2017 was a bad cybersecurity year, and cybersecurity dangers are expected to spike in 2018. The security situation was so bad in 2017 that some thought we were hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed; it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facility operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.
Here is a list of relevant cyber security terms for 2018:
AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. As the types of attacks broaden and their sophistication deepens, we humans obviously need some help, and data science is the technology that processes and analyzes security data at a scale orders of magnitude beyond what humans could manage (see Attacks below). AI solutions could possibly help with some security problems, but be warned of over-hyping of AI in products. We will see many attacks against ‘black box’ machine learning models, where the attacker has nothing more than query access to the model.
Artisanal: Today, security is something of an artisanal industry. With a total addressable market north of $85 billion per year, and not one player above 5 percent, it is a chaotic industry of niches: endpoint, AV, cloud, network/infrastructure, application, compliance, and the list goes on and on. The overwhelming array of choices has given technologists a lot to evaluate, but it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than on simply checking all of the boxes with niche security tools.
Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.
Automation: Enterprises will no longer manually react to cyber events after they happen but will instead use systems to plan proactively and respond automatically. Security policy orchestration and automation are expected to lead next-generation cybersecurity for enterprises. An automated response is itself a privileged system: a playbook that isolates hosts or blocks addresses on a false positive takes production down as effectively as an attacker would, so it needs the same testing and review as any other change to the environment.
Backups: Understand and back up your data. Categorize data based on organizational value. Test that your backup and restore process actually works; a backup that has never been restored is an assumption, not a control. Keep at least one copy out of reach of the credentials that ransomware would run with, or the backup gets encrypted along with everything else.
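The restore test, as an added example rather than anything from the original post: it backs up a constructed directory into a tarball, records a SHA-256 manifest at backup time, restores into a fresh directory and compares every file against the manifest, then damages the archive and shows the same check failing. File names and contents are made up for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(root, archive):
    """Write root into a gzip tarball and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(root), arcname=".")
    return make_manifest(root)


def restore_and_verify(archive, manifest, dest):
    """Restore the archive into dest and check every file against the manifest.

    Returns (ok, problems). Any exception while reading the archive counts as a
    failed restore, which is exactly the case a never-tested backup hides.
    """
    dest = Path(dest)
    try:
        with tarfile.open(archive, "r:gz") as tar:
            # Python 3.12+ (and patched 3.8-3.11) offer extraction filters that
            # refuse absolute paths and '..' traversal inside the archive.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **extra)
    except Exception as exc:  # any failure here means there is no usable restore
        return False, [f"restore failed: {type(exc).__name__}: {exc}"]
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"checksum mismatch after restore: {rel}")
    return not problems, problems


def demo():
    """Back up constructed sample data, verify a restore, then show a damaged archive failing."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "db").mkdir(parents=True)
        # Constructed sample content, not real data.
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")

        archive = tmp / "backup.tar.gz"
        manifest = backup(src, archive)
        good_ok, good_problems = restore_and_verify(archive, manifest, tmp / "restore-good")

        # Simulate a damaged backup (disk error, interrupted copy): keep only half the bytes.
        raw = archive.read_bytes()
        archive.write_bytes(raw[: len(raw) // 2])
        bad_ok, bad_problems = restore_and_verify(archive, manifest, tmp / "restore-bad")
        return good_ok, good_problems, bad_ok, bad_problems


if __name__ == "__main__":
    print(demo())
```

The manifest is the part most backup scripts skip: without a digest taken at backup time, a restore that "completes" tells you nothing about whether the bytes that came back are the bytes that went in.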
Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward better protection of assets, business and people is to assume that everything is connected, and therefore vulnerable. A second could be to invest in a network visibility solution. Behavioral analytics enables verification that users are doing the right thing (trust, but verify). There are more and more tools to help companies detect anomalous behavior in their organizations; all of them need a baseline of normal activity first, and they are noisy until that baseline exists.
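Here is what the baseline-then-deviation approach looks like in code. This is an added example, not code from the original post or any product it mentions; the login events are constructed, and the profile fields (hour of day, source country, host) and the two-deviation alert threshold are choices made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login events, not real logs: (user, ISO timestamp, source country, host).
HISTORY = [
    ("alice", "2018-01-08T09:05:00", "FI", "ws-12"),
    ("alice", "2018-01-08T10:30:00", "FI", "ws-12"),
    ("alice", "2018-01-09T14:00:00", "FI", "ws-12"),
    ("alice", "2018-01-10T17:45:00", "FI", "ws-12"),
    ("bob",   "2018-01-08T08:00:00", "FI", "srv-db"),
    ("bob",   "2018-01-09T12:00:00", "FI", "srv-db"),
    ("bob",   "2018-01-10T16:00:00", "FI", "srv-db"),
]

NEW_EVENTS = [
    ("alice",   "2018-01-15T09:10:00", "FI", "ws-12"),   # routine
    ("alice",   "2018-01-15T15:00:00", "FI", "ws-12"),   # an hour off the usual: tolerated
    ("alice",   "2018-01-16T03:12:00", "RO", "srv-db"),  # new hour, country and host at once
    ("bob",     "2018-01-15T13:00:00", "FI", "srv-db"),  # routine
    ("mallory", "2018-01-15T10:00:00", "FI", "ws-12"),   # account never seen before
]


def build_baseline(events):
    """Per-user profile of the hours, countries and hosts seen in the training window."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set(), "hosts": set()})
    for user, ts, country, host in events:
        profile = baseline[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["countries"].add(country)
        profile["hosts"].add(host)
    return baseline


def deviations(profile, event, hour_slack=1):
    """List the ways one event departs from a user's profile.

    Hours are compared without wrap-around at midnight, which is fine for a
    day-shift baseline like the constructed one above.
    """
    _, ts, country, host = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if all(abs(hour - h) > hour_slack for h in profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if country not in profile["countries"]:
        reasons.append(f"new source country {country}")
    if host not in profile["hosts"]:
        reasons.append(f"new host {host}")
    return reasons


def detect(history, new_events, threshold=2):
    """Alert on events with at least `threshold` deviations, or on accounts with no baseline.

    One deviation (a late login, a new host) is normal life; several at once
    is what a stolen credential tends to look like.
    """
    baseline = build_baseline(history)
    alerts = []
    for event in new_events:
        user = event[0]
        if user not in baseline:
            alerts.append((user, event[1], ["no baseline for this account"]))
            continue
        reasons = deviations(baseline[user], event)
        if len(reasons) >= threshold:
            alerts.append((user, event[1], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, why in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {user} at {ts}: {'; '.join(why)}")
```

Two of the five new events alert: alice's 03:12 login from a new country to a new host, and the account with no history at all. The two single-deviation events stay quiet, which is the whole reason for a threshold rather than alerting on any change.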
Blockchain: A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography: each block carries the hash of the block before it, so changing any past block changes every hash after it. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double-spending problem without the need for a trusted authority or central server; note that the hash chain alone only makes tampering detectable, and it is the proof-of-work consensus among many nodes that makes rewriting bitcoin’s history impractical. Blockchain, the technology underlying cryptocurrency, is a good example of a community-based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors: some see unauthorized coin mining in the browser as a looming security risk, and some see that authorized browser mining could be used for micro-payments.
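The linking described above, as an added example (not code from the post or from any blockchain project): a minimal hash chain with a verifier, showing both a naive edit of a past block and an edit that also recomputes that block’s hash being caught. The ledger entries are constructed. There is no consensus or proof-of-work here, which is the point: tamper-evidence is all that an "application blockchain" without one gives you, and it only protects someone who already holds a trusted copy of the latest hash.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(block):
    """SHA-256 over a canonical serialization of the block's contents (never over its own hash)."""
    payload = {"index": block["index"], "prev_hash": block["prev_hash"], "data": block["data"]}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_block(chain, data):
    """Create a block that commits to the previous block's hash and append it."""
    block = {
        "index": len(chain),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
        "data": data,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain):
    """Return (True, -1) if every hash and link checks out, else (False, index of first bad block)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i                     # contents changed after hashing
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return False, i                     # link to the predecessor is broken
    return True, -1


def build_sample_chain():
    """Constructed ledger entries for the example; not real transactions."""
    chain = []
    for record in [
        {"from": "mint", "to": "alice", "amount": 50},
        {"from": "alice", "to": "bob", "amount": 5},
        {"from": "bob", "to": "carol", "amount": 2},
    ]:
        append_block(chain, record)
    return chain


def tamper_demo():
    """Show that both a naive edit and a hash-recomputing edit of block 1 are detected."""
    chain = build_sample_chain()

    # Naive tampering: change the amount, leave the stored hash alone.
    naive = copy.deepcopy(chain)
    naive[1]["data"]["amount"] = 500
    naive_result = verify_chain(naive)            # fails at block 1 itself

    # Smarter tampering: also recompute block 1's hash. Block 2 still points at the old one.
    recomputed = copy.deepcopy(naive)
    recomputed[1]["hash"] = block_hash(recomputed[1])
    recomputed_result = verify_chain(recomputed)  # fails at block 2, the broken link

    return naive_result, recomputed_result


if __name__ == "__main__":
    print(verify_chain(build_sample_chain()), tamper_demo())
```

An attacker who controls the whole copy can of course recompute every later block too; that is why a real chain is replicated and anchored by proof-of-work, and why a private "blockchain" with one writer is just a hash chain with a fashionable name.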
Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.
Certificates: Facebook released new Certificate Transparency tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool helps ensure that newly issued certificates logged to Certificate Transparency logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks. With hundreds of Certificate Authorities (CAs) able to issue publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates. CT does not prevent mis-issuance; it makes it visible, so somebody has to watch the logs for your domains and act (revocation, CAA records restricting which CAs may issue for you) when an unexpected certificate shows up.
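The monitoring job that such a tool automates, written out as an added example (not the Facebook tool’s code): it scans CT search results for certificates covering a monitored domain and alerts when the issuer is not one the organization actually uses. The input is a constructed sample shaped like the JSON a CT search service such as crt.sh returns; the domain example.com, the issuer names and the entry ids are made up for the example, and the suffix check guards against the classic mistake of letting example.community match example.com.

```python
import json

MONITORED_DOMAIN = "example.com"
# Organizations (the O= part of the issuer DN) we actually obtain certificates from.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}

# Constructed sample shaped like CT search output (id, issuer DN, one SAN per line,
# not_before). The entries are made up; a real job would fetch them from a CT log
# or search service for the monitored domain.
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "example.com\nwww.example.com", "not_before": "2018-01-03T10:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "*.example.com", "not_before": "2018-01-20T08:15:00"},
    {"id": 103, "issuer_name": "C=XX, O=Some Other CA Ltd, CN=Some Other CA Issuing CA 2",
     "name_value": "login.example.com\nexample.com", "not_before": "2018-02-02T23:40:00"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "example.community", "not_before": "2018-02-05T12:00:00"},
])


def issuer_org(issuer_dn):
    """Extract the O= attribute from a comma-separated DN string.

    Good enough for CT search output; an O value containing a comma would need
    a real DN parser.
    """
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return None


def covers_domain(name, domain):
    """True if a SAN entry (possibly a wildcard) is the domain or a subdomain of it.

    The suffix test includes the dot on purpose: 'example.community' must not
    match 'example.com'.
    """
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def find_unexpected_certs(ct_json, domain, expected_orgs, already_seen=frozenset()):
    """Return CT entries for `domain` whose issuer is not one we use.

    `already_seen` holds entry ids processed on a previous run, so a periodic
    job only alerts on entries that are new in the log.
    """
    alerts = []
    for entry in json.loads(ct_json):
        if entry["id"] in already_seen:
            continue
        names = entry["name_value"].split("\n")
        if not any(covers_domain(n, domain) for n in names):
            continue
        org = issuer_org(entry["issuer_name"])
        if org not in expected_orgs:
            alerts.append({"id": entry["id"], "issuer": org,
                           "names": names, "not_before": entry["not_before"]})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_certs(SAMPLE_CT_JSON, MONITORED_DOMAIN, EXPECTED_ISSUER_ORGS):
        print(f"UNEXPECTED CERT {alert['id']} from {alert['issuer']!r} "
              f"for {alert['names']} issued {alert['not_before']}")
```

Only entry 103 is reported: it covers login.example.com and example.com but comes from a CA the organization never used. Entry 104 is ignored because of the dot-suffix check. Whether a reported certificate is a forgotten legitimate purchase or a mis-issuance is a question for a human, which is why the alert carries the issuer and the issue time rather than a verdict.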
Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet cloud security is oftentimes still thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security: the same inventory, identity, logging and patching questions apply, they just have a different set of answers.
Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”
GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other people, then you will be affected by the GDPR. The GDPR was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, at which time organizations in non-compliance will face heavy fines (up to 20 million EUR or up to 4% of annual worldwide turnover, whichever is higher). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, e.g. a cloud service provider) or the data subject (the person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures that meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller will be under a legal obligation to notify the supervisory authority without undue delay of a personal data breach (where feasible, within 72 hours of becoming aware of it). Europe’s GDPR scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but, and this is the bleedin’ EU, it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.
Holistic: While the cyber danger to industrial networks increases, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 a shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels: cloud, network and device. The holistic solution takes security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.
HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling occurs on pages delivered over HTTP that include forms. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP. The check is on the page, not on the form’s target: a login form on an HTTP page that posts to HTTPS is still flagged, because anyone who can modify the HTTP page can change where the form posts.
HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites supported HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.
HTTPS: In HTTPS, the HTTP communication protocol is encrypted by Transport Layer Security (TLS) or, formerly, its predecessor Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide: the client only ever sees the interception product’s certificate and has to trust that the product validates the real server’s certificate as carefully as the browser would have, and the US-CERT alert TA17-075A found that many such products do not.
ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems. In 2018 this trend will likely continue, given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.
Identify: Once you have an inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.
IPv6: IPv6 usage finally seems to be accelerating in 2018. IPv6 has been “the future” since 1998, and an important future since 2007. IPv6 deployments have been increasing, and chances are you have already used IPv6 without realizing it. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4 security, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is dying. It seems that both technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default, so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work this way). The practical check is simple: every firewall rule, ACL, logging pipeline and monitoring query written for IPv4 needs an IPv6 counterpart, because a host reachable on both will be attacked on whichever one you forgot.
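The blind spot of a dual-stack host with IPv4-only firewall rules, as an added example that is not from the post or from any firewall product: a small rule evaluator models iptables hardened to a DROP default while ip6tables still carries its installed ACCEPT default, an audit lists the flows accepted only because their address family has no rules at all, and a mirror step adds the IPv6 counterpart of each rule. The networks, flows and the v4-to-v6 mapping are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# An inbound allow rule: traffic from `network` to TCP `port` is accepted.
Rule = namedtuple("Rule", "network port")


def parse_rules(specs):
    return [Rule(ipaddress.ip_network(net), port) for net, port in specs]


# Constructed inbound policy for a dual-stack server (not a real configuration):
# SSH from the corporate RFC 1918 range, HTTPS from anywhere. Nothing mentions IPv6.
V4_ONLY_RULES = parse_rules([("10.0.0.0/8", 22), ("0.0.0.0/0", 443)])

# Default verdict per address family when no rule of that family exists. This
# models the common state where iptables was hardened to DROP but ip6tables was
# never touched and still has its installed ACCEPT policy.
DEFAULT_POLICY = {4: "drop", 6: "accept"}


def decide(src, dst_port, rules, default_policy=DEFAULT_POLICY):
    """Verdict for one inbound connection attempt under the given rules."""
    src_ip = ipaddress.ip_address(src)
    family_rules = [r for r in rules if r.network.version == src_ip.version]
    if not family_rules:
        return default_policy[src_ip.version]   # no rules for this family: the default decides
    for rule in family_rules:
        if src_ip in rule.network and rule.port == dst_port:
            return "accept"
    return "drop"


# Constructed connection attempts as the firewall would see them: (source, dest port).
FLOWS = [
    ("198.51.100.7", 22),       # Internet host probing SSH over IPv4
    ("10.20.30.40", 22),        # corporate host, SSH over IPv4
    ("2001:db8:ffff::7", 22),   # the same kind of Internet probe, over IPv6
    ("2001:db8:ffff::7", 443),
    ("198.51.100.7", 443),
]


def audit(flows, rules):
    """Flows accepted only because their address family has no rules at all."""
    exposed = []
    for src, port in flows:
        version = ipaddress.ip_address(src).version
        has_family_rules = any(r.network.version == version for r in rules)
        if not has_family_rules and decide(src, port, rules) == "accept":
            exposed.append((src, port))
    return exposed


# The IPv6 counterpart of each IPv4 network must be chosen by hand; there is no
# mechanical translation. Mapping assumed for this example: the corporate range
# lives in ULA space fd00::/8, and "anywhere" is ::/0.
V6_COUNTERPART = {"10.0.0.0/8": "fd00::/8", "0.0.0.0/0": "::/0"}


def mirror_rules(rules, counterpart):
    """Add an IPv6 rule for every IPv4 rule so both stacks enforce the same policy."""
    mirrored = list(rules)
    for rule in rules:
        if rule.network.version == 4:
            v6_net = ipaddress.ip_network(counterpart[str(rule.network)])
            mirrored.append(Rule(v6_net, rule.port))
    return mirrored


if __name__ == "__main__":
    print("exposed with IPv4-only rules:", audit(FLOWS, V4_ONLY_RULES))
    print("exposed with mirrored rules: ", audit(FLOWS, mirror_rules(V4_ONLY_RULES, V6_COUNTERPART)))
```

With the IPv4-only rules the Internet probe on port 22 is dropped over IPv4 and accepted over IPv6 to the very same host. After mirroring, the same probe is dropped on both families and the audit comes back empty; the HTTPS flow is still accepted, but now because a rule says so rather than because nothing does.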
Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT security starts with liability for companies, not just legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. An IoT system should address security at all levels: cloud, network and device. The holistic solution takes security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There is a race going on for a universal IoT security standard, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates (including signing them, so a device cannot be fed a malicious one) should be a part of any security standard.
On the bad front for industrial control systems, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
Micro-segmentation: Categorize data based on organizational value, and then create physical or logical separation of networks for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also stop attacks like WannaCry and NotPetya from propagating across networks to reach their intended target: both spread, among other ways, over SMB (TCP port 445) between hosts that had no business talking to each other on that port.
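The propagation argument in code, as an added example (constructed zones, hosts and policy; not from the post or from any analysis of WannaCry or NotPetya): a zone-based default-deny policy with host isolation inside the workstation and supplier zones, and a worm simulation that tries TCP 445 from every infected host to every other host, first on a flat network and then under the segmented policy.

```python
import ipaddress

# Constructed zones and policy, not a real network.
ZONES = {
    "workstations": ["10.10.0.0/16"],
    "servers":      ["10.20.0.0/16"],
    "supplier":     ["10.30.0.0/24"],   # third-party / supply-chain access segment
}

# Allowed cross-zone flows as (source zone, destination zone, TCP port). Default deny.
POLICY = {
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),   # file shares
    ("supplier", "servers", 8443),      # vendor support portal only
}

# Zones whose members may not talk to each other directly (host isolation).
ISOLATED_ZONES = {"workstations", "supplier"}

_NETWORKS = {zone: [ipaddress.ip_network(n) for n in nets] for zone, nets in ZONES.items()}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, nets in _NETWORKS.items():
        if any(addr in net for net in nets):
            return zone
    return None


def allowed(src, dst, port):
    """Policy decision for one connection under the segmented design."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False                      # unknown address: deny
    if src_zone == dst_zone:
        return src_zone not in ISOLATED_ZONES
    return (src_zone, dst_zone, port) in POLICY


def flat(src, dst, port):
    """The pre-segmentation network: every host can reach every other host."""
    return True


# Constructed host inventory: three workstations, two servers, one supplier box.
HOSTS = ["10.10.1.5", "10.10.1.6", "10.10.2.7", "10.20.0.10", "10.20.0.11", "10.30.0.5"]


def simulate_spread(seed, hosts, policy, port=445):
    """Hosts a self-propagating worm can reach from `seed` over `port`, given `policy`.

    WannaCry-style propagation: each infected host tries the port on every other host.
    """
    infected = {seed}
    frontier = [seed]
    while frontier:
        current = frontier.pop()
        for host in hosts:
            if host not in infected and policy(current, host, port):
                infected.add(host)
                frontier.append(host)
    return infected


if __name__ == "__main__":
    seed = "10.10.1.5"
    print("flat network:", sorted(simulate_spread(seed, HOSTS, flat)))
    print("segmented:   ", sorted(simulate_spread(seed, HOSTS, allowed)))
```

From one infected workstation the flat network loses all six hosts. Under the segmented policy the other workstations and the supplier segment are never reached, but both servers still are, because the policy deliberately allows file-share traffic on 445 from workstations to servers. That remaining path is the rule to look at next (a file-server allow-list, or no SMB from workstations at all), and the simulation is a cheap way to see what each candidate rule buys before touching the real network.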
Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai makers pleaded guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.
Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.
Patching: Vulnerabilities are not a new phenomenon; they are as old as computers, and they need to be fixed. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this model, imminent threats (vulnerabilities already being exploited, on assets an attacker can actually reach) are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.
Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
PSD2: The EU-wide Payment Services Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.
Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.
Responsibility: People are starting to call on companies to take responsibility. The EU’s General Data Protection Regulation (GDPR) was developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some say it’s time for innovators to take responsibility for their creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run almost every part of our lives, where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibility also covers responsibly disclosing the vulnerabilities you find in other people’s products.
Risk Mitigation: Risk mitigation is a timeless subject in the information security field, and it is, in essence, what information security is all about. If we look at the biggest risks most organizations face, many of them relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of the security program. Focus on the actual disease and not just the symptoms. The best security doesn’t exclude users, it empowers them.
Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks were common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers: a routine update from a vendor you trust is exactly how NotPetya arrived, through the update mechanism of the M.E.Doc accounting software.
Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?
Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. Even the projects attempting it (DARPA’s chip-based work among them) hedge on whether truly unhackable hardware is achievable and talk of “hack resistance” instead.
Virtual security: “Virtual security” means that manufacturers claim their products are secure, but in reality they are not.
Vulnerability: Patching is an important part of your defense strategy, and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events had increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon; they are as old as computers. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information, and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run: many organizations have no process for tracking the open source components they ship, so they cannot tell which of their products a newly published vulnerability affects. If you find vulnerabilities in other people’s products, disclose them responsibly.
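The threat-centric ordering described under Patching and again here, as one added example (placeholder finding ids and illustrative scores, not real CVE data, and not Gartner’s own model): findings are tiered by whether they are exploited in the wild and whether the asset is Internet-reachable or holds sensitive data, sorted within a tier by CVSS and then by age, and a separate check lists everything that has been known for more than a year, the population Gartner says attackers keep living off.

```python
from datetime import date

# Constructed findings (placeholder ids, illustrative scores); not real CVE data.
FINDINGS = [
    {"id": "F-1001", "cvss": 9.8, "published": "2017-03-14", "exploited_in_wild": True,
     "public_exploit": True, "asset": "file-srv-1", "exposure": "internal", "data": "sensitive"},
    {"id": "F-1002", "cvss": 10.0, "published": "2017-03-07", "exploited_in_wild": True,
     "public_exploit": True, "asset": "web-portal", "exposure": "internet", "data": "sensitive"},
    {"id": "F-1003", "cvss": 7.5, "published": "2014-04-07", "exploited_in_wild": True,
     "public_exploit": True, "asset": "lab-proxy", "exposure": "internal", "data": "none"},
    {"id": "F-1004", "cvss": 8.8, "published": "2017-12-20", "exploited_in_wild": False,
     "public_exploit": True, "asset": "vpn-gw", "exposure": "internet", "data": "none"},
    {"id": "F-1005", "cvss": 5.3, "published": "2016-11-01", "exploited_in_wild": False,
     "public_exploit": False, "asset": "print-srv", "exposure": "internal", "data": "none"},
]


def days_open(finding, today):
    """Days since the vulnerability became public knowledge."""
    return (today - date.fromisoformat(finding["published"])).days


def tier(finding):
    """Lower is more urgent. Threat-centric: what is being exploited and reachable comes first."""
    reachable_or_valuable = finding["exposure"] == "internet" or finding["data"] == "sensitive"
    if finding["exploited_in_wild"] and reachable_or_valuable:
        return 1   # imminent threat: fix now, out of cycle if necessary
    if finding["exploited_in_wild"]:
        return 2   # exploited, but on an internal asset without sensitive data
    if finding["public_exploit"] and finding["cvss"] >= 7.0:
        return 3   # weaponized but not yet seen in attacks
    return 4       # everything else: scheduled by score


def prioritize(findings, today):
    """Remediation order: tier, then CVSS, then how long the vulnerability has been known."""
    return sorted(findings, key=lambda f: (tier(f), -f["cvss"], -days_open(f, today)))


def overdue(findings, today, limit_days=365):
    """Findings older than the limit: the ones an attacker can count on still being there."""
    return [f["id"] for f in findings if days_open(f, today) > limit_days]


if __name__ == "__main__":
    today = date(2018, 1, 15)
    for f in prioritize(FINDINGS, today):
        print(f"tier {tier(f)}  {f['id']}  cvss {f['cvss']:4}  "
              f"open {days_open(f, today):5}d  {f['asset']}")
    print("known for more than a year:", overdue(FINDINGS, today))
```

Note how the ordering differs from a plain CVSS sort: the 7.5 on the lab proxy outranks the 8.8 on the VPN gateway because one is being exploited and the other is not, and the 5.3 on the print server still surfaces in the overdue list because it has been sitting there since 2016.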
Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These threats are likely to continue into 2018.
Sources:
Firefox, Chrome start calling HTTP connections insecure
Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead
Cybersecurity Dangers Will Spike in 2018
We’re hitting rock bottom in cyber — let’s do something | TechCrunch
Mirai-makers plead guilty, Hajime still lurks in shadows
DARPA Takes Chip Route to ‘Unhackable’ Computers
Another AI attack, this time against ‘black box’ machine learnings
General Data Protection Regulation (Wikipedia)
Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already
How should GDPR be taken into account in software development? (Miten GDPR pitää huomioida ohjelmistokehityksessä?)
Seven Seas Cybersecurity: Captain, We Have a Problem
In the Words of President Ronald Reagan, “Trust but Verify”
Why You Should Question These Most Common Cloud Assumptions
It’s 2018. Do You Know Where Your Data Are?
Improved IoT Security Starts with Liability for Companies, Not Just Legislation
Smart Factory Connectivity for the Industrial IoT
The Race for a Universal IoT Security Standard
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.
Resolve to Mitigate Your Business’ Digital Risk in 2018
Emerging Trends in Vulnerability Management
Research reveals customer-facing web and mobile apps as top security challenge
Open Source Vulnerabilities: Are You Prepared to Run the Race?
Device Security for the Industrial Internet of Things
GDPR and Open Source: Best Practices
Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC
ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good
Threat Modeling the Internet of Things: Modeling Reaper
Engineering for Privacy Requires Standards
How to Make Adversaries Work Harder, While We Work Smarter, in 2018
2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices
Facebook Releases New Certificate Transparency Tools
iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
U.S. Military to Send Cyber Soldiers to the Battlefield
Machine Learning & Security: Making Users Part of the Equation
Security is Not a Technology Profession
Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018
636 Comments
Tomi Engdahl says:
Trump’s new cyber strategy eases rules on use of government cyberweapons
https://techcrunch.com/2018/09/21/trumps-new-cyber-strategy-eases-rules-on-use-of-government-cyberweapons/?utm_source=tcfbpage&sr_share=facebook
In the 40-page document, the government set out its plans to improve cybersecurity, incentivizing change, and reforming computer hacking laws. Election security about a quarter of a page, second only to “space cybersecurity.”
the imposition of “consequences” was repeated.
“Our presidential directive effectively reversed those restraints, effectively enabling offensive cyber-operations through the relevant departments,” said John Bolton, national security advisor, to reporters.
Tomi Engdahl says:
Wireless Carriers Now Want to Be the Keepers of Your Website Login Data
https://motherboard.vice.com/amp/en_us/article/d3jpkv/wireless-carriers-now-want-to-be-the-keepers-of-your-website-login-data?__twitter_impression=true
But a history of privacy scandals makes them the worst candidates for the job.
Wireless carriers are developing a new system that could someday allow consumers to log into supporting websites without the need for traditional passwords. But given the industry’s terrible track record on privacy, significant doubts linger over whether wireless carriers should be tasked with maintaining even more of the public’s sensitive data.
AT&T, Verizon, Sprint, and T-Mobile this week gave this project a formal name: Project Verify. Project Verify is a “next generation authentication platform” that’s supposed to make passwords irrelevant, instead confirming a user’s identity using a myriad of other factors, including location data, cellular handset specs, “account tenure,” SIM card information, and more.
Tomi Engdahl says:
5 ways DevSecOps changes security
https://opensource.com/article/18/9/devsecops-changes-security
Security must evolve to keep up with the way today’s apps are written and deployed.
There’s been an ongoing kerfuffle over whether we need to expand DevOps to explicitly bring in security. After all, the thinking goes, DevOps has always been something of a shorthand for a broad set of new practices, using new tools (often open source) and built on more collaborative cultures. Why not DevBizOps for better aligning with business needs? Or DevChatOps to emphasize better and faster communications?
Hopefully, someday we will have a world where we no longer have to use the word DevSecOps and security will be an inherent part of all service delivery discussions.
We’ve arguably never done a great job of information security in spite of (or maybe because of) the vast industry of complex point products addressing narrow problems. But we also arguably did a good enough job during the era when defending against threats focused on securing the perimeter, network connections were limited, and most users were employees using company-provided devices.
Those circumstances haven’t accurately described most organizations’ reality for a number of years now. But the current era, which brings in not only DevSecOps but new application architectural patterns, development practices, and an increasing number of threats, defines a stark new normal that requires a faster pace of change.
Tomi Engdahl says:
Three years later, Let’s Encrypt has issued over 380 million HTTPS certificates
https://techcrunch.com/2018/09/14/three-years-later-lets-encrypt-now-secures-75-of-the-web/?sr_share=facebook&utm_source=tcfbpage
The free-to-use nonprofit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate.
Since then, the numbers have exploded. To date, more than 380 million certificates have been issued on 129 million unique domains. That also makes it the largest certificate issuer in the world, by far.
Now, 75 percent of all Firefox traffic is HTTPS, according to public Firefox data
Tomi Engdahl says:
MSPs: Please, Pretty Please, Don’t List Your Clients On Your Website
https://www.linkedin.com/pulse/msps-please-pretty-dont-list-your-clients-website-brian-gill/
Your website is one of the many things any potential customer will look at when deciding who they want to go to for managed IT services.
Your website is your first opportunity to sell yourself as the solution to your potential client’s problems, and you need to make a good first impression
So what can you do to draw your potential customer’s eye and convince them that You’re The Best Around (and nothing’s gonna ever keep you down)? It sounds like a no-brainer—why, of course, you’ll list some of your highest-profile business clients right there on your website!
But… is this actually a good idea? It sounds obvious from a marketing standpoint—but you have other things you need to consider. Things like cybersecurity and the safety of your clients.
You see, when you put your clients’ names on your website, you’re not just enticing potential customers. You’re drawing in a nasty sort of folk who will look at that list and, instead of seeing an A+ pedigree of great managed IT services, will see a list of targets ripe for exploitation.
That’s right—you’re leading hackers to your clients!
The thickest vault walls and heaviest doors in the world don’t matter when a master thief can just dress up as a security guard, have some unsuspecting mark guarding the safe just hand him the key, and waltz right in. When you show off your clients on your website, you’re handing hackers just the disguise they need to get what they want.
ever be 100% effective. In other words, sooner or later, one of your clients is going to get hit.
When hacks happen, it’s up to you to help your clients clean up—which you can do by enlisting an expert incident response team ASAP.
If you are not currently supplying your clientele with any social engineering training, this might be a really good idea as well. Training your clients to be more paranoid and prepared for scammers is a fantastic way for MSPs to add value.
Tomi Engdahl says:
Stephen Hiltner / New York Times:
Defcon attendees say corporate demands, widespread professionalization, and bug bounty programs are reshaping hackers’ attitudes toward privacy and anonymity
For Hackers, Anonymity Was Once Critical. That’s Changing.
https://www.nytimes.com/2018/09/22/technology/defcon-hackers-privacy-anonymity.html
At Defcon, one of the world’s largest hacking conferences, new pressures are reshaping the community’s attitudes toward privacy and anonymity.
Nico Sell managed to stay “ungoogleable,” she said, until around 2012, when, acting as chief executive of a secure-messaging company, Wickr, she felt she needed to become more of a public figure — if reluctantly. “My co-founders and I, we all drew straws,” she said, “and that was that.”
A lion’s share of the media attention devoted to hacking is often directed at deeply anonymous (and nefarious) hackers like Guccifer 2.0, a shadowy online avatar — alleged to have been controlled by Russian military intelligence officers — that revealed documents stolen from the Democratic National Committee in 2016. And, to be sure, a number of Defcon attendees, citing various concerns about privacy, still protect their identities. Many conceal their real names, instead using only pseudonyms or hacker aliases. Some wear fake beards, masks or other colorful disguises.
But new pressures, especially for those who attend Defcon, seem to be reshaping the community’s attitudes toward privacy and anonymity. Many longtime hackers, like Ms. Sell and Mr. Wyler, have been drawn into the open by corporate demands, or have traded their anonymity for public roles as high-level cybersecurity experts.
“It’s probably fair to say that fewer and fewer people are hiding behind their handles,”
“This is a profession for a lot of people now,” she added. “And you can’t fill out a W-9 with your hacker handle.”
Defcon has grown exponentially since its founding in 1993, when Jeff Moss — or, as many of his hacker friends know him, The Dark Tangent, or simply D.T. — gathered about 100 of his hacker friends for a hastily assembled party.
Tomi Engdahl says:
Credential Stuffing Attacks Are Reaching DDoS Proportions
https://www.securityweek.com/credential-stuffing-attacks-are-reaching-ddos-proportions
Credential stuffing is a growing threat. It is not new, but for many companies it is treated as annoying background noise that can be absorbed by bandwidth, handled by access controls, and ignored. New figures suggest that this is a bad approach.
Credential stuffing typically uses bots to test many hundreds of thousands of stolen credential pairs against fresh targets. It doesn’t afford a high return for the attacker, but it is a low cost, low risk attack that occasionally hits the jackpot. The attacker is relying on users’ habit of reusing the same password across multiple accounts.
It isn’t clear exactly where the credentials come from — but there have been dozens of major breaches, hundreds of minor breaches, and an unknown number of unreported breaches over the last few years — and we know that criminals aggregate stolen databases and sell them on. We are usually told that stolen passwords have been hashed; but since credential stuffing can only happen with plaintext passwords, either some of the databases were never hashed, or hashing is not as secure against cracking as we would like to believe.
Financial and retail sectors are the most targeted simply because that’s where the online money is to be found. In its ‘State of the Internet/security — Credential Stuffing Attacks’ report (PDF), Akamai focuses on the experiences of just two financial sector customers. The first is a very large financial services institution, while the second is a much smaller credit union bank.
“Credential Stuffing is growing fast,” Rich Bolstridge, chief strategist for financial services at Akamai Technologies, told SecurityWeek. “In March and April 2018 we logged over 6 billion malicious login attempts. By May and June, this had risen to more than 8 billion attempts.”
https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/soti-2018-credential-stuffing-attacks-report.pdf
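The pattern the article describes (one source testing many different usernames, mostly failing, occasionally succeeding) is easy to separate from ordinary failed logins or from a brute-force attack on a single account once you look at distinct usernames per source rather than raw failure counts. The following is an added example, not code from the SecurityWeek article or from Akamai; the log line format, thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not from the article).
# 198.51.100.7 sprays six different usernames in three seconds and lands one hit;
# 203.0.113.9 retries a single account (brute force, not stuffing);
# 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2018-09-25T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2018-09-25T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2018-09-25T10:00:02Z ip=198.51.100.7 user=carol result=FAIL
2018-09-25T10:00:03Z ip=198.51.100.7 user=dave result=OK
2018-09-25T10:00:03Z ip=198.51.100.7 user=erin result=FAIL
2018-09-25T10:00:04Z ip=198.51.100.7 user=frank result=FAIL
2018-09-25T10:00:10Z ip=203.0.113.9 user=alice result=FAIL
2018-09-25T10:00:15Z ip=203.0.113.9 user=alice result=FAIL
2018-09-25T10:00:20Z ip=203.0.113.9 user=alice result=OK
2018-09-25T10:05:00Z ip=192.0.2.44 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=5,
                    min_distinct_users=4, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose sliding-window behaviour looks like
    credential stuffing: many attempts, many *distinct* usernames, mostly failures.
    A single account hammered repeatedly is deliberately not matched (that is a
    brute-force signature, handled by per-account lockout rather than this rule).
    Thresholds are illustrative assumptions; tune them to your own baseline."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if (len(win) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(win) <= max_success_ratio):
                cur = flagged.get(ip)
                if cur is None or len(win) > cur["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "successes": successes,
                        # Accounts that *succeeded* inside a spray are the jackpot the
                        # article mentions: these are the ones to force-reset first.
                        "hit_users": sorted(e["user"] for e in win if e["ok"]),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The `hit_users` field is the actionable output: a successful login that sits inside a spray of failures against other accounts is almost certainly a reused password, and it deserves a forced reset and session revocation regardless of whether the source IP is later blocked. Note that attackers who spread the same spray across many IPs will stay under a per-IP threshold; the same windowing logic keyed on (username list, user agent, ASN) rather than on IP is the usual next step.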
Tomi Engdahl says:
Credit Freezes are Free: Let the Ice Age Begin
https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/
It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.
Tomi Engdahl says:
How Can Companies Defend Against Adversarial Machine Learning Attacks in the Age of AI?
https://securityintelligence.com/how-can-companies-defend-against-adversarial-machine-learning-attacks-in-the-age-of-ai/
The use of AI and machine learning in cybersecurity is on the rise. These technologies can deliver advanced insights that security teams can use to identify threats accurately and in a timely fashion. But these very same systems can sometimes be manipulated by rogue actors using adversarial machine learning to provide inaccurate results, eroding their ability to protect your information assets.
While it’s true that AI can strengthen your security posture, machine learning algorithms are not without blind spots that could be attacked.
Tomi Engdahl says:
850 million dollars in cryptocurrencies stolen in 2018 alone
https://www.pandasecurity.com/mediacenter/news/millions-cryptocurrencies-stolen/
The new trend of stealing cryptocurrencies shows no signs of letting up. In the last few hours, the cryptocurrency platform Tech Bureau Corp in Japan has fallen victim to this technique, which is affecting more and more companies. In this case, the cybercriminals made off with 60 million dollars’ worth of Bitcoin, MonaCoins and Bitcoin Cash. However, despite the multi-million dollar loot, this is not the most lucrative crypto-theft so far this year.
Tomi Engdahl says:
This was not known to be caused by a cyber-attack, but it shows what a silent cyber-attack that changes industrial system code could do:
How a coding error made 293 Subaru SUVs unusable
https://thenextweb.com/cars/2018/09/24/subaru-293-cars-destoryed-software-bug/
A software error has caused Subaru to completely dispose of 293 of its Ascent 2019 SUVs. According to a safety recall report filed with the National Highway Traffic Safety Administration (NHTSA), robots missed critical welds, thanks to improper coding.
Tomi Engdahl says:
Hacking Back: Simply a Bad Idea
While the concept may sound appealing, it’s rife with drawbacks and dangers.
https://www.darkreading.com/threat-intelligence/hacking-back-simply-a-bad-idea/a/d-id/1332856
As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms “hacking back” and “active cyber defense” (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of definitions is fueling confusion.
Tomi Engdahl says:
How to Make the Business Case for an Intelligence Program
https://www.securityweek.com/how-make-business-case-intelligence-program
It’s Crucial to Communicate the Benefits of an Intelligence Program in the Context of Risk
There are many challenges inherent to starting an intelligence program, but making a business case for one can be among the most difficult. A primary reason for this challenge is that the security practitioners who typically advocate for—and see the most value in—such a program are rarely the ones who control the budget. Meanwhile, budgetary stakeholders are often far removed from the tactical benefits and, in many cases, are unaware of the strategic benefits that a well-executed intelligence program can bestow upon the business.
Based on my own experiences confronting these types of challenges throughout my career, the following tips can help security teams to effectively justify the business need for, and value of, an intelligence program:
Tomi Engdahl says:
App permissions in Android 8: The complete guide
https://www.kaspersky.com/blog/android-8-permissions-guide/23981/
These days, Android variants probably run into the thousands. That’s because every vendor modifies the system for its own requirements, and certainly not always for the better. But at the heart of Android lies a well-designed operating system that is becoming more secure with each new version.
Or rather, it’s becoming more secure when the user does things right. To get hold of a chunk of interesting data in shared storage or gain access to a function that might be unsafe, Android apps always need the user’s explicit permission. And it’s crucial to set these permissions properly.
Tomi Engdahl says:
Google revealed which Android phones are secure: is your device on the list?
https://www.is.fi/digitoday/tietoturva/art-2000005839069.html
Android and Google Play Security Rewards Programs surpass $3M in payouts
https://android-developers.googleblog.com/2018/09/android-and-google-play-security.html
Keeping devices secure
Tomi Engdahl says:
6 Dark Web Pricing Trends
For cybercriminals, the Dark Web grows more profitable every day.
https://www.darkreading.com/threat-intelligence/6-dark-web-pricing-trends/d/d-id/1332872
For cybercriminals, the Dark Web grows more profitable every day. According to Armor, this is especially true for stolen credit card data, where prices have increased anywhere from 33% to 83% from 2015 to 2018 in the United States, Canada, the United Kingdom, and Australia.
Tomi Engdahl says:
U.S. Unveils First Step Toward New Online Privacy Rules
https://www.securityweek.com/us-unveils-first-step-toward-new-online-privacy-rules
The US administration called Tuesday for public comments on a “new approach to consumer data privacy” that could trigger fresh regulations of internet companies.
The Commerce Department said the announcement is part of an effort to “modernize US data privacy policy for the 21st century.”
The move follows the implementation this year of ramped up data protection rules imposed by the European Union, and a new privacy law enacted in California.
Both measures will impact internet firms whose websites can be accessed around the globe.
NTIA Seeks Comment on New Approach to Consumer Data Privacy
https://www.ntia.doc.gov/press-release/2018/ntia-seeks-comment-new-approach-consumer-data-privacy
Tomi Engdahl says:
Cloudflare Encrypts SNI Across Its Network
https://www.securityweek.com/cloudflare-encrypts-sni-across-its-network
Cloudflare this week announced it has turned on Encrypted SNI (ESNI) across all of its network, making yet another step toward improving user privacy.
The Transport Layer Security (TLS) Server Name Indication (SNI) extension was introduced to resolve the issue of accessing encrypted websites hosted at the same IP address. Before that, when a request was made for an HTTPS connection, the web server would only hand out a single SSL certificate per IP address.
With SNI, however, if a web server hosts multiple domains, the request is routed to the correct site and the right SSL certificate is returned. This ensures that content is encrypted correctly and browsers widely adopted the TLS extension after its specification was introduced by the IETF in 2003.
“Today, as HTTPS covers nearly 80% of all web traffic, the fact that SNI leaks every site you go to online to your ISP and anyone else listening on the line has become a glaring privacy hole. Knowing what sites you visit can build a very accurate picture of who you are, creating both privacy and security risks,” Cloudflare’s Matthew Prince points out.
https://blog.cloudflare.com/esni/
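The privacy hole Prince describes is concrete: the server name sits in the clear in the very first TLS record, before any key exchange, so anyone on the path can read it with a few lines of byte parsing. The following is an added example, not code from Cloudflare or from the SecurityWeek article: it builds a minimal TLS 1.2 ClientHello (with or without the server_name extension, RFC 6066 layout) and then extracts the hostname exactly as a passive observer would. Cipher suite values and the hostname are arbitrary choices for illustration.

```python
import os
import struct


def _vec(data, size_len):
    """Length-prefixed vector as used throughout TLS (size_len-byte big-endian length)."""
    return len(data).to_bytes(size_len, "big") + data


def build_client_hello(hostname=None):
    """Return a minimal TLS 1.2 ClientHello record.
    hostname=None omits the server_name extension, which is what the wire looks
    like to an observer once the name is carried inside an encrypted extension
    (ESNI/ECH) instead of in the clear."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        # ServerNameList: one entry of name_type 0 (host_name) + 2-byte length + name
        server_name_list = _vec(b"\x00" + _vec(name, 2), 2)
        exts += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + os.urandom(32)                 # random
        + _vec(b"", 1)                   # empty session_id
        + _vec(b"\xc0\x2f\x00\x9c", 2)   # two cipher suites (arbitrary, for illustration)
        + _vec(b"\x00", 1)               # null compression only
        + _vec(exts, 2)                  # extensions block (may be empty)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record: handshake


def extract_sni(record):
    """Passive-observer view: return the host_name from a plaintext ClientHello,
    or None if the record is not a ClientHello or carries no server_name."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if not hs or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # legacy hello with no extensions
    ext_len = int.from_bytes(hs[p:p + 2], "big")
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        edata = hs[p:p + elen]
        p += elen
        if etype == 0x0000:                          # server_name
            q = 2                                    # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = int.from_bytes(edata[q + 1:q + 3], "big")
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("idna")
                q += nlen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))  # hostname visible in the clear
    print(extract_sni(build_client_hello(None)))               # nothing for the observer to read
```

The parser has no keys and performs no decryption; it only walks the public structure of the first packet. That is the whole point of the article: the hostname leaks before the handshake has done anything cryptographic. Encrypted SNI moves the name into an extension the observer cannot decrypt, so the same passive parser sees no plaintext server_name at all, which is what the second call demonstrates.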
Tomi Engdahl says:
How to improve hiring practices in cybersecurity
https://www.welivesecurity.com/2018/09/25/hiring-practices-cybersecurity-professionals/
Should schools and businesses do more to combat the shortfall of cybersecurity professionals by changing the hiring process for those interested in having a career in the industry?
There are few things that cause the computer security industry more concern than the need to avoid “false negatives”. While no product or technology is a silver bullet for preventing every single genuine threat, we go to great lengths to provide comprehensive, ever-improving detection and protection – and to have this reflected in competent, independent tests. And yet, there is a huge number of systemic false negatives happening in our efforts to populate security positions.
While the detection of hazardous threats is necessarily different from the detection of a target with positive attributes like interested students or qualified applicants to meet the massive shortfall in finding cybersecurity professionals, the failure to detect is similarly causing problematic results.
Students who are not offered computer-related classes before college are less likely to go on to choose a CS undergraduate degree, as many of these students will feel that they’re having to play catch-up to students who’ve been steeping in computer-related concepts since they were young. Whatever you think of the utility of college degrees as preparation for a career in computer security, many companies do still require a four-year CS degree, even for an entry-level position. Many people find getting that crucial first job prohibitively difficult without those credentials.
Tomi Engdahl says:
2018 Has Been Open Season on Open Source Supply Chains
https://threatpost.com/2018-has-been-open-season-on-open-source-supply-chains/137726/
Hackers see green field opportunities in vulnerable software supply chains.
As the number of open source components used in software supply chains shoots up, hackers are going along for the ride. Increasingly, threat actors are planting bad code in open-source repositories in the hope of harvesting the flaws later when they are used in larger banking, manufacturing and healthcare DevOps projects.
Tomi Engdahl says:
Why Openness Is The Greatest Path To Security
https://www.forbes.com/sites/martenmickos/2018/09/26/why-openness-is-the-greatest-path-to-security/#4a7d01025f7f
Every year we spend more on cybersecurity, and every year the data breaches get more rampant. Cybersecurity should be a healthy and constructive practice, but for many, it is a nightmare.
Something in this model is not right. Our predicament is not unlike the software industry twenty years ago. Every year, customers would spend more on expensive proprietary software, with no discernible benefit emerging.
Customers paid not for receiving more value, but out of fear of what would happen if they stopped paying. Fear, however, is not a path forward.
The software industry was ultimately liberated by open source software. This model of open collaboration and sharing delivered what was thought to be impossible: better quality of products at a lower cost for the customer.
Openness, collaboration, and sharing are what will save cybersecurity too.
The old belief that secrecy produces security was plain wrong.
The practice of not telling your industry peers what you are seeing, observing and learning was detrimental. No wonder cyber costs skyrocketed and breaches too.
Bruce Schneier, one of the foremost experts on cybersecurity has said that “public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.”
One industry that has been following an open approach to security for many years is aviation. Today, flying is the safest form of transport by far and this is largely because the industry freely shares information.
The software world would be a lot more secure if they took a similar approach. Organizations must be open to help from people outside their organization. The reality is, vulnerabilities exist. In fact, Gartner predicted that “99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.”
The best way to prevent getting hacked is to try to get hacked by people you trust. Furthermore, sharing vulnerability information once issues are resolved can help other organizations resolve similar issues before they’re exploited.
The cybersecurity industry has been built on a culture of hiding, then blaming and shaming. This must change.
Tomi Engdahl says:
Be a hacker, save the world — and you can name your price to do it all
https://www.google.fi/amp/s/thenextweb.com/offers/2018/07/06/be-a-hacker-save-the-world-and-you-can-name-your-price-to-do-it-all/%3famp=1
Being a white hat hacker doesn’t just mean you’re hired to protect a company’s digital, financial, and security interests. In many cases, ethical hackers have made major contributions in serving the public’s interests as well.
Tomi Engdahl says:
One Disturbing Black Mirror Episode Is Going To Become Reality By 2020
https://www.iflscience.com/editors-blog/china-launches-social-credit-system-that-will-track-rank-all-citizens-by-2020/
Every move you make, every step you take, they’ll be watching you – the Chinese government, that is. The communist nation says it is on track to launch its “Social Credit” system in real time for 2020.
The dystopian-esque system monitors, tracks, and ranks Chinese citizens based on a combination of factors used to then assign individuals a numerical score. These scores can then make or break a person, in some cases awarding them with VIP access to certain institutions. In other cases, wrongdoers could be blacklisted from government resources, including access to schools or transportation.
Tomi Engdahl says:
For safety’s sake, we must slow innovation in internet-connected things
https://www.technologyreview.com/s/611948/for-safetys-sake-we-must-slow-innovation-in-internet-connected-things/
That’s the view of security expert Bruce Schneier, who fears lives will be lost in a cyber disaster unless governments act swiftly.
Smart gadgets are everywhere. The chances are you have them in your workplace, in your home, and perhaps on your wrist. According to an estimate from research firm Gartner, there will be over 11 billion internet-connected devices (excluding smartphones and computers) in circulation worldwide this year, almost double the number just a couple of years ago.
Many billions more will come online soon. Their connectivity is what makes them so useful, but it’s also a cybersecurity nightmare. Hackers have already shown they can compromise everything from connected cars to medical devices.
In a new book called Click Here to Kill Everybody, Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought.
The title of your book seems deliberately alarmist. Is that just an attempt to juice sales?
It may sound like publishing clickbait, but I’m trying to make the point that the internet now affects the world in a direct physical manner, and that changes everything. It’s no longer about risks to data, but about risks to life and property. And the title really points out that there’s physical danger here, and that things are different than they were just five years ago.
You’ve come up with a new term, “Internet+,” to encapsulate this shift. But we already have the phrase “internet of things” to describe it, don’t we?
I hated having to create another buzzword, because there are already too many of them. But the internet of things is too narrow. It refers to the connected appliances, thermostats, and other gadgets. That’s just a part of what we’re talking about here. It’s really the internet of things plus the computers plus the services plus the large databases being built plus the internet companies plus us. I just shortened all this to “Internet+.”
True, but these incidents didn’t lead to loss of life or limb, and we haven’t seen many cases involving potential physical harm yet, have we?
We haven’t. Most attacks still involve violations of data, privacy, and confidentiality. But we’re entering a new era. I’m obviously concerned if someone steals my medical records, but what if they change my blood type in the database?
Tomi Engdahl says:
“I know I’m paranoid, but am I paranoid enough?”
— Tom Clancy
https://quotefancy.com/quote/1048761/Tom-Clancy-I-know-I-m-paranoid-but-am-I-paranoid-enough
Tomi Engdahl says:
Brett Solomon / Wired:
Digital ID systems, as they are being developed today, are ripe for exploitation and abuse; citizens must advocate for principles that shield fundamental rights.
Digital IDs Are More Dangerous Than You Think
https://www.wired.com/story/digital-ids-are-more-dangerous-than-you-think/
There are significant, real-world benefits to having an accepted and recognized identity. That’s why the concept of a digital identity is being pursued around the world, from Australia to India. From airports to health records systems, technologists and policy makers with good intentions are digitizing our identities, making modern life more efficient and streamlined.
Governments seek to digitize their citizens in an effort to universalize government services, while the banking, travel, and insurance industries aim to create more seamless processes for their products and services. But this isn’t just about efficiency and market share. In places like Syria and Jordan, refugees are often displaced without an identity. Giving them proof of who they are can improve their settlement, financial security, and job prospects in foreign lands.
But as someone who has tracked the advantages and perils of technology for human rights over the past ten years, I am nevertheless convinced that digital ID, writ large, poses one of the gravest risks to human rights of any technology that we have encountered. Worse, we are rushing headlong into a future where new technologies will converge to make this risk much more severe.
Tomi Engdahl says:
Digital Single Market:
EU enacts law enabling cross-border recognition of national electronic IDs, like driver licenses and bank cards, in tax filing, medical records, public services
Cross-border digital identification for EU countries: Major step for a trusted Digital Single Market
https://ec.europa.eu/digital-single-market/en/news/cross-border-digital-identification-eu-countries-major-step-trusted-digital-single-market
People will be able to use their electronic ID (eID), such as ID cards, driver licenses and bank cards, to file tax returns online and access medical records and online public services across the EU.
Tomi Engdahl says:
Tim Berners-Lee:
Tim Berners-Lee unveils Solid, an open source project to decentralize the web and give users control of their data, and Inrupt, a startup to guide the project
One Small Step for the Web…
https://medium.com/@timberners_lee/one-small-step-for-the-web-87f92217d085
Tomi Engdahl says:
When Good Apps Go Bad: Protecting Your Data Through App Permissions
https://www.securityweek.com/when-good-apps-go-bad-protecting-your-data-through-app-permissions
When was the last time you thought about what permissions the apps on your phone have? Often, when downloading something new from the app store, many people somewhat blindly accept the various pop-ups that ask to allow the app access to their phone’s data; more excited about what they get from the app, not what it might be getting from them. But as people are becoming more aware of the data being collected about them from every angle, it’s becoming apparent that more attention needs to be paid to what people are enabling when they hit “download.”
Just this month, researchers from GuardianApp revealed a list of 24 notable iOS apps that have been used to “covertly collect precise location histories from tens of millions of mobile devices.”
Tomi Engdahl says:
Without Handcuffs: Creating A Culture of Compliance
https://www.securityweek.com/without-handcuffs-creating-culture-compliance
Over the years, I have met with hundreds of security teams. One of the most common complaints, that comes up in meetings with companies of all sizes and across all industries, is that security teams feel helpless to enforce the policies they put in place. Multiple security officers have described it as feeling like “cops without handcuffs.” Upon flagging serious incidents of rogue IT staff and acceptable use violations, I’ve been met with shrugs instead of surprise.
Security policies exist for a reason, but unenforced they’re not valuable to anyone – updating them takes time and resources away from already strained teams and arbitrary rules don’t make employees happier or more productive. Given the challenges to enforcement, what role do these policies play in a security team’s toolkit? And what needs to change to make security teams able and willing to enforce policies?
Tomi Engdahl says:
Worried About Privacy? 5 Alternatives to Google Maps
https://www.eeweb.com/profile/max-maxfield/articles/if-youre-worried-about-privacy-here-are-five-alternatives-to-google-maps
Tomi Engdahl says:
AI-powered IT security seems cool – until you clock miscreants wielding it too
Field both embraced, feared by enterprise
https://www.theregister.co.uk/2018/10/01/can_ai_be_trusted_on_security/
We’re hearing more about AI or machine learning being used in security, monitoring, and intrusion-detection systems. But what happens when AI turns bad?
Two interesting themes emerged from separate recent studies: the growth of artificial intelligence, coupled with concerns about its potential impact on security.
Tomi Engdahl says:
Security Tip (ST18-004)
Protecting Against Malicious Code
https://www.us-cert.gov/ncas/tips/ST18-271
What is malicious code?
Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses.
Viruses have the ability to damage or destroy files on a computer system and are spread by sharing an already infected removable media, opening malicious email attachments, and visiting malicious web pages.
Worms are a type of virus that self-propagates from computer to computer. Its functionality is to use all of your computer’s resources, which can cause your computer to stop responding.
Trojan Horses are computer programs that are hiding a virus or a potentially damaging program. It is not uncommon that free software contains a Trojan horse making a user think they are using legitimate software, instead the program is performing malicious actions on your computer.
Tomi Engdahl says:
Examining Phishing Websites and Scraping Information to Track Down Malicious Actors
Phishing attacks.
https://medium.com/@imafilthyscrub/examining-phishing-websites-and-scraping-information-to-track-down-potential-malicious-actors-bcd46119238e
Tomi Engdahl says:
Cybersecurity Canon Candidate Book Review: “Cybersecurity: A Business Solution”
https://researchcenter.paloaltonetworks.com/2018/09/cybersecurity-canon-candidate-book-review-cybersecurity-business-solution/
Managing cyber risk is a challenging undertaking, even for large organizations with significant resources at their disposal. For executives and senior managers in small to medium-sized organizations, however, managing cyber risk can quickly become a daunting and overwhelming task. That is where Rob Arnold’s book Cybersecurity: A Business Solution provides a unique and helpful perspective. Written specifically for small to medium-sized businesses, the book provides executives and senior managers with a business-centered perspective on managing cyber risk in their organizations. The audience for this book also includes IT professionals and network defenders. By mapping out how to manage an organization’s cyber risk strategies, as well as how to implement an effective cybersecurity plan, it gives IT professionals a way to speak to administration and provide them with tools for an overall plan of action.
Tomi Engdahl says:
Internet Organised Crime Threat Assessment 2018
https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018
Tomi Engdahl says:
Four Things to Consider When Evaluating IPS Solutions
https://www.securityweek.com/four-things-consider-when-evaluating-ips-solutions
The volume of successful cyberattacks continues to grow at an alarming pace. According to a report from Risk Based Security, the number of breached data records has grown from about 4 million in 2010 to a jaw-dropping 7.89 billion information records compromised just last year. There are a number of reasons for this alarming trend.
First, the rapid adoption of IoT has introduced highly vulnerable devices, many of which are headless, that are difficult or impossible to update or patch. As a result, attacks targeting IoT devices have escalated over the past few years.
Second, things like the cyberskills gap and the drive toward digital transformation have dropped security hygiene best practices such as patching and updating to the bottom of the to-do list. Many of the most successful exploits of the past few years exploited vulnerabilities for which patches had been available for months and even years.
Another reason for this spike is that malware sophistication is outpacing the development of effective security counter-measures. During Q2 2018, Fortinet saw a steady increase in the volume of new malware, with W32/StartPage—a class of information-stealing Trojans capable of harvesting credentials from browsers, FTP clients, and email clients—capturing the lead position for the quarter.
Meanwhile, the vast majority of security solutions in place were deployed long before the adoption of IoT or multi-cloud, or a growing array of BYOD devices that combine work and personal data.
Tomi Engdahl says:
Google Turns on G Suite Alerts for State-Sponsored Attacks
https://www.securityweek.com/google-turns-g-suite-alerts-state-sponsored-attacks
After rolling out an option for G Suite administrators to receive alerts on suspected government-backed attacks on their users’ accounts, Google is now turning those alerts on by default.
Google has long been warning users of attacks that it believed might be the work of state-sponsored adversaries, but only sent those alerts to the impacted users. Starting in August, however, it rolled out a new option in G Suite to also notify admins of suspected attacks on their users.
Tomi Engdahl says:
Cyber Security & You: Vulnerability Exists Between Chair and Keyboard
http://www.electronics-know-how.com/article/2727/cyber-security-you-vulnerability-exists-between-chair-and-keyboard
Software vulnerabilities can manifest themselves in many ways, but typically, they are exploited by abusing software interfaces in ways outside of their designed operation. We try to mitigate against this possibility with techniques such as testing, and peer review, but we still can’t seem to avoid an occasional oversight. The problem with these techniques is that they all require human input to analyze all possible permutations for all possible interfaces and calculate potential risk. This type of calculation sounds like a great task for a computer!
Tomi Engdahl says:
Cybersecurity Is Not a Job for Humans
Is artificial intelligence better suited than humans to keeping our networks safe?
https://www.designnews.com/electronics-test/cybersecurity-not-job-humans/86006162259563?ADTRK=UBM&elq_mid=5943&elq_cid=876648
Keeping our networks secure from hackers is becoming too big a job for humans. The increasing complexity of networks, much of which is coming hand-in-hand with the expansion of the IoT—not to mention a dearth of available talent—is only pointing to one conclusion: Attacks and security breaches will only get more severe as more devices and data are brought online.
Just this month, Facebook fell victim to a network attack that exposed the personal information of 50 million of its users. The same week as the Facebook breach, ridesharing company Uber was fined $148 million for failing to disclose a 2016 breach that exposed personal data, including driver’s license information, for roughly 600,000 of Uber’s drivers as well as information on 57 million Uber mobile app users. Uber tried to cover up the breach and paid the hackers a $100,000 ransom in 2017 for the stolen data to be destroyed.
Tomi Engdahl says:
Better Customer Experience is More Than a “Nice to Have” for Security
https://www.securityweek.com/better-customer-experience-more-nice-have-security
Customer Experience (CX) has gone from a buzzword to an imperative in just a few short years. A reported 80 percent of companies responding to Gartner’s marketing leaders survey now say they expect to compete mainly based on CX. Forrester has created a Customer Experience Index by which they measure and rank CX leaders. And there are hundreds of customer experience conferences to choose from every year.
Improved security leads to improved customer experience – and improved customer experience leads to improved security. Here are four key ways.
1. Simplicity of the solution
2. Dedicated customer success teams
3. Integration
4. A “solutions” focus
CX is becoming a key driver of success in the security industry, not just for companies that deliver superior customer experiences but – more importantly – for the organizations and security professionals they serve. The nuance and interplay between the two is a powerful proposition.
Tomi Engdahl says:
When the Digital Impacts the Physical
https://securingtomorrow.mcafee.com/mcafee-labs/when-the-digital-impacts-the-physical/
Cyberattacks have always been, well, cyber. Their immediate effects were on our data, our digital information, and our devices…until they weren’t. The interconnected nature of the world and the way it’s built in 2018 has brought us exciting and revolutionary innovations, but it has also been leveraged by hackers to extend the impact of a cyberattack beyond the digital sphere into the physical. Pacemakers can be hacked, shocks can be sent to patients remotely. Critical infrastructure can be taken down, rendering cities powerless. Large corporations we trust with our data are violating that trust by collecting our data unknowingly, and even tracking our locations without consent. Cybercrime is no longer just cyber, and it can compromise a lot more than just data.
When you think of one’s well-being, physical health often comes to mind. Hospitals, health care, and medical tools and devices have evolved to become members of an interconnected ecosystem. Many health care systems connect to the internet to operate, the same holds true with numerous medical devices such as pacemakers. But that makes the latter part of the “Internet of Things,” a growing collection of connected devices which are potentially vulnerable to cyberattack. In fact, there have already been reports of threats to these medical devices.
We’ve seen a handful of hospitals taken offline in recent ransomware attacks, all due to the use of outdated or vulnerable systems.
In fact, cybercriminals have recently begun hitting critical infrastructure hard and fast, with dramatic results emerging from their efforts. They’ve infamously put an entire city in Ukraine out of power for about an hour. Then there was the Schneider Electric hack, in which cybercriminals leveraged a zero-day vulnerability within an industrial plant’s safety system for a cyberattack.
There are also cyber issues that impact our physical safety that don’t even come in the form of an attack. Lately, news has been circulating about big-name companies tracking users’ locations or data
Ramifications such as these have changed the nature of privacy, as well as digital and physical safety as we know it.
Tomi Engdahl says:
How to Avoid the Trap of Fragmented Security Analytics
https://securityintelligence.com/how-to-avoid-the-trap-of-fragmented-security-analytics/
The continuous evolution of attack tactics and poor threat visibility keeps cyber defenders on their toes, especially when adversaries exploit the human mind with tactics such as phishing and using individually crafted, short-lived weaponizations. As a result, more and more security organizations are prioritizing the use of security analytics to quickly and accurately identify attacks and act before major damage is done.
Embrace a Platform-Based Approach to Security Analytics
To avoid this trap, security teams should consider a platform-based approach whereby data ingestion, correlation, management and a broad set of analytics can be tied together. Solid correlation within the entire data stream offers great perspective for moving into more mature detection.
Tomi Engdahl says:
The US National Cyber Strategy
https://www.schneier.com/blog/archives/2018/10/the_us_national.html
Last month, the White House released the “National Cyber Strategy of the United States of America.” I generally don’t have much to say about these sorts of documents. They’re filled with broad generalities.
Who can argue with:
Defend the homeland by protecting networks, systems, functions, and data;
Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;
Preserve peace and security by strengthening the ability of the United States in concert with allies and partners to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.
The devil is in the details, of course. And the strategy includes no details.
Tomi Engdahl says:
Web application security is rife with conflict and confusion
https://www.itproportal.com/features/web-application-security-is-rife-with-conflict-and-confusion/
How can organisations ensure that their applications are protected on their own networks and across multiple clouds?
Global organisations are having to deal with continually evolving threats to their web application security, and as their network ecosystem grows, so do the threats. To compete more effectively, companies are examining how to best manage and secure applications and data. As the complexity of cloud and on-premises networks increases, new vulnerabilities are introduced that leave applications open to constant attacks.
The security survey set out to find out how security breaches have affected respondents’ organisations in the past 12 months and the impact of application attacks on plans for cybersecurity protection measures.
The results were contradictory.
While two thirds of respondents said that hackers were able to access their networks, the vast majority of respondents (90%) said that they were certain their organisations could keep up with the growing rate of application-layer attacks, even though many did not secure APIs or felt that their WAFs were not stopping all attacks.
The stakes are getting higher
When application attacks are successful, organisations can experience many negative consequences, including loss of reputation, customer requests for compensation, churn, stock price drops and executive job losses, among other impacts. Customers expect the organisations with which they associate to protect their data. When a data breach is revealed, trust between customers and the organisation is broken. The process of repairing a company’s reputation is long and not always successful.
About half of the organisations surveyed indicated that some of their customers asked for compensation or their own reputations suffered because of application/web server attacks.
Organisations work very hard to capture and retain customers with targeted marketing programmes, service-level agreements and privacy assurances. Security breaches can cause lasting damage to customer loyalty and with the introduction of new data protection legislation such as the GDPR, can also result in substantial financial penalties.
Tomi Engdahl says:
Torii botnet – Not another Mirai variant
https://blog.avast.com/new-torii-botnet-threat-research
New, more sophisticated IoT botnet targets a wide range of devices
2018 has been a year where the Mirai and QBot variants just keep coming. Any script kiddie now can use the Mirai source code, make a few changes, give it a new Japanese-sounding name, and then release it as a new botnet.
Tomi Engdahl says:
DNS security still an issue
https://www.hpe.com/us/en/insights/articles/dns-security-still-an-issue-1810.html
DNS security is a decades-old issue that shows no signs of being fully resolved. Here’s a quick overview of some of the problems with proposed solutions and the best way to move forward.
Like almost all of the original and fundamental Internet protocols, DNS transactions are designed to be transported in plain text on the wire: DNS requests travel on TCP or UDP port 53.
The current standard for securing DNS
The first proposed standard for DNSSEC (RFC 4033 and many others) is almost 20 years old, but it solves a different problem: validating the provenance of DNS results, by using public and private keys and signatures in the DNS to prove that an authorized party actually created the DNS entry. This protects the client against certain attacks, such as DNS cache poisoning.
After many years of availability, DNSSEC has yet to attain significant adoption, even though any security expert you might ask recognizes its value. As with any public key infrastructure, DNSSEC is complicated. You must follow a lot of rules carefully, although some network services providers are trying to make things easier.
So despite best efforts of various Internet groups, DNS remains insecure. Too many roadblocks exist that prevent the Internet-wide adoption of a DNS security solution.
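The two points above, that base DNS is plain text and that DNSSEC adds authenticity rather than confidentiality, are easy to see from the wire format. The following is an added example, not code from the HPE article or from this page: a minimal Python parser for a DNS response (RFC 1035 wire format plus the EDNS OPT pseudo-record), run against a response constructed here by hand for an A query on example.com. The packet bytes, the address 93.184.216.34 and the message ID are assumptions built for the demonstration. Everything in the packet, including the queried name and the DO/AD flag bits that signal DNSSEC, is readable by anyone on the path.

```python
"""Parse a DNS message from its wire format (RFC 1035 section 4.1).

Added example: the response below is constructed by hand for an A query
on example.com. Nothing in base DNS is encrypted, so the question name,
the answer and all flags are visible to a passive observer. The DO bit
(in the EDNS OPT record) says DNSSEC was requested and the AD bit says
the resolver validated the answer; both concern authenticity, not
confidentiality.
"""
import struct
from typing import Dict, List, Tuple


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) domain name starting at offset.

    Returns (name, offset_after_name). Compression pointers (top two bits
    set) jump elsewhere in the message; we follow them but only advance the
    caller's offset past the pointer itself.
    """
    labels: List[str] = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
                jumped = True
            offset = pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_message(msg: bytes) -> Dict[str, object]:
    """Parse header, question section and all resource records."""
    (msg_id, flags, qdcount, ancount,
     nscount, arcount) = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    records = []
    dnssec_ok = False
    for _ in range(ancount + nscount + arcount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 41:  # OPT pseudo-record: its TTL field carries the DO bit
            dnssec_ok = bool(ttl & 0x8000)
            continue
        if rtype == 1 and rdlen == 4:  # A record: dotted-quad IPv4
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata.hex()
        records.append((name, rtype, ttl, value))
    return {
        "id": msg_id,
        "is_response": bool(flags & 0x8000),
        "authentic_data": bool(flags & 0x0020),  # AD bit set by a validating resolver
        "rcode": flags & 0x000F,
        "questions": questions,
        "records": records,
        "dnssec_ok": dnssec_ok,
    }


# Constructed sample: response to "example.com A?" with QR, RD, RA and AD set,
# one A answer (TTL 300) and an OPT record with the DO bit. Assumed values.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)          # header
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)      # question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)          # answer, name is a pointer to offset 12
    + bytes([93, 184, 216, 34])
    + b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)        # OPT: UDP size 4096, DO bit
)


def name_visible_on_wire(msg: bytes, label: bytes) -> bool:
    """A passive observer needs no parser at all to spot a queried name."""
    return label in msg


if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
    print("'example' readable in raw bytes:", name_visible_on_wire(SAMPLE_RESPONSE, b"example"))
```

Running this against real traffic (for example a UDP capture on port 53) shows the same thing: the AD and DO bits tell you whether an answer was validated, but the question name is still there in clear for anyone between the client and the resolver.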
Tomi Engdahl says:
From Now On, Only Default Android Apps Can Access Call Log and SMS Data
https://thehackernews.com/2018/10/android-app-privacy.html?m=1