In recent research, Palo Alto Networks found attackers were targeting home routers to take control of them and use them in attacks that can bring other websites down. Here we explain this type of attack and what you should do.
Why should I care, what can it do to me?
These attacks could affect you in two ways:
They can slow down or disrupt your internet connection,
They can also make you an unwitting participant in attacks against other websites.
What causes this kind of attack?
Weak passwords and out-of-date software can both enable attackers to take complete control of your home router.
How can I prevent it?
Attackers take over home routers like this by exploiting default passwords and out-of-date software on the routers. An easy thing you can do is restart your router once a week (typically by unplugging it).
You can also stay safe by changing the password on your router and updating the software. If you’re not sure how to do this, contact your Internet Service Provider (ISP) that gave you the router for help.
How does it work?
When devices (in this case, the routers) are under someone else’s control like this, the collection is referred to as a “botnet”, a network (-net) of remotely controlled systems or devices (bot-).
When attackers have complete control of your home router, they can install attack software that they control, turning the device into a “bot”. Attackers can make all the controlled routers in a botnet do anything they want, including sending huge amounts of data to try to bring websites down.
These kinds of attacks are called “Distributed Denial of Service” or “DDoS” attacks. Attackers use them to take down websites for several reasons:
Personal or political reasons
To blackmail websites to pay money or face attack
To act as a diversion for other more serious attacks
Simply to create mischief
About
Threat Briefs are meant to help busy people understand real-world threats and how they can prevent them in their lives.
They’re put together by the Palo Alto Networks Unit 42 threat research team and are meant for you to read and share with your family, friends, and coworkers so you can all be safer and get on with the business of your digital life.
Got a topic you want us to write about for you, your friends, or your family? Email us at u42comms@paloaltonetworks.com.
The vulnerability management process has traditionally been supported by a finely balanced ecosystem, which includes such stakeholders as security researchers, enterprises, and vendors. At the crux of this ecosystem is the Common Vulnerabilities and Exposures (CVE) identification system. In order to be assigned an ID, vulnerabilities have to fulfill certain criteria. In recent times, these criteria have become problematic as they exclude vulnerabilities in certain categories of IT services that are becoming more and more common.
This is the first in a series of blog posts that will explore the challenges and opportunities in enterprise vulnerability management in relation to the increasing adoption of cloud services.
Common Vulnerabilities and Exposures
CVE® is a list of entries, each containing an identification number, a description, and at least one public reference for publicly known cybersecurity vulnerabilities[1].
CVEs are identifiers for security vulnerabilities that are—or are expected to become—public. Traditionally, they are assigned by one of two entities: the CNA (CVE Numbering Authority) that exists specifically for that piece of software (e.g. Microsoft, which covers Microsoft software) or a CNA that has been given coverage of said software (e.g. The Debian Project, Distributed Weakness Filing Project, and Red Hat all cover Open Source software to varying degrees). These CVEs are then published in the MITRE CVE database. Finally, they are consumed and republished by other organizations, often with additional information such as workarounds or fixes, which makes tracking and remediating those vulnerabilities possible.
Customers of companies or organizations that are CNAs for their own products can be reasonably assured that CVE IDs are assigned to historical, current and future vulnerabilities found in those products.
CVE and Vulnerability Management
The CVE system is the linchpin of the vulnerability management process, as its widespread use and adoption allows different services and business processes to interoperate. The system provides a way for specific vulnerabilities to be tracked via the assignment of IDs. Enterprises, security researchers, penetration testers, software providers and even vulnerability scanning tools all use CVE IDs to track vulnerabilities in products. These IDs also allow important information regarding a vulnerability to be associated with it such as workarounds, vulnerable software versions, and Common Vulnerability Scoring System (CVSS) scores. Without the CVE system, it becomes difficult to track vulnerabilities in a way that allows the different stakeholders and their tools to interoperate.
The decision to assign an ID to a vulnerability is governed by the Inclusion Rules. In order to assign a CVE ID to a vulnerability, the assigner has to take the vulnerability through the Inclusion Rules. Generally, only a vulnerability that fulfills all five criteria will be assigned an ID. For example, one of the Inclusion Rules, INC3, states that a vulnerability should only be assigned a CVE ID if it is customer-controlled or customer-installable. A vulnerability in Customer Relationship Management (CRM) software that is installed on a server owned and managed by an enterprise fulfills that requirement.
