Our weekly application security news roundup for April 11 to April 15, 2016 features commentary on Badlock, ransomware trends and a new Internet security threat report. Read on for details on the following headlines:
After a three-week delay, Badlock was released to the public yesterday and was less critical than previously thought - generating disappointment in the research community and relief for administrators.
"One of the reasons Badlock isn't a vulnerability worthy of the hype it was given is centered on its attack vector – Man-in-the-Middle. Before anything can happen, an attacker first needs to have already established some type of access on the network, which enables them to see traffic.... Badlock isn't a remote exploit, it's a local exploit, so the attacker already has to be inside the network before it can do damage. If things get to that point, the game's already over."
Techcrunch also covered this story.
Beazley and Munich Re are launching a push into cyber insurance, despite the growing concern that such an effort could be costly for the insurance industry due to the enormous costs in the event of large-scale attacks. The "cyber insurance market is growing by 30 to 40 percent per year. Some estimates see it reaching $15bn of premiums per year by the early 2020s, from about $3bn-$4bn now."
Both Beazley and Munich Re are aiming to take advantage of growth and are offering tailor-made cyber policies with double the amount of coverage. "However, not everyone in the insurance world is so excited about the market. Earlier this year Michel Liès, chief executive of Swiss Re, told the Financial Times that it was too early to say whether cyber was an opportunity or a threat. He added that insurers were having difficulties determining possible future claims."
Many insurers are concerned about the exposure to cyber risk and the uncertain future of cyber security. "The result of all these worries is that some insurers are wary of offering cyber cover, and those that do may limit the amount of exposure they will take on."
Symantec just released its report, unveiling some worrisome trends. “Fifty-four zero-day vulnerabilities were discovered last year, according to a report released this morning by Symantec, more than double that of 2014, and the number of mega-breaches of more than 10 million records also hit a record high,” reports CSO.
The upward trend seems to be an indicator of the growing professionalization of the hacking industry. "People figured out that they could make money by finding zero-day vulnerabilities and selling them to attackers," said Kevin Haley, director of security response at Symantec. "So there became a marketplace, and these things started to have value, and people started to hunt for them."
There were decreases in other areas. Generic phishing emails dramatically decreased, as did overall email malware. Bots also decreased in number, probably due to recent successful law enforcement efforts. The exception to this was China, which actually saw a huge increase in bots.
Other stats include: personal identities exposed as a result of breaches rose 23 percent to 429 million; and the number of companies choosing not to report the number of records they have lost rose by 85 percent, from 61 to 113.
NBC News also ran a great breakdown of the report.
According to researchers at Cisco Talos, the latest ransomware, SamSam, is a herald of the new wave of increasingly effective ransomware to come.
Joe Marshall, security research manager with Cisco Talos, predicts “that today’s ransomware authors have begun to shift strategy away from ‘spray and pray’ mentality where ransomware payloads are delivered indiscriminately via exploit kits or mass phishing campaigns. He said, the age of self-propagating ransomware, or ‘cryptoworms,’ is right around the corner,” reports Threatpost.
“This new ransomware is a mix of old and new. It has adopted self-propagating properties of worms and malware of the past. And it has new tricks when it comes to traversing corporate networks laterally to find the most vulnerable targets,” said Marshall, a co-author of the Cisco Talos report “Ransomware: Past, Present and Future” released Tuesday.
DarkReading also covered the story.
U.S. federal, state and local government agencies rank in last place in cybersecurity when compared against 17 major private industries, including transportation, retail and healthcare, according to a new report released Thursday.
The analysis, from security risk benchmarking startup SecurityScorecard, measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network.
“Rather than simply waiting for the inevitable data breach to happen, many organizations say they have begun more actively scouting around for and chasing down bad actors and malicious activity on their networks,” reports DarkReading.
“Unlike the usual security approaches, threat hunting -- as some of the industry have taken to calling the trend -- combines the use of threat intelligence, analytics, and security tools with old-fashioned human smarts.
“Eighty-six percent of respondents in a recent SANS Institute survey of 494 IT professionals said their organizations were engaged in such activity. About 75% said they had reduced their attack surface as a result of more aggressive threat-hunting while 59% credited the approach for enhancing incident response speed and accuracy.”