Broken Piggybank

Norsk Hydro loses an estimated NOK 300-350 million in a week after attack

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

There is still little detail on what happened when Norsk Hydro was attacked by unknown cyber criminals on March 19, but the estimated cost so far is around NOK 300-350 million. What is confirmed is that ransomware spread through their systems, encrypting files and taking down critical systems. The ransomware in question is LockerGoga, which was first seen publicly in January this year. It is not yet known how it got into Hydro's systems; they have not identified any phishing emails.

Once LockerGoga has infected a machine it locks all users out of it and starts encrypting files, which means users may not even be able to see the ransom note left on the desktop. The note contains no payment instructions or amount; instead it tells the system owner to contact the attackers by email to negotiate both.
So far this attack raises a lot of questions: the modus operandi has not been seen before, the attackers were clearly capable, and there is no clear agenda beyond the ransom itself.
You can read more about the attack and LockerGoga on Threatpost.

Top 5 Security News

THE BANK THAT CAN SLEEP WELL AT NIGHT

MedMera Bank was looking for a partner who could take responsibility for the operation of the bank’s payment flow systems and meet extremely high standards of security and availability. The choice fell on Basefarm, which since 2015 has had overall responsibility for operation of the bank’s central payment system.

When in 2015 MedMera Bank saw a need to upgrade its operations environment, it sought a supplier that could meet the very high standards of security, delivery and availability that apply in the payment world.

“We also needed a partner who was proactive and kept up with the constant development of the industry,” says Carita Weiss, CIO of MedMera Bank.

Following a long procurement and evaluation process involving several possible operations providers, the choice finally fell on Basefarm and its PCI DSS hosting platform in Sweden.

Read the whole customer case here – MedMera Bank customer case

Do you want to know more about our SOC?

Basefarm Security Operation Center

What is a security operation center and why do you need it?

Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Docker is a technology for operating-system-level virtualization. A huge number of companies and production hosts run Docker to develop, deploy and run applications inside containers.

You can interact with Docker from the terminal and also through its remote API. The remote API is a convenient way to control a Docker host: automate deployments, start and stop containers, query their state, and more. With that power comes a corresponding risk. The API is effectively root on the host (a client can start a container with the host's filesystem mounted), so if a daemon is reachable over the network without authentication, whoever finds it controls the host and can pivot from there into your network.
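The following is an added example, not code from the original post or from the Docker project: a small audit that reads a daemon's listening configuration (daemon.json and, optionally, the dockerd command line from a systemd unit) and flags a remote API that is reachable without client-certificate verification. The weak and hardened daemon.json samples are constructed for illustration; the option names used (hosts, tlsverify, tlscacert, tlscert, tlskey, and dockerd's -H/--host and --tlsverify flags) are Docker's real ones.

```python
"""Audit a Docker daemon's listening configuration for a remote API that
anyone on the network could drive.

Added example, not code from the original post or the Docker project.
The two daemon.json samples are constructed; the option names are Docker's.
"""
import json
import shlex
from typing import List, Tuple
from urllib.parse import urlsplit

DEFAULT_TCP_PORT = 2375   # dockerd's default when a tcp:// host carries no port

# Constructed sample: the weak setting.  Plaintext API on every interface;
# whoever can reach port 2375 can start a container that mounts the host's
# root filesystem, i.e. has root on the host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the corrected setting.  Bound to one management address,
# on the conventional TLS port, with mutual TLS so that only clients holding a
# certificate signed by our CA are accepted.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def parse_listeners(daemon_json: str, exec_start: str = "") -> Tuple[List[str], bool]:
    """Collect listen endpoints and the tlsverify setting from daemon.json and,
    optionally, a dockerd command line (for example a systemd ExecStart=).
    dockerd itself rejects 'hosts' given in both places; the audit merges them
    so it sees whatever an operator put in either."""
    cfg = json.loads(daemon_json) if daemon_json else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))

    argv = shlex.split(exec_start)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:      # "-Htcp://..." form
            hosts.append(arg[2:])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def audit(daemon_json: str, exec_start: str = "") -> List[Tuple[str, str]]:
    """Return (severity, message) findings for every tcp:// listener.
    unix:// and fd:// listeners are governed by file permissions, not the
    network, so they are skipped."""
    hosts, tls_verify = parse_listeners(daemon_json, exec_start)
    findings: List[Tuple[str, str]] = []
    for endpoint in hosts:
        url = urlsplit(endpoint)
        if url.scheme != "tcp":
            continue
        address = url.hostname or ""
        port = url.port or DEFAULT_TCP_PORT
        wildcard = address in ("", "0.0.0.0", "::")
        if not tls_verify:
            findings.append(("critical",
                f"{endpoint}: remote API without client-certificate verification; "
                f"any client that can reach port {port} has root-equivalent control"))
        elif wildcard:
            findings.append(("warning",
                f"{endpoint}: mutual TLS is on, but the API listens on every "
                f"interface; bind it to a management address or firewall port {port}"))
        elif port == DEFAULT_TCP_PORT:
            findings.append(("info",
                f"{endpoint}: TLS on the plaintext-convention port; 2376 is clearer"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit(cfg) or "no findings")
```

On a real host, feed `audit()` the contents of /etc/docker/daemon.json and the ExecStart line from `systemctl cat docker`; anything rated critical should be treated as an exposed root shell on that machine until fixed.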

Read more

Top 5 Security News

Backdoored GitHub accounts spewed secret sneakerbot software

RSAC 2019: TLS Markets Flourish on the Dark Web

Web Authentication: What It Is and What It Means for Passwords

Google Discloses Unpatched ‘High-Severity’ Flaw in Apple macOS Kernel

How To Spoof PDF Signatures

Password Managers Are Worth the Risk, Readers Say

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“Password managers are great. They combine security with convenience by storing all your credentials in one place, allowing you to use strong, complex passwords that you don’t have to remember.” wrote Forbes in an article last week.

Threatpost ran a reader poll that examined risk, vulnerabilities, 2FA, the human element, attitudes to spreadsheets and more when it comes to password managers.

Read more

Top 5 Security News

‘Thunderclap’ vulnerability could leave Thunderbolt computers open to attacks

Multiple threat actors are targeting Elasticsearch Clusters

In the cloud, things aren’t always what they SIEM: Microsoft rolls out AI-driven Azure Sentinel

Dow Jones Watchlist of risky businesses exposed on public server

A Second Life For The “Do Not Track” Setting – With Teeth

Security Software & Tools Tips – February 2019

In this monthly post, we try to make you aware of five different security related products.
This is a repost from my personal website Ulyaoth.

This month we have chosen for the following:
* IBM QRadar
* Snyk
* Haven
* HashiCorp Vault
* Nikto

IBM QRadar

Information from the IBM QRadar website:

QRadar Community Edition is a free version of QRadar that is based off of our core enterprise SIEM. Users, students, security professionals, and app developers are encouraged to download QRadar Community Edition to learn and become familiar with QRadar.

Website:

https://developer.ibm.com/qradar/ce/

Snyk

Information from the Snyk website:

A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.

Website:

https://snyk.io/

Haven

Information from the Haven website:

Haven is for people who need a way to protect their personal spaces and possessions without compromising their own privacy. It is an Android application that leverages on-device sensors to provide monitoring and protection of physical spaces. Haven turns any Android phone into a motion, sound, vibration and light detector, watching for unexpected guests and unwanted intruders. We designed Haven for investigative journalists, human rights defenders, and people at risk of forced disappearance to create a new kind of herd immunity. By combining the array of sensors found in any smartphone, with the world’s most secure communications technologies, like Signal and Tor, Haven prevents the worst kind of people from silencing citizens without getting caught in the act.

Website:

https://guardianproject.github.io/haven/

HashiCorp Vault

Information from the HashiCorp Vault website:

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

Website:

https://www.vaultproject.io/

Nikto

Information from the Nikto website:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Website:

https://cirt.net/Nikto2

Photo by MILKOVÍ on Unsplash

Microsoft IIS DoS, patch install not enough

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Microsoft has announced a bug in Internet Information Services (IIS) where malicious HTTP/2 requests make the server consume 100% CPU until it is restarted. Microsoft has published updates that let an IIS administrator mitigate the vulnerability, but they set no default values for the thresholds in question, so installing the update on its own is not enough: it only makes the threshold settings available, it does not set them. The accompanying advisory (ADV190005) describes the two registry values, Http2MaxSettingsPerFrame and Http2MaxSettingsPerMinute under the HTTP service's Parameters key, that cap how many HTTP/2 SETTINGS parameters a client may send per frame and per minute; an administrator has to create and set them before the protection takes effect. Fortunately this is an attack on availability only, a Denial of Service (DoS), so you will notice when you are under attack and when it is over. It does not affect the confidentiality of stored data or the integrity of the published website.

Read more

Top 5 Security News


SECURE PAYMENTS WITH PAYEX

Why PayEx chose Basefarm to help build and run their PCI DSS operational platform

PayEx needed to design, build and run their state-of-the-art Nordic payment solution with robustness, flexibility and cost efficiency. The platform needed to be PCI DSS compliant, as it exchanges, processes and stores huge amounts of card data and financial information. The solution is mission critical, and margins and reputation are built over time by delivering payment services with high quality, competence and value. They needed a secure and stable environment and a partner with solid systems for operations and interaction, as well as an "advisor" on technology.

Basefarm designed the platform in close collaboration with PayEx. Since the PCI solution went live in the summer of 2011, it has now passed 300 million transactions with excellent performance, peaking at around 1.3 million transactions per day. PayEx use Basefarm actively and proactively in decision-making regarding the environment and other challenges related to technology.

Read the whole customer case here

Read more about PCI DSS AS A SERVICE

8 security trends 2019

True to tradition, Basefarm's Head of Security Operations has looked deep into his crystal ball to see what the new year holds. Here are 8 security trends to look out for in 2019.

1. Workforce gap necessitates different solutions

According to the (ISC)2 organisation, we have a shortage of three million cybersecurity professionals. Without the shortfall, the organisation’s 138,000 membership would be even larger. Europe alone has a workforce gap of 147,000. The shortfall calls for a different approach to meeting security needs, for example, through competence-sharing with other enterprises or security operations centres (SOC).

2. DDoS attacks are becoming less common but more powerful

Distributed Denial of Service (DDoS) attacks are a major worry. Initially this type of attack was pure sabotage, but nowadays it is often a means to an end: leverage for extortion, or cover while important data is stolen and the victim blackmailed. The trend among perpetrators is not to spread their efforts widely, but to focus their attacks more aggressively on fewer targets.

3. Cryptojacking less risky for the attackers than DDoS

The downside for the bad guys of DDoS and many other cyberattacks is the risk of discovery. For this reason, many are turning to cryptojacking instead. Cryptojacking involves infiltrating a large number of computers in order to “mine” cryptocurrency. It is a quick way for cybercriminals to earn money, by getting thousands of computers to work for them for free. There’s no obvious damage done and many people are scarcely aware of the extra processing power and electricity used. If the victims discover the intrusion, they will often just be content to block access.

4. IoT made for trouble

The security issues linked to IoT are not new, but the trend is from bad to worse. This is caused, in simple terms, by a steep rise in sales of IoT gizmos. Not only are unit sales increasing, but more manufacturers are also trying to join in the fun. Not all of them take security as seriously as the established big brands. The key concerns here are configuration errors, default passwords and a lack of upgrade options.

5. And you thought GDPR was strict? Now NIS is on the way

GDPR requires a data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, and affected individuals to be notified without undue delay where the breach puts them at high risk. Looking the other way and detecting nothing is not a solution. Businesses therefore need to monitor infrastructure and logs using an in-house or external SIRT (Security Incident Response Team). In certain sectors, breach reporting needs to be done within 24 hours. Key aspects of the NIS Directive apply from November 2018. A lot of businesses will need to get their heads round this.

6. Safer in an unlit back alley than online

According to the UK’s Office for National Statistics, you are 30 times more likely to be robbed online than in ‘real’ life. With people’s purses and wallets containing little more than easily blocked credit cards, street robbery is going out of fashion. Money is moving over to cyberspace, with the thieves hot on its tail.

7. Decryption is sneaking up from down under

The Australian Anti-Encryption Bill was passed on 6 December 2018 and comes into force early in 2019. Under the legislation, law enforcement authorities can oblige tech giants like Google, Facebook, WhatsApp, Amazon and Microsoft to grant them access to encrypted data. The measures include removing electronic protection, installing existing decryption software and developing new software. Serious financial penalties await non-compliant companies.

8. IT pros and the white hats strike back

Some of the largest and best-known breaches have come down to sloppy IT practices. The black hat hackers are becoming more sophisticated, but so are the white hats and other infosec professionals. Measures that go a long way towards protecting enterprises include scanning applications and fixing the vulnerabilities found, two-factor/multi-factor authentication, unique user names and long passwords, prompt patching and installation of security updates, and keeping users' curiosity about odd-looking emails in check.

SEE ALSO: Star Wars – good versus evil – white hats against black hats.

Author: Fredrik Svantes, Senior Information Security Manager, Basefarm

Fredrik Svantes is the Head of the Basefarm Security Operations department and has also led the Basefarm Security Incident Response Team for the past seven years. Previously he has worked for companies such as Blizzard Entertainment, doing detective work on logs for massive online platforms running games such as World of Warcraft. Blog: http://bfblogg.wpengine.com . Twitter: @fredriksvantes .

Multi-factor authentication time?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

With billions of user credentials being freely distributed online it’s high time to implement multi-factor authentication as the default way to authenticate.

Wired has written an article about the magnitude of leaks:

“Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all.”

Read more

Top 5 Security News

How to improve control and save cost with Service Organization Controls (SOC) reports.

All types of outsourcing of IT services, whether it’s to a local service provider or a global hyperscale cloud provider, have this in common: You can outsource a business process, but you cannot outsource the ownership of your business’s risk.

That is why most companies that outsource must find ways to ensure their service providers perform according to the rules, standards and laws that the business is subject to.

Traditionally, the way this works is that the companies include “right-to-audit” clauses in their contracts with the service providers. And then, typically once a year, this right is exercised, by having IT auditors visiting the service provider to have a closer look at their set-up, the services they provide, the sites, infrastructure, operational processes, system support and people.

In today’s hybrid, complex and distributed IT world, on-site audits are only able to focus on a very limited set of controls, or they will be extremely time-consuming and expensive. As the contracting party, you normally must cover expenses for IT auditors, your own staff that spends time on preparing, attending and interpreting findings, as well as paying your service provider for the time they spend.

Most of the time, due to time and cost constraints, such audits only scratch the surface at the service provider.

So, what should you do to satisfy your own or your auditor’s need to get assurance that the services are provided in accordance with your security requirements, and with a quality of service that reduces your risk?

Let us introduce Third Party Attestation Reporting (SOC reports)

What is it?

Service Organization Controls (SOC) reports are prepared and issued by an independent auditing company and include descriptions of the service organization's internal security controls, as well as the auditor's assessment of the suitability and effectiveness of those controls. The full and unedited reports are distributed to the service organization's customers and their auditors.

Report types and intended use

There are several types of reporting standards:

  • ISAE3402 / SOC1. This primarily covers internal controls relevant to financial reporting, with compliance with laws and regulations as its purpose. The intended users of these reports are the customer's management and their auditors.
  • SOC2. This reports on internal controls related to security, availability and confidentiality (the Trust Services Criteria, which also cover processing integrity and privacy). For each of these domains the criteria are predefined by the standard. Intended users are the customer's management, information security managers and regulators.
  • SOC3. These are less detailed reports, usually an executive summary of a SOC2 report. As they disclose fewer details, they are typically made generally available, for instance through the service provider's website.

SOC1 and SOC2 both come in Type I and Type II.

Type I will be point-in-time based, as they only focus on how the security controls have been defined and implemented by the service organization, at the time of the audit.

Type II reports, however, assess and validate both the suitability of the controls (that they are defined and implemented in a way that meets the control objectives) and their effectiveness (that they are consistently applied by the service organization). To prove the latter, the auditor performs randomized sampling and collects evidence from the entire reporting period, typically one calendar year.

What makes this different from ISO certifications?

There is a great deal of overlap between the information security management standard ISO 27001 and SOC attestation reports. The ISO standard, however, allows companies to define their own scope and their own benchmarks (security policies and goals). So before accepting a service provider's ISO 27001 certification as evidence that the provider fulfils your security requirements, you at least need to understand the scope and the security policies the certification is based on, and check that they match your needs.

ISO audit reports are generally not available to other than the audited party. Customers may be provided the actual certificate, perhaps a copy of the security policies, and a document explaining the scope of the audited management system, but organizations are usually not allowed to distribute the full audit report.

For an ISAE3402 or SOC2 report however, you can get full insight into all parts of the very comprehensive reports. The reports among other things include both the organizations management statements and descriptions of their security controls, as well as the independent auditors test procedures, test results and findings.

Note that a SOC report is not a certification as such, but rather a compliance report produced by an independent auditor.

The main benefits

Getting the appropriate SOC report from your service provider gives you the following benefits:

  • Save cost on performing your own audits. Such audits will no longer be required, or will at least need to have a much-decreased scope
  • Get the full picture. As the reports will be based on samples from the full (12 months) reporting period, these reports will cover a lot more than you will be able to assess in customer specific audits
  • Leverage these reports in your own audit and reporting. As these reports are based on internationally recognized standards, your auditors can easily make use of them directly
  • Get insight into your service providers security controls. The reports include the service provider’s description of the control environment, processes and the individual controls
  • Get a verification on the control effectiveness. This will enable you to assess if the service provider’s regular control effectiveness is satisfactory, and where you should focus your improvement efforts.

Win-Win strategy

Even the service provider will benefit from this, as the number of audits will be reduced, and the actual auditing more coordinated and efficient. This eventually should result in lower compliance cost, which should benefit all parties.

The next time you are reviewing the security compliance of your service provider, or the next time you select an outsourcing partner, check whether you can get access to their SOC reports. That will give you better control at a lower cost. That is what we all want, right?

Find out more about Service Organization Controls HERE


Esten Hoel is our SVP Security and Compliance and is part of the Basefarm management team. He has a long history in the IT industry, but has also worked in mobile communications and for the Winter Olympics in Lillehammer in 1994. He is passionate about transforming security to support people and organizations, and he believes that policies, technology and processes are here to help, not to stop organizations, and to enable innovation. His motto is "systematic work always works".

Esten Hoel, SVP Security and Compliance, Basefarm