Archive for December, 2015

Chuck Leaver – Learn From The LastPass Breach Lessons And Use Behavior Analytics

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


The LastPass Breaches Offer 4 Lessons Everyone Can Learn From

Data breaches in 2011 and again in 2015 were perpetrated against the password management company LastPass. Professionals recommend password managers, since strong passwords unique to each user account are impractical to remember without some organized assistance. Nevertheless, putting all one's eggs in a single basket, and then having millions of users each put their egg basket into one mega basket, creates an irresistible target for attackers of every stripe. Cryptography professionals who have studied this latest breach at LastPass appear cautiously optimistic that significant harm has been prevented, but there are still crucial lessons we can learn from this episode:

1. There Is No Ideal Authentication, There Is No Perfect Security

Any competent, patient and motivated adversary will eventually breach any practical cyber defenses, even if yours is a cyber defense enterprise! Unfortunately, for many businesses today, it does not require much skill or perseverance to breach their patchwork defenses and penetrate their sprawling, porous perimeters. Compromise of user credentials, even those of highly privileged domain administrators, is likewise quite common. Again, regrettably, many businesses rely on single-factor password authentication, which simply invites rampant credential compromise. But even multi-factor authentication can be breached, as was evidenced by the 2011 compromise of RSA SecurID tokens.

2. Use Situational Awareness When Defenses Are Breached

Once attackers have breached your defenses, the clock is ticking on your detection, containment, and remediation of the incident. Industry data suggests this clock has a long time to tick, typically many days, before awareness sets in. By that time the attackers have pwned your digital assets and picked your business carcass clean. Keen situational awareness is essential if this all-too-frequent tragedy is to be avoided.

3. Comprehensive Situational Awareness Fuses Network and Endpoint Contexts

In the recent LastPass incident, detection was achieved by analysis of network traffic in server logs. The attacker dwell time prior to detection was not disclosed. Network anomalies are not always the fastest way to identify an attack in progress. A fusion of network and endpoint context provides a much better decision basis than either context alone. For instance, being able to merge network flow data with identification of the originating process can shed much more light on a potential intrusion. A suspicious network contact made by a new and disreputable executable is far more telling when the two facts are taken together than when each is evaluated on its own.
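As an added illustration of the fusion described above (not code from the original post or from Ziften), the following Python scores each network flow together with the endpoint's record of the process that produced it, so that a new, rarely seen executable talking to an unfamiliar destination stands out where the flow alone would not; the flow records, process inventory, destination baseline and thresholds are all constructed and assumed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): flows keyed by the originating
# (host, pid), plus the endpoint agent's inventory of those processes.
FLOWS = [
    {"host": "ws-17", "pid": 4412, "dst": "203.0.113.9", "dport": 443, "bytes_out": 58_000_000},
    {"host": "ws-17", "pid": 1180, "dst": "198.51.100.4", "dport": 443, "bytes_out": 120_000},
    {"host": "ws-22", "pid": 9001, "dst": "203.0.113.50", "dport": 8443, "bytes_out": 4_000},
]
PROCS = {
    ("ws-17", 4412): {"exe": "C:/Users/jdoe/AppData/Local/Temp/upd.exe",
                      "first_seen": "2015-11-30T23:50:00", "host_count": 1},
    ("ws-17", 1180): {"exe": "C:/Program Files/Mozilla Firefox/firefox.exe",
                      "first_seen": "2015-06-02T10:00:00", "host_count": 212},
}
KNOWN_DST = {"198.51.100.4"}          # destinations present in the fleet's baseline
NOW = datetime(2015, 12, 1, 9, 30)    # evaluation time for the "new executable" check

def score_flow(flow, procs, known_dst, now, new_window=timedelta(days=1),
               rare_hosts=2, bulk_bytes=50_000_000):
    """Fuse one flow with its originating process; return (score, reasons)."""
    score, reasons = 0, []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if flow["dst"] not in known_dst:
        hit(1, "destination not in baseline")
    if flow["bytes_out"] >= bulk_bytes:
        hit(2, "bulk outbound transfer")
    proc = procs.get((flow["host"], flow["pid"]))
    if proc is None:
        hit(1, "no endpoint process context")   # network-only view: flag the gap
        return score, reasons
    if now - datetime.fromisoformat(proc["first_seen"]) <= new_window:
        hit(2, "executable first seen within 24h")
    if proc["host_count"] < rare_hosts:
        hit(2, f"executable seen on {proc['host_count']} host(s)")
    if "/AppData/" in proc["exe"] or "/Temp/" in proc["exe"]:
        hit(1, "executable in user-writable path")
    return score, reasons

def triage(flows, procs, known_dst, now, threshold=4):
    """Return (score, reasons, flow) for flows worth an analyst's attention."""
    scored = [(*score_flow(f, procs, known_dst, now), f) for f in flows]
    return sorted((t for t in scored if t[0] >= threshold), key=lambda t: -t[0])
```

A flow with no matching process record is scored as its own finding, since a missing endpoint view is exactly the blind spot the fusion is meant to close.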

4. After An Authentication Failure, Use User Behavior Analytics

Compromised user credentials frequently wreak havoc across breached businesses, enabling attackers to pivot laterally through the network and operate largely beneath the security radar. However, this misuse of legitimate credentials differs markedly from the normal behavior of the genuine credential holder. Even fairly simple user behavior analytics can identify anomalous discontinuities in learned user behavior. Always employ user behavior analytics, especially for your more privileged users and administrators.
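To make the point concrete, here is an added example (not the original post's or Ziften's code) of a minimal user behavior baseline learned from constructed authentication events, which then flags logons to new hosts, from new source addresses, at off-hours, or by accounts with no history at all, weighting privileged accounts more heavily; the field names, sample values and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events (not real logs): a baseline period of
# ordinary activity for two accounts, one of them a domain administrator.
BASELINE_EVENTS = [
    {"user": "jdoe", "host": "ws-17", "hour": 9, "src": "10.1.4.22"},
    {"user": "jdoe", "host": "ws-17", "hour": 10, "src": "10.1.4.22"},
    {"user": "jdoe", "host": "fileserv-1", "hour": 14, "src": "10.1.4.22"},
    {"user": "jdoe", "host": "ws-17", "hour": 17, "src": "10.1.4.22"},
    {"user": "admin-kl", "host": "dc-1", "hour": 8, "src": "10.1.9.5"},
    {"user": "admin-kl", "host": "dc-2", "hour": 11, "src": "10.1.9.5"},
]

def build_baseline(events):
    """Per user: the hosts reached, the logon hours used, and the sources seen."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "srcs": set()})
    for e in events:
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["hour"])
        b["srcs"].add(e["src"])
    return dict(base)

def hour_distance(a, b):
    """Distance between two hours of the day, wrapping past midnight."""
    d = abs(a - b)
    return min(d, 24 - d)

def score_event(baseline, event, privileged=()):
    """Return (score, reasons); privileged accounts weigh every deviation double."""
    b = baseline.get(event["user"])
    if b is None:
        return 3, ["account has no baseline (new or dormant account)"]
    reasons = []
    if event["host"] not in b["hosts"]:
        reasons.append("first logon to host " + event["host"])
    if event["src"] not in b["srcs"]:
        reasons.append("first logon from " + event["src"])
    # Off-hours: more than one hour away from every hour in the learned pattern.
    if all(hour_distance(event["hour"], h) > 1 for h in b["hours"]):
        reasons.append(f"logon at {event['hour']:02d}:00 outside learned hours")
    weight = 2 if event["user"] in privileged else 1
    return weight * len(reasons), reasons
```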

Even The Elite Hackers Lack Vulnerability Monitoring – Chuck Leaver

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver


Hacking Team Impacted By Absence Of Real Time Vulnerability Monitoring


These days cyber attacks and data breaches are in the news all the time, and not just for those in high-value industries such as healthcare, finance, energy and retail. One especially interesting incident was the breach of the Italian company Hacking Team. For those who do not recall, Hacking Team (HT) is a company that specializes in surveillance software for government and law enforcement agencies that wish to carry out covert operations. The programs developed by HT are not your run-of-the-mill remote control software or malware-style recording tools. Their flagship product, code-named Galileo and better known as RCS (Remote Control System), claimed to be able to do practically anything you needed in terms of "managing" your target.

Yet as skilled as they were at developing these programs, they were unable to keep others out of their own systems, or to detect such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT was hacked, and the data stolen and subsequently released to the public was huge: 400 GB. More significantly, the data included extremely damaging information such as emails, customer lists (and pricing) that included countries blacklisted by the UN, and the crown jewels: source code. There was also thorough documentation that included a few very effective 0-day exploits against Flash and Adobe. Those 0-days were used very soon afterwards in cyber attacks against some Japanese businesses and United States government agencies.

The big question is: How could this happen to a company whose entire purpose is to make software that goes undetected and to find or produce 0-day exploits for others to use? One would think a breach here would be almost impossible. Evidently, that was not the case. Currently there is not much to go on as to how this breach occurred. We do know, however, that somebody has claimed responsibility, and that individual (or group) is not new to breaking into organizations like HT. In August 2014, another surveillance company was hacked and sensitive files were released, just as with HT. This included customer lists, pricing, code, and so on. That attack was against Gamma International, whose software was called FinFisher or FinSpy. A user by the name of "PhineasFisher" posted 40 GB worth of data on Reddit and revealed that he/she was responsible. A post in July this year on their Twitter handle stated that they also attacked HT. It appears that the message and purpose of these breaches and thefts was to make people aware of how these companies operate and who they sell to: a hacktivist attack. He did publish some details of his techniques, and some of these methods were likely used against HT.

A final question is: How did they break in, and what precautions could HT have implemented to prevent the breach? We do know from the released documents that users within HT had very weak passwords, e.g. "P4ssword" or "wolverine." In addition, one of the main employee systems where the theft may have occurred used the program TrueCrypt. However, while you are logged on and using the system, those hidden volumes are accessible. No information has been released as yet as to how the network was breached or how they gained access to the users' systems in order to download the files. It is apparent, though, that businesses need to have a solution such as Ziften's Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside normal behavior. Examples include 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When an organization is making and selling advanced surveillance software, and holding unknown vulnerabilities in commercial products, a better plan should have been in place to limit the damage.

Chuck Leaver – It Is Likely The Anthem Healthcare Data Leak Could Have Been Avoided

Written By Justin Tefertiller And Presented By Chuck Leaver Ziften CEO


Continuous Endpoint Visibility Would Have Improved Health Care Data Leak Prevention

Anthem Inc discovered a large-scale cyber attack on January 29, 2015 against its data and IT systems. The healthcare data leak is believed to have occurred over a period of several weeks beginning around early December 2014, and targeted personal data on Anthem's database infrastructure as well as endpoint systems. The stolen data consisted of dates of birth, full names, healthcare identification numbers and social security numbers of customers and Anthem employees. The exact number of people affected by the breach is unknown, but it is estimated that nearly 80 million records were taken. Healthcare data tends to be among the most lucrative sources of income for hackers selling records on the dark market.

Forbes and others report that the attackers used a process-based backdoor on clients connected to Anthem databases, together with compromised admin accounts and passwords, to slowly steal the data. The actions taken by the hackers posing and operating as administrators are what ultimately brought the breach to the attention of Anthem's security and IT teams.

This kind of attack shows the need for continuous endpoint visibility, as endpoint systems are a constant infection vector and an avenue to sensitive data stored on any network they connect to. Simple things like never-before-seen processes, new user accounts, odd network connections, and unauthorized administrative activity are typical calling cards of the start of a breach, and can be quickly identified and alerted on given the right monitoring tool. When alerted to these conditions in real time, incident responders can catch the intrusion, find patient zero, and hopefully mitigate the damage rather than allowing attackers to roam the network undetected for weeks.

Chuck Leaver – The PF Chang Breach Impacted 30 Locations Over 8 Months

Written By Chuck Leaver Ziften CEO


The PF Chang's restaurant chain recently published new information about the security breach of its credit card systems across the nation. The chain revealed that the breach affected more than 30 restaurants in 17 states and went on for 8 months before being detected.

While the investigation is still ongoing, PF Chang's reported in a statement that the breach has been contained and that customer financial data has been processed securely by the restaurant since June 11. The compromised systems used by the chain were decommissioned until it was clear that their security could be ensured, and in the meantime credit cards were processed manually.

Rick Federico, CEO, said in a statement: "The potentially taken credit and debit card data includes the card number and sometimes also the cardholder's name and/or the card's expiration date. However, we have not determined that any specific cardholder's credit or debit card data was taken by the attacker."

PF Chang's was alerted to the breach, which it described as an "extremely advanced criminal operation," in June when it was contacted by the Secret Service about cyber security concerns. As soon as they were notified, the restaurant hired third-party forensic investigators to discover how the breach occurred, at which time they found that malicious actors had been able to exploit the chain's credit card processing systems and potentially gain access to customer credit card information.

Organizations worried about similar data breaches affecting point-of-sale terminals should implement endpoint threat detection to keep vital systems protected. Endpoint security involves monitoring sensitive access points, such as POS systems, bar code readers and employee mobile phones, and reducing risks as they appear. Continuous endpoint visibility is needed to identify threats before they compromise networks and to ensure business security.