Year 2017 was a bad cybersecurity year, and cybersecurity dangers are expected to spike in 2018. The security situation was so bad in 2017 that some thought we were hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed; it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.
Here is a list of relevant cyber security terms for 2018:
AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. As the types of attacks broaden and their sophistication deepens, we humans need help, and data science can process and analyze security data on a scale that is orders of magnitude faster than humans ever could. AI solutions could possibly help with some security problems, but be warned of the over-hyping of AI in security products. We will also see many attacks against ‘black box’ machine learning: an attacker who can only query a model can still learn enough about it to craft inputs it misclassifies.
Artisanal: Today, security is an artisanal industry. With a total addressable market north of $85 billion per year, and not one player above 5 percent, it is a chaotic industry of niches: endpoint, AV, cloud, network/infrastructure, application, compliance, and the list goes on. While this overwhelming array of choices has given technologists a lot to evaluate, it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.
Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.
Automation: Enterprises will no longer react manually to cyber events after they happen, but will instead use systems to plan proactively and respond automatically. Security policy orchestration and automation are expected to lead next-generation cybersecurity for enterprises.
Backups: Understand and back up your data. Categorize data based on organizational value. Test regularly that your backup and restore process works, not just that the backup job completed: a backup that has never been restored is an untested backup.
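What a restore test looks like in practice, as an added example that is not part of the original post: the script below archives a constructed sample data set, records a manifest of SHA-256 digests, restores the archive into a scratch directory and compares it against the manifest, and then shows that a truncated copy of the same archive fails the check. File names and contents are made up for the demonstration.

```python
# Added example (not from the original post): test that a backup actually
# restores. Constructed sample files are archived, a manifest of SHA-256
# digests is recorded, the archive is restored into a scratch directory and
# compared with the manifest, and a truncated copy of the archive is shown
# to fail the same check. File names and contents below are made up.
import hashlib
import io
import os
import tarfile
import tempfile
import zlib


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def backup(src_root):
    """Return (gzipped tar bytes, manifest) for every file under src_root."""
    manifest = build_manifest(src_root)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_root, rel), arcname=rel)
    return buf.getvalue(), manifest


def restore_and_verify(archive_bytes, manifest):
    """Restore into a scratch directory and diff it against the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as dest:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
                # The "data" filter (Python 3.12+, backported to older patch
                # releases) refuses absolute paths and ".." traversal in
                # member names; fall back to plain extraction where missing.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {type(exc).__name__}"]
        restored = build_manifest(dest)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file restored: {rel}")
    return problems


def demo():
    """Constructed data set. Returns (problems for the intact archive,
    problems for the same archive truncated to half its length)."""
    with tempfile.TemporaryDirectory() as src:
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "customers.csv"), "w") as fh:
            fh.write("id,name\n1,alice\n2,bob\n")
        with open(os.path.join(src, "config.ini"), "w") as fh:
            fh.write("[app]\nretention_days = 30\n")
        archive, manifest = backup(src)
    intact = restore_and_verify(archive, manifest)
    truncated = restore_and_verify(archive[: len(archive) // 2], manifest)
    return intact, truncated


if __name__ == "__main__":
    intact, truncated = demo()
    print("intact archive:", intact or "restore verified")
    print("truncated archive:", truncated)
```

The manifest is recorded at backup time and kept separately from the archive, so a silently corrupted or incomplete archive is caught at the next scheduled restore test rather than during an incident.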
Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward better protection of assets, business and people is to assume that everything is connected, and therefore vulnerable. A second is to consider investing in a network visibility solution. Behavioral analytics enables verification that users are doing the right thing, and there are more and more tools to help companies detect anomalous behavior in their organizations.
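As an added example (not code from the original post) of the kind of check such tools perform, the script below learns each user’s usual login hours and source networks from a training window of constructed authentication log lines and then flags later events that fall outside that baseline. The log format, users and addresses are made up; a real deployment would feed this from the SIEM or authentication server.

```python
# Added example (not from the original post): a small behavioural baseline
# over constructed authentication log lines. Per-user login hours and source
# /24 networks are learnt from a training window; later events outside the
# baseline are flagged for review. Log format and data are made up.
from collections import defaultdict
from datetime import datetime
import ipaddress

TRAINING_LOG = """\
2018-01-08T08:02:11Z auth user=alice src=10.1.4.23 result=success
2018-01-08T08:15:40Z auth user=bob src=10.1.7.8 result=success
2018-01-09T09:10:02Z auth user=alice src=10.1.4.25 result=success
2018-01-09T17:45:13Z auth user=bob src=10.1.7.9 result=success
2018-01-10T08:30:55Z auth user=alice src=10.1.4.23 result=success
2018-01-10T16:01:31Z auth user=bob src=10.1.7.8 result=success
"""

EVAL_LOG = """\
2018-01-11T08:05:17Z auth user=alice src=10.1.4.24 result=success
2018-01-11T03:12:44Z auth user=alice src=10.1.4.23 result=success
2018-01-11T10:20:09Z auth user=bob src=203.0.113.77 result=success
2018-01-11T10:20:30Z auth user=carol src=10.1.9.4 result=success
"""


def parse(line):
    """Turn one log line into a dict; returns None for lines it cannot parse."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "auth":
        return None
    try:
        event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in parts[2:]:
        key, _sep, value = kv.partition("=")
        event[key] = value
    return event


def build_baseline(log_text):
    """Per user: the hours and /24 source networks seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "nets": set()})
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev.get("result") != "success":
            continue
        net = ipaddress.ip_network(ev["src"] + "/24", strict=False)
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
        baseline[ev["user"]]["nets"].add(net)
    return baseline


def hour_distance(a, b):
    """Distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def find_anomalies(baseline, log_text, hour_slack=1):
    """Return (user, reason, line) tuples for events outside the baseline."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        user = ev.get("user")
        if user not in baseline:
            findings.append((user, "no baseline for user", line))
            continue
        profile = baseline[user]
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in profile["nets"]):
            findings.append((user, "new source network", line))
        hour = ev["ts"].hour
        if all(hour_distance(hour, h) > hour_slack for h in profile["hours"]):
            findings.append((user, "unusual hour", line))
    return findings


if __name__ == "__main__":
    for user, reason, line in find_anomalies(build_baseline(TRAINING_LOG), EVAL_LOG):
        print(f"{user:6} {reason:22} {line}")
```

Note that a single event can trip more than one rule (bob’s login from an outside address also falls outside his usual hours), and that a user with no history is itself a finding worth a look. Thresholds such as the one-hour slack and the /24 granularity are tuning parameters, not facts from the post.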
Blockchain: A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need for a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community-based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors. Some see unauthorized coin mining in the browser as a looming security risk, while others see that authorized browser mining could be used for micro-payments.
Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches was anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.
Certificates: Facebook released new Certificate Transparency tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. Monitoring Certificate Transparency logs (CT logs) does not prevent mis-issuance, but it lets a domain owner detect a certificate they never requested before it is used for a man-in-the-middle attack, provided the issuing CA logs it. With hundreds of Certificate Authorities (CAs) able to issue publicly-trusted TLS certificates for any website, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet cloud security is often still thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.
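To make concrete what “linked and secured using cryptography” means, here is an added example (not from the original post) of a minimal hash chain: each block stores the hash of the previous block, so altering any earlier record invalidates its own hash and, even if an attacker recomputes that hash, breaks the link stored in the next block. Proof-of-work and the network consensus that actually solves double spending are deliberately left out; the records are made up.

```python
# Added example (not from the original post): a minimal hash-linked chain.
# Each block commits to the previous block's hash, so a change to any earlier
# record breaks every link after it. No proof-of-work or consensus here.
import hashlib
import json


def block_hash(block):
    """SHA-256 over the canonical JSON encoding of a block minus its own hash."""
    body = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def make_block(index, records, prev_hash):
    block = {"index": index, "records": records, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    return block


def build_chain(batches):
    """Chain a list of record batches; the genesis block links to all zeros."""
    chain = []
    prev = "0" * 64
    for i, records in enumerate(batches):
        block = make_block(i, records, prev)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return the index of the first invalid block, or None if the chain is intact."""
    prev = "0" * 64
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return i
        if block_hash(block) != block["hash"]:
            return i
        prev = block["hash"]
    return None


def demo():
    """Constructed ledger. Returns (intact, tampered, relinked) verification results."""
    chain = build_chain([
        [{"from": "mint", "to": "alice", "amount": 50}],
        [{"from": "alice", "to": "bob", "amount": 20}],
        [{"from": "bob", "to": "carol", "amount": 5}],
    ])
    intact = verify_chain(chain)
    # Tamper with a record in block 1: its stored hash no longer matches.
    chain[1]["records"][0]["amount"] = 200
    tampered = verify_chain(chain)
    # Even if the attacker recomputes block 1's hash, block 2's link breaks.
    chain[1]["hash"] = block_hash(chain[1])
    relinked = verify_chain(chain)
    return intact, tampered, relinked


if __name__ == "__main__":
    print(demo())  # (None, 1, 2)
```

The only thing this structure guarantees on its own is tamper-evidence: anyone holding the latest hash can detect a rewrite. Stopping a party from rewriting the whole chain from the altered block onwards is what the consensus mechanism, not the hashing, provides.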
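As an added example (not Facebook’s tool or code from the original post) of the alerting logic behind such a monitor: a real monitor pulls entries from public CT logs (a log’s get-entries endpoint or a search service) and parses the certificates; here the entries are a constructed, already-parsed sample so the check runs offline. The monitored domains, expected issuer names and log indices are all made up.

```python
# Added example (not from the original post): the alerting step of a
# Certificate Transparency monitor over constructed, pre-parsed log entries.
# Matching on issuer *name* is shown for brevity; a production monitor should
# pin the issuer's key or certificate fingerprint, which a rogue CA cannot copy.

# Expected issuers per monitored domain (constructed). Anything else alerts.
MONITORED = {
    "example.com": {"Example Internal CA", "Let's Encrypt Authority X3"},
    "example.net": {"Example Internal CA"},
}

# Constructed entries in the shape a parser might emit (not real certificates).
CT_ENTRIES = [
    {"log_index": 1001, "issuer": "Let's Encrypt Authority X3",
     "sans": ["www.example.com", "example.com"], "not_before": "2018-01-03"},
    {"log_index": 1002, "issuer": "Some Other CA",
     "sans": ["login.example.com"], "not_before": "2018-01-04"},
    {"log_index": 1003, "issuer": "Example Internal CA",
     "sans": ["*.example.net"], "not_before": "2018-01-05"},
    {"log_index": 1004, "issuer": "Let's Encrypt Authority X3",
     "sans": ["example.org"], "not_before": "2018-01-05"},
    {"log_index": 1005, "issuer": "Some Other CA",
     "sans": ["notexample.com", "example.com.evil.test"], "not_before": "2018-01-06"},
]


def covers(san, domain):
    """True if a SAN (possibly a wildcard) names domain or one of its subdomains.

    Label matching is anchored on a dot so 'notexample.com' and
    'example.com.evil.test' are not mistaken for example.com.
    """
    san = san.lower()
    domain = domain.lower()
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def check_entries(entries, monitored=MONITORED, since=0):
    """Scan entries newer than `since`; return (alerts, new cursor).

    Each alert is (log_index, monitored domain, reason). Persist the cursor
    between runs so each entry is examined once.
    """
    alerts = []
    cursor = since
    for entry in sorted(entries, key=lambda e: e["log_index"]):
        if entry["log_index"] <= since:
            continue
        cursor = entry["log_index"]
        for domain, expected_issuers in monitored.items():
            hits = [s for s in entry["sans"] if covers(s, domain)]
            if hits and entry["issuer"] not in expected_issuers:
                alerts.append((entry["log_index"], domain,
                               f"unexpected issuer {entry['issuer']!r} for {hits}"))
    return alerts, cursor


if __name__ == "__main__":
    found, cursor = check_entries(CT_ENTRIES)
    for idx, domain, reason in found:
        print(f"ALERT log_index={idx} domain={domain}: {reason}")
    print("next run starts after", cursor)
```

Only entry 1002 alerts: a certificate for login.example.com from a CA the owner does not use. Entry 1001 is from an expected issuer, 1004 names a domain that is not monitored, and 1005 only looks similar to example.com.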
Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”
GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018’s privacy rules? If you trade in or with an EU country and record personal data from customers and other people, then you will be affected by the GDPR. The GDPR was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, at which time organizations in non-compliance will face heavy fines (up to 20,000,000 EUR or up to 4% of annual worldwide turnover, whichever is higher). The deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of the data controller, e.g. a cloud service provider) or the data subject (the person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures that meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay (where feasible, within 72 hours) of issues like a data breach. Europe’s GDPR scare season is in full swing, and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but, this being the EU, it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not-compliant state.
It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.
Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. In 2018 we are likely to see a shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products with strong built-in security, and they are addressing security at all levels: cloud, network and device. The holistic solution takes security down to the device level; examples include new hardware-based security solutions and secure MCUs for IoT devices.
HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote encrypted HTTPS. Typically the non-secure labelling occurs on pages delivered over HTTP that include forms. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.
HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.
HTTPS: In HTTPS, the HTTP communication protocol of the World Wide Web is encrypted by Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling plain HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protection that HTTPS aims to provide: the client only ever validates the interception product’s certificate, so the product’s own certificate validation and TLS implementation become the weak point, and the browser can no longer warn the user about a bad upstream certificate.
ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems. In 2018 this trend will likely continue, given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.
Identify: When you have an inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.
IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been “the future” since 1998, and an important future since 2007. IPv6 deployments have been increasing, and chances are you have already used IPv6 without realizing it. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once is unlikely, so you will have to manage network security on both IPv6 and IPv4 for a long time. IPv6 use is increasing, but that does not mean IPv4 is in any way dying. It seems that both technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address alongside their existing IPv4 address (a technique known as dual-stacking). Many devices are already configured like that by default, so it is possible that you are using IPv6 without knowing it. Whether this is good or bad depends on whether you planned your network to work this way: an IPv4-only firewall policy says nothing about what is reachable over IPv6.
Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT security starts with liability for companies, not just legislation. Security experts have always warned us that a network is only as secure as its weakest point, and the Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there is an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices: besides the usual issues, they must deal with security, encryption standards, networking protocols and new technologies. An IoT system should address security at all levels (cloud, network and device), and the holistic solution takes security down to the device level; examples include new hardware-based security solutions and secure MCUs for IoT devices. It is quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data, so encryption and careful handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There is a race for a universal IoT security standard, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
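The “using IPv6 without knowing it” problem is easy to audit from an address inventory. The script below is an added example (not from the original post): it classifies each address collected from hosts (constructed lines in the spirit of `ip -o addr` output) as IPv4, IPv6 link-local, unique-local or global, and flags hosts that hold a routed IPv6 address while their IPv6 input firewall policy is still permissive. Host names, addresses and the policy table are made up.

```python
# Added example (not from the original post): audit a dual-stack address
# inventory. Lines mimic `ip -o addr` output gathered per host (constructed).
import ipaddress
from collections import defaultdict

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local addresses

ADDR_DUMP = """\
web01 eth0 inet 10.0.1.10/24 scope global
web01 eth0 inet6 fe80::5054:ff:fe12:3456/64 scope link
web01 eth0 inet6 2001:db8:1::10/64 scope global
db01 eth0 inet 10.0.2.20/24 scope global
db01 eth0 inet6 fe80::5054:ff:feab:cdef/64 scope link
db01 eth0 inet6 fd00:1::20/64 scope global
jump01 eth0 inet 10.0.3.30/24 scope global
jump01 eth0 inet6 fe80::1/64 scope link
"""

# Constructed: default INPUT policy of the IPv6 firewall (ip6tables) per host.
IP6_INPUT_POLICY = {"web01": "ACCEPT", "db01": "DROP", "jump01": "ACCEPT"}


def classify(cidr):
    """Label one address: ipv4, ipv6-link-local, ipv6-ula or ipv6-global.

    Explicit prefix checks are used instead of IPv6Address.is_private, which
    would also treat the 2001:db8::/32 documentation range used in this
    sample as private.
    """
    addr = ipaddress.ip_interface(cidr).ip
    if addr.version == 4:
        return "ipv4"
    if addr.is_link_local:
        return "ipv6-link-local"
    if addr in ULA:
        return "ipv6-ula"
    return "ipv6-global"


def parse_dump(text):
    """Group address records by host."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        host, iface, _family, cidr, _kw, scope = line.split()
        per_host[host].append({"iface": iface, "cidr": cidr,
                               "scope": scope, "kind": classify(cidr)})
    return dict(per_host)


def audit(per_host, ip6_input_policy):
    """Return (host, finding) pairs.

    Global and unique-local addresses count as routed; link-local addresses
    are reachable only from the same link, so a host with nothing else is
    not considered dual-stacked for routed traffic.
    """
    findings = []
    for host in sorted(per_host):
        kinds = {a["kind"] for a in per_host[host]}
        routed = kinds & {"ipv6-global", "ipv6-ula"}
        policy = ip6_input_policy.get(host, "ACCEPT")  # unknown: assume unfiltered
        if routed and policy != "DROP":
            findings.append((host, f"routed IPv6 address present but IPv6 INPUT policy is {policy}"))
        if routed and "ipv4" in kinds:
            findings.append((host, "dual-stacked: IPv4 firewall rules do not cover IPv6 traffic"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(parse_dump(ADDR_DUMP), IP6_INPUT_POLICY):
        print(f"{host}: {finding}")
```

In the sample, web01 is reachable over a global IPv6 address with an open input policy, db01 is filtered but still dual-stacked and needs its IPv6 rules reviewed alongside the IPv4 ones, and jump01 has only a link-local address and produces no finding.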
On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
Micro-segmentation: Categorize data based on organizational value, then create physical or logical separation of networks for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. The same approach limits how far attacks like WannaCry and NotPetya, which spread from machine to machine over SMB, can propagate across a network to reach their intended target.
Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai makers pleaded guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.
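As an added example (not from the original post) of what such a policy looks like and why it matters for worms, the script below models segments as address ranges with a default-deny allow list between them, then computes the set of hosts an infected workstation could reach on TCP 445 under the segmented policy and under a flat network. Segments, rules and hosts are constructed; the real enforcement point would be a firewall, switch ACL or host firewall expressing the same rules.

```python
# Added example (not from the original post): a segmentation policy model.
# Segments are CIDR ranges, the allow list is default-deny (including inside
# a segment), and blast_radius() shows how far a worm on TCP 445 could spread.
import ipaddress

SEGMENTS = {  # constructed
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "file-servers": ipaddress.ip_network("10.20.1.0/24"),
    "vendor-jump": ipaddress.ip_network("10.20.9.0/28"),
    "supplier-vpn": ipaddress.ip_network("10.99.0.0/24"),
}

# Allow list as (source segment, destination segment, protocol, port).
# Anything not listed is denied, including workstation-to-workstation traffic.
ALLOW = [
    ("workstations", "file-servers", "tcp", 445),
    ("workstations", "file-servers", "tcp", 139),
    ("supplier-vpn", "vendor-jump", "tcp", 22),
    ("vendor-jump", "file-servers", "tcp", 445),
]

HOSTS = {  # constructed inventory
    "ws-101": "10.10.1.101",
    "ws-102": "10.10.1.102",
    "ws-205": "10.10.2.5",
    "fs-01": "10.20.1.10",
    "vendor-jump-01": "10.20.9.2",
    "supplier-1": "10.99.0.7",
}


def segment_of(ip):
    """Name of the segment containing ip, or None if it is unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port, rules=ALLOW):
    """Decide one flow. rules=None models a flat network with no segmentation."""
    if rules is None:
        return True
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return False
    return (src_seg, dst_seg, proto, port) in rules


def blast_radius(infected, proto, port, rules=ALLOW, hosts=HOSTS):
    """Hosts an infected machine can reach on proto/port under the policy."""
    src = hosts[infected]
    return sorted(name for name, ip in hosts.items()
                  if name != infected and is_allowed(src, ip, proto, port, rules))


if __name__ == "__main__":
    print("segmented:", blast_radius("ws-101", "tcp", 445))
    print("flat:     ", blast_radius("ws-101", "tcp", 445, rules=None))
```

With the policy in place a compromised workstation can reach only the file server on SMB; on a flat network it can reach every other host, which is exactly how WannaCry and NotPetya spread. The supplier VPN range can reach only the vendor jump host on SSH, which is the “keep supply chain traffic separate” point from the text.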
Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.
Patching: Vulnerabilities are not a new phenomenon; they are as old as computers, and they need to be fixed. Traditional approaches may no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this model, imminent threats (vulnerabilities that are actually being exploited, on systems that are actually exposed) are prioritized and remediated first, rather than working down a list sorted by severity score alone. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
PSD2: The EU-wide Payment Services Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.
Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it is the next wave beyond ransomware that worries cybersecurity experts.
Responsibility: People are starting to call on companies to take responsibility. The EU’s General Data Protection Regulation (GDPR) was developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some say it is time for innovators to take responsibility for their creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run almost every part of our lives, where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsible disclosure of vulnerabilities is part of that responsibility.
Risk Mitigation: Risk mitigation is a timeless subject in the information security field and is, in essence, what information security is all about. If we look at the biggest risks most organizations face, many of them relate directly to the loss of sensitive, proprietary and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The best security doesn’t exclude users, it empowers them.
Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.
Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?
Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. Many such attempts aim for “hack resistance”, hedging a bit on whether truly unhackable hardware is achievable.
Virtual security: “Virtual security” means that manufacturers claim their products are secure when in reality they are not.
Vulnerability: Patching is an important part of your defense strategy, and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events had increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem, so they cannot fix everything at once and need the threat-centric prioritization described under Patching above. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia; they often process highly sensitive information, and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run: many have no process for tracking the open source components they use, so they do not know when a published vulnerability in one of them applies to them. Vulnerabilities you find in others’ products should be responsibly disclosed.
Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks; WannaCry and NotPetya were examples. These threats are likely to continue into 2018.
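The threat-centric model described under Patching and Vulnerability above is easiest to see when set against a plain severity sort. The script below is an added example (not Gartner’s method or code from the original post): over a constructed list of findings it produces the order a CVSS-only sort would give and the order a threat-centric scoring gives, where known exploitation and exposure outweigh the raw score and long-known vulnerabilities get a nudge. The weights, finding IDs and assets are assumptions for the illustration.

```python
# Added example (not from the original post): CVSS-only ordering versus a
# threat-centric ordering of constructed vulnerability findings. Weights are
# illustrative assumptions, not a published scoring scheme.

FINDINGS = [  # constructed; IDs and assets are made up
    {"id": "F-1", "asset": "vpn-gw", "cvss": 7.5, "exploited_in_wild": True,
     "days_known": 400, "exposure": "internet"},
    {"id": "F-2", "asset": "hr-db", "cvss": 9.8, "exploited_in_wild": False,
     "days_known": 12, "exposure": "internal"},
    {"id": "F-3", "asset": "ws-fleet", "cvss": 8.1, "exploited_in_wild": True,
     "days_known": 380, "exposure": "internal"},
    {"id": "F-4", "asset": "intranet-wiki", "cvss": 9.1, "exploited_in_wild": False,
     "days_known": 30, "exposure": "internal"},
    {"id": "F-5", "asset": "test-box", "cvss": 5.3, "exploited_in_wild": False,
     "days_known": 700, "exposure": "internal"},
]

AGE_THRESHOLD_DAYS = 365  # "known for at least one year" from the Gartner figure


def cvss_order(findings):
    """Severity-only ordering: highest CVSS first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def threat_score(f):
    """Assumed weights: active exploitation dominates, then Internet exposure,
    then a small bonus for vulnerabilities known for over a year, then CVSS."""
    score = f["cvss"]
    if f["exploited_in_wild"]:
        score += 50
    if f["exposure"] == "internet":
        score += 25
    if f["days_known"] >= AGE_THRESHOLD_DAYS:
        score += 3
    return score


def threat_order(findings):
    """Threat-centric ordering: imminent threats first."""
    return [f["id"] for f in sorted(findings, key=threat_score, reverse=True)]


def remediation_tier(f):
    """Map a finding to an assumed SLA bucket."""
    if f["exploited_in_wild"]:
        return "imminent"
    if f["cvss"] >= 9.0:
        return "high"
    return "scheduled"


if __name__ == "__main__":
    print("CVSS only:      ", cvss_order(FINDINGS))
    print("threat-centric: ", threat_order(FINDINGS))
    for f in FINDINGS:
        print(f"{f['id']} {f['asset']:14} {remediation_tier(f)}")
```

The two critical-scored internal findings drop below the two that are being exploited right now, the Internet-facing one of which goes first. The tier function is what you would wire into ticketing: “imminent” items get a fix-now clock regardless of score.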
Sources:
Firefox, Chrome start calling HTTP connections insecure
Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead
Cybersecurity Dangers Will Spike in 2018
We’re hitting rock bottom in cyber — let’s do something | TechCrunch
Mirai-makers plead guilty, Hajime still lurks in shadows
DARPA Takes Chip Route to ‘Unhackable’ Computers
Another AI attack, this time against ‘black box’ machine learnings
General Data Protection Regulation (Wikipedia)
Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already
Miten GDPR pitää huomioida ohjelmistokehityksessä? (How should the GDPR be taken into account in software development?)
Seven Seas Cybersecurity: Captain, We Have a Problem
In the Words of President Ronald Reagan, “Trust but Verify”
Why You Should Question These Most Common Cloud Assumptions
It’s 2018. Do You Know Where Your Data Are?
Improved IoT Security Starts with Liability for Companies, Not Just Legislation
Smart Factory Connectivity for the Industrial IoT
The Race for a Universal IoT Security Standard
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.
Resolve to Mitigate Your Business’ Digital Risk in 2018
Emerging Trends in Vulnerability Management
Research reveals customer-facing web and mobile apps as top security challenge
Open Source Vulnerabilities: Are You Prepared to Run the Race?
Device Security for the Industrial Internet of Things
GDPR and Open Source: Best Practices
Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC
ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good
Threat Modeling the Internet of Things: Modeling Reaper
Engineering for Privacy Requires Standards
How to Make Adversaries Work Harder, While We Work Smarter, in 2018
2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices
Facebook Releases New Certificate Transparency Tools
iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
U.S. Military to Send Cyber Soldiers to the Battlefield
Machine Learning & Security: Making Users Part of the Equation
Security is Not a Technology Profession
Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018
Tomi Engdahl says:
Through the looking glass: Security and the SRE
https://opensource.com/article/18/3/through-looking-glass-security-sre?sc_cid=7016000000127ECAAY
It’s time to take a more proactive approach to system security. Here’s how chaos engineering can play a key role.
Tomi Engdahl says:
How to secure your Raspberry Pi
https://opensource.com/article/17/3/iot-security-raspberry-pi?sc_cid=7016000000127ECAAY
Find out what sensible steps you can take to protect your Raspberry Pi and other IoT devices.
Tomi Engdahl says:
Cyber Defense Tool Is an Early Warning System for Grid Attacks
https://spectrum.ieee.org/energywise/energy/the-smarter-grid/cyber-defense-tool-targets-grid-vulnerability
A rifle attack on an electrical substation near California’s Silicon Valley in April 2013 led to the development of a new tool for grid operators that will enable them to better detect not only a brutal physical attack but also the slightest hint of a hacker looking for vulnerabilities in these critical links in the grid.
Although distributed in nature, grid operators worry that the loss of just a few critical substations could trigger an outage that cascades across a region, potentially crippling a major urban center.
Indeed, in 2014, the Wall Street Journal reported the startling findings in a confidential report by the Federal Energy Regulatory Commission (FERC): thirty substations across the U.S. played an outsized role in grid operations; knocking out nine of them could cause a cascading outage capable of bringing down the nation’s grid.
During the still-unsolved crime, attackers cut fiber optic cables to the facility, and then shot up 17 transformers, resulting in $15 million in damage. The utility had to re-route power around the damaged substation until repairs could be made.
A rifle assault means the attacker has to come close enough to blast away at a substation. Perhaps more worrisome to grid operators, however, is the possibility of a cyberattack launched remotely from anywhere on the globe.
Tomi Engdahl says:
Russell Brandom / The Verge:
FIDO Alliance and W3C announce WebAuthn, a new open standard for password-free logins, currently supported in Firefox, and to be supported in Chrome and Edge — One small step towards a world without phishing — Web browsers are building a new way for you to log in, announced today by the W3C and FIDO Alliance standards bodies.
Chrome and Firefox will support a new standard for password-free logins
One small step towards a world without phishing
https://www.theverge.com/2018/4/10/17215406/webauthn-support-chrome-firefox-edge-fido-password-free
Web browsers are building a new way for you to log in, announced today by the W3C and FIDO Alliance standards bodies. Called WebAuthn, the new open standard is currently supported in the latest version of Firefox, and will be supported in upcoming versions of Chrome and Edge slated for release in the next few months.
WebAuthn has been working its way toward W3C approval for nearly two years, but today marks the first major announcement of browser support. Apple has not commented on Safari support for WebAuthn, although the company is part of the working group that developed the standard.
Today’s announcement is the latest step in a years-long effort to move users away from passwords and toward more secure login methods like biometrics and USB tokens. The system is already in place on major services like Google and Facebook, where you can log in using a Yubikey token built to the FIDO standard.
Tomi Engdahl says:
A Deep Dive Into Decision Advantage
https://www.securityweek.com/deep-dive-decision-advantage
The Most Effective Intelligence Programs Focus on Providing a Decision Advantage Over the Threats and Adversaries That Matter Most
Decision advantage is what results when intelligence enables a decision-maker to better understand and address an issue. It requires:
1) Intelligence that is timely, accurate, and relevant to a given issue and;
2) At least one decision-maker who possesses the expertise and resources needed to evaluate and action the intelligence within the context of the issue.
Decision advantage reinforces that the value of intelligence lies not in the intelligence itself but in the decisions it shapes and drives. This principle is crucial because it enables us to:
● Distinguish true intelligence from data and information
● More effectively measure the performance of an intelligence program
● Achieve better outcomes
Although the concept of decision advantage may seem obvious, realizing it is not simple. A “checkbox” approach that continues to motivate many organizations may never really address the questions decision-makers need answered to give them a decision advantage. There’s no point in having an intelligence program unless you’re able to make better decisions. This is why the most effective intelligence programs focus on providing a decision advantage over the threats and adversaries that matter most to their organizations.
Tomi Engdahl says:
SirenJack: Hackers Can Remotely Trigger Warning Sirens
https://www.securityweek.com/sirenjack-hackers-can-remotely-trigger-warning-sirens
Researchers at Bastille, a company that specializes in detecting threats through software-defined radio, have uncovered a new method that can be used to remotely hack emergency warning systems.
Sirens are used worldwide to alert the public of natural disasters, man-made disasters, and emergency situations, including tornadoes, hurricanes, floods, volcanic eruptions, nuclear accidents, chemical spills, and terrorist attacks. False alarms can cause widespread panic and annoyance.
Researchers say they have discovered a new attack method that allows hackers to remotely trigger sirens. This type of attack, dubbed SirenJack, is possible due to a vulnerability found in emergency alert systems made by ATI Systems, a company whose products are used by major cities, universities, military facilities, and industrial sites.
According to Bastille, the vulnerability, related to the use of insecure radio protocol controls, was initially found in the system used by the city of San Francisco and later confirmed at a second installation.
Bastille researcher Balint Seeber started analyzing the city’s outdoor public warning system in 2016 after noticing that it had been using RF communications. An analysis of the system showed that commands were sent without being encrypted, allowing a malicious actor to forge commands.
Attackers need to identify the radio frequency used by the targeted siren and send the system a specially crafted message that triggers an alarm.
“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Chris Risley, CEO of Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”
ATI Systems has been made aware of the vulnerability and it has created a patch that adds an additional layer of security to the packets sent over the radio.
ATI noted that its current products no longer use the old control protocols that often allowed malicious actors and pranksters to trigger false alarms.
Tomi Engdahl says:
What Social Media Platforms And Search Engines Know About You
https://www.securityweek.com/what-social-media-platforms-and-search-engines-know-about-you
The Facebook scandal involving the harvesting of data from tens of millions of users has raised a lot of questions about social media and search engines.
As Facebook founder and CEO Mark Zuckerberg testifies before the US Congress this week on protecting user data, here is a primer on what they know about you:
A user can control some sharing of their Facebook data with privacy settings and the ad preferences page.
● What it sells: Facebook insists it does not sell advertisers personally identifiable information or even aggregate data. What it provides an advertiser with is the ability to reach a specific demographic, which enhances the effectiveness of an ad campaign. Twitter, for its part, provides access to an internal search engine that sweeps up all messages on the site.
● What it shares: Most social media platforms are open to outside developers who create apps fed in varying degrees by using data from users of these networks. In the case of Facebook, the public profile — the whole page for some people, or just the first and last name and photo for others — does not require authorization from the user, but accessing the rest may require a separate OK from the user.
Once data is mined by outside apps, it is no longer in the grasp of Facebook and trying to get hold of it again is difficult.
Search engines
● What they collect: Google, Yahoo and Bing gather all information involving searches including the websites that are accessed and the location of the user. This can be integrated with information from other services owned by the internet giants.
“You don’t have to tell Google your age and your gender and all those things. They can determine all of that based on so many other factors,” said Chirag Shah, a computer science professor at Rutgers University.
● What they sell: like social networks, their revenue comes largely from advertising. They do not sell data, but rather access to a consumer with very specific characteristics.
This comes from compiling search engine data but also, in the case of Google, from searches and content viewed on its YouTube platform. Google used to also mine the content of Gmail before ending this practice in June.
● What they share: Like social media networks, search engines share data with developers and third-party app makers.
Are there limits?
In the United States there are practically no laws against the use of data from social media or search engines.
But the Federal Trade Commission did sanction Facebook in 2011 for its handling of personal data.
In Canada and Europe, there are some limits on the use of data, mainly involving health.
Tomi Engdahl says:
Emergency alert systems used across the US can be easily hijacked
https://www.helpnetsecurity.com/2018/04/10/emergency-alert-systems/
A vulnerability affecting emergency alert systems supplied by ATI Systems, one of the leading suppliers of warning sirens in the USA, could be exploited remotely via radio frequencies to activate all the sirens and trigger false alarms.
“We first found the vulnerability in San Francisco, and confirmed it in two other US locations including Sedgwick County, Wichita, Kansas,” Balint Seeber, Director of Threat Research at Bastille, told Help Net Security.
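The weakness described in this comment and in the SecurityWeek write-up above is that the radio commands carried no authentication, so any well-formed frame was obeyed. The added example below (my own illustration, not ATI's protocol or its patch) models that with a hypothetical frame format: a legacy decoder that obeys whatever arrives, beside a receiver that requires an HMAC-SHA256 tag and a strictly increasing counter, so forged, tampered and replayed frames are dropped. Command codes, field layout and the key are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical siren command set; not a real vendor protocol.
CMD_TEST = 0x01    # silent self-test
CMD_ALERT = 0x02   # sound the siren
CMD_CANCEL = 0x03  # stop an active alert

HEADER = ">HBI"                       # site id, command, monotonic counter
HEADER_LEN = struct.calcsize(HEADER)  # 7 bytes
TAG_LEN = 16                          # truncated HMAC-SHA256 tag


def legacy_decode(frame: bytes):
    """Model of an unauthenticated control frame: whatever arrives is obeyed.

    This is the property Bastille described: a plaintext command can be
    forged by anyone able to transmit on the control channel.
    """
    site_id, command = struct.unpack(">HB", frame[:3])
    return site_id, command


def build_frame(key: bytes, site_id: int, command: int, counter: int) -> bytes:
    """Authenticated frame: header || HMAC-SHA256(key, header)[:TAG_LEN]."""
    header = struct.pack(HEADER, site_id, command, counter)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class SirenReceiver:
    """Receiver that only obeys frames with a valid tag and a fresh counter."""

    def __init__(self, key: bytes, site_id: int):
        self.key = key
        self.site_id = site_id
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (site_id, command) for a valid frame, None otherwise."""
        if len(frame) != HEADER_LEN + TAG_LEN:
            return None  # legacy-length or truncated frame: ignore
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: forged or tampered frames fail here.
        if not hmac.compare_digest(tag, expected):
            return None
        site_id, command, counter = struct.unpack(HEADER, header)
        if site_id != self.site_id:
            return None  # addressed to another site
        if counter <= self.last_counter:
            return None  # recorded-and-replayed frame
        self.last_counter = counter
        return site_id, command


def demo():
    """Walk through the accept/reject cases; returns the list of outcomes."""
    key = b"constructed-demo-key-not-a-real-secret"
    rx = SirenReceiver(key, site_id=7)
    outcomes = []
    legit = build_frame(key, 7, CMD_TEST, counter=1)
    outcomes.append(rx.accept(legit))                    # (7, CMD_TEST)
    outcomes.append(rx.accept(legit))                    # None: replay
    forged = build_frame(b"wrong-key", 7, CMD_ALERT, counter=2)
    outcomes.append(rx.accept(forged))                   # None: bad tag
    tampered = bytearray(build_frame(key, 7, CMD_TEST, counter=3))
    tampered[2] = CMD_ALERT                              # flip TEST into ALERT
    outcomes.append(rx.accept(bytes(tampered)))          # None: tag mismatch
    outcomes.append(rx.accept(build_frame(key, 7, CMD_CANCEL, counter=4)))  # (7, CMD_CANCEL)
    outcomes.append(legacy_decode(forged))               # (7, CMD_ALERT): legacy obeys it
    return outcomes


if __name__ == "__main__":
    print(demo())
```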
Tomi Engdahl says:
Louise Matsakis / Wired:
Mozilla’s Internet Health Report 2018 calls attention to monopolization of internet by tech giants, IoT security, privacy, digital inclusion, web literacy, more
Mozilla Diagnoses the Health of the Global Internet
https://www.wired.com/story/mozilla-internet-health-report
In its first full “Internet Health Report,” the nonprofit combines research and stories to examine five main issues: privacy and security, openness, digital inclusion, web literacy, and decentralization. “It’s really a look at human life on the internet,” says Mark Surman, the executive director of the Mozilla Foundation.
How healthy is the Internet?
https://internethealthreport.org/2018/
Our 2018 compilation of research explains what’s helping and what’s hurting the Internet across five issues, from personal experience to global concerns.
Tomi Engdahl says:
The Internet of Broken Things?
Even 64 percent of businesses have somehow accessed the Internet of Things. Over the next year, the share will increase by 20 percentage points to over 80%. Still, it is about technology that is highly questionable at security level, says Ian Kilpatrick, Senior Vice President of Information Security at Nuvias Group.
When dozens, hundreds or even thousands of unprotected dots are attached to a business network, cyber criminals cheat. Still, many companies turn their backs on the problem, putting their heads in a bush.
Kilpatrick points out that any device with an IP address is a potential door for hackers and cyber criminals. Many of the IoT devices are not intended to be protected or upgraded after commissioning. This means that vulnerabilities discovered later cannot be repaired.
Business IT organizations are more used to protect PCs than IoT nodes. They are not expected to become experts in intelligent lighting, heating and air conditioning systems, not to mention the CCTV systems.
Many organizations use IoT technology without a security strategy or even risk profiling. This is done even though the number of DDoS service attacks is increasing all the time. An unprotected IoT device is often easy to harness these attacks.
The Pinning Down the IoT report on IoT device security by Finnish F-Secure said that IoT devices typically use a manufacturer’s default password.
Source: http://etn.fi/index.php?option=com_content&view=article&id=7837&via=n&datum=2018-04-11_15:06:02&mottagare=30929
Tomi Engdahl says:
Opinion
A radical proposal to keep your personal data safe
Richard Stallman
https://www.theguardian.com/commentisfree/2018/apr/03/facebook-abusing-data-law-privacy-big-tech-surveillance
The surveillance imposed on us today is worse than in the Soviet Union. We need laws to stop this data being collected in the first place
Tomi Engdahl says:
Haunted By Data
http://idlewords.com/talks/haunted_by_data.htm
The terminology around Big Data is surprisingly bucolic. Data flows through streams into the data lake, or else it’s captured in logs. A data silo stands down by the old data warehouse, where granddaddy used to sling bits.
And high above it all floats the Cloud. Then this stuff presumably flows into the digital ocean.
Tomi Engdahl says:
Why Mass Transit Could Be the Next Big Target for Cyber Attacks—and What to do About it
https://www.securityweek.com/why-mass-transit-could-be-next-big-target-cyber-attacks%E2%80%94and-what-do-about-it
The constantly evolving tools and methods of cyber attackers have resulted in specific industries becoming the unfortunate subjects of sudden upswings in incident volume and severity. In recent years, for example, we’ve seen waves of ransomware attacks in healthcare and large-scale customer data breaches in technology. So, this trend begs the question, who’s next?
1. What Makes Mass Transit So Vulnerable?
SCADA Systems
Supervisory control and data acquisition (SCADA) systems control the physical automation that coordinates mass transit. Some of these systems have been in operation since the 1970s, and needless to say, they were not designed with modern cybersecurity in mind.
Other Legacy Systems
It was revealed by a Department of Homeland Security report, that there is elevated risk in transportation due to the aging infrastructure used across the industry. These legacy systems are not limited to SCADA. The industry as a whole has made the move towards network-enabled “intelligent public transport” (IPT) but has simultaneously been slow to phase out aging systems.
2. Potential for Terrorist and Criminal Attacks
Unlike most industries, where the potential consequences of poor cybersecurity are largely financial or privacy-driven, an attack on a public transit system has the potential to be lethal. Vulnerable SCADA systems could be hijacked by terrorists or cyber-criminals to cause derailing or collisions. While this nightmare scenario has not yet occurred, there have been numerous incidents involving mass transit and other SCADA-dependent industries that paint a clear picture of how it could happen.
3. How to Prepare
The consequences of a significant cyber-attack against a mass transit system will go well beyond a few fines and bad publicity. Even when dealing with an attack that only succeeds in stealing data, the American Public Transportation Association (APTA) has warned that it could breach compliance violations under HIPAA, PCI DSS, the Patriot Act, and more. To prevent this, the recommendations provided by the Department of Homeland Security (DHS) and the APTA stress the importance of “defense-in-depth”, meaning multiple layers of security to protect against future attacks. Strong compliance and audit programs are complements to—and not substitutes for—this type of robust multi-layer defense. With the stakes so high, and the volume of incidents on the rise, what more can transit authorities do to minimize the damage?
Identify Critical Assets
Manage Patches and Vulnerabilities
Prepare for the Inevitable
Tomi Engdahl says:
Sarah Skidmore Sell / Associated Press:
The Internal Revenue Service’s payment site has been down for much of the day, preventing many Americans from filing taxes electronically
IRS payment site fails on tax day, but you still have to pay
https://apnews.com/660bafaa3b654a37bc2735e55be55e42
Just in time for tax day: The IRS website to make payments is down. But you still have to pay your taxes.
The IRS did not have an immediate explanation for the failure.
The IRS typically recommends that taxpayers use electronic filing to avoid common mistakes. Online filing is quicker than dropping something in the mail — when the site works, of course. Plus, electronic filers typically get any refund faster.
Tomi Engdahl says:
Will the boom in public cloud services open the doors to cyber criminals?
https://www.electropages.com/2018/04/will-public-cloud-services-open-doors-cyber-criminals/?utm_campaign=&utm_source=newsletter&utm_medium=email&utm_term=article&utm_content=Will+the+boom+in+public+cloud+services+open+the+doors+to+cyber+criminals%3F
Public cloud computing and storage services are rapidly becoming the norm and overtaking the alternative strategy where companies build their own private cloud.
But will this trend open more doors through which cyber criminals can infiltrate company networks?
This question follows news this week that hackers are launching more online attacks against British businesses than ever before. The warning comes from the National Cyber Security Centre and the National Crime Agency.
There is no doubt that public cloud services are a booming business to be in. Cisco’s Global Cloud Index analysis indicates that by the time we enter the next decade over 70% of cloud computing services will be handled by public centres.
This of course is terrific news for the companies battling each other in the public cloud arena and suggests that corporate revenues are set to escalate.
Today there are several dominant players and these are Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform. The majority of industry analysts position AWS as leader of the pack, particularly when it comes to the revenues it creates. However, Azure is hot on its heels and Google is very comfortably lurking in third place.
But when it comes to making sure public cloud services are secure and that data is protected there exists a dichotomy. Responsibility for ensuring watertight security does not as you may think entirely lie with the cloud service provider. Certainly they have a huge interest in making sure their network is very secure but interestingly some of the responsibility also lies with the cloud services customer or, in other words, the company that has chosen to use a public cloud rather than creating its own cloud service operation.
So what should these potential public cloud customer companies be looking out for? According to the Cloud Security Alliance (CSA) there are some key public cloud security issues that specifically relate to the way in which cloud computing operates through its fundamental concept of shared and available-on-demand facilities. So what are they? Prime among them of course are data breaches whereby a network has been deliberately targeted or where security systems have proved either inadequate or not sufficiently updated, or it could be through plain old human error by an employee.
Tomi Engdahl says:
FDA Reveals New Plans for Medical Device Security
https://www.securityweek.com/fda-reveals-new-plans-medical-device-security
The U.S. Food and Drug Administration (FDA) this week announced its medical device safety action plan, which includes seeking additional funding and authorities that would help it improve cybersecurity in the healthcare industry.
The FDA’s plan focuses on five key areas and medical device cybersecurity is one of them. As part of its efforts to keep up with emerging threats and vulnerabilities, the agency wants the authority to require medical device manufacturers to include updating and patching capabilities into the design of their products.
The organization also wants vendors to create a “Software Bill of Materials,” which should help medical device customers and users determine which systems may be impacted by vulnerabilities.
“The additional authorities we seek are to further strengthen medical device security by directly addressing challenges healthcare delivery organizations and providers have encountered as a result of cyber campaigns and attacks such as WannaCry,” an FDA spokesperson told SecurityWeek.
The agency would require that “new devices entering the market have a demonstrated capability of patchability and updatability built into the design architecture of the device, and that a patch management process and plan is provided by the manufacturer for premarket review,” the spokesperson said.
As for the Software Bill of Materials, the measure is inspired by one of the recommendations made recently by the Health Care Industry Cybersecurity Task Force.
https://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHReports/UCM604690.pdf
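The FDA's stated purpose for a Software Bill of Materials is letting device owners determine which systems an advisory affects. The added example below (my own illustration, not FDA or vendor code) does that offline: constructed SBOMs for three hypothetical devices are matched against constructed advisories with placeholder ids, using version-range constraints of the form `>=3.0,<4.0`. Only dotted numeric versions are supported.

```python
import operator
import re
from collections import defaultdict

# Constructed SBOMs: device -> list of (component, version). The devices,
# components and versions are made up for this example.
DEVICE_SBOMS = {
    "infusion-pump-A": [("busybox", "1.27.2"), ("openssl", "1.0.2"), ("ntpd", "4.2.8")],
    "imaging-workstation-B": [("smbclient", "3.6.25"), ("openssl", "1.1.0")],
    "bedside-monitor-C": [("busybox", "1.30.1"), ("openssl", "1.0.2")],
}

# Constructed advisories with placeholder ids (not real CVEs). "affected" is a
# comma-separated list of version constraints that must all hold.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "affected": "<1.0.3"},
    {"id": "ADV-PLACEHOLDER-2", "component": "smbclient", "affected": ">=3.0,<4.0"},
    {"id": "ADV-PLACEHOLDER-3", "component": "busybox", "affected": "<1.28"},
]

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        ">": operator.gt, "<": operator.lt}
_CONSTRAINT = re.compile(r"^(>=|<=|==|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> tuple:
    """'1.0.2' -> (1, 0, 2); only dotted numeric versions are supported."""
    return tuple(int(part) for part in text.split("."))


def _padded(a: tuple, b: tuple):
    """Right-pad with zeros so 1.28 and 1.28.0 compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(version: str, spec: str) -> bool:
    """True when version satisfies every constraint in spec (e.g. '>=3.0,<4.0')."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = _CONSTRAINT.match(constraint.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {constraint!r}")
        op, bound = _OPS[m.group(1)], parse_version(m.group(2))
        left, right = _padded(v, bound)
        if not op(left, right):
            return False
    return True


def affected_devices(sboms: dict, advisories: list) -> dict:
    """advisory id -> sorted devices whose SBOM lists an affected component version."""
    hits = defaultdict(set)
    for device, components in sboms.items():
        for name, version in components:
            for adv in advisories:
                if adv["component"] == name and version_matches(version, adv["affected"]):
                    hits[adv["id"]].add(device)
    return {adv_id: sorted(devices) for adv_id, devices in sorted(hits.items())}


if __name__ == "__main__":
    for adv_id, devices in affected_devices(DEVICE_SBOMS, ADVISORIES).items():
        print(f"{adv_id}: {', '.join(devices)}")
```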
Tomi Engdahl says:
Thirty-four companies signed the Cybersecurity Tech Accord, agreeing to work together on cyberattack defense, refusing to help governments launch cyberattacks, empowering developers to work in the field, and taking collective action with a variety of parties. Companies participating include Arm, Cisco Systems, Facebook, Hewlett Packard Enterprise, Microsoft, Nokia, Oracle, and Trend Micro.
Source: https://semiengineering.com/the-week-in-review-iot-94/
More:
Signing pledge to fight cyberattacks, 34 leading companies promise equal protection for customers worldwide
https://cybertechaccord.org/
Tomi Engdahl says:
Ryan Duffy / The Verge:
Profile of CrowdSource Rescue, a service created by two friends during Hurricane Harvey, which helped coordinate thousands of rescues during future disasters
This app maker says his work saved thousands during Hurricane Harvey — and he’s not done yet
Meet CrowdSource Rescue, a passion project that grew into something much larger
https://www.theverge.com/2018/4/17/17244390/hurricane-harvey-crowdsource-rescue-app
Tomi Engdahl says:
Flexibility vs. Security – A False Choice
https://www.securityweek.com/flexibility-vs-security-false-choice
Striking a Balance Between Security and Flexibility is Crucial
For the record, I do not believe you can’t have both flexibility and security. I do believe, however, that you must compromise. Absolute flexibility, or absolute security, while they may appear appealing are ultimately bad. When you think about it, completely secure environments are often unusable. A similar thing can be said about complete flexibility. Those types of environments are virtually impossible to secure.
So we look for a balance. But that balance often proves to be elusive. Some companies require highly secure environments. Others require high degrees of flexibility to support the workforce.
As a security professional you should remember three key things to guide you:
Balance
1. You support the business mission
2. Productivity often trumps any and all security requirements if forgotten
3. Security is never an absolute
That said, let me lay out some useful strategies for striking a flexibility – security balance.
First, understand your organization’s appetite for risk. I know risk is a massively over-used word in security. I also know many security professionals use it incorrectly. The point is that you must understand where the limits are.
Second, understand how your business or organization operates. What are the driving processes? What level of autonomy are employees given? What are the regulatory pressures and responsibilities? These are key inputs into your balancing strategy.
Finally, understand your own resources and capabilities. How much control a security team can exert over an organization is directly proportional to its ability to execute. Even a small team with good operational processes can handle the workload that tight control requires. However, take operational capability away and control is at best an illusion.
Bottom line, if you’re not careful, security becomes a hindrance and a target. Where security leaders create inflexible environments, security tends to struggle. High levels of flexibility, supported by good operational processes, can drive good security. It’s all a matter of how you define your strategy.
Security organizations have historically added a significant amount of lead time to projects.
It was, and in some cases still is, common for security to take up to 20% of the project timeline to “add security”. That is simply unacceptable. Where security was inflexible, developers and project owners turned to a predictable outcome. Development teams turned to the cloud to bypass security.
So the lesson here is that security teams must focus on flexibility. Where flexibility fails, security often follows suit. Striking a balance between security and flexibility is crucial.
Tomi Engdahl says:
Wading Through Tool Overload and Redundancy?
https://www.securityweek.com/wading-through-tool-overload-and-redundancy
A False Sense of Security is Worse Than a Real Sense of Vulnerability
The starting point for any home renovation is sketching out the existing layout, from which you can start to nip, tuck and enhance for the greatest effect. Finding the right cyber security technology is no different. The starting point for any conversation needs to be a comprehensive understanding of the existing environment and architecture.
The first step is to inventory your cyber security tools and information assets, including documenting technical details like software versions and underlying platforms, security functional areas, coverage and the business value of assets. By understanding your tool coverage and the business value of assets, you can better understand the actual value each tool is providing and drive a risk-based approach for filling in the gaps. In other words, prioritizing protection of your most critical assets, those that if compromised, would impact the business the most.
The results of inventories are often surprising. One of the important outcomes of implementing security/user and entity behavioral analytics is that it provides visibility into the coverage and effectiveness of the tools that feed it data. The process of identifying, integrating and reporting on all of that security and business data in a consistent and comprehensive way provides an understanding of where the skeletons lie and where the organization should be focused to reduce risk the most.
With an inventory in hand, the next step is identifying gaps and redundancies in coverage and/or functionality. The result of rationalizing security tools and their coverage will be a clear list of actions and needs, often with neutral or positive budget impact. It is not uncommon for companies to pay for enterprise licenses for tools that only get deployed across half the organization. That money can be recovered or utilized by completing the deployment with no additional license cost. Reducing vendor and tool redundancy can reduce support costs and drive better deals with the winning vendor.
Companies that are not new to cyber security typically have some semblance of traditional tools, including firewalls, data loss prevention, endpoint protection, vulnerability and configuration scanners, SIEMs, cloud access security brokers and such. Notwithstanding any shiny new toys that struck your fancy, these tools are still a great foundation on top of which to build your architecture.
With an inventory and action plan in hand, you can start to execute and understand how you may benefit from any new tools or technology. Execution should be risk driven, starting with protecting your highest value assets. New tools should be evaluated based on how they fill a gap or up your data protection game to the next level. If the prospective tool is not part of an entirely new category, it is important to assess where it fits and where it overlaps, with the goal of minimizing functional and budgetary redundancy.
Documenting and rationalizing an enterprise’s security architecture is not a trivial process. It requires a dedicated effort to complete.
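The inventory-then-rationalize procedure above (tool coverage against asset business value, gaps, redundancies, half-deployed licenses) can be run as a script once the inventory is in a machine-readable form. The added example below is my own illustration, not the article's method; the assets, value scores, tools and seat counts are constructed, and the required-function baseline is an assumption.

```python
from collections import defaultdict

# Constructed inventory. Asset value is a 1-5 business-impact score; the
# required functions are an assumed baseline every asset here should have.
ASSETS = {
    "payments-db": 5, "dc01": 5, "hr-portal": 4,
    "build-server": 4, "wiki": 2, "test-vm-1": 1,
}
REQUIRED_FUNCTIONS = ("endpoint", "vuln_scan", "log_collection")

# Constructed tool inventory: function covered, seats licensed, and the
# assets where the tool is actually deployed.
TOOLS = [
    {"name": "EDR-Vendor-A", "function": "endpoint", "licensed": 10,
     "deployed_on": {"payments-db", "hr-portal", "dc01", "wiki"}},
    {"name": "AV-Vendor-B", "function": "endpoint", "licensed": 6,
     "deployed_on": {"hr-portal", "wiki", "test-vm-1"}},
    {"name": "Scanner-C", "function": "vuln_scan", "licensed": 3,
     "deployed_on": {"payments-db", "dc01", "build-server"}},
    {"name": "SIEM-D", "function": "log_collection", "licensed": 20,
     "deployed_on": {"payments-db", "hr-portal", "dc01"}},
]


def coverage_by_function(tools):
    """function -> set of assets covered by at least one tool."""
    covered = defaultdict(set)
    for tool in tools:
        covered[tool["function"]] |= tool["deployed_on"]
    return covered


def coverage_gaps(assets, tools, required=REQUIRED_FUNCTIONS):
    """(asset, function, value) triples with no covering tool, highest value first."""
    covered = coverage_by_function(tools)
    gaps = [(asset, func, value)
            for asset, value in assets.items()
            for func in required
            if asset not in covered[func]]
    return sorted(gaps, key=lambda g: (-g[2], g[0], g[1]))


def redundancies(tools):
    """function -> {'tools': [...], 'overlap': assets covered by more than one tool}."""
    by_function = defaultdict(list)
    for tool in tools:
        by_function[tool["function"]].append(tool)
    result = {}
    for func, group in by_function.items():
        if len(group) < 2:
            continue
        seen, overlap = set(), set()
        for tool in group:
            overlap |= seen & tool["deployed_on"]
            seen |= tool["deployed_on"]
        result[func] = {"tools": sorted(t["name"] for t in group), "overlap": overlap}
    return result


def license_utilization(tools):
    """name -> deployed / licensed, so half-deployed enterprise licenses stand out."""
    return {t["name"]: len(t["deployed_on"]) / t["licensed"] for t in tools}


def underused_licenses(tools, threshold=0.5):
    """Tools below the utilization threshold, least utilized first."""
    util = license_utilization(tools)
    return sorted((n for n, u in util.items() if u < threshold), key=lambda n: util[n])


if __name__ == "__main__":
    for asset, func, value in coverage_gaps(ASSETS, TOOLS):
        print(f"gap: {asset} (value {value}) lacks {func}")
    for func, info in redundancies(TOOLS).items():
        print(f"redundant {func}: {info['tools']} overlap on {sorted(info['overlap'])}")
    print("underused licenses:", underused_licenses(TOOLS))
```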
Tomi Engdahl says:
Martin Matishak / Politico:
Senate unanimously confirms Trump’s pick to lead the NSA and US Cyber Command, Lt. Gen. Paul Nakasone, who is replacing Navy Admiral Mike Rogers
Senate confirms Trump’s pick for NSA, Cyber Command
https://www.politico.com/story/2018/04/24/paul-nakasone-nsa-cyber-command-547645
The Senate Tuesday quietly confirmed President Donald Trump’s nominee to lead the National Security Agency and U.S. Cyber Command.
U.S. Army Cyber Command chief Lt. Gen. Paul Nakasone was unanimously confirmed by voice vote to serve as the “dual-hat” leader of both organizations. The two have shared a leader since the Pentagon established Cyber Command in 2009.
Tomi Engdahl says:
Data center infrastructure often an overlooked security risk: Report
http://www.cablinginstall.com/articles/pt/2018/04/data-center-infrastructure-often-an-overlooked-security-risk-report.html?cmpid=enl_cim_cim_data_center_newsletter_2018-04-24&pwhid=e8db06ed14609698465f1047e5984b63cb4378bd1778b17304d68673fe5cbd2798aa8300d050a73d96d04d9ea94e73adc417b4d6e8392599eabc952675516bc0&eid=293591077&bid=2078269
Maria Korolov of Data Center Knowledge notes that “in the rush to secure networks, servers, and endpoint devices many organizations overlook the risks hidden in the physical infrastructure necessary to keep data centers operating. Power supplies, heating and cooling systems, even security systems themselves can all be entry points for both determined threat actors and casual attackers who scan the internet for insecure access points. One of the most high-profile attacks in recent times, the Target breach, involved a third-party HVAC provider.”
Data Center Infrastructure, the Often-Overlooked Security Risk
http://www.datacenterknowledge.com/security/data-center-infrastructure-often-overlooked-security-risk
Power supplies, cooling systems, even security systems themselves can all be entry points for attackers.
One of the most high-profile attacks in recent times, the Target breach, involved a third-party HVAC provider.
“The bad guys are going after anything that’s open and available,” said Bob Hunter, founder and CEO at AlphaGuardian Networks.
Take, for example, rack power distribution units. Since data center administrators need to know what’s going on with the power to their servers, the PDUs typically offer either local or remote monitoring, but the security on these systems is extremely weak.
Hackers can get in and hijack systems for ransom, or, more frequently and insidiously, keep their access a secret in order to steal data or compute cycles.
Network segmentation is a good security principle, he added, but it only serves to slow down attackers, not stop them completely.
“Segmentation is a speed bump,” he said. “In the Target break, the building management system was on a physically separate network from the data itself, so they had to jump from one to the other. It took a while to do that, but at the end of the day, they were able to do it.”
And the people responsible for infrastructure security are often busy with other tasks, such as maintaining data center operations, he added.
“To add additional complexity, the industrial control systems were not designed with security in mind,” said Niall Browne, CSO at Domo, a business intelligence company. “They often have default passwords and have not been patched in years, as the manufacturer was slow to release upgrades, or the customer was hesitant to deploy them for fear of causing a service interruption to critical functions.”
“The customer leaves their back doors open and gets hacked; that can shut down the entire data center eventually.”
It’s one of the biggest vulnerabilities in the data center, Hunter said.
“Everyone wants remote access to the PDUs, because they want to remotely reboot their PDUs if the server goes down,” he said.
Ponemon Institute recently released a survey of risk professionals, in which 97 percent said that unsecured internet-enabled devices could be catastrophic for their organizations.
“If it has an IP address, it can be hacked and needs to be secured,” said Mike Jordan, senior director at consulting firm The Santa Fe Group. “You can slap an IP address on anything these days. Data center infrastructure is no exception, and it makes subcontracting support of data center infrastructure like HVAC, security cameras, and power management more compelling.”
However, only 9 percent of survey respondents said they were fully aware of all the physical devices in their environment that were connected to the internet.
Tomi Engdahl says:
Edge Computing May Increase Attack Surface
http://www.datacenterknowledge.com/edge-computing/edge-computing-may-increase-attack-surface
To protect the edge, enterprises should move toward architectures that will protect applications even if the infrastructure is compromised.
Edge computing can increase computing power and lower latency, but it poses the risk of expanding the attack surface, experts say.
For example, some enterprises are deploying compute clusters or small edge data centers closer to end users or production facilities to minimize network latency and reduce the volume of network traffic, said Bob Peterson, CTO architect at Sungard Availability Services.
“However, many times they are putting systems in areas that may not have the same logical and physical controls as their larger data centers,” he said.
In addition, restoring physical control or services can be more difficult with remote centers, and the risk of systems being breached or tampered with increases when devices are placed in locations with little or no staff.
“I think it’s not that security teams are overlooking the risks, but more so that security teams are unable to keep up with the rapid evolution of technology,” he said. “I think we are still too far away from information security being a fundamental part of everyone’s role.”
Tomi Engdahl says:
Next-Gen Agility Avoids Unplanned Downtime
http://www.datacenterknowledge.com/industry-perspectives/next-gen-agility-avoids-unplanned-downtime
Reducing planned downtime, testing 2.0 and migration can create an approach enabling IT to overcome challenges and deliver next-gen agility.
Tomi Engdahl says:
Timothy W. Martin / Wall Street Journal:
McAfee report identifies North Korea-linked hacking and data-theft campaign called Operation GhostSecret working across 17 countries and many industries
‘Operation GhostSecret’: North Korea Is Suspected in Intensifying Global Cyberattack
Pyongyang-linked data-theft campaign has hit 17 countries, including the U.S., report says
https://www.wsj.com/articles/operation-ghostsecret-north-korea-is-suspected-in-intensifying-global-cyberattack-1524629807
A suspected North Korean cyberattack on Turkish banks last month is broader in scope than originally believed, and has expanded to a global data-theft campaign targeting nations including the U.S. and Australia, according to a new cybersecurity analysis.
Tomi Engdahl says:
Picture This. Now Protect It.
https://www.securityweek.com/picture-now-protect-it
An astonishing amount of sensitive data – over 12 petabytes – is being exposed publicly. If you’re having difficulty visualizing what 12 petabytes is, this might help. One petabyte is the equivalent of 500 billion pages of standard printed text, or over 2,000 years of continuous music, or three and a half years of an HD video recorder running day and night. Now multiply by 12. That’s a lot of data – roughly 1.5 billion files – and that’s how much is being exposed across open Amazon S3 buckets along with older, yet still widely used, file transfer and sharing technologies as well as misconfigured websites and network-attached storage (NAS) devices often used to backup home computers.
Three main categories of data are being exposed across these technologies.
● Personal data. The most common type of data is personal data of employees and customers. Payroll and tax return files account for 700,000 and 60,000 files respectively. For consumers, contact and patient lists, some credit card data, and even medical tests are being exposed.
● Intellectual property. Employees, contractors and other third parties can use misconfigured or unauthenticated services to backup or share proprietary documents, such as photographs of upcoming product designs or information about yet-to-be-released products. In the process, they inadvertently make this information public.
● Systems information. Thousands of documents including security audits and assessments, network infrastructure details, and penetration testing and vulnerability scanning reports are also publicly accessible. The availability of this information attackers can use to launch attacks is largely a result of third-party and supplier risk, instances of contractors backing up or transferring data outside of an organization’s network.
Talk about making life easy for cyber criminals. They can simply find ways to monetize data that is already publicly available, and/or take advantage of exposed security information to save time and resources they would have spent conducting reconnaissance.
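The open Amazon S3 buckets mentioned above are usually the result of an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose principal is `*`. The added example below (my own check, not code from the article) evaluates constructed ACL and policy documents in the shape the S3 API returns them, reporting public grants and flagging wildcard statements that carry a Condition for review rather than calling them public outright. The bucket names and documents are constructed.

```python
# Canonical group URIs S3 uses for "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _is_wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (optionally in a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def acl_findings(acl: dict) -> list:
    """Grants to AllUsers/AuthenticatedUsers in a get_bucket_acl-style document."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"acl: {group} granted {grant['Permission']}")
    return findings


def policy_findings(policy: dict) -> list:
    """Allow statements with a wildcard principal; conditional ones are marked for review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy: {sid} allows {','.join(actions)} to * under a Condition (review)")
        else:
            findings.append(f"policy: {sid} allows {','.join(actions)} to everyone")
    return findings


def scan(buckets: dict) -> dict:
    """bucket name -> list of exposure findings (empty list means nothing public)."""
    return {name: acl_findings(b.get("acl", {})) + policy_findings(b.get("policy") or {})
            for name, b in buckets.items()}


OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
               "Permission": "FULL_CONTROL"}

# Constructed sample buckets: one public by ACL and policy, one private,
# one with a wildcard principal restricted by a Condition.
SAMPLE_BUCKETS = {
    "backups-constructed": {
        "acl": {"Grants": [OWNER_GRANT, {
            "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]},
        "policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::backups-constructed/*"}]},
    },
    "private-constructed": {"acl": {"Grants": [OWNER_GRANT]}, "policy": None},
    "vpc-only-constructed": {
        "acl": {"Grants": [OWNER_GRANT]},
        "policy": {"Statement": [{"Sid": "VpcRead", "Effect": "Allow", "Principal": {"AWS": "*"},
                                  "Action": ["s3:GetObject"],
                                  "Resource": "arn:aws:s3:::vpc-only-constructed/*",
                                  "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]},
    },
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_BUCKETS).items():
        print(name, "->", findings or "no public access found")
```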
Tomi Engdahl says:
Closing the Gaps that Result in Compromised Credentials
https://www.securityweek.com/closing-gaps-result-compromised-credentials
Closing Gaps in Credential Security Requires Awareness of What Gaps Exist and How to Mitigate Them
On March 23rd, 2018, the United States brought charges against nine Iranians for their alleged state-sponsored attacks against 100,000 university professors worldwide, and in the US. The attackers’ target was “valuable intellectual property and data”, but their tactic was the compromising of email accounts using spear phishing attacks.
Separately, in January 2018, VeriClouds released the results of research that indicated that 2.7 million credentials of Fortune 500 employees were compromised and available for sale at an average of 2.3 data sources on the dark web. That constitutes 10% of all employed by the Fortune 500.
The Fortune 500 were just the tip of the iceberg, though. On December 5th 2017, 4iQ shared that a database of 1.4 billion credentials was found on the dark web. Going further back to last April, the 2017 Verizon Data Breach Investigation Report found that 81% of breaches in the previous year leveraged either stolen and/or weak passwords.
Tomi Engdahl says:
Threat intelligence is a critical organizational need
https://www.plantengineering.com/single-article/threat-intelligence-is-a-critical-organizational-need/3e297e86bde11f5c4c5ac32790a72b1f.html
Cover story: Continuous threat intelligence collection, analysis, and optimization can help organizations improve cybersecurity measures.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/7891-kolmen-suomalaisen-identiteetti-varastetaan-joka-tunti
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/7887-paasemme-vihdoin-eroon-salasanoista
Tomi Engdahl says:
Managing Risk a Must in Third-Party Relationships
https://www.securityweek.com/managing-risk-must-third-party-relationships
Conducting Thorough Due Diligence on a Prospective Vendor’s Security is Essential
All businesses rely to some degree on external vendors, and as a result, all businesses face some degree of vendor risk. Though most businesses have no choice but to obtain internet services, security solutions, and a range of other business-critical technologies from third-party providers, they do have a choice in how they manage the associated security risks. The following tips can help security decision-makers more effectively address the risks posed by technology vendor relationships:
Be Hands-On With Due Diligence
Conducting thorough due diligence on a prospective vendor’s security is essential. Start with the vendor’s website where many post their security compliance standards. Gathering this information is particularly important if you require certain compliance certifications—such as GDPR if your business processes or controls EU citizens’ data, for example—but it should only serve as the beginning of your due diligence process.
Here are some questions to pose:
● When was your last penetration test? Is your remediation on schedule?
● Have you documented your last five security incidents? How did you remediate those incidents?
● Do you have the result of your last business continuity test? If yes, can you share it?
● What security controls exist for your users? Do they use multifactor authentication, etc.?
● How are you maturing your security program?
Be Ready to Implement Additional Security Controls
What happens if you’re unsatisfied with the answers? First, determine whether working with the vendor is critical to your business. I
Technical: These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website; provided the proper authentication is in place, use its API instead.
Policy: These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely.
Keep Track of Your Assets
There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. For one, this knowledge can help you identify and shape any additional security controls. Second, having this knowledge on hand is crucial should the vendor suffer a breach.
Prepare a Response Plan
Before finalizing a vendor relationship, it’s crucial to use all the information gathered during your due diligence process to construct a response plan in preparation for any future incidents the vendor might experience. Tracking the assets to which your vendor has access is one component of an effective response plan. Others include courses of action to mitigate exposure, disclosure and notification procedures, external communications strategies, and plans to re-evaluate the vendor’s security and remediations following an incident.
Tomi Engdahl says:
How to Achieve Low-Cost, Advanced Security For Your Embedded System
http://www.electronicdesign.com/embedded-revolution/how-achieve-low-cost-advanced-security-your-embedded-system?code=NN8DK004&utm_rid=CPG05000002750211&utm_campaign=17027&utm_medium=email&elq2=adb98e6ec77646f683537bfeb28da18d
The availability of low-cost processing power plus ubiquitous connectivity have spurred the rise of the Internet of Things (IoT) and the development of large-scale embedded applications that rely on networks of smart nodes. A smart node in an embedded system typically consists of one or more sensors, a microcontroller, and a wired or wireless connection. Examples are found in almost every IoT application: the electrical grid, the home, the doctor’s office, the factory floor, the automobile are just a few.
As embedded systems proliferate, so have concerns about their security, fueled by well-publicized stories about data breaches, viruses, botnets, trojan horses and the like. The results of an embedded-system security breach can range from inconvenient to life-threatening: video cameras, home routers, cars, drug-delivery systems, and even pacemakers have been hacked.
Tomi Engdahl says:
Stats on the Cybersecurity Skills Shortage: How Bad Is It, Really?
https://www.darkreading.com/stats-on-the-cybersecurity-skills-shortage-how-bad-is-it-really/d/d-id/1331504?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
Is it just a problem of too few security professionals, or are there other reasons enterprises struggle to build infosec teams?
While plenty of CISOs today find ways to successfully build out effective cybersecurity teams, most industry pundits agree that the process is a bear. One of the biggest complaints is that there just aren’t enough experienced, talented security professionals to fill the roles available – but there is talent for the taking if organizations know where to look for it. Nevertheless, the numbers support the fact that market constraints on security brainpower are a very real factor. Here’s what the most recent data shows.
Tomi Engdahl says:
We’ve Tried Nothing and We’re All Out of Ideas!
One of the most recent cybersecurity skills surveys conducted by Vanson Bourne on behalf of McAfee found that while 84% of organizations reported some difficulty in bringing on skilled security professionals, a lot of them were also not doing much to truly attract talent. The organizations who complained it was impossible to hire good security people were least likely to offer training opportunities, flexible working hours, or the chance to use new technology.
Source: https://www.darkreading.com/stats-on-the-cybersecurity-skills-shortage-how-bad-is-it-really/d/d-id/1331504?_mc=rss%5Fx%5Fdrr%5Fedt%5Faud%5Fdr%5Fx%5Fx%2Drss%2Dsimple&image_number=6
Tomi Engdahl says:
There’s security – then there’s barbed wire-laced pains in the arse
How do you strike a balance with compliance and UX?
https://www.theregister.co.uk/2018/04/09/balancing_security_compliance_freedom/
Tomi Engdahl says:
10 Reasons To Break Up With Your Legacy SIEM
https://www.securityweek.com/10-reasons-break-your-legacy-siem
The Value Most Organizations Get Out of Their SIEM Deployment is Far Lower Than it Used to Be
Almost all security organizations of a certain size have a substantial and costly SIEM deployment. Historically, the SIEM has played a central role in security operations and incident response for a number of reasons. But as time has gone on, the security operations workflow has grown more sophisticated and complex. So much so that the value that most organizations get out of their SIEM deployment is far lower than it used to be.
Tomi Engdahl says:
Maritime Cybersecurity: Securing Assets at Sea
https://www.securityweek.com/maritime-cybersecurity-securing-assets-sea
The Nature of the Shipping Industry Presents Unique Challenges for Hardening Cybersecurity
By the end of the decade, it is expected that the world’s first autonomous container ship will have embarked on its maiden voyage, moving goods around the coastline of Norway. Together with other initiatives currently underway, such as the development of remote controlled vessels, this will mark a new era of connected shipping technology and demonstrate that the $210 billion industry is ready to embrace the future.
These advances are to be celebrated, but simultaneously they bring with them a high element of risk, as more on-board elements become exposed to the kinds of cybersecurity concerns that we’re more familiar with on land.
Much has been written about the dangers of Operational Technology (OT) in industrial environments, and we’re used to the traditional challenges of doing business at sea, from piracy to bottlenecks at container ports. What we’re not used to is recognizing that a container ship is an OT environment just like any other, and at risk of targeted and generic cyberattacks.
Tomi Engdahl says:
Chip designer Mediatek gets Taiwan nod to export goods to ZTE
https://www.reuters.com/article/us-usa-china-zte-mediatek/chip-designer-mediatek-gets-taiwan-nod-to-export-goods-to-zte-idUSKBN1I809Y
TAIPEI (Reuters) – Taiwanese chip designer Mediatek Inc has received an export permit from the government to sell components to ZTE Corp, a Chinese telecoms equipment maker subjected to restrictions in the United States.
The U.S. government last month banned American firms from selling to ZTE for seven years, saying the company had failed to comply with a settlement related to ZTE shipping U.S.-made goods to Iran in violation of U.S. sanctions.
Following the U.S. ban, Taiwan had instructed local firms wanting to ship goods to ZTE to apply for permission.
Tomi Engdahl says:
Is The Education System Keeping Women Out of Cybersecurity?
https://www.securityweek.com/education-system-keeping-women-out-cybersecurity
While the Gender Bias in Professions Remains Strong, There Are Indications That Factors Beyond Genuine Aptitude Are at Play
Despite the increasing cybersecurity skills shortage, projected by Frost & Sullivan to reach 1.8 million unfilled roles by 2020, we are yet to engage with the obvious solution. There is currently more interest in reducing vacancies using artificial intelligence (AI) and automation than in training youngsters to adopt the profession.
The problem with AI as a solution, according to a report published Tuesday by ProtectWise, is, “The impact of artificial intelligence on the man-hours required to staff a security operations center is basically nil today — and will be for a significant amount of time.”
This is confirmed by a separate survey (PDF) published Wednesday by Exabeam. Exabeam queried 481 cybersecurity professionals around the world. It found nearly 68% of respondents reported they do not currently use AI or ML in their jobs or don’t have plans to use them in the future, even though 75% agreed AI/ML can make their job better or easier and improve security.
Tomi Engdahl says:
The Solution to the Cybersecurity Talent Gap is Inclusion
https://www.securityweek.com/solution-cybersecurity-talent-gap-inclusion
There is No One Definition of a Cybersecurity Professional and No One Path to Get There
Frost & Sullivan puts the cybersecurity workforce gap at 1.8 million by 2022, while Cybersecurity Ventures pegs it at 3.5 million by 2021. No matter how you measure it, the number of unfilled cybersecurity positions is big and it’s a problem we’ve been lamenting for years. The traditional approach to address the shortage has been to encourage more individuals to pursue technical and engineering degrees. But which individuals? And if you aren’t “technical” does that mean there’s no room for you in cybersecurity? If we think more broadly about the type of talent we need and how to build even better security teams, we’ll see that the solution to the workforce gap is through inclusion.
Consider that the number of women in the digital security workforce is 11 percent, while blacks, Hispanics, and Asians represent less than 12 percent.
Tomi Engdahl says:
Exploiting People Instead of Software: Report Shows Attacker Love for Human Interaction
https://www.securityweek.com/exploiting-people-instead-software-report-shows-attacker-love-human-interaction
Cybercriminals Continue to Rely on Human Interaction to Conduct Wide Range of Attacks
Cybercriminals have been scaling up people-centered threats, increasingly using social engineering rather than automated exploits even in web attacks, a recent report from Proofpoint reveals.
Humans have long been said to be the best exploits in the eyes of cybercriminals, with social engineering becoming the most used attack method years back, when almost all attached documents and URLs in malicious emails required human interaction.
Now, Proofpoint’s The Human Factor 2018 report (PDF) reveals that both cybercriminals and threat actors have found new ways to trick victims into becoming their unwitting accomplices. Email remained the most popular attack vector, while the rise of crypto-currency drove innovations in phishing and cybercrime.
Proofpoint saw attacks that include both large, multimillion-message malicious campaigns distributing malware such as ransomware (the biggest email-borne threat of 2017) and highly targeted assaults orchestrated by state-sponsored groups and financially motivated fraudsters.
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-human-factor-report-2018-180425.pdf
Tomi Engdahl says:
Cyber War and the Compromise of Reliable Full Disclosure
https://www.securityweek.com/cyber-war-and-compromise-reliable-full-disclosure
We Can’t Rely on Our Own Governments to Practice Responsible Full Disclosure. Full Disclosure is Compromised.
Recorded Future, a Threat Intelligence provider, recently published a study that claims that China’s National Vulnerability Database acts as a clearing house for vulnerabilities of interest and with a high operational value for nation state hacking. The study makes for interesting reading. The high-level summary: RF analyzed the publication dates of vulnerabilities in the US National Vulnerability Database (NVD) and China’s National Vulnerability Database (CNNVD) to determine which one is faster in processing and releasing vulnerabilities. Overall, CNNVD was quicker for most vulnerabilities, with the exception of what RF, in an initial analysis 6 months ago, classified as statistical outliers. In a more recent analysis, Recorded Future noticed that the publication dates in CNNVD for the statistical outlier vulnerabilities had been tampered with and retroactively altered to better align with NVD publication dates. Many of these vulnerabilities were high severity vulnerabilities.
China seems to be content with being able to weaponize the vulnerabilities discovered via CNNVD for a limited time until they disclose them. That limited time however, is all that is necessary to successfully hack a target or adversary to gain a foothold or exfiltrate data. It is exactly the time period after first discovery where the value of a vulnerability is highest and the risk of a 3rd party rediscovering it the lowest.
Tomi Engdahl says:
What your provider won’t tell you about cloud security
https://www.infoworld.com/article/3270740/cloud-computing/what-your-provider-wont-tell-you-about-cloud-security.html
Their self-interest may cause your cloud providers to omit these cloud-security best practices in their advice to you
Everyone loves insider tips. In the case of cloud computing, the tips that matter are mostly about cloud security approaches and technology.
Here are three cloud security tips that your cloud provider won’t want to tell you. But I will.
Tip 1: Cloud security should be decoupled from specific cloud providers
Tomi Engdahl says:
New DDoS Attack Method Obfuscates Source Port Data
https://www.securityweek.com/new-ddos-attack-method-obfuscates-source-port-data
Recent distributed denial of service (DDoS) attacks showed evidence of a new method being used to bypass existing defenses by obfuscating source port data, Imperva says.
In addition to commonly encountered amplification methods, the observed attacks used payloads with irregular source port data, a vector that only a few DDoS defenders considered possible, Imperva claims. The attack method abuses a well-known, unpatched UPnP (Universal Plug and Play) protocol exploit.
The UPnP networking protocol allows for device discovery over UDP port 1900, and for device control over an arbitrarily chosen TCP port. Because of that, many Internet of Things devices use the protocol to discover and communicate with one another over LAN.
However, default settings leaving devices open to remote access, the lack of an authentication mechanism, and UPnP-specific remote code execution vulnerabilities have shown the protocol to pose security risks.
In addition to revealing UPnP related vulnerabilities for nearly two decades, security researchers have also shown how SOAP API calls could be used to remotely reconfigure insecure devices over WAN. SOAP API calls can also be used to remotely execute AddPortMapping commands, which govern port forwarding rules.
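Reading the two points above together: AddPortMapping governs port forwarding, and a mapping whose "internal client" is not a LAN host turns the router into a relay to the Internet, so the target sees reflected replies from whatever external port the mapping names instead of the well-known service port that source-port filters key on. The following is an added Python example, not Imperva's research code: it parses an AddPortMapping SOAP request (the standard WANIPConnection/WANPPPConnection argument names) and lists the reasons a router, or a monitor watching its control port, should refuse it. The two requests are constructed samples; 198.51.100.10 is a documentation address standing in for a public host.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespaces of a standard IGD AddPortMapping request. WANPPPConnection:1 takes
# the same arguments, so both service types are accepted.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WAN_SERVICES = (
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)

# Address ranges that belong on the LAN side of a home/SOHO router.
# (ipaddress.is_private is deliberately not used: it also covers documentation ranges.)
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]

# UDP services commonly abused for reflection; an internal port in this set is
# worth a second look even when the client is a LAN host.
REFLECTOR_PORTS = {"19", "53", "123", "161", "1900", "11211"}

# Constructed sample (not a captured packet): anything hitting the router's WAN
# port 1337 is forwarded to an *external* resolver on port 53.
SAMPLE_MAPPING_TO_WAN = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>1337</NewExternalPort>
      <NewProtocol>UDP</NewProtocol>
      <NewInternalPort>53</NewInternalPort>
      <NewInternalClient>198.51.100.10</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>dns</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""

# The same request pointed at a LAN host and a non-reflector port: an ordinary game-server forward.
SAMPLE_MAPPING_TO_LAN = (SAMPLE_MAPPING_TO_WAN
                         .replace("198.51.100.10", "192.168.1.50")
                         .replace("<NewInternalPort>53<", "<NewInternalPort>25565<"))


def is_lan_address(addr) -> bool:
    """True if addr (str or ip_address object) falls in a LAN-side range."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    return any(ip in net for net in LAN_NETWORKS)


def parse_add_port_mapping(soap_xml: str) -> dict:
    """Return the AddPortMapping arguments as {name: value}; ValueError if it is not one."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    for service in WAN_SERVICES:
        action = body.find(f"{{{service}}}AddPortMapping")
        if action is not None:
            # Argument elements carry no namespace, so child.tag is the bare name.
            return {child.tag: (child.text or "").strip() for child in action}
    raise ValueError("not an AddPortMapping request")


def mapping_findings(args: dict) -> list:
    """Reasons to refuse (or alert on) this mapping; empty list means it looks ordinary."""
    findings = []
    raw = args.get("NewInternalClient", "")
    try:
        client = ipaddress.ip_address(raw)
    except ValueError:
        return [f"NewInternalClient {raw!r} is not an IP address"]
    if not is_lan_address(client):
        findings.append(
            f"NewInternalClient {client} is not a LAN host: the router would relay WAN port "
            f"{args.get('NewExternalPort')} out to the Internet and return the replies from "
            f"that port, hiding the real source port of the reflected traffic")
    if args.get("NewInternalPort") in REFLECTOR_PORTS:
        findings.append(f"NewInternalPort {args['NewInternalPort']} is a known amplification service")
    return findings


if __name__ == "__main__":
    for label, sample in (("to WAN", SAMPLE_MAPPING_TO_WAN), ("to LAN", SAMPLE_MAPPING_TO_LAN)):
        print(label, mapping_findings(parse_add_port_mapping(sample)) or ["ok"])
```

The check is deliberately about the mapping's destination rather than the requester's address: a device that only rejects control traffic arriving on its WAN interface still honours a malicious mapping injected from a compromised host on the LAN.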
Tomi Engdahl says:
Signal Flaw Allowed Code Execution With No User Interaction
https://www.securityweek.com/signal-flaw-allowed-code-execution-no-user-interaction
An update released over the weekend for the desktop version of the privacy-focused communications app Signal patches a critical vulnerability that could have been exploited for remote code execution with no user interaction required.
Several researchers were looking at an unrelated cross-site scripting (XSS) vulnerability when they noticed that the XSS payload was triggered in the Signal desktop application.
The white hat hackers discovered that they could execute arbitrary code in the app simply by sending a specially crafted message containing specific HTML elements to the targeted user.
“The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the and tags can be used to include remote or local resources,” the researchers explained in an advisory.
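The bug class behind this advisory is message text reaching an HTML renderer without being escaped, typically because the client builds markup by string interpolation (to turn URLs into links) and, somewhere on the way, decodes HTML entities in the message. Signal Desktop is an Electron application written in JavaScript, so the Python below is an added illustration of the pattern and its fix, not Signal's code; the two payload strings are constructed, not the researchers' proof of concept.

```python
import html
import re

# Matches bare URLs in message text; stops at whitespace and at characters that
# would break out of an attribute value.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Any tag other than the <a>/</a> the renderer emits itself.
FOREIGN_TAG_RE = re.compile(r"<(?!/?a\b)[a-zA-Z]")

# Constructed payloads: one carries a raw tag, the other the same idea with the tag
# HTML-encoded, as it might arrive through a transport that escapes message bodies.
RAW_TAG_PAYLOAD = "see <img src=x onerror=alert(1)> https://example.com"
ENCODED_TAG_PAYLOAD = "see &lt;iframe src=x&gt; https://example.com"


def render_unsafe(message: str) -> str:
    """Vulnerable pattern: 'normalise' entities first, then build markup by interpolating
    the raw text and hand it to innerHTML. Both payloads come out as live tags."""
    decoded = html.unescape(message)  # turns &lt;iframe&gt; back into <iframe>
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', decoded)


def render_safe(message: str) -> str:
    """Escape every text segment, never unescape, and only emit anchors built here.
    An encoded payload is shown to the user literally as &lt;iframe ...&gt;."""
    out, pos = [], 0
    for m in URL_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        url = html.escape(m.group(0))
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def contains_foreign_markup(rendered: str) -> bool:
    """True if the rendered HTML contains any element besides the renderer's own anchors."""
    return FOREIGN_TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    for payload in (RAW_TAG_PAYLOAD, ENCODED_TAG_PAYLOAD):
        print("unsafe:", render_unsafe(payload), contains_foreign_markup(render_unsafe(payload)))
        print("safe:  ", render_safe(payload), contains_foreign_markup(render_safe(payload)))
```

In a real client the equivalent of render_safe is to set textContent (or a framework's default, escaping text binding) for the message body and to create the anchor element through the DOM API rather than concatenating HTML; the detector is only there to make the difference observable in a test.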
Tomi Engdahl says:
Flaws in Open Source Components Pose Increasing Risk to Apps: Study
https://www.securityweek.com/flaws-open-source-components-pose-increasing-risk-apps-study
Open source components have been increasingly used by developers, but failure to patch vulnerabilities in this type of software can pose serious risks.
The 2018 Open Source Security and Risk Analysis (OSSRA) report published on Tuesday by Synopsys shows that of the more than 1,100 commercial codebases analyzed by the company last year, 96% contained open source components, the same percentage as the previous year. However, many applications now contain more open source than proprietary code, with the percentage of open source components in the codebases of scanned apps increasing from 36% in 2016 to 57% in 2017.
The study shows that 78% of the examined codebases were plagued by at least one open source vulnerability, compared to 67% in the previous year. The average number of flaws discovered per codebase in 2017 was 64, which represents an increase of 134%.
Synopsys noted that more than 4,800 vulnerabilities were found in open source software last year, which is not surprising considering that the total number of flaws recorded by the National Vulnerability Database (NVD) exceeded 14,700, compared to only 6,400 in 2016.
Tomi Engdahl says:
Bumper to Bumper: Detecting and Mitigating DoS and DDoS Attacks on the Cloud, Part 1
https://securityintelligence.com/bumper-to-bumper-detecting-and-mitigating-dos-and-ddos-attacks-on-the-cloud-part-1/
Bumper to Bumper: Detecting and Mitigating DoS and DDoS Attacks on the Cloud, Part 2
https://securityintelligence.com/bumper-to-bumper-detecting-and-mitigating-dos-and-ddos-attacks-on-the-cloud-part-2/
Tomi Engdahl says:
Day three of our personal security tuneup: turn on that 2FA!
https://motherboard.vice.com/en_us/article/a3adpj/how-to-set-up-2fa
Tomi Engdahl says:
10 Security Behaviors That Anger Us
https://www.securityweek.com/10-security-behaviors-anger-us
Why Do We Get Angry With People for Doing What We Incentivize Them to Do?
To answer it, I offer “10 security behaviors that anger us, but that we incentivize”:
1. Focusing tactically: On numerous occasions, I’ve heard different organizations state that the security team is too tactically focused. That may certainly be the case. But if your primary metrics involve the number of alerts fired and the number of tickets opened and closed in a given week, can you really fault your team for working towards the numbers you measure them on?
2. Fire fighting: No one wants their security team running from one emergency to the next without any time to focus on everything else going on. But sometimes it’s hard to fault security teams that succumb to this. There are some issues that arise that legitimately need to push everything else aside. Far too often though, security teams are on the receiving end of a seemingly endless array of “emergencies” that result from a lack of understanding and/or faith in both the issue and the abilities of the security team.
3. Event “du jour”: I haven’t met a security team yet that enjoys getting sucked up into the spin surrounding an event “du jour”. But it’s hard to imagine how they could choose to do anything but that. When a high profile event happens, the questions “What are we doing about this?”, “Are we affected by this?”, “Are we protected against this?”, and others start coming faster than the security team can respond. All incentives point them toward responding to the rapid fire coming their way.
4. Market segment “en vogue”: Many in the security industry mock or poke fun at companies running towards the latest “en vogue” market. But before you laugh, look at what we incentivize them to do.
5. Writing down passwords: This is one of my favorites. Everyone loves to laugh at those “stupid” users that write down their passwords. But perhaps they should be laughing at us. As an industry, we cannot prove that insanely complex password rules actually improve our respective security postures. In fact, to do that, we probably need to move away from passwords entirely.
6. Being unprepared for incident response: No one likes to get caught by surprise and appear unprepared when a critical or serious incident occurs. But building a mature incident response capability takes a strategic effort that won’t show its value immediately.
7. Acquiring stovepiped technology: How many times have we seen an acute problem in security boil over to the point where everyone is screaming for an immediate solution. While we need to make sure we address acute issues in a timely manner, we want to make sure we don’t “knee jerk” and acquire a quick fix that is almost “disposable”.
8. Under budgeting security: Everyone loves the low prices of big retail chains, but at the same time, loves to complain about lack of assistance available. We can’t really have it both ways. We want our vendors and providers to give us a lot of value at a low price point. So, not surprisingly, that’s where they invest most of their resources. Security is an overhead cost.
9. Under training team members: It costs money to send team members to professional training, and it takes them away from their job for a bit. If we can see the strategic value that properly training team members brings, it is a no brainer.
10. Not collaborating enough: There is a lot of talk about information sharing and collaboration, but unfortunately, there is less action than we would like to see. There are many reasons why this is the case, but it doesn’t help that most organizations incentivize their staff to keep information close hold, as well as to keep up appearances around the true state of the security program.
Tomi Engdahl says:
Reflecting on the Memcached Reflection Attacks: A Wake-Up Call for Developers
https://securityintelligence.com/reflecting-on-the-memcached-reflection-attacks-a-wake-up-call-for-developers/
Around the end of February, rumors started floating around about a new reflector called memcached that could be used to fuel distributed denial-of-service (DDoS) attacks. A day or so later, defenders were prepping for huge attacks, but threat actors were even quicker to capitalize on their newest toy.
On Feb. 28, exposed memcached servers were used to fuel a 1.3-TB-per-second attack, the largest recorded to date. Since the incident, security professionals have made great strides toward limiting the number of exposed memcached systems.
Today, the issues caused by memcached have been largely mitigated, but not completely. The initial count of 50,000 vulnerable servers was quickly whittled down to 10,000 in the initial days of the attacks and has since dropped below a few thousand servers. Multiple internet service providers (ISPs) and cloud services have taken steps to prevent their networks from being the source of memcached attack traffic. Linux defaults have been updated to prevent the preconfigured exposure of the service to the internet, and administrators across the globe have updated their configurations to block port 11211 and require authentication.
A Wake-Up Call for Developers
Memcached is simply the latest example of a valid service that was developed and deployed with little or no thought to security. It was quite a wake-up call when Mirai burst onto the scene with a 623-Gbps attack against security writer Brian Krebs. This was the first big leap in attack traffic in several years and highlighted the fact that attackers were looking for new resources to fuel DDoS attacks. Memcached is proof that the bad guys haven’t stopped their search for new pools of vulnerable protocols and services to exploit.
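Two things a practitioner wants to see from the memcached story: why a tiny UDP request produces so much reply traffic, and what in the service's own options decides whether it is reachable as a reflector. The added Python example below (editor's example, not code from the article or from the memcached project) builds the 8-byte memcached UDP frame header, reassembles a reply that the server has split into numbered datagrams, computes the amplification ratio, and audits a memcached command line or /etc/memcached.conf fragment for the two settings that matter: -U (UDP port, 0 disables UDP) and -l (bind address). The stats reply is a constructed sample, so the ratio it yields is illustrative; a real exposed server returns far more.

```python
import struct

MEMCACHED_UDP_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams, reserved.
HEADER = struct.Struct("!HHHH")

# Constructed 100-byte stats reply (the real one is much longer).
SAMPLE_STATS_REPLY = (
    b"STAT pid 1234\r\nSTAT uptime 86400\r\nSTAT version 1.4.25\r\n"
    b"STAT curr_connections 10\r\nSTAT bytes 0\r\nEND\r\n"
)


def udp_frame(request_id: int, payload: bytes, seq: int = 0, total: int = 1) -> bytes:
    """Prepend the memcached UDP header to a payload. 'stats\\r\\n' becomes a 15-byte datagram."""
    return HEADER.pack(request_id, seq, total, 0) + payload


def split_reply(request_id: int, reply: bytes, chunk: int) -> list:
    """Model how a server fragments a large reply into numbered datagrams (chunk size is ours)."""
    parts = [reply[i:i + chunk] for i in range(0, len(reply), chunk)]
    return [udp_frame(request_id, p, seq, len(parts)) for seq, p in enumerate(parts)]


def reassemble(datagrams: list) -> bytes:
    """Reassemble datagrams by sequence number; ValueError on mixed ids or missing pieces."""
    pieces, expected = {}, None
    for d in datagrams:
        rid, seq, total, _ = HEADER.unpack(d[:HEADER.size])
        if expected is None:
            expected = (rid, total)
        elif expected != (rid, total):
            raise ValueError("mixed request ids or datagram counts")
        pieces[seq] = d[HEADER.size:]
    if expected is None or len(pieces) != expected[1]:
        raise ValueError("missing datagrams")
    return b"".join(pieces[i] for i in range(expected[1]))


def amplification_factor(request: bytes, datagrams: list) -> float:
    """Bytes on the wire towards the victim divided by bytes the attacker spoofed."""
    return sum(len(d) for d in datagrams) / len(request)


def audit_memcached_options(text: str) -> list:
    """Flag option sets (command line or memcached.conf lines, '#' comments allowed)
    that leave the UDP listener enabled or bind the service to every interface."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(line.split())
    listen, udp_port, i = None, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-l", "--listen") and i + 1 < len(tokens):
            listen, i = tokens[i + 1], i + 2
        elif tok.startswith("--listen="):
            listen, i = tok.split("=", 1)[1], i + 1
        elif tok in ("-U", "--udp-port") and i + 1 < len(tokens):
            udp_port, i = int(tokens[i + 1]), i + 2
        elif tok.startswith("--udp-port="):
            udp_port, i = int(tok.split("=", 1)[1]), i + 1
        else:
            i += 1
    findings = []
    if udp_port is None:
        findings.append("no -U given: UDP follows the build default (enabled on 11211 before 1.5.6)")
    elif udp_port != 0:
        findings.append(f"UDP listener enabled on port {udp_port}")
    # -l accepts a comma-separated list; any wildcard entry exposes the service everywhere.
    if listen is None or any(a.strip() in ("0.0.0.0", "::") for a in listen.split(",")):
        findings.append("no loopback/LAN bind address: service reachable on all interfaces")
    return findings


if __name__ == "__main__":
    req = udp_frame(1, b"stats\r\n")
    frags = split_reply(1, SAMPLE_STATS_REPLY, 40)
    print(f"{len(req)} request bytes -> {sum(map(len, frags))} reply bytes, "
          f"x{amplification_factor(req, frags):.1f} (constructed sample)")
    print(audit_memcached_options("-m 64\n-p 11211\n-l 0.0.0.0\n-U 11211"))
```

The header fields are what make the protocol attractive to attackers: the request id is attacker-chosen and the sequence/total fields let the server stream a reply of many datagrams to whatever source address the request claimed, with no handshake in between. Fixing the audit's findings ("-U 0" and "-l 127.0.0.1", or a LAN address behind a firewall that drops 11211 at the edge) is the same remediation the article credits administrators with applying.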