About Curtis Franklin Jr. Senior Editor at Dark Reading

So far Curtis Franklin Jr. Senior Editor at Dark Reading has created 11 blog entries.

6 Open Source Tools for Your Security Team


Open source tools can be great additions to your cloud security arsenal. Here are a half-dozen to get you started.

Open source tools are a fact of life in application development. A growing number of open source security tools makes the noncommercial license a realistic option for more security teams.

Traditionally, open source tools have been viewed as options for academic institutions and smaller companies. But current-generation open source tools, developed with an emphasis on scale and deployment flexibility, have been built with larger enterprises in mind.

Dark Reading looked at a range of tools and systems across the open source landscape to find a half-dozen that enterprise security teams will want to know about. Several are at the beginning of their product lives; one is at the end, though it is still useful. In most cases, these tools compete against commercial offerings, though in every case the open source option provides qualities (aside from purchase price) that make it worth considering for specific situations.

How is your security team using open source tools? Are they for specific purposes, the majority of the enterprise security tool set, or not sufficiently reliable to be on the enterprise roster at all? Let us know in the Comments section, below.

(Image: WrightStudio via Adobe Stock)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...

Published 2021-01-06T10:35:34-05:00

Delivering Santa from Third-Party Risk


2020 has made even St. Nick susceptible to the risks associated with the coronavirus pandemic. Fortunately, cybersecurity experts are ready to help the merry old elf with advice on reducing risks to his global operations.

(Image by deagreez, via Adobe Stock)

The annual flight for Santa Claus comes in just a few days, and he's got some issues. The good news is that Saint Nick hasn't popped up on any list of SolarWinds' customers. We also know that Dr. Fauci himself vaccinated Santa against COVID-19. The bad news is that Santa has to deal with many of the same issues that every other enterprise on Earth has faced in 2020: workers sent to their homes, supply chains disrupted, and IT systems stretched to cover it all.

It turns out that Santa is faced with a classic supply chain problem: He must ensure that his product is delivered on a strict schedule, under a strict budget, while maintaining organizational secrecy and keeping customer personal information absolutely secure. How can he do that when circumstances are so unusual?

Dark Reading went to a number of industry experts and asked for the advice they would give Santa on this critical set of security issues. They responded in full and acknowledged that the implications of Santa's decisions can have an impact on those far from the North Pole.

"When Santa delivers that package to your kids, it's important to consider the implications of where the toy or gift was made. We should consider whether the elves are really working from quarantine or have they been social. Perhaps they have been forced into a traditional production environment as the time crunch to deliver gifts at mass scale mounts. While there is no evidence that COVID has impacted the elf or reindeer population, it should be a consideration," says Brandon Hoffman, CISO at Netenrich.

"In 2020, the supply chain was compromised before it even started," says Tyler Reguly, manager of security research and development at Tripwire.

That notion of a compromised supply chain came up repeatedly -- along with the idea that, in spite of compromise, operations must continue. As for the compromises, Reguly points out an obvious place for infiltration to begin: "Santa's email has been published and that domain name provides a starting point for malicious individuals to seek out additional systems and potentially public facing infrastructure."

So with the problem explained and obvious, what should Santa do?

"Santa should be looking at his third-party vendors and giving them a foundational security requirement or assessment of what they need to be doing so that he can feel comfortable," says Kiersten Todt, managing director of the Cyber Readiness Institute. She points out that Santa has to be clear that the steps his third-party vendors are taking match the risk he is willing to accept and the risk he is not.

The idea of "risk appetite" is something that several experts touched on in their comments, and Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies, says that there are concrete steps that Santa should take within his historic appetite for risk:

- Check elves' recommendations to prevent recruiting an attacker from the Grinch group.
- Ensure that all gift providers maintain a high level of information security.
- Check the storage system for the lists of good children in advance so that the Grinch cannot include himself or his allies in it through a backdoor, and restrict access by third parties.
- Deliver gifts to elves for packaging only through trusted channels and trusted suppliers.
- Ensure that using secret combinations to test the reindeer before handing over wrapped gifts is a mandatory procedure for an elf.
- Ensure that elves record the facts of transfer of wrapped gifts to reindeer by means of a hoof print in the act of acceptance and transfer.
- Coordinate the routes of the reindeer, and install a tracking system on them so that not a single reindeer with gifts is stolen along the way.
- Regularly conduct training and test elves for their knowledge of the basics of safe handling of confidential information so that they can easily recognize phishing and inform Santa about attempts to kidnap Christmas.

Finally, Jeff Roth, southeast regional director at NCC Group, waxed poetic in responding to Dark Reading's query about Santa and third-party risk. With apologies to Clement Clarke Moore...

"It is the weeks before Christmas and all through the house, the criminal and state actors were hacking with a click of their mouse.

"All the companies, governments, and citizens still reeling from pandemic fatigue were not ready to stop these adversaries' mayhem and greed. The bad guys attack without fear or shame, even stopping poor Rudolph from his Reindeer games.

"Backdoors, zero days, and counterfeits abound. Poor Santa's elves' supply chains were all down. For without secure critical infrastructures in place, how could they build all the gadgets and toys and bring smiles to our faces?

"But out of this darkness came a sound of glee, Santa's cyber warriors were protecting their supply chain for all his elves to see.

"It started with IOC detection coupled with well-engineered layered defense protection. Santa's cybersecurity program started to spread; the adversaries now had something to dread. Yes, we will find you and address your threats with purpose, focus and speed, to stop you, state actors, criminals, and other Grinches indeed.

"So goes the lesson for all to remember: Keep your security focus 24/7 and all year, not just December."

Published 2020-12-24T10:36:09-05:00

XDR 101: What’s the Big Deal About Extended Detection & Response?


Extended Detection and Response (XDR) could be the security management technology of your dreams...or not. What makes this technical 'evolution' so interesting to so many companies?

Published 2020-12-18T10:34:59-05:00

Evidence-Based Trust Gets Black Hat Europe Spotlight


An FPGA-based system could change the balance of power between hardware attackers and defenders within IT security.

Faith may be a marvelous foundation for many things, but it's a terrible basis for cybersecurity. Andrew "Bunnie" Huang, founder of Bunnie Studios, says that evidence, not faith, should be the foundation on which security is built. "What we're not looking to rely upon is faith-based trust, as in ... I believe that this vendor has a great brand and therefore I will take their word at face value," he says.

The problem with a move to evidence-based security is that it's so difficult to rigorously inspect what is going on inside any given chip or system. And without such an inspection, a customer has to trust not just a vendor but the vendor's entire supply chain.

"I want to be able to confirm that there are no extra parts in a motherboard," Huang says as he begins to describe a system he calls Precursor, which would allow people to compare what a motherboard looks like against a published reference for that same motherboard.

Huang says that it's important to understand the problem that Precursor is designed to solve. First, the system is designed to give insight into system hardware, not software. It does that with its own hardware, based on a field-programmable gate array (FPGA), which is programmed with a model of what the reviewed system is supposed to be. That model includes details down to the transistor and logic gate level of the tested system.

Attackers, especially sophisticated nation-state operators, may be able to build in or take advantage of backdoors that leave no trace, Huang says, but Precursor forces the software needed to exploit a vulnerability to be much more complex. Instead of adding circuitry that might take advantage of a single counter, Huang says, a successful attacker might have to use techniques that take every counter into account, in the hope that one would "sneak through" the inspection process. That makes the hardware required much larger physically and much more complex.

Huang isn't under the illusion that this will be a complete solution to the problem of hardware-based attacks, but it does restore some balance to the battle, he says. "The problem is that in hardware, we didn't even have the cat and mouse game. In hardware, you've got something and you either believed it was what you got or you didn't," he explains. Now, hardware attackers will have to work around the knowledge that their exploits can be discovered and exposed.

The FPGA-based system also will have the ability to push hardware patches to vulnerable hardware, Huang says. That can significantly reduce the cost of remediating vulnerabilities in hardware, because entire systems might not have to be replaced in order to close the vulnerabilities.

Huang will discuss Precursor and its genesis in the concept of evidence-based trust in the keynote address for Black Hat Europe 2020. The address is scheduled for 9 a.m. to 10 a.m. GMT on Thursday, Dec. 10.

Published 2020-11-24T10:37:57-05:00

How Industrial IoT Security Can Catch Up With OT/IT Convergence


Ransomware can easily make a connection between IT and OT already. How can blue teams do the same?

In June, Honda reported a malware attack that brought customer and financial services operations to a standstill. One of the more dangerous characteristics of the Snake ransomware used in the attack, according to researchers, is that it can spread easily from IT to OT networks in companies with converged networks.

Operational technology (OT) – or the IoT on an industrial scale – is critical infrastructure for organizations and society, and a critical target for criminals. With convergence of IT and OT systems increasing, what can organizations do to make the converged landscape as safe and secure as possible?

"There's been a lot more attacks in the last couple of years, mostly ransomware-based, which have impacted production facilities and environments," says Andrew Tsonchev, director of technology at Darktrace. In 2019 alone, research indicates attacks on OT targets skyrocketed by 300%.

However, Tsonchev points out that most of the attacks are not coming from the sort of nation-state actors that so many companies fear. Rather, they're coming from garden-variety criminals who now have the tools to take effective aim at OT systems. And those tools come from the same trend that makes OT so important to modern manufacturing companies: IT-OT convergence.

"There's increased convergence and connectivity between previously isolated [OT] environments and the IT business systems inside organizations," Tsonchev says. The evolution of IT and OT within organizations has been slow, to a point where they're largely standardized, he adds, but the change in the threat landscape is due to the fact that there's less separation and isolation between the two than there once was.

Tsonchev says a hunger for data, from data-driven manufacturing to the data analysis required for just-in-time manufacturing, is one of the driving forces behind this convergence. But data hunger isn't the sole driver. The larger motive, he says, is that businesses are using more centralized and cloud-based data analytics to power their manufacturing. "And to play in that ecosystem, you can't really have a 1990's-style isolated local network," Tsonchev explains.

Building Bridges

While organizations are eager to embrace the possibilities unlocked by bringing IT and OT networks together, many don't go far enough to do so safely, he says. "If you're going to have convergence between different parts of your networked environment, you need to start treating them as one security domain," Tsonchev says, "and you need to be thinking about threat modeling and risks and attack types seamlessly across the two environments."

Of course, syncing two environments into one security domain requires building bridges – bridges across technologies, across system architectures, and across cultures.

The easier obstacles to overcome are the technological ones, says Tsonchev. As he explains, although IT and OT have largely converged, the security ecosystem has not: The tools typically used to defend OT and IT environments are distinct and different. Tsonchev believes that if attackers aren't going to see these systems as separate entities, then security tools shouldn't either.

The bigger challenge, he says, is not in the silicon of servers and networking appliances but in the brains of security professionals. "The harder problem, I think, is the skills problem, which is that we have very different expertise existing within companies and in the wider security community, between people who are IT security experts and people who are OT security experts," Tsonchev says. "And it's very rare to find one individual where those skills converge."

It's critical that companies looking to solve the converged security problem, whether in technology or technologists, figure out what the technology and skills need to look like in order to support their business goals. And they need to recognize that the skills to protect both sides of the organization may not reside in a single person, Tsonchev says.

"There's obviously a very deep cultural difference that comes from the nature of the environments characterized by the standard truism that confidentiality is the priority in IT and availability is the priority in OT," he explains. And that difference in mindset is natural – and to some extent essential – given the requirements of the job.

Where the two can begin to come together, Tsonchev says, is in the evolution away from a protection-based mindset to a way of looking at security based on risk and risk tolerance. That evolution can come as part of the critical flow of protecting OT and IT together.

"The first and most simple step would be to make sure that everyone who's a stakeholder in security is agreeing on the same picture of reality, that everyone's looking at the same data, everyone's seeing the same tools responding to the same events," Tsonchev says. The last thing a company needs, he says, is for data and the resulting decisions to have to flow back and forth across organizational boundaries in order to respond to events.

"You absolutely want to make sure that, however you are approaching this, you're not coming at it from a point of view where those boundary areas are your blind spots, because then the way you're trying to prioritize what you're trying to detect is radically out of whack with risk to the business," Tsonchev explains.

And once everyone is looking at the same set of data and agreeing on the same set of priorities, many organizations can focus on the basic similarities between many of the threats and attacks, Tsonchev says. Doing that means they can strip away excess information and get back to the basics where action can be taken to minimize the risk to the company.

"If you always bring it back to what we know is the simple and consistent way in which attackers penetrate these environments, then I think the challenge becomes a lot clearer and a lot more manageable," he says.

Published 2020-11-21T10:33:48-05:00

JavaScript Obfuscation Moves to Phishing Emails


Attackers are hiding malicious payloads in phishing emails via a technique traditionally used to hide malicious code planted on websites.

JavaScript, the ubiquitous scripting language used across Web applications worldwide, is becoming a key ingredient in phishing campaigns looking to plant malicious code on victims' computers, new research shows. Phishing attacks using JavaScript obfuscation techniques rose more than 70% from November 2019 through August 2020, according to Akamai lead researcher Or Katz.

Katz says the reason for the rise in this attack technique is simple. "The fact that JavaScript is a scripting language that runs on the client side gives [attackers] the ability to create content, but only once that content is rendered on the browser of the potential victims, will the actual page be rendered and be presented to the victim," Katz says. "Only at that point in time will you see the actual phishing website asking for credentials or other personal information."

In the first of a series of blog posts on his research, he said "content escaping," while not a sophisticated obfuscation technique, is effective at hiding - or obfuscating - the malicious content of a message. It has also been far more commonly used on malicious websites than in phishing or scam email messages; it's the technique's growing use in email that caught Katz's attention.

JavaScript has been used in fairly simple obfuscation techniques, but the obfuscation is becoming more sophisticated, he found. Take XOR decryption, which he's seeing in more and more campaigns. XOR (exclusive-or) is a technique taken from cryptography that makes contents smaller while creating a block of text that is unique for each message. The result is something that can't easily be defeated by simple signature-matching anti-malware techniques.

Katz then took a closer look at specific campaigns using the JavaScript obfuscation techniques. In the second blog post, he notes that single malicious email messages are now carrying JavaScript code that uses multiple obfuscation and redirection techniques, including URL cloaking, content escaping, and polymorphic functions, at the same time. These techniques are "just the tip of the iceberg, as more complex techniques, including huge chunks of embedded dead code and anti-debugging, are constantly being used in the wild," he said in the post.

He told Dark Reading he believes JavaScript obfuscation will increase in email phishing attacks. "There is a movement from using solely emails as a way to propagate phishing scams into social networks and messaging and social messaging platforms to deliver a lot of those scams," he says. "When you try to distribute attacks through social media, then you are actually using the power of that platform to do a very rapid kind of distribution that is dependent on the trustworthiness of the people that are distributing them."

Because the techniques are so successful, Katz says, they're not limited to a single criminal organization or geographic area: they're being used worldwide by a wide variety of threat actors. And because they can come from so many sources, and hide in so many ways, Katz says that basic user education may still be one of the most powerful tools to use against them.

It starts, he says, with reminding users that an email message that seems too good to be true probably is. And if the URL seems unusual, or appears in an unusual location in a message or on a Web page, that should be a red flag. "Stop at that point, think twice and try to figure out if you need to give any personal information." If it's suspicious enough to make you think, he says, then it's almost certainly suspicious enough to make you stop.
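The two obfuscation tricks the article names, content escaping and XOR decoding, both leave measurable traces in a script block: a high share of %XX-style escape sequences, a decoder call, a charCodeAt-with-XOR loop, and a dynamic-evaluation sink that runs the result. The detector below is an added example written for this page, not Akamai's or Dark Reading's code; the three email bodies, the example.invalid URL and the scoring weights are constructed assumptions.

```python
"""Heuristic scoring of JavaScript obfuscation indicators in an HTML email body.

Added example (not from the article or Akamai). Looks for the traces that the
content-escaping and XOR-decoding techniques leave behind and scores each
<script> block; sample messages are constructed for illustration only.
"""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# %XX, \xHH and \uHHHH sequences: the raw material of "content escaping"
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
# Calls that turn escaped or numeric data back into text
DECODER_RE = re.compile(r"\b(unescape|decodeURIComponent|String\.fromCharCode|atob)\s*\(")
# charCodeAt(...) combined with ^ is the signature of a per-character XOR loop
XOR_RE = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^|\^\s*\w+\.charCodeAt")
# Sinks that execute or render the decoded result
SINK_RE = re.compile(r"\b(eval|document\.write|Function|setTimeout)\s*\(")


def score_script(js: str) -> dict:
    """Return indicator counts and an obfuscation score for one script body."""
    n_escapes = len(ESCAPE_RE.findall(js))
    # Approximate share of the script that is escape sequences (3 chars per %XX)
    density = n_escapes * 3 / max(len(js), 1)
    indicators = {
        "escape_density": round(density, 2),
        "decoder_calls": len(DECODER_RE.findall(js)),
        "xor_loop": bool(XOR_RE.search(js)),
        "dynamic_sink": len(SINK_RE.findall(js)),
    }
    score = 0                       # weights are assumptions, tune to your corpus
    if density > 0.25:
        score += 2                  # most of the block is escaped bytes
    if indicators["decoder_calls"]:
        score += 1
    if indicators["xor_loop"]:
        score += 2
    if indicators["dynamic_sink"]:
        score += 1
    indicators["score"] = score
    return indicators


def classify_email(html: str, threshold: int = 3) -> dict:
    """Score every <script> in an email body; flag the message if any block reaches threshold."""
    results = [score_script(s) for s in SCRIPT_RE.findall(html)]
    worst = max((r["score"] for r in results), default=0)
    return {"scripts": len(results), "max_score": worst, "suspicious": worst >= threshold}


# Constructed samples. BENIGN has an ordinary script; ESCAPED carries a form
# stored as %XX escapes and decoded at render time; XOR rebuilds its payload
# with a charCodeAt ^ key loop and runs it through eval.
BENIGN_EMAIL = ("<html><body><p>Your invoice is attached.</p>"
                "<script>document.getElementById('total').textContent='42.00';</script>"
                "</body></html>")
_PAYLOAD = "".join("%%%02X" % ord(c) for c in '<form action="http://example.invalid/login">')
ESCAPED_EMAIL = ("<html><body><p>Please verify your account.</p><script>"
                 "document.write(unescape('" + _PAYLOAD + "'))</script></body></html>")
XOR_EMAIL = ("<html><body><script>var k=7,s='placeholder',o='';"
             "for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^k);}"
             "eval(o);</script></body></html>")

if __name__ == "__main__":
    for name, body in [("benign", BENIGN_EMAIL), ("escaped", ESCAPED_EMAIL), ("xor", XOR_EMAIL)]:
        print(name, classify_email(body))
```

Escape density alone will also fire on legitimately minified or URL-encoded scripts, so treat the score as a triage signal to be tuned against your own mail corpus rather than a verdict.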

Published 2020-10-31T11:38:14-04:00

6 Ways Passwords Fail Basic Security Tests


New data shows humans still struggle with password creation and management.

Humans are good at some things, like eating too many potato chips or getting annoying songs stuck in their heads. They're not so good at choosing edible wild mushrooms by appearance, for example, nor are they good at choosing strong, safe passwords. Unfortunately, that last item has some serious repercussions in the cybersecurity world.

Security.org's new report on password strategies in the US serves as a painful reminder of just how badly humans fail at the basic task of choosing (and using) a strong password. Many, if not most, of the issues around passwords can likely be laid at the feet of a pair of human traits: We're fallible, and we're stubborn. Put them together and you have a recipe for a system that we can't use well and are reluctant to change.

One of the ways that humans demonstrate their problems with passwords is in the continuing reluctance to use a password management program. Experts have long said that password managers are key to making computer and network credentials more secure, yet Security.org's research shows that only 12% of users have a password manager as part of their secure authentication routine. Instead they turn to methods only slightly more reliable and secure than teaching passwords to a nearby parrot: 37% depend on their own memory for password storage, while 20% go OG with paper notebooks.

Given the high-tech password retrieval systems in use, it's perhaps no wonder that many users choose passwords that lack sufficient security heft. Based on current research, there are six ways in which users blow the basic task of creating a secure password. Or, to put it less judgmentally, six ways in which passwords fail to measure up.

How many of these "failures" do your passwords exhibit? Or are you one of the few who use technology to help create and manage strong passwords? We've seen the Security.org research -- we'd like to know what you and your organization are doing about passwords. Let us know in the comments section.

(Image: mangpor2004 via Adobe Stock)

Published 2020-10-29T11:33:25-04:00