A new document provides guidance for businesses planning to implement a zero-trust system management strategy.

The National Security Agency (NSA) today published a document to explain the zero-trust model and its benefits, challenges involved with implementation, and advice to navigate the process.

As cloud, multicloud, and hybrid network environments become the norm for businesses, the resulting complexity, combined with evolving threats, puts many at risk. Traditional perimeter-based network defenses with layers of security tools are often insufficient. Companies need a better way to protect infrastructure and provide granular access to data, services, and apps.

“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses,” NSA officials wrote.

Zero trust requires strong authentication for both user and device identities. Use of multifactor authentication, which is recommended in this model, can make credential theft more difficult. 

The implementation of zero trust takes time and effort, but it doesn’t have to be done all at once. Many businesses may be able to incorporate zero-trust concepts into existing network infrastructure; however, the transition to a mature architecture often requires additional capabilities. Officials advise planning out the integration as a “continually maturing roadmap,” starting with initial preparation and continuing on to basic, intermediate, and advanced stages.

As with all major projects, there are challenges. Officials note potential roadblocks include lack of support from enterprise leadership or users. If leadership isn’t willing to provide the needed resources to sustain a zero-trust architecture, or users are allowed to bypass policies, then zero trust won’t prove beneficial, they say.

Read the full document here for more details.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


Here’s the deal with the information security industry in the United States: our country doesn’t have nearly the number of information security professionals that it needs. According to an estimate from Cybersecurity Ventures, the shortage of US cyber security workers could reach 500,000 people in 2021. The other point worth noting is that the information security professionals we do have are overwhelmingly white and male. ISC2 data show that just 24% of cybersecurity workers are women. Just 9% of workers self-identified as African American or Black, compared with 13% of the population at large. Just 4% identified as Hispanic, compared with 18% of the overall population.

Camille Stewart is the Head of Security Policy for Google Play and Android at Google.

We know that the shortage of infosec pros poses a cybersecurity risk. Companies across industries struggle to find and then retain information security professionals to staff security operations centers (SOCs) and manage the security of networks in sectors like government, healthcare and retail. 


But what about the lack of diversity? Do infosec’s racial and gender imbalances create their own kind of security risks? Does a homogenous population of security pros potentially blind the organizations they work for, and our society, to cyber risks? Does it shut off exploration of potentially beneficial programs, solutions, or avenues of inquiry that might help solve the epidemic of cyber security threats and attacks plaguing our society?

“You and your teams are not as effective and as able to address the threat without a diverse lens.” – Camille Stewart, Google


According to our guest this week: it just might. Camille Stewart is the Head of Security Policy for Google Play and Android at Google. She is also a Cyber Fellow at Harvard University’s Belfer Center for Science and International Affairs. Camille is the author of the essay “Systemic Racism is a Cybersecurity Threat,” which ran on the Council on Foreign Relations website back in June of 2020.

In it, Camille argues that understanding how systemic racism influences cyber security is integral to protecting the American people and defending the country from cyber adversaries. 

In this conversation, Camille and I talk about her own journey to information security as a black woman and about the barriers that men and women of color face as they seek to enter information security.

We also discuss her theory on how the information security industry’s struggles to diversify might increase cyber security risks. Camille notes that the country’s history of systemic racism and the different lived experiences of black and white Americans bear on everything from the effectiveness of public information campaigns, to hiring and recruiting within the field, to the U.S.’s efforts to foster international agreement on cybersecurity norms.

“We do a disservice to ourselves as practitioners to ignore race and gender,” Camille told me. “They are a direct impediment to the work we’re doing.”

A peek at open XDR technology, and defense that held up better than the Kansas City Chiefs.

(image by detakstudio, via Adobe Stock)


Protecting the Super Bowl from cyberattackers is no small task. In fact, it’s a sprawling, messy mass of challenges converging on a day when (almost) 100 million people are watching.

This year, much of the job fell to ReliaQuest, the official cybersecurity partner for both the Tampa Bay Buccaneers and the NFL Super Bowl LV Host Committee. ReliaQuest CEO Brian Murphy and CTO Joe Partlow lay out the tasks:

Protecting the stadium’s wireless access points and payment systems. Defending the scoreboard from vandalism and sad fans hoping to change the score. Locking down the volunteer staff’s background checks and COVID screening info. Securing coaches’ tablets and comms so their playbooks and play-calling are kept confidential. Making sure injury reports, starting lineups, and other valuable data aren’t leaked to the competition and the gambling public early. The list goes on. It means monitoring threat intelligence reports, scraping social media, shifting defense to respond to shifting threats.

