Technology moves fast - the guidelines for securing “digital identities” is already four years old; old enough to be replaced by the National Institute of Science and Technology (NIST).

The new, final Special Publication (SP) 800-63-3 was released at the end of June. Last July, I wrote about how NIST deemed SMS-based two-factor authentication as no longer secure in their initial draft of the Digital Authentication Guideline.

Now, NIST has integrated those recommendations and more into a final suite of documents known as the Digital Identity Guidelines, widely referenced and used by a number of industries as a standard for how to properly secure digital identities - including government entities, such as federal agencies and contractors that provide services to the federal sector.

Levels of Assurance (LOAs) Replaced By IAL, AAL & FAL

One major update, according to the NIST Digital Identities blog, is the replacement of ‘levels of assurance’ (LOAs) with different areas of assurance, each with levels 1-3, including:

Identity Assurance Level (IAL)

This refers to the identity proofing process, or how an organization can vet a person’s real life identity against their digital identity.

• IAL1 - No requirement to link the applicant to a specific real-life identity.
• IAL2 - Introduces the need for either remote or physically-present identity proofing.
• IAL3 - Physical presence is required for identity proofing.

Authenticator Assurance Level (AAL)

This refers to the authentication process, including how additional factors (multi-factor authentication) can impact risk mitigation.

• AAL1 - Requires either single-factor or multi-factor authentication using a secure authentication protocol.
• AAL2 - Proof of possession/control of two distinct authentication factors is required through secure authentication protocol(s), also known as some methods of two-factor authentication.
• AAL3 - Proof of possession of a key through a cryptographic protocol. NIST recommends using a hardware-based authenticator (one example could be U2F) and one that protects against “verifier impersonation” - that is, resistant to phishing or man-in-the-middle (MitM) attacks. Users should use two distant authentication factors through secure authentication protocol(s).

Federation Assurance Level (FAL)

This refers to the assertion used in a federated environment to communicate authentication and attribute information to a relying party. Federation is what happens when identities cross from one identity domain to another.

• FAL1 - Assertions need to be signed by the identity provider (IdP).
• FAL2 - Assertions must be encrypted by the IdP (and the IdP is the only entity that can decrypt it).
• FAL3 - The user must be able to prove possession of a cryptographic key bound to the assertion.

The different areas/levels of assurance above are meant to give agencies the ability to mix and match IAL, AAL and FAL and use federation where possible.

Other Authentication Updates in SP 800-63-3

NIST also lists out other changes in the final edition of SP 800-63-3 that affect authentication. Here’s just a few:

• Using the term “authenticator” in place of “token”
• Removing knowledge authenticators, recognizing they are special cases of weak passwords
• Putting in requirements for account recovery in the event of loss or theft of an authenticator
• Removing email as a valid channel for out-of-band authenticators

SMS (Officially) No Longer Recommended for MFA

Finally, as mentioned earlier, one of the documents within the suite of Digital Identity Guidelines, SP 800-63B - Authentication and Lifecycle Management (PDF) addresses the types of multi-factor authentication (MFA) methods that are recommended by NIST.

The document lists out the types of multi-factor authenticators that may be used, including:

• OTP (one-time password) device
• MFA cryptographic software
• MFA cryptographic device

As they announced last year, SMS-based MFA is not considered as secure as these other methods, due to the fact it can be bypassed by attackers. Read Duo Aligns With NIST on New Authentication Guidelines to learn more. Instead, organizations can use more secure methods, such as Universal 2nd Factor (U2F) and Duo Push to complete two-factor authentication.

Learn more about how to evaluate different two-factor authentication solutions by downloading Duo’s Two-Factor Authentication Evaluation Guide.

If you’re heading to Las Vegas for a week of back-to-back conferences, well, we are too. And we’ll be there with new tool demos, book signing, plus several parties & awesome DJs. Check out Duo in Las Vegas for a full list of our events and where you can find us.

BSides

BSides is a community-driven information security conference held in 100 cities across 26 countries, with the Las Vegas event as the original and largest BSides conference.

Stop by the Duo & Queercon suite at Tuscany Suites during BSides Las Vegas this year to take a break and grab snacks/beverages. We’ll be there on Tuesday, July 25 and Wednesday 7/26 from 12-5:00 p.m. PT, both days - check our Duo in Las Vegas page next week for our suite number.

Additionally, on Wednesday, July 26, at 3:00 p.m. PT, Duo’s Director of R&D Rich Smith will be signing free pre-release copies of his O’Reilly book, Agile Application Security: Enabling Security in a Continuous Delivery Pipeline at our suite.

Black Hat

Black Hat has run for more than 19 years, providing the latest information security research, development and trends, holding conferences in the U.S., Europe and Asia.

Don’t miss Duo’s security researchers’ demo at Black Hat Arsenal this year - come learn about our new phishing tools, including IsThisLegit and Phinn.

IsThisLegit is a free, open-source Chrome extension and web application dashboard designed to support phishing response management for end users and admins. Phinn is a Chrome extension that uses convolutional neural networks (machine learning) to analyze web page content and alert users of suspected phishing attacks.

The demo will be presented by Duo’s Jordan Wright, Senior R&D Engineer, and Mikhail Davidov, Principal Security Researcher of Duo Labs.

This demo is unique for Arsenal as it covers the full lifecycle of phishing mitigation using tools developed by the Duo Labs team. Jordan and Mikhail will be demoing the new tool on Wednesday, July 26, from 1-2:20 p.m. PT at Business Hall, Level 2, Station 1 as part of the Human Factors track.

Learn more about the IsThisLegit demo at Black Hat.

DEF CON

DEF CON is one of the world’s longest running and largest “underground” hacking conferences, originating in 1992. Last year, more than 20,000 attended, making lines unbearably long and sessions impossible to attend (I’m not bitter). The conference brings together hackers, IT professionals, government agencies and many more to share the latest research and engage in hacking contests.

Duo’s representing at DEF CON 25 this year, throwing the DEF CON 2nd Annual N00b Party and Queercon Kickoff Party.

DEF CON 2nd Annual N00b Party

Join Duo for drinks, dancing (or not dancing) with DJ Keith Myers on Thursday, July 27 from 6:30-8:30 p.m.

Keith Myers at Duo's DEF CON Party in 2016

The party’s at the Octavius Ballroom 25 within Caesar’s Palace, located on the Promenade South Level. Here’s a PDF map to help you get less lost.

It was pretty bumping last year, so make sure you get in line early!

Queercon Kickoff Party

Originating a decade ago as a hacker party at DEF CON, Queercon grew into the largest social network of LGBT hackers around the world.

We’re excited to be hosting the infamous Queercon Kickoff Party, with DJs (Duo’s very own) Selina Style, Abstract and Andrew Gibbons.

Join us on Thursday, July 27 from 8:30-3:00 a.m. PT for drinks, dancing and music - no registration required. Head over to the Forum Tower located at Caesar’s Palace, and tag your party photos #queercon. Check our Duo in Las Vegas page next week for the suite number.

Check out the full listing of events at Queercon 14.

In part 1 of our white paper series, Duo’s Principal Security Strategist Wendy Nather explained the theory behind Google’s BeyondCorp security model - a new approach to enterprise security that mitigates the risks resulting from placing too much trust in the internal network.

In part 2, Moving Beyond the Perimeter: How to Implement the BeyondCorp Security Model, Wendy describes how you can build a new enterprise security model within your organization.

This new architecture focuses on securing what’s beyond the perimeter, including external applications, mobile endpoints and users.

At a high level, BeyondCorp combines validated users and validated endpoint devices with end-to-end encryption between the devices and resources they access. Plus, the model only allows users to access what’s necessary to do their jobs, a practice known as “least privilege.”

Learn more about BeyondCorp from Duo’s co-founders, CEO Dug Song and CTO Jon Oberheide:

Steps Toward New Enterprise Security

To implement this new framework, organizations should consider:

• Enrolling users and endpoints into inventories
• Identifying endpoints as “trusted” with digital certificates
• Enforcing access policies based on validated users and endpoints

Wendy describes each step in more detail, what you will need to complete them, practical caveats, and questions to ask along the way.

The Maturity Process With BeyondCorp

Building a new security model takes time. Duo’s white paper outlines the different stages of implementation and who can reach each stage:

• Early Maturity - Building the Inventories
• Mid-Stage Maturity - Core Deployment
• Peak Maturity - All the Users, Devices and the Apps

“BeyondCorp is not a silver bullet that will take care of all risks; it’s a way of increasing the security level of what used to be viewed as a “safe” environment.”

Making New Enterprise Security Easy to Attain

To make it easier for organizations to implement this new security model, Duo has packaged many of the components into a platform called Duo Beyond.

Our simplified security model includes:

• Device inventory
• Identification of trusted devices
• Access control engine
• Access proxy
• Single sign-on
• Multi-factor authentication (MFA)

Download Moving Beyond the Perimeter White Papers

Download part 1 - Moving Beyond the Perimeter: The Theory Behind Google’s BeyondCorp Security Model to get more detail on the theory behind BeyondCorp, the different components required, and an overview of the security architecture.

Download part 2 - Moving Beyond the Perimeter: How to Implement the BeyondCorp Security Model to find out how to implement the model, including how to inventory users and endpoints, deploy digital certificates, and create effective access policies.

Download Now

For the last 18 years, every role I’ve committed to and every job I’ve had has helped shape who I am and taught me to be stronger. I’ve had great mentors who lifted me up through tough times, but there was always a whisper in my ear, a gut feeling that kept pushing me to find a place where I could express myself, be comfortable in my own skin and grow without restrictions.

Just as I was starting to question what it takes to be part of the tech industry, I found unexpected inspiration. It came when I was thinking about changing the course of my career and I reluctantly went to a job interview with my mind made up that I wasn’t going to join yet another security company. After many weeks of discussions, I was in for a surprise.

The surprise? I joined Duo early this year. It seemed fitting to celebrate my first 90 days here by telling my story, my reason why I chose me, why I chose kindness, why I chose quality of life for my family and above all why I chose Duo.

There are 10 reasons why I joined Duo and how being part of this team has allowed me to fully embrace who I am — a Muslim, a woman in technology, someone who’s passionate to learn and succeed, give back to the community, and bring kindness and compassion into everything I do.

#10 - Culture builds behavior. Behavior builds people. People build companies.

