RSA blog: Enabling A Virtual SOC Environment

The role of the security operations center (SOC) is changing in a more distributed world. As businesses continue to support remote operations and staff, they need to start thinking about building out a virtual SOC environment to manage their infrastructure long-term. There are several things to consider in building the right virtual SOC. Some of these choices are not as obvious and will require some effort to plan appropriate actions. In my latest post for RSA’s blog, I discuss some of these issues.

Avast blog: An elections security progress report

Twelve Tuesdays from today, the US national elections will take place, and infosec professionals are doing their best to adapt to changing circumstances brought on by both the pandemic and the tense cyber-politics surrounding them. More states are expanding mail-in voting and planning the necessary infrastructure to distribute and process  paper ballots. State elections officials are also deploying better security measures, banding together to form the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Membership in the  information sharing and analysis center has grown considerably since the 2018 election.

In this blog post for Avast, I review what is going on with election security since we last covered the topic during the March primaries. There have been numerous events in the past week that have brought new context to the intersection of technology and our elections. And I also mention several presentations given at Black Hat and DEFCON that bring us up to date on what is happening with election security.

Network Solutions blog: Mastering Email Security with DMARC, SPF and DKIM

We all know that phishing and email spam are the biggest opportunity for hackers to enter our networks.  If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking, data leakages or privilege escalation exploits. Over the years a number of security protocols have been invented to try to reduce these opportunities. This is especially needed today, as more of us are working from home and need all the email protection we can muster. In my latest post for Network Solutions blog, I discuss the trio of email protective technologies that can be deployed to make your email more secure.

Avast blog: What to do about the BootHole vulnerability

Late last month, security researchers discovered a major vulnerability in the software that controls how PCs boot their operating systems. This is one of those issues that sounds scarier than it is. Fixing it will be a major process, especially for Linux system administrators and corporate IT organizations with a mixture of different PC vintages and manufacturers. The problem has been named BootHole, and it could affect up to a billion computers.

If you are running Linux, do your homework before rebooting or upgrading so you don’t make things worse. If you are running Windows, you’re better off waiting for Microsoft to issue a fix.  In the meantime, use basic security hygiene to avoid unwanted access to your machine.

You can read more about this issue in my post on Avast’s blog here.


Avast blog: How to use multi-factor authentication for safer apps

Multi-factor authentication (MFA) means using something else besides your password to gain access to your account. There are many ways to do this – some, such as texting a one-time PIN to your phone are less secure than others, such as using a $25 Google Titan security key (shown here) or the free Authy/Twilio smartphone app. The idea is that if your password is compromised (such as a reused one that has been already leaked in another breach), your account is still secure because you have this additional secret to gain access. Is MFA slightly inconvenient and does it require some additional effort to log in? Typically, yes.

After the Twitter hacks of last month, I took some time to review my own security settings, and found them lacking. This just shows you that security is a journey, and you have to spend the time to make it better.

I go into more details about how to best use MFA to make your social media accounts better protected, and you can read my blog post for Avast here for the step-by-step instructions.

Avast blog: Why Emotet remains an active threat

One of the longest-running and more lethal malware strains has once again returned on the scene. Called Emotet, it started out life as a simple banking Trojan when it was created back in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MUMMY SPIDER. What made Emotet interesting was its well-crafted obfuscation methods. Proofpoint posted this timeline:

Over the years, it has had some very clever lures, such as sending spam emails containing either a URL or an attachment, and purport to be sending a document in reply to existing email threads.

You can read more on Avast’s blog here.

Network Solutions blog: Tools and tips for best practices for WFH network printing

Now that more of us are working from home (WFH), one of the key technologies that can cause problems is surprisingly our networked printers. Hackers target these devices frequently, which is why many IT departments have taken steps to prevent home laptops from connecting to them. In my latest blog post for Network Solutions, I suggest several strategies to help you understand the potential threats and be able to print from home securely, including what IT managers can do to manage them better and what users can do to avoid common security issues.