INC3, as it is currently worded, is problematic for a world that is increasingly dominated by cloud services. In the past, this inclusion rule has worked well for the IT industry, as most enterprise IT services have generally been provisioned on infrastructure owned by the enterprise. However, with the proliferation of cloud services, this particular rule has created a growing gap in enterprise vulnerability management. This is because cloud services, as we currently understand them, are not customer-controlled. As a result, vulnerabilities in cloud services are generally not assigned CVE IDs. Information such as workarounds, affected software or hardware versions, proofs of concept, references and patches is not available, as this information is normally associated with a CVE ID. Without the support of the CVE system, it becomes difficult, if not impossible, to track and manage vulnerabilities.
Conclusion
The Cloud Security Alliance and the CVE board are currently exploring solutions to this problem.
One of the first tasks is to obtain industry feedback regarding a possible modification of INC3 to take into account vulnerabilities that are not customer-controlled. Such a change would officially put cloud service vulnerabilities in the scope of the CVE system. This would not only allow vulnerabilities to be properly tracked, it would also enable important information to be associated with a service vulnerability.
Please let us know what you think about a change to INC3 and the resulting impact on the vulnerability management ecosystem in the comment section below, or email us.
Stay tuned for our next blog post where we will explore the impacts that the current Inclusion Rules have on enterprise vulnerability management.
When the general public thinks about today’s exciting technological breakthroughs, the imagery that springs to mind is unlikely to be a crowded pigpen in China or yam fields in the farmland of Nigeria. Yet, rural areas are the frontlines for some of the most important gains technology is enabling in modern society. The growing imprint of technology-driven advancements on the agriculture industry and in rural areas, generally, is one of the tech field’s most promising success stories.
Digital transformation is making its mark on the agriculture industry, with the Internet of Things, blockchain, robotics and drones among the technological forces that are helping to offset modern obstacles that previous generations of farmers did not have to overcome. In the not-so-distant past, farmers fretted about the weather, pests and their equipment – and that was about it. Today’s farmers must contend with a range of more sophisticated challenges, such as market volatility, international trade friction, serious labor shortages, borrowing costs and capital availability, and an increasingly complex regulatory environment.
Amid these challenges, in an industry known for razor-thin margins between success and failure, enabling even a 5% increase in yield can make a dramatic difference. Technological innovation increasingly is the path to swinging that equation in farmers’ favor by equipping them with an expanded set of solutions to their challenges. At the same time, for these innovations to serve their important purpose, it is imperative for security professionals to support suppliers’ and distributors’ assurance that these technologies are being deployed safely and securely throughout the supply chain.
Technology enabling a global bounty
The recent Forbes AgTech Summit underscored how key industry advancements – such as more reliable pathogen detection, autonomous wheelbarrows and analytics software that allows farmers to more accurately predict crop conditions – are capable of improving profitability for farmers and providing a more robust global bounty that will be increasingly critical as population growth, climate change and soil degradation put strain on the world’s food supply.
Much of the technological progress that is recalibrating the way food is being grown and distributed is attributable to automation. The implications of automation can cut in both directions, often driving improved business outcomes while, in some cases, imperiling job security for current workers. The net impact of automation, though, tilts heavily in a favorable direction when it comes to the agriculture industry. In many countries, including the United States, agriculture workers are in short supply, not because automation has put them out of work, but because of a range of factors that include urbanization and more stringent enforcement of immigration laws. Automation is a potent force in counteracting that labor shortage, producing driverless tractors and planting and harvesting more efficiently to maintain productivity and prevent wasting crops while people around the world go hungry.
It is not just automation that is serving as a new catalyst for farmers and food producers; a variety of emerging technologies are modernizing business models in rural areas around the world. From a Chinese tech giant deploying AI-powered pig-tracking systems, to a growing number of blockchain implementations that will allow food to be tracked globally throughout the supply chain, more efficiently addressing customer risk, it is encouraging to see technology deployed so creatively in an industry that affects all of us on a daily basis.
The ability to more effectively address food security is especially notable, with blockchain and IoT technology allowing inspectors and consumers to become aware of potential hazards in more timely fashion and avert potential health crises. Dubai has shown leadership in this regard, moving to put in place a food monitoring system that will make its reported $200 billion of annual food imports safer and more secure for its residents.