Every company says that they value culture and toot their horns about it during interviews, but at Duo culture is people. From the first time you walk into the office and meet people, watch how they treat each other. You can’t help but notice and admire the openness. We come from different backgrounds and might not agree on everything, but for us culture means being open enough to embrace everyone, warts and all.

#9 - Duo’s brand isn’t just about the product, but also the people.

In an industry where many companies foster fear, uncertainty and doubt, Duo’s brand is unique. The color green signifies calm, as opposed to the alarming red and yellow widely associated with information security. And when we call ourselves the Most Loved Company in Security, it’s just as much about who we are as it is what we are. Our human-centered focus and positivity promotes confidence among our customers and empowers us individually within the company.

#8 - Appreciation for doing a good job and giving each other validation is ingrained in every Duo employee.

Every company has a formal awards and recognition program that sets rules and recognizes people... but how many have one where the CEO hands out the microphone to his employees at a companywide event, giving them an opportunity to thank anyone they want, building a line out the door, and resulting in heart-melting stories? That’s a big way we like to thank and recognize each other, but we also find small ways to show our appreciation every day.

#7 - We win or lose as a team, our teammates’ goals are our goals, and we’re kinder than necessary.

While the desire to win is in everyone’s DNA, winning while working with others, and lifting others through both good and bad times, doesn’t come as easily. Duo is committed to moving in that direction, even when it’s hard. When we have a challenge or concern, we bring it out in the open and figure out how to work through it and support each other. For most of the 18 years of my career my email signature has been, “Collaboration is the key to success,” and the drive and passion with which Duo pushes that statement downstream is remarkable.

#6 - We don’t hire people because they fit the mold. We hire because we want people to be themselves.

Before a job interview, people often diligently plan everything: what to wear, what to say, how to say it. Typically, they prepare by reading about the company and tweaking answers to show how they fit in, because conventional wisdom is that companies hire people who are the right fit for the culture. What makes Duo unique in this way is how we hire people for being themselves. And the variety and diversity of Duo team members showcases that we connect with people who are comfortable in who they are and recognize their unique contributions.

#5 - We spend as much time developing a product as we do on making it easy.

As I mentioned in #9, a common theme in our industry is fear. This fear compels some companies to sell like they’re the only ones that can help their potential customers — which is counter to everything we do at Duo. To understand Duo’s product strategy, you need to understand the core belief of our CEO, Dug Song. We believe in making security that’s easy to use and works well, and in radically simplifying security to a point where people can secure themselves without having to rely on a security team or expertise. In Dug’s words, “We are roadies, not rock stars. Mission control, not astronauts. Guardians, not warriors.” We make security simple, and our product exemplifies that.

#4 - I’m not a Diversity statistic for Duo. I have a seat at the table.

Celebrating diversity is increasingly a part of work culture. It's become common for companies to flaunt their diversity statistics to showcase how inclusive they are. And yes, I’ve been part of these statistics in the tech industry. At Duo, diversity isn't a metric that we track and trend to pat ourselves on the back. Rather, it means that I'm truly given the space to share my unique voice.

#3 - My creativity and skills aren’t put in a box. I’m encouraged to do what I excel at, but also to extend my reach.

Something that’s always driven me in my career is a love for problem solving. I get a great joy from examining challenges and seeking solutions. Understanding that preset processes and practices can stifle creativity and new ideas, the freedom to think for yourself and think outside of the box is key to Duo’s culture.

#2 - We don’t have to grow because we can. Our growth is intentional and in preparation for a real future.

I’ve worked in companies where change was the only constant, and it caused me to experience change fatigue. Pace is the name of the game in tech, and if we’re unable to run with it, we can become extinct. At Duo, the environment is similarly prone to change and making quick moves, but the difference here is that every change is carefully considered. That, along with communication, transparency and follow-up, helps discourage change fatigue among ourselves.

#1 - Genius doesn’t have to come at the cost of kindness or happiness.

Often as a company grows, you have to make certain compromises to reach your goals. One compromise I’ve seen too many companies make is overlooking the importance of empathy in team members. They shift toward making hiring choices just for people’s minds and forget their hearts. At Duo, “Be kinder than necessary” is a mantra that resonates not only with customers, but also in action across our internal teams. Of course, it isn’t all rainbows and unicorns, and bad days happen, but as a group we support each other and remind each other of this way of thinking.

Of course, I don't hold a crystal ball. I don’t know what the future holds or how Duo will evolve. What I do know is that as I grow in my career and work toward my goals, Duo will always be the benchmark of what an employer should be. #WeAreDuo!

Malware, ransomware, wipers, whatever you want to call them, they’re quite adept at spreading - whether across the web or laterally across your internal network.

From stopping the initial point of infection to narrowing its path of destruction, here are some tips from the US-CERT (United States Computer Emergency Readiness Team) to help organizations of all sizes stay safe:

Infection Prevention

Taking steps toward good security hygiene can help prevent initial malware infection.

Apply patches - Among others, the Petya/NotPetya malware leveraged a few Windows vulnerabilities to compromise systems that did not have a critical security patch from March 2017, MS17-010. Updating your systems as soon as you’re able to (especially with critical patches) can protect your operating systems from known vulnerabilities.

Set strong spam filters and scan emails - Phishing emails with malicious attachments are sent by threat actors to users with the intent to install malware on their computers. Set up filters to stop these emails from reaching users, and scan emails to filter executable files from reaching users, in addition to detecting threats.

Disable macro scripts - Some of those malicious attachments on phishing emails are Microsoft Office documents that contain macro scripts that download malware onto computers (known as macro malware). US-CERT recommends using Office Viewer software to open Microsoft Office files transmitted via email.

Reported in February by researchers, a new macro malware was observed checking for macOS or Windows on victims’ computers, then using embedded Python code to download a malicious payload targeting their specific operating system, according to BleepingComputer.

Develop and practice employee education - Train users on how to identify scams, malicious links, social engineering, etc. Run internal phishing simulation campaigns to identify risks and potentially vulnerable devices with the help of Duo Insight.

Authenticate inbound email - US-CERT recommends using Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to prevent email spoofing, which can deceive recipients into trusting fraudulent senders.

Stop or Slow Lateral Movement

After an attacker gains a foothold within your systems, they may use stolen credentials and lack of proper network security architecture to move laterally and your environment, seeking out sensitive data. Here’s how to make it more difficult for them to do so:

Use least privilege - Configure access controls, manage privileged user accounts and only give administrative access to those that absolutely need it to carry out job functions. In the Petya/NotPetya attack, the malware used a tool to collect cached credentials, then scanned networks to find vulnerable machines to infect. A single infected system on your network with administrative credentials could allow for attackers to move laterally and spread malware, as The Register noted.

Limit admin logins - Microsoft explains in more detail how frequently logging into accounts with local admin privileges and keeping active sessions open across multiple machines could allow for easier lateral movement.

Limiting admins to logging into admin accounts only when they need to perform administrative tasks can help reduce risk. Admins should log into standard user accounts, without privileges, as normal practice. Two-factor authentication also increases the difficulty for intruders to steal and reuse credentials to gain access to network devices, according to US-CERT.

Strong password policies - Use unique and strong passwords that are changed frequently, and never use hard-coded or default passwords. NIST’s latest Digital Identity Guidelines publication recommends a minimum of eight characters and a maximum of up to 64, and encourages the use of passphrases (longer sequence of words or text) for stronger security.

Use two-factor authentication (2FA) - Implement a secondary form of authentication to stop attackers from using stolen passwords to move around between systems and applications in your environment. Avoid SMS-based 2FA (as it can be bypassed in a number of ways), and opt for the more secure methods of Universal 2nd Factor (U2F) or push-based authentication.

Advanced solutions allow you to create controls that block access based on location, user or device on a per-application basis. That way, you can choose which user groups should have access to different applications and data, based on the level of sensitivity.

Proper network segmentation - To reduce the impact of and reach of a breach, minimize where you store critical information and restrict access to these systems. Define different network zones based on risk profiles and role-based controls, as SearchSecurity stated.

Who’s at Risk?

To gain insight into who may be at greater risk of a compromise, Duo analyzed our dataset of 4.5 million endpoints (laptops, desktops, mobile phones) to report on the current state of device security health. Using our Duo Insight phishing simulation tool, we also reported on the results of phishing campaigns.

Watch our video to learn more:

And download The 2017 Duo Trusted Access Report: The Current State of Enterprise Endpoint Security today.

Download Report

In Duo’s latest white paper, Principal Security Strategist Wendy Nather explains the theory behind Google’s BeyondCorp security model, the different components required and the overall security architecture.

This white paper is part 1 of 2 in the Moving Beyond the Perimeter series. In part 2, we’ll describe how to implement the security model within your organization.

Why the Need for a New Security Model?

While traditional enterprise security methods focused on securing the perimeter, Google’s new approach addresses risks that extend beyond the perimeter. What’s inside the perimeter is what we traditionally considered as belonging to the enterprise - servers, desktops, network, applications and logins.

But external applications and resources, together with mobile endpoints and users, force us to acknowledge that a good portion of the enterprise isn’t inside the perimeter any more.

The idea is to make users and their devices pass the same tests and controls regardless of whether they’re outside the perimeter or inside. This also has the effect of tightening security on the inside so the perimeter isn’t the only thing keeping the attacker at bay.

To do this, Google launched a new architecture at their company called BeyondCorp.

What Risks Does BeyondCorp Address?

In summary, BeyondCorp addresses attacks that bypass firewall protection at the perimeter, or ones that start inside the internal network (insiders). It also helps mitigate risks associated with cloud-based applications, mobile users, and vulnerable endpoints.

Download the full white paper to get more detailed threat scenarios associated with attackers inside an internal network.

What is the BeyondCorp Implementation?

At a high level:

“Google’s implementation rests on the combination of validated users using validated endpoint devices. This combination is further locked down with end-to-end encryption between these devices and the resources they access. Finally, users are allowed only the bare minimum access needed for their roles (which is also known as ‘least privilege’).”

-- Wendy Nather, Moving Beyond the Perimeter: The Theory Behind Google’s BeyondCorp Security Model

How Can You Implement a Similar Security Model?

Building infrastructure for a new security approach can take time, resources and effort.

At Duo, we’ve made BeyondCorp easily attainable with our new platform, Duo Beyond. It’s a simplified security model containing most of the components, including:

• Device inventory
• Identification of trusted devices
• Access control engine
• Access proxy
• Single sign-on
• Multi-factor authentication (MFA)

Download Moving Beyond the Perimeter: The Theory Behind Google’s BeyondCorp Security Model today to get more detail on the theory behind BeyondCorp, the different components required, and an overview of the security architecture.

