Interviews - Panda Security Mediacenter
https://www.pandasecurity.com/en/mediacenter/interviews/
All the info about your cybersecurity

Juan Antonio Calles: “Without the appropriate professionals, security measures quickly become obsolete”
https://www.pandasecurity.com/en/mediacenter/panda-security/juan-antonio-calles-guest-post-ii/
Fri, 03 May 2019 13:15:49 +0000

In the second part of our interview, Juan Antonio Calles discusses concepts such as digital forensic analysis, biohacking, SIRPs and cyber-resilience.

The post Juan Antonio Calles: “Without the appropriate professionals, security measures quickly become obsolete” appeared first on Panda Security Mediacenter.

In the first part of our interview with Juan Antonio Calles, CEO of Zerolynx and CSO of Osane, we saw how to guarantee the security of cloud platforms, and discussed the threats that are currently most relevant to corporate cybersecurity, as well as how to mitigate them. In this second half, Juan Antonio gives us the most important points about concepts such as digital forensic analysis, biohacking, SIRPs and cyber-resilience.

  • What is the importance of digital forensics in the business world?

Before carrying out any kind of digital forensic analysis, the first thing will be to find out what has happened, what the aim of the analysis is, and what assets have been affected. We won’t act in the same way to analyze a Windows network affected by a piece of ransomware as we will to investigate how an invoice has been intercepted in a CEO scam. We need to adapt our methodology on a case-by-case basis. Digital forensic analysis is a basic function in companies in order to answer such questions as: what happened? And, how or why was it possible? And this analysis serves not only to investigate an incident, but also to shed some light in case of disputes, employees that steal information, threats carried out via corporate email, among others.

  • What is biohacking, and what application could it have for companies?

The term biohacking has a very broad definition, and can refer to several disciplines and movements, from DIY biology, grinders, who alter their bodies to add technology, to nutrigenomics. At Zerolynx, in collaboration with Patricia Rada, doctor of biochemistry at Ciberdem (Center for Network Biomedical Research), we’re carrying out research on storing and concealing encrypted information in DNA. It’s a complex study in which we’re finding barriers that are hard to overcome with the technology that we have available to us nowadays. We’ve done tests on simulators, and we’re now performing real tests on bacterial strains. With appropriate resources, and seeing how interested some organizations are in making sure this moves forwards, we believe that we could see some kind of prototype in a couple of decades. The possibilities are almost limitless, but it is certainly not something we’ll see in companies in the short term.

  • What are the 5 most important steps in an effective incident response plan?

Before an incident occurs, we need to be sure to have a business continuity plan and a corresponding contingency plan; we need to have trained our employees beforehand, so that they are able to detect the incident and know how to react properly, according to what has been established at a corporate level.

The first step in a SIRP [Security Incident Response Plan] needs to be detection, and alerting the incident response team. Since the necessary steps for ransomware, a CEO scam, or a fire in the data center aren’t the same, the employees who have detected the incident need to facilitate as much information as possible for the response team, so that they can figure out how to react to a specific threat with a quick analysis. The next step, in order to ensure business continuity, will be to isolate the affected environments, and to collect the corresponding evidence in order to research the origin of the problem and, if necessary, carry out a complete forensic analysis at a later date. This could lead to legal action if malicious actions are detected. In that case, before any action is taken on the affected assets, the company needs to guarantee the corresponding chain of custody, and the cloning and digital signature of the affected assets to ensure the integrity of the information that they contain. The incident will then be scaled, and, if necessary, the corresponding authorities will be notified. Finally, all actions carried out and lessons learned must be cataloged in the interest of improving reactions to subsequent incidents.

Companies need to designate a head of IT security (CISO) with the proper training, and provide them with the necessary resources to carry out this job. This person needs a strong team to back them up, which can work on both the regulatory and compliance aspects of cybersecurity, as well as on the more technical and operative aspects. There are many technologies that can be used to protect corporate assets: systems of backups, firewalls, intrusion detection systems, SIEMs, and so on. Nevertheless, without suitable professionals, all of these measures usually become obsolete and poorly parameterized quite rapidly, and stop working as a real barrier to stop the criminals that threaten companies every day. Any business that doesn’t have the capacity to have its own high-quality cyber-team needs to contract professional services from specialist companies in the sector. A trusted vendor, with protection that adapts to what the company needs, is an important option for companies that do not have their own security measures.

Juan Antonio Calles: “Threat Hunting could improve an organization’s detection and response capabilities”
https://www.pandasecurity.com/en/mediacenter/panda-security/juan-antonio-calles-guest-post/
Fri, 19 Apr 2019 13:15:11 +0000

Juan Antonio Calles, CEO of Zerolynx and CSO of Osane. Before this, he worked as head of the KPMG cybersecurity laboratory.


“Over the last few years, the cybersecurity world has become hugely professional. Spain is becoming an international reference point. Proof of this lies in the large number of cybersecurity events that take place in our country.” These are the words of Juan Antonio Calles, CEO of Zerolynx and CSO of Osane. Before this, he worked as head of the KPMG cybersecurity laboratory, and head of the Everis hacking center. As well as this, Juan Antonio also has several prestigious certificates, such as Certified Hacking Forensic Investigator (CHFI) from Ec-Council and CISA from ISACA.

According to this IT security expert, the last 15 years have seen a tremendous evolution. “Security jobs used to focus on revising client websites and internal auditing to evaluate the security of the employees’ IT parks. The sector has got to a point now that, back then, was very difficult to predict.”

  • As companies increasingly adopt cloud strategies, how can we guarantee their security?

A few years ago, many companies thought they were safe with just a firewall to protect their perimeter. But this of course overlooked the fact that it’s not just external threats that need to be protected against: internal threats are just as important. Now boundaries are starting to disappear. If we add to this an amorphous cloud containing all our information, spread over several data centers all over the world, with different jurisdictions, the security environment starts to get complicated.

