Cyber Weekly Roundup – April 7, 2017

Written April 7th, 2017


1.) Half of Security Pros Ignore Some Important Alerts (April 4, 2017)


Summary: Short-staffed, more than half of organizations admit they ignore alerts that should be investigated because they lack resources to handle the overflow.

Why it matters: This article goes beyond what the title suggests. We know that our SOCs can’t possibly detect, triage, and respond to every event, and security pros will debate whether that is a people issue or a technological one. Stern correctly points to the lack of any centralized tool to aggregate the various alerts from the myriad of security devices across the SOC. While chasing down every alert is like rattling off the numbers for Pi, it’s incumbent on the SOC manager to balance the work of reviewing events against investigating and responding to incidents.

2.) Someone is putting lots of work into hacking Github developers (March 29, 2017)


Summary: Open source developers who use Github are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary. Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of Github repositories. One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for Github, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than Github developers.

Why it matters: Attacks against the supply chain are likely to become more common as software vendors continue to incorporate established libraries and frameworks within their products. The cybersecurity community saw an example of this problem recently with the Apache Struts vulnerability turning up in Cisco and VMware products, and we should only expect that it will become more prevalent in the future. One potential solution is for organizations to continue evolving asset management to include the open source code in their software, and for software vendors to provide details on the open source code included in their products.

3.) Should a DISA-like agency take over cyber, IT for all civilian agencies? (March 27, 2017)


Summary: Momentum is building for a new cybersecurity agency in the Homeland Security Department. The idea initially proposed by Rep. Mike McCaul (R-Texas), chairman of the Homeland Security Committee, received some crucial support on March 22 when two former federal cyber executives threw their weight behind the idea.

Why it matters: Miller highlights the pros of DHS having a DISA-like organization as the cybersecurity “belly button” for federal agencies. If this were implemented properly, it would be a great accomplishment in standardizing and prioritizing cyber within the federal space.

4.) New Malware Intentionally Bricks IoT Devices (April 6, 2017)


Summary: A new malware strain called BrickerBot is bricking Internet of Things (IoT) devices around the world by corrupting their storage capability and reconfiguring kernel parameters.  Detected via honeypot servers maintained by cyber-security firm Radware, the first attacks started on March 20 and continued ever since, targeting only Linux BusyBox-based IoT devices.

Why it matters: This attack could be a case of cyber vigilantism. The devices being bricked by this malware are well-known vectors for malware, and completely bricking a device is one way to attempt to reduce the attack surface of the botnet. While it’s entirely possible this is the work of a malicious actor purely for the purposes of a ‘permanent denial of service’ against poorly secured IoT devices, malware built for destructive purposes only is unlikely, given the potential for profit with malware. It will be interesting to see if these types of attacks are sufficient to compel manufacturers to change the security configuration on their devices.