Tag Archives: editors

Inside the GAO’s Equifax breach report

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Government Accountability Office’s report on the Equifax breach and the questions it raises.

The U.S. General Accountability Office offered a detailed postmortem on the 2017 Equifax data breach, including new details about what led to the incident.

The Equifax breach report revealed that threat actors began scanning the credit rating agency’s systems for an Apache Struts vulnerability just two days after the vulnerability was publicly disclosed.

And while the Apache Struts bug enabled the attackers to gain a foothold in Equifax’s network, the General Accountability Office (GAO) report shows the vulnerability was just one of the many missteps that contributed to the breach. Those errors include missing 9,000 database queries made by the threat actors in search of valuable data, failing to catch data exfiltration because of a misconfiguration and an outdated recipient list of system administrators who should have been notified of the Apache Struts flaw.

In addition, the Equifax breach report describes how U.S. government agencies were unclear about which — if any — federal agency was coordinating the response effort; the U.S. Department of Homeland Security offered assistance, but Equifax turned it down. Several agencies, including the IRS, U.S. Postal Service and Social Security Administration, used Equifax’s identity verification services at the time of the breach.

What were the biggest lessons learned from the Equifax data breach report? What did the GAO investigation miss? Should companies like Equifax that handle massive amounts of personal data be subject to greater government oversight? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Are the Meltdown and Spectre flaws overhyped?

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss whether or not Meltdown and Spectre deserved to be nominated for the Pwnie Awards’ Most Overhyped Bug.

Were the Meltdown and Spectre flaws as bad as some claimed? That question was raised by the Pwnie Awards at Black Hat 2018 earlier this month.

While the Meltdown and Spectre flaws were nominated for the Most Innovative Research and Best Privilege Escalation Bug awards, the flaws were also nominated for the Most Overhyped Bug award. According to the Pwnie Awards, the “hype train jumped the tracks a bit” with the reaction to Meltdown and Spectre.

While the Most Overhyped Bug award eventually went to another vulnerability, the Pwnie nomination illustrated the ongoing debate over the seriousness of Meltdown and Spectre. While some experts at Black Hat argued the flaws opened up a dangerous new avenue of attacks, others said Meltdown and Spectre aren’t nearly as threatening as other recent bugs.

Were the Meltdown and Spectre flaws overhyped by some media outlets and security researchers? How dangerous can the flaws be if there’s no evidence they’ve been successfully exploited in the wild? Have we seen the worst of Meltdown and Spectre or are more variants coming? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Meltdown and Spectre disclosure in review

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss new insights — and questions — regarding the coordinated disclosure effort for Meltdown and Spectre.

Black Hat USA 2018 offered new insights into the Meltdown and Spectre disclosure process and raised questions about how such coordinated vulnerability disclosure efforts should be handled.

A Black Hat panel discussion provided a behind-the-scenes look at the process from the perspective of Microsoft, Google and Red Hat representatives.

During the discussion, the panelists revealed a number of stumbling blocks that posed problems for not only Intel, AMD and ARM, but the security response teams at various stakeholder companies, as well. For example, because of a miscommunication, Google wasn’t officially informed about the vulnerabilities until 45 days after they were first reported to the chipmakers.

The panelists also discussed the challenge of deciding which stakeholders to include in the Meltdown and Spectre disclosure and response process and when to include those parties.

How could the coordinated vulnerability disclosure process have been handled better? Should the pre-disclosure response and mitigation effort have included more people or fewer? How could Google have been left out of the loop for so long? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions on the Meltdown and Spectre disclosure and more in this episode of the Risk & Repeat podcast.

DHS warns of power grid cyberattacks

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss a new warning from the Department of Homeland Security regarding Russian hackers targeting the U.S. power grid.

The Department of Homeland Security has renewed its concerns over potential power grid cyberattacks.

DHS officials held a briefing this week to discuss the threat of Russian hackers targeting utility companies and industrial control systems in an apparent effort to compromise and potentially cripple U.S. critical infrastructure, according to a report from The Wall Street Journal. The report also claimed the hackers, who were linked to the Russian threat group Dragonfly, last year gained access to the control rooms of U.S. electric companies during an extensive hacking campaign.

While the government has issued warnings about active threats to ICS and critical infrastructure before, the DHS briefing marks the first time the agency has publicly discussed the extent of the power grid cyberattacks. Government officials said the Dragonfly campaign is likely continuing.

What effect will DHS’ briefing have on critical infrastructure security? Is the government’s assessment of the ICS threats accurate? Why did DHS decide to make this information public now? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Closing the gender gap at cybersecurity conferences

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the under-representation of women at cybersecurity conferences and how it affects the infosec industry.

