Thursday, 9 February 2017

Closing the Loop in Cyberspace

CyberBit, the cyber technology company established by Elbit Systems under the direction of Adi Dar, implements in cyberspace a proven military concept: prompt loop closure to contain cyber events. For some time now, the cyber technology industry has been discussing the need to operationalize the cybersecurity process. The idea here is that a company that accomplished that objective on the battlefield would be able to accomplish it in cyberspace, too.
"CyberBit implements a holistic cybersecurity concept, based on four primary elements: intelligence gathering, data analysis, command & control and an enforcement capability," explains Adi Dar, CyberBit's CEO. "Elbit Systems have been involved in cyber technology for more than 15 years. It began with the acquisition of Elron Telesoft in 2001 and the establishment of Elbit's ISTAR Division, and evolved in April 2015 into CyberBit. Back then, they did not call it cyber technology, but the foundations had been cast years ago.
"The establishment of CyberBit followed a management decision to offer Elbit Systems' cyber technology capabilities to the civilian market, too, and to leverage Elbit Systems' cyber technology assets for that end. In the civilian world, you must operate differently. You need unsupervised freedom of operation, you have to develop a brand, stay innovative and respond promptly. In the defense/security world, Elbit is a solid brand, but that does not help if you want to sell a cybersecurity solution to a bank, an insurance company or a retail chain.
"For this reason, CyberBit is made up of two sub-units – one sells products to the HLS world and the other to the civilian world. The company that sells to the civilian world is unsupervised and its employees do not have to undergo a security vetting process. It uses a separate IT network and is run like any other cyber technology company around the world."
"One of the moves we made was the acquisition, in July 2015, of the cyber technology division of the NICE Company," explains Dar. "This move had matured three months after the establishment of CyberBit. The idea was to acquire the assets of the NICE Company in the field of intelligence gathering, combine them with Elbit's knowledge management and C3 capabilities, and combine all of that with the assets of the 4C Company Elbit had acquired back in 2011."
One of the solutions CyberBit offers belongs in the EDR (Endpoint Detection & Response) category. It is a client installed in a core-level workstation/server, under the operating system. It "sees" and records a lot of the processes taking place in the computer. The data from all of the clients throughout the organization are collected by a Big Data system, and used to run algorithms that search for patterns indicating a cyberattack.
"Each workstation produces dozens of megabytes per day," explains Dar. "If the organization has 100,000 workstations, it will amount to a lot of data that should be managed and analyzed every day. Not many companies in this field can accomplish that on such a scale.
"The ability to analyze the data from all of the workstations in the network makes it possible to identify a pinpoint attack against a specific workstation, and mainly to identify attacks where the attacker moves laterally through the network. Pursuant to the identification stage, the client may be issued with an enforcement command to kill processes in that workstation. In this way, the threat is contained very quickly. The combination of a client at the core level and Big Data capabilities gives us an advantage in the market."
Along with collection of intelligence from the clients fitted to the organization's workstations and servers, CyberBit offers legitimate intelligence gathering solutions, which include Open Source Intelligence (OSInt) and intelligence gathering capabilities for stationary or mobile communication networks, including satellite communication networks. "Combining all of these activities enables us to provide a systemic intelligence gathering solution – from the organization and from the outside environment. This improves the organization's ability to identify cyberattacks," says Dar.
Another solution is a SOC (Security Operations Center) management system: a system for managing the organizational cybersecurity operations center, intended to provide transparency into the organization's networks. The SOC should effectively manage the response to cyberattacks.
"This product enables automation of the SOC procedures," explains Dar. "These centers are normally manned by people just starting out in the world of cyber technology. They come to work there for a short period of time, hone their professional skills and leave. Moreover, major organizations deploy multiple SOCs at various locations around the world, so as to avoid overtime pay. It is known as 'Follow the Sun'. When the sun sets over one country, it rises over another country, and the management of the SOC follows the sun.
"If you combine these two elements vis-à-vis the fact that a high-quality cyberattack against an organization can last months, you will realize that without automation of the SOC procedures, the organization will not be equipped to cope effectively with such an attack. At this point, Elbit's experience in the C3 world comes into the picture. In the end, you are talking about numerous sensors that produce logs, and you need an application with a rules engine to provide the analysts at the SOC with a scale of priorities."
Another field of activity in which CyberBit is involved is cybersecurity for SCADA (Supervisory Control and Data Acquisition) infrastructures. These are assets the 4C Company had brought into Elbit Systems. "In SCADA networks, we perform passive monitoring along with the ability to stop inline attacks," says Dar. "The OT system world is simpler than the IT world as it has a finite number of protocols. It is a more structured world. At the same time, since the Stuxnet worm was identified and the electrical infrastructure of the Ukraine was attacked in December 2015, there has been more understanding of the significance of the threat. This is the reason why many countries are developing regulation in the field of SCADA security."

