The unprecedented distributed denial-of-service attack that took down DNS host Dyn last Friday – and by extension caused outages at sites including Twitter, Netflix, Spotify and Amazon – pushed the problem of unsecured IoT devices into the mainstream consciousness. A reported 1.2 Tbps of traffic was directed at Dyn from some half-million zombie nodes vulnerable to Mirai malware. Many of them were CCTV cameras and their attached digital video recorders, say researchers at Flashpoint.
The Mirai source code is publicly available and doesn’t require all that much technical acumen to exploit. It scans for IoT devices with default usernames and passwords, hijacks them and adds them to botnet armies. Would-be attackers can even buy DDoS attacks as a service.
For partners, there are some basic steps to take. Changing factory password and username combos on any device connected to the Internet is a basic, but clearly often ignored, first line of defense. Our free report on protecting customers from DDoS attacks will help you assemble a full plan.
And in the spirit of “never let a good crisis go to waste,” expect new offerings to combat the threat.
This week, for example, Aerohive Networks announced an IoT security capability for Wi-Fi and wired networks that runs on top of its Software Defined LAN solution and uses 802.1X and the company’s Software Defined Private Pre-Shared Keys to restrict network access to known and authenticated devices. Other capabilities include visibility into and control over what applications are running, traffic policy enforcement at the firewall, and cloud-based centralized management.
Including the WLAN in a DDoS protection plan makes sense given that most IoT devices have wireless connectivity capabilities and may have been plugged in by facilities teams with little thought of the potential for compromise.
With the Private Keys, each connected device can have a unique password, with Aerohive managing the certificate function. The system can manage IoT devices that don’t support 802.1X, and the company says customers or partners can create and revoke “tens of thousands of unique keys for individual or groups of devices on the same SSID that can be managed and distributed via the cloud, mobile applications or user self-registration.”
There’s also the ability to throttle bandwidth and quarantine suspect applications or IoT devices.
Symantec acquired Blue Coat in August, and this week it announced the integration of Blue Coat’s security telemetry into the Symantec Integrated Cyber Defense Platform. In addition, Symantec Data Loss Prevention now incorporates the Blue Coat Elastica CloudSOC Cloud Access Security Broker, renamed Symantec CloudSOC, for protection of data in the cloud. Symantec and Blue Coat products automatically exchange data on millions of malicious files and URL threat indicators daily.
CEO Greg Clark said in a statement that the Integrated Cyber Defense Platform enables Symantec products to block 500,000 additional attacks per day for the company’s 175 million endpoint, 63 million email and 80 million web security customers.
“Symantec research teams have unparalleled visibility into the entire threat landscape, including the most advanced attacks, and Blue Coat researchers have been categorizing, mapping and fingerprinting the Internet with a view into the darkest parts of the web and malware trade craft,” said Clark.
This “integration plus cloud equals visibility” message isn’t unique to Symantec. Large and small security providers are pursuing the broadest and deepest insights possible through artificial intelligence and collaborative alliances, such as the Blue Coat & Symantec TAP ecosystem, C3 Alliance and Intel Security Innovation Alliance Partner Directory (I’ll be reporting from the Intel Security Partner summit next week). It’s all good news for partners, as long as you keep track of which suppliers are working together.
Symantec says the combined threat telemetry has already produced some wins, including finding that a China-based cyberespionage group was targeting Hong Kong political organizations with spear-phishing emails, and that campaigns involving Trojan.Odinaff malware have targeted roughly 100 financial institutions worldwide.
The Symantec technology works by comparing new websites in real time with screenshots of known phishing sites using machine learning and advanced image analysis. The company says it has identified and blocked 137,000 new phishing campaigns since its release. Meanwhile, the Symantec DLP Cloud and CloudSOC offering helps protect data in 60-plus cloud apps, including Office 365, Box, Dropbox, Google Apps and Salesforce. DLP policies can be configured to selectively encrypt or tokenize data in SaaS applications.
There is some fine print: Trustwave defines “malware” as a client-side exploit triggered during web browsing, including vulnerabilities in browsers and browser plug-ins, and the guarantee applies only to newer versions of the gateway and for businesses that use the service at recommended protection levels. The remedy for missed malware is one free month of service. Cleanup is on the customer’s or service provider’s dime.
Trustwave has more than 1,000 channel partners worldwide and says “the vast majority” of its secure web gateway sales go through the channel, though it wouldn’t give specifics. The technology doesn’t use signatures or sandboxes; rather, traffic is routed through its cloud-based service.
