News & Updates

Enlarge (credit: flickr user: Hsing Wei)

The “wisdom of the crowd” is a simple approach that can be surprisingly effective at finding the correct answer to certain problems. For instance, if a large group of people is asked to estimate the number of jelly beans in a jar, the average of all the answers gets closer to the truth than individual responses. The algorithm is applicable to limited types of questions, but there’s evidence of real-world usefulness, like improving medical diagnoses.

This process has some pretty obvious limits, but a team of researchers at MIT and Princeton published a paper in Nature this week suggesting a way to make it more reliable: look for an answer that comes up more often than people think it will, and it’s likely to be correct.

As part of their paper, Dražen Prelec and his colleagues used a survey on capital cities in the US. Each question was a simple True/False statement with the format “Philadelphia is the capital of Pennsylvania.” The city listed was always the most populous city in the state, but that’s not necessarily the capital. In the case of Pennsylvania, the capital is actually Harrisburg, but plenty of people don’t know that.

Read 10 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

According to the release notes the latest version of WordPress 4.7.2 addresses three security, including  XSS, SQL Injection flaws.

The WordPress development team has pushed the WordPress 4.7.2 version that fixed three security issues, including a cross-site scripting and a SQL injection vulnerability.

The new update comes just two weeks after WordPress released its previous version. Two weeks ago WordPress released the WordPress 4.7.1, a security release for all previous versions that according to the release notes addressed eight security flaws and other 62 bugs.

“WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.” reads the official announcement published on the WordPress’ blog.

WordPress 4.7.2

The SQL injection affected the WordPress’ WP_Query class that is used to access variables, checks, and functions coded into the WordPress core. The expert Mohammad Jangda discovered the class is vulnerable when passing unsafe data. The flaw didn’t affect the core of the WordPress CMS, but there was the risk that plugins and themes would cause further vulnerabilities.

“WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).” states the announcement published by WordPress.

The cross-site scripting vulnerability fixed with this last update affected the class that manages the posts list table. The flaw was discovered by the member of WordPress’ Security Team Ian Dunn.

The third flaw resided the Press This function that allows WordPress users to publish blog posts with a web browser bookmarklet.

“The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.” states WordPress advisory.

According to the WordPress team, the previous WordPress 4.7 release has been downloaded over 10 million times since its release on December 6, 2016.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – WordPress 4.7.2, hacking)

The post WordPress 4.7.2 release addresses XSS, SQL Injection vulnerabilities appeared first on Security Affairs.

Source: Security affairs

Five members of an international cybercrime gang have been arrested as a result of an investigation coordinated by the Europol.

A joint operation conducted by the Europol and the Asian law enforcement allowed to arrest five members of an international organised cybercrime gang focused on cyber attacks on ATMs, three of them have been convicted.

It has been estimated that the group caused to the banks around EUR 3 million losses.

One arrest has been made by the Romanian National Police, three arrests by the Taiwanese Criminal Investigation Bureau and one arrest by the Belarusian Central Office of the Investigative Committee.

The crime organization recruited members online, most of them were citizens of more than one country a strategic choice because allowed the gang to have support in different countries facilitating the travels of the components of the gang.

Crooks were launching spear-phishing attacks aiming to distribute a malware to compromise the internal networks of the banks and gain control over the network of ATMs.

Europol operation

According to the Europol official announcement, the modus operandi employed was very complex and involved:

  • spear-phishing emails with attachments containing malicious programmes,
  • penetration of the banks’ internal networks,
  • compromising and controlling the network of ATMs,
  • special computer programmes which deleted most of the traces of the criminal activity, etc.

Cyber criminals were also able to use the software to delete almost all traces of the criminal activity.

Members of the organised crime gang were recruited online, with most members being citizens of more than one country, something which helped them travel across the globe.

The Europol had a pivot role for the success of the international law enforcement operation.

“The majority of cybercrimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice,” says Steve Wilson, Head of Europol’s European Cybercrime Centre (EC3).

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Europol, cybercrime)

The post Europol coordinated operation against international cybercrime ring appeared first on Security Affairs.

Source: Security affairs

Enlarge / Ceviche, as pictured here, is a dish served in many parts of Latin America. It’s made of raw fish cured in citrus juices. (credit: David Silverman/Getty Images)

Days before she was set to go to trial over $12 worth of ceviche sold on Facebook, Mariza Ruelas struck a deal with the San Joaquin County district attorney.

