Monthly Archives: December 2015

Charles Leaver – Four Lessons To Be Learned From Breaches At LastPass And Behavior Analytics

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

LastPass Cyber Attacks Have 4 Lessons Everybody Can Learn From

Password management company LastPass suffered data breaches in 2011 and then again in 2015. Specialists recommend password managers, since strong passwords unique to each account are not feasible to remember without organized help. However, putting all of one's eggs in a single basket, and then having countless users each place their basket into one giant basket, creates a tempting target for cyber criminals of every stripe. Cryptology experts who have studied this recent LastPass breach appear cautiously optimistic that significant harm has been averted, but there are still important lessons we can learn from this incident:

1. There Is No Perfect Authentication, There Is No Perfect Security

Any skilled, patient and motivated adversary will eventually breach any practical cyber defenses, even if yours is a cyber defense business! Sadly, for many businesses today it does not take much skill or persistence to breach their patchwork defenses and penetrate their sprawling, porous perimeters. Compromise of user credentials, even those of highly privileged domain administrators, is also quite common. Again, sadly, many businesses rely on single-factor password authentication, which simply invites widespread compromise of user data. But even multi-factor authentication can be breached, as the 2011 compromise of RSA SecurID tokens demonstrated.

2. Utilize Situational Awareness When Defenses Fail

Once attackers have breached your defenses, the clock is ticking on your detection, containment and remediation of the incident. Industry data suggests this clock ticks for a very long time, many days on average, before awareness sets in. By then the hackers have pwned your digital assets and picked your corporate carcass clean. Situational awareness is essential if this all-too-frequent tragedy is to be avoided.

3. Fuse Network and Endpoint Contexts For Comprehensive Situational Awareness

In the recent LastPass incident, detection was achieved by analyzing network traffic from server logs. The attacker dwell time before detection was not disclosed. Network anomalies are not always the fastest way to recognize an attack in progress. A combination of network and endpoint context provides a much better basis for decisions than either context alone. For example, being able to merge network flow data with the identity of the originating process sheds far more light on a potential intrusion. A suspicious network contact by a new and untrusted executable is far more telling when the two facts are taken together than when each is analyzed separately.
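As an added illustration of this fusion (not code from the original post or from Ziften), the script below joins constructed network flow records to constructed endpoint process-socket records on (host, source port) and only alerts when several weak signals coincide; the hosts, paths and IP ranges are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records as a network sensor might export them.
FLOWS = [
    {"host": "ws-17", "sport": 51022, "dst": "203.0.113.9", "dport": 443, "bytes": 1_900_000},
    {"host": "ws-17", "sport": 51023, "dst": "10.0.0.5", "dport": 445, "bytes": 4_000},
    {"host": "srv-02", "sport": 40001, "dst": "198.51.100.20", "dport": 443, "bytes": 120_000},
]

# Constructed endpoint records: which executable owned which local socket.
PROCS = [
    {"host": "ws-17", "sport": 51022, "exe": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "signed": False, "first_seen": "2015-12-03T09:12:00"},
    {"host": "ws-17", "sport": 51023, "exe": r"C:\Windows\System32\svchost.exe",
     "signed": True, "first_seen": "2014-01-10T00:00:00"},
    {"host": "srv-02", "sport": 40001, "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "signed": True, "first_seen": "2015-06-01T00:00:00"},
]

NOW = datetime(2015, 12, 3, 10, 0, 0)        # fixed clock so the example is deterministic
NEW_EXE_WINDOW = timedelta(days=7)
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True if the destination is inside the assumed corporate address space."""
    return any(ip_address(ip) in net for net in INTERNAL)

def fuse(flows, procs):
    """Join each flow to the endpoint process that owned its local port."""
    index = {(p["host"], p["sport"]): p for p in procs}
    for f in flows:
        yield f, index.get((f["host"], f["sport"]))

def score(flow, proc):
    """Collect the weak signals; each alone is noise, together they are evidence."""
    reasons = [] if is_internal(flow["dst"]) else ["external destination"]
    if proc is None:
        return reasons + ["no owning process recorded"]
    if not proc["signed"]:
        reasons.append("unsigned executable")
    if NOW - datetime.fromisoformat(proc["first_seen"]) < NEW_EXE_WINDOW:
        reasons.append("executable first seen this week")
    if "\\temp\\" in proc["exe"].lower():
        reasons.append("runs from a temp directory")
    return reasons

def alerts(flows=FLOWS, procs=PROCS, threshold=3):
    """Return (host, exe, reasons) for fused records with at least `threshold` signals."""
    return [(f["host"], p["exe"] if p else None, r)
            for f, p in fuse(flows, procs) if len(r := score(f, p)) >= threshold]
```

Run on the sample data, only the unsigned, freshly dropped temp-directory binary talking to an external address crosses the threshold; the signed browser making an external connection and the system service talking internally do not.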

4. After An Authentication Failure, Use User Behavior Analytics

Compromised credentials regularly wreak havoc across breached businesses, allowing attackers to pivot laterally through the network and operate largely below the security radar. But this abuse of legitimate credentials differs noticeably from the normal behavior of the genuine credential holder. Even fairly simple user behavior analytics can spot anomalous discontinuities in learned user behavior. Always employ user behavior analytics, especially for your administrators and other privileged users.
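As an added example of the "fairly simple" analytics meant here (not code from the original post or from Ziften), the script below learns a per-user baseline from constructed logon events (hosts used, logon hours, most distinct hosts in one day) and flags later events that break it; the user names, hosts and timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed training window: (user, host, timestamp) of successful logons.
BASELINE = [
    ("dadmin", "dc-01", "2015-11-02T09:05:00"), ("dadmin", "dc-01", "2015-11-03T10:15:00"),
    ("dadmin", "fs-01", "2015-11-04T14:40:00"), ("dadmin", "dc-01", "2015-11-05T16:30:00"),
    ("alice",  "ws-17", "2015-11-02T08:55:00"), ("alice",  "ws-17", "2015-11-03T09:10:00"),
]

# Constructed events to score: same domain-admin credential, different behaviour.
EVENTS = [
    ("dadmin", "dc-01", "2015-12-01T11:00:00"),   # ordinary daytime logon to a usual host
    ("dadmin", "ws-17", "2015-12-02T02:10:00"),   # 02:10 logon to a workstation never used
    ("dadmin", "ws-22", "2015-12-02T02:14:00"),   # ... then a second workstation ...
    ("dadmin", "ws-31", "2015-12-02T02:17:00"),   # ... and a third: lateral movement
]

def learn(events):
    """Build a per-user profile: hosts used, logon hours seen, max distinct hosts per day."""
    hosts, hours, per_day = defaultdict(set), defaultdict(set), defaultdict(lambda: defaultdict(set))
    for user, host, ts in events:
        t = datetime.fromisoformat(ts)
        hosts[user].add(host)
        hours[user].add(t.hour)
        per_day[user][t.date()].add(host)
    return {u: {"hosts": hosts[u], "hours": hours[u],
                "max_hosts_day": max(len(s) for s in per_day[u].values())} for u in hosts}

def detect(profiles, events):
    """Return (user, host, ts, reasons) for events that are discontinuous with the baseline."""
    seen_today = defaultdict(set)          # (user, date) -> hosts touched so far that day
    findings = []
    for user, host, ts in events:
        t = datetime.fromisoformat(ts)
        p = profiles.get(user)
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            if host not in p["hosts"]:
                reasons.append("host never used by this user")
            if all(abs(t.hour - h) > 1 for h in p["hours"]):   # allow one hour of slack
                reasons.append("logon hour outside learned window")
            seen_today[(user, t.date())].add(host)
            if len(seen_today[(user, t.date())]) > p["max_hosts_day"]:
                reasons.append("more distinct hosts in a day than ever before")
        if reasons:
            findings.append((user, host, ts, reasons))
    return findings
```

The first event passes because 11:00 is within an hour of a learned logon hour and the host is familiar; the 02:00 burst across three never-used workstations trips all three checks.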


Even The Most Prestigious Hackers Require Vulnerability Monitoring – Charles Leaver

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver

Hacking Team Impacted By Absence Of Real Time Vulnerability Tracking

These days cyber attacks and data breaches are in the news all the time, and not just in high-value industries such as healthcare, finance, energy and retail. One especially interesting incident was the breach of the Italian company Hacking Team. For those who don't remember, Hacking Team (HT) is a company that specializes in surveillance software for government and law enforcement agencies that want to conduct covert operations. The programs created by HT are not your run-of-the-mill remote control software or malware-style recording tools. One of their key products, code-named Galileo and better known as RCS (Remote Control System), claimed to be able to do pretty much whatever you needed in terms of “controlling” your target.

Yet as skilled as they were at developing these programs, they were unable to keep others out of their own systems, or to find such weaknesses at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT was hacked, and the material taken and subsequently released to the public was huge: 400 GB. More importantly, the material included very damaging information such as emails, client lists (with pricing) that included countries blacklisted by the UN, and the crown jewels: source code. There was also in-depth documentation that included a couple of very effective 0-day exploits against Adobe Flash. Those 0-days were used soon afterwards in cyber attacks against Japanese businesses and United States government agencies.

The big question is: how could this happen to a company whose whole reason for existing is to make software that is undetectable and to find or produce 0-day exploits for others to use? One would think a breach here would be next to impossible. Clearly that was not the case. Currently there is not a lot to go on regarding how this breach took place. We do know, however, that someone has claimed responsibility, and that individual (or team) is not new to breaking into places like HT. In August 2014 another security company, Gamma International, whose software is called FinFisher or FinSpy, was hacked and sensitive files were released in the same way, including client lists, pricing, code and so on. A user by the name of “PhineasFisher” posted 40 GB of data on Reddit and announced that he or she was responsible. A post in July this year from the same Twitter handle said they had also attacked HT. Their message and purpose in these breaches and thefts seems to be to make people aware of how these companies operate and who they sell to: a hacktivist attack. He did publish some information on his methods, and some of these techniques were probably used against HT.

A final question is: how did they break in, and what precautions could HT have taken to prevent the breach? We do know from the released documents that users within HT had extremely weak passwords such as “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft may have taken place used the program TrueCrypt. However, when you are logged in and using the system, those hidden volumes are accessible. No information has been released as yet on how the network was breached or how the attackers accessed the users' systems in order to download the files. It is clear, though, that companies need a service such as Ziften's Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside normal behavior. Examples are 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When an organization is making and selling advanced monitoring software, and holds unknown vulnerabilities in commercial products, a better plan should have been in place to minimize the damage.


Charles Leaver – Prevention Of The Anthem Healthcare Data Leak Could Have Been Possible With Endpoint Visibility

Written By Justin Tefertiller And Presented By Charles Leaver Ziften CEO

Continuous Endpoint Visibility Would Have Improved Healthcare Data Leak Avoidance


Anthem Inc. discovered a large-scale cyber attack on its data and IT systems on January 29, 2015. The healthcare data leak is believed to have taken place over a period of several weeks beginning around early December 2014, and targeted personal data on Anthem's database infrastructure as well as on endpoint systems. The stolen information included dates of birth, full names, healthcare identification numbers and even social security numbers of customers and Anthem employees. The exact number of people affected by the breach is unknown, but it is estimated that almost 80 million records were stolen. Healthcare data tends to be one of the most lucrative sources of income for hackers selling records on the dark market.

Forbes and others report that the attackers used a process-based backdoor on clients connected to Anthem databases, together with compromised admin accounts and passwords, to slowly steal the data. The actions the hackers took while posing as and operating as administrators are what eventually brought the breach to the attention of Anthem's security and IT teams.

This kind of attack illustrates the need for continuous endpoint visibility, since endpoint systems are a constant infection vector and an avenue to sensitive data stored on any network they connect to. Simple things like never-before-seen processes, new user accounts, odd network connections and unapproved administrative activity are typical calling cards of the onset of a breach, and can be quickly recognized and alerted on given the right monitoring tool. When alerted to these conditions in real time, incident responders can catch the intrusion, find patient zero, and hopefully mitigate the damage rather than allowing attackers to roam the network unnoticed for weeks.


Charles Leaver – Data Breach At PF Chang Affected 30 Restaurants Over 8 Months

Written By Charles Leaver Ziften CEO

The PF Chang's restaurant chain recently released new details about the security breach of its credit card systems across the country. The chain announced that the breach affected more than 30 locations in 17 states and went on for 8 months before being detected.

While the investigation is still continuing, PF Chang's reported in a statement that the breach has been contained and that customer financial data has been processed securely by the restaurant since June 11. The compromised systems used by the chain were taken out of service until it was clear that their security could be guaranteed, and in the meantime credit cards were processed manually.

Rick Federico, CEO, said in a statement: “The potentially taken credit and debit card data consists of the card number and in many cases likewise the cardholder's name and/or the card's expiration date. However, we have not identified that any particular cardholder's credit or debit card data was stolen by the hacker.”

PF Chang's was notified of the breach, which it described as an “extremely advanced criminal operation,” in June, when the Secret Service contacted the company about cyber security concerns. Once alerted, the restaurant engaged third-party forensic investigators to find out how the breach was able to happen, and they discovered that malicious actors had been able to exploit the chain's credit card processing systems and potentially gain access to customer credit card details.

Organizations worried about similar data breaches affecting point-of-sale terminals should implement endpoint threat detection to keep critical systems protected. Endpoint protection involves monitoring sensitive access points, such as POS systems, bar code readers and employee mobile phones, and mitigating the risks that appear. Continuous endpoint visibility is essential to identify threats before they compromise networks, and to ensure business security.