Download Now

In part 2, Moving Beyond the Perimeter: How to Implement the BeyondCorp Security Model, in which we’ll describe how to implement the BeyondCorp security model, including how to inventory users and endpoints, deploy digital certificates, and create effective access policies.

Subscribe to our newsletter to get notified when part 2 is available for download.

Two months after the global WannaCry ransomware outbreak, a new wormlike malware variant has more recently plagued 64 countries, disrupting operations worldwide.

According to Microsoft’s Windows Security blog, the first signs of infection hit more than 12,500 machines in Ukraine, then spread outward to infect the U.S., Russia, Germany, Belgium, Brazil and others.

The malware has affected A.T.M.s and nuclear plant radiation monitors in Ukraine. Other companies affected include FedEx in the U.S., worldwide shipping giant A.P. Moller-Maersk, a French construction materials company Saint Gobain and Mondelez International, Inc. (owner of chocolate brand Cadbury), BNP Paribas Real Estate and many more, as reported by Reuters.

While initially reported to be a ransomware variant with code similar to the Petya ransomware, further analysis and research has revealed otherwise.

Is it Ransomware?

Some researchers say no, for a number of different reasons. The intent behind ransomware is to make money by encrypting data and holding it for ransom - ransomware can restore and decrypt files.

But this type of malware appears to be wiping the first sectors of the disk, rewriting the master boot record to make restoration of infected disks impossible, according to a blog post by Matt Suiche, founder of CloudVolumes, now VMWare. He also suggests the malware was disguised as ransomware as “a lure for the media” - piggybacking off the notoriety of the WannaCry incident.

In a separate analysis of the “high-level code of the encryption routine” used in the malware, Kaspersky Lab also confirmed that there is “little hope” for victims to recover their data, as threat actors cannot decrypt infected disks - even if victims pay up.

Kaspersky Lab researchers explained that threat actors need the installation ID in order to decrypt a victim’s disk. While previous versions of Petya ransomware do have the information necessary for key recovery, the malware used in this attack doesn’t have it - meaning threat actors supposedly can’t extract the information needed for decryption, as Ars Technica reported.

However, there are also reports that the malware is acting as ransomware, asking for $300 bitcoin, a relatively low amount that has indicated to researchers that the attack may not be profit-motivated.

Additionally, extortionists encourage users to communicate with them via email, and have provided each victim with the same bitcoin address - different from typical ransomware that uses the anonymous network Tor for communication, and assigns a unique bitcoin address to victims.

According to Information Security Researcher, the grugq, the worm is camouflaged to look like Petya, with “significant code sharing.” But further research indicates the malware was not designed to make money, but rather to spread quickly and cause damage.

Targeting Windows Systems

The worm uses a few different infection vectors, including a modified version of the Windows ETERNALBLUE exploit (also used by WannaCry to infect systems), harvested password hashes and PsExec tools - plus, good old phishing emails with malicious attachments.

A single infected system on your network with administrative credentials can spread the malware to others via PsExec and WMIC. The malware uses a tweaked build of open-source Mimikatz (a credential-theft/security-testing tool for Windows) to extract network administrator credentials out of the machine’s running memory, according to a very detailed and thorough account of the malware’s behavior by The Register.

Much of the discussion around the malware’s behavior is centered around its ability to move laterally within an organization’s networks after initial infection. Lesley Carhart discusses the abuse of poor network security architecture in her blog post, Why NotPetya Kept Me Awake (& You Should Worry Too):

“Of course, unpatched (or not recently rebooted) Windows hosts were vulnerable to MS17-010 exploitation. Beyond that, lateral movement with WMI and PsExec is very effective in environments with poor network security architecture and implementation. Flat networks without segmentation were vulnerable. Networks where their use was permitted were vulnerable. Networks where desktop users commonly had workstation admin or domain admin permissions were vulnerable, and networks where these privileges were not restricted or tightly controlled were more so.”

An analysis by Kaspersky Labs reports that the EternalRomance exploit was also used to infect machines with the malware. EternalRomance is a remote code execution exploit targeting Windows XP to Windows 2008 systems.

Patching Windows systems with the March update, MS17-010 protects computers against this exploit. However, due to many different factors, organizations with the most critical functions appear to struggle with software updates, keeping them vulnerable to known exploits.

Spreading Through Third-Party Software

Some of the initial infections were due to a legitimate software update from a Ukraine accounting software firm, as reported by ZDNET.

Microsoft has confirmed that they have evidence that a few initial, active infections can be traced back to the tax accounting software, MEDoc, developed for use in the supply chain by the Ukrainian company, M.E.Doc.

The malware infected Ukrainian hosts via the legitimate MEDoc updater process on the morning of Tuesday, June 27, pushing out an executable download to customers that appeared to be sent from the software vendor - but contained the malware.

Some advice to help avoid infection, whether it’s ransomware or malware: patch your software and update devices as soon as possible. Back up your data regularly and offline, and use the principle of least privilege to restrict the permissions of administrators and users to only what they need to do their jobs. Users should also exercise caution when it comes to downloading files from email or allowing updates.

Making Incident Response Tangible

Every security incident is unique, just like every medical emergency. Regardless of the differences, the goals are very similar: identify the problem, prevent further damage and fix what has been broken. The disconnect from one event to another is the rate at which we respond, which should be based on severity, not category.

There is great risk to an organization that throws all available resources at one problem just because that is what's on the burner at that particular time. What we end up sacrificing is proper coverage for other events. Not to mention, having ‘too many hands in the pot’ could lead to missing important steps due to a lack of organization and structure.

To reduce this risk, organizations need to put a greater emphasis on the triage phase of their incident response efforts. This is the key moment when security analysts take the first pieces of available information and use critical thinking skills, intuition and previous experience to judge the severity of the event based on the damage it has caused or is likely to cause, not solely on the category in which it belongs.

9-1-1, What is Your Emergency?

We have all undoubtedly heard this phrase in movies or on television. The calm voice of a 9-1-1 dispatcher who is ready to take whatever information the often panic-stricken person on the other end of the line is able to give them. Are they reporting a car accident? A shooting? A fire? A hangnail on their big toe? Every time the phone rings in an emergency call center, the nature of the call is different, but one thing is certain: someone needs help.

Once the information is received by the dispatcher, the information is then relayed to local emergency medical services (EMS) first responders and their job, just like that of an information security analyst, is to make an initial assessment of severity to determine the priority level of the call - which means they don’t always go lights and sirens!

There is a very strong parallel between the decision that EMS workers and analysts make when it comes to the priority at which an incident should be responded to. And like EMS, when a major breach or incident occurs, it's up to analysts’ to respond in a way that reduces and prevents further damage when every second counts! We are also first responders. While we may not hold people’s lives in our hands, we are responsible for ensuring that the livelihood of our fellow employees remains intact.

There are several common phases of incident response as it relates to information security. At Duo, we break our incident response process into the following phases:

• Detection
• Reporting/Alerting
• Triage
• Analysis
• Containment
• Mitigation
• Follow-up

Believe it or not, EMS follows a very similar structure when responding to calls, which also starts with detection and reporting. This is followed by EMS workers figuring out exactly what the problem is (triage and analysis) before they can give proper medical care (containment and mitigation). After all of that is complete, there is paperwork to be done (follow-up).

Regardless of whether we are talking about human lives or computer systems, incident response starts with two primary elements, detection and reporting, which are the lifeblood to the most crucial phase of incident response: triage.

Triage

Proper detection and reporting is crucial to ensure that the triage phase is most effective. These phases can occur in numerous ways, but ultimately boil down to relying on either tools or people.

Unfortunately, tools and people are not perfect. False positives can occur from a detection and reporting standpoint, just as easily as things can be overlooked. In an emergency situation, panic sets in, causing our judgment and perspective to change, which could alter the information necessary to triage properly.

For an analyst, an important part of triage is being able to identify the function and information impact of the event that has occurred. The table provides a general standard to describe the high, medium and low ranking levels:

The table below shows a side-by-side comparison of EMS and security-related incidents which have been triaged as high, medium and low. Subtle differences between each level show how the priority of an incident can change between incidents of the same category; in this case, a car accident and a phishing campaign.

Known Information Following the Detection and Reporting Phases

Priority Level	EMS	Security
High	Male, mid-20s, currently unconscious following a car accident	Employee notices hundreds of messages containing an attachment have been sent from their account on their behalf
Medium	Male, 26 years old, experiencing dizziness following a car accident	Employee clicked the link within a phishing message and entered their credentials into a fake website
Low	Male, 26 years old, involved in a car accident with a broken wrist	Potential phishing message reported without clicking links or opening attachments

In all three of these examples, severity of the incident was taken into consideration, which helped to determine the priority level.

Triage is the phase that can make the difference between a good and bad outcome because it changes how and when we respond.

The examples in the table show that a high priority level resulted in EMS workers needing to arrive on scene as quickly as possible because the patient’s life was at stake. The analysts in the high priority example also needed to respond as quickly possible because damage was already being done using the employee’s account.

As we can see from the table, the category of the incident did not determine how the events were responded to. Not every car accident and phishing campaign result in a worst case, high priority scenario, and the triage phase helps us to see those differences.

Triage is an Initial Assessment

The main goal of the triage phase is to help set the tone for how and when the next phase (analysis) is executed, keeping in mind that the status or an event can change at any moment. Priority levels can increase or decrease during the incident response process depending on what new information is received throughout the investigation. This will most commonly happen during the analysis phase because it is the first opportunity to actually see what the problem is first-hand, rather than relying on tools or people to detect and report.

How Duo Does Incident Response

Duo is changing the way traditional incident response (IR) is conducted. Rather than relying on analysts with little experience to triage incoming incidents, we push that responsibility to those with more experience. This is much different than they way traditional IR programs are run.

Often, more experienced analysts are called to action when an incident is larger than someone with less experience can handle. We have flipped this because it helps us to better assign resources during the first few moments after an incident is identified, which is critical.

Another way that Duo is doing IR differently is by employing a Kanban board for tracking incidents. This helps analysts to quickly see where an incident is within the investigation process at any point in time, which provides structure and organization. We can also identify the priority level at a glance based on the color coding. The Kanban board helps us to make sure investigations continue to move forward while tracking all of the pertinent information.

