Your Website Probably Wasn’t Hacked Through A Backdoor

When it comes to dealing with hacked websites our experience is that information coming from web hosts often isn’t great. When you consider how terrible many security companies dealing with websites are, it isn’t very surprising that companies that don’t claim that expertise would be bad as well.

Last week over on the blog for our Plugin Vulnerabilities service we discussed one issue that comes up from time to time, which is web hosts claiming that the source of a hack is whatever software that happens to be located where a hacker placed a malicious file. Often times the hacker just randomly place their malicious files, making the location of the file a weak piece of evidence as to the source of the hack in most cases.

Another recent example of this involved someone who contacted about a website that was hacked, cleaned, and then was getting re-infected everyday. In that situation our first question is always if the person that cleaned up the website determine how it was hacked. Seeing as someone doing a cleanup should attempt to determine how a website was hacked, that will tell you if the person doing the cleanup was doing things properly (the response almost always indicates they haven’t). It also important since the re-hacking could indicate that the security vulnerability that allowed the website has not been fixed and knowing what was believed was the cause would provide a better understanding of the situation.

In this case they said that there web host had been hacked through a backdoor (apparently the person that did the cleanup did not determine how the website was hacked). For those not familiar a backdoor would be code that allows a hacker remote access to the website internals. In most cases a backdoor could not be source of a hack since the backdoor would have to have gotten on the website. Usually the hacker will exploit a vulnerability to allow them to place a backdoor on a website and then use the backdoor to perform further actions on the website, so the backdoor isn’t the source of the hacking, only a result of it.

The main exception to this is that occasionally a malicious individual will be able to plant a backdoor into non-malicious code, say sneaking it in to an otherwise legitimate WordPress plugin in the Plugin Directory. That is by no means a common occurrence though.

If your web host or someone else is telling you your website was hacked through a backdoor, you should ask them how it got there to understand if they are correct about the source of if they failed to understand the actual source.

Which Cybersecurity Data Should You Trust?

Vault2

 

Limitations of security data
We are constantly battered by cybersecurity data, reports, and marketing collateral—and we shouldn’t treat all of this information equally. Security data has inherent limitations and biases, which result in varying value and relevance in how it should be applied. It is important to understand which data is significant and how best to allow it to influence your decisions.

A tsunami of security metrics, reports, analyses, blogs, papers, and articles vie for our attention. Sources range from reporters, researchers, professional security teams, consultants, dedicated marketing groups, and even security-operations people who are adding data, figures, and opinions to the cauldron. We are flooded with data and opinions.

It was not always this way. More than a decade ago, we lived in an information desert, where even speculations were rare. Making decisions driven by data has always been a good practice. Years ago, many advocates were working hard to convince the industry to share information. Even a drop is better than none. Most groups that were capturing metrics were too frightened or embarrassed to share. Data was kept secret by everyone while decision makers were clamoring for security insights based upon industry numbers, which simply were not available.

 

The impact of data secrecy
In the past, fear, uncertainty, and doubt ruled. People expected the worst, and unscrupulous security marketers took advantage, fanning the flames to sell products and snake oil. Those were dark times, promulgated with outlandish claims like “we solve security,” “total protection,” and “complete security solution.” Why customers chose to believe such nonsense (when the problem and the effectiveness of potential solutions could not be quantified) is beyond me, but many did. Trust in the security solutions industry was absent for a time.

Slowly, a trickle of informative sources began to produce reports and publish data. Such initiatives gained momentum, with others joining to share in limited amounts. This was the turning point. Armed with data and critical thinking, clarity and common sense began to take root. The transition was not perfect or quick, but the introduction of data from credible sources empowered security organizations to better understand the challenge and effectively maneuver against threats.

As the size of the market and competition grew, additional viewpoints joined the fray. Today, we are bombarded by all manner of cybersecurity information. Some are credible, while others are not. There are several types of data being presented, ranging from speculations to hard research. Being well informed is extremely valuable to decision makers. Now, the problem is figuring out how to filter and organize the data so that we are not misled.

As part of my role as a cybersecurity strategist, I both publish information to the community and consume vast amounts of industry data. To manage the burden and avoid the risks of believing less-than-trustworthy information, I have created a quick guide to help structure the process. It is burned into my mind as a set of filters and rules, and I have committed it to paper/screen to share.

I categorize data into four buckets. These are speculation, survey, actuarial, and research. Each has its pros and cons. The key to managing security data overload is to understand the limitations of each category, its respective value and its recommended usage.

Cybersecurity Data-Table

For example, survey data is the most unreliable, but does have value in helping us understand the fears and perceptions of the respondent community. Research data is normally very accurate but notoriously narrow in scope and may be late to the game. One of my favorites is actuarial data. I am a pragmatic guy.  I want to know what is actually happening so I can make my own conclusions. But there are limitations to actuarial data as well. It tends to be very limited in size and scope, so you can’t look too far into it. It is a reflection of the past, which may not align to the future.

