More stories

  • Microsoft announces multi-year partnership with cyber insurance firm At-Bay

    Microsoft unveiled a new partnership with cyber insurance company At-Bay on Wednesday, announcing that it was seeking to help the insurance industry “create superior and data-driven cyber insurance products backed by Microsoft’s security solutions.”


    At-Bay claimed their insureds are seven times less likely to experience a ransomware incident than the industry average and noted that they provide insights to their customers about ways they can better protect themselves. Starting on October 1, companies in the US that are already Microsoft 365 customers will be eligible “for savings on their At-Bay cyber insurance policy premiums if they implement specific security controls and solutions, including multi-factor authentication and Microsoft Defender for Office 365.”

    Ann Johnson, Microsoft’s corporate vice president of security, compliance & identity business development, explained that for cyber insurance to play a meaningful role in overall risk management, buyers and sellers need the benefit of data and clear visibility into what is covered and into the factors that either minimize or multiply risk exposure. “Microsoft’s partnership with At-Bay brings important clarity and decision-making support to the market as organizations everywhere seek a comprehensive way to empower hybrid workforces with stronger, centralized visibility and control over cloud applications boosting security and productivity,” Johnson said. The company said in a statement that At-Bay’s portfolio companies have had their cybersecurity strengthened by certain incentives it provides, including improved policy terms and pricing.

    Microsoft said it will work with At-Bay to find other ways customers can limit their risk exposure and proactively address vulnerabilities.

    Microsoft noted that it is working with other insurers to protect their customers and reduce the risk of loss, which has grown significantly over the last few years, causing steep increases in premiums. “Insurance carriers, agents, reinsurers and brokers are required to understand and assess cybersecurity threats for each of their insureds. With this complexity, insurers are seeking increased visibility into each company’s security environment and hygiene to better underwrite new policies,” Microsoft said in a statement. “To address this, Microsoft is teaming with key insurance partners to offer innovative data-driven cyber insurance products allowing customers to safely share security posture information through platforms like Microsoft 365 and Microsoft security solutions. All data and details about a covered company’s technology environment will be owned and controlled entirely by that customer, but customers can opt-in to securely share them with providers to receive benefits like enhanced coverage and more competitive premiums.”

    At-Bay CEO Rotem Iram said insurance policies are effective tools that help define the cost of certain cybersecurity choices of a company. “By offering better pricing to companies that implement stronger controls, we help them understand what matters in security and how best to reduce risk,” Iram said. “Working with Microsoft enables us to educate customers on the powerful security controls that exist within Microsoft 365 and reward them for adopting those controls.”

  • Report highlights cybersecurity dangers of Elastic Stack implementation mistakes

    A new report has identified significant vulnerabilities resulting from the mis-implementation of Elastic Stack, a group of open-source products that use APIs for critical data aggregation, search, and analytics capabilities.

    Researchers from cybersecurity firm Salt Security discovered issues that allowed them to not only launch attacks where any user could extract sensitive customer and system data but also allowed any user to create a denial of service condition that would render the system unavailable. The researchers said they first discovered the vulnerability while protecting one of their customers, a large online business-to-consumer platform that provides API-based mobile applications and software as a service to millions of global users.

    Once they discovered the vulnerability, they checked other customers using Elastic Stack and found that almost every enterprise with it was affected by the vulnerability — which exposed users to injection attacks and more. Salt Security officials were quick to note that this is not a vulnerability with Elastic Stack itself but instead a problem with how it is being implemented. Salt Security technical evangelist Michael Isbitski said the vulnerability is not connected to any issue with Elastic’s software but is related to “a common risky implementation setup by users.”

    He noted that Elastic provides guidance about how to implement Elastic Stack instances securely but noted that the responsibility falls on practitioners to make use of the guidance. “The lack of awareness around potential misconfigurations, mis-implementations, and cluster exposures is largely a community issue that can be solved only through research and education,” Isbitski told ZDNet.

    “Elastic Stack is far from the only example of this type of implementation issue, but the company can help educate its users just as Salt Security has been working with CISOs, security architects, and other application security practitioners to alert them to this and other API vulnerabilities and provide mitigation best practices.”

    The vulnerability would allow a threat actor to abuse the lack of authorization between front-end and back-end services as a way to get a working user account with basic permission levels. From there, a cyberattacker could then exfiltrate sensitive user and system data by making “educated guesses about the schema of back-end data stores and query for data they aren’t authorized to access,” according to the report.

    Salt Security CEO Roey Eliyahu said that while Elastic Stack is widely used and secure, the same architectural design mistakes were seen in almost every environment that uses it. “The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk,” Eliyahu said.