On Friday, prosecutors in the central California county agreed to drop various misdemeanor criminal charges, including operating a food facility without a permit, if Ruelas did 80 hours of community service within a year. She also agreed to not sell or trade food online unless she has the proper permits.

When Ars asked her how she felt on Friday afternoon, Mariza Ruelas said by phone: “Relieved, you know? It’s just like, ugh, finally it’s over.”

Read 17 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Law enforcement authorities from Europe and Russia have arrested five members of an international cyber criminal gang for stealing $3.2 million cash from ATMs using malware.

Three of the suspects, Andrejs Peregudovs (41), of Latvia, Niklae Penkov (34) of Moldova, and Mihail Colibaba (30) of Romania, were arrested in Taiwan by the Taiwanese Criminal Investigation Bureau last summer, have


Source: http://feeds.feedburner.com/TheHackersNews

In an effort to expand its certificate authority capabilities and build the “foundation of a more secure web,” Google has finally launched its root certificate authority.

In past few years, we have seen Google taking many steps to show its strong support for sites using HTTPS, like:

Giving more preference to HTTPS websites in its search rankings than others.

Warning users that all HTTP


Source: http://feeds.feedburner.com/TheHackersNews

In the journey towards business-driven security one of the niche weapon is the roadmap to Advanced Security Operations Centre (ASOC).

Now that we have gotten over from new year’s greetings– let’s get to the basics to refresh as what is required in terms of achieving maturity within your organisations. There is no doubt that this year will bring more sophisticated & coordinated attacks aimed specifically towards the supply chain. Organisations must integrate the concept of business-driven security where security is seen as business enabler rather than operational hindrance. The investment from preventive measures need to move swiftly towards pre-empted and intelligence driven response.

In the journey towards business-driven security one of the niche weapon (if we are allowed to say this) is the roadmap to Advanced Security Operations Centre (ASOC).

Most large organisations nowadays have some level of security monitoring for their networks; even SME’s have security staff although, they tend to be IT Operations staff wearing two hats. If you are managing a Security Operations Centre or are a board member considering their security organisation, there are a few fundamental questions that you must ask yourself.

  • What have we done to Detect and Respond to advanced integrated attacks?
  • Do I know how we address Processes and Procedures relating to Incident Management?
    • Actually do we have any Processes and Procedures???
  • What do we do if we are breached?
    • What do we need to do to reduce the Breach Exposure Time?
  • Is our security program aligned against the threats we face?
  • Do we have a plan in place for the security of our data over the next few years?

These are the sort of questions which will generate some of the answers you are looking to drive the Advanced Security Operations Centre program.

So just what is an ASOC? Is it just a marketing term to get organisations to buy more equipment or is it more of a shift in the way we do our day to day business and Incident Response? I guess for us it is one’s understanding of the difference between a SOC and an ASOC.

A SOC is designed to detect and respond to threats against a network. Put a couple of IDS boxes and Logging/SIEM in place with staff to monitor it and you have a SOC. An Advanced Security Operations Centre  is more of a program where every piece of the defence of the organisations networks is reviewed, understood and proactive appropriate controls, procedures, training (hunting capability) and management are put in place to protect an organisation. In fact it is a whole operational security life cycle for an organisation.

Another term which has been labeled against an ‘ASOC’ is that of an Intelligence Driven SOC. This is mainly because of the interpretation of Intelligence Analysts and use of the information gained to assist with their SOC program. Another popular interpretation is that all their Security Infrastructure is integrated and the SOC is taking a proactive approach to their security. These statements are partially correct, but they don’t form the whole picture. This blog aims to pull all of the pieces together into one (hopefully) holistic view (bed time story book for the new year )

So let’s take a look at an ASOC program which will give us our new build.

The key to an ASOC is understanding both the Business Requirements (which include regulatory considerations), and the Business Risk. These two elements drive everything else within an ASOC program. Once the Business issues have been identified, the Mission for the ASOC can be drafted which will frame all of the other activities which will drive the program.