I hear lots of complaints and criticisms regarding the validity, scope, intent, and usage of data. I have my favorites and those that I refuse to even read. Security data is notoriously difficult. There are so many limitations and biases, it is far easier to point out problems than to see the diamonds in the rough. But data can be valuable if filtered, corrected for bias, and the limitations are known. Don’t go in blind. Apply common sense. Follow a consistent method and structure to avoid pitfalls and maximize the data available to help you manage and maintain an optimal level of security.

The following are a few examples, in my opinion, of credible cybersecurity data across the spectrum of categories. Keep in mind the limitations of each group and don’t make the mistake of using the information improperly! Look to speculation for the best opinions, survey for the pulse of industry perceptions, actuarial for real events, and research for deep analysis:

 

Speculation

Survey

  • Threat Intelligence Sharing survey: McAfee Labs Threats Report March 2016.
  • 20% jump in cybercrime in the United Kingdom since 2014, with nearly two-thirds of businesses expressing no confidence in the ability of law enforcement to deal with it, from PwC.
  • 25% Americans believe they have experienced a data breach or cyber attack, from a Travelers survey.
  • 43% of organizations surveyed indicated increases in cybersecurity will drive the most technology spending, from the 2016 ESG IT spending intentions research report.
  • 61% of CEOs believe cyber threats pose a danger to corporate growth, from a PwC survey.

Actuarial

  • 3 out of 5 Californians were victims of data breaches in 2015, according to the state attorney general, from the 2016 California Data Breach Report.
  • ~35% of the US population: Top 10 health care breaches of 2015 affected about one-third of the US population, from the Department of Health and Human Services Office for Civil Rights.
  • Data Breach Investigations Report, from Verizon.
  • 2016 Annual Security Report, from Cisco.
  • 42 million new unique pieces of malware discovered in Q4 2015, bringing the total known samples to almost 500 million, from the McAfee Labs Threats Report of March 2016.
  • Security Intelligence Report, from the biannual report by Microsoft.

Research

By the way, this very blog should be considered speculation. Treat it as such.

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

The post Which Cybersecurity Data Should You Trust? appeared first on McAfee.

ISAO Group Hosts Productive 3rd Public Meeting

This post first appeared at [email protected]

The Information Sharing and Analysis Organization Standards Organization (ISAO SO) held its Third Public Forum on May 18–19 in Anaheim, California. More than 100 participants from academia, government, and industry sectors, including multiple participants from Intel, assembled to discuss the initial drafts recently published by the IASO SO and its working groups. Until now, the organization has had challenges mainly due to the ISAO SO development effort having to start from a totally blank slate. Over the past six months, the effort established working groups, recruited members, set up a collaboration infrastructure, and actively began developing guidelines for information sharing and analysis organizations.

As with any consensus development effort, quite often it takes time for those involved to develop consensus around direction, scope, and depth of content. It is even harder when the organization assisting the individual working groups is itself brand new. As you might expect, initial struggles were encountered getting the needed infrastructure in place to facilitate collaboration. There were questions as to what each of the working groups was going to be responsible for delivering and where the swim lanes were. Even the shape of the final deliverables was a hot discussion item. I am happy to report those issues are now largely behind us.

On May 18, the ISAO SO and all working group leaders met for the first time in person. It was obvious there were still issues to be addressed, but it was nice to see those issues were focused around the topics that involve overlapping and integrated efforts requiring the work of multiple working groups coming together. One of the positive outcomes of the meeting was a plan to structure the ISAO guidelines documentation to make it much more useful to a global audience.

In addition to the leadership meeting, the individual working groups met to discuss their current draft guidance. The meetings of the Information Sharing Working Group (SWG3) I chair were well attended and extremely productive. We discussed where we were, what we have produced to date, and the plan going forward. After struggling through foundational conversations—trying to define where we want to now focus our efforts given the initial guidance we produced—it was obvious there was a real positive attitude within the working group. From talking with other working group chairs, that spirit seemed to be prevalent throughout.

On May 19, a public meeting was held with discussions on the ISAO Vision, delivered by Dr. Greg White, the Executive Director of the ISAO SO; a CISA Guidance Update presented by Matthew Shabat of the US Department of Homeland Security; and “Interoperability, Automation & Sharing @ Net Speed” given by Dr. Peter Fonash, Chief Technology Officer, Cybersecurity and Communications, also with Homeland Security. Following those, each of the working groups briefly discussed their current work and opened the floor to attendee comments. The conversations were lively and challenging at times and all were very productive. I encourage you to continue the dialogue by commenting on the initial draft guidance.

While there is still a great deal to do and accomplish, it is rewarding to see the ISAO SO effort making substantial progress. As we left Anaheim it was obvious there was real enthusiasm, optimism, and a focused resolve toward advancing the cyber threat information sharing needed to improve our organizational, national, and global security postures.

The post ISAO Group Hosts Productive 3rd Public Meeting appeared first on McAfee.