Archive for December 2015
You know the No. 1 attribute of people claiming security certifications don’t matter? They don’t have any. In my years of experience placing security pros in good jobs, it’s that simple. Having the right certifications matters, and here's why.
1. You will make more money. The 682 IT security professionals responding to the security cut of InformationWeek’s 2013 U.S. IT Salary Survey are unequivocal: Security staffers holding any security certification (CISSP, CISA, CISM) average $101,000 in total compensation vs. $87,000 for those with no certs. For managers, the spread is $130,000 vs. $121,000. Do you really need another reason?
2. Certs show your commitment to the security field. I know you’re serious about cybersecurity as a career, otherwise you wouldn’t be reading this. But how will a hiring manager know? Easy -- by scanning resumes to see which applicants are committed enough that they’re willing to spend free time studying and doing homework, often paying for the privilege out of their own pockets.
Just 44% of security staffers and 49% of managers in the salary survey expected to get certification reimbursement. I know a person who burned a full week of vacation and paid for lodging to obtain his Cloud Security certification. As an employer and a hiring manager, that tells me he wants to become better. He’s the type of security professional that any company would be fortunate to have.
3. Certs make you more attractive to potential employers. Building on the above, obtaining a security certification shows you respect the industry and take pride in your profession. That kind of attitude is contagious. Moreover, it shows you’re smart enough to know what you don’t know and look to improve. It takes gumption to acknowledge that there are areas of one’s professional experience that could use a boost.
Team members see this, and it rubs off. All that adds up to a great employee. That hiring managers get this is a no-brainer. In a side-by-side comparison of otherwise equal candidates, most prefer the one with certs.
First detected in 2013, watering-hole attacks are one of the newest (and arguably most sophisticated) security threats facing organisations.
By exploiting undetected vulnerabilities in websites and software applications, hackers can lie in wait for their target - before springing a malware-loaded trap on their unsuspecting victim, and compromising their secure systems.
What is a Watering-Hole Attack?
Unlike standard phishing attacks, watering-hole attacks are low-volume and highly-targeted, designed to create a backdoor for attackers to breach a target organisation:
- Attackers first identify a vulnerable website that's regularly visited by employees of a target organisation.
- Malware is then used to infect the website.
- The attackers 'lie in wait' for employees of the target organisation to visit.
- Employees become infected with malware, and carry it back to their own secure systems - creating a security backdoor in the process.
By using watering-hole attacks in lieu of phishing, hackers can bypass increasingly sophisticated anti-phishing technology; and by infecting multiple members of the same organisation, secure systems can quickly become compromised.
Watering-Holes and Zero-Day Vulnerabilities
Watering-hole attacks are particularly problematic because they infect legitimate, reputable websites - sites that most users would assume to be perfectly safe.
Worse still, watering-hole attacks often go undetected. Where zero-day vulnerabilities are used, attackers exploit software flaws before the vendor is even aware of the problem, let alone able to issue a fix.
With an estimated 77% of public websites containing some form of exploitable vulnerability, and 16% containing 'critical' vulnerabilities (allowing attackers to compromise a visitor's computer), one in eight of the world's websites is susceptible to a watering-hole attack - making the problem extremely difficult for organisations to avoid.
Real-World Watering-Hole Attacks
In November of last year, Chinese hackers were able to exploit zero-day vulnerabilities in Microsoft's Internet Explorer and Adobe's Flash Player to compromise the Forbes website.
The site was attacked because of the prevalence of senior executives and professionals using the website. As the COO of anti-malware company Invincea, Norm Laudermilch, noted: “This was clearly a targeted attack against a specific group of organizations” - with several high-profile defense and financial sector organizations successfully targeted as a result.
Defending Against Watering-Hole Attacks
Watering-hole attacks are hard to recognise; and with so many of the world's websites vulnerable to these types of attacks, it simply isn't viable to prevent your employees from accessing potentially compromised websites.
Thankfully, watering-hole attacks are still a relatively uncommon phenomenon, and though they're growing in popularity, organisation-wide security awareness training is still a viable tool for minimising the likelihood of a successful attack.
If employees are able to recognise the hallmarks of suspicious software, links and websites, the chances of a successful malware infection can be reduced. Even in the event of a successful attack, the risks of serious data loss can be minimised, by ensuring employees understand the right procedures for reporting potential threats to IT and security teams.
Penetration testing (otherwise known as pen testing, or the more general security testing) is the process of testing your applications for vulnerabilities, and answering a simple question: "What could a hacker do to harm my application, or organisation, out in the real world?".
An effective penetration test will usually involve a skilled hacker, or team of hackers. You purposefully ensure that the hacker(s) don't have access to any source code, and ask them to try to gain access to your systems. Penetration tests can be carried out on IP address ranges, individual applications, or even with as little information as a company name. The level of access you give an attacker depends on what you are trying to test.
To give a few examples of penetration tests you could run:
1. You could give a team of penetration testers a company's office address, and tell them to try and gain access to its systems. The team could employ a huge range of differing techniques to try and break into the organisation, ranging from social engineering (e.g. asking a receptionist if they can take a look in a computer room to run safety checks, and installing USB keyloggers) through to complex application-specific attacks.
2. A penetration tester could be given access to a version of a web application you haven't deployed yet, and told to try and gain access or cause damage by any means possible. The penetration tester will then employ a variety of different attacks against various parts of the application in an attempt to break in.
One thing common to all penetration tests is that they should always have findings. There is no perfect system, and all organisations can take additional steps to improve their security. The purpose of a penetration test is to identify key weaknesses in your systems and applications, to determine how best to allocate resources to improve the security of your application, or of the organisation as a whole.
Why Are Penetration Tests Important?
1. They can give security personnel real experience in dealing with an intrusion. A penetration test should be done without informing staff, and will allow an organisation to test whether its security policies are truly effective. A penetration test can be imagined much like a fire drill.
2. It can uncover aspects of security policy that are lacking. For example, many security policies give a lot of focus to preventing and detecting an attack on an organisation's systems, but neglect the process of evicting an attacker. You may uncover during a penetration test that, whilst your organisation detected the attacks, security personnel could not remove the attacker from the system efficiently before they caused damage.
3. They provide feedback on the most at-risk routes into your company or application. Penetration testers think outside of the box, and will try to get into your system by any means possible, like a real-world attacker would. This could reveal major vulnerabilities your security or development team never considered. The reports generated by penetration tests give you feedback for prioritising any future security investment.
4. Penetration testing reports can be used to help train developers to make fewer mistakes. If developers can see how an outside attacker broke into an application, or a part of an application, they helped develop, they will be more motivated to improve their security education and avoid making similar errors in the future.
Hours after the start of 20-day Vaikunda Ekadasi festival, unidentified persons hacked the official website of Sri Ranganathaswamy Temple, Srirangam, in the early hours on Saturday.
The hacking came to light when devotees were trying to get information on the website,www.srirangam.org. It displayed messages supporting Kashmiri terrorists and Pakistan.
On information, the temple authorities blocked the page. The website, which was designed and maintained by a private company on behalf of the temple, was restored around 11 a.m. on Sunday.
P. Jayaraman, Joint Commissioner, Hindu Religious and Charitable Endowment, said that "all data and information were safe". The website was successfully restored within a few hours. It would continue to provide information to people as usual.
The temple administration would take all possible steps to protect the website from hacking and experts have been asked to study the issue in detail, he said. Cyber police suspect that some Pakistan-based hackers could have hacked the website, which was temporarily suspended.
A formal communication is expected to be sent through the State CB-CID which is the nodal agency to liaise with the Interpol. Consequent to the hacking, the Srirangam police had registered a case under IPC section 504 (Intentional insult with intent to provoke breach of the peace) read with Sections 43 and 66 of the Information Technology Act on a complaint from the temple’s Joint Commissioner.
The sources said the website’s administrator was based in Madurai. The hacking took place at a time when the Tiruchi City Police had drawn up a detailed security scheme for the temple in connection with the ongoing Vaikunta Ekadasi celebrations.
Exactly a year ago, the website of the Thanjavur Maharaja Serfoji Saraswathi Mahal’s official website was hacked. Although the Thanjavur district police registered the First Information Report, the case was subsequently transferred to the CB-CID, said police sources.
Commissioner of Police, Tiruchi city, Sanjay Mathur said that an Inspector attached to the Cyber Crime wing had been asked to inquire into the complaint.
The temple authorities had been asked to strengthen the security features of the website.
The world’s fastest cracking tool Hashcat is now open source. The company has called it a very important step and listed out the reasons that inspired them to take this step.
If you are into password cracking, you might be aware of the fact that Hashcat is one of the most popular CPU-based password recovery tools available for free. Hashcat is known for its speed and its versatility in cracking multiple types of hashes.
Now, going one step ahead, Hashcat has taken an important step of making Hashcat and oclHashcat open source. Hashcat is a CPU-based password recovery tool and oclHashcat is a GPU-accelerated tool.
In its latest blog post, Hashcat mentions the reasons behind this step. Whenever any software goes open source, the license matters the most. Hashcat chose the MIT license, which allows easy integration and packaging for the common Linux distros, including packages for Kali Linux.
With the move to open source, it will now be easier to integrate external libraries into Hashcat. At the moment, hashcat/oclHashcat doesn’t need any external libraries, but if the need arises, you now have the option.
Mentioning another major improvement, Hashcat writes that before going open source, there was no native support for OS X as Apple doesn’t support “offline” compiling of the kernel code. With open source license, now you can easily compile the kernels using Apple OpenCL Runtime JIT.
According to the company, another inspiration for going open source was the implementation of bitsliced DES GPU kernels.
Hashcat offers multiple types of attack modes. Take a look:
- Brute-Force attack
- Combinator attack
- Dictionary attack
- Fingerprint attack
- Hybrid attack
- Mask attack
- Permutation attack
- Rule-based attack
- Table-Lookup attack
- Toggle-Case attack
- PRINCE attack
Ever heard of Shodan and ‘appreciated’ its capabilities? Here, you are going to read about another similar, but smarter, hacker’s search engine. This search engine is called Censys and is powered by Google’s infrastructure. Read on to learn how it works and what its strengths are.
If you consider the usability and security factors, the humble routers and modems installed in your homes and offices are among the most important devices. However, time and again, the manufacturers have taken the security issue for granted.
According to the latest research by the Austrian company SEC Consult, more than 3 million modems and routers are vulnerable to on-line threats. This was uncovered with the help of a new search engine, Censys, which aims to help security researchers find such screwups.
Notably, world’s biggest search engine Google is providing its infrastructure to power Censys. This search engine is free to use and part of an open source project. “We’re trying to maintain a complete database of everything on the Internet,” says Zakir Durumeric, the University of Michigan researcher who is leading the project.
How does Censys work?
Durumeric, along with other scholars, developed software called ZMap, which is used to collect search data and power the search engine. ZMap scans more than 4 billion IP addresses and collects new data every day. From the data received, Censys can determine the encryption method (read “security flaw”) used by the devices beaming internet all around your home.
On its website, Censys writes: “Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.”
About Google’s competition, Censys says that it’s “extremely grateful to Google, who graciously provides much of the infrastructure that powers Censys.”
The major competitor of Censys is the “hacker’s search engine” Shodan. Shodan employs a similar method, but different and less advanced software. At first impression, these “creepy” search engines might sound scary, but they are here to find the flaws in our devices and make the internet a safer place.
Tuesday, 8 December 2015
Posted by Siva Priya
Even as organisations improve their security, and begin to filter out the huge amounts of spam emails they receive each and every day, the security landscape is changing.
Phishing attacks have evolved, and organisations now have a much bigger problem to contend with: spear phishing.
What is Spear Phishing?
Spear phishing is a type of targeted email scam. Highly personalised emails are sent to the employees of an organisation, from an apparently trusted source. The emails contain some form of malware, or a link to a website harboring malicious code, in order to extract sensitive information and login credentials.
These attacks are often designed for the collection and resale of sensitive information. In some instances, they can even be used to cripple an organisation's IT infrastructure.
Government and professional services industries are at the greatest risk of spear phishing, with large enterprise organisations bearing the brunt of the attacks since 2012. With more employees to target, the chances of success are greater; offering access to huge amounts of sensitive (and valuable) information in the process (Symantec Internet Security Threat Report, 2014).
6 Ways to Reduce the Risks of Spear Phishing Attacks
1) Raise Awareness of Spear Phishing
Spear phishing attacks rely on a handful of relatively simple principles, and by recognising the hallmarks of these types of attacks, it's possible for employees to identify attempts at spear phishing.
Some common characteristics include:
- Unexpected or confusing emails.
- Written URLs that differ from the hyperlinks attached to them (like facebook.com leading to a website called facebbook.com or fbaction.net).
- Poor spelling and grammar.
- Requests for personal information.
- The overuse of particular phrases, like 'Re:', 'order', 'payment', 'purchase order', etc.
- The email simply doesn't look right.
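The URL-mismatch hallmark above (visible text says facebook.com, the underlying link goes to facebbook.com or fbaction.net) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original post: it parses the anchors in an HTML body and reports every link whose visible domain differs from the domain the href actually points to. The sample message and the two-label domain normaliser are my own simplifications (a production filter would use the Public Suffix List).

```python
"""Flag anchors whose visible text names one domain but whose href points elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that looks like a bare domain or a URL, e.g. "facebook.com"
# or "https://www.facebook.com/login"; plain words like "click here" do not match.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registered_domain(host: str) -> str:
    """Simplified normaliser: keep the last two labels (www.facebook.com -> facebook.com)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body: str) -> list:
    """Return (shown_domain, actual_domain) for each anchor whose visible text
    claims a domain different from the one its href really resolves to."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        match = LOOKS_LIKE_URL.match(text)
        if not match:
            continue  # no domain claim in the visible text, nothing to compare
        shown = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((shown, actual))
    return findings


# Constructed sample body, modelled on the facebook.com / fbaction.net example above.
SAMPLE_EMAIL = """<p>Re: purchase order - please confirm your payment details at
<a href="http://fbaction.net/login">https://www.facebook.com/login</a> or
<a href="http://facebbook.com">facebook.com</a>. Genuine link:
<a href="https://www.facebook.com/">www.facebook.com</a>
<a href="http://facebbook.com">click here</a></p>"""

if __name__ == "__main__":
    for shown, actual in find_mismatched_links(SAMPLE_EMAIL):
        print(f"suspicious link: text shows {shown!r} but points to {actual!r}")
```

The last anchor in the sample ("click here") is deliberately not reported: its text makes no domain claim, so a separate reputation or allow-list check would be needed for it.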
2) Create an Inbound Email Sandbox
Email sandboxing is a way of executing email software and attachments in a contained environment, separate from your organisation's IT infrastructure. After execution, the sandbox can be deleted, taking any malicious executables with it.
If employees regularly receive emails with malicious attachments, sandboxing your email client can be a great way of allowing employees to engage with their emails, without putting the wider organisation at risk.
3) Create a BYOD Policy
Importantly, sandboxing will only offer protection to emails opened within the organisation's own email client. By accessing those same malicious emails through a personal email client, connected to the organisation's network, malicious software can still compromise the network.
To reduce the risks of this happening, it's important to understand the impact of Shadow IT, and develop a defined Bring Your Own Device (BYOD) policy: a set of codified standards, rules and best practices for the use of personal devices in the workplace.
4) Improve Social Media Awareness
Much of the information used to personalise spear phishing emails is collected from social media. By encouraging social media awareness, and even rolling out social media security training, you'll help employees to secure their personal data, reducing the efficacy of spear phishing in the process.
5) Use a Password Management Tool
Many spear phishing attacks are used to collect usernames and passwords, to gain access to an organisation's software and data. The problem is worsened by employees using the same insecure passwords across multiple accounts, making it easy for hackers to gain access to dozens of secure systems.
A password management tool will make it easier for employees to manage and use unique, secure passwords; reducing the likelihood that a single compromised password will cause a devastating amount of damage.
6) Address the Human Risk to Security
Spear phishing works because it targets the end-user, and in doing so, creates a way to bypass most conventional security systems.
As a result, the only tried-and-tested way to reduce the impact of spear phishing is to educate your employees. This extends beyond spear phishing; by creating a culture of awareness, employees will feel empowered to identify, raise awareness of, and act upon all forms of potential security threats.