Replacing Anti-Virus Software

According to Dar, one of the threats that currently challenges the industry is ransomware. "This is a threat that compels you to resort to real-time blocking, even before the encryption, but it is very difficult to catch before the encryption. If you catch it after the encryption, you will have no guarantee about being able to save the information – and that is a fairly complex challenge.
"Ransomware changed the demands of the clients, and now they want response – not just detection. It is nice if you managed to detect it, but what will the organization do with it? And in order to respond, you need a client on the computer. That leads to a war over the clients. I had a meeting with an information security manager of a bank, who told me that they have nine clients on the computer. The battle today is over the 'real estate' in the workstation or server. Ransomware can damage a large number of end stations, and even servers. We know how to contain the infected devices so as to prevent the threat from spreading. According to some of the estimates in the market, this technology will replace anti-virus software."
Unlike the defense industry, which has a well-defined and relatively 'niche type' target market, with civilian cybersecurity solutions the market is endless. Private clients, SMBs or major clients in every country around the world already need or will need cybersecurity solutions.
"There will be no escaping the transfer of cybersecurity solutions to the cloud," says Dar. "If I could place the EDR in the cloud, while at the same time installing it in all of the client's devices, I would have solved a major percentage of the client's problems. One must understand that smaller organizations do not have an information security team or an SOC. Cybersecurity for SMBs (Small to Medium Businesses) must be provided through their cloud information security service provider or MSSP (Managed Security Service Provider). I am referring to cybersecurity services for organizations with a personnel of 100-150 employees or less that cannot afford to finance more expensive solutions.
"CyberBit is not there yet, but we understand that this is the right direction. We can see a trend of transition to the cloud, although the truly sensitive information as well as the client of the EDR are not being transferred to the cloud yet. That will take time. Soon we will have to make a decision as to whether we want to remain a provider of technology exclusively, or provide cloud services as well.
"It is important to note that CyberBit does not compete against defense/security industries that offer cyber technology products, but against civilian cyber technology companies. For a defense/security industry it is inconceivable to provide cloud services to SMBs. For us it is a very realistic question. It is a part of our future. Elbit Systems established CyberBit in order to develop a civilian cyber technology industry, and the future of that industry is in the cloud and in mass-produced solutions, like anti-virus software. That's where the money is."

InterContinental Hotels Confirms Credit Card Breach

InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean.
According to IHG, which operates 5,000 hotels worldwide, malware was found on servers used to process credit cards. The servers were infected between last August and December; the company declined to say how many payment cards were impacted.
In a statement released Friday, IHG said it found malware installed on servers used at popular destinations such as Michael Jordan’s Steak House and Bar in Chicago, the Holiday Inn San Francisco Fisherman’s Wharf, the Copper Lounge in Los Angeles, and the Palm Bar in Aruba. A full list of locations impacted was posted by IHG.
The hotelier reported on Dec. 28 that it was investigating customer complaints of unauthorized charges on credit cards. At the time, the company said only a limited number of destinations were impacted before revealing more details on Friday.
“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties,” according to a statement. “Cards used at the front desk of these properties were not affected.”
According to IHG, the malware searched for magnetic stripe track data as it was being routed through servers. Track data included cardholder name, card number, expiration date and internal verification code. There is also no information provided on the strain of malware used in the attacks.
Hotels, restaurants and other hospitality outlets are frequently singled out as victims of opportunistic hackers. Last year alone there were nearly a dozen reports of card breaches. One of those breaches occurred in August and included 20 hotels run by HEI Hotels and Resorts, which owns chains Marriott, Sheraton, and Westin. Similarly, malware was used to siphon payment card data.
The prevalence of malware use to steal payment card data hit a peak in 2014 when it was at the center of several high-profile breaches, including Target and Neiman Marcus.
As recently as last November, security researchers at Trustwave said the Carbanak cybercrime gang, first discovered by Kaspersky Lab, had shifted strategy and began targeting the hospitality and restaurant industries with new techniques and malware. Part of the Carbanak tactics involved targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target was credit card data scraped from the memory of point-of-sale systems.
“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG wrote in a statement regarding the breach.