All of this data is used for our monthly retrospective meetings where we talk about our IR process: what went wrong, what went well and where can we improve? We also have an additional column for ‘review.’ This is an opportunity for a more experienced analyst to review the work of their coworkers to ensure nothing was missed.

Our ‘finalize documentation’ column is where we put incidents that have helped to inspire a change to our IR process. The ticket will remain in this column until the changes have been made, at which point, it will be moved to ‘done.’

Pulling It All Together

I decided to compare EMS to security incident response because I wanted to relate incidents back to something that was easier to grasp - human life. Not only is it tangible, it is also something that we can all (hopefully) easily relate to.

We can all imagine ourselves in the shoes of the EMS worker who is going to respond to a car accident. Understanding that a person who is unconscious is in a more severe situation than someone with a broken wrist is relatively simple. We can picture the rate of speed at which we would respond to each of those scenarios. Incident response is not as easy to relate to because you can’t ‘touch’ a breach or compromise that is occurring. We have to rely on the data in front of us to decide whether or not we respond with lights and sirens, just like EMS workers.

Triage is critical because it has the ability to make or break your entire investigation. Organizations that want to improve their IR process should consider making their more experienced analysts responsible for the triage process, which includes assigning resources. Experience in this phase is important because it is more than automatically assigning a category to the incident.

Now that most of us have dried our tears, it’s time to take a clear-eyed look at what the WannaCry debacle uncovered, and the most recent MaybeNotPetya attack highlighted this week.

Taken by themselves, there were no new elements: ransomware; a known vulnerability; a worm spreading via a protocol that we knew should not be exposed to the Internet; abuse of operating system utilities; and an anti-sandboxing function in the WannaCry malware. We knew there were countless vulnerable systems running software that was out of support, out of date, or simply unpatched. None of this was a surprise to anyone in security.

What always seems to take some by surprise, however, is that no matter how much we talk about patching, it doesn’t happen in many cases. In fact, organizations with the most critical functions appear to struggle with software updates. It’s almost as if talking about the problem and “raising awareness” isn’t enough to actually solve it. Like the old joke about the scientist and the frog, if you cut off all four legs, the frog mysteriously loses its hearing.

So what’s keeping these organizations vulnerable, and what can we do about it, other than scolding harder until morale improves? Here are some of the factors:

If the system isn’t under your control, you can’t update it. The issue is widespread, especially among organizations below the security poverty line, but it applies just as much to financial trading terminals and banks as it does to the network run by a centralized higher education system. Voiding the warranty and licensing terms by doing your own patching is not an option for most enterprises, even assuming you know how to do it.

Organizational constraints, particularly in the public sector. Taxpayers aren’t going to pay to update hardware and software that are working just fine. Legislative mandates, spending cuts and administrative rules designed to place controls on government also interfere with the agility necessary to keep up with security threats.

“Built to last” directly conflicts with “update early and often.” When you’re paying millions of dollars for an MRI machine and suite, you expect it to last for decades, and indeed it was built for that purpose. The idea of changing it by updating the software on a weekly or monthly basis was unthinkable when most of these were built. Because patient safety is paramount, healthcare systems cannot be updated if doing so will threaten their availability. Even if the software is patched, it requires a new round of safety certifications that take months.

Any system with external, highly entangled dependencies will take longer to update — even years, as integration testing, certifications, regulatory alignment in multiple countries, and staged deployment must all be carefully scheduled. Such entangled systems will also tend to have a longer tail, as trailing populations of users with more restrictions take longer to catch up. Microsoft discovered this with Windows XP, a perfectly functional operating system that works so well that it’s been deployed in everything from kiosks to equipment, and has been running for years. Acknowledging this reality, the company has issued updates for the large and critical body of legacy systems out there.

Expecting every company to adopt DevOps and be a Netflix isn’t practical; we go to war against malware with the systems we have, not the ones we wish to have, or that security principles state we ought to have. We need to address decades of legacy systems and organizational constraints, as well as the plain fact that nobody knows today how much effective security should cost a given enterprise; we don’t even know whether it’s affordable.

But we know we have to make changes, and we have to help critical industries that are trapped by their circumstances. Some ideas being floated around include a “cash for clunkers” program for healthcare; standing up more secure infrastructure to which SMBs could migrate, with help, is another one.

Educating non-IT vendors and manufacturers so that they start building in security will take a long time, and in the meantime, the number of truck rolls to fix legacy equipment is probably staggering. Re-aligning security incentives, both financial and legal, could affect the economy on the same scale as affordable healthcare. There is no “just” about it, but it’s time to do it.

In the meantime, there are some short-term measures that enterprises can take to address these and similar threats. One list is here; another is here; there are others in varying degrees of practicality. Good luck, and keep the hankies handy.

A healthcare cybersecurity task force comprised of several members of the information security industry and U.S. agencies released a detailed and prescriptive 96-page report (PDF) on improving security in the healthcare industry earlier this month.

According to the task force, a few of the challenges the healthcare industry faces includes:

• Theft of patient data. Patient data fuels improved patient care and new treatment development, but can also be used for fraud, identity theft, stock manipulation, etc.
• Complex, multi-user environments. Large, complex health systems involve many different players; payers, physicians, research institutions, medical device developers, etc., increasing environment complexity.
• A matrix of federal and state regulations. Many different laws can develop barriers to innovation and ease of use.

These are some of the difficulties healthcare organizations face when it comes to properly securing their systems:

• Significant resource constraints. Operating margins can drop below one percent, and many organizations can’t afford in-house information security or even security-designated IT staff.
• Lack of visibility. A shortage of resources results in the lack of infrastructure and systems to identify, track, analyze and translate threat data into actionable information.
• Legacy systems. Both small and large organizations have unsupported, outdated hardware, software and operating systems that can’t easily be replaced, which opens them up to the risk of large numbers of vulnerabilities.

Citing the rash of ransomware that has plagued all types of healthcare organizations and systems, the report emphasized the need for more education and awareness about security in the healthcare industry.

“Healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention.”

-- Report on Improving Cybersecurity in the Healthcare Industry; the Healthcare Industry Cybersecurity Task Force

Where can organizations turn for risk management guidance?

The report recommends leveraging the NIST Cybersecurity Framework - identify, protect, detect respond and recover - as a way to help manage security risks at a macro level. It’s not healthcare specific, so the task force recommends using FDA guidance for medical device risk management. They also recommend referring to NIST’s Special Publication on Securing Electronic Health Records on Mobile Devices.

The task force will address the following imperatives to increase security within the healthcare industry:

1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, risks, and mitigations.

Security Recommendations in the Healthcare Industry

Within each imperative statement, the report lists many recommendations and action items, the bulk of which is too vast and detailed to properly summarize here.

But here’s a few of the key points:

Recommendation 2.1: Secure Legacy Systems

The task force refers to legacy medical devices and electronic healthcare record (EHR) applications operating without the ability to get receive security updates to protect against the latest vulnerabilities.

Organizations should identify, classify and develop an approach to updating legacy systems, which is easier said than done, of course.

The report lists action items to help this cause, including suggestions for the government and industry to develop incentives to phase out legacy technology and create better procurement processes for the future.

Action Item 2.1.3: Real-Time Updates and Patches

Another action item require organizations to make real-time updates and patches, making compensating controls available to end users. They also need to have policies in place to receive and implement available updates.

One way Duo helps with this action item is by checking the security health of each device at authentication - those include indicators of out-of-date software and whether or not devices are company or employee-owned.

If a device needs to be updated, you can create a policy that notifies the user to immediately update before they log into your systems. This preventative approach makes it easier for IT staff short on resources to enforce real-time updates.

Recommendation 2.4: Strong Authentication

One common scenario in a hospital setting requires clinicians to sign into multiple computers throughout facilities to access patient medical records, order diagnostic tests, prescribe medication, etc. - they most often are using a single factor to log in, up to 70 times per shift.

The report states that:

"...single factor approach to accessing information is particularly prone to cyber attack as such passwords can be weak, stolen and are vulnerable to external phishing attacks, malware and social engineering threats."

The report’s Action Item 2.4.2 recommends adopting the NIST SP 800-46 guidelines for remote access, including the use of two-factor authentication to secure access to electronic healthcare record (EHR) system or health information exchanges external to the hospital or clinical environment.

Duo’s Guide to Securing Patient Data

Learn more about Duo for Healthcare, including how Duo’s two-factor authentication can help healthcare organizations meet Health Insurance Portability and Accountability Act (HIPAA) guidelines for mitigating risks associated with remote access to systems containing patient data.

Download our Guide to Securing Patient Data. To help you navigate patient data security, our guide will:

• Summarize relevant health IT security legislation, including federal and state
• Provide information security guidelines on remote access risks and solutions
• Provide extensive security resources and a real hospital case study
• Explain how to protect against modern attacks and meet regulatory compliance with two-factor authentication

Download the Report

More than 80 percent of hacking related breaches leveraged stolen and/or weak passwords, according to the Verizon 2017 Data Breach Investigation Report. Two-factor authentication (2FA) is one security solution that can mitigate the risk of a data breach and should be deployed everywhere to protect your users and information systems.

Legacy 2FA solutions haven’t been able to scale with modern computing environments and can introduce security risks and coverage gaps within your organization. Because of this, many large enterprise organizations are switching from RSA SecurID (notorious for a high price tag and adding friction/complexity) to Duo’s two-factor solution (reliable, secure and easy).

Security Strategy

Most organizations are looking for security technologies that align to their long-term strategies. They want solutions that are built for today’s world but have the vision to evolve to advance their security programs. Many organizations made the switch because they feel RSA SecurID is outdated, and they were interested in a 2FA solution that’s not only more relevant today but also designed for tomorrow.

A Brief History

In the 1980s-90s, the client-server computing model reigned supreme, and RSA SecurID was built for this era. But over the past 30 years, technology has evolved and RSA SecurID has struggled to keep pace. Duo’s two factor was designed to protect the modern era.

In the client-server era, compliance was the primary driver for adopting security solutions like two-factor authentication. It was a checkbox exercise for privileged user accounts and provided limited coverage to the rest of the organization.

Today, compliance is only one piece of an organization's security philosophy. The current drivers for two-factor authentication adoption are to provide sound security and risk management to every user and every application. Data breaches are a daily occurrence that affect countless organizations, but two-factor authentication assists in mitigating the potential for a data breach and is a fundamental baseline and building block for a successful security program.

