2014 Review^2 – squared

I.e., the 2014 review of the reviews:

Start with a good one, Securosis: https://securosis.com/blog/summary-thats-a-wrap

“First, the news. This was the year of Target and Sony. Symantec finally breaking up. All sorts of wacky M&A. The year family members checked in for the first time in decades, after reading my quotes in articles with “celebrity nudes” in the headlines. Apple getting into payments. My guidance counselor totally left that out when we discussed infosec as a career option.

and

As I have often said, life doesn’t demarcate itself cleanly into 365 day cycles. There is no “year of X” because time is a continuum, and events have tendrils which extend long before and after any arbitrary block of time. That said, we will sure as hell remember 2014 as a year of breaches. Just like 2007/2008, for those who remember those ancient days. It was also a most excellent year for general security nonsense.”

Good paragraphs. Rich Mogull then discusses his family, etc.; there are also many good links to articles on the year's events.

DarkReading discusses vulnerabilities: http://www.darkreading.com/vulnerabilities---threats/2014-the-year-of-privilege-vulnerabilities/a/d-id/1318187

A nice nugget of a paragraph:

“Most IT security professionals are quick to agree that allowing users to run with Administrator-level privileges is an extremely bad idea, especially as you flatten any security barriers the underlying operating system might offer. The most common example is in Microsoft Windows environments where each employee’s Active Directory accounts are added to the local computer’s Administrators group. Even though this is understood to be an unhealthy security practice, it continues to persist — not only in small, underfunded companies, but also in large, established enterprises.”

Here is the Microsoft security bulletin review section from the Dark Reading post:

  • Of the 85 bulletins, more than half (45) could have played a role in mitigating the potential impact from malware leveraging these vulnerabilities in a least privilege computing environment.
  • Of the 30 security bulletins that were given Microsoft’s highest severity rating of critical, 80% (24) involved vulnerabilities where least privilege would have played a role in mitigating the potential impact against systems.
  • Last but not least are the 39 weaknesses enabling remote code execution (RCE), considered to be Microsoft’s most important classification. RCE bulletins typically cover vulnerabilities that provide an attacker an initial foothold in an organization. Of the 39 RCE vulnerabilities announced in 2014, 34 (87%) could be mitigated in a least privilege environment.
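The quoted paragraph describes the practice of dropping every employee's Active Directory account into the local Administrators group. A defender's first step is to find out which machines actually do that. The following is an added example, not code from the Dark Reading article: it parses the text that the Windows command `net localgroup Administrators` prints and reports any member that is not on a least-privilege allow-list. The sample output, the domain name CORP, the account names and the allow-list are all constructed for the example.

```python
"""Audit the local Administrators group against a least-privilege allow-list.

Added example: parses `net localgroup Administrators` output (real Windows
command, constructed sample below) and flags members that should not be there.
"""
import subprocess

# Constructed sample of what `net localgroup Administrators` prints. The domain
# CORP and every account name here are made up for this example.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
CORP\\helpdesk-ops
CORP\\WKS-ADMINS
The command completed successfully.
"""

# Members allowed under the (assumed) least-privilege policy: the built-in
# Administrator account plus the domain groups that are supposed to manage the box.
ALLOWED = {"Administrator", "CORP\\Domain Admins", "CORP\\WKS-ADMINS"}


def parse_members(output):
    """Return the member names listed below the dashed line of `net localgroup` output."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        raise ValueError("no member table found in output")
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            continue
        members.append(line)
    return members


def is_domain_account(member):
    """Domain principals are printed as DOMAIN\\name; local ones have no backslash."""
    return "\\" in member


def unexpected_admins(members, allowed=ALLOWED):
    """Members not on the allow-list (case-insensitive, as Windows names are)."""
    allowed_lc = {a.lower() for a in allowed}
    return [m for m in members if m.lower() not in allowed_lc]


def audit_live_host():
    """Run the real command on a Windows host and return the offending members."""
    out = subprocess.run(["net", "localgroup", "Administrators"],
                         capture_output=True, text=True, check=True).stdout
    return unexpected_admins(parse_members(out))


if __name__ == "__main__":
    for member in unexpected_admins(parse_members(SAMPLE_OUTPUT)):
        kind = "domain" if is_domain_account(member) else "local"
        print(f"unexpected {kind} member of Administrators: {member}")
```

Run against the constructed sample, the two individual user accounts (`CORP\jsmith` and `CORP\helpdesk-ops`) are reported while the built-in account and the two management groups pass. On a fleet, the same check would be driven from an inventory of `net localgroup` captures or an equivalent export rather than run by hand.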

The Kaspersky Security Bulletin 2014:

http://securelist.com/analysis/kaspersky-security-bulletin/68117/kaspersky-security-bulletin-2014-a-look-into-the-apt-crystal-ball/

“For many years, cyber-criminal gangs focused exclusively on stealing money from end users. An explosion of credit card theft, hijacking of electronic payment accounts or online banking connections led to consumer losses worth hundreds of millions of dollars. Maybe this market is no longer so lucrative, or maybe the cybercriminal market is simply overcrowded, but it now seems like there is a struggle being waged for ‘survival’. And, as usual, that struggle is leading to evolution.”

This is a good section for some 2015 previews:

What to expect: This will result in a more widespread attack base, meaning more companies will be hit, as smaller groups diversify their attacks. At the same time, it means that bigger companies that were previously compromised by two or three major APT groups (e.g. Comments Crew and Wekby) will see more varied attacks from a wider range of sources.

(image: FBI “Wanted by the FBI” poster)

The FBI is looking for the Chinese fellows above (FBI.gov link).

“A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage, and other offenses directed at six American victims in the U.S. nuclear power, metals, and solar products industries.”

Essentially: more malware from more nation-state actors trying to attain their cyber goals.

“In general, APT groups are careful to avoid making too much noise with their operations. This is why the malware used in APT attacks is much less widespread than common crimeware such as Zeus, SpyEye and Cryptolocker.”

Martin McKeay ran down his important blog posts (I like this one):

“Heartbleed and Shellshock: The New Norm in Vulnerabilities – I’ve been talking to a lot of my co-workers lately and we all expect there to be more vulnerabilities of this level in the near future. On the other hand, I’ve gotten feedback from people basically stating this isn’t anything new, it’s just that the latest vulnerabilities have better PR and logos. You have to love logos.”

LightCyber says (http://lightcyber.com/why-no-one-can-protect-their-network/):

“Verizon 2014 Breach Investigations Report shows that 88% of Web App attacks are discovered by external parties, and fully 99% of POS (point of sale, retail) attacks are discovered by outsiders. Not only are we failing to prevent attacks, we often don’t even know when we are attacked! That is why Mandiant’s 2014 Threat Report recently revealed that the average attacker was on a target’s network for 229 days before discovery.”

The solution is to

  • perform behavioral-based network level profiling to detect any suspicious activity on the network
  • integrate visibility into host activity and suspicious executables as well as cloud security expert systems
  • flag suspicious traffic with very low false positives

And it can happen with the correct tools and a sufficiently staffed team of network security professionals.
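The first and third bullets above (behavioural network profiling, flagged with very low false positives) are easier to reason about with a concrete baseline-and-score loop. The following is an added example and not LightCyber's product code: it learns each host's normal outbound behaviour from seven days of flow records, scores an eighth day against that baseline, and alerts only when at least two independent indicators fire, which is what keeps a single benign change (one new destination, a modest volume bump) from paging anyone. The hosts, destinations, byte counts and thresholds are constructed; the external addresses come from the RFC 5737 documentation ranges.

```python
"""Behavioural network profiling over flow records (constructed example).

Learn per-host normal outbound behaviour over a baseline window, score a new
day, and alert only on multiple corroborating indicators.
"""
import statistics
from collections import defaultdict

# Constructed baseline traffic: host -> [(destination, bytes sent per day)].
BASELINE_TRAFFIC = {
    "ws-01": [("mail.corp.example", 2_000_000), ("files.corp.example", 5_000_000)],
    "ws-02": [("mail.corp.example", 2_000_000), ("files.corp.example", 5_000_000)],
    "ws-03": [("mail.corp.example", 2_000_000), ("crm.corp.example", 3_000_000)],
}


def build_flows():
    """Return constructed (day, src, dst, bytes) records: 7 baseline days plus day 8."""
    flows = []
    for day in range(1, 9):
        for host, dsts in BASELINE_TRAFFIC.items():
            for dst, nbytes in dsts:
                flows.append((day, host, dst, nbytes + day * 1000))  # mild daily jitter
    # Day 8 extras: ws-03 touches one new internal host (benign); ws-02 pushes a large
    # transfer to a new external address and contacts two more unknown hosts.
    flows.append((8, "ws-03", "updates.corp.example", 300_000))
    flows.append((8, "ws-02", "203.0.113.9", 40_000_000))
    flows.append((8, "ws-02", "198.51.100.7", 1_500))
    flows.append((8, "ws-02", "198.51.100.8", 1_500))
    return flows


def daily_profile(flows, days):
    """Per (host, day): total outbound bytes and the set of destinations contacted."""
    bytes_out = defaultdict(int)
    dsts = defaultdict(set)
    for day, src, dst, nbytes in flows:
        if day in days:
            bytes_out[(src, day)] += nbytes
            dsts[(src, day)].add(dst)
    return bytes_out, dsts


def learn_baseline(flows, days):
    """Median daily bytes and the union of known destinations for every host."""
    bytes_out, dsts = daily_profile(flows, days)
    baseline = {}
    for host in {src for src, _ in bytes_out}:
        daily = [bytes_out[(host, d)] for d in days if (host, d) in bytes_out]
        known = set().union(*(dsts[(host, d)] for d in days if (host, d) in dsts))
        baseline[host] = {"median_bytes": statistics.median(daily), "known_dsts": known}
    return baseline


def score_day(flows, day, baseline, volume_factor=3, new_dst_min=2, big_transfer=10_000_000):
    """Return {host: [indicators]} for hosts where at least two indicators fire."""
    bytes_out, dsts = daily_profile(flows, {day})
    alerts = {}
    for host, prof in baseline.items():
        total = bytes_out.get((host, day), 0)
        new = dsts.get((host, day), set()) - prof["known_dsts"]
        indicators = []
        if total > volume_factor * prof["median_bytes"]:
            indicators.append("volume spike")
        if len(new) >= new_dst_min:
            indicators.append("multiple new destinations")
        if any(nbytes >= big_transfer for d, src, dst, nbytes in flows
               if d == day and src == host and dst in new):
            indicators.append("large transfer to new destination")
        if len(indicators) >= 2:  # corroboration requirement keeps false positives low
            alerts[host] = indicators
    return alerts


if __name__ == "__main__":
    flows = build_flows()
    base = learn_baseline(flows, set(range(1, 8)))
    print(score_day(flows, 8, base))
```

With the constructed data only ws-02 is reported, with all three indicators; ws-03's single new destination and small extra volume stay below the corroboration bar. The thresholds are deliberately simple ratios and counts so that an analyst can explain every alert; a real deployment would tune them per host role and feed the host-side visibility the second bullet asks for into the same scoring.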

Yes, you can contact us to move your company into the camp of “doing the right thing”.