This week’s Risk & Repeat podcast looks at the lack of women at cybersecurity conferences and explores what can be done to improve those numbers, as well as to increase diversity as a whole in the infosec industry.

Earlier this year, RSA Conference came under fire for having just one woman keynote speaker among nearly two dozen keynote spots. The criticism led members of the infosec community to form a new event, dubbed Our Security Advocates, or OuRSA. And while cybersecurity conferences such as Black Hat 2018 will prominently feature women infosec professionals as keynote speakers, there is still a significant gender gap at cybersecurity conferences.

Why aren’t more women speaking at industry events? How can organizations increase the number of women attending and participating in these events? Is the lack of women at cybersecurity conferences a symptom of the larger gender gap in infosec or a contributor to it? SearchSecurity editors Rob Wright and Maddie Bacon discuss those questions and more in this episode of the Risk & Repeat podcast.

U.S. government eyes offensive cyberattacks

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the risks of the U.S. Cyber Command engaging in offensive cyberattacks against foreign adversaries.

The prospect of the U.S. government using offensive cyberattacks against foreign adversaries appears to be gaining steam.

According to the New York Times, the Pentagon approved a policy that empowers the U.S. Cyber Command to initiate constant offensive cyberattacks designed to disrupt foreign networks. The Times report details a vision statement from military leadership that calls for cyber activities that are “short of war” to retaliate against hacking campaigns from adversarial nation states. The Pentagon’s new strategy for the U.S. Cyber Command, which has traditionally led the nation’s cyber defensive efforts, comes in the wake of many recent high-profile cyberattacks attributed to the governments of Russia, North Korea and Iran.

The concept of “hacking back” against cyber adversaries has gained momentum in both the private sector as well as the government. Some cybersecurity experts, however, have warned that the risks and unintended consequences of offensive cyberattacks can put private enterprises in the crosshairs of nation-state hackers.

What are the implications of the U.S. Cyber Command turning its attention to offensive hacking? What activities would be considered short of cyberwarfare? Could the Pentagon’s policy lead to an escalation of cyberattacks? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

More trouble for federal cybersecurity

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the recent federal cybersecurity report, which found the majority of agencies have significant security gaps.

The latest government report on the state of federal cybersecurity brought more bad news for Washington, D.C.

The Federal Cybersecurity Risk Determination Report and Action Plan, which was commissioned by the Office of Management and Budget and the Department of Homeland Security, found the vast majority of government agencies have significant gaps in their security postures. Specifically, the report found that 59 of 96 agencies are considered to be at risk, while 12 agencies are at high risk.

Key issues, according to the report, included ineffective and outdated identity and access management processes, a lack of communication between security operations centers, and a lack of accountability for agency leadership. The report also found that just 16% of agencies have deployed encryption for data at rest.

How serious are the federal cybersecurity report’s findings? What steps should be taken to improve the situation? What are the primary causes of the poor state of security in Washington? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Breaking down the Efail flaws

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Efail vulnerabilities in PGP and S/Mime protocols, as well as the rocky disclosure process for the flaws.

The unveiling of the Efail flaws in encryption client software led to spirited debates about the rocky disclosure of the vulnerabilities and who, ultimately, was responsible for them.

The vulnerabilities, which were discovered by a team of academic researchers in Germany and Belgium, affect some client software that implements two popular protocols for email encryption in Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/Mime). The Efail flaws could allow threat actors to obtain the plaintext of messages encrypted with the affected client software.

The researchers’ technical paper pointed to faulty email clients rather than the protocols themselves, which sparked a debate about who was responsible for the Efail flaws. While some infosec experts argued the developers were on the hook, others such as Matthew Green, professor at Johns Hopkins University’s Information Security Institute, criticized organizations like GnuPG for not taking a more active role in addressing the problem. Additionally, a broken embargo for the branded vulnerabilities led to questions and concerns about coordinated disclosure processes.

Was there an overreaction to Efail? Who takes the majority of the blame for these vulnerabilities? Did the Efail disclosure actually fail? SearchSecurity editors Rob Wright and Peter Loshin discuss these questions and more in this episode of the Risk & Repeat podcast.

Recapping 2017’s biggest trends in networking technology

Editor’s note: Cisco accelerated its shift to software, vendors launched new tools for managing data centers, and analytics, fueled by machine learning, stole the spotlight. Here, a recap of some of the most significant 2017 trends in networking technology.

Data center infrastructure trends in networking

In February, Cisco joined Microsoft to offer Azure Stack services in its UCS server. Throughout the early months of the year, Cisco revenues continued to fall, dropping for a fifth consecutive quarter because of declining sales of routers and switches.

