Tag Archives: reports

On Secure Voting Systems

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/03/on-secure-voting-systems.html

Andrew Appel shepherded a public comment—signed by twenty election cybersecurity experts, including myself—on best practices for ballot marking devices and vote tabulation. It was written for the Pennsylvania legislature, but it’s general in nature.

From the executive summary:

We believe that no system is perfect, with each having trade-offs. Hand-marked and hand-counted ballots remove the uncertainty introduced by use of electronic machinery and the ability of bad actors to exploit electronic vulnerabilities to remotely alter the results. However, some portion of voters mistakenly mark paper ballots in a manner that will not be counted in the way the voter intended, or which even voids the ballot. Hand-counts delay timely reporting of results, and introduce the possibility for human error, bias, or misinterpretation.

Technology introduces the means of efficient tabulation, but also introduces a manifold increase in complexity and sophistication of the process. This places the understanding of the process beyond the average person’s understanding, which can foster distrust. It also opens the door to human or machine error, as well as exploitation by sophisticated and malicious actors.

Rather than assert that each component of the process can be made perfectly secure on its own, we believe the goal of each component of the elections process is to validate every other component.

Consequently, we believe that the hallmarks of a reliable and optimal election process are hand-marked paper ballots, which are optically scanned, separately and securely stored, and rigorously audited after the election but before certification. We recommend state legislators adopt policies consistent with these guiding principles, which are further developed below.

Facebook’s Extensive Surveillance Network

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/02/facebooks-extensive-surveillance-network.html

Consumer Reports is reporting that Facebook has built a massive surveillance network:

Using a panel of 709 volunteers who shared archives of their Facebook data, Consumer Reports found that a total of 186,892 companies sent data about them to the social network. On average, each participant in the study had their data sent to Facebook by 2,230 companies. That number varied significantly, with some panelists’ data listing over 7,000 companies providing their data. The Markup helped Consumer Reports recruit participants for the study. Participants downloaded an archive of the previous three years of their data from their Facebook settings, then provided it to Consumer Reports.

This isn’t data about your use of Facebook. This data about your interactions with other companies, all of which is correlated and analyzed by Facebook. It constantly amazes me that we willingly allow these monopoly companies that kind of surveillance power.

Here’s the Consumer Reports study. It includes policy recommendations:

Many consumers will rightly be concerned about the extent to which their activity is tracked by Facebook and other companies, and may want to take action to counteract consistent surveillance. Based on our analysis of the sample data, consumers need interventions that will:

  • Reduce the overall amount of tracking.
  • Improve the ability for consumers to take advantage of their right to opt out under state privacy laws.
  • Empower social media platform users and researchers to review who and what exactly is being advertised on Facebook.
  • Improve the transparency of Facebook’s existing tools.

And then the report gives specifics.

Breaking Laptop Fingerprint Sensors

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/11/breaking-laptop-fingerprint-sensors.html

They’re not that good:

Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we’ve reviewed in the last few years. It’s likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.


The Japanese Financial Services Attack Landscape

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2023/07/14/the-japanese-financial-services-attack-landscape/

The Japanese Financial Services Attack Landscape

Recently, we released a major report analyzing the threat landscape of Japan, the globe’s third largest economy. In that report we looked at the ways in which threat actors infiltrate Japanese companies (spoiler alert: it is often through foreign subsidiaries and affiliates) and some of the most pervasive threats those companies face such as ransomware and state-sponsored threat actors.

We also took a look at some of the hardest hit industries and it should come as no surprise that some of the most commonly attacked companies are in industries where Japan currently excels on a global scale. Think manufacturing and automotive, technology & media, and financial services.

In these blog posts we’re going to briefly discuss the findings for one of those industries, but rest assured, more information can be found in our one-page rundowns and the report itself.

Financial services companies are prime targets for attackers around the world but Japan’s robust and global financial industry makes it particularly attractive for cyber criminals and a major risk for millions of people. Attacks on financial services companies often come from two directions, seeking the personally identifiable information, or PII, of customers, and that of employees themselves.

When it comes to customer data, phishing was the most common way attackers sought to access it with 31% of all attacks coming in this form since 2021. Of note, English was the most frequently used language in these phishing attacks. The use of English rather than Japanese, a language that relatively few foreigners speak, highlights the degree to which language barriers impact the targeting of Japan.

Cryptocurrency exchanges were also major targets as cyber attackers, specifically those that are state-sponsored (more on that in the report) seek out crypto due to its ability to operate outside of traditional financial institutions.
For more detail on the threat landscape of the financial services industry in Japan check out our report, or the handy one-page brief specifically looking at this industry.

The Japanese Automotive Industry Attack Landscape

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2023/07/06/the-japanese-automotive-industry-attack-landscape/

The Japanese Automotive Industry Attack Landscape

Recently, we released a major report analyzing the threat landscape of Japan, the globe’s third largest economy. In that report we looked at the ways in which threat actors infiltrate Japanese companies (spoiler alert: it is often through foreign subsidiaries and affiliates) and some of the most pervasive threats those companies face such as ransomware and state-sponsored threat actors.

We also took a look at some of the hardest hit industries and it should come as no surprise that some of the most commonly attacked companies are in industries where Japan currently excels on a global scale. Think manufacturing and automotive, technology & media, and financial services.