    Exploits that take advantage of this Elastic Stack vulnerability can create “a cascade of API threats,” according to Salt Security researchers, who also showed that the Elastic Stack design implementation flaws worsen significantly when an attacker chains together multiple exploits. The problem has been something security researchers have long highlighted with a number of similar products like MongoDB and HDFS.

    “The specific queries submitted to the Elastic back-end services used to exploit this vulnerability are difficult to test for. This case shows why architecture matters for any API security solution you put in place — you need the ability to capture substantial context about API usage over time,” Isbitski said. “It also shows how critical it is to architect application environments correctly. Every organization should evaluate the API integrations between its systems and applications, since they directly impact the company’s security posture.”

    Researchers from the company said they were able to gain access to sensitive data like account numbers, transaction confirmation numbers and other information that would violate GDPR regulations. The report details other actions that could be taken through the vulnerability, including the ability to perpetrate a variety of fraudulent activities, extort funds, steal identities and take over accounts.

    Jon Gaines, senior application security consultant at nVisium, said the Elastic Stack is “notorious for excessive data exposure” and added that a few years ago — and by default — data was exposed publicly. Since then the defaults have changed, but he noted that this doesn’t mean that older versions aren’t grandfathered in or that minor configuration changes can’t lead to both of these newly unearthed vulnerabilities. “There are — and have been — multiple open source tools that lead to the discovery of these vulnerabilities that I’ve used previously and continue to use. Unfortunately, the technical barrier of these vulnerabilities is extremely low. As a result, the risk of a bad guy discovering and exploiting these vulnerabilities is high,” Gaines said. “From the outside looking in, these vulnerabilities are common sense for security professionals: authorization, rate limitations, invalidation, parameterized queries, and so forth. However, as a data custodian, administrator, or even developer, oftentimes you aren’t taught to develop or maintain with security in mind.”

    Vulcan Cyber CEO Yaniv Bar-Dayan added that the most common cloud vulnerability is caused by human error and misconfigurations, and APIs are not immune. “We’ve all seen exposed customer data and denial of service attacks do significant material damage to hacked targets. Exploitation of this vulnerability is avoidable but must be remediated quickly,” Bar-Dayan said. “Other users of Elastic Stack should check their own implementations for this misconfiguration and not repeat the same mistake.”

  • Dell adds new security features and automation to ProSupport Suite

    Dell has added new features to its ProSupport Suite for PCs that offer users new endpoint security offerings and enhance their line of commercial PCs. 

    The ProSupport Suite for PCs allows IT teams to customize and automate how they manage employee devices, which has become increasingly important as companies continue to invest heavily in remote work.

    Dell’s updates include new catalog management and deployment capabilities while also giving IT managers the ability to update Dell BIOS, drivers, firmware and applications automatically and remotely. IT teams can also customize how the updates are grouped. The new tools also provide IT teams with a centralized platform to see their entire Dell PC fleet and monitor each device’s health, application experience, and security scores. Dell will also be offering an AI-powered services support software to provide suggestions based on performance trends.

    The new ProSupport Suite for PCs capabilities will be available to customers by October 19, and the Advanced Secure Component Verification is available now for US customers. The Intel ME Verification and Dell Trusted Device SIEM Integration are also available to all customers in North America, Europe and the Asia-Pacific-Japan region.

    Doug Schmitt, president of Services at Dell Technologies, said the company prioritised the updates because IT operations have become significantly more complicated, especially with the amount of data and opportunities at the edge. “Our approach to IT services is built on an AI-driven, adaptive, always-on foundation, taking today’s realities and future customer needs into consideration,” Schmitt said.

    “At the end of the day, the new capabilities are about helping IT leaders see ahead and stay ahead while providing workforces around the world the ability to continue collaborating and innovating without disruption.”

    The company also unveiled the Dell Trusted Devices security portfolio to protect commercial PCs throughout the entire supply chain and device lifecycle. “This comprehensive suite of above- and below-the-operating-system (OS) security solutions leverage intelligence and help empower businesses to prevent, detect and respond to threats with improved mean-time-to-detect (MTTD) and mean-time-to-resolution (MTTR) of issues,” Dell explained.

    Dell is adding Advanced Secure Component Verification for PCs, which helps customers make sure Dell PCs and key components arrive as they were ordered and built. The Intel Management Engine Verification checks critical system firmware and looks for evidence of tampering targeting boot processes. IT teams will also have more visibility into below-the-OS security events in dashboards offered through the new Dell Trusted Device Security Information and Event Management Integration.

