02.04.2020

Cyber Defense eMagazine April 2020 Edition

Cyber Defense eMagazine April Edition for 2020 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky, a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group, as well as Yan Ross, US Editor-in-Chief, Pierluigi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President, and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES

Cybercriminals Exploit Coronavirus with Wave of New Scams

WatchGuard’s RSA Conference 2020 Recap

Cyber Leads Global Business Risks for First Time: Allianz Risk Barometer 2020

Facebook’s $550 Million Settlement: A Warning to Companies Collecting Biometric Data

How to Avoid Being Breached In 2020

…and much more…

Cyber Defense eMagazine April 2020 Edition Page 1

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


CONTENTS

Welcome to CDM’s April 2020 --- 6

Cybercriminals Exploit Coronavirus with Wave of New Scams --- 22
By David Ruiz, Malwarebytes Labs

WatchGuard’s RSA Conference 2020 Recap --- 29
By Marc Laliberte, Sr. Security Analyst, WatchGuard Technologies

Cyber Leads Global Business Risks for First Time: Allianz Risk Barometer 2020 --- 32
By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz Global Corporate & Specialty

Facebook’s $550 Million Settlement: A Warning to Companies Collecting Biometric Data --- 36
By Billee Elliott McAuliffe, Member, Lewis Rice

How to Avoid Being Breached In 2020 --- 39
By Randy Reiter, CEO of Don’t Be Breached

What You Need to Know About DDoS Weapons Today --- 42
By Ahmad Nassiri, Security Solutions Architect at A10 Networks

Better Network Visibility: Removing the Security Blindfold --- 45
By Cary Wright, VP Product Management, Endace

Enabling Agility to Accelerate Incident Response --- 47
By John Attala, Vice President of Worldwide Sales, Endace

Economic Efficiency in Cyber Defense --- 50
By Mark Evans, VP Marketing, Endace



Does SASE Tick the Box for The Future of Network Security? --- 53
By Yair Green, CTO at GlobalDots

Achieving Effective User Lifecycle Management Through Automation --- 55
By Jeff Stein, Information Security Architect, Reputation.com

Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk --- 58
By Kevin Landt, VP of Product Management at Cygilant

The Cost of Cybercrime Is Constantly Rising: How to Combat Ransomware Attacks on SMBs --- 61
By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security

How To Manage Your Small Business In Time Of Crisis --- 65
By Milica D. Djekic

What the Latest Enterprise Endpoint Security Survey Shows Us: Big Concerns but Hope for The Future --- 68
By Jeff Harrell, Vice President of Marketing, Adaptiva



From the Publisher…

@MILIEFSKY

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

Looking back at RSA Conference 2020, the view in our rearview mirror suggests that convention may have been among the last of the “live” conferences for a while. On behalf of Cyber Defense Media Group, we are fortunate to be able to build on our very positive experience there and use that foundation to provide support to others during this challenging time resulting from the coronavirus COVID-19 pandemic.

With this disruptive set of circumstances, we must consider ourselves to be on a battlefield of asymmetrical warfare. Cyber criminals have access to nearly all of our communications and educational materials, giving them valuable intelligence on how to defeat our best security practices. On the other side, we are in the less advantageous position of waiting for their next move to become visible.

While this imbalance may appear to tip the scale against us, it also emphasizes the importance of keeping each other informed and up to speed on all known attack vectors. Only this way can we hope and expect to prevail and maintain steadiness and security in the many critical activities in our society and economy.

From our own point of view, this leads us to double and redouble our efforts as both a media participant and a committed organization to provide the tools to assure a favourable outcome.

With that background, we commit to continuing our monthly magazines as well as daily (or more frequent) updates on the Cyber Defense Magazine home page. As always, your participation and sharing from your own experiences are welcome.

Warmest regards,

Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.

InfoSec Knowledge is Power. We will always strive to provide the latest, most up-to-date FREE InfoSec information.

From the International Editor-in-Chief…

The current dynamics of the COVID-19 pandemic would seem to demand more international coordination, as opposed to a crazy quilt of national, regional, and local actions.

Statistics are showing very different national and regional patterns of infection and mortality, even within geographic regions. Whether it’s the European Community, or the Asian region, or the Americas, there is a vast difference in the extent of diagnosed cases, and also of recorded deaths.

In our world of cybersecurity, it’s possible to be both more and less challenging to seek and effect global solutions. In some ways, the interconnectedness of the cyber world carries with it a homogeneity of applications and programs. In contrast, the cultural diversity and role of national governments tend to emphasize our differences. As these developments play out, we will have an opportunity to take the lead in creating cybersecurity defenses to protect all aspects of IT in our lives, including (but not limited to) medical, financial, social, and government functions.

In the days ahead, let us agree to put our differences aside in favor of responding to our common enemies: COVID-19 itself and those who would take advantage of this crisis to perpetrate criminal schemes.

To our faithful readers, we thank you,

Pierluigi Paganini
International Editor-in-Chief

@CYBERDEFENSEMAG

CYBER DEFENSE eMAGAZINE

Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

US EDITOR-IN-CHIEF
Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com

ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com

CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2019, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.

PUBLISHER
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at: http://www.cyberdefensemagazine.com/about-our-founder/

8 YEARS OF EXCELLENCE!

Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense Magazine is your go-to source for Information Security. We’re a proud division of Cyber Defense Media Group: CYBERDEFENSEMEDIAGROUP.COM (Magazine, TV, Radio, Awards).


Welcome to CDM’s April 2020

As the April issue of Cyber Defense Magazine reaches publication, we find ourselves in a state similar to limbo, awaiting the next announcement of a cancelled event, a cyber vulnerability exploited by crooks, or a government initiative imposed under crisis conditions.

Crisis, like necessity, can serve as the mother of both invention and opportunity. In the case of cybersecurity, it’s clear that there are new vulnerabilities arising from the new patterns of working remotely from locations with less robust cyber security than the main workplace of the organization.

Anecdotally, only a relatively small percentage of affected organizations had adequately prepared for this eventuality. Most of the reports reflect “quick-and-dirty” arrangements for office and HQ workers to work remotely.

From a cybersecurity POV, effective preparation would usually be the responsibility of an internal or outsourced CISO. In concept as well as practice, this would or should include pre-emergency activities and red-teaming exercises.

Outside the 17 areas of critical infrastructure (see www.dhs.gov for more detailed information) there do not appear to be standardized procedures to be followed in such events as a pandemic. Even listed sectors of critical infrastructure have shown lapses; a notable example would be commercial air transport.

Consider how different the health and financial impacts on our nation might have been if there had been pandemic emergency plans in place on a broad scale to deal with the cybersecurity challenges we face today.

Although not well documented (at least so far), again anecdotally, there have been success stories. Accordingly, we invite CISOs and others who have been successful to share their experiences. We hope to share this important body of knowledge in both feature articles on the CDM home page and the May issue.

We trust this information will be of great value to our over 5 million individual reader inquiries each month, as CDM maintains its position as the leading publication for cybersecurity professionals.

Wishing you all success in your cyber security endeavors,

Yan Ross
US Editor-in-Chief
Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & US Editor-in-Chief for Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE’s Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him via his e-mail address at yan.ross@cyberdefensemediagroup.com


Cyber Defense eMagazineApril 2020 Edition Page 7

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineApril 2020 Edition Page 8

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineApril 2020 Edition Page 9

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineApril 2020 Edition Page 10

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineApril 2020 Edition Page 11

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineApril 2020 Edition Page 12

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineApril 2020 Edition Page 13

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineApril 2020 Edition Page 14

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Your website could be vulnerable to outside attacks. Wouldn’t you like to know where those vulnerabilities lie? Sign up today for your free trial of WhiteHat Sentinel Dynamic and gain a deep understanding of your web application vulnerabilities, how to prioritize them, and what to do about them. With this trial you will get:

An evaluation of the security of one of your organization’s websites
Application security guidance from security engineers in WhiteHat’s Threat Research Center
Full access to Sentinel’s web-based interface, offering the ability to review and generate reports as well as share findings with internal developers and security management
A customized review and complimentary final executive and technical report

Sign up at: https://www.whitehatsec.com/info/security-check/

PLEASE NOTE: Trial participation is subject to qualification.


Cybercriminals Exploit Coronavirus with Wave of New Scams

By David Ruiz, Malwarebytes Labs

With no vaccine yet developed, and with much of the world undergoing intense social distancing measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of keyloggers, ransomware, and data stealers.


The problem expands beyond pure phishing scams.

On March 14, Twitter user @dustyfresh published a web tracker that found 3,600 coronavirus- and COVID-19-related hostnames that sprang up in just 24 hours.

On March 17, security researcher and Python developer @sshell_ built a tool, hosted by the team at ThugCrowd, that provides real-time scans for potentially malicious, coronavirus-related domains. Just click the link and watch possible scam sites get registered every minute.

Further, RiskIQ reportedly tracked more than 13,000 suspicious, coronavirus-related domains last weekend, and more than 35,000 domains the next day, too.
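The trackers mentioned above watch new registrations and certificate issuances for pandemic-themed names. As an added example, not code from the article or from the trackers it cites, here is a small Python scorer for that kind of feed: it normalises digit-for-letter substitutions before keyword matching, flags names that borrow an impersonated organisation’s label (the article’s "who" lures) without being under its real domain, and weights very recent registration. The sample feed and dates are constructed; the point threshold and the cdc.gov/gov.uk entries in the organisation map are assumptions to tune against your own telemetry.

```python
import re
from datetime import date, timedelta

# Digit-for-letter swaps seen in lure domains; matching on the normalised
# form keeps "c0vid" and "c0r0na" from slipping past a plain keyword filter.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
THEME_WORDS = ("coronavirus", "covid", "corona", "ncov", "wuhan", "vaccine", "pandemic")
# Organisations the article shows being impersonated, with their real domains
# (who.int is from the article; cdc.gov and gov.uk are assumptions).
BRANDS = {"who": "who.int", "cdc": "cdc.gov", "phe": "gov.uk"}
# Assumed threshold; tune it against your own feed's false-positive rate.
REVIEW_THRESHOLD = 4


def normalise(host: str) -> str:
    return host.lower().rstrip(".").translate(LEET)


def squash(host: str) -> str:
    """Drop separators so 'corona-virus.update' still contains 'coronavirus'."""
    return host.replace("-", "").replace(".", "")


def score(host: str, registered: str, today: str) -> tuple:
    """Score one hostname from a registration or CT feed.

    Dates are ISO 'YYYY-MM-DD' strings, as most feeds supply them.
    Returns (points, reasons); an empty reasons list means nothing fired.
    """
    raw = host.lower().rstrip(".")
    norm = normalise(host)
    tokens = [t for t in re.split(r"[.-]", norm) if t]
    age = date.fromisoformat(today) - date.fromisoformat(registered)
    points, reasons = 0, []

    hit = next((w for w in THEME_WORDS if w in squash(norm)), None)
    if hit:
        points += 2
        reasons.append(f"theme word {hit}")
        # Only visible after normalisation: digits were standing in for letters.
        if not any(w in squash(raw) for w in THEME_WORDS):
            points += 1
            reasons.append("theme word hidden by digit substitution")

    # Borrows an impersonated organisation's name without living under its real domain.
    for brand, real in BRANDS.items():
        if brand in tokens and not (norm == real or norm.endswith("." + real)):
            points += 2
            reasons.append(f"uses {brand} outside {real}")

    if norm.count("-") >= 2:
        points += 1
        reasons.append("multiple hyphens")

    if age <= timedelta(days=7):
        points += 2
        reasons.append("registered within the last week")

    return points, reasons


def worth_review(host: str, registered: str, today: str) -> bool:
    return score(host, registered, today)[0] >= REVIEW_THRESHOLD


if __name__ == "__main__":
    # Constructed sample feed, not real registrations.
    feed = [
        ("c0vid19-who-int-update.com", "2020-03-18"),
        ("coronavirus-tracker.org", "2020-03-14"),
        ("who.int", "1998-01-01"),
        ("example.com", "1995-08-14"),
    ]
    for host, registered in feed:
        print(host, score(host, registered, "2020-03-20"))
```

The substitution flag only fires when a theme word appears after normalisation but not before, so a legitimate name such as covid19.gov is scored on its keyword alone and not penalised for containing digits. In production, derive the registrable domain with a public-suffix list rather than by splitting on dots.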



Here are some of the many email scams that our Malwarebytes threat intelligence team spotted in the wild, with full details on what they say, what they’re lying about, and what types of malware they’re trying to install on your machines.

Impersonating the World Health Organization

Earlier this week, we found an email phishing campaign sent by threat actors impersonating the World Health Organization (WHO), one of the premier scientific resources on COVID-19. That campaign, which pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader. That download is just the first step in a more complex scheme.

GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. FormBook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.

Unfortunately, this GuLoader scam is just one of many in which threat actors posed as WHO professionals as a way to trick victims into downloading malicious attachments.

Agent Tesla Keylogger Campaign

On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an invasive keylogger called Agent Tesla. The keylogger, which experienced a reported 100 percent increase in activity across three months in 2018, can steal a variety of sensitive data.

As cybersecurity researchers at Lastline wrote: “Acting as a fully-functional information stealer, [Agent Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, Facebook, etc.) attacks.”

The Agent Tesla campaign that we tracked on Wednesday involved an email with the subject line:

Covid19″ Latest Tips to stay Immune to Virus !!

The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of “sarah@who.com.” Notice that the sender’s email address ends with “.com” when legitimate WHO email addresses instead end with “.int.” Checking the domain is a useful first test but not a sufficient one: a forged From: header can display a who.int address exactly, so the authentication results (SPF, DKIM, DMARC) recorded by the receiving mail server are the more reliable signal.

The email claims to include a PDF file about “various diets and tips to keep us safe from being effected with the virus.” It is signed by a “Dr. Sarah Hopkins,” a supposed media relations consultant for the WHO.



A quick online search reveals that the WHO has a public website for contacting its media relations representatives, and that none of those representatives is named Sarah Hopkins. Also, note that “Dr. Hopkins” has a phone number that doesn’t work, +1 470 59828. Calling the number from a US-based phone resulted in an error message from the mobile service provider.

The above scam is just one example of an email campaign that both impersonates the WHO and attempts to deliver Agent Tesla.

Agent Tesla Campaign 2

On the same day we found the above-mentioned Agent Tesla scam, we found another that mirrored its tactics and payload.

The second Agent Tesla scam arrives in individuals’ inboxes with the email subject line “World Health Organization/Let’s fight Corona Virus together”.

Savvy readers should spot a flaw. The unnecessary space placed between the words “Corona” and “Virus” mirrors a similar error, an unnecessary hyphen, in the GuLoader scam we’ve seen previously.

The entire body of the email reads verbatim:

    We realise that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we want to take a moment to reassure you that your safety and well-being remains our absolutely top priority.

    Please be assured that our teams are working hard and we are monitoring the situation and developments closely with the health and governmental authorities of all countries we operate in.

    See attached WHO vital information to stay healthy.

    we personally thank you for your understanding and assure you that we will do our utmost to limit disruptions this event brings to your travel plans while keeping your well-being our top priority.

This campaign attempts to trick victims into downloading a fake informational packet on coronavirus, with the file title “COVID-19 WHO RECOMMENDED V.gz.” Instead of receiving trustworthy information, victims are infected with Agent Tesla. The attachment is a worthwhile indicator on its own: a body that promises “vital information” and delivers a .gz archive rather than a document is a mismatch that mail filtering can catch without any knowledge of the payload.

While this campaign does not include as many smoke-and-mirrors tactics, such as a fake media representative and a fake phone number, it can still do serious damage simply by stoking the fears surrounding COVID-19.



NetWire Remote Access Trojan

Finally, we found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT). RATs allow attackers to gain unauthorized access to a machine from a remote location.

These types of Trojans can have devastating effects. If Remote Access Trojan programs are found on a system, it should be assumed that any personal information (which has been accessed on the infected machine) has been compromised. Users should immediately update all usernames and passwords from a clean computer and notify the appropriate system administrator of the potential compromise. Because a RAT can also lift browser session cookies and tokens, active sessions should be signed out everywhere as well, not just passwords changed. They should also monitor credit reports and bank statements carefully over the following months to spot any suspicious activity on financial accounts.

The NetWire campaign included a slapdash combo of a strange email address, an official-looking WHO logo inside the email’s body, and plenty of typos.

Sent from “Dr. Stella Chungong” using the email address “brennan@caesars.com,” the email subject line is “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” The body of the text reads:

To whom it may concern,

Go through the attac=ed document on safety measures regarding the spreading of Corona-virus.

Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties.

Regards.

Dr. Stella Chungong

Specialist whuan=virus-advisory

The litany of misplaced “=” characters should immediately raise red flags for potential victims. These common mistakes show up in a wide variety of malicious email campaigns, as threat actors seem to operate under the mindset of “Send first, spellcheck later.” For defenders there is a more specific lesson: “=” is the escape character of quoted-printable transfer encoding, so stray “=” characters inside words most likely mean the body was assembled by spam tooling that mangled its own encoding, a fingerprint that is easy to match on at the mail gateway.

Other Malspam Campaigns

Most of the coronavirus scams we spotted online are examples of malspam: malicious spam email campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware delivery. Here are a number of malspam campaigns that our threat intelligence team found since March 15.

First up is this strange email titled “RE: Due to outbreak ofCoronavirus,” which arrives in users’ inboxes from the vague sender “Marketing,” with an email address of “info@bcsl.co.ke.” A Google search reveals that bcsl.co.ke appears to point to Boresha Credit Service Limited, a debt collector based in Kenya.



The short email reads:

    Hello,

    We have been instructed by your customer to make this transfer to you.

    we are unable to process your payment as the SWIFT CODE in your bank account information is wrong,

    please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP before bank close.

Again, scrutinizing the details of the email reveals holes in its authenticity.

The email is signed by “Rafhana Khan,” a supposed “Admin Executive” from the United Arab Emirates. The email sender includes this extra bit of info that leads us nowhere: TRN No. 100269864300003.

What is a TRN, and why would it be included? At best, we can assume this is the individual’s “tax registration number,” but think about the last time anyone signed an email with the US equivalent, their tax identification number. You’ve probably never seen that before, right? That’s because tax IDs are meant to be private, and not shared in email signatures. We can assume that the threat actors included this bogus bit of info to add some imaginary credibility. Really, it’s just nonsense. One caveat: a UAE Tax Registration Number is routinely printed on VAT invoices, so on its own it is weak evidence either way; the stronger tell is that a signer who claims to sit in the UAE is writing from a Kenyan debt collector’s domain.

The email’s attached invoice, once again, pushes GuLoader to the potential victim.

HawkEye credential stealer

Another spotted malspam example pushes neither GuLoader nor Agent Tesla. Instead, it tries to trick users into downloading a malware called HawkEye, a credential stealer that has plagued users since at least 2013.

According to the cybersecurity news outlet Security Affairs, HawkEye “is offered for sale on various hacking forums as a keylogger and stealer, [and] it allows to monitor systems and exfiltrate information.”

The HawkEye scam comes packaged in an email with the subject line “CORONA VIRUS CURE FOR CHINA,ITALY” from the alleged sender “DR JINS (CORONA VIRUS).” Again, potential victims receive a short message. The entire email body reads:

    Dear Sir/Ma,

    Kindly read the attached file for your quick remedy on CORONA VIRUS.

The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL.



UK email scam pushing GuLoader

On March 15, we also found an email scam targeting victims in the UK and pushing, yet again, GuLoader. This time, threat actors promised updated statistics on the number of confirmed coronavirus cases in the United Kingdom.

The malicious email comes from the sender “PHE” (presumably meant to read as Public Health England) with the email address paris@mfa.go.ke, which, like one of the examples above, appears to come from Kenya.

Because threat actors have one overplayed tactic in these types of campaigns, putting in low effort, the content of the email is simple and short. The email reads:

    Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom.

    Find out how many cases have been reported near you.

There is no email signature, and not even a greeting. Talk about a lack of email etiquette.

Campaign Targeting Spain

Finally, we found another campaign on March 18 that targets Spanish-speaking victims in Spain. The email, titled “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-19” (“COVID-19 vaccine: prepare the vaccine at home for you and your family to avoid COVID-19”), pushes GuLoader.

The email is signed by “Adriana Erico,” who offers no phone number, but does offer a fax number at 93 784 50 17.
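Every campaign above leaves the same handful of header- and body-level tells: a display name or signature claiming an organisation whose real domain (who.int for the WHO) does not match the sending domain, a pandemic-themed subject, an archive attachment sold as “a PDF” or “the attached document”, and stray “=” characters in the text. As an added example, not the article’s or Malwarebytes’ code, the Python below parses raw messages with the standard library and reports those indicators. The two malicious samples are constructed from details given in the article (the Agent Tesla and NetWire lures) rather than real captures, the clean sample is invented, and the mapping of Public Health England to gov.uk is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Organisations the campaigns impersonate, keyed by the domain they really
# send from, with a pattern for how the lure names them. who.int is stated
# in the article; gov.uk for Public Health England is an assumption.
CLAIMED_ORGS = {
    "who.int": re.compile(r"(?i:world health organi[sz]ation)|\bWHO\b"),
    "gov.uk": re.compile(r"(?i:public health england)|\bPHE\b"),
}
THEME = re.compile(r"covid|corona|wuhan|vaccine|vacuna", re.I)
# Archives and scripts sold as "a PDF" or "the attached document" are the lure.
RISKY_EXT = (".gz", ".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".js", ".vbs")


def triage(raw: str) -> list:
    """Return the indicators found in one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{display} {subject} {body}"

    if THEME.search(subject):
        findings.append("pandemic-themed subject")

    # The lure names an organisation, but the mail comes from someone else's domain.
    for legit, pattern in CLAIMED_ORGS.items():
        under_legit = domain == legit or domain.endswith("." + legit)
        if pattern.search(text) and not under_legit:
            findings.append(f"claims {legit} but sent from {domain or '<none>'}")

    # The attachment contradicts what the body promises.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
        if "pdf" in body.lower() and not name.endswith(".pdf"):
            findings.append(f"body promises a PDF, attachment is {name}")

    # '=' is quoted-printable's escape character; stray ones inside words mean
    # the body was assembled by tooling that mangled its own encoding.
    if re.search(r"[A-Za-z]=[A-Za-z]", body):
        findings.append("quoted-printable artifacts in body")

    return findings


# Constructed from details of the article's Agent Tesla lures; not a real capture.
SAMPLE_AGENT_TESLA = """\
From: "Dr. Sarah Hopkins" <sarah@who.com>
To: victim@example.com
Subject: Covid19" Latest Tips to stay Immune to Virus !!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See the attached PDF for various diets and tips to keep us safe from being effected with the virus.

Dr. Sarah Hopkins
Media Relations Consultant, World Health Organization
--b1
Content-Type: application/octet-stream; name="COVID-19 WHO RECOMMENDED V.gz"
Content-Disposition: attachment; filename="COVID-19 WHO RECOMMENDED V.gz"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed from the article's NetWire lure; the '=' artifacts are reproduced as printed.
SAMPLE_NETWIRE = """\
From: "Dr. Stella Chungong" <brennan@caesars.com>
To: victim@example.com
Subject: SAFETY COVID-19 (Coronavirus Virus) AWARENESS - Safety Measures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

To whom it may concern,
Go through the attac=ed document on safety measures regarding the spreading of Corona-virus.
Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties.
Regards.
Dr. Stella Chungong
Specialist whuan=virus-advisory
--b2
Content-Type: application/octet-stream; name="Safety Measures.gz"
Content-Disposition: attachment; filename="Safety Measures.gz"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

# Invented legitimate message for contrast.
SAMPLE_CLEAN = """\
From: "WHO Media" <media@who.int>
To: victim@example.com
Subject: Situation report 60
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain; charset="us-ascii"

Today's situation report is attached.
--b3
Content-Type: application/pdf; name="sitrep-60.pdf"
Content-Disposition: attachment; filename="sitrep-60.pdf"
Content-Transfer-Encoding: base64

AAAA
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("agent tesla", SAMPLE_AGENT_TESLA),
                       ("netwire", SAMPLE_NETWIRE), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw))
```

The organisation check deliberately looks only at the sending domain; it catches lookalikes such as who.com but not a forged From: header showing who.int itself, which is what the Authentication-Results header (SPF, DKIM, DMARC) is for. Treat a non-empty findings list as a reason to quarantine for review, not as proof of malice on its own.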

Protect Yourself

Threat actors are always looking for the next crisis to leverage for their own attacks. For them, coronavirus presents a near-perfect storm. Legitimate confusion about accurate confirmed cases, testing availability, and best practices during social distancing makes for a fearful public, hungry for answers anywhere.

The best places for information are the WHO and the US Centers for Disease Control and Prevention (CDC). You can find updated statistics about confirmed COVID-19 cases in the WHO’s daily situation reports. You can also find information on coronavirus myths at the WHO’s Myth Busters webpage, along with its Q&A page. The same rule applies to email: go to who.int or cdc.gov directly rather than following a link or opening an attachment that claims to come from them.

This is difficult, this is new, and for many of us, it presents a life-altering shift. It’s important to consider that, right now, banding together as a global community is our best shot at beating this. That advice extends to the online world, too.



While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user decompiled the malicious app and posted the universal passcode to defeat the ransomware. The passcode was then shared on Twitter for everyone to use. The episode is also a reminder of a design weakness worth checking for in any lock-screen “ransomware”: if the unlock code is hard-coded in the binary rather than held by the attacker, it can simply be read out of the app.

About the Author

David Ruiz is a writer and reporter for Malwarebytes Labs, an online blog about cybersecurity, online privacy, hackers, data breaches, and digital rights. David primarily covers online and data privacy issues, along with US and global regulation. David can be found on Twitter @davidalruiz and at https://blog.malwarebytes.com/author/davidruiz/



WatchGuard’s RSA Conference 2020 Recap

By Marc Laliberte – Sr. Security Analyst, WatchGuard Technologies

Every year, tens of thousands of IT and information security professionals gather at Moscone Center in downtown San Francisco to take in the latest security trends and technology from hundreds of exhibitors and speakers at RSA Conference. In just a few short days, it’s almost impossible to see and learn everything a conference of this magnitude has to offer, but I did my very best.

Here’s a brief recap of several key happenings, trends and takeaways from my time at RSA Conference 2020:

COVID-19 Concerns Were Front and Center

Taking place amid the growing global unease over the spread of COVID-19, the show went on as planned despite the fact that big industry names like IBM, AT&T and Verizon pulled out of the conference and banned their employees from attending entirely. With the specter of a global pandemic hanging overhead, many attendees practiced heightened, borderline obsessive personal hygiene and settled for distanced hand waves in lieu of handshakes as we walked the expo floor and attended various sessions discussing the latest security trends, threats, technologies and best practices. It’s still early, but very clear at this point that we’re only just beginning to get a sense of how this outbreak will impact the security industry itself and the world at large.



A Focus on The Human Element in Security

This year’s theme was “The Human Element,” a fitting premise given that individuals play just as

important a role in securing the digital world (or failing to) as any emerging technology, vendor product

or service, or new research finding. The RSA Conference opening keynote addresses played to the

theme by calling for changes to better harness the strengths and potential of the human behind the

computer.

RSA President Rohit Ghai advocated that a shift toward publicly celebrating cybersecurity wins, instead

of only focusing on cybersecurity losses or failures will help inspire security professionals and move the

industry forward. Wendy Nather, head of advisory CISOs at Cisco’s DUO Security, followed up with calls

to democratize security with the goal of enabling buy-in and personal ownership of security from end

users. Almost everywhere you went at RSA Conference this year, the human element of security was a

topic of discussion.

The Cryptographers’ Panel

Rounding out the opening keynotes was a staple of RSA Conference – the Cryptographers’ Panel, where

several prominent cryptography and security experts took the stage to answer questions about a wide

range of industry topics. They covered problems with facial recognition, increasingly popular “right to be

forgotten” laws and much more. The panelists didn’t always come to the same conclusions, but all agreed

that there are realistic concerns with advanced technology like AI and Machine Learning that will need to

be resolved before these tools become more widely adopted.

IoT Security Insights

Beyond the human element, Internet of Things (IoT) security was a major trend across speaking sessions

throughout the week. From securing healthcare IoT products to creating baseline IoT security standards,

adoption and security concerns continue to grow worldwide in this slice of the industry. In one talk late in

the week, Gary Hayslip of SoftBank Investment Advisers used his previous experience as CISO of the

city of San Diego to discuss the concerns of deploying IoT and other technologies in smart cities, covering

topics like increased complexity, patch deployment issues and limited security budgets leading to the rise

in breaches impacting municipalities in recent years.

Privacy Considerations

Privacy was another major focus at RSA Conference 2020. I saw Daniel Ayoub and Dean Winert of

Lexis Nexis Risk Solutions present fascinating research on web browser fingerprinting and its privacy

and security implications. They started and ended their session by weighing the benefits of browser

fingerprinting in fraud prevention against the drawbacks (which I personally found enlightening as digital

privacy has always been a passion of mine). Daniel and Dean made several good points about the benefits of identifying anomalies in metadata from user authentications to identify potential account compromises that could give credit to keeping the privacy-invading information available to websites.

When all was said and done, this year’s RSA Conference squeaked through right before San Francisco

enacted a ban on events at city-owned facilities like the Moscone Center. Even though the event was

overshadowed at times by concerns about the spread of COVID-19, the content and takeaways from it

were compelling and quite important for industry participants to consider in today’s threat landscape. IoT

adoption continues to skyrocket, bringing with it increasing security risks for organizations. The tradeoffs

between privacy and security are still very much open to discussion and debate. And of course, the

humans responsible for addressing these challenges and improving our collective security aren’t going

anywhere.

About the Author

Marc Laliberte is a Senior Security Analyst at WatchGuard Technologies.

Specializing in networking security protocols and Internet of Things

technologies, Marc’s day-to-day responsibilities include researching and

reporting on the latest information security threats and trends. He has

discovered, analyzed, responsibly disclosed and reported on numerous

security vulnerabilities in a variety of Internet of Things devices since

joining the WatchGuard team in 2012. With speaking appearances at

industry events including RSA and regular contributions to online IT,

technology and security publications, Marc is a thought leader who

provides insightful security guidance to all levels of IT personnel.

Marc can be reached online at @XORRO or via http://www.watchguard.com.



Cyber Leads Global Business Risks for First Time: Allianz

Risk Barometer 2020

By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz Global

Corporate & Specialty

For the first time ever, Cyber incidents (39% of responses) ranks as the most important business risk

globally in the ninth Allianz Risk Barometer 2020, relegating perennial top peril Business Interruption (BI)

(37% of responses) to second place. Awareness of cyber threats has grown rapidly in recent years, driven

by companies increasing reliance on data and IT systems and a number of high-profile incidents. Seven

years ago, cyber ranked 15th with just 6% of responses.

The annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS)

incorporates the views of a record 2,718 experts in over 100 countries, including CEOs, risk managers,

brokers and insurance experts.

Here are some of the reasons why cyber has overtaken the top spot and is likely to remain a leading

business risk for the foreseeable future.

Data breaches larger and more expensive

As companies collect and use ever greater volumes of personal data, data breaches are becoming larger

and costlier. In particular, so-called mega data breaches (involving more than one million records) are

more frequent and expensive. In July 2019, Capital One revealed it had been hit by one of the largest



ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach

is by no means the largest in recent years.

Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to

have involved the personal data of over 300 million and 140 million customers respectively. Both

companies faced numerous lawsuits and regulatory actions in multiple jurisdictions – the UK’s data

protection regulator intends to fine Marriott $130mn for the breach, among the earliest and largest fines

under the EU’s new privacy laws to date.

The General Data Protection Regulation (GDPR) rules that came into force across Europe in 2018 will

likely bring further fines in 2020. The European Data Protection Board (EDPB) released a preliminary

report stating that of the 206,326 cases reported under the GDPR across 31 countries in the first nine

months of its implementation, the national data protection agencies had only resolved around 50% of

them.

A mega breach now costs an average of $42mn, according to the Ponemon Institute, an increase of

nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn

(11% higher than in 2018).

Ransomware brings increasing losses

According to the EU’s law enforcement agency, Europol, ransomware is the most prominent cyber crime

threat.

Already high in frequency, incidents are becoming more damaging, increasingly targeting large

companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware

demand would have been in the tens of thousands of dollars. Now they can be in the millions. The

consequences of an attack can be crippling, especially for organizations that rely on data to provide

products and services.

Extortion demands are just one part of the picture. Business interruption brings the most severe losses

from ransomware attacks, and in some cases ransomware is a smoke screen for the real target, such as

the theft of personal data. Industrial and manufacturing firms are increasingly targeted but losses tend to

be highest for law firms, consultants and architects, for which IT systems and data are their lifeblood.

BEC attacks result in billion-dollar fraud

Business email compromise (BEC) – or spoofing – attacks are increasing in frequency. BEC incidents have

resulted in worldwide losses of at least $26bn since 2016 according to the FBI in the US.

Such attacks typically involve social engineering and phishing emails to dupe employees or senior

management into revealing login credentials or to make fraudulent transactions.



Litigation prospects rising

Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected

consumers, business partners and investors. When they do, legal expenses can add substantially to the

cost.

Data breach litigation in the US is a developing situation. A number of large breaches have triggered

class actions by consumers or investors. Outside the US, a number of countries have expanded group

action litigation rights. For example, in Europe, the GDPR makes it easier for victims of a data or privacy

breach to seek legal redress.

In addition, claimant law firms and litigation funders are actively looking to bring class actions for data

breaches in Europe and elsewhere – a class action against British Airways following its 2018 data breach

was recently given the go-ahead in the UK courts. Consumer groups are also looking to test the GDPR

and challenge some organizations’ interpretation of the new law.

M&A can bring cyber issues

Cyber exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data

breaches. For example, the 2018 Marriott breach was traced to an intrusion in 2014 at Starwood, a hotel

group it acquired in 2016.

Even the best protected companies will be exposed if they acquire a company with weak cyber security

or existing vulnerabilities. The acquiring firm could be liable for any damage from incidents which predate

the merger.

Ultimately, considering potential cyber vulnerabilities and exposures needs to become a higher priority

for businesses during M&A, as many companies are not doing enough due diligence in this area. At the

same time, once a deal has been completed many companies do not address any weaknesses in

acquired systems quickly enough.

Political factors play out in cyber space

The involvement of nation states in cyber-attacks is an increasing risk for companies, which are being

targeted for intellectual property or by groups intent on causing disruption or physical damage. For

example, growing tensions in the Middle East have seen international shipping targeted by spoofing

attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware

campaigns.

Sophisticated attack techniques and malware may also be filtering down to cyber criminals while nation

state involvement is providing increased funding to hackers. Even where companies are not directly

targeted, state-backed cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack

primarily targeted Ukraine but quickly spread around the world.



Risk mitigation

Preparation and training are the most effective forms of mitigation and can significantly reduce the

likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be

mitigated by training, especially in areas like phishing and business email compromise, which are among

the most common forms of cyber-attack.

Training could also help mitigate ransomware attacks, although maintaining secure backups can also

limit the damage from such incidents. Business resilience and business continuity planning are also key

to reducing the impact of a cyber incident, although response plans need to be tested, practiced and

regularly reviewed.

More information on the Allianz Risk Barometer 2020 is available here:

• Top 10 global business risks

• Full report

• Individual country and industry sector results

About the Author

Kelly B. Castriotta is the Regional Head of Product Development in

North America for Financial Lines at Allianz Global Corporate & Specialty.

Ms. Castriotta develops new products for all Financial Lines in North

America, including cyber, directors and officers liability and all

professional liability offerings. Most recently, Ms. Castriotta led the

company’s initiative to address non-affirmative cyber across nearly 100

discrete product lines.

She can be reached online at https://www.agcs.allianz.com/



Facebook’s $550 Million Settlement: A Warning to

Companies Collecting Biometric Data

Facebook’s significant settlement could incite future class action lawsuits, further emphasizing the need

for companies to comply with biometric privacy laws.

By Billee Elliott McAuliffe, Member, Lewis Rice

Thanks to a class action suit filed against Facebook under the Illinois Biometric Information Privacy Act

(BIPA), Facebook users in Illinois may receive part of a $550 million settlement. The settlement

compensates users for Facebook’s utilization of facial recognition technology known as “tagging” without

the user’s consent. If approved by the California district court, this settlement could spur others to bring

similar lawsuits, putting businesses throughout the country at risk.

So, what are biometrics and biometric privacy? Biometrics is the measurement and analysis of unique

physical or behavioral characteristics, such as fingerprints or voice patterns, especially as a means of

verifying personal identity. Hence, biometric privacy is an individual’s right to keep his or her biometric

information private and to control how that information is collected and used by third parties.

Biometric privacy laws, including BIPA, are like many new privacy laws that have been promulgated over the

last few years. All are informed consent laws, which generally require third parties gathering the biometric

data, including fingerprints, facial scans, retina scans, DNA, gait analysis or voice recordings, to provide

notice of their collection and use, the reason for the use, and how the data will be destroyed. Additionally,

third parties must obtain permission from individuals to use their biometric information. Failure to provide

both notice and control could result in liability for the data collector and users.

In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court ruled the mere failure to

comply with statutory requirements of BIPA by any entity that collects, maintains, stores or transfers

biometric data is enough injury to allow the affected consumers to sue for damages and injunctive relief.

This means no data breach, wrongful disclosure or actual injury to the consumer is required for a business

to be subject to civil liability under BIPA.



To avoid potential liability, all businesses handling information subject to BIPA should review their

policies, procedures and methods for collecting, using, storing and protecting biometric data.

And it is not just Illinois companies that need to comply. In Patel v. Facebook, the case resulting in the

$550 million settlement, Facebook argued that if any BIPA violations did occur, they did not primarily

occur in Illinois, as Facebook’s servers are located in California. However, the California federal district

court hearing the case disagreed, suggesting that a consumer’s mere use of Facebook in the State of

Illinois was enough to make BIPA applicable. This extraterritorial holding in Patel, along

with Rosenbach’s ruling that statutory non-compliance is sufficient injury to bring suit, means all entities

must be aware of these laws and the restrictions on the use of biometrics.

In order to ensure compliance with BIPA, every business should audit its operations to understand if it

collects or uses any biometric data through systems such as time clocks that require fingerprints, security

access systems utilizing palm prints or facial recognition, or even surveys gathering biometric data for a

wellness program. If your business does collect or use biometric information, then it must determine

whether it is protected under any biometric privacy law.

While Illinois’ BIPA was the first and remains the most robust, Texas and Washington also have specific

biometric privacy statutes. Additionally, many states include biometric information within their data breach

notifications and other privacy and employee protection statutes. Certain biometric data is also protected

under the federal Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information

Nondiscrimination Act (GINA) and the Fair Credit Reporting Act (FCRA), which imposes requirements

and restrictions on employers conducting background checks.

Unfortunately, as with many other privacy laws, the types of biometrics that are protected and the

requirements that must be implemented are different under each law. Therefore, understanding what is

protected and the steps that must be taken to ensure full compliance may require a consultation with

legal counsel.

After the business has determined what laws apply and the requirements of those laws, it will need to

review and appropriately revise its policies, procedures, and methods of collecting, using, storing and

protecting biometric information. Generally, revisions include giving notice to individuals, obtaining their

consent for the collection and use of their data, and including documented retention schedules and

guidelines for the destruction of the information.

The Facebook settlement shows that failure to comply with biometric privacy laws can result in substantial

liability for companies. Under Illinois’ BIPA, individuals can receive more than $1,000 for negligent

violations or $5,000 for intentional violations. Under Texas’ Capture or Use of Biometric Identifier Act

(CUBI), violations could result in civil penalties of up to $25,000 per violation. In Washington, the attorney

general has the right to seek up to $500,000.

Because these lawsuits can be quite costly, businesses must review the information they collect and

determine if any actions need to be taken to comply with biometric privacy laws. If they don’t, they may

get “tagged” like Facebook.



About the Author

Billee Elliott McAuliffe is a member of Lewis Rice practicing in the firm’s

corporate department. Although she focuses on information technology,

Billee also has extensive experience in corporate law, including

technology licensing, cybersecurity and data privacy, and mergers and

acquisitions. She is a member of the American Bar Association and the

Bar Association of Metropolitan St. Louis. Billee can be reached online at

bmcauliffe@lewisrice.com and at https://www.lewisrice.com/.



How to Avoid Being Breached In 2020

By Randy Reiter, CEO of Don’t Be Breached

Recent Data Breaches Disclosed in 2020

In February 2020, the United States Department of Defense (DOD) disclosed a data breach that occurred

at its IT and telecom agency the Defense Information Systems Agency (DISA). DISA does the IT and

telecommunications support for the White House, diplomats and military troops. The breach exposed

Personally Identifiable Information (PII) of its employees between May and July 2019. DISA has about

8,000 civilian and military employees. The employee personal information breached is believed to include

social security numbers.

Other major 2020 data breaches include:

• January, 2020. Wawa, which has 850 US convenience stores, reported that Hackers put up the

payment card details of more than 30 million Wawa customers for sale on Joker’s Stash on the

Dark Web where cyber criminals buy and sell payment card data.

• January, 2020. 250 million Microsoft "Customer Service and Support" (CSS) records were

exposed online. The leaked database contained data on customers including their email

addresses, IP addresses, locations, case numbers and internal notes marked confidential.

Hackers potentially could try to trick users into paying for support solutions by impersonating

Microsoft support representatives.



• March, 2020. UK telecommunications provider Virgin Media reported that the personal

information of 900,000 customers was exposed in a data breach. Customer names, home

addresses, email addresses, phone numbers and date of birth were leaked.

• March, 2020. US telecom giant T-Mobile suffered another data breach. Hackers gained

unauthorized access to sensitive information on customers and employees.

How to Protect Confidential Database Data from Insider Threats and Hackers?

Confidential database data includes: credit card, tax ID, medical, social media, corporate, manufacturing,

law enforcement, defense, homeland security and public utility data. This data is almost always stored in

Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP Hana, SQL Server

and Sybase databases. Once inside the security perimeter a Hacker or Rogue Insider can use commonly

installed database utilities to steal confidential database data.

Non-intrusive network sniffing can capture and analyze the normal database query and SQL activity from

a network tap or proxy server with no impact on the database server. This SQL activity is very predictable.

Database servers servicing 10,000 end-users typically process daily 2,000 to 10,000 unique query or

SQL commands that run millions of times a day.

Advanced SQL Behavioral Analysis of Database Query and SQL Activity

Advanced SQL Behavioral Analysis of the database SQL activity can learn what the normal database activity is. Then, from a network tap or proxy server, the database query and SQL activity can be non-intrusively monitored in real time and non-normal SQL activity immediately identified. Non-normal SQL activity from Hackers or Rogue Insiders can be detected in a few milliseconds. The Hacker or Rogue Insider database session can be immediately terminated and the Security Team notified so that confidential database data is not stolen.

Advanced SQL Behavioral Analysis of the query activity can go even further and learn the maximum

amount of data queried plus the IP addresses all queries were submitted from for each of the 2,000 to

10,000 unique SQL queries sent to a database. This type of data protection can detect never before

observed query activity, queries sent from a never observed IP address and queries sending more data

to an IP address than the query has ever sent before. This allows real-time detection of Hackers and

Rogue Insiders attempting to steal confidential web site database data. Once detected the security team

can be notified within a few milliseconds so that a data breach is prevented.
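As an added illustration of the learn-then-compare approach described above (this is example code written for this edition, not code from the Database Cyber Security Guard product or from Sql Power Tools), the following Python sketch normalizes captured SQL statements so that the same query with different parameter values maps to one "unique query", learns the maximum rows returned and the set of submitting IP addresses per unique query, and then flags live statements that were never seen, arrive from a new address, or return more data than ever observed. The query log records and IP addresses are constructed sample data; the field names and thresholds are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed example: learn a baseline of "normal" SQL activity from a
# query log captured at a tap or proxy, then flag live statements that
# deviate from it. Field names are assumptions, not a real product's schema.


@dataclass
class QueryEvent:
    src_ip: str   # address the statement was submitted from
    sql: str      # statement text as captured off the wire
    rows: int     # rows returned to the client


_STRING_LIT = re.compile(r"'(?:[^']|'')*'")      # 'open', 'O''Brien'
_NUM_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")      # 42, 3.14
_WS = re.compile(r"\s+")


def normalize_sql(sql: str) -> str:
    """Replace literals with '?' and fold whitespace and case, so that
    WHERE id = 42 and WHERE id = 917 become the same unique query."""
    s = _STRING_LIT.sub("?", sql)
    s = _NUM_LIT.sub("?", s)
    return _WS.sub(" ", s).strip().lower()


@dataclass
class QueryProfile:
    max_rows: int = 0                               # most rows ever returned
    src_ips: set = field(default_factory=set)       # addresses seen submitting it


class SqlBaseline:
    """Per-unique-query profile learned from observed traffic."""

    def __init__(self) -> None:
        self.profiles: dict[str, QueryProfile] = {}

    def learn(self, events) -> None:
        for ev in events:
            p = self.profiles.setdefault(normalize_sql(ev.sql), QueryProfile())
            p.max_rows = max(p.max_rows, ev.rows)
            p.src_ips.add(ev.src_ip)

    def check(self, ev: QueryEvent) -> list[str]:
        """Return the reasons an event is non-normal (empty list = normal)."""
        profile = self.profiles.get(normalize_sql(ev.sql))
        if profile is None:
            return ["never_seen_query"]
        reasons = []
        if ev.src_ip not in profile.src_ips:
            reasons.append("new_source_ip")
        if ev.rows > profile.max_rows:
            reasons.append("rows_exceed_baseline")
        return reasons


# Constructed training traffic (private-range addresses, made-up schema).
TRAINING_EVENTS = [
    QueryEvent("10.0.1.5", "SELECT name, email FROM customers WHERE id = 42", 1),
    QueryEvent("10.0.1.5", "SELECT name, email FROM customers WHERE id = 917", 1),
    QueryEvent("10.0.1.6", "SELECT name, email FROM customers WHERE id = 3", 1),
    QueryEvent("10.0.2.9", "SELECT id, total FROM orders WHERE customer_id = 42 AND status = 'open'", 12),
    QueryEvent("10.0.2.9", "SELECT id, total FROM orders WHERE customer_id = 7 AND status = 'open'", 40),
]

# Constructed live traffic: one normal statement and three deviations.
LIVE_EVENTS = [
    QueryEvent("10.0.1.5", "SELECT name, email FROM customers WHERE id = 500", 1),
    QueryEvent("10.0.1.5", "SELECT name, email FROM customers WHERE id > 0", 250000),
    QueryEvent("192.168.77.3", "SELECT id, total FROM orders WHERE customer_id = 42 AND status = 'open'", 12),
    QueryEvent("10.0.2.9", "SELECT id, total FROM orders WHERE customer_id = 1 AND status = 'closed'", 900),
]


def run_demo() -> list[tuple[str, list[str]]]:
    """Learn from TRAINING_EVENTS and return (src_ip, reasons) for each
    live event that deviates from the baseline."""
    baseline = SqlBaseline()
    baseline.learn(TRAINING_EVENTS)
    alerts = []
    for ev in LIVE_EVENTS:
        reasons = baseline.check(ev)
        if reasons:
            alerts.append((ev.src_ip, reasons))
    return alerts


if __name__ == "__main__":
    for ip, why in run_demo():
        print(f"ALERT from {ip}: {', '.join(why)}")
```

The second live statement changes the predicate shape (`id > 0` instead of `id = ?`), so it lands on a key the baseline has never seen and is flagged before its 250,000-row result is even considered; in a real deployment the learning window has to be long enough to cover periodic jobs, or month-end reports would show up as "never seen" too.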



About the Author

Randy Reiter is the CEO of Don’t Be Breached, a Sql Power Tools

company. He is the architect of the Database Cyber Security Guard

product, a database data breach prevention product for Informix,

MariaDB, Microsoft SQL Server, MySQL, Oracle and Sybase databases.

He has a Master’s Degree in Computer Science and has worked

extensively over the past 25 years with real-time network sniffing and

database security. Randy can be reached online at

rreiter@DontBeBreached.com, www.DontBeBreached.com and www.SqlPower.com/Cyber-Attacks.



What You Need to Know About DDoS Weapons Today

By Ahmad Nassiri, Security Solutions Architect at A10 Networks

A DDoS attack can bring down almost any website or online service. The premise is simple: using an

infected botnet to target and overwhelm vulnerable servers with massive traffic. Twenty years after its

introduction, DDoS remains as effective as ever—and continues to grow in frequency, intensity, and

sophistication. That makes DDoS defense a top cybersecurity priority for every organization. The first

step: understanding the threat you face.

To help organizations take a proactive approach to DDoS defense, A10 Networks recently published a

report on the current DDoS landscape, including the weapons being used, the locations where attacks

are being launched, the services being exploited, and the methods hackers are using to maximize the

damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study

provides timely, in-depth threat intelligence to inform your defense strategy.

Here are a few of our key findings.



Reflected Amplification Takes DDoS to the Next Level

The SNMP and SSDP protocols have long been top sources for DDoS attacks, and this trend continued

in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. But in

an alarming development, WS-Discovery attacks have risen sharply, to nearly 800,000, to become the

third most common source of DDoS. The shift is due in part to the growing popularity of attacks using

misconfigured IoT devices to amplify an attack.

In this key innovation, known as reflected amplification, hackers are turning their attention to the

exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to

support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based communications

protocol used to automatically discover web-connected services. Critically, WS-Discovery does not

perform IP source validation, making it a simple matter for attackers to spoof the victim’s IP address, at

which point the victim will be deluged with data from nearby IoT devices.

With over 800,000 WS-Discovery hosts available for exploitation, reflected amplification has proven highly

effective—with observed amplification of up to 95x. Reflected amplification attacks have reached record-setting

scale, such as the 1.3 Tbps Memcached-based GitHub attack, and account for the majority of

DDoS attacks. They’re also highly challenging to defend; only 46 percent of attacks respond on port 3702

as expected, while 54 percent respond over high ports. Most of the discovered inventory to date has

been found in Vietnam, Brazil, United States, the Republic of Korea, and China.
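As an added example (not from the A10 Networks report), the following Python code shows one way a defender can spot inbound WS-Discovery reflection in exported flow records: UDP fan-in from many distinct sources onto a single monitored host, with the share of flows sourced from UDP 3702 reported separately, because, as noted above, more than half of responders answer from high ports and a port-only match would miss them. The flow records, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702  # UDP port WS-Discovery responders are expected to answer from


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a router or tap would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


def detect_udp_reflection(flows, monitored_hosts, min_sources=5, min_bytes=100_000):
    """Return {victim_ip: summary} for monitored hosts that receive UDP from
    at least `min_sources` distinct addresses totalling `min_bytes` or more.
    `wsd_port_share` is the fraction of those flows sourced from UDP 3702;
    reflectors answering from high ports still count toward the fan-in."""
    inbound = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dst_ip in monitored_hosts:
            inbound[f.dst_ip].append(f)
    alerts = {}
    for victim, fl in inbound.items():
        sources = {f.src_ip for f in fl}
        total_bytes = sum(f.bytes for f in fl)
        if len(sources) < min_sources or total_bytes < min_bytes:
            continue
        from_wsd = sum(1 for f in fl if f.src_port == WSD_PORT)
        alerts[victim] = {
            "distinct_sources": len(sources),
            "total_bytes": total_bytes,
            # large average datagrams are typical of amplified responses
            "avg_packet_bytes": total_bytes // sum(f.packets for f in fl),
            "wsd_port_share": round(from_wsd / len(fl), 2),
        }
    return alerts


MONITORED_HOSTS = {"203.0.113.10", "203.0.113.20"}  # constructed "our" addresses

# Constructed flow records: nine reflectors hitting one host, plus a benign
# DNS exchange for a second host. Sizes and counts are illustrative only.
SAMPLE_FLOWS = (
    # five reflectors answering from the expected port 3702
    [Flow(f"192.0.2.{i}", WSD_PORT, "203.0.113.10", 80, "udp", 45_000, 30) for i in range(1, 6)]
    # four reflectors answering from high ports
    + [Flow(f"198.51.100.{i}", 49_000 + i, "203.0.113.10", 80, "udp", 40_000, 28) for i in range(1, 5)]
    # benign DNS query/response for the second monitored host
    + [Flow("198.51.100.53", 53, "203.0.113.20", 51_234, "udp", 600, 2),
       Flow("203.0.113.20", 51_234, "198.51.100.53", 53, "udp", 120, 2)]
)


def run_demo():
    """Run the detector over the constructed records."""
    return detect_udp_reflection(SAMPLE_FLOWS, MONITORED_HOSTS)


if __name__ == "__main__":
    for victim, summary in run_demo().items():
        print(victim, summary)
```

Only the first host is reported: nine distinct sources and 385,000 bytes, just over half of it from port 3702. The single-source DNS exchange never reaches the fan-in threshold, which is the point of keying on distinct sources rather than on bytes alone.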

DDoS is Going Mobile

Unlike more stealthy exploits, DDoS attacks are loud and overt, allowing defenders to detect their launch

point. While these weapons are globally distributed, the greatest number of attacks originate in countries

with the greatest density in internet connectivity, including China, the United States, and the Republic of

Korea.

A10 Networks has also tracked the hosting of DDoS weapons by autonomous system numbers (ASNs),

or collections of IP address ranges under the control of a single company or government. With the

exception of the United States, the top ASNs hosting DDoS weapons track closely with the countries

hosting the majority of attacks, including Chinanet, Guangdong Mobile Communication Co. Ltd., and

Korea Telecom.

In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the

end of 2019. In fact, the top reflected amplified source detected was Guangdong Mobile Communication

Co. Ltd., with Brazilian mobile company Claro S.A. the top source of malware-infected drones.



The Worst is Yet to Come

With IoT devices coming online at a rate of 127 per second and accelerating, hackers are poised to enter

a golden age of possibilities. In fact, new strains of DDoS malware in the Mirai family are already targeting

Linux-powered IoT devices—and they’ll only increase as 5G brings massive increases in network speed

and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever

for any bad actor to launch a lethal targeted attack.

The A10 Networks report makes clear the importance of a complete DDoS defense strategy. Businesses

and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat

detection, to defend against DDoS attacks no matter where they originate. Methods such as automated

signature extraction and blacklists of the IP addresses of DDoS botnets and available vulnerable servers

can help organizations proactively defend themselves even before an attack starts.

For additional insight, including the top IoT port searches and reflector searches performed by attackers,

download the complete A10 Networks report, “Q4 2019: The State of DDoS Weapons,” and see the

accompanying infographic, “DDoS Weapons & Attack Vectors.”

About the Author

Ahmad Nassiri is the security solutions architect for A10 Networks’

Eastern region. Nassiri is responsible for supporting pre-sales efforts of

A10 Networks’ security solutions portfolio. He is also focused on

providing visibility to market, trends and developments within the

security field to help A10 Networks expand its security solutions

offering. Before joining A10 Networks, Nassiri was a systems engineer

at Arbor Networks, focused on network security and monitoring solutions for global networks. In this role,

he assisted with the pre- and post-sales engineering support for Arbor’s service provider-focused account

teams. Nassiri has also held sales/systems security engineering roles with Verisign’s Network

Intelligence and Availability (NIA) division. During his tenure, he was focused on security intelligence,

cloud-based DDoS protection, and managed DNS services. Earlier, he held numerous security and

engineering roles with BT Global Services.

Ahmad can be reached online at (anassiri@a10networks.com) and at our company website

https://www.a10networks.com/



Better Network Visibility: Removing the Security Blindfold

By Cary Wright, VP Product Management, Endace

Recent research shows that enterprise teams are very concerned about the ability to protect their networks from cyber threats. Concerns run the gamut: insufficient insight into network activity, lack of integration between security tools, inability to respond to threats quickly enough, resource constraints, and obsolete solutions. Enterprises are frustrated with existing security solutions that don’t provide sufficient visibility, agility and economic efficiency. This article is the first of a three-part series from Endace, and looks at the issue of network visibility.

Without the right tools in place, detection and resolution of security events is cumbersome and often inconclusive. Lacking sufficient visibility into network activity, organizations are left vulnerable.

A recent enterprise survey conducted by Enterprise Management Associates reveals that only 31% of incursions were identified and stopped at the earliest two stages of the Lockheed Martin Kill Chain model. This indicates that most threats proceed to the dangerous exploitation phase. A key reason for being unable to stop a compromise early enough is the overflowing backlog of issues that are never investigated. 89% of enterprises surveyed by ViB say a lack of visibility into network activity prevents them from reacting promptly, with confidence.

At first glance, you might think lack of network visibility is caused by a lack of data. But the issue often isn’t a lack of data, but an inability to correlate the data collected in order to provide useful insights. It’s like trying to assemble a collection of scattered jigsaw puzzle pieces when you don’t have a picture of the final result. Enterprise teams are overwhelmed by the sheer volume of data to analyze from multiple, disparate sources: log files, SNMP traps, monitoring tools, etc. Often this data is scattered across the infrastructure, hard to correlate, and incomplete because of blind spots in network coverage, which make seeing the full context of security threats difficult or impossible.



When teams efficiently collate data sources to provide full context around detected issues, then data becomes “actionable information” used to investigate and resolve problems quickly and accurately. Network metadata and full-packet capture data together give teams the perfect combination of evidence for investigating and resolving security threats.

Network metadata delivers a summary of activity across your infrastructure that provides insight into the behavior of users, devices, applications and threats. This summary can be easily stored and correlated with other data sources from endpoints, applications, AAA, firewall logs and other key elements. Having diverse datasets in one place helps investigators triangulate on potential issues rapidly. Since all this is a summary of what happened, access to full packet data is often needed to confidently understand the breadth of a security event. Fortunately, metadata provides an index into full packet capture data that enables teams to quickly and accurately reconstruct events, in context, to see exactly what has occurred and respond at once.

This combination of network metadata with full packet history facilitates quick and confident investigations and threat resolutions. Analysts can query and mine the metadata, then quickly get definitive evidence by drilling down to the packets. The combination of network metadata and packet data also provides the all-important context for data from other sources – such as log files and alerts from monitoring – by providing a timeline and record of affected hosts against which these data sources can be correlated easily.
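As an added example (not Endace's code), the metadata-as-index idea from the paragraphs above in Python: flow records built from constructed packets carry timestamps and pcap offsets, so an alert from another data source (an affected host plus a time window) pivots straight to the packets that matter without scanning the whole capture. All packet data, the alert line and the function names are assumptions.

```python
"""Added example, not Endace's code: flow metadata built from captured packets,
used as an index to pivot from a log alert straight to the relevant packets.
Packets and the alert line below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float      # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int
    offset: int    # byte offset of the packet in the (hypothetical) pcap file


@dataclass
class FlowRecord:
    """Metadata summary of one bidirectional flow plus pointers back to its packets."""
    key: tuple
    first_ts: float
    last_ts: float
    packets: int = 0
    bytes: int = 0
    # (timestamp, pcap offset) of every packet in the flow: the index into full capture
    locations: list = field(default_factory=list)

    def hosts(self):
        return {self.key[0][0], self.key[1][0]}


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a conversation share one record."""
    endpoints = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (endpoints[0], endpoints[1], p.proto)


def build_flow_index(packets):
    """Summarise packets into per-flow metadata that remembers where each packet lives."""
    flows = {}
    for p in packets:
        key = flow_key(p)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(key, p.ts, p.ts)
        rec.first_ts = min(rec.first_ts, p.ts)
        rec.last_ts = max(rec.last_ts, p.ts)
        rec.packets += 1
        rec.bytes += p.length
        rec.locations.append((p.ts, p.offset))
    return flows


def parse_alert(line):
    """Parse a constructed 'key=value' alert line from another source (e.g. a firewall log)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return fields["host"], float(fields["start"]), float(fields["end"])


def pivot_to_packets(flows, host, start_ts, end_ts):
    """Return pcap offsets of every packet involving `host` inside the time window,
    located through the metadata rather than by reading the whole capture."""
    hits = []
    for rec in flows.values():
        if host not in rec.hosts():
            continue
        if rec.last_ts < start_ts or rec.first_ts > end_ts:
            continue  # flow entirely outside the window: skip without touching packets
        hits.extend(off for ts, off in rec.locations if start_ts <= ts <= end_ts)
    return sorted(hits)


# Constructed sample capture (timestamps, addresses and offsets are made up).
PACKETS = [
    Packet(100.0, "10.0.0.5", "203.0.113.7", 51000, 443, "tcp", 60, 0),
    Packet(100.5, "203.0.113.7", "10.0.0.5", 443, 51000, "tcp", 1200, 60),
    Packet(100.8, "10.0.0.9", "203.0.113.7", 51001, 443, "tcp", 60, 1260),
    Packet(101.0, "10.0.0.5", "203.0.113.7", 51000, 443, "tcp", 80, 1320),
    Packet(300.0, "10.0.0.9", "198.51.100.2", 40000, 53, "udp", 70, 1400),
]
# Constructed alert from a separate source, e.g. an IDS or firewall log.
ALERT = "alert=suspicious-tls host=10.0.0.5 start=99.5 end=100.7"


def investigate(packets=PACKETS, alert=ALERT):
    """Alert in, list of pcap offsets to pull for the analyst out."""
    flows = build_flow_index(packets)
    host, start, end = parse_alert(alert)
    return pivot_to_packets(flows, host, start, end)


if __name__ == "__main__":
    print(investigate())  # [0, 60]
```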

Access to the right data at the right time with the combination of metadata and full packet capture facilitates end-to-end visibility, and enables enterprises to detect, triage, investigate and respond to threats and incidents with speed, certainty and confidence. It lets teams efficiently assemble the pieces of the data puzzle to create a clear picture of precisely what’s happening on their network.

The second article in this series will address how to increase agility and accelerate incident response.

About the Author

Cary Wright, VP Product Management at Endace, has more than 25 years’ experience in creating market-defining networking, cybersecurity and application delivery products at companies including Agilent, HP, Ixia and NEC. sales@endace.com, www.endace.com.



Enabling Agility to Accelerate Incident Response

By John Attala, Vice President of Worldwide Sales, Endace

In the first article in this series, Endace VP of product management Cary Wright discussed the importance of end-to-end network visibility in protecting valuable enterprise data, and how the combination of network metadata and full packet data provides definitive evidence of network activity. To leverage this data effectively, however, it is crucial to make it available to the tools and teams throughout the enterprise for examining and resolving issues more quickly and accurately. Which brings us to the topic of this article: agility.

Agility, as it relates to cyberdefense and performance management, can mean two things:

1) faster, more efficient investigation of, and response to, threats/issues (“agile incident response”); and

2) rapid installation and deployment of new solutions to address these threats and issues (“agile deployment”).

Agile Incident Response

Research published last year revealed that SecOps, NetOps and DevOps teams are buried in alerts, each of which typically requires a resource-intensive investigation and resolution process involving multiple personnel. Sadly, the norm is that there simply isn’t sufficient time to triage, prioritize and investigate all the alerts.

In addition, many of the tools SecOps and NetOps teams use don’t integrate well with each other, so beleaguered teams must switch from tool to tool (“swivel chair integration”) to determine actual network activity – resulting in time delays, stress, and organizational risk.



Integrating network metadata and full packet information into security and performance monitoring tools, so analysts and teams can pivot directly to the related packets, can dramatically simplify and accelerate investigations, reducing alert backlog and analyst fatigue. The end result is streamlined investigation workflows, more efficient and productive teams, richer contextual information for dealing with threats and – crucially – faster, more accurate incident response.

Agile Deployment

The same research report cited above found that 90% of respondents reported the process of acquiring and deploying security, network or application performance platforms is challenging. It’s a fact: selecting and deploying new security and performance monitoring tools can take months to years when an organization must consider budget, evaluation, selection, purchase, installation and integration. It’s a slow process.

Further compounding the acquisition problem is that once purchased, these security and performance monitoring solutions are expected to last their full depreciation cycle – even though security threats and network standards frequently change and evolve. The end result is organizations are often stuck with solutions which are no longer fit-for-purpose, requiring a “rip-and-replace” to meet new threats or resolve performance issues.

The lack of ability to quickly evolve systems to meet new threats or address new requirements is hampering organizations’ ability to protect and manage their networks effectively. Attackers, on the other hand, aren’t constrained by the same CAPEX and budget issues – often using the victim’s own infrastructure to host their attacks – enabling them to be extremely agile in staging their attacks.

To counter this, organizations need more agile deployment. One solution is to adopt a standardized, open hardware platform as the foundation for security and performance monitoring: a platform that can provide full packet capture, metadata indexing and deep storage, allow standard RESTful API connections to existing toolsets, and enable virtualized hosting of the network security and performance analytics applications that best suit the organization’s environment.

Adopting a standardized platform ensures a good foundation (accurate, time-stamped, quickly searchable data), the RESTful API ensures existing workflows are maintained and minimizes training, and virtualizing monitoring and analytics solutions enables the speed and flexibility to deploy required solutions on-demand.

The standard, open platform approach allows for maximum agility and has the potential to deliver the same benefits enterprise datacenters have realized through virtualization: rapid deployment, massive flexibility, operational efficiencies, and huge cost savings.

The next article in the series will discuss the economics and cost savings in more detail.



About the Author

John Attala is vice president of worldwide sales at Endace. He has more than twenty years’ experience in providing network visibility, forensic solutions, and security services to global enterprise, service providers and government agencies.

John Attala can be reached online at www.endace.com.



Economic Efficiency in Cyber Defense

By Mark Evans, VP Marketing, Endace

The previous two articles in this series addressed Visibility and Agility as key requirements for stronger cyber defense. This last article in the series looks at the third leg of robust cybersecurity: Economic Efficiency.

According to recent research, gleaned from more than 250 global enterprises, organizations use, on average, ten different security management tools. In large enterprises, that number jumps to between 10 and 18 different security solutions.

The research also showed that even though organizations have deployed numerous security solutions, at great cost, they:

• Don’t have enough tools in the right places to detect and investigate security events (80% of respondents!)

• Find the challenge of constraints caused by Capital Expenditure (CAPEX) “significant” (75%)

• Take 6-12 months OR LONGER to acquire and deploy new solutions (budget, testing, product selection, deployment) (90%)



Additionally, organizations said they “lack visibility into network activity”, have “difficulty responding quickly enough to threats” and “find it hard to integrate tools and correlate data”.

It’s clear then, that despite considerable investment in security, organizations are still not achieving their desired objectives. They are constantly on the back foot, unable to keep ahead of a rapidly evolving threat landscape. And, as covered in previous articles in this series, teams are overwhelmed by alert and platform fatigue due to lack of visibility and inefficient workflow processes that constrain productivity.

Reducing Cost and Increasing Efficiency

Network security functions typically rely on specialist hardware that can capture network traffic at high speed for analysis, so many solutions are appliance-based. As a result, organizations must deploy many different appliances to deliver the range of required security functions (IDS/IPS, data leakage prevention, malware detection, email scanning, etc.).

This has a number of cost and budget implications:

1. Hardware-based appliances are expensive to purchase and maintain.

2. Organizations pay for packet capture capability in each appliance they purchase.

3. Hardware purchases consume so much budget that organizations can’t afford to deploy solutions everywhere they need them, leaving blind spots.

4. Functionality is inextricably tied to appliance hardware - upgrading functionality often means a “rip-and-replace”. Without CAPEX budget for replacements, organizations must make do with solutions that are well past their “use by” date.

Virtualization has delivered significant benefits in the datacenter: lower cost, simpler infrastructure, efficient hardware utilization, greater flexibility and rapid deployment. However, organizations have been unable to virtualize their network security solutions to realize these same benefits due to the lack of a common hardware platform.

What’s needed is a hardware platform that provides high-performance, hardware-based packet capture and recording that can be shared by all the tools and teams that need to analyze packet data. This approach eliminates unnecessary functional duplication and allows security and performance monitoring tools to be consolidated onto a common platform.

The cost of this common infrastructure can be shared across SecOps, NetOps, DevOps and IT teams, reducing Operational Expenditure (OPEX) and CAPEX costs and facilitating closer collaboration. New functionality can be deployed without replacing hardware.



Increasing Productivity

With packet history integrated into all their tools, analysts can more efficiently detect, investigate and resolve security threats; moving from an alert or suspicion directly to evidence quickly and accurately. This is vastly more productive than the current swivel-chair integration resulting from managing multiple, non-integrated hardware appliances.

This series looked at three key issues facing enterprises in protecting and defending their networks: Visibility, Agility, and Economic Efficiency. By addressing all three issues together organizations can gain the clarity, confidence, and certainty necessary to effectively protect against cyberthreats.

About the Author

Mark Evans has worked in the technology industry for more than 30 years, starting as a developer and moving into CIO and CTO roles prior to joining Endace as Vice President of Marketing. He has also written extensively as an expert columnist for many technology publications. www.endace.com, @endace.



Does SASE Tick the Box for The Future of Network Security?

By Yair Green, CTO at GlobalDots

The enterprise of today works with an upgraded portfolio which can be viewed as the result of an overall digital transformation. This in turn has brought about the need to rethink and address the consequences for the network. In response, Gartner introduced the concept of Secure Access Service Edge (SASE) as a new enterprise networking technology, whereby organizations could ditch time-honoured networking and security designs by merging network and security point functionality globally into a consolidated, cloud-native service.

There is certainly a shift these days: organizations are transitioning all of their users, applications and data (currently located on-premise) to the cloud, towards edge applications and a workforce that is spending more of its time working out of the office - ‘on the road’. Together, the forces of cloud, mobility and edge have all brought pressure upon the enterprise’s old and weary network and security architecture. It doesn’t help to have data spread out all over SaaS applications, or across the increasing number of cloud applications. Whilst there is no doubt that such a digital transformation can improve overall agility and competitiveness, it will also require a rethink with respect to how the enterprise connects and secures their connections. As the landscape evolves, so must technology. Perhaps it was inevitable then that something like SASE should make an appearance.

The digital transformation has forced the enterprise to evolve by running more applications in the cloud as SaaS rather than on-premise - more of their data and workloads live in cloud data centers and more of their workforces are mobile - mobile users routinely accessing the cloud and increasing numbers of employees working off-site. The two main challenges for organizations as they ponder how to network and secure offices, users and resources, will be the cloud and mobility. When the data center is no longer at the core of enterprise activity then where do you inspect traffic and where do you apply policy? Similarly, if the networks are going to be built by connecting resources and users that exist in large part outside of physical buildings, then how will the business deliver optimal network experiences? Of course it can be done - it does require, though, binding together a potentially disparate range of security technologies so that the enterprise is satisfactorily protected; this could prove both costly and time-consuming for most businesses. In an ideal world, there should be one way to network any kind of resource, location or user, without leaving the business vulnerable to the wide array of security threats.

Organizations have been all too busy trying to use additional services as a stopgap, as a way to paper over the cracks; but this just complicates things and drives costs upwards. This approach won’t work in today’s digital landscape. By pushing security as close to the user as possible, SASE helps to reduce cost and complexity by focusing on the users that are accessing the applications; it can all be done through one single service now. Also, SASE ensures that all connections are inspected and secured, no matter what. Bear in mind the unique challenges of risk whereby both users and applications are so widely spread apart. In addition, where you have security enforced close to the users, SASE delivers a much better user experience overall. Traditionally, the old model brought the user to the security, but that’s not such a great UX scenario.

Whilst some might argue that SASE’s primary focus is user experience, there’s no doubt that SASE will be a major disruption to both network and network security architecture. Ultimately businesses will need SASE if they wish to continue their adoption of cloud-native computing and increase their adoption of edge computing platforms. Lessons will have to be learned regarding specific security and risk management actions that will need implementing as SASE adoption picks up. When we see a truly competitive solutions marketplace, then big business will be in a position to gauge more accurately how capabilities are delivered. In the meantime, businesses will require converged, secure and cloud-delivered access to the edge in order to adopt this shift. Digital transformation is shifting the focal point away from the data center, to the identity of the user.

About the Author

Yair Green is the CTO of GlobalDots, and a Cloud, Security and Web Performance Evangelist.

www.globaldots.com



Achieving Effective User Lifecycle Management Through Automation

By Jeff Stein, Information Security Architect, Reputation.com

When considering the security of an enterprise, a key area ripe for automation should be user lifecycle management. The topic is important not only to the security of an organization but also to the overall function of an enterprise. By achieving effectiveness through automation in your user lifecycle management process you will not only increase the productivity of your operational teams through the reduction of work required to manage the user lifecycle, but also add effective security controls to your information security program.

User lifecycle management covers the full array of activities executed during the lifetime of a user at an enterprise. It begins with the initial contact of a prospective employee or business partner and continues to the eventual onboarding of the user into their defined role at the organization. Any changes to user access or status and role at the organization are also covered in the lifecycle. The lifecycle management then comes full circle and is completed through the offboarding process when the user ends their responsibilities at the enterprise.

From a security perspective, user lifecycle management should be an important domain to include in your security program. While many of the operational tasks related to the lifecycle management are associated with Human Resources or Information Technology business units, the need to instill security controls into the related workflows and processes is paramount. This is because one of the core functions of user lifecycle management pertains to access control, which is fundamental to a security program because it deals with the identity, authentication and authorization of users in the enterprise.



The need to automate the provisioning (creating) or deprovisioning (removal) tasks related to the user lifecycle management process is derived from ensuring that there is better accountability in the operational tasks associated with access control. To not only have a well-defined lifecycle management process but also to ensure that those processes are initiated through automation reduces the number of administrative controls required to validate proper completion of tasks and replaces them with more reliable technical controls.

In my previous experiences as a Security Engineer, as well as my current role as an Information Security Architect for Reputation.com, an industry leader in online reputation management providing customers with a full range of solutions to handle their presence online, I have found that any time you replace a reliance on a human task with an automated technical one, the likelihood of a breakdown in process is reduced. It also frees up the human element to be leveraged in the process in a more intelligent way than previously utilized. Once repeatable tasks can be replaced with automation, the person can be used as a means to validate on a regular basis that the automated technical control has not failed. This is done through measures such as auditing and approval reviews for sensitive circumstances or types of access. Another simple way of looking at this is to use your human staff for intelligent processes and automate the mundane repeatable processes that do not deviate from the norm.

When looking to automate the user lifecycle at an enterprise there are numerous technical tools at your disposal. Whether you choose to leverage internal scripts or programs, or utilize a managed technical solution, is a personal preference pertaining to your available budget and technical skill sets on staff. However, if you implement the tooling to automate user lifecycle management, in my opinion, it is more important to ensure you include a number of key components in your automated lifecycle strategy and technical design, which will support your tooling.

The first component to ensure you incorporate into your lifecycle management should be an all-encompassing source of truth for your user records. Whether this is a directory service or a human resource information system (HRIS), the key is to ensure that it is accurate and continually maintained. Your source of truth should be the foundation for building out and automating user lifecycle management, because it will serve as the starting point for the overall process. In essence, until the user is in your source of truth the lifecycle has not yet begun.

Additionally, access control should be properly built in to your strategy. As mentioned above, access control is a key security process and having proper controls in place will ensure you have security baked into your design and automation process. Consider using role-based access control (RBAC) or attribute-based access control (ABAC) as a model for designing your access control component. When I have personally rolled out user lifecycle management automation, I have done a combination of the two. However, relying primarily on RBAC will be easier to implement or at least serve as a starting point for your design.

The final component to include in the lifecycle management strategy is ensuring that data is kept synchronized between your source of truth and any systems of record used by the various applications in your enterprise, as a part of your automation. This is again important in keeping your source of truth accurate as well as ensuring that aspects such as deprovisioning or a status change in the user’s role function properly. Once these three key components have been worked into your lifecycle management design, the tooling you choose will layer on top and function efficiently. It will also offer a higher level of implementation success and a holistic approach to your workflow and processes.
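As an added example, not from the author or Reputation.com: a Python reconciliation that ties the three components above together. A constructed HRIS export is the source of truth, a department-to-role map plus one attribute rule for contractors is the access model (RBAC first, a touch of ABAC), and drifted application account lists are the systems of record; the output is the list of provisioning and deprovisioning actions the automation would raise, plus an audit helper for the periodic human check the article recommends. All names, records, roles and function names are constructed assumptions.

```python
"""Added example, not the author's code: reconciling application accounts against
an HRIS source of truth with an RBAC role map, producing provisioning actions.
The HRIS records, role map and application account lists are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str       # "active" or "terminated"
    department: str
    worker_type: str  # "employee" or "contractor"


# Source of truth (constructed HRIS export). Carol has been offboarded in HR.
HRIS = [
    Person("alice", "active", "engineering", "employee"),
    Person("bob", "active", "finance", "employee"),
    Person("carol", "terminated", "engineering", "employee"),
    Person("dave", "active", "engineering", "contractor"),
]

# RBAC: department -> roles. ABAC rule layered on top: contractors never get "vpn".
ROLE_MAP = {
    "engineering": {"git", "ci", "vpn"},
    "finance": {"erp", "vpn"},
}
CONTRACTOR_DENIED = {"vpn"}

# Systems of record held by the applications themselves (constructed, and drifted:
# carol was never removed, dave was over-provisioned, mallory exists nowhere in HR).
APP_ACCOUNTS = {
    "git": {"alice", "carol", "dave"},
    "ci": {"alice"},
    "vpn": {"alice", "carol", "dave", "mallory"},
    "erp": {"bob"},
}


def desired_roles(person):
    """Roles a person should hold right now, derived only from the source of truth."""
    if person.status != "active":
        return set()  # terminated or pending: no access at all
    roles = set(ROLE_MAP.get(person.department, set()))
    if person.worker_type == "contractor":
        roles -= CONTRACTOR_DENIED
    return roles


def reconcile(hris, app_accounts):
    """Return sorted (action, app, user) tuples that bring the apps in line with HRIS.
    Anyone present in an app but absent from HRIS is deprovisioned: until a user is
    in the source of truth, their lifecycle has not begun."""
    desired = {p.user_id: desired_roles(p) for p in hris}
    actions = []
    for app, members in app_accounts.items():
        should_have = {u for u, roles in desired.items() if app in roles}
        for user in should_have - members:
            actions.append(("provision", app, user))
        for user in members - should_have:
            actions.append(("deprovision", app, user))
    return sorted(actions)


def audit_orphans(hris, app_accounts):
    """Review aid for the human validation step: accounts with no HRIS record at all,
    which indicate the automated control has been bypassed or has failed."""
    known = {p.user_id for p in hris}
    return sorted((app, u) for app, members in app_accounts.items()
                  for u in members if u not in known)


if __name__ == "__main__":
    for action in reconcile(HRIS, APP_ACCOUNTS):
        print(*action)
    print("orphans:", audit_orphans(HRIS, APP_ACCOUNTS))
```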

Automation provides an excellent means to layer repeatable and scalable security controls into an organization. By automating the user lifecycle management process you can ensure better accountability into the operational tasks associated with access control in the enterprise. Proper tooling combined with a well-maintained source of truth, an effective access control model and baking in the updating of information between sources allows you to add effective security controls to your information security program.

About the Author

Jeff Stein is currently the Information Security Architect at Reputation.com, an industry leader in online reputation management. His prior experience includes the FinTech space and both the United States House of Representatives and the United States Senate. In addition to holding numerous security and IT certifications, including his CISSP, he received a Master of Science in Information Security and Assurance from Western Governors University. Jeff can be found online on his blog, https://www.securityinobscurity.com and reached at both jeff@sioblog.net or on twitter at @secureobscure and at our company website https://www.reputation.com and on twitter at @Reputation_Com.



Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk

By Kevin Landt, VP of Product Management at Cygilant

Reports of high-profile data breaches like Equifax’s, LinkedIn’s or Yahoo’s always cause an initial, widespread panic -- and for good reason. But after having massive amounts of their sensitive information exposed such as usernames and passwords, many consumers and organizations move on far too quickly. Whether it’s because they assume there’s nothing they can do to rectify the situation or due to a lack of understanding of their risk level, too many individuals and companies remain dangerously oblivious to what happens after a data breach.

Post-breach, many cybercriminals turn to the Dark Web to purchase data stolen from high-profile data breaches. For instance, recently eight hacked databases containing data for 92.75 million users were put up for sale on the Dark Web Marketplace "Dream Market" for 2.6249 bitcoins (about $9,400 USD at the time). Hackers will then use their newly acquired, stolen data to fuel credential stuffing attacks, i.e. attacks that leverage stolen account credentials to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Unlike credential cracking, credential stuffing doesn’t rely on brute force or attempts to guess passwords. Instead, cybercriminals simply automate the logins for thousands to millions of previously discovered credential pairs using standard web automation tools or tools designed specifically for credential stuffing (e.g. services that manipulate login requests to make them look like they came from many different browsers and/or products that integrate with platforms designed to defeat Captchas). On average, hackers find matches between stolen credentials and a website only about one percent of the time; however, with every new large-scale breach, the credential stuffing process becomes easier and more effective.

To combat credential stuffing, both consumers and companies need to recognize the danger these attacks pose and adhere to the following four best practices:

1. Monitor data breaches -- It’s critical to stay apprised of large-scale breaches so that if/when you have an account with a company that experiences a data breach, you can immediately change your password. Also, if you use the same username and password for other accounts, be sure to change those passwords as well. Keeping up with the near-daily occurrence of data breaches can feel like an overwhelming task, so consider leveraging tools like this to determine if any of your credentials have been leaked at any time.

2. Improve your passwords -- One of the top factors driving the credential stuffing epidemic is poor password hygiene. Never reuse the same username and password across multiple sites, change your passwords regularly, make sure each password has no resemblance to the old, don’t use the same core word(s) and refrain from placing the same special characters in the same positions. Password managers can help by creating and easily managing the types of highly secure passwords that are impossible to remember.

3. Implement two-factor authentication -- By turning on two-factor authentication whenever available, an additional authentication is requested when you enter your password. This provides another vital layer of protection in the event of a network attack and should always be turned on.

4. Blacklist suspicious logins -- Companies should consistently track logins that result in fraud and then blacklist the associated IP addresses. Also, if users are located in a specific region, they can create geofences that block traffic that comes from elsewhere. Such tactics can make the proxy lists cybercriminals rely on to mask their mass login attempts far less effective, not to mention more complex and costly. Web-based security products can also be leveraged to block a single IP address or a range of IP addresses that result in too many unsuccessful login attempts.
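An added example, not Cygilant's code, of the fourth practice expressed as detection logic: Python that summarises a constructed web-application login log per source IP, flags sources that try many distinct usernames with a high failure rate (the shape of a stuffing run, which still gets an occasional hit, so a success alone does not clear a source), applies a plain failed-login threshold, and adds a geofence using a constructed IP-to-region table in place of a real GeoIP lookup. Thresholds, log lines, addresses and function names are all assumptions.

```python
"""Added example, not Cygilant's code: flagging credential stuffing sources in a
web application's login log. Log lines and the IP-to-region lookup are constructed."""
from collections import defaultdict
import re

# Constructed login log lines (timestamp, source IP, username, outcome).
LOG_LINES = """\
2020-03-01T10:00:01Z ip=198.51.100.10 user=alice result=success
2020-03-01T10:00:02Z ip=198.51.100.10 user=alice result=fail
2020-03-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2020-03-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2020-03-01T10:00:03Z ip=203.0.113.5 user=dave result=fail
2020-03-01T10:00:03Z ip=203.0.113.5 user=erin result=fail
2020-03-01T10:00:03Z ip=203.0.113.5 user=frank result=success
2020-03-01T10:00:04Z ip=203.0.113.5 user=grace result=fail
2020-03-01T10:00:05Z ip=192.0.2.77 user=heidi result=fail
2020-03-01T10:00:06Z ip=192.0.2.77 user=heidi result=fail
2020-03-01T10:00:07Z ip=192.0.2.77 user=heidi result=success
2020-03-01T10:00:08Z ip=198.51.100.200 user=ivan result=success
"""

# Constructed stand-in for a geolocation lookup; a deployment would use a GeoIP database.
IP_REGION = {
    "198.51.100.10": "US",
    "198.51.100.200": "US",
    "203.0.113.5": "US",
    "192.0.2.77": "XX",
}
ALLOWED_REGIONS = {"US"}  # where this (constructed) user base is located

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(success|fail)")


def summarise(lines):
    """Per source IP: attempt count, distinct usernames tried, and failure count."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0})
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["fails"] += result == "fail"
    return stats


def classify(stats, min_users=5, min_fail_ratio=0.8, max_fails=3):
    """Return {ip: reason}. A stuffing source tries many different usernames and
    fails almost every time (the article's ~1% hit rate means the odd success is
    expected and must not exonerate it); a single account hammered repeatedly is
    caught by the plain failed-login threshold instead."""
    verdicts = {}
    for ip, s in stats.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            verdicts[ip] = "credential-stuffing"
        elif s["fails"] >= max_fails:
            verdicts[ip] = "excessive-failures"
    return verdicts


def geofence(ips, ip_region=IP_REGION, allowed=ALLOWED_REGIONS):
    """Sources outside the regions the user base lives in (unknown region counts as outside)."""
    return {ip for ip in ips if ip_region.get(ip, "??") not in allowed}


def blocklist(lines=LOG_LINES):
    """Combine the behavioural verdicts with the geofence into one block decision per IP."""
    stats = summarise(lines)
    verdicts = classify(stats)
    for ip in geofence(stats):
        verdicts.setdefault(ip, "outside-geofence")
    return verdicts


if __name__ == "__main__":
    for ip, reason in sorted(blocklist().items()):
        print(f"block {ip}: {reason}")
```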

A recent report from Akamai found that an average of 4.15 billion malicious login attempts from bots were detected in both May and June of 2018, and that’s up from an average of 3.75 billion per month between November 2017 and June 2018. Credential stuffing attacks will continue to become even more prevalent in the years ahead, especially as data breaches expose hundreds of millions of usernames and passwords on a regular basis.

By recognizing the credential stuffing problem head on and abiding by simple cybersecurity best practices, however, both consumers and companies alike can drastically reduce their risk and at the same time make cybercriminals’ jobs far more challenging.



About the Author

Kevin Landt is VP of Product Management at Cygilant and has over a decade of experience helping Security and IT Operations teams increase efficiency and reduce risk. At Cygilant, he leads a team of PMs dedicated to providing enterprise-class security-as-a-service for companies of all sizes. Prior to Cygilant, Kevin held director and leadership roles at Opsgenie (now part of Atlassian), Kanguru Solutions, and Intel.



The Cost of Cybercrime Is Constantly Rising: How to Combat Ransomware Attacks on SMBs

By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security

Cybercrime is an undeniable constant in the business landscape these days. The cost of cybercrime is constantly rising—it is estimated that by 2021 it will have reached $6 trillion worldwide. Cyberattacks on large companies tend to grab headlines all around the world because of their spectacular impact. However, there is one sector that, though it doesn’t normally generate headlines, suffers devastating effects from ransomware attacks: small- to medium-sized businesses (SMBs).

According to Beazley Breach Response Services, 71% of ransomware attacks target SMBs. The average ransom demand for this kind of attack is $116,234. In more general terms, 43% of all cyberattacks target this kind of company, while just 14% of these businesses are prepared to defend against their effects. In the business world, cybersecurity awareness is the main challenge: employees’ actions are often the first line of defense against a cyberattack. To ensure that a cyber incident does not cause serious damage to a company, it is important that its employees follow a series of vital tips:

• Never open attachments from unknown senders. 92% of the malware in the world arrives via email.

• Don’t plug in an unknown USB device. It may contain malware that could cause grave problems for the company.

• Get into the habit of updating passwords. This way, even if a password is leaked in a data breach, it won’t become a security risk.

• Updates for endpoints, devices and third-party applications are an important barrier against security breaches.



That being said, the best way to combat ransomware is by not becoming a victim in the first place. To that end, here are five immediate steps that SMBs can take to avoid ransomware attacks.

Step 1: Set Operating Systems to Automatically Update

The first step to avoiding ransomware is to update your operating system (OS). Anything connected to the web works better when the OS is updated. Tech companies like Microsoft and Apple regularly research and release fixes for “bugs” and security patches for vulnerabilities in their systems. It’s a cybersecurity game of cat and mouse. Cyberthieves search for “holes,” and companies race to find them first and “patch” them.

Users are key players in the game because they are the ultimate gatekeepers of their operating systems. If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs better with an updated OS.

Set your OS to update automatically and you won’t need to remember to do it manually. While Windows 10 automatically updates (you have no choice), older versions don’t. But setting auto updates is easy, whether you’re on a Mac or PC.

Step 2: Screenshot Bank Emails

Cybercriminals use trojans or worms to infect your computer with ransomware. So, avoiding these will help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams, which trick users into opening email attachments containing viruses or clicking links to fake websites posing as legitimate ones.

One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing emails that look like they come from banks, credit card companies or the IRS. Phishing emails kickstart your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn in your account”?

Cybercriminals use this fear to distract people so they will overlook the telltale signs of a phishing email, like misspellings or common fear-inducing subject lines.

Take screenshots of all of the legitimate emails from your bank, credit card companies, and other businesses that manage your sensitive information. Use these screenshots to compare with future emails you receive so you can spot phishing phonies and avoid ransomware.



Step 3: Bookmark Most Visited Websites

The next step in your ransomware-avoidance journey is to bookmark all of your most visited websites. Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or infect your computer with malware.

Think twice before you visit a website by clicking a link in an email, comments section or private messaging app. Instead, bookmark your most visited or high-value websites and visit them through your browser.

Step 4: Back Up Data to the Cloud and a Hard Drive

This step is a no-brainer. Ransomware works if you only have one copy of your data. If it’s irretrievable, then cyberthieves have the upper hand, but if you have multiple copies, you have taken away the power behind the threat.

Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target.

After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed up your data in six months, you’re probably just as vulnerable to ransomware attacks as having no backup at all.
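An added example (not from the article or from Panda Security) of checking the two copies Step 4 calls for: every file under the source folder is compared by SHA-256 against the external-drive copy and the cloud-synced copy, and each copy is flagged as stale when its newest file is older than an assumed 30-day limit. The folders and files are constructed in a temporary directory for the demo; a real run would point `verify_all` at the live folders.

```python
"""Check that both backup copies (Step 4) are complete, intact and recent.
Added example: the 30-day freshness limit and the demo folders are assumptions;
a mismatch means one side has drifted (corruption, a failed sync, or ransomware
reaching a copy) and should be investigated rather than blindly overwritten."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 30  # assumption: warn when the newest backed-up file is older than this

def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_backup(source, backup, max_age_days=MAX_AGE_DAYS, now=None):
    """Compare every file under `source` with its copy under `backup`.

    Returns {"missing": [...], "changed": [...], "stale": bool}; paths are
    relative to `source`, and `stale` is True when the newest file present in
    the backup is older than `max_age_days` (or when nothing is present at all).
    """
    now = time.time() if now is None else now
    source, backup = Path(source), Path(backup)
    missing, changed, newest = [], [], 0.0
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = backup / rel
        if not dst.is_file():
            missing.append(rel.as_posix())
            continue
        if sha256_of(src) != sha256_of(dst):
            changed.append(rel.as_posix())
        newest = max(newest, dst.stat().st_mtime)
    return {"missing": missing, "changed": changed,
            "stale": newest < now - max_age_days * 86400}

def verify_all(source, copies, **kwargs):
    """Run verify_backup for each named copy, e.g. {"drive": ..., "cloud": ...}."""
    return {name: verify_backup(source, path, **kwargs) for name, path in copies.items()}

def build_demo():
    """Constructed scenario: the drive copy has one corrupted and one missing
    file; the cloud copy is intact but was last synced 200 days ago."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, drive, cloud = root / "documents", root / "drive", root / "cloud"
    files = {"taxes/2019.txt": b"constructed tax return",
             "photos/cat.jpg": b"\xff\xd8 constructed, not really a jpeg",
             "notes.txt": b"remember the backups"}
    for rel, data in files.items():
        for base in (src, drive, cloud):
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    (drive / "notes.txt").write_bytes(b"remember the backXXs")  # silent corruption
    (drive / "photos/cat.jpg").unlink()                          # never copied over
    old = time.time() - 200 * 86400
    for p in cloud.rglob("*"):
        if p.is_file():
            os.utime(p, (old, old))                              # stale sync
    return src, {"drive": drive, "cloud": cloud}

def run_demo():
    """Build the constructed folders and return the per-copy reports."""
    src, copies = build_demo()
    return verify_all(src, copies)

if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```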

Step 5: Install Cybersecurity Software

Ransomware is constantly evolving as hackers develop new, more dangerous strains. For users, preemptive steps rock, but unless you download and install comprehensive cybersecurity software, your data is still vulnerable to malware infection.

Here’s a phrase worth remembering: ransomware is a nightmare. After cyberthieves encrypt your data, the chances of recovering it are slim to none…and slim just left town. The story of ransomware doesn’t have the Hollywood, happily-ever-after ending. It will definitely leave you teary-eyed…just for the wrong reasons.



About the Author

Rui Lopes has spent the last 15 years working for Panda Security and currently heads up the Pre-Sales Engineering team in North America. A cybersecurity expert with extensive industry knowledge, he’s passionate about solving complex technical challenges for customers and educating them on the latest cybersecurity developments. He holds several technical certifications and has contributed to multiple IT publications as an IT Security columnist. Rui can be reached online at https://www.linkedin.com/in/ruilopes-6966161/ and at our company website https://www.pandasecurity.com/en-us/.



How To Manage Your Small Business In Time Of Crisis

By Milica D. Djekic

It's always a challenge to manage your small business, but especially in times of crisis. Such a situation requires special skills, such as crisis management skills, pragmatism and critical thinking. How can we create a new generation of business leaders who are capable of responding to all these demands?

Human psychology would suggest that the child is the parent of someone’s personality, and it’s quite obvious that if we want to produce new leaders we should try to teach them starting at the very beginning of life. The fact is that many young individuals spend the majority of their time on the web, and it is well known that cyberspace is often the busiest spot of people’s activities. It’s quite impressive how well the new generations deal with cyber technologies and, apparently, modern strategists should use such a finding in order to direct the youth toward some sort of usefulness to the entire society.

The point is that if we want competitive human resources in the decades ahead, we should begin working hard on that project now. A good education system matters, but will that be enough to make the new generation of people think, deal and make decisions in such a manner? The answer to this question could be quite unclear, but what we see at this stage is that, de facto, we need something both impactful and simple at the same time. In addition, we should study the psychology of the child’s development, or probably try to cope with some habits being adopted early on and later used to define someone’s life choices.

So, what would be common to all kids worldwide, and how would they build on their first habits? The quite obvious answer is that all kids anywhere love to play games and in that way develop their first skills and social contacts. We all remember Monopoly and the experience of how some simple banking works in practice. Nowadays children would also love to play these games, but in cyberspace. So, if you offer them the chance to do so on their own or as a team – you would undoubtedly teach them to think in this way.

Kids often have very little life experience, and the point is to make something simple enough to motivate them to use their brains to resolve situations appearing on their screen. On the other hand, many of today’s army officers would select their current occupations just by playing strategy games and making decisions about how to manage their people and resources on some military basis.

If you want your kid to learn how to be a good manager, you should lead him into the world of business, enterprises and management. First, many kids cannot imagine what spending your time in the office is like, and if you provide them the opportunity to see how it looks and make some kind of interactive and engaging communication, then those young people would definitely become capable of responding to tomorrow’s competitive marketplace challenges. Also, if you put some obstacles into such a scenario, making the players deal with some critical situations, you would also make them develop problem-solving skills in crisis management tactics and strategies coming from best practices and expert knowledge.

So, let’s return to the beginning of our topic and introduce a graphical representation showing how dealing with a crisis in your small business might look. Such an illustration would offer you some constructive insights and hopefully help you better understand how to deal with those problems. The diagram is given in Figure 1.

Figure 1. Crisis conditions in business

As shown in the previous illustration, the small business crisis condition could depend on many factors. They could include social, environmental, technological and economic conditions, for example. In practice, the social elements could include political, religious, safety & security and ideological reasons, while the environmental conditions might include natural disasters, biological factors and even diseases. On the other hand, the technological and economic pillars could be positive, negative or neutral, for example.

The fact is that if we distinguish all these elements in such a manner, we could straightforwardly develop the algorithm or the decision-making tree for how we could respond to these challenges in an operational, tactical and strategic way. The point is that once you figure out what is correlated with what, you could easily recognize some rules of those correlations and realize how they could be applied in the sense of problem-solving algorithms.

In such a case, cyber defense could be linked to the technological impacts and, in my opinion, anyone in that field can position himself to prepare for resolving those concerns. Also, crisis management skill is something that comes with experience, and it takes some time to become confident in such a role. Any empirical scenario would differ in some way from another, and before you learn to recognize the similarities between them, you would need a lot of practice in your professional experience.

A time of crisis can come at any moment, so it’s important to remain rational and realistic in approaching such a situation from a calm perspective. Small businesses are certainly an important part of the critical infrastructure, and that’s why any economy needs plenty of good ideas and proposals about how to protect its strategically significant assets.

Emerging technologies will play a valuable role in our everyday life and work, so they could serve us in making rational decisions and training a new generation of the workforce that will be more competitive and sophisticated than any generation before them. The task is challenging, but the results could be far reaching.

About the Author

Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses and she is also the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 by Lambert Academic Publishing. Milica is also a speaker with the BrightTALK expert’s channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU) and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with a disability.



What the Latest Enterprise Endpoint Security Survey Shows Us: Big Concerns but Hope for The Future

By Jeff Harrell, Vice President of Marketing, Adaptiva

More bad news when it comes to IT security. The fourth annual Enterprise Endpoint Security Survey was recently released, showing that just 17% of companies believe they have enough staff to handle security correctly, and vulnerabilities continue to take a remarkably long time to fix, particularly without solutions that meet their needs. These findings (and more) come as organizations face unprecedented threats. So, what’s going on?

Vulnerabilities on the Rise

Cybercrime is predicted to cost $6 trillion annually by 2021, with new threats becoming the number one pain point for endpoint security buyers. Deloitte points out one reason for this is that as workforces become more distributed and organizations are responsible for securing more devices, it becomes harder and harder to secure the endpoint, calling it companies’ “weakest security link.”

Shoring up the endpoint is critical, however, because that’s where approximately 80% of cyberattacks occur—and these attacks are increasing at a blistering pace. Research shows that between 2016 and 2017 there was a 600% increase in attacks against IoT devices alone. Any Google search can turn up a multitude of other scary stats that underscore just how great today’s cyberthreat is and how it is expected to get worse. But the bottom line is vulnerabilities at the endpoint are a tremendous concern, one that must be addressed if organizations hope to protect their networks, IP, and customer data.

Current Solutions Don’t Solve the Problem

According to the annual Enterprise Endpoint Security Survey, IT professionals cited vulnerability scanning as their top cybersecurity challenge. One of the reasons shared was that current vulnerability management scanning solutions don’t solve their problems. In fact, they may increase frustration and stress by generating reports of hundreds of vulnerabilities that teams can’t address in a timely manner. Additionally, they suck up bandwidth and hinder network performance.

It’s not as though IT teams are throwing up their hands and pretending that vulnerabilities don’t exist, however. Ninety-one percent of respondents indicated that “maintaining current, compliant security configuration” is very or extremely important; they want to improve the speed and scale with which they can address vulnerabilities—they’re just a bit hamstrung.

Staff Can’t Handle the Surge—And It’s About to Get Worse

But fixing the problem is not simple. In addition to the exponential increase in vulnerabilities and devices managed, and the fact that vulnerability management solutions can hinder more than help, teams simply don’t have the staff. Nearly two-thirds of respondents to the Enterprise Endpoint Security Survey indicated that they struggle to keep up as their teams are stretched to the max, often limiting their ability to handle security operations the way that they want or wish that they could.

Unfortunately, in light of internal staff shortages, their work is about to get harder. The survey reveals that only 29% of companies will complete migration to Windows 10 before Microsoft ceases support for Windows 7 on January 14, 2020. This means that potentially millions of endpoints will present openings for cyberattackers to take advantage of an outdated OS that is no longer monitored and supported by Microsoft and that also lacks the latest security features available in Windows 10. While 87% of companies reported that they will have more than half of their systems running Windows 10, close may not be good enough. It takes cyberattackers only minutes to wreak havoc. Given that it takes 52% of organizations surveyed more than a week—and 22% more than a month—to remediate vulnerabilities after they are discovered, this could spell big trouble.

Automation Must Be Part of the Solution

With staff being swallowed up trying to handle all of the threats and issues their organizations face, and those threats increasing each day, something’s got to give. Significant talent shortages make finding enough skilled IT workers to conquer these issues unlikely. And even the best funded, best staffed organizations are fighting a losing battle against the clock. It would be nearly impossible for humans alone to write the code and execute remediations at the scale that they need to keep all endpoints up to date 100% of the time.

Automation has to be part of the solution. There have been knocks against it—from the time required to learn how to use new solutions to the limits of present capabilities—but solutions are improving rapidly. The next generation of vulnerability management solutions includes instant remediation capabilities. Even if a solution could automatically remediate only 50% of issues, that would be a vast improvement over the circumstances teams operate in today. It would not only accelerate the speed at which basic issues are fixed enterprise-wide, it would also open up considerable resources to address more complex issues in a timely manner.

While enterprise IT security faces a difficult road ahead, all is not lost. The intense commitment of existing staff to fight cyberthreats, coupled with exciting advancements in automation, could ensure that the results of next year’s survey look markedly different. Winning modern cyberwars will require man + machine.

About the Author

Jeff Harrell, vice president of marketing at Adaptiva, manages the company’s marketing strategies and initiatives across a growing range of products designed to assist global enterprises with pressing endpoint management and security needs. With more than 20 years’ experience, Jeff is known for his domain knowledge, creativity, and vision as well as the ability to execute. In his free time, Jeff can usually be found looking for birds through a pair of binoculars. For more information, please visit https://adaptiva.com/, and follow the company on LinkedIn, Facebook, and Twitter.



Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS

“Amazing Keynote”
“Best Speaker on the Hacking Stage”
“Most Entertaining and Engaging”

Gary has been keynoting cyber security events throughout the year. He’s also been a moderator, a panelist and has numerous upcoming events throughout the year.

If you are looking for a cybersecurity expert who can make the difference from a nice event to a stellar conference, look no further: email marketing@cyberdefensemagazine.com


You asked, and it’s finally here…we’ve launched CyberDefense.TV

At least a dozen exceptional interviews rolling out each month starting this summer…

Market leaders, innovators, CEO hot seat interviews and much more.

A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.


Free Monthly Cyber Defense eMagazine Via Email

Enjoy our monthly electronic editions of our Magazines for FREE.

This magazine is by and for ethical information security professionals with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here to sign up today and within moments, you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.

By signing up, you’ll always be in the loop with CDM.

Copyright (C) 2020, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com

All rights reserved worldwide. Copyright © 2020, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at marketing@cyberdefensemagazine.com

Cyber Defense Magazine

276 Fifth Avenue, Suite 704, New York, NY 1000

EIN: 454-18-8465, DUNS# 078358935.

All rights reserved worldwide.

marketing@cyberdefensemagazine.com

www.cyberdefensemagazine.com

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 04/02/2020


TRILLIONS ARE AT STAKE

No 1 INTERNATIONAL BESTSELLER IN FOUR CATEGORIES

Released:

https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH

In Development – Hacking the Human Firewall (Q2, 2020) and The Art of Cyber War (Q1, 202):


8 Years in The Making…

Thank You to our Loyal Subscribers!

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition, we're shooting for 7x24x365 uptime as we continue to scale with improved Web App Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS and CyberDefenseMagazineBackup.com up and running as an array of live mirror sites.

Millions of monthly readers and new platforms coming…