In these blog posts we’re going to briefly discuss the findings for one of those industries, but rest assured, more information can be found in our one-page rundowns and the report itself.

The Japanese automotive industry is massive in scale. Japanese car brands are ubiquitous the world over making them a major target for cyber criminals. The global nature of their business means many foreign entities affiliated with Japanese companies can be sources of infiltration by attackers. Product security is a major concern and car maker IP is valuable. Often these attacks come in the form of ransomware and they often impact the supply chain of automakers as foreign subsidiaries and partners are ripe targets. Vulnerabilities in product features such as keyless entry and diagnostic tools also make for lucrative bounties for ransomware groups.

But those are not the only data sets that attackers seek. Auto companies may have a great deal of personally identifiable information about their customers. This information can include customer addresses, names, email, and even VIN numbers. They can lead to increased identity theft by threat actors and even fraudulent financial actions.

Customers aren’t the only victims of identity theft as PII of employees at automotive industry companies is also prevalent. Business email attacks are common as these employees are high-valued targets. Phishing attacks can lead to fraudulent financial transactions framed as legitimate business practices.

For more detail on the threat landscape of the automotive industry in Japan check out our report, or the handy one-page brief specifically looking at this industry.

Chinese Hacking of US Critical Infrastructure

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/05/chinese-hacking-of-us-critical-infrastructure.html

Everyone is writing about an interagency and international report on Chinese hacking of US critical infrastructure.

Lots of interesting details about how the group, called Volt Typhoon, accesses target networks and evades detection.

Security Risks of AI

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/04/security-risks-of-ai.html

Stanford and Georgetown have a new report on the security risks of AI—particularly adversarial machine learning—based on a workshop they held on the topic.

Jim Dempsey, one of the workshop organizers, wrote a blog post on the report:

As a first step, our report recommends the inclusion of AI security concerns within the cybersecurity programs of developers and users. The understanding of how to secure AI systems, we concluded, lags far behind their widespread adoption. Many AI products are deployed without institutions fully understanding the security risks they pose. Organizations building or deploying AI models should incorporate AI concerns into their cybersecurity functions using a risk management framework that addresses security throughout the AI system life cycle. It will be necessary to grapple with the ways in which AI vulnerabilities are different from traditional cybersecurity bugs, but the starting point is to assume that AI security is a subset of cybersecurity and to begin applying vulnerability management practices to AI-based features. (Andy Grotto and I have vigorously argued against siloing AI security in its own governance and policy vertical.)

Our report also recommends more collaboration between cybersecurity practitioners, machine learning engineers, and adversarial machine learning researchers. Assessing AI vulnerabilities requires technical expertise that is distinct from the skill set of cybersecurity practitioners, and organizations should be cautioned against repurposing existing security teams without additional training and resources. We also note that AI security researchers and practitioners should consult with those addressing AI bias. AI fairness researchers have extensively studied how poor data, design choices, and risk decisions can produce biased outcomes. Since AI vulnerabilities may be more analogous to algorithmic bias than they are to traditional software vulnerabilities, it is important to cultivate greater engagement between the two communities.

Another major recommendation calls for establishing some form of information sharing among AI developers and users. Right now, even if vulnerabilities are identified or malicious attacks are observed, this information is rarely transmitted to others, whether peer organizations, other companies in the supply chain, end users, or government or civil society observers. Bureaucratic, policy, and cultural barriers currently inhibit such sharing. This means that a compromise will likely remain mostly unnoticed until long after attackers have successfully exploited vulnerabilities. To avoid this outcome, we recommend that organizations developing AI models monitor for potential attacks on AI systems, create—formally or informally—a trusted forum for incident information sharing on a protected basis, and improve transparency.

Nick Weaver on Regulating Cryptocurrency

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/03/nick-weaver-on-regulating-cryptocurrency.html

Nicholas Weaver wrote an excellent paper on the problems of cryptocurrencies and the need to regulate the space—with all existing regulations. His conclusion:

Regulators, especially regulators in the United States, often fear accusations of stifling innovation. As such, the cryptocurrency space has grown over the past decade with very little regulatory oversight.

But fortunately for regulators, there is no actual innovation to stifle. Cryptocurrencies cannot revolutionize payments or finance, as the basic nature of all cryptocurrencies render them fundamentally unsuitable to revolutionize our financial system—which, by the way, already has decades of successful experience with digital payments and electronic money. The supposedly “decentralized” and “trustless” cryptocurrency systems, both technically and socially, fail to provide meaningful benefits to society—and indeed, necessarily also fail in their foundational claims of decentralization and trustlessness.

When regulating cryptocurrencies, the best starting point is history. Regulating various tokens is best done through the existing securities law framework, an area where the US has a near century of well-established law. It starts with regulating the issuance of new cryptocurrency tokens and related securities. This should substantially reduce the number of fraudulent offerings.

Similarly, active regulation of the cryptocurrency exchanges should offer substantial benefits, including eliminating significant consumer risk, blocking key money-laundering channels, and overall producing a far more regulated and far less manipulated market.

Finally, the stablecoins need basic regulation as money transmitters. Unless action is taken they risk becoming substantial conduits for money laundering, but requiring them to treat all users as customers should prevent this risk from developing further.

Read the whole thing.

