Cyber security trends for 2018

Year 2017 was a bad cybersecurity year, and it is expected that Cybersecurity Dangers Will Spike in 2018. The security situation was so bad in 2017 that it was thought that We’re hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.

Here is a list of relevant cyber security terms for 2018:

AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. The threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions could possibly help with some of the security problems, but be warned of the over-hyping of AI in solutions. We will see many attacks against ‘black box’ machine learning.

Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: endpoint, AV, cloud, network/infrastructure, application, compliance, and the list goes on and on. While the overwhelming array of choices has given technologists a lot to evaluate, it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.

Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

Automation: Enterprises will no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security policy orchestration and automation are expected to lead next-generation cybersecurity for enterprises.

Backups: Understand and back up your data. Categorize data based on organizational value. Test that your backup and restore process actually works.

Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral analytics enables verification that users are doing the right thing. There are more and more tools to help companies detect anomalous behavior in their organizations.

Blockchain: A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community-based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as a looming security risk, and some see that authorized browser mining could be used for micro-payments.
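
As an added illustration (not code from the original post or from any real blockchain), here is a minimal hash-chained ledger in Python: each block commits to the SHA-256 hash of its predecessor, so altering a stored record is detected when the chain is re-verified. The block layout, the record strings and the "anchored head hash" check are this example's own assumptions; real systems add consensus and proof-of-work on top of this linking.

```python
# Added example: a minimal hash-chained ledger that shows how blocks are
# "linked and secured using cryptography". Each block commits to the hash of
# its predecessor, so changing any stored record breaks the link in the block
# that follows it. Constructed, illustrative code; no network, consensus or
# proof-of-work.
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # the first block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str                 # hex SHA-256 of the previous block's serialization
    records: List[str] = field(default_factory=list)

    def serialize(self) -> bytes:
        # Canonical JSON (sorted keys, no whitespace) so identical content always
        # yields identical bytes and therefore an identical hash.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.serialize()).hexdigest()


def build_chain(batches: List[List[str]]) -> List[Block]:
    """Build a chain from batches of records; each block links to the previous one."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, records in enumerate(batches):
        block = Block(index=i, prev_hash=prev, records=list(records))
        chain.append(block)
        prev = block.hash()
    return chain


def head_hash(chain: List[Block]) -> str:
    """Hash of the newest block; a verifier must learn this value independently."""
    return chain[-1].hash() if chain else GENESIS_PREV


def verify_chain(chain: List[Block], expected_head: str) -> Tuple[bool, Optional[int]]:
    """Recompute every link and compare the tip against an independently known head hash.

    Returns (True, None) if the chain is intact, otherwise (False, index of the
    block at which the problem becomes detectable).
    """
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            # A record in block i-1 was altered (its hash no longer matches what
            # block i committed to), or a block was removed or reordered.
            return False, i
        expected_prev = block.hash()
    if expected_prev != expected_head:
        # Tampering with the newest block is only caught by the link from the
        # *next* block, which does not exist yet, so the head hash has to be
        # anchored elsewhere (published, signed, or replicated by other nodes).
        return False, max(len(chain) - 1, 0)
    return True, None


if __name__ == "__main__":
    ledger = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    anchored_head = head_hash(ledger)
    print(verify_chain(ledger, anchored_head))   # (True, None)
    ledger[1].records[0] = "bob->carol:200"        # tamper with a stored record
    print(verify_chain(ledger, anchored_head))   # (False, 2)
```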

Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.

Certificates: Facebook released new Certificate Transparency tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks. With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
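
The alert logic of such a CT monitor, as an added example in Python (not Facebook's tool or any CT log client): entries that name one of your zones but whose fingerprint is not in your own inventory of requested certificates are flagged for review. The log entries, issuer names and fingerprints below are constructed placeholders.

```python
# Added example: the alert logic of a Certificate Transparency (CT) monitor.
# CT logs are public, append-only records of issued certificates; a domain owner
# watches them and raises an alert whenever a certificate appears for one of
# their names that they did not request. Entries and fingerprints below are
# constructed placeholders, not real certificates.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class LogEntry:
    fingerprint: str            # hex SHA-256 of the DER certificate (placeholder here)
    issuer: str
    names: Tuple[str, ...]      # subject CN plus SANs as they appear in the certificate


def normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.strip().lower().rstrip(".")


def covers_zone(cert_name: str, zone: str) -> bool:
    """True if a certificate name is the zone itself, a subdomain, or a wildcard over it.

    Anchored on a dot boundary so 'notexample.com' does not match 'example.com'.
    """
    cert_name, zone = normalize(cert_name), normalize(zone)
    if cert_name.startswith("*."):
        cert_name = cert_name[2:]      # '*.example.com' covers the example.com zone
    return cert_name == zone or cert_name.endswith("." + zone)


def unexpected_certificates(entries: Iterable[LogEntry], monitored_zones: Set[str],
                            known_fingerprints: Set[str]) -> List[LogEntry]:
    """Return log entries that name one of our zones but were not issued at our request.

    known_fingerprints is the inventory of certificates we actually requested;
    anything else for our names is a forgotten request or a mis-issuance.
    """
    alerts = []
    for entry in entries:
        if entry.fingerprint.lower() in known_fingerprints:
            continue
        if any(covers_zone(n, z) for n in entry.names for z in monitored_zones):
            alerts.append(entry)
    return alerts


# Constructed sample: what a monitor might pull from a CT log in one polling interval.
SAMPLE_ENTRIES = [
    LogEntry("aa" * 32, "Example CA", ("example.com", "www.example.com")),  # ours, known
    LogEntry("bb" * 32, "Other CA", ("mail.example.com",)),                   # ours, unknown
    LogEntry("cc" * 32, "Other CA", ("*.example.com",)),                      # wildcard over our zone
    LogEntry("dd" * 32, "Example CA", ("notexample.com",)),                   # look-alike, not ours
    LogEntry("ee" * 32, "Example CA", ("shop.example.org",)),                 # unrelated zone
]
MONITORED = {"example.com"}
KNOWN = {"aa" * 32}


def run_monitor() -> List[str]:
    """Fingerprints that should page the certificate owner for review."""
    return [e.fingerprint for e in unexpected_certificates(SAMPLE_ENTRIES, MONITORED, KNOWN)]


if __name__ == "__main__":
    for fp in run_monitor():
        print("ALERT: unexpected certificate for a monitored zone:", fp[:16] + "...")
```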

Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet cloud security is oftentimes still thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.

Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”

GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018’s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, at which time organizations in non-compliance will face heavy fines (a fine of up to 20,000,000 EUR or up to 4% of annual worldwide turnover). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of the data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller will be under a legal obligation to notify the Supervisory Authority without undue delay on issues like a data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.

Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.

HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.
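
As an added example (not the browsers' own code), a small Python audit that applies the same heuristics to a page you serve: forms on HTTP pages and password fields on HTTP pages are reported, and, going one step beyond the text, so are forms on HTTPS pages whose action posts back over plain HTTP. The URLs and HTML snippets are constructed.

```python
# Added example: a page audit that mimics the browser heuristics described above.
# Given the URL a page was served from and its HTML, it reports (1) forms on
# HTTP pages, (2) password fields on HTTP pages and (3) forms on HTTPS pages
# that submit to an http:// action. Sample URLs and HTML are constructed.
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every <form> and whether it contains a password field."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.forms: List[Dict] = []
        self.loose_password_fields = 0        # <input type=password> outside any <form>
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and a.get("type", "text").lower() == "password":
            if self._current is None:
                self.loose_password_fields += 1
            else:
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url: str, html: str) -> List[str]:
    """Return human-readable findings; an empty list means the page would not be flagged."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    findings: List[str] = []
    page_scheme = urlsplit(page_url).scheme.lower()

    if page_scheme == "http":
        if scanner.forms:
            findings.append("page with a form is delivered over HTTP (browsers label it 'Not secure')")
        if scanner.loose_password_fields or any(f["has_password"] for f in scanner.forms):
            findings.append("password field on an HTTP page (Firefox warns next to the field)")

    if page_scheme == "https":
        for form in scanner.forms:
            # Even an HTTPS page leaks what the user types if the form posts to http://.
            if urlsplit(form["action"]).scheme.lower() == "http":
                findings.append("form on HTTPS page submits over plain HTTP to " + form["action"])
    return findings


# Constructed samples.
LOGIN_PAGE_HTML = ('<form action="/login"><input name="u">'
                   '<input type="password" name="p"></form>')
LEGACY_FORM_HTML = '<form action="http://legacy.example.test/search"><input name="q"></form>'

if __name__ == "__main__":
    for url, html in [("http://shop.example.test/", LOGIN_PAGE_HTML),
                      ("https://shop.example.test/", LOGIN_PAGE_HTML),
                      ("https://shop.example.test/", LEGACY_FORM_HTML)]:
        print(url, audit_page(url, html))
```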

HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.

ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.

Identify: When you have an inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.

IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4 security, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is in any way dying. It seems that both of those technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default – so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work in this way or not).
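
A quick way to find out whether your hosts are already dual-stacked, as an added Python example (not from the original post): it parses the one-line-per-address output of `ip -o addr` and classifies IPv6 addresses by the RFC 4291 ranges. The sample output below is constructed.

```python
# Added example: an address inventory that shows which interfaces are already
# dual-stacked. It parses `ip -o addr` output (constructed sample below) and
# classifies IPv6 addresses by explicit RFC 4291 ranges rather than library
# heuristics, so documentation prefixes such as 2001:db8::/32 still count as
# global unicast.
import ipaddress
from typing import Dict, List

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")             # unique local addresses, RFC 4193
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample output of `ip -o addr` on a host with two interfaces.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 2001:db8:1::10/64 scope global
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link
3: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1
3: eth1    inet6 fe80::5054:ff:fe65:4321/64 scope link
"""

V6_KINDS = ("ipv6_global", "ipv6_ula", "ipv6_link_local", "ipv6_other")


def classify_v6(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        return "ipv6_link_local"
    if ip in ULA:
        return "ipv6_ula"
    if ip in GLOBAL_UNICAST:
        return "ipv6_global"
    return "ipv6_other"            # loopback, multicast, unspecified, ...


def inventory(ip_addr_output: str) -> Dict[str, Dict]:
    """Per-interface address lists plus dual-stack and IPv6-enabled flags."""
    result: Dict[str, Dict] = {}
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        iface = fields[1]
        entry = result.setdefault(iface, {"ipv4": [], **{k: [] for k in V6_KINDS}})
        addr = ipaddress.ip_interface(fields[3]).ip
        if addr.version == 4:
            entry["ipv4"].append(str(addr))
        else:
            entry[classify_v6(str(addr))].append(str(addr))
    for entry in result.values():
        routable_v6 = entry["ipv6_global"] or entry["ipv6_ula"]
        # Any link-local address means the IPv6 stack is live on that link and
        # must be covered by host firewall rules and monitoring, even without
        # a routable address.
        entry["ipv6_enabled"] = bool(routable_v6 or entry["ipv6_link_local"])
        # Dual-stack in the sense used in the text: IPv4 plus a routable IPv6 address.
        entry["dual_stack"] = bool(entry["ipv4"] and routable_v6)
    return result


def dual_stack_interfaces(inv: Dict[str, Dict]) -> List[str]:
    return sorted(name for name, entry in inv.items() if entry["dual_stack"])


if __name__ == "__main__":
    inv = inventory(SAMPLE)
    for name, entry in inv.items():
        print(name, "dual_stack=%s ipv6_enabled=%s" % (entry["dual_stack"], entry["ipv6_enabled"]),
              entry["ipv6_global"], entry["ipv6_link_local"])
    print("dual-stacked:", dual_stack_interfaces(inv))
```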

Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.

Integrate: Many gaps in security are due to an inability for disparate technologies to share information. Integration is key to making sure you get the most from your technology investments.

IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT security starts with liability for companies, not just legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT systems should address security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There is an ongoing Race for a Universal IoT Security Standard, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard. On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.

Micro-segmentation: Categorize data based on organizational value, and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks like WannaCry and NotPetya from propagating across networks to reach their intended target.
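
To make the propagation argument concrete, here is an added Python example (not from the original post) that evaluates a default-deny segmentation policy over sample flows and then computes how far a threat spreading over one port (SMB, TCP/445, which WannaCry and NotPetya used) could reach under a segmented policy versus a flat one. Segment ranges, rules and flows are constructed for illustration.

```python
# Added example: a default-deny segmentation policy evaluated over sample flows,
# plus a reachability check showing how far a worm spreading over one port could
# get under a micro-segmented policy compared with a flat network. Segments,
# rules and flows are constructed; they are not taken from the text.
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Rule:
    src: str      # source segment name
    dst: str      # destination segment name
    proto: str    # "tcp" or "udp"
    port: int


# Constructed segments (RFC 1918 space); in practice this comes from your IPAM.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "file-servers": ipaddress.ip_network("10.20.0.0/24"),
    "domain-controllers": ipaddress.ip_network("10.30.0.0/24"),
    "ot-plant": ipaddress.ip_network("10.40.0.0/24"),
    "supplier-vpn": ipaddress.ip_network("10.50.0.0/24"),
    "build-servers": ipaddress.ip_network("10.60.0.0/24"),
}

# Micro-segmented policy: only the flows a business function needs. There is no
# workstations -> workstations rule (host isolation) and nothing from the
# supplier VPN into workstations, file servers or the plant.
SEGMENTED_POLICY: Set[Rule] = {
    Rule("workstations", "file-servers", "tcp", 445),
    Rule("workstations", "domain-controllers", "tcp", 88),
    Rule("workstations", "domain-controllers", "tcp", 389),
    Rule("supplier-vpn", "build-servers", "tcp", 22),
    Rule("build-servers", "file-servers", "tcp", 445),
}

# Flat network for comparison: SMB permitted between every pair of segments.
FLAT_POLICY: Set[Rule] = {Rule(s, d, "tcp", 445) for s in SEGMENTS for d in SEGMENTS}


def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(policy: Set[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if a rule names its segment pair, protocol and port.

    Traffic inside one segment (src == dst) also needs an explicit rule, which is
    what "limiting communication between workstations" means in practice.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return Rule(src, dst, proto.lower(), port) in policy


def reachable_over(policy: Set[Rule], start: str, proto: str, port: int) -> Set[str]:
    """Segments a self-propagating threat could reach from 'start' using one protocol/port."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for rule in policy:
            if (rule.src == cur and rule.proto == proto and rule.port == port
                    and rule.dst not in seen):
                seen.add(rule.dst)
                queue.append(rule.dst)
    return seen


if __name__ == "__main__":
    print("workstation -> workstation SMB:",
          is_allowed(SEGMENTED_POLICY, "10.10.1.5", "10.10.1.9", "tcp", 445))      # False
    print("workstation -> file server SMB:",
          is_allowed(SEGMENTED_POLICY, "10.10.1.5", "10.20.0.10", "tcp", 445))     # True
    print("SMB worm reach, segmented:", sorted(reachable_over(SEGMENTED_POLICY, "workstations", "tcp", 445)))
    print("SMB worm reach, flat:     ", sorted(reachable_over(FLAT_POLICY, "workstations", "tcp", 445)))
```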

Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai-makers pleaded guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.

Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.

Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. And they need to be fixed. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

PSD2: The EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.

Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.

Responsibility: People are starting to call on companies to take responsibility. Regulations such as the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some people say It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run almost every part of our lives – where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities is part of taking responsibility too.

Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. If we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The best security doesn’t exclude users, it empowers them.

Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.

Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?

Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. In many attempts, the goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.

Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.

Vulnerability: Patching is an important part of your defense strategy, and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information, and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run – many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities is part of the picture as well.

When: The myth of being able to detect every breach, insider threat or lateral movement has been punctured. Security teams are realizing they need to prepare themselves for “when” they will be breached, rather than “if.”

Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks; WannaCry and NotPetya were examples of this. These types of threats are likely to continue into 2018.

Sources:

HTTP/2 (Wikipedia)

Usage of HTTP/2 for websites

HTTPS (Wikipedia)

Firefox, Chrome start calling HTTP connections insecure

Alert (TA17-075A) HTTPS Interception Weakens TLS Security

Blockchain

Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead

Selainlouhinta (in Finnish; browser-based mining)

Cybersecurity Dangers Will Spike in 2018

We’re hitting rock bottom in cyber — let’s do something | TechCrunch

Virtual Security

Mirai-makers plead guilty, Hajime still lurks in shadows

DARPA Takes Chip Route to ‘Unhackable’ Computers

Another AI attack, this time against ‘black box’ machine learnings

GDPR Portal: Site Overview

General Data Protection Regulation (Wikipedia)

Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already

Miten GDPR pitää huomioida ohjelmistokehityksessä? (in Finnish; how GDPR must be taken into account in software development)

Seven Seas Cybersecurity: Captain, We Have a Problem

In the Words of President Ronald Reagan, “Trust but Verify”

Why You Should Question These Most Common Cloud Assumptions

It’s 2018. Do You Know Where Your Data Are?

Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Smart Factory Connectivity for the Industrial IoT

The Race for a Universal IoT Security Standard

Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises

The Internet of Things Is Going to Change Everything About Cybersecurity

My Internet Mea Culpa: I’m sorry I was wrong. We all were.

Resolve to Mitigate Your Business’ Digital Risk in 2018

Emerging Trends in Vulnerability Management

Research reveals customer-facing web and mobile apps as top security challenge

Open Source Vulnerabilities: Are You Prepared to Run the Race?

Device Security for the Industrial Internet of Things

GDPR and Open Source: Best Practices

Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC

ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good

Threat Modeling the Internet of Things: Modeling Reaper

Engineering for Privacy Requires Standards

How to Make Adversaries Work Harder, While We Work Smarter, in 2018

2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices

Facebook Releases New Certificate Transparency Tools

iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group

U.S. Military to Send Cyber Soldiers to the Battlefield

Machine Learning & Security: Making Users Part of the Equation

Security is Not a Technology Profession

State of IPv6 Deployment 2017

Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018

636 Comments

  1. Tomi Engdahl says:

    Critical Vulnerability Patched in phpMyAdmin
    http://www.securityweek.com/critical-vulnerability-patched-phpmyadmin

    An update released just before the holidays by the developers of phpMyAdmin patches a serious vulnerability that can be exploited to perform harmful database operations by getting targeted administrators to click on specially crafted links.

    phpMyAdmin is a free and open source tool designed for managing MySQL databases over the Internet. With more than 200,000 downloads every month, phpMyAdmin is one of the top MySQL database administration tools.

    India-based researcher Ashutosh Barot discovered that phpMyAdmin is affected by a cross-site request forgery (CSRF) flaw that can be exploited by an attacker to drop tables, delete records, and perform other database operations.

    For the attack to work, an authenticated admin needs to click on a specially crafted URL. However, Barot noted that the attack works as long as the user is logged in to the cPanel web hosting administration interface, even if phpMyAdmin has been closed after use.

    Reply
  2. Tomi Engdahl says:

    Ad targeters are pulling data from your browser’s password manager
    New research shows an alarming new way to track web users
    https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research

    Nearly every web browser now comes with a password manager tool, a lightweight version of the same service offered by plugins like LastPass and 1Password. But according to new research from Princeton’s Center for Information Technology Policy, those same managers are being exploited as a way to track users from site to site.

    The researchers examined two different scripts — AdThink and OnAudience — both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.

    No boundaries for user identities: Web trackers exploit browser login managers
    https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

    Reply
  3. Tomi Engdahl says:

    Hyperledger 3 years later: That’s the sound of the devs… working on the chain ga-a-ang
    But is anyone actually using it?
    https://www.theregister.co.uk/2018/01/02/hyperledger_at_three/

    The Linux Foundation’s Hyperledger project was announced in December 2015. When Apache Web server daddy Brian Behlendorf took the helm five months later, the Foundation’s blockchain baby was still embryonic. He called it “day zero.”

    Driving Hyperledger was the notion of a blockchain, a distributed ledger whose roots are in digital currency Bitcoin, for the Linux ecosystem – a reference technology stack that those comfortable with a command line could experiment with and build their own blockchain systems and applications.

    So where are we three years on?

    The Hyperledger stack has grown. July 2017 saw the release of version 1.0 of fabric, while some other projects have joined the mix.

    There’s a Hyperledger-based blockchain framework called Iroha, Cello for hosting business blockchains on multi-tenant infrastructures – ticking the “as a service” box that other initiatives like Ethereum have already satisfied – and Indy, a digital identity framework including libraries and reusable components for identity management.

    The idea here is to provide a decentralized identity system, solving one of the big problems with centralized identity frameworks, which is that the system (or a person with centralized access) could be compromised.

    Great. But is anyone actually using it?

    “We do have anecdotal evidence around IBM closing 400 business deals around blockchain-based technology, and Hyperledger is their technology of choice,”

    While uptake of Hyperledger might range somewhere between embryonic and uncertain, the numbers of those expressing support for Hyperledger has certainly grown.

    Ethereum connection?

    Also on board is Monax (formerly Eris). This is particularly notable because Monax bought with it an Ethereum virtual machine to more closely align the Ethereum and Hyperledger communities.

    Hype cycle ahead

    Traditionally, in this industry, the presence of lots of people in a community talking something up combined with little physical evidence of deployments have been sure signs that the subject in question is being over hyped. Is Hyperledger, therefore, suffering from a case of hype?

    As with much emerging tech it’ll have to go through the regular Gartner hype cycle first. That particular analyst firm reckons it’s on its way down into the trough of disillusionment.

    It expects blockchain to reach a healthy, stable plateau in five to 10 years

    A solution looking for a problem? It doesn’t have to be

    In the meantime, blockchain will have its fair share of credulous onlookers trying to apply it to business problems that don’t yet need it. Bennett isn’t one of them.

    “We need to drive the technology further, but we need to look at use cases end to end. With a lot of them the real issue isn’t tech, but market structure,” she told The Reg. “You have to change the market structure or blockchain won’t do it. And that may involve engaging with regulators.”

    That might be harder than it looks.

    One is technical. Remember all those projects? Pelz-Sharpe calls them “bits and pieces” from all over the place

    Similarly, getting regulators in various nations to agree to use the blockchain to handle international shipping paperwork – let alone agree on the same standard – will be no mean feat.

    “Its biggest strength is that Fabric was built by IBM – but also its biggest weakness,” he says, fretting that Apache Software License or not, some competitors may be turned off by Big Blue’s central involvement.

  4. Tomi Engdahl says:

    UK security chief: How ’bout a tax for tech firms that are ‘uncooperative’ on terror content?
    Because the state has a great track record of recouping tax from internet giants
    https://www.theregister.co.uk/2018/01/02/ukgov_moots_tax_for_uncooperative_tech_firms_over_terror_content/

    Tech firms are indirectly costing the UK government millions in “human surveillance” of extremist content and should have a windfall tax levied against them to make up for it, according to security minister Ben Wallace.

    Wallace said that inaction from internet giants means the cost of tackling terror content is “heaped on law enforcement agencies” – and the state should be able to recoup that in some way.

    “I have to have more human surveil­lance. It’s costing hundreds of millions of pounds. If they [internet firms] continue to be less than co-operative, we should look at things like tax as a way of incentivis­ing them or compen­sating for their inaction,” he told The Sunday Times.

    “Because content is not taken down as quickly as they could do, we’re having to de-radicalise people who have been radicalised. That’s costing millions. They [the firms] can’t get away with that and we should look at all options, including tax.”

    Facebook, Google and WhatsApp among tech titans told to join fight against terror or face tax blitz
    Security minister denounces ‘ruthless profiteers’
    https://www.thetimes.co.uk/article/facebook-google-and-whatsapp-among-tech-titans-told-to-join-fight-against-terror-or-face-tax-blitz-plv9778nv

    Internet giants face a multimillion-pound tax raid unless they agree to help combat the terrorist threat to ­Britain, which is at its worst “for 100 years”, the security minister revealed last night.

    Ben Wallace accused internet firms of being “ruthless profiteers” that cost government a fortune by failing to assist the security ­ser­vices in identifying terrorists and stamping out extremism online.

  5. Tomi Engdahl says:

    Many GPS Tracking Services Expose User Location, Other Data
    http://www.securityweek.com/many-gps-tracking-services-expose-user-location-other-data

    Researchers discovered that many online services designed for managing location tracking devices are affected by vulnerabilities that expose potentially sensitive information.

    Fitness, child, pet and vehicle trackers, and other devices that include GPS and GSM tracking capabilities are typically managed via specialized online services.

    Security experts Vangelis Stykas and Michael Gruhn found that over 100 such services have flaws that can be exploited by malicious actors to gain access to device and personal data. The security holes, dubbed Trackmageddon, can expose information such as current location, location history, device model and type, serial number, and phone number.

    Multiple vulnerabilities in the online services of (GPS) location tracking devices
    https://0x0.li/trackmageddon/

  6. Tomi Engdahl says:

    Forever 21 Payment Systems Infected With Malware for 7 Months
    http://www.securityweek.com/forever-21-payment-systems-infected-malware-7-months

    Los Angeles-based fashion retailer Forever 21 informed customers last week that some of its payment processing systems had been infected with malware for a period of more than 7 months.

    According to the retailer, hackers penetrated its systems and installed a piece of malware designed to steal payment card data as it was being routed through point-of-sale (PoS) devices. The company has been using encryption technology to protect sensitive data, but the system was “not always on,” allowing unauthorized access to payment card information.

  7. Tomi Engdahl says:

    It’s 2018. Do You Know Where Your Data Are?
    https://www.eetimes.com/author.asp?section_id=36&doc_id=1332778

    Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for.

  8. Tomi Engdahl says:

    ‘Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign
    Other OSes will need an update, performance hits loom
    https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

    A fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

    Programmers are scrambling to overhaul the open-source Linux kernel’s virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

    Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we’re looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model.

    Similar operating systems, such as Apple’s 64-bit macOS, will also need to be updated – the flaw is in the Intel x86-64 hardware, and it appears a microcode update can’t address it. It has to be fixed in software at the OS level, or go buy a new processor without the design blunder.

    Details of the vulnerability within Intel’s silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft’s Patch Tuesday next week. Indeed, patches for the Linux kernel are available

    How can this security hole be abused?

    At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

  9. Tomi Engdahl says:

    OWASP Top Ten: Then to Now
    https://medium.com/@ArtsSEC/owasp-top-ten-then-to-now-85aad2d5d0a7?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3B9n7gdq4fSWCS9c7U13bO2Q%3D%3D

    OWASP, short for the Open Web Application Security Project, is a community of web security professionals that actively endorse the best practices for web security. Their output includes in-depth papers, articles, documentation, modernized tools, and extensive research. OWASP is perhaps best known for the “OWASP Top 10” lists that are released every few years, which detail the ten most critical web application security risks.

  10. Tomi Engdahl says:

    New Year’s Resolution: Return to Cyber Security Essentials
    http://www.securityweek.com/new-years-resolution-return-cyber-security-essentials

    When it Comes to Information Security, 100 Percent Protection is Unattainable

    According to Gartner, worldwide security spending will reach $96 billion in 2018, up 8% from the 2017 spend of $89 billion. Meanwhile we’re experiencing a continuous increase in security incidents, which raises doubts about the effectiveness of these investments. When conducting post-mortem analysis of the data breaches that occurred in 2017, it becomes apparent that many of these big breaches can be attributed to a longstanding failure to implement basic cyber security measures (e.g., multi-factor authentication), botched usage of existing security tools to streamline the mitigation of known vulnerabilities, and lack of security measures for protecting sensitive data.

  11. Tomi Engdahl says:

    The Top Five Security Gaps in Hybrid IT
    http://www.securityweek.com/top-five-security-gaps-hybrid-it

    Maintaining Consistent Security Controls Across Hybrid IT Environments is Growing Increasingly Complex

    Hybrid IT in the enterprise is the new normal. Hybrid cloud was the buzz for a number of years, but focusing solely on the mix of public and private cloud services ignores a significant portion of the enterprise estate that isn’t going away any time soon. Hybrid IT recognizes that IT organizations cannot abandon all legacy investments without introducing unacceptable risks and costs, so cloud and legacy technologies will coexist for the foreseeable future, and increasingly interact in ways that introduce risk.

    1. Threat Detection and Analysis

    Enterprise attackers don’t care if your data is stored in the cloud, on premise, or both. They will probe for vulnerabilities, phish users and attempt to install ransomware anywhere they can. You might be comfortable with the level of protection that your cloud services providers and internal controls deliver, but do you have a consistent way to visualize and analyze threats across different computing environments?

    2. Vulnerability Management

    We expect our SaaS providers to manage and patch their own vulnerabilities, and patch management for legacy systems is typically a well-understood discipline. But enterprises continue to accelerate the adoption of IaaS as DevOps teams drive faster release cycles. Is the same rigor applied to testing code for security vulnerabilities for applications running in the public cloud as it is for applications running in your own data centers?

    3. Privileged User Management

    Cloud providers have mostly convinced enterprises to accept their security practices as adequate to protect their most sensitive data. Customer records, health care information, financial transactions and even government records are now routinely stored in the cloud, often with better security controls than are provided for legacy systems. But who is watching and managing what your privileged users have access to and how they are using that access?

    4. Access Controls and Authentication

    From a SaaS perspective, the focus in access management has been on enabling Single Sign-On (SSO), mostly as a means of convenience for users. This has the added security benefit of supporting better controls such as strong, unique passwords, enforcing step-up authentication or risk-based authentication where needed. But having access controls does not necessarily mean that they are consistent with security policy across the enterprise. Policy, whether based on good security practices or regulations, doesn’t relax just because a workload has been migrated to the cloud.

    5. Identity Governance

    Most enterprises have significant Identity Governance and Administration (IGA) capabilities for their legacy apps, but SaaS in particular is still on an island in many environments. Many regulations and security practices expect a periodic review or recertification of access rights, so they can be revoked where those rights are no longer needed. Are you reviewing the rights to your cloud apps with the same rigor applied to legacy apps?

    Maintaining consistent security controls across the entire hybrid IT environment is growing increasingly complex as more cloud services are adopted. And as these cloud services interact with data maintained on legacy systems, simultaneously multiplying risk, attackers can identify more opportunities to exploit the gaps in security coverage between the systems. As long as enterprises operate hybrid environments, though, consistent controls must be enforced.

  12. Tomi Engdahl says:

    Who’s Responsible For Security?
    Experts at the Table, part 1: Where security is working, where it isn’t, and what to do about it.
    https://semiengineering.com/whos-responsible-for-security/

  13. Tomi Engdahl says:

    New Year’s Resolution: Return to Cyber Security Essentials
    http://www.securityweek.com/new-years-resolution-return-cyber-security-essentials

    When it Comes to Information Security, 100 Percent Protection is Unattainable

    As we enter 2018, it is a good time to reflect on what happened in cyber security last year. The learnings from the past 12 months can help us set a clear path for minimizing the risk of succumbing to data breaches in the New Year. In 2017, the news headlines were dominated by global ransomware attacks such as WannaCry and NotPetya, a growing number of new vulnerabilities (i.e., KRACK, WordPress, ROCA), and massive breaches such at Verizon, Equifax, and Uber. Considering the scale and sophistication of these attacks, many organizations need to revisit their security strategies in order to limit their exposure to cyber threats in 2018.

    According to Gartner, worldwide security spending will reach $96 billion in 2018, up 8% from the 2017 spend of $89 billion. Meanwhile we’re experiencing a continuous increase in security incidents, which raises doubts about the effectiveness of these investments.

  14. Tomi Engdahl says:

    Improved IoT Security Starts with Liability for Companies, Not Just Legislation
    http://www.securityweek.com/improved-iot-security-starts-liability-companies-not-just-legislation

    My question for discussion is this: if policies like the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data, could legislation improve the state of IoT security for devices that are also putting our privacy at risk?

  15. Tomi Engdahl says:

    Solving Security Problems Isn’t Sexy
    http://www.securityweek.com/solving-security-problems-isnt-sexy

    Many Security Professionals Find Themselves Trapped in a Cycle of “Sexy” – What Can We Do About It?

    Recently, during a discussion around the current state of marketing and sales in the security industry, one of my colleagues said something that jarred me. I asked why more people in the security field, regardless of the specific role they are in, don’t focus marketing and sales messaging on problem solving. His response was uncanny. The “herd” isn’t looking for solutions to problems. They are on the prowl for “sexy”.

    To explain what I mean by this, let’s take a closer look from a few different perspectives.

    First, let’s begin with entrepreneurs in the security field. There are certainly entrepreneurs in our field who are visionary and who are working to solve the problems of tomorrow. But, unfortunately, there are far too many who simply chase after the hot topic of the day. Or, to put it another way: These entrepreneurs are solving the problems of today, or worse yet, yesterday, rather than the problems of tomorrow.

    Unfortunately, with the lead time involved in building a company and bringing a product to market, by the time the product is ready to go out the door, the world has often moved on.

    Of course, it’s hard to place the burden solely on entrepreneurs without also looking at the funding angle. For obvious reasons, those who fund security start-ups tend to want to fund companies that have a high likelihood of a successful acquisition or an IPO. Sometimes it seems that this potential is more directly correlated to the “sexiness” of a company and its ability to function in a “hot” area, than it is to the company’s ability to address actual operational pain points for customers.

    And why is this the case? To answer that question, we need to take a look into the buyer angle. Of course, there are many experienced security buyers who have been around the block a few times and tend to acquire in a strategic and calculated manner. Sadly, however, they are not the majority of buyers. Far too many buyers buy products that are hot or en vogue. Perhaps because someone told them they had to have one. Or, perhaps because everyone is buying one. Unfortunately, this type of approach is more grounded in pop culture than it is in strategically solving security problems.

    It’s difficult to fault buyers, however, without looking at the diet of FUD (Fear, Uncertainty, and Doubt) they are being fed.

    When we combine all of these angles, we find ourselves trapped in a cycle of “sexy” in the security field. So what can we do about it? How can we shift the discussion from one around sexiness to one around what pain points buyers are looking to address and what makes for a sustainable and profitable security business?

    As entrepreneurs, we can found companies with sustainable business models that have the potential for long-term profitability. We can focus on addressing real operational pain points that exist in the industry. There is no shortage of them.

    As buyers, we can acquire in a strategic and calculated manner – not buying things we don’t need or that don’t help us address our operational pain points just because someone told us we had to have one or because everyone else is doing it.

  16. Tomi Engdahl says:

    Devices Running GoAhead Web Server Prone to Remote Attacks
    http://www.securityweek.com/devices-running-goahead-web-server-prone-remote-attacks

    A vulnerability affecting all versions of the GoAhead web server prior to version 3.6.5 can be exploited to achieve remote code execution (RCE) on Internet of Things (IoT) devices.

    GoAhead, a small web server employed by numerous companies including IBM, HP, Oracle, Boeing, D-Link, and Motorola, is “deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices,” according to EmbedThis, its developer.

    The web server is currently present on over 700,000 Internet-connected devices out there, a Shodan search has revealed.

    However, not all of these devices are impacted by said remote code execution vulnerability. Tracked as CVE-2017-17562, the vulnerability is triggered only in special conditions and affects only devices with servers running *nix that also have CGI support enabled with dynamically linked executables (CGI scripts).

  17. Tomi Engdahl says:

    DMARC Implemented on Half of U.S. Government Domains
    http://www.securityweek.com/dmarc-implemented-half-us-government-domains

    Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security (DHS) directive, but the first deadline is less than two weeks away.

    The Binding Operational Directive (BOD) 18-01 issued by the DHS in mid-October instructs all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

    DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” in order to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

    The DHS has ordered government agencies to implement DMARC with at least a “none” policy by January 15. Organizations will then need to set their DMARC policy to “reject” within one year.

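An added example, not code from the article or from the DHS directive: a small Python checker that parses a published DMARC TXT record and classifies it against the two milestones quoted above (at least "none" first, "reject" within a year). The domain names and records are constructed for illustration.

```python
"""Parse DMARC records and classify them against the BOD 18-01 milestones
quoted above. Added example; the sample records below are constructed."""

# DMARC policy strength, weakest to strongest (p= tag values from RFC 7489).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Return the tag/value pairs of a DMARC record as a dict, or None when
    the record is malformed or does not begin with the literal v=DMARC1 tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            return None  # a tag without a value is malformed
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires the version tag to come first and to be exactly DMARC1.
    first = record.split(";", 1)[0].strip().lower()
    if not first.startswith("v=") or tags.get("v") != "DMARC1":
        return None
    return tags


def effective_policy(tags):
    """Return (policy, pct) for the organizational domain, honoring the pct=
    tag (share of messages the policy applies to; default 100)."""
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        return None
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return None
    return p, int(pct)


def bod_18_01_status(record, reject_deadline_passed=False):
    """Classify one domain's record. Statuses: 'missing' (no record),
    'invalid', 'monitoring' (p=none), 'partial' (quarantine, or reject with
    pct<100) and 'enforcing' (p=reject at 100%). Returns (status, compliant):
    monitoring and partial only satisfy the directive before the reject
    deadline; enforcing satisfies it at any time."""
    if not record:
        return "missing", False
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid", False
    policy = effective_policy(tags)
    if policy is None:
        return "invalid", False
    p, pct = policy
    if p == "reject" and pct == 100:
        return "enforcing", True
    if p == "none":
        return "monitoring", not reject_deadline_passed
    return "partial", not reject_deadline_passed


# Constructed sample records; not real agency domains or records.
SAMPLE_RECORDS = {
    "agency-a.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@agency-a.example.gov",
    "agency-b.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-b.example.gov; pct=100",
    "agency-c.example.gov": "v=DMARC1; p=quarantine; pct=50",
    "agency-d.example.gov": "p=reject; v=DMARC1",  # version tag not first: invalid
    "agency-e.example.gov": "",                    # no record published
}


def audit(records, reject_deadline_passed=False):
    """Classify every domain in a {domain: record} mapping."""
    return {domain: bod_18_01_status(rec, reject_deadline_passed)
            for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (status, ok) in audit(SAMPLE_RECORDS).items():
        print(f"{domain:24} {status:10} compliant_now={ok}")
```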
  18. Tomi Engdahl says:

    Hackers Expected to Remotely Exploit CPU Vulnerabilities
    http://www.securityweek.com/hackers-expected-remotely-exploit-cpu-vulnerabilities

    Security experts believe hackers will soon start to remotely exploit the recently disclosed vulnerabilities affecting Intel, AMD and ARM processors, if they haven’t done so already.

    Researchers disclosed on Wednesday the details of Spectre and Meltdown, two new attack methods targeting CPUs. The attacks leverage three different flaws and they can be used to bypass memory isolation mechanisms and gain access to sensitive data, including passwords, photos, documents, and emails.

    The affected CPUs are present in billions of products, including PCs and smartphones, and attacks can also be launched against cloud environments.

    Researchers have developed a proof-of-concept (PoC) for Google Chrome that uses JavaScript to exploit Spectre and read private memory from the process in which it runs.

    Mozilla has conducted internal experiments and determined that these techniques can be used “from Web content to read private information between different origins.” While the issue is still under investigation, the organization has decided to implement some partial protections in Firefox 57.

    Google pointed out that attacks are possible via both JavaScript and WebAssembly.

    Microsoft has also confirmed that attacks can be launched via JavaScript code running in the browser. The company has released updates for its Edge and Internet Explorer web browsers to mitigate the vulnerabilities.

    Since a JavaScript PoC is available, experts believe it’s only a matter of time until malicious actors start exploiting the flaws remotely. While some say state-sponsored actors are most likely to leverage these attacks, others point out that mass exploitation is also possible, particularly via the ads served by websites.

  19. Tomi Engdahl says:

    Cybersecurity Dangers Will Spike in 2018
    While the cyber danger increases for industrial networks, holistic security is gaining ground.
    https://www.designnews.com/automation-motion-control/cybersecurity-dangers-will-spike-2018/178950264557972?ADTRK=UBM&elq_mid=2701&elq_cid=876648

  20. Tomi Engdahl says:

    Last year brought the state hackers

    The security company Check Point predicts that 2018 will bring more state actors engaged in hacking. In addition to making headlines, official bodies such as large corporations and governments have been caught stealing information from competitors or spreading misleading information.

    The security provider Check Point’s latest global cybersecurity forecast describes current cyber trends that may affect the daily lives of citizens, perhaps even more than individual data breaches and malware campaigns.

    Source: https://www.uusiteknologia.fi/2018/01/02/viime-vuosi-toi-esiin-valtiolliset-hakkerit/

  21. Tomi Engdahl says:

    Google Details How It Protects Data Within Its Infrastructure
    http://www.securityweek.com/google-details-how-it-protects-data-within-its-infrastructure

    Google has decided to share detailed information on how it protects service-to-service communications within its infrastructure at the application layer and the system it uses for data protection.

    Called Application Layer Transport Security (ALTS), the technology was designed to authenticate communication between Google services and keep data protected while in transit. When sent to Google, data is protected using secure communication protocols such as TLS (Transport Layer Security).

    According to the Web search giant, it started development of ALTS in 2007, when TLS was bundled with support protocols that did not satisfy the company’s minimum security standards. Thus, the company found it more suitable to design its own security solution than patch an existing system.

    Google describes ALTS, which it considers more secure than older TLS, as “a highly reliable, trusted system that provides authentication and security for […] internal Remote Procedure Call (RPC) communications,” that ensures security within the company’s infrastructure.

    ALTS uses a Diffie-Hellman (DH) based authenticated key exchange protocol for handshakes and provides applications with an authenticated remote peer identity that can be used for fine-grained authorization policies at the application layer, the company explains.

    “After a handshake is complete and the client and server negotiate the necessary shared secrets, ALTS secures RPC traffic by forcing integrity, and optional encryption, using the negotiated shared secrets. We support multiple protocols for integrity guarantees, e.g., AES-GMAC and AES-VMAC with 128-bit keys,” Google says.

  22. Tomi Engdahl says:

    Sorry Sci-Fi Fans, Real Wars in Space Not the Stuff of Hollywood
    https://www.space.com/39273-real-wars-in-space-not-science-fiction.html?utm_content=bufferf3665&utm_medium=social&utm_source=facebook

    The public’s idea of a war in space is almost entirely a product of Hollywood fantasy

    The reality of how nations will fight in space is much duller and blander. And some of the key players in these conflicts will be hackers and lawyers.

    Savvy space warriors like Russia’s military already are giving us a taste of the future. They are jamming GPS navigation signals, electronically disrupting satellite communications links and sensors in space. Not quite star wars.

    This form of electronic warfare in space is serious enough, however, that the U.S. military is now moving to defend its satellites and other space assets.

    “There are legal and practical limits on armed conflict in space,”

    Space indeed has turned into an important battlefront, and for good reasons. It is critical to nearly all aspects of national security and military power, including intelligence, surveillance, reconnaissance, communications, precision timing and navigation, attack warning and targeting of potential threats.

    International law concerns
    The preeminent statute of international space law is the 1967 Outer Space Treaty, but some of the language is becoming harder to interpret in today’s environment, Hoversten said.

  23. Tomi Engdahl says:

    Ransomware to hit cloud computing in 2018, predicts MIT
    http://www.computerweekly.com/news/450432488/Ransomware-to-hit-cloud-computing-in-2018-predicts-MIT

    Ransomware targeting cloud services is one of the six biggest cyber threats likely to face organisations in 2018, according to the Massachusetts Institute of Technology

  24. Tomi Engdahl says:

    2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.

    https://www.schneier.com/blog/archives/2018/01/spectre_and_mel_1.html

  25. Tomi Engdahl says:

    Louise Matsakis / Wired:
    Experts: human damage to undersea fiber optic cables would be less severe than military warns; of ~428 cables, one is damaged every couple days, often by nature

    What Would Really Happen If Russia Attacked Undersea Internet Cables
    https://www.wired.com/story/russia-undersea-internet-cables/

    It might seem like a nightmare scenario. A terrorist organization or nefarious nation state decides to derail the global internet by faulting the undersea fiber optic cables that connect the world. These cables, which run along the ocean floor, carry almost all transoceanic digital communication, allowing you to send a Facebook message to a friend in Dubai, or receive an email from your cousin in Australia.

    US Navy officials have warned for years that it would be devastating if Russia, which has been repeatedly caught snooping near the cables, were to attack them. The UK’s most senior military officer said in December that it would “immediately and potentially catastrophically” impact the economy were Russia to fault the lines. NATO is now planning to resurrect a Cold War-era command post in part to monitor Russian cable activity in the North Atlantic.

    The idea of the global internet going dark because some cables were damaged is frightening. But if Russia or anyone else were to snip a handful of the garden hose-sized lines, experts say that the consequences would likely be less severe than the picture the military paints.

    “The amount of anxiety about somebody sabotaging a single cable or multiple cables is overblown,” says Nicole Starosielski, a professor at New York University who spent six years studying internet cables to write The Undersea Network. “If somebody knew how these systems worked and if they staged an attack in the right way, then they could disrupt the entire system. But the likelihood of that happening is very small. Most of the concerns and fears are not nearly a threat at all.”

    For one, ruptures aren’t exactly an anomaly. One of the estimated 428 undersea cables worldwide is damaged every couple of days. Nearly all faults aren’t intentional

    Russia snipping a handful of cables in the Atlantic, where its submarines have been spotted, would disturb the global internet very little.

  26. Tomi Engdahl says:

    Ryan Selkis / TwoBitIdiot:
    Thoughts on cryptocurrencies for 2018, including prices and investing, people involved, taxes, ICOs and crypto funds, promising applications, and more

    95 Crypto Theses for 2018
    https://medium.com/@twobitidiot/95-crypto-theses-for-2018-ca7b74f8abcf

  27. Tomi Engdahl says:

    Paul Mozur / New York Times:
    Recent public outcry against Alibaba’s Sesame Credit and Tencent’s WeChat over user privacy point to a growing demand for online data protection in China

    Internet Users in China Expect to Be Tracked. Now, They Want Privacy.
    https://www.nytimes.com/2018/01/04/business/china-alibaba-privacy.html

    China’s biggest online payment company offers its hundreds of millions of users a breakdown on their spending each year, showing everything from their environmental impact to their ranking among shoppers in their area. Many spenders — not shy, and occasionally even a bit boastful about their personal finances — in turn share the details on social media.

    This year, the marketing stunt has run into a problem: China’s growing sense of personal privacy.

    Ant Financial, an affiliate of the e-commerce giant Alibaba Group, apologized to users on Thursday after prompting an outcry by automatically enrolling in its social credit program those who wanted to see the breakdown. The program, called Sesame Credit, tracks personal relationships and behavior patterns to help determine lending decisions.

  28. Tomi Engdahl says:

    Nitasha Tiku / Wired:
    The unprecedented power of technology companies is prompting calls for the rethinking of decades-old US antitrust laws focusing on consumer protection

    How to Curb Silicon Valley Power—Even With Weak Antitrust Laws
    https://www.wired.com/story/how-to-curb-silicon-valley-power-even-with-weak-antitrust-laws

    Technology companies with unprecedented power to sway consumers and move markets have done the unthinkable: They’ve made trust-busting sound like a good idea again.

    The concentration of wealth and influence among tech giants has been building for years—90 percent of new online-ad dollars went to either Google or Facebook in 2016; Amazon is by far the largest online retailer, the third-largest streaming media company, and largest cloud-computing provider. Silicon Valley titans coasted to the top of the economy with little government oversight on the backs of incredibly convenient products, a killer backstory, shrewd lobbying, and our personal data. They were allowed to grow unfettered in part because of a nearly-40-year-old interpretation of US antitrust law that views anticompetitive behavior primarily through the prism of the effect on consumers. In that light, the tech industry’s cheap products and free services fell somewhere between benign and benevolent.

    Last year, though, the real-world consequences of unregulated internet platforms became undeniable, from facilitating Russian interference in the presidential election to aiding foreign despots by spreading fake news to building surveillance infrastructure that monitors our daily activities to hijacking our minds with invisible persuasion techniques, to automating racist advertising and displaying content that exploits children.

  29. Tomi Engdahl says:

    2018 prediction: securing IoT-connected devices will be a major cybersecurity challenge
    https://www.csoonline.com/article/3244467/internet-of-things/2018-prediction-securing-iot-connected-devices-will-be-a-major-cybersecurity-challenge.html

    For careless operators, an IoT-connected device could lead to breaches bigger and more invasive than we’ve ever seen.

    Internet of Things (IoT)-connected devices no longer represent a niche market; rather they’ve become a mainstream part of our lives both inside and outside the workplace. Gartner predicts that nearly 20 billion IoT–connected devices will be online by 2020.

    And while your coffee maker may not have been hacked, the last few years have seen some major breaches of IoT devices that have serious implications.

    The August 2016 Mirai botnet attack targeted Internet recording devices to create one of the largest DDoS attacks in history, and an August 2017 attack led to the recall of 500,000 pacemakers.

    While these devices are undoubtedly improving our lives and businesses in many ways, securing this massive number of devices will represent one of our biggest challenges in 2018. Fortunately, identity management can help because each device has an identity, as well as potentially multiple user credentials to manage. By creating three-way trust between the device, user and application we can drastically reduce the attack surface.

    Companies should adopt a set of guidelines to ensure the secure development and deployment of IoT devices. At the heart of these standards ought to be identity-focused security solutions, which can help spur IoT security by managing the relationships between these devices, the entities controlling them, and the data being sent and received.

    The Open Web Application Security Project (OWASP), a repository of information on web application security, lays out cybersecurity suggestions in its IoT Attack Surface Areas Project.

    From device firmware to network surfaces and physical interfaces, the OWASP guidance acts as a set of best practices for those who want the convenience of IoT without the inherent risk of connecting hundreds of devices across an organization. Just by laying out those risks, it is clear identity and access management capabilities are the best security options across every category.

    It’s imperative to both authenticate the user’s identity with each interaction and make sure the user is authorized for each activity on their IoT-connected device.

    Companies must also manage the human-device relationship. That means giving different permission levels for different users of the IoT device.

    The device lifecycle presents another attack surface. Organizations need to keep track of version configurations on devices, monitor the baseline behaviors of the users and employ more granular control of the user permissions throughout the lifecycle of the device.

    But with some relatively simple cyber hygiene practices that stretch from the IT department to on-the-ground employees, organizations can stay connected and still be safe from cyberattacks.

    Reply
  30. Tomi Engdahl says:

    AWS infrastructure Security Auditing: Cloud Security Suite
    https://n0where.net/aws-infrastructure-security-auditing-cloud-security-suite

    CS Suite is a one stop tool for auditing the security posture of the AWS infrastructure and does system audits as well. CS Suite leverages current open source tools capabilities and has other missing checks added into one tool to rule them all.

    Reply
  31. Tomi Engdahl says:

    Today in Technology: The top ten tech issues for 2018
    https://blogs.microsoft.com/on-the-issues/2018/01/02/today-technology-top-ten-tech-issues-2018/

    Over the past six months we’ve written in our Today in Technology series about historical tech developments and the insights they provide for our current day. As the calendar flips to 2018, we are looking back at the top tech issues of the last year, offering our perspectives for the coming 12 months, recapping what we’ve learned, and sharing how Microsoft is helping to address these issues. The following are our top 10.

    CYBERSECURITY: From WannaCry and electoral attacks to a Digital Geneva Convention
    IMMIGRATION: From the travel ban to DACA to the green card backlog
    TECHNOLOGY FOR RURAL COMMUNITIES: Ensuring a fair shot for everyone
    DIVERSITY AND TECH: A watershed year
    PRIVACY AND SURVEILLANCE: More milestones in an eventful decade
    AI AND ITS ROLE IN SOCIETY: The future of technology
    SUSTAINABILITY AND THE PARIS ACCORD: The U.S. government pulled out, but the tech sector stayed in
    NET NEUTRALITY: A single vote sometimes doesn’t last forever
    CODING IN SCHOOLS: A decisive year in a decade-long movement
    GLOBALIZATION OF THE IT SECTOR: It’s a new world

    Reply
  32. Tomi Engdahl says:

    The Ultimate Defense Against Hackers May Be Just a Few Atoms Thick
    NYU Tandon Researchers Discover Big Cryptographic Potential in Nanomaterial
    http://engineering.nyu.edu/press-releases/2017/11/29/ultimate-defense-against-hackers-may-be-just-few-atoms-thick

    The next generation of electronic hardware security may be at hand as researchers at New York University Tandon School of Engineering introduce a new class of unclonable cybersecurity primitives made of a low-cost nanomaterial with the highest possible level of structural randomness. Randomness is highly desirable for constructing the security primitives that encrypt and thereby secure computer hardware and data physically, rather than by programming.

    In a paper published in the journal ACS Nano, Assistant Professor of Electrical and Computer Engineering Davood Shahrjerdi and his NYU Tandon team offer the first proof of complete spatial randomness in atomically thin molybdenum disulfide (MoS2).

    “At monolayer thickness, this material has the optical properties of a semiconductor that emits light, but at multilayer, the properties change, and the material no longer emits light. This property is unique to this material,”

    the beautiful random light patterns of MoS2 when he realized it would be highly valuable as a cryptographic primitive.

    This represents the first physically unclonable security primitive created using this nanomaterial. Typically embedded in integrated circuits, physically unclonable security primitives protect or authenticate hardware or digital information. They interact with a stimulus — in this case, light — to produce a unique response that can serve as a cryptographic key or means of authentication.

    The research team envisions a future in which similar nanomaterial-based security primitives can be inexpensively produced at scale and applied to a chip or other hardware component, much like a postage stamp to a letter.

    Reply
  33. Tomi Engdahl says:

    Industrial Firms Increasingly Hit With Targeted Attacks: Survey
    http://www.securityweek.com/industrial-firms-increasingly-hit-targeted-attacks-survey

    An increasing number of companies in the industrial sector have experienced a targeted attack, according to a survey conducted by Kaspersky Lab and B2B International.

    As part of its 2017 IT Security Risks Survey, Kaspersky talked to more than 5,200 representatives of small, medium and large businesses in 29 countries about IT security and the incidents they deal with.

    Of the 962 industrial companies surveyed, 28% said they had faced a targeted attack in the last 12 months. This represents an 8 percentage point increase compared to the previous year.

    “The fact that the most dangerous incident type has grown by more than a third strongly suggests that cybercriminal groups are paying much closer attention to the industrial sector,” Kaspersky said.

    More than half of industrial organizations surveyed by Kaspersky reported being hit by malware attacks in the last year.

    Reply
  34. Tomi Engdahl says:

    Ransomware and Bitcoin Enter New Phase
    http://www.securityweek.com/ransomware-and-bitcoin-enter-new-phase

    The phenomenal appreciation in Bitcoin’s value against the dollar, up roughly 18x in 2017 and 4x since September, gives us pause to consider – from a security perspective – what this might mean for ransomware in the near and distant future.

    Ransomware and Bitcoin Codependency

    It is not an exaggeration to say that without each other, ransomware and Bitcoin might not exist at all. I think it’s largely understood that the rise of a virtual, anonymized and easy-to-use payment system was a key factor in making ransomware the phenomenon it is today.

    Is Ransomware Still Pressuring Bitcoin Prices?

    The most obvious explanations for the current run-up in Bitcoin are a) it’s a tulip craze or b) Bitcoin has crossed some credibility barrier and entered the mainstream. But we shouldn’t count out the ransomware float’s possible continuing contribution.

    Arguing in favor of the idea that Bitcoin was mid-wifed by ransomware, but has now crossed some hockey stick threshold into legitimacy, and is no longer particularly dependent on the ransomware economy, we see that major retailers like Overstock, Virgin Galactic, PayPal, eBay, and Expedia have begun to accept Bitcoin as payment.

    The “tulip craze/Ponzi scheme” argument also has many adherents who voice the certainty (this author included) that this is a bubble being driven by speculators, which must burst some day. Admittedly, the long-term viability of Bitcoin is a complex question to ponder, being equal parts mass psychology, macroeconomics and technical evaluation. The scenario of a Bitcoin meltdown is enhanced by pointing out that there are other cryptocurrencies available, like Ethereum, Bitcoin Cash, Ripple, and Litecoin among hundreds, ready to fill the void, without getting into the idea that governmental monetary authorities might get into the act themselves – or interfere.

    Ransomware Rainy-Day Funds

    However, there is still an argument to be made that ransomware-related Bitcoin purchases by businesses might still be contributing to the “tightness” of the Bitcoin money supply, and helping feed the upward spiral.

    Malware authors (and other criminal organizations) whose holdings were substantially in Bitcoin are equally seeing their ill-gotten gains multiply.

    Reply
  35. Tomi Engdahl says:

    Gifts and Data – Personalization Brings Meaning
    http://www.securityweek.com/gifts-and-data-personalization-brings-meaning

    You need to increase the level of personalization to maximize the impact of threat data on your security operations and more effectively and efficiently protect your organization. There are several sources you can turn to.

    Geographic and industry-specific data: These include national/governmental Computer Emergency Response Teams (CERTs) that develop and provide threat intelligence based both on a geography and industry so that organizations can understand and adapt to threats that are occurring locally in their specific sector. Information Sharing and Analysis Centers (ISACs) organized by industry can also prove useful as they disseminate to their members threat intelligence that concerns their sector.

    Adversary and related data: Commercially available threat feeds provide updated threat data that cut across categories to get closer to the personalized type of threat data you need. For example identifying adversaries, their targets and their tools, techniques and procedures (TTPs) to help you know if you’re in their sights.

    Data based on your ecosystem: You can also filter threat data based on your supply chain and other third parties within your ecosystem. Mentions of their names, brands, or sectors may alert you to adversaries and campaigns that may be actively targeting them and then, in turn, can potentially infiltrate your organization.

    A central repository can help you make sense of all these different threat feeds and intelligence sources by aggregating them for analysis and action. But you still can, and should, filter out the noise and cull the data further so that it is focused on you – your tools, infrastructure and risk profile. To do this you must add context to the data, so you can prioritize it.

    Your own layers of defense and/or SIEM provide a massive amount of log and event data, capturing everything that has happened within your environment. By correlating these events and associated indicators from inside your environment with external threat data, you gain additional and critical context to understand what is relevant and high-priority to your organization.

    Reply
  36. Tomi Engdahl says:

    Don’t Disable SELinux
    Developers often recommend disabling security like SELinux support to get software to work. Not a good idea.
    http://www.electronicdesign.com/embedded-revolution/don-t-disable-selinux

    Reply
  37. Tomi Engdahl says:

    David Gilbertson / Hacker Noon:
    Developer indicts culture of dependency-laden projects with cautionary tale of an npm package for websites that would scrape and send sensitive user info

    I’m harvesting credit card numbers and passwords from your site. Here’s how.
    https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

    The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.

    It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability.

    Seeing people close to me get all flustered at the prospect of being “powned” has really put things in perspective for me.

    So, it is with a heavy heart that I’ve decided to come clean and tell you all how I’ve been stealing usernames, passwords and credit card numbers from your sites for the past few years.

    In short, if it looks like data that might be even remotely valuable to me, I send it off to my server.

    If an attacker successfully injects any code at all, it’s pretty much game over

    XSS is too small scale, and really well protected against.

    Chrome Extensions are too locked down.

    Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.

    So, npm was to be my distribution method. I would need to come up with some borderline-useful package that people would install without thinking — my Trojan horse.

    “Hey, I’ve fixed issue x and also added some logging.”

    Look ma, I’m contributing to open source!

    There are a lot of sensible people out there that tell me they don’t want a new dependency, but that was to be expected, it’s a numbers game.

    Overall, the campaign has been a big success and my colourful console code is now directly depended on by 23 packages. One of those packages is itself depended upon by a pretty widely used package — my cash cow.

    I’d notice the network requests going out!

    Where would you notice them? My code won’t send anything when the DevTools are open (yes even if un-docked).

    It also stays silent when running on localhost or any IP address, or where the domain contains dev, test, qa, uat or staging.

    Our penetration testers would see it in their HTTP request monitoring tools!

    What hours do they work? My code doesn’t send anything between 7am and 7pm. It halves my haul, but 95% reduces my chances of getting caught.

    And I only need your credentials once.

    Also the URL looks a lot like the 300 other requests to ad networks your site makes.

    The point is, just because you don’t see it, doesn’t mean it’s not happening.

    I’d see it in your source on GitHub!

    Your innocence warms my heart.

    But I’m afraid it’s perfectly possible to ship one version of your code to GitHub and a different version to npm.

    I’ve defined the files property to point to a lib directory that contains the minified, uglified nasty code — this is what npm publish will send to npm. But lib is in my .gitignore so it never makes its way to GitHub. This is a pretty common practice so it doesn’t even look suspect if you read through these files on GitHub.

    The point: it is very difficult to spot shenanigans in obfuscated code, you’ve got no chance.

    I have a Content Security Policy!

    Oh, do you now.

    And did somebody tell you that this would prevent malicious code from sending data off to some dastardly domain?

    If you don’t know already, a content security policy can (try to) restrict what network requests can be made from the browser. It is often worded as restricting what you can bring into the browser, but you can also think of it protecting what can be sent out (when I ‘send’ your users’ passwords to my server, it’s just a query param on a get request).

    In the event that I can’t get data out using the prefetch trick, CSPs are tricky for my credit card collection corporation. And not just because they neuter my nefarious intentions.

    You see, if I try to send data out from a site that has a CSP, it can alert the site owner of the failed attempt.

    I check your CSP before attempting to send something out.

    At this point I can look for holes in your CSP. Astoundingly, the Google sign in page has a bad CSP that would allow me to easily collect your username and password if my code ran on that page. They fail to set connect-src explicitly and also haven’t set the catch-all default-src so I can send your credentials wherever I damn well please.

    Amazon has no CSP at all on the page where you type your credit card number in, nor does eBay.

    Twitter and PayPal have CSPs, but it’s still dead easy to get your data from them.

    So, when I’m checking your CSP (and checking it twice), if everything else is locked down but I don’t see form-action in there, I just go and change the action (where the data is sent when you click ‘sign in’) on all your forms.

    Boom, thanks for sending me your PayPal username and password, pal. I’ll send you a thank you card with a photo of the stuff I bought with your money.

    Naturally, I only do this trick once per device and bounce the user right back to the referring page where they will shrug and try again.

    OK I am sufficiently concerned, what can I do?

    Option 2:

    On any page that collects any data that you don’t want me (or my fellow attackers) to have, don’t use npm modules. Or Google Tag Manager, or ad networks, or analytics, or any code that isn’t yours.

    As suggested here, you might want to consider having dedicated, lightweight pages for login and credit card collection that are served up in an iFrame.

    You can still have your big ol’ React app with 138 npm packages for the header/footer/nav/whatever, but the part of the page where the user is typing should be in a sandboxed iFrame and it should run only hand-crafted (and may I suggest, not-minified) JavaScript — if you want to do client-side validation.

    This post is entirely fictional, but altogether plausible, and I hope at least a little educational.

    Although this is all made up, it worries me that none of this is hard.

    There’s no shortage of smart, nasty people out there, and 400,000 npm packages.

    My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.

    Reply
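    As an added example from the defender's side (not code from Gilbertson's post or from any project it mentions), a small Content Security Policy auditor that resolves which source list actually governs each directive and flags the gaps the post describes: no CSP at all, connect-src left open because neither it nor default-src is set, form-action missing (it never falls back to default-src, so a default-src 'self' policy still leaves forms retargetable), and no violation reporting. The header strings in the test are constructed samples, not real policies from the sites named in the post.

```javascript
// Fetch directives that fall back to default-src when absent (CSP Level 2/3).
// form-action is deliberately NOT here: per the spec it never falls back, which is
// the gap the post exploits on sites that otherwise look locked down.
// prefetch-src appeared in CSP3 drafts but is not reliably enforced by browsers,
// which is the "prefetch trick" the post alludes to; it is listed for completeness.
const FALLS_BACK_TO_DEFAULT = new Set([
  'connect-src', 'img-src', 'script-src', 'style-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src', 'prefetch-src',
]);

// Parse "directive src src; directive src" into a Map<directive, string[]>.
// Duplicate directives are ignored after the first, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return the source list that actually governs `directive`, and which
// directive supplied it. `sources: null` means the request type is unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) {
    return { sources: policy.get(directive), via: directive };
  }
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) {
    return { sources: policy.get('default-src'), via: 'default-src' };
  }
  return { sources: null, via: null };
}

// A source list is "open" if it lets a request reach an arbitrary origin:
// absent entirely, a bare wildcard, or a scheme-only source such as https:.
function isOpen(sources) {
  return sources === null || sources.some(s => s === '*' || /^https?:$/i.test(s));
}

// Audit a Content-Security-Policy header value. Returns finding codes, in
// a fixed order, so the result is easy to assert on or diff over time.
function auditCsp(header) {
  const findings = [];
  if (!header || header.trim() === '') {
    findings.push('no-csp'); // the "no CSP at all on the card form" case
    return findings;
  }
  const policy = parseCsp(header);

  // fetch()/XHR/sendBeacon: the GET-with-query-param exfil channel
  if (isOpen(effectiveSources(policy, 'connect-src').sources)) {
    findings.push('connect-src-open');
  }
  // image loads are another outbound channel that needs a source list
  if (isOpen(effectiveSources(policy, 'img-src').sources)) {
    findings.push('img-src-open');
  }
  // form submission targets: only form-action itself restricts these
  if (isOpen(effectiveSources(policy, 'form-action').sources)) {
    findings.push('form-action-open');
  }
  // without reporting, the "failed attempt" never alerts the site owner
  if (!policy.has('report-uri') && !policy.has('report-to')) {
    findings.push('no-reporting');
  }
  return findings;
}

module.exports = { parseCsp, effectiveSources, isOpen, auditCsp };
```

    Run it against the policy your own login and payment pages actually serve; a policy that passes every check here still needs the script-src review the post's npm scenario implies, since this auditor only covers outbound channels.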
  38. Tomi Engdahl says:

    Don’t Disable SELinux
    http://www.electronicdesign.com/embedded-revolution/don-t-disable-selinux

    Developers often recommend disabling security like SELinux support to get software to work. Not a good idea.

    Reply
  39. Tomi Engdahl says:

    Edward Snowden made an app to protect your laptop
    Wait, Snowden built an app?
    https://www.theverge.com/2017/12/23/16812834/edward-snowden-haven-guardian-project-laptop-phone

    Snowden told Moudeina that he was working on an app that could turn a mobile device into a kind of motion sensor in order to notify you when your devices are being tampered with. The app could also tell you when someone had entered a room without you knowing, if someone had moved your things, or if someone had stormed into your friend’s house in the middle of the night. Snowden recounted that pivotal conversation in an interview with the Verge. “She got very serious and told me, ‘I need this. I need this now. There’s so many people around us who need this.’”

    Haven, announced today, is an app that does just that. Installed on a cheap burner Android device, Haven sends notifications to your personal, main phone in the event that your laptop has been tampered with. If you leave your laptop at home or at an office or in a hotel room, you can place your Haven phone on top of the laptop, and when Haven detects motion, light, or movement — essentially, anything that might be someone messing with your stuff — it logs what happened. It takes photos, records sound, even takes down changes in light or acceleration, and then sends notifications to your main phone. None of this logging is stored in the cloud, and the notifications you receive on your main phone are end-to-end encrypted over Signal.

    https://guardianproject.github.io/haven/

    Haven: Keep Watch
    Haven is for people who need a way to protect their personal spaces and possessions without compromising their own privacy, through an Android app and on-device sensors

    Reply
  40. Tomi Engdahl says:

    Intel to form new cybersecurity group amid chip flaw: report
    https://www.reuters.com/article/us-intel-restructuring/intel-to-form-new-cybersecurity-group-amid-chip-flaw-report-idUSKBN1EY06R

    Intel Corp (INTC.O) will create a new internal cybersecurity group in the wake of recently disclosed flaws in its microchips, the Oregonian newspaper reported on Monday, citing a memo sent to company employees.

    The new group would be run by Intel human resources chief Leslie Culbertson, who has worked at the chipmaker since 1979, and would be called “Intel Product Assurance and Security,” according to the report.

    “It is critical that we continue to work with the industry, to excel at customer satisfaction, to act with uncompromising integrity, and to achieve the highest standards of excellences,”

    Reply
  41. Tomi Engdahl says:

    With WPA3, Wi-Fi security is about to get a lot tougher
    http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/

    Finally, a security reprieve for open Wi-Fi hotspot users.

    The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that’s built in to protect almost every wireless device today — including phones, laptops, and the Internet of Things.

    WPA3 Announced After KRACK Attack to Improve Security for Personal and Enterprise Wi-Fi Networks
    https://gbhackers.com/wpa3-announced-enhance-security/

    Reply
  42. Tomi Engdahl says:

    Industrial robots that build cars can be easily hacked
    A hacker could introduce a minor defect in manufacturing that could be catastrophic.
    https://www.recode.net/2017/5/3/15521520/industrial-robots-build-cars-hacked-security

    Reply
  43. Tomi Engdahl says:

    Bringing safety and security together for process control applications
    https://www.controleng.com/single-article/bringing-safety-and-security-together-for-process-control-applications/412f09ec6e154f705bd7483d0810270a.html

    It is important to understand the interaction between safety and security in process control applications to make better overall decisions.

    Every production process comes with inherent risks. To achieve the greatest degree of safety and security, it is vital to implement an effective separation of the process control and safety systems, which is required for functional safety and cybersecurity standards. There is a lot at stake, including the employees’ health, the company’s assets, and the environment.

    It often is not possible to eliminate all potential risks; especially in complex systems.

    A more common definition of safety is the absence of unacceptable risks. Reducing risks to an acceptable level is functional safety’s task. An application’s safety depends on the function of a corresponding technical system, such as a safety controller. If this system fulfills its protective function, the application is regarded as functionally safe.

    Separate layers reduce risks

    The process industry increasingly is becoming aware of the importance of relevant standards for the safety and profitability of systems. Technical standard IEC 61511, Functional safety – Safety instrumented systems for the process industry sector, defines the best way to reduce the risk of incidents and downtime. It prescribes separate safety layers for control and monitoring, prevention and containment, as well as emergency measures (see Figure 1). Each of these three layers provides specific functions for risk reduction, and collectively they mitigate the hazards arising from the entire production process.

    IEC 61511 also prescribes independence, diversity, and physical separation for each protection level. To fulfill these requirements, the functions of the different layers need to be sufficiently independent of each other. It is not sufficient to use different I/O modules for the different layers because automation systems also are dependent on functions in I/O bus systems, CPUs and software. To be regarded as autonomous protection layers in accordance with IEC 61511, safety systems and process control systems must be based on different platforms, development foundations, and philosophies. In concrete terms, this means the system architecture must, fundamentally, be designed so no component in the process control system level or the safety level can be used simultaneously.

    Rising risk

    In the last 10 years, the risk of cyber attacks on industrial systems has risen due to increasing digitalization. In addition to endangering information security, these attacks increasingly pose a direct threat to system safety. System operators need to be aware of these risks and address them. This can be achieved in a variety of ways. Unlike functional safety systems, which are intended to protect people, these systems and measures protect technical information systems against intentional or unintentional manipulation as well as against attacks intended to disrupt production processes or steal industrial secrets.

    Safety and security have become more closely meshed. Cybersecurity plays a key role, particularly for safety-oriented systems, because it forms the last line of defense against a potential catastrophe.

    Standards define the framework

    Compliance with international standards is necessary in the design, operation, and specification of safety controllers. IEC 61508, Functional Safety, is the basic standard for safety systems, which applies to all safety-oriented systems (electrical, electronic, and programmable electronic devices). IEC 61511 is the fundamental standard for the process industry and defines the applicable criteria for the selection of safety function components.

    The IEC 62443 cybersecurity series of standards for information technology (IT) security in networks and systems must also be considered. It specifies a management system for IT security, separate protection layers with mutually independent operating and protection facilities, and measures to ensure IT security over the full life cycle of a system. It also requires separate zones for the enterprise network, control room, safety instrumented system (SIS), and basic process control system (BPCS), each of which must be protected by a firewall to prevent unauthorized access (

    Cybersecurity by design

    Safety and security are closely related aspects of process systems, which must be considered separately and as a whole.

    Standardized hardware and software in process control systems require regular updates to remedy weaknesses in the software and the operating system. However, the complexity of the software architecture makes it difficult or impossible to assess the risks analytically, which could arise from a system update. For example, updates to the process control system could affect the functions of the safety system integrated into the control system.

    To avoid critical errors with unforeseeable consequences in safety-relevant processes as a result of control system updates, the process control system must be technologically separate from the safety system. For effective cybersecurity, it is not sufficient to upgrade an existing product by retrofitting additional software functionality. Every solution for functional safety must be conceived and developed with cybersecurity in mind, right from the start. This applies equally to the firmware and the application software.

    A common feature of the process industry standard and the cybersecurity standard is the required separation of the SIS and the BPCS. This independence of safety systems is a good idea from a practical and economic perspective. The SIS and BPCS have, for example, very different life cycles and rates of change. System operators are free to choose “best-of-breed” solutions from different manufacturers.

    Reply
  44. Tomi Engdahl says:

    Cybersecurity Dangers Will Spike in 2018
    While the cyber danger increases for industrial networks, holistic security is gaining ground.
    https://www.designnews.com/automation-motion-control/cybersecurity-dangers-will-spike-2018/178950264557972

    Reply
  45. Tomi Engdahl says:

    Working Smarter, Not Harder: Bridging the Cyber Security Skills Gap
    http://www.securityweek.com/working-smarter-not-harder-bridging-cyber-security-skills-gap

    The Most Effective Security Teams Aren’t Necessarily the Largest or the Most Experienced

    Let AI Do the Heavy-lifting

    We are facing a dramatic cyber skills shortage, with the demand for skilled practitioners consistently outstripping supply. Companies struggle to find the right people for the job but beyond that, analysts have to stay motivated – avoiding alert fatigue and burnout.

    AI technology can not only make our existing teams more efficient, but can also help with retention by doing the heavy lifting and enabling security teams to focus on higher-level, strategic work.

    Be Creative in Your Hiring

    Consider rethinking your hiring strategy. Traditionally, most security teams have consisted of seasoned security professionals and cyber analysts, who use their experience to identify indicators of threats. However, armed with AI technology, budding cyber security experts can also catch even the most pernicious threats.
    The most effective security teams aren’t necessarily the largest or the most experienced, but the most diverse – complete with skilled cyber professionals, engineers, analysts, and intuitive business thinkers.

    Find Out What’s Happening on the Inside

    Armed with a badge into the building and a password to the network, some of the most impactful breaches start with an insider gone rogue—and yet these are often the most difficult threats to detect.

    Less is More: Prioritize Threats in Order of Severity

    We are drowning in data. ESG research found that 38 percent of organizations collect, process, and analyze more than 10 terabytes of data as part of security operations each month, while an Ovum report found that over a third of banks receive more than 200,000 security alerts daily.

    Finding an indicator of the next NotPetya or WannaCry is like trying to find a needle in a haystack for security teams. Organizations need to not only find that threat, but find it before it starts inflicting damage – in other words, in real time. But how can you find the subtle threat lurking in your network when your team is sifting through 200,000 alerts a day?

    Our security teams face the insurmountable task of triaging thousands of these false positives, traveling between web proxy logs, anti-virus logs, SIEM logs, and more to ultimately – and unfortunately – find an incomplete picture of what transpired. The last thing a SOC needs is yet another tool producing a profusion of alerts.

    Investing in methods to effectively visualize and prioritize threats in order of their severity can prove the difference between finding a threat as it emerges and finding a threat hundreds of days later.

    Reply
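The prioritisation the comment above calls for, as an added example that is not part of the original post: alerts from the three named sources (web proxy, anti-virus, SIEM) are collapsed, correlated per host and ranked, so a host that several independent sources flag rises above a pile of repeated low-value noise. The alert records and field names are constructed for this illustration.

```python
# Added example, not from the original page: rank alerts by severity and by
# cross-source corroboration so the SOC works the few that matter first.
# The alert records and field names (source, host, severity, kind) are constructed.
from collections import defaultdict

# Constructed sample alerts standing in for web proxy, anti-virus and SIEM feeds.
ALERTS = [
    {"source": "proxy", "host": "ws-017", "severity": 2, "kind": "uncategorized-domain"},
    {"source": "av",    "host": "ws-017", "severity": 4, "kind": "trojan-detected"},
    {"source": "siem",  "host": "ws-017", "severity": 3, "kind": "new-admin-logon"},
    {"source": "proxy", "host": "ws-042", "severity": 1, "kind": "ad-tracker"},
    {"source": "proxy", "host": "ws-042", "severity": 1, "kind": "ad-tracker"},  # duplicate
    {"source": "siem",  "host": "srv-db1", "severity": 5, "kind": "smb-lateral-movement"},
    {"source": "av",    "host": "ws-099", "severity": 2, "kind": "pua-toolbar"},
]

def prioritize(alerts):
    """Group alerts by host and score each host as
    (highest single severity) + 1 for every additional distinct source that
    corroborates it. Exact duplicates are collapsed so repeated noise from one
    sensor cannot inflate a host's rank."""
    by_host = defaultdict(list)
    seen = set()
    for a in alerts:
        key = (a["source"], a["host"], a["kind"])
        if key in seen:
            continue
        seen.add(key)
        by_host[a["host"]].append(a)
    ranked = []
    for host, items in by_host.items():
        sources = {a["source"] for a in items}
        score = max(a["severity"] for a in items) + (len(sources) - 1)
        ranked.append({"host": host, "score": score,
                       "sources": sorted(sources),
                       "kinds": sorted(a["kind"] for a in items)})
    # Highest score first; ties broken by host name so the worklist is stable.
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))

if __name__ == "__main__":
    for row in prioritize(ALERTS):
        print(f"{row['score']:>2}  {row['host']:<8} {row['sources']} {row['kinds']}")
```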
  46. Tomi Engdahl says:

    How public-private partnerships can combat cyber adversaries
    https://cloudblogs.microsoft.com/microsoftsecure/2017/12/13/how-public-private-partnerships-can-combat-cyber-adversaries/

    For several years now, policymakers and practitioners from governments, CERTs, and the security industry have been speaking about the importance of public-private partnerships as an essential part of combating cyber threats. It is impossible to attend a security conference without a keynote presenter talking about it. In fact, these conferences increasingly include sessions or entire tracks dedicated to the topic.

    Unfortunately, we stink at it. Information-sharing is the Charlie Brown football of cyber: we keep running toward it only to fall flat on our backs as attackers continually pursue us. Just wait ‘til next year. It’s become easier to talk about the need to improve information-sharing than to actually make it work, and it’s now the technology industry’s convenient crutch. Why? Because no one owns it, so no one is accountable. I suspect we each have our own definition of what information-sharing means, and of what success looks like. Without a sharp vision, can we really expect it to happen?

    Reply
  47. Tomi Engdahl says:

    Balance interests in understanding today’s and tomorrow’s threats with an equal commitment to lock down what is currently owned. (My favorite) Information-sharing usually includes going after threat actors and understanding what’s coming next. That’s important, but in an ‘assume compromise’ environment, we need to continue to hammer on the basics:

    Patch. If an integrator or on-site provider indicates patching and upgrading will break an application, and if that is used as an excuse not to patch, that is a problem. Authoritative third-parties such as US-CERT, SANS, and others recommend a 48- to 72-hour patch cycle. Review http://www.microsoft.com/secure to learn more.

    Reduce administrative privilege. This is especially important for contractor or vendor accounts. Up to 90 percent of breaches come from credential compromise. This is largely caused by a lack of, or obsolete, administrative, physical and technical controls to sensitive assets. Basic information-sharing demands that we focus on this. Here is guidance regarding securing access.

    Source: https://cloudblogs.microsoft.com/microsoftsecure/2017/12/13/how-public-private-partnerships-can-combat-cyber-adversaries/

    Reply
  48. Tomi Engdahl says:

    Cybersecurity: Have a game plan
    A proactive cybersecurity approach requires diligence and flexibility.
    https://www.controleng.com/single-article/cybersecurity-have-a-game-plan/dcd37f38336f2f7752582c80f8df4730.html

    Cybersecurity is a hot topic in the industry, and for good reason. In the past year, we have seen several large scale malware attacks that crippled manufacturers across multiple industries globally. Attacks that began in Europe quickly made their way here, and vice versa. Some manufacturers had to resort to cutting their enterprise networks and using personal email accounts and cell phones to continue operations. Every day, it seems there is another alert on a new vulnerability found in some piece of automation hardware or software.

    Cyber attacks feel like a far-off concept even when they hit close to home because for many of us the effects are intangible. A major pharmaceutical company having some computers attacked, or attacks on power grids overseas doesn’t feel like it poses a threat to everyday life because the attacks haven’t hit home in a way that matters. Focusing on and allocating resources to cybersecurity is very similar to focusing on safety. We have all heard of scenarios where safety precautions weren’t implemented because management didn’t see the value until they were hit with a hefty fine from OSHA due to an accident. Once an adverse incident occurs it is too late to avoid potentially large losses.

    Legacy migration

    Legacy migrations can strengthen security immediately. Legacy automation equipment poses a variety of issues and dangers on any manufacturing network.

    For starters, most manufacturers discontinue support on legacy systems. This includes technical support as well as patch development and testing to help mitigate security flaws (like the ability to poke OPC values into a controller) or other product faults.

    A lot of legacy platforms do not support Windows domain authentication, and in these cases a common username and password is used for user groups. These usernames and passwords are usually very basic and the devices have no way to maintain an audit trail on who is logging in and what is being changed. With legacy equipment, it is very common to see sticky notes with the username and password posted right on the HMI granting any person access. This opens manufacturers up to internal and external threats alike.

    Legacy platforms also usually run on legacy operating systems, which may not be supported by the vendor any more. This requires additional work and hardware to segregate the computers and it doesn’t necessarily guarantee absolute protection from outside threats.

    Unfortunately, many legacy systems are still in place because they are part of a critical process where downtime just is not available. When it is understood downtime from a security event will be greater and more disruptive than downtime for a migration, the case for migration becomes imperative.

    Modernization efforts bring about a whole host of process benefits, but they also bring along a variety of security benefits. Whether it is bringing on a more current and supported platform or getting rid of an unsupported operating system, there is more to modernization than shiny new plastic.

    Reply
  49. Tomi Engdahl says:

    Don’t Rely on One Star to Manage Digital Risk, The Key is Total Coverage
    http://www.securityweek.com/dont-rely-one-star-manage-digital-risk-key-total-coverage

    Vince Lombardi, one of the greatest coaches of all time said, “The achievements of an organization are the results of the combined effort of each individual.” Think about the most successful coaches and you’ll see a common thread – the ability to bring players and staff together and use their talents effectively and intelligently to defeat opponents. Phil Jackson accomplished this with different NBA franchises and Joe Gibbs with different quarterbacks. They didn’t count on any one “star” to carry the team. Nor did they focus their efforts defending against one big threat. They led their teams to victory by looking at the big picture and understanding how to strategically apply capabilities to defeat whatever the opposition pulled out of their bag of tricks.

    Digital risks include cyber threats, data exposure, brand exposure, third-party risk, VIP exposure, physical threats and infrastructure exposure. Often these threats and risks span data sources and cannot be detected in full context by any point solution or even by multiple solutions used in isolation. You need insight across the widest range of data sources possible to mitigate digital risk and better protect your organization.

    Here are three examples.

    1. We all know organizations struggle to keep up with patching, and this challenge isn’t expected to go away any time soon. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

    2. Ideologically motivated, hacktivists are far from quiet. They typically use social media to promote their cause and garner attention and often announce their targets on Facebook or Twitter. They also use Internet Relay Chat (IRC) to orchestrate attacks.

    3. A more complex example, but one that has been in the spotlight recently, is database extortion. In this scenario, attackers look for publicly exposed databases, for example on Amazon S3 buckets. From there, they may be able to find information allowing them to remotely connect to a server or desktop to infiltrate your organization further.

    In each of these three examples, tracking just one source, or even all sources but in isolation, would not give you the full context for any one of these threats.

    Reply
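For the database-extortion scenario in the comment above (attackers finding publicly exposed storage such as S3 buckets), here is an added defender-side check that is not part of the original article: it inspects a bucket policy and a bucket ACL for grants open to anyone. The policy and ACL documents are constructed; the AllUsers/AuthenticatedUsers group URIs are AWS's real predefined groups.

```python
# Added example (not from the article): flag S3 bucket policies and ACLs that open
# a bucket to anyone, the exposure that the database-extortion scenario relies on.
# The sample policy/ACL below are constructed; real ones come from the S3 API.
import json

# Real AWS predefined-group URIs that appear in public S3 ACL grants.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _wildcard_principal(principal):
    """True when Principal is '*' or {'AWS': '*'}, i.e. any caller at all."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_statements(policy):
    """(Sid, actions, has_condition) for every Allow statement open to anyone.
    A Condition may scope access (e.g. to one VPC endpoint); report it, don't assume it."""
    out = []
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal")):
            acts = s.get("Action", [])
            acts = [acts] if isinstance(acts, str) else acts
            out.append((s.get("Sid", "<no Sid>"), sorted(acts), "Condition" in s))
    return out

def public_acl_grants(acl):
    """(group URI, permission) for grants to AllUsers / AuthenticatedUsers."""
    return sorted((g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUPS)

# Constructed sample: one wide-open statement, one narrowed by a Condition, one private.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
  {"Sid": "Owner", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]}""")
SAMPLE_ACL = {"Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
   "Permission": "READ"}]}

if __name__ == "__main__":
    print(public_policy_statements(SAMPLE_POLICY))
    print(public_acl_grants(SAMPLE_ACL))
```

Statements reported with a Condition still need a human to read the condition; only the unconditioned wildcard grant is unambiguously public.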
