Charles Leaver – Take Steps To Protect Your Organization From Ransomware

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware customized for enterprise attack campaigns has emerged in the wild. It is a natural evolution of consumer-grade ransomware, driven by the larger ransoms businesses are able to pay, combined with the sheer scale of the enterprise attack surface (internet-facing endpoints and unpatched software). To the attacker, your business is an appealing target with a big fat wallet just asking to be knocked over.

Your Organization is an Attractive Target

Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, and your credulous users may already be opening "spear phishing" e-mails crafted just for them, purportedly written by people they know.

The weaponized invoices go to your accounting department, the weaponized legal notices to your legal department, the weaponized resumes to your human resources department, and the weaponized trade-publication articles to your public relations firm. That should cover it, for a start. Add the watering-hole drive-bys planted on industry sites your employees visit, the social media attacks aimed at your key executives and their families, the infected USB sticks scattered around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise is not an "if" but a "when": the when is continuous, the who is legion.

Targeted Ransomware Is Here

Malware analysts are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe it in an excerpt from Intel Security Advanced Threat Research, February 2016:

“Throughout the past few weeks, we have actually gotten information about a new project of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automated execution of ransomware), the hackers gained consistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were utilized to find, encrypt, and erase the original files as well as any backups.”

Careful reading of this quotation immediately suggests the steps to take. Initial penetration was by "vulnerability exploitation," as is frequently the case. A sound vulnerability management program, with tracked and enforced exposure tolerances (measured in days), is mandatory. Since the attackers "spread their access to any connected systems," robust network segmentation and access controls are also required. Think of them as the watertight compartments of a warship that keep it from sinking when the hull is breached. Of special note, the attackers "erase the original files as well as any backups," so there must be no delete access from a compromised system to its backup files: systems must only be able to append to their backups.
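
As an added illustration of the append-only rule above (constructed for this page, not code from the post or from Ziften), the following Python backup receiver exposes no delete or overwrite operation, links each host's snapshots in a hash chain, and shows that a ransomware-encrypted upload from a compromised host leaves the earlier clean snapshot restorable. Class and function names are hypothetical.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, List

GENESIS = "0" * 64  # prev_digest of a host's first snapshot


@dataclass
class Snapshot:
    host: str
    seq: int          # per-host sequence number, strictly increasing
    digest: str       # SHA-256 of the snapshot payload
    prev_digest: str  # digest of the previous snapshot from this host (hash chain)
    received_at: float


class AppendOnlyBackupStore:
    """Backup target that only supports 'append'. There is deliberately no delete
    or overwrite method, so a compromised source host that holds backup
    credentials can add junk but cannot destroy earlier copies."""

    def __init__(self) -> None:
        self._payloads: Dict[str, bytes] = {}         # digest -> immutable content
        self._chains: Dict[str, List[Snapshot]] = {}  # host -> ordered snapshots
        self.rejections: List[str] = []               # refused requests, for the SOC

    def append(self, host: str, seq: int, payload: bytes) -> Snapshot:
        chain = self._chains.setdefault(host, [])
        if seq != len(chain):
            # Reusing an old sequence number (an attempt to "replace" a snapshot)
            # or skipping ahead is refused and recorded rather than honoured.
            self.rejections.append(f"{host}: refused seq {seq}, next is {len(chain)}")
            raise PermissionError("append-only store: seq must be the next unused value")
        digest = hashlib.sha256(payload).hexdigest()
        prev = chain[-1].digest if chain else GENESIS
        snap = Snapshot(host, seq, digest, prev, time.time())
        self._payloads.setdefault(digest, payload)  # content-addressed: never overwritten
        chain.append(snap)
        return snap

    def restore(self, host: str, seq: int) -> bytes:
        return self._payloads[self._chains[host][seq].digest]

    def verify_chain(self, host: str) -> bool:
        """Re-hash every payload and re-link the chain; any tampering breaks it."""
        prev = GENESIS
        for i, snap in enumerate(self._chains.get(host, [])):
            if snap.seq != i or snap.prev_digest != prev:
                return False
            if hashlib.sha256(self._payloads[snap.digest]).hexdigest() != snap.digest:
                return False
            prev = snap.digest
        return True


def ransomware_drill(store: AppendOnlyBackupStore, host: str) -> bytes:
    """Constructed scenario: a clean snapshot is taken, then ransomware on the host
    pushes its encrypted files as a new snapshot and tries to replace the clean one.
    Returns the bytes the responders can still restore from the clean snapshot."""
    clean = b"payroll.xlsx: constructed clean content"
    encrypted = b"payroll.xlsx.locked: constructed ciphertext"
    store.append(host, 0, clean)
    store.append(host, 1, encrypted)       # accepted, but only as a new entry
    try:
        store.append(host, 0, encrypted)   # "overwrite" attempt -> refused
    except PermissionError:
        pass
    assert store.verify_chain(host)
    return store.restore(host, 0)          # still the clean copy
```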

Your Backups Are Up to Date, Aren't They?

Of course, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not a reliable option, because any files produced by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators can reject files excreted from some malware orifice as legally valid, the chain of custody having been entirely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, viruses may have been planted for later re-entry, or the malware's file manipulations may simply have had errors or omissions. There is no way to place any confidence in such data, and accepting it as legitimate could further compromise all future downstream data that depends on or derives from it. Treat ransomware data as trash. Either have a robust backup strategy, regularly tested and verified, or prepare to suffer your losses.

What is Your Preparation for a Breach?

Even with sound backups, confidentiality of the affected data should be assumed breached, since the malware read it. Even with detailed network logs, it would be impracticable to prove that no data was exfiltrated. In a targeted attack the attackers typically take a data inventory, examining at least samples of the data to assess its potential value; otherwise they would be leaving money on the table. The ransom demand may merely be the final monetization stage of an enterprise breach, after all other value has been mined from the intrusion, because the ransom demand exposes the compromise.

Have a Thorough Remediation Strategy

One must assume that skilled attackers have set up multiple, cunningly concealed avenues of re-entry at staggered points in time (well after your crisis team has stood down and the expensive consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to deceive investigators and deflect blame. Re-imaging of systems should be exhaustive, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Likewise, do not assume system firmware has not been compromised. If you can update the firmware, so can attackers. It is not hard for hacking groups to explore firmware attack options when their enterprise targets standardize hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime allows the development and sale of firmware hacks on the dark net to a wider criminal market.

Help Is On Offer With Great EDR Tools

After all this bad news, there is an answer. With targeted ransomware, taking proactive action is far less painful than reactive clean-up. A good Endpoint Detection and Response (EDR) tool can help on both ends. EDR tools are good at identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposed vulnerabilities that they are best eliminated from the environment (Adobe Flash, for example). EDR tools are also good at tracking all significant endpoint events, so that investigators can identify a "patient zero" and trace the pivot activity of targeted, enterprise-spreading ransomware. Attackers rely on endpoint opacity to hide their actions from security staff; EDR provides open visibility of notable endpoint events that could signal an attack in progress. EDR is not restricted to the old anti-virus convict-or-acquit model, which lets freshly remixed attack code evade AV detection.

Good EDR tools are always vigilant, always reporting, always tracking, and available when you need them: now or retroactively. You would not turn a blind eye to enterprise network activity, so do not turn a blind eye to enterprise endpoint activity.


Charles Leaver – Gartner UEBA Report Highlights Behavioral Analytics New Trends

Written By Josh Linder And Presented By Ziften CEO Charles Leaver

The market for enterprise behavioral analytics is evolving, again, to support the security use case. In the recent Gartner User and Entity Behavior Analytics (UEBA) Trends Report, Ziften is delighted to be listed as a "Vendor to Watch." We believe our established relationships with threat intelligence feeds and visualization tools account for our inclusion in this research note.

In the UEBA market report, analysts Eric Ahlm and Avivah Litan describe a possible convergence of the advanced threat and analytics markets. The notion of UEBA, which extends user behavioral analytics to include companies, business processes, and autonomous devices such as the Internet of Things, requires deep understanding and the ability to respond rapidly and efficiently.

At Ziften, our established relationships with threat intelligence feeds and visualization tools reflect our inclusion in this research note. Our platform offers threat detection across multiple behavior vectors rather than looking at a single-threaded signature feed. With integrations to orchestration and response systems, Ziften uniquely couples signature-based and behavioral analysis while bridging the gap from protecting the endpoint to protecting the entity. Continuous monitoring from the endpoint, including network flow, is crucial to understanding the complete threat landscape and essential to a holistic security architecture.

We commend Gartner for identifying four areas for security and analytics vendors to focus on: User Behavior, Host/App Behavior, Network Behavior, and External Communications Behavior. We are the only endpoint vendor, today, to monitor both network behavior and external communications behavior. Ziften's ZFlow™ uses network telemetry to go beyond basic IPFIX flow data, augmenting it with Layer 4 and Layer 5 operating system and user behavior. Our threat intelligence integration, with Blue Coat, iSIGHT Partners, AlienVault and the National Vulnerability Database, is second to none. In addition, our special relationship with ReversingLabs provides binary analysis directly within the Ziften administration console.

Ultimately, our continuous endpoint visibility system is pivotal in helping to discover behavioral threats that are hard to correlate without advanced analytics.

Gartner Report

Six additional technology trend takeaways that Gartner readers should consider:

– Application of Analytics to Detecting Breaches Varies
– Data Science for Analytics Technologies Still Emerging
– The Need for Extended Telemetry Drives Analytics Market Convergence
– Convergence Between Analytics-Based Detection Vendors and Orchestration/Response Vendors Likely
– SIEM Technologies Positioned to Be Central to Consolidation for Analytics Detection
– Advanced Behavioral Analytics Vendors Extending Their Reach to Security Buyers


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Charles Leaver – Ask These 6 Questions For Damage Control Before A Cyber Attack

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if cyber attackers want to breach your network, it is only a matter of time before they succeed. The endpoint is the most common vector of attack, and people are the biggest point of vulnerability in any organization. The endpoint device is where they interact with whatever a hacker seeks: intellectual property, information, cyber ransom, and so on. There are new Next Generation Endpoint Security (NGES) systems, where Ziften is a leader, that provide the visibility and insight needed to help minimize or prevent the opportunity for, or the duration of, an attack. Methods of prevention include reducing the attack surface by removing known vulnerable applications, curtailing version proliferation, killing malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment: watching endpoint behavior, identifying when breaches have occurred, and responding immediately with remediation. Ziften also provides these capabilities, commonly known as Endpoint Detection and Response, and organizations must shift their mindset from "How can we prevent attacks?" to "We will be breached, so what do we do then?"

To understand the true breadth or depth of an attack, organizations must be able to rewind the clock and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them quickly, since incident responders are outnumbered and working within limited time windows to reduce damage.

Where was the attack behavior first seen?

This is where the ability to look back to the point in time of initial infection is critical. To do this effectively, organizations must be able to go as far back in history as necessary to determine patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach occurs, the typical dwell time before the breach is discovered is a stunning 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise organizations within minutes. That is why NGES systems that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the initial, critical penetration. The DBIR also found that 95% of malware types appeared for less than four weeks, and four out of five did not last seven days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.

How did it behave?

What happened, step by step, after the initial infection? Did malware execute for a second every five minutes? Was it able to obtain escalated privileges? A continuous picture of what happened behaviorally on the endpoint is critical to getting an investigation started.
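
As an added example (constructed for this page, not from the post or from Ziften), this Python simulation contrasts periodic endpoint polling with continuous process recording for the case just described, an implant that runs for about a second every five minutes, and derives patient zero and the order of spread from the continuous record. Hosts, hash labels and timestamps are made-up sample data.

```python
from typing import Dict, List, Set, Tuple

# Constructed process-start telemetry: (start_seconds, duration_seconds, host, hash).
# A long-lived legitimate process runs on both terminals for the whole hour; the
# implant runs for ~1 s every 300 s, first on POS-07 and later on POS-12.
IMPLANT = "HASH-implant-7f3a"   # placeholder label, not a real sample hash
LEGIT = "HASH-posapp-1a2b"
EVENTS: List[Tuple[int, float, str, str]] = (
    [(0, 3600, "POS-07", LEGIT), (0, 3600, "POS-12", LEGIT)]
    + [(t, 1.0, "POS-07", IMPLANT) for t in range(120, 3600, 300)]
    + [(t, 1.0, "POS-12", IMPLANT) for t in range(1920, 3600, 300)]
)


def polled_observations(events, interval: int, horizon: int) -> Set[Tuple[str, str]]:
    """What a scanner that samples the process list every `interval` seconds sees:
    a process is observed only if it happens to be running at the instant of a poll."""
    seen: Set[Tuple[str, str]] = set()
    for poll_at in range(0, horizon + 1, interval):
        for start, duration, host, phash in events:
            if start <= poll_at < start + duration:
                seen.add((host, phash))
    return seen


def continuous_observations(events) -> Set[Tuple[str, str]]:
    """A recorder that logs every process start misses nothing, however brief."""
    return {(host, phash) for _, _, host, phash in events}


def missed_by_polling(events, interval: int, horizon: int) -> Set[Tuple[str, str]]:
    """(host, hash) pairs the continuous record holds but the poller never saw."""
    return continuous_observations(events) - polled_observations(events, interval, horizon)


def patient_zero(events, phash: str) -> Tuple[int, str]:
    """Earliest recorded execution of `phash`: where the behaviour was first seen."""
    start, _, host, _ = min(e for e in events if e[3] == phash)
    return start, host


def spread_order(events, phash: str) -> List[str]:
    """Hosts in order of first execution of `phash`, i.e. the lateral-movement path."""
    first_seen: Dict[str, int] = {}
    for start, _, host, h in events:
        if h == phash and (host not in first_seen or start < first_seen[host]):
            first_seen[host] = start
    return sorted(first_seen, key=first_seen.get)
```

A five-minute poll never lands inside the one-second execution window, while a recorder of process starts captures every run and lets the spread be reconstructed.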

How and where did the attack spread after the initial compromise?

Usually the attacker is not after the information available at the point of infection, but rather wants to use it as an initial beachhead to pivot through the network and reach the valuable data. Endpoints include the servers that the endpoints connect to, so it is essential to see a complete picture of any lateral movement that occurred after the infiltration, to know exactly which assets were compromised and possibly also infected.

How did the infected endpoint(s) behavior change?

What was going on before and after the infection? What network connections were being attempted? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are critical to fast triage.

What user activity took place, and was there any potential insider involvement?

What actions did the user take before and after the infection occurred? Was the user present at the device? Was a USB drive inserted? Was the time period outside their normal usage pattern? These and many more artifacts must be available to paint a complete picture.

What mitigation is needed to deal with the attack and prevent another one?

Reimaging the infected machine(s) is a lengthy and costly solution, but many times it is the only way to know for sure that all malicious artifacts have been removed (although state-sponsored attacks may embed into system or drive firmware to remain immune even to reimaging). With a clear picture of all activity that took place, however, simpler actions such as removing malicious files from all affected systems may suffice. Re-examining security policies will most likely be necessary, and NGES solutions can help automate future actions should similar scenarios arise. Automatable actions include sandboxing, cutting off network access from infected devices, killing processes, and much more.

Don't wait until after an attack occurs and you have to call in an army of consultants and spend your time and money piecing the facts together. Make sure you are prepared to answer these six crucial questions and have all the answers within your grasp in minutes.


Charles Leaver – It Is Believed That The IRS Hack Began With Compromised Endpoints

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Due to Previous External Attacks

The Internal Revenue Service breach was the most unusual cyber attack of 2015. Classic attacks today involve phishing emails intended to gain initial access to target systems, where lateral movement is then carried out until data exfiltration occurs. But the IRS hack was different: much of the data needed to perform it had been obtained previously. In this case, all the hackers needed to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The IRS website has a "Get Transcript" function for users to retrieve previous tax return information. As long as the requester can provide the proper details, the system returns past and current W-2s, old tax returns, and so on. With anyone's SSN, date of birth and filing status, the attackers could begin retrieving past filing years' information. The system also had a Knowledge Based Authentication (KBA) step, which asked questions based on the requesting user's credit history.

KBA is not foolproof, however. The questions it asks can often be predicted from other information already learned about the user. The system asks questions such as "Which of the following streets have you lived on?" or "Which of the following vehicles have you owned?"

After the dust settled, it is estimated that the hackers tried to collect 660,000 transcripts of prior taxpayer information via Get Transcript, succeeding in 334,000 of those attempts. The unsuccessful attempts appear to have got as far as the KBA questions, where the hackers could not provide the correct answers. It is estimated that the attackers got away with over $50 million. So, how did the hackers do it?

Security analysts believe the attackers used information from previous attacks, such as SSNs, DOBs, addresses and filing statuses, to attempt to obtain prior tax return details on their target victims. If they were successful and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, often increasing the withholdings amount on the tax return form to obtain a bigger refund. As discussed previously, not all attempts were successful, but over 50% of the attempts led to significant losses for the IRS.

Detection and response systems like Ziften focus on recognizing when endpoints are compromised (for example through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used information gleaned from previous attacks outside the IRS, the compromised businesses could have benefited from the visibility Ziften provides and mitigated against mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these cyber attacks.


Charles Leaver – Comcast Customers Are At Risk From Shared Hacks And Data Exfiltration

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

The Consumers Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The private details of roughly 200,000 Comcast customers were compromised on November 5th 2015. Comcast was forced to make this announcement when it came to light that a list of 590,000 Comcast customer emails and passwords could be bought on the dark web for a token $1,000. Comcast maintains that there was no attack on its network; rather, the data came from past, shared hacks of other businesses. Comcast further claims that only 200,000 of these 590,000 customers still exist in its system.

Less than two months earlier, Comcast had already been slapped with a $22 million fine over its accidental publishing of almost 75,000 customers' personal information. Somewhat ironically, these customers had specifically paid Comcast for "unlisted voice-over-IP," a line item on the Comcast bill that specified that each customer's information would be kept private.

Comcast instituted a mass reset of 200,000 customer passwords, since attackers may have accessed these accounts before the list was put up for sale. While a simple password reset by Comcast will to some extent secure these accounts going forward, it does nothing to protect those customers who may have reused the same e-mail and password combination on banking and credit card logins. If the customer accounts were accessed before being disclosed, it is certainly possible that other personal information, such as automatic payment details and home address, was already obtained.

The bottom line: assuming Comcast was not attacked directly, it was the victim of numerous other hacks that contained data connected to its customers. Detection and Response solutions like Ziften can prevent mass data exfiltration and often reduce the damage done when these inevitable attacks occur.


Charles Leaver – Trump Hotels Were Breached Because Of Point Of Sale Vulnerabilities That Were Not Visible

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels Point-of-Sale Vulnerabilities Emphasize Need for Faster Detection of Anomalous Activity

Trump Hotels suffered a data breach between May 19th 2014 and June 2, 2015. The point of infection was malware, which infected their front desk computers, POS systems, and restaurants. However, in their own words, they state that they "did not discover any evidence that any consumer information was taken from our systems." While it is comforting that no evidence was found, if malware is present on POS systems it is most likely there to steal details of the credit cards that are swiped, or increasingly tapped, inserted, or waved. A lack of evidence does not mean the absence of a crime, and to Trump Hotels' credit, they have provided free credit monitoring services. If you examine a Point-of-Sale (or POS) system as an administrator, you will find one thing in abundance: they rarely change, and the software will be nearly uniform across the deployment environment. This has both positives and negatives when it comes to securing such an environment. Software changes are slow to happen, need extensive testing, and are hard to roll out.

However, because such an environment is so homogeneous, it is also much easier to spot Point of Sale vulnerabilities when something new has changed.

At Ziften we monitor all executing binaries and network connections that occur within an environment the moment they happen. If a single Point of Sale system started making new network connections, or started running new software, whatever its intent, it would be flagged for further review and investigation. Ziften also gathers unlimited historical data from your environment. If you want to know exactly what happened six to twelve months ago, that is not a problem. Dwell times and AV detection rates can now be determined using our integrated threat feeds, along with our binary collection and submission technology. Likewise, we will tell you which users launched which applications at what time across this historical record, so you can find your initial point of infection.

POS issues continue to plague the retail and hospitality industries, which is a shame given how relatively straightforward such an environment is to monitor with detection and response.


Charles Leaver – Marriott Could Have Prevented Their Point Of Sale Breach With Continuous Endpoint Visibility

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear to be an appealing target for cyber criminals seeking credit card data, as Marriott franchisee White Lodging Services Corp announced a data breach in the spring of 2015, affecting customers at 14 hotels across the country from September 2014 to January 2015. This incident follows a similar attack on White Lodging in 2014. The attackers in both cases were reportedly able to compromise the Point-of-Sale systems of the Marriott lounges and restaurants at a number of locations run by White Lodging. The cyber criminals were able to acquire the names printed on customers' credit or debit cards, the card numbers, the security code and the card expiration dates. POS systems were also the focus of recent breaches at Target, Neiman Marcus, Home Depot, and more.

Traditionally, Point-of-Sale (or POS) systems at many US retail outlets were "locked down" Windows devices running a small set of applications tailored to their function: ringing up the sale and processing the transaction with the card-issuing bank or merchant. Modern Point of Sale terminals are essentially PCs that run email applications, web browsers and remote desktop tools in addition to their transaction software. To be fair, they are usually deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For example, the remote control tools used for management and updating of the POS systems are frequently hijacked by attackers for their own purposes.

The credit card or payment processing network is an entirely separate, air-gapped, encrypted network. So how did the attackers manage to steal the payment card data? They stole it while it was in memory on the POS terminal during the payment process. Even if retailers don't store card data, the data can sit in an unencrypted state on the Point of Sale machine while the payment transaction is verified. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by the data thieves to harvest the card data in its unencrypted state. The data is then typically encrypted and retrieved by the attackers, or sent out to the Internet where it is collected by the thieves.

Ziften's solution provides continuous endpoint visibility that can discover and remediate these kinds of threats. Ziften's MD5 hash analysis can spot new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. It is also possible to spot POS malware by alerting on Command and Control traffic. Ziften's integrated Threat Intel and Custom Threat Feed options allow customers to be notified when Point of Sale malware communicates with C&C nodes. Finally, Ziften's historical data lets customers kick-start the forensic evaluation of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
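
As an added example serving both the homogeneous-POS argument in the Trump Hotels post and the hash and C&C alerting described here (constructed code, not Ziften's implementation), this Python fleet baseline treats any binary hash or network destination common to nearly every terminal as expected, flags the outliers with the user and first-seen time, and cross-checks destinations against a threat-feed set. The telemetry, hash labels and addresses are made-up sample values.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed endpoint telemetry: (timestamp, host, user, process_hash, destination).
# destination is "ip:port" for a network connection, or None for a bare process start.
Event = Tuple[int, str, str, str, Optional[str]]
POS_APP = "HASH-posapp-1a2b"      # placeholder labels, not real sample hashes
UNKNOWN = "HASH-unknown-7f3a"
APP_SERVER = "10.0.5.10:8443"
TELEMETRY: List[Event] = []
for n in range(1, 11):            # ten identical terminals...
    host = f"POS-{n:02d}"
    TELEMETRY.append((60 * n, host, "posoperator", POS_APP, None))
    TELEMETRY.append((60 * n + 5, host, "posoperator", POS_APP, APP_SERVER))
# ...except POS-04, where an unknown binary appears under a service account and calls out.
TELEMETRY.append((1000, "POS-04", "svc_remote", UNKNOWN, None))
TELEMETRY.append((1050, "POS-04", "svc_remote", UNKNOWN, "203.0.113.45:443"))

# Threat-feed entries; a TEST-NET placeholder stands in for a feed's C&C node.
C2_FEED: Set[str] = {"203.0.113.45:443"}


def fleet_baseline(events: List[Event], min_fraction: float = 0.8) -> Dict[str, Set[str]]:
    """Hashes and destinations present on at least `min_fraction` of all hosts are
    treated as the estate's normal, uniform image."""
    hosts = {e[1] for e in events}
    by_hash: Dict[str, Set[str]] = defaultdict(set)
    by_dest: Dict[str, Set[str]] = defaultdict(set)
    for _, host, _, phash, dest in events:
        by_hash[phash].add(host)
        if dest:
            by_dest[dest].add(host)
    need = min_fraction * len(hosts)
    return {
        "hashes": {h for h, hs in by_hash.items() if len(hs) >= need},
        "destinations": {d for d, hs in by_dest.items() if len(hs) >= need},
    }


def find_anomalies(events: List[Event], baseline: Dict[str, Set[str]],
                   feed: Set[str]) -> List[Dict[str, object]]:
    """One alert per host per deviation from the baseline, in time order. Feed hits
    are reported as their own kind because they justify containment, not just review."""
    alerts: List[Dict[str, object]] = []
    reported: Set[Tuple[str, str, str]] = set()

    def emit(kind: str, ts: int, host: str, user: str, value: str) -> None:
        if (kind, host, value) not in reported:   # alert once per host per new thing
            reported.add((kind, host, value))
            alerts.append({"kind": kind, "ts": ts, "host": host, "user": user, "value": value})

    for ts, host, user, phash, dest in sorted(events, key=lambda e: e[0]):
        if phash not in baseline["hashes"]:
            emit("new-binary", ts, host, user, phash)
        if dest and dest not in baseline["destinations"]:
            emit("new-destination", ts, host, user, dest)
        if dest and dest in feed:
            emit("c2-feed-match", ts, host, user, dest)
    return alerts


def first_seen(events: List[Event], phash: str) -> Optional[Tuple[int, str, str]]:
    """Initial point of infection for a hash, from the historical record: (timestamp, host, user)."""
    hits = [(ts, host, user) for ts, host, user, h, _ in events if h == phash]
    return min(hits) if hits else None
```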

It is past time for retailers to step up their game and look for new solutions to secure their customers' payment cards.


Charles Leaver – In Order To Learn From Their Previous Errors Experian Needs To Use Continuous Monitoring

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Needs To Learn From Past Errors And Implement A Continuous Monitoring Solution

Working in the security sector, I have always felt my job was hard to explain to the average person. Over the last couple of years, that has changed. Regrettably, we are seeing a new data breach announced every few weeks, with many more kept secret. These breaches are getting front page headlines, and I can now explain to my friends what I do without losing them after a few sentences. Nevertheless, I still wonder what we are learning from all of this. As it turns out, many businesses are not learning from their own mistakes.

Experian, the worldwide credit reporting firm, is a business with a lot to learn. A number of months ago Experian announced it had found its servers had been breached and that customer data had been stolen. When Experian revealed the breach they reassured consumers that "our consumer credit database was not accessed in this incident, and no credit card or banking info was taken." Although Experian took care in their announcement to assure consumers that their financial details had not been taken, they elaborated further on what data actually was stolen: customers' names, addresses, Social Security numbers, birth dates, driver's license numbers, military ID numbers, passport numbers, and additional information used in T-Mobile's own credit assessment. This is scary for two reasons: the first is the kind of data that was taken; the second is the fact that this is not the first time this has happened to Experian.

Although the hackers did not leave with "payment card or banking details," they did walk away with personal data that could be exploited to open new credit card, banking, and other financial accounts. This in itself is a reason the T-Mobile customers involved should be nervous. However, all Experian customers should be a little worried.

As it turns out, this is not the first time Experian's servers have been compromised by hackers. In early 2014, T-Mobile announced that a "relatively small" number of its customers had their personal details stolen when Experian's servers were breached. Brian Krebs has a very well-written blog post about how the hackers breached the Experian servers the first time, so we will not go into too much detail here. In the first breach of Experian's servers, hackers exploited a vulnerability in the company's support ticket system, which was left exposed without first requiring a user to authenticate before using it. Now to the scary part: although it became widely known that the hackers exploited a vulnerability in the company's support ticket system to gain access, it was not until shortly after the second hack that the support ticket system was shut down.

It would be difficult to imagine it was a coincidence that Experian chose to shut down their support ticket system mere weeks after they announced they had been breached. If this was not a coincidence, then let's ask: what did Experian learn from the first breach, where attackers got away with sensitive customer data? Companies that store their customers' sensitive information must be held accountable not only to protect their customers' data, but also to make sure that, if breached, they plug the holes discovered while investigating the attack.

When businesses are investigating a breach (or possible breach), it is important that they have access to historical data so investigators can piece back together the puzzle of how the attack unfolded. At Ziften, we offer a solution that gives our customers a continuous, real-time view of everything that happens in their environment. In addition to providing real-time visibility for identifying attacks as they happen, our continuous monitoring system records all historical data to let customers "rewind the tape" and piece together what happened in their environment, regardless of how far back they have to look. With this new visibility, it is now possible not only to discover that a breach occurred, but also to discover why it occurred, and hopefully to learn from past mistakes to keep them from happening again.


Charles Leaver – Isn’t It Time We Learned From Incidents Such As The UCLA Health Data Breach?

Written By Craig Hand And Presented By Ziften CEO Charles Leaver

UCLA Health Data Breach Probably Down To Inferior Security

UCLA Health announced on July 17th 2015 that it was the victim of a health data breach affecting as many as 4.5 million patients of the four hospitals it operates in the Southern California region. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, but no evidence yet indicates that the data was stolen. The data went as far back as 1990. Officials also stated that there was no evidence, at this time, that any credit card or financial data was accessed.

"At this time" is the key phrase here. The information accessed (or possibly stolen; it is hard to know at this point) is useful for essentially the lifetime of the individual, and potentially still useful after that individual's death. The information available to the criminals included names, addresses, phone numbers, Social Security Numbers, medical conditions, medications prescribed, medical procedures performed, and test results.

Little is known about this attack, as with so many others we hear about but never get any real details on. UCLA Health detected unusual activity in parts of its network in October 2014 (although access potentially began a month earlier) and immediately contacted the FBI. It was not until May 2015, a full seven months later, that investigators confirmed a data breach had occurred. Again, officials claim the attackers are probably highly sophisticated and located outside the country. Finally, the public got to hear about the breach a further two months later, on July 17, 2015.

It has been said many times before that we as security practitioners need to be right 100% of the time, while the criminals need only find the 1% we were unable to fix. Based on our research into the breach, the bottom line is that UCLA Health had inferior security practices. One indicator is the simple fact that the accessed data was not encrypted. We have had HIPAA for some time now, and UCLA is a renowned bastion of higher education, yet it still failed to protect the data in the simplest of ways. The claim that the attackers were highly sophisticated is also suspect, since no real evidence has been disclosed so far. After all, when was the last time a breached organization claimed the attack was not "sophisticated"? Even if they do have such evidence, we as members of the public will not get to see it, and so cannot vet it.

Because not enough has been disclosed about the breach, it is difficult to determine whether any system would have helped detect it sooner rather than later. However, if the breach began with malware being delivered to and executed by a user on the UCLA Health network, the likelihood that Ziften could have helped detect the malware, and potentially stop it, would have been fairly high. Ziften could also have alerted on suspicious, unknown, or known malware, as well as on any communications the malware made in order to spread internally or to exfiltrate data to an external host.

When are we going to learn? As we all know, it is not a matter of if but when an organization will be attacked. Smart organizations are preparing for the inevitable with detection and response solutions that limit the damage.


Charles Leaver – Data Leak At Adult Friend Finder Preventable With Ziften Endpoint Security

Written By Chuck McAuley And Presented By Charles Leaver Ziften CEO

Endpoint Security Is The Best Friend For Adult Friend Finder

Adult Friend Finder, an online "dating service", and its affiliates were hacked in April. The breached information included credit card numbers, usernames, passwords, dates of birth, address details and personal (you understand) preferences. What is often not highlighted in these cases is the monetary value of such a breach. Many would argue that an email address and its associated data are of little value. However, in much the same way that metadata collection gives the NSA insight, this type of information gives attackers plenty of leverage that can be used against the public. Spear phishing becomes a lot easier when attackers have not only an email address but also location, language, and race. The source IP addresses collected can even be used to narrow down targets' physical locations for further attacks.

The attack method used in this instance was not publicized, but it is fair to assume that it leveraged some form of SQL injection or a similar flaw, where the data is pulled out of the back-end database through a defect in the web application. Another possible mechanism would be hijacking SSH keys from a compromised admin account or from GitHub, but those tend to be secondary vectors for the most part. Either way, the database dump itself is 570 MB, and assuming the data was exfiltrated in a few large transactions, it would have been very visible at the network level: that is, if Adult Friend Finder had been using a solution that provided visibility into network traffic.
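The kind of flaw assumed above, shown as an added example (this is illustrative code written for this post, not Adult Friend Finder's code; the `users` table, its columns and the sample rows are constructed for the demo). The vulnerable lookup splices the username into the SQL text, so a tautology payload turns a single-user query into a dump of the whole table; the parameterized version binds the same input as a value and returns nothing.

```python
"""Added example: a SQL injection flaw of the kind assumed in the post,
shown beside its parameterized fix. Illustrative code for this post only;
the schema, table, column names and rows are constructed for the demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, dob TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, dob, card_last4) VALUES (?, ?, ?, ?)",
        [
            ("alice", "alice@example.org", "1981-04-02", "4242"),
            ("bob", "bob@example.net", "1975-11-19", "1881"),
            ("carol", "carol@example.com", "1990-07-30", "0005"),
        ],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the username is spliced into the SQL text, so a crafted
    value changes the query itself rather than just the value compared."""
    query = (
        "SELECT username, email, dob, card_last4 FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter; the SQL text is fixed,
    so the payload is compared literally against the username column."""
    query = "SELECT username, email, dob, card_last4 FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Tautology payload: closes the string literal, then makes the WHERE clause
# always true, so every row in the table comes back.
DUMP_ALL = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", len(find_user_vulnerable(db, DUMP_ALL)), "rows")  # 3
    print("safe:      ", len(find_user_safe(db, DUMP_ALL)), "rows")  # 0
```

Note that `sqlite3` only executes one statement per `execute()` call, so stacked queries (`'; DROP TABLE ...`) fail here even in the vulnerable path; the tautology is enough to dump every row, which is exactly the bulk-extraction scenario the post describes. With a production database driver that allows multiple statements, the same splice is worse.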

Ziften ZFlow™ provides network visibility into the cloud to catch abnormal data transfers and attribute them to the specific executing processes. In this case, the administrator would have had two opportunities to observe the anomaly: 1) at the database level, as the data was extracted, and 2) at the web server level, where an unusual volume of traffic would be sent to a single address. Organizations like Adult Friend Finder must obtain the endpoint and network visibility required to protect their customers' personal data, and "hook up" with a company like Ziften.
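An added example of the detection logic the two posts describe, run over process-attributed flow records: the two observation points named above (a database process shipping far more than usual to one host, and a web server process sending an outsized transfer to a single external address) and, from the UCLA Health post, a process reaching many internal hosts on administrative ports as it spreads. This is illustrative code written for this post, not Ziften's ZFlow or its data format; the CSV layout, host and process names, addresses and thresholds are all constructed for the demo and a real deployment would tune the thresholds against its own baseline.

```python
"""Added example: anomaly checks over process-attributed network flows.
Illustrative code for this post only, not ZFlow. The record format, hosts,
processes, addresses and thresholds below are constructed for the demo."""
import csv
from collections import defaultdict
from io import StringIO
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records: which process on which host sent how many bytes
# to which destination and port (the attribution an endpoint agent adds).
FLOWS = """\
host,process,dst,dport,bytes_out
web01,nginx,203.0.113.5,443,18230
web01,nginx,203.0.113.8,443,22011
web01,nginx,203.0.113.9,443,15570
web01,nginx,198.51.100.77,443,597000000
db01,mysqld,10.0.1.10,3306,1500000
db01,mysqld,10.0.1.10,3306,1850000
db01,mysqld,10.0.1.11,3306,1400000
db01,mysqld,10.0.1.10,3306,590000000
ws17,rundll32.exe,10.0.2.20,445,4100
ws17,rundll32.exe,10.0.2.21,445,3900
ws17,rundll32.exe,10.0.2.22,445,4300
ws17,rundll32.exe,10.0.2.23,445,4000
ws17,rundll32.exe,10.0.2.24,445,4200
ws17,rundll32.exe,10.0.2.25,445,3800
ws18,outlook.exe,10.0.0.5,443,51000
ws18,outlook.exe,10.0.0.5,443,48000
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}  # remote admin / file sharing

# Thresholds, constructed for the demo; tune against a real baseline.
VOLUME_FACTOR = 50        # one flow this many times the process's median size...
VOLUME_FLOOR = 1_000_000  # ...and at least this many bytes, to skip noise
FANOUT_MIN = 5            # distinct internal hosts on admin ports per process


def is_internal(addr: str) -> bool:
    """True for RFC 1918 addresses (the demo's notion of 'inside')."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the CSV records into dicts with numeric port and byte counts."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["dport"] = int(r["dport"])
        r["bytes_out"] = int(r["bytes_out"])
        rows.append(r)
    return rows


def volume_outliers(flows: list) -> list:
    """Flag single flows far above the sending process's own typical size.
    Catches both the database-level extraction (mysqld to the web tier) and
    the web-server-level transfer to one external address."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f["host"], f["process"])].append(f)
    alerts = []
    for (host, proc), group in by_proc.items():
        typical = median(f["bytes_out"] for f in group)
        limit = max(VOLUME_FLOOR, VOLUME_FACTOR * typical)
        for f in group:
            if f["bytes_out"] > limit:
                alerts.append((host, proc, f["dst"], f["bytes_out"]))
    return alerts


def lateral_fanout(flows: list) -> list:
    """Flag a process on one host talking to many internal hosts on admin
    ports: the internal-spread pattern the UCLA Health post describes."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] in LATERAL_PORTS and is_internal(f["dst"]):
            targets[(f["host"], f["process"])].add(f["dst"])
    return [(h, p, len(t)) for (h, p), t in targets.items() if len(t) >= FANOUT_MIN]


if __name__ == "__main__":
    recs = parse_flows(FLOWS)
    for host, proc, dst, nbytes in volume_outliers(recs):
        print(f"VOLUME  {host}/{proc} -> {dst}: {nbytes} bytes")
    for host, proc, n in lateral_fanout(recs):
        print(f"FANOUT  {host}/{proc} reached {n} internal hosts on admin ports")
```

The median-based check is deliberately per process: a 590 MB transfer is normal for a backup agent and abnormal for a web server, which is why attribution to the executing process, rather than a raw per-host byte count, is what makes the second observation point usable. The fan-out check ignores byte volume entirely, since lateral probing is small traffic to many places rather than large traffic to one.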