Year 2017 was bad cybersecurity year, and it is expected new Cybersecurity Dangers Will Spike in 2018. Security situation was so bad in 2017 that it was though that We’re hitting rock bottom in cyber, but I fear that we have nit yet hit the bottom, and thing will still get worse until they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most businesses processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means, a company’s customers are exposed. 2o18 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.
Here is a list of relevant cyber security terms for 2018s:
AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use it for their various purposes.Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions cold possibly help on some of the security problems, but be warned of over-hyping of AI om solutions. We will see many attacks against ‘black box’ machine learning.
Artesanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: Endpoint, AV, Cloud, Network/Infrastructure, Application, Compliance, and the list goes on and on. There is an overwhelming array of choices has given technologists a lot to evaluate, they have not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.
Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.
Automation: Enterprises will now no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises.
Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.
Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.
Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be describes as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has been often hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as looming security risk and some see that authorized browser mining could be used for micro-payments.
Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.
Certificates: Facebook Releases New Certificate Transparency Tools that allows developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency Logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks.With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
Cloud: Organizations are responsible for ensuring the security of their data, regardless of where that data resides, oftentimes cloud security is still thought of as a different type of security. You Should Question Most Common Cloud Assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.
Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”
GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. Enforcement date is 25 May 2018 – at which time those organizations in non-compliance will face heavy fines (a fine up to 20000000 EUR or up to 4% of the annual worldwide turnover).The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay on issues like data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad. You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.
Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground.On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: Protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.
HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox will includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.
HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of end 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.
HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS was been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.
ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Identity Management Systems (SIEM), and Incident Management Systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations become more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.
Identify: When you have inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.
IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018.IPv& security is somewhat different than IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task so manage the network security at both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is no way dying. It seems that both of those technologies will co-exist in Internet for a long time., so the default network setting ion the future is the devices had IPv6 address, along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays by default configured like that – so it is possible that you are using IPv6 without knowing of that (if this is good or bad depends if you planned your network to work in this way or not).
Inventory:Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices.Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation.Security experts have always warned us that a network is only as secure as its weakest point. Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT system should be addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be going on the The Race for a Universal IoT Security Standard, but that does not get anywhere near ready on 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard. On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.
Mirai: Mirai trojan and it’s many variants have been threat to IoT devices and several Internet services in 2016 and 2017. In 2017 Mirai-makers plead guilty, but this isn’t the end for the now open-sourced Mirai. I expect that we see on 2018 new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.
Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.
Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. TAnd they need to be fixed. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
PSD2: EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We meed Consent Management Solutions.
Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware the worries cybersecurity experts.
Responsibility: People are starting to call companies to take responsibility. EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to be turned out to be at least partially wrong. Some people call that It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are nows societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives—where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities.
Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. When you have plan what to do, next the technology is an extremely important component of a security program. Focus on actual disease and not just the symptoms. The Best Security Doesn’t Exclude Users, it Empowers Them.
Supply chain: Keep eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.
Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?
Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. For many attempts the goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.
Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.
Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run - many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities.
Worms: Wormable malware. Some of the biggest cyber incidents in 2017 r evolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats likely to continue into 2018.
Sources:
Firefox, Chrome start calling HTTP connections insecure
Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead
Cybersecurity Dangers Will Spike in 2018
We’re hitting rock bottom in cyber — let’s do something | TechCrunch
Mirai-makers plead guilty, Hajime still lurks in shadows
DARPA Takes Chip Route to ‘Unhackable’ Computers
Another AI attack, this time against ‘black box’ machine learnings
General Data Protection Regulation (Wikipedia)
Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already
Miten GDPR pitää huomioida ohjelmistokehityksessä?
Seven Seas Cybersecurity: Captain, We Have a Problem
In the Words of President Ronald Reagan, “Trust but Verify”
Why You Should Question These Most Common Cloud Assumptions
It’s 2018. Do You Know Where Your Data Are?
Improved IoT Security Starts with Liability for Companies, Not Just Legislation
Smart Factory Connectivity for the Industrial IoT
The Race for a Universal IoT Security Standard
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.
