News has not been kind to US headquartered technology companies over the past year. From an erosion of faith because of a company’s geographic location, to a series of high profile breaches that are calling into question trust in your IT systems. Technology providers and governments have a vital role to play in rebuilding trust. And so do customers—who need to demand more from their technology providers.
In my recent trip to Europe, and speaking to some balanced, thoughtful, and concerned public officials, it got me thinking. Why do we trust the products we use? Is it because they work as advertised? Is it because the brand name is one we implicitly believe in for any number of reasons? Is it because the product was tested and passed the tests? Is it because everyone else is using it so it must be okay? Is it because when something goes wrong, the company that produced it fixes it? Is it because we asked how it was built, where it was built, and have proof?
That last question is the largest ingredient in product and service acquisition today, and that just has to change. Our customers are counting on us to do the right thing, and now we’re counting on them. It’s time for a market transition: where customers demand secure development lifecycles, testing, proof, a published remediation process, investment in product resilience, supply chain security, transparency, and ultimately – verifiable trustworthiness.
We saw some of this coming, and these are some of the principles I hear customers mention when they talk about what makes a trustworthy company and business partner. Starting in 2007, with a surge that began in 2009, we’ve systematically built these elements into our corporate strategy, very quietly, and now we want the dialogue to start.
I’m challenging customers to take the next step and require IT vendors to practice a secure development lifecycle, have a supply chain security program, and a public, verifiable vulnerability handling process.
I recently recorded the video blog above discussing what it means to be a trustworthy company. I hope you will share your thoughts and experiences in the comment section.
With the April 15th US tax deadline only about 2 months away, a new wave of tax related phishing is underway. In this latest spear-phishing campaign, attackers are attempting to gain access to your system so that they can steal your banking and other online credentials. An interesting twist to this latest campaign is that they seem to be specifically targeting high level security professionals and CTOs in technical companies.
On Tuesday, Talos noticed the beginning of a phishing campaign in our telemetry data. The subject of the emails all revolve around payment confirmation or Federal taxes. Some of the common subjects include:
Payment Confirmation
Federal tax payment received
Federal TAX payment
Payment Service
All customers that have customizations applied to their Clientless SSL VPN portal and regardless of the Cisco ASA Software release in use should review the security advisory and this blog post for additional remediation actions.
Cisco Talos is aware of the public discourse surrounding the malware family dubbed “The Equation Family”. As of February 17th the following rules (33543 – 33546 MALWARE-CNC Win.Trojan.Equation) were released to detect the Equation Family traffic. These rules may be found in the Cisco FireSIGHT Management Console (Defense Center), or in the Subscriber Ruleset on Snort.org. Talos security researchers have also added the associated IPs, Domains, URLs, and hashes to all Cisco security devices to provide immediate protection across the network. Talos will continue to monitor public information as well as continue to independently research to provide coverage to this malware family.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
While email has not been observed as an attack vector, ESA is capable of blocking the malware used in this campaign.
Midsize organizations are among the earliest adopters of new technologies. In general, they conduct much of their business over the Internet and are quick to embrace new apps, online payment systems, cloud, and Bring Your Own Device (BYOD) technologies. Fast adoption of innovations helps them to compete against larger organizations by meeting customer demands more cost effectively. But these business enablers are also creating security vulnerabilities that adversaries are exploiting for financial gain.
Adversaries aren’t just targeting prized assets like customer and employee data, invoices, and intellectual property. Cybercriminals also recognize that smaller companies are a vector into the networks of larger corporations. A 2013 study conducted by PricewaterhouseCoopers on behalf of the UK Government Department for Business, Innovation and Skills found that 87 percent of small businesses had been compromised, up 10 percent from the previous year. Many small and midsize companies are now mandated by partners to improve their threat defense. Regardless of size, organizations have legal and fiduciary responsibilities to protect valuable data, intellectual property, and trade secrets.
