New Security Realities of the COVID-19 World

This year, attackers have gained a brand new opportunity to get richer on the back of the COVID-19 hype. McAfee is detecting more and more criminal attempts to exploit current events, which is why organizations and businesses have to stay alert and understand the attack methods cybercriminals are using in the COVID-19 world.

Phishing e-mails have become cybercriminals' tool of choice, and the volume of such content has grown considerably over the past few months. Users receive fake messages purporting to come from the World Health Organization, or offering masks, medications, coronavirus tests and other medical merchandise; the subject line is usually chosen to be the most relevant topic for recipients in a particular region.

Phishing e-mails contain either links to sites hosting malicious content or attached documents carrying exploits or malicious macros. The goal is to get malicious code onto the workstation in order to steal user or payment data. The same messages are also used to lure the victim to a fake web resource.

The criminal site imitates the appearance of a bank or payment-system site and asks users to enter personal data. Ransomware, which encrypts the victim's PC, deletes shadow copies and demands a ransom, is another variant of malicious software. It is well known that today most attacks are carried out not by humans but by automated tooling that collects information about victims from different sources and sends the phishing e-mails automatically. The information needed for such attacks is often harvested from social networks and other open sources, which demands practically no effort from the criminals. For instance, the metadata of user files that are publicly accessible can reveal e-mail addresses, IP addresses, OS versions and so on.
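The metadata point above, as an added example (not code from the original article): the functions below read the author, last-modified-by account, timestamps, application build and company from a DOCX's docProps parts, which is what an attacker harvests from a published document, and then rewrite the file with those elements removed. The sample document, the person, the e-mail address and the company in it are constructed so the script runs offline; the field list is the standard OOXML core/extended properties, not something specific to any one organization.

```python
"""What an Office document's properties give away, and how to strip them.

Added example, not from the original article. A minimal DOCX is built in
memory so this runs offline; the person, e-mail address and company in it
are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():          # keep readable prefixes when we rewrite the XML
    ET.register_namespace(_prefix, _uri)

# Fields worth reporting: each one is raw material for a targeted phishing mail
# (whom to impersonate, the internal account format, which Office build to target).
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"]
APP_FIELDS = ["ep:Application", "ep:AppVersion", "ep:Company"]

# Constructed sample parts, shaped like what Word writes into docProps/.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>anna.ivanova@example.com</dc:creator>
  <cp:lastModifiedBy>CORP\\a.ivanova</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2020-03-02T09:14:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2020-03-05T16:41:00Z</dcterms:modified>
</cp:coreProperties>
""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp, Finance</Company>
</Properties>
""".format(**NS)


def build_sample_docx() -> bytes:
    """Constructed sample: the smallest zip that looks like a DOCX for our purposes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder, not a full manifest
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def _child_text(root, qname: str):
    prefix, local = qname.split(":")
    el = root.find(f"{{{NS[prefix]}}}{local}")
    return el.text.strip() if el is not None and el.text else None


def extract_office_metadata(data: bytes) -> dict:
    """Return the identifying fields present in docProps/core.xml and docProps/app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {"docProps/core.xml": CORE_FIELDS, "docProps/app.xml": APP_FIELDS}
        for part, fields in parts.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for field in fields:
                value = _child_text(root, field)
                if value:
                    found[field] = value
    return found


def scrub_office_metadata(data: bytes) -> bytes:
    """Rewrite the package with the identifying elements removed; other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(payload)
                fields = CORE_FIELDS if item.filename.endswith("core.xml") else APP_FIELDS
                for field in fields:
                    prefix, local = field.split(":")
                    for el in root.findall(f"{{{NS[prefix]}}}{local}"):
                        root.remove(el)
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_office_metadata(doc))
    print("after: ", extract_office_metadata(scrub_office_metadata(doc)))
```

Run the same extractor over the documents already on a public web site to see what has leaked; scrubbing before publication is the cheap fix, and it removes exactly the fields that make a phishing mail look like it came from a colleague.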

It is also very common for attackers to use previously stolen user databases to launch attacks. Criminals can deploy a new campaign within a few hours, building on social engineering techniques and the emotions of potential victims. The best defense against such attacks is awareness: informing company employees about cybercriminals' methods.


How to Create Safe Passwords

Creating good, reliable passwords is quite a difficult task for many. It becomes especially intimidating once you start considering a unique password for each site you visit. Dozens of unique passwords like OEjlkasdf34-absde@! will make anyone feel a bit perplexed and gloomy.

A typical response to this problem is simple and insecure: the user reuses one password for all services and resources, or creates several equally simple (to remember) and unreliable passwords. Or a sticker with the passwords ends up "hidden" under the keyboard.

It looks like there is a conflict between strong passwords you cannot remember and weak passwords you can remember but should not use if you want to avoid unauthorized access to your data. First, let's see what a strong (and a weak) password is.

Strong vs Weak Password

A strong password has sufficient length, mixes upper- and lower-case letters with numbers and symbols, and contains neither dictionary words nor anything tied to your personal information.

Passwords like MyPassword1 might look acceptable by the advice above, but they are not. The word "password", like any other dictionary word, is a bad idea in a password.

Anna1989:& does contain upper and lower case, as well as numbers and symbols, but it is seriously flawed. A name and a year of birth can easily be discovered from open sources, and they will be if an attacker wants your data.

C0ntekst* is a bit more secure: the letter o is replaced with the digit 0, and the spelling is deliberately wrong. Unfortunately, it is too short. Password-cracking software will not take long to guess it.

What shall I do?

Luckily, there are several easy and effective tricks for creating strong passwords that will not force you to enroll in memory-improvement training.

Phrases with Personally Valuable Information

Think of something you are unlikely to forget and build a password on it. The2o12’sTripT0Pariswas0key is not that difficult to remember but is truly difficult to crack.

Acronyms or shortcut codes

EksEksEksElIz0key4MaiFriend: "XXXL is OK for my friend." Spelling errors, digits in place of letters and words, and easy-to-recall information. A good example, and you can easily make it even better. Just think about using:

Smileys

Let's take our example based on our friend's anthropometry and add some emotion: EksEksEksElIz0key4MaiFriend:-). It's always good to have a big friend. One of the benefits is that being glad about it makes your password even stronger, and you will not forget in what way 🙂

Of course, there are many more effective techniques for building strong passwords, but you don't have to use them all to make your passwords strong and easy to remember. Just master those listed above and always remember: mix numbers and letters, upper and lower case, add symbols, make deliberate errors and KEEP THEM LONG!
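The rules in this section, turned into a checker as an added example (not code from the original page): it applies the length, character-class, dictionary-word and personal-information tests to the passwords discussed above and computes the brute-force search space in bits. The wordlist and the "personal" details are constructed and tiny (a real check uses a large dictionary plus everything known about the target), and the guessing rate is an assumption for illustration, not a measurement.

```python
"""Password assessment along the lines of the advice above (added example).

The wordlists are constructed and tiny; a real check would use a large
dictionary plus everything known about the target (names, birth years,
employer, pets). The guessing rate is an assumption, not a measurement.
"""
import math
import string

DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "context", "paris"}
PERSONAL = {"anna", "1989"}          # what a quick search on the target might turn up
ASSUMED_GUESSES_PER_SEC = 1e10       # assumption: order of magnitude of an offline rig
LEET = str.maketrans("0134$@", "oleasa")   # undo common digit/symbol-for-letter swaps


def char_classes(pw: str) -> dict:
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force keyspace. An upper bound on strength: it credits
    a password for its length and alphabet only, not for being unpredictable."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, present in char_classes(pw).items() if present)
    return len(pw) * math.log2(alphabet) if pw and alphabet else 0.0


def dictionary_word_in(pw: str, words=DICTIONARY, min_len: int = 5):
    """Longest dictionary word present after undoing leet substitutions
    (so MyPassw0rd1 is caught as well as MyPassword1), or None."""
    norm = pw.lower().translate(LEET)
    hits = [w for w in words if len(w) >= min_len and w in norm]
    return max(hits, key=len) if hits else None


def personal_info_in(pw: str, personal=PERSONAL) -> list:
    low = pw.lower()
    return sorted(p for p in personal if p in low)


def assess(pw: str) -> dict:
    """Apply the page's rules: length, mixed classes, no dictionary word as the
    core of the password, nothing tied to the person."""
    problems = []
    if len(pw) < 12:
        problems.append("too short (under 12 characters)")
    if sum(char_classes(pw).values()) < 3:
        problems.append("fewer than three character classes")
    word = dictionary_word_in(pw)
    if word and len(word) / len(pw) >= 0.5:   # a decorated dictionary word, not a phrase
        problems.append(f"built around the dictionary word '{word}'")
    hits = personal_info_in(pw)
    if hits:
        problems.append(f"contains personal information {hits}")
    bits = search_space_bits(pw)
    years = 2 ** bits / ASSUMED_GUESSES_PER_SEC / 31_557_600
    return {"password": pw, "bits": round(bits, 1), "exhaust_years": years,
            "problems": problems, "strong": not problems}


if __name__ == "__main__":
    for pw in ["MyPassword1", "Anna1989:&", "C0ntekst*",
               "The2o12'sTripT0Pariswas0key", "EksEksEksElIz0key4MaiFriend:-)"]:
        r = assess(pw)
        print(f"{pw:32} {r['bits']:6.1f} bits  {r['exhaust_years']:11.3g} yr  "
              f"{'; '.join(r['problems']) or 'OK'}")
```

The "years to exhaust" column is deliberately optimistic: it is the time to try every string of that length and alphabet. A cracker does not do that; it tries dictionary words with mangling rules first, which is why C0ntekst* (about 59 bits of keyspace) is still a weak choice and why the passphrase, whose strength comes from length, is not.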


Cybersecurity Threat Alert: NXNSAttack (June 1, 2020)

On May 19, 2020, academics from Tel Aviv University and The Interdisciplinary Center in Israel disclosed a vulnerability in the implementation of DNS recursive resolvers that can be abused to launch disruptive DDoS attacks against any victim. The researchers dubbed the attack NXNSAttack and detailed it in their research paper.


McAfee Labs Threats Report

McAfee researchers observed that cybercriminals are still using spear-phishing tactics, but an increasing number of attacks gain access through a company's open and exposed remote access points, such as RDP and Virtual Network Computing (VNC). RDP credentials can be brute-forced, obtained from password leaks, or simply bought on underground markets. Where ransomware criminals used to set up a command-and-control environment for the ransomware and its decryption keys, most now approach victims with ransom notes that include an anonymous e-mail address, which lets the actors stay better hidden.


Big Security in a Small Business World 2020, by Cisco

This report, based on a survey of almost 500 SMBs (defined here as organizations with 250-499 employees), reveals that not only do you take security very seriously, but that your innovative and entrepreneurial approach to security is also paying dividends. It's time to bust some myths about the way SMBs are using their cybersecurity resources.


2020 Roundup Of Cybersecurity Forecasts And Market Estimates

  • Enterprises are predicted to spend $12.6B on cloud security tools by 2023, up from $5.6B in 2018, according to Forrester.
  • Enterprise spending on cloud security solutions is predicted to increase from $636M in 2020 to $1.63B in 2023, attaining a 26.5% CAGR.
  • Spending on Infrastructure Protection is predicted to increase from $18.3B in 2020 to $24.6B in 2023, attaining a 7.68% CAGR.
  • Endpoint security tools account for 24% of all I.T. security spending, and by 2020 global I.T. security spending will reach $128B, according to Morgan Stanley Research.
  • 71% of UK-based business decision-makers believe the shift to 100% remote working during the COVID-19 crisis has increased the likelihood of a cyber-breach, according to research by Centrify.
  • 70% of all breaches still originate at endpoints, despite the increased I.T. spending on this threat surface, according to IDC.

Cybersecurity now dominates the priorities of every organization as each adapts to a post-COVID-19 world. Remote workers' identities and devices are the new security perimeter. This is what Zero Trust Security was designed for, and the post-pandemic world is its acid test and crucible. To learn more about how zero trust works, watch Forrester Principal Analyst Dr. Chase Cunningham's video, Zero Trust in Practice. Dr. Cunningham's latest book, Cyber Warfare – Truth, Tactics, and Strategies, is a good read. Attackers are quick to go after the new, unprotected threat surfaces created when tens of millions of employees started working from home. In a post-COVID-19 world, cybersecurity is as critical as Internet access itself.

Key insights from the series of cybersecurity market forecasts and market estimates include the following:

  • The global cybersecurity market is currently worth $173B in 2020, growing to $270B by 2026. By 2026, 77% of cybersecurity spending will be for externally managed security services.  While money spent on in-house or internal cybersecurity functions is expected to grow 7.2% each year to 2026, global spending on external cybersecurity products and services is projected to increase by 8.4% annually over the same period. Source: Australian Cyber Security Growth Network, SCP – Chapter 1 – The global outlook for cybersecurity, 2020. 
  • Network, data, and endpoint security are the three leading use cases of A.I. in cybersecurity today, according to I.T. executives. Capgemini interviewed I.T. executives from ten nations to gain new insights into A.I.'s most popular use cases for cybersecurity. The COVID-19 pandemic has accelerated each of these use cases, with endpoint security becoming the most urgent priority, as nearly every organization has employees working from home. Source: Statista.
  • The global cybersecurity market is predicted to grow from $167.1B in 2019 to $248.26B by 2023, attaining a 10.4% CAGR, according to Statista. Worldwide security spending on Identity Access Management reached $10.58B in 2019. The study also found that spending on security services, the largest segment of the information security market, reached $64.24B in 2019 as well. Source: Statista.
  • 87% of enterprises see mobile threats growing the fastest this year, outpacing other threat types, according to Verizon's Mobile Security Index 2019. Mobile devices and the identities they represent are the new security perimeter for every organization today. By killing passwords and replacing them with a zero-trust framework, breach attempts launched from any mobile device using stolen privileged access credentials can be thwarted. Leaders in mobile-centric zero-trust security include MobileIron, whose zero sign-on approach addresses the problem of passwords at scale. When every mobile device is secured through a zero-trust platform built on unified endpoint management (UEM) capabilities, zero sign-on from managed and unmanaged devices becomes achievable for the first time. Sources: Verizon's Mobile Security Index 2019 and Verizon Mobile Security Index (MSI) 2020.
  • The global cyber insurance market, as measured by gross written premiums, is forecast to be $8B by 2020, compared to a $124B global cybersecurity market.  Organizations primarily focus their cyber risk management strategies on prevention by investing in technological frontline cyber defenses. Meanwhile, spending on other tools and resources for cyber risk management, such as cyber insurance or event response training, remains a fraction of the technology budget. Source: Microsoft, 2019 Global Cyber Risk Perception Survey, September 2019
  • Over 42% of endpoints experience encryption failures, leaving entire networks at risk of a breach, and 100% of devices experience an encryption failure within one year. Encryption is most commonly disabled by users, malfunctions, hits error conditions, or was never installed correctly in the first place. Absolute Software's 2019 Endpoint Security Trends Report found that endpoints often failed because of the fragile configuration of their encryption agents: 2% of encryption agents fail every week, and over half of all encryption failures occurred within two weeks, fueling a constant 8% rate of decay every 30 days. Multiple endpoint security solutions conflict with each other and create more opportunities for breaches than they avert. The multi-phased methodology is based on data gathered from over 1B change events on over 6M devices, representing 12,000 anonymized organizations across North America and Europe, each device with Absolute's endpoint visibility and control platform activated. Source: Absolute Software 2019 Endpoint Security Trends Report.
  • There has been a 667% increase in spear-phishing e-mail attacks related to COVID-19 since the end of February alone. Microsoft thwarts billions of phishing attempts a year on Office 365 alone by relying on heuristics, detonation and machine learning, strengthened by Microsoft Threat Protection Services. Kount found that e-mail age is one of the most reliable identity trust signals for identifying and stopping automated, fraudulent activity. Based on that research and product development, Kount announced Email First Seen capabilities as part of its AI-powered Identity Trust Global Network, which consists of fraud and trust signals from over half a billion e-mail addresses and spans 32 billion annual interactions and 17.5 billion devices across 75 business sectors and 50-plus payment providers and card networks. The original article includes an overview of Kount's technology stack and its Email First Seen solution. Source: How To Know If An E-Mail Is Trustworthy, March 11, 2020.
  • Fraud detection, malware detection, intrusion detection, scoring risk in a network, and user/machine behavioral analysis are the five highest-value A.I. use cases for improving cybersecurity. Capgemini analyzed 20 use cases across information technology (I.T.), operational technology (O.T.), and the Internet of Things (IoT) and ranked them by implementation complexity and resulting benefit (in terms of time reduction). The original report includes a graphic comparing the recommended use cases by level of benefit and relative complexity. Source: Capgemini, Reinventing Cybersecurity with Artificial Intelligence, A new frontier in digital security.


Cisco and Palo Alto Networks appliances impacted by Kerberos authentication bypass

Cisco Systems and Palo Alto Networks have fixed similar high-risk authentication bypass vulnerabilities in their network security devices, both caused by an oversight in their implementations of the Kerberos protocol. Man-in-the-middle (MitM) attackers could exploit the weaknesses to gain administrative control over the appliances.

Researchers from security firm Silverfort discovered both vulnerabilities, which are similar and could exist in other Kerberos implementations as well. Cisco patched its flaw earlier this month and Palo Alto Networks this week.

The Kerberos vulnerabilities

The vulnerability in PAN-OS, the operating system that runs on network security devices and appliances from Palo Alto Networks, is tracked as CVE-2020-2002 and is rated high risk. The flaw exists in PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.13, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0. PAN-OS 8.0 has reached end-of-support and did not receive an update.

"An authentication bypass by spoofing vulnerability exists in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS by failing to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users," the company said in its advisory. "This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle type of attacker with the ability to intercept communication between PAN-OS and KDC can login to PAN-OS as an administrator."

A similar vulnerability, tracked as CVE-2020-3125, exists in the Cisco Adaptive Security Appliance (ASA) Software and was patched on May 6. Devices running Cisco ASA Software are affected if they have Kerberos authentication configured for VPN or local device access.

Cisco's advisory contains manual instructions for administrators to check whether Kerberos authentication is configured, as well as a table of fixed Cisco ASA versions. However, the company warns that addressing this issue requires configuration changes even after the software has been updated.

"Cisco ASA devices are vulnerable and can still be exploited unless the CLI commands validate-kdc and aaa kerberos import-keytab are configured," Cisco said. "These new configuration commands ensure that the ASA validates the KDC during every user authentication transaction, which prevents the vulnerability that is described in this security advisory."

Impersonating the Kerberos Key Distribution Center

Kerberos is a popular authentication protocol in enterprise Active Directory environments. To provide maximum security, the protocol has three authentication steps: the user authenticates to the server, the server authenticates to the client, and the Kerberos key distribution center (KDC) authenticates to the server.

"Apparently, KDC authentication to the server is often overlooked," the Silverfort researchers said in a blog post. "Perhaps because requiring it complicates the configuration requirements. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker that hijacked the network traffic to authenticate to PAN-OS with any password, even a wrong one."

Kerberos KDC spoofing is not a new attack; it was first described many years ago by security researcher Dug Song. This suggests that both the Cisco ASA and Palo Alto PAN-OS implementations have been vulnerable for a long time. The Silverfort researchers noticed the oversight while trying to implement a multi-factor authentication solution compatible with third-party security appliances.

Silverfort has the following recommendations for any developers implementing Kerberos:

  • Validate that the Kerberos implementation requires a password or keytab: to validate the domain controller (the KDC) you need some kind of shared secret. If your solution does not let you configure a keytab file or a service account password, the application is almost certainly susceptible to KDC spoofing.
  • Run Wireshark: use Wireshark to see which Kerberos requests are sent during authentication. If there is no TGS_REQ, that is a red flag.
  • Follow the protocol RFCs: if you implement an authentication protocol yourself, you must follow the RFCs diligently. Silverfort recommends taking the easier route and using an existing implementation of these protocols.
  • Use third-party libraries properly: some third-party libraries require specific configuration to avoid KDC spoofing. For example, pam-krb5, a common Kerberos library, has to have a keytab configured to work properly.
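The flaw and its fix, as an added simulation that is not code from Silverfort, Cisco or Palo Alto Networks: messages are Python dicts and the "encryption" is a small HMAC-based stand-in, so this models the logic of the exchange, not the Kerberos wire protocol (no ASN.1, no real string-to-key). The realm, principal names, passwords and keys are invented. It contrasts an appliance that grants access as soon as the AS_REP decrypts under the typed password with one that also sends a TGS_REQ for its own service principal and verifies the returned ticket with its keytab key, and it records the message types so the "no TGS_REQ" red flag from the list above can be seen directly.

```python
"""Toy model of Kerberos KDC spoofing and the keytab-based check that stops it.

Added example, not vendor code. Messages are dicts and "encryption" is a small
HMAC-based construction, so this is a simulation of the logic, not the
Kerberos wire protocol. Realm, principals, passwords and keys are invented.
"""
import hashlib
import hmac
import os

REALM = "EXAMPLE.LOCAL"
SERVICE = "host/fw.example.local"   # the appliance's own service principal


def derive_key(principal: str, password: str) -> bytes:
    """Stand-in for Kerberos string-to-key (the real one is salted PBKDF2)."""
    return hashlib.sha256(f"{REALM}|{principal}|{password}".encode()).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. A failed tag is how a Kerberos peer learns that the
    other side did not hold the expected key."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


class KDC:
    """The genuine KDC: holds every principal's long-term key, the appliance's included."""
    def __init__(self, principal_keys: dict):
        self.keys, self.krbtgt_key = dict(principal_keys), os.urandom(32)

    def as_exchange(self, user: str) -> dict:
        session = os.urandom(32)
        return {"type": "AS_REP",
                "tgt": seal(self.krbtgt_key, f"{user}|{session.hex()}".encode()),
                "enc_part": seal(self.keys[user], session)}

    def tgs_exchange(self, tgt: bytes, service: str) -> dict:
        user, _session = unseal(self.krbtgt_key, tgt).decode().split("|")
        return {"type": "TGS_REP",
                "ticket": seal(self.keys[service], f"{user}|{service}".encode())}


class RogueKDC:
    """Attacker's KDC on the hijacked path. It knows no real key, but it does know
    the password the attacker is about to type, so it can forge a matching AS_REP."""
    def __init__(self, user: str, typed_password: str):
        self.fake_key = derive_key(user, typed_password)

    def as_exchange(self, user: str) -> dict:
        return {"type": "AS_REP", "tgt": os.urandom(64),
                "enc_part": seal(self.fake_key, os.urandom(32))}

    def tgs_exchange(self, tgt: bytes, service: str) -> dict:
        return {"type": "TGS_REP", "ticket": os.urandom(96)}   # no service key to seal with


def as_step(kdc, user: str, password: str, trace: list):
    """AS exchange: the AS_REP if its enc_part decrypts under the typed password, else None."""
    trace.append("AS_REQ")
    rep = kdc.as_exchange(user)
    trace.append(rep["type"])
    try:
        unseal(derive_key(user, password), rep["enc_part"])
        return rep
    except ValueError:
        return None


def login_vulnerable(kdc, user: str, password: str, trace: list) -> bool:
    """The flawed pattern: trust the KDC because the AS_REP decrypted. Nothing
    here proves the KDC knew anything the person typing the password did not."""
    return as_step(kdc, user, password, trace) is not None


def login_validated(kdc, user: str, password: str, keytab_key: bytes, trace: list) -> bool:
    """The fix: also request a ticket for our own principal and verify it with the
    keytab key, a secret only the genuine KDC shares with the appliance."""
    rep = as_step(kdc, user, password, trace)
    if rep is None:
        return False
    trace.append("TGS_REQ")
    tgs = kdc.tgs_exchange(rep["tgt"], SERVICE)
    trace.append(tgs["type"])
    try:
        who, svc = unseal(keytab_key, tgs["ticket"]).decode().split("|")
    except ValueError:
        return False
    return who == user and svc == SERVICE


def run_scenarios() -> dict:
    """Returns {scenario: (authenticated?, Kerberos message types seen on the wire)}."""
    keytab_key = os.urandom(32)   # the appliance's keytab entry, also stored at the real KDC
    real = KDC({"admin": derive_key("admin", "Correct-Horse-7"), SERVICE: keytab_key})
    rogue = RogueKDC("admin", "whatever")   # the attacker will type "whatever"
    out = {}
    for name, kdc, pw, check in [
        ("vulnerable, real KDC, right password", real, "Correct-Horse-7", "vuln"),
        ("vulnerable, real KDC, wrong password", real, "whatever", "vuln"),
        ("vulnerable, rogue KDC, wrong password", rogue, "whatever", "vuln"),
        ("validated, rogue KDC, wrong password", rogue, "whatever", "valid"),
        ("validated, real KDC, right password", real, "Correct-Horse-7", "valid"),
    ]:
        trace = []
        ok = (login_vulnerable(kdc, "admin", pw, trace) if check == "vuln"
              else login_validated(kdc, "admin", pw, keytab_key, trace))
        out[name] = (ok, trace)
    return out


if __name__ == "__main__":
    for name, (ok, trace) in run_scenarios().items():
        print(f"{name:40} -> {'ACCEPT' if ok else 'reject':7} {' '.join(trace)}")
```

The third scenario is the bypass the advisories describe: the attacker both types the password and answers as the KDC, so any password "works". The fourth shows why the fix needs a shared secret on the appliance side: without the keytab key there is nothing the genuine KDC can prove that a rogue one cannot, which is the reason Cisco's fix is a configuration change (validate-kdc plus an imported keytab) and not only a software update.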