare. You also won’t have to be a Fortune 500 to become a target. Modern cyber criminals will target businesses of every size, as long as they are part of an interesting, profitable business vertical.

  1. Understanding Hacker Motives Key to Defending: Information security is a relatively new field and is evolving quickly. Until now, security pros have focused mostly on the “how” and “what” aspects of the cyber threat. For instance, we previously paid most attention to the technical ins and outs of how bad guys attacked our networks, or how their malware mechanically worked, and we created our defenses based on those technical understandings.

However, as our field matures we’re learning how important it is to understand the “who” part of the equation as well. The threat actors menacing us have changed greatly in the past decade. They’ve gone from curious and mischievous kids exploring, to cyber activists pushing a message, to organized criminals stealing billions in digital assets, to nation states launching long-term espionage campaigns. Each of these threat actors has different goals, different tactics, and different targets, and there’s even significant nuance among like groups of threat actors.

As defenders, we’re starting to realize that our adversaries’ motives matter greatly in how we defend ourselves. Few organizations have the resources to defend against every possible threat. However, knowing the motives and tactics of various actors helps us understand which ones threaten our organization the most, and how they prefer to attack. In 2015, smart organizations will use threat intelligence and adversary motive to better customize defenses for the type of threat actor most likely to target their organization. For instance, if you work for a restaurant chain, you’re probably most concerned with organized cyber criminals, and might want to tailor your defenses to the attack techniques and PoS malware used by Russian and Ukrainian cyber gangs.

I hope you’ve enjoyed and learned something from this year’s InfoSec predictions. If you want to learn more, download the infographic or watch my 2015 Security Predictions presentation— Corey Nachreiner, CISSP (@SecAdept)

 

 

 

 

Evil Tor Exit Node – WSWiR Episode 127

Security FUD, Black Energy, and Tor Terror

Happy Halloween!

The Internet “threatscape” has changed drastically over the past few years, with many more cyber security incidents each year and tons of information security (infosec) news in the headlines. Can you keep up? If not, maybe my weekly infosec video will help.

In today’s quick update, I rant a bit about infosec misinformation, share the latest on the Black Energy ICS attack campaign, and talk about an Evil Tor exit node that dynamically adds malware to downloads. Press play for the scoop, and enjoy your spooky Halloween weekend.

(Episode Runtime: 10:44)

Direct YouTube Link: https://www.youtube.com/watch?v=HjejYd_9Oik

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Cryptowall Malvertising – WSWiR Episode 126

Windows 0day, iCloud MitM, and Cryptowall Rises

You’re a busy IT guy that barely has time to brush your teeth before running off to work, so who has time to follow security news too? Does this sound like you? If so, let our short weekly video inform you of the most important security news in the time it takes you to enjoy your first cup of coffee.

Today’s episode covers another Microsoft zero day flaw, a recent man-in-the-middle (MitM) attack against iCloud, and the latest developments with a nasty piece of ransomware called CryptoWall. Press play below to learn about all that and more, and peruse the Reference section for other stories.

(Episode Runtime: 8:40)

Direct YouTube Link: https://www.youtube.com/watch?v=0y5lBIQ0CEI

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

POODLE Bites SSL – WSWiR Episode 125

October Patch Bonanze, Leaky Apps, and POODLE

Cyber security has gone main stream, which means we’re getting a lot more security news each week than we used to. This week was even busier than usual, with updates fixing hundreds and hundreds of security vulnerabilities, as well as a significant vulnerabilities in a encryption standards. If you’re having trouble keeping track of the most important security info on your own, let our week video summary do it for you.

Today’s episode covers a ton of updates for October’s Patch Day, data leaks affecting SnapChat and DropBox, and a relatively serious SSL vulnerability called POODLE. The video is a bit longer than usual in order to better describe the POODLE flaw. Press play to learn more, and check the references for other interesting stories.

Enjoy your weekend, and beware what you click online.

(Episode Runtime: 16:37)

Direct YouTube Link: https://www.youtube.com/watch?v=AFX9DXDizu4

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

ATM Trojan – WSWiR Episode 124

Nine MS Bulletins, Sneaky DRM, and ATM Trojan

Every week, the security community learns about new attacks, exploits, breaches, security patches, and more. However, keeping track of all this fresh information security (infosec) news can be challenging for most IT practitioners. If you need a little help separating the security wheat from the chaff, this weekly video podcast is for you.

Today’s episode warns you about next week’s upcoming Microsoft patch, covers how Adobe DRM snoops on your reading habits, and shares details about an ATM trojan that has helped its creators steal millions in cold hard cash. Watch the video for details, and check out the reference section for most interesting infosec stories.