If we are determined to migrate to the cloud, it is vital to check whether we have the capacity to build a cloud over our infrastructure. Where possible, we have to properly evaluate possible vendors, and once decided, try to store data in an encrypted format.

  • The firmware of Nintendo Switch was hacked on the same day it was launched. How could Nintendo have avoided this kind of situation?

The case of the latest version of the firmware (v7.0.0) for the Nintendo console is a special one. It wasn’t a software vulnerability, but rather a problem with the console’s hardware. What happened in January is that they managed to crack the private keys that that version of the firmware is signed with, in order to be able to modify it. In this case, in order to fix it, the console’s hardware needs to be revised, something that Nintendo should already be working on.

On the other hand, in order to avoid software flaws, it is crucial to include security from the very first stages of its design: the so-called shift left. Collaboratively integrating security into DevOps workflows, also known as DevSecOps, is an efficient way of preserving the quality and the security of the teamwork, the agility, and the speed of DevOps. These work models have been demonstrably successful compared to traditional models. They allow for the development of higher quality software, which is also more secure, without increasing development times or costs in any significant way.

  • What would you say are the leading threats to corporate cybersecurity at the moment?

One of the greatest threats is ransomware, especially for small and medium companies that don’t have the same level of security as larger organizations. One of the most commonly exploited points of entry for this kind of attack is remote access, via TeamViewer, VNC and other similar vectors. In order to mitigate such attacks, organizations must be sure to have robust VPNs that allow them to securely access the organization’s resources from outside, with 2FA to ensure that credential theft isn’t enough to gain remote access. Another vital step is restrictive network segmentation to contain any incident that could happen.

Another threat that keeps growing is cryptojacking, exploiting the processing power of exposed computers to mine cryptocurrencies. Practices such as threat hunting would allow organizations to actively find these kinds of threats, and would improve their detection and response capabilities.

Threats to critical infrastructures will continue to grow. This is especially true in the context of industry 4.0 where IT and OT networks are starting to work together, and PLCs and other components of the OT network acquire different transmission capacities to traditional cable-based networks. In such complex case studies, it is necessary to create a hostile environment for the adversary. This includes optimal segmentation between OT and IT, avoiding direct exposure of the OT environment to the Internet (including access to vendors), deploying detection and response capabilities on machines that cover both environments, and maximizing the control of privileged accounts.

Finally, one of the threats that we’ll keep coming across in organizations and industrial environments is industrial espionage. Even with particularly high levels of security, there are always weak links that could go unnoticed in traditional pen testing processes. For example, one of the most noteworthy examples is the use of video conference systems. They are rarely well protected, and their communications are more often than not unencrypted.

Don’t miss the second half of our interview with Juan Antonio Calles, where we will discuss cyber-resilience, biohacking, and digital forensics.

Román Ramírez: “The weak points of cybersecurity are people and investment”
https://www.pandasecurity.com/en/mediacenter/security/guest-article-roman-ramirez/
Wed, 27 Feb 2019 14:15:30 +0000

Román Ramírez is the founder of RootedCon, the most important security event in Spain, and the Manager of Operations and Security Architecture at Ferrovial.


Román Ramírez is very well known in the world of cybersecurity in Spain. The founder of RootedCon, the most important security event in Spain, and with over 20 years of experience in the sector, he has been Manager of Operations and Security Architecture at Ferrovial for ten years. In this company his role is to manage security operations at a corporate level, as well as to manage security for projects and new developments within the organization. We have arranged to talk to him about corporate cybersecurity in large and small companies, cyber-resilience, and cyberattack trends among other things.

–Do Spanish companies do enough to protect their cybersecurity?

–It’s a complicated question. An IBEX 35 company whose main line of business is related to the financial sector will, of course, have more adequate protections for their assets and a much higher level of cybersecurity. On the other hand, a one-person SME in the construction industry is likely to be on the other end of the scale. In general, companies have the level of cybersecurity that they themselves have planned (that is, that they’ve decided on), though there are areas where, for reasons of cost or culture, there is a lot of room for improvement.

–Is there at least a bit more awareness of cybersecurity?

–Right now, cybersecurity is mainstream. Every day there’s something in the news about it. If that doesn’t make people more aware of cybersecurity issues, what will? In my opinion, awareness training is only effective for people who are already up to speed; we all know what people are like. If we need to get over an obstacle in order to achieve a goal, that’s what we’ll do. No amount of awareness training is going to change that.

–Do you think that the GDPR will make companies take better care of their cybersecurity? Or will we see a myriad of companies being fined for breaching the regulation?

–I think that it’s easier to comply with the GDPR than it was to comply with the previous LOPD (Ley Orgánica de Protección de Datos de Carácter Personal – the predecessor of the GDPR in Spain). We’re moving towards a more “Anglo-Saxon” model, where you’ll be asked for a posteriori guarantees (with proof). I think this is going to help it to spread. And I do think that, with the growing concern for privacy, we’re definitely going to gain something in several different areas. As for the fines, given how hefty they can be, I have a feeling that they’re going to be very cautious when it comes to handing out sanctions.

–What are some possible weak points that companies may have?

–They’re always the same: people and investment. Cybersecurity in any environment is intricately linked to the level of investment. If you have appropriate investment (economic and human), you’ll have an appropriate level of cybersecurity.

–Is it possible that there is a lack of cyber-resilience?

–I think it’s very possible, and it does in fact happen. You might not let your guard down, and you’re always vigilant for threats… And then you face a situation that’s difficult to manage, and where it is hard to be resilient. The trouble with cybersecurity is that it is an environment where there are no predictable ‘positive’ rules (there are plenty of negative rules: if you don’t invest, I can guarantee you that you’re going to have some serious problems). Investing and properly managing security is no guarantee that nothing is going to happen to you. And if something does happen to you, it’s tricky to anticipate outcomes and consequences.

