Behavior Analytics Use Is The Main Lesson To Be Learned From The LastPass Breaches – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


LastPass Breaches Have Four Lessons Everybody Can Learn From

Data breaches in 2011 and again in 2015 were perpetrated against the password management firm LastPass. Experts recommend the use of password managers, since strong passwords unique to each user account are not feasible to remember without organized support. Nevertheless, putting all one’s eggs in a single basket – and then having countless users each put their egg basket into one giant basket – provides an irresistible target for hackers of every type. Cryptography specialists who have studied this recent breach at LastPass appear cautiously optimistic that major harm has been avoided, but there are still essential lessons we can draw from this episode:

1. There Is No Ideal Authentication, There Is No Ideal Security

Any competent, patient and motivated adversary will ultimately breach any practical cyber defenses – even if yours is a cyber defense business! Sadly, for many businesses today, it does not take much skill or persistence to breach their patchwork defenses and penetrate their vast, porous perimeters. Compromise of user credentials – even those of highly privileged domain administrators – is likewise quite common. Again, regrettably, many businesses rely on single-factor password authentication, which simply invites widespread credential compromise. But even multi-factor authentication can be breached, as was done with the 2011 compromise of RSA SecurID tokens.

2. Use Situational Awareness When Defenses Fail

Once the attackers have breached your defenses, the clock is ticking on your detection, containment, and remediation of the incident. Industry data suggests this clock has a long time to tick – many days on average – before awareness sets in. By that time the cyber criminals have pwned your digital assets and picked your business carcass clean. Critical situational awareness is essential if this too-frequent tragedy is to be prevented.

3. Comprehensive Situational Awareness Fuses Network and Endpoint Contexts

In the recent LastPass incident, detection was accomplished by analysis of network traffic from server logs. The attacker dwell time prior to detection was not disclosed. Network anomalies are not always the fastest way to recognize an attack in progress. A fusion of network and endpoint context provides a far better decision basis than either context separately. For example, being able to combine network flow data with identification of the originating process can shed much more light on a potential infiltration. A suspect network contact by a new and unreputed executable is far more suggestive when the two observations are taken together than when either is analyzed on its own.
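To make the fusion point concrete, here is an added example (not code from the original post, and not Ziften's product code) that joins flow records to the process that opened each socket and scores the combined context. The hosts, hashes, addresses, the `KNOWN_HASHES` reputation set and the scoring weights are all constructed assumptions for illustration.

```python
"""Fusing network flow records with endpoint process context.

Added example, not code from the original post or from Ziften. All
telemetry, hashes and addresses below are constructed sample data; the
scoring weights are assumptions chosen for illustration.
"""
import ipaddress

# Constructed address ranges treated as "inside the network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed reputation data: SHA-256 values of executables already known and trusted.
KNOWN_HASHES = {"sha256-of-svchost", "sha256-of-sshd"}

# Constructed endpoint telemetry: process start records keyed by (host, pid).
PROCESS_STARTS = [
    {"host": "ws-17", "pid": 4412, "image": r"C:\Windows\System32\svchost.exe",
     "sha256": "sha256-of-svchost"},
    {"host": "ws-17", "pid": 9901, "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "sha256": "sha256-of-unknown-updater"},
    {"host": "srv-db-2", "pid": 1200, "image": "/usr/sbin/sshd",
     "sha256": "sha256-of-sshd"},
]

# Constructed flow records, tagged with the originating (host, pid) the way a
# sensor that instruments the socket layer would tag them.
FLOWS = [
    {"host": "ws-17", "pid": 4412, "dst": "40.1.1.10", "dport": 443, "bytes_out": 12_000},
    {"host": "ws-17", "pid": 9901, "dst": "203.0.113.9", "dport": 443, "bytes_out": 850_000},
    {"host": "srv-db-2", "pid": 1200, "dst": "10.0.0.5", "dport": 22, "bytes_out": 4_000},
]

LARGE_UPLOAD_BYTES = 500_000  # assumed threshold for a "large" single-flow upload


def is_external(addr):
    """True when the destination is outside the constructed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def network_signals(flow):
    """Signals available from the flow alone (what server-side log analysis sees)."""
    reasons = []
    if is_external(flow["dst"]):
        reasons.append("external destination")
    if flow["bytes_out"] > LARGE_UPLOAD_BYTES:
        reasons.append("large upload")
    return reasons


def endpoint_signals(proc):
    """Signals available from the process record alone."""
    reasons = []
    if proc["sha256"] not in KNOWN_HASHES:
        reasons.append("unreputed executable")
    if "\\Temp\\" in proc["image"] or proc["image"].startswith("/tmp/"):
        reasons.append("runs from a temp directory")
    return reasons


def score_flows(flows, process_starts):
    """Join each flow to its originating process and score the fused context.

    Returns a list of (flow, score, reasons) sorted from most to least
    suspicious. Each reason is one point; the fused finding (an unreputed
    executable contacting an external address) adds two more, modelling the
    post's point that the combination is worth more than the sum of its parts.
    """
    by_pid = {(p["host"], p["pid"]): p for p in process_starts}
    results = []
    for flow in flows:
        reasons = network_signals(flow)
        proc = by_pid.get((flow["host"], flow["pid"]))
        if proc is not None:
            reasons += endpoint_signals(proc)
            if "external destination" in reasons and "unreputed executable" in reasons:
                reasons.append("FUSED: unreputed executable talking to the outside")
        score = len(reasons) + (2 if any(r.startswith("FUSED") for r in reasons) else 0)
        results.append((flow, score, reasons))
    return sorted(results, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for flow, score, reasons in score_flows(FLOWS, PROCESS_STARTS):
        print(f"{flow['host']} pid={flow['pid']} -> {flow['dst']}:{flow['dport']} "
              f"score={score} {reasons}")
```

Run on the constructed data, the `svchost.exe` flow to an external address scores only one point from the network side, while the unknown `updater.exe` in a Temp directory making a large external upload collects every signal plus the fusion bonus and rises to the top of the list. The join key `(host, pid)` is the piece that only an endpoint sensor can supply; server logs alone never see it.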

4. After An Authentication Failure, Use User Behavior Analytics

Compromised credentials often wreak havoc across breached businesses, enabling cyber criminals to pivot laterally through the network and operate mostly beneath the security radar. But this abuse of valid credentials differs noticeably from the normal behavior of the legitimate credential holder. Even rather simple user behavior analytics can spot anomalous discontinuities in learned user behavior. Always employ user behavior analytics, particularly for your more privileged users and administrators.
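The "rather simple" analytics the lesson has in mind can be as little as learning, per user, which hosts, source addresses and hours of day are normal, then scoring each new logon against that baseline. The following is an added example, not code from the original post or from Ziften; the log format, the users, hosts and addresses, the `PRIVILEGED_USERS` list and the weights are constructed assumptions.

```python
"""Simple user behavior analytics over logon records.

Added example, not code from the original post or from Ziften. The log
lines, users and hosts are constructed; the scoring weights and the
privileged-user list are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

LOGON_RE = re.compile(
    r"^(?P<ts>\S+)\s+LOGON\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed history used to learn each user's normal hosts, sources and hours.
BASELINE_LOG = """\
2015-06-01T08:55:10 LOGON user=jdoe host=ws-17 src=10.0.5.21
2015-06-02T09:02:41 LOGON user=jdoe host=ws-17 src=10.0.5.21
2015-06-03T08:47:03 LOGON user=jdoe host=ws-17 src=10.0.5.21
2015-06-01T09:10:00 LOGON user=bsmith host=srv-db-2 src=10.0.9.4
2015-06-02T09:12:30 LOGON user=bsmith host=srv-db-2 src=10.0.9.4
2015-06-03T09:08:12 LOGON user=bsmith host=srv-dc-1 src=10.0.9.4
"""

# Constructed events to score against the learned baseline. The third line is
# the administrator's credentials being used from a workstation at 2 a.m.
NEW_LOG = """\
2015-06-10T09:01:15 LOGON user=jdoe host=ws-17 src=10.0.5.21
2015-06-10T09:20:00 LOGON user=jdoe host=srv-file-1 src=10.0.5.21
2015-06-11T02:14:09 LOGON user=bsmith host=ws-44 src=10.0.5.21
2015-06-11T09:05:00 LOGON user=bsmith host=srv-db-2 src=10.0.9.4
"""

PRIVILEGED_USERS = {"bsmith"}   # assumed list of admin accounts
PRIVILEGED_WEIGHT = 2           # anomalies by admins count double
ALERT_THRESHOLD = 2


def parse(text):
    """Turn log text into event dicts; lines that are not logon records are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def learn_baseline(events):
    """Per user: the hosts logged on to, source addresses used and hours of day seen."""
    base = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for ev in events:
        b = base[ev["user"]]
        b["hosts"].add(ev["host"])
        b["srcs"].add(ev["src"])
        b["hours"].add(ev["ts"].hour)
    return base


def score_event(ev, baseline):
    """One point per discontinuity from the learned baseline, weighted for admins."""
    # A user with no history at all is treated as new on every dimension.
    b = baseline.get(ev["user"], {"hosts": set(), "srcs": set(), "hours": set()})
    reasons = []
    if ev["host"] not in b["hosts"]:
        reasons.append("new target host")
    if ev["src"] not in b["srcs"]:
        reasons.append("new source address")
    if ev["ts"].hour not in b["hours"]:
        reasons.append("unusual hour")
    weight = PRIVILEGED_WEIGHT if ev["user"] in PRIVILEGED_USERS else 1
    return len(reasons) * weight, reasons


def detect(baseline_text, new_text, threshold=ALERT_THRESHOLD):
    """Return (user, host, score, reasons) for every event at or above the threshold."""
    baseline = learn_baseline(parse(baseline_text))
    alerts = []
    for ev in parse(new_text):
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            alerts.append((ev["user"], ev["host"], score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

On the constructed data, `jdoe` reaching one new file server during working hours scores a single point and stays below the threshold, while the `bsmith` admin credential appearing on a workstation, from a workstation address, at 02:14 trips all three discontinuities and is doubled for being privileged. A three-day baseline is far too short for production; the shape of the check is what matters here.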

Chuck Leaver – Vulnerability Monitoring Is Required Even For The Hacker Elites

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver


Hacking Team Affected By Lack Of Real Time Vulnerability Tracking


Nowadays cyber attacks and data breaches are in the news all the time – and not just for those in high-value industries such as health care, finance, energy and retail. One particularly intriguing event was the breach of the Italian company Hacking Team. For those who don’t recall, Hacking Team (HT) is a company that specializes in security software catering to government and law enforcement agencies that want to perform covert operations. The programs created by HT are not your ordinary remote control software or malware-type recording devices. One of their key products, code-named Galileo – better known as RCS (Remote Control System) – claimed to be able to do practically whatever you require in terms of “controlling” your target.

Yet as skilled as they were in producing these programs, they were unable to keep others from getting into their systems, or to discover such vulnerabilities at the endpoint through vulnerability tracking. In one of the most high-profile breaches of 2015, HT was hacked, and the information taken and subsequently released to the public was substantial – 400 GB in size. More significantly, the information included extremely damaging details such as emails, client lists (and prices) that included countries blacklisted by the UN, and the crown jewels: source code. There was also thorough documentation that included a few very powerful 0-day exploits against Adobe Flash. Those 0-days were used soon after in attacks against some Japanese companies and United States government agencies.

The big question is: how could this happen to a business whose sole purpose is to make software that is undetectable and to find or produce 0-day exploits for others to use? One would think a breach here would be virtually impossible. Obviously, that was not the case. As of now there is not a lot to go on in terms of how this breach occurred. We do know, however, that someone has claimed responsibility, and that person (or team) is not new to getting into places like HT. In August 2014, another security company was hacked and sensitive files were released, much like HT. This consisted of client lists, pricing, code, and so on. This was against Gamma International, and their product was called FinFisher or FinSpy. A user by the name of “PhineasFisher” posted 40 GB worth of data on Reddit and revealed that he or she was responsible. A post in July this year on their Twitter account mentioned they also attacked HT. It appears that the message and purpose of these breaches and thefts were to make people aware of how these businesses operate and who they sell to – a hacktivist attack. He did publish some details of his methods, and some of these techniques were likely used against HT.

A final question remains: how did they break in, and what safety measures could HT have implemented to prevent the theft? We did learn from the released documents that users within HT had very weak passwords, e.g. “P4ssword” or “wolverine.” In addition, one of the primary employee systems where the theft might have occurred used the program TrueCrypt. However, when you are logged on and using the system, those hidden volumes are accessible. No details have been published as yet regarding how the network was infiltrated or how the users’ systems were accessed so that the files could be downloaded. It is apparent, though, that businesses need to have a solution such as Ziften’s Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside of normal behavior. Examples include 400 GB of files being uploaded externally, or knowing when vulnerable software applications are running on exposed servers within the network. When a company is making and providing sophisticated surveillance software – and possessing undisclosed vulnerabilities in commercial products – a better plan should have been in place to limit the damage.
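The first of those two examples, a host suddenly pushing hundreds of gigabytes out of the network, is the kind of discontinuity that a per-host volume baseline catches without knowing anything about the attacker. The following is an added example, not code from the original post or from Ziften; the daily egress summaries, the hosts, the 3x-of-median factor and the 10 GB absolute floor are constructed assumptions for illustration.

```python
"""Outbound data volume anomaly detection per host.

Added example, not code from the original post or from Ziften. The flow
summary lines are constructed; the 3x-of-baseline factor and the absolute
floor are assumptions for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed daily egress summaries: date, host, bytes sent to external destinations.
EGRESS_LOG = """\
2015-06-01 ws-21 1.8G
2015-06-02 ws-21 2.4G
2015-06-03 ws-21 1.1G
2015-06-04 ws-21 2.0G
2015-06-05 ws-21 400G
2015-06-01 srv-web-1 9.0G
2015-06-02 srv-web-1 9.5G
2015-06-03 srv-web-1 8.8G
2015-06-04 srv-web-1 9.2G
2015-06-05 srv-web-1 11.0G
"""

UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<host>\S+)\s+(?P<size>[\d.]+)(?P<unit>[KMGT]?)$"
)


def parse_size(size, unit):
    """'1.8', 'G' -> bytes."""
    return int(float(size) * UNITS.get(unit, 1))


def parse(text):
    """Yield (date, host, bytes) for each well-formed summary line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["date"], m["host"], parse_size(m["size"], m["unit"])))
    return rows


def egress_anomalies(text, factor=3.0, floor_bytes=10 * 1024 ** 3):
    """Flag days where a host's egress exceeds factor * median of its other days.

    The absolute floor stops a host with a near-zero baseline from alerting on
    noise; the median (rather than the mean) keeps one huge day from inflating
    the baseline it is being compared against.
    """
    by_host = defaultdict(list)
    for date, host, nbytes in parse(text):
        by_host[host].append((date, nbytes))
    alerts = []
    for host, days in by_host.items():
        for date, nbytes in days:
            others = [b for d, b in days if d != date]
            if not others:
                continue  # nothing to compare against yet
            base = median(others)
            if nbytes > factor * base and nbytes > floor_bytes:
                alerts.append({"host": host, "date": date, "bytes": nbytes,
                               "ratio": round(nbytes / base, 1)})
    return alerts


if __name__ == "__main__":
    for a in egress_anomalies(EGRESS_LOG):
        print(f"{a['date']} {a['host']}: {a['bytes'] / 1024 ** 3:.0f} GB out, "
              f"{a['ratio']}x this host's normal day")
```

The web server's busy 11 GB day stays quiet because it is within range of its own history, whereas the workstation's 400 GB day is about two hundred times its median. In practice the summaries would come from flow or proxy logs aggregated per host and per day, and the factor would be tuned per host class.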

Anthem Could Have Avoided Their Healthcare Data Leak – Chuck Leaver

Written By Justin Tefertiller And Presented By Chuck Leaver Ziften CEO


Continuous Endpoint Visibility Would Have Improved Healthcare Data Leakage Prevention


Anthem Inc. discovered a large-scale cyber attack on January 29, 2015 against its data and IT systems. The health care data leak was believed to have taken place over a multi-week period beginning around early December 2014 and targeted personal data on Anthem’s database infrastructure as well as endpoint systems. The stolen details consisted of dates of birth, full names, health care identification numbers and social security numbers of customers and Anthem employees. The exact number of individuals affected by the breach is unknown, but it is estimated that almost 80 million records were taken. Health care data tends to be among the most profitable sources of income for hackers selling records on the dark market.

Forbes and others report that attackers used a process-based backdoor on clients connected to Anthem databases, in addition to compromised admin accounts and passwords, to gradually take the data. The actions taken by the hackers posing and operating as administrators are what eventually brought the breach to the attention of security and IT teams at Anthem.

This type of attack illustrates the need for continuous endpoint visibility, as endpoint systems are a constant infection vector and an avenue to sensitive data stored on any network they may connect to. Simple things like never-before-observed processes, new user accounts, odd network connections, and unauthorized administrative activity are typical calling cards of the beginning of a breach and can be quickly identified and alerted on with the right monitoring tool. When alerted to these conditions in real time, incident responders can catch the intrusion, discover patient zero, and hopefully reduce the damage rather than allowing hackers to roam the network unnoticed for weeks.
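All four "calling cards" listed above reduce to one question: has this host been seen doing this before? The following is an added example, not code from the original post or from Ziften, of a first-seen detector over a mixed endpoint event stream that also names the earliest alerting host as the likely patient zero. The events, the hosts, the learning/detection cut-off and the choice to treat every account creation and admin group change as inherently new are constructed assumptions for illustration.

```python
"""First-seen baselining over endpoint events, and locating patient zero.

Added example, not code from the original post or from Ziften. The events
are constructed; the learning/detection split and the event kinds are
assumptions for illustration.
"""
from datetime import datetime

# Constructed endpoint events: (ISO timestamp, host, kind, entity).
# Days 1-3 are the learning window; what follows is the detection window.
EVENTS = [
    ("2015-12-01T08:00:00", "ws-07", "process", "outlook.exe"),
    ("2015-12-01T08:01:00", "ws-07", "netconn", "10.0.8.20:1433"),
    ("2015-12-01T08:05:00", "db-admin-1", "process", "sqlservr.exe"),
    ("2015-12-02T08:00:00", "ws-07", "process", "outlook.exe"),
    ("2015-12-02T08:02:00", "ws-07", "netconn", "10.0.8.20:1433"),
    ("2015-12-03T08:00:00", "ws-07", "process", "outlook.exe"),
    ("2015-12-04T22:10:00", "ws-07", "process", "svchost32.exe"),        # never seen
    ("2015-12-04T22:11:30", "ws-07", "netconn", "203.0.113.77:443"),     # never seen
    ("2015-12-05T01:02:00", "db-admin-1", "account_created", "svc_backup2"),
    ("2015-12-05T01:05:00", "db-admin-1", "admin_action", "group_add:Domain Admins:svc_backup2"),
    ("2015-12-05T08:00:00", "ws-07", "process", "outlook.exe"),          # baseline, quiet
]

LEARN_UNTIL = datetime.fromisoformat("2015-12-03T23:59:59")

# Change events are alerted on every time; there is no "normal" for creating an
# account or adding someone to an admin group on an endpoint.
ALWAYS_ALERT = {"account_created", "admin_action"}


def first_seen_alerts(events, learn_until=LEARN_UNTIL):
    """Return alerts for entities not seen on that host during the learning window.

    Each alert is a dict with ts, host, kind and entity. An entity alerts once;
    after that it joins the baseline so a noisy new process does not page forever.
    """
    seen = set()
    alerts = []
    for ts_s, host, kind, entity in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        key = (host, kind, entity)
        if ts <= learn_until:
            seen.add(key)
            continue
        if kind in ALWAYS_ALERT or key not in seen:
            alerts.append({"ts": ts, "host": host, "kind": kind, "entity": entity})
            seen.add(key)
    return alerts


def patient_zero(alerts):
    """The host with the earliest alert, the natural starting point for responders."""
    if not alerts:
        return None
    return min(alerts, key=lambda a: a["ts"])["host"]


if __name__ == "__main__":
    found = first_seen_alerts(EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']:<11} {a['kind']:<16} {a['entity']}")
    print("patient zero:", patient_zero(found))
```

Against the constructed stream the routine `outlook.exe` start on day 5 produces nothing, while the unfamiliar `svchost32.exe`, its external connection, the new service account and the admin group change each raise an alert, and the earliest of them points responders at `ws-07`. The baseline key includes the host deliberately: a process that is normal on a database server is still news on a workstation.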

30 Locations Affected Over 8 Months In The PF Chang Breach – Chuck Leaver

Written By Chuck Leaver Ziften CEO


The PF Chang’s restaurant chain recently published new information about the security breach of its credit card systems across the nation. The restaurant chain revealed that the breach affected more than 30 locations in 17 states and went on for eight months before being discovered.

While the investigation is still continuing, in a statement PF Chang’s reported that the breach has been contained and customer financial data has been processed securely by the restaurant since June 11. The compromised systems used by the chain were decommissioned until it was clear that their security could be guaranteed, and in the meantime credit cards were processed manually.

Rick Federico, CEO, said in a statement: “The possibly stolen credit and debit card data includes the card number and sometimes also the cardholder’s name and/or the card’s date of expiry.” “However, we have not identified that any particular cardholder’s credit or debit card data was stolen by the attacker.”

PF Chang’s was notified of the breach, which they referred to as an “extremely advanced criminal operation,” in June when they were contacted by the Secret Service about cyber security concerns. Once notified, the restaurant employed third-party forensic investigators to discover how the breach was able to occur, at which time they found that malicious actors had been able to exploit the chain’s credit card processing systems and potentially gain access to customer credit card information.

Organizations worried about similar data breaches affecting point-of-sale terminals should implement endpoint threat detection to keep critical systems secured. Endpoint defense includes monitoring sensitive access points – like POS systems, bar code readers and employee mobile devices – and mitigating threats as they appear. Continuous endpoint visibility is necessary to recognize threats before they compromise networks and to ensure enterprise security.