Five greatest cybersecurity myths

With the average cost of a data breach now sitting around $6.5 million in the US, businesses will be eagerly looking at how they can avoid being compromised.
With more interest in the industry than ever, we bust the top five myths surrounding cybersecurity:

Myth 1: Small organizations aren’t targeted by hackers
It’s a common misconception that hackers overlook small organizations and focus on large organizations only, but the truth is that virtually every web-based attack (98%) is opportunistic in nature, according to the 2015 Verizon Data Breach Investigations Report (DBIR).
In fact, because of this misunderstanding, small organizations tend to have inadequate levels of cybersecurity (more so than large organizations) and are actually an ideal target for hackers.
What’s worse is that 60% of small organizations that are compromised close down within six months.
Every organization – large and small – needs to strengthen its cybersecurity procedures.

Myth 2: It’s really expensive to be cyber secure and the ROI isn’t worth it
It’s true that being cyber secure costs money, but effective cybersecurity is actually a lot more affordable than people think, and considerably cheaper than suffering a data breach (now averaging $6.5 million).
It’s impossible to put an average cost on being cyber secure as every organization is different – in terms of size, resources, etc. – but organizations can implement ISO 27001, the internationally recognized cybersecurity standard, from as little as $659 with our packaged solutions.
In terms of return on investment (ROI), it’s hard to quantify the savings from an attack that didn’t happen, but the whole idea of cybersecurity is to decrease the costs related to security problems (i.e. incidents). If you manage to decrease the number and/or extent of security incidents, you will save money. In most cases, the savings achieved are far greater than the cost of the safeguards, so you will ‘profit’ from cybersecurity.

Myth 3: Cyber threats are a technology problem so a technology solution will fix them
Implementing the latest AlienVault solution may keep track of attacks or unusual activity, but it won’t get to the root of the problem.
It won’t prevent your staff from clicking on malicious links in emails, from letting a stranger through your organization’s front door, or from sending unencrypted customer data to someone outside the organization.
A comprehensive, holistic approach that covers your people, processes, and technology is the only real answer to achieving true cybersecurity, and ISO 27001 is the only internationally-recognized cybersecurity standard that addresses all of these three areas.

Myth 4: Hackers are your biggest threat
Reports show that your employees are in fact your biggest threat.
“Internal attacks are one of the biggest threats facing your data and systems,” states Cortney Thompson, CTO of Green House Data. “Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage,” he says.
As well as disgruntled employees, you also need to be aware of careless or uninformed employees – those who mistakenly leave their work cell phone in a taxi, have weak passwords, or click on links in suspicious emails – and how your partners and suppliers are handling their cybersecurity. These all pose enormous security threats to your systems and data, and tend to be more insidious.

Myth 5: I don’t need cybersecurity – I have cyber insurance

Although cyber insurance seems like a fail-safe, simple way to tackle cybersecurity, it is often the opposite. Many cyber insurers include clauses stating that failing to implement basic cybersecurity measures will void your coverage, so it’s really important to check your policy carefully.
Insurance protection is just one of the ways to mitigate costs; you must also consider having an incident response plan and team in place, extensive use of encryption, business continuity management involvement, CISO leadership, employee training, board-level involvement, and other factors.

Kaspersky Spots Hackers within its Own Network

Kaspersky Lab in Moscow has discovered a strange thing inside its own network. A new nation-state sponsored attack has been linked to members of the Stuxnet and Duqu gang, with the hackers looking to siphon data from within Kaspersky’s own networks.

It was last year that the hackers penetrated and stuck around the networks, Kaspersky said. The attackers did this for a few reasons, according to Kaspersky.

1. To access and steal the gathered intelligence on nation-state attacks that Kaspersky has been investigating and looking into.
2. To understand how Kaspersky’s detection algorithms and software works, in order to navigate a way around them.

The discovery
Kaspersky has earned a reputation in exposing and thwarting plenty of nation state attacks including those such as Stuxnet, Flame, Gauss, Regin, Duqu and more. It was an inevitability that the attackers would settle on targeting Kaspersky eventually.

The breach was discovered when an engineer noticed irregular web traffic in the security firm’s servers while testing a new product developed by the company. Upon investigating further, it was discovered that a dozen systems were also infected.

The Hack and the malicious toolkit
With similarities to the 2011 Duqu hack, the attackers are believed to be the same group behind the creation of the spyware – Duqu. The original attack comprised of six modules and the sharing of an algorithm and plenty of similar coding to hide the malware in plain sight. The new attack however, dubbed as Duqu 2.0 by Kaspersky, is a tremendous 19 mega-byte toolkit that’s rooted with plugins for clandestine recon work as well as data theft tasks. Three zero-day exploits were used as well, in order to stealthily extract data from a remote location and ping to communicate with infected machines.

“The entire code of this [attack] platform is some of the best we have seen ever,” said Costin Raiu, director of the Kaspersky’s Global Research and Analysis Team. “It is incredibly well written. Almost no mistakes anywhere.”