Protect All the Things

Because of the complexity of traditional two-factor technologies (both to the admins and users), most companies only secured a set of privileged employee accounts and systems. In the modern IT environment, users rely on on-premises applications alongside Software as a Service (SaaS) technologies. Due to the sensitivity of these applications, every user and the applications themselves need to be protected with two-factor authentication.

The number of applications that employees use is constantly expanding, and IT and security teams are constantly playing catch-up to secure them. Because of this, the ability to deploy security solutions within days or weeks is paramount. Unfortunately, traditional two factor can take months or even years to deploy. This model won’t scale or function to protect in today’s dynamic landscape. Duo’s cloud-based solution can be deployed in just days or weeks and provides the agility that IT and security teams demand.

We Fight for the User

Back in the day, users were expected to sit in a cube and access business applications through corporate-owned desktops. Modern business users have a different set of technology expectations and require security solutions to be frictionless. They want to work from the location they want, the way they want and on the devices they’re most comfortable with.

Traditional two-factor architectures don’t allow for this flexibility, and their rigidity leads to users circumventing the controls and policies, increasing your organization's security risks. Duo prides itself on creating a security solution that’s built for your users and aligned with how they use technology. Because it works and is transparent, users don’t try to find work-arounds. It’s a win-win for them and your organization.

Save Dough

Traditional solutions are very capital-intensive. They require a large investment up front to get a two-factor solution up and running, plus they require costly renewals. Duo’s SaaS architecture allows you to expand as needed. Our transparent pay-as-you-go offering is billed annually on a per-user basis.

Why are enterprise organizations switching from RSA’s solution to Duo?

RSA SecurID may have worked well for the client-server era, but not so much for the modern IT era. We spoke to customers that made the switch, and this is what they highlighted as key factors that inspired them to choose Duo:

#1 - It’s Easy to Trust

With Duo, there are no “shared secrets.” SecurID is a one-time password (OTP) two-factor solution. Each user is given a token that’s programmed with the network’s shared secret, which is integrated with the date and time to create an OTP. That’s validated against the authentication server, which also knows the shared secret. The server generates its own OTP, which, if it matches the user’s OTP, grants access to the user.

Duo is designed with asymmetric cryptography to sign and verify communications between Duo’s servers and a user’s smartphone. A private key stays on the mobile device and is used to sign all authentication responses, while the public key is used to verify the signature on the server side. That means an attacker can’t access your accounts even if they breached our servers. Learn more in our blog, RSA-Proofing our Duo Push Two-Factor Authentication.

#2 - It’s Easy to Set Up

Duo offers the fastest enterprise-scale deployment of two-factor authentication. One success story involves a large tech company with 15,000 end users. They replaced their RSA partial deployment with Duo’s solution in just two days to their entire employee base, and even integrated 12 different applications.

Duo provides a self-service model without any overhead for your end users. In addition, we roll out automatic software updates on a two-week cycle, requiring no support from your team. Our unlimited app support means you don’t have to pay for additional integrations.

Everything’s in the cloud with Duo – no need to worry about supporting in-house infrastructure. That saves your administrators time when they deploy.

#3 - It’s Easy to Use

For end users, Duo’s solution is designed and built to ensure that it’s extremely easy to use. There’s no training or 50-page guides on how to use it. Users only have to download Duo’s free mobile app and self-enroll in a few quick, easy steps. The whole process usually takes a couple of minutes. Because two-factor authentication is one of the few security solutions that consistently involves end-user interaction, it’s essential that it’s seamless for users.

With RSA’s SecurID, you add strain for your users and create unnecessary hurdles. Duo’s context-rich push notifications simplify the process, requiring only the tap of a button to approve an authentication request. Duo also supports modern devices and functionality, including Apple Touch ID and Apple Watch, so your users can use any of their devices to authenticate.

#4 - It’s Easy to Expand

Why stop at protecting your users with our best-of-breed 2FA? We want to help you build a security platform that helps you secure your company. Our approach is simple and built on Trusted Access. If you trust the user and the device, then access to your applications is granted. Legacy two-factor solutions don’t have an integrated security strategy and only offer expensive, bolt-on products.

Duo’s Trusted Devices gives you information about your laptops, desktops and mobile devices without requiring an agent. This provides you with fleet hygiene information including OS, browser and Flash or Java plugins. For mobile, it includes information on rooted or jailbroken mobile devices. We can couple this with integrations into your Enterprise Asset Management (EAM) and Mobile Device Management (MDM) systems to provide managed versus unmanaged categorization. This is a huge value to companies and ensures that only managed corporate systems are accessing your applications via Duo access policies.

Duo’s secure single sign-on (SSO) provides your users with a consistent login experience for both cloud-based and on-premises applications. Each time an application is accessed via Duo’s secure SSO, the system checks and logs device and user information. As an administrator, you can use this data to enforce granular application access policies. For example, if you have a highly critical application that you only want accessed over a VPN from a corporate managed device with 2FA, you have the ability to enforce that.

#5 - It’s Easy to Afford

The top reason why organizations are making the switch is based on total cost of ownership (TCO). Duo’s TCO is nearly 60 percent lower than RSA’s, which organizations have found to be true in four different areas:

As seen above, initial deployment administrative costs with RSA are much, much higher than Duo’s – Duo accounts for just a tiny fraction (.58 percent). Those costs include management, hardware and host OS licensing; high availability hardware and software; backup hardware and software; professional services; and the cost of IT administrative time.

A major benefit of using a cloud-based solution is that it eliminates the need to support any data center infrastructure for high availability or disaster recovery. Similarly, cutting hardware, software and data center costs also substantially reduces ongoing administrative maintenance expenses. Help desk costs also factor into overall end-user maintenance costs, like replacing and renewing token licenses.

Duo’s patches and upgrades, as well as support, are rolled into one initial price. Duo accounts for only five percent of the costs associated with RSA’s ongoing admin maintenance. If you choose Duo’s phone-based authentication methods, you can effectively eliminate any token support costs and cut down the time it takes to authenticate.

Duo’s pricing is simple and transparent – no hidden costs or additional services tacked on past the initial deployment and support costs, which are bundled into our per-user, monthly or annual pricing.

Learn More About Duo's Two-Factor Solution for the Modern Era

Interested in getting additional insights about how Duo has helped hundreds of businesses make the switch from legacy two-factor authentication and access control solutions to our services? Watch our webinar, Replacing RSA SecurID: Why Hundreds of Organizations Made the Switch.

Duo Labs does a lot of odd research now and again. The whole IoT world can offer up a lot of ups and downs to a researcher, but since we are trying to not only get through this ourselves, we are also trying to encourage others to research.

Therefore, it makes sense to come up with some steps to try and get through the research as quickly and painlessly as possible. It also made sense to “try it out” on a live target. The process we developed, while software-focused, yielded results fairly quickly on our target IoT device, the Milwaukee Tool M18 FUEL with ONE-KEY ½” Drill/Driver.

We discovered that:

• Static passwords used for updates to a master database located on the vendor website were hard-coded into the accompanying IoT app.
• The IoT device in question was expensive, but could be readily identified by a potential thief remotely via Bluetooth scanning.
• GPS data used for inventory tracking in the event of lost or stolen devices could be forged.

In the future, we will take a look at things from a more hardware-centric view, but for now, this should serve as a decent starting place.

The Process and Findings

As usual, instead of filing a short and sweet blog, we ended up with a much larger document better suited for a PDF. This is the plight of the researcher - we find one thing leads to another and another to properly tell the tale. Somehow, we reached a stopping point. We hope you find it both useful and somewhat entertaining, as only a security nerd can be entertained.

Read Bug Hunting: Drilling Into the Internet of Things (IoT).

Phishing - it’s an old technique used in new ways to trick users into clicking malicious links, opening malware-laden attachments and freely giving away their usernames and passwords into convincingly credible-looking web forms. Here’s the latest on new phishing attacks and how one email provider is fighting back:

Phishing Attacks Abuse HTTPS

It’s getting harder for users to identify websites spoofed in phishing attacks now that attackers are using HTTPS to encrypt data sent over the Internet, according to a Cisco blog. Users are often trained to look for the small green lock icon in the address bar of the (in this case, Google’s Chrome) browser to verify the security of a web page.

By signing phishing domains with a certificate, attackers are abusing users’ trust in HTTPS. According to Cisco, these can be obtained from certificate authorities for free, lending spoofed web pages the look of security.

However, while the lock can indicate that the connection might be secure, the content of the page is not guaranteed to be secure. On spoofed web pages, attackers can serve up legitimate-looking login forms that steal user credentials.

While users should also check the actual URL of the link they’re clicking on, sometimes the full address isn’t always visible or is cut off - which can lead to users relying on other indicators of website security that aren’t always reliable.

New Gmail Features Block Malware Attachments

Google recently announced new security features for Gmail customers that can detect phishing via machine learning and warn users about malicious links.

According to Google’s blog, machine learning has helped Gmail achieve 99% accuracy in spam detection, blocking millions of messages daily - and since 50-70% of all Gmail messages are spam, that is major.

Gmail now predicts messages that contain ransomware and malware, and blocks the use of certain file types, including executable and JavaScript files.

Suspicious URL Warning

By integrating with Google Safe Browsing machine learning technology, Gmail can detect and flag suspicious URLs found in email messages, prompting Android users as they click.

This can help prevent users from falling for email phishing attempts to lure them to malicious websites.

Image source: G Suite Updates

Unintended External Reply Warnings

Do you know who you’re actually replying to? Gmail now shows a prompt to warn users as they respond to emails sent to someone outside of your company domain as an extra precaution.

This is helpful to identify accidental CC’ing or email addresses masquerading as company domain names, known as email spoofing. Gmail also uses contextual intelligence to avoid prompting you for existing contacts or someone you interact with regularly.

Spoofed Pentagon Email Addresses

According to ForeignPolicy.com, phishers sent fake emails that appeared to come from the Defense Security Service (DSS), a wing of the Pentagon providing military, defense agency and contractor support.

While there was limited information about the intentions of the attack, the DSS works as an interface between the government and cleared industry to protect U.S. and foreign classified information. A DSS reply to a hidden recipient could result in the unintended disclosure of classified information - this is a prime example of how a feature that stops unintended external replies could help stop an information leak.

Phishing Assessment & Report

Check out our free phishing assessment tool that allows you to send targeted internal phishing emails to members of your organization, Duo Insight. Identify risky users and monitor your company’s risk of being phished with Duo’s interactive dashboards, available through our Phishing Simulator feature as part of our Duo Access edition.