Resolve to Mitigate Your Business’ Digital Risk in 2018
Emerging Trends in Vulnerability Management
Research reveals customer-facing web and mobile apps as top security challenge
Open Source Vulnerabilities: Are You Prepared to Run the Race?
Device Security for the Industrial Internet of Things
GDPR and Open Source: Best Practices
Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC
ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good
Threat Modeling the Internet of Things: Modeling Reaper
Engineering for Privacy Requires Standards
How to Make Adversaries Work Harder, While We Work Smarter, in 2018
2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices
Facebook Releases New Certificate Transparency Tools
iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
Open Source Vulnerabilities: Are You Prepared to Run the Race?
U.S. Military to Send Cyber Soldiers to the Battlefield
Machine Learning & Security: Making Users Part of the Equation
Security is Not a Technology Profession
Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018
636 Comments
Tomi Engdahl says:
https://www.tivi.fi/CIO/joka-kolmas-tietoturvapomo-pitaa-pilvea-riskina-6750833
Tomi Engdahl says:
Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red
https://securityintelligence.com/phish-or-fox-a-penetration-testing-case-study-from-ibm-x-force-red/
Tomi Engdahl says:
https://www.htbridge.com/blog/top-ten-mobile-breaches-and-incidents-of-2018.html
Tomi Engdahl says:
New Database Tracks Faulty Medical Devices Across The Globe
https://www.icij.org/investigations/implant-files/new-database-tracks-faulty-medical-devices-across-the-globe/
The International Medical Devices Database empowers patients, doctors and regulators with unprecedented knowledge
Tomi Engdahl says:
Practical Cryptography for Developers – Free Book by Svetlin Nakov
https://cryptobook.nakov.com
Tomi Engdahl says:
Top 20 Free Digital Forensic Investigation Tools for SysAdmins
https://techtalk.gfi.com/top-20-free-digital-forensic-investigation-tools-for-sysadmins/
Tomi Engdahl says:
https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Tomi Engdahl says:
Miasm – Reverse Engineering Framework In Python
https://www.kitploit.com/2018/11/miasm-reverse-engineering-framework-in.html?m=1
Tomi Engdahl says:
Cyber security books
https://pinky.ratman.org/~r0d3nt/ebooks/
Tomi Engdahl says:
Book: Information security for journalists – V1.1
https://gendo.ch/en/
Tomi Engdahl says:
Incidents
DarkVishnya: Banks attacked through direct connection to local network
https://securelist.com/darkvishnya/89169/
While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.
Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.
The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:
netbook or inexpensive laptop
Raspberry Pi computer
Bash Bunny, a special tool for carrying out USB attacks
Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard.
At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. T
Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access. Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies.
Tomi Engdahl says:
Australia passes ‘dangerous’ anti-encryption law after bipartisan compromise
https://techcrunch.com/2018/12/05/australia-rushes-its-dangerous-anti-encryption-bill-into-parliament/
Update, 12/6: The bill has now passed after the Labor party agreed to drop its proposed amendments
Tomi Engdahl says:
Top 5 Threat Hunting Myths: “Threat Hunting Is Too Complicated”
https://www.carbonblack.com/2018/12/05/top-5-threat-hunting-myths-threat-hunting-is-too-complicated/
The cybersecurity landscape is in a constant state of change and, as many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, but when. In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence.
To prevent this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. This process is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep.
The bottom line is this: The adversary is hunting for your security gaps…why aren’t you?
Tomi Engdahl says:
Hoarding threat information ‘not a competitive advantage,’ DHS official tells corporate leaders
https://www.cyberscoop.com/hoarding-threat-information-not-competitive-advantage-dhs-official-tells-corporate-leaders/
“Cybersecurity, infrastructure security, is not a competitive advantage,” Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency, said Tuesday.
If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost,”
Willke cited a December 2015 blackout in Ukraine caused by suspected Russian government hackers as a cautionary tale in information-hoarding.
Six months before the cyberattack, which left 225,000 people without power, a Ukrainian power company saw warning signs of the threat but failed to share that information with other companies in the sector, Willke said.
Tomi Engdahl says:
A Shift from Cybersecurity to Cyber Resilience: 6 Steps
https://www.darkreading.com/threat-intelligence/a-shift-from-cybersecurity-to-cyber-resilience-6-steps/a/d-id/1333378
Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here’s where to begin.
Tomi Engdahl says:
Step 1. Identify users: top 10 actions to secure your environment
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/05/step-1-identify-users-top-10-actions-to-secure-your-environment/
Tomi Engdahl says:
The Weaponization of PUAs
https://www.fortinet.com/blog/threat-research/the-weaponization-of-puas.html
Back in the 90’s, the Internet was not too *wild* in terms of malicious software, hacking attacks, etc. Viruses and some Worms had started to emerge, and while some were really dangerous, a great majority were not.
What are PUAs?
PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. In that sense, these tools are not really malicious and the program itself does not necessarily represent a risk. It is the usage of such tools and the related outcomes that are the real problem.
Why care about PUAs?
The answer is easy. System Administration tools and other tools with similar functionalities can also fall into the PUA category. These set of tools are useful when the user makes use of all the program functionalities and advantages provided by the software. There are a lot of tool categories, ranging from System Administration to Password Recovery. These can be very useful when someone with limited knowledge in program development has a specific requirement. These tools can then save the day.
PUA Weaponization
Recently, an active campaign was spotted in the well-known Emotet Banking Trojan, which makes use of Freeware system tools but with an obscure purpose. The US-CERT released an alert this year (2018) for this particular version of Emotet, mentioning the use of some NirSoft “Password-Recovery” tools.
Regular malware has been doing this for years, but as time passes, more threat actors and groups are emerging and the usage of such tools is increasing. For instance, BitDefender spotted a targeted attack launched by Netrepser, a Cyberespionage group, which is one of many groups that are well-known for using 3rd party components (some from the aforementioned NirSoft tool-set) in their launched attacks.
Tomi Engdahl says:
Winning the war against unknown zero-day malware
https://blog.checkpoint.com/2018/12/05/winning-the-war-against-unknown-zero-day-malware/
Tomi Engdahl says:
APT review of the year
What the world’s advanced threat actors got up to in 2018
https://securelist.com/apt-review-of-the-year/89117/
What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them?
Not an easy question to answer; everybody has partial visibility and it’s never possible to really understand the motivations of some attacks or the developments behind them. Still, with the benefit of hindsight, let’s try to approach the problem from different angles to get a better understanding of what went on.
Tomi Engdahl says:
Getting ROI From a Security Advisory Board That Works: Part 2
https://www.securityweek.com/getting-roi-security-advisory-board-works-part-2
Tomi Engdahl says:
How Well Are You Protecting Your Brand from Digital Risk?
https://www.securityweek.com/how-well-are-you-protecting-your-brand-digital-risk
Without an online presence an organization doesn’t exist, and having a website is just the baseline. Today, an organization’s Internet presence has expanded to include other digital channels. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. Of the Fortune 500 companies, 98 percent use LinkedIn and 88 percent have a presence on Twitter, while more than 70 percent of small businesses use some type of social platform.
The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity through the following key ways:
Online brand and social media abuse: Bad actors can spoof social media profiles of your company or brands, as well as take advantage of employee activity such as oversharing information about your brand or organization on social media.
Malicious web domains: Cyber criminals will register and use web domains extremely similar to your actual domain names.
Fraudulent mobile applications: Threat actors will take advantage of out-of-date mobile applications that you no longer maintain or will even create one for you that passes for a legitimate application. Malicious apps that impersonate brands may use spyware to steal information from users, ranging from banking information to login credentials.
As you develop a brand protection program, here are five concrete things you can do now to proactively identify and mitigate risk to your brand.
1. Identify spoof domains. Freely available tools like DNStwist on GitHub can identify permutations of your domains to detect typosquatting.
2. Look for mentions on criminal sites. OnionScan can help you search
3. Track mentions of sensitive keywords. Google Alerts is a powerful tool to identify mentions of your brand across the open web as well as mentions of your configuration files in cracking forums, indicating you may be facing credential stuffing.
4. Monitor mobile application stores. Even if your organization doesn’t have any official mobile applications, threat actors may create them for you
5. Tap into external expertise. Work with a third-party digital risk provider to monitor your online presence and mitigate these types of risk.
