Cyber Weekly Roundup – March 31, 2017


1.) If You Want to Stop Big Data Breaches, Start With Databases (March 29, 2017)
https://www.wired.com/2017/03/want-stop-big-data-breaches-start-databases/

Summary: Over the past few years, large-scale data breaches have become so common that even tens of millions of records leaking feels unremarkable. One frequent culprit that gets buried beneath the headlines? Poorly secured databases that connect directly to the internet.

While companies commonly use these databases to store tempting troves of customer and financial data, they often do so with outdated and weak default security configurations. And while any type of database can be left open or unprotected, a string of breaches over the last few years have all centered around one type in particular: open-source “NoSQL” databases, particularly those using the popular MongoDB database program. Of course there are many types of hacks that can ultimately lead to data breaches, like using spear phishing to gain access to a network, but securing exposed databases is a relatively easy and concrete step organizations can take to strengthen their data defense.

Why it matters: As more data is collected and stored on net-accessible databases, the importance of data security increases. More vulnerable databases mean a larger attack surface for black hats and cyber criminals to target, and successful breaches give attackers two opportunities.

First, users who reuse passwords (the majority of users) risk having their “keys to the kingdom” exfiltrated for malicious use, easily allowing attackers into more important accounts such as financial or email accounts. Second, any organization that can aggregate and sift through the data can gain new insight into future targets through a process called data inference. These exposed databases give well-funded attackers (such as nation states) additional data points to help connect the dots on their targets.

Regardless, hopefully the direct threat to the profits of the companies hosting these exposed databases will serve as an incentive for these weaknesses to be addressed.

2.) Pentagon sees more AI involvement in cybersecurity (March 16, 2017)
https://defensesystems.com/articles/2017/03/16/cio.aspx

Summary: As the Pentagon’s Joint Regional Security Stacks moves forward with efforts to reduce the server footprint, integrate regional data networks and facilitate improved interoperability between previously stove-piped data systems, IT developers see cybersecurity efforts moving quickly toward increased artificial intelligence (AI) technology.

Why it matters: Machine learning and AI promise to be a boon to cybersecurity professionals in the future, especially in the security operations center (SOC), where events are coming in faster than human responders can monitor them. Using machine learning and AI to do the drudgery of looking for unusual signatures and assigning a priority rating to them, as well as providing aggregated data for incident responders, will no doubt help to reduce the workload of analysts and allow them to work more effectively.

However, there have been plenty of critiques of machine learning and AI in cybersecurity of late that are worthwhile to review. Bruce Schneier offers his thoughts on the proliferation of machine learning and AI at the 2017 RSA Conference (https://www.schneier.com/blog/archives/2017/03/security_orches.html), highlighting an important point on the subject – you can only automate what you are certain about, and cybersecurity offers a lot of uncertainty. Threats change, and the threat actors are agile and adaptive. In addition, it is possible to game machine learning – feed it enough bad data, and attackers can alter the machine’s algorithm and “understanding” of how to achieve its objective. This in turn can lead to false negatives, which could mean that incidents take longer to detect due to the false sense of security offered by the machine.

3.) The Components of Top Security Awareness Programs (March 23, 2017)
http://resources.infosecinstitute.com/components-top-security-awareness-programs/

Summary: A good security awareness program is a great way to inform personnel about any kind of malicious activity targeting an enterprise’s use of cyberspace. It is crucial that organizations’ staff be wary of common fraud schemes, especially those targeting them rather than technical components of the infrastructure. Preparing staff to discover phishing or other types of cyber scams means providing a comprehensive system of training, policies and procedural instructions that could help them recognize signs of malfeasance, report suspicious activity and not fall prey to scam artists. End-user training is one of the keys to the successful implementation of any security awareness program.

Why it matters: This is a useful how-to for any organization trying to get a grasp on how to implement an effective security awareness program for its end users. Organizations and even security professionals can sometimes place too much focus on the technical controls that keep our organizations safe – it’s important to remember that beyond the firewalls, we also need to focus on improving the security of our end users through policy and training.

4.) Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs (March 24, 2017)
https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/

Summary: In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates.

Why it matters: While not immediately noticeable to the average internet user, this action by Google to downgrade the trust of Symantec-issued certificates is a big deal. In order to secure encrypted connections between end users and websites, companies have to prove they are who they claim to be by using a certificate – extended verification certs are the highest level of trust (and most expensive to obtain), and are often used by web services handling sensitive data and credit card info. In essence, Google has determined that these certificates are not trustworthy enough, and in future iterations of Chrome, will be tightening the window after issuance during which certificates are considered trustworthy on any level.

Interestingly, this event shows that as a Certificate Authority, Symantec is currently “too big to fail,” as distrusting their certs would have caused widespread outages to a number of sites. Reducing the level of trust in Symantec’s certs is likely the only reasonable way to punish the business for its mis-issuance of SSL certificates without causing serious internet outages by revoking trust entirely.

5.) Cerber Ransomware Now Evades Machine Learning (March 29, 2017)
http://www.darkreading.com/vulnerabilities---threats/cerber-ransomware-now-evades-machine-learning/d/d-id/1328506

Summary: Cybercriminals have repeatedly shown an ability to innovate past whatever security controls organizations and industry have been able to throw in their way. So it is little surprise that some have begun taking a crack at machine learning tools. Researchers at security vendor Trend Micro recently discovered a new version of the Cerber ransomware sample that appears designed specifically to evade detection by machine learning algorithms.

Why it matters: Never doubt the innovation of black hats and cyber criminals. The arms race between security products and malware continues, with new versions of Cerber evading static machine learning. This (as well as the entire history of malware) should serve as a warning to companies who are awaiting the AI revolution to solve their cybersecurity needs – while it may offer another tool in their toolbox, organizations cannot expect machine learning/AI to offer a “silver bullet” against attackers.