–For years, companies always had a reactive attitude to attacks. Are they becoming more proactive? Or do they still wait for some kind of catastrophe to befall them before they take action?

–Companies that take security seriously systematically test their assets, infrastructure and staff. With Red team processes, constant revisions, threat modelling… it’s unusual to come across organizations that still think reactively.

–What cyberattack trends do you think are the most worrying these days?

–Where we’re seeing a particular increase is in everything that is less technical and more industrialized: a lot of phishing campaigns, a lot of cryptomining… Despite the consequences that they can have, cryptolockers aren’t the most dangerous thing out there these days. I see the boom in artificial intelligence techniques as something that could enhance the tools used by cybercriminals, which will make defending against their attacks more complex: there’s going to be a lot more automation with even more capacities and abilities.

One thing that I find particularly worrying is that intelligence agencies, where traditionally they were going after bigger targets, have been working on our more mundane level for years now. This is having more and more consequences for businesses, as well as for citizens.

–Imagine you have the boss of an SME with 50 employees in front of you, who says that cybersecurity concerns don’t affect him, since his company isn’t important enough to be attacked by anyone. What would you tell him?

–That he’s living in a parallel universe and riding happy unicorns, and that it might be a good idea for him to analyze whether, in order to avoid feeling the pressure of the investment that his company needs, he isn’t fooling himself and taking biased decisions. Because any incident is enough to lead to a business closing down if negligence can be demonstrated, if there are consequences for third parties, sanctions from regulators, or theft of intellectual property (which means that you can be removed from the company because someone that has copied you can do it cheaper than you can).

Brian Honan: “We used to have two or three data leaks a month. Now it’s two or three a day”
https://www.pandasecurity.com/en/mediacenter/security/guest-article-brian-honan/
Wed, 05 Dec 2018 14:15:08 +0000

Brian Honan founded the Irish Reporting and Information Security Service (IRISS). He was inducted into the Infosecurity Europe Hall of Fame in 2016.


These days, the most pressing threats in the cybersecurity sector are the loss of data and information leaks caused by organized criminals. Most of these attacks occur via popular extortion models such as ransomware or cryptojacking, both of which are easy, efficient ways to get results. Brian Honan, renowned consultant, expert in the cybersecurity industry, and advisor to several government agencies, is of the opinion that “criminal organizations adapt quickly to these models and change their attack tactics as soon as they see new possibilities to make money.”

Today we talk to the founder of the Irish Reporting and Information Security Service (IRISS), Ireland’s first CERT (Computer Emergency Response Team). He was also named SC magazine’s Information Security Person of the Year, and was inducted into the Infosecurity Europe Hall of Fame in 2016. Here’s what Brian Honan had to say:

  • How can companies avoid the risks related to cryptojacking?

In the case of cryptomining, there are two aspects to take into account. If the browsers on your computer or your mobile devices are affected by a malicious code injection that mines cryptocurrencies, it won’t necessarily affect you directly beyond your devices slowing down. However, at some point in the future, the attackers could use software executed on your device, via your browser, to manipulate you or to attack other people.

The other aspect to bear in mind is that criminals are never going to want to create their own websites, because it’s normally quite costly. They’ll seek out vulnerable websites, or ones that haven’t been updated, to inject malicious code and infect the people that visit them. This is something that could cause some serious reputational damage if it were to happen to a company. Internet security companies could also block your website if they see it as a threat: you lose possible clients, and your image is immediately damaged. 

They’re not the most eye-catching solutions, but keeping operating systems updated and having good IT security software can eliminate most of the cybersecurity risks that you might come across. Your browsers also need to be patched and up-to-date, and we mustn’t forget endpoint security. As we work in a cloud environment, connected devices like printers also need to be protected at all times.

  • And what can they do in the case of ransomware?

The solutions are similar: patched and updated systems. But in this case, we need to add solutions such as restricting administrator access on company computers, because users shouldn’t have admin credentials for company devices. A central management system that controls all these protections makes the professionals’ jobs a lot easier. Other tools such as user access controls and application whitelisting reinforce the protection against these kinds of threats.

If it’s a Windows computer, security professionals can restrict access so that .exe files or executable files can’t be launched from temporary folders or from the downloads folder.

  • What has changed since the implementation of the GDPR?

At our consultancy, we’ve seen a significant increase in data breach reports. Before the 25th of May, we maybe had two or three leaks a month. Now we’re seeing two or three a day. It’s worth pointing out that these are data losses, not necessarily security violations: lost devices, invoices or files sent to the wrong people…

After the implementation of the GDPR, there’s also a greater awareness of corporate responsibility in terms of personal data and user rights. That is, it’s not that infringement is going up, but complaints are going up because companies notify and report what would have gone unnoticed before.

  • What was your job as adviser for Europol’s European Cybercrime Centre (EC3)?

My job consisted of giving them information from within the industry about threats and trends that we cybersecurity professionals see. Detailing how our clients are affected, the different vulnerabilities that appear with new technologies, and promoting public initiatives like nomoreransom.org to unlock files encrypted by ransomware.

The EC3 bridges the gap between the police authorities of the EU member states. It has the capacity, for example, to investigate bitcoin wallets or IP addresses that the authorities provide after attacks, and find connections between them to uncover criminal organizations. EC3 allows us to have more resources to tackle cybercrime and facilitate cooperation between international agencies outside the EU, such as the FBI, or the Russian or Australian police. Criminals no longer respect borders, and, by promoting the exchange of intelligence and international cooperation, we are contributing to the global fight against cybercrime.

Marta Beltrán: “There are cybersecurity solutions for almost every problem that we could have to face”
https://www.pandasecurity.com/en/mediacenter/security/guest-article-marta-beltran/
Wed, 21 Nov 2018 14:15:50 +0000

Marta Beltrán began her career 15 years ago. She is an author, lecturer and researcher, and is the coordinator of the first cybersecurity degree in Spain.


