Palo Alto Networks News of the Week – October 18

Here is this week’s top Palo Alto Networks news.

Palo Alto Networks announced this week that we have extended our enterprise security platform to bring next-generation security right to the public cloud – all while preserving speed and efficiency. Find out more.

Sometimes Patch Tuesday comes and goes with little excitement or fanfare; this month was different. Unit 42 explains the significance of October’s “Super Tuesday,” and check out the new critical Internet Explorer vulnerability impacting versions 6, 7, 8, 9 and 10 discovered by a Palo Alto Networks researcher.

Sebastian Goodwin with Palo Alto Networks is at Black Hat Europe in Amsterdam and wanted to share his experience at a great hands-on workshop at the conference, “PDF Attack: A Journey From the Exploit Kit to the Shellcode,” hosted by Jose Miguel Esparza.

This week three Google researchers revealed details around the latest attack on SSLv3, code named POODLE. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack allows an attacker who is already in the network path between the client and server to decrypt portions of the SSL session, including HTTP cookie data used for authentication. Unit 42 further examines this attack.

Brian Tokuyoshi highlights security risks of devices connected to the Internet of Things (IoT) and how to secure them against unauthorized network access.

Congratulations to our September PA-7050 Picture It winners, Brad & Manish!

Palo Alto Networks recently won Mobile Security Solution of the Year, honoring GlobalProtect, at the 2014 Computing Security Awards in London. Many thanks to everyone who voted!

Join us next Wednesday, October 22 for a webinar hosted by David Guretz, a Palo Alto Networks engineer and IT security expert, to learn more about the hot topic of network segmentation in financial services. Register.

Did you catch Palo Alto Networks at GITEX Technology Week in Dubai this week? Check out scenes from the show.

Pamela Warren attended and spoke at AFCEA TechNet Europe last week in Paris. She participated in a panel delving into Modern Cyber Defence and whether it requires “built-in security.” Find out her key takeaways from the event.


Last week we brought our top partners from Europe, the Middle East and Africa to Barcelona for our 6th Annual NextWave Partner Conference. Watch this video to hear from our executives and partners about what propelled growth behind our Enterprise Security Platform in 2014 — and what will keep EMEA on an upswing throughout the next 12 months.

Palo Alto Networks returns to Infosecurity: The Netherlands on October 29 and 30. Visit our booth to hear about threats hiding in plain sight on your network, plus additional important insights from our 2014 Application Usage and Threat Report.

We invite you to view a webcast featuring ISA99 Managing Director Joe Weiss and Palo Alto Networks SCADA Product Marketing Manager Del Rodillas, who will discuss cybersecurity for SCADA and ICS with an Oil & Gas SCADA security practitioner and explain real world use cases and cyber incidents.


Here are upcoming events around the world that you should know about:

Customer Forum: Hear from our experts on Advanced Threats

  • When: October 22, 2014 8:30 AM – 12:30 PM MST
  • Where: Calgary, AB

Expose The Underground – Prevent Advanced Persistent Threats

  • When: October 22, 2014 10:30 AM – 12:00 PM GMT+4:00
  • Where: Online

Hiding in Plain Sight – What’s Really Happening on Your Network

  • When: October 22, 2014 2:00 PM – 3:00 PM BST
  • Where: Online

Opplev styrken i Next-Generation Brannmurer [Norwegian]

  • When: October 22, 2014 1:00 PM – 2:00 PM CET
  • Where: Online

Palo Alto Networks webinar – Control your Own Cyberspace

  • When: October 22, 2014 2:00 PM – 3:00 PM CET
  • Where: Online

Palo Alto Networks: Live Demo

  • When: October 22, 2014 9:00 AM – 10:00 AM PST
  • Where: Online

Customer Forum: Hear from our experts on Advanced Threats

  • When: October 23, 2014 8:30 AM – 12:30 PM PST
  • Where: Vancouver, BC

Preventing Cyberattacks in Your Datacenter

  • When: October 23, 2014 11:00 AM – 12:00 PM PST
  • Where: Online

Presales Technical Enablement Workshop

  • When: October 28, 2014 9:00 AM – 5:00 PM EST
  • Where: Tampa, FL

Hiding in Plain Sight – What’s Really Happening on Your Network [Dutch]

  • When: October 29, 2014 9:30 AM – 5:00 PM EET
  • Where: Utrecht

Next Generation Security Technical Workshop

  • When: October 29, 2014 10:00 AM – 1:00 PM GMT
  • Where: London

Palo Alto Networks: Live Demo

  • When: October 29, 2014 9:00 AM – 10:00 AM PST
  • Where: Online

Palo Alto Networks Next-Generation Security – Ultimate Test Drive

  • When: October 29, 2014 9:00 AM – 1:00 PM EST
  • Where: Hanover, MD

Организация защиты предприятия от сложных постоянных угроз (APT) [Russian]

  • When: October 30, 2014 10:30 AM – 12:00 PM GMT+4:00
  • Where: Online

Palo Alto Networks & Westcon Security Seminar [Italian]

  • When: November 4, 2014 10:00 AM – 2:30 PM CET
  • Where: Roma

Expose the Underground with Palo Alto Networks

  • When: November 5, 2014 6:00 PM – 8:00 PM EST
  • Where: Nashville, TN

Opplev styrken i Next-Generation Brannmurer [Norwegian]

  • When: November 5, 2014 1:00 PM – 2:00 PM MEZ
  • Where: Online

Palo Alto Networks: Live Demo

  • When: November 5, 2014 9:00 AM – 10:00 AM PST
  • Where: Online

11月7日(金)製品体感セミナー [Japanese]

  • When: November 7, 2014 1:30 PM – 5:00 PM GMT+9:00
  • Where: 千代田区

[Palo Alto Networks Research Center]

POODLE like it’s 1999

1999 was a pretty interesting year for the Internet and security. To jog your memory, here are just a few of the major events from the ultimate (or penultimate, depending on your point of view) year of the last millennium.

  • The Melissa Virus was infecting millions of hosts using malicious e-mails.
  • Both Napster and MySpace made their first public appearances.
  • Internet Explorer 5.0 was released for Windows 3.1, 95 and 98.
  • The TLSv1 specification was published to replace SSLv3 and improve the security of Internet communications.

In the 15 years since TLS was introduced it has been widely adopted, but in many ways SSLv3 has hung on. The two specifications are very similar but not interoperable, and applications that implement TLS are often capable of falling back to SSL to support legacy servers. Cryptologists have slowly chipped away at the security of SSL over the last decade, discovering ways to reveal larger and larger pieces of information from encrypted sessions.

This week three Google researchers announced the latest attack on SSLv3 (named POODLE), which may prove to be the deathblow for this protocol. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack allows an attacker who is already in the network path between the client and server to decrypt portions of the SSL session, including HTTP cookie data used for authentication.

As all modern browsers and most servers support TLS, one would expect this attack to apply only to a small number of connections, but that is not the case. When most browsers fail to connect using TLS, they assume the server must be expecting SSL and downgrade their connections to the vulnerable protocol. This means that even two TLS-capable systems can be forced into using SSLv3 by an attacker who controls the network path. That attacker can then decrypt parts of the encrypted channel without the server’s or client’s knowledge.

The only permanent fix for POODLE is disabling the SSLv3 protocol completely. This can be done either from the server side or the client side depending on the applications. To address this issue, our IPS team issued an emergency update this morning, which contains a signature that alerts on any SSLv3 connection.

  Severity   ID      Attack Name                       CVE ID
  low        36815   SSLv3 Found in Server Response    CVE-2014-3566

Hits on this signature do not indicate an attack is underway, but any SSLv3 session should be considered vulnerable to POODLE and potentially compromised.
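The condition the signature above alerts on, the server settling on SSLv3 in its handshake response, can be checked directly from the bytes of a ServerHello record. The following Python is an added example, not code from the page or from Palo Alto Networks; the `build_server_hello` helper and the sample records it produces are constructed here purely for illustration.

```python
import struct

HANDSHAKE = 22        # TLS/SSL record content type for handshake messages
SERVER_HELLO = 2      # handshake message type for ServerHello
SSLV3 = (3, 0)        # protocol version bytes for SSL 3.0
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def server_hello_version(record: bytes):
    """Return the (major, minor) version the server selected in a ServerHello,
    or None if the bytes are not a complete handshake record carrying one."""
    if len(record) < 5:
        return None
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    # Reject non-handshake records and truncated or padded bodies.
    if ctype != HANDSHAKE or len(body) != rec_len or len(body) < 6:
        return None
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO or 4 + hs_len > len(body):
        return None
    # The version inside the ServerHello body is the negotiated one; the
    # record-layer version (rec_major, rec_minor) may legitimately differ,
    # so it must not be used for the decision.
    return (body[4], body[5])


def classify(record: bytes):
    """Name of the negotiated protocol, or None for anything but a ServerHello."""
    ver = server_hello_version(record)
    return None if ver is None else VERSION_NAMES.get(ver, "unknown %d.%d" % ver)


def is_poodle_exposed(record: bytes) -> bool:
    """True when the server response settles on SSLv3, i.e. the session is
    downgraded to the protocol POODLE attacks."""
    return server_hello_version(record) == SSLV3


def build_server_hello(version, cipher_suite=0x002F) -> bytes:
    """Construct a minimal ServerHello record (no extensions) for testing.
    The 32-byte server random is zero-filled; this is sample data only."""
    body = bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *version]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for v in (SSLV3, (3, 3)):
        rec = build_server_hello(v)
        print(classify(rec), "EXPOSED" if is_poodle_exposed(rec) else "ok")
```

Fed the server's first handshake record from a capture, `is_poodle_exposed` reproduces the alert condition; a hit means the session is SSLv3 and should be treated as described in the paragraph above.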

[Source: Palo Alto Networks Research Center]

How To Become A CISO, Part 1

Think you’re ready for the top job? Here’s part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you’re ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you’re ready to do the job… but can you get the job? For the next several weeks, we’re dedicating Mondays to helping you find the path to the big job, which won’t be easy to define.

“There’s not a standard path [to the CISO job] like so many other professions,” says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. “We can’t even agree on how to spell cyber security.” (Cybersecurity? Cyber-security?)

Even the words “engineer” and “administrator” don’t mean the same thing from company to company. The bad news, then, is that it is hard to know what career steps to take next.

The good news, though, is that the ladder you’re already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company.
Following the perplexing logic that somebody you don’t know must be smarter than somebody you do know, “the vast majority” of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it’s a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware…

A company’s first CISO has less power than its subsequent CISOs.
“That first CISO tends to not have as many teeth as the second one,” Aiello says. They’re likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security affects more than technology. “Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance.”

Most companies want to hire a CISO who’s already a CISO somewhere else.
This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you’ve reached the highest security position at your current company — like director or vice president of security — as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background.
Though there are people who rise to the security job from outside the IT department — we’ll hear some of their stories in the course of this series — Aiello says that most of today’s CISOs began their careers in an information technology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn’t necessarily required for a CISO.
In order to have climbed the infosecurity ladder high enough to be eligible for the “chief” title, you probably will have needed a CISSP already. However, if you’ve made it this far without one, you probably won’t need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

[Is there a cyber security skills shortage? Hear what Mark Aiello and Julie Peeler of ISC(2) said on Dark Reading Radio.]

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

“Raise your hand. Volunteer,” he says. If you’ve spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side — the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

“Understand the problems your technology is there to solve,” he says. “Understand what [the company is] securing and why they’re securing it.”

In the coming weeks, we’ll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first “how I became a CISO” tale.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[Source: Dark Reading]

Insider Threats: Breaching The Human Barrier

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

Undoubtedly, every InfoSec professional has heard the argument that the perimeter was broken. That was so 1995. The new rage is to break the “human barrier.” You know, those things that run the companies. Increasingly, attackers are using social engineering to target a corporation’s most vulnerable asset: the human. From there attackers hack the systems and completely own the company from the inside out.

A while back, WHMCS, an online banking and bill-paying company, was attacked by an outsider with real access credentials pretending to be an insider. It turns out the database administrator for the organization was pretty active on social media. From basic profiling of his public information, attackers were able to garner the answers to his security questions. After a quick phone call and password reset, attackers were able to download 1.1 gigabytes of credit card numbers and subsequently erased the servers just for kicks. A five-minute phone call opened the window of opportunity for a dox, which turned into total ownership.

That is just an outsider acting as an insider. What about an actual insider that has ill intent towards your company?

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non-technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Now that we’ve talked a bit about the scope of damage from insider threats, it’s important for organizations to clearly understand how these threats manifest. AT&T recently disclosed that an employee was able to access and exfiltrate confidential and personal user information, including social security and driver’s license numbers of thousands of customers. This is an example of a malicious insider attack, one in which an employee purposefully exposes data.

Angry and disgruntled
In situations with malicious insiders, employees are either angry, disgruntled, or rogue. They are either on the way out or have already been fired and still have access to corporate logins. These attackers are extremely dangerous because they already know their way around the network and can easily access copious amounts of information, without raising a brow. While it seems little can be done about this type of insider attack, the 2014 Verizon Data Breach Report indicates that 85% of insider privilege misuse attacks used the corporate LAN. With the implementation and enforcement of access controls, network behavioral analysis, and security awareness training that encourages employees to report suspicious activity, these types of attacks can be limited.

The second type of insider threat stems from accidental data uploads, failure to dispose of documents securely, and complex interactions with unintended consequences. Regardless of how it happens, negligent insider attacks occur when employees accidentally expose data.

A negligent insider can also take the form of a partner or third-party that has been granted access and accidentally exposes data. How many breaches do we read about that were the results of a laptop, USB key, or file thrown away improperly, and that it contained thousands of records of sensitive data? These breaches are not malicious insiders, but an uneducated and thoughtless insider that causes harm to your company and to your clients.

I believe the only way for an organization to be successful in preventing insider attacks is to progress beyond the thought process that IT is responsible for all information security issues. In every case above, user education along with proper technical solutions can help reduce the results of insider threat.

You can start by asking yourself the following questions:

  • Are policies in place?
  • Does legal and senior management support IT practices?
  • Do these types of programs reward employees instead of scaring them?
  • Do we conduct regular audits?

While this approach may seem unrealistic at first, I’ve seen firsthand how global organizations can reduce the number of malware-related incidents and shut down both insider and outsider threats with simple modifications to process and employee awareness. Organizations are only as strong as the weakest link — the humans. And as long as that simple fact remains true, attackers will always go after this low-hanging fruit. Make yourself, your employees, and your company not the easy pickings, and you might just have a chance of not being the next headline on Dark Reading.

Chris Hadnagy has over 16 years’ experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. He established the world’s first social engineering framework at http://www.social-engineer.org/, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals. A sought-after writer and speaker, he has spoken and trained at events such as RSA and Black Hat. He is also the best-selling author of two books: Social Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security.

[Source: DarkReading]

Palo Alto Networks Wins Mobile Security Solution of the Year

Palo Alto Networks recently won Mobile Security Solution of the Year at the 2014 Computing Security Awards in London, honoring GlobalProtect. 

Many thanks to everyone who voted. Check out photos from this year’s gala here — including our own Alex Raistrick and Steve Gerrard accepting the award!

Palo Alto Networks WildFire was also runner up for Anti Malware Solution of the Year.

Learn more

  • For more on GlobalProtect, check out our resources page here.
  • For more on Wildfire, head here.

[Source: Palo Alto Networks]
