Archive for ISA

Guest Post: More On Meltdown and Spectre vulnerabilities From ISA

Posted in Commentary with tags on January 6, 2018 by itnerd

By Bryan Pollitt, Vice-President, Professional Services at ISA

These vulnerabilities are different from most we see, because they are tied to hardware rather than to an application or operating system, and hardware vulnerabilities are far rarer. Meltdown and Spectre were discovered independently by several research teams, including Google’s Project Zero, and are likely to be the worst processor bugs ever discovered: they affect processors from Intel, AMD and ARM sold over many years, and the hardware itself cannot be replaced on any normal timescale, so everything rests on software and firmware mitigations.

The first has been dubbed “Meltdown” (CVE-2017-5754) because it essentially melts the security boundary between user programs and the operating system that hardware normally enforces. It takes advantage of a feature of almost all modern processors, out-of-order (speculative) execution, which lets the CPU run instructions ahead of program order so that it spends less time idle. Meltdown exploits a race between instruction execution and privilege checking: a load from kernel memory is executed, and its value used by the instructions that follow, before the privilege check raises a fault. The architectural result is discarded, but the transient access leaves a trace in the CPU cache that unprivileged code can measure with a timing side channel, and from that timing the attacker recovers the value. In practice an ordinary user process can read kernel memory, and through the kernel’s own mappings potentially all physical memory, including passwords and keys belonging to other processes.

The second is called “Spectre” (CVE-2017-5753 and CVE-2017-5715), which researchers describe less as a single bug than as a whole class of vulnerabilities in modern processors. Spectre focuses on branch prediction, the part of speculative execution that guesses which way a branch will go before the condition is known. Unlike Meltdown, Spectre does not rely on a specific feature of the processor’s memory management and protection system; instead it trains the branch predictor so that a victim program speculatively executes code paths it would never take architecturally, and the victim then leaks its own memory through the same cache side channel. It is a more generalized idea that has so far been demonstrated against user-level programs, including JavaScript running in a browser reading other data in the browser’s memory, and it is harder to fix because there is no single missing check to add.

Since the vulnerabilities were made public this week, we’ve been working with our clients to help them understand what they can do to secure themselves. The key point is that these vulnerabilities make attacks very hard to detect: a side-channel read uses only ordinary unprivileged instructions and leaves no crash, log entry or file behind, so from a forensics perspective it is very difficult to see that an attack happened at all, let alone what was read.

In order to take advantage of the vulnerabilities, an attacker needs to run code on the victim’s device. One way to do that is to get someone to browse to an attacker-controlled website that uses JavaScript; browser vendors have responded by reducing timer precision and disabling the shared-memory features that make the timing measurement easy, so keeping browsers current matters as much as filtering. If an organization runs Web filtering technologies, it should strengthen its policies around what sites users can visit, blocking known bad sites and, where feasible, unknown ones. Many organizations have very liberal Web filtering policies that don’t offer strong protection.

Organizations should also be more diligent about their e-mail policies. For example, HTML e-mail should not automatically load remote content or resolve the URLs in messages, and users should be told not to open attachments unless they are certain they are safe. The key is to ensure that executable code which takes advantage of the vulnerabilities does not get into the environment in the first place.

In terms of remediation, Microsoft has released an out-of-band security update for all currently supported Windows versions that addresses Meltdown and the operating-system part of the Spectre mitigations; full protection against Spectre variant 2 also needs a CPU microcode (firmware) update from the system vendor. Two caveats before deployment: Windows Update only offers the patch to machines whose antivirus product has set the compatibility registry key Microsoft required, because the kernel changes crashed some older antivirus drivers, and the page-table isolation fix carries a performance cost that varies by workload. Linux distributions have shipped the equivalent kernel page-table isolation (KPTI) patches and Apple has updated macOS. We recommend organizations test the patches, deploy them as soon as possible, and then verify on each host that the mitigation is actually active rather than assuming the update installed.
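To verify on Linux hosts that a patch actually took effect (the Windows counterpart is Microsoft’s SpeculationControl PowerShell module), here is an added example that is not part of the original post and not ISA’s tooling. It reads the per-vulnerability status files that patched Linux kernels export under /sys/devices/system/cpu/vulnerabilities and lists the hosts’ outstanding issues. The sample file contents are constructed, and the function names are my own.

```python
"""Check Meltdown/Spectre mitigation status on a Linux host.

Added example, not part of the original post. Kernels carrying the January
2018 fixes export one file per issue under
/sys/devices/system/cpu/vulnerabilities whose content is "Not affected",
"Vulnerable[: detail]" or "Mitigation: detail". An absent file means the
kernel predates that reporting and must not be assumed patched.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(text):
    """Map the content of one status file to a (state, detail) pair."""
    line = text.strip()
    if line == "Not affected":
        return ("not_affected", "")
    if line.startswith("Mitigation:"):
        return ("mitigated", line[len("Mitigation:"):].strip())
    if line.startswith("Vulnerable"):
        # Early retpoline builds report e.g. "Vulnerable: Minimal generic ASM retpoline".
        return ("vulnerable", line[len("Vulnerable"):].strip(": "))
    return ("unknown", line)


def read_sysfs(directory=SYSFS_DIR):
    """Read the status files; a missing file maps to None."""
    status = {}
    for name in CHECKS:
        try:
            with open(os.path.join(directory, name), encoding="ascii") as fh:
                status[name] = fh.read()
        except OSError:
            status[name] = None
    return status


def assess(status_by_name):
    """Turn raw file contents (or None) into findings per vulnerability."""
    findings = {}
    for name in CHECKS:
        text = status_by_name.get(name)
        if text is None:
            findings[name] = ("unreported",
                              "kernel does not report status; treat as unpatched")
        else:
            findings[name] = classify(text)
    return findings


def needs_action(findings):
    """Names of vulnerabilities that still require patching or investigation."""
    return sorted(name for name, (state, _) in findings.items()
                  if state in ("vulnerable", "unreported", "unknown"))


# Constructed sample contents (not captured from a real host).
SAMPLE_PARTIALLY_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}
SAMPLE_UNPATCHED = {"meltdown": "Vulnerable\n", "spectre_v1": "Vulnerable\n",
                    "spectre_v2": None}


if __name__ == "__main__":
    status = read_sysfs()
    if all(value is None for value in status.values()):
        print("no sysfs reporting on this host; showing the constructed sample")
        status = SAMPLE_PARTIALLY_PATCHED
    for name, (state, detail) in assess(status).items():
        print(f"{name:11s} {state:13s} {detail}")
    print("needs action:", needs_action(assess(status)) or "none")
```

Run it as root or any user (the files are world-readable) on each host after patching; a host whose spectre_v2 line still says "Vulnerable" after the kernel update is usually waiting on the microcode update or a compiler with retpoline support, which the kernel alone cannot supply.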

Infographic: Ransomware: Last Dance For Data?

Posted in Commentary with tags on December 15, 2017 by itnerd

[Infographic image: isa_ransomware_vertical.png]

Source: ISA

Canadian Cyber Security Firm Launches New Standalone Incident Response Readiness Service

Posted in Commentary with tags on December 14, 2017 by itnerd

ISA, a Toronto-based cyber security firm with over 20 years of experience helping organizations of all sizes with IT security, today launched a standalone Incident Response Readiness Service designed to help Canadian organizations respond to cyberattacks in hours rather than days. The service grows out of positive customer feedback on ISA’s existing incident response work and the need for such an offering in an evolving attack landscape. It takes a proactive approach to cyber security and helps customers cope with increasingly sophisticated attacks.

A proactive approach is key because attacks are becoming more sophisticated. For example, cybercriminals are increasingly spreading their malware payloads over file-sharing protocols rather than relying on e-mail, according to recent data from ISA’s Cybersecurity Intelligence and Operations Centre (CIOC).

It is easier to carry out an attack by moving laterally within an organization over its file shares than by relying on e-mail attachments, explained Bryan Pollitt, ISA’s Vice-President of Professional Services. According to customer network data gathered by the ISA CIOC, there was a 500 per cent increase in exploitation attempts against SMB file sharing, the protocol that Samba implements on Linux, between Q2 and Q4 2017.

Learning the Samba (exploit)

The best-known SMB exploit is “EternalBlue”, which targets a flaw in the SMBv1 implementation built into Windows (patched by Microsoft as MS17-010) and was the mechanism the WannaCry ransomware used to spread from machine to machine with no user interaction. Samba is the open-source implementation of the Server Message Block protocol that lets Linux and Unix systems share file and print services with Windows machines; Samba itself was not vulnerable to EternalBlue, but it had its own serious, unrelated flaw in 2017 (CVE-2017-7494, a remote code execution bug affecting all versions from 3.5.0 onward, in which a client with write access to a share can upload a shared library and make the server load it) that could likewise be exploited over a file share.

Ransomware that spreads through SMB exploits is, by its nature, extremely difficult to defend against and requires a proactive security approach. The main reason is that people need to share files in order for any business to go about its day-to-day activities; it would be unrealistic, and ultimately detrimental to an organization’s survival, to shut file sharing down. What can be done is to retire the legacy SMBv1 protocol that EternalBlue targets wherever it is still enabled, patch Windows (MS17-010) and Samba, and block TCP port 445 at the perimeter and between workstations that have no reason to serve files to each other.
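Finding the hosts that still speak SMBv1 is the first step in retiring it. The following is an added example, not part of the original release and not ISA’s tooling: a minimal probe that sends an SMB1 negotiate request offering only the SMB1 dialect and classifies the reply according to the SMB_COM_NEGOTIATE layout in MS-CIFS. The sample replies at the bottom are constructed, not captured, and the function names are my own.

```python
"""Probe a host for SMBv1 (the protocol EternalBlue targets).

Added example, not ISA's tooling. It sends an SMB_COM_NEGOTIATE that offers
only the SMB1 dialect "NT LM 0.12". A server that still speaks SMB1 answers
with an SMB1 negotiate response selecting that dialect (index 0); a server
with SMB1 disabled closes the connection, answers with no acceptable dialect
(index 0xFFFF) or, if it only negotiates SMB2, replies with the 0xFE 'SMB'
header. Wire layout follows MS-CIFS (SMB header and negotiate request/response).
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"
NO_DIALECT = 0xFFFF


def smb1_header(command, status=0):
    """32-byte SMB1 header: magic, command, NT status, flags, flags2,
    PIDHigh, security features, reserved, TID, PIDLow, UID, MID."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, status,
                       0x18, 0xC853, 0, b"\0" * 8, 0, 0, 0xFEFF, 0, 0)


def build_negotiate_request(dialects=(NT_LM_012,)):
    """NetBIOS session framing + SMB1 header + negotiate body."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect strings
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body
    return struct.pack(">I", len(smb)) + smb  # type 0x00 + 24-bit length


def classify_response(data):
    """Interpret the first bytes a server sends back."""
    if not data:
        return "no_response"
    body = data[4:] if data[0] == 0 else data  # strip NetBIOS header if present
    if body[:4] == SMB2_MAGIC:
        return "smb2_only"
    if body[:4] != SMB1_MAGIC or len(body) < 35 or body[4] != SMB_COM_NEGOTIATE:
        return "unrecognised"
    word_count = body[32]
    if word_count == 0:  # an error response carries no parameter words
        return "smb1_rejected"
    dialect_index = struct.unpack_from("<H", body, 33)[0]
    return "smb1_rejected" if dialect_index == NO_DIALECT else "smb1_enabled"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the negotiate, and classify the reply (network I/O)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            return classify_response(sock.recv(4096))
    except OSError as exc:  # refused, reset or timed out: SMB1 not offered
        return f"connection_failed ({exc.__class__.__name__})"


# Constructed sample replies (not captured from real servers).
_accept = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 17, 0)
SAMPLE_SMB1_ACCEPT = struct.pack(">I", len(_accept)) + _accept
_reject = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 1, NO_DIALECT)
SAMPLE_SMB1_REJECT = struct.pack(">I", len(_reject)) + _reject
SAMPLE_SMB2 = struct.pack(">I", 4) + SMB2_MAGIC

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_smb1(target))
```

Run it only against hosts you are authorized to test. An "smb1_enabled" result on a Windows host means the SMB 1.0 feature is still installed and on (Windows 10 1709 and later ship with it off); on a Samba host it means `server min protocol` in smb.conf is below SMB2. The nmap `smb-protocols` script performs the same check with more dialects, but the bytes above show exactly what is being asked of the server.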

Better to be prepared than sorry

It’s no secret that cyberattacks are on the rise. Recently an organization contacted ISA to help with a malware incident. The organization’s servers had gone offline and were rebooting. There was no patch management and the internal team was unprepared to deal with the threat.

ISA’s security team was able to identify a complex, multi-stage, zero-day threat for which there was no protection available and contain it before the malware reached its second stage. If the malware had deployed fully, it would have used the organization’s servers to mine virtual currency.

Taking action with Incident Response

ISA’s Incident Response Readiness Service provides an initial triage within 30 minutes of an attack, 24 hours a day, seven days a week, through access to ISA’s CIOC. Without such a service in place, recovery after an attack typically takes days rather than hours.

ISA recommends implementing a documented Incident Response Plan based on a six-stage approach that ensures readiness throughout the Incident Response lifecycle.

  1. Preparation – Review of existing security infrastructure, preparing identification and response plans, and implementation of incident response tools and processes.
  2. Identification and Assessment – Timely detection of security incidents and determination of their nature and potential impact.
  3. Containment – Immediate action, using documented processes, to limit damage and prevent any further loss or impairment.
  4. Eradication – Removal of the attacker’s foothold (malware, compromised accounts, persistence mechanisms) and evaluation of systems to ensure the security incident is fully remediated.
  5. Recovery – Restoration of data and network availability, as well as confidentiality and ongoing integrity.
  6. Lessons Learned – Review and assessment of the events and processes that have taken place, and application of improvements to the plan.

ISA recently published a whitepaper on its six-step plan, which can be downloaded here.