“Strengthening, separating and segregating networks, and cryptography”. This is what was meant by security when Marta Beltrán began her career 15 years ago. As this author, lecturer and researcher (she is the coordinator of the first cybersecurity degree in Spain) points out, “the aim was simply to protect data in motion and data at rest”. Since then, we’ve changed how we interact with technology, and we work on different concepts in relation to protection: “we start to talk about managing logon IDs, secure development methodologies, malware and advanced threat protection”.

  • In 2014, you wrote Cloud Computing, Technology and Business. How do you think the cloud has changed in terms of security?

I would say that we’re starting to protect our cloud systems. Until now, products and services have been created that are marked by the needs of the client, only worrying about how well they work, but not at all about security. Security was usually added on at the end of the creation process. In the last two years, we’ve taken a quantitative and qualitative leap as far as cloud security is concerned. We’re starting to be more aware of its importance, and of the fact that, for example, externalizing part of the technological infrastructure doesn’t mean forgetting about the risks that we’re running. The provider is no longer the only source that needs to concern itself with the company’s security. Most users are now aware that there exists a shared responsibility, that there are threats when it comes to contracting cloud-based services, and the measures and protection that need to be taken are different for each of these specific services. An antimalware agent isn’t the same for a PC as for a cloud-based service.

  • Constant innovation can be a challenge in terms of security. How do you manage to stay up-to-date?

You need to have a clear strategy. There are certain sectors where the appetite for innovation is part of their key strategy, and so this allows them to advance more quickly and to take more risks. Others, such as the industrial sector, or critical infrastructures, tend to be more conservative because citizens and governmental administrations depend on their services (airports, nuclear power stations, power plants). In the case of startups, which are very cloud focused, and usually have everything externalized, it isn’t that it suits them to be innovative, rather that they must innovate to survive. This is why they tend to assume more risks, and their innovation can’t have a negative impact on the security environment. This is always going to depend on the sector, the business, the country. At the university, what we try to do is to have as much technological transparency as possible. We allow ourselves to be more innovative, to think big, in order to convey that innovation to companies, to the productive sector, and to administration. This exchange of knowledge is important: subjects that are researched at the university need to reach companies.

  • How important is it to train employees?

Training and awareness, in both personal and professional environments, are very important. People aren’t always aware of the risks they run in the personal ambit, or of the fact that it can have consequences in the professional sphere: the use of unprotected networks and devices from which people often access personal banking, or where sensitive information is stored, or from which people access corporate accounts. In the case of the professional sector, the internal risks, which are so common, most of the time aren’t down to malice, rather to carelessness or imprudence, or even a lack of awareness of the rules. Companies must take security seriously, provide training about company policy (about laptops, networks, having secure passwords). We must implement security from the very beginning, have a clear idea of what can be accessed and what can’t, and designate a security contact with whom to make contact in case of incidents.

  • What cybersecurity advice would you give a company that wants to stay safe in a new ecosystem?

I would tell them that it’s important to apply common sense and to stay protected at an appropriate level, according to the risks that they’re facing. From a technological point of view, there aren’t as many limitations as it may seem. That is, there are already cybersecurity solutions for almost every problem that we could have to face. I would also say that it’s important to approach security from an incremental standpoint. Once you know the risks you’re facing, you can’t expect to resolve them all in one day, because they are always going to be changing. As you try to mitigate risks, other new risks are going to appear. Companies must start out from a base scenario and go on improving non-stop, acquiring new knowhow, and new practices to face up to constant threats.

Pablo González: “Predictive intelligence will help improve cybersecurity”
https://www.pandasecurity.com/en/mediacenter/security/pablo-gonzalez-guest-post-ii/
Wed, 31 Oct 2018 14:15:36 +0000

Pablo González, Technical Manager and Security Researcher at Telefónica, analyzes the tools and the knowhow that are improving companies' cybersecurity.


In the first half of our interview with Pablo González, Technical Manager and Security Researcher at Telefónica, and former expert at ElevenPaths, Telefónica’s cybersecurity unit, we covered the evolution of attacks in recent times, and the trends that are defining the cybersecurity sector. In this second part, Pablo analyzes the tools and the knowhow that are helping companies to improve their cybersecurity.

Do you think attacks are getting more complex or that the cyberattackers are becoming professionalized?

In some cases the attacks are more complex; they exploit vulnerabilities or take advantage of more complex bugs, although in other cases this isn’t so. At times it’s tempting to think that a security incident is the result of very complex tactics, whereas in actual fact, it turns out the attackers managed to get in using basic phishing tactics on an employee, or because someone within the organization extracted the data, without an appropriate traceability control. On the other hand, attackers are becoming more specialized, and know how to use the latest trends in order to turn a profit. This is quite normal, since there is an increasing amount of research, more and more information that is accessible, and the volume of data in the security sector grows every day.

Do you think advanced cybersecurity solutions are a priority when it comes to protecting endpoints, now that the number of endpoints is always growing? What role do you think predictive intelligence will play in cybersecurity solutions in the coming months or years?

If we understand cybersecurity as a model in which every layer and every area must be protected – similar to an in-depth defense model in a military environment – any correctly configured solution that helps to improve security, and to reduce the threats and their impact, is a priority. Without a shadow of a doubt, predictive intelligence will help improve cybersecurity solutions. It will become one of the cornerstones for tools within the industry. The importance of getting ahead of situations and risks will be fundamental to the continual improvement of cybersecurity.

Your specialty is pen testing: What tools do you use to carry out these analyses?

You need to have a set of environments and tools that you feel comfortable with. The specific names aren’t important. What matters is exploring the needs that must be fulfilled and what a specific tool can bring at each moment. Of course, in many environments you end up using the same tools and your own manual dexterity. You need to keep an eye on the new tools that appear and that can make your job easier.

How important are ethical hackers in the current business world?