(And, hopefully, doing so as effectively as the Buccaneers’ defense was against the Kansas City Chiefs’ attacks in the Bucs’ 31-9 victory that night.)

It would be a big undertaking in any year, for sure, but in 2021 the pandemic created new challenges, Murphy and Partlow explain.

Attendance in the stadium at Super Bowl LV was slashed from 62,000 to 22,000, but the bigger change affecting infosec was in the viewership outside of the stadium.

“Watch parties weren’t happening,” Murphy explains.

Usually, he says, people gather to watch the game, at restaurants, bars, and friends’ houses with big-screen TVs. This year, instead, people were watching alone, at home, on a variety of devices.

The result: Although the overall viewership ratings were the lowest for a Super Bowl since 2006, live-streaming viewership rocketed up by 65%, according to CBS.

Expecting the bump in online viewers, ReliaQuest also expected an accompanying bump in overall security events leading up to and during the game. The company hypothesized that its overall customer base might experience more attacks during the 2021 Super Bowl than in 2020.

They were right: In fact, ReliaQuest detected a 20.2% increase in total security events, year over year. There were upticks in phishing and ransomware attacks. The most noteworthy change was the increase in malicious streaming services, luring victims with promises like, “Watch the Super Bowl for free! Just download here.”

Defending against the wide variety of threats related to the event requires an array of intelligence, detection, and response tools – security information and event management (SIEM), endpoint detection and response (EDR), and threat intelligence, for starters – and in this case they were pulled together by an extended detection and response (XDR) product. Partlow and Murphy explain that their company’s XDR offering is an “open XDR” technology. By “open,” they mean the XDR is vendor-agnostic: it integrates security tools from a variety of security companies – some Carbon Black here, some Tenable there, etc.

This approach can also, for example, simplify a merger or acquisition, Partlow explains.

“Each company probably chose their security tools for a good reason,” he says, “As that [merged] enterprise, I don’t have to rip-and-replace and make it all one logo.”

Although bruised-up Chiefs quarterback Patrick Mahomes might disagree, attacks on Super Bowl Sunday were handled without major incident – “aside from the streaker,” says Partlow. But that, he notes, “was a physical security breakdown.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …


While access to compromised systems has become an increasingly common service, some cybercriminals are going straight to the source: buying code bases and then updating the application with malicious code.

On Dec. 4, users of a simple Android program — a barcode scanner — started witnessing odd behavior when their smartphones suddenly began opening up their browser to display unwanted advertisements.

While the devices exhibited the hallmarks of a malware or adware infection, the compromises puzzled most users since they had not recently downloaded new software, according to an analysis by endpoint security firm Malwarebytes. Instead, the malicious behaviors came from a software update to a popular application — the generically named “Barcode Scanner,” with millions of downloads. An enterprising group bought the code and then pushed a malicious update to every user of the application.

The supply chain attack is a new technique — buying applications, along with their software base, and then pushing out updates with malicious code — that will likely grow in popularity among cybercriminals, says Nathan Collier, senior malware intelligence analyst at Malwarebytes.

“Now that this has been done, I can definitely see it happening more in the future,” he says. “Honestly, for malware developers it’s kind of genius that they can just do this — let someone else build something, have it on Google Play for years. You are buying the ability to update all of the users to a new version of the app.”

Already, a second group used a similar tactic to infect millions of users with malicious code through a popular Google Chrome extension. In early February, Google removed the Great Suspender utility for Chrome, which reduces the memory consumed by the browser by shutting down old tab processes, after the original maintainer of the open source project sold the code to an unknown group. Users of the extension noticed in October 2020 that the new owners had installed updated code on users’ systems without notification — code that appeared to behave similarly to adware.

The technique for distributing malicious code comes as developers and security firms are trying to detect attackers who compromise code bases and insert malicious modifications. Skipping the initial requirement of compromising the code base makes the attack simpler, Bishop Fox CEO Vinnie Liu told Dark Reading earlier this month.

“The secure development life cycle has for 15 years been focused on preventing the inadvertent introduction of vulnerabilities by developers, and not against identifying and preventing the purposeful insertion of malicious code or behavior into an existing application,” he said. “Developers are unprepared for this. Most enterprise security programs are unprepared for this.” 

Paying for access to a vulnerable system is not necessarily new, however. Cybercriminal services that sell access to already compromised systems have evolved over the past decade; such services now account for a large number of ransomware infections. In 2016, cybersecurity experts were already warning of the emergence of access-as-a-service sites used by cybercriminals.