  • Tomiris backdoor discovery linked to Sunshuttle, DarkHalo hackers

    Researchers have uncovered a new connection between Tomiris and the APT behind the SolarWinds breach, DarkHalo. 

    On Wednesday at the Kaspersky Security Analyst Summit (SAS), researchers said that a new campaign revealed similarities with DarkHalo’s Sunshuttle, as well as “target overlaps” with Kazuar.

    The SolarWinds incident took place in 2020. FireEye and Microsoft revealed the breach, in which SolarWinds’s Orion network management software was compromised to impact as many as 18,000 customers in a software update-based supply-chain attack. While many thousands of clients may have received a malicious update, the threat actors appeared to cherry-pick the targets worthy of further compromise — including Microsoft, FireEye, and government agencies. Microsoft president Brad Smith dubbed the incident “the largest and most sophisticated attack the world has ever seen.”

    Eventually, the finger was pointed at the advanced persistent threat (APT) group DarkHalo/Nobelium as the party responsible, which managed to deploy the Sunburst/Solorigate backdoor, the Sunspot build server monitoring software, and the Teardrop/Raindrop dropper, designed to deploy a Cobalt Strike beacon, on target systems. The Russian state-backed group’s campaign was tracked as UNC2452, which has also been linked to the Sunshuttle/GoldMax backdoor.

    In June, after roughly six months of inactivity from DarkHalo, Kaspersky uncovered a DNS hijacking campaign against multiple government agencies in an unnamed CIS member state. “These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations,” Kaspersky commented. “We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims.”

    The researchers say that the campaign operators redirected victims attempting to access an email service to a fake domain which then prompted them into downloading a malicious software update, made possible by switching legitimate DNS servers for compromised zones to attacker-controlled resolvers. This update contained the Tomiris backdoor. “Further analysis showed that the main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components,” Kaspersky added. “The latter, unfortunately, were not identified during the investigation.”

    Tomiris, however, did prove to be an interesting discovery. The backdoor is described as “suspiciously similar” to Sunshuttle. Both backdoors are written in the Golang (Go) programming language, the same English language spelling mistakes were in the payloads’ code, and each uses similar encryption and obfuscation setups for configuration and network traffic management purposes. In addition, both Tomiris and Sunshuttle use scheduled tasks for persistence as well as sleep-based delay mechanisms. The team believes the “general workflow of the two programs” hints at the same development practices.

    However, the backdoor has little function beyond the capability to download additional malware, which suggests Tomiris is likely part of a wider operator toolkit. It should also be noted that Tomiris has been found in environments also infected with the Kazuar backdoor, malware that Kaspersky has tentatively linked to Sunburst — while Palo Alto has also connected Kazuar and the Turla APT. Cisco Talos has also recently uncovered a new, simple backdoor now deployed by the Turla APT on victim systems.

    Kaspersky also acknowledges this may be a case of a ‘false flag’ designed to mislead researchers and send them down the wrong analysis or attribution paths. Pierre Delcher, senior security researcher at Kaspersky, commented: “None of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence. We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Your cybersecurity superpower: Here's how to influence employee behavior

    I’m very excited to share my latest research on best practices for successfully influencing employee cybersecurity behavior. Excited may not be the right word exactly, as this research was born out of the disappointment I started feeling when hearing of security leaders and teams implementing disciplinary sanctions for employees who fail phishing simulations, cybersecurity quizzes, or fall victim to scams such as business email compromise. 


    This punishment ranges from extreme sanctions, such as disciplining or terminating the offenders or victims, to less severe forms, including forcing employees to sit through more training. While the latter may sound okay, employees disagree. The debate raged about the ethics and effectiveness of these practices. And hence it took me a while to put pen to paper, because I get all sides of this dilemma.

    This is what I decided: Sure, there is a time and place for disciplinary action, but leaders seemed to jump to it too readily. It seemed as though we could not see that some of the interventions we were putting in place reinforced negative perceptions and resentment of security, humiliated employees, caused psychological damage, and encouraged employees to hide failures and mistakes. Education and shame are not synonyms. You may win the battle, but the war is much bigger. As a security leader, your bigger opportunity is to engage, influence, and benefit your employees as well as your organization’s customers, and even society, and to do this, you need to:

    Be aware of the impact of each security intervention. When weighing consequences for negative security behaviors, security leaders often think of extreme punishments like formal disciplinary action or dismissal as deterrents. However, employees also view many well-meaning interventions as punitive, particularly if they overtax employee time and productivity and seem to lack empathy. Tread that fine line between engagement (e.g., quizzes), empathy (e.g., ask-and-listen hours), and punishment (e.g., dismissals). Start by designing an environment tolerant of human fallibility — this isn’t purely an awareness or training problem. Before proceeding to punishment — or indeed any sort of intervention — you need to be very clear that you’ve done all that you can to support employees who have made a mistake or have become a victim. Your employees fall for scams — real or simulated — for many reasons, including: your test or simulation is too difficult to detect; your security awareness training is dull and tedious; you’re not helping employees avoid errors; or you failed to design security processes and technologies that stop people from making errors.