Ethical hacking is a fundamental part of the current business world. The fact that companies need to feel safe in a digital environment in order to go about their business means that ethical hacking is vital to improving security, both of this digital environment and of the companies’ activities.

You’re also a lecturer in the cybersecurity sector. How important is teaching in this industry?

Awareness, knowledge, training… they’re all the base of security culture for any company – or at least they should be. Security is fundamental for organizations and Internet users to be able to carry out their activities naturally and safely. Teaching has an important role in the industry, and can come in many forms: universities, private companies, books, blogs, articles, magazines. It can even be self-taught. What’s more, a lot of the time you need to be self-taught in order to assimilate different knowledge, to put it into practice in controlled environments and to be able to better understand the possible situations, risks, and threats.

Employee training is also one of the bases for creating a security culture within an organization. It is vital for the organization and, undoubtedly, the most complex thing to achieve. Initiatives such as gamification, innovation, and challenges can help turn employees into driving forces for security in companies.

How can a company increase its cyber-resilience? What security measures are indispensable?

There are different ways, but the most important is to really want to be resilient. In my opinion, there are a few things to bear in mind:

  • Having a team that responds effectively and efficiently to any incident. One that is trained and that can analyze possible situations and make decisions.
  • The use of prediction and intelligence techniques is vital for companies these days.
  • Correlating events and cases will give a global vision of the situation.
  • Having recovery measures that allow an organization to return to a previous state in case of a serious incident.

What’s more, we mustn’t forget that having knowledge within the organization is also vital.

Indeed, here at Panda Security we are convinced that the best way to help companies to be cyber-resilient is not just to work every day to offer the best advanced cybersecurity solutions; it’s also necessary to contribute to increasing knowledge of this field. To do this, keep up to date with expert opinion published monthly on our blog.

Soledad Antelada: “In the US, cybersecurity is a national priority” https://www.pandasecurity.com/en/mediacenter/interviews/interview-soledad-antelada/ Wed, 28 Mar 2018 13:00:43 +0000

Soledad Antelada has a key task: guaranteeing the security of a system in which thousands of people work.


Despite new intrusion methods and the spread of attacks, for Soledad Antelada, what’s really changed in cybersecurity is people’s awareness and how the media treats the topic. Systems Engineer at the cybersecurity department at the Lawrence Berkeley National Laboratory and an expert in the sector, she believes that cybersecurity has evolved from a small underground movement to entering the collective consciousness to become a global phenomenon.

Soledad Antelada, one of the most influential Hispanic women in the technology world, has a key task: guaranteeing security of a system in which thousands of people work. The Berkeley Lab is a prestigious scientific research center which has produced 12 Nobel Prize winners. It is a United States national laboratory managed by the University of California. The department of cybersecurity is in charge of protecting the laboratory and the entire network of institutions dependent on the US Department of Energy. An expert in cybersecurity, she tells us what the keys are to protecting these kinds of institutions.

Pentesting to stay ahead of cybercriminals

Soledad works as an external agent, that’s to say, she pretends to be an attacker to penetrate a network to get into a system and jump from one network to another. “I always act as an intruder”, she adds. To do this, she uses scanning and exploit tools or develops her own. Among her favorites are Python, SSH Brute Force, Nessus for scanning systems, and Burp and Netsparker for scanning web applications. To exploit, she uses “a lot of manual scanning or Metasploit and SQL injection”.

Antelada stresses the importance of penetration testing at Berkeley Lab: “This type of tool is a priority for us. We want to find out about vulnerabilities first and take care of them, before attackers discover them”. She also says that at the Department of Energy, cybersecurity audits are performed to evaluate the security of the lab. According to Soledad, “during the audit period, they evaluate the general vulnerability of the lab. If they don’t find anything, then we are doing our job”.

“Patience is the best virtue in pentesting”, she adds. “It takes a lot of trial and error to discover on your shift what the bad guys are trying to do 24/7. And then have to fix it to boot.”

Soledad Antelada, Systems Engineer at Lawrence Berkeley National Laboratory

Tips for security professionals in a connected world

Soledad thinks the sector has to “invest more in highly qualified people than in teams”. By supporting experts and strengthening cybersecurity departments, both companies and public institutions can stay ahead of the curve and don’t have to wait for an attack to defend themselves. Antelada adds that, in the US, greater importance is given to the sector. “Regardless of the government in power, cybersecurity is a priority for the entire country.”

For Soledad, employee education is also a priority. According to her, this will become more important as the Internet of Things grows. She explains the case at Berkeley Lab: “There we’ve got all kinds of instruments connected to the network, such as lasers and microscopes, which are also attack vectors.” If the security of these devices is compromised, “the scientists that use this equipment need to be contacted and shown how to fix the vulnerability.” It’s not just about fixing the problem, but educating users about the vulnerability, how they found it, and how to fix it. This, says Soledad, “helps users adopt the right mindset regarding cybersecurity and from then on they can be on the lookout for suspicious behavior.”

Also, to protect institutions, cooperation of different areas in an organization is fundamental. “There should be real support between employees of the departments. Among those in charge of storing and managing data, system managers, software developers, etc., all should be connected with the cybersecurity department because they cannot work on their own, they depend on the administrators to protect them.”

Women in the cybersecurity sector

At Girls Can Hack, Soledad tries to get women interested in technology to encourage them to get involved in what has traditionally been a masculine sector. “I’m the first and only woman at the Berkeley Lab cybersecurity department”, says Antelada, “and even though the number of women at companies is still very low, I’ve seen a change and women are now beginning to take an interest in the field.”

To change this, what does Soledad suggest to women who want to get involved in the sector? “Just do it. It’s a very dynamic field that needs a lot of people and diversity. Cybersecurity departments are monotonous, which is a flaw. Security problems are diverse, and the more varied the departments are, the easier and more creative the solutions will be.”