Digital risk from brand exposure impacts everyone including the company, the brand, customers, third parties, employees and each of us as individuals. Brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue.
Tomi Engdahl says:
What You Need to Know About PCI DSS Compliance this Holiday Season
https://www.securityweek.com/what-you-need-know-about-pci-dss-compliance-holiday-season
While no plan is never 100 percent foolproof, retailers need to start by covering these bases:
• Be PCI DSS compliant. Keeping systems secure and compliant with PCI DSS signals to customers that they can be confident all sensitive payment card information is protected and out of reach from malicious actors hoping to rack up fraudulent transactions using the funds of unsuspecting shoppers.
• Patch all systems with the latest available releases of software, malware signatures, policies and IPS/IDS updates.
• Activate multi-factor authentication and make sure it is working correctly for all systems, especially those that give access to any cardholder data. This is a requirement in PCI DSS, but the holiday period is a great chance for checking it once, then checking it twice.
• Have a team available during the holiday period to monitor and audit security logs on, at a minimum, a daily basis. We know that it takes around 200 days for many breaches to be detected; instating a higher amount of review during this critical time can significantly reduce detection and remediation time.
Tomi Engdahl says:
Scanning for Flaws, Scoring for Security
https://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/
Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late.
Tomi Engdahl says:
This working group just went through a painful process of realizing
that deploying a new TLS version on the Internet is a hard task due to
broken devices. If you’re not aware David Benjamin just gave a great
talk summarizing the issues:
TLS ecosystem woes | David Benjamin (Google) | RWC 2018
https://www.youtube.com/watch?v=_mE_JmwFi1Y
Tomi Engdahl says:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
Tomi Engdahl says:
Five Steps to Perimeter-Less Security: Adopting a Zero-Trust Model for Secure Application Access
https://duo.com/resources/ebooks/five-steps-to-perimeter-less-security-adopting-a-zero-trust-model-for-secure-application-access?key=face96c&utm_source=facebook&utm_medium=paid_social&utm_campaign=emea-h2-2017&utm_content=emea2017_leadllfb&_bf=23843060369250249#eyJoYXNoIjoiI2V5Sm9ZWE5vSWpvaUkyVjVTbTlaV0U1dlNXcHZhVWxwZDJsak1sWm9ZMjFPYjBscWIybFFNblJzWlZReGJWbFhUbXhQVkZwcVNtNVdNR0pXT1hwaU0xWjVXVEpWT1ZwdFJtcGFWMHAyWWpKemJXUllVblJZTWpGc1drZHNNV0pVTVhkWlYyeHJXRE5PZGxreWJHaGlRMW94WkVjeFpsa3lSblJqUjBad1dqSTBPVnBYTVd4WlV6RnZUV2t3ZVUxRVJUTktibFl3WWxZNWFtSXlOVEJhVnpVd1VGZFdkRnBYUlhsTlJFVXpXREo0YkZsWFVuTmlSMXBwU213NWFWcHFNSGxOZW1jd1RYcEJNazFFVFRKUFZFa3hUVVJKTUU5VFNqa2lMQ0p6WldGeVkyZ2lPaUkvYTJWNVBXWmhZMlU1Tm1NbWRYUnRYM052ZFhKalpUMW1ZV05sWW05dmF5WjFkRzFmYldWa2FYVnRQWEJoYVdSZmMyOWphV0ZzSm5WMGJWOWpZVzF3WVdsbmJqMWxiV1ZoTFdneUxUSXdNVGNtZFhSdFgyTnZiblJsYm5ROVpXMWxZVEl3TVRkZmJHVmhaR3hzWm1JbVgySm1QVEl6T0RRek1EWXdNelk1TWpVd01qUTVJbjA9Iiwic2VhcmNoIjoiP2tleT1mYWNlOTZjJnV0bV9zb3VyY2U9ZmFjZWJvb2smdXRtX21lZGl1bT1wYWlkX3NvY2lhbCZ1dG1fY2FtcGFpZ249ZW1lYS1oMi0yMDE3JnV0bV9jb250ZW50PWVtZWEyMDE3X2xlYWRsbGZiJl9iZj0yMzg0MzA2MDM2OTI1MDI0OSJ9
The shift away from traditional perimeter-based security and tools
The new zero-trust security paradigm and what it means for your business
How to enable secure access to cloud and on-premises applications based on user identity and the trustworthiness of devices
The zero-trust security maturity model
Tomi Engdahl says:
THE INTERNET BECAME LESS FREE IN 2018. CAN WE FIGHT BACK?