We did an analysis of the data collected from our Duo Insight phishing tool to give you insight into how many people opened emails, clicked on links, entered their credentials and more, using out-of-date and potentially risky devices.

62% of phishing campaigns captured at least one set of credentials.

Download newly released The 2017 Duo Trusted Access Report to get:

• An analysis of the security hygiene of enterprise endpoints
• An overview of industry and geographic trends
• A closer look at the state of mobile security

We collected and analyzed data on 4.6 million endpoints completing over two hundred million authentications a month. The report reveals year-over-year trends on security health indicators, including how up to date enterprise devices are, how many are using mobile security features, what is their risk of getting phished, and much more.

Download Report

On April 11th, Duo Security and Global Risk Institute (GRI) co-hosted an executive breakfast in Toronto to provide an update on current security trends and key information that leaders need to know. While board members and company executives have a growing awareness of the risks and potential cost of data breaches, many of the educational resources available are still aimed at security professionals and are most useful for those in technical roles.

GRI is a member-based research group, with 32 members from financial institutions and government agencies across Canada. The group was formed after the financial crisis to promote research and insights into emerging risks.

The presentations began with Brian O’Donnell, Executive-in-Residence at the GRI and retired bank executive, who started by sharing the results of the GRI’s latest annual member survey. Cybersecurity risks topped the list of member concerns, outranking uncertainty in the housing market, consumer debt challenges, and regulatory changes.

This seems to highlight awareness of new risks as applications and remote access by employees converge, and as contractors and third-party suppliers have significantly broadened the periphery of corporate networks. In response, hackers have been increasing the speed and sophistication of their attacks, resulting in a flood of corporate and government institutions left reeling from successful attacks.

After reviewing feedback from the survey and an overview of recent notable data breaches, Brian discussed a report published published in January by the World Economic Forum called “Advancing Cyber Resilience: Principles and Tools for Boards.” The report outlines a ten-step process with practical strategies and recommended questions for a holistic view of security, including:

• Building a culture of executive security responsibility
• Understanding the intersection of both cybersecurity and the strategic risk posed by technology (e.g. disruption), and ensuring the Board members are both sufficiently aware and knowledgeable to properly govern these risks (defined as Cyber Resilience)
• Accurately modeling which threats pose the greatest risk
• Utilizing an “Enterprise Cyber Risk Management Framework” approach to managing cyber risk, and ensuring that all employees, contractors, third-party suppliers, executives and board members understand the evolving cyber risk faced by the firm, and their role in cyber security

Duo’s presentation focused on the shift to cloud services, the vanishing perimeter, and how organizations can maintain strong security policies whether they are protecting on-site or cloud-hosted resources. Josh Yavor, Duo Security’s Director of Corporate Security and formerly Facebook’s head of corporate information security, gave an overview of the BeyondCorp model and how companies with a traditional perimeter-based security model can make incremental improvements while modernizing their approach to information security.

He then talked through Duo’s approach to Trusted Access - rather than relying on a private intranet behind a traditional firewall:

• At the point of access, Duo checks to make sure the user, their device, and the network they’re on meet the organization’s policy standards.
• The tools available in Duo Access allow organizations to easily enforce policy, conduct health checks on all devices and networks reaching critical systems, and enable self-remediation for out-of-date devices and services by users.
• Duo Beyond gives organizations the ability to enroll and set policy for corporate-managed devices for both internal and external applications, allowing for more nuanced policy settings.

The migration to cloud services and prevalence of users bringing their own devices are forcing businesses to reconsider their approach to effective security. While this poses new business challenges, executive teams willing to evaluate their approach to technology and leadership can leverage these changes for a more resilient, manageable and flexible security program.

Both the GRI and Duo agree on the need for a broader dialogue on these evolving threats in order for institutions to become and remain resilient. Addressing these threats requires commitment to strong security practices by everyone who connects to critical services, or risk being exposed by the hackers as the next “weakest link.”

Patching - while not always easy, affordable or quick - is an important aspect of information security. It’s one of the most basic security hygiene practices we preach, and for good reason. Unpatched, out-of-date software, systems and servers are prime targets of attackers armed with known vulnerabilities and malware.

WannaCry Ransomware Targets Unpatched Systems

The most recent global epidemic of the WannaCry ransomware is a high-profile example of the consequences of not patching Windows operating systems (OS) - affecting over 300,000 computers across the world, the attack brought hospitals, energy firms, government agencies and other critical operations to a halt.

The wormlike ransomware exploited a Windows Server Message Block (SMB) bug affecting unpatched versions of the OS, spreading quickly to other unpatched systems. According to data from Kaspersky Lab, 98 percent of computers affected by the initial attack were running Windows 7. And since Microsoft had released a patch to fix the SMB bug exploited by WannaCry back in March, that means those systems hadn’t been patched for at least two months.

Who’s At Risk?

You can't secure what you can't see. To shed light on who’s at risk of similar attacks, Duo Labs has collected and analyzed our dataset of 4.6 million endpoints, including 3.5 million mobile phones, completing over two hundred million authentications a month - all now available in The 2017 Duo Trusted Access Report.

We found that 59 percent of enterprise endpoints are running an old operating system, Windows 7. Within the healthcare industry, 76 percent of endpoints are running Windows 7. During the WannaCry epidemic, National Health Services (NHS) hospital systems in the U.K. were hit the hardest by the ransomware, while some medical devices in the U.S. were also affected.

While it’s entirely possible to run older software and apply the latest patches, running out-of-date versions of software can also potentially put your organization at higher risk. The latest OS, Windows 10, offers more security features that can proactively deter malware infection, and older versions lack the protection these features offer.

The good news is, our data shows that more than double the number of endpoints are running the latest version Windows 10 - 31% in 2017 compared to 15% in 2016. However, 69 percent of enterprise endpoints are still lagging behind.

Examining Indicators of Device Security Health

We looked at several key indicators of device security health across different industries and geographic locations, including:

• Out-of-date operating systems, browsers and plugins, like Flash and Java
• Mobile device security features, such as full disk encryption, screen lock and Touch ID/fingerprint authentication

Plus, we reveal deeper insights into user behavior and device health with campaign data from our phishing simulation tool, Duo Insight.

Phishing is one common and effective way for users to steal passwords and infect systems with malware. We found that 25% of recipients clicked on the link within a phishing email and another 13% entered their credentials - which, in an actual phishing attack, could potentially expose them and their company to malware and password theft.

Our data also revealed that 68% of recipients of a phishing email had at least one out-of-date device, which increases the risk of getting compromised via known vulnerabilities that target older, unpatched versions of software.

The 2017 Duo Trusted Access Report

Our latest Trusted Access report reveals the different industries, locations and devices potentially at risk, along with our security recommendations on how to protect your organization.

In this report, you’ll get:

• Year-over-year trends of enterprise device and mobile security health
• Industry-specific highlights, including a spotlight on healthcare
• U.K./EMEA (Europe, Middle East & Africa)-specific data
• Phishing simulation campaign statistics
• Security tips, including how Duo’s Trusted Access can help

Download The 2017 Duo Trusted Access Report: The Current State of Enterprise Endpoint Security to get the full report.

Back in April, Google announced that it will be shipping Headless Chrome in Chrome 59. Since the respective flags are already available on Chrome Canary, the Duo Labs team thought it would be fun to test things out and also provide a brief introduction to driving Chrome using Selenium and Python.

Browser Automation

Before we dive into any code, let’s talk about what a headless browser is and why it’s useful. In short, headless browsers are web browsers without a graphical user interface (GUI) and are usually controlled programmatically or via a command-line interface.

One of the many use cases for headless browsers is automating usability testing or testing browser interactions. If you’re trying to check how a page may render in a different browser or confirm that page elements are present after a user initiates a certain workflow, using a headless browser can provide a lot of assistance. In addition to this, traditional web-oriented tasks like web scraping can be difficult to do if the content is rendered dynamically (say, via Javascript). Using a headless browser allows easy access to this content because the content is rendered exactly as it would be in a full browser.

Headless Chrome and Python

The Dark Ages

Prior to the release of Headless Chrome, any time that you did any automated driving of Chrome that potentially involved several windows or tabs, you had to worry about the CPU and/or memory usage. Both are associated with having to display the browser with the rendered graphics from the URL that was requested.

When using a headless browser, we don’t have to worry about that. As a result, we can expect lower memory overhead and faster execution for the scripts that we write.

Going Headless

Setup

Before we get started, we need to install Chrome Canary and download the latest ChromeDriver (currently 5.29).

Next, let’s make a folder that will contain all of our files:

$ mkdir going_headless

Now we can move the ChromeDriver into the directory that we just made:

$ mv Downloads/chromedriver going_headless/

Since we are using Selenium with Python, it’s a good idea to make a Python virtual environment. I use virtualenv, so if you use another virtual environment manager, the commands may be different.

$ cd going_headless && virtualenv -p python3 env  
$ source env/bin/activate

The next thing we need to do is install Selenium. If you’re not familiar with Selenium, it’s a suite of tools that allows developers to programmatically drive web browsers. It has language bindings for Java, C#, Ruby, Javascript (Node), and Python. To install the Selenium package for Python, we can run the following:

$ pip install selenium

Example

Now that we’ve gotten all of that out of the way, let’s get to the fun part. Our goal is to write a script that searches for my name “Olabode” on duo.com, and checks that a recent article I wrote about Android security is listed in the results. If you’ve followed the instructions above, you can use the headless version of Chrome Canary with Selenium like so:

import os  
from selenium import webdriver  
from selenium.webdriver.common.keys import Keys  
from selenium.webdriver.chrome.options import Options`  

`chrome_options = Options()  
chrome_options.add_argument("--headless")  
chrome_options.binary_location = '/Applications/Google Chrome   Canary.app/Contents/MacOS/Google Chrome Canary'`    

`driver = webdriver.Chrome(executable_path=os.path.abspath(“chromedriver"),   chrome_options=chrome_options)  
driver.get("http://www.duo.com")`  

`magnifying_glass = driver.find_element_by_id("js-open-icon")  
if magnifying_glass.is_displayed():  
  magnifying_glass.click()  
else:  
  menu_button = driver.find_element_by_css_selector(".menu-trigger.local")  
  menu_button.click()`  

`search_field = driver.find_element_by_id("site-search")  
search_field.clear()  
search_field.send_keys("Olabode")  
search_field.send_keys(Keys.RETURN)  
assert "Looking Back at Android Security in 2016" in driver.page_source   driver.close()`  

Example Explained

Let’s break down what’s going on in the script. We start by importing the requisite modules. The Keys provides keys in the keyboard like RETURN, F1, ALT, etc.

import os  
from selenium import webdriver  
from selenium.webdriver.chrome.options import Options  
from selenium.webdriver.common.keys import Keys

Next, we create a ChromeOptions object which will allow us to set the location of the Chrome binary that we would like to use and also pass the headless argument. If you leave out the headless argument, you will see the browser window pop up and search for my name.

