Monthly Archives: March 2016

Two-thirds of security pros waste a 'significant' amount of time chasing false positives

Larry Ponemon

Larry Ponemon

We are pleased to present the findings of The State of Malware Detection & Prevention sponsored by Cyphort. The study reveals the difficulty of preventing and detecting malware and advanced threats. The IT function also seems to lack the information and intelligence necessary to update senior executives on cybersecurity risks.

We surveyed 597 IT and IT security practitioners in the United States who are responsible for directing cybersecurity activities and/or investments within their organizations. All respondents have a network-based malware detection tool or are familiar with this type of tool.

Getting malware attacks under control continues to be a challenge for companies. Some 68 percent of respondents say their security operations team spends a significant amount of time chasing false positives. However, only 32 percent of respondents say their teams spend a significant amount of time prioritizing alerts that need to be investigated.

Despite such catastrophic data breaches as Target, cyber threats are not getting the appropriate attention from senior leadership they deserve. As shown in the findings of this research, respondents say they do not have the necessary intelligence to make a convincing case to the C-suite about the threats facing their company.

The following findings further reveal the problems IT security faces in safeguarding their companies’ high value and sensitive information.

Companies are ineffective in dealing with malware and advanced threats. Only 39 percent of respondents rate their ability to detect a cyber attack as highly effective, and similarly only 30 percent rate their ability to prevent cyber attacks as highly effective. Respondents also say their organizations are doing poorly in prioritizing alerts and minimizing false positives. As mentioned above, a significant amount time is spent chasing false positives but not prioritizing alerts.

Most respondents say C-level executives aren’t concerned about cyber threats. Respondents admit they do not have the intelligence and necessary information to effectively update senior executives on cyber threats. If they do meet with senior executives, 70 percent of respondents say they report on these risks to C-level executives only on a need-to-know basis (36 percent of respondents) or never (34 percent of respondents).

Sixty-three percent of respondents say their companies had one or more advanced attacks during the past 12 months. On average, it took 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it.

The percentage of malware alerts investigated and determined to be false positives. On average, 29 percent of all malware alerts received by their security operations team are investigated and an average of 40 percent are considered to be false positives. Only 18 percent of respondents say their malware detection tool provides a level of risk for each incident.

Do organizations reimage endpoints based on malware detected in the network? More than half (51 percent) of respondents say their organization reimages endpoints based on malware detected in the network. An average of 33 percent of endpoint re-images or remediations are performed without knowing whether it was truly infected. The most effective solutions for the remediation of advanced attacks are network-based sandboxing and network behavior anomaly analysis.

Download and read the rest of the report.

Two-thirds of security pros waste a ‘significant’ amount of time chasing false positives

Larry Ponemon

Larry Ponemon

We are pleased to present the findings of The State of Malware Detection & Prevention sponsored by Cyphort. The study reveals the difficulty of preventing and detecting malware and advanced threats. The IT function also seems to lack the information and intelligence necessary to update senior executives on cybersecurity risks.

We surveyed 597 IT and IT security practitioners in the United States who are responsible for directing cybersecurity activities and/or investments within their organizations. All respondents have a network-based malware detection tool or are familiar with this type of tool.

Getting malware attacks under control continues to be a challenge for companies. Some 68 percent of respondents say their security operations team spends a significant amount of time chasing false positives. However, only 32 percent of respondents say their teams spend a significant amount of time prioritizing alerts that need to be investigated.

Despite such catastrophic data breaches as Target, cyber threats are not getting the appropriate attention from senior leadership they deserve. As shown in the findings of this research, respondents say they do not have the necessary intelligence to make a convincing case to the C-suite about the threats facing their company.

The following findings further reveal the problems IT security faces in safeguarding their companies’ high value and sensitive information.

Companies are ineffective in dealing with malware and advanced threats. Only 39 percent of respondents rate their ability to detect a cyber attack as highly effective, and similarly only 30 percent rate their ability to prevent cyber attacks as highly effective. Respondents also say their organizations are doing poorly in prioritizing alerts and minimizing false positives. As mentioned above, a significant amount time is spent chasing false positives but not prioritizing alerts.

