Monthly Archives: December 2015

Charles Leaver – LastPass Breaches Provide 4 Valuable Lessons And The Need For Behavior Analytics

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

LastPass Breaches Have 4 Lessons Everybody Can Learn From

Password management firm LastPass suffered data breaches in 2011 and then again in 2015. Experts recommend password managers, because strong passwords that are unique to each account are not feasible to remember without some organized help. But putting all of one's eggs in a single basket, and then having millions of users put their egg baskets into one mega-basket, creates an irresistible target for cyber criminals of every kind. Cryptography experts who have studied the recent LastPass breach appear cautiously optimistic that serious damage has been averted, but there are still important lessons to draw from the episode:

1. There Is No Perfect Authentication, There Is No Perfect Security

Any skilled, patient and determined adversary will eventually breach any practical cyber defenses, even if yours is a cyber defense business. Sadly, for many businesses today it does not take much skill or patience to breach their patchwork defenses and penetrate their vast, porous perimeters. Compromise of user credentials, even those of highly privileged domain administrators, is also quite common. Again sadly, many businesses still rely on single-factor password authentication, which simply invites widespread compromise of sensitive data. But even multi-factor authentication can be breached, as the 2011 compromise of RSA SecurID tokens showed.

2. Use Situational Awareness When Defenses Are Breached

Once attackers have breached your defenses, the clock is ticking on your detection, containment and remediation of the incident. Industry data suggests this clock has a long time to tick, typically many days, before awareness sets in. By that time the attackers have pwned your digital assets and picked your corporate carcass clean. Effective situational awareness is essential if this all-too-frequent disaster is to be averted.

3. Comprehensive Situational Awareness Fuses Network And Endpoint Contexts

In the recent LastPass incident, detection was accomplished through analysis of network traffic in server logs. The attacker dwell time before detection was not disclosed. Network anomalies are not always the fastest way to recognize an attack in progress. A fusion of network and endpoint context provides a much better decision basis than either context alone. For example, being able to correlate network flow data with the identity of the originating process can shed much more light on a potential intrusion. A suspicious network contact by a new executable with a poor reputation is far more telling when the two signals are taken together than when either is analyzed on its own.
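The fusion described above, as an added example that is not Ziften's code nor anything from the LastPass investigation: a flow record is joined to the endpoint's socket log on (host, source port, time window) so each connection can be attributed to the process that opened it, and an alert is raised only when the network side (external destination on an odd port, or a large upload) and the endpoint side (a binary that is rare across the fleet, or running from a temp directory) are both suspicious. The record layouts, the prevalence table, the thresholds and all sample records are constructed assumptions.

```python
"""Fuse network flow records with endpoint process context (added example).

The record formats, field names, thresholds and prevalence table are
assumptions for this example; every sample record is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds of the first packet
    host: str        # endpoint that originated the flow
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class SocketEvent:
    ts: int          # epoch seconds when the socket was opened
    host: str
    src_port: int
    pid: int
    image: str       # path of the executable that owns the socket
    sha256: str


# Constructed netflow export.
FLOWS = [
    Flow(1000, "ws-17", 50123, "203.0.113.7", 443, 2_400),
    Flow(1010, "ws-17", 50124, "198.51.100.9", 8443, 48_000_000),
    Flow(1020, "db-02", 50200, "10.0.5.20", 5432, 9_000),
    Flow(1030, "ws-03", 50300, "198.51.100.9", 8443, 1_200),
    Flow(1040, "ws-17", 50125, "10.0.5.20", 445, 500),
]
# Constructed endpoint-agent socket log.
SOCKETS = [
    SocketEvent(999, "ws-17", 50123, 412, r"C:\Program Files\Mozilla Firefox\firefox.exe", "aaa111"),
    SocketEvent(1009, "ws-17", 50124, 2210, r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe", "bbb222"),
    SocketEvent(1019, "db-02", 50200, 1300, "/usr/lib/postgresql/bin/postgres", "ccc333"),
    SocketEvent(1029, "ws-03", 50300, 3001, r"C:\Program Files\Mozilla Firefox\firefox.exe", "aaa111"),
    SocketEvent(1039, "ws-17", 50125, 2210, r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe", "bbb222"),
]
# Constructed fleet prevalence: how many hosts have ever run each hash.
PREVALENCE = {"aaa111": 1200, "ccc333": 4, "bbb222": 1}

# RFC 1918 only; a real deployment would add its own public ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_WEB_PORTS = {80, 443}
LARGE_EGRESS = 10_000_000   # bytes per flow (assumed threshold)
RARE_PREVALENCE = 2         # hosts (assumed threshold)
JOIN_WINDOW = 5             # seconds between socket open and first packet


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def network_suspicious(f: Flow) -> bool:
    """External destination on an unusual port, or with a large upload."""
    external = not is_internal(f.dst_ip)
    return external and (f.dst_port not in COMMON_WEB_PORTS or f.bytes_out >= LARGE_EGRESS)


def endpoint_suspicious(s: SocketEvent, prevalence: dict) -> bool:
    """Rarely seen binary, or one running from a user-writable temp path."""
    rare = prevalence.get(s.sha256, 0) <= RARE_PREVALENCE
    temp_path = "\\temp\\" in s.image.lower() or s.image.startswith("/tmp/")
    return rare or temp_path


def join_process(f: Flow, sockets) -> Optional[SocketEvent]:
    """Attribute a flow to the process that opened the matching local socket."""
    for s in sockets:
        if s.host == f.host and s.src_port == f.src_port and 0 <= f.ts - s.ts <= JOIN_WINDOW:
            return s
    return None


def correlate(flows, sockets, prevalence):
    """Bucket flows by which signals fired; only 'fused' is worth an alert."""
    result = {"fused": [], "network_only": [], "endpoint_only": []}
    for f in flows:
        s = join_process(f, sockets)
        net = network_suspicious(f)
        ep = s is not None and endpoint_suspicious(s, prevalence)
        record = {"host": f.host, "dst": f"{f.dst_ip}:{f.dst_port}",
                  "image": s.image if s else None, "bytes_out": f.bytes_out}
        if net and ep:
            result["fused"].append(record)
        elif net:
            result["network_only"].append(record)
        elif ep:
            result["endpoint_only"].append(record)
    return result


if __name__ == "__main__":
    for bucket, items in correlate(FLOWS, SOCKETS, PREVALENCE).items():
        print(bucket, items)
```

In the constructed data the workstation ws-17 sends 48 MB to an external host on port 8443 from a one-of-a-kind binary in a Temp folder, and that is the only fused alert. The same destination contacted by Firefox on ws-03, and the same odd binary talking to an internal file server, each trip only one of the two signals and land in the weaker buckets, which is the point of the lesson.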

4. When Authentication Fails, Use User Behavior Analytics

Compromised user credentials often wreak havoc across breached enterprises, allowing attackers to pivot laterally through the network and operate largely below the security radar. But this misuse of legitimate credentials differs markedly from the normal behavior of the genuine credential holder. Even fairly basic user behavior analytics can detect anomalous discontinuities in learned user habits. Always use user behavior analytics, especially for your administrators and other privileged users.
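A minimal form of the behavior analytics described above, as an added example that is not Ziften's code: a per-user baseline of logon sources, targets and working hours is learned from history, each new logon is scored by how many of those habits it breaks, and privileged accounts (here assumed to carry an `adm_` prefix) alert on a single discontinuity while ordinary users need two. Event fields, the naming convention, the thresholds and every logon record are constructed assumptions.

```python
"""Learn per-user logon habits and flag discontinuities (added example).

Event layout, the adm_ prefix for privileged accounts, the thresholds and
all logon records are constructed assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed logon history: (ISO timestamp, user, source host, target host).
HISTORY = [
    ("2015-11-02T08:15:00", "jdoe", "ws-17", "ws-17"),
    ("2015-11-02T13:40:00", "jdoe", "ws-17", "fs-01"),
    ("2015-11-03T09:05:00", "jdoe", "ws-17", "ws-17"),
    ("2015-11-03T17:20:00", "jdoe", "ws-17", "fs-01"),
    ("2015-11-02T09:30:00", "adm_kchen", "jumpbox-01", "dc-01"),
    ("2015-11-02T16:10:00", "adm_kchen", "jumpbox-01", "fs-01"),
    ("2015-11-03T10:45:00", "adm_kchen", "jumpbox-01", "dc-01"),
    ("2015-11-02T02:00:00", "svc_backup", "bk-01", "fs-01"),
    ("2015-11-03T02:00:00", "svc_backup", "bk-01", "fs-02"),
]
# Constructed events to score against that baseline.
NEW_EVENTS = [
    ("2015-12-01T10:00:00", "jdoe", "ws-17", "ws-17"),           # routine
    ("2015-12-01T10:30:00", "jdoe", "ws-17", "ws-03"),           # one new target, ordinary user
    ("2015-12-01T02:05:00", "svc_backup", "bk-01", "fs-01"),     # scheduled backup job
    ("2015-12-01T03:00:00", "adm_kchen", "jumpbox-01", "fs-01"), # admin, off-hours only
    ("2015-12-02T03:15:00", "adm_kchen", "ws-17", "db-02"),      # admin from a workstation to a new host
]


def is_privileged(user: str) -> bool:
    return user.startswith("adm_")            # assumed naming convention


def build_baseline(history):
    """Per user: hosts logged on from, hosts logged on to, and working-hour span."""
    base = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": set()})
    for ts, user, src, dst in history:
        b = base[user]
        b["sources"].add(src)
        b["targets"].add(dst)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return base


def score_event(event, baseline):
    """List the habits this logon breaks; empty list means it looks normal."""
    ts, user, src, dst = event
    b = baseline.get(user)
    if b is None:
        return ["never-seen user"]
    reasons = []
    if src not in b["sources"]:
        reasons.append(f"new source {src}")
    if dst not in b["targets"]:
        reasons.append(f"new target {dst}")
    hour = datetime.fromisoformat(ts).hour
    if not (min(b["hours"]) <= hour <= max(b["hours"])):
        reasons.append(f"off-hours {hour:02d}:00")
    return reasons


def detect(events, baseline):
    """Privileged accounts alert on one broken habit, everyone else on two."""
    alerts = []
    for ev in events:
        reasons = score_event(ev, baseline)
        threshold = 1 if is_privileged(ev[1]) else 2
        if len(reasons) >= threshold:
            alerts.append({"user": ev[1], "ts": ev[0], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(HISTORY)):
        print(alert)
```

With the constructed data, jdoe touching one new file server goes unreported, while the administrator account is flagged both for a lone 03:00 logon from its usual jump host and, more loudly, for a logon from a user workstation to a database server it has never touched. The working-hour span is deliberately crude; a real deployment would learn it per weekday and per account type.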


Cyber Attacks On Elite Hackers Could Have Been Prevented With Vulnerability Monitoring – Charles Leaver

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver

Hacking Team Hurt By Absence Of Real-Time Vulnerability Monitoring

These days cyber attacks and data breaches are in the news all the time, and not just for high-value industries such as healthcare, finance, energy and retail. One particularly intriguing incident was the breach of the Italian company Hacking Team. For those who don't recall, Hacking Team (HT) is a company that specializes in surveillance software for government and law enforcement agencies that want to conduct covert operations. The programs produced by HT are not your ordinary remote-control software or malware-style recording tools. One of their key products, code-named Galileo and better known as RCS (Remote Control System), claimed to be able to do essentially whatever you require in terms of "controlling" your target.

Yet as talented as they were at producing these programs, they were unable to keep others out of their own systems, or to find the vulnerabilities at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT was hacked, and the data stolen and subsequently released to the public was huge: 400 GB. More importantly, the material included extremely damaging information such as emails and client lists (with pricing) that included countries blacklisted by the UN, and the crown jewels: source code. There was also in-depth documentation that included a couple of very effective 0-day exploits, among them exploits against Adobe Flash. Those 0-days were used very soon afterwards in attacks against Japanese businesses and United States government agencies.

The big question is: how could this happen to a company whose sole purpose is making software that stays undetected, and finding or developing 0-day exploits for others to use? One would think a breach here would be next to impossible. Clearly that was not the case. Currently there is not a lot to go on regarding how this breach took place. We do know, however, that someone has claimed responsibility, and that this individual (or team) is not new to breaking into places like HT. In August 2014 another surveillance company, Gamma International, whose software was called FinFisher or FinSpy, was hacked and sensitive files were released, just as with HT: client lists, pricing, code and so on. A user by the name of "PhineasFisher" released 40 GB of data on Reddit and announced that he or she was responsible. A post in July this year on their Twitter handle stated that they had also attacked HT. It appears that the message and purpose of these breaches and thefts was to make people aware of how these companies operate and who they sell to: a hacktivist attack. He did publish some details of his methods, and some of those techniques were probably used against HT.

A final question remains: how did they break in, and what precautions could HT have taken to prevent the theft? We do know from the released documents that users within HT had extremely weak passwords such as "P4ssword" or "wolverine." In addition, one of the primary employee systems from which the theft may have taken place used the program TrueCrypt. However, once you are logged on and using the system, those hidden volumes are accessible, so disk encryption does nothing against an attacker who already holds a live session. No information has been released as yet regarding how the network was breached or how the attackers accessed the users' systems in order to download the files. It does appear, though, that companies need a service such as Ziften's Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside of normal behavior. Examples are 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When a business is making and selling sophisticated security software, and possessing unknown vulnerabilities in commercial products, a better plan should have been in place to minimize the damage.
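The first of those two examples, a 400 GB upload standing out against a host's own history, as an added illustration that is not Ziften's code and not based on anything known about HT's network: each host's daily outbound byte count is compared with the median of its previous fourteen days, and an alert fires only when today is both several times the baseline and above an absolute floor, so a near-idle kiosk that goes from 1 MB to 50 MB does not page anyone while a build server jumping from 3 GB to 400 GB does. The per-host byte counts, the multiplier and the floor are constructed assumptions.

```python
"""Flag hosts whose daily egress breaks sharply from their own history (added example).

Byte counts per host per day are constructed; the multiplier and the
absolute floor are assumed thresholds, not values from any real deployment.
"""
from statistics import median

GB = 1_000_000_000

# Constructed: fourteen days of outbound bytes per host, then today's figure.
HISTORY = {
    "dev-build-01": [3 * GB, 2 * GB, 4 * GB, 3 * GB, 5 * GB, 2 * GB, 1 * GB,
                     3 * GB, 4 * GB, 3 * GB, 2 * GB, 3 * GB, 5 * GB, 3 * GB],
    "fs-01": [50 * GB] * 14,
    "kiosk-07": [1_000_000] * 14,
}
TODAY = {"dev-build-01": 400 * GB, "fs-01": 80 * GB, "kiosk-07": 50_000_000}

MULTIPLIER = 3.0   # today must be at least this many times the baseline
FLOOR = 10 * GB    # and at least this large in absolute terms


def egress_anomaly(host, history, today, multiplier=MULTIPLIER, floor=FLOOR):
    """Return an alert dict, or None when today's volume is within bounds.

    The median is used instead of the mean so that one or two genuinely busy
    days in the window do not inflate the baseline. The floor is what stops
    a 50x jump on a host that normally sends almost nothing from alerting.
    """
    baseline = median(history)
    ratio = today / baseline if baseline else float("inf")
    if today >= floor and ratio >= multiplier:
        return {"host": host, "today_gb": today / GB,
                "baseline_gb": baseline / GB, "ratio": round(ratio, 1)}
    return None


def scan(history, today):
    """Run the check over every host with a history; hosts absent today count as 0 bytes."""
    alerts = []
    for host, days in history.items():
        alert = egress_anomaly(host, days, today.get(host, 0))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(HISTORY, TODAY):
        print(alert)
```

The file server that moves 80 GB against a 50 GB norm stays quiet because a 1.6x swing is ordinary for a busy host; dropping the floor to zero turns the kiosk into a false positive, which is the trade-off the floor exists to manage.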


Charles Leaver – Could The Anthem Healthcare Data Leak Have Been Avoided With Endpoint Visibility?

Written By Justin Tefertiller And Presented By Charles Leaver, Ziften CEO


Continuous Endpoint Visibility Would Have Improved Healthcare Data Leak Prevention


Anthem Inc discovered a large-scale cyber attack against its IT and data systems on January 29, 2015. The healthcare data leak was believed to have taken place over a period of several weeks beginning around early December 2014, and targeted personal data on Anthem's database infrastructure as well as on endpoint systems. The stolen information included dates of birth, full names, healthcare identification numbers and social security numbers of customers and Anthem employees. The exact number of people affected by the breach is unknown, but it is estimated that almost 80 million records were taken. Healthcare data tends to be one of the most lucrative sources of income for hackers selling records on the dark market.

Forbes and others report that the attackers used a process-based backdoor on clients connected to Anthem databases, in combination with compromised administrator accounts and passwords, to slowly steal the data. The actions taken by the hackers posing and operating as administrators are what ultimately brought the breach to the attention of security and IT teams at Anthem.

This kind of attack illustrates the need for continuous endpoint visibility, since endpoint systems are a constant infection vector and an open door to sensitive data stored on any network they connect to. Basic things like never-before-seen processes, new user accounts, odd network connections and unauthorized administrative activity are typical calling cards of the start of a breach, and can be quickly identified and alerted on with the right monitoring tool. When alerted to these conditions in real time, incident responders can pounce on the intrusion, find patient zero, and hopefully mitigate the damage instead of allowing attackers to wander around the network undetected for weeks.


Charles Leaver – 30 Restaurants Impacted In 8 Months After PF Chang Data Breach

Written By Charles Leaver, Ziften CEO

The PF Chang's restaurant chain recently released new information about the security breach of its credit card systems across the country. The chain revealed that the breach affected more than 30 restaurants in 17 states and went on for 8 months before being discovered.

While the investigation is still ongoing, PF Chang's reported in a statement that the breach has been contained and that customer financial data has been processed securely by the restaurant since June 11. The compromised systems used by the chain were taken out of service until their security could be assured, and in the meantime credit cards were processed manually.

Rick Federico, CEO, said in a statement: "The potentially stolen credit and debit card data consists of the card number and sometimes also the cardholder's name and/or the card's date of expiry. However, we have not identified that any particular cardholder's credit or debit card data was stolen by the attacker."

PF Chang's was notified of the breach, which it described as an "extremely advanced criminal operation," in June, when it was contacted by the Secret Service about cyber security concerns. As soon as it was informed, the restaurant engaged third-party forensic investigators to find out how the breach had happened, and they discovered that malicious actors had been able to exploit the chain's credit card processing systems and potentially gain access to customer credit card details.

Organizations concerned about similar data breaches affecting point-of-sale terminals must implement endpoint threat detection to keep critical systems protected. Endpoint protection involves monitoring sensitive access points, such as POS systems, bar code readers and employee mobile phones, and mitigating risks as they appear. Continuous endpoint visibility is necessary to recognize threats before they compromise networks and to ensure business security.