Cyberwar Lessons from the War in Ukraine

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/02/cyberwar-lessons-from-the-war-in-ukraine.html

The Aspen Institute has published a good analysis of the successes, failures, and absences of cyberattacks as part of the current war in Ukraine: “The Cyber Defense Assistance Imperative ­ Lessons from Ukraine.”

Its conclusion:

Cyber defense assistance in Ukraine is working. The Ukrainian government and Ukrainian critical infrastructure organizations have better defended themselves and achieved higher levels of resiliency due to the efforts of CDAC and many others. But this is not the end of the road—the ability to provide cyber defense assistance will be important in the future. As a result, it is timely to assess how to provide organized, effective cyber defense assistance to safeguard the post-war order from potential aggressors.

The conflict in Ukraine is resetting the table across the globe for geopolitics and international security. The US and its allies have an imperative to strengthen the capabilities necessary to deter and respond to aggression that is ever more present in cyberspace. Lessons learned from the ad hoc conduct of cyber defense assistance in Ukraine can be institutionalized and scaled to provide new approaches and tools for preventing and managing cyber conflicts going forward.

I am often asked why where weren’t more successful cyberattacks by Russia against Ukraine. I generally give four reasons: (1) Cyberattacks are more effective in the “grey zone” between peace and war, and there are better alternatives once the shooting and bombing starts. (2) Setting these attacks up takes time, and Putin was secretive about his plans. (3) Putin was concerned about attacks spilling outside the war zone, and affecting other countries. (4) Ukrainian defenses were good, aided by other countries and companies. This paper gives a fifth reasons: they were technically successful, but keeping them out of the news made them operationally unsuccessful.

NSA on Supply Chain Security

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/11/nsa-on-supply-chain-security.html

The NSA (together with CISA) has published a long report on supply-chain security: “Securing the Software Supply Chain: Recommended Practices Guide for Suppliers.“:

Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.

Software suppliers will find guidance from NSA and our partners on preparing organizations by defining software security checks, protecting software, producing well-secured software, and responding to vulnerabilities on a continuous basis. Until all stakeholders seek to mitigate concerns specific to their area of responsibility, the software supply chain cycle will be vulnerable and at risk for potential compromise.

They previously published “Securing the Software Supply Chain: Recommended Practices Guide for Developers.” And they plan on publishing one focused on customers.

New Report on IoT Security

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/09/new-report-on-iot-security.html

The Atlantic Council has published a report on securing the Internet of Things: “Security in the Billions: Toward a Multinational Strategy to Better Secure the IoT Ecosystem.” The report examines the regulatory approaches taken by four countries—the US, the UK, Australia, and Singapore—to secure home, medical, and networking/telecommunications devices. The report recommends that regulators should 1) enforce minimum security standards for manufacturers of IoT devices, 2) incentivize higher levels of security through public contracting, and 3) try to align IoT standards internationally (for example, international guidance on handling connected devices that stop receiving security updates).

This report looks to existing security initiatives as much as possible—both to leverage existing work and to avoid counterproductively suggesting an entirely new approach to IoT security—while recommending changes and introducing more cohesion and coordination to regulatory approaches to IoT cybersecurity. It walks through the current state of risk in the ecosystem, analyzes challenges with the current policy model, and describes a synthesized IoT security framework. The report then lays out nine recommendations for government and industry actors to enhance IoT security, broken into three recommendation sets: setting a baseline of minimally acceptable security (or “Tier 1”), incentivizing above the baseline (or “Tier 2” and above), and pursuing international alignment on standards and implementation across the entire IoT product lifecycle (from design to sunsetting). It also includes implementation guidance for the United States, Australia, UK, and Singapore, providing a clearer roadmap for countries to operationalize the recommendations in their specific jurisdictions—and push towards a stronger, more cohesive multinational approach to securing the IoT worldwide.

Note: One of the authors of this report was a student of mine at Harvard Kennedy School, and did this work with the Atlantic Council under my supervision.

Prioritizing XDR in 2023: Stronger Detection and Response With Less Complexity

Post Syndicated from KJ McCann original https://blog.rapid7.com/2022/09/21/prioritizing-xdr-in-2023-stronger-detection-and-response-with-less-complexity/

Prioritizing XDR in 2023: Stronger Detection and Response With Less Complexity

As we get closer to closing out 2022, the talk in the market continues to swirl around extended detection and response (XDR) solutions. What are they? What are the benefits? Should my team adopt XDR, and if yes, how do we evaluate vendors to determine the best approach?

While there continue to be many different definitions of XDR in the market, the common themes around this technology consistently are:

  • Tightly integrated security products delivering common threat prevention, detection, and incident response capabilities
  • Out-of-the-box operational efficiencies that require minimal customization
  • Security orchestration and automation functions to streamline repetitive processes and accelerate response
  • High-quality detection content with limited tuning required
  • Advanced analytics that can correlate alerts from multiple sources into incidents

Simply put, XDR is an evolution of the security ecosystem in order to provide elevated and stronger security for resource-constrained security teams.

XDR for 2023

Why is XDR the preferred cybersecurity solution? With an ever-expanding attack surface and diverse and complex threats, security operations centers (SOCs) need more visibility and stronger threat coverage across their environment – without creating additional pockets of siloed data from point solutions.

A 2022 study of security leaders found that the average security team is now managing 76 different tools – with sprawl driven by a need to keep pace with cloud adoption and remote working requirements. Because of the exponential growth of tools, security teams are spending more than half their time manually producing reports, pulling in data from multiple siloed tools. An XDR solution offers significant operational efficiency benefits by centralizing all that data to form a cohesive picture of your environment.