Next we have to identify the assets we are looking to protect. Whilst a portion of this will have been identified in the Business Risk assessment we are now looking at exactly where we have to place our detection capability. In most cases this is going to involve some level of IDS/IPS or Full Packet Capture (FPC) at the network Gateway(s) (preferably on the inside of the network – although an additional feed from the outside is desirable to identify what threats are “knocking on the door”) and at pinch points within our Enterprise network. We should also identify the log sources and Netflow required for detection Use Cases.

Having identified the technical detection capabilities which are required to initialise a monitoring capability the next step is putting the “Advanced” into the Advanced Security Operations Centre. This is done by taking our Business Risk and Requirements and using them to define a Threat Centric approach to our Business Security Monitoring. To do so we must:

  1. Identify attack vectors and TTP’s (Tools, Techniques and Procedures) to build out Attack Scenarios
  2. Use these Attack Scenarios to enable us to create individual Use Cases and ultimately build a Use Case Library

Whilst we covered off Use Cases in an earlier blog post (which gave the individual requirements to build your Use Case) we will focus here on the Library itself.

Building Use Case Library enables us to identify the required data sources. This may sound trivial and be viewed as a typical requirement for building any SOC however, in taking a view of the entire library we are building, it enables us to identify where we have weaknesses in our detection capability (and as such where we should invest in new equipment or controls). In the example below we can see that Use Case 4 is capable of being deployed with all required data sources available, however to deploy Use Case 3 we require DHCP and VPN logs neither of which is available to the Security Operations Centre at this time. Use Cases 1 and 2 also have a requirement for DHCP and VPN logs but have additional detection capabilities and whilst not ideal can be deployed without DHCP and VPN Logs. Mapping out all of the Use Cases in this way will identify to Management just where our detection capability is compromised and what must be implemented/purchased to resolve these issues.

Advanced Security Operations Centre

Having built the Library and now having alerts flow into the ASOC we must turn to our staffing and this is by far the most important differentiator between a SOC and an ASOC. Typically SOC’s are reactive in their posture whereas ASOC’s are actively looking to develop their detection and hunting capability at all times. To do this a number of traditional SOC roles are utilised but with an addition set of staff and hunters:

  • Traditional
    • L1 & L2 Analysts
    • Platforms Engineers
    • SOC Management
  • Advanced Security Operations Centre Requirement
    • L3 Analysts
      • Malware Analyst
      • Forensic Analyst
    • Content (Use Cases, Signatures & Rules) Engineer
    • Threat Intelligence Analysts
    • Data Scientist
    • Hunters

Whilst all of these roles do not have to be deployed to give us a greater increase in our detection and response capability, the more that are, the better the Advanced Security Operations Centre service will be. For instance Malware and Forensic Analysis could be outsourced whilst keeping the Content Engineers and Threat Intelligence analysts as an internal resource (focused on the specific threats to our organisation). As to when to hire these individuals that would be established in the Target Operating Model (TOM).

The TOM acts as a visual representation of an organisations ASOC and its continuing design decisions. The focus of the TOM is upon the day to day structure of the Advanced Security Operations Centre, how it is managed and governed. It acts as a roadmap for the development of the services as it is gapped at (typically) 6 months, 12 months, 18 months and 24 months with key development aims mapped out over the months and years. Portions of the TOM include:

  • SOC Structure and Roles
  • Staffing
  • Shift Cycles
  • Resource Skills
  • Training
  • Performance Management
  • Processes
  • Incident Response Plan

Technology is a defining factor in any Security Operations Centre but to take this all together and deliver an Advanced package we must look at working smarter, and by that delivering all our tools into “One Single Pane of Glass”. To do so we would use an Incident Management tool which will pull all of our Alert and Incident Information into one centralised location (allowing a global view of the ASOC program (depending on the User Access rights)). Using a centralised tool also allows us to create Incident Response Procedures aligned against the detection rules (as part of our defined Use Cases) which will automatically be added to a new Incident for our analysts to follow. The other advantages of a centralised IM tool are:

  • Ease of Incident Escalation
  • Metrics for the entire ASOC Program
  • Secure Information store of Incident Information (No more e-mails!)
  • Enrichment of Incident data from external sources such as CMDB
  • Automated Integration with other ticketing systems for teams external to ASOC i.e. IT Ops
  • Bespoke Dashboards per User Roll

A word of warning though; No IM is disastrous, but a badly managed IM is even worse! Make sure that when planning your Use Cases that you identify just how many “typical” Incidents are expected. Implementing an IM which replicates every single alert you have is a recipe for failure (and an expensive one at that). Plan your ASOC and hire new staff as is required for your Use Cases and TOM.

