
The Jetson’s Cyber Concerns – Future Smart Cities Cybersecurity Checklist


As cities continue to grow smarter, they will also become easier to hack. With millions (if not billions) of dollars going into research for urban domains and the Internet of Things (IoT), there will be more opportunities to utilize technology to define, access and improve smart city services and infrastructure. In these smart cities, information security plays a huge role in protecting the highest levels of confidentiality, availability and integrity for city resources and utilities.
To help guide the development of smart cities, we at Trend Micro have developed a quick ten-step cybersecurity checklist as a gut check when implementing new, smart technologies.

1. Perform quality inspection and penetration testing

2. Prioritize security in SLAs for all vendors and service providers

3. Establish a municipal CERT or CSIRT

4. Ensure the consistency and security of software updates

5. Plan around the life cycle of smart infrastructures 

6. Process data with privacy in mind 

7. Encrypt, authenticate and regulate public communication channels

8. Always have a manual override ready

9. Design a fault-tolerant system

10. Ensure the continuity of basic services

Cities will continue to grow smarter over time. Whether these cities are built from the ground up, or built around and over established metropolises, it is always important to balance functionality with security. Cities are created by the people, and for the people. So, it’s only right to protect them.

To read the full report please click here.


Decade Long Partnership = Global Partner Innovation Award


Here at Trend Micro we highly value the relationships we’ve built with our partners, especially those that have spanned several years. However, it’s particularly gratifying when those partners choose to recognize our work with an award.

So, excuse us while we toot our own horns for a bit.

Recently, we were honored to receive the VMware 2016 Global Partner Innovation Award in the Technical ISV category at the VMware Partner Leadership Summit 2017, held in Rancho Palos Verdes, Calif. Recipients of a Global VMware Partner Innovation Award were acknowledged in 21 categories for outstanding performance and distinctive achievements during 2016.

For the last six years, Trend Micro has been recognized by VMware with the Japan Partner Award. However, this is the first time we have received the Global Technical Partner Award and been recognized by the company on a worldwide scale.

“I am pleased to recognize this year’s Global Partner Innovation Award winners, which are given to a select group of partners for their exceptional efforts in 2016,” said Ross Brown, senior vice president, Worldwide Partners and Alliances, VMware. “VMware is proud to see Trend Micro win Partner of the Year and we look forward to our continued collaboration.”

Our teams have worked diligently to build and optimize Trend Micro Deep Security™, powered by XGen™, specifically to secure VMware customers around the world. Modern data centers using VMware products are able to fully protect their hybrid cloud environments from the latest threats without slowing down business operations. Additionally, we recently integrated our Mobile Security for Enterprises with VMware AirWatch to protect organizations from unsecured mobile devices.

We have a long-standing history of innovation and success with VMware. More than 10 years ago we partnered to bring modern security to the software-defined data center and cloud, and since then have continuously enhanced our relationship.

Although this award is a sincere honor, we will not let this remain the pinnacle of our partnership with VMware for long. On the heels of this recognition, our teams will strive for continued success (and hopefully be able to take this award home again next year).

We’ve had many successes along the way with joint product innovation, sales activity, and tech support collaboration, making us particularly proud of an award that recognizes the strength of our partnership.

For more information please read the latest press release.

This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!


As Smart Cities Grow, They Become Easier to Hack

As cities continue to grow smarter, they will also become easier to hack. With millions (if not billions) of dollars going into research for urban domains and the Internet of Things (IoT), there will be more opportunities to utilize technology to define, access and improve smart city services and infrastructure.  

The Rise of Fileless Threats That Abuse PowerShell

Convenience, efficacy, and stealth are the likeliest reasons why cybercriminals are increasingly abusing legitimate tools or services already in the system to deliver their malware. Leveraging them allows these threats to blend in with normal network traffic or IT/system administration tasks, for instance.

The Dark Web Impacts Hidden Services in the Tor-Based Criminal Ecosystem

The goal of our research was to look into the modus operandi of attackers in the Dark Web. In particular, we were interested in learning whether criminals tend to deliberately target and compromise systems run by other criminal organizations or individuals. 

Manufacturers Should Be Mindful of Cybersecurity

Hackers can penetrate the corporate IT network of a manufacturing company, then gain access to a robot’s controller software and, by exploiting a vulnerability remotely, download a tampered configuration file. 

Yara Used to RickRoll Security Researchers

For most security researchers, Yara, a tool that allows them to create their own set of rules for malware tracking, is an invaluable resource that helps automate many processes. However, despite Yara’s reliability, it shouldn’t be the only tool used to monitor new versions of malware.  

Millions of Android Phones Hit by ‘Judy’ Malware

More than 36 million Android devices may have been infected with ad-click malware dubbed Judy. The malware was found on about 50 apps in Google’s Play Store. The apps’ code sends infected devices to a target webpage, where they generate fraudulent clicks on the site’s adverts to make money for its creators. 

Chipotle Cyberattack Affected Restaurants across 47 States

Shortly after Chipotle reported a breach on April 25 that affected more than 2,000 restaurant locations and an undisclosed number of individuals across 47 states, an investigation concluded the point-of-sale (POS) malware attack lasted from March 24 to April 18. 

Security Pros Cancel Bid to Buy Shadow Brokers’ Exploits

A group of cybersecurity researchers launched a crowdfunding effort to raise $25,000 on Wednesday, which is being demanded by the Shadow Brokers, a hacker group. It raised $3,906.62 in 36 hours before the campaign was canceled.  

Gambling Operators Pay Extra Attention to Cybersecurity

Online gambling operators have started to realize the threats posed by cyber criminals and increased the security of their gaming environment. The Internet is such a perilous place that nothing can be left to chance, but the payment method is the most important. 

There are 7 Ways to Protect Your Apple Computers against Ransomware

Malware is somewhat of an anomaly on Macs. For years, Apple users reveled in the knowledge that their OS of choice was impervious to viral infection. Apple even highlighted this lack of threat as a selling point in commercials and marketing for earlier versions of OS X. 

11 Things the Health Care Sector Must Do to Improve Cybersecurity

No industry or sector is immune to hacking. That reality was made painfully clear in mid-May, when a cyberattacker using WannaCry ransomware crippled health care institutions and many other kinds of organizations around the world.

Please add your thoughts in the comments below or follow me on Twitter: @JonLClay.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 29, 2017


“Anything that can go wrong will go wrong.” It’s not exactly clear how Murphy’s Law originated, but it seems to always make an appearance at the one time you can’t afford for anything to go wrong. Your laptop starts to malfunction right as you need to finish a project (this happened to yours truly earlier today) – your car breaks down the day you’re about to leave for a trip – or in last weekend’s case with British Airways, your entire IT system goes down on a holiday weekend, resulting in chaos and cancelled flights for tens of thousands of travelers at Heathrow and Gatwick airports. If you read my blog from last week, I mentioned that I am usually suspicious of outages at large venues and will assume that someone has hacked something. It wouldn’t be unreasonable for me to think that the British Airways outage was cybersecurity related.

But as it turns out, the British Airways outage wasn’t a cybersecurity incident at all. What caused it? Plain old human error – the result of an IT worker accidentally switching off the power supply. British Airways’ parent company explained that as a result of the IT worker’s actions, the supply of power to a key data center was lost, which ultimately resulted in an uncontrolled reboot that subsequently shut down the entire system. While British Airways will have to deal with fines related to the outage, at least they don’t have to deal with cleaning up what could have been a massive cybersecurity incident. By the way, if you haven’t had a chance to read it, you can read the recent white paper from the Zero Day Initiative that focuses on SCADA vulnerabilities here.

TippingPoint Security Management System (SMS) v4.6 Now Available!

Earlier this week, we released version 4.6.0 build 101914 of the TippingPoint Security Management System (SMS). SMS v4.6.0 is a general availability release that includes the following enhancements:

  • Threat Insights and Enhanced SMS Web Management Interface: The SMS provides a new web-based interface in this release that provides at-a-glance insight into your network security status with Threat Insights. This aggregation portal correlates threat intelligence from NGIPS, vulnerability scans, and sandboxing – summarizing them in one place – helping to prioritize, automate, and consolidate network threat information. This redesigned and improved interface is HTML5 based and available for both desktop and mobile device access.
  • Add Advanced Threat Analysis to Your Existing TippingPoint Deployment: Pre-filter and forward potential threats for automated sandbox analysis using the Trend Micro Analyzer appliance. Add on Trend Micro Analyzer centrally and scale as needed with no need to change your existing network infrastructure. View risk results directly from the integrated interface on the SMS. Advanced Threat Analysis requires Trend Micro Analyzer and the HTTP context feature available on TOS v3.7 or later on N/NX-series NGIPS devices and TOS v4.2 or later on T-series IPS devices.

For a complete list of enhancements and changes, customers can refer to the product Release Notes. For Release Notes and other documentation, go to https://tmc.tippingpoint.com/TMC/. For questions or technical assistance, customers can contact the TippingPoint Technical Assistance Center (TAC). For more information on SMS Threat Insights, click here.

Zero-Day Filters

There are 13 new zero-day filters covering one vendor in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Foxit (13)

  • 28374: HTTP: Foxit Reader Link setAction Use-After-Free Vulnerability (ZDI-17-306)
  • 28377: HTTP: Foxit Reader Field setAction Use-After-Free Vulnerability (ZDI-17-307)
  • 28382: HTTP: Foxit Reader scroll Use-After-Free Vulnerability (ZDI-17-302)
  • 28383: HTTP: Foxit Reader Field insertItemAt Use-After-Free Vulnerability (ZDI-17-303)
  • 28384: HTTP: Foxit Reader spawnPageFromTemplate Use-After-Free Vulnerability (ZDI-17-304)
  • 28386: HTTP: Foxit Reader Annotations arrowEnd Use-After-Free Vulnerability (ZDI-17-309)
  • 28389: HTTP: Foxit Reader importAnXFDF Use-After-Free Vulnerability (ZDI-17-308)
  • 28390: HTTP: Foxit Reader Annotations opacity Use-After-Free Vulnerability (ZDI-17-310)
  • 28391: HTTP: Foxit Reader getURL Use-After-Free Vulnerability (ZDI-17-305)
  • 28392: HTTP: Foxit Reader Annotations style Use-After-Free Vulnerability (ZDI-17-311)
  • 28396: HTTP: Foxit Reader Annotations lock Use-After-Free Vulnerability (ZDI-17-312)
  • 28454: HTTP: Foxit Reader buttonSetCaption Use-After-Free Vulnerability (ZDI-17-299)
  • 28455: HTTP: Foxit Reader resetForm Use-After-Free Vulnerability (ZDI-17-300) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

Bridging the Skills Gap with Trend Micro’s Capture the Flag (CTF) Competition


We all know the IT security industry is suffering from chronic skills gaps and shortages around the world. In the US things are no different, with an estimated talent shortfall of around 40,000 jobs for information security analyst roles alone. While various initiatives have been proposed, few have managed to make a dent on the growing problem.

That’s where Trend Micro’s Capture the Flag (CTF) competition comes in, offering a fantastic way for IT and security professionals to enhance and expand their skill sets. Through initiatives like this we have a real opportunity to better equip the industry with the skills it needs to combat modern online threats.

A skills crisis

The skills problem is well on its way to becoming a full-blown crisis. Citing UK government research, industry non-profit ISACA has predicted there will be a global shortage of two million cybersecurity professionals by 2019. Meanwhile, the Center for Cyber Safety and Education’s Global Information Security Workforce Study claimed the shortfall will be 1.8m in five years’ time. It warned of a looming “skills cliff edge” as older professionals go into retirement with a lack of suitable replacements coming through from younger generations.

In short, there are far too few professionals entering the industry and, partly as a result, many of those that are just starting out don’t have the hands-on experience or skills to turn themselves into effective cybersecurity practitioners. The issue is particularly acute when we break it down by gender. In fact, only 14 percent of the North American cybersecurity workforce are women, slightly higher than the global average of 11 percent but still regrettably low and certainly not comparable to other industries.

It doesn’t take much effort to join the dots. We need more skilled cybersecurity professionals to keep data safe and systems secure amid a rapidly evolving threat landscape. Organizations today are facing an unprecedented barrage of online threats. From targeted attacks to zero-day threats, DDoS attacks to SCADA and IoT threats – the sheer volume and breadth of challenges facing industry professionals today is staggering. They’re battling a diverse and determined set of online foes, from hacktivists to state-sponsored hackers and traditional financially motivated cybercriminals. Then there are insider threats to manage and the complexities of hybrid cloud, IoT, bring your own device (BYOD) and other systems, which have only served to expand the organization’s attack surface even further.

Capture the Flag

That’s why Trend Micro’s Capture the Flag competition is back for a third year. The idea is to support and enhance the practical skills of IT and security professionals, of today and the future, stretching their knowledge into new areas including targeted attacks, IoT threats and attacks on Industrial Control Systems (ICS). The hope is that by supporting the development of engineers and programmers in these kinds of areas – which we’re seeing a lot of demand for – we can make the world a safer place in which to exchange digital information.

So what is it and how do you enter?

The competition comes in two stages, an online qualifying event and the finals to be held in Tokyo.

The online qualifier is in a “Jeopardy” format, requiring participants to solve challenges in various categories. The top 10 teams will then advance to compete in the final. This will comprise a combination of “attack and defence” and Jeopardy formats.

The final winning team will be awarded JPY 1,000,000 (around US$8,700), Zero Day Initiative Rewards Program points, and automatic qualification for the HITCON CTF 2017 Final to be held in Taipei, Taiwan.

For the final, players’ three-night accommodation will be covered by Trend Micro. In addition, travel expenses will be subsidized up to a maximum of JPY200,000 per team (conditions apply). Whether experienced or new to the field, or working in IT, security, or manufacturing, Trend Micro CTF welcomes anyone who would like to test, learn and enhance their knowledge and skillset.

Our late CTO Raimund Genes was a passionate advocate of cybersecurity and the need for our industry to attract and nurture the best talent, so it’s fitting that Trend Micro CTF 2017 is now named the Raimund Genes Cup.

To register for the online qualifier and for more information about Trend Micro CTF 2017 – Raimund Genes Cup, please visit: www.trendmicro.com/tmctf.

How vulnerability research benefits both vendors and customers

Thanks to its importance, vulnerability research is now taking place on a larger, more public scale.

Zero-day vulnerabilities – newly discovered flaws that haven’t been previously identified – are now emerging more often. Worse still is the fact that these dangerous flaws sometimes aren’t pinpointed until hackers have already exploited them.

According to a prediction from Cybersecurity Ventures founder and Editor-in-Chief Steven Morgan, the frequency of zero-day exploits – which were a once-per-week occurrence in 2015 – could increase to once-a-day within the next four years.

A rise in cyberattacks is nothing new – this has been a trend within the technology industry for years now. This doesn’t mean, however, that researchers and developers shouldn’t take steps to quell the number of exploitable vulnerabilities present in critical software and IT systems.

Changing the tide: Vulnerability research

Enter vulnerability research, a growing trend that’s making waves in the cybersecurity industry. Vulnerability research is typically an undertaking for the engineering team, and involves the use of advanced techniques in an effort to identify flaws or issues within software that could potentially be used for attacks, breaches or other security incidents.

This process means that zero-day threats and other software problems are identified sooner, hopefully before they fall into the hands of cybercriminals. In this way, infections launched thanks to new vulnerabilities decrease, and the attack vectors available to hackers drop.

An uphill battle: Special skills required

“The frequency of zero-day exploits could increase to once-a-day within the next four years.”

However, as Dark Reading contributor Rutrell Yasin pointed out, one doesn’t just jump into this kind of research. Vulnerability and security research require certain skills and capabilities, especially given the fast-paced nature of the current threat landscape.

“The discipline is suited for those people who have an innate curiosity of how software can be broken down or bypassed so you can do things with it that weren’t intended to be done,” Yasin wrote.

What’s more, researchers must be “immersed in technology” and have a high interest in understanding the operations and potential malicious uses of different systems as well as the ways in which they integrate with one another.

“Security engineers see the world differently than other engineers,” noted information security expert Bruce Schneier. “Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail and how to prevent – or protect against – those failures.”

The best researchers are those that consider themselves jacks of all trades, Yasin noted, but also have certain specialties. In this way, those specialized skills can be put to work in a way that benefits the research and helps pinpoint vulnerabilities that may have otherwise been overlooked.

Benefits abound on both sides of the coin

The advantages of vulnerability research aren’t hard to see. As attacks continue to increase in frequency and severity, vulnerability research provides an opportunity to reduce the available attack surface. As Morgan noted, this surface grows by 111 billion new lines of code annually, so any effort to cut down on available exploits is good news for users, code developers and the software vendors they work for.

As threat analyst Weimin Wu pointed out, vendors that leverage vulnerability research results to their advantage can considerably improve the solutions they’re creating for users, and take a proactive stance against the latest hacking tactics.

“It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly,” Wu wrote.

This, in turn, helps better safeguard individual consumers and business users, who increasingly rely on software systems to manage sensitive information and support mission-critical operations.

White hats vs. black hats

What’s more, it’s important for researchers and users alike to keep in mind that if these vulnerabilities aren’t pinpointed by white hats, chances are very good that black hats will come across them and use them for malicious purposes at one point or another.

In addition, the work done by vulnerability researchers to identify exploits within one software program will likely benefit every other platform using similar coding and functions. In this way, efforts aren’t unique to the program at hand, but have the potential to benefit the entire software industry, ensuring the same exploitable mistakes aren’t repeatedly made.

Vulnerability researchers hope to identify exploits before they’re discovered and leveraged by black hat hackers.

Vulnerability research in action: Pwn2Own

Thanks to its importance, vulnerability research is now taking place on a larger, more public scale. One prominent example of this is Trend Micro’s Pwn2Own event, which brings together researchers and security experts from all walks of life and awards cash and prizes for the most successful exploit identifications.

This year marked the 10-year anniversary of Pwn2Own, which originally kicked off in 2007. Since then, the event has expanded to include new areas of research – this year, the Zero Day Initiative put more than $1 million in prizes up for grabs in categories including Virtual Machine Escape, Web Browser and Plugins, Enterprise Applications, Local Escalation of Privilege and Server Side.

Last year’s event saw the identification of a range of vulnerabilities. Once hacking teams pinpoint these items, contest organizers send research result details to the vendors so that steps can be taken to improve data safeguards.

“Therefore, as vendors learn more about the vulnerabilities in their software and devices, they can strengthen their cyber security, which in turn bolsters that of their customers,” Trend Micro’s Noah Gamer wrote in a 2016 blog. “How can consumers and businesses alike steer clear of these bugs in the programs they use on a daily basis? Implementing effective cyber security solutions could be the answer to this issue. By investing in these kinds of tools, they can protect their systems and make sure their data is safeguarded against malicious actors.”

This year’s event saw unprecedented interest, and the number of participant registrations required adding a third day to the competition. Researchers engaged in a number of important vulnerability research projects, including attempting a full virtual machine escape through Microsoft Edge, investigating the Windows kernel and examining a VMware Workstation buffer.

Overall, vulnerability research will only become an increasingly critical process as the threat environment continues to expand. Any effort to shift the tide of malicious attacks is beneficial for researchers, vendors and users.

To find out more about this year’s Pwn2Own and the results of the competition, contact Trend Micro today.

How IOC Sharing Will Help Us Build a More Secure Healthcare Sector


At Trend Micro we work hard every day to reduce the risk posed by cyber attacks from hacktivists, transnational cybercriminals, and cyber espionage groups. Nowhere is this more pertinent than in the healthcare industry, where everything from data breaches to ransomware attacks impacting medical devices could have a serious impact on patient care. This is why we’re a committed partner of the Health Information Trust Alliance (HITRUST), an organization dedicated to improving cybersecurity in the healthcare industry.

The HITRUST Cyber Threat XChange (CTX) is a program Trend Micro has been invested in from the start, and we’re delighted to see that our Deep Discovery Inspector appliance is already making countless healthcare organizations (HCOs) more resilient to threats. In fact, new data suggests it generated more than 5,700 IOCs in the month of May alone, including seeing the WannaCry indicators two weeks before the NHS incident.

Lessons learned

The WannaCry ransomware epidemic last month taught us a valuable lesson: that organizations the world over still aren’t following cybersecurity industry best practices, such as those recommended in the HITRUST CSF. Many healthcare institutions were impacted, forcing IT systems and medical devices offline, which in turn led to cancelled operations, chemotherapy treatments and other urgent appointments. As our recent report on the industry illustrates, healthcare organizations are struggling to cope with an increasingly sophisticated and wide-ranging variety of threats. Many CISOs and their teams in the sector have a thankless task trying to make their hybrid infrastructure more resilient with minimal resources. Embedded third-party applications powering critical medical devices make prompt patching a challenge, while the move to industrial IoT and cloud services expands the HCO’s attack surface ever further.

The nature of today’s threat landscape makes cybersecurity particularly challenging. The variety and volume of online threats is simply unprecedented. The Trend Micro Smart Protection Network (SPN) alone blocked almost 82 billion threats in 2016; a year which saw a 752 percent increase in new ransomware families. From compromised legitimate websites to malware-laden phishing emails, zero day attacks, information stealers, and ransomware, the list of threats is growing all the time. What’s more, attacks are frequently multi-staged and multi-vector, further complicating detection efforts.

IOC sharing

That’s where HITRUST and its Cyber Threat XChange (CTX) come in. HITRUST CTX is designed to accelerate threat detection and response. It does so by automating the collection and analysis of known and unknown threats and then distributing their respective indicators of compromise (IOCs) in minutes rather than days and weeks. Participating organizations are able to prevent attacks through a high-tech, low-touch strategy that enables machine-to-machine threat information sharing.

CTX reduces the risk of a breach or compromise by sharing intelligence during all stages of an attack, as is evident from the May 12th WannaCry outbreak. The HITRUST CTX had detected and shared indicators of that attack with participating members several weeks in advance, which resulted in immediate protection from a ransomware breach.

From the very start, Trend Micro’s Deep Discovery Inspector appliance has been the primary means for participating CTX organizations to collect, analyze and share IOC information, providing a highly effective cyber threat early warning system for all. The appliance offers:

  • Unrivalled visibility, with analysis on any port and more than 100 protocols
  • Monitoring of east/west traffic, which many products miss but which is vital to spotting sophisticated targeted attacks and more, using numerous detection techniques
  • Custom sandboxing for optimal detection, zero-day detections and low false-positive rates

Thanks to the DDI appliance, the HITRUST CTX can detect advanced threats across the many stages and attack vectors of modern threats, while automating the sharing of intelligence amongst participants so that they are instantly protected from an attack. Ransomware attacks like WannaCry, for example, are thwarted before the initial compromise can even occur.

The Enhanced IOC Collection Program observed that IOCs seen first by HITRUST participants appeared on average 16 days before they did in other commercial, community and open source feeds. At last, IT security professionals in the healthcare industry can begin to move from reactive fire-fighting to proactive cyber defense.

Trend Micro is committed to its partnership with HITRUST, including expansion of the Enhanced IOC program and closer collaboration to speed the analysis of cyber threat information to ensure actionable information is available sooner.

This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!


Trend Micro Is Bridging the Cybersecurity Skills Gap with Capture the Flag Competition

We all know the IT security industry is suffering from chronic skills gaps and shortages around the world. In the US things are no different, with an estimated talent shortfall of around 40,000 jobs for information security analyst roles alone. That’s where Trend Micro’s Capture the Flag (CTF) competition comes in.

Cybercriminals Are Using Third-Party APIs as C&C Infrastructure

Companies have made a shift from typical communication methods to modern chat platforms like Slack, Discord, and Telegram. Unfortunately, attackers have also begun to abuse these platforms as command-and-control infrastructures, by exploiting the very trait that makes the platforms attractive to use.

Delve into EternalBlue’s Inner Workings to Better Understand the Exploit

The EternalBlue exploit took the spotlight last May as it became the tie that bound the spate of malware attacks these past few weeks—the pervasive WannaCry, the fileless ransomware UIWIX, the Server Message Block (SMB) worm EternalRocks, and the cryptocurrency mining malware Adylkuzz. 

We’ve Reached ‘Peak Ransomware’

Last year Trend Micro reported a 752% increase in the number of ‘families’ of ransomware, but this explosion in popularity along with WannaCry’s highly public attack, could be ransomware’s downfall. It serves as a fantastic awareness-raising tool. 

Ponzi Scheme Meets Ransomware for a Doubly Malicious Attack

The first message to pop up on the computer screen let the victims know they had been hacked. The victim had a choice: Pay the hackers a ransom of one bitcoin, in exchange for regaining access to the computer, or try to infect two new people on behalf of the attackers. 

Ransomware Variants Based on Hidden Tear Continue to Proliferate

Ransomware based on open source code, specifically variants based on Hidden Tear, continues to proliferate. When it was first released, the open source code allowed anyone, even inexperienced developers, to extort victims with ransomware.

Japanese Police Arrest Their First Ransomware-Slinging Menace

Japanese cops have, for the first time ever, arrested a ransomware maker. The 14-year-old from Osaka Prefecture in western Japan was collared on June 5 after police tracked him down as the suspected creator of home-grown ransomware that was being spammed out on social media. 

By 2022 There Will be 350,000 Cybersecurity Vacancies

The General Data Protection Regulation will force organizations to expand their cyber workforce. Two in five governments and companies will expand their cybersecurity divisions by more than 15 percent in the next 12 months. This will lead to a shortfall of 350,000 cyber workers across the continent by 2022. 

Hackers Hid Link to Malware Servers in Britney Spears Instagram Comments

Threat researchers at ESET have discovered that Turla, an espionage group linked to the Russian government, has been leaving comments on Spears’ Instagram posts that tell its malware how to connect to the group’s servers. 

Please add your thoughts in the comments below or follow me on Twitter: @JonLClay.


TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 5, 2017


This week marked the first time an airline misplaced my bags for a significant period of time. Inclement weather forced me to not only change my flight, but also change airlines. Unfortunately, my luggage didn’t get the memo. I dealt with two airlines to find my bags, and I eventually received my bags over 60 hours later. As Geoffrey Chaucer wrote in The Canterbury Tales, “For better than never is late; never to succeed would be too long a period.”

 

It’s better late than never if you haven’t had the chance to read one of the latest white papers from the Zero Day Initiative. Their paper, “Transforming Open Source to Open Access in Closed Applications,” sheds light on both old and new vulnerabilities found in Adobe Reader’s XSLT engine, including several that needed to be patched more than once. It focuses on techniques for auditing the source code of Sablotron to find corresponding bugs in Adobe Reader. The paper also presents a new source-to-binary matching technique to help researchers pinpoint the vulnerable conditions within Sablotron that also reside in the assembly of Reader. You will also see real-world application of these techniques demonstrated in the paper through a series of code execution vulnerabilities discovered in Adobe Reader’s codebase.

Zero-Day Filters

There are 16 new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (11)

  • 28463: ZDI-CAN-4763: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28464: ZDI-CAN-4764: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28473: ZDI-CAN-4765: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28474: ZDI-CAN-4766: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28475: ZDI-CAN-4817: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28476: ZDI-CAN-4818: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28477: ZDI-CAN-4819: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28478: ZDI-CAN-4820: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28479: ZDI-CAN-4821: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28480: ZDI-CAN-4822: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28481: ZDI-CAN-4823: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) 

Trend Micro (4)

  • 28299: ZDI-CAN-4685: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28459: HTTPS: Trend Micro InterScan Web Security ReportHandler DoCmd Command Injection (ZDI-17-206)
  • 28462: ZDI-CAN-4690: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28467: HTTPS: Trend Micro InterScan Web Security doPostMountDevice Command Injection (ZDI-17-209) 

VIPA (1)

  • 28398: TPKT: VIPA Controls WinPLC7 recv Buffer Overflow Vulnerability (ZDI-17-112) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

Flying Under the Radar: How Hackers Use Protection Strategies for Attack

How are cybercriminals able to flip the board on the security measures individual users as well as businesses utilize to safeguard their most important data and content? Let's take a look at a few sneaky techniques being employed by today's hackers.

It's a recurring theme in sports movies, war stories and crime stories alike: In order to defeat the enemy, one must think like the enemy.

This approach has been taken – oftentimes quite successfully – in an array of settings, including the cybersecurity realm. Security researchers are constantly working to pinpoint and better understand the techniques used by hackers in an effort to create targeted protections for specific threats. What many don't realize, however, is that there's a similar trend growing on the other side of the fence.

Similar to their white hat counterparts, malicious hackers are always looking to advance their capabilities. Instead of leveraging known system vulnerabilities, though, some attackers are now seeking to use the very protection measures organizations deploy to block malicious activity against them.

But how are cybercriminals able to flip the board on the security measures consumers as well as businesses utilize to safeguard their most important data and content? Let's take a look at a few sneaky techniques being employed by today's hackers.

Turning employee training on its head

One of the cornerstones of many businesses' security stance is specialized training for employees. This helps workers understand how to spot malicious activity that could be the beginning of an attack, as well as their individual roles in the company's holistic data protection. In many of these training sessions, employees are taught not to provide sensitive personal or corporate details unless the request comes from an individual or group with authority.

Hackers create official-looking emails to trick victims into clicking malicious links that infect their internal systems.

Knowing this, hackers began utilizing phishing techniques, which hinge on the use of an official-looking message that convinces victims to part with the sensitive information they've been trained to protect. Within these attacks, attackers could create a legitimate-appearing message from an authoritative group like a bank or even law enforcement.

In some cases, when the attack is targeted at a specific person within a certain business, the hacker will go so far as to learn about the individual and establish a message that caters to them specifically. This could include the individual's name, company title and other details in an effort to win the reader over and encourage a click on a malicious link or attachment that infects the system.

Social engineering techniques also seek to leverage standard training against organizations by luring victims in and gaining their trust. Like many attacks, social engineering is often financially motivated – attackers seek out details that can be used to gain a profit, whether through subsequent fraudulent activity or the sale of stolen data.

As Trend Micro noted, social engineering attacks have gotten more sophisticated than ever, and now draw upon current events, celebrity gossip and other news to pique a victim's interest, lead them to a malicious website and steal their data.

As Digital Guardian contributor Nate Lord pointed out, hackers use psychological manipulation to trick users. While, especially within enterprise circles, users are trained to spot this kind of activity, hackers are still having success with social engineering and phishing attacks, appearing legitimate enough to allow for data theft.

Evading security solutions

Phishing and social engineering have been around for quite some time, but this hasn't diminished the impact these attacks have on the businesses falling victim to them. In fact, The Anti-Phishing Group reported that 2016 was a record-breaking year in terms of phishing, which broke the one-million-attack threshold. What's more, SC Magazine reported late last year that more than half of all enterprises – 60 percent – experienced a social engineering attack in 2016.

While these are certainly formidable threats, they pale in comparison with Trend Micro's recent prediction. According to the 2017 Security Predictions report, Trend Micro researchers are forecasting a sharp rise in attacks leveraging specific evasion techniques. These tactics enable a hacker to remain hidden in their malicious activities as they attempt to spur infection, and maintain cloaking even once inside a victim's system.

"We will also see improved means of staying hidden within a network once infiltrated," Trend Micro's Jon Clay wrote. "Ensuring their malware is undetectable will be high on their priority list and this will be accomplished by regularly replacing it with new malware designed to be Fully UnDetectable."

In fact, many hackers are now taking part in underground testing to ensure their malicious programs truly are undetectable. Clay explained that hackers are beginning to offer testing services to see how malware stacks up against specific security vendors' products.

In addition, this approach is expanding to target even the most advanced, emerging technical capabilities. This includes creating evasion techniques specifically for machine learning, enabling attackers to infiltrate these systems and exfiltrate data while remaining hidden from victims' safeguards.

Hackers are getting more sophisticated every day, leveraging increasingly advanced infection measures to bore into victim systems and steal information. While these attacks can be particularly difficult to guard against, the first step in protection is awareness.

Protection against these types of advanced attacks requires a layered-security strategy that helps detect risks across the entire threat lifecycle. In this way, if hackers are able to bypass one layer of security, other subsequent layers can help block the overall threat. 

To find out more about these emerging strategies and how you can secure your organization, contact the experts at Trend Micro today.

Business Process Compromise: The Next Step in Advanced Targeted Attacks

While it sounds similar to Business Email Compromise, Business Process Compromise is an entirely new beast.

Targeted attacks have come a long way in recent years, leveraging increasingly advanced techniques aimed at specific individuals. Often, these hackers pinpoint a single person within an enterprise, steal their credentials, log into an account, and leverage this position to find sensitive information. Business email compromise, supported by extensive research and tailored messages, is one example of the ways in which hackers are propelling their malicious capabilities to ever-increasing heights.

Now, however, a new threat has come to light: Business Process Compromise. While it sounds similar to BEC, BPC is an entirely new beast.

How BPC works

As this video from Trend Micro points out, as opposed to targeting a specific individual within a victim organization, BPC sees hackers focusing on a certain process the enterprise uses to complete important daily tasks. Once inside the system, hackers seek out activities, loopholes or entire systems ripe for compromise, and use this to their advantage in the attack.

The purpose of this style of attack is to learn as much about an organization's processes as possible, including all of the activities and systems leveraged for business. From here, hackers are able to pinpoint vulnerabilities within these processes and platforms, which can be subtly adjusted or manipulated. In this way, systems continue to function as usual from the company's standpoint. However, the cybercriminal is working in the background to steal data, siphon profits or even steal physical items.

Has BPC been successful?

While a relatively new style of hacking, several high-profile attacks have succeeded thanks to BPC. This includes attacks on the Bangladesh Bank, where hackers compromised processes to the point that they were able to steal authentication credentials enabling bank transfers. This BPC-supported activity resulted in multiple fraudulent transfer requests for more than $100 million.

Not long afterward, Vietnam's Tien Phong Bank was targeted by hackers in a BPC attack. Thankfully, the organization was able to recognize hackers' fraudulent transfer requests, and the theft of more than $1 million was blocked.

Guarding against BPC

Because this style of attack is so new, the first step in protection is simply ensuring awareness of BPC, especially within the IT team. Security managers with knowledge of this type of malicious activity are in a better position to monitor for suspicious system manipulations and stop malicious activity in its tracks.

In addition, Trend Micro security experts recommend having a robust view of the network and all of its connected components, as well as ongoing audit policies. This can help IT personnel pinpoint any system adjustments that could point to BPC.

To find out more about this threat and the kinds of cybersecurity solutions that can help guard against it, check out Trend Micro's new interactive BPC online resource here.

Can YOU spot the fake?


As we predicted in 2016, cyberpropaganda is a major growth area for cybercriminals. Per that prediction, “The rise in the Internet penetration has opened the opportunity for invested parties to use the Internet as a free-for-all tool to influence public opinion to go one way or another.” Today, we know this through Wikileaks and self-proclaimed fake news websites.

Reputation Matters 

Reputation is critical to organizations and individuals in our world today. Whether information is true or not sadly doesn’t matter. The reality is – once information is out there, the opinion of the general public is automatically impacted. This gives fake news a great deal of power in both political and business situations, as it can heavily impact the reputation of the targeted group or organization. And we’ve seen it in action – with cyberpropaganda campaigns attempting to sway public opinion surrounding elections in 2016 and 2017, as well as against World Anti-Doping Agency (WADA) and other organizations.

Protecting against it

Trend Micro’s latest report, “The Fake News Machine,” provides an in-depth analysis of how this works, and how cybercriminals have capitalized on this huge growth area. Researchers Lion Gu, Vladimir Kropotov, and Fyodor Yarochkin dug through online marketplaces, both on the surface and Deep Web, to identify how cyberpropaganda campaigns are being sold. Fake news today stands on three pillars – social networks, tools and services, and motivations – which together enable these campaigns to propagate and succeed.

While government and social networking sites are actively working to stop the impactful spread of fake news, individuals can also take steps to impede its effect. Here are some signs users can look for to identify fake news:

  • Hyperbolic and clickbait headlines
  • Suspicious website domains that spoof legitimate news media
  • Misspellings in content and awkwardly laid-out websites
  • Obviously edited photos and images
  • No publishing timestamps
  • No author, sources or data

Read more about fake news and how it’s become such a growth area of cybercrime here.

FIRST and Beyond – a History of Elevating Research through Partnerships


At the FIRST conference in San Juan, Trend Micro’s Forward-looking Threat Research team will be presenting four sessions on a wide range of topics. These sessions will demonstrate a sliver of the research going on at Trend Micro, and some of the partnerships that elevate the research to benefit the global business community. For the past six years, our FIRST membership has provided guidance on what works best regarding research and initiatives.

Research is inspired by the community, and we contribute back as members by presenting our latest findings and best practices.

Are West African Cybercriminals on Safari in Your Network?

• David Sancho presenting June 12 from 2:45-3:30 p.m.

Hunting for Threats in Academic Networks

• Fyodor Yarochkin and Vladimir Kropotov presenting June 13 from 11:15-11:45

Web as Ongoing Threat Vector: Case Studies from Europe and Asia Pacific

• Fyodor Yarochkin and Vladimir Kropotov presenting June 13 from 12:15-12:45

Experiences in Threat Data Processing and Analysis Using Open Source Software

• Morton Swimmer presenting June 16 from 12:15-12:45

What is FIRST?

FIRST is a global community of incident responders. The group deals with attacks, leaks and vulnerabilities to protect their countries – they’re directly exposed to cyber threats on a daily basis. Trend Micro’s partnership with FIRST serves as a sounding board for what works and what doesn’t in regards to security research and protection. For Trend Micro, the information exchange with this community is very important, as their experience and data complements ours and helps provide better protection for customers.

For the past four years, our researchers have presented at FIRST conferences at the global and regional levels, sharing back to the community that supports and helps direct research across the world. There is a high level of sharing among the FIRST community, which makes these events highly valuable.

Why Partnerships Matter

FIRST is one of many collaborations in which Trend Micro researchers partake. These partnerships allow our work to make a larger impact and benefit a wider audience – educating businesses and individuals about the threats they’re facing.

In recent years, Trend Micro researchers have partnered with INTERPOL, NCA, FBI, EUROPOL and others to provide vital intelligence for cybercrime investigations. This includes the arrest of a Nigerian national who led a massive ring of BEC scams.

Collaborating with major industry players demonstrates the value and quality Trend Micro’s research brings to the security community. Partnerships are an integral aspect of the global fight against cybercrime. We plan to continue working with law enforcement and other industry experts.

Linux is secure…right?


“There are no threats for Linux servers. Aren’t they built to be secure?”

“Linux servers are secure and hardened, why do we need additional security controls on those?”

“I do understand there are threats out there, but I am not aware of any major attacks on Linux servers.”

If you find yourself nodding as you read these statements, you’re not alone.

There is a common belief that Linux servers are more secure and less vulnerable than Windows servers.

Although there is some truth in the belief, the reality is that Linux servers (and the applications they host) also have vulnerabilities and by ignoring this, you are putting your business at unnecessary risk.

Widespread and increasing use

There was a time not too long ago when Linux was a ‘geek’ OS, the domain of command line management and limited enterprise use. Those days are definitely gone, as clearly illustrated by Gartner pegging the global OS growth for Linux at 13.5%[1], and by the prevalence of Linux in the public cloud, where approximately 90% of workloads in AWS EC2 are running some variant of Linux. With such widespread use for sensitive enterprise applications, it’s no wonder that there is an increasing focus on attacking Linux servers, as evidenced by the recent attack in South Korea that used a Linux-focused ransomware called Erebus and impacted the web sites, databases, and multi-media files of 3,400 businesses.

Secure, but still vulnerable

With more and more servers moving beyond the enterprise boundary and into the cloud, network protection at the host-level becomes increasingly important, as workloads need to defend themselves vs. having a perimeter around them. And remember, workloads include the applications that sit on top of Linux…it’s more than just the OS.

Having a host-based Intrusion Prevention System (IPS) will help protect against vulnerabilities in the core operating system AND the application stack running on top. Great examples of network-accessible vulnerabilities with widespread impact are the recent Apache Struts 2 issue, Heartbleed and Shellshock, but there are many more. And just because a vulnerability like Heartbleed is a couple of years old doesn’t mean that applications and servers are no longer vulnerable. A recent Shodan survey showed that Heartbleed was still exploitable on more than 180,000 servers around the world, with the majority of them in the US!

[1] Gartner, “Market Share Analysis: Server Operating Systems, Worldwide, 2016”, ID#G00318388, May 26, 2017

If you run a web server on Linux (running on at least 37 percent of the web servers out there according to W3Techs), you need protection against vulnerabilities affecting them, including Apache, Nginx, etc.

 

Vulnerabilities Covered              In and after 2014 (approx.)   Before 2014 (approx.)   Total
Non-Windows OS and Core Services     80                            230                     310
Web Servers                          114                           472                     586
Application Servers                  255                           319                     574
Web Console/Management Interfaces    113                           453                     566
Database Servers                     10                            218                     228
DHCP, FTP, DNS servers               9                             82                      91

Table 1: Vulnerabilities Protected by Deep Security

 

It is very important not to confuse vulnerabilities with threats. While there may be fewer known threats for Linux, if you look at the National Vulnerability Database, there are a similar number of vulnerabilities reported for both the Linux and Windows operating systems.

Malware, designed for Linux

Contrary to popular belief, there is a lot of malware for the Linux platform. While the numbers in comparison to Microsoft Windows are not quite as high, there are still tens of thousands of pieces of malware designed for Linux, including the Erebus ransomware mentioned above.

Deploying ONLY anti-malware is inadequate for protecting servers. However, most attacks on datacenters that lead to breach involve the installation of malware as part of the attack chain.  This is why compliance and security frameworks such as PCI-DSS (Section #3), SANS CIS Critical Security Controls (Section #8), and NIST Cybersecurity Framework (Section DE.CM-4) all continue to recommend anti-malware as a best practice.

Layered security for Linux workloads

It’s clear that there is no silver bullet when it comes to server security, and that businesses should be using a layered security approach to protect vulnerable Linux workloads. Beyond anti-malware and IPS, there are a number of controls that will help to build a robust Linux strategy:

  • Application Control: helps ‘lock down’ the Linux host to prevent any unknown process or script from running. This prevents the malware from running in the first place or attackers from taking advantage of backdoors that it might have placed on the server.
  • Integrity Monitoring: A new threat is likely to make changes to the system somewhere (ports, protocol changes, files), so it’s important to watch for these. Integrity monitoring watches the system for any changes outside of an authorized change window, which tend to be few for typical production workloads.
  • Log Inspection: Scans log files and provides a continuous monitoring process to help identify threats early in the cycle. Attacks like SQL Injection, command injection, attacks against APIs can be seen in the logs and then action taken.
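As an added illustration of the Log Inspection control (example code written for this page, not Deep Security's own rules or implementation): a small Python pass that parses web server access log lines in the common "combined" format, percent-decodes the request target so that double-encoded requests don't slip past, and flags SQL injection and command injection markers. The log lines and the rule set are constructed for this example and are deliberately small; a production rule base would be far larger.

```python
"""Minimal log-inspection pass over web server access logs (constructed example)."""
import re
from urllib.parse import unquote_plus

# Apache/Nginx "combined" log format:
# client ident user [time] "METHOD target PROTO" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative rules: (name, pattern applied to the fully decoded request target).
_RULES = [
    ("sql_injection", re.compile(
        r"""('|\b)\s*(or|and)\s+['"\d]+\s*=\s*['"\d]+|union\s+(all\s+)?select\b|\bsleep\s*\(""",
        re.I)),
    ("command_injection", re.compile(
        r"""[;|`]\s*(cat|wget|curl|nc|bash|sh|id|whoami)\b|\$\(|/etc/passwd""")),
    ("path_traversal", re.compile(r"(\.\./){2,}")),
]


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly: a double-encoded payload is only visible
    after the second pass, so a single unquote would miss it."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_line(line: str):
    """Return a list of (rule_name, client, decoded_target) hits for one line."""
    rec = parse_line(line)
    if rec is None:
        return []                       # unparseable lines are skipped, not silently matched
    decoded = decode_target(rec["target"])
    hits = []
    for name, pat in _RULES:
        if pat.search(decoded):
            hits.append((name, rec["client"], decoded))
    return hits


def inspect_log(lines):
    """Run every rule over every line and collect the findings in log order."""
    findings = []
    for line in lines:
        findings.extend(inspect_line(line))
    return findings


# Constructed sample log lines (not real traffic). The third request is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jun/2017:10:01:07 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/7.52"',
    '198.51.100.7 - - [12/Jun/2017:10:02:11 +0000] "GET /cgi-bin/status?host=x%253Bcat%2520%252Fetc%252Fpasswd HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.8 - - [12/Jun/2017:10:02:30 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for name, client, target in inspect_log(SAMPLE_LOG):
        print(f"{name:18s} from {client:14s} -> {target}")
```

Feeding the output into an alert or a ticket is the "action taken" step; the parse-then-decode-then-match order is what makes the encoded request in the third sample line visible at all.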

The lesson we learn here is that although Linux is a more secure and reliable operating system option, it’s not your cure-all solution when it comes to security. Like any other OS, some assembly and maintenance is required, and it’s your responsibility to adopt a multi-layered security strategy, including managing regular updates and adding additional security controls to protect the servers AND the applications running on them. To learn more about Linux vulnerabilities and how to protect against them using Trend Micro Deep Security, read our short research paper here.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 12, 2017


“What can you sit on, sleep on, and brush your teeth with?” This was the question posed to Steve Martin’s character C.D. Bales in the 1987 movie Roxanne. In a modern take of Edmond Rostand’s 1897 verse play Cyrano de Bergerac, the movie centers around C.D.’s attempt to win the love of a woman while navigating life with his unusually large nose. When C.D. wonders what the point of the question is, his god sister responds, “The point is that sometimes the answer is so obvious, you don’t even realize it. It’s as plain as the nose on your face.” By the way, the answer to the question is so obvious: a chair, a bed, and a toothbrush.

At the Gartner Security and Risk Summit in Washington, D.C., held earlier this week, I heard a recurring theme across the various sessions I attended. The theme was around the fact that the discipline of patching isn’t where it needs to be. As we witnessed with the recent WannaCry ransomware attack, which utilized vulnerabilities that were disclosed by The Shadow Brokers and subsequently patched by Microsoft, many organizations were still affected because they hadn’t patched their systems. The general guidance given at various sessions: Patch your systems. While the answer is so obvious, it may not be practical for some organizations, especially those with thousands of systems. Our solutions can help through the use of “virtual patching.” While virtual patching is a term that is now pretty common in the security world, where we stand out is when vulnerabilities haven’t been patched by the vendor. If a vulnerability comes to us via the Zero Day Initiative, we will have protection for our customers ahead of a patch that’s made available by the vendor. This is even more important if a vulnerability is brought to us for a solution that is no longer supported by the vendor. Interestingly enough, with this month’s Microsoft Patch Tuesday, Microsoft has issued SMB patches for Windows XP, which reached its end of support deadline in April 2014. While Microsoft states that doing this is an exception and not the norm, it could create a false “safety net” for those who haven’t upgraded their systems. The precedent that this might set in the future is an answer that isn’t so obvious.

Microsoft Update

This week’s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before June 13, 2017. Microsoft released patches for almost 100 new CVEs in Internet Explorer, Edge, Office, Windows, and Skype. A total of 18 of these CVEs are rated Critical. The following table maps Digital Vaccine filters to the Microsoft updates. You can get more detailed information on this month’s security updates from Dustin Childs’ June 2017 Security Update Review from the Zero Day Initiative:

CVE # Digital Vaccine Filter # Status
CVE-2017-0173 No Vendor Intelligence Provided
CVE-2017-0193 No Vendor Intelligence Provided
CVE-2017-0215 28628
CVE-2017-0216 No Vendor Intelligence Provided
CVE-2017-0218 No Vendor Intelligence Provided
CVE-2017-0219 No Vendor Intelligence Provided
CVE-2017-0260 No Vendor Intelligence Provided
CVE-2017-0282 No Vendor Intelligence Provided
CVE-2017-0283 No Vendor Intelligence Provided
CVE-2017-0284 No Vendor Intelligence Provided
CVE-2017-0285 No Vendor Intelligence Provided
CVE-2017-0286 No Vendor Intelligence Provided
CVE-2017-0287 No Vendor Intelligence Provided
CVE-2017-0288 No Vendor Intelligence Provided
CVE-2017-0289 No Vendor Intelligence Provided
CVE-2017-0291 No Vendor Intelligence Provided
CVE-2017-0292 No Vendor Intelligence Provided
CVE-2017-0294 No Vendor Intelligence Provided
CVE-2017-0295 No Vendor Intelligence Provided
CVE-2017-0296 Insufficient Vendor Information
CVE-2017-0297 No Vendor Intelligence Provided
CVE-2017-0298 No Vendor Intelligence Provided
CVE-2017-0299 No Vendor Intelligence Provided
CVE-2017-0300 No Vendor Intelligence Provided
CVE-2017-8460 No Vendor Intelligence Provided
CVE-2017-8461 No Vendor Intelligence Provided
CVE-2017-8462 No Vendor Intelligence Provided
CVE-2017-8464 28614
CVE-2017-8465 28616
CVE-2017-8466 28618
CVE-2017-8468 28620
CVE-2017-8469 No Vendor Intelligence Provided
CVE-2017-8470 No Vendor Intelligence Provided
CVE-2017-8471 No Vendor Intelligence Provided
CVE-2017-8472 No Vendor Intelligence Provided
CVE-2017-8473 No Vendor Intelligence Provided
CVE-2017-8474 No Vendor Intelligence Provided
CVE-2017-8475 No Vendor Intelligence Provided
CVE-2017-8476 No Vendor Intelligence Provided
CVE-2017-8477 No Vendor Intelligence Provided
CVE-2017-8478 No Vendor Intelligence Provided
CVE-2017-8479 No Vendor Intelligence Provided
CVE-2017-8480 No Vendor Intelligence Provided
CVE-2017-8481 No Vendor Intelligence Provided
CVE-2017-8482 No Vendor Intelligence Provided
CVE-2017-8483 No Vendor Intelligence Provided
CVE-2017-8484 No Vendor Intelligence Provided
CVE-2017-8485 No Vendor Intelligence Provided
CVE-2017-8487 No Vendor Intelligence Provided
CVE-2017-8488 No Vendor Intelligence Provided
CVE-2017-8489 No Vendor Intelligence Provided
CVE-2017-8490 No Vendor Intelligence Provided
CVE-2017-8491 No Vendor Intelligence Provided
CVE-2017-8492 No Vendor Intelligence Provided
CVE-2017-8493 No Vendor Intelligence Provided
CVE-2017-8494 No Vendor Intelligence Provided
CVE-2017-8496 28613
CVE-2017-8497 28615
CVE-2017-8498 No Vendor Intelligence Provided
CVE-2017-8499 No Vendor Intelligence Provided
CVE-2017-8504 No Vendor Intelligence Provided
CVE-2017-8506 No Vendor Intelligence Provided
CVE-2017-8507 No Vendor Intelligence Provided
CVE-2017-8508 No Vendor Intelligence Provided
CVE-2017-8509 28619
CVE-2017-8510 28621
CVE-2017-8511 No Vendor Intelligence Provided
CVE-2017-8512 No Vendor Intelligence Provided
CVE-2017-8513 No Vendor Intelligence Provided
CVE-2017-8514 No Vendor Intelligence Provided
CVE-2017-8515 No Vendor Intelligence Provided
CVE-2017-8517 No Vendor Intelligence Provided
CVE-2017-8519 No Vendor Intelligence Provided
CVE-2017-8520 No Vendor Intelligence Provided
CVE-2017-8521 No Vendor Intelligence Provided
CVE-2017-8522 No Vendor Intelligence Provided
CVE-2017-8523 No Vendor Intelligence Provided
CVE-2017-8524 28622
CVE-2017-8527 No Vendor Intelligence Provided
CVE-2017-8528 No Vendor Intelligence Provided
CVE-2017-8529 Insufficient Vendor Information
CVE-2017-8530 No Vendor Intelligence Provided
CVE-2017-8531 No Vendor Intelligence Provided
CVE-2017-8532 No Vendor Intelligence Provided
CVE-2017-8533 No Vendor Intelligence Provided
CVE-2017-8534 No Vendor Intelligence Provided
CVE-2017-8543 28629
CVE-2017-8544 No Vendor Intelligence Provided
CVE-2017-8545 No Vendor Intelligence Provided
CVE-2017-8547 28611
CVE-2017-8548 No Vendor Intelligence Provided
CVE-2017-8549 No Vendor Intelligence Provided
CVE-2017-8550 No Vendor Intelligence Provided
CVE-2017-8551 No Vendor Intelligence Provided
CVE-2017-8553 No Vendor Intelligence Provided
CVE-2017-8554 No Vendor Intelligence Provided
CVE-2017-8555 No Vendor Intelligence Provided
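The table above is the raw form in which the weekly bulletin maps each newly published CVE either to the Digital Vaccine filter that covers it or to a status such as "No Vendor Intelligence Provided". A defender triaging Patch Tuesday usually wants that mapping split into "already shielded by the IPS" and "depends entirely on patching". The parser below is an added example, not Trend Micro code; it assumes only the one-CVE-per-line layout seen on this page, and the sample bulletin it embeds is constructed (the filter numbers in it are copied from the table above).

```python
"""Parse a Digital Vaccine (DV) bulletin's CVE-to-filter table into a coverage summary.

Added example (not Trend Micro's code). Each bulletin line is a CVE id followed
either by a DV filter number or by a vendor-intelligence status string.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One CVE id, whitespace, then the remainder of the line (filter number or status text).
_LINE_RE = re.compile(r"^\s*(CVE-\d{4}-\d{4,})\s+(.+?)\s*$")


@dataclass(frozen=True)
class CoverageEntry:
    cve: str
    filter_id: Optional[int]   # DV filter number when one exists
    status: Optional[str]      # status text when no filter exists

    @property
    def covered(self) -> bool:
        return self.filter_id is not None


def parse_line(line: str) -> Optional[CoverageEntry]:
    """Return a CoverageEntry for one bulletin line, or None for blank/unrelated lines."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    cve, rest = m.group(1), m.group(2)
    if rest.isdigit():
        return CoverageEntry(cve=cve, filter_id=int(rest), status=None)
    return CoverageEntry(cve=cve, filter_id=None, status=rest)


def parse_bulletin(lines: Iterable[str]) -> List[CoverageEntry]:
    """Parse every recognisable line; silently skip anything that is not a CVE row."""
    entries = (parse_line(ln) for ln in lines)
    return [e for e in entries if e is not None]


def coverage_summary(entries: List[CoverageEntry]) -> Dict[str, object]:
    """Split the table into IPS-covered and patch-only CVEs, with a count per status."""
    covered = sorted(e.cve for e in entries if e.covered)
    uncovered = sorted(e.cve for e in entries if not e.covered)
    statuses = Counter(e.status for e in entries if not e.covered)
    return {
        "total": len(entries),
        "covered": covered,
        "uncovered": uncovered,
        "status_counts": dict(statuses),
    }


# Constructed sample in the bulletin's format; filter numbers match the page's own table.
SAMPLE_BULLETIN = """\
CVE-2017-8496 28613
CVE-2017-8497 28615
CVE-2017-8498 No Vendor Intelligence Provided
CVE-2017-8529 Insufficient Vendor Information
CVE-2017-8543 28629
CVE-2017-8544 No Vendor Intelligence Provided

not a cve line
"""

if __name__ == "__main__":
    summary = coverage_summary(parse_bulletin(SAMPLE_BULLETIN.splitlines()))
    print(f"{len(summary['covered'])}/{summary['total']} CVEs have a DV filter")
    for cve in summary["uncovered"]:
        print("patch-only:", cve)
```

The "uncovered" list is the one to hand to the patching team first: for those CVEs there is no network-level shield, so the fix window is the only control.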

Zero-Day Filters

There are 11 new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (5)

  • 28543: ZDI-CAN-4719: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28544: ZDI-CAN-4729: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28546: ZDI-CAN-4730: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28547: ZDI-CAN-4731: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28548: ZDI-CAN-4732: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) 

Trend Micro (5)

  • 28536: ZDI-CAN-4652: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28537: ZDI-CAN-4653: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28538: ZDI-CAN-4659: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28541: ZDI-CAN-4664: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28542: ZDI-CAN-4671,4675: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise) 

Hewlett Packard Enterprise (1)

  • 28608: HTTPS: HPE Network Automation RedirectServlet SQL Injection Vulnerability (ZDI-17-331) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.


This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!


New Trojan Android, Xavier, Is an Information-Stealing Ad Library

We have recently discovered a Trojan Android ad library called Xavier (Detected by Trend Micro as ANDROIDOS_XAVIER.AXM) that steals and leaks a user’s information silently. Xavier’s impact has been widespread.

Erebus Linux Ransomware Strikes Again

On June 12, South Korea-based web hosting company NAYANA became one of the latest high-profile victims of ransomware after 153 of its Linux servers were found infected with an Erebus ransomware variant. The ransomware attack affected the websites, databases and multimedia files of around 3,400 businesses using NAYANA’s service.

Spam Run in Europe Uses Hover Action to Deliver Banking Trojan

While much of today’s malware sports relatively new capabilities, most of its authors or operators still use old techniques to deliver it. Malicious macros and shortcut (LNK) files are still used in ransomware, banking Trojans, and targeted attacks, for instance.

Cyberpropaganda Is a Major Growth Area for Cybercriminals

As we predicted in 2016, cyberpropaganda is a major growth area for cybercriminals. Per that prediction, “The rise in the Internet penetration has opened the opportunity for invested parties to use the Internet as a free-for-all tool to influence public opinion to go one way or another.”

Hack Override Malware Took Down a Power Grid

Hackers appear to be testing the most evolved specimen of grid-sabotaging malware ever observed in the wild. Researchers describe this malware as the second-ever known case of malicious code purpose-built to disrupt physical systems.  

MacOS Security Reputation Challenged by New Ransomware-as-a-Service

Once viewed as nigh-on impregnable, Apple’s reputation for secure products is being challenged once again, this time by ransomware-as-a-service. Mac computers are being targeted by a new strain of malware created to infect the OS. 

The Next Step in Advanced Targeted Attacks Is Business Process Compromise

Targeted attacks have come a long way in recent years, leveraging increasingly advanced techniques aimed at specific individuals. Often, these hackers pinpoint a single person within an enterprise, steal their credentials, log into an account, and leverage this position to find sensitive information. 

Hackers Use Protection Strategies for Attack

It’s a recurring theme in sports movies, war stories and crime stories alike: In order to defeat the enemy, one must think like the enemy. This approach has been taken – oftentimes quite successfully – in an array of settings, including the cybersecurity realm.  

The Demand for Crimeware-as-a-Service Is Growing

Malware, botnets, phishing and backdoors are all offered on the cheap as subscription. Today’s successful malware writers are remarkable in their ability to adjust not only their technical capabilities to evade the latest security technologies, but also their business practices. 

Trend Micro’s Forward-Looking Threat Research Team is Presenting at FIRST

At the FIRST conference in San Juan, Trend Micro’s Forward-looking Threat Research team will be presenting four sessions on a wide range of topics. These sessions will demonstrate a sliver of the research going on at Trend Micro. 

National Flight Academy Plans First-of-Its Kind Cybersecurity Camp for Kids

Instead of swimming, surfing or horseback riding, summer camp for some Pensacola-area kids involves sitting in a room filled with computer screens and learning about cybersecurity. Students will practice writing computer code, encrypting messages and thwarting hacking attempts. 

Please add your thoughts in the comments below or follow me on Twitter; @JonLClay.

Ransomware & Advanced Attacks: Servers are Different


Ransomware and other advanced attacks are the scourge of the modern IT security team. If allowed to gain access to your IT environment, these attacks could shut down the organization, denying access to mission critical applications & data for potentially days, or even indefinitely. The result? The disruption of service delivery, lost productivity and a hefty hit to reputation and profits.

While traditionally thought of as an endpoint issue – 93 percent of phishing emails are now ransomware – the reality is that ransomware and other advanced attacks are also focused on your servers. The combination of instantly available infrastructure via the public cloud and the increasing velocity of application delivery to create competitive advantage, has made servers an important target for cybercriminals.

Servers are different than a traditional endpoint: the applications and operating systems that run enterprise workloads in the data center, in the cloud, and in containers can be extremely dynamic, making the approach to security different.

A recent Gartner report states that “Server workloads in modern hybrid data centers use private and public cloud computing and require a protection strategy different from end-user-facing devices. Security and risk management leaders should use risk-based models to prioritize evaluation criteria for cloud workload protection platforms.” <Source: Gartner, “Market Guide for Cloud Workload Protection Platforms”, March 2017 G00302941 >

The fundamentals still matter – get patched

Servers are workhorses of the enterprise, driving your business forward and supporting your most valuable data; it’s only natural that the bad guys are heading straight for this part of the IT infrastructure, whether it’s in the data center or in the cloud. Ransomware & advanced attacks are being created to take advantage of vulnerabilities found on servers, including the recent WannaCry ransomware, which leveraged a Microsoft Windows SMB vulnerability to inject itself onto servers and endpoints. Not to be left out, Linux servers – the dominant server for public cloud workloads—are also being targeted, with the recent Erebus attack that had a serious impact on a large web hosting firm (and their 3,400 customers!) in South Korea.

Patching is never easy, but no IT security professional can deny its importance. Modern IT environments are complex systems which require IT departments to manage multiple disparate patching processes, including new approaches like blue-green deployments. For mission critical systems, patches are sometimes delayed because organizations simply can’t afford the downtime needed to test and roll out fixes. It’s estimated that fixing the software flaws in enterprise applications takes approximately 250 days for IT firms and 205 days for retail businesses. It only takes one exploit to get through for your organization to hit the headlines as the next major ransomware victim. In addition, for either operational or financial reasons, many organizations are still running Windows 2003 close to two years after its end of life, which means no patches are available: mitigation strategies – often expensive – have to be in place, or the risk of exposure goes up exponentially.

Hybrid cloud is complicated

The hybrid cloud includes physical, virtual, cloud and container workloads, with new technologies like serverless functions and processes like DevOps introducing new complexity in the way that your organization operates. While embracing new technologies to gain benefits like increased agility and rapid application delivery make good business sense, the reality is that existing architectures also need to be maintained and secured at the same time. If this means that you have accumulated multiple tools along the way to the hybrid cloud, you are probably feeling significant pain just keeping everything running!

Unfortunately, this complexity can also leave gaps – who isn’t too busy to get everything done, right?—which cybercriminals are only too ready and willing to exploit. You might have put in place perimeter security, for example, but what if a compromised endpoint accesses a vulnerable file server? Then you have an attack which started inside the network, bypassing traditional security controls. And of course, there is no perimeter in the cloud…so what then? 

Layered security is the right answer

The answer lies in advanced server security solutions like Trend Micro Deep Security. It’s been designed to protect workloads across physical, virtual, cloud and container environments with host-based security to shield servers from a wide range of threats including ransomware. Having one product with multiple controls is a great way to both increase security and reduce operational overhead. Powered by XGen™ Security, Deep Security includes a range of cross-generational security techniques that can help stop ransomware from hitting your enterprise servers, enabling you to easily:

  • Stop network attacks and shield vulnerable applications & servers, leveraging Intrusion Prevention (IDS/IPS) and firewall techniques;
  • Lock down systems and detect suspicious activity on servers, using techniques like application control and integrity monitoring that have been optimized for the hybrid cloud; and
  • Prevent malware and targeted attacks from successfully infiltrating your servers, leveraging proven anti-malware and advanced techniques like behavioral analysis & sandboxing.

With 752 percent growth in the number of ransomware families in 2016, the black hats have found a way to generate enough revenue – $1B in 2016 – to invest significant resources in rapidly evolving their attack strategies. With servers at the center of the enterprise, it’s clear that you need a strategy that both secures workloads wherever they might be – physical, virtual, cloud, containers – and aligns with the need for business agility that modern technology enables.

Find out more about how Trend Micro can help at www.trendmicro.com/hybridcloud.

Tradition and Technology: Trend Micro Takes to the Water for Dragon Boat Challenge


At Trend Micro, we’re used to fighting it out against a constant barrage of cyber threats facing our customers. But we don’t just want to be number one in cybersecurity: we’re also highly competitive elsewhere. As a company proud of our East Asian links we’re keen Dragon Boat racers, and guess what? Dragon Boat season is now officially in full swing: not just in traditional countries like Taiwan, but also around the world.

That’s why Trend Micro will be blending technology with tradition when we take on all comers at the long-running Ottawa Dragon Boat festival later this month, following our battling performance at a similar event in Taipei at the end of May.


A tragic tale

The Dragon Boat Festival has many different Chinese names associated with it, but most commemorate the same event: the suicide of poet and minister Qu Yuan back in 278 BC. Qu’s protests at the corrupt Chu government of the day led him to be stripped of his title as minister, and subsequent banishment. After a rival state captured the Chu capital many years later, he is said to have drowned himself in the Miluo river in southern China in a ritual suicide.

It’s claimed that locals who admired the politician-turned-poet raced out in their boats in an attempt to save him, banging their drums in a bid to scare away the fish circling his body. Or at least, that’s how many interpret the festival’s origins. Given that it’s traditionally held on the fifth day of the fifth month of the traditional Chinese calendar, it’s also been linked to crop fertility rituals in the region.

Racing for victory

At Trend Micro, all 5,000+ employees across the planet share a common vision: to make the world a safer place in which to exchange digital information. But we’re particularly proud that our unity of purpose in battling cyber threats also brings our disparate teams together in other ways. That’s why despite being located on opposite sides of the globe, our teams in Taiwan and Canada are united not just in a passion for cybersecurity but also Dragon Boat racing.

We sent two teams of more than 60 people to compete in the 2017 Taipei Dragon Boat Festival on 28-30 May, hailing from all parts of the business – R&D to Sales, Technical Support to HR. For anyone who hasn’t seen or taken part, let’s be clear: these are noisy, high-octane, no-holds-barred races – a riot of sound and color but definitely not for the faint-hearted.

Not to be outdone, our Canadian colleagues are going out to stamp their mark on the upcoming Ottawa Dragon Boat Festival, 22-25 June. Dating back to the early 90s, it’s North America’s largest and one of the biggest sporting and entertainment events in Canada’s capital, boasting over 200 teams and 75,000 attendees. If you fancy coming down to cheer on our brave participating Trenders, why not do it from the Trend Micro Paddler’s Paradise, our sponsored area in a prime spot of the shore, offering great views of the races?

We wish all taking part good luck!

Bringing Data Center Security to Cloud Speed


Last week, while visiting the product management team for Deep Security, I asked about their latest release. They surprised me by saying the big news is that there IS a release. Confused, I asked them to elaborate…

You see, when you develop software, you’re faced with many choices, one of which is deciding whether to offer software that a customer can run, or a SaaS version and release new features instantly, as they become available to all users.

SaaS has become a very popular option for software developers these days because the speed of adoption is very fast.

However, what happens when an organization needs your service, but compliance, regulation or company policy dictates that the data and software need to live within their own data center? For any number of reasons, they can’t adopt a SaaS offering. Well, then you must turn to software deployment models that traditionally mean major releases every year or two followed by minor releases.

With Deep Security, we recognized that users needed a choice of deployment models. Some chose SaaS for the low management overhead, easy setup and lower cost of having a hosted security console. Others chose software for large data center deployments or hybrid deployments, due to either compliance or company policy. While we support both options, SaaS has been at the forefront of Trend Micro’s new features and services in recent years. It has introduced features like the new user interface, Smart Folders or SAML Authentication first, while the software management console received them as upgrades in the next major release.

That meant that all of the people using the SaaS model in the cloud were moving at cloud speed, while the data center users were stuck on the ground with a speed limit.

Well that is all about to change.

We knew releasing Deep Security 10.0 was a milestone in many ways. Beyond being the latest version of a server security solution that has stood the test of time, it also marked the end of the traditional monolithic release cycle for our important software users.

The team has worked tirelessly to bring the agility of a SaaS model to customers using software for hybrid cloud deployments. With our new approach to software releases, we will ship feature packs that deliver major features as they become available, eliminating the need to wait for the next major release. Starting with Trend Micro Deep Security 10.1, software users will receive these feature packs ahead of the next major release. Bringing this agility to the data center is an impactful step in ensuring our customers have the latest advanced security protection and features at all times. Of course, not all organizations move at the speed of cloud, but having this option is a big step forward for some and a requirement for others.

Deep Security 10.1 will include major advancements like Windows application control, advanced identity management with SAML support, zero-impact updates for the network security functions, and an in-product news feed to keep our users up to date on the latest threats and protection. All this in just a few short months after 10.0 was rolled out to our software customers.

The in-product news feed is another example of moving at the speed of the cloud. Deep Security (SaaS or Software) frequently receives major protection advancements. This new in-product experience allows users to understand the latest threats or product advancements right from the management console. Now all Deep Security users can enjoy the benefits of having the absolute latest protection and features no matter how they deploy. Deep Security has become a living, evolving tool for the data center and cloud alike, with users at the heart of it all.

This is really about bringing operational excellence to hybrid environments. It’s about removing the traditional speed limits from enterprise software and giving you the opportunity to move at the pace of the cloud. It’s time to open this baby up…

Find out more at www.trendmicro.com/hybridcloud

If you have questions or comments, please post them below or follow me on Twitter: @justin_foster.

The Inside Scoop on the World’s Leading Bug Bounty Program


Within the security researcher community, the Zero Day Initiative (ZDI) program is a well-known entity, representing the world’s largest vendor agnostic bug bounty program. Customers of the TippingPoint Intrusion Prevention Systems (IPS) and Threat Protection Systems (TPS) know the ZDI as the group that buys 0-days so they have protections before the affected vendor releases a patch. Outside of those communities, there may be misconceptions about what happens behind the scenes when dealing with so many bugs.

At a high level, here’s how the program works. An independent researcher finds an otherwise unknown vulnerability (e.g. 0-day) in a piece of software and reports that to the ZDI. The researcher can be from just about anywhere – we have worked with more than 3,000 different researchers from 80+ countries. Being vendor agnostic means the software can be just about anything, too. In 2016, the ZDI purchased 0-days impacting 49 different vendors, including large vendors like Microsoft and Adobe as well as small, industry specific vendors like those in the SCADA realm. Once the bugs are verified by our internal researchers, we buy the bug – offering a variable price based on many factors (i.e. quality of the write-up, ubiquity of the target, ease of exploit, etc.).

Now that we have confirmed the bug is real, two different things happen. First, the Digital Vaccine team creates filters for Trend Micro customers, which provides them an average of 57 days of protection against these 0-days before anyone else. Perhaps more importantly, the bug is then disclosed to the vendor. The ZDI team works with the vendor to ensure a security patch is developed and released to the public. So even if you don’t use any Trend Micro products, your enterprise security is strengthened by the ZDI program. How often does this occur? Well, for the past three years, the ZDI has been the number one supplier of bugs to Microsoft, Adobe, and SCADA vendors, amongst others. That equates to more than 2,100 patches just since 2014, and we’ve been doing this since 2005.

Another group familiar with the ZDI program are the vendors receiving our bug reports. Although it may seem to be an adversarial relationship, we do everything we can to assist vendors throughout the process. And vendor size or name recognition doesn’t matter to us – we strive to treat all vendors equitably. We provide accountability to both customers and researchers by listing when vulnerabilities are reported, which is not done by other bug bounty programs. After 120 days, if the vendor hasn’t made a patch available, we release additional information about the bug so that enterprises can gauge the risk to their systems. Unlike some, if the vendor is making significant progress towards a patch, we do extend this deadline provided real work is being done. In fact, there are some that consider us the cheapest and friendliest code audit they didn’t know to ask for, and we’re just fine with that.

Researchers from the ZDI also run the annual Pwn2Own competition, which just celebrated its 10th anniversary. Starting with a simple laptop that had to be exploited (e.g. pwned), a successful attempt earned the researcher the target laptop (thus the own). From those humble beginnings, the contest has evolved into a premier event impacting the security design of the participating targets. The level of difficulty ratchets up, as well. For standard reports through the program, a simple description and demonstration suffices. For Pwn2Own, a fully-functional exploit chain is required for a win. Of course, the prices go up for higher quality exploits, too. This year we awarded $833,000 USD in three days while acquiring 51 new 0-day bugs. These bugs go beyond simple patches. Vendors began implementing defense-in-depth measures and additional protections based on the results of the contest – making each new Pwn2Own more difficult than the last. These improvements reach consumers and enterprise users through updates, making their systems more resilient, as well.

Though little known outside specific circles, the ZDI program has wide-ranging impacts. The program assists in the coordinated disclosure of vulnerabilities, which gives affected vendors the opportunity to issue patches to the public before the bugs are used maliciously. By providing public notification dates, we provide accountability to help ensure vendors don’t ignore researcher reports. The resulting patches and program improvements positively impact the community at large, even though they might not have realized where the research originated. As seen in recent ransomware attacks, proper patch management can be the difference between a nuisance and a multimillion-dollar recovery.

There is no such thing as secure software – at least not any software that actually does anything. As the industry and software itself evolves, we’ll continue to evolve with it. Our goal continues to be finding and disclosing security bugs in popular software, working with independent researchers from around the globe, and reporting these findings to the vendors so they can fix things in a timely manner. It might not always be easy, but it will continue to be worth doing – whether everyone realizes it or not.