Is XDR the right move for your organization?

When planning your security for the next year, consider what outcomes you want to achieve in 2023.

Security product and vendor consolidation

To combat increasing complexity, security and risk leaders are looking for effective ways to consolidate their security stack – without compromising the ability to detect threats across a growing attack surface. In fact, 75% of security professionals are pursuing a vendor consolidation strategy today, up from just 29% two years ago. An XDR approach can be an effective path for minimizing the number of tools your SOC needs to manage while still bringing together critical telemetry to power detection and response. For this reason, many teams are prioritizing XDR in 2023 to spearhead their consolidation movement. It’s predicted that by year-end 2027, XDR will be used by up to 40% of end-user organizations to reduce the number of security vendors they have in place.

As you explore prioritizing XDR in 2023, it’s important to remember that all XDR is not created equal. A hybrid XDR approach may enable you to select top products across categories but will still require significant deployment, configuration, and ongoing management to bring these products together (not to mention multiple vendor relationships and expenses to tackle). A native XDR approach delivers a more inclusive suite of capabilities from a single vendor. For resource-constrained teams, a native approach may be superior to hybrid as there is likely to be less work on behalf of the customer. A native XDR does much of the consolidation work for you, while a hybrid XDR helps you consolidate.

Improved security operations efficiency and productivity

“Efficiency” is a big promise of XDR, but this can look different for many teams. How do you measure efficiency today? What areas are currently inefficient and could be made faster or easier? Understanding this baseline and where your team is losing time today will help you know what to prioritize when you pursue an XDR strategy in 2023.

A strong XDR replaces existing tools and processes with alternative, more efficient working methods. Example processes to evaluate as you explore XDR:

  • Data ingestion: As your organization grows, you want to be sure your XDR can grow with it. Cloud-native XDR platforms will be especially strong in this category, as they will have the elastic foundation necessary to keep pace with your environment. Consider also how you’ll add new event sources over time. This can be a critical area to improve efficiency.
  • Dashboards and reporting: Is your team equipped to create and manage custom queries, reports, and dashboards? Creating and distributing reports can be extremely time-consuming – especially for newer analysts. If your team doesn’t have the time for constant dashboard creation, consider XDR approaches that offer prebuilt content and more intuitive experiences that will satisfy these use cases.
  • Detections: With a constant evolution of threat actors and behaviors, it’s important to evaluate if your team has the time to bring together the necessary threat intelligence and detection rule creation to stay ahead of emergent threats. Effective XDR can greatly reduce or potentially eliminate the need for your team to manually create and manage detection rules by offering built-in detection libraries. It’s important to understand the breadth and fidelity of the detections library offered by your vendor and ensure that this content addresses the needs of your organization.
  • Automation: Finding the right balance for your SOC between technology and human expertise will allow analysts to apply their skills and training in critical areas without having to maintain repetitive and mundane tasks additionally. Because different XDR solutions offer different instances of automation, prioritize workflows that will provide the most benefit to your team. Some example use cases would be connecting processes across your IT and security teams, automating incident response to common threats, or reducing any manual or repetitive tasks.

Accelerated investigations and response

While XDR solutions claim to host a variety of features that can accelerate your investigation and response process, it’s important to understand how your team currently functions. Start by identifying your mean time to respond (MTTR) at present, then what your goal MTTR is for the future. Once you lay that out, look back at how analysts currently investigate and respond to attacks and note any skill or knowledge gaps, so you can understand what capabilities will best assist your team. XDR aims to paint a fuller picture of attacker behavior, so security teams can better analyze and respond to it.

Some examples of questions that can build out the use cases you require to meet your target ROI for next year.

  • During an investigation, where is your team spending the majority of their time?
  • What established processes are currently in place for threat response?
  • How adaptable is your team when faced with new and unknown threat techniques?
  • Do you have established playbooks for specific threats? Does your team know what to do when these fire?

Again, having a baseline of where your organization is today will help you define more realistic goals and requirements going forward. When evaluating XDR products, dig into how they will shorten the window for attackers to succeed and drive a more effective response for your team. For a resource-constrained team, you may especially want to consider how an XDR approach can:

  • Reduce the amount of noise that your team needs to triage and ensure analysts zero in on top priority threats
  • Shorten the time for effective investigation by providing relevant events, evidence, and intelligence around a specific attack
  • Provide effective playbooks that maximize autonomy for analysts, enabling them to respond to threats confidently without the need to escalate or do excessive investigation
  • Deliver one-click automation that analysts can leverage to accelerate a response after they have accessed the situation

Unlock the potential of XDR with Rapid7

If you and your team prioritize XDR in 2023, we’d love to help. Rapid7’s native XDR approach unlocks advanced threat detection and accelerated response for resource-constrained teams. With 360-degree attack surface coverage, teams have a sophisticated view across both the internal – and external – threat landscape. Rapid7 Threat Intelligence and Detection Engineering curate an always up-to-date library of threat detections – vetted in the field by our MDR SOC experts to ensure high-fidelity, actionable alerts. And with recommended response playbooks and pre-built workflows, your team will always be ready to respond to threats quickly and confidently.