(Episode Runtime: 5:45)

Direct YouTube Link: https://www.youtube.com/watch?v=5xi3vtc5bAQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review in Writing (Oct.3, 2014)

iOS Trojan, BadUSB PoC, and Gamer Hackers Charged

Normally, I post a weekly video that summarizes the three biggest information and network security stories every Friday. However, due to a busy travel and work schedule I couldn’t find a convenient time to shoot. But fear not… Instead, I’ll post a written summary this week, and continue with the video posts next week. Read on for the latest security news:

  1. “First” iOS Trojan released in the wild – A mobile security company, Lacoon, claims they have found the “first” iOS trojan being used in the wild. They call the malware Xsser mRAT, and it’s related to a similar Android trojan called Xsser. If it infects your mobile device, it’s capable of stealing all kinds of information including texts, emails, passwords, and so forth. Allegedly, the malware comes from Chinese government actors targeting the Occupy Central protesters in Hong Kong. However, the trojan can only infect jailbroken iPhones.
  2. BadUSB malware exploit is now available to the public – In previous videos, I told you about the extremely dangerous new threat against USB devices. At Black Hat this year, Karsten Nohl of SRlabs showed how you could exploit flaws in USB controller firmware to create malicious USB devices that are almost impossible to detect. Thankfully, Nohl did not release Proof-0f-Concept (PoC) code for the attack, since USB manufacturers did not yet have a solution to the problem. However, this week some of his co-researchers decided to release PoC on Github during DerbyCON; apparently in hopes of pressuring USB vendors into figuring out a fix. Personally, I think this was a major mistake. While I think “full disclosure” is a good thing, I believe it should be done responsibly, after giving vendors time to protect their customers. While historically researchers have used early disclosure as a way to pressure companies to do the right thing, this is an industry-wide, standards-level vulnerability with no easy solution. All these researchers have done is make it easier for the bad guys to start exploiting this issue (IMHO).
  3. Four hacker’s charged with stealing millions in IP from Microsoft, Epic, Valve, and the military – This week, legal documents came out detailing the charges against four hackers who stole data and games from many gaming companies, and even the military. The alleged hackers are from the US, Canada, and Australia. According to documents, this group used mostly SQL injection (SQLi) techniques to steal a ton of data. They stole Xbox ONE and Xbox Live information, games like Gears of War 3, and they even stole a military Apache simulator. This case is related to the SuperDAE hacker I mentioned in a video months ago.

Thanks for following our weekly summary, and be sure to join us next week when I resume the video. Also, don’t forget to check out references to many other interesting security stories below.

Extras Story References:

— Corey Nachreiner, CISSP (@SecAdept)

Shellshock – WSWiR Episode 123

Serious Bash Flaw affects *nix, Mac OS X, and IoT

Normally, my weekly video covers a number of important information and network security stories, in order to keep you informed of the latest threats. However, this week one story is so important I give it the primary focus.

Today’s show covers the critical “Shellshock” vulnerability in Bash. If you use Unix, Linux, or Mac systems, or any other embedded device that might run Linux, you’ll want to watch this episode to learn how this flaw affects you. Click play for more details.

Oh, and don’t forget WatchGuard appliances aren’t affected, and our IPS can protect you. Enjoy your weekend!

(Episode Runtime: 9:23)

Direct YouTube Link: https://www.youtube.com/watch?v=f6X5-bxj-Mw

Episode References:

Extras:

I’m skipping the extra stories this week so you focus on taking care of the Bash flaw.

— Corey Nachreiner, CISSP (@SecAdept)

Printer Doom Hack – WSWiR Episode 122

Apple Patches, Kindle XSS, and Doom Printer Hack

If you want to stay current with the Internet “threatscape,” our weekly video can help. It summarizes each week’s top information and network security news in one convenient place. Subscribe today!

Today’s episode covers, Apple and Adobe security updates, a cross-site scripting flaw that affects Kindle users, and an interesting printer hack that allowed an attacker to run doom on a printer. Watch the video for details and see the Reference section below for more info.

Enjoy your weekend!

(Episode Runtime: 5:39

Direct YouTube Link: https://www.youtube.com/watch?v=aZ7-LdlMYHc

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Old Gmail Leak – WSWiR Episode 121

Patch Day, Home Depot Update, and Gmail Leak

Why go searching for all the week’s information security (infosec) news when you can find it in one convenient place. This weekly vlog summarizes the important security updates, hacks, and threats so you can protect yourself.

This week’s episode arrives a bit late due to my business travel in Europe. Today’s show covers the week’s Microsoft and Adobe patches, the latest news on the Home Depot breach, and a story about a potentially new (but likely old) Gmail credential leak. Watch the video for the details, and check the references below for more info and some extra stories.

I will be continuing my business travel next week as well. So my weekly post may arrive earlier or later than normal. Have a great day!

(Episode Runtime: 4:53)

Direct YouTube Link: https://www.youtube.com/watch?v=I1GZpvQV6dQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes, Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes over 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as your can. You should also install the other updates as well, however, their mitigating factors lessen their risk, so you can install them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can or let Windows’ Automatic Update do it for you. For the server related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now.  — Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: