Tuesday, May 3, 2016

Data Deception As A Defense

Let’s get something out before we start here – deception isn’t an active blocking technology. It’s not going to stop attackers from breaking into your network and it sure isn’t going to proactively stop attacks from occurring. With that being said, you need it, maybe more than ever. Why is that? Because your defenses aren’t working, and using deception in your network gives you the best opportunity to control the damage post-breach. With deception, you write the rules and lay traps for attackers as they actively scour for your data. It’s much harder to bypass deceptive technology when the decoys mimic genuine data or systems. The bad guys only have to mess up once and the trap is sprung.
We see attackers use deception all the time: spoofing, stolen accounts, phishing, rootkits, etc. (to name a few), so why aren’t we using similar tactics to confuse and misdirect them from stealing our data? There are many different types of deception, but for this article we’re focusing on data deception. In order to lay a trap for an attacker using deception in your data you must first understand your data. The first rule of deception is laying a trap that looks real. If the decoys don’t look genuine you’re not fooling anyone, and this will spook experienced attackers into hiding deeper in your network. If you’re using deception to protect data you need to ask yourself these three questions before laying decoys:
  1. What is your sensitive data?
  2. Where is your sensitive data?
  3. Who has access to sensitive data?
Read more of my article on IdentityFinder's blog and get a better understanding of how to use data deception to protect your assets: http://www.identityfinder.com/blog/attackers-dont-play-fair-neither-should-you/#more-1601
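To make the "decoys must look real" point concrete, here is an added example (my own code, not from the post or the IdentityFinder article) that generates decoy records copying the exact shape of a constructed set of real records, then scans constructed log lines and raises an alert the moment a decoy value is used. The record layout, the `ak_live_` key format and the log lines are all assumptions made up for the demo.

```python
import random
import re

# Constructed sample of genuine records; decoys must copy this shape to look real.
REAL_RECORDS = [
    {"id": 10413, "email": "j.smith@example.com", "api_key": "ak_live_7f3e9b12c4d8a6e1"},
    {"id": 10414, "email": "m.jones@example.com", "api_key": "ak_live_0a1b2c3d4e5f6a7b"},
]
KEY_RE = re.compile(r"ak_live_[0-9a-f]{16}")  # assumed key format, taken from REAL_RECORDS


def make_decoys(real, count, seed=1):
    """Build decoy records that mirror the real ones (key prefix and length, e-mail
    domain, contiguous id range) so they do not stand out; only the values are fake."""
    rng = random.Random(seed)  # seeded so the decoy set is reproducible
    domain = real[0]["email"].split("@")[1]
    next_id = max(r["id"] for r in real) + 1
    real_keys = {r["api_key"] for r in real}
    decoys = []
    while len(decoys) < count:
        key = "ak_live_" + "".join(rng.choice("0123456789abcdef") for _ in range(16))
        if key in real_keys:  # never collide with a genuine key
            continue
        name = rng.choice("abcdefghijklmnopqrstuvwxyz") + "." + rng.choice(["brown", "davis", "lee"])
        decoys.append({"id": next_id + len(decoys), "email": f"{name}@{domain}", "api_key": key})
    return decoys


def scan_log(lines, decoys):
    """Return (line_no, decoy_id, key) for each log line that presents a decoy key.
    No legitimate client ever holds a decoy, so one hit is enough to spring the trap."""
    decoy_keys = {d["api_key"]: d["id"] for d in decoys}
    hits = []
    for line_no, line in enumerate(lines, 1):
        for key in KEY_RE.findall(line):
            if key in decoy_keys:
                hits.append((line_no, decoy_keys[key], key))
    return hits


def demo():
    """Plant three decoys, then scan constructed API-gateway log lines."""
    decoys = make_decoys(REAL_RECORDS, 3)
    log = [  # constructed log lines: one real key, one decoy key, one unrelated line
        "2016-05-03T10:01:02Z 203.0.113.5 GET /v1/orders key=ak_live_7f3e9b12c4d8a6e1 200",
        "2016-05-03T10:02:17Z 198.51.100.9 GET /v1/export key=%s 403" % decoys[1]["api_key"],
        "2016-05-03T10:02:18Z 198.51.100.9 GET /healthz 200",
    ]
    return decoys, scan_log(log, decoys)


if __name__ == "__main__":
    planted, alerts = demo()
    for line_no, decoy_id, key in alerts:
        print(f"ALERT line {line_no}: decoy record {decoy_id} ({key}) was used")
```

The same idea works for any field you can recognise in logs or queries (account numbers, document names, rows in a table), as long as the decoy answers the three questions above the same way the real data does.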

Friday, April 29, 2016

Using Geo IP Data to Tighten Rulesets

The ability to geo-block countries is a great way to limit malicious requests from entering your network, or at the very least to reduce your attack surface from the internet – it’s a great tool to keep in your security toolbox. Take a look at my article for AlgoSec on using GeoIP data in your firewall to tighten rulesets and increase security.

http://blog.algosec.com/2016/04/using-geo-ip-data-tighten-firewall-rulesets.html

Tuesday, April 12, 2016

TeslaCrypt Still on the Rise

We’ve seen the explosion of ransomware over the past year and it’s showing no signs of stopping anytime soon. Cyber extortionists are not only flocking to this method, they’re evolving it to fit their malicious needs. This is the reason we’ve seen multiple iterations of TeslaCrypt being produced, with each copy being independently developed by another group to fit the needs of the particular developers or their clients. You can find everything you need regarding TeslaCrypt in this well-written blog post: http://soft2secure.com/knowledgebase/teslacrypt-3-0

With TeslaCrypt being used as a standard in many ways, it’s interesting to see how malicious developers have countered each version of TeslaCrypt to advance their malware with new “features”. These new features allow the malware to evade anti-virus, ransom files with better encryption, include additional file types, etc. As long as the opportunity exists for attackers to make money from this threat, we’ll continue to see ransomware infect our networks. I personally don’t think this will be the end of their features, and I’m concerned that we’ll start seeing other “data” or “access” ransomed in the near future. Once the bad guys see a successful way to make money they evolve it, just like they do their tools, to fit their needs. We’re only seeing the tip of the iceberg with TeslaCrypt and others just like it.

With this being said, the best way not to fall victim to this attack is backing up your files on a regular basis. If you have a recent backup of your data there’s no need to pay someone to get it back. Please, consider backing up your files. A service like SpiderOak is great for this type of “unmapped” backup, where new data is copied up to the cloud right away without the backup target being exposed as a drive letter. If you read the above article you’ll know that mapped drives are part of what TeslaCrypt and other ransomware variants crawl into right away.

Ransomware is showing no signs of slowing, but if we back up our data, patch our systems and use some common sense when clicking links, we can limit it to an extent. As soon as it’s no longer viable for criminals to make money off this scheme, they’ll move on. It’s up to us to dissuade them.

Friday, April 8, 2016

Why Patching Will Never Get Old

I was asked to participate in Heimdal Security's "Round Up" of experts on why "Software Patching is Key for Your Online Security". It's something overlooked by many as a first line of defense for protecting systems from vulnerabilities.

You can read the responses from all contributors here: https://heimdalsecurity.com/blog/expert-roundup-software-patching/

Thursday, April 7, 2016

WhatsApp Encrypts 1 Billion Users and Promptly Drops Mic

In an attempt to find an analogy for the sheer number of WhatsApp users now covered by end-to-end encryption of calls, video, chat and images, I came across this statistic:


That's right, it would take 32 years to count the number of users (today) that now have end-to-end encryption using WhatsApp. That's freaking huge.

I think we'll all remember the Apple vs FBI case as the spark that lit the fire, but in reality the work being done behind the scenes at WhatsApp took place long before the FBI bungled the San Bernardino iPhone. There has been a steady increase in encryption being pushed down to the consumer level, mainly due to privacy concerns and mistrust of how governments and organizations handle data, and that is what has fueled this effort to become commonplace.

What many will see is the FBI cracking one iPhone and WhatsApp turning on encryption two weeks later for 1 billion users. I don't think this was due to this case alone (the sheer design change would be massive), but needless to say, it didn't help. After hearing this, I can honestly say that I downloaded the app for the first time and will use it alongside Whisper Systems' Signal app for increased privacy and security.

When I think about the government requesting data from WhatsApp now that end-to-end encryption is enabled, especially since they had already started focusing their attention on WhatsApp, all I could think of was this GIF:

via GIPHY

Wednesday, April 6, 2016

How to Defend Your Network Against Ransomware

We've all seen the recent headlines about the sheer destruction that ransomware can bring upon your network, but we haven't seen many tips on defending against it. With many companies paying the ransom to criminals after being infected, it only encourages them to use it more. If they weren't making money off this scheme they wouldn't be using it, but unfortunately they are.

What I'd like to do with this article is spread some common sense about defending against ransomware, along with ways to help mitigate it once it's in your network. Here's the article I wrote for Tripwire explaining a few methods. Since everything we do in security is based on layers, there's not a single defense that's going to stop ransomware by itself.

http://www.tripwire.com/state-of-security/incident-detection/creating-a-malwarerasomware-defendable-network/