To learn more about the current market for XDR and receive additional perspectives, check out Gartner’s Market Guide for Extended Detection and Response.

Additional reading:


Get the latest stories, expertise, and news about security today.

The 2022 SANS Top New Attacks and Threats Report Is In, and It’s Required Reading

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/09/14/the-2022-sans-top-new-attacks-and-threats-report-is-in-and-its-required-reading/

The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading

The latest Top New Attacks and Threat Report from the cybersecurity experts at SANS is here — and the findings around cyberthreats, attacks, and best practices to defend against them are as critical for security teams as they’ve ever been.

If you’re unfamiliar with the SysAdmin, Audit, Network, and Security Institute, or SANS, they’re among the leading cybersecurity research organizations in the world, and their annual Top New Attacks and Threat Report is required reading for every security professional operating today.

What’s new for 2022

This year’s report is a little different from previous years. Rather than focusing on threat statistics from the year before (i.e., 2021 data for the 2022 report), SANS opted to focus on data from the first quarter of 2022, providing a more recent snapshot of the state of play in the threat landscape. The reason for this is probably something you could have guessed: the pandemic.

Typically, the TNAT report (we love coming up with acronyms!) is built out of a highly anticipated presentation from SANS experts at the annual RSA conference. Since the pandemic delayed the start of the RSA event this year, the folks at SANS thought it better to focus on more up-to-the-minute data for their report.

What they found is interesting — if a little concerning.

Smaller breaches, bigger risks?

In the first quarter of 2022, the average breach size was down one-third from the overall breach size in 2021 (even adjusted for seasonal shifts in breach sizes). What’s more, there are signs of a trend in breach size decline, as 2021’s overall breach size average was 5% lower than that of 2020. SANS believes this is indicative of attackers focusing on smaller targets than in previous years, particularly in the healthcare sector and in state and local government agencies.

A lower average breach size is good news, no doubt, but what it says about the intentions of attackers should have many on edge. Going after smaller — but potentially more vulnerable — organizations means those groups are less likely to have the resources to repel those attackers that larger groups would, and they pose dangers as partner organizations.

The SANS experts suggest shoring up supplier compliance by following two well-established security frameworks: the Supply Chain Risk Management Reporting Framework provided by the American Institute of Certified Public Accountants (AICPA), and the National Institute of Standards and Technology’s (NIST’s) updated SP 800-161 Supply Chain Risk Framework.

The SANS report also provided telling and important data around the ways in which attackers enter your environment (phishing was the root of 51% of all breaches), as well as the success rate of multi-factor authentication — 99% — in combating phishing attacks.

The RSA panel discussion (and the subsequent report we’re sharing) also look into specific trends and best practices from some of SANS’s experts. In years past, they’ve looked at some key takeaways from the SolarWinds breach, ransomware, and machine learning vulnerabilities. This year, they’ve turned their attention to multi-factor authentication, stalkerware, and the evolution of “living off the land” attacks as they pertain to cloud infrastructure. Each of these sections is worth reading in its own right and can provide some thought-provoking resources as your security team continues to grapple with what comes next in the cloud and attacker spaces.

One space where the SANS experts chose to focus has particular importance to those seeking to mitigate ransomware: attacks on backups. Backups have long been considered your best defense against ransomware attacks because they allow your organization to securely resume use of your data should your environment become compromised (and your data be locked down). However, as backup infrastructure moves into the cloud, SANS experts believe unique attacks against these backups will become more common, because backup solutions are often quite complex and are vulnerable to specific types of threats, such as living-off-the-land attacks.

The annual SANS report is a reliable and instrumental resource for security teams which is why we are proud to be a sponsor of it (and offer it to the security community). You can dive into the full report here.

Additional reading:


Get the latest stories, expertise, and news about security today.

New UFEI Rootkit

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/07/new-ufei-rootkit.html

Kaspersky is reporting on a new UFEI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article:

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.

Both links have lots of technical details; the second contains a list of previously discovered UFEI rootkits. Also relevant are the NSA’s capabilities—now a decade old—in this area.

Gimme! Gimme! Gimme! (More Data): What Security Pros Are Saying

Post Syndicated from Dina Durutlic original https://blog.rapid7.com/2022/07/19/gimme-gimme-gimme-more-data-what-security-pros-are-saying/

Gimme! Gimme! Gimme! (More Data): What Security Pros Are Saying

Eight in 10 organizations collect, process, and analyze security operations data from more than 10 sources, ESG identified in a new ebook SOC Modernization and the Role of XDR, sponsored by Rapid7. Security professionals believe that the most important sources are endpoint security data (24%), threat intelligence feeds (21%), security device logs (20%), cloud posture management data (20%), and network flow logs (18%).

While this seems like a lot of data, survey respondents actually want to use more data for security operations in order to keep up with the proliferation of the attack surface. This expansion is driving the need for scalable, high-performance, cloud-based back-end data repositories.

More data, more noise

Organizations are increasingly investing in technology to achieve executive goals and deliver on digital transformation strategies – every company is becoming a software company in order to remain competitive and support the new work normal.

With more technology comes greater potential for vulnerabilities and threats. Security operations center (SOC) analysts are an organization’s first line of defense. In order to effectively stay ahead of potential threats and attacks, security teams rely on vast amounts of data to get an overview of the organization and ensure protection of any vulnerabilities or threats.