Cisco attracted a lot of attention for its Digital Network Architecture (DNA) software initiative, which included a new line of Catalyst campus switches engineered to pave the way for a more intuitive way to program the network. DNA eliminates the need to program devices manually through the command-line interface; instead engineers use a policy-based approach to determine network behavior. Later that summer, Cisco said it would acquire SD-WAN vendor Viptela for $610 million in a bid to consolidate its WAN offerings.

In the fall, Cisco launched Intersight, a software-as-a-service initiative slated to become a management option for the vendor’s Unified Computing System and HyperFlex, a hyper-converged infrastructure platform. It also bolstered its Application Centric Infrastructure SDN software by enabling it to run across multiple data centers.

Other data center news included Juniper’s work on a switch fabric intended for multiple data centers, with a single set of management tools and higher spending on public cloud services. Juniper also made a series of announcements in December that included the release of bot software aimed at automating certain network functions.

Additionally, Dell EMC made its NOS standard on new open networking switches and Arista expanded its spine-leaf architecture for hyperscale data centers. Dell followed up its NOS announcement by releasing a line of high-speed switches for data centers and carriers in the fall.

Vendor consolidation gained traction, with Extreme Networks purchasing the data center business of Brocade, as well as the networking assets of Avaya.

Wireless LAN technology trends

The past 12 months were relatively quiet in WLAN trends in networking, as enterprises worked to deploy systems based on the 802.11ac Wave 2 specification.

One important technological development took place, however, as vendors began to release switches and other components capable of supporting the 2.5 and 5 GbE standard, which was ratified by the IEEE in late 2016. Toward that end, Dell EMC, among others, released multigigabit campus switches for both wired and WLAN deployments.

In February, Arris International said it would purchase WLAN vendor Ruckus Wireless Inc. for $800 million. Arris said Ruckus would continue to operate as an independent unit as it targets its technology to service providers and the hospitality market.

That acquisition was followed by a similar move by Riverbed Technology, which bought wireless LAN vendor Xirrus to complement its SD-WAN portfolio.

In June, Aruba released a core switch, aimed at large campus networks and internet of things applications. The 8400X switch also supports Aruba’s WLAN portfolio of products and software.

Extreme Networks announced plans in July to embed its recently acquired Avaya fabric technology in switches and management software to centralize control of large campus wired and wireless networks. And Aerohive, one of the last remaining independent Wi-Fi vendors, said it would add SD-WAN features to its cloud-based wireless controller in a bid to offer a more comprehensive service package to its customers. It also released a low-cost version of its Connect management platform for smaller deployments.

Network performance management and monitoring

In February, Cisco added policy-enforcement capabilities to its Tetration Analytics engine. The upgrade included a cheaper version for midsize companies. Following on the Tetration update, the vendor also launched cloud management for hyper-converged infrastructure in early March, providing enterprises with more choices in how they oversee the vendor’s  HyperFlex product.

VeloCloud beefed up its SD-WAN software with policy options to make it more responsive to network performance problems. The new capabilities let enterprises dedicate segments of the network to specific traffic. In the event of glitches, the software reroutes traffic to alternative routes.

Intent-based networking (IBN) — policy-based software that tells the network what you want instead of telling it what to do — was one of the biggest trends in networking technology. Cisco said IBN would reshape much of its network management efforts, while startup Apstra Inc. upgraded its software that lets companies configure and troubleshoot network devices from multiple vendors.

The addition of analytics — fueled by machine learning — within network management and monitoring applications also gained steam. ExtraHop Networks added machine learning as a service to its Discover packet capture appliances.

In November, Nyansa upgraded its Voyance remediation engine to flag potential sources of network trouble, improve analytics and recommend fixes.

The Bitcoin boom and its infosec effects

Listen to this podcast

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the recent bitcoin boom and how the cryptocurrency’s rising value could affect the cybersecurity landscape.

The bitcoin boom that saw a dramatic rise in the cryptocurrency’s value in recent weeks could have big implications for information security.

In the last month, the price of a single bitcoin tripled, jumping from approximately $5,700 to more than $17,000. A number of factors, including interest in the opening of the first regulated bitcoin futures exchanges and a hard fork in the cryptocurrency, could be contributing to the bitcoin boom beyond a general increase in buying and selling volumes.

But the surge also comes at a time of rampant global ransomware attacks, many of which demand payment from victims in bitcoin. While some enterprises have disclosed ransomware attacks, experts generally believe that many more attacks are kept quiet.

Could cybercriminals and ransomware attacks be contributing to the bitcoin boom? What will the rising price of the cryptocurrency mean for the cybercrime economy? Will the high value of bitcoin lead to more cyberattacks on bitcoin owners and exchanges, like NiceHash, which recently lost approximately $80 million in bitcoin following a massive data breach?

SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more on the bitcoin boom in this episode of the Risk & Repeat podcast.