Monthly Archives: April 2016

How much should independent security advice affect your security strategy and capital spending?

30 April 2016

Last week Richard Bass asked the question ‘How much do independent test results affect your security purchases?’ on IT Central Station. In my opinion, independent test results are a good starting point, but I would not rely entirely on them.

In this context, the question about independent security advice should be addressed as well. How much should independent security advice affect your security strategy and capital spending?

This week the Verizon 2016 Data Breach Investigations Report was published. Figure 8 on page 10 shows the evolution of two important indicators, the Time-to-Compromise (T2C) and the Time-to-Discover (T2D).

Figure 8: Verizon 2016 Data Breach Investigations Report. Picture Credits: Verizon 2016 Data Breach Investigations Report

In 2005, the percentage of breaches in which the initial compromise took days or less (T2C days or less) was about 75%. Over time, the attackers refined their methods: in 2015, about 98% of all breaches succeeded within days or less.

In contrast, the percentage of breaches that were discovered within days or less (T2D days or less) rises only from about 15% in 2005 to about 25% in 2015 (blue regression line). This is a real fiasco, especially considering that organizations have invested massively in SIEM solutions over the past 10 years.

In January Gartner Group published the advice ‘Shift Cybersecurity Investment to Detection and Response’. Is this advice meant seriously? With Figure 8 in mind? My answer is: I don’t think so.

We need a good mixture of prevention and detection/response to recover lost ground in the defense against cyber-attacks. The goal of prevention is to increase the Time-to-Compromise (T2C up); the goal of detection and response is to dramatically decrease the Time-to-Discover (T2D down).

A cyber-attack usually happens in six phases:

Six Phases of a Cyber Attack

Breaking the overall goals ‘T2C up’ and ‘T2D down’ down to the individual phases leads to the following questions:

Does the strategy or solution

  1. Increase the Time to Compromise?
  2. Diminish the attacker’s ability to become persistent?
  3. Diminish the attacker’s ability to install tools or use existing tools?
  4. Diminish the attacker’s ability to move laterally in the network?
  5. Reduce the Time to Detect?

Back to the initial question. How much should independent security advice affect our security strategy and capital spending?

Independent security advice is a good starting point, but we should ask some key questions to evaluate whether a strategy or solution really makes a difference.

Have a good weekend.

How much do independent test results affect your security purchases?

24 April 2016

I got this question by email last Wednesday.

‘… Do we need more independent testers? Better proof of independence? Sites like this obviously aim to bring that evidence to the user from the user. But I see reviews for Endpoint solutions that I know are factually ineffective at catching threats ranking in the top 1-5 which is surprising…’

In my opinion, independent test results are a good starting point, but it makes no sense to rely completely on them, since satisfaction with a security solution depends largely on criteria that cannot be simulated in a test environment.

First of all, it is crucial to have a clear understanding of the threats and vulnerabilities one wants to mitigate with a solution. What risks is the organization exposed to? What are the threats? Which of these threats do we want to address with a new solution, and which risks do we want to mitigate with it?

A few hours of brainstorming in an interdisciplinary team are required to get this right. The resulting checklist is the basis for the subsequent product pre-selection.

Once this is clear, the pre-selection process can start. Most vendors claim that their solution solves all the security problems of the world, but in reality most solutions mitigate only a few threats. By the end of the pre-selection process, at the latest, it is very important to have a clear idea of which threats a solution mitigates effectively.

With this, one has a good chance of finding a solution that fits one’s needs. The criteria used for pre-selection, as well as the results, can easily be communicated in peer reviews.

Unfortunately, there are other factors which affect the effectiveness of security solutions and the ease of their implementation. Such factors include, e.g.,

  • the existing IT landscape of an organization,
  • the integration of the solution into the IT and security landscape of an organization,
  • the integration of the solution into the business, IT and security processes,
  • the maturity of the IT and security processes, and
  • the skills of the IT staff.

Successful implementation of and satisfaction with a solution depend in large part on these factors. Therefore, these factors should be the basis for the final selection process. Unfortunately, they are mostly not communicated in peer reviews.

From my point of view, more independent testers or better proof of independence will not solve the problem. It would be very helpful if we could simulate in advance how a security solution fits into an organization’s existing IT and process landscape, and how it affects the organization’s security level.

Ok, sounds like science fiction, but we all need to have some dreams, at least sometimes. Let us start with publishing the pre-selection checklists and information about the IT landscape, of course in anonymized form.

Have a good week.

Attention! Attention! Ransomware Cerber talks to you

16 April 2016

I use Adobe Flash Player only if there’s no other way. The plugin is deactivated by default, and I activate it only when I view an SC Magazine seminar.

Nevertheless, the latest security flaws, in particular CVE-2016-1019, must be patched as soon as possible, because this bug was being exploited in drive-by download attacks that infected computers with the Cerber ransomware when victims visited tainted websites.

What is new about Cerber is that it has a computer-generated voice, and that the malware is delivered by a drive-by download. Against drive-by downloads the first line of defense, your users, is of limited effectiveness, because they have no way to tell that they have been tricked: no attachment is opened and no macro is enabled; visiting the page is enough.

From my point of view, a next-generation endpoint protection tool that containerizes all applications which connect to the Internet is the means of choice in the defense against drive-by attacks. Since I am a strong advocate of the Zero-Trust Network concept, I recommend containerizing applications even if they access only internal network resources.

In addition, containerization frees us from the patching treadmill, at least to some extent: a contained exploit cannot reach the rest of the system, so we are no longer forced to roll out every patch immediately to thousands of computers. It does not remove the vulnerability, though; it buys time to test and deploy the patch.

Unfortunately, Microsoft missed the opportunity to run Flash Player more securely in Windows 10.

Process Explorer View of Edge and Flash Player.

Edge’s processes run by default in an AppContainer, which blocks most access to system resources. By contrast, Flash Player runs at Medium integrity level and therefore has access to a lot of system resources.

Have a good weekend, and patch your Flash Player!

Don’t ‘Enable Macro if you can’t read the entire document’!

9 April 2016

For some weeks now, so-called file-less malware has been experiencing a new boom. File-less malware has been used in cyber-attacks for some years. What is new is that no executable is downloaded from a C&C server: once the Trojan has established itself, it downloads a PowerShell script from the C&C server and uses PowerShell to encrypt the victim’s files.

PowerShell gives the attacker access to the Windows cryptographic functions. In this case, the AES standard is used. For more details, please see this analysis on

Actually, this is nothing new. Even the delivery method, in this case a spear-phishing attack with a Word document, is well known. And where editing and macros are disabled for security reasons, the attacker provides concise instructions for enabling them:

PowerWare Ransomware Instructions to disable Macro Security. Picture Credits:
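Awareness alone leaves the decision to the user. Two technical controls take it away from them and make the PowerShell stage visible. The script below is an added example and not part of the original post or of the analysis it refers to: it sets the Office 2016 policy that blocks macros in documents downloaded from the Internet, restricts macros to digitally signed ones, turns on PowerShell script block logging, and then searches the resulting event log for the pattern this post describes (download a script, run it in memory, use the .NET AES classes). The Office version path (16.0), the HKCU scope and the indicator regex are assumptions chosen for this example.

```powershell
# Added example (not from the original post): harden Word against macro-based
# droppers, make in-memory PowerShell stages visible, and audit the result.
# Assumptions: Office 2016 (registry version 16.0); policy written for the
# current user (HKCU). In an enterprise the same values are deployed by Group
# Policy. Run elevated, because script block logging lives under HKLM.

$WordSecurity = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
$ScriptBlock  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Set-MacroAndLoggingPolicy {
    # Block macros in files carrying the Internet-zone mark (mail attachments,
    # downloads) regardless of what the user clicks in the yellow bar.
    New-Item -Path $WordSecurity -Force | Out-Null
    Set-ItemProperty -Path $WordSecurity -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    # VBAWarnings: 2 = disable with notification (default; the bar the attacker's
    # instructions point at), 3 = allow only digitally signed macros,
    # 4 = disable all macros without notification.
    Set-ItemProperty -Path $WordSecurity -Name VBAWarnings -Value 3 -Type DWord
    # Log every script block PowerShell compiles (event 4104), including stages
    # that are downloaded and executed in memory and never touch disk.
    New-Item -Path $ScriptBlock -Force | Out-Null
    Set-ItemProperty -Path $ScriptBlock -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Test-MacroAndLoggingPolicy {
    # One object per setting with expected and actual value.
    $checks = @(
        @{ Path = $WordSecurity; Name = 'BlockContentExecutionFromInternet'; Expected = 1 },
        @{ Path = $WordSecurity; Name = 'VBAWarnings';                       Expected = 3 },
        @{ Path = $ScriptBlock;  Name = 'EnableScriptBlockLogging';          Expected = 1 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Ok       = ($actual -eq $c.Expected)
        }
    }
}

function Find-SuspiciousScriptBlocks {
    # Search logged script blocks for what a download-and-encrypt stage shows:
    # in-memory download, Invoke-Expression, and the .NET AES classes.
    # The indicator list is a starting point chosen for this example.
    param([int]$Hours = 24)
    $pattern = 'Net\.WebClient|DownloadString|Invoke-Expression|\bIEX\b|Cryptography\.(Aes|Rijndael)'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id,
            @{ n = 'Snippet'; e = { (($_.Message -split "`n")[0..2]) -join ' ' } }
}

# Usage:
# Set-MacroAndLoggingPolicy
# Test-MacroAndLoggingPolicy | Format-Table -AutoSize
# Find-SuspiciousScriptBlocks -Hours 48
```

Setting VBAWarnings to 3 breaks unsigned in-house macros, so sign them first or deploy the value to the groups that do not need macros at all. Script block logging records the attacker’s stage even when it is obfuscated, because the log captures the deobfuscated text at compile time; check that the Operational log is large enough to hold more than a day of events.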

The great challenge is to keep user awareness high. Hopefully this will prevent users from going ahead as follows:

Have a good weekend.

User awareness training – the forgotten first line of defense in the fight against ransomware

2 April 2016

Ransomware attacks seem to be increasing dramatically at the moment. Hospitals all over the world in particular are suffering gravely from attacks. Last Thursday, the governments of the United States and Canada published the joint Cyber Alert TA16-091A:

‘The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.’

The Solution section gives advice for preventing infections and for mitigating risk. To be honest, this alert should be mandatory reading for all administrators.

But user awareness training is given short shrift, although it is the first line of defense and training material is available. The Stop.Think.Connect Toolkits offer target-group-specific training materials and tip cards. The Industry Employee Tip Card gives eight simple tips, e.g.

  1. Don’t share any of your user names, passwords, or other computer or website access codes.
  2. Only open emails or attachments from people you know.

Let me add my favorite tip:

  1. Don’t use your company username, password and email address for private purposes.

Have a good weekend, and start with awareness training on next Monday.