However, it’s nearly impossible for organizations to prioritize and mitigate hundreds of risks effectively – and not just due to the skilled resource and knowledge shortage. Security teams need to filter through the noise and identify the right data to act on.

“In security, what we don’t look at, don’t listen to, don’t evaluate, and don’t act upon may actually be more important than what we do,” Joshua Goldfarb recently wrote in Dark Reading.

Focus on what matters with stronger signal-to-noise

Though SOC analysts are adept at collecting vast amounts of security data, they face a multitude of challenges in discerning the most severe, imminent threats and responding to them in an effective, timely manner. These teams are inundated with low-fidelity data and bogged down with repetitive tasks dealing with false positives. In order to reduce the noise, security professionals need a good signal-to-noise ratio. They need high-fidelity intelligence, actionable insight, and contextual data to quickly identify and respond to threats.

With Rapid7, organizations can ensure visibility for their security teams, eliminating blindspots and extinguishing threats earlier and faster. InsightIDR, Rapid7’s cloud-native SIEM and XDR, provides SOC analysts with comprehensive detection and response.

With InsightIDR, security professionals can leverage complete coverage with a native endpoint agent, network sensors, collectors, and APIs. Teams can go beyond unifying data to correlate, attribute, and enrich diverse datasets into a single harmonious picture.

  • Detailed events and investigations Track users and assets as they move around the network, auto-enriching every log line.
  • Correlation across diverse telemetry – Single investigation timeline for each alert, and all the details of an attack in one place.
  • Expert response recommendations – Alerts come with recommended actions from Rapid7’s global MDR SOC and Velociraptor’s digital forensics and incident response playbooks.

Additional reading:


Get the latest stories, expertise, and news about security today.

Security Vulnerabilities in Honda’s Keyless Entry System

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/07/security-vulnerabilities-in-hondas-keyless-entry-system.html

Honda vehicles from 2021 to 2022 are vulnerable to this attack:

On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin2600, who works for cybersecurity firm Star-V Lab, dubbed the attack RollingPWN.


In a phone call, Kevin2600 explained that the attack relies on a weakness that allows someone using a software defined radio—such as HackRF—to capture the code that the car owner uses to open the car, and then replay it so that the hacker can open the car as well. In some cases, he said, the attack can be performed from 30 meters (approximately 98 feet) away.

In the videos, Kevin2600 and his colleagues show how the attack works by unlocking different models of Honda cars with a device connected to a laptop.

The Honda models that Kevin2600 and his colleagues tested the attack on use a so-called rolling code mechanism, which means that­—in theory­—every time the car owner uses the keyfob, it sends a different code to open it. This should make it impossible to capture the code and use it again. But the researchers found that there is a flaw that allows them to roll back the codes and reuse old codes to open the car, Kevin2600 said.

Rapid7 MDR Reduced Breaches by 90% via Greater Efficiency to Detect, Investigate, Respond to, and Remediate Breaches

Post Syndicated from Jake Godgart original https://blog.rapid7.com/2022/07/11/rapid7-mdr-reduced-breaches-by-90-via-greater-efficiency-to-detect-investigate-respond-to-and-remediate-breaches/

Rapid7 MDR Reduced Breaches by 90% via Greater Efficiency to Detect, Investigate, Respond to, and Remediate Breaches

When a security operations center (SOC) is operating at a deficit, they increase the possibility of beach reductions. That is, the likelihood they won’t be able to travel to any beaches – or any vacation destinations whatsoever – anytime in the near future. That can lead to burnout, which can lead to security talent loss, which can lead to the entire business being incredibly vulnerable.

So now let’s talk about breach reduction. As in, the charter of any security team.

No team can investigate every alert, but forging a valuable partnership with a Managed Detection and Response (MDR) provider can provide a turnkey solution and near-immediate headcount extension to your SOC.

A June 2022 Total Economic Impact™ study by Forrester Consulting commissioned by Rapid7 found that Rapid7’s SOC expertise – with XDR technology that generated improved visibility – enabled a composite organization using Rapid7 MDR to reduce the likelihood of a breach by 90% in the first year of partnership

The analysis was conducted using a hypothetical composite organization created for the purposes of the study, with insights gleaned from four real-life MDR customers. This composite reflects a security team profile we see often: a small team of two security analysts tasked with protecting 1,800 employees and 2,100 assets. We at Rapid7 see this as a tall order, but it’s one that (unfortunately) represents the state of security operations today.

The study concluded that partnering with Rapid7 MDR services experts enabled the composite organization to achieve end-to-end coverage and cut down on detection and response times. Let’s break down how Rapid7 MDR helped security teams reduce the likelihood of breaches by 90%.

1. Complete visibility into security environments

OK, so extended detection and response (XDR) isn’t exactly apples-to-apples with X-ray technology, but it’s an apt metaphor. Greater visibility, after all, helps to improve your overall security risk posture, and customers interviewed for the TEI study said their organizations were more secure thanks in part to this improved visibility. Rapid7’s InsightIDR uses its XDR superpowers to unify data from all over and beyond your modern environment, so it’s easier than ever to see and respond to a transgression.

The Rapid7 MDR team’s expertise in cloud-scalable XDR technology enables stronger signal-to-noise capabilities, so you only become aware of alerts that matter and get the peace of mind that comes from knowing we’ve got you covered. After all, being aware of a breach is better than not being aware of one – or having a customer alert you to the existence of a breach, which could lead to a different kind of breach: the relationship.

