Tag Archives: Dell SecureWorks

3 Things on Cyber All Firms Must Know

Managed security services providers, or MSSPs, continue to rise in presence and impact—by giving companies a cost-effective alternative to having to dedicate in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.

At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.

At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

Nigerian Scammers Have a New Target

Nigerian 419 scams have been around seemingly forever, seducing one victim at a time.

But now some veteran 419 con men have shifted their focus to targeting small- and medium-size businesses for systematic thievery that pivots off how SMBs have come to rely on email as a payment tool.

Classic 419 advance-fee scams trick one individual at a time into putting up seed capital to help a persecuted Nigerian prince, or some other wealthy person caught in a bind, transfer a large sum into the U.S. The carrot—a promised share of the transferred funds—never materializes, of course.

But the new form of attack eliminates the need to orchestrate an elaborate ruse just to dupe an individual victim. Instead, the predators lurk in the shadows of the internet, weasel their way onto business email systems and then wait patiently for opportune moments to intercept funds on the move between two companies.

The emergence of these attacks demonstrates just how susceptible SMBs participating in the global supply chain are to hackers of modest technical skill.

Intelligence about this new technique comes from Joe Stewart and James Bettke, researchers at Dell SecureWorks’ Counter Threat Unit, who conducted intensive surveillance on one Nigerian ring, in particular, that has scored big.

Waiting for money to flow

SecureWorks researchers have observed this gang orchestrate several payment diversions per week, typically stealing $30,000 to $60,000 per caper, including one theft earlier this year of $400,000 that a U.S. chemical company attempted to wire to a supplier in India.

“They’ll work on several deals at a time,” Stewart says. “They have plenty of other companies they’ve compromised, so they’ll just go from mailbox to mailbox to see what new deals are coming in and start preparing for the high-end payments.”

Stewart says certain members of this ring began years ago carrying out classic Nigerian 419 scams. They’ve progressed to SMB wire fraud by teaching themselves how to apply tried-and-true hacking techniques to payment practices routinely used as part of the global B2B supply chain.

How the scam works

The gang uses a simple tool to crawl the internet and scrape employee email addresses from corporate websites, Bettke says. Those employees are then bombarded with viral email. The goal is to infect one machine and then use that as a foothold to ultimately secure privileged access to the company’s web email server.

Once control of the email server is in hand, daily monitoring for purchase order communiques begins. Preparation of lookalike email, as well as arrangements to wire funds into bank accounts set up to launder stolen payments, also gets underway.

None of this requires any special hacking expertise; the necessary software and tutorials are widely available online, Bettke says.

At the optimum moment, i.e., when a wire transfer payment request is sent through, the gang intercepts that legit request and replaces it with one sent from a lookalike domain carrying instructions to divert the payment to a bank account they control.

“All of this communication takes place over email,” Bettke adds. “The attacker is essentially doing digital check washing, taking that invoice and just changing the destination bank account details to divert the funds.”
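The defensive counterpart to the scheme just described is to treat any inbound message that (a) comes from a domain that merely resembles a known trading partner's and (b) asks to change where money is sent as a wire-fraud signal that must be verified out of band. The following is an added illustration of such a check, not SecureWorks' tooling and not code from the original article; the partner domain list, the homoglyph folding rules and the sample messages are all constructed for the example.

```python
"""Flag inbound mail that imitates a known trading partner and asks to change
payment details. Added example; the partner list and messages are constructed."""
import re
from email.utils import parseaddr

# Constructed allowlist: domains of suppliers the business actually pays.
KNOWN_PARTNER_DOMAINS = {"acme-chemicals.com", "indiasupply.co.in"}

# Fold characters that are commonly swapped for look-alike ones ("rn" for "m",
# "0" for "o", and so on) so that a visually identical domain compares equal.
DIGIT_FOLD = str.maketrans("0135", "olse")

# Wording typical of a request to redirect a payment: a change word followed
# within a few words by a banking term. Constructed heuristic, not exhaustive.
WIRE_CHANGE_PATTERN = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|iban|swift)\b",
    re.IGNORECASE | re.DOTALL,
)


def normalize_domain(domain: str) -> str:
    """Lower-case and homoglyph-fold a domain so look-alikes collapse together."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")
    d = d.translate(DIGIT_FOLD)
    return d.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character swaps, drops and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of an RFC 5322 From header."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def classify_sender(from_header: str):
    """Return ('exact'|'lookalike'|'unknown', matched partner domain or '')."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unknown", "")
    if domain in KNOWN_PARTNER_DOMAINS:
        return ("exact", domain)
    norm = normalize_domain(domain)
    for partner in KNOWN_PARTNER_DOMAINS:
        pnorm = normalize_domain(partner)
        label = pnorm.split(".")[0]
        # Same after folding, one or two edits away, or the partner's name
        # embedded in a longer domain (e.g. partner-name-inc.example).
        if norm == pnorm or levenshtein(norm, pnorm) <= 2 or (
            len(label) >= 5 and label in norm
        ):
            return ("lookalike", partner)
    return ("unknown", "")


def triage(msg: dict) -> dict:
    """Combine sender classification with payment-change wording into a risk level.

    A payment change from an exact partner domain still rates 'medium', because
    the article describes attackers sending from mailboxes they have compromised.
    """
    verdict, partner = classify_sender(msg["from"])
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    payment_change = bool(WIRE_CHANGE_PATTERN.search(text))
    if verdict == "lookalike" and payment_change:
        risk = "high"
    elif verdict == "lookalike" or (verdict == "exact" and payment_change):
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "sender": verdict, "partner": partner,
            "payment_change": payment_change}


# Constructed sample messages covering the normal, look-alike and
# compromised-mailbox cases.
SAMPLE_MESSAGES = [
    {"from": "Acme Billing <billing@acme-chemicals.com>",
     "subject": "Invoice 4471",
     "body": "Please find attached invoice 4471 for the March shipment."},
    {"from": "Acme Billing <billing@acme-chernicals.com>",   # "rn" mimics "m"
     "subject": "Invoice 4471 - updated bank details",
     "body": "Our bank account has changed; please wire to the new account."},
    {"from": "ap@indiasupply.co.in",
     "subject": "Remittance",
     "body": "We have a new bank account; please update your records."},
    {"from": "newsletter@example.org",
     "subject": "Monthly digest",
     "body": "Industry news for the month."},
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Risk level per message, in input order."""
    return [triage(m)["risk"] for m in messages]


if __name__ == "__main__":
    for m, risk in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{risk:6}  {m['from']}")
```

The point of the two-part score is that neither signal alone is decisive: a look-alike domain sending an ordinary invoice and a genuine partner announcing new account details both deserve a phone call to a known contact, while the combination is the pattern described above and should block the transfer until verified.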

Bracing for more attacks

SecureWorks turned their findings over to international law enforcement, specifically the Economic and Financial Crimes Commission, as well as Nigerian authorities. No arrests have resulted yet. Stewart expects variants of this type of attack to scale up in the months ahead, thanks to the low entry barrier, comparatively low risk of getting caught and high monetary gain.

This means any organization that has come to rely on email communiques to carry out high-dollar wire transfers should be on high alert. A thorough assessment of how your organization uses web email is the first step, and deeper due diligence is definitely in order.

This article originally appeared on ThirdCertainty.

Will 2015 Top 2014 in Security Exposures?

It’s hard to imagine how 2014 could be surpassed as the worst year for massive identity theft and data loss exposures.

The news developments of 2014 were relentless and mind-numbing. Heartbleed and Shellshock rose to the fore as two of the nastiest Internet-wide vulnerabilities ever to come to light. Heartbleed exposes the OpenSSL protocols widely used by website shopping carts. And Shellshock enables a hacker to take control of the module used to type text-based commands on Linux, Unix and Mac servers.

“These are problems in the very fabric of what the Internet is built on,” says David Holmes, security evangelist at F5 Networks.

Meanwhile, Target, Neiman Marcus, Dairy Queen, Home Depot, JP Morgan and Sony Pictures led a parade of organizations disclosing major data breaches. Indeed, the tally of data breaches made public in the U.S. hit a record 783 in 2014, nearly 30% higher than in 2013, according to the Identity Theft Resource Center.

“The ubiquitous nature of data breaches has left some consumers and businesses in a state of fatigue and denial about the serious nature of this issue,” says Eva Velasquez, chief executive officer of the ITRC.

The scary part

Now here’s the scary part: The pace hasn’t slowed in the first few weeks of 2015.

Consider that the financial services sector has spent billions over the past decade on the best defensive technologies and systems money can buy. Yet a low-level Morgan Stanley financial adviser was able to exfiltrate account records, including passwords, for six million of the Wall Street giant’s clients.

Meanwhile, forensic analysts at Dell SecureWorks recently uncovered a novel strain of malware circulating deep inside a corporate network. It’s being referred to as a “skeleton key.” With a skeleton key an intruder can fool the authentication protocols on widely used Microsoft Active Directory systems by typing arbitrary passwords. This enables the attacker to do such things as gain unfettered access to webmail and virtual private networks (VPNs).

“It’s much easier to be an attacker than a defender,” observes Jeff Williams, director of security strategy for Dell SecureWorks’ Counter Threat Unit. “As a defender, you must protect all paths of access, whereas the attacker only needs to find one foothold from which to mount an intrusion.”

If nothing else, the headlines of 2014 should grab the attention of company owners, directors and senior executives. No one wants to make it to the ITRC’s list of U.S. breaches for 2015.

SMBs exposed

But small and medium-sized businesses (SMBs) should pay heed as well, says William Klusovsky, a security specialist at NTT Com Security. SMBs should grasp that they are part of a wider supply chain and that modern day cybercriminals are intensively hunting for all weak links, he says.

Small business owners should “understand your business processes, be aware of your risk profiles and be able to explain that to your partners,” Klusovsky advises. “And then within reason implement the protections you can afford.”

A good place to start, for companies of any size, is to step into an attacker’s shoes, Dell SecureWorks’ Williams says. “Identify paths of entry and put mitigations in place, whether that be two-factor authentication, removing unneeded services, implementing, monitoring or training staff,” Williams says.

Security consultants can be valuable guides, and third-party managed services can do the day-to-day heavy lifting. But the due diligence must come from the business owner.

The business owner should plan to “remain engaged and active in the conversations with that security service provider,” Williams says.

Over time, all business owners need to develop some level of skill about security policies and procedures and look to infuse that knowledge into the company’s infrastructure.

See more at Third Certainty