A Risk-Based Approach to Rating and Correcting Individual Cyberrisk

LAS VEGAS—At this week’s Black Hat conference, some information security professionals turned to a key issue to control enterprise-wide cyberrisk: hacking humans. As phishing continues to be one of the top threats for businesses, hackers and security professionals here continue to try and make sense of why this threat vector is so successful and how to better defend against these attacks.

In a session called “Blunting the Phisher’s Spear: A risk-based approach for defining user training and awarding administrative privileges,” Professor Arun Vishwanath presented some of his research on the “people problem” of cybersecurity, proposing a new model for quantifying the cyberrisk posed by individuals within the enterprise and tailoring training to best mitigate the risk they pose. While many corporate training programs stage fake phishing emails and then lecture those who fail, he said, this model continues to be ineffective, as proven by the increase in these attacks and their efficacy across all industries. People are not the problem, Vishwanath asserted, rather it is in our understanding of people.

Vishwanath and his colleagues have come up with a model to explain how users think, the Suspicion, Cognition, Automaticity Model (SCAM). Faulty ideas about cybersecurity practices, popular myths and other irrational beliefs lead to illogical and unsafe practices. Automatic behaviors also play a significant role in risky behavior, particularly with mobile devices and the ritualistic checking of email – users open messages mindlessly and get so used to clicking links, downloading files or entering credentials that they do not really factor logic into these decisions.

Based on this model of why individuals act in risky ways, he recommends developing a Cyber Risk Index (CRI) based on a short, 40-question survey given to individual employees to evaluate the cyberrisk they specifically pose, which can also be aggregated across divisions, sectors and organizations. As the results highlight different areas of weakness that lead to the employee’s risky behaviors, the CRI can dictate the best ways to that individual and mitigate the risk.
phishing risk training What’s more, this quantitative score of individual cyber hygiene can be used to track changes in risk posture over time and to improve current decision processes regarding privileged access to the organization’s systems to better control data at risk.

Check out Dr. Vishwanath’s whitepaper for more on this approach.

Information Security Teams Drastically Underfunded, Understaffed

LAS VEGAS—As the information security industry’s hackers, IT professionals, technology developers and even Hillary Clinton’s campaign descend on Las Vegas for this year’s Black Hat conference, Black Hat has released the results of a survey from last year’s convention, offering an insider’s look at the state of cyberrisk. The report offers a failing report card for current investment on cyberrisk and some key feedback for the C-suite about current risk exposure.

The Rising Tide of Cybersecurity Concern is the second annual Black Hat attendee survey. Last year’s results included the alarming findings that 72% of respondents felt it likely that their organizations would have to deal with a major data breach in the year ahead, while approximately two-thirds of respondents said they did not have enough staff, budget, or training to meet those challenges.

Unfortunately, these top security experts have only grown more concerned. As cyberrisks proliferate – and attention from the C-suite increases – 15% “have no doubt” they will have to respond to a major security breach in the next year, with another 25% considering it highly likely and 32% calling it somewhat likely.

Yet information security teams are not getting the funding, staffing or training they need to combat this top risk. Only 26% of those polled said they have enough staff to simply defend against current threats. Black Hat reports some 63% of security professionals say their departments do not have enough budget to defend their organizations against current threats, with 20% saying they are “severely hampered” by a lack of funding.

The training critical to effectively managing evolving cyberrisks also presents a considerable concern for many security professionals. Two-thirds of respondents said they feel they do not have enough training and skills they need to perform all of the tasks for which they are responsible — up from 64% last year. Ten percent of respondents said they feel “ill-prepared” for many of the threats and tasks they face each day.

Experts considered the top new cyberrisks:

blck hat enterprise security

The weakest links in enterprise security:

When asked why security initiatives fail, some 37% of respondents (a plurality) pointed toward this shortage of qualified people and skills, with a lack of commitment and support from top management the second-most frequently cited response at 22%.

blck hat enterprise security

“Organizational priorities such as compliance and risk measurement consistently reduce the time/budget available for security professionals to resolve issues they consider the most critical,” Black Hat noted. “These pressing issues include targeted attacks, social engineering, and internal application security troubleshooting. Although the 2015 report revealed this trend, rather than a reverse in expenditure behavior, the issue has continued to increase.”

Additional findings from the survey include:

  • 37% see the re-emergence of ransomware as the greatest new threat to appear in the last 12 months
  • The attacker that 36% of security professionals fear most is the one with internal knowledge of the organization
  • While the emergence of the Internet of Things (IoT) has garnered much attention in recent years, only 9% of those surveyed are currently concerned with IoT security. However, 28% believe this will be a concern two years from now. This ranking has not altered since 2015.

Miller and Valasek Show the Real-World Impact Hackers Can Have

Charlie Miller and Chris Valasek at Black Hat USA 2015Photo: Black Hat USA 2015

LAS VEGAS—At Black Hat 2015, Charlie Miller and Chris Valasek gave one of the most highly anticipated and best-attended presentations, even far beyond the elite infosecurity experts gathered here this week. The already notable duo of hackers made international headlines two weeks ago when they demonstrated more than a year’s worth of work figuring out how to hack into and remotely control unaltered cars—and used Wired reporter Andy Greenberg as their test driver.