Most respondents say C-level executives aren’t concerned about cyber threats. Respondents admit they do not have the intelligence and necessary information to effectively update senior executives on cyber threats. If they do meet with senior executives, 70 percent of respondents say they report on these risks to C-level executives only on a need-to-know basis (36 percent of respondents) or never (34 percent of respondents).

Sixty-three percent of respondents say their companies had one or more advanced attacks during the past 12 months. On average, it took 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it.

The percentage of malware alerts investigated and determined to be false positives. On average, 29 percent of all malware alerts received by their security operations team are investigated and an average of 40 percent are considered to be false positives. Only 18 percent of respondents say their malware detection tool provides a level of risk for each incident.

Do organizations reimage endpoints based on malware detected in the network? More than half (51 percent) of respondents say their organization reimages endpoints based on malware detected in the network. An average of 33 percent of endpoint re-images or remediations are performed without knowing whether it was truly infected. The most effective solutions for the remediation of advanced attacks are network-based sandboxing and network behavior anomaly analysis.

Download and read the rest of the report.

Car hacking worries FBI, too; and reports of keyless entry hacking won't go away

Bob Sullivan

Bob Sullivan

We know that Americans are concerned about their cars being hacked.  We also know that some consumers believe criminals are “hacking” into their parked cars and committing “snatch and grab” crimes using devices that simulate newfangled keyless entry systems.

Now, we know the FBI is worried about car hacking, too. The agency, along with the National Highway Traffic Safety Administration, issued a bold warning to consumers and manufacturers last week.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the warning says. “While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.”

The FBI warning didn’t raise any new concerns; it mainly cites revelations of car hacking from 2015 as impetus for the warning. Still, the notice clearly demonstrates there is a level of activity around car hacking that should have everyone concerned. Drive down the highway sometime (as a passenger) and use your smartphone to see at all the cars sending out Bluetooth connections around you and you’ll get an idea about how connected our vehicles have become.

Meanwhile, consumers continue to report mysterious car break-ins around the country with no signs of forced entry, in situations when they swear their car doors were locked.  In Baltimore, a string of crimes following this pattern frustrated local residents earlier this year.

“What was strange to me was that, while I could tell it was broken into because my jacket was taken and they tossed through the stuff in the car, there were no signs of a breaking. No broken windows or anything,” said one driver. “I called and reported it mostly because I wanted to know how anyone could have gotten in if it was locked and no windows were broken. The officer said people have these things that basically interfere with newer cars electronic/fob locking systems and disable the alarms.”

The reports follow a persistent set of national stories around keyfob break-ins that began with a CNN report two years ago, and was followed by a New York Times story last year that casually suggested drivers store their car fobs in their freezers to keep them safe from hackers. (Notably, the story appeared in the Times’ Style section. The science was a little shallow).

There have also been vague warnings issued by some agencies around the world, like this notice from London Police, or this notice from the National Insurance Crime Bureau,

“The key-less entry feature on newer cars is a popular advancement that lets drivers unlock their cars with the simple click of a button on a key fob using radio frequency transmission. The technology also helps prevent drivers from locking their keys in the vehicle,” it says.  “Not surprisingly, thieves have found a way to partially outwit the new technology using electronic ‘scanner boxes.’ These small, handheld devices can pop some factory-made electronic locks in seconds, allowing thieves to get into the vehicle and steal personal items left inside.”

The existence of such a scanner box is very much in question, as are assertions that such a universal master key can be purchased for as little as $17; so is any notion that the crime is widespread. If any law enforcement agency has seized such a device, we are all waiting for it to be put on display.

How would such a magic device work?  By tricking your car into thinking your key fob is nearby and opening the door in response to a handle jiggle; or perhaps by amplifying the signal it sends out, or by intercepting that signal and copying it somehow. Or, hackers could “guess” the code for opening a car, if the code were poorly constructed. Here’s a great explanation of how it might work, and why it’s a major challenge unlikely to be used by street thugs.