Zane Lackey: “You shouldn’t invest in security just for compliance” https://www.pandasecurity.com/en/mediacenter/interviews/zane-lackey/ Fri, 16 Feb 2018 09:45:00 +0000

We spoke with Zane Lackey, co-founder and CSO of Signal Sciences. Zane is also a prominent white hat hacker and has published several books on security.


The concept of the cybersecurity manager is evolving, as the role shifts from the traditional “gatekeeper” to a more universal, company-wide security facilitator. Zane Lackey, our guest this month, is one of the most important white hat hackers in the world, and author of books such as Mobile Application Security and Hacking Exposed: Web 2.0. Currently, Lackey is the co-founder and CSO of Signal Sciences, a web application protection platform, and is also a member of the Advisory Board of the Internet Bug Bounty Program and the Open Technology Fund.

Although new infrastructures, services, and applications are being created, such simple things as security failures at the endpoint or a lack of two-factor authentication systems continue to be the cause of the global attacks making headlines.

We began the interview by recalling Zane’s days as a white hat hacker.

Panda Security: What techniques do you use to detect a vulnerability and expose a threat to avoid an attack?

Going back to my pentesting days, which was quite a while ago at this point, the most common things I would look for were the assumptions made in the design of the system. Then I would look for ways those assumptions might be violated. On the defensive side, I took that mindset thinking about how to empower development teams and DevOps teams. That was one of the biggest lessons learned for me — going from a white hat, security consulting, pentesting kind of thing over to becoming a CISO and building a security organization, is really focused on how to give the engineering team as much visibility into what’s going on in production as possible.

PS: How do programs like Internet Bug Bounty help to resolve vulnerabilities that have been discovered? After a flaw is discovered, how do you act?

 I know there have been some changes in the Bug Bounty program recently, so I don’t want to say anything that would be incorrect there, but I think that from having run multiple Bug Bounties in the past, the important thing is trying to establish good communication with the researchers that come in. Because a lot of times, you’ll get a report that is partial or doesn’t contain all the info that is needed to reproduce the issue. So being able to say, “Hey, these are the five bits of information that we need so we can take this to the relevant service team or application team”, can help communication on both sides. And at the same time, trying to communicate back to the researchers so it’s not just a black box for them. Trying to be as transparent as possible on both sides — that’s what really leads to a good Bug Bounty experience, both for the researchers and for the organizations that actually work with them.

 I think anyone who’s run a Bug Bounty program gets used to seeing all kinds of things. You see everything from systems that you didn’t know about, to pretty much every type of vulnerability, even ones that you don’t think that you have. So I really strongly believe in the value of these programs, and I think they complement pentesting very well. Combining the two can really help most security programs out there. The reason I like Bug Bounty programs so much in combination with pentests is because it allows you to focus your pentests on very specific areas rather than trying to have them test everything when they don’t have time for that. So you can use your bug bounties to try and get very wide coverage, and you can use your pentests to try and get very focused and specific coverage.

PS: The NHS has recently hired white hat hackers to identify cyberthreats. Do you believe ethical hackers are indispensable in today’s organizations to avoid breaches and strengthen defense?

 For every organization, you need to be thinking about how people actually attack your systems. So white hat hackers, and pentesting, and bug bounties, those are all a piece of it. They’re not the full story, but they’re a piece of it. You don’t want to be doing security just for compliance, or just trying to check the box of different defenses to put in place. I challenge folks to have the number one thing that they’re thinking about as they’re trying to build a security program be: how would an attacker actually attack my organization? And really use that to drive the defensive programs that you put in place. And that’s where red teaming, white hat hackers, bug bounties, and all these ways to test your system can be a very powerful feedback loop. Because they can show, when your systems are being attacked, “this is where they went.” And that can focus your defenses.

So I really strongly believe in balancing offense and defense and using one to guide the other, and not just trying to do one in isolation.

PS: How can you implement DevOps to make companies safer?

I truly believe that embracing DevOps and embracing Cloud can make you safer. The reason for that is, in any development methodology, you’re still going to have vulnerabilities. So as soon as you recognize that fact, the logical conclusion is that the development technology that will allow you to react the fastest is the one that can make you safest. In the old model of waterfall and changing applications very slowly, the problem was there was no way to react quickly. So this is why DevOps, Cloud, and the shift to Agility can actually make us safer.

PS: What can we learn from massive data breaches like Equifax, which happened via a web application vulnerability?

I’d say there are two things to learn from the breaches that we see every day. One is that, 99% of the time, they are the completely common, off-the-shelf things — it’s things that weren’t patched, it’s a weak password, it’s malware on an endpoint, etc. So going back to a previous comment, I would encourage all organizations to not think about the “insane, state-sponsored zero-day that’s crazy complex”, but rather to focus on the basics: how do you get coverage over malware on your endpoints? How do you get two-factor authentication on all your accounts? And how do you get coverage over the web application layer?

Because I think the other lesson that we’re all just starting to see in terms of the breaches but which we’ve been seeing in the trenches the last few years, is that historically the security risk was at the infrastructure layer and the network layer, so we always thought firewalls and IDSs and things like that could mitigate it. But over the last several years the risk has all moved up to the application layer and out to the endpoint. So learning where your risk actually sits is the number one lesson we should be learning as an industry right now, across the breaches that we’ve been seeing.

PS: Do you think companies will be ready for the GDPR? What will they need to do to be compliant and protect their data?

With any new compliance regime, there’s a lot of concern with it up front because no one is exactly certain what it looks like yet. So I think it will be a little fuzzy at first, then you’ll see products and services emerge to help with it and you’ll see a much clearer picture of what the auditors are actually looking for and what steps really need to be taken as part of that.

Security and compliance are two separate things that sometimes overlap in small pieces. So defending your data, and not just being compliant with something, you have to ask: how do I defend my endpoints? How do I defend my web applications and my APIs and other things at the application layer? Because those two buckets are where so much of my risk is. So you should focus on getting visibility into those, getting effective controls into place around malware on the endpoints, two factor authentication for as many services as you can put it on, and then getting coverage and visibility and protection for your application layer.