In addition, if you don’t set the binary location to the location of Chrome Canary on your system, the current version of Google Chrome that is installed will be used. I wrote this tutorial on a Mac, but you can find the location of the file on other platforms here. You just need to substitute Chrome for Chrome Canary in the respective file paths.

chrome_options = Options()  
chrome_options.add_argument("--headless")  
chrome_options.binary_location = '/Applications/Google Chrome   Canary.app/Contents/MacOS/Google Chrome Canary'  
driver = webdriver.Chrome(executable_path=os.path.abspath(“chromedriver"),   chrome_options=chrome_options)

The driver.get function will be used navigate to the specified URL.

driver.get("https://www.duo.com")

The duo.com website is responsive, so we have to handle different conditions. As a result, we check to see if the expected search button is displayed. If it isn’t, we click the menu button to enter our search term.

magnifying_glass = driver.find_element_by_id("js-open-icon")  
if magnifying_glass.is_displayed():  
  magnifying_glass.click()  
else:  
  menu_button = driver.find_element_by_css_selector(".menu-trigger.local")  
  menu_button.click()

Now we clear the search field, search for my name, and send the RETURN key to the drive.

search_field = driver.find_element_by_id("site-search")  
search_field.clear()  
search_field.send_keys("Olabode")  
search_field.send_keys(Keys.RETURN)

We check to make sure that the blog post title from one of my most recent posts is in the page’s source.

assert "Looking Back at Android Security in 2016" in driver.page_source

And finally, we close the browser.

driver.close().

Benchmarks

Head to Headless

So, it’s cool that we can now control Chrome using Selenium and Python without having to see a browser window, but we are more interested in the performance benefits we talked about earlier. Using the same script above, we profiled the time it took to complete the tasks, peak memory usage, and CPU percentage. We polled CPU and memory usage with psutil and measured the time for task completion using timeit.

For our small script, there were very small differences in the amount of time taken to complete the task (4.3%), memory usage (.5%), and CPU percentage (5.2%). While the gains in our example were very minimal, these gains would prove to be beneficial in a test suite with dozens of tests.

Manual vs. Adhoc

In the script above, we start the ChromeDriver server process when we create the WebDriver object and it is terminated when we call quit(). For a one-off script, that isn’t a problem, but this can waste a nontrivial amount of time for a large test suite that creates a ChromeDriver instance for each test. Luckily, we can manually start and stop the server ourselves, and it only requires a few changes to the script above.

Example Snippet

import os  
from selenium import webdriver  
from selenium.webdriver.common.keys import Keys  
from selenium.webdriver.chrome.options import Options

service = webdriver.chrome.service.Service(os.path.abspath(“chromedriver"))  
service.start()

chrome_options = Options()  
chrome_options.add_argument("--headless")  

# path to the binary of Chrome Canary that we installed earlier  
chrome_options.binary_location = '/Applications/Google Chrome   Canary.app/Contents/MacOS/Google Chrome Canary'

driver = webdriver.Remote(service.service_url,   desired_capabilities=chrome_options.to_capabilities())

Snippet Explained

While there are only three lines of code that have changed, let’s talk about what’s going on in them. In order to manually control the ChromeDriver server, we have to use the ChromeDriverService. We do so by creating a service object with a path to the ChromeDriver and then we can start the service.

service = webdriver.chrome.service.Service(os.path.abspath(“chromedriver"))
service.start()

The final thing we have to do is create a WebDriver that can connect to a remote server. In order to use Chrome Canary and the headless portion, we have to pass the the dictionary of all the options since the remote WebDriver object doesn’t accept an Option object.

driver = webdriver.Remote(service.service_url,   desired_capabilities=chrome_options.to_capabilities())

The Payoff

By adding the manual starting of the service, we saw the expected speed increases. The median time for the headless and headed browser to complete the tasks in the script decreased by 11% (4.72 seconds) and respectively 4% (5.29 seconds).

The Wrap-Up

The release of headless Chrome has long been awaited. And with the announcement that the creator of PhantomJS is stepping down as a maintainer, we strongly believe that headless Chrome is the future of headless browsers.

While we covered Selenium in this walkthrough, it is worth mentioning that the Chrome DevTools API can be a useful resource if you’re doing any type of profiling or need to create PDFs of pages that you visit. We hope this helps you get started using the headless version of Chrome whether you’re doing any type of QA testing or are automating all your daily web-related tasks.

Resources

Github Repo

Chrome Links

• Chrome Canary
• Chrome Driver
• Chrome DevTools API

Selenium Links

• Selenium HQ
• Selenium Python Package

In the wake of the widespread ransomware attack launched last Friday that has quickly spread worldwide, the Dept. of Health and Human Services (HHS) sent an email reminder to healthcare organizations, urging them to adhere to the Office for Civil Rights’ (OCR) ransomware guide published last year.

The guide covers how to prevent and recover from a ransomware attack, as well as how the Health Insurance Portability and Accountability Act (HIPAA) plays a role when it comes to breach notification.

While the ransomware attack hit hospitals in the U.K. hard, Forbes has reported on infected medical devices in a U.S. hospital affecting Bayer Medrad radiology equipment used to improve imaging. Bayer will be sending out a patch for its Windows-based devices soon.

Preventing Ransomware With HIPAA

How does the HIPAA Security Rule requirements address the security measures you can take to prevent malware/ransomware?

While not overly specific or technical (like PCI DSS), they do provide a very broad outline of basic measures to take:

• Security Management Process - Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI).
• Security Measures & Procedures - Implement security measures and procedures to mitigate risks, guard against and detect malware.
• Train Users - Educate employees so they can assist in detecting malware, and know how to report detections.
• Strong Access Controls - Limit access to ePHI to only the users, applications or programs that require access.

For example, the guide acknowledges that there isn’t a HIPAA requirement that explicitly calls for updating network device firmware, but healthcare organizations should identify and address the risks to ePHI when using network devices running on out-of-date firmware.

To secure remote access to systems with ePHI, using two-factor authentication can reduce the risk of phishing or password-related breaches. It’s highly recommended in HHS’s HIPAA Security Guidance, and required for e-prescriptions by the Drug Enforcement Administration (DEA) - known as Electronic Prescriptions for Controlled Substances (EPCS) compliance.

Recovering from Ransomware With HIPAA

There are specific policies and procedures that can help healthcare organizations when it comes to responding and recovering from ransomware:

• Implement a Data Backup Plan - Maintain frequent backups and conduct periodic test restorations to verify the integrity of the data backups. Keep backups offline and unavailable to other networks to avoid infection.
• Establish a Contingency Plan - In addition to a data backup plan, healthcare organizations need to conduct disaster recovery and emergency operations planning. They also need to analyze the criticality of applications and data, while periodically testing contingency plans to make sure their teams are ready to execute. This can help businesses (like hospitals) continue operating while recovering from an attack.
• Security Incident Procedures - Create procedures to detect and conduct an analysis of ransomware; contain the impact and propagation of the ransomware; and remediate vulnerabilities associated with the ransomware attack.
• Post-Incident Procedures - Conduct a deeper analysis of the incident to determine if providing a breach notification is necessary, and incorporate lessons learned into existing security processes to improve incident response effectiveness for future incidents.

Remediating vulnerabilities that may have allowed the ransomware to infect your systems is key to closing security gaps quickly and protecting against another malware infection. One example is applying the Microsoft emergency patches released for older versions of their Windows operating system (OS) to prevent the spread of the WannaCry ransomware.

In addition to keeping your antivirus up to date, you should keep device OS, browsers, plugins and other software updated to protect against publicly-reported vulnerabilities that can be used to compromise access to your users’ devices and healthcare systems. Use an endpoint security solution that can detect risky devices and block them until users update.

Finally, when it comes to breach notification, the HHS states:

The OCR presumes a breach in the case of ransomware attack. The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach.

Read more about the recent WannaCry ransomware attack, including specific tips to help you prevent malware infection while keeping risky devices from accessing your applications, and learn more about Duo for Healthcare.

Organizations are exploring how to create value and gain a competitive advantage by integrating information security and privacy with their business strategy, according to a 2017 cybersecurity report from PricewaterhouseCoopers (PwC).

Competitive Advantage: Security, Privacy & Usability

The shift in a business models from a one-time sales event to a longer product lifecycle, providing add-on digital services over time drives up customers’ expectations around usability, privacy and security.

That makes these priorities for digital services a must-have for any business attempting to stay competitive in a digital industry.

In a 2016 survey of emerging consumer risks over the next five years, the Traveler’s Risk Index found that 32 percent of Americans are concerned about cyber risk and the Internet of Things (IoT), second to global political and social unrest. Top overall concerns include financial, personal safety, privacy loss and identity theft, mainly related to the threat of bank or financial accounts getting hacked.

Similarly, the same survey found that 54 percent of businesses are concerned with cyber, computer/technology risks and data breaches, among other top concerns about medical cost inflation and increasing employee benefit costs. Another 25 percent feel unprepared to deal with cyber risks.

Business Security Spending Priorities

According to PwC, business spending priorities for the next year include improved collaboration among business, digital and IT (51%), and spending on new security needs related to evolving business models (46%). Another 43% are spending on biometrics and advanced authentication.

Those new security needs include technology like encryption, next-generation firewalls, network segmentation and identity and access management. As Tom Puthiyamadam, Global Digital Services Leader of PwC stated:

Leading companies are integrating cybersecurity, privacy and digital ethics from the outset. And that enables them to better engage with existing customers and attract new ones. Many also see efficiencies in operations, business processes and IT investments.

Multi-Factor Authentication as a Differentiator

The top managed security service used is authentication, at 64 percent, followed by data loss prevention (61 percent) and identity and access management (61 percent).

Respondents reported that advanced authentication (PwC uses this term in reference to multi-factor authentication) technologies have made online transactions more secure, boosted consumer confidence in company security and privacy capabilities, and enhanced the customer experience while protecting brand reputation.