*Could* such a hack exist? Well, of course, says embedded device security expert Philip Koopman, a professor at  Carnegie Mellon. Koopman actually worked on earlier generation designs for key fobs.

“I would not at all be surprised if the Bad Guys have figured out that some manufacturer has bad security and how to attack it,” he said. “There is nothing really new here, other than general lack of people to admit that if you cut corners on security you will get burned, and an insistence by manufacturers and suppliers that known bad practices are adequate.”

In a blog post six years ago, he warned about the cost sensitivity for auto manufacturors (“No way could we afford industrial strength crypto.”)

Back to today, he offered this speculation on keyless entry attacks.

“It is (possible) that the manufacturers used bad crypto that is easy to hack, possibly via just listening to transmissions and doing off-line analysis. And it is possible to attack by getting near someone when they aren’t near their car and extracting the secrets from their car keys when it is in their pocket, then using that info to build a fake key. The technology is very similar to the US Passport biometric chips, so all the attacks for those are plausible here as well.”

The FBI offers the following advice to consumers: Keep your car software up to date, as you do with your PC; don’t modify your car software; be careful when connecting your car to third parties; and “be aware of who has physical access to your vehicle.”

That last bit of advice might work for people with long driveways, but the rest of us can’t do much about who might be able to walk by our cars on streets and in parking lots.

“While these tips may seem innocuous, they do show the limitations that law enforcement and consumers have in combating the car hacking threat,” said Tyler Cohen Wood, Cyber Security Advisor of Inspired eLearning.  “With the ever-increasing implementation of Internet of Things devices, including devices installed in newer cars, it’s a real challenge for law enforcement to identify different threat vectors associated with vehicle hacking.  There is no real standard for Internet of Things devices from a vehicle standpoint—each automobile manufacturer offers different types of devices as options in vehicles, from entertainment and navigation systems to remote ignition starting devices.  There is no industry standard for operating systems or security protocols on these devices, so it’s difficult for law enforcement to identify the specific threats that the devices pose to the public.”

So what else should you do?  Putting your car “keys” in the freezer is probably a bad idea; it will likely create more problems than it solves.  You might damage the very expensive key, for example, to mitigate a threat that is still perceived as low. But it wouldn’t hurt to take great care with where you leave the key. If you park directly in front of your front door, perhaps you shouldn’t leave the key right there.  Otherwise, read the local police blotter and talk to neighbors about street crime.

Most of all, make sure you really do lock your car doors.

 

Car hacking worries FBI, too; and reports of keyless entry hacking won’t go away

Bob Sullivan

Bob Sullivan

We know that Americans are concerned about their cars being hacked.  We also know that some consumers believe criminals are “hacking” into their parked cars and committing “snatch and grab” crimes using devices that simulate newfangled keyless entry systems.

Now, we know the FBI is worried about car hacking, too. The agency, along with the National Highway Traffic Safety Administration, issued a bold warning to consumers and manufacturers last week.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the warning says. “While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.”

The FBI warning didn’t raise any new concerns; it mainly cites revelations of car hacking from 2015 as impetus for the warning. Still, the notice clearly demonstrates there is a level of activity around car hacking that should have everyone concerned. Drive down the highway sometime (as a passenger) and use your smartphone to see at all the cars sending out Bluetooth connections around you and you’ll get an idea about how connected our vehicles have become.

Meanwhile, consumers continue to report mysterious car break-ins around the country with no signs of forced entry, in situations when they swear their car doors were locked.  In Baltimore, a string of crimes following this pattern frustrated local residents earlier this year.

“What was strange to me was that, while I could tell it was broken into because my jacket was taken and they tossed through the stuff in the car, there were no signs of a breaking. No broken windows or anything,” said one driver. “I called and reported it mostly because I wanted to know how anyone could have gotten in if it was locked and no windows were broken. The officer said people have these things that basically interfere with newer cars electronic/fob locking systems and disable the alarms.”