2. Detect and respond literally all day, every day

According to the Forrester TEI study, interviewed organizations had outdated technology that was used by staff to manually investigate each alert prior to partnering with Rapid7 MDR. These organizations’ security teams lacked expertise, were understaffed, and lacked visibility – the perfect storm to miss security incidents. Interviewees said there would be no way for them to implement a 24×7 detection and response program on their own without using Rapid7 MDR. As an interviewed director of information security for a financial services company said, “If we didn’t acquire Rapid7 MDR, I would have had to do a lot more manual work, and it would have kept me from other tasks.”  

With the modern proliferation of threats, the only thing to do is to have 24x7x365 coverage of your entire network. As referenced above, that can be expensive and near-impossible to maintain, unless you’re gaining leverage with the right MDR partner.

For example, with Rapid7 MDR, customers can opt in to Active Response, which enables our expert SOC analysts to respond to a validated threat on your behalf. The service also removes quite a few headaches, providing the flexibility to configure or cancel responses so that unauthorized quarantines occur less frequently (as they may with automated containment actions).

A customer SOC team will also have their own access to InsightIDR, the underlying technology of Rapid7’s MDR services. With the ability to also run your own investigations, your team will be able to see what we see, and follow along with the process. No black boxes or Wizard of Oz reenactments here.

These days we say that round-the-clock monitoring isn’t just important – it’s a must. A good MDR provider will be able to take on those duties, raising any incidents discovered and validated, day and night. In particular, Rapid7 utilizes a follow-the-sun methodology. This purpose-built monitoring engine leverages incident-response (IR) teams all over the world – Australia, Ireland, the United States, and more – to ensure awake and active detection and response experts are investigating security alerts and only notifying you when there’s an actual incident. From the SOC or remote locations, these IR teams can perform real-time log analysis, threat hunting, and alert validation, for any customer.

Redundancy is key here. Attackers never take a day off, but security professionals working 9 to 5 do. Whether it’s national holidays or vacation season, the majority of attacks occur around these specific times security experts might set their status to “away.”

3. Gain more freedom to focus their energy elsewhere

In the TEI study, Forrester found that Rapid7 MDR was able to provide security teams with greater information and curated alert detections, with the ability to block specific threats. MDR also improved response times to detections by providing teams with a security resource dedicated to security incidents that require any response. This meant internal security teams could focus on other priorities and business objectives without dealing with:

Alert triage and investigations

An interviewed senior cybersecurity analyst at a technology solutions firm said analysts previously spent three to four hours a day on alert management. Now, with MDR, that same process only takes 10 minutes of their time! That means the small team can focus on other elements of their security program knowing there’s another team of experts monitoring their environment around the clock.

Threat response

An interviewed CISO at a healthcare firm reported that their response could take up to two weeks prior to MDR. That’s a long time! With Rapid7 MDR, the security team was able to detect and respond in three days instead. The interviewed senior cybersecurity analyst from the technology solutions firm said response may have taken days prior to Rapid7 MDR, but now the security team can respond in 30 minutes! Greater efficiency (and faster response) meant lower likelihood of future breaches and lower impact of any breaches.

Post-detection reporting

The interviewed cybersecurity analyst from the technology solutions firm said that before Rapid7 MDR, it took an entire day to compile a quarterly executive summary and two monthly reports because it meant parsing through log data and finding the right information. Now with MDR, the report is created for them and their ability to create and deliver this to their team is more efficient. That means they can spend more time protecting the organization, not reporting.

4. $1.6 million in savings over 3 years

When an organization can reduce the likelihood of attacks by 90%, that can result in some serious ROI. How serious? The composite organization profiled in the Forrester study was able to see a breach cost avoidance – or savings – of $1.6 million over three years when partnered with Rapid7 MDR.

The composite organization saw an average of 2.5 incidents per year, with an average cost per security breach $654,846. This average cost included damage to brand equity and customer loyalty. We at Rapid7 are also cognizant of the mental toll those incidents take on the entire business, as well as the loss of forward momentum on any current initiatives – it all comes to a stop when a breach occurs and disrupts. This is why it’s critical to have a team spot threats early and respond to them quickly.

For the more advanced, large-scale breaches, sometimes it requires backup. Luckily, Rapid7 MDR now includes Unlimited IR to ensure major incidents are handled by our Digital Forensics and Incident Response (DFIR) experts. The merger of the MDR and IR Consulting teams accelerates a breach investigation by instantly pulling in senior-level IR experts to an emergency situation and ensuring the response is as efficient as possible.

Rapid7 MDR teams use our open-source DFIR tool, Velociraptor, the same tools and experience you’d receive if you called the breach hotline. These experts leverage multiple types of forensics (file-system, memory, and network), as well as attack intelligence and enhanced endpoint visibility to quickly organize and interpret data. Then? Kick the threat out and slam the door behind them.

Defense in depth

Beyond the need for agile detection and response abilities, preventive solutions are also of critical importance. At a device level, it is of course always prudent to ensure things like multifactor authentication (MFA), antivirus or NGAV (NextGen Antivirus) software, and/or an endpoint protection platform (EPP) – designed to detect suspicious behavior and stop attacks – are part of your preventive behavior.