While in the past, many companies implemented multi-factor authentication after a breach, nowadays, most are implementing the technology as a preventative measure to secure access to on-premises, cloud and web applications and services, and as a stronger authentication option for their customers to protect their individual banking, social media, iCloud and many other types of accounts.

Global Data Regulations

In addition to being a competitive advantage, there are data regulatory requirements that vary by each country that are also driving changes in enterprise security.

These include the European Union (EU)’s General Data Protection Regulation (GDPR) going into effect April 2018 that mandates data privacy for EU citizens - noncompliance can result in fines of up to 4 percent of the company’s global annual revenue.

Additionally, many U.S. businesses will need to comply with the Privacy Shield, the successor to the Safe Harbor framework that protects EU citizens’ personal data in transit.

There are regulations across Asia as well - in China, recent laws require technology and financial companies to store data in China, submit to security checks and help the government with decryption if requested. South Korea’s Personal Information Act (PIPA), updated last year, has penalties that can amount to nearly $90,000 USD and/or 10 years in prison.

Hong Kong’s Personal Data Privacy Ordinance also sets rules for collecting and handling personal data across borders and to third parties, enforced by fines of over $100,000 USD and five years in prison. A new framework called the Cyber Fortification Initiative requires banks to meet certain security requirements, with major Hong Kong banks to complete evaluations of their cyber risk resilience by mid-2017.

Find out more about how Duo’s Trusted Access platform provides help for different use cases and view our case studies for companies across every industry, compliance needs and size.

Update 5/15:
The ransomware has spread to 200,000 computers in 150 countries, affecting U.S. FedEx, telecoms and gas companies in Spain, 61 NHS organizations, the Russian Ministry of Internal Affairs and many others, according to the Economist and BBC. A few different variations of the malware have been detected.

What you can do:
Microsoft has taken the “highly unusual step” of providing a security update for Windows XP, Windows 8 and Windows Server 2003, available here.

Windows 10 users are not affected, only older versions of the operating system. Other suggestions include disabling the SMB protocol in Windows computers and updating antivirus solutions.

Take other precautions such as using the Chrome browser, and disable Adobe Flash Player. Forward suspicious/possible phishing emails to your security team and don’t click on any links. Back up your data on a physical hard drive disconnected from the Internet, in addition to a cloud service (but beware, it could get infected), as recommended by PCWorld.

Start tracking devices running out-of-date operating systems, browsers, plugins and more with Duo’s Device Insight and block them with Endpoint Remediation to prevent the access of potentially risky software into your systems.

A widespread, worm-like ransomware attack has shut down computers across Europe and Asia, hitting the Spanish telecom provider, Telefonica and operations in major U.K.-based health systems especially hard. Many other mission-critical organizations have also been disrupted, including banks and power companies.

The attack has taken down at least 16 National Health Service (NHS) hospital systems across England, affecting parts of Scotland, as reported by ZDNet. Hospitals in Manchester, Lister Hospital in Hertfordshire and Bart’s Health NHS Trust in London are all affected.

The hospitals have diverted patients to neighboring hospitals and are urging others not to visit their emergency departments. Routine appointments have been cancelled, with entire systems shut down and some hospitals reporting problems with their telephone networks.

Ransomware Leverages Latest Windows Vulnerability

According to NHS Digital, the organization that runs IT systems for the health service, the malware variant used is Wanna Decryptor.

BleepingComputer reports that the ransomware’s name is actually WCry, but is referenced online by various similar names. There have been several reports that the ransomware is using an NSA exploit leaked by Shadow Brokers last month, a vulnerability in the SMBv1 protocol affecting Windows machines.

It uses a self-replicating payload that allows the ransomware to spread across machines quickly without requiring any user action, according to Ars Technica. Below is a photo of the ransomware encryption message that users are seeing on their computers:

#nhscyberattack pic.twitter.com/SovgQejl3X

— gigi.h (@fendifille) May 12, 2017

There were reports early Friday on social media of the ransomware spreading quickly through Russian, Ukraine and Taiwan:

36,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry) #ransomware so far. Russia, Ukraine, and Taiwan leading. This is huge. pic.twitter.com/EaZcaxPta4

— Jakub Kroustek (@JakubKroustek) May 12, 2017

Although Microsoft patched the critical vulnerability in March, not all Windows users or administrators have necessarily applied the security update. Unpatched computers are easy targets of exploitation and malware installation.

Back in January, Barts Health NHS hospitals were hit by a ransomware infection which took its systems offline. According to Barts Health NHS Trust, their antivirus software failed to detect the virus. Another attack last November against the Northern Lincolnshire and Goole NHS Foundation Trust infected their systems with a type of ransomware known as Globe2.

Windows XP Run Rampant in U.K. Health Systems

Running extremely out-of-date operating systems (OSs) like Windows XP can be a contributing factor. And as Duo’s data has shown in the past, the healthcare industry has twice as many Windows machines running XP than our average customer.

An analysis of Freedom of Information Act (FoI) requests by Citrix also supports our findings. A survey of 63 NHS trusts (42 responses) in the U.K. revealed that:

90 percent of hospital organizations were running Windows XP on a small percentage of their overall devices.

But even one device running an unsupported (unpatched and unprotected against new vulnerabilities) OS could be the weak link at a hospital system, allowing for malware infection. Windows XP is particularly bad due the fact it was released in 2001 and is not capable of receiving security updates since April 2014 - meaning a hospital system running the OS could be easily exploited by ransomware that leverages a Windows vulnerability only patched in March.

Protecting Against Ransomware

Updating and patching your software regularly against the latest vulnerabilities is key to protecting your systems against malware infection.

Make sure you have applied Microsoft’s March Update and the MS17-010 update to protect against these types of vulnerabilities that are helping to spread the ransomware to Windows machines worldwide. Check often for emergency patches that are released out of the regular Patch Tuesday cycle for the most critical vulnerabilities.

Learn more by downloading The 2016 Duo Trusted Access Report (our 2017 edition is coming soon!) and The Essential Guide to Securing Remote Access.

We at Duo Labs recently got our hands on the so-called Anti Public Combo List, a dump of 562,077,487 usernames and passwords aggregated from a variety of large-scale data breaches and password dumps. While this means that we can’t say anything about user security behavior in particular contexts, it still provides an uncommonly large view into broad user security choices.

Who Are These Users?

The first question that presents itself when a credential dump lands in your lap is often: who is affected by this breach? We found 8% of the usernames (which are primarily email addresses) appear more than once in the dataset, supporting the idea that this particular dump is, in fact, a collection of individual dumps from separate sources.

We also found that 42% of usernames end in yahoo.com, while 7% end in aol.com, leading us to the conclusion that this is a consumer-heavy dataset, rather than, say, corporate email accounts. The domains with more than 1% representation in the user list is below:

Overall, 51% of the user accounts are some sort of yahoo.* or ymail.* accounts. Certainly some corporate email accounts are included. By filtering for domains of the Fortune 1000 companies and manually removing domains that are used for consumer email (like yahoo.com and facebook.com), we found that only about 1 million (1.7%) of the accounts in the dump were from domains of large companies, which reinforces our assessment that this is almost entirely consumer accounts, comprising 98.3% of the dataset

What Do Their Passwords Look Like?

One measure of password strength is the length of a password. This is a very flawed metric for asserting strength, but you can assert weakness with it: a four-character password is easy to brute force, no matter how many special characters you use.

The set of passwords in this dump follow a nice exponential long-tail distribution in terms of length, peaking at 9 characters at 27%, falling under 1% after 14 characters. The large spike right after 100 occurs, not coincidentally, at 128 bytes, which is the length of a SHA-512 hash in hex.

Upon further inspection, that’s exactly what all of those are: just a bunch of hashes, like fab689475682c7a88be219de0a76f0d6096e487fa0bcdd752048d3aaa76dd9ef47344 b89817434a284d8cb5b0111a2ada7aafcb635570c32149e43b58a990c9d.

Since this appears to be a collection of individual password dumps, it’s likely that the breach in question resulted in the theft of hashes instead of cleartext passwords. When this happens, attackers will try to crack as many passwords as possible, leaving the hashes in place for those they couldn’t quickly crack.

The pitfall of just looking at password length is obvious when considering the password ’refrigerator.’ “After all, it’s a 12-character password! That sounds secure!” Except that all-lower-case letters dramatically reduces the search space, as compared to lowercase, uppercase, numbers and symbols. In this case, it’s an especially bad password, since it’s just a single common dictionary word and would likely be included on a list of common words that an attacker might try before just guessing randomly. One common password restriction is that it must include a number. Either due to users’ adopting stronger security habits or merely due to password requirements, 70% of passwords had at least 1 number. Indeed, the mean number of numbers per password is 2.3.

Uppercase and symbols were not nearly as prevalent, with only 6% and 4% of passwords containing at least one such character, respectively. This lends credence to the argument that it’s merely password requirements that prompt more secure password choices. A surprisingly low result was for the space character, which is allowed by many systems, but was only present in 0.03% of passwords examined.

This suggests that an attacker might be less likely to include space in their set of search characters, and users would be wise to keep in mind that spaces can often be valid password characters when choosing. One easy way to incorporate spaces is by using passphrases: entire phrases that you use as a password, assuming you don’t get stopped by draconian maximum lengths.

The Top 10 Passwords

The top ten passwords contain some fan favorites and aligns closely with other password reports, such as password manager Keeper’s top 10:

If one had to wager a guess, it looks like 6 characters is the most common minimum password length in modern consumer web applications. That really isn’t enough to reasonably protect your password from someone just trying all the possible passwords (i.e., “brute forcing”). NIST recently wrapped up a comment period on new security standards, which include, “Memorized secrets [i.e., passwords or PINs] [shall] be at least 8 characters in length if chosen by the [user].” These days, something more like 12 characters should be what you aim for as a minimum, since attackers can guess faster as computers get faster.

Ok, So Have I Been Pwned?

Funny you should ask that, as that’s the name of an excellent website that collects breached account data so you can see when and how your username/passwords have been leaked (since, by now, almost everybody’s username/password has been leaked at some point). If you are interested in the source for this particular password dump, Troy Hunt, the creator of HIBP, has posted an analysis of the password dump on his blog.

We recommend that you sign up for the free monitoring option, where you get an email if/when your email address shows up in a newly discovered credential dump. If you are a domain administrator, you can also search for all pwned accounts on your domain.