
Centralized Access Control to Diverse Applications


Changes in the way people work have increased the pressure on organizations to provide access to their information assets anytime, anywhere. Employees increasingly use non-desktop devices for work. Information assets now reside in the cloud, often outside of IT control, and each of them requires its own access management, which does not scale well. In addition, users are bringing their own applications to the workplace, often on their own devices, creating even greater problems. Through a hypervisor-managed cloud it is now possible to simplify cross-platform access to applications by centralizing management. Access to any SaaS, Web or Windows application can be delivered through an Application Catalog that gives end users on-demand connectivity on the device of their choice.

Cross-platform management centralizes policy-driven security controls and integrates with the enterprise directory environment, which in turn governs access to virtualized applications.
From one central platform, IT can manage all SaaS, Web and Windows applications and view their usage. End users gain easy, on-demand access via their preferred devices.

A central Application Manager provides a cloud-identity platform for managing secure access to every SaaS application, regardless of the technology on which it was deployed. The identity and access management (IAM) technology unifies silos into a single identity, leveraging enterprise directories and enabling organizations to define access through enterprise policies. This increases the security, control and accountability for access to all information assets. Managers gain control over user-access policies and can integrate them into their existing workflow systems. Users gain on-demand access to all applications through an easy-to-use application catalog: a single Web-based workspace reached through a single secure login.

SUMMARY
A unified cross-platform capability is a giant step toward simplifying secure access to a wide range of applications. This is particularly useful when applied to mobile applications, where access privileges can be distributed to individuals from a central console. Such an arrangement makes the deployment of a diversity of mobile devices feasible while maintaining control over access privileges. Because a single login now unlocks every application in the catalog, that login becomes the highest-value target and must be protected accordingly, for example with multi-factor authentication and prompt revocation when a device is lost.

Cyber Criminal Charges for Malware


SOURCE: http://www.darkreading.com/attacks-breaches/glut-in-stolen-identities-forces-price-c/240164089

Underground Prices for Stolen Credentials and Hacker Services

Hacker Credentials and Services | Details | Price
Visa and MasterCard (US) | | $4
American Express (US) | | $7
Discover Card (US) | | $8
Visa and MasterCard (UK, Australia and Canada) | | $7-$8
American Express (UK, Australia and Canada) | | $12
Discover Card (Australia and Canada) | | $12
Visa and MasterCard (EU and Asia) | | $15
Discover and American Express Card (EU and Asia) | | $18
Credit Card with Track 1 and 2 Data (US) | | $12
Credit Card with Track 1 and 2 Data (UK, Australia and Canada) | | $19-$20
Credit Card with Track 1 and 2 Data (EU, Asia) | | $28
Fullz (US) | A dossier of credentials for an individual, which also includes Personally Identifiable Information (PII) | $25
Fullz (UK, Australia, Canada, EU, Asia) | | $30-$40
VBV (US) | Verified by Visa confirms an online shopper's identity in real time by requiring an additional password or other data, so that no one but the cardholder can use the Visa card online | $10
VBV (UK, Australia, Canada, EU, Asia) | | $17-$25
DOB (US) | Date of birth | $11
DOB (UK, Australia, Canada, EU, Asia) | | $15-$25
Bank account with $70,000-$150,000 | | Price depends on banking institution
Infected computers, 1,000 | | $20
Infected computers, 5,000 | | $90
Infected computers, 10,000 | | $160
Infected computers, 15,000 | | $250
Remote Access Trojan (RAT) | | $50-$250
Add-on services to RATs | | $20-$50
Sweet Orange Exploit Kit leasing fees | | $450 a week / $1,800 a month
Hacking a website and stealing its data | Price depends on the reputation of the hacker | $100-$300
DDoS attack, per hour | Distributed Denial of Service (DDoS) | $3-$5
DDoS attack, per day | | $90-$100
DDoS attack, per week | | $400-$600
Doxing | A hacker is hired to get all the information they can about a target victim, via social engineering and/or infecting them with an information-stealing trojan | $25-$100

Disabling an Application Layer Distributed Denial of Service Attack

Description

It is relatively easy to launch a distributed denial-of-service (DDoS) attack. Attackers deploy systems they have already compromised so that the targeted network is flooded with junk traffic. The goal is to prevent legitimate visitors from loading the site or using the service under attack.

A large number of misconfigured systems are located at legitimate companies. Most of the infected servers from which the flood traffic originates are Windows-based servers running Microsoft's IIS Web server. Some of the more interesting Internet addresses seen launching attacks come from address space owned by Adobe, Cisco, Costco, Expedia, Experian, Honeywell, IBM, KPMG, Lockheed Martin, Opera Software, Sony, Symantec Corp., and the U.S. Federal Home Loan Bank of Dallas.

DDoS traffic can originate from anywhere in the world, though in a recent case the systems used in the attack came from three countries: Taiwan, India and Vietnam. These were "Layer 7" assaults, which mimic legitimate Web browsing activity in a bid to avoid detection. This form of attack targets the application layer of the Open Systems Interconnection (OSI) model, which partitions network functions into standardized layers. The attack disables specific functions or an application rather than an entire network. Because it is simple to mount, an application-layer DDoS is often used against financial institutions to distract IT and security personnel from a concurrent breach.

Executive Guidance

Source addresses that generate application-level DDoS traffic should be blocked from reaching client and server update services as well as transaction transfers. The addresses of the offending sources should be obtained through continuous monitoring of the offending traffic, and the blocking should be executed at a speed warranted by the severity and risk levels of the incoming messages.

The already installed firewall or "sand-box" should allow for cataloguing "white-lists" of certified sources of communications. Specified offending domains, such as sources from defined countries, should be filtered out altogether. Note the trade-off: since Layer 7 floods are launched from compromised servers at legitimate companies, a country- or domain-wide block also discards legitimate traffic, so per-source rate-based blocking, with an allow-list for certified partners, is the more precise first response.
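The monitoring-then-blocking loop described above, as an added example that is not part of the original post: a sliding-window detector that reads Web server access-log lines, flags any source exceeding a request rate (a Layer 7 flood is made of well-formed requests, so per-source rate is the signal), skips an allow-list of certified sources, and renders firewall drop rules for the rest. The log format, thresholds, allow-list entries and the sample traffic are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/IIS-style combined log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical allow-list of certified sources (monitoring probes, partners) that are
# never blocked automatically. Documentation addresses, not real hosts.
ALLOWLIST = {"192.0.2.10"}


def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_flood_sources(log_lines, window_seconds=10, max_requests=20):
    """Flag client IPs that exceed max_requests within any sliding window.

    A Layer 7 flood looks like valid HTTP (200 responses, real user agents), so the
    tell-tale is per-source request rate, not malformed packets. Lines are expected
    in chronological order, as a live tail delivers them.
    Returns {ip: timestamp_first_flagged}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _path = rec
        if ip in ALLOWLIST:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged):
    """Render one iptables DROP rule per flagged source, sorted for stable output."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


def make_sample_log():
    """Constructed sample traffic: one bot hammering /login, one human browsing,
    one allow-listed health-check probe. Not real traffic."""
    base = datetime.strptime("10/Dec/2014:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    events = []
    # Bot: 30 well-formed GETs to /login in 6 seconds.
    for i in range(30):
        events.append((base + timedelta(milliseconds=200 * i), "203.0.113.7", "/login"))
    # Human: 5 requests spread over a minute.
    for i, path in enumerate(["/", "/products", "/products/42", "/cart", "/checkout"]):
        events.append((base + timedelta(seconds=12 * i), "198.51.100.4", path))
    # Allow-listed monitor: 40 health checks in 4 seconds; must not be blocked.
    for i in range(40):
        events.append((base + timedelta(milliseconds=100 * i), "192.0.2.10", "/healthz"))
    events.sort()
    return [fmt.format(ip=ip, ts=ts.strftime("%d/%b/%Y:%H:%M:%S %z"), path=p)
            for ts, ip, p in events]


if __name__ == "__main__":
    hits = find_flood_sources(make_sample_log())
    for ip, when in hits.items():
        print(f"{ip} flagged at {when.isoformat()}")
    print("\n".join(block_rules(hits)))
```

The window and threshold are deliberately parameters: a transaction endpoint can justify a much lower threshold than a static page, which is how the "speed warranted by severity" guidance above is expressed in practice.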


Prevent Sharing of Data with Scammers

Description

"Consumer data brokers" sell personal identity information for a fee. For instance, these operators extract data from applications for cash advances against expected paychecks and then resell this information. Consumers sign forms that authorize the payday advancers, who may be scammers, to pull money out of personal bank accounts for a fee. That is a lucrative business because the scammers earn not only interest on loans that may carry charges of over 40%, but also income from the resale of valuable personal information. In fraudulent cases a data broker takes the payday loan applications of financially strapped consumers and offers them to information marketers, who can then withdraw millions of dollars from consumers' accounts without authorization.

Payday loan websites are known as publishers. They offer to help consumers obtain payday loans by asking them to fill in sensitive financial information so that their loan applications can be evaluated and funds transferred to their bank accounts if the loan is approved. Such applications contain the consumer's name, address, phone number, employer, Social Security number and bank account number, including the bank routing number. Loan applications are then sold to online lenders, who pay between $10 and $150 per lead. Raw personal information is also marketed to third parties who are not online lenders but use the data for other scams, such as unsolicited sales or unauthorized charges for products the consumer never purchased.

Executive Guidance

Illegitimate use of sensitive financial information will harm consumers even if the data passes through second or third parties. Such cases are usually brought before the Federal Trade Commission's Bureau of Consumer Protection. The originators of the data will be held culpable if they have not exercised diligence in verifying the legitimacy of the parties that use the personal information originating in their operations.




U.S. Puts New Focus on Cyber Defenses? (Revised)

Description

The government focused on trying to identify the hackers, an effort that involved the National Security Agency as well as the cyber task forces in the FBI's 56 field offices and the assistant legal attachés embedded in U.S. embassies overseas. U.S. officials also sent targeted notifications to news and entertainment companies. [1]

Businesses, for their part, have long argued for more help from Washington in combating hackers. After J.P. Morgan Chase & Co. this summer suffered one of the worst known hacks on a bank, Chief Executive James Dimon said, “The government knows more than we do.”

At the same time, companies are trying to keep the government at arm’s length on certain parts of cybersecurity. For instance, the U.S. Chamber of Commerce and other lobbying groups have successfully fought off attempts to set minimum cybersecurity standards for industries such as energy, banking and public utilities. Those standards, the companies say, would be too burdensome and, some say, could be used against firms in litigation following a breach.

Business concerns about overregulation, among other factors, have played a role in the collapse of efforts in Congress in recent years to pass legislation that would create incentives for companies to take additional security precautions and share information. Some proposals have paired liability protection for businesses in exchange for meeting tougher security standards. In the time that Congress tried and failed to pass broad legislation, intelligence officials elevated cyberthreats to the top of the list of national security concerns.

Mr. Obama, at a news conference last week, urged Congress to try again next year to pass “strong cybersecurity laws that allow for information-sharing. … Because if we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy.”

The administration says it has taken a variety of steps to coordinate with business. In 2014, it focused on being more open to giving the private sector classified, threat-specific briefings to help them prevent cyberattacks, said John Carlin, assistant attorney general for national security. Mr. Carlin said the government has held more than three dozen such briefings in the past year through an effort that involves a network of specialists who focus on threats posed by foreign nations and terrorist groups. "But in this space, the government is not filtering out the malicious traffic," he said, in part because of Americans' concerns about privacy, civil liberties and Internet data collection by the NSA.

Executive Guidance

Sharing information about the sources and origins of attacks may be partially helpful, but it pales into insignificance beside sharing information about which defenses succeeded in intercepting cyber heists. There are millions of potential attacks per day, from diverse sources. What matters is the capacity of the defenders to block and ultimately eliminate cyber heists. If help from the government is to be useful, it would primarily require sharing information about cases in which defenders successfully deterred attacks, not generalized intelligence about potentially unknown sources of attacks.


[1] http://www.wsj.com/articles/u-s-puts-new-focus-on-fortifying-cyber-defenses-1419553122

Steel Furnace Hacked and Shut Down

Description

A blast furnace at a German steel mill suffered "massive damage" following a cyber attack on the plant's network. Details of the incident emerged in the annual report of the German Federal Office for Information Security (BSI).

Attackers used booby-trapped e-mails to steal logins that gave them access to the mill's control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.

The attackers were highly skilled and used both targeted e-mails and social engineering to infiltrate the plant. They ran a "spear phishing" campaign aimed at particular individuals in the company, tricking them into opening messages that harvested login names and passwords. The phishing yielded the information the attackers used to gain access to the plant's office network and then its production systems.

Once inside the steel mill's network, the attackers' "technical capabilities" were evident: they showed familiarity not only with conventional IT security systems but also with the specialized software used to oversee and administer the plant. BSI did not name the company operating the plant or say when the attack took place, and it said it did not know who was behind the attack or what motivated it.

Executive Guidance

A steel plant's furnace control system should not be connected to the Internet. Every network link should be examined for possible connections. Terminals in the furnace control circuits should never be used for administrative purposes, and certainly not for personal ones.

The root causes of security failures can be traced back to the use of reusable passwords and the ease with which they are compromised, whether via phishing, eavesdropping or keystroke-capturing malware. This is a classic example of the air-gap mythology that endures in industrial control system environments. Most companies have built critical infrastructure without concern for cyber security, when in fact they should be more worried about damage to operations than about simply losing data.

An architecture that physically separates critical control IT from everything else is mandatory.
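The "examine every network link" guidance above, as an added example that is not part of the original post: an audit that classifies the endpoints of observed flows into office, DMZ and control zones and reports every flow that crosses the control boundary without an explicitly engineered allowance, treating any Internet-facing flow as critical. The zone ranges, the single permitted path (a DMZ historian polling PLCs over Modbus/TCP on port 502) and the flow records are all assumptions constructed for this example, not the mill's actual layout.

```python
import ipaddress
from typing import NamedTuple

# Hypothetical zone layout (assumed for this example, not the mill's actual design).
ZONES = {
    "office":  ipaddress.ip_network("10.10.0.0/16"),   # business workstations, mail
    "dmz":     ipaddress.ip_network("10.40.0.0/24"),   # historian / landing zone
    "control": ipaddress.ip_network("10.50.0.0/16"),   # HMIs, engineering stations, PLCs
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The only engineered paths that may touch the control zone: (src_zone, dst_zone, dport).
# Assumed here: the DMZ historian polls PLCs over Modbus/TCP. Everything else is a finding.
ALLOWED_CONTROL_PATHS = {("dmz", "control", 502)}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to a zone name; anything outside RFC1918 space is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918):
        return "unknown-internal"
    return "internet"


def parse_flows(text: str):
    """Parse 'src,dst,dport,proto' records, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def audit_flows(flows):
    """Return (severity, flow, path) for every flow that crosses the control boundary
    without an explicit allowance. Flows touching the Internet are critical; flows
    between control and any other internal zone are high."""
    findings = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if "control" not in (s, d) or s == d:
            continue                      # stays inside one zone; out of scope here
        if (s, d, f.dport) in ALLOWED_CONTROL_PATHS:
            continue                      # engineered, documented exception
        severity = "critical" if "internet" in (s, d) else "high"
        findings.append((severity, f, f"{s}->{d}:{f.dport}/{f.proto}"))
    return findings


# Constructed flow records (e.g. exported from a span port or NetFlow), not real traffic.
SAMPLE_FLOWS = """\
# src,dst,dport,proto
10.40.0.5,10.50.1.10,502,tcp
10.10.3.22,10.50.1.20,3389,tcp
10.50.1.20,203.0.113.80,443,tcp
10.50.1.20,10.10.0.5,25,tcp
10.10.3.22,10.10.0.9,445,tcp
"""

if __name__ == "__main__":
    for severity, flow, path in audit_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"[{severity}] {flow.src} -> {flow.dst} ({path})")
```

Run against the sample, the audit reports the office-to-control RDP session (the path a phished credential would be replayed over), the control host talking to the Internet, and the control host sending mail; the historian's Modbus polling passes because it is the one documented exception.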

Significance of the SONY Hack


Description

The leak to the public of e-mails from SONY's movie studio has stirred huge amounts of attention. Some of it was salacious, which provided days of commentary on the news shows. Much of the discussion centered on the question of the source of the hack. Was it North Korea? The President and the FBI entered the conversation, although they could offer only conjecture and no hard facts. Hundreds of on-line pundits kept weighing in with opinions, all of which could be classified only as educated guesses.

Missing were facts that could illuminate what happened. It was clear that the SONY hack was the result of a distributed bot attack that reached SONY by circuitous routes through several countries. The bot-master was too many Internet connections (i.e. "hops") removed to be traced. In the SONY breach, names, addresses, identifying numbers and the full text of messages were stolen; other than embarrassment, no damage occurred. The entire hack could turn out to be an extremely profitable event and be seen as a clever joke.

Cyber crime researchers cannot dismiss the SONY event as a joke. Its widespread attention has highlighted that cyber attacks happen and that cyber criminality is now a global business. With all the attention of the public as well as government agencies devoted to guessing whether North Koreans were the culprits, the ease with which SONY servers yielded their data was not questioned. In my view that is a mistake, and one that characterizes current cyber deterrence efforts.

The SONY compromise was a low-grade cyber heist for which the attack software is available for a laughably small sum of Bitcoins. The heist can be launched from thousands of readily available Internet service providers. The total SONY attack could have been executed in a matter of minutes, and the traces leading back to its sources would then disappear.

Meanwhile, defense software and operating countermeasures are readily available and affordable. They should be applied, but that would require executive commitments, which in most cases have not been forthcoming. IT, which until now has been allowed to operate as a largely self-contained function, has become a subject that warrants attention at the most senior levels. I do not believe that legacy IT shops, largely without Board of Director intervention, have as yet been able to mature into a framework where security dictates how IT architecture is implemented.

Executive Guidance

My concern is not the geographic origin of the attackers but the capabilities of the local defenders. There has been no accountability for any flaws or bugs in the SONY e-mail servers. The defenses were not adequate.

There is no way to avoid every conceivable cyber attack. However, the full force of what is now available as cyber defenses must be put in place as a deterrent. From now on, network systems must be designed with security as a primary requirement, even at the price of economy and convenience.