News today: CareFirst is reporting that the medical records of 1.1 million customers have been breached. The news casts a shadow over the healthcare industry, which is still recovering from the breach of 80 million records from Anthem earlier this year. In fact, the Washington Post is already reporting that “2015 is already the year of the health-care hack — and it’s only going to get worse.”
The Washington Post reports a third of the US population has been impacted in the past five years:
“Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data.”
Additionally, a recent Ponemon study, the “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data” revealed some very alarming statistics, as CSO reports:
The report also found that it’s not just big or small healthcare organizations, but healthcare organizations of all sizes, that are at risk of enduring successful attacks against their systems.
According to the report:
- 91 percent of healthcare organizations had one data breach.
- 39 percent experienced two to five data breaches.
- 40 percent had more than five data breaches over the past two years.
The prognosis is not good. Once again, we are witnessing the negative impact that occurs when organizations fail to properly invest in the most foundational aspect of security: PREVENTION. Once again, we have an incident response team investigating the attack, no doubt to report that this was a sophisticated attack that could not have been prevented. This vicious cycle of “cyber indulgences” and assuming compromise is toxic to security.
Cyber attacks are really not all that sophisticated – the real issue is that the traditional security model has not kept pace with the malicious actors. As the recent Verizon DBIR illustrates, 97% of exploits shared 10 common CVEs. As Bromium research has previously demonstrated, a “defense in depth” architecture can be easily circumvented by kernel exploits.
It is time to get serious about the condition of information security, both in healthcare and across many other industries with critical data to protect, such as government organizations, financial services and retail.
Bromium provides a proactive approach to threat prevention by isolating attacks through application containerization. Bromium vSentry software transforms endpoint security with a revolutionary new architecture that focuses on protection through hardware-enforced isolation.
By: Ian Pratt, co-founder & CEO
After four successful years of leadership, our co-founder Gaurav Banga is leaving Bromium. I am taking the reins at Bromium for the next chapter of its growth, and am excited to lead the company as we expand our product portfolio and deliver uncompromising security to customers worldwide.
Gaurav has done a fantastic job leading the company to the strong position we now find ourselves in, and I’d like to thank him for his dedication, insight and friendship. We all wish him well.
I’m thrilled also to announce that Ravi Khatod joined Bromium today as Chief Operating Officer. Ravi brings a wealth of experience that is perfectly matched to Bromium’s needs as our development, marketing and sales activities ramp: He has successfully delivered endpoint security products to the enterprise market, and has an intimate understanding of our competitive environment. He will help Bromium to scale with a focus on operational excellence, and has a commitment to customer success and value.
Ravi and I are excited to be working with such a phenomenal team to transform enterprise security in such a profound way using micro-virtualization. There is huge need for our products and we are looking forward to yet another fantastic year. We are committed to Bromium’s success by delivering enduring value to our customers — putting an end to enterprise breaches and empowering end-users.
News last week painted Rombertik as the newest “chicken little” security threat, by which I mean “the sky is falling!” By initial reports, Rombertik was a piece of malware so dangerous that it would destroy your computer if it was detected and would generate more than 100 Gb of log files for security analysts!
So, is the sky really falling?
Bromium suspected that this super smart and destructive malware was being somewhat exaggerated. Although the initial research claims Rombertik is extremely well obfuscated and complex, our analysis did not find this to be true.
Case in point, by simply opening the malicious exe and dumping the whole image, we obtained the de-obfuscated image. We were able to verify this by comparing the number of strings (URLs, IAT, boot sector messages) to the original research. In our investigation, Bromium found that there were only 44 functions as opposed to the 8,000 described in the blog – and none of these functions seem particularly noteworthy. The payload hooks WSASend in Chrome, HTTPSendRequest in IE and CreateFile in Firefox. What we witnessed were classic injects – all fairly simple stuff. Overall, it is just a simple web inject based stealer.
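The comparison described above, counting strings by category in the packed sample versus the dumped image, is the kind of quick census an analyst runs before trusting a "heavily obfuscated" claim. The script below is an added example, not Bromium's tooling and not Rombertik's code: the two byte blobs are constructed stand-ins (a packed image that only exposes its loader's imports, and a dumped image where the payload's imports, C2 URL and boot-sector message are visible), and the API-name and boot-message marker lists are assumptions for illustration.

```python
"""String census for comparing a packed sample with its dumped image.

Added example, not Bromium's own tooling.  The two byte blobs are CONSTRUCTED
stand-ins for "packed sample" and "dumped, de-obfuscated image"; nothing here
is taken from Rombertik.  The API-name and boot-message marker lists are
assumptions.
"""
import re
from collections import Counter

# Runs of 5+ printable ASCII bytes, the usual `strings` heuristic.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{5,}")
URL_RE = re.compile(rb"https?://[\w./-]+")
# The post names WSASend, HttpSendRequest and CreateFile as the hooked
# functions; the remaining two are assumed common inject APIs.
API_NAMES = (b"WSASend", b"HttpSendRequest", b"CreateFile",
             b"WriteProcessMemory", b"CreateRemoteThread")
BOOT_MSG_MARKERS = (b"boot", b"Boot", b"MBR")
CATEGORIES = ("total", "url", "api", "boot_msg")


def string_census(blob: bytes) -> dict:
    """Count printable strings in a blob, by category."""
    counts = Counter()
    for s in PRINTABLE_RE.findall(blob):
        counts["total"] += 1
        if URL_RE.search(s):
            counts["url"] += 1
        if any(api in s for api in API_NAMES):  # substring: names carry A/W suffixes
            counts["api"] += 1
        if any(m in s for m in BOOT_MSG_MARKERS):
            counts["boot_msg"] += 1
    return {k: counts[k] for k in CATEGORIES}


def census_delta(packed: bytes, dumped: bytes) -> dict:
    """Strings that became visible after dumping (dumped minus packed)."""
    before, after = string_census(packed), string_census(dumped)
    return {k: after[k] - before[k] for k in CATEGORIES}


# Constructed stand-ins.  A packed image only exposes the loader's own imports;
# everything else is opaque bytes until the payload unpacks itself in memory.
_LOADER_IMPORTS = b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
PACKED_IMAGE = b"MZ\x90\x00" + b"\x00" * 16 + _LOADER_IMPORTS + bytes(range(256)) * 2
DUMPED_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 16 + _LOADER_IMPORTS
    + b"ws2_32.dll\x00WSASend\x00wininet.dll\x00HttpSendRequestA\x00CreateFileW\x00"
    + b"http://c2.example.invalid/gate.php\x00"   # constructed; .invalid is reserved
    + b"Boot sector has been overwritten\x00"
)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_IMAGE), ("dumped", DUMPED_IMAGE)):
        print(f"{name:7s} {string_census(blob)}")
    print("delta  ", census_delta(PACKED_IMAGE, DUMPED_IMAGE))
```

On the constructed input the packed image yields no URL, API or boot-sector strings at all, while the dump exposes one URL, three hooked-API names and one boot-sector message; the same census run against the original research's string counts is what the post used to confirm the dump was complete.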
What of the reports that Rombertik is capable of modifying the Master Boot Record and encrypting files in the home folder?
Yes, Rombertik can infect your MBR as described in the original article, but on a normal machine it won’t happen. Why? Rombertik will only infect the MBR if either the resource section was modified (it checks the CRC32) or the username contains a suspicious substring (such as “sandbox”). On a normal PC, this isn’t going to happen.
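For an analyst the practical consequence of those two triggers is a pre-detonation check: a lab box named after its purpose, or a sample whose resources were patched during analysis, is exactly what sets the destructive branch off. The script below is an added example, not Bromium's code and not Rombertik's code; it models the guard as "CRC32 over the resource section must equal a stored value" and "username must not contain a suspicious substring". The resource bytes and stored checksum are constructed, and the username list beyond "sandbox" is an assumption.

```python
"""Pre-detonation check for a sample that guards its destructive path with a
resource-section CRC32 and a username substring test, as the post describes.

Added example, not Bromium code and not Rombertik's code.  The resource bytes
and stored checksum are CONSTRUCTED; the username list beyond "sandbox" is an
assumption.
"""
import zlib

# The post names "sandbox"; the other substrings are assumed common lab names.
SUSPICIOUS_USERNAME_SUBSTRINGS = ("sandbox", "malware", "virus", "sample", "test")


def resource_crc32(resource_section: bytes) -> int:
    """CRC32 as the sample would compute it over its own resource section."""
    return zlib.crc32(resource_section) & 0xFFFFFFFF


def destructive_path_triggers(resource_section: bytes, stored_crc: int, username: str) -> list:
    """Reasons the destructive branch would run; an empty list means the sample
    would behave as it does on a normal PC."""
    reasons = []
    if resource_crc32(resource_section) != stored_crc:
        reasons.append("resource section modified (CRC32 mismatch)")
    lowered = username.lower()
    reasons += [f"username contains {sub!r}"
                for sub in SUSPICIOUS_USERNAME_SUBSTRINGS if sub in lowered]
    return reasons


def lab_is_safe_to_detonate(resource_section: bytes, stored_crc: int, username: str) -> bool:
    return not destructive_path_triggers(resource_section, stored_crc, username)


# Constructed resource section and the checksum the sample would carry for it.
ORIGINAL_RESOURCE = bytes(range(64)) * 4
STORED_CRC = resource_crc32(ORIGINAL_RESOURCE)      # stands in for the embedded value
# An analyst flipping a single byte (e.g. while patching a flag) changes the CRC.
PATCHED_RESOURCE = ORIGINAL_RESOURCE[:10] + b"\xff" + ORIGINAL_RESOURCE[11:]

if __name__ == "__main__":
    for label, res, user in (("clean sample, ordinary user", ORIGINAL_RESOURCE, "jsmith"),
                             ("patched sample, ordinary user", PATCHED_RESOURCE, "jsmith"),
                             ("clean sample, lab username", ORIGINAL_RESOURCE, "Sandbox01")):
        print(f"{label}: {destructive_path_triggers(res, STORED_CRC, user) or 'no trigger'}")
```

The point for a defender is that the MBR write is an anti-analysis response, not the malware's goal: a lab with an ordinary-looking username and an unmodified sample sees the stealer behaviour the post describes, and nothing else.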
So, no, the sky isn’t falling. However, the significance of this malware lies with the attempt by the attacker to address and circumvent the latest security defenses. It appears as if this is just the latest salvo in the never-ending battle of attackers finding ways of avoiding defenders’ detection efforts. Seems like a good time to think about adopting a new approach, isolation, to change the game and quit playing by the attackers’ rules.
This week at the RSA Conference, I had the opportunity to talk with dozens upon dozens (more than 100) of information security professionals for Bromium’s “State of Security Report Card,” a survey of opinions about popular security solutions. It may seem obvious (especially if you read the headlines), but the survey revealed that firewalls and antivirus are failing to prevent attacks.
The results of this survey serve as yet another proof point in a long line of data about the shortcoming of legacy security solutions. Even if you cling to the belief that AV is not dead, RSA conference attendees seem to be aware that these solutions are failing.
Specific findings from the “State of Security Report Card” include:
- Organizations have room for improvement in prioritizing security – Bromium asked RSA conference attendees to grade their organization on its ability to prioritize security by allocating the resources it requires, but only eight percent of respondents gave their organization an A. Forty-two percent of respondents gave their organization a B, thirty-two percent of respondents gave their organization a C and 18 percent of respondents gave their organization a D. Interestingly, no respondents were willing to give their organization a failing grade.
- Firewalls and anti-virus are failing to prevent attacks – Bromium asked RSA conference attendees to grade a variety of security solutions on their ability to prevent attacks and address the priorities set by their CISO, but only firewall and anti-virus received any failing grades. Twenty percent of respondents gave firewalls a failing grade and 25 percent of respondents gave antivirus a failing grade. Among the most popular responses, 42 percent of respondents gave firewalls a B and 36 percent of respondents gave antivirus a C.
- Next-generation solutions are performing above average – Next-generation firewalls, network sandboxes, endpoint isolation, host monitoring and threat intelligence solutions all performed well. None of these solutions were given a failing grade by any respondents. Among the most popular responses, 58 percent gave next-generation firewalls a B (17 percent gave it an A), 54 percent gave advanced threat protection/network sandboxes a B (20 percent gave it an A), 64 percent gave endpoint isolation/sandboxing/host monitoring a B (17 percent gave it an A) and 44 percent gave threat intelligence a B (17 percent gave it an A).
- Information Sharing Initiatives Show Promise; Face Hurdles – Bromium asked RSA conference attendees both if their organization would benefit from information sharing initiatives, such as those outlined in President Obama’s Executive Order, as well if their organization would participate. The overwhelming majority (78 percent) said they would benefit from information sharing initiatives, but less than half (48 percent) said they would participate. There is clearly a disconnect in these results, which suggest that information security professionals are concerned about how information sharing initiatives will aggregate and anonymize their organization’s data.
It’s that time of the year again! No, not Tax Day, the release of the Verizon Data Breach Incident Report, which provides analysis of more than 79,000 security incidents and 21,000 breaches. The report itself is 70 pages long, which you can take the time to review for yourself here.
Here are some high-level statistics that you may find interesting:
- On average, across all organizations, five malware events occur every second. Of course, this may occur in spikes and some organizations will experience a much lower volume while others experience a much higher volume.
- 70-90 percent of malware samples are unique to the organization they attack, rendering signature-based detection irrelevant.
- 75 percent of attacks spread from victim zero to victim one in less than 24 hours, again rendering signature-based detection irrelevant. In fact, the vast majority of attacks only exist for 24 hours…hardly enough time for malware researchers to create and disseminate the signatures to prevent them.
To quote the report:
“Criminals haven’t been blind to the signature and hash matching techniques used by anti virus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior.”
One common theme through the report is that five sectors are being attacked more than any other. Government agencies reported 303 instances of data loss and an astronomical 50,000 security incidents. Financial services reported 277 instances of data loss and 642 security incidents. Technology companies reported 95 instances of data loss and 1,496 security incidents. Manufacturing reported 235 instances of data loss and 525 security incidents. Retail reported 164 instances of data loss and 523 security incidents.
Logically, these sectors are being attacked more than others because they hold the most valuable information. Financial services and retail maintain bank accounts and credit card numbers. Manufacturing and technology hold intellectual property. Government agencies retain state secrets. Clearly, cyber criminals follow the money, which is why it is so important to change the economics of cyber security.
In the same way that each of these sectors is attacked for the unique information it contains, there are three demographics of actors in cyber-attacks that each prefer unique attack vectors. Activists (or hacktivists) prefer to attack Web applications 61% of the time. Organized crime prefers to use malware (or crimeware) in 73 percent of its attacks. State-sponsored attacks default to cyber-espionage in 97% of attacks.
It is interesting to note that as the sophistication of the actor increases from activist to criminal to state-sponsored agent, so too does the sophistication of their attack increase from Web application disruption to malicious attacks to advanced persistent threats.
Many organizations may likely dismiss concerns of cyber-espionage, but ultimately, cyber-attacks have more in common than not. The Verizon report mentions that historically 71% of known vulnerabilities had a patch available for more than a year before a breach.
This demonstrates the challenge of patching vulnerable machines (something I have written about before). Security teams and operations teams often find themselves at odds. A poorly implemented patch can cause more harm than good, yet waiting to implement a patch leaves an organization vulnerable to attack.
The Verizon report underscores this dilemma since just 10 CVEs accounted for 97% of exploits. Clearly, information security teams should prioritize implementing critical patches to make these attacks more difficult for attackers. And yet, some of the CVEs stretch back more than a decade to 1999. There is no silver bullet when it comes to patching (unless you consider an isolation-based solution like Bromium that pro-actively protects vulnerable machines).
One last trend that I would like to highlight in the Verizon report is phishing. Verizon found that 2/3 of cyber-espionage attacks during the past two years have utilized phishing. Additionally, Verizon found that 23% of end users will open phishing emails. Finally, a phishing campaign of just 10 emails has a 90 percent chance of compromise.
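As an added worked calculation (not from the post or the Verizon report), the 90 percent figure follows from the 23 percent open rate if each recipient's decision to open is treated as independent of the others, an assumption made here for illustration:

$$P(\text{at least one of 10 recipients opens}) = 1 - (1 - 0.23)^{10} = 1 - 0.77^{10} \approx 1 - 0.073 = 0.927$$

That is, roughly a 93 percent chance of at least one open, consistent with the report's "90 percent" rounding; a campaign only needs a handful of recipients to be near-certain of a foothold.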
This resonates very closely with recent research conducted by Bromium, which determined that 23% of information security professionals believe that end user behavior with email introduces the most risk.
The Verizon report highlights the problem with end users:
“It may not be obvious at first glance, but the common denominator across the top four patterns accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns.”
Ultimately, end users remain the weakest link in the information security chain, which is why Bromium is committed to restoring trust in end user computing.
It’s been a depressing start to the year as far as breaches and malware go, and I’ve seen a worrisome trend toward “cyber-despondency” in the sentiment of many CISOs. When orgs with huge security budgets are still easily rolled and we see warnings of a “Cyber Armageddon”, what can we do?
After all, who are you to contradict Keith Alexander when he says “There are only two kinds of companies – those that have been hacked, and those that will be”? He really ought to know. Even if you detected Equation malware you’d have to destroy your PCs to get rid of it. BYOD is a joke if every call can be intercepted or if malware was installed by the device OEM.
CSO magazine says we’ve passed the cyber-tipping point. And worse still, a leading CISO, Alex Stamos of Yahoo recently declared the security market to be broken – bemoaning the point-solution nature of the vendor landscape and pointing out the failure of vendors to solve the problems they claim to.
So what are you going to do? Now is not a time for inaction or blame. On the contrary, it is time for security pros with courage to demand change – starting with your own infrastructure and IT management organization. It’s time for courage in the face of cyber-nihilism. Here’s the full piece.
News this week that the Retail Cyber Intelligence Sharing Center (R-CISC) is collaborating with the Financial Services ISAC (FS-ISAC) on its new threat intelligence portal. The R-CISC is working with the FS-ISAC to share threat information, in an attempt to improve security within their industries. The portals will remain independent, yet integrated.
According to a Dark Reading interview with Brian Engle, executive director of the R-CISC:
“[The R-CISC] evaluated a number of different platforms to help enable information-sharing for retailers…and given the stage of [R-CISC’s] maturity, and the amount of interaction with the financial services industry, we selected FS-ISAC’s portal and technology platform. Our portal rides on the same technology as the FS-ISAC’s, but there’s a separate instantiation for retail.”
The R-CISC was created in 2014 after a rash of high-profile retail breaches, including Target and Home Depot. The threat intelligence portal represents a significant upgrade for the retail industry, which had previously been sharing threat intelligence, such as indicators of compromise, through email distribution lists.
The push for threat intelligence sharing is a great initiative for the retail industry. The STIX format developed at Mitre has become a de-facto standard for threat sharing among major financial services firms during the past year. It allows an organization to share key threat data – including the addresses of remote servers used in the attack and the malware fingerprint, among other attributes – in a suitably anonymized form, without breaching confidentiality. STIX and other open threat indicator formats are of great importance because they allow sharing of information between different vendor tool-sets. Contrast this with the proprietary formats of traditional signature feeds from major anti-virus vendors, and you should realize this is a major advance for the industry.
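What "sharing the server addresses and malware fingerprint in an anonymized form" looks like on the wire, as an added example rather than any part of the R-CISC or FS-ISAC portal: one organization wraps its indicators in a STIX bundle with no identity object or `created_by_ref` attached, and a receiving organization parses the patterns back out into a blocklist its own tooling can act on. The example uses STIX 2.1 JSON, the current form of the standard (the 2015 portal would have used XML-based STIX 1.x), relies on the standard library only, and every address, hash and ID in it is constructed.

```python
"""Sharing indicators as STIX, and consuming them on the receiving side.

Added example, not Bromium's code and not part of the R-CISC/FS-ISAC portal.
It uses STIX 2.1 JSON (the current form of the standard; the 2015 portal
would have used XML-based STIX 1.x).  All addresses, hashes and IDs are
CONSTRUCTED.  Standard library only.
"""
import json
import re
import uuid
from datetime import datetime, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Pattern shapes this consumer understands: a C2 address or a file's SHA-256.
PATTERN_RE = re.compile(r"^\[(ipv4-addr:value|file:hashes\.'SHA-256') = '([^']+)'\]$")


def _timestamp() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern: str, name: str) -> dict:
    """A minimal STIX 2.1 Indicator.  No created_by_ref and no Identity object
    are attached: the sharing organization stays anonymous, only the indicator
    travels."""
    ts = _timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def build_share_bundle(c2_addresses, sha256_hashes) -> dict:
    """Producer side: wrap C2 addresses and file fingerprints in a Bundle."""
    objects = [make_indicator(f"[ipv4-addr:value = '{ip}']", f"C2 server {ip}")
               for ip in c2_addresses]
    for h in sha256_hashes:
        h = h.lower()
        if not SHA256_RE.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        objects.append(make_indicator(f"[file:hashes.'SHA-256' = '{h}']",
                                      f"Malware sample {h[:12]}"))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def extract_blocklist(bundle_json: str) -> dict:
    """Consumer side: pull the values a firewall or EDR can act on out of a
    received bundle.  Unknown pattern shapes are skipped, never guessed at."""
    bundle = json.loads(bundle_json)
    blocklist = {"ips": [], "sha256": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue
        key = "ips" if m.group(1) == "ipv4-addr:value" else "sha256"
        blocklist[key].append(m.group(2))
    return blocklist


def share_roundtrip(c2_addresses, sha256_hashes) -> dict:
    """Producer -> JSON on the wire -> consumer, in one call."""
    return extract_blocklist(json.dumps(build_share_bundle(c2_addresses, sha256_hashes)))


# Constructed sample: a TEST-NET-3 address (RFC 5737) and a dummy digest.
SAMPLE_C2 = ["203.0.113.5"]
SAMPLE_HASHES = ["ab" * 32]

if __name__ == "__main__":
    print(json.dumps(build_share_bundle(SAMPLE_C2, SAMPLE_HASHES), indent=2))
    print(share_roundtrip(SAMPLE_C2, SAMPLE_HASHES))
```

The design choice worth noting is on the consumer side: the pattern parser accepts only the two shapes it knows and ignores everything else, so a feed that starts carrying richer STIX patterns degrades to "fewer indicators" rather than to a mis-parsed blocklist.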
Kudos to the retail industry for its effort in implementing this threat intelligence initiative. Of course, the more cynical among us may believe that these threat intelligence initiatives are putting the cart ahead of the horse. Case in point, this week, MWR Infosecurity published its report, “Threat Intelligence: Collecting, Analyzing, Evaluating,” which contends:
Threat intelligence is at high risk of becoming a buzzword. With so many disparate offerings and so much pressure to be ‘doing’ threat intelligence, organisations risk investing large amounts of time and money with little positive effect on security.
However, the report does take a pragmatic approach:
However, by taking threat intelligence back to its intelligence roots and applying the same strict principles, a far more effective strategy can be devised. As is the case with traditional intelligence, tackling cyber threats demands rigorous planning, execution and evaluation. Only then can an organisation hope to target its defences effectively, increase its awareness of threats, and improve its response to potential attacks.
This is good advice. At the end of the day, the value of threat intelligence is only worth what you can do with it.