The company also announced the appointment of Jim Ritchings as SVP of worldwide channel sales. Previously, Ritchings held the same title at F5 Networks, where he was responsible for F5’s worldwide channel strategy.
“Jim brings to Trustwave a strong background characterized by driving incremental revenue through partnerships on a global basis,” said Trustwave executive VP of global sales, Dave Feringa, in a statement. “With Jim at the helm as our channel chief, he will help Trustwave expand its leadership in cybersecurity and managed security services among our channel partners.”
Trustwave last month expanded its global network of nine federated advanced security operations centers.
The legislation aims to give EU citizens more confidence about the privacy of their personal information. It lays out mandatory and timely data-breach reporting, extends the definition of personal data and enshrines the “right to be forgotten” in law, Flynn told Channel Partners. GDPR won’t be in effect until May of 2018, but he says organizations are already scrambling to understand and implement the necessary changes.
One reason for the urgency: GDPR will dramatically increase penalties for non-compliance, with fines of up to €20 million — significantly higher than the €750,000 penalty under the current Data Protection Directive.
Closer to home, Flynn says New York State has proposed cybersecurity regulations aimed at guarding consumer data and financial systems from cyberattacks.
“The regulations would require all banks and insurance companies operating in the state to designate a CISO, adopt written cybersecurity policies and implement annual penetration tests, among other seemingly basic requirements,” he says. “Notably, under the proposed regulations, board or senior compliance officers would need to certify their organization’s security controls are meeting requirements. This could potentially expose such individuals up to criminal liability if the claim is found fraudulent.”
There’s nothing like the possibility of a public perp walk to catch an executive’s attention, and security-analytics provider Skybox says that its recent Analyzing the Attack Surface survey of 275 IT professionals at global enterprises and government agencies with more than 500 employees shows plenty of room for improvement.
Among findings: Ninety-two percent of organizations use automated tools to detect vulnerabilities on hosts and servers, but only 54 percent use such tools to assess security controls on cloud-based systems and applications. Although most (between 74 and 81 percent) automate the process of pushing patches, about half have primarily or completely manual processes for equally critical functions like remediating misconfigurations on servers and network devices and provisioning firewalls.
“The lack of an automated approach among so many organizations is alarming, especially when you consider that the industry is experiencing a severe shortage of security professionals,” said Flynn.
You may not know the name, but cybersecurity provider Cyberbit says it can help you overcome that security skills shortage through “hyper-realistic training.”
Customers can’t hire the cybersecurity pros they need. That leaves them vulnerable. For partners, a mix of the right suppliers, smart hiring, in-house training and advanced techs can fill the gap. Our free report helps you develop a business plan, pick the right certifications and more. Download now!
The newly expanded Cyberbit Range simulation platform offers hands-on exercises for IT security teams and business leaders; customers typically come from enterprises, universities and government agencies. A partner could replicate its own or a customer’s network setup and security tools lineup and simulate typical traffic so trainees receive realistic drills. New features include virtual and physical SCADA training, cross-functional executive training and new attack scenarios, including ransomware variants.
“Security analysts are expected to both master and operate dozens of new tools continually against threats they have never seen,” said Adi Dar, CEO of Cyberbit, in a statement. “By making real-life simulated training more accessible, Cyberbit Range ensures teams – from SOC staff to executives – are best equipped to manage these targeted attacks.”
The company also provides group training on how to work as a team to manage various attacks. Partners can request a demo to see if the service is a fit before signing on.
Spoofed emails – those entering an organization disguised as coming from a company’s own domain – are a major cause of those successful phishing and ransomware attacks. You can hardly blame an end user for clicking on a message that appears to come from a colleague.
KnowBe4 came up with that 82 percent figure by reviewing thousands of domains run through its no-cost domain spoof test. This analysis revealed that email servers are frequently set up incorrectly, allowing a cybercriminal to impersonate an employee or executive. As part of its spoof testing, KnowBe4 has worked with thousands of IT managers to determine whether they are open to such an attack.
“A typical scenario is a spoofed email that looks like it comes from the IT administrator or ‘IT’ asking an employee to update their email account credentials,” says KnowBe4 CEO Stu Sjouwerman. “The uneducated employee fills out their username and password credentials thinking they are complying to a request.”
With these credentials, attackers can gain access to the network.
KnowBe4 facilitates end-user training by supplying customizable email templates for simulated phishing.
Follow editor in chief @LornaGarey on Twitter.