PS: In terms of application security, do you prefer security by programming from within, or do you prefer protecting it from the outside?

The answer is both. For defending applications, how you do that effectively is you think about how to eliminate as many bugs as possible during the development cycle, but at the same time you recognize that there will always be vulnerabilities. So you couple that up with getting visibility and defense into the code that’s actually in production, and not just try to scan for bugs once it goes out and then just ignoring it once it’s out there live on the Internet. I think that’s been a major failing of the SDLC for the past 10 plus years.

The biggest piece of commonality I see amongst organizations that are doing this well is that they try to eliminate bugs before production, they recognize that there will always be vulnerabilities, so they are really investing very heavily in getting visibility into how those services are being attacked in production and using that to bring that visibility directly to the development teams and the DevOps teams themselves, so that they can self serve with that information and not have to rely on the security teams to defend the services that they’re building.

Daniel Lerch: “Steganography is a Tool of Great Interest to Cybercriminals” https://www.pandasecurity.com/en/mediacenter/interviews/daniel-lerch-steganography/ Thu, 28 Dec 2017 16:00:59 +0000

We spoke with Daniel Lerch about the many steganography techniques that hackers and cybercriminals use to evade security systems.


Elliot Alderson hides secret information in audio CD files. However, the technique used by the fictional hacker protagonist of “Mr Robot” is far from being a TV whimsy. This is just one of the many steganography techniques used by hackers and cybercriminals to evade security systems.

From the Greek steganos (hidden) and graphos (writing), steganography is a method of hiding data. To analyze how to best handle this surreptitious threat, we spoke with Daniel Lerch, who has a PhD in Computer Science from the Universitat Oberta de Catalunya (UOC), and is one of the top steganography experts in Spain.

Panda Security: How would you define steganography? How is it different from cryptography?

Daniel Lerch: Steganography studies how to hide information in a carrier object (an image, an audio file, a text or a network protocol). While in cryptography the intention is that the message sent cannot be read by an attacker, in steganography the goal is to hide even the fact that any communication is taking place.

The two sciences are not mutually exclusive. In fact, steganography usually uses cryptography to encrypt the message before hiding it. But their objectives are different: not everyone who needs to protect information, also needs to hide it. So steganography would be an additional layer of security.

PS: Who would benefit more from steganography: cybercriminals or security providers?

DL: Without a doubt, cybercriminals. Those responsible for the security of companies and institutions do not need to hide their communications. To keep them safe, cryptography is enough.

Steganography is a tool of great interest for different types of criminals, since it allows communication without being detected. Typical examples are communications between terrorist cells, the dissemination of illegal material, the extraction of business secrets, or their use as a tool to hide malware or the commands that remotely control the malware.

PS: How has this technique evolved in recent times?

DL: Depending on the medium by which steganography is applied, the evolution has been varied.

The medium that has evolved the most is steganography in images. They are so difficult to model statistically that it is very easy to make changes to them without anyone noticing. For example, the value of a pixel in a black and white image can be represented by a byte, that is, a number between 0 and 255. If that value is modified by one unit (hiding a bit) the human eye cannot perceive it. But the issue is that it’s not easy for statistical analysis of the image to detect this alteration either. Images are an excellent way of hiding data, such as video and audio.

Another medium that has received a lot of attention is steganography in network protocols. However, unlike what happens with the images, network protocols are well defined. If we change information in a package it is noticeable, so there is less wiggle room when it comes to hiding data. Although they may seem easy to detect from the outset, these techniques can be effective because of the difficulty of analyzing the large amount of traffic in existing networks.

One of the oldest media carriers, and one which has evolved least in the digital age, is the text. However, steganography in text could make a significant leap thanks to machine learning. In the techniques developed in recent years, the process of hiding information is tedious and requires the user’s manual input to generate a harmless text that makes sense and carries a hidden message. However, the current advances in deep learning applied to NLP allow us to generate more and more realistic texts, so it is possible that we will soon see steganography in text that is really difficult to detect.

PS: What applications does steganalysis have in the field of computer security? What techniques are usually used?

DL: From the point of view of business security, the main applications are the detection of malware that uses steganography to hide itself and the detection of malicious users trying to extract confidential information.

From the point of view of national security agencies, the main applications of steganalysis are the detection of terrorist or espionage communications.

Although most of the steganography tools that can be found on the Internet are unsophisticated and could be detected with simple and known attacks, there are no quality public tools that allow us to automate the process, detecting steganography in network protocols, in images, in video, audio, text, etc.

Maybe this is not possible yet. For example, in the field of steganography in images, the advanced techniques with which it is currently being investigated can hardly be detected using machine learning. If, in addition, the information is distributed among different media, significantly reducing the amount of information per carrier object, its detection with current technology becomes practically impossible.

PS: What role do you believe that steganography will play in the coming years? Will it be used more as an attack weapon, or a defense tool?

DL: Steganography as a defense tool would be unusual, although there are examples, such as the extraction of information by activists in a totalitarian country.

The main role of steganography in the next few years will be seen in its application as a tool to hide malware and to send control commands to the malware. This is already being done, although with fairly rudimentary techniques. The use of modern steganography techniques to hide malicious code will greatly hinder detection, forcing security tools to use advanced steganalysis techniques.

PS: What advice would you give to a computer security professional who is thinking of using steganalysis?

DL: He would probably be interested in detecting malware or exfiltrating data. The first thing is to keep good track of everything, to know what tools exist and when and how to use them. Then, it comes down to practice. Test and validate the technologies that we implement using a wealth of data.