Greenberg’s article and video of the test paint a compelling portrait of just what Miller and Valasek’s hack means in practice. “As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission,” Greenberg wrote. “Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed down to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

From a couch in Miller’s basement 10 miles away, they were able to seize control of the Jeep, and their methods could be applied to any car operating the same technology: Uconnect, an internet-connected computer feature in hundreds of thousands of cars that controls the entertainment and navigation systems, enables phone calls and, with a subscription purchase, offers a Wi-Fi hotspot. The hackers’ exploit can also be used for surveillance, using the Jeep’s GPS to track location to measure speed, and even drops pins on a map at regular intervals to trace its route. And, because of the system’s cellular connection, this can be done on any car from anywhere with access to the same cellular network (Sprint) as long as hackers know the car’s IP address.

In the wake of the Wired article, Sprint has blocked the kind of phone to car traffic and car to car traffic that facilitates remote hacking. What’s more, Fiat Chrysler announced the recall of 1.4 million cars and trucks that could be vulnerable to hacking—more than three times as many as the pair originally estimated may be at risk. Miller and Valasek approached the company with their findings as early as 2014, and said the automaker was responsive to their report. Unauthorized remote access was blocked with a network-level improvement, the company announced shortly after Greenberg’s article went to print. In addition to the recall to update software in the infotainment system, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.

And lest anyone still question the impact hackers can have on a business’s bottom line, as they were only too happy to point out, here’s a look at Chrysler’s stock from a week before to a week after the Wired story:

chrysler stock

Part of their aim was to increase consumer awareness and provoke greater scrutiny of technology they are being told is safe. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller told Wired. “This might be the kind of software bug most likely to kill someone.” Their research has already effected concrete change beyond the cars recalled. Partially spurred by the team’s earlier demonstrations in the arena, Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut introduced legislation on July 21 that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy. The bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements, Bloomberg reported. “Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car,” Markey said in a statement to Wired. “Drivers shouldn’t have to choose between being connected and being protected…We need clear rules of the road that protect cars from hackers and American families from data trackers.”

Miller and Valasek have done a lot more than present a frightening demonstration of just how vulnerable so many cars are, and it involves everyone here at Black Hat. In their presentation, Valasek opened with a blunt public service announcement: Please stop saying anything is “unhackable,” because you are wrong and you are just going to look silly. Proving that took more than a year of meticulous work, much of which could not be easily reproduced and applied any time soon, but they did prove it, and in doing so, they prompted the first formal safety campaign in response to a cybersecurity threat. That may be the biggest impact, he told the audience: “Hackers did something, fiscal change happened and it wasn’t in infosec—it was in the real world.”

The Rise of Malvertising

malvertising cyber security

LAS VEGAS—One of the hottest topics in cyberthreat detection right now is the rise of malvertising, online advertising with hidden malware that is distributed through legitimate ad networks and websites. On Monday, Yahoo! acknowledged that one of these attacks had been abusing their ad network since July 28—potentially the biggest single attacks, given the site’s 6.9 billion monthly visits, security software firm Malwarebytes reported.

In the first half of this year the number of malvertisements has jumped 260% compared to the same period in 2014, according a new study released at the Black Hat USA conference here today by enterprise digital footprint security company RiskIQ. The sheer number of unique malvertisements has climbed 60% year over year.

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, RiskIQ’s director of research. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

How does malvertising work—and why is it taking off right now? “The rise of programmatic advertising, which relies on software instead of humans to purchase digital ads, has generated unprecedented growth and introduced sophisticated targeting into digital ad networks,” the company explained. “This machine-to-machine ecosystem has also created opportunities for cyber criminals to exploit display advertising to distribute malware. For example, malicious code can be hidden within an ad, executables can be embedded on a webpage, or bundled within software downloads.”

The study also noted that, in 2014, there was significantly more exploit kit activity (which silently installs malware without end user intervention) than fake software updates that require user consent. In 2015, however, fake software updates have surpassed exploit kits as the most common technique for installing malware. Fake Flash updates have replaced fake antivirus and fake Java updates as the most common method used to lure victims into installing various forms of malware including ransomware, spyware and adware.

Last week, enterprise security firm Bromium also released a new study focused on the rising threat of malvertising, finding that these Flash exploits have increased 60% in the past six months and the growth of ransomware families has doubled every year since 2013.

“For the last couple of years, Internet Explorer was the source of the most exploits, but before that it was Java, and now it is Flash; what we are witnessing is that security risk is a constant, but it is only the name that changes,” said Rahul Kashyup, senior vice president and chief security architect at Bromium. “Hackers continue to innovate new exploits, new evasion techniques and even new forms of malware—recently ransomware—preying on the most popular websites and commonly used software.”

One of the riskiest aspects of these exploits is that users do not have to be accessing sites that seem remotely suspect to be exposed. According to Bromium’s research, more than 58% of malvertisments were delivered through news websites (32%) and entertainment websites (26%). Notable websites unknowingly hosting malvertising included cbsnews.com, nbcsports.com, weather.com, boston.com and viralnova.com, the firm reported.

With that in mind, IT and cybersecurity teams have to adapt to meet these new threats, which are evolving far faster than detection tools, including antivirus, behavioral analysis, network intrusion detection, and the basic safe browsing guidelines issued to employees regarding their use of work devices.

“The key takeaway from this report is that, at large, the Internet is increasingly becoming ‘untrustworthy.’ Attackers are now using popular websites to launch malware via online ads, which makes things difficult for IT security teams,” explained Rahul Kashyup, SVP and chief security architect at Bromium. “This risk should be well understood and factored in for any organization while building a ‘defense-in-depth’ security stack. Regular patching and updates definitely help to limit the exposure to potential attacks, but that might not be feasible for large organizations. It is advisable to evaluate non-signature based technologies that can thwart such attacks in a reliable way and prevent infections on end-user devices.”

According to Bromium, the websites that most frequently serve as malvertising attack sources are:

malvertising attack sources