https://www.wired.com/story/internet-freedom-china-2018/
Tomi Engdahl says:
The Cybersecurity Stories We Were Jealous of in 2018
https://motherboard.vice.com/en_us/article/xwj38j/motherboard-cybersecurity-jealousy-list-2018
These are the best stories on hacking and information security that we wish we had reported and written ourselves.
Tomi Engdahl says:
Honest Government Ad | Anti Encryption Law
https://m.youtube.com/watch?v=eW-OMR-iWOE&feature=youtu.be
Tomi Engdahl says:
What Family Harmony and Reducing Time to Containment Have in Common
https://www.securityweek.com/what-family-harmony-and-reducing-time-containment-have-common
Most Organizations Have More Intelligence Than They Know What to do With..
We’re finishing up the holiday season and at this point most of us have spent more time than usual at family gatherings. Let’s be honest, while often enjoyable, they can also be trying. Depending on who is in attendance, the location and duration of the event and the occasion, we resort to avoidance techniques like going for frequent walks around the block, dodging certain topics of discussion, taking deep breaths, staying in a hotel or some combination. By understanding as much as we can about those who will be at a specific family event, we can make better decisions about how to approach it. We turn to methods that have worked in the past to decrease the stress and maintain family harmony
According to the 2018 SANS Incident Response Survey published in October 2018, 40 percent of organizations take more than a day to respond to incidents. We all know that by then much of the damage is likely done as exfiltration is typically measured in minutes and hours. Perhaps more troubling, 44 percent report that they have been breached by the same threat actor at least twice, with 34 percent saying either the same or similar tactics, techniques and procedures (TTPs) were used. The remainder state that different TTPs were used, but they may have limited visibility and missed certain indicators the first time.
Tomi Engdahl says:
Cybersecurity and Insurance
https://hackaday.com/2018/12/31/cybersecurity-and-insurance/
Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.
The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.
It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million dollars because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.
That’s a Lot of Money
By anyone’s standards, $100 million is a pretty big wad of cash. Apparently, Mondelez uses Windows-based software for shipping and order fulfillment. By adding up property damage (lost hard drives, perhaps), supply and distribution disruption, customer order loss they came up with the $100 million figure.
You might argue if that number is really accurate.
However, even if you deflated the estimate by an order of magnitude, you are still talking about a $10 million dollar loss. Not small change. Having lived through some major cyberattacks, I can tell you just the time spent in meetings between IT, executives, and lawyers can add up pretty quickly.
Loophole
As you can probably guess, Zurich isn’t wanting to pay the claim. Insurance companies have a reputation for being happier to take your payments than they are paying your claim, and things like this are why. On the other hand, insurance companies have a fiduciary responsibility to their other customers and their shareholders to not pay out any more than they have to, and we get that too. So other than the “We didn’t know you’d ask for $100 million dollars!” defense, how can Zurich not pay if they agreed to underwrite Mondelez against cyberattacks?
Many insurance policies have a clause in them that excludes things like acts of God and acts of war. Well, the technical term is “force majeure” but it covers things like earthquakes and other natural disasters.
If you have a homeowner’s policy, you probably don’t want a force majeure exclusion.
The act of war is a bit trickier. The logic is the same. If an army marches through your town and burns everything to the ground — or a nuke does the job remotely — the company would be on the hook for so much that they would have to raise premiums quite a bit. In the United States, though, the chances of that seem so slim that no one usually minds. If a nuke hits your house, you probably aren’t going to care anymore anyway.
As usual, though, trying to apply old ideas to new technology causes problems.
According to media reports, the exact language in the insurance policy covers “hostile or warlike action in time of peace or war” and includes any agent of any government (including a de facto government) or military force.