If you use machine learning to perform steganalysis, you must be careful with what data you use to train the system. The model has to be able to predict data it has never seen. It would produce an error if, to validate the model, it were to use data that was used to train it. In machine learning, it is often said that a model is as good as the training data. So if our training data are not complete, the predictions that our model will make will not be reliable. The more data we use to train the model, the less likely it is that it will be incomplete. Otherwise, we run the risk of ending up developing tools that only work well in the laboratory, with our test data.

PS: What role will artificial intelligence and machine learning play in business cybersecurity strategies?

DL: An example would be the automatic detection of security flaws in the software. Also, replacing antivirus software that detects the signatures of known viruses with an artificial intelligence system that identifies viruses based on common characteristics and behavior.

PS: In an environment where there are more and more connected devices, what security measures should be adopted to protect the privacy of data at the enterprise level?

DL: Security measures in IoT devices have to be the same as those applied to other devices connected to the same network. It may seem strange to have to manage the security of the office thermostat at the same level as a PC, but from the point of view of an attacker, this is as good a point of access to the network as any other.

Alberto Yépez: “Businesses Are More Willing to Invest in Cybersecurity” https://www.pandasecurity.com/en/mediacenter/interviews/alberto-yepez-businesses-are-more-willing-to-invest-in-cybersecurity/ Fri, 24 Nov 2017 13:58:29 +0000

In this guest collaboration, Alberto Yépez, Managing Director of Trident Capital Cybersecurity, shares his expert vision of innovation in the security sector.


In this guest collaboration, Alberto Yépez shares his expert vision of innovation in the security sector. Alberto is co-founder and Managing Director of Trident Capital Cybersecurity, the largest global venture capital firm focused on cybersecurity startups. Alberto has extensive experience as an investor in companies such as Alien Vault, Mocana or Bluecat. In addition, he has served as a consultant for the US Department of Defense, is a member of the Board of Advisors of SINET (Security Innovation Network) and actively participates in global initiatives such as the World Economic Forum Partnership for Cyber Resilience.

Panda Security: How has the cybersecurity landscape evolved over the 30 years that you have been in the sector?

Alberto Yépez: I think that cybersecurity has evolved from being a very technical and isolated issue to becoming something that is important for executives and boards of directors. I think that’s the biggest shift from a business perspective. We live in a digital age. Information is a premium, and information comes from data and is produced by applications that provide the context of the data for it to become information. And given that we are trying to protect that information, you see businesses that can succeed or fail just because that information gets compromised.

From a technical point of view, given the complexity and the multiple platforms of computing that we use today, it has become complicated to protect. So every time there is a shift in a computing platform, there are new attack vectors that appear. And in order to defend them, you have to invest a lot of money to protect our mobile devices, our applications in the cloud, our data centers, privacy information for individuals, IoT… now you have this whole interconnected world.

The third thing that has happened, besides business and technical, is that now that we live in a digital age, to rob a bank you don’t need to go in there with a gun to steal the money. You can sit in your living room or your basement, and attack a bank and get the money. Therefore, the threat is real, the cybercriminals have changed, and these are more sophisticated individuals, very technical, that basically do it for different motives — because they are activists, or hacktivists, or they do it because they are really criminals and they want to enrich themselves and use the money or information for ransom. Or, more importantly, as we’ve seen as of late, there are a lot of state-sponsored cyberattacks, where they’re trying to destabilize democracies and governments. They’re trying to attack the national grid, or the critical infrastructure of a government, etc. So the frequency and sophistication of attacks has increased exponentially. Therefore, it is becoming harder to defend, and it all comes back to, if it’s becoming harder, then the amount of money that needs to be invested is increasing, and not just by choice. The whole industry is really in a huge inflection point, where cybersecurity has become a fact of everyday life, both for the individual, the business, and for the government.

PS: What would you say are the most relevant trends in the cybersecurity industry right now?

There’s a shortage of cybersecurity professionals. Therefore the suppliers are trying to build products that are easier to deploy, easier to consume, and they’re using new technologies like the cloud and mobility to make sure that it becomes easier to protect information. In summary, it’s mobile security, cloud security, IoT security, and privacy. Especially in Europe, as you know, there’s a big push for some of the privacy directives, including the GDPR, which are at the front of the mind for business.

PS: How can security benefit from AI and Machine Learning, and what are the risks?

That’s an excellent question. So how do you solve the problem of the shortage of cybersecurity professionals? You bring in automation. Not to replace, so much, but to help the humans. The role of AI is basically to automate tasks of mature segments of the security industry, using human knowledge.

PS: You’ve invested in many successful cybersecurity companies. How do you decide that a company is right for investment? What catches your eye?

We look at five different areas — so this is a good note for entrepreneurs!

Number one, we’re really market driven. We like to get a sense of what the areas are where no commercial technologies exist so emerging solutions can be funded. So we look at, how big is the market?

Number two, we look at the intellectual property — how hard it is to replicate the solution.

Number three, we look at the go-to-market strategy — how the company can scale not just by selling one at a time, but by creating alliances. Which is one of the basics to reach a global audience.

Number four, we look at the team — whether the people have the experience, the context, the knowledge, and the relationships to be successful.

And number five, we often look at the co-investors. The investor group is important, because companies go through several iterations and several fund-raisings, so you need investors that are committed to support a company through all this.

PS: In ten years from now, do you think the world will be more or less safe? Why?

[Laughs] I think we’re a long way from not needing cybersecurity. The world will continue to be safe to the degree that there’s investment that is put into cybersecurity. One of the problems that we need to solve is we need to explore more careers in universities and encourage young people to pursue careers in cybersecurity. And not just technical, there are also analysts, operations, strategies, etc. So I think we need to make an investment in education.

I would imagine that as more regulations come about, businesses would be more willing, rather than less willing, to invest in cybersecurity. So I think overall there will be the logical tension at balance. We’re going to live in a safer world, but the fact of the matter is that new threats will be created and it will be harder to protect against them.

The post Alberto Yépez: “Businesses Are More Willing to Invest in Cybersecurity” appeared first on Panda Security Mediacenter.