Other gray-market groups use a more subtle approach, creating advertising software development kits (SDKs) used by developers to monetize their applications, but then adding aggressive advertising or even malicious code to the third-party component. In August, for example, researchers at security firm Snyk revealed that an SDK used by more than 1,200 iOS applications had adopted code to spy on millions of users.

Compromising the supply chain directly is also becoming more common. Many cybercriminals and nation-state operators have targeted popular software and vendors — such as the software compromise that allowed NotPetya to spread and the attack on SolarWinds — as a way to eventually infect companies using the software.

By targeting struggling but popular software projects, however, cybercriminals have added another door into the supply chain for their code. 

The Barcode Scanner app behind the latest case appeared on the Google Play store in 2017 as a legitimate, ad-driven application with tens of thousands of users, according to Malwarebytes. At the time of its sale to an organization named LavaBird LLC, the application had about 10 million downloads and an extensive user base. LavaBird says the company then sold it to another third party, who made the malicious modifications, Collier says.

“The clean version was on there for a long, long time … so it was growing and growing and growing before it got taken up by LavaBird,” he says. “They bought it with the intention of selling it as quickly as they can, but the problem is they did zero verification on who they were selling it to.”

Should developers be required to do due diligence on buyers? Collier says he is not so sure. Instead, the company behind the ecosystem — whether Apple, Google, Microsoft, or another — should ensure that security checks on updates are as rigorous as on the original application, especially if the maintainer has changed.

“Google really only looks in depth when the code is first uploaded,” he says. “Looking at the code, this would have been an easy one to detect. I downloaded the app, and within five minutes it was opening up Google Chrome and doing redirects.”

Yet he acknowledged that security firms have to adapt to the new strategy as well.

“To be fair, in Google’s defense, the [mobile security] vendors were not even detecting it right off the bat either,” Collier says. “It was sly, slipped in, and it worked.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


Innovations in quantum computing mean enterprise and manufacturing organizations need to start planning now to defend against new types of cybersecurity threats.

We’ve been hearing a great deal about advances in quantum computing for a few years, but 2020 was definitely groundbreaking. Innovation is continuing to gain momentum, and new advances are pushing this revolutionary technology closer to commercial adoption. Some of the most recent milestones include:

  • IBM partnered with leading Japanese universities and corporations in July to bring quantum computers to the workplace through applications for business, finance, and materials development.
  • In August, University of Chicago students announced they had discovered a technique that would enable quantum states to last 10,000 times longer.
  • Google achieved a chemistry milestone for quantum computing in September, stimulating a chemical reaction with its quantum computer and opening a path toward more possible discoveries and inventions.

Although quantum technology will not reach maturity for years, standards bodies and other industry leaders are already considering its impact on cybersecurity and today’s widely used encryption algorithms. ETSI recently released new strategies and recommendations for migrating to quantum-safe schemes. The Accredited Standards Committee (ASC X9) issued a new standard for the use of digital signatures in public key cryptography.

Big Strides in Quantum, and More to Come
It’s clear that 2020 was a watershed year in realizing large-scale, practical quantum computing, and the innovation will only accelerate. It won’t be long before a major technology company announces it has applied quantum computing to successfully solve a problem that could not be tackled by traditional supercomputers.

We are not yet at the point where algorithms such as ECC or RSA are at risk, because breaking these advanced protections requires large-scale quantum computing power. However, the ability to solve practical problems will be a significant milestone that will spark additional investment in quantum technology — and create a virtuous feedback loop to drive further, faster advances.

What do these advances mean for enterprise and original equipment manufacturing (OEM) organizations? The past year’s progress moves us much closer to a quantum reality. According to a recent survey, 71% of IT professionals believe that quantum computing will present a major security threat in the near future.

Transforming cybersecurity strategies can take a considerable amount of time — sometimes even decades. That means organizations will have to start preparing now if they want to be ready when sufficiently large numbers of quantum computers exist. Enterprises and manufacturers that fail to move forward on their journey now risk being left behind in the years ahead.

Planning a Four-Year Strategy
Although 2020 has been packed with quantum computing advances, it is still impossible to predict a precise date when quantum computing will arrive. Still, to get in front of the curve, it’s advisable to plan to have cybersecurity preparations fully in place by 2025. For some critical systems, it’s important to have defenses in place even earlier.

Why is 2025 an important time frame? The National Institute of Standards and Technology (NIST) recently launched an evaluation process for choosing quantum-safe algorithms, and this process is expected to be completed by 2024. This is an important time frame for OEMs and organizations responsible for embedded security in products, solutions, and processes to keep in view.

