Hard to believe it’s time to celebrate another go ’round the Sun for KrebsOnSecurity! Today marks exactly seven years since I left The Washington Post and started this here solo thing. And what a remarkable year 2016 has been!


The word cloud above includes a sampling of tags used in stories on KrebsOnSecurity throughout the past year. It’s been a wild one, riddled with huge attacks, big cybercriminal busts and of course a whole mess of data breaches.

The biggest attack of all — the 620 Gbps distributed denial-of-service (DDoS) assault against this site on Sept. 22 — resulted in KrebsOnSecurity being unplugged for several days. The silver lining? I now have a stronger site and readership. Through it all, the community that has grown up around this site was extremely supportive and encouraging. I couldn’t be prouder of this community, so a huge THANK YOU to all of my readers, both new and old.

It’s fair to say that many of the subjects in the word cloud above are going to continue to haunt us in 2017, particularly ransomware, CEO fraud and DDoS attacks. I am hopeful to have more on the “who” behind the September attacks against this site in the New Year. I promise it’s going to be a story worth waiting for. Stay tuned.

Also, many of you have asked whether we can have a more responsive theme on this blog. It is true that the site hasn’t been updated appearance-wise since it launched seven years ago, and that it’s long overdue for a facelift. We were on track to have that done by today’s blog post, but for a variety of reasons this will have to wait until the early New Year. Thank you for your patience.

My aim from the beginning with this site has been to focus on producing original, impactful reporting on computer security and cybercrime, and to keep the content free for anyone and everyone. That remains my intention. For those of you who have Adblock installed, please consider adding an exception for my site: For security reasons (see malvertising for more info), this site has not allowed third-party content since late 2011, and all of the handful of ads that run here are hosted locally and have been fully vetted.

As always, below are links to some of the most-read stories on the site this year. Thanks again for your readership, encouragement and support!

Oct. 21: Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

Oct. 3: Who Makes the IoT Things Under Attack?

Sept. 25: The Democratization of Censorship

Sept. 13: Secret Service Warns of ‘Periscope’ Skimmers

Sept. 10: Alleged vDOS Proprietors Arrested in Israel

Sept. 8: Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

Aug. 26: Inside ‘The Attack that Almost Broke the Internet’

Feb. 18: This is Why People Fear the Internet of Things

Feb. 16: The Great EMV Fakeout: No Chip for You!

Jan. 30: Sources: Security Firm Norse Corp. Imploding

Source: krebsonsecurity

InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations.

An Intercontinental hotel in New York City. Image: IHG

Last week, KrebsOnSecurity began hearing from sources who work in fraud prevention at different financial institutions. Those sources said they were seeing a pattern of fraud on customer credit and debit cards that suggested a breach at some IHG properties — particularly Holiday Inn and Holiday Inn Express locations.

Asked about the fraud patterns reported by my sources, a spokesperson for IHG said the company had received similar reports, and that it has hired an outside security firm to help investigate. IHG also issued the following statement:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations. We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support. We continue to work with the payment card networks.”

“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.
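The magnetic-stripe data described in the two paragraphs above has a fixed layout (Track 1 and Track 2), which is what makes point-of-sale RAM scrapers both possible and detectable: an incident responder can search a memory image or captured network payload for those layouts. The scanner below is an added example written for this page, not code from KrebsOnSecurity, IHG or any hotel chain. It assumes the input is a raw byte buffer (a process memory dump or packet payload); the sample buffer is constructed and uses the publicly known 4111111111111111 test card number, plus a Luhn-invalid near miss to show the false-positive filter.

```python
import re

# Track 2 layout: PAN (13-19 digits) '=' expiry YYMM, 3-digit service code,
# discretionary data, '?' end sentinel. The lookbehind stops a match from
# starting in the middle of a longer digit run.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d{0,20}\?")

# Track 1 layout: '%B' PAN '^' cardholder name '^' expiry YYMM, service code,
# discretionary data, '?' end sentinel.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to discard digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so findings can be shared without exposing card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return Luhn-validated Track 1 / Track 2 hits found in a byte buffer, sorted by offset."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            expiry = m.group(3) if track == 1 else m.group(2)
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": expiry.decode("ascii"),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed memory-dump fragment (hypothetical): a Track 1 record, a Track 2
# record, and a Track 2 look-alike whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00MSR_READ\x00"
    + b"%B4111111111111111^DOE/JANE^25121011234567890?"
    + b"\x00" * 8
    + b"cfg=1\x00"
    + b"4111111111111111=2512101123456789?"
    + b"\x00\x00"
    + b"4111111111111112=2512101000?"
    + b"\x00"
)


def scan_sample() -> list:
    """Run the scanner over the constructed sample; expect one Track 1 and one Track 2 hit."""
    return find_track_data(SAMPLE_DUMP)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Any hit at all in the memory of a process that has no business touching card data (or in outbound traffic from a register) is the signal worth alerting on; the masked PAN and expiry give the responder enough to confirm with the card brands without copying the full track data into a ticket.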

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

Source: krebsonsecurity

Phishing is now the No. 1 delivery vehicle for ransomware and other malware. Even with all the phishing prevention solutions available for several years, it’s clear that phishing continues to pose serious risk for today’s businesses that face significant financial loss, exfiltration of data, compromised credentials, loss of productivity and damaged reputations. Consider the following facts:

  • 85 percent of organizations have suffered phishing attacks in the last 12 months. (Wombat Security’s 2016 State of the Phish report) The number and sophistication level of phishing attacks organizations experience has gone up. Two-thirds of the organizations in the study reported attacks that were targeted and personalized, up 22 percent from the year prior.
  • 30 percent of phishing emails get opened. (Verizon’s DBIR 2016) It’s a delivery tactic that works—zero day attacks are proven to defeat prevention systems—so there is no need for attackers to develop anything more sophisticated to scam money or information from their victims.
  • No. 1 delivery vehicle for malware is email attachments. (Verizon’s DBIR 2016) Despite email filtering and user education, well-disguised content influences the user to click and download.
  • $1.6 million is the average cost of a spear phishing attack. (Cloudmark) Companies hit by a successful spear phishing attack in the past 12 months suffered an average financial cost of $1.6 million.

The evidence is clear: phishing and other email-related attacks either exploit technical vulnerabilities or leverage social engineering to take advantage of human weakness.

With the risks for an inevitable breach so high, it’s clear that companies need to take more active measures in preparing for the inevitable moment when a phishing, spear-phishing or whaling attack is successful. User awareness education, signature-based technologies and email filtering are not enough, especially where zero-day attacks are concerned. To prepare for that moment, the enterprise must direct its efforts at rapid detection and blocking of successful attempts, fast enough to minimize and/or avoid any significant high-value data access or loss.

While many technologies exist today that tackle elements of threat detection, including machine learning, user behavior and entity analytics, threat modeling, etc., the most effective solutions are those that combine the best of these capabilities to deliver rapid, real-time detection and response. Consider techniques and solutions that correlate machine learning, feature, device and user behavior analytics to derive insight, detect legitimate threats and create prioritized alerts that allow enterprise systems to direct or take prescribed action immediately, shutting down invasive threats before humans even realize they are there. Automated solutions effective at stopping these threats within minutes exist today. By providing visibility and fully automating the immediate analysis, detection and elimination of threats, these solutions can finally give the enterprise a leg up in defending against any successful phishing attack.

When evaluating solutions to complement your existing cybersecurity posture around phishing, consider the following questions:

  • Can it detect abnormal use of credentials from that of normal usage? Can it detect abnormal activity from both north-south through the firewall, and east-west activity within the organization to verify credentials have been lost? Can it monitor credential usage and detect abnormal usage behavior from that of normal usage?
  • Does it avoid false positives by leveraging a combination of data collection and analysis, machine learning, predictive and behavioral analytics and then correlate findings to surface legitimate threats?

False positives can lead to needlessly generating too many incidents that need looking into, and unnecessary remediation. The ideal solution should correlate and verify threat behavior from various sources in real-time so that an accurate depiction of the threat can be detailed and enough information can be correlated together to corroborate the threat is real.

  • Can its architecture scale to process billions of inputs and generate correlated outputs of all related threat behavior in seconds so that it can detect such threats accurately in minutes after compromise?

Knowing the volume and complexity of phishing threats are on the rise, consider systems that can scale to meet even the largest enterprise need.

  • Can it be set up to be fully automated, including rule sets, analysis, alerts, remediation and reports – so that it works 24x7x365 without need for human involvement?

Automation saves time, which is critical to mitigating the damage of such attacks, while also saving on dedicated 24×7 monitoring resources.

  • Most importantly, has it been proven to be effective in stopping the threat and blocking the exfiltration and/or damage of critical data?
  • Can it write rules to a firewall to block command and control communication? Can it isolate devices that have been infected? Can it write policy to directory services to disable compromised users’ credentials? Can all this be done with a single click from the detection application or be fully automated to speed the time to stopping the threat once detected to seconds?
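The evaluation questions above (abnormal credential use, north-south versus east-west activity, and automated response such as disabling an account, isolating a host or blocking a source) describe a pipeline that is easy to sketch in code: learn each user’s normal logon sources, hosts and hours from a known-good history, score each new logon against that profile, and map the score to response actions. The script below is an added example written for this page, not Seceon’s product or code. It assumes a constructed, hypothetical authentication log format (`ts user= src= host= result=`), an organization-defined list of internal address ranges, and a simple policy where three or more anomalies trigger automated containment while fewer only raise an alert.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed log schema for this example (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)

# Ranges this hypothetical organization treats as internal. A logon from anywhere
# else crossed the perimeter (north-south); logons between internal hosts are east-west.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed known-good history used to learn each user's normal behaviour.
BASELINE_LOGS = [
    "2016-12-12T09:02:11 user=alice src=10.1.2.15 host=WS-ALICE result=success",
    "2016-12-12T13:40:05 user=alice src=10.1.2.15 host=SRV-FILE-01 result=success",
    "2016-12-13T08:55:48 user=alice src=10.1.2.15 host=WS-ALICE result=success",
    "2016-12-13T17:10:30 user=alice src=10.1.2.15 host=SRV-FILE-01 result=success",
    "2016-12-12T08:15:00 user=bob src=10.1.3.40 host=WS-BOB result=success",
    "2016-12-13T08:20:42 user=bob src=10.1.3.40 host=SRV-FILE-01 result=success",
    "2016-12-13T12:01:09 user=bob src=10.1.3.40 host=SRV-FILE-01 result=failure",
]

# Constructed events to score: one normal logon, one that looks like a phished
# credential used from outside against a new server at night, one mild oddity.
NEW_LOGS = [
    "2016-12-29T09:00:17 user=alice src=10.1.2.15 host=WS-ALICE result=success",
    "2016-12-29T02:13:52 user=alice src=203.0.113.77 host=SRV-FIN-02 result=success",
    "2016-12-29T19:05:33 user=bob src=10.1.3.40 host=SRV-FILE-01 result=success",
]


def parse_event(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def build_baseline(lines):
    """Per-user profile of sources, target hosts and logon hours from successful logons."""
    baseline = defaultdict(lambda: {"srcs": set(), "hosts": set(), "hours": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "success":
            continue
        profile = baseline[ev["user"]]
        profile["srcs"].add(ev["src"])
        profile["hosts"].add(ev["host"])
        profile["hours"].add(ev["ts"].hour)
    return dict(baseline)


def explain_anomalies(ev, baseline):
    """List every way this logon departs from the user's profile (empty list = normal)."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if ev["src"] not in profile["srcs"]:
        reasons.append("new source address")
    if not is_internal(ev["src"]) and all(is_internal(s) for s in profile["srcs"]):
        reasons.append("north-south: external source for a user only ever seen internally")
    if ev["host"] not in profile["hosts"]:
        reasons.append("east-west: first logon to this host")
    if ev["ts"].hour not in profile["hours"]:
        reasons.append("outside usual hours")
    return reasons


def plan_response(ev, reasons, auto_threshold=3):
    """Policy: correlate several independent anomalies before acting automatically."""
    if len(reasons) < auto_threshold:
        return []                      # alert only; a single oddity is not enough to contain
    return [("disable_account", ev["user"]), ("isolate_host", ev["host"]), ("block_source", ev["src"])]


def detect(lines, baseline):
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "success":
            continue
        reasons = explain_anomalies(ev, baseline)
        if reasons:
            alerts.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                           "reasons": reasons, "actions": plan_response(ev, reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

The `plan_response` threshold is where the false-positive question from the list above lives: bob’s after-hours logon from his usual workstation produces an alert for a human, while alice’s night-time logon from an external address to a server she has never used trips all three containment actions at once. The action tuples are deliberately data rather than API calls, so the same decision can be fed to whatever firewall, endpoint isolation and directory tooling an organization actually runs.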

Threat actors will assuredly continue to employ phishing techniques to tempt users with appealing documents and links, but next-generation threat detection and elimination technologies arm today’s organizations with greater capability than ever to catch and eliminate phishing threats before they do damage.

About the author: Gary Southwell is co-founder and chief strategy officer for Seceon, a cyber security startup offering the first fully automated threat detection and remediation system to detect, analyze and eliminate all cyber-threats in minutes.

Copyright 2010 Respective Author at Infosec Island
Source: infosecisland

With expensive and damaging cybercrime on the rise, companies and organizations across the globe are constantly trying to improve their security stance. As a result, many security vendors have taken advantage of this vulnerability with a FUD approach. The FUD strategy, standing for fear, uncertainty and doubt, is a scare tactic that plays on a prospect’s fears to win a sale. The sales pitch often includes lines like “there are bad things in your network or application” or “this product is your only hope.” The security industry is ripe for FUD tactics as the costs of cybercrime are skyrocketing. The costs are rising because companies are hiring more and more security engineers, but the “scale out” approach isn’t efficient: you can never hire more manual resources than the automated attacks that the hackers are launching.

If companies give into the FUD, they’ll continue to buy more and more point solutions in search of the “right one.” This is essentially the same approach as trying to lose weight by purchasing quick fixes, instead of putting together a targeted plan on how to move the needle. Here are four best practices on how to avoid FUD and build security with confidence, assurance and resiliency. 

Demand Transparency

Too few cybersecurity vendors practice transparency. They don’t give users a look beneath the hood of their technology and often overpromise on capabilities. Cybersecurity isn’t some sort of black magic, yet security vendors have been treating it that way, framing their product as the sole solution to all the fear, uncertainty and doubt. By not providing this transparency, everyone loses out with a lack of education and improvement. Transparency enables organizations to have full visibility into their software development life cycle – meaning which tools are integrated into what part of the pipeline, whether any vulnerabilities were found and what they are, and recommendations on how to rapidly remediate them. With full transparency and visibility of the whole situation, organizations can protect themselves with confidence, assurance and resiliency rather than falling into FUD.

Incorporate Security In At Every Stage

The software development life cycle needs to have security tests built in at every stage, from code commit to application delivery. Putting implicit checks into place increases overall confidence that your code and application are much more resilient to application security attacks. This also increases assurance, as everyone knows exactly what tests were performed and what the results were in real-time. Instead of taking the insurance approach, where you simply hope that nothing bad ever happens, take the assurance route by being proactive with your application security testing.

Know Your Strengths and Weaknesses

Most security professionals can’t confidently answer the following question: how secure are we really?

If you don’t have the answer to this seemingly simple yet fundamental question, your security team is working blindly, which puts your company, its reputation and its customers at an unnecessarily increased risk. All organizations should do a full examination of their security processes and vulnerabilities to uncover their security strengths and weaknesses. Without this knowledge, there is no confidence, assurance and resiliency.

Understand that Security Isn’t One-Size-Fits-All

There is no one cybersecurity solution that will be a perfect fit for every company. Each organization has unique security needs, strengths and weaknesses, and a good security plan should take all of those factors into account. Too many companies have fallen into the FUD trap that “tool X” or “package Y” will be the solution to every security need. Cybersecurity isn’t a silver bullet, so organizations need to do their research to figure out what the best security plan for them entails and not fall into the one-size-fits-all security package built on FUD.

Selling products on the basis of FUD is a scam, and security vendors who are guilty of inducing FUD need to make it right. The current state of cybercrime has rightfully put the security industry on edge, but we are not helpless, and cybersecurity tools shouldn’t be seen as an enigmatic quick fix. Leave FUD behind and build security with confidence, assurance and resiliency by demanding transparency, incorporating security at every stage, knowing your strengths and weaknesses, and understanding that security isn’t one-size-fits-all. We have access to the best cybersecurity technology, but each organization needs to build a personalized security plan built on confidence and assurance to ensure their resiliency.

Source: infosecisland