The reports follow a persistent set of national stories around keyfob break-ins that began with a CNN report two years ago, and was followed by a New York Times story last year that casually suggested drivers store their car fobs in their freezers to keep them safe from hackers. (Notably, the story appeared in the Times’ Style section. The science was a little shallow).

There have also been vague warnings issued by some agencies around the world, like this notice from London Police, or this notice from the National Insurance Crime Bureau,

“The key-less entry feature on newer cars is a popular advancement that lets drivers unlock their cars with the simple click of a button on a key fob using radio frequency transmission. The technology also helps prevent drivers from locking their keys in the vehicle,” it says.  “Not surprisingly, thieves have found a way to partially outwit the new technology using electronic ‘scanner boxes.’ These small, handheld devices can pop some factory-made electronic locks in seconds, allowing thieves to get into the vehicle and steal personal items left inside.”

The existence of such a scanner box is very much in question, as are assertions that such a universal master key can be purchased for as little as $17; so is any notion that the crime is widespread. If any law enforcement agency has seized such a device, we are all waiting for it to be put on display.

How would such a magic device work?  By tricking your car into thinking your key fob is nearby and opening the door in response to a handle jiggle; or perhaps by amplifying the signal it sends out, or by intercepting that signal and copying it somehow. Or, hackers could “guess” the code for opening a car, if the code were poorly constructed. Here’s a great explanation of how it might work, and why it’s a major challenge unlikely to be used by street thugs.

*Could* such a hack exist? Well, of course, says embedded device security expert Philip Koopman, a professor at  Carnegie Mellon. Koopman actually worked on earlier generation designs for key fobs.

“I would not at all be surprised if the Bad Guys have figured out that some manufacturer has bad security and how to attack it,” he said. “There is nothing really new here, other than general lack of people to admit that if you cut corners on security you will get burned, and an insistence by manufacturers and suppliers that known bad practices are adequate.”

In a blog post six years ago, he warned about the cost sensitivity for auto manufacturors (“No way could we afford industrial strength crypto.”)

Back to today, he offered this speculation on keyless entry attacks.

“It is (possible) that the manufacturers used bad crypto that is easy to hack, possibly via just listening to transmissions and doing off-line analysis. And it is possible to attack by getting near someone when they aren’t near their car and extracting the secrets from their car keys when it is in their pocket, then using that info to build a fake key. The technology is very similar to the US Passport biometric chips, so all the attacks for those are plausible here as well.”

The FBI offers the following advice to consumers: Keep your car software up to date, as you do with your PC; don’t modify your car software; be careful when connecting your car to third parties; and “be aware of who has physical access to your vehicle.”

That last bit of advice might work for people with long driveways, but the rest of us can’t do much about who might be able to walk by our cars on streets and in parking lots.

“While these tips may seem innocuous, they do show the limitations that law enforcement and consumers have in combating the car hacking threat,” said Tyler Cohen Wood, Cyber Security Advisor of Inspired eLearning.  “With the ever-increasing implementation of Internet of Things devices, including devices installed in newer cars, it’s a real challenge for law enforcement to identify different threat vectors associated with vehicle hacking.  There is no real standard for Internet of Things devices from a vehicle standpoint—each automobile manufacturer offers different types of devices as options in vehicles, from entertainment and navigation systems to remote ignition starting devices.  There is no industry standard for operating systems or security protocols on these devices, so it’s difficult for law enforcement to identify the specific threats that the devices pose to the public.”

So what else should you do?  Putting your car “keys” in the freezer is probably a bad idea; it will likely create more problems than it solves.  You might damage the very expensive key, for example, to mitigate a threat that is still perceived as low. But it wouldn’t hurt to take great care with where you leave the key. If you park directly in front of your front door, perhaps you shouldn’t leave the key right there.  Otherwise, read the local police blotter and talk to neighbors about street crime.

Most of all, make sure you really do lock your car doors.