Life-saving health measures
Agriculture is not the only cornerstone of rural life that is being enhanced by technological innovation. Medical drones in Africa deliver life-saving supplies that are not readily available in local clinics, such as blood, medicine and emergency vaccines. In China this year, a logistics firm initiated delivery of goods to sparsely populated areas that will rely on larger drones transporting products to warehouses and smaller drones connecting rural residents with final deliveries. As with all technological innovations, organizations must deploy the needed safeguards and controls to keep pace with the deployment of these new technologies, with drones in particular posing several legal and security considerations. Organizations must determine their appetite for added risks and liabilities introduced by a drone program, as well as how to meet the related compliance requirements on an ongoing basis.
Undeniably, however, these are significant opportunities for residents of rural areas that would not have been possible as recently as five years ago. Even as global population trends reflect increasing urbanization, the capabilities that are being developed will ensure farmers and rural residents stand to benefit from technological innovations that are taking root every bit as much as city-dwellers. As digital transformation spreads beyond our urban hubs to rural fields throughout the globe, it is up to the security community to perform the due diligence necessary to enable these advancements to truly blossom.
Editor’s note: This article was originally published in CSO.
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA
In this Q&A, Danielle Kriz, senior director of Global Policy, and Fred Streefland, senior manager of Product Marketing for EMEA, cover the basics of the EU’s Network and Information Security Directive and what it might mean for organizations.
Fred: Let’s talk about a new cybersecurity law in the European Union, the Network and Information Security (NIS) Directive. What is it, who does it apply to, and what do they need to do?
Danielle: It’s the EU’s first law specifically focused on cybersecurity, which I blogged about in May. Through transposition into national laws, it applies in all 28 EU member states.
The NIS Directive aims to improve the cybersecurity capabilities of the EU’s critical infrastructure by setting security and incident notification obligations across many types of organizations offering essential and digital services. The NIS Directive also requires member states to enact national cybersecurity strategies and engage in EU cross-border cooperation, among other measures.
The requirements on industry outlined in the NIS Directive are applicable to two categories of entities: operators of essential services and digital service providers. Although the directive outlines generally what is in these categories, each member state is responsible for identifying the OES established in their territories that are in scope.
Operator of Essential Services (OES): Sectors covered include energy (e.g., electricity, oil and gas companies), transportation (including air, rail, water and roads), healthcare (like hospitals and clinics), certain banking and finance (such as credit) institutions, suppliers and distributors of drinking water, and digital infrastructure (like internet exchange points).
Digital Service Provider (DSP): There are three categories: online marketplaces, online search engines and cloud computing services. The Directive has some small company exceptions for DSPs.
The directive sets security and incident notification obligations on these organizations. They must:
Take appropriate and proportionate technical and organizational measures to manage risks to the security of their network and information systems, and these measures must “have regard to the state of the art.”
Take appropriate measures to prevent incidents affecting the security of their network and information systems.
Notify competent national authorities of security incidents of particular magnitudes.
These requirements are related to the networks and information systems used to provide the covered essential or digital services. The requirements also apply whether the OES or DSP manages its own network and information systems or outsources them.
The EU’s Agency for Network and Information Security (ENISA) has details on the directive.
Fred: How is the NIS Directive rolling out?
Danielle: The NIS Directive sets out objectives and policies to be attained through legislation at an EU member state level. All 28 EU countries were required to put the directive into national law by May 2018 (although the reality is that as of August 2018, some still were behind).
The impact will vary based on how each country previously regulated companies for cybersecurity. Some member states will make big changes and introduce new laws. Other member states might have existing laws into which they will need to integrate NIS requirements.
ENISA has issued non-binding guidelines for NIS so companies may want to look there. But many member states are expected to issue their own requirements. The European Commission has published a useful “state-of-play” of member states’ implementation of the NIS Directive.
Fred: Do non-EU headquartered companies need to worry about NIS?
Danielle: Yes, if they offer any of the covered essential or digital services in one or more EU countries. Regardless of whether a company is headquartered in the EU or not, companies covered under NIS must follow the law in the EU country where they have their main establishment. In fact, even companies providing digital services in the EU with no physical presence in the EU at all may be affected by the NIS Directive.
Therefore, we recommend that organizations operating in EU countries do research and obtain legal advice on whether NIS applies to them and the exact details of what they must do.
Danielle: Now, let me ask you some questions, Fred. Assuming you are responsible for the security of an organization that needs to comply with the EU Network and Information Security Directive, what does this mean to you and the organization? As a former CISO, what would you do and how would you approach this?
