Better Endpoint Security Would Have Stopped Adult Friend Finder Data Breach – Charles Leaver

Written By Chuck McAuley And Presented By Charles Leaver Ziften CEO

Endpoint Security Is The Best Friend For Adult Friend Finder

Adult Friend Finder, an online "dating service", and its affiliates were hacked in April. The leaked information included credit card numbers, usernames, passwords, dates of birth, physical addresses and personal (you know) preferences. What is typically not highlighted in these cases is the financial value of such a breach. Many would argue that an email address and its associated data are of little worth. Nevertheless, in the same way that metadata collection offers insight to the NSA, this type of information gives adversaries a great deal of leverage that can be used against the general public. Spear phishing becomes a lot easier when attackers have not just an email address but also location, language, and race. The source IP addresses gathered can even supply exact street addresses for attacks.

The attack methodology used in this case was not made public, but it would be fair to presume that it leveraged some form of SQL injection attack or similar, where the information is pulled out of the back-end database through a flaw in the web server. Another possible methodology could have been stolen SSH keys from a compromised admin account or GitHub, but those tend to be secondary for the most part. Either way, the database dump itself is 570 megabytes, and assuming the data was exfiltrated in a couple of big transactions, it would have been extremely obvious at the network level. That is, if Adult Friend Finder had been using a solution that offered visibility into network traffic.

Ziften ZFlow™ provides network visibility into the cloud to catch aberrant data transfers and attribute them to the specific executing processes. In this case, the administrator would have had two opportunities to discover the irregularity: 1) at the database level, as the data was extracted; 2) at the web server level, where an abnormal amount of traffic would be sent to a particular address. Organizations like Adult Friend Finder should acquire the endpoint and network visibility needed to protect their customers' personal data and "hook up" with a company like Ziften.
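The two detection opportunities above (a database process handing a huge volume to one peer, and a web server sending an abnormal amount to one address) can be found from flow records once each flow is tied to its originating process. The following is an added example written for this page, not Ziften's ZFlow or any product code; the hosts, processes, addresses and byte counts are constructed.

```python
"""Added example, not Ziften's ZFlow or any product code: attribute outbound
flow volume to the process that originated it, then flag destinations that
receive far more than that process normally sends to any single peer.
Every flow record below is constructed for illustration."""
import statistics
from collections import defaultdict

MB = 1_000_000
# Constructed flow records as an endpoint agent would report them:
# (host, originating process, destination IP, bytes sent)
BASELINE_FLOWS = [
    # db01: the database serving its five application servers
    ("db01", "postgres", "10.0.1.20", 22 * MB), ("db01", "postgres", "10.0.1.20", 18 * MB),
    ("db01", "postgres", "10.0.1.21", 44 * MB),
    ("db01", "postgres", "10.0.1.22", 20 * MB), ("db01", "postgres", "10.0.1.22", 18 * MB),
    ("db01", "postgres", "10.0.1.23", 46 * MB),
    ("db01", "postgres", "10.0.1.24", 42 * MB),
    # web01: the web server answering ordinary visitors
    ("web01", "nginx", "203.0.113.7", 2 * MB),
    ("web01", "nginx", "203.0.113.8", 3 * MB),
    ("web01", "nginx", "203.0.113.9", 1_500_000),
    ("web01", "nginx", "203.0.113.10", 2_500_000),
    ("web01", "nginx", "203.0.113.11", 2 * MB),
    ("web01", "nginx", "203.0.113.12", 4 * MB),
]
LIVE_FLOWS = [
    ("db01", "postgres", "10.0.1.21", 43 * MB),       # ordinary application traffic
    ("db01", "postgres", "10.0.1.30", 570 * MB),      # the whole dump read by a never-seen peer
    ("web01", "nginx", "203.0.113.7", 2 * MB),        # ordinary visitor
    ("web01", "nginx", "198.51.100.9", 200 * MB),     # the same dump leaving through the web
    ("web01", "nginx", "198.51.100.9", 200 * MB),     # tier in three chunks to one address
    ("web01", "nginx", "198.51.100.9", 170 * MB),
]


def per_destination_totals(flows):
    """Sum bytes sent per (host, process, destination)."""
    totals = defaultdict(int)
    for host, proc, dst, nbytes in flows:
        totals[(host, proc, dst)] += nbytes
    return totals


def build_baseline(flows):
    """Per (host, process): median and MAD of per-destination totals, plus the
    destinations seen. MAD rather than standard deviation, so that a single
    huge transfer cannot widen its own baseline."""
    per_proc, seen = defaultdict(list), defaultdict(set)
    for (host, proc, dst), total in per_destination_totals(flows).items():
        per_proc[(host, proc)].append(total)
        seen[(host, proc)].add(dst)
    baseline = {}
    for key, totals in per_proc.items():
        med = statistics.median(totals)
        mad = statistics.median(abs(t - med) for t in totals)
        # floor the spread so a perfectly regular baseline does not alert on noise
        baseline[key] = (med, max(mad, 0.05 * med, 1.0))
    return baseline, seen


def find_exfil(baseline_flows, live_flows, threshold=10.0):
    """One alert per (host, process, destination) whose live total lies more
    than `threshold` robust standard deviations above that process's baseline.
    Chunked transfers are caught because totals are summed per destination.
    A process with no baseline at all gets (0, 1.0), so any volume alerts."""
    baseline, seen = build_baseline(baseline_flows)
    alerts = []
    for (host, proc, dst), total in per_destination_totals(live_flows).items():
        med, spread = baseline.get((host, proc), (0, 1.0))
        score = (total - med) / (1.4826 * spread)  # 1.4826 scales MAD to sigma
        if score > threshold:
            alerts.append({"host": host, "process": proc, "dst": dst,
                           "bytes": total, "score": round(score, 1),
                           "new_destination": dst not in seen[(host, proc)]})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in find_exfil(BASELINE_FLOWS, LIVE_FLOWS):
        print(alert)
```

Run against the constructed window it raises exactly two alerts, one for postgres on db01 and one for nginx on web01, each naming a destination the process had never contacted before.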

Breach At Ashley Madison Could Have Been Prevented With Ziften Endpoint Security – Charles Leaver

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO

Life Is Too Short Not To Implement Endpoint Security.

Ashley Madison's tagline is "Life is short. Have an affair." It appears security falls a bit short at the company, however, as millions of customer records were blasted out for the entire world to see in a recent breach. Publicly, there are only theories about who exactly breached the scandalous operation. It could have been an inside job. Other candidates, such as the notorious hacking group Impact Team, are claiming success over the red-lettered business. What is apparent, however, is the publicly published list of thirty-two million user identities. In addition, CEO Noel Biderman lost his position, and the company is facing an insurmountable number of lawsuits.

It has been discovered that bots were communicating with users, and that the user population included only a small number of women. Farcically, the site still mentions that it was a winner of a "Trusted Security Award" and promises total discretion for its users. Its claim of "Over 42,705,000 anonymous members!" on the homepage is as shameful as the service it provides. The stolen list of users is so easily available that third parties have already created interactive websites with the names and addresses of the exposed cheaters. Per Ashley Madison's media page, they "immediately introduced a thorough investigation utilizing the top forensics professionals and other security specialists to determine the origin, nature, and scope of this event." If Ashley Madison had been more proactive in its approach to endpoint security, it might have been alerted to the breach and stopped it before data could have been stolen.

Advanced endpoint security and forensic applications, such as those provided by Ziften, might have spared this organization the shame it has endured. Not only might Ziften have alerted security leads to the suspicious network events in the dead of night during a cyber attack, it might also have prevented a range of actions on the database from being performed, all while letting the security team sleep a little better. Life is too short to let security problems keep you awake at night.

How One Person Was Affected By The Biometric Data Compromise After The OPM Breach – Charles Leaver

Written By Mike Hamilton And Presented By Ziften CEO Charles Leaver

Increased Security Protection of Personal and Biometric Data Is Needed Following OPM Breach


Recently, I needed to go through a relatively comprehensive background check procedure. At the time it was one of those scenarios where you sign into the portal, offer your social security number and a plethora of sensitive information about you and your household, and trust the federal government (and their specialists) to take care of that personal data.

As I got home the other night and sat down to start writing this article, I looked at the stack of mail lying on my desk and noticed one of those envelopes with the perforated edges that generally contain sensitive information.

Naturally, you have to open those types of envelopes. Unfortunately, at that moment all my worst fears became a reality.

What I found was my personal letter detailing that basically every delicate piece of information one might want to know about me, along with similar information on twenty-one million other Americans, was accessed during the OPM breach.


Oh, and incidentally, there’s the fact that my biometric identity was also compromised:


At this point, even though "federal professionals" think that it's not a big problem, my iPhone disagrees with them. Bruce Schneier wrote an outstanding piece on this, so I will not belabor the points he makes. But at some point all of us need to ask some tough questions:

When is this going to stop?

Who is accountable for stopping it?

Who is going to actually stop it?

Who is going to be held responsible when breaches take place?

These kinds of breaches are why we at Ziften are so passionately building our next-generation security tools. While we as a security community may never entirely stop or prevent these kinds of breaches from taking place, perhaps we can make them a lot more difficult and time consuming. When you think about it, until the community says "enough is enough" this is going to continue to happen on a daily basis.

Behavior Analytics Are Crucial Because You Need To Learn From LastPass Breaches – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

The LastPass Breaches Hold Four Lessons We Can Learn From

Data breaches in 2011 and then again in 2015 were perpetrated against the password management firm LastPass. Professionals recommend the use of password managers, since strong passwords unique to each user account are not possible to recall without systematic help. However, putting all one's eggs in a single basket, and then having countless users each place their egg basket into one super basket, creates an alluring target for cyber criminals of every type. Cryptography specialists who have studied this recent breach at LastPass appear cautiously optimistic that significant damage has been avoided, but there are still essential lessons we can extract from this event:

1. There Is No Perfect Authentication, There Is No Perfect Security

Any knowledgeable, patient and motivated adversary will eventually breach any practical cyber defenses, even if yours is a cyber defense organization! Sadly, for many enterprises today, it doesn't often require much skill or persistence to breach their meager defenses and penetrate their sprawling, porous perimeters. Compromise of user credentials, even those of highly privileged domain administrators, is also quite common. Again, regrettably, many businesses depend on single-factor password authentication, which simply invites rampant compromise of sensitive data. But even multi-factor authentication can be breached, as was proven by the 2011 compromise of RSA SecurID tokens.

2. Call Upon Situational Awareness When Defenses Are Breached

Once the attackers have breached your defenses, the clock is ticking on your detection, containment, and remediation of the incident. Industry data suggests this clock has a long time to tick, hundreds of days on average, before awareness sets in. By that time the attackers have pwned your digital assets and picked your business carcass clean. Comprehensive situational awareness is vital if this too-frequent tragedy is to be averted.

3. Comprehensive Situational Awareness Fuses Network And Endpoint Contexts

In the recent LastPass incident, detection was achieved by analysis of network traffic from server logs. The attacker dwell time prior to detection was not disclosed. Network anomalies are not always the fastest way to recognize an attack in progress. A combination of network and endpoint context provides a much better decision basis than either context separately. For example, being able to merge network flow data with the identity of the originating process can shed much more light on a potential intrusion. A suspect network contact by a new and disreputable executable is much more suggestive when the two facts are taken together than when each is evaluated independently.

4. After An Authentication Failure, Utilize User Behavior Analytics

Compromised user credentials often wreak havoc throughout breached businesses, enabling attackers to pivot laterally through the network and operate mostly below the security radar. However, this abuse of valid user credentials differs considerably from the normal behavior of the legitimate credential holder. Even rather rudimentary user behavior analytics can find anomalous discontinuities in learned user habits. Always use user behavior analytics, especially for your more privileged users and administrators.
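What "rudimentary user behavior analytics" over learned habits looks like in practice, as an added example for this page (not Ziften's code): it builds a per-user profile from past logins (source hosts, target hosts, hours of day, and how many distinct targets the user ever reaches inside a ten-minute window) and scores each new login by the habits it breaks. The account, hosts and timestamps are constructed, and the weights are illustrative.

```python
"""Added example, not Ziften's code: learn each user's login habits from past
authentication events, then score new logins by how many learned habits they
break (source host, target host, hour of day, and how many distinct targets
are reached within a short window). All events below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed successful logins: (ISO timestamp, user, source host, target host).
# "dadmin" is a constructed domain administrator account.
HISTORY = [
    ("2015-06-01T08:55:00", "dadmin", "wks-17", "dc01"),
    ("2015-06-01T09:10:00", "dadmin", "wks-17", "fileserv"),
    ("2015-06-02T08:47:00", "dadmin", "wks-17", "dc01"),
    ("2015-06-02T14:20:00", "dadmin", "wks-17", "fileserv"),
    ("2015-06-03T09:02:00", "dadmin", "wks-17", "dc01"),
    ("2015-06-03T17:30:00", "dadmin", "jump01", "dc01"),
    ("2015-06-04T08:58:00", "dadmin", "wks-17", "dc01"),
    ("2015-06-05T10:15:00", "dadmin", "wks-17", "fileserv"),
]
LIVE = [
    ("2015-06-08T09:01:00", "dadmin", "wks-17", "dc01"),     # habitual morning login
    ("2015-06-08T02:13:00", "dadmin", "wks-42", "hr-db"),    # 2 AM, new source, new target ...
    ("2015-06-08T02:14:00", "dadmin", "wks-42", "fin-db"),   # ... then hopping host to host
    ("2015-06-08T02:16:00", "dadmin", "wks-42", "backup01"),
]


def targets_in_window(events, idx, minutes):
    """Distinct target hosts reached by the same user as events[idx] in the
    `minutes` ending at that event. `events` must be sorted by timestamp."""
    ts, user, _, _ = events[idx]
    end = datetime.fromisoformat(ts)
    targets = set()
    for j in range(idx, -1, -1):
        t, u, _, dst = events[j]
        if (end - datetime.fromisoformat(t)).total_seconds() > minutes * 60:
            break
        if u == user:
            targets.add(dst)
    return len(targets)


def build_profile(history, window_minutes=10):
    """Per user: sources, targets and hours seen, and the largest number of
    distinct targets ever reached inside one window."""
    events = sorted(history)
    profile = defaultdict(lambda: {"sources": set(), "targets": set(),
                                   "hours": set(), "max_burst": 0})
    for i, (ts, user, src, dst) in enumerate(events):
        p = profile[user]
        p["sources"].add(src)
        p["targets"].add(dst)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["max_burst"] = max(p["max_burst"], targets_in_window(events, i, window_minutes))
    return profile


def score_logins(history, live, window_minutes=10, threshold=3):
    """Return an alert for every live login whose weighted discontinuity
    score reaches `threshold`. Weights are illustrative, not tuned."""
    profile = build_profile(history, window_minutes)
    events = sorted(live)
    alerts = []
    for i, (ts, user, src, dst) in enumerate(events):
        p = profile.get(user)
        if p is None:
            alerts.append({"time": ts, "user": user, "src": src, "dst": dst,
                           "score": threshold, "reasons": ["no learned profile for user"]})
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if src not in p["sources"]:
            reasons.append(("login from never-seen source host", 2))
        if dst not in p["targets"]:
            reasons.append(("login to never-seen target host", 1))
        if all(abs(hour - h) > 1 for h in p["hours"]):   # one hour of slack, no midnight wrap
            reasons.append(("outside learned working hours", 2))
        burst = targets_in_window(events, i, window_minutes)
        if burst > p["max_burst"]:
            reasons.append((f"{burst} targets in {window_minutes} min, usual max {p['max_burst']}", 2))
        score = sum(weight for _, weight in reasons)
        if score >= threshold:
            alerts.append({"time": ts, "user": user, "src": src, "dst": dst,
                           "score": score, "reasons": [why for why, _ in reasons]})
    return alerts


if __name__ == "__main__":
    for alert in score_logins(HISTORY, LIVE):
        print(alert)
```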

Charles Leaver – Vulnerability Monitoring Could Have Stopped Elite Hacker Breach

Written By Josh Harriman And Presented By Ziften CEO Charles Leaver

Hacking Team Impacted By Absence Of Real Time Vulnerability Monitoring

These days cyber attacks and data breaches are in the news all the time, and not just for those in high-value markets such as healthcare, finance, energy and retail. One particularly interesting event was the breach of the Italian company Hacking Team. For those who don't recall, Hacking Team (HT) is a company that focuses on security software catering to government and police agencies that want to conduct covert operations. The programs produced by HT are not your ordinary remote control software or malware-type recording devices. One of their key products, code-named Galileo, better known as RCS (Remote Control System), claimed to be able to do pretty much whatever you needed in terms of "controlling" your target.

Yet as talented as they were in creating these programs, they were not able to keep others out of their systems, or to find such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT was hacked, and the material taken and subsequently released to the public was substantial: 400 GB in size. More notably, the material included very damaging information such as emails, customer lists (and prices) that included countries blacklisted by the UN, and the crown jewels: source code. There was also extensive documentation that included a few very effective 0-day exploits against Adobe and Flash. Those 0-days were used very soon after in attacks against some Japanese businesses and United States government agencies.

The big question is: How could this happen to a company whose sole purpose is to make software that is undetectable and to find or produce 0-day exploits for others to use? One would think a breach here would be next to impossible. Clearly, that was not the case. Currently there is not a lot to go on in terms of how this breach occurred. We do know, however, that somebody has claimed responsibility and that the person (or team) is not new to getting into places like HT. In August 2014, another surveillance company was hacked and sensitive files were released, much like HT. This included client lists, prices, code, and so on. This was against Gamma International, whose product was called FinFisher or FinSpy. A user by the name of "PhineasFisher" posted 40 GB worth of data on Reddit and announced that he or she was responsible. A post in July this year on their Twitter account stated that they had also taken down HT. It appears that the message and purpose of these breaches and thefts were to make people aware of how these businesses operate and who they provide their services to: a hacktivist attack. He did post some details of his techniques, and some of these methods were most likely used against HT.

A final question is: How did they break in, and what safety measures could HT have taken to avoid the theft? We did learn from the released documents that users within HT had very weak passwords, for example "P4ssword" or "wolverine." In addition, one of the primary employee systems where the theft might have taken place used the program TrueCrypt. However, when you are logged on and using the system, those hidden volumes are accessible. No details have been published at this time as to how the network was breached or how they gained access to the users' systems so that they could download the files. It is apparent, though, that businesses have to have a system such as Ziften's Constant Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside of normal behavior. Examples are 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When a company is making and providing sophisticated surveillance software, and holding unknown vulnerabilities in commercial products, a better plan should have been in place to limit the damage.

Endpoint Visibility Could Have Helped Prevent Anthem Health Care Data Leak – Charles Leaver

Written By Justin Tefertiller And Presented By Charles Leaver Ziften CEO

Constant Endpoint Visibility Would Have Improved Healthcare Data Leak Prevention

Anthem Inc. discovered a large-scale cyber attack on January 29, 2015 against its data and IT systems. The healthcare data leak was thought to have occurred over a multi-week period starting around early December 2014 and targeted personal data on Anthem's database infrastructure as well as endpoint systems. The stolen details included dates of birth, full names, healthcare identification numbers and social security numbers of customers and Anthem staff members. The exact number of individuals affected by the breach is unknown, but it is estimated that almost 80 million records were stolen. Healthcare data tends to be among the most financially rewarding sources of income for hackers selling records on the dark market.

Forbes and others report that attackers used a process-based backdoor on clients connected to Anthem databases, in combination with compromised admin accounts and passwords, to gradually take the data. The actions taken by the hackers posing as and running as administrators are what eventually brought the breach to the attention of security and IT teams at Anthem.

This type of attack shows the need for constant endpoint visibility, as endpoint systems are a continuous infection vector and an avenue to sensitive data stored on any network they might connect to. Basic things like never-before-observed processes, new user accounts, unusual network connections, and unauthorized administrative activity are typical calling cards of the onset of a breach, and can be easily recognized and alerted on with the right monitoring tool. When alerted to these conditions in real time, incident responders can catch the intrusion, find patient zero, and ideally limit the damage instead of letting attackers roam around the network unnoticed for weeks.
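Three of those calling cards (a never-before-observed executable, a familiar file name arriving with an unfamiliar hash, and a new account promptly granted administrator rights) can be picked out of endpoint telemetry with a few dozen lines. The following is an added example written for this page, not Ziften's code; the hosts, accounts, event stream and hash values are constructed placeholders.

```python
"""Added example, not Ziften's code: triage a stream of constructed endpoint
events for three onset-of-breach signals: a never-before-seen executable, a
familiar file name arriving with an unfamiliar hash, and a freshly created
account being granted administrator rights."""
from datetime import datetime, timedelta

# Fleet-wide inventory collected during a baseline period: file name -> hashes
# seen for it. The hash strings are constructed placeholders, not real digests.
KNOWN_BINARIES = {
    "svchost.exe": {"sha256:PLACEHOLDER-svchost-known"},
    "sqlservr.exe": {"sha256:PLACEHOLDER-sqlservr-known"},
    "outlook.exe": {"sha256:PLACEHOLDER-outlook-known"},
}

# Constructed endpoint events: (ISO timestamp, host, event type, details)
EVENTS = [
    ("2014-12-02T09:15:00", "wks-203", "process_start",
     {"image": "outlook.exe", "sha256": "sha256:PLACEHOLDER-outlook-known", "user": "jdoe"}),
    ("2014-12-02T09:16:30", "wks-203", "process_start",       # familiar name, unfamiliar hash
     {"image": "svchost.exe", "sha256": "sha256:PLACEHOLDER-unknown-1", "user": "jdoe"}),
    ("2014-12-02T09:17:10", "wks-203", "process_start",       # binary nobody has seen before
     {"image": "updchk.exe", "sha256": "sha256:PLACEHOLDER-unknown-2", "user": "jdoe"}),
    ("2014-12-02T23:40:00", "db-srv-4", "account_created", {"account": "svc_backup2"}),
    ("2014-12-02T23:41:05", "db-srv-4", "group_member_added",
     {"account": "svc_backup2", "group": "Administrators"}),
    ("2014-12-03T08:00:00", "db-srv-4", "process_start",
     {"image": "sqlservr.exe", "sha256": "sha256:PLACEHOLDER-sqlservr-known", "user": "SYSTEM"}),
]


def triage(events, known_binaries, promotion_window=timedelta(hours=24)):
    """Walk events in time order and return alerts. A new hash is reported
    once and then treated as seen, so a fleet-wide rollout of a new build
    produces one alert rather than one per host."""
    known = {name: set(hashes) for name, hashes in known_binaries.items()}  # copy, never mutate input
    all_hashes = set().union(*known.values())
    created = {}  # (host, account) -> creation time
    alerts = []
    for ts, host, kind, d in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "process_start":
            image, digest = d["image"], d["sha256"]
            if digest in all_hashes:
                continue
            if image in known:   # a name we trust, backed by a hash we do not
                severity, why = "high", f"{image} started with a hash never seen for that file name"
            else:
                severity, why = "medium", f"never-before-seen executable {image}"
            alerts.append({"time": ts, "host": host, "severity": severity,
                           "user": d["user"], "reason": why})
            all_hashes.add(digest)
            known.setdefault(image, set()).add(digest)
        elif kind == "account_created":
            created[(host, d["account"])] = when
        elif kind == "group_member_added" and d["group"] == "Administrators":
            account = d["account"]
            born = created.get((host, account))
            if born is not None and when - born <= promotion_window:
                age = int((when - born).total_seconds())
                severity, why = "high", f"account {account} made Administrator {age}s after creation"
            else:
                severity, why = "medium", f"existing account {account} added to Administrators"
            alerts.append({"time": ts, "host": host, "severity": severity,
                           "user": account, "reason": why})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS, KNOWN_BINARIES):
        print(alert["time"], alert["host"], alert["severity"], alert["reason"])
```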

PF Chang Data Breach Impacted 30 Locations In 8 Months – Charles Leaver

Written By Charles Leaver Ziften CEO

The PF Chang's restaurant chain recently released new details about the security breach of its credit card systems across the country. The restaurant chain announced that the breach affected more than 30 locations in 17 states and went on for eight months before being discovered.

While the investigation is still continuing, in a statement PF Chang's reported that the breach has been contained and that customer financial data has been processed securely by the restaurant since June 11. The compromised systems used by the chain were decommissioned until it was clear that their security could be ensured, and in the meantime credit cards were processed by hand.

Rick Federico, CEO, said in a statement: "The potentially taken credit and debit card data includes the card number and sometimes also the cardholder's name and/or the card's expiration date. Nevertheless, we have actually not determined that any specific cardholder's credit or debit card data was stolen by the attacker."

PF Chang's was notified of the breach, which it described as an "extremely sophisticated criminal operation," in June when it was contacted by the Secret Service about cyber security concerns. Once alerted, the restaurant worked with third-party forensic investigators to discover how the breach was able to take place, at which time they found that malicious actors had been able to exploit the chain's credit card processing systems and potentially gain access to customer credit card information.

Organizations worried about similar data breaches affecting point-of-sale terminals should implement endpoint threat detection to keep vital systems protected. Endpoint protection includes monitoring sensitive access points, like POS systems, bar code readers and employee mobile devices, and mitigating the threats that appear. Constant endpoint visibility is necessary to recognize risks before they compromise networks and to ensure business security.

Investing In Endpoint Threat Detection Will Safeguard Against Data Breaches – Charles Leaver

Written By Ziften CEO Charles Leaver


Preventing data breaches is a difficult thing to do, but very important to succeed in the current business climate. Because of the large number of cyber criminals waiting in the wings to steal personal details, credit card information, and other crucial data from customers, companies need to be aware of the many threats to information online and take action to prevent them. Using endpoint threat detection and response systems is one of the best ways to address this issue, as it provides a simple way to combat the wide variety of exploits hackers can use to gain access to a business network.

In order to build a better, more attack-proof system, establishing strong back-end security is essential. The New York Times' article on safeguarding data discusses a few essential procedures that can make a big difference in keeping customer information from falling into the wrong hands. Some of the procedures the article touches on include using point-of-sale systems for customer transactions only, dedicating one computer to all financial business, and keeping software up to date. These are wise pointers because they protect against several methods hackers prefer to use to breach systems. A POS system that doesn't connect to the Internet other than to transmit data to bank servers is more secure than one that isn't so limited, because it minimizes the risk of an infection getting onto the network through the Internet. Making one computer the single access point for financial transactions and nothing else can keep viruses or other malicious monitoring software from getting in. In this way, a business can greatly safeguard its customers without taking on many additional expenses.

Make Sure That Security And Safeguarding Come First

Property Casualty 360 has a similar list of suggestions, including automating patches to company systems, using encryption on all devices, enforcing strong passwords, and keeping an eagle-eyed approach to e-mail. Encrypting information, especially financial information, is highly important. It is possible for a hacker to get financial details stored as plain text very easily when no encryption is used. Obviously, strong endpoint threat response systems should be used to handle this threat, but security, like clothing in fall, is best when layered. Using numerous different techniques at the same time greatly reduces the chance of a given company's data being breached, which can, over time, make it much easier to safeguard against any type of damage that might be done.

Many breaches happen not when a piece of malware has successfully planted itself on a server, but when an employee's email account has an insecure password. Dictionary words, like "cat" or "password," should never be used. They are simple to guess and break in with, and they can lead to whole stores of data being stolen. Likewise, an employee mistakenly sending a list of clients to somebody without checking the intended recipients list can end up sending a whole trove of information to the wrong person, easily causing enormous data loss. This sort of leak should be avoided through solid training.

In response to the multitude of threats out there currently, the best way to handle them is to make use of strong endpoint threat response software in order to avoid losing important data. Using a wide variety of different security methods to safeguard against all inbound attacks is a wise way to be certain that your company is able to weather a range of blows. This type of mindset can keep an organization from being sunk by the large number of attacks currently striking enterprises.

No Time Off For Hackers At Christmas So Be Prepared – Charles Leaver

Written by Ziften CEO Charles Leaver

The holiday period is a time of opportunity for cyber criminals, syndicates and state-sponsored cyber groups to attack your company. A reduced number of IT staff at work may improve the odds of undetected endpoint compromise, stealthy lateral pivoting, and unnoticed data exfiltration. Experienced attack teams are likely assigning their top talent to a well-coordinated holiday hackathon. Penetration of your business would likely begin with an endpoint compromise by means of the typical targeted methods of spear phishing, social engineering, watering hole attacks, and so on.

With countless enterprise client endpoints available, initial infiltration hardly poses an obstacle to seasoned attackers. Standard endpoint security suites exist to protect against previously encountered, known malware, and are basically worthless against the one-off crafted exploits used in targeted attacks. The attack group will have reconnoitered your business and assembled your basic cyber defense products in their labs for pre-deployment evasion testing of prepared exploits. This pre-testing may include suitable sandbox evasion methods if your defenses include sandbox detonation safeguards at the enterprise boundary, although this is not always required, for example with off-VPN laptops visiting compromised industry watering holes.

The ways in which enterprise endpoints may become compromised are too many to list. Often the compromise may involve only compromised credentials, with no malware required or present, as verified by industry studies of malicious command and control traffic observed from pristine endpoints. Or the user, and it only takes one among thousands, might be an insider attacker or a disgruntled employee. In any large business, some incidence of compromise is inevitable and continuous, and the Christmas period is ripe for it.

Given incessant attack activity with unavoidable endpoint compromise, how can enterprises best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful technique to identify and respond to anomalous endpoint activity, and to do so at scale across many enterprise endpoints. It also augments and synergizes with enterprise network security by providing endpoint context around suspicious network activity. EDR offers visibility at the endpoint level, similar to the visibility that network security provides at the network level. Together this provides the full picture needed to identify and respond to unusual and potentially significant security incidents throughout the enterprise.

Some examples of endpoint visibility of possible forensic value are:

  • Tracking of user login activity, particularly remote logins that may be attacker-directed
  • Tracking of user presence and user foreground activity, including normal work patterns, activity durations, etc.
  • Tracking of active processes, their resource consumption patterns, network connections, process hierarchy, etc.
  • Collection of executable image metadata, including cryptographic hashes, version details, file paths, date/times of first appearance, etc.
  • Collection of endpoint log/audit events, preferably with optimal logging and auditing configuration settings (to maximize forensic value and reduce noise and overhead)
  • Security analytics to score and rank endpoint activity and bubble significant operating pattern anomalies up to the enterprise SIEM for SOC attention
  • Support for nimble traversal and drilldown of endpoint forensic data for rapid analyst vetting of endpoint security anomalies

Don't get a lump of coal in your stocking by being caught unawares this Christmas. Arm your enterprise to contend with the risks arrayed against you.

Happy Christmas!

Does Your Organization Have A Watcher Of Watchers? – Charles Leaver

Written By Charles Leaver CEO Ziften

High-profile cyber attacks highlight how an absence of auditing of existing compliance products can make the worst sort of front-page news.

In the earlier Java attacks on Facebook, Microsoft and Apple, as well as other big hitters in the industry, the attackers didn't need to dig too deep into their playbooks to find a technique. As a matter of fact they employed one of, if not the, oldest axioms in the book: they took a remote vulnerability in massively distributed software and exploited it to set up remote access. And in this case it was in an application that (A) wasn't the latest version and (B) most likely didn't need to be running.

While the hacks themselves have been front-page news, the approaches organizations can use to prevent or curtail them are pretty boring stuff. We all hear "keep boxes up to date with patch management software" and "ensure uniformity with compliance tools". That is industry standard and old news. But to pose a question: who is "watching the watchers"? In this case the watchers are the compliance, patch and systems management technologies. I believe Facebook and Apple discovered that just because a management system tells you that software is up to date does not mean you ought to believe it! Here at Ziften our results in the field say as much: we consistently discover dozens of versions of the SAME major application running at Fortune 1000 sites, all of which, by the way, are using compliance and systems management products.

In the case of the exploited Java plug-in, this was a MAJOR application with wide distribution. This is the type of application that gets tracked by systems management, compliance and patch products. The lesson from this could not be clearer: having some kind of independent check on these applications is necessary (just ask any of the organizations that were hacked…). But this is only a portion of the problem, because this is a major (arguably vital) application we are talking about here. If organizations find it difficult to keep ahead of updates on the known, licensed applications being used, then what about all the unknown and unneeded running applications and plug-ins and their vulnerabilities? Stated simply: if you can't even know what you are expected to know, then how on Earth can you know about (and in this case safeguard) the things you have no idea about or don't care about?
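A "watcher of the watchers" in its simplest form, as an added example for this page (not Ziften's code): it reconciles what a patch or compliance console claims about Java on each host against what an endpoint agent actually found on disk and in memory, and reports the four ways the two can disagree plus the case where the console knows nothing about a host at all. Hosts, paths and versions are constructed, and the minimum version is an assumed policy value for the example, not a statement about any specific vulnerability.

```python
"""Added example, not Ziften's code: an independent check on the "watchers".
It reconciles what a patch/compliance tool claims about Java on each host
against what an endpoint agent actually observed on disk and in memory.
Hosts, paths and versions are constructed; the minimum version is an
assumed policy value, not a statement about any particular vulnerability."""
from collections import defaultdict

# What the management console reports: host -> Java version it believes is installed
MANAGEMENT_REPORT = {
    "fin-wks-01": "1.7.0_15",
    "fin-wks-02": "1.7.0_15",
    "dev-wks-07": "1.7.0_15",
    "hr-wks-03": "1.7.0_15",
}

# What the endpoint agent observed: (host, image path, version, currently executing)
OBSERVED = [
    ("fin-wks-01", r"C:\Program Files\Java\jre7\bin\java.exe", "1.7.0_15", True),
    ("fin-wks-02", r"C:\Program Files\Java\jre7\bin\java.exe", "1.7.0_15", False),
    ("fin-wks-02", r"C:\Program Files (x86)\Java\jre6\bin\java.exe", "1.6.0_31", True),  # old copy still used
    ("dev-wks-07", r"C:\Program Files\Java\jre7\bin\java.exe", "1.7.0_10", True),        # tool says patched
    ("mkt-wks-11", r"C:\Program Files\Java\jre7\bin\java.exe", "1.7.0_11", True),        # tool never saw this host
]


def parse_version(text):
    """'1.7.0_15' -> (1, 7, 0, 15) so versions compare numerically, not as strings."""
    major, minor, rest = text.split(".")
    patch, update = rest.split("_")
    return int(major), int(minor), int(patch), int(update)


def reconcile(report, observed, minimum):
    """Return (host, finding, detail) triples. Findings:
    claim_mismatch     the tool's version is not among those on the host
    multiple_versions  more than one Java on the host, so patching one is not enough
    vulnerable_running a copy below `minimum` is actually executing
    unmanaged_host     Java found on a host the tool does not report at all
    not_observed       the tool reports Java but the agent saw none (stale tool or no agent)"""
    by_host = defaultdict(list)
    for host, path, version, running in observed:
        by_host[host].append((path, version, running))
    findings = []
    for host, installs in sorted(by_host.items()):
        versions = {v for _, v, _ in installs}
        claimed = report.get(host)
        if claimed is None:
            findings.append((host, "unmanaged_host", f"{sorted(versions)} present, host absent from tool"))
        elif claimed not in versions:
            findings.append((host, "claim_mismatch", f"tool reports {claimed}, host has {sorted(versions)}"))
        if len(versions) > 1:
            findings.append((host, "multiple_versions", ", ".join(sorted(versions))))
        for path, version, running in installs:
            if running and parse_version(version) < parse_version(minimum):
                findings.append((host, "vulnerable_running", f"{version} executing from {path}"))
    for host in sorted(set(report) - set(by_host)):
        findings.append((host, "not_observed", f"tool reports {report[host]}, agent saw no Java"))
    return findings


if __name__ == "__main__":
    for host, finding, detail in reconcile(MANAGEMENT_REPORT, OBSERVED, minimum="1.7.0_15"):
        print(f"{host:12} {finding:18} {detail}")
```

On the constructed data only fin-wks-01 comes out clean; every other host is one the console would have reported as fully patched or would not have reported at all.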