The problem is, in a world where the battlefield is the Internet, how does this apply? There is a lot of evidence that NotPetya was state-sponsored by Russia and targeted Ukraine. The fact that it spread globally may even have been a mistake. Russia, of course, denies this.
Lesson Learned
Not being a lawyer or an insurance expert, this whole thing made me think. If you are buying cybersecurity insurance, maybe you don’t want an act of war exclusion. That’s going to drive up costs, but nearly any widespread cyberattack from another country could be argued as an act of war. Especially since in so many cases, these acts are perpetrated by persons unknown. Did the Russians create NotPetya? Did they deploy it? Did they hire some hacker group to do it for them? Does that matter? What if a hacker did it and then says they were paid by some government? How would you ever prove one way or the other?
Tomi Engdahl says:
How Hackers Stole $1B From Cryptocurrency Exchanges In 2018
https://www.forbes.com/sites/daveywinder/2018/12/31/how-hackers-stole-1b-from-cryptocurrency-exchanges-in-2018/#ef0b73a4d879
According to the Cryptocurrency Anti-Money Laundering Report from Ciphertrace some $927 million had been stolen from cryptocurrency exchanges in the first three quarters of 2018 alone. That total will almost certainly have hit, if not smashed straight through, the $1 billion mark by now. So, who were the hackers behind the heists and how did they get away with it?
The how remains sadly predictable throughout the year, truth be told; exploiting vulnerabilities in crypto wallet software and servers, social engineering/password compromises and insider theft. The who covers equally predictable territory with lone wolf criminal opportunists at the lower end of scale through to well-resourced nation-state actors at the other.
SIM-swapping endeavor, an increasingly common method used to compromise otherwise secure accounts by gaining access to two-factor authentication codes sent via SMS
Then there are the state-sponsored actors.
North Korea remains firmly in the cross-hairs for anyone investigating cryptocurrency theft, especially at the bigger end of the attack scale. One group in particular, the Lazarus Group, is thought to have been involved in a number of attacks. Often launching their attacks out of China, possibly in order to try and obfuscate accurate geo-political attribution, the Lazarus actors are widely thought to be nation-state players tasked with cyber heists to help boost the beleaguered North Korean economy.
In this regard, Lazarus is thought to have been spectacularly successful: more than $571 million in cryptocurrency is reported to have been stolen by the Lazarus Group since the start of 2017 and it is thought that 65% of stolen cryptocurrency ends up in North Korea.
Tomi Engdahl says:
How To See And Block All The Apps Tracking You On Facebook
https://www.iflscience.com/technology/how-to-see-and-block-all-the-apps-tracking-you-on-facebook/
Tomi Engdahl says:
A look back at the Israeli cyber security industry in 2018
https://techcrunch.com/2019/01/06/a-look-back-at-the-israeli-cyber-security-industry-in/?sr_share=facebook&utm_source=tcfbpage
Tomi Engdahl says:
Washington Post:
AT&T and T-Mobile say they will stop selling customers’ location data to 3rd-party service providers by March; Verizon says it’s winding down sharing agreements — AT&T said Thursday it will stop selling its customers’ location data to third-party service providers after a report this week …
http://www.washingtonpost.com/technology/2019/01/10/phone-companies-are-selling-your-location-data-now-some-lawmakers-want-federal-investigation/
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Report: $5.3B was invested in cybersecurity companies in 2018, up 81% from 2016, with California alone accounting for 46% of VC investments worldwide — 2018 wasn’t all bad. It turned out to be a record year for venture capital firms investing in cybersecurity companies.
VC funding of cybersecurity companies hits record $5.3B in 2018
https://techcrunch.com/2019/01/17/vc-funding-cybersecurity-record/
2018 wasn’t all bad. It turned out to be a record year for venture capital firms investing in cybersecurity companies.
According to new data out by Strategic Cyber Ventures, a cybersecurity-focused investment firm with a portfolio of four cybersecurity companies, more than $5.3 billion was funneled into companies focused on protecting networks, systems and data across the world, despite fewer deals done during the year.
That’s up from 20 percent — $4.4 billion — from 2017, and up from close to double on 2016.