Fred: Every operator of essential services or digital service provider in the EU needs to comply with this NIS Directive (with some small company DSP exceptions). You mentioned the requirements: they need to take measures that have regard to state-of-the-art technologies to manage the risks of their network and information systems. They must take appropriate security measures to prevent and minimize the impact of security incidents. Besides this, they also have the obligation to report security incidents of a certain magnitude to their national authority.
As the person responsible for information security, you need to become “in control” of the risks of your network and information systems. So, I would focus on what matters and start with getting visibility into the security of your network and information systems.
This means understanding:
– Which networks and information systems support the covered services and how they are currently secured.
– Whether the products and services you use to protect those networks/systems account for the state of the art.
– What measures you are taking to prevent and minimize the impact of incidents on those networks and systems.
– If you are able to track and identify the impact of incidents that may occur so that you are able to notify authorities as needed.
I also recommend reading a recent blog by Greg Day, our CSO for EMEA, that explains how CISOs can view the NIS Directive as a positive opportunity for change.
Danielle: Again, from the CISO perspective, what is the final takeaway you’d like to share?
Fred: It is imperative to get proper visibility into your networks, information systems and data. In my opinion, that’s a prerequisite for effective security and compliance.
Palo Alto Networks is committed to assisting our customers on their road towards NIS Directive compliance. If you want to know how we can help, please attend our upcoming EU NISD webinar.
The information provided in this blog, concerning technical legal or professional subject matters, is for general awareness only, may be subject to change, and does not constitute legal or professional advice, nor warranty of fitness for a particular purpose or compliance with applicable laws. Always consult a qualified lawyer on any specific legal problem or matter.
The fluid technology and regulatory landscape calls on IT compliance professionals to be more flexible and proactive than in the past to remain effective, according to Ralph Villanueva’s session on “How to Design and Implement an Adaptive IT Compliance Function,” Monday at the 2018 GRC Conference in Nashville, Tennessee, USA.
The IT compliance function serves as an important bridge between the audit and IT departments, in addition to articulating business-related IT and security initiatives to management, and recommending and implementing appropriate compliance frameworks.
Business model changes, legal considerations, government requirements and evolving industry regulations are among the common reasons that organizations may need to more frequently explore switching their frameworks than in the past. Villanueva, IT security and compliance analyst with Diamond Resorts, referenced the General Data Protection Regulation (GDPR), which became enforceable in May, as an example of a recent regulatory shift that could have significant compliance ramifications. Additionally, he cited industries such as banking, healthcare and gaming as having special requirements calling for the use of compliance frameworks.
While acknowledging that the need to explore new or additional frameworks can cause “compliance anxiety” and organizational resistance, considering the corresponding investments in time and resources, Villanueva said effective use of people, processes and technology can make the process worthwhile in the long run. Given the increasing need to implement different frameworks to deal with a growing set of compliance complexities, Villanueva laid out five steps to be actively compliant across several frameworks while remaining in line with budget realities:
Understanding beats memorizing. Compliance professionals who truly understand the intent of a framework are best positioned to adapt it to their organizations.
Know your organization. Having a clear handle on the organization’s business model, mission and array of information and technology resources allows for more strategic compliance.
Anticipate how today’s trends will influence what you do tomorrow. Variables such as the need to incorporate more mobile device security and use of emerging technologies such as artificial intelligence (AI) and machine learning may call for recalibrating compliance processes.
Know that some fundamentals never change. Despite the volatile landscape, Villanueva said there still needs to be focus on established compliance priorities such as application controls and segregation of duties.
Keep learning. Investing in personal development and prioritizing networking are some of the best ways to keep current and “future-proof” career paths.
Villanueva cited COBIT 5, NIST 800-53, ISO 27001:2013 and PCI-DSS 3.2 as examples of useful frameworks for compliance professionals, and said identifying commonalities among different frameworks can make for a more efficient approach. Villanueva recommended IT compliance frameworks because they:
Simplify compliance;
Reduce the likelihood of missing compliance requirements;
Maximize everyone’s time;
Allow for clearly understood expectations;
Are commonly accepted by control stakeholders.
The importance of compliance professionals should not be overlooked. Aside from potential legal ramifications resulting from inadequate compliance, Villanueva said having strong compliance programs in place is critical to deter corruption and costly illegalities.
“We’re here to make sure that crime doesn’t pay,” Villanueva said.