Organizations securing long-life valuable data such as financial records, military secrets, healthcare records, and other assets are vulnerable to “harvest and decrypt” attacks, in which encrypted traffic is recorded today and decrypted once quantum computers are capable. Organizations holding such information need to be preparing now to secure the data that is at risk today.

Also, devices that are shipping today may still be around when quantum computers arrive and will need to have a plan in place, such as for secure remote updates, to update them to quantum-safe methods. Since those methods are not standardized yet, some products will need two updates to be secure: one to prepare them to securely receive post-quantum updates and another one once post-quantum technologies are more mature.

In addition, organizations securing products and solutions that have significant development timelines, long life cycles, and high cost to repair or recall should take proactive steps. They should begin testing, proof of concept, and infrastructure-upgrade planning to ensure they are ready, before the risk of large-scale, cryptographically relevant quantum computers becomes a reality. Full transition for these types of products should be completed by 2025. Without standards, these organizations will need to deploy hybridized and crypto-agile solutions that maintain NIST Federal Information Processing Standards (FIPS) compliance.

It’s Time to Get Started
Organizations can begin taking initial steps now to prepare for a post-quantum world. Some initial planning considerations for safeguarding devices could include:

  • Does the device require strong security, such as:
    • Public key infrastructure (PKI) and digital certificates?
    • Hardware security modules (HSMs)?
    • Physically embedded roots of trust?
  • How many years does a device need to be secured for? If the answer is seven or more years, you need to start preparing today.
  • How long does the information need to remain confidential? Again, if the answer is seven or more years, it’s time to start preparing now.

As you prepare for your technology transition, take the time to understand the problem, and find out what technologies are available to mitigate it. Find all the cryptography in your organization and start working on a plan to replace it. 

As you become more crypto-agile and prepare for deployment, ask your third-party vendors about their transition plans, and consider replacing any products and services that cannot be upgraded. Take steps to test your transition plans and mechanisms to make sure they work. Then, move aggressively to put a quantum-safe PKI solution in place to support future upgrades, and continue to deploy quantum-safe technologies as they become available.

While quantum computing might easily take a decade or more to go mainstream, this is not a race that an organization can afford to lose. The stakes are higher than ever for maintaining security and compliance. Fortunately, by putting planning into motion soon, you’ll assure your ability to stay several steps ahead of the coming revolution in quantum computing.

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and …


A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry.

Attributing the attacks with high confidence to the Lazarus Group, the new findings from Kaspersky signal an expansion of the APT actor’s tactics, going beyond its usual gamut of financially motivated crimes to fund the cash-strapped regime.

This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle, researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up.

At a high level, the campaign leverages a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices.

ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a macro containing malicious code designed to download and execute additional payloads on the infected system.

The next-stage malware functions by embedding its malicious capabilities inside a Windows backdoor that offers features for initial reconnaissance and deploying malware for lateral movement and data exfiltration.

“Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands,” Kaspersky security researchers said.

Kaspersky found overlaps between ThreatNeedle and another malware family called Manuscrypt that has been used by Lazarus Group in previous hacking campaigns against the cryptocurrency and mobile games industries, besides uncovering connections with other Lazarus clusters such as AppleJeus, DeathNote, and Bookcode.


Interestingly, Manuscrypt was also deployed in a Lazarus Group operation last month that targeted the cybersecurity community: researchers were offered opportunities to collaborate on vulnerability research, only to be infected with malware that could steal the exploits they had developed for possibly undisclosed vulnerabilities, which the attackers could then use to stage further attacks on vulnerable targets of their choice.

Perhaps the most concerning development is a technique adopted by the attackers to bypass network segmentation protections in an unnamed enterprise network by “gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server.”

The cybersecurity firm said organizations in more than a dozen countries have been affected to date.

At least one of the spear-phishing emails referenced in the report is written in Russian, while another message came with a malicious file attachment named “Boeing_AERO_GS.docx,” possibly implying a U.S. target.

Earlier this month, three North Korean hackers associated with the military intelligence division of North Korea were indicted by the U.S. Justice Department for allegedly taking part in a criminal conspiracy that attempted to extort $1.3 billion in cryptocurrency and cash from banks and other organizations around the world.

“In recent years, the Lazarus group has focused on attacking financial institutions around the world,” the researchers concluded. “However, beginning in early 2020, they focused on aggressively attacking the defense industry.”

“While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks.”