Smart TV Manufacturer Vizio Fined $2.2M for Tracking Customers

Smart TV manufacturer Vizio tracked data on 11 million of its customers TVs without their knowledge or consent, the Federal Trade Commission announced this week.
The Irvine, Calif.-based company agreed on Monday to pay $2.2 million to settle charges that it collected scores of its customers’ data. While the company tracked what programs users watched it also tracked information corresponding to customers’ sex, age, income, marital status, household size, education level, home ownership and household value.
According to a complaint filed by the agency in the U.S. District Court for the District of New Jersey on Monday, Vizio tracked users through proprietary automated content recognition (ACR) software made by a subsidiary, Inscape Services. While that software has been turned on by default since 2014 on most of Vizio’s televisions, the FTC alleges that in some instances the company remotely installed it on any previously sold televisions that didn’t have the software.
The software feeds Vizio a “second-by-second” transmission on what its consumers watch, regardless of whether its on cable, on demand, a streaming device like Google’s Chromecast or Amazon’s Fire Stick, or even a DVD. According to the complaint, the software has quite the reach and is able to capture “up to 100 billion data points each day from more than 10 million VIZIO televisions.”
In addition to household demographics, the software also siphoned up technical details such as the home’s IP address, wired and wireless MAC addresses, how strong the home’s WiFi was, and even any nearby WiFi networks, the complaint (.PDF) reads.
The complaint alleges the company sold this information to third party companies who first used it to analyze the effectiveness of advertising, and then used it in targeted advertising.
“Defendants provide these third parties with IP addresses, so that the third parties can analyze a household’s behavior across devices, in order to determine, for example, (a) whether a consumer has visited a particular website following a television advertisement related to that website, or (b) whether a consumer has viewed a particular television program following exposure to an online advertisement for that program. The data is used in the aggregate to evaluate the effectiveness of advertising campaigns,” the complaint reads.
The company failed to provide users with any notice their viewing habits were being tracked. It wasn’t until March 2016 – in the midst of investigations against the company – that Vizio sent users a quick pop-up notification on their television notifying them their viewing data was being collected.
“This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu,” the complaint reads.
Going forward the company is being asked to disclose and obtain consent for any information it collects in the future, maintain transparency when it comes to what its doing with its customers’ information, and to develop a data privacy program subject to assessment every two years.
As part of the settlement Vizio is also being asked to erase any data it may have collected before March 1, 2016. Of the $2.2 million paid to settle the matter, $1.5 million will go to the FTC, another $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended.
Vizio, for its part, issued a press release shortly after the settlement was announced on Monday saying it was “pleased to reach this resolution” and that it set a “new standard for best industry practices,” At the same time the also company took a moment to clarify exactly what kind of customer information its ACR program gathered.
According to Jerry Huang, Vizio’s General Counsel, the program didn’t pair viewing data with personally identifiable information; instead, as the complaint specifies, it was used “in the ‘aggregate’ to create summary reports.”
“VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs. Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors.”
“Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang.
In the FTC’s eyes, Vizio’s statement runs counter to a securities filing previously filed by the company. In the filing, Vizio claims its data analytics program “provides highly specific viewing behavior data on a massive scale with great accuracy, which can be used to generate intelligent insights for advertisers and media content providers.”
The FTC’s Acting Chairman Maureen K. Ohlhausen said Monday that Vizio’s practices, specifically how it failed to disclose the fact it was tracking users, were unfair and deceptive.
“Evidence shows that consumers do not expect televisions to collect and share information about what they watch. Consumers who are aware of such practices may choose a different television or change the television’s settings to reflect their preferences,” Ohlhausen wrote. (.PDF) ”
The FTC filed a complaint against another major technology company, D-Link, earlier this year. In that complaint, the agency alleged the router manufacturer failed to adequately secure its wireless routers and IP cameras, something that could have potentially put its customers’ data at risk of compromise.