    Find positive ways to influence good security behavior and creativity. Instead of scaring employees into complying with your security rules, use empathy and recognition to create engagement. Employees who feel empowered can focus on solutions without fear. Forrester’s Employee Experience Index shows that empowerment is the most significant predictor of engagement. Initiate positive reporting and messaging (e.g., communicate successes such as “X% completed the exercise this month, up from Y%” and “Clicks are down by Z%, and nonreporting is down by X%.”) so employees are encouraged and respond to self-reported mistakes, nudge behaviors toward the correct action, and recognize and reward positive behaviors as they occur. Consider safety culture, where organizations celebrate success and change behavior via initiatives such as incentives, leaderboards, safety moments, and walls of fame.

    Choose the appropriate behavior modification action. Outside gross negligence, employees should never suffer when their employer falls victim to a data breach, cyberattack, fraud, or scam. Before making the call about what intervention to use, decide whether your employee is a victim or has been blatantly and regularly breaching the rules. Use our severity versus repetition framework to segment offenders and create different interventions for each type of offender.

    Make the tough calls when necessary, and always do so ethically. Listening, coaching, and changing processes are all well and good, but at some point, you need to face reality and discipline anyone who has been maliciously flouting the rules. To know when you’ve reached the point of making the tough call, consider these questions: Is their intent malicious? Are they bypassing processes repeatedly for inappropriate reasons, such as their seniority in the organization? If the answer to either of these is yes, you have every reason to act with ethics, integrity, empathy, candor, and transparency.

    My key takeaway? Make empathy your new superpower in all the big and small things that you do. All of this recognition and behavioral change requires you to become a coach — not a boss — not only for your team, but also for all employees and stakeholders within your organization. Level up your leadership skills by eliminating passive management practices and fostering a strong coaching mindset. It is through this mindset that the suggestions above will seem less of a chore or a practical guide and more of a lifestyle that you and your team can implement.

    As organizations seek to leverage emerging technology and intelligent automation in new ways, employees need to feel they can innovate and experiment consistent with the security and privacy values of the enterprise. But many organizations manage human risk through a model of control, coercion, and punishment — from penalizing users who fail simulations or training to terminating offenders or victims of breaches. Security programs founded in fear not only drive down employee engagement and inspiration, but also stifle creativity. Instead, organizations must learn how to nurture positive behavior to foster a security culture that deals with human fallibility with positivity, instead of distress, reprimand and shame.

    To learn more, register for Forrester’s virtual events, Technology & Innovation APAC here and Security & Risk event here. This post was written by Principal Analyst Jinan Budge, and it originally appeared here.

  • This dangerous mobile Trojan has stolen a fortune from over 10 million victims

    An Android Trojan has now achieved a victim count of over 10 million in at least 70 countries. 

    According to Zimperium zLabs, the new malware has been embedded in at least 200 malicious applications, many of which have managed to circumvent the protections offered by the Google Play Store, the official repository for Android apps. The researchers say that the operators behind the Trojan have managed to infect so many devices that a stable cash flow of illicit funds, “generating millions in recurring revenue each month,” has been established.

    Believed to have been in operation since November 2020, the “GriftHorse” campaign relies on victims being duped into handing over their phone number, which is then used to subscribe them to premium SMS messaging services. Victims first download Android apps that appear innocent and legitimate. These apps vary from puzzle games and utilities to dating software, food and drink, with the most popular malicious app — a translator — accounting for at least 500,000 downloads.

    Upon installation, however, the GriftHorse Trojan, written in Apache Cordova, constantly bombards the user with messages, alerting them to a fake prize they have won and then redirecting them to a website page based on their geolocation, and, therefore, their language. Mobile users are then asked to submit their phone numbers for verification purposes. If they submit this information, they are then subscribed to premium services “without their knowledge and consent,” zLabs noted.

    Some of the charges are upward of €30 ($35) per month, and if a victim does not notice this suspicious transaction, then they could, theoretically, be charged for months on end with little hope of ever clawing back their cash. In order to avoid discovery, the malware’s operators use changeable URLs rather than hardcoded addresses. “This method allowed the attackers to target different countries in different ways,” the team says. “This check on the server-side evades dynamic analysis checking for network communication and behaviors.” zLabs reported its findings to Google, which promptly removed the Android apps marked as malicious from Google Play. However, these apps are still available on third-party platforms.

