
Security Bulletin February 2018

Contents

1 Which CISO ‘Tribe’ Do You Belong To?
2 WPA3 Wi-Fi Standard Announced
3 Almost All CPUs are Vulnerable to Meltdown and Spectre Flaws
4 Maersk Reinstalled 45,000 PCs & 4,000 Servers to Recover From NotPetya Attack
5 What’s Next in IT Outsourcing?

February 2018


1 Which CISO ‘Tribe’ Do You Belong To?

New research from Synopsys, in its inaugural CISO Report, categorizes CISOs into four distinct groups based on factors related to workforce, governance, and security controls. If you're a CISO or another level of security manager, the research predicts you will fall squarely into one of four "tribes" depending on the nature of your role and how the overall organization approaches cybersecurity. Each tribe has a different approach to serving as a CISO. This is the crux of the inaugural CISO Report published today by Synopsys. The research spanned two years and involved 25 interviews with CISOs at companies including ADP, Bank of America, Cisco, Facebook, Goldman Sachs, JPMorgan Chase, Starbucks, and US Bank. The driving idea was to learn how individual CISOs perform compared with one another, what CISOs actually do all day, and how their work is organized and executed.

Gary McGraw, Vice President of Security Technology at Synopsys.

There is no universal blueprint for the CISO, but there are common factors researchers used as a basis for comparison among the CISOs they interviewed. These included workforce (organization structure, management, staff), governance (metrics, budget, projects), and controls (framework, vulnerability management, vendors). The three domains helped organize results. Based on the data collected, researchers identified four groups of CISOs:

• Tribe 1: Security as an Enabler

• Tribe 2: Security as Technology

• Tribe 3: Security as Compliance

• Tribe 4: Security as a Cost Center

The tribe is an assignment that's not just for an individual, it applies both to the CISO and the firm they're in. A CISO's tribe is determined by 18 “discriminators," or factors used to tease CISOs apart. These include CISO-board relations and program management.

The Liquid Security Maturity Review

By providing a structured approach, based on expert analysis of your organisation, we provide a clear and accurate review of where you are now, allowing you to build a highly effective cyber security strategy for the future.

Our Security Maturity Review (SMR) is a proven first step in helping you understand where you stand in the spectrum of security maturity, and provides the perfect platform for building a long-term strategy of effective cyber protection.

The SMR was built with the client’s internal security strategy in mind, and it is designed to be an external & expert pair of eyes assisting an organisation’s security.

https://liquidit.nz/cyber-security/security-assessment/

1 Which CISO ‘Tribe’ Do You Belong To? (Cont.)

Tribe one is the objective tribe in a sense, effectively asserting that the board understands security and the firm as a whole knows security is important. Every business unit is aligned properly with security, because security is part of the way the firm does business. In these organisations, the CISO is the highest-level executive under the CEO. Security is business-centric; every division thinks about computer security and security is part of everybody's job. The enterprise focus and CISO role as a senior executive set this group apart.

Figure 1 – Four categories of CISOs

On the other side of the spectrum, tribe four CISOs are often overwhelmed and under-resourced. They don't really create budgets, and sometimes they don't request budgets. They just get given budgets. They are often middle-management professionals who are not called CISOs but perhaps "director of IT security" or a similar title, and their firms are relatively new to cybersecurity and haven't yet begun to prioritize it. Knowing your tribe can help change your tribe, a process that requires a shift in business strategy and leadership. The CISO Project report emphasizes the importance of identifying and managing risk, developing and retaining the right talent, and establishing middle management to serve as a gateway from entry-level security roles up to the C-Suite.

Free Security Scan

Your corporate network offers access to valuable and sensitive information. This is information that must never fall into the wrong hands.

Can you be sure there aren’t any hidden “surprises” threatening your most precious data assets? No stealthy malware, back doors, data leaks or other security vulnerabilities?

Don’t be caught unprepared. Uncover potential risks on your enterprise network. This is a FREE deep packet inspection of the traffic within your organisation.

https://liquidit.nz/cyber-security/security-assessment/

2 WPA3 Wi-Fi Standard Announced

People say "one step back is two steps forward." Well, Belgian security researcher Mathy Vanhoef gave the WiFi Protected Access (WPA) standard a huge step back last year when he disclosed details about KRACK, a vulnerability in the WPA2 WiFi protocol used by billions of devices. The step forward came today when the WiFi Alliance, the organization that decides WiFi standards, published the first details about the upcoming WPA3 WiFi protocol. A first official draft of the WPA3 WiFi authentication protocol will be available later this year, but the WiFi Alliance teased four major features today that users and hardware vendors should look forward to in the new standard.

At least four new features are expected in WPA3. The first is protection against brute-force attacks: the WiFi authentication process is blocked after several failed login attempts. This is a basic feature found in many web or software authentication systems and makes perfect sense for WiFi networks, which are most often subject to dictionary brute-force attacks. The second is the ability to use nearby WiFi-enabled devices as the configuration panel for other devices. For example, a user will be able to use a phone or tablet to configure the WPA3 options of another device that doesn't have a screen, such as tiny IoT equipment like smart locks, smart light bulbs, and others. The third and fourth features are related to the encryption capabilities included in WPA3. The third is "individualized data encryption," a feature that encrypts connections between each device and the router or access point, and the fourth is an improved cryptographic standard that the WiFi Alliance described as "a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, [which] will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial."

Kevin Robinson, Vice President of marketing for the Wi-Fi Alliance.

More details besides these generic descriptions are expected later in 2018.

Why is WPA3 such a big deal?

Well, if you go past the benefits that it provides over WPA2, it will be the standard that manufacturers will have to meet to use the Wi-Fi logo on their devices. That's pretty much a must-have these days, as we rarely see modern tech arrive without an option to connect wirelessly.

The updated standard can't arrive fast enough. Just last year, it was discovered that a major vulnerability in WPA2 and WPA dubbed KRACK—Key Reinstallation Attack—could allow attackers to snoop on what is supposed to be encrypted traffic exchanged between computers and wireless access points.

Obviously that's not good.

3 Almost All CPUs are Vulnerable to Meltdown and Spectre Flaws

Google has just published details on two vulnerabilities named Meltdown and Spectre that, in the company's assessment, affect every computer processor released since 1995. Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.

Figure 2 – The critical vulnerability “Meltdown”

Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

1. Am I affected by the vulnerability?

Most certainly, yes.

2. Can I detect if someone has exploited Meltdown or Spectre against me?

Probably not. The exploitation does not leave any traces in traditional log files.

3. Can my antivirus detect or block this attack?

While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
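Since exploitation leaves no trace in the logs, the check a host owner can actually run is whether the operating system's Meltdown/Spectre mitigations are in place. The script below is an added example and not part of the bulletin; it assumes a Linux kernel that exposes the /sys/devices/system/cpu/vulnerabilities/ files (added with the January 2018 fixes), and the VULN_DIR override and the two function names are my own.

```shell
#!/bin/sh
# Added example, not from the bulletin: ask the Linux kernel which Meltdown/
# Spectre mitigations it is running. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/; older kernels have no such
# directory and the script says so instead of guessing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one sysfs status line to a short verdict:
#   "Not affected"     -> not-affected  (this CPU/kernel combination is immune)
#   "Mitigation: ..."  -> mitigated     (a kernel workaround is active)
#   "Vulnerable..."    -> vulnerable    (no mitigation, or an incomplete one)
#   anything else      -> unknown       (new or unexpected wording)
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print one line per entry in the directory, e.g.
#   meltdown: mitigated (Mitigation: PTI)
# Return 1 if any entry is still vulnerable, 2 if the directory is missing,
# 0 otherwise, so the function can drive a monitoring check or a build gate.
report_vulnerabilities() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel predates the sysfs vulnerability interface"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f" 2>/dev/null) || continue
        verdict=$(classify_status "$status")
        printf '%s: %s (%s)\n' "$name" "$verdict" "$status"
        if [ "$verdict" = "vulnerable" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: report on the live system; the exit status is the verdict.
if [ -z "$SKIP_LIVE_CHECK" ]; then
    report_vulnerabilities "$VULN_DIR"
fi
```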

3 Almost All CPUs are Vulnerable to Meltdown and Spectre Flaws (Cont.)

Google says it chose the Meltdown codename because "the bug basically melts security boundaries which are normally enforced by the hardware."

Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

Figure 3 – The critical vulnerability “Spectre”

The actual flaws reside in a technique called "speculative execution" that is employed by all modern CPUs. This is a basic optimization technique that processors employ to carry out computations for data they "speculate" may be useful in the future. The purpose of speculative execution is to prepare computational results and have them ready if they're ever needed. If an application does not need the "speculated" data, the CPU just disregards it. Google says that researchers discovered a way to use speculative execution to read data from the CPU's memory that should not have been available to user-level apps.

• Meltdown (CVE-2017-5754)

• Spectre (CVE-2017-5753 and CVE-2017-5715)

While the likes of Google, Microsoft and chip manufacturers scramble to fix the Spectre and Meltdown vulnerabilities, hackers have been working on fake patches, riddled with malware and distributed via dubious websites claiming to be supported by security authorities.

The download is called Intel-AMD-SecurityPatch-10-1-v1.exe - a filename that looks pretty legitimate, but when users install it onto their computer, they'll find it's actually laced with the Smoke Loader malware, which makes the computer connect to a set of domains, send them encrypted information and fetch additional payloads.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular example is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

4 Maersk Reinstalled 45,000 PCs, 4,000 Servers to Recover From NotPetya Attack

The world's largest container shipping company, A.P. Møller-Maersk, said it recovered from the NotPetya ransomware incident by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017. By all accounts, this is a monumental effort from Maersk's IT staff, equivalent to installing a new infrastructure from the ground up. These new details came to light in January 2018, while Jim Hagemann Snabe, Chairman of A.P. Møller-Maersk, participated in a panel on securing the future of cyberspace at the World Economic Forum held in Davos, Switzerland. The incident Snabe was referencing is the NotPetya ransomware outbreak that hit companies around the world.

Jim Hagemann Snabe, Chairman of A.P. Møller-Maersk.

Snabe also said his company estimated the damages caused by NotPetya at between $250 and $300 million. This is also the damage figure that US pharmaceutics giant Merck and US-based international courier service FedEx put on the NotPetya aftermath. It was an important wake-up call: the company had been basically average when it came to cyber-security, like many companies, and this was a wake-up call to become not just good, but to have a plan for a situation where the ability to manage cyber-security becomes a competitive advantage. In the subsequent discussions, Snabe also urged fellow Davos World Economic Forum participants to focus on securing cyberspace. Ukrainian officials didn't mince words or time blaming NotPetya on Russia, and recently even the CIA officially blamed the Russian military's GRU GTsST, or Main Center for Special Technology, as the source of the NotPetya ransomware, in a classified report seen by Washington Post reporters.


NotPetya Explained

NotPetya is a cyber weapon and a dreaded virus that attacked thousands of computers around the globe and wiped everything off their disks.

Initially, NotPetya was believed to be ransomware, but the source code revealed that it was only masquerading as ransomware, and there is no way users would be able to recover their files.

NotPetya spreads on its own. The original Petya required the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya exploits several different methods to spread without human intervention.

The name NotPetya comes from the fact that the malware shares code with the ransomware known as Petya.

5 What’s Next in IT Outsourcing?

As more companies consider service providers an extension of their own enterprise, an increasing number are choosing to outsource business functions to trusted partners, especially when it comes to information technology. Here are some trends that will come to the forefront over the coming year, including a growing emphasis on partnerships and a heightened demand for specialization in emerging technologies like IoT and AI.

1. Traditional captive centers will decrease

2. Partnerships will become more critical

3. The growth of emerging tech will increase

4. Companies will focus more on value and less on cost

5. The IT skill shortage will intensify

6. The demand for “soft skills” will rise

Beginning in 2016 and continuing last year, hiring skilled IT workers has become increasingly difficult. In 2018 this trend will almost certainly continue, as most businesses are becoming increasingly technology driven, or at least technology enabled, and require a growing number of qualified IT resources. IT professionals with specialized skills will be even more difficult to find, and infrastructure and network resources will be in high demand as well. Outsourcing could see significantly increased adoption rates through 2018 and 2019, as rising salaries and skill scarcity increase the attractiveness of working with outsourcing partners to cover many organizations’ IT skills shortage. Today’s customers are highly educated and fully aware of any failures associated with outsourcing. This, combined with the need to deliver IT solutions on time, will increase the need to provide better value to clients, with transparency. In the process, there will be a fundamental shift in focus from ‘cost of the services’ to ‘value of those services’.


All of our IT services are delivered from a security-led perspective.

We see IT differently. Fluid not stuck. Future not legacy. Personal not corporate.

Liquid IT | Floor 4, 56 Victoria St, Wellington 6011, PO Box 9410

www.liquidit.nz

All of Government Connectivity and Security Related Services

Further to our announcement on 18th October last year about being welcomed on to the Security and Related Services Panel by DIA, we can now announce that Liquid have been selected as one of the Telecommunications as a Service (TaaS) providers to deliver a range of Managed Security services and Connectivity services to government agencies. Visit the TaaS supplier directory for further detail or contact us at any time.

Liquid offer a clear alternative to other integrators:

• We will always be focused on you and your business outcomes.

• We are small enough to be agile and to deliver quickly.

• We have developed services that provide a low barrier of entry to Government agencies.

• We will always strive to deliver greater value through continually innovating our services for our clients.