At a more macro level (i.e., a SOC in the security organization of a Fortune 500 company independent of the Forrester study), the following preventive solutions should always be part of the mix:  

  • Vulnerability Risk Management: It’s easier to detect and respond to the bad guys in the environment when you limit the number of doors they can walk through. Vulnerabilities are always at risk of exploitation. Managing that risk is what InsightVM was made to do. It helps to secure your entire attack surface with visibility and behavioral assessment of your network-wide assets, as well as analyzing business context so it can prioritize the most critical issues.
  • Cloud Security: It takes cloud-native to protect cloud-based. InsightCloudSec provides visibility of all of your cloud assets in one, user-friendly place. Get immediate risk assessment with full context across infrastructure, orchestration, workload, and data tiers.    
  • Application Security: More complex apps means more security required. With the ability to crawl and assess these modern web apps, InsightAppSec returns fewer false positives via features like the Universal Translator and its ability to bring flexibility to the security testing process. Finding threats with Dynamic Application Security Testing (DAST) – using the same exploits that an attacker would – is one of the keys to stopping web application-based attacks.
  • Security Orchestration Automation and Response (SOAR): The composite organization from the Forrester study took advantage of Rapid7 MDR’s utilization of Active Response, Rapid7’s Security Orchestration, Automation, and Response (SOAR) technology, as well as skilled SOC experts to quickly respond to and remediate threats.  

By incorporating preventive and responsive solutions, you’ll work less by working smarter. Which, oftentimes, means letting someone else take on key aspects of your program. You can read the entire Forrester TEI study to get the deep-dive from interviewed customers – along with the numbers and stories they shared – on Rapid7 MDR.

But what the study does not quantify is Rapid7’s commitment to partnering with our customers to improve their security maturity, providing expertise that drives returns for your detection and response program where and when you need it. Considering MDR but don’t know where to start? We put together an MDR Buyer’s Guide that includes priority questions to ask when you’re seeking the right partner.

Additional reading:


Get the latest stories, expertise, and news about security today.

Today’s SOC Strategies Will Soon Be Inadequate

Post Syndicated from Dina Durutlic original https://blog.rapid7.com/2022/07/08/todays-soc-strategies-will-soon-be-inadequate/

Today’s SOC Strategies Will Soon Be Inadequate

New research sponsored by Rapid7 explores the momentum behind security operations center (SOC) modernization and the role extended detection and response (XDR) plays. ESG surveyed over 370 IT and cybersecurity professionals in the US and Canada –  responsible for evaluating, purchasing, and utilizing threat detection and response security products and services – and identified key trends in the space.

The first major finding won’t surprise you: Security operations remain challenging.

Cybersecurity is dynamic

A growing attack surface, the volume and complexity of security alerts, and public cloud proliferation add to the intricacy of security operations today. Attacks increased 31% from 2020 to 2021, according to Accenture’s State of Cybersecurity Resilience 2021 report. The number of attacks per company increased from 206 to 270 year over year. The disruptions will continue, ultimately making many current SOC strategies inadequate if teams don’t evolve from reactive to proactive.

In parallel, many organizations are facing tremendous challenges closer to home due to a lack of skilled resources. At the end of 2021, there was a security workforce gap of 377,000 jobs in the US and 2.7 million globally, according to the (ISC)2 Cybersecurity Workforce Study. Already-lean teams are experiencing increased workloads often resulting in burnout or churn.

Key findings on the state of the SOC

In the new ebook, SOC Modernization and the Role of XDR, you’ll learn more about the increasing difficulty in security operations, as well as the other key findings, which include:

  • Security professionals want more data and better detection rules – Despite the massive amount of security data collected, respondents want more scope and diversity.
  • SecOps process automation investments are proving valuable – Many organizations have realized benefits from security process automation, but challenges persist.
  • XDR momentum continues to build – XDR awareness continues to grow, though most see XDR supplementing or consolidating SOC technologies.
  • MDR is mainstream and expanding – Organizations need help from service providers for security operations; 85% use managed services for a portion or a majority of their security operations.

Download the full report to learn more.

Additional reading:


Get the latest stories, expertise, and news about security today.

Ubiquitous Surveillance by ICE

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/07/ubiquitous-surveillance-by-ice.html

Report by Georgetown’s Center on Privacy and Technology published a comprehensive report on the surprising amount of mass surveillance conducted by Immigration and Customs Enforcement (ICE).

Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency. Since its founding in 2003, ICE has not only been building its own capacity to use surveillance to carry out deportations but has also played a key role in the federal government’s larger push to amass as much information as possible about all of our lives. By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time. In its efforts to arrest and deport, ICE has ­ without any judicial, legislative or public oversight ­ reached into datasets containing personal information about the vast majority of people living in the U.S., whose records can end up in the hands of immigration enforcement simply because they apply for driver’s licenses; drive on the roads; or sign up with their local utilities to get access to heat, water and electricity.

ICE has built its dragnet surveillance system by crossing legal and ethical lines, leveraging the trust that people place in state agencies and essential service providers, and exploiting the vulnerability of people who volunteer their information to reunite with their families. Despite the incredible scope and evident civil rights implications of ICE’s surveillance practices, the agency has managed to shroud those practices in near-total secrecy, evading enforcement of even the handful of laws and policies that could be invoked to impose limitations. Federal and state lawmakers, for the most part, have yet to confront this reality.