The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
FYI, Your Attacker is Playing 4D Chess
In This Issue:
- To beat the bad guys, think in graphs rather than lists. You care about lists. The attackers think in terms of security relationships. Learn the difference.
- The Magecart Mess. The Magecart malware, notorious for swiping credit card info from online forms, is spreading. Don’t let it byte you.
- SMBs must go beyond 'checkbox security'. Consider requiring your staffers to get certified in IT security. It could have multiple benefits in the long run.
- You’re never too big to be immune from compromise. Even organizations with pockets deep enough to spend a lot on security are still vulnerable. You can learn lessons from them.
- Apple stays mum on mysterious lockouts. As Apple and Target and others show, you can’t trust anybody. What do you do then?
Behold, the Fields in Which I Grow My Checklists. Lay Thine Eyes Upon It and See That It Is Barren
h/t: John Lambert (@JohnLaTwC) – Github
John Lambert is a Distinguished Engineer and General Manager at Microsoft's Threat Intelligence Center. While we all know credentialism isn't as valuable as it's often made out to be, Lambert lives up to the prestige implied by the title. In "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win", Lambert lays out why security teams fail in a brutal takedown of the checklist approach to IT security so popular in today's enterprises.
For many, this post will be a difficult read. Lambert accurately identifies not only bad practices, but ineffective and unhelpful ways of thinking about security. IT security is about constantly adapting to a rapidly changing threat landscape. Lambert shows clearly that the constraints of our own approach to conceptualizing that threat landscape are themselves a threat.
Countermeasure:
Learn to think about indirect attack methods. Then go learn about microsegmentation; proper microsegmentation that multiplies the number of network edges, not just the firewall automation stuff. Reduce the number of attack vectors to core data by throwing up barriers along orthogonal attack routes.
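Lambert's list-versus-graph distinction, worked through as an added example that is not from his post or from this newsletter. The five-host network, its zones and the relationships between hosts are all constructed; each host is "compliant" on its own checklist, yet the graph still shows routes to the database, and a segmentation policy cuts only the network edge, not the credential edge:

```python
from collections import defaultdict

# Constructed example (hypothetical names): each host passes its own checklist;
# the risk lives in the relationships between hosts, i.e. in the edges.
HOSTS = {"ws-01": "workstations", "fileserv": "servers", "backup-01": "servers",
         "print-01": "servers", "db-01": "data"}
# (from, to, relationship that lets an intruder move from one host to the next)
RELATIONS = [
    ("ws-01", "fileserv", "alice is local admin on both"),
    ("fileserv", "backup-01", "svc-backup session cached on fileserv"),
    ("backup-01", "db-01", "svc-backup is a database administrator"),
    ("ws-01", "print-01", "same local admin password on both"),
    ("print-01", "db-01", "print-01 is on db-01's host firewall allow list"),
]

def checklist_view(hosts):
    """The list thinker's report: one row per host, relationships invisible."""
    return {h: "compliant" for h in hosts}

def attack_paths(relations, start, target):
    """The graph thinker's report: every simple path from start to target."""
    adj = defaultdict(list)
    for src, dst, _ in relations:
        adj[src].append(dst)
    paths = []
    def walk(path):
        if path[-1] == target:
            paths.append(path)
            return
        for nxt in adj[path[-1]]:
            if nxt not in path:
                walk(path + [nxt])
    walk([start])
    return paths

def microsegment(relations, hosts, zone_flows, host_flows=frozenset()):
    """Cut every edge that leaves its zone unless that zone-to-zone flow, or that
    specific host pair, is explicitly allowed. Returns the surviving edges."""
    return [(s, d, why) for s, d, why in relations
            if hosts[s] == hosts[d] or (hosts[s], hosts[d]) in zone_flows
            or (s, d) in host_flows]

if __name__ == "__main__":
    print(checklist_view(HOSTS))                      # every row says compliant
    for p in attack_paths(RELATIONS, "ws-01", "db-01"):
        print(" -> ".join(p))                         # yet two routes reach db-01
    # Policy: workstations may reach servers; only backup-01 may reach db-01.
    after = microsegment(RELATIONS, HOSTS, {("workstations", "servers")}, {("backup-01", "db-01")})
    for p in attack_paths(after, "ws-01", "db-01"):
        print("survives segmentation:", " -> ".join(p))  # the cached-credential route
```

The route that survives rides a cached service credential on fileserv, an edge that no firewall rule removes; that is the next barrier to build, and a per-host checklist would never have pointed at it.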
Manage Your Own eCommerce Site? Don't. Magecart Compromises Are Getting out of Control
h/t: Lawrence Abrams - BleepingComputer.com
The Internet is flooded with stories of ecommerce sites being compromised. Two in particular have surfaced as notable. The first is Infowars Store Affected by Magecart Credit Card Stealing Hack. Once you get past the overwhelming schadenfreude of Infowars being the victim, this article proves to be an excellent resource for those interested in the recent Magecart compromise wave. Bleeping Computer includes an interview with security researcher Willem de Groot, as well as examples of relevant malicious code.
For those not looking to go quite as in depth, One in five Magecart-infected stores get reinfected within days is the Magecart article for you. It summarises de Groot's research nicely, but will probably leave you curious enough to dig into the Bleeping Computer piece.
Countermeasure:
If possible, stop using ecommerce sites that are unmanaged. If you must run an ecommerce site on your own servers, read everything de Groot has to say on the topic, and pay very close attention to the securing of those websites. Then invest in not using unmanaged ecommerce sites as soon as humanly possible.
Think SMBs Can't Afford Security? Think Again! Adopt a Security-First Mindset for Victory
h/t: Byron V. Acohido – The Last Watchdog
SMBs are finally acknowledging that a checkbox approach to security isn’t enough. That’s the main takeaway from Q&A: How certifying in-house IT staffers as cyber analysts, pen testers can boost SMB security. This piece is an excellent interview between Acohido and James Stanger, CompTIA’s Chief Technology Evangelist.
Being an interview with someone from CompTIA, the piece focuses heavily on the importance of certification, and serves as an excellent overview of the new vendor-agnostic, security-focused certifications available from CompTIA. One topic briefly touched upon, but which deserved a lot more attention, is the idea that larger SMBs which train up their staff can then contract those staff out to both customers and suppliers.
Trust is hard to build in business, and security professionals are hard to find. It isn’t unheard of for organizations that sit in the middle of value chains to build digital services that they then resell both upstream and downstream. IT security should be a consideration for SMBs in this space; who knows your vertical better than you?
Countermeasure:
Take the time to consider infosec training as a potential revenue source. Secure not only your network, but the networks of your customers and suppliers as well. If your customers spend less money on fines and disaster recovery events, they have more to spend on you. Similarly, secure suppliers can charge you less money. Everyone wins when you train your nerds in infosec, then share them with partners.
Large Orgs Drop Ball, Get Pwned. Popcorn Sold. Lessons Learned
h/t: Pierluigi Paganini – Security Affairs
Security Affairs has a pair of articles on security incidents involving organizations that should be large enough to handle themselves. Both The 'MartyMcFly' investigation: Italian naval industry under attack and Facebook flaw could have exposed private info of users and their friends are excellent reading, if for no other reason than to keep oneself aware of how even the largest and best-prepared organizations can come under attack.
What's important here is that neither Facebook nor the Italian naval industry are generally lax in their security. They're by no means perfect, but it's reasonable to assume they put more effort into their IT defenses than your average midmarket or SMB organization. The attacks detailed are clever, but not ground-breakingly sophisticated; they should serve as a sobering reminder that it doesn't take a mad genius to break things.
Countermeasure:
Make good friends with red teamers. It’s the things you haven't thought of that will undo you, and we're well past the point where we can embrace the polite fiction that static defenses are adequate for IT security. It's time to schedule regular, active penetration attempts by white hat hackers: no matter how big or small your organization happens to be.
Graham Cluley Delivers a Bowl Full of Cold, Hard, Facepalm
h/t: Graham Cluley – Hot For Security (BitDefender)
Graham Cluley surfaced thrice this week with news items that, while they don't directly impact the day-to-day operations of IT security teams, remind us all why we can't have nice things. In Apple says nothing as Apple ID accounts mysteriously locked down, we’re reminded that Apple's reality distortion field also serves to clamp down on information flowing out of Cupertino's spaceship-shaped HQ.
Target and other high-profile Twitter accounts exploited for cryptocurrency scams, meanwhile, reminds us that we all have to actually pay attention to what we read. Trusted sources of information should not, in fact, be trusted, as they're often compromised to lead readers into some back alley, and ++++====NO CARRIER.
Rounding out the week is Unable to remember his password, man sent letter bomb to Bitcoin exchange, which should serve as a reminder both of the importance of ease of use, and that there are a lot of people who take minor inconveniences way too seriously.
Countermeasure:
Remember that while yes, there are lots of little annoyances when it comes to security, there are also things to learn from them. So don't become emotionally invested in the stupid stuff, and don’t overreact. Instead, try to enjoy your weekend.
Tweet of the Week
"Laugh. Cry. Raise a glass to the death of the Unix philosophy."
How systemd architects think – Nick Craver – @Nick_Craver
Must-Read Discussion Threads
Ever been thrown face-first into a new challenge? Ever had that challenge turn out to be securing an entire enterprise? This fellow has, and he has some quick takeaways worth noting.
"Turns out I was basically CISO without the pay at a £2bn company"
~ Kevin Beaumont – @GossiTheDog
Quote of the Week
"Your adversary does not wait for you to finish patching"
~ The Art Of Cyber War – @SunTzuCyber