However no single tool is ever going to be our “Silver Bullet” and even if it was we still have to make sure that our staff will utilise it in the manner that we as managers are expecting. Which brings us onto our Policies and Procedures. Now just asking one of your technical staff to write a procedure will make their face go ashen “ OH Paperwork!!!!”.  To enable our ASOC to work in a standard and repeatable fashion we must lay out our Standard Operating Procedures which cover everything from turning on the lights in the morning to procedures for Malware Analysis and Forensics. Having these documents pre-produced will allow the ASOC staff to function more effectively and in a targeted fashion to the perceived threats to the organisation. This will also allow smooth on-boarding of new team members and harmonisation among staff with different skillsets and experience. The requirement date for production of these documents can also be aligned in the TOM.

Next we have to look into constantly improving our ASOC and the results that are being given to the company. Metrics play a large part in an ASOC (which any manager or C Level executive will be glad to hear!). Peter Drucker once wrote “What’s measured improves” and this is entirely true of an ASOC. In an age where the one metric everyone wants to know “Have my systems been compromised? Yes/No” you can bet that there are going to be a lot more requests for data if the answer is yes! And rest assured that the answer is always yes!

Just before we get into the sort of things we would look to add to any ASOC Metrics program lets have a look at why we need good metrics:

  • Situation Overview
    • Analyse where the attacks are coming from
    • Regional Trends
    • Where our organisation is most vulnerable
    • Increased visibility of the Security Program (which is a GOOD thing)
  • Performance
    • Identifies which security devices are giving us our best value for detection
    • Identifies analysts which are struggling and require additional training
    • Measures the effectiveness of our Controls
    • Improvements in Patch Management
    • Decrease in Threat Landscape
    • Identifies the Business Units being targeted the most and which reacts better to attacks.
  • Resource Allocation
    • Allow staff planning in line with attack patterns
    • Identify new rolls for recruitments
    • Identify which security devices are no longer adequate for a given throughput of traffic.
    • Target the correct detection capabilities for future purchases.

And the best bit about all of this……. When you require investment for future enhancements in your Security Program you have all of your historical evidence to back it up.

Below are the main subsections for a Metrics program you would require with a few of the typical metric types included:

  • Incidents Metrics
    • Source of Incidents Created
    • Incident % False Positive
    • Incident % Escalated from L1 to L2
    • Incidents Created & Closed
    • Incident Count by Monitored Company/Organisation
    • Heat Maps
  • Categorization and Classification Metrics
    • Actors: Origin
    • Actors: Motive
    • Actions: Vector
    • Actions: Malware.Variety
  • Performance Metrics
    • Incidents Remediated Count by Analyst ID
    • Longest Open Tasks
  • Information from Logs and Packets
    • EPS Rates
    • Top 10 Source Addresses of Alerts
    • Top 10 Alerts
    • Top 20 Denied Inbound by Address
    • …..
  • Tool Efficacy
    • Number of Incidents detected with # Tool
    • Number of Incidents missed with # Tool

The above are just a little introduction to what Metrics would be required as part of an ASOC program (we will delve further into this in a later blog post).

And that is your basic introduction to an ASOC (or at least what we can fit into a Blog post!). We will dig into this subject in greater depth over our forthcoming book. https://www.amazon.co.uk/d/Books/Advanced-Cyber-Security-Intelligence-Corporate/1118997646  ( Dave Gray is the contributing author around threat intelligence and use cases framework). Please remember that Planning out your ASOC build is crucial. To quote an old RAF phrase “Prior Planning Prevents P*ss Poor Performance”.

Azeem Aleem Director RSA Advanced Cyber Defence Practice EMEA

An experienced information security executive with over 15 years of practitioner experience in cyber defense technologies, security operations, counter threat intelligence, data analytics and behavioral classification of cyber criminal. As a subject matter expert, he has made frequent appearance on regional television and radio programs as an expert on cyber threats. A published book author and academic criminologist, he has also authored several periodical on advanced security threats in peer-reviewed journals and security magazines. He is an eminent plenary conference guest speaker both at the national and international level.