  • Akamai acquires cybersecurity firm Guardicore for $600 million

    Akamai Technologies has acquired Guardicore to enhance the content delivery network’s (CDN’s) cybersecurity portfolio.

    The deal was announced on Wednesday. Under the terms of the agreement, Akamai will pay roughly $600 million to acquire all outstanding equity.

    Tel Aviv, Israel-based Guardicore is a cybersecurity company that offers the enterprise a micro-segmentation solution to reduce the potential attack surface of corporate networks, secure applications, and to meet compliance standards. The firm’s software is based on zero-trust and strict permissions architecture, with process-level rules implemented to bolster secure access across public, private, and hybrid cloud environments. Akamai says the micro-segmentation solution will be added to the company’s Zero Trust security portfolio, including Web Application Firewall (WAF), Zero Trust Network Access (ZTNA), Domain Name System (DNS) Firewall, and Akamai’s Secure Web Gateway (SWG).

    “Their solution enables deep visibility into application flows, across data center and cloud applications, allowing businesses to more granularly understand and protect their infrastructure, from the core of the enterprise to the cloud,” Akamai says. “As a result, breaches can be detected early on so that corrective actions can be taken as quickly as possible.”

    The acquisition, subject to regulatory approval, is expected to close in Q4 2021. Akamai says that the purchase may generate between $30 and $35 million in revenue over FY2022, with Akamai’s non-GAAP operating margin anticipated to be in the range of 29-30%, returning to a minimum of 30% in 2023.

    “Given the recent surge in ransomware attacks and increasingly stringent compliance regulations, investing in technologies to reduce the spread of malware has become mission-critical,” commented Tom Leighton, CEO of Akamai. “By adding Guardicore’s leading micro-segmentation products to Akamai’s comprehensive portfolio of zero trust solutions, we believe Akamai will be able to provide the most effective way to combat ransomware on the market today.”

    Guardicore CEO Pavel Gurvich said the team “greatly look forward to joining Akamai to protect the user and the enterprise — no matter what the user is doing or where end-users and workloads are located.” Morgan Stanley & Co. served as Akamai’s financial advisor.

  • Google launches new reward program for Tsunami Security Scanner

    Google has launched a new development program targeting the Tsunami Security Scanner.

    On September 28, Guoli Ma, Sebastian Lekies, and Claudio Criscione, members of Google’s vulnerability management team, said in a blog post that the new program is designed to improve Tsunami’s security detection capabilities.

    The Tsunami Security Scanner, open sourced in July 2020, was originally an internal Google tool and has since been published and made available to the public. The scanner is designed to check large-scale enterprise networks for open ports and then to cross-check vulnerability exposure based on the initial reconnaissance results. Plugins can be implemented by users to check for specific security flaws. Tsunami can also check for basic security issues including the use of weak enterprise credentials.

    Google says that the new, experimental program will give researchers patch rewards for creating plugins and application fingerprints. The former requires contributors to develop plugins that can be used for enhanced vulnerability detection, whereas the latter asks for web application modules that can be used to detect off-the-shelf web apps in an enterprise network. The company is most interested in high and critical-severity bugs that can have a real-world impact on enterprise security.

    “The vulnerability should have a high or critical severity rating if there is already a CVE ID assigned (CVSS score >= 7.0),” Google says. “If there is no severity assigned yet, the Tsunami scanner team will perform the triage and determine the severity. This usually includes vulnerabilities like Remote Code Executions (RCEs), arbitrary file uploading, security misconfigurations that result in the exposure of sensitive admin panels, and so on.”

    The tech giant says that Tsunami also needs more fingerprint data for popular web apps which may contain bugs that impact the security of a wider network. If IT teams do not realize they are present, this could mean they are overlooked in patch processes. Contributions are overseen by Google’s vulnerability management team.

    In July, Google announced a new bug bounty platform, https://bughunters.google.com. The resource center brings together all of the firm’s Vulnerability Rewards Programs (VRPs), including Google, Android, Abuse, Chrome and Play to streamline the vulnerability disclosure process. It is on this platform that those interested in the Tsunami program can find the in-scope lists for contributions to open source tools and Tsunami.

    Financial rewards vary. For web application fingerprints, Google is willing to pay a flat fee of $500 for each fingerprint added to Tsunami’s database. When it comes to plugins, up to $3,133 is on offer, depending on the severity of a vulnerability and whether or not it is emergent.