Charles Leaver – LastPass Breaches Taught Us 4 Lessons And Why Behavior Analytics Is So Important

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

LastPass Breaches Have 4 Lessons That We Can Learn From

Password management company LastPass suffered data breaches in 2011 and again in 2015. Security professionals recommend password managers, because strong passwords unique to each account cannot be remembered without organized help. Nevertheless, putting all of one's eggs in a single basket, and then having millions of users each place their egg basket into one giant basket, produces an alluring target for attackers of every stripe. Cryptography professionals who have studied the current LastPass breach appear cautiously optimistic that significant damage has been avoided, but there are still crucial lessons we can extract from this event:

1. There Is No Perfect Authentication, There Is No Perfect Security

Any experienced, patient and motivated adversary will eventually breach any useful cyber defense, even if yours is a cyber defense business! Unfortunately, for many businesses today, it does not take much skill or persistence to breach their patchwork defenses and penetrate their sprawling, porous perimeters. Compromise of user credentials, even those of highly privileged domain administrators, is also quite common. Again, unfortunately, many businesses rely on single-factor password authentication, which simply invites rampant credential compromise. But even multi-factor authentication can be breached, as was done with the 2011 compromise of RSA SecurID tokens.

2. Utilize Situational Awareness When Defenses Are Breached

As soon as attackers have breached your defenses, the clock is ticking on your detection, containment, and remediation of the incident. Industry data suggests this clock has a long time to tick, typically many days, before awareness sets in. By that time the adversaries have pwned your digital assets and picked your business carcass clean. Timely situational awareness is vital if this all-too-frequent disaster is to be avoided.

3. Network and Endpoint Contexts Are Fused With Comprehensive Situational Awareness

In the current LastPass incident, detection was achieved by analysis of network traffic from server logs. The attacker dwell time before detection was not disclosed. Network anomalies are not always the fastest way to recognize an attack in progress. A blend of network and endpoint context provides a much better decision basis than either context alone. For instance, being able to merge network flow data with the identity of the originating process sheds far more light on a prospective intrusion. A suspicious network contact by a brand-new, unreputed executable is much more suggestive when the two facts are taken together than when each is evaluated on its own.
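The fusion described above, as an added example that is not code from the original post or from Ziften: network flow records that carry the originating pid are joined to endpoint process records on (host, pid), and each flow is scored twice, once on network context alone and once with the endpoint context added. The telemetry, hash values and reputation store are constructed for the example; the "internal" test treats only RFC 1918 ranges as internal, and the scoring weights and threshold are assumptions chosen to make the point, not a tuned detector.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed endpoint telemetry: one record per process, keyed by (host, pid).
# image_first_seen is the first time any host in the fleet reported this hash.
PROCESS_EVENTS = [
    {"host": "ws-014", "pid": 4120, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "sha256": "hash-firefox-placeholder", "image_first_seen": "2015-01-10T08:00:00"},
    {"host": "ws-014", "pid": 5532, "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost32.exe",
     "sha256": "hash-unknown-placeholder", "image_first_seen": "2015-06-15T09:40:05"},
    {"host": "srv-db-02", "pid": 880, "image": r"C:\Windows\System32\svchost.exe",
     "sha256": "hash-svchost-placeholder", "image_first_seen": "2015-01-10T08:00:00"},
]

# Constructed flow records that carry the originating pid, as a host-based
# flow exporter or EDR sensor would attach it.
FLOW_EVENTS = [
    {"host": "ws-014", "pid": 4120, "dst": "93.184.216.34", "dport": 443, "ts": "2015-06-15T09:03:00"},
    {"host": "ws-014", "pid": 5532, "dst": "198.51.100.23", "dport": 8443, "ts": "2015-06-15T09:41:00"},
    {"host": "srv-db-02", "pid": 880, "dst": "10.0.0.5", "dport": 445, "ts": "2015-06-15T09:10:00"},
]

# Constructed reputation store: hashes already seen widely across the fleet.
KNOWN_GOOD_HASHES = {"hash-firefox-placeholder", "hash-svchost-placeholder"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_PORTS = {53, 80, 443}
USER_WRITABLE_MARKERS = ("\\Temp\\", "\\AppData\\", "\\Downloads\\")
ALERT_THRESHOLD = 3  # assumed: three independent indicators on one flow raise an alert


def is_internal(ip):
    """Treat only RFC 1918 ranges as internal; everything else is an external contact."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def network_reasons(flow):
    """What the network context alone can say about a flow."""
    reasons = []
    if not is_internal(flow["dst"]):
        reasons.append("external-destination")
    if flow["dport"] not in COMMON_PORTS:
        reasons.append("uncommon-port")
    return reasons


def endpoint_reasons(proc, flow_ts, known_good, new_window):
    """What the endpoint context adds once the flow is tied to its originating process."""
    reasons = []
    first_seen = datetime.fromisoformat(proc["image_first_seen"])
    if flow_ts - first_seen <= new_window:
        reasons.append("new-executable")
    if proc["sha256"] not in known_good:
        reasons.append("unreputed-hash")
    if any(marker in proc["image"] for marker in USER_WRITABLE_MARKERS):
        reasons.append("user-writable-path")
    return reasons


def correlate(process_events, flow_events, known_good, new_window=timedelta(hours=24)):
    """Join flows to processes on (host, pid) and score each flow network-only and fused."""
    procs = {(p["host"], p["pid"]): p for p in process_events}
    results = []
    for flow in flow_events:
        proc = procs.get((flow["host"], flow["pid"]))
        if proc is None:
            continue  # no endpoint context for this flow; network-only scoring would apply
        flow_ts = datetime.fromisoformat(flow["ts"])
        net = network_reasons(flow)
        fused = net + endpoint_reasons(proc, flow_ts, known_good, new_window)
        results.append({
            "host": flow["host"], "pid": flow["pid"], "image": proc["image"], "dst": flow["dst"],
            "network_score": len(net), "fused_score": len(fused), "reasons": fused,
            "alert": len(fused) >= ALERT_THRESHOLD,
        })
    return results


def alerts(results):
    return [r for r in results if r["alert"]]


if __name__ == "__main__":
    for r in correlate(PROCESS_EVENTS, FLOW_EVENTS, KNOWN_GOOD_HASHES):
        flag = "ALERT" if r["alert"] else "ok   "
        print(f"{flag} {r['host']} pid={r['pid']} net={r['network_score']} fused={r['fused_score']} {r['reasons']}")
```

On this sample the Firefox and server svchost flows each score 1 on either view, while the Temp-directory executable scores 2 on network context alone (not enough to alert) and 5 once its age, reputation and path are joined in, which is the difference the paragraph describes.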

4. After An Authentication Failure, Utilize User Behavior Analytics

Compromised credentials frequently create chaos across breached enterprises, allowing attackers to pivot laterally through the network and operate largely beneath the security radar. However, this abuse of valid credentials differs significantly from the typical behavior of the legitimate credential holder. Even fairly basic user behavior analytics can spot anomalous discontinuities in learned user habits. Always use user behavior analytics, especially for your more privileged users and administrators.


Hacker Elites Got Breached Because They Had No Vulnerability Monitoring – Charles Leaver

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver

Hacking Team Hurt By Absence Of Real-Time Vulnerability Monitoring

Nowadays cyber attacks and data breaches are in the news all the time, and not just for those in high-value markets such as health care, finance, energy and retail. One especially intriguing incident was the breach of the Italian company Hacking Team. For those who do not recall, Hacking Team (HT) is a company that focuses on security software catering to government and law enforcement agencies that wish to carry out covert operations. The programs developed by HT are not your ordinary remote control software or malware-type recording devices. One of their key products, code-named Galileo and better known as RCS (Remote Control System), claimed to be able to do basically whatever you needed in terms of “managing” your target.

Yet as talented as they were at producing these programs, they were unable to keep others out of their systems, or to discover such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most high-profile breaches of 2015, HT was hacked, and the data taken and subsequently released to the public was huge: 400 GB in size. More significantly, the material included extremely damaging information such as emails, customer lists (and pricing) which included countries blacklisted by the UN, and the crown jewels: source code. There was also in-depth documentation which included a number of extremely effective 0-day exploits against Adobe Flash. Those 0-days were used very soon afterwards in cyber attacks against some Japanese businesses and United States federal government agencies.

The big question is: how could this happen to a company whose sole purpose is to make software that is undetectable, and to find or produce 0-day exploits for others to use? One would think a breach here would be virtually impossible. Clearly that was not the case. Currently there is not much to go on regarding how this breach took place. We do know, however, that someone has claimed responsibility, and the person (or group) is not new to breaking into places like HT. In August 2014, another security company was hacked and sensitive files were released, just as with HT. This included customer lists, pricing, code, and so on. That attack was against Gamma International, whose software was called FinFisher or FinSpy. A user by the name of “PhineasFisher” released 40 GB of data on Reddit and announced that he/she was responsible. A post in July this year on their Twitter account stated that they had also taken down HT. It seems that the message and purpose of these breaches and thefts were to make people aware of how these companies operate and who they sell to: a hacktivist attack. He did publish some details of his techniques, and some of these were most likely used against HT.

A last question remains: how did they break in, and what precautions could HT have taken to prevent the theft? We did learn from the released documents that users within HT had very weak passwords such as “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft may have occurred used the program TrueCrypt. However, when you are logged in and using the system, those hidden volumes are accessible. No information has been published since as to how the network was breached or how the attackers accessed the users' systems in order to download the files. It is apparent, though, that companies need to have a system such as Ziften's Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside normal behavior. Examples include 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When an organization is making and delivering sophisticated security software, and possessing unknown vulnerabilities in commercial deliverables, a much better strategy should have been in place to minimize the damage.
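The two alert examples the paragraph names, worked as an added example that is not code from the original post or from Ziften. The first check learns a per-host daily egress baseline and flags a day whose outbound volume is far outside it, using a median-and-MAD outlier test so that one bad day does not drag the baseline with it; the second joins a software inventory against an advisory feed and ranks vulnerable installs by whether the host is internet-facing. Every host name, egress figure, product name and version here is constructed, and the multiplier, absolute floor and minimum history length are assumed tuning values.

```python
from statistics import median

# Constructed daily egress totals (GB) per host over a two-week baseline window.
EGRESS_HISTORY = {
    "dev-01": [2.1, 1.8, 2.4, 2.0, 1.9, 2.2, 2.3, 2.0, 1.7, 2.1, 2.5, 1.9, 2.0, 2.2],
    "www-01": [40.0, 42.5, 39.0, 41.2, 43.0, 40.5, 38.9, 41.7, 42.1, 40.3, 39.8, 41.0, 42.6, 40.9],
}
# Constructed egress totals (GB) for the day under review.
EGRESS_TODAY = {"dev-01": 400.0, "www-01": 44.0}


def egress_anomalies(history, today, k=6.0, min_gb=10.0, min_days=7):
    """Flag hosts whose egress exceeds median + k * MAD of their own history.
    The absolute floor keeps near-idle hosts from alerting on trivial volumes."""
    findings = {}
    for host, value in today.items():
        past = history.get(host, [])
        if len(past) < min_days:
            continue  # not enough history to learn a baseline for this host
        med = median(past)
        mad = median(abs(x - med) for x in past) or 0.05 * med  # guard a zero MAD
        threshold = max(med + k * mad, min_gb)
        findings[host] = {"today_gb": value, "threshold_gb": round(threshold, 2),
                          "anomalous": value > threshold}
    return findings


# Constructed inventory: which hosts listen on an internet-facing interface and what they run.
INVENTORY = [
    {"host": "www-01", "internet_facing": True, "software": {"acme-webagent": "2.3.7"}},
    {"host": "dev-01", "internet_facing": False, "software": {"acme-webagent": "2.3.7"}},
    {"host": "vpn-01", "internet_facing": True, "software": {"acme-webagent": "2.4.1"}},
]
# Constructed advisory feed: product -> first version that carries the fix.
FIXED_IN = {"acme-webagent": "2.4.1"}


def version_tuple(v):
    """Compare dotted numeric versions component-wise (assumes purely numeric parts)."""
    return tuple(int(p) for p in v.split("."))


def exposed_vulnerable(inventory, fixed_in):
    """List installs older than the fixed version, internet-facing hosts first."""
    hits = []
    for box in inventory:
        for product, version in box["software"].items():
            fix = fixed_in.get(product)
            if fix and version_tuple(version) < version_tuple(fix):
                hits.append({"host": box["host"], "product": product, "version": version,
                             "internet_facing": box["internet_facing"],
                             "priority": "high" if box["internet_facing"] else "medium"})
    return sorted(hits, key=lambda h: (h["priority"] != "high", h["host"]))


if __name__ == "__main__":
    for host, f in egress_anomalies(EGRESS_HISTORY, EGRESS_TODAY).items():
        print(host, "EGRESS ANOMALY" if f["anomalous"] else "ok", f)
    for h in exposed_vulnerable(INVENTORY, FIXED_IN):
        print(h["priority"], h["host"], h["product"], h["version"])
```

With these figures dev-01's 400 GB day is flagged against a threshold of 10 GB (its own baseline is about 2 GB a day), www-01's 44 GB stays within its learned range, and the only high-priority vulnerable install is the one on an internet-facing host.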


Charles Leaver – Could Endpoint Visibility Have Prevented The Anthem Healthcare Data Leak?

Written By Justin Tefertiller And Presented By Charles Leaver Ziften CEO

Continuous Endpoint Visibility Would Have Improved Healthcare Data Leak Prevention

Anthem Inc discovered a large-scale cyber attack on January 29, 2015 against its IT and data systems. The healthcare data leak was thought to have taken place over a period of several weeks starting around early December 2014 and targeted personal data on Anthem's database infrastructure as well as endpoint systems. The stolen details included dates of birth, full names, healthcare identification numbers and social security numbers of customers and Anthem employees. The precise number of people affected by the breach is unknown, but it is estimated that nearly 80 million records were stolen. Healthcare data tends to be one of the most profitable income sources for hackers selling records on the dark market.

Forbes and others report that hackers used a process-based backdoor on clients connected to Anthem databases, in addition to compromised admin accounts and passwords, to slowly take the data. The actions taken by the hackers posing and operating as administrators are what ultimately brought the breach to the attention of security and IT groups at Anthem.

This kind of attack shows the need for continuous endpoint visibility, as endpoint systems are a constant infection vector and an avenue to sensitive data stored on any network they may connect to. Simple things like never-before-observed processes, new user accounts, unusual network connections, and unapproved administrative activity are common calling cards of the beginning of a breach and can be easily identified and alerted on with the right monitoring tool. When alerted to these conditions in real time, incident responders can pounce on the intrusion, find patient zero, and ideally reduce the damage rather than allowing attackers to wander around the network undetected for weeks.


Charles Leaver – The PF Chang Data Breach Lasted 8 Months And Affected 30 Locations

Written By Charles Leaver Ziften CEO

The PF Chang's restaurant chain recently released new information about the security breach of its credit card systems across the nation. The restaurant chain revealed that the breach affected more than 30 locations in 17 states and went on for eight months before being detected.

While the investigation is still continuing, PF Chang's reported in a statement that the breach has been contained and customer financial data has been processed securely by the restaurant since June 11. The compromised systems used by the chain were decommissioned until it was clear that their security could be guaranteed, and in the meantime credit cards were processed manually.

Rick Federico, CEO, said in a statement: “The potentially taken credit and debit card data includes the card number and sometimes likewise the cardholder's name and/or the card's date of expiry. However, we have actually not figured out that any specific cardholder's credit or debit card data was stolen by the intruder.”

PF Chang's was alerted to the breach, which it described as an “extremely advanced criminal operation,” in June when it was contacted by the Secret Service about cyber security concerns. Once alerted, the restaurant hired third-party forensic investigators to discover how the breach had been able to happen, at which point they found that malicious actors had been able to exploit the chain's credit card processing systems and potentially gain access to customer credit card information.

Organizations concerned about similar data breaches affecting point-of-sale terminals need to implement endpoint threat detection to keep critical systems protected. Endpoint security involves monitoring sensitive access points, such as POS systems, bar code readers and employee mobile phones, and mitigating threats as they appear. Continuous endpoint visibility is essential to identify threats before they compromise networks and to ensure business security.