How cybercrime has become boring work

To those of us who have seen one of the classic cybercrime movies, hackers are usually social misfits with an ax to grind and come with plenty of attitude. A new academic research paper takes issue with this profile, and indeed its title is somewhat intriguing: Crime is boring.  Let’s take a closer look.

The paper begins by describing how cybercrime has shifted to more cloud-based specialized and subscription services, mirroring the general direction that has happened in the legit IT world. Several years ago, cybercriminals sold their malware — now you can find just about anything for free on open-source marketplaces — again, mirroring this general trend in the legit world.

But as the tech has evolved, so has the units of work done by the typical cybercriminal. These jobs are very similar to maintaining the back-office infrastructures of an insurance company or any global business. The majority of people involved in cybercrime are doing the grunt work, such as evaluating different online services, running various scams and acting as resellers. In the past, cybercriminals could be found on dial-up BBS’ or IRC channels. Now they populate Discord, Telegram and other online chat groups.

As a result, the researchers from University of Cambridge (UK) Cybercrime Center have found that “there has been a change in the kind of work involved in the typical cybercrime economy.” Far from the exciting dramas depicted in the hacker movies, much of the work has become fairly routine and even dull, “the underground equivalent of a typical office job.” Or at least the office jobs that we once had at the beginning of the year.

The research involves interviewing admins who operate a variety of several cybercrime services, such as booters and stressers (which form the underpinnings of denial of service attacks). One person was quoted as saying “Creating a stresser is easy. Provider the power to run it in the tricky part.” They describe three malware situations in more detail: the botnet herders, the evolution of the authors of the Zeus banking trojan, and underground marketplaces hosted on the dark web. The booter services have something in common with legit web services: they need a solid customer-facing portal to track users, collect payments and manage the actual attacks. Some of these booters operate more than a dozen different websites that need to be maintained and to be configured and tested for continual operations. This often means a substantial investment in customer support, such as running a problem ticketing and tracking service or realtime text chat. Sound familiar?

The research pulls together a set of eight key features of the unknown cybercrime worker, ranging from support for broader illegal activity to diffusing risk and maintaining stability and transparency of the criminal infrastructure. I have never thought about cybercrime in this fashion, and it made for some interesting reading. The authors also mention that the often-publicized crackdowns on online criminals can “in fact unite communities, giving them a common sense of struggle and persecution” and purpose. Perhaps a different strategy of having law enforcement interventions that focus on the economics of boredom and encouraging burnout could be a viable substitute instead of the “whack-a-mole” current approach.

Network Solutions blog: How to Secure Mobile Devices from Common Vulnerabilities

The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse and, of course, we mean your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control and some not. These mobile malware efforts aren’t new. Sophos has been tracking them for more than a decade (see this timeline from 2016). There are numerous examples of attacks, including fake anti-virus, botnets, and hidden or misleading mobile apps. If you want the quick version, there is this blog post for Network Solutions. It includes several practical suggestions on how you can improve your mobile device security.

You can also download my ebook that goes into more specific details about these various approaches to mobile device security.

How to minimize your cyber risk with Sixgill

In this white paper sponsored by the security vendor Sixgill, I explain why the dark web is such a critical part of the cybercrime landscape, and how Sixgill’s product can provide cybersecurity teams with clear visibility into their company’s threats landscape along with contextual and actionable recommendations for remediation. I cover the following topics:

  • How the dark web has evolved into a sophisticated environment well suited to the needs of cybercriminals.
  • What steps these criminals take in the hopes of staying hidden from cybersecurity teams.
  • How Sixgill uses information from the underground to generate critical threat intelligence – without inadvertently tipping cybercriminals off to the fact that an investigation is underway.
  • Why Sixgill’s rich data lake, composed of the broadest collection of exclusive deep and dark web sources, enables us to detect indicators of compromise (IOCs) before conventional, telemetry-based cyberthreat intelligence solutions can do so.
  • Which factors businesses and organizations need to consider when choosing a cyber threat intelligence solution.

You can download my white paper here.