Dave Gray: Senior Consultant RSA Advanced Cyber Defence Practice EMEA

David has been in the security business all his adult life having started in the Royal Air Force as his first job. He has worked in the cyber security field for over 10 years now in various cyber defence positions including Network, Malware and Forensic Analysis before leading teams himself.

He has co-developed an open framework for implementing Use Cases into any Security Operations Centre and spoken at a number of International Security Conferences including RSAC and SANS on various cyber-related security topics. David currently works as a Team Leader for RSA ACD deploying security programs and Advanced SOC/CIRC designs to customers in EMEA.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Advanced Security Operations Centre, cyber security)

The post Business Driven Security: The Case of Building an Advanced Security Operations Centre appeared first on Security Affairs.

Source: Security affairs

Enlarge / President Trump has tagged Defense Secretary James Mattis to lead the charge to fix all the cyber things and smash the cyber adversaries. (credit: Getty | Sara D. Davis )

Today, the Washington Post published what appears to be a draft of an executive order to be signed by President Donald Trump. The order, entitled “Strengthening US Cyber Security and Capabilities,” puts flesh on the bones of the “cyber review” promised by Trump during the campaign. It spells out who will conduct the review and what its specific goals are. The order also sets a brisk pace for the review, calling for initial recommendations for the security of “national security systems” and critical infrastructure within 60 days. The review also has a 60-day deadline to provide the president with a list of “principal cyber adversaries.”

This is not the first 60-day cyber fix-it order from the White House. After the breach at the Office of Personnel Management in 2015, the Obama administration ordered a “cyber sprint” across the Federal government to get systems into compliance with security best practices. Results were mixed. The chief information officers of OPM and the Department of Education resigned under pressure from the House Government Oversight Committee after they failed to complete a majority of the mandated tasks.

The new order’s language indicates that the Trump administration will see private network infrastructure as being the federal government’s turf to defend—but that the administration will lean heavily on the private sector to figure out how to defend it. “Federal Government has a responsibility to defend America from cyber attacks that could threaten US national interests or cause significant damage to Americans’ personal or economic security,” the draft order states. “That responsibility extends to protecting both privately and publicly operated critical networks and infrastructure. At the same time, the need for dynamism, flexibility, and innovation in cyber security demands that the government exercise its responsibility in close cooperation with private sector entities.”

Read 3 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

HoloLens Development Edition. (credit: Microsoft)

In an interview with the Inquirer, Microsoft’s Roger Walkden, commercial lead for HoloLens in the EMEA (Europe, Middle East, Africa) region, said that sales of the augmented reality headset numbered “in thousands, not hundreds of thousands.”

HoloLens developer kits first went on sale in the US and Canada in late March last year. Initial deliveries were made in “waves,” with prospective developers having to wait months for hardware to become available. Since then, the hardware has spread to a few more countries—the headsets started shipping to Australia, Ireland, France, Germany, New Zealand, and the UK in November 2016, and they should go on sale in China in the first half of this year. The waiting lists have gone away, so supply constraints have eased up to some extent. But compared to most Microsoft products, the developer kits’ availability is still very restricted.

The HoloLens developer kit is also very expensive. Initially, Microsoft offered only a $3,000 (£2,700) developer kit. This has been joined by a $5,000 (£4,500) “production” version for enterprise customers. Both use the same hardware, but the production version adds a limited warranty, while the developer kit has no warranty and no refunds available for buyers. The $5,000 kit also includes an “enterprise” version of the HoloLens-specific variant of Windows that adds “kiosk mode” (wherein the headset boots directly into an application, making it a single-purpose device) and some management capabilities.

Read 5 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Greetings, Arsians! Courtesy of our partners at TechBargains, we have a new batch of deals to share to kick off your weekend. Now you can get a Dell tower PC at its lowest price yet: snag the Dell XPS 8910 desktop, featuring an Intel Core i5 processor, 8GB of RAM, and a 1TB hard drive, for just $554. That’s nearly $300 off its original price, which is a great deal on a tower that has all the beloved features from the previous 8900 model, plus a few extra perks.

Check out the rest of the deals below.

Featured

Read 8 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/