The infiltration of the infection
Here’s how precise the infection and attack was:

• The first target was a singular employee in Kaspersky’s Asia-Pacific offices, breaching the employee’s system with zero-day exploits.
• Although the employee had the most up-to-date patches installed, zero-day exploits are programmed to cause problems by targeting vulnerabilities that aren’t even known as vulnerabilities yet, by the software developer. No patches were available, as a consequence.
• A spear-phishing campaign may have also been used, as data breach response showed deleted browsing history and a complete wipe of the mailbox in the employee’s work system, in order to prevent Kaspersky from analyzing the infection fully.
• This wipe occurred merely 4 hours before the system was identified as “patient zero,” with the attackers knowing that the game was up.
• The attackers are likely to have come to such a conclusion when Kaspersky took many of the company’s crucial security systems offline, after discovering the breach.

And finally Eugene Kaspersky company’s CEO and founder stated that “Kaspersky Lab customers and partners were not affected and are not at risk,”.

Deep Inside Malicious PDF documents

When we start to check the PDF files that exist in our Pc or Laptop we may use antivirus scanner but in this days it seems not good enough to detect malicious PDF that counties a shell code because, as attacker mostly encrypt it’s count -ant to bypass the antivirus scanner and in many times target a zero day vulnerability that exit in Adobe Acrobat reader or in updated version.
Before we start analyze malicious PDF we going to have a simple look at PDF structures as to understand how the shell code work and where it locate.

PDF components
PDF Header
The first line of pdf show the pdf format version the most important line that give to you the basic information of the pdf file for example “%PDF-1.4 means that file fourth version.

PDF Body
The body pdf file consist of objects that compose contents of the document, these objects include fonts, images, annotations, text streams and user can put invisible objects or elements, this objects can interactive with pdf features like animation, security features. The body of the pdf supports two types of numbers (integers, real numbers).

The Cross-Reference Table (xref table)
The cross- reference counties links of all objects and elements that exist on file format, you can use this feature to see other pages contents (when the
users update the PDF the cross-reference table gets updated automatically).

The Trailer
The trailer contains links to cross-reference table and always ends up with %%EOF to identify the end of a PDF file the trailer enables a user to navigate to the next page by clicking on the link provided.

Malicious PDF through Metasploit
Now after we have talking a tour inside PDF file format and what it contains we will start to install old version of Adobe Acrobat reader 9.4.6 and 10 through to 10.1.1 that will be vulnerable to Adobe U3D Memory Corruption Vulnerability. This exploit are exist in Metasploit framework so we going to create the malicious PDF and analysis it in KALI Linux distribution. Start opens the terminal and type msfconsole. We going to setting some Metasploit variables to be sure that everything is working fine.

*After choosing the exploit type we going to choose the payload that will execute during exploitation in the remote target and open Meterpreter session. The file has been saved on /root/.msf4/local.

So we going to move the file to Desktop for easier located by typing in the terminal
root@kali :~# cd /root/.msf4/local
root@kali :~# mv msf.pdf /root/Desktop

PDFid
Now we going to use pdfid to see what the pdf continue of elements and objects and JavaScript and see if something interesting to analyze. The PDF has only one page maybe its normal. There are several JavaScript objects inside… this is very strange. There is also an OpenAction object which will execute this malicious JavaScript So we going to use peepdf.

Peepdf
Peepdf its python tool very powerful for PDF analysis, the tool provide all necessary components that security researcher need in PDF analysis without using many tools to do that, it support encryption, Object Streams, Shellcode emulation, Javascript Analysis, and for Malicious PDF it Shows potential Vulnerabilities, Shows Suspicious Elements, Powerful Interactive Console, PDF Obfuscation (bypassing AVs), Decoding:
hexadecimal – ASCII and HEX search.

Analysis
If we going to start analysis go to the directory of the PDF file then start with syntax /usr/bin/peepdf–f msf.pdf.
*choose the LHOST which is our IP address and we can view through typing ifconfig in new terminal
*finally we type exploit to create the PDF file with configuration we created before

We use –f option to avoid errors and force the tool to ignore them. This the default output but we see some interesting things first one we see is the highlighted one object 15 continue JavaScript code and we have also one object 4 continue two executing elements (/AcroForm & /OpenAction) and the last one is /U3D showing to us Known Vulnerability for now we will start to explore this objects by getting an interactive console by typing syntax /usr/bin/peepdf –i msf.pdf

The tree commands shows the logical structure of the file, and starting explore object 4 (/Acro-Form).
When we type object 4 it gave you another objects to explore for now we didn’t see any impotent information or seems suspicious except object 2 (XFA array) that gave us the element <fjdklsaj fodpsaj fopjdsio> and seems to us not continue something special. Let’s move to the another object (Open Action).
Now we can see JavaScript code, that will be executed when the pdf file will be opened. The other part of the JavaScript code is barely obfuscated like writing some variables in hex and in this code we can see a heap spraying with shell code plus some padding bytes. The attackers typically use unicode to encode their shell code and then use the unescape function to translate the unicode representation to binary content (now we are sure that defiantly a malicious pdf)

Defend
We defend our network from that type of malicious files by providing strong e-mail and web filter, IPS and by application control: disable JavaScript and Disable PDF rendering in browsers, Block PDF readers from accessing file system and Network resources. Security awareness.