2017 was a bad cybersecurity year, and the expectation is that Cybersecurity Dangers Will Spike in 2018. The situation was so bad in 2017 that some thought We’re hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.
Here is a list of relevant cyber security terms for 2018:
AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help, and data science can process and analyze security data on a scale that is orders of magnitude faster than humans could (see Attacks below). AI solutions could possibly help with some security problems, but be warned of the over-hyping of AI in security solutions. We will also see many attacks against ‘black box’ machine learning, i.e. against models the attacker can only query, not inspect.
Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: endpoint, AV, cloud, network/infrastructure, application, compliance, and the list goes on and on. The overwhelming array of choices has given technologists a lot to evaluate, but it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than on simply checking all of the boxes with niche security tools.
Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.
Automation: Enterprises will no longer only react manually to cyber events after they happen, but will instead use systems to proactively plan and automatically respond. Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises.
Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.
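The entry above says to test that the backup and restore process works; the following is an added example of what that test looks like in code (not code from the page or from any of its sources). It creates a few constructed files, archives them with tarfile, restores them into a fresh directory and compares every restored file against a SHA-256 manifest of the originals, reporting missing and corrupted files separately. The file names and contents are made up for the demonstration.

```python
"""Backup-and-restore verification round trip (added example)."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def backup(src, archive):
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")


def restore(archive, dst):
    """Extract the archive below dst and return the restored data directory."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter (Python 3.12, backported to 3.8.17+) rejects
            # absolute and ../ member names that a crafted archive could carry.
            tar.extractall(dst, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dst)
    return os.path.join(dst, "data")


def verify_restore(src, restored):
    """Return (missing, corrupted) relative paths, each sorted."""
    expected = manifest(src)
    actual = manifest(restored)
    missing = sorted(p for p in expected if p not in actual)
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return missing, corrupted


def run_restore_test(tamper=False, drop=False):
    """Full round trip in a temporary directory. tamper=True modifies one
    restored file and drop=True deletes one, to show both are caught."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")  # constructed sample data set
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'constructed sample');\n")
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        archive = os.path.join(work, "backup.tar.gz")
        backup(src, archive)
        restored = restore(archive, os.path.join(work, "restore"))
        if tamper:
            with open(os.path.join(restored, "config.ini"), "a") as f:
                f.write("corrupt\n")
        if drop:
            os.remove(os.path.join(restored, "db", "orders.sql"))
        missing, corrupted = verify_restore(src, restored)
        # normalise separators so the result reads the same on every platform
        return ([p.replace(os.sep, "/") for p in missing],
                [p.replace(os.sep, "/") for p in corrupted])


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("tampered restore:", run_restore_test(tamper=True))
    print("incomplete restore:", run_restore_test(drop=True))
```

The manifest is taken from the live data before the backup, not from the archive, so a backup job that silently skips files or an archive that is truncated on the backup medium both show up as missing entries; a bit flip on the medium shows up as a corrupted entry. Run the same check against a restore onto a clean machine, since that is the only restore that proves anything.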
Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.
Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography: each block carries a hash of the previous block, so a change to any earlier record breaks every link after it. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as a looming security risk and some see that authorized browser mining could be used for micro-payments.
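To make the "linked and secured using cryptography" property concrete, here is an added example (my own illustration, not code from the page, from bitcoin or from any of the sources) of a minimal hash-chained ledger. It shows what the chain alone guarantees and, just as importantly, what it does not: the names, transfers and amounts are constructed, there is no proof of work, consensus or signatures, and `demo` exercises the tamper cases.

```python
"""Minimal hash-chained ledger: tamper-evident, not tamper-proof (added example)."""
import hashlib
import json


def block_hash(block):
    """SHA-256 over the canonical JSON of everything except the block's own hash."""
    payload = {k: block[k] for k in ("index", "prev_hash", "records")}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class Ledger:
    GENESIS_PREV = "0" * 64

    def __init__(self):
        self.blocks = []

    def append(self, records):
        """Add a block whose prev_hash is the hash of the current tip."""
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS_PREV
        block = {"index": len(self.blocks), "prev_hash": prev, "records": list(records)}
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        return block["hash"]

    def verify(self):
        """Return the index of the first broken block, or None if the chain is intact."""
        prev = self.GENESIS_PREV
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev_hash"] != prev or block_hash(b) != b["hash"]:
                return i
            prev = b["hash"]
        return None


def demo(tamper_index=None, rehash=False):
    """Build a three-block ledger of constructed transfers, then optionally
    edit one record in place. With rehash=True the attacker also recomputes
    the edited block's own hash, which is what a naive tamperer would try."""
    ledger = Ledger()
    ledger.append([{"from": "alice", "to": "bob", "amount": 5}])
    ledger.append([{"from": "bob", "to": "carol", "amount": 2}])
    ledger.append([{"from": "carol", "to": "alice", "amount": 1}])
    if tamper_index is not None:
        blk = ledger.blocks[tamper_index]
        blk["records"][0]["amount"] = 500
        if rehash:
            blk["hash"] = block_hash(blk)
    return ledger.verify()


if __name__ == "__main__":
    print("intact:", demo())                        # None
    print("edit block 1:", demo(1))                 # 1: its hash no longer matches
    print("edit + rehash block 1:", demo(1, rehash=True))   # 2: block 2's prev_hash breaks
    print("edit + rehash the tip:", demo(2, rehash=True))   # None: undetectable by the chain alone
```

The last case is the one to remember when evaluating blockchain claims: whoever holds the only copy can rewrite the tip (or re-hash the whole chain) and the chain will verify. Bitcoin makes that rewrite expensive with proof of work and many independent copies; an internal "blockchain" without those properties is just a hash chain, which is still useful for tamper-evident logs but does not remove the need for a trusted party.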
Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.
Certificates: Facebook Releases New Certificate Transparency Tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. Certificate Transparency does not prevent mis-issuance; it makes it visible. Because newly issued certificates are logged to Certificate Transparency logs (CT logs), a domain owner who monitors the logs can spot a certificate they never requested and have it revoked before it is used for man-in-the-middle attacks. With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet cloud security is oftentimes still thought of as a different type of security. You Should Question Most Common Cloud Assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.
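The decision logic behind a CT monitor such as the Facebook tool is simple enough to show; the following is an added example of my own (not Facebook's code and not from any of the sources). A real monitor pulls entries from the CT logs over the network; here the entries are constructed dictionaries with the fields the monitor actually decides on (SAN names, issuing CA, log index), the CA names are invented, and `example.com`/`example.org` are documentation domains. It alerts on any certificate covering a watched domain or a subdomain of it that was issued by a CA not on that domain's expected list, and it also answers the question that trips people up when they find a wildcard in the logs: which hosts does this certificate actually cover.

```python
"""Certificate Transparency monitoring logic over constructed log entries (added example)."""


def name_matches(san, host):
    """Does one SAN entry cover host? A wildcard covers exactly one label
    and never the apex (RFC 6125 section 6.4.3), so *.example.com covers
    www.example.com but neither example.com nor a.b.example.com."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def monitor(entries, watched):
    """Return [(log_index, issuer, offending SANs)] for certificates that
    name a watched domain (or any subdomain of it) but come from a CA that
    is not expected for that domain."""
    alerts = []
    for e in entries:
        bad = []
        for san in e["sans"]:
            base = san[2:] if san.startswith("*.") else san
            base = base.lower().rstrip(".")
            for domain, expected_cas in watched.items():
                in_scope = base == domain or base.endswith("." + domain)
                if in_scope and e["issuer"] not in expected_cas:
                    bad.append(san)
                    break
        if bad:
            alerts.append((e["log_index"], e["issuer"], bad))
    return alerts


def certs_covering(entries, host):
    """Log indexes of entries a browser would accept for host."""
    return [e["log_index"] for e in entries
            if any(name_matches(s, host) for s in e["sans"])]


# Constructed CT entries: indexes and CA names are placeholders.
ENTRIES = [
    {"log_index": 1001, "issuer": "Good CA", "sans": ["example.com", "www.example.com"]},
    {"log_index": 1002, "issuer": "Good CA", "sans": ["*.example.com"]},
    {"log_index": 1003, "issuer": "Unknown CA", "sans": ["login.example.com", "mail.example.com"]},
    {"log_index": 1004, "issuer": "Other CA", "sans": ["example.org"]},   # not watched
]
WATCHED = {"example.com": {"Good CA"}}   # domain -> CAs we actually use


if __name__ == "__main__":
    for idx, issuer, sans in monitor(ENTRIES, WATCHED):
        print("ALERT: log entry %d from %s covers %s" % (idx, issuer, ", ".join(sans)))
    print("certs accepted for example.com:", certs_covering(ENTRIES, "example.com"))
    print("certs accepted for api.example.com:", certs_covering(ENTRIES, "api.example.com"))
```

Two practical notes: the expected-CA list has to include every CA your organisation legitimately uses (marketing teams and SaaS vendors obtaining certificates for subdomains are the usual source of false alarms), and an alert is only useful if someone acts on it, which means a revocation request to the issuing CA and, for your own hosts, a check that the private key was not the thing that leaked.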
Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”
GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, at which time organizations in non-compliance will face heavy fines (up to 20 000 000 EUR or up to 4% of annual worldwide turnover, whichever is higher). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller will be under a legal obligation to notify the supervisory authority of a personal data breach without undue delay (where feasible, within 72 hours of becoming aware of it). Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.
Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.
HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.
HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of end 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.
HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide: the interception proxy terminates TLS itself, so the client can no longer see or validate the real server certificate, and the connection is only as secure as the proxy’s own TLS implementation.
ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) and incident management systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.
Identify: When you have inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.
IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4 (there is no NAT to hide behind, neighbor discovery replaces ARP, every interface has link-local addresses, and firewall rules have to be written separately for IPv6), so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean IPv4 is dying. It seems that both technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default – so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work this way or not).
Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
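Whether a dual-stacked host is "using IPv6 without knowing it" in the sense that matters for security comes down to whether it holds a globally routable IPv6 address on an interface whose firewall policy only considered IPv4. The following is an added example (my own, not from the page or the IPv6 article it cites) that takes the address lines from an `ip addr` style listing and reports the globally routable IPv6 addresses per interface. The listing is constructed; it uses documentation prefixes and a made-up MAC-derived address. One detail the check relies on: Linux prints `scope global` for unique-local (fd00::/8) addresses too, so the classification is done by prefix rather than by trusting the scope word.

```python
"""Find unplanned IPv6 exposure in an interface address dump (added example)."""
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

IFACE_RE = re.compile(r"^\d+:\s+(\S+):")
INET6_RE = re.compile(r"^\s+inet6\s+([0-9a-fA-F:]+)/(\d+)")

# Constructed `ip addr` output: the box was "IPv4 only" in the firewall
# policy, yet eth0 has picked up a global IPv6 address (e.g. via SLAAC).
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 2001:db8:1234::10/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN
    inet6 fd00:dead:beef::1/64 scope global
"""


def classify(addr):
    """loopback / link-local / unique-local / global, decided by prefix."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def global_v6(dump):
    """Map interface name -> IPv6 addresses routable beyond the local link/site."""
    result = {}
    iface = None
    for line in dump.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if m and iface and classify(m.group(1)) == "global":
            result.setdefault(iface, []).append(m.group(1))
    return result


if __name__ == "__main__":
    for iface, addrs in global_v6(SAMPLE).items():
        print("%s is reachable over IPv6: %s" % (iface, ", ".join(addrs)))
```

On a real host feed it `ip -6 addr show` (or the equivalent `ifconfig` output with the regexes adjusted) and compare the result with what the IPv6 ruleset on that host and on the upstream firewall actually covers; an empty result for every interface is the only case where an IPv4-only policy is complete.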
IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. An IoT system should address security at all levels – cloud, network and device – down to hardware-based security and secure MCUs (see Holistic above). It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The Race for a Universal IoT Security Standard is on, but it will not get anywhere near the finish line in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
Micro-segmentation: Categorize data based on organizational value, and then create physical or logical separation of networks for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also stop attacks like WannaCry and NotPetya from propagating across networks to reach their intended target: both spread host to host over SMB (TCP 445), which workstations rarely have any reason to accept from other workstations.
Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai-makers pleaded guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.
Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.
Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. And they need to be fixed. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats (vulnerabilities that are being exploited, have public exploit code, and sit on exposed or critical systems) are prioritized and remediated first, rather than working down a list sorted by CVSS score alone. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
PSD2: The EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need Consent Management Solutions.
Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.
Responsibility: People are starting to call on companies to take responsibility. Regulations such as the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some say It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run almost every part of our lives – where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibility also means responsibly disclosing the vulnerabilities you find.
Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The Best Security Doesn’t Exclude Users, it Empowers Them.
Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers, including the vendors whose update channels you trust.
Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?
Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. Most attempts, DARPA’s chip-based effort included, state their goal as “hack resistance”, which hedges a bit on whether truly unhackable hardware is achievable.
Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.
Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem, so they cannot fix everything at once and need the threat-centric prioritization described under Patching above. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run – many organizations have no process for tracking which open source components they ship, so they cannot tell which newly disclosed vulnerabilities affect them. Vulnerability handling also includes responsibly disclosing the vulnerabilities you find in others’ products.
Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats are likely to continue into 2018.
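The Patching and Vulnerability entries both say to prioritize imminent threats rather than work down a CVSS-sorted list, without showing what that ordering changes. The following added example (my own scoring, not Gartner’s model or anyone’s product) ranks a handful of constructed findings with placeholder identifiers (not real CVEs) by evidence of exploitation, exposure and asset criticality, using the CVSS score only as a tie-breaker, and flags anything known for more than a year, since those are the bugs the Gartner figure says actually get exploited. The weights are illustrative; the point is the ordering they produce compared with CVSS alone.

```python
"""Threat-centric patch prioritization over constructed findings (added example)."""
from datetime import date

TODAY = date(2018, 1, 15)   # fixed so the ranking is reproducible

# Constructed findings: IDs are placeholders, not real CVE numbers.
FINDINGS = [
    {"id": "VULN-A", "cvss": 9.8, "exploited_in_wild": False, "exploit_public": False,
     "internet_exposed": False, "asset_criticality": 2, "published": date(2017, 11, 1), "hosts": 12},
    {"id": "VULN-B", "cvss": 7.5, "exploited_in_wild": True, "exploit_public": True,
     "internet_exposed": True, "asset_criticality": 3, "published": date(2016, 3, 14), "hosts": 3},
    {"id": "VULN-C", "cvss": 8.1, "exploited_in_wild": False, "exploit_public": True,
     "internet_exposed": True, "asset_criticality": 1, "published": date(2017, 9, 2), "hosts": 40},
    {"id": "VULN-D", "cvss": 5.3, "exploited_in_wild": False, "exploit_public": False,
     "internet_exposed": False, "asset_criticality": 1, "published": date(2017, 12, 20), "hosts": 200},
]


def threat_score(f):
    """Higher = patch sooner. Likelihood is driven by evidence (observed
    exploitation > public exploit > nothing) and exposure; impact by asset
    criticality (1 low .. 3 crown jewels). CVSS/10 only breaks ties."""
    likelihood = 1.0
    if f["exploited_in_wild"]:
        likelihood += 3.0
    elif f["exploit_public"]:
        likelihood += 1.5
    if f["internet_exposed"]:
        likelihood += 1.0
    return likelihood * f["asset_criticality"] + f["cvss"] / 10.0


def stale(f, today=TODAY, days=365):
    """Known for a year or more: the class Gartner says keeps getting exploited."""
    return (today - f["published"]).days >= days


def prioritize(findings, today=TODAY):
    """[(id, score, stale)] from most to least urgent."""
    ranked = sorted(findings, key=threat_score, reverse=True)
    return [(f["id"], threat_score(f), stale(f, today)) for f in ranked]


def cvss_order(findings):
    """The naive ordering, for comparison."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("by CVSS only     :", cvss_order(FINDINGS))
    print("threat-centric   :", [vid for vid, _s, _st in prioritize(FINDINGS)])
    for vid, score, is_stale in prioritize(FINDINGS):
        print("%s score=%.2f%s" % (vid, score, "  (known > 1 year, overdue)" if is_stale else ""))
```

VULN-B, a year-old bug with a 7.5 score, lands on top because it is being exploited, is reachable from the Internet and sits on a critical asset, while the 9.8 that the CVSS list would patch first drops to third. Feed the scorer your own exploitation intelligence and asset inventory; a scoring rule that never consults either is just CVSS with extra steps.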
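The Micro-segmentation and Worms entries make the same point from two sides: a wormable bug reaches whatever the network lets it reach. The following added example (my own, not from the page or its sources) models a small constructed network as hosts with segments and "SMB from A to B is allowed" as a policy function, then runs a breadth-first search from one infected host to show what a WannaCry-style SMB worm would reach under a flat policy versus a segmented one. It also includes the check a segmentation project should drive to zero: same-segment workstation pairs that can still talk SMB. Host names and segments are invented.

```python
"""Worm reach under flat versus segmented SMB policy (added example)."""
from collections import deque

# Constructed inventory: host -> segment
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "file-01": "servers", "db-01": "servers",
    "hmi-01": "ot", "plc-gw": "ot",
}


def flat_policy(src, dst):
    """Flat network: any host may open TCP 445 to any other."""
    return src != dst


def segmented_policy(src, dst):
    """Workstations may reach only the file server; servers talk among
    themselves; OT devices are reachable only from the HMI; there is no
    workstation-to-workstation SMB at all."""
    if src == dst:
        return False
    s, d = HOSTS[src], HOSTS[dst]
    if s == "workstations":
        return dst == "file-01"
    if s == "servers":
        return d == "servers"
    if s == "ot":
        return d == "ot" and src == "hmi-01"
    return False


def worm_reach(policy, start, vulnerable=None):
    """Set of hosts (excluding start) an SMB worm starting at `start` can
    infect: BFS over the allowed-445 graph, restricted to `vulnerable`
    hosts (default: every host is unpatched)."""
    vulnerable = set(HOSTS) if vulnerable is None else set(vulnerable)
    infected = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in infected and nxt in vulnerable and policy(cur, nxt):
                infected.add(nxt)
                queue.append(nxt)
    return infected - {start}


def lateral_smb_pairs(policy, segment="workstations"):
    """Same-segment pairs the policy still lets talk SMB."""
    members = [h for h, s in HOSTS.items() if s == segment]
    return [(a, b) for a in members for b in members if a != b and policy(a, b)]


if __name__ == "__main__":
    print("flat, ws-01 infected     :", sorted(worm_reach(flat_policy, "ws-01")))
    print("segmented, ws-01 infected:", sorted(worm_reach(segmented_policy, "ws-01")))
    patched_servers = {h for h, s in HOSTS.items() if s == "workstations"}
    print("segmented + servers patched:", sorted(worm_reach(segmented_policy, "ws-01", patched_servers)))
    print("workstation<->workstation SMB pairs, flat     :", len(lateral_smb_pairs(flat_policy)))
    print("workstation<->workstation SMB pairs, segmented:", len(lateral_smb_pairs(segmented_policy)))
```

The middle case shows why segmentation and patching are complementary: with the segmented policy the worm still reaches both servers through the file server, and only patching those (or denying SMB between them) stops it there; with the flat policy, patching the servers leaves every workstation infected anyway. NotPetya also moved with stolen credentials over WMI and PsExec, so the same graph should be built for those protocols too.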
Sources:
Firefox, Chrome start calling HTTP connections insecure
Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead
Cybersecurity Dangers Will Spike in 2018
We’re hitting rock bottom in cyber — let’s do something | TechCrunch
Mirai-makers plead guilty, Hajime still lurks in shadows
DARPA Takes Chip Route to ‘Unhackable’ Computers
Another AI attack, this time against ‘black box’ machine learnings
General Data Protection Regulation (Wikipedia)
Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already
Miten GDPR pitää huomioida ohjelmistokehityksessä?
Seven Seas Cybersecurity: Captain, We Have a Problem
In the Words of President Ronald Reagan, “Trust but Verify”
Why You Should Question These Most Common Cloud Assumptions
It’s 2018. Do You Know Where Your Data Are?
Improved IoT Security Starts with Liability for Companies, Not Just Legislation
Smart Factory Connectivity for the Industrial IoT
The Race for a Universal IoT Security Standard
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.
Resolve to Mitigate Your Business’ Digital Risk in 2018
Emerging Trends in Vulnerability Management
Research reveals customer-facing web and mobile apps as top security challenge
Open Source Vulnerabilities: Are You Prepared to Run the Race?
Device Security for the Industrial Internet of Things
GDPR and Open Source: Best Practices
Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC
ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good
Threat Modeling the Internet of Things: Modeling Reaper
Engineering for Privacy Requires Standards
How to Make Adversaries Work Harder, While We Work Smarter, in 2018
2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices
Facebook Releases New Certificate Transparency Tools
iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
U.S. Military to Send Cyber Soldiers to the Battlefield
Machine Learning & Security: Making Users Part of the Equation
Security is Not a Technology Profession
Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018
636 Comments
Tomi Engdahl says:
What are botnets downloading?
Statistics for the past year on files downloaded by botnets
https://securelist.com/what-are-botnets-downloading/87658/
Tomi Engdahl says:
DARPA Eyes BAE to Detect Cyber Threats
https://www.mwrf.com/systems/darpa-eyes-bae-detect-cyber-threats?NL=MWRF-001&Issue=MWRF-001_20180830_MWRF-001_255&sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=19568&utm_medium=email&elq2=306475ffe51949fca389cdadda795a11
DARPA has contracted BAE Systems to protect large networks against cyber attacks, by developing cyber-hunting tools that detect and analyze cyber threats.
Modern communications and computer technologies bring with them great convenience, but at the risk of cyber threats. To help protect large networks against cyber threats, the Defense Advanced Research Projects Agency (DARPA) has selected BAE Systems to develop data-driven, cyber-hunting tools that detect and analyze such threats. BAE Systems intends to automatically detect and overcome aggressive cyber threats by combining advanced machine learning with cyber-attack modeling. The contract for Phases 1, 2, and 3 of the program is valued at approximately $5.2 million.
Tomi Engdahl says:
Cognitive Intelligence: Empowering Security Analysts, Defeating Polymorphic Malware
https://blogs.cisco.com/security/cognitive-intelligence-empowering-security-analysts-defeating-polymorphic-malware
In psychology, the term “cognition” refers to a human function that is involved in gaining knowledge and intelligence. It helps describe how people process information and how the treatment of this information may lead to various decisions and actions. Individuals use cognition every day. Examples as simple as the formation of concepts, reasoning through logic, making judgments, problem-solving, and achieving goals all fall under the purview of this term.
In cybersecurity, applying the principles of cognition helps us turn individual observed threat events into actionable alerts full of rich investigative detail. This process improves over time through continuous learning. The goal is to boost discovery of novel or morphing threats and streamlining of the cybersecurity incident response. The work of the security operations teams can be vastly optimized by delivering prioritized actionable alerts with rich investigative context.
Tomi Engdahl says:
Patch Management Must be Guided by Risk
https://www.flashpoint-intel.com/blog/patch-management-must-be-guided-by-risk/
Since the major technology companies have a regular cadence for the release of patches, organizations can, in theory, better allocate resources, prepare to test software updates, and deploy fixes when ready. But when Microsoft patches dozens of bugs on the second Tuesday month after month, or Oracle fixes hundreds of bugs at a time on a quarterly basis, the temptation could arise to just patch it all, or at least rely on criticality scores and bleating pundits to guide your patch management efforts.
A high CVE score or a pithy quote from an expert, however, shouldn’t be the deciding factor as to whether an enterprise deploys every patch to every affected system. The discussion should center on risk, and it should land on the likelihood a vulnerability would be exploited on your network and what impact it will have to continuity, data integrity, and the bottom line. An approach aligned with Business Risk Intelligence (BRI) lends itself to informed decisions about patch management, and the right call could save your company precious time and money, and allow your internal experts to focus on what matters most to the business.
Unfortunately for many companies, patch management is still guided by CVE criticality scores that are often incorrectly equated with business risk. CVE scores are a macro guide to a bug’s potential impact, but my organization’s 9.8 score, could equate to a 4.6 inside the walls of your company. Patch management cannot be based on a third-party rating system devoid of the unique context of an enterprise’s security and risk posture. Relying solely on CVE criticality scores in place of business risk assessments will lead you down a path of costly monthly and quarterly updates, regardless of the need to do so.
Tomi Engdahl says:
The Evolving Threat Landscape – Looking at Our 2018 Predictions
https://www.fortinet.com/blog/industry-trends/the-evolving-threat-landscape—looking-at-our-2018-predictions.html
Tomi Engdahl says:
Cybercriminals Changing Tactics as Seen in First Half Report
https://blog.trendmicro.com/trend-micro-2018-midyear-security-roundup/
Any organization that supports critical infrastructure needs to look at how to harden up their ICS/SCADA networks as we’re starting to see threat actors looking to perform destructive attacks versus simply doing reconnaissance and testing capabilities when compromising these networks. As our Zero Day Initiative is finding out, vulnerabilities within the applications and devices in this sector are increasing and, more worrying, we’re not seeing quick patching of the vulnerabilities by the affected vendors. This will likely change as the vendors are made more accountable for fixing their bugs, but until then providers of critical infrastructure need to build improved patching processes, like the use of virtual patching at the network and host layers.
Tomi Engdahl says:
https://documents.trendmicro.com/assets/rpt/rpt-2018-Midyear-Security-Roundup-unseen-threats-imminent-losses.pdf
Tomi Engdahl says:
Semi-annual balance of mobile security
https://www.welivesecurity.com/2018/08/29/semi-annual-balance-mobile-security/
For Android, malware detections were down 27% compared to the first half of 2017; for iOS, they decreased 15% compared to the same period last year
Tomi Engdahl says:
Fileless Attacks Jump 94% in First Half of 2018
While ransomware is still popular, fileless and PowerShell attacks are the threats to watch this year.
https://www.darkreading.com/endpoint/fileless-attacks-jump-94–in-first-half-of-2018/d/d-id/1332686
Tomi Engdahl says:
Three Ways of Looking at Security Operations
https://www.securityweek.com/three-ways-looking-security-operations
The term “security operations” is often interpreted to be synonymous with a security operations center (SOC). In fact, a web search on security operations results mostly in links to SOC content. But that’s a narrow view. How you view security operations will make a difference in how fast your organization can deliver software and mitigate breach damage. A bigger-picture view that includes IT operations is necessary to address the agile threat environment that exists today.
The divide between security and operations
While IT security ultimately is concerned with the confidentiality, integrity and availability of IT services and information, IT operations focuses more on performance, efficiency and availability.
We might be tempted to find common ground over availability, but even this identical term is viewed through different lenses. The security perspective focuses on countering intentional sabotage, while operations seeks to mitigate accidental service disruption. The result of this divide is overlapping organizations and tools in many organizations, with conflict arising over the boundaries between them.
The approach taken by many organizations can be grossly organized into three categories.
1. Security administration – The everyday activities performed by IT security in support of its responsibilities. These can include the implementation and maintenance of policies and controls, threat analysis, compliance assessments, and security monitoring and incident investigation from a SOC or similar structure. These operational activities are clearly in the security domain, and while they will intersect with operations (for example, enabling log collection on a server) there is usually less grey area on who is the authority.
2. Secure ops frenemies – The necessary collaboration that must occur between IT security and operations. Every organization handles this a little differently, and ideally, there is documentation that clearly defines who provides management of credentials and access, who changes rules on the firewalls, and who patches servers to eliminate a vulnerability, as examples. Where things get contentious is when timeframe and priorities differ. If a security organization detects the exfiltration of data from a database, they often must rely on operations to shut it down. Operations may be reluctant to do so if that database supports a mission-critical service for the business.
3. DevSecOps – As more enterprises adopt DevOps practices, there is a greater integration of developers and operations teams in planning, building, testing, deploying and maintaining code in production to accelerate release velocity. As bottlenecks or “constraints” are removed, security is gaining the spotlight, and often not in a good way. Security testing, when performed at the end of a development cycle, can identify code that is insecure, but is also then costly to change. So there is a movement to “shift left” security testing by including it earlier in the cycle, which is helpful for developers, but operations/security integration continues to be unaddressed. It remains to be seen if DevOps, which is developer focused, shifts its center of gravity more towards operations, and in doing so, helps to bridge security and operations.
Which approach is correct?
The correct answer, of course, is the one that supports the business need for speed of software delivery, and the confidentiality, integrity and availability of services and data. That means that all three approaches must be covered, but they need improvement. The greatest potential for improvement comes from the interaction between security and operations teams.
One of the keys to the success of DevOps is the automation of handoffs between steps in the toolchain that allows for the continuous delivery of code. That kind of orchestration is sorely needed to bridge the divide between security and operations tools.
For example, your SIEM platform may be able to initiate tickets in a service desk tool. Automated processes in the service desk can then be triggered to perform a remediation action that IT operations has approved. This reduces the workload on both the security and operations teams and can enable a feedback loop for continuous improvement that will also support mutual trust.
Tomi Engdahl says:
Davey Alba / BuzzFeed News:
A look at the human cost of Facebook’s rise in the Philippines: truth matters less, propaganda is ubiquitous, lives are wrecked, and some have died as a result
How Duterte Used Facebook To Fuel the Philippine Drug War
https://www.buzzfeednews.com/article/daveyalba/facebook-philippines-dutertes-drug-war
“We were seduced, we were lured, we were hooked, and then, when we became captive audiences, we were manipulated to see what other people — people with vested interests and evil motives of power and domination — wanted us to see.”
Tomi Engdahl says:
The Continuing Problem of Aligning Cybersecurity With Business
https://www.securityweek.com/continuing-problem-aligning-cybersecurity-business
Aligning security policy with business practices is generally considered to be a key imperative for a successful company. This must necessarily start with security teams understanding the business, and business leaders understanding security requirements.
Varonis decided to test the progress by querying 345 C-Suite executives and IT/cybersecurity professionals — broadly separated into business and IT/security groups — across the U.S., UK, France and Germany. The results show apparent progress, but with puzzling details that might indicate slightly divergent viewpoints between the two groups.
For example, asked what types of data most need to be protected, both groups agreed on first customer or patient data, and second, intellectual property. They disagreed however, on the third priority. The business group specified employee data, while the security group specified financial data.
Do Executives and Cybersecurity Pros Agree on Today’s Biggest Cyber Threats?
https://blog.varonis.com/do-executives-cybersecurity-pros-agree-cyber-threats/
Breaches cost companies billions, erode trust and can have a long-lasting negative impact on a company’s brand. With so much at stake, we wondered: are C-Suite executives aligned with their security and IT pros when it comes to cybersecurity?
The figures suggest that business and IT/sec are still not fully aligned, but in a non-intuitive manner. The reason could be something simple. Business leaders understand business better than they understand cybersecurity, and consequently worry more about what they don’t fully understand; while IT/sec people understand security better than they understand commerce.
Or it could be a continuing failure for IT/sec to find the best metrics for reporting to business leaders. “It’s all about data,” said Vecci. “Nobody ever breaks into a network to steal the network log — it’s all about data, either exfiltrating and stealing data, or in denying service with something like ransomware.”
The data that needs to be secured is also changing in its nature. A few years ago, most sensitive data was stored in structured databases, and the need and methodologies for securing that data were well understood. Now, however, the majority of sensitive data — made more sensitive by increasingly stringent data privacy laws like the GDPR — is held in unstructured files and documents. Earlier this year, the 2018 Varonis Global Data Risk Report showed that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network, 58% of companies have more than 100,000 folders open to everyone.
The misalignment between IT/sec and business leaders may, then, be down to the difficulty of delivering meaningful metrics on the effect of machine learning defenses. This is possibly confirmed by one of the responses in the Varonis survey. Asked whether the organization can quantify the effect of cybersecurity measures, 88% of the IT/sec group replied in the affirmative, while only 68% of the business group agreed.
Unfortunately, while this may be partially true, other figures from the Varonis survey suggest that there remains a fundamental divide between the two sides. Ninety-six per cent of the IT/sec group believes their security planning approach is aligned with the organization’s risks and objectives, but only 73% of the business leaders agree.
Tomi Engdahl says:
Knowing When to Trust
https://www.securityweek.com/knowing-when-trust
I would like to offer 10 points to consider when evaluating whether or not to trust:
1. Give and take: Security, like life, is a give and take. Those who receive are usually quite happy to give back. Unfortunately, not everyone is like that. If you only hear from someone when they need something, if they are always looking for that next piece of information or that next favor, and if they never give back, chances are that you can’t really trust them.
2. Everyone loves free advice: During my consulting days, I learned the hard way just how much people love free advice. Unfortunately, there are more than a few people that will promise you the world in exchange for your insight. But if they disappear at the slightest mention of money, more than likely, they can’t be trusted.
3. Not the stock market: Trusting someone inherently involves some risk. While a calculated risk or educated guess can pay dividends, trusting someone who shouldn’t be trusted can come at a high price. If by trusting someone you feel like you’re betting on the horses or playing the stock market, it’s probably best to hold your cards close in that particular situation.
4. Trust me: Sometimes, people feel a need to remind you repeatedly that you can trust them. In my experience, this is a red flag. Truly trustworthy people’s reputations speak for themselves. Trustworthy people don’t need to fast talk the next person whose good nature they’re looking to exploit.
5. Don’t worry: In a similar vein, people who feel a need to reassure you continually that you needn’t worry are most often cause for worry. If something sounds too good to be true, or if something sounds a bit far-fetched, it usually is.
6. Very interesting idea: For some people, being straightforward and direct is a challenge. Saying “no” is a definitive answer that can have undesired consequences for an untrustworthy person. If this type of person is looking to leave a potential door open, if they are looking to lead someone along, or if they are looking to stall, saying things like “that’s a very interesting idea” is a great way to keep the status quo of ambiguity and indecision going indefinitely.
7. Inconsistency: We’ve all spoken to people whose story keeps changing, those who give different answers in different settings, or those who can’t seem to give a straight answer. If you notice these behaviors, chances are that the person who exhibits them cannot be trusted.
8. Lack of transparency: People who have nothing to hide are often quite happy to be open, honest, straightforward, and transparent. When people are less than transparent, it may be a sign that they are hiding something, keeping something from you, or are otherwise less than trustworthy.
9. Paranoia or anxiety: Do you get a feeling of paranoia or anxiousness from someone? Besides being difficult to work in that type of an environment, it can be a sign that for one reason or another, the person is untrustworthy.
10. Projection: If someone is telling you that you are untrustworthy, that they don’t want to work with you, that they are unsure of your intentions, or similar such statements, it could be a sign of projection. People who are untrustworthy often project that character trait onto people who are trustworthy. If you see this happening, it’s likely a sign that the person you are working with is not trustworthy.
Tomi Engdahl says:
Everything’s Amazing, Nobody’s Secure
https://www.securityweek.com/everythings-amazing-nobodys-secure
One of the best comedic routines I’ve ever had the opportunity to hear is Louis C.K.’s “Everything’s Amazing, Nobody’s Happy” piece. He makes some very clear if not painful points about how we as human beings in a modern society take things for granted. For example, we complain when the WiFi on the airplane goes out. But we never take a second to consider the technological marvel that it takes to deliver that WiFi experience to passengers in a metal tube shooting through the sky.
Enter today’s consumer-driven techno-economy. Let’s be real – if you’re in at least your forties you’ve seen the evolution of computer technology from the very start.
So here’s the point. With all this amazing technology floating around us from watches that don’t need a phone to place calls, to digital assistants that respond to our voices, to all manner of widgets that make our lives easier and more connected – we’re far less secure than we ever have been. This should be no surprise, right? I forget who this idea is attributed to, but the thought is that it takes society about 10 years to fully understand the ramifications of any major technological advancement. For example, it’s taken us over ten years to comprehend the impact the cellular phone had on our lives. The issue is, we develop technology at a pace that is at least 10x this speed.
Truth told, in today’s society we’ve prototyped, tested, developed, released, and sunset a technology or widget 8 years before we ever understand its societal impact. If that doesn’t concern you, you don’t understand technology. Security is critical to our lives since tech impacts every single crevice of everyday life. Yet, security isn’t something that’s commonly written into product requirements!
So yes, the world we live in is infused with technological marvels that we couldn’t have dreamed of twenty years ago. But at the same time, we’re orders of magnitude less secure, and in some cases even less safe, as a result. If you’re reading this, odds are good you have a role to play in the security and safety of technology that’s deployed throughout our lives.
So you have a duty. All of you. Everyone out there. Think about what all these technological advancements mean – and how they can impact people’s lives. Think of how we can balance the drive for cool new things, with security and safety. Because everything today is more amazing than it’s ever been in history – but we’re much less safe and secure because of all the technology. And fixing that is your job.
Tomi Engdahl says:
Fighting Alert Fatigue With Security Orchestration, Automation and Response
https://www.securityweek.com/fighting-alert-fatigue-security-orchestration-automation-and-response
New research confirms and quantifies two known challenges for security operations teams: they don’t have enough staff and would benefit from automated tools.
Tomi Engdahl says:
Preventing the Other Kind of Hack Back
https://www.securityweek.com/preventing-other-kind-hack-back
There has been endless discussion among security professionals about the ethics, propriety, legality, and effectiveness of corporations “hacking back” against attackers. On the other hand, there is no hesitation on the part of attackers to hack back against threat intelligence researchers who are investigating them. Identification and retaliation are a constant risk for anyone probing the darkest back alleys of the internet.
There are two paths criminals use to attack investigators: they can try to compromise the investigator’s computer directly, or they can identify and attack the organization behind the investigation. Many techniques can protect against both paths.
What’s at Risk
Attacks on the organization are the more potentially damaging risk. By properly hiding your identity during your investigations, the target will not know who to attack. Attacks on your organization can manifest in many ways, including DDOS, phishing, and hacking.
Covering Your Tracks
As the Russian DNC hackers showed, it is not easy to maintain your anonymity. The first step is to ensure that your visible IP address is not associated with your organization. That means not only that it should not be a company IP, but that it can’t be a coffee shop in the building or any other address which could easily be connected with the organization. Because many protocols can leak identifying information, take care to ensure that all communications from your desktop go out through your chosen IP.
Hiding your Fingerprint
After hiding your IP, you need to take care of all the other ways an attacker can identify your computer. Your browser fingerprint, cookies, and super cookies can all quickly expose your organization. Conducting all of your investigations inside a clean virtual machine, used only for this purpose, can be very effective at protecting your identity. Even seemingly innocuous activities can expose you. Any personal browsing, searching, or social media use within the virtual machine can leak identifying information to a savvy opponent.
Carefully isolating the virtual machine from your real desktop can go a long way toward preventing damage from any direct counter-attacks while investigating. Any malware they sneak past your scanners will be destroyed when the virtual machine is rolled back. Restricting all network traffic to only flow over a VPN to your chosen exit point ensures that malware can’t scan your local network for vulnerable targets or identifying device names.
Tomi Engdahl says:
Make BGP great again, er, no, for the first time: NIST backs internet route security brainwave
It’s always a good idea to know who you’re talking to
https://www.theregister.co.uk/2018/09/06/nist_bgp_rpki/
A proposal for securing BGP – the protocol that lays out the traffic pathways of the internet – has another backer: NIST, aka America’s National Institute for Standards and Technology.
The US government agency has issued a discussion paper outlining the use of Route Origin Validation (ROV) to protect the notoriously all-too-trusting Border Gateway Protocol (BGP) from route hijacking.
BGP, in a nutshell, allows the patchwork of large networks that make up the global internet announce to each other how to thread everyone’s connections through mazes of machines crisscrossing the planet until they reach their intended destinations.
The ancient protocol was written with the “good chaps theory” as one of its fundamental assumptions – since network operators knew each other in 1989, “good chaps” would never sabotage each other’s networks, mistakes were genuine gaffes, and you could phone someone who blundered and rerouted packets to the wrong machines.
It’s a cinch to hijack and intercept traffic to a stranger’s network, by announcing your network as the best route to reach them and then consuming the packets for yourself. Amazon Web Services was attacked in such a way earlier this year, for example.
The NIST’s National Cybersecurity Center of Excellence, with a group of vendors, has forged that draft RPKI technology into what it this week called “proof-of-concept demonstrations” of BGP route origin verification.
Cisco, Juniper Networks, Palo Alto Networks, AT&T, CenturyLink, Comcast, and the George Washington University in the US helped NIST prepare the paperwork.
BGP ROV certainly needs a boost: in June, research discussed in this APNIC blog post said adoption of the security measures was “bleak.”
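Route Origin Validation as described in the article above, written out as an added Python example (not NIST's or any vendor's code): a small set of ROAs is checked against announcements and each one is classified valid, invalid or not-found following RFC 6811. The prefixes, ASNs and ROAs are constructed from documentation ranges and private AS numbers for the example.

```python
"""Route Origin Validation (RFC 6811) over a local set of ROAs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific of it down to `max_length` bits."""
    prefix: Network
    max_length: int
    origin_as: int


def make_roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, origin_as)


def validate_origin(roas: List[ROA], announced_prefix: str, origin_as: int) -> str:
    """Classify one announcement the way an RPKI-to-router cache lookup would.

    not-found: no ROA covers the prefix (the pre-RPKI situation)
    valid:     a covering ROA names this origin AS and the announced length
               does not exceed its maxLength
    invalid:   covered, but by no ROA that authorizes this origin/length
    """
    announced = ipaddress.ip_network(announced_prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == announced.version
                and announced.subnet_of(r.prefix)]
    if not covering:
        return NOT_FOUND
    if origin_as == 0:
        # AS 0 is reserved in ROAs to mean "nobody may originate this";
        # a real announcement never legitimately carries origin AS 0.
        return INVALID
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def filter_routes(roas: List[ROA], routes: List[Tuple[str, int]]
                  ) -> List[Tuple[Tuple[str, int], str]]:
    """Apply the usual ROV policy: drop invalid, accept valid and not-found.

    Returns the accepted announcements paired with their validation state so
    an operator can also count how much of the table still lacks ROAs.
    """
    accepted = []
    for prefix, origin in routes:
        state = validate_origin(roas, prefix, origin)
        if state != INVALID:
            accepted.append(((prefix, origin), state))
    return accepted


# Constructed sample data: documentation prefixes and private ASNs only.
SAMPLE_ROAS = [
    make_roa("203.0.113.0/24", 24, 64500),   # exact /24 only
    make_roa("2001:db8::/32", 48, 64500),    # /32 and sub-prefixes up to /48
]
SAMPLE_ROUTES = [
    ("203.0.113.0/24", 64500),   # legitimate announcement
    ("203.0.113.0/25", 64500),   # right AS, but more specific than maxLength
    ("203.0.113.0/24", 64511),   # another AS claiming the prefix
    ("198.51.100.0/24", 64500),  # no ROA at all
    ("2001:db8:1::/48", 64500),  # IPv6 sub-prefix within maxLength
]

if __name__ == "__main__":
    for prefix, origin in SAMPLE_ROUTES:
        print(f"{prefix:>18} AS{origin}: {validate_origin(SAMPLE_ROAS, prefix, origin)}")
    print("accepted:", [r for r, _ in filter_routes(SAMPLE_ROAS, SAMPLE_ROUTES)])
```

Note that a route with no covering ROA is still accepted; the “bleak” adoption figures in the APNIC post mean most of the table today falls into that not-found bucket, which is why ROV only protects prefixes whose holders have actually published ROAs.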
Tomi Engdahl says:
6 open source tools for making your own VPN
https://opensource.com/article/18/8/open-source-tools-vpn?sc_cid=7016000000127ECAAY
Want to try your hand at building your own VPN but aren’t sure where to start?
Tomi Engdahl says:
Cyber Insurance Market to Double by 2020, Says Munich Re
https://www.securityweek.com/cyber-insurance-market-double-2020-says-munich-re
The market for insurance against cyber threats will double by 2020 to over 8 billion dollars, German reinsurance giant Munich Re told a conference in Monaco on Sunday.
“Cyber risks are one of the biggest threats to the networked economy,” Munich Re board member Torsten Jeworrek said in a statement on the first day of an annual meeting of reinsurers in the Mediterranean principality.
Munich Re estimated that companies could more than double their spending on cyber insurance from $3.4-$4 billion (3-3.4 billion euros) in 2017 to $8-$9 billion by 2020.
While the digital economy had increased productivity, “increased networking of machines, and equipment in particular, can also give rise to very complex risks such as data theft, disruptions in the interaction between networked machines, and even the failure of entire production lines and supply chains,” Munich Re said, estimating the number of connected devices worldwide will rise from 27 billion to 125 billion by 2030.
Tomi Engdahl says:
Professionalizing Cybersecurity Practitioners
https://www.securityweek.com/professionalizing-cybersecurity-practitioners-0
The formation of a professional body to provide standards of excellence within cybersecurity practitioners has been mooted for many years. Now the UK government has proposed the development of an institution for “developing the cybersecurity profession, including through achieving Royal Chartered status by 2020.”
This is the professionalization of cybersecurity in everything but name. ‘Regulation’ is not mentioned in the proposal; but just as the General Medical Council regulates medical practitioners, so a potential UK National Cybersecurity Council might eventually regulate cybersecurity practitioners.
Tomi Engdahl says:
How Automation Helps Security Managers
https://www.securityweek.com/how-automation-helps-security-managers
It’s the nature of security operations: the worse the situation, the more you need everything to be working perfectly. Any issues with your program need to be figured out ahead of time, because in the heat of the moment, there isn’t any time to solve problems.
Implementing security automation and orchestration is often seen as a win for security analysts, because automating menial tasks frees them up for more interesting “human work”. But security managers and SOC leaders might have even more to gain. That’s because the right automation and orchestration tool offers more than just task automation—it facilitates process improvements and enables security operations that are more business-aligned and quantifiable in their results.
Replacing Manual Steps with Automated Workflows
As a manager, you want a SOC that runs smoothly, requires little oversight, but also doesn’t let any dangerous alerts slip through. For this to happen, you need consistent workflows in place for handling alerts and incidents. With manual processes, there is a great deal of room for human error and inconsistency, which can result in threats going unnoticed.
Prioritizing Threats Based on their Business Impact
For any security manager seeking to augment their security operations with automation, a common first step is to identify the assets they are protecting, including crown jewels such as valuable IP, the corporate website, operational IT, executives’ email accounts, admin user privileges, etc.
Using Trend Reporting to Show Progress
As a manager, even though you might not be on the front lines dealing with security incidents day-to-day, you need to be able to see everything that’s going on in your SOC.
Conclusion
Whether you’re a security manager, team leader, or CISO, you want your SOC to be efficient, effective, and dependable in a crisis. You need to be able to effectively prioritize threats and shut them down quickly using consistent workflows. You might not always be in the trenches working on incidents, so you need to find visibility through other means, such as trend reports, metrics, and analytics.
Tomi Engdahl says:
Finding the Middle Ground: Securing Smart Cities
https://www.securityweek.com/finding-middle-ground-securing-smart-cities
High-profile cyberattacks and data breaches have become somewhat of a norm. You’ve likely heard this before: it’s no longer a question of if an attack will happen but when. We expect ‘always on’ connectivity with access to business data and this means that the clear boundaries of the traditional security perimeter are fading fast; as this happens, the potential attack surface grows. Advanced smart infrastructure, cloud networks and the Internet of Things (IoT) add more points of entry and ultimately more risk for both network operators and end users.
This reality has sparked a rather polarized debate among government organizations and municipalities contemplating smart city technologies. Advocates are willing to throw caution to the wind to charge forward and implement these technologies, eager to harness the data and near real-time communications enabled by smart applications to positively impact their communities and citizens. On the other hand, skeptics are staving off adoption due to fears of destructive cyberattacks – and there’s no shortage of examples to justify their hesitancy.
Just recently, we saw the City of Atlanta crippled by a SamSam ransomware attack that lasted two weeks and cost nearly $3 million – a clear warning to municipalities using smart applications. Numerous attacks on smart cities fly under the public’s radar: local police departments hit by small ransomware attacks, fire department databases hacked and gas operators plagued by customer communications disruptions.
Tomi Engdahl says:
VLAN Hopping and Mitigation
https://www.alienvault.com/blogs/security-essentials/vlan-hopping-and-mitigation
A VLAN is used to share the physical network while creating virtual segmentations to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 devices. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as ‘VLAN Hopping’, an attacker is able to bypass these security implementations. Learn more about network segmentation and VLANs here.
VLAN Hopping
This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow for attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as ‘switched spoofing’, and ‘double tagging’. I will then discuss mitigation techniques.
Switched Spoofing VLAN Attack
An attacker acts as a switch in order to trick a legitimate switch into creating a trunking link between them.
Double Tagging
Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link.
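The double-tagging condition described above, as an added Python example that is not part of the AlienVault article: a small parser walks the 802.1Q tag stack of frames copied from a monitoring port and flags frames whose outer tag equals the trunk's native VLAN, which is the precondition the article names. The frame bytes, MAC addresses and native VLAN number are constructed for the example.

```python
"""Detection of double-tagged 802.1Q frames (added example, constructed data)."""
import struct
from typing import Dict, List, Tuple

# TPIDs that start an 802.1Q customer tag or an 802.1ad service tag (QinQ)
TPIDS = {0x8100, 0x88A8}


def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int, int]:
    """Walk the tag stack that follows the 12-byte destination/source MAC header.

    Returns (VLAN IDs from outer to inner, the final EtherType, payload offset).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return vids, ethertype, offset + 2
        # a tag needs a 2-byte TCI and must be followed by another EtherType
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        offset += 4


def classify_frame(frame: bytes, native_vlan: int) -> Dict[str, object]:
    """Describe the tag stack and whether it matches the double-tagging pattern.

    The hop the article describes only works when the outer tag equals the
    trunk's native VLAN: the first switch strips that tag and forwards the
    still-tagged inner frame onward. Seeing such frames arrive from an access
    port (which should send untagged or single-tagged frames) is the signal
    worth alerting on.
    """
    vids, ethertype, _ = parse_vlan_tags(frame)
    double_tagged = len(vids) >= 2
    return {
        "vids": vids,
        "ethertype": ethertype,
        "double_tagged": double_tagged,
        "hop_attempt": double_tagged and vids[0] == native_vlan,
    }


def build_frame(dst: bytes, src: bytes, vids: List[int],
                ethertype: int, payload: bytes) -> bytes:
    """Assemble a constructed Ethernet frame with zero or more 802.1Q tags."""
    out = dst + src
    for vid in vids:
        out += struct.pack("!HH", 0x8100, vid & 0x0FFF)  # PCP/DEI bits left 0
    return out + struct.pack("!H", ethertype) + payload


def scan(frames: Dict[str, bytes], native_vlan: int) -> List[str]:
    """Return the names of frames that look like a double-tagging attempt."""
    return [name for name, frame in frames.items()
            if classify_frame(frame, native_vlan)["hop_attempt"]]


# Constructed sample traffic: locally administered MACs, a 20-byte dummy IPv4
# payload, and a trunk whose native VLAN is left at the default of 1.
DST = bytes.fromhex("02aabbccdd01")
SRC = bytes.fromhex("02aabbccdd02")
PAYLOAD = bytes([0x45]) + bytes(19)
NATIVE_VLAN = 1
SAMPLE_FRAMES = {
    "untagged": build_frame(DST, SRC, [], 0x0800, PAYLOAD),
    "single_tag": build_frame(DST, SRC, [10], 0x0800, PAYLOAD),
    "double_native": build_frame(DST, SRC, [1, 20], 0x0800, PAYLOAD),
    "double_other": build_frame(DST, SRC, [5, 20], 0x0800, PAYLOAD),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify_frame(frame, NATIVE_VLAN))
    print("alerts:", scan(SAMPLE_FRAMES, NATIVE_VLAN))
    # Mitigation that removes the precondition: move the trunk's native VLAN
    # to an unused VID and never assign that VLAN to access ports.
```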
Tomi Engdahl says:
The rise of biometric readers and security
https://www.itproportal.com/features/the-rise-of-biometric-readers-and-security/
Your fingerprint cannot be reverse engineered to recreate your information and be used to access particular levels and areas of a company.
The biometrics industry is continuing to grow at a huge rate – particularly with the rise in sophisticated security breaches. The ever-pressing concern of security has seen a global movement towards the advantages of biometric access control systems. In particular, fingerprint scanners are a substantial boon for companies when it comes to office security, workforce management and restricted access. Biometric readers provide the much-needed reassurance for many companies. As such, ievo Ltd – leading specialists in biometric access control systems – are sharing their guide to biometrics.
Tomi Engdahl says:
The Vulnerability Disclosure Process: Still Broken
https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/
Despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits.
Despite huge progress in the vulnerability disclosure process, things remain broken when it comes to vendor-researcher relationships.
Case in point: Last year when Leigh-Anne Galloway (a cybersecurity resilience lead at Positive Technologies) found a gaping hole in the Myspace website, she reported it to Myspace owner Time Inc. But then days, weeks and then three months later – crickets.
The Myspace bug wasn’t small. It allowed a hacker to log in to any one of the 3.6 million Myspace active users’ accounts in a few easy steps. “It was a straightforward bug, and easy to execute and reproduce,” Galloway told Threatpost.
After giving up on Time Inc., Galloway weighed the public risk of the bug versus going public. Galloway decided to publish her research. “Within hours of my blog posting, the bug was fixed,” she said. Neither Time Inc. nor Myspace ever got back to her.
A year later, things haven’t improved much: Last month, Galloway found several bugs in mobile point-of-sale platforms. After privately disclosing the bugs to the vendors, they didn’t ignore her, but she was threatened with multiple lawsuits for reverse-engineering copyright-protected intellectual property.
“I can’t say personally I’m seeing a lot changing,” she said.
Tomi Engdahl says:
One Year Later, Over 2 Billion Devices Still Exposed to BlueBorne Attacks
https://www.securityweek.com/one-year-later-over-2-billion-devices-still-exposed-blueborne-attacks
One year after researchers disclosed the Bluetooth vulnerabilities dubbed BlueBorne, more than 2 billion devices are believed to still be vulnerable to attacks, either because their owners have failed to install patches or due to the fact that no patches are available.
The BlueBorne vulnerabilities were disclosed in September 2017 by Armis Labs, a company that specializes in protecting Internet of Things (IoT) devices. Its researchers found that nine Bluetooth implementation flaws affected mobile, desktop and IoT systems, including Android, iOS, Windows and Linux devices.
Armis later also revealed that Amazon Echo and Google Home devices were also vulnerable to these attacks.
Tomi Engdahl says:
The Risk of Triangulation: You May Just be a Piece of the Puzzle
https://www.securityweek.com/risk-triangulation-you-may-just-be-piece-puzzle
As the world’s ongoing conversion to the digital realm continues, the risks involved with protecting sensitive information will only intensify.
For security teams, this means expanding your view of risk and considering factors outside your company when evaluating potential motivations for a breach. Companies have to keep an eye on current events in ways that were never under IT’s purview in the past. And that means you have to bring in the right talent to do so.
Having that broader view is important because the different motivations behind today’s attacks mean they can seemingly come out of nowhere. How you look at the information itself is no longer the sole concern. Your organization and your data may just be a piece of the puzzle.
One of the more intriguing ways this is playing out is in the murky world of cyber espionage—and just about every national government is engaged somehow.
Tomi Engdahl says:
Is AI being over-hyped in the security industry?
By Pascal Geenens, 2018-09-11, Security
https://www.itproportal.com/features/is-ai-being-over-hyped-in-the-security-industry/
Artificial intelligence won’t be replacing trained cybersecurity specialists any time soon.
Will AI security completely take over from humans and provide a sci-fi like experience to defend against advanced cyber-attacks, or is it still some way behind and should we instead look at the advancements made in machine learning to boost our defences in the near future?
These questions and more have been a hot discussion point in the cyber security industry recently, with many commentators concluding that true AI security has been significantly over-hyped.
And in many ways, they are right.
Tomi Engdahl says:
Are colleges teaching real-world cyber security skills?
By Adi Shua, 2018-09-11T10:00:40Z, Business
https://www.itproportal.com/features/are-colleges-teaching-real-world-cyber-security-skills/
Cybersecurity is a fast-growing profession, and talented graduates are in very high demand.
The cybersecurity skill shortage is a well-recognised industry challenge, but the problem isn’t that there are too few people but rather that many of them lack suitable skills and experience. Cybersecurity is a fast-growing profession, and talented graduates are in very high demand. Cyber degree programs are rapidly opening up at colleges across the country, and students are racing to enrol, eager to join one of the most challenging and financially rewarding fields. Yet, there seems to be a growing chasm between what graduates learned in school and what the market demands.
Tomi Engdahl says:
Inspecting the Inspectors: How to Get the Most Out of Managed Security Solutions
https://securityintelligence.com/inspecting-the-inspectors-how-to-get-the-most-out-of-managed-security-solutions/
As demand grows for MSSPs, so do the number of vendors in the space looking to take advantage of a growing market opportunity. There are so many, in fact, that businesses frequently struggle to find the right vendor for precisely what they need.
Sure, you could make this decision by sending out a request for information (RFI) or request for proposal (RFP) and selecting the cheapest option or the best overall value on paper. More and more, I see this tactic replacing the effort and time it takes to select the right resource for both products and services. But the real problem with RFP-RFI is that your selection could be based on superior marketing rather than the specific capabilities your organization requires to streamline its use cases and goals.
Tomi Engdahl says:
There’s More to SOAR
https://www.securityweek.com/theres-more-soar
Orchestrating and Automating Interactions of Security Analysts Across Disparate Security Products Can Deliver a Significant Return on Investment
Ever since the industrial revolution, which began more than 200 years ago, automation has played a role in our world. Today automation is woven into the fabric of our daily lives – from paying bills to making coffee to controlling the temperature in our homes. The emphasis of automation has been to reduce the time humans spend on mundane tasks so that they can focus more time on higher-value activities.
There’s a place for automation in every industry, security included. As security professionals, we’ve talked about automation for decades yet, as I’ve discussed before, haven’t fully embraced it for a variety of reasons. However, over the last couple of the years we’ve started to see a shift. With the advent and expansion of Security Orchestration, Automation and Response (SOAR), automation now is starting to take hold.
Gartner is credited with having coined the term SOAR and has written extensively on the topic. Many security vendors are entering the SOAR market, and many are focused on automating playbooks for incident response (IR). There’s no arguing this is important – accelerating mean time to response (MTTR) is a top imperative for security teams in every organization. But SOAR is a term that can cover so much more.
Here are just three examples.
1. Detect threats faster.
2. Optimize scarce resources.
3. Achieve the impossible.
Through orchestration and automation, you can gather threat intelligence from the cloud, translate it into a usable format and create new blacklists. You can then reconfigure a firewall based on that latest threat intelligence to proactively strengthen security – all without human intervention.
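The feed-to-blacklist-to-firewall step described above, as an added example that is not part of the article or of any SOAR product: it normalises two constructed threat-intel feed formats (a STIX-like JSON document and a CSV export, both assumptions) into one blocklist and renders nftables rules, with the policy checks an unattended pipeline needs so a bad feed cannot block your own address space or the whole Internet. The table and chain names in the rendered rules are assumptions.

```python
# Added example (not from the SecurityWeek article or any SOAR product): one
# orchestration step that ingests constructed threat-intel records, normalises
# them into a blocklist of network indicators and renders firewall rules.
import csv
import io
import ipaddress
import json

# Constructed sample feeds (not real intelligence); they use documentation
# ranges plus one private address and one junk row to exercise the checks.
JSON_FEED = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'example.invalid']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '10.0.0.5']"},
]})
CSV_FEED = "indicator,confidence\n203.0.113.7,90\n192.0.2.55,40\nnot-an-ip,99\n"

# Local policy (assumed values): never let a feed block our own address space,
# drop low-confidence rows, and cap how broad a single prefix may be.
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
MIN_CONFIDENCE = 50
MAX_PREFIX_SIZE = 2 ** 16  # refuse anything larger than a /16


def parse_json_feed(text):
    """Extract ipv4-addr patterns from a STIX-like JSON document."""
    out = []
    for obj in json.loads(text).get("objects", []):
        pat = obj.get("pattern", "")
        if obj.get("type") == "indicator" and pat.startswith("[ipv4-addr:value = '"):
            out.append(pat.split("'")[1])
    return out


def parse_csv_feed(text, min_confidence=MIN_CONFIDENCE):
    """Keep CSV rows whose confidence score meets the local threshold."""
    return [row["indicator"] for row in csv.DictReader(io.StringIO(text))
            if int(row["confidence"]) >= min_confidence]


def build_blocklist(raw_indicators):
    """Validate, deduplicate and policy-check indicators.

    Returns (accepted networks sorted, list of (raw, reason) rejections) so the
    rejections can be logged or routed to an analyst instead of silently dropped.
    """
    accepted, rejected = set(), []
    for raw in raw_indicators:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            rejected.append((raw, "unparseable"))
            continue
        if net.num_addresses > MAX_PREFIX_SIZE:
            rejected.append((raw, "prefix too broad"))
        elif any(net.overlaps(p) for p in PROTECTED_NETS):
            rejected.append((raw, "overlaps protected range"))
        else:
            accepted.add(net)
    ordered = sorted(accepted, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, rejected


def render_nft_rules(blocklist, set_name="ti_block"):
    """Render nftables commands for an interval set and a drop rule.

    Assumes table 'inet filter' and chain 'input' already exist on the host.
    """
    elems = ", ".join(str(n) for n in blocklist)
    return [f"add set inet filter {set_name} {{ type ipv4_addr; flags interval; }}",
            f"add element inet filter {set_name} {{ {elems} }}",
            f"add rule inet filter input ip saddr @{set_name} drop"]


if __name__ == "__main__":
    blocklist, rejected = build_blocklist(parse_json_feed(JSON_FEED) + parse_csv_feed(CSV_FEED))
    print("\n".join(render_nft_rules(blocklist)))
    for raw, reason in rejected:
        print(f"rejected {raw!r}: {reason}")
```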
Tomi Engdahl says:
Secureworks Launches New Security Maturity Model
https://www.securityweek.com/secureworks-launches-new-security-maturity-model
Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to “research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment.”
Secureworks is offering a complimentary evaluation (an online process supported by a security expert) to help organizations benchmark their own security maturity. The model incorporates elements of well-known frameworks like National Institute of Standards and Technology (NIST) and ISO 27001/02 with insight from Secureworks’ global threat intelligence. It comprises four levels: guarded, informed, integrated and resilient.
http://images.go.secureworks.com/Web/SecureWorksInc/%7B7f5c416f-7e97-4a6a-9876-a18922ad2c74%7D_E-CO_1.1.61N_5_Critical_Steps_to_a_More_Mature_Security_Posture.pdf
Tomi Engdahl says:
Do Data Breaches Affect Stock Performance in the Long Run?
https://yro.slashdot.org/story/18/09/15/0522212/do-data-breaches-affect-stock-performance-in-the-long-run?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
A multi-year study on the stock price evolution for breached companies reveals that data breaches have a long-term impact on a company’s stock price, even if it’s somewhat minimal.
In total, the list included 28 companies, such as Apple, Adobe, Anthem, Community Health Systems, Dun & Bradstreet, eBay, Equifax, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo. “In the long term, breached companies underperformed the market,” the CompariTech team concluded in their report.
Study authors noted that the impact of data breaches likely diminished over time, but the damage was still visible in the stock’s NASDAQ performance indicator even after three years, in some cases.
Data breaches affect stock performance in the long run, study finds
https://www.zdnet.com/article/data-breaches-affect-stock-performance-in-the-long-run-study-finds/
Study finds that stocks from 28 companies that suffered large breaches had underperformed on the stock market
“After 1 year, share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%.”
Although other factors also weighed into how a stock performed, the fact that all of the analyzed breached companies had a poor performance cannot be ignored.
Experts say that companies usually suffered the worst hit, with stock prices hitting their lowest point 14 market days following a breach, when share prices fell 2.89% on average and underperformed the NASDAQ by -4.6%.
In most cases, share prices rebounded in line with NASDAQ performance indicators after one month and started performing even better than before the breach, but later started falling in the long run.
Tomi Engdahl says:
32 percent of data breaches lead to executive job loss
https://betanews.com/2018/09/14/data-breach-executive-job-loss/
In North America 32 percent of data breaches have resulted in a C-level manager, president or CEO losing their job, according to new research.
The study from Kaspersky Lab shows that 42 percent of businesses worldwide experienced at least one data breach in the last year. When a data breach occurs it not only results in a costly recovery burden, now put at $1.23 million on average, but it can also impact the company’s reputation, customer privacy, and even severely impact employees’ careers.
“While a data breach is devastating to a business as a whole, it can also have a very personal impact on people’s lives — whether they are customers or failed employees — so this is a reminder that cybersecurity has real-life implications and is in fact everyone’s concern,”
Businesses and personal data: In-depth analysis of practices and risks
https://www.kaspersky.com/blog/data-protection-report/23824/
Tomi Engdahl says:
Cyber-attacks targeting EU manufacturing giants
https://www.itproportal.com/news/cyber-attacks-targeting-eu-manufacturing-giants/
By Anthony Spadafora, 2018-09-14T15:14:43Z, Security
Two thirds of German manufacturers have fallen victim to a cyberattack.
A new survey published by the German IT sector association Bitkom has revealed that two thirds of the country’s manufacturers have fallen victim to a cyberattack costing Europe’s largest economy around $50bn.
Bitkom surveyed 503 of the top managers and security chiefs across Germany’s manufacturing sector to discover that the SMBs that form the backbone of the country’s economy are particularly vulnerable to cyberattacks.
Bitkom’s survey identified a number of risks across the industry with a third of the companies surveyed reporting their employees’ mobile phones had been stolen and a quarter saying they had lost sensitive data.
The survey also found that cybercriminals had employed other techniques to disrupt German manufacturing. Of those surveyed, 19 per cent said their IT and production systems had been sabotaged digitally while 11 per cent reported that their communications had been tapped.
Tomi Engdahl says:
New Bill Aims to Address Cybersecurity Workforce Shortage
https://www.securityweek.com/new-bill-aims-address-cybersecurity-workforce-shortage
A bill introduced last week by U.S. Rep. Jacky Rosen (D-Nev.) aims to address the cybersecurity workforce shortage through a grant for apprenticeship programs.
The new bill, called the Cyber Ready Workforce Act, is inspired by Nevada’s recently introduced cybersecurity apprenticeship program. This new piece of legislation would help establish a program within the Department of Labor for awarding grants, on a competitive basis, to workforce intermediaries.
The goal is to create, implement and expand cybersecurity apprenticeship programs. Apprentices will benefit from support services that include career counseling, mentorship, and assistance with housing, transportation and child care costs.
“The demand for talent in cybersecurity is sky-high, and we’re putting ourselves at risk if we don’t address this shortage in our workforce,”
Tomi Engdahl says:
The Art of (Cyber) War: How Adversarial Thinking Strengthens Cybersecurity
https://www.securityweek.com/art-cyber-war-how-adversarial-thinking-strengthens-cybersecurity
Cybersecurity is unique compared to most other business operations, even most IT operations. Unlike marketing or network management—both of which tackle difficult and ever-changing challenges in the business operating environment—cybersecurity pits defenders against intelligent, creative and deliberate opponents.
Hackers are aware that they are actively hunted and thwarted at every step between target scoping and data breach. That means they are applying the full brunt of their ingenuity and technical expertise to avoid cybersecurity defenses as they pursue their goal.
Even though this struggle takes place in cyberspace, the lessons from real battlegrounds retain their relevance and significance. In the ancient military strategy text, Art of War, Sun Tzu makes the point “If you know the enemy and know yourself, you need not fear the results of a hundred battles.”
Cybersecurity teams need to adopt an adversarial mindset that allows them to tackle the unique challenges of the cyberspace. This involves clearly understanding what their enemies are capable of and preparing an appropriate response.
Tomi Engdahl says:
Expectations for CISOs Have Changed
https://www.securityweek.com/expectations-cisos-have-changed
There was a time once when CISOs could dazzle or dominate every conversation with the board or senior management – they were the high priests of a technology that no one outside the cubicles of the IT group could understand. The inside joke was that all it took was FUD – Fear, Uncertainty and Doubt – to win budget. A heat map with some angry red zones was a good visual aid.
Enter the Standards Compliance era – CISOs had industry-accepted, and even government-approved standards like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), to justify spend toward a goal of “maturity” — filling out your compliance checklist. More recently, vendors have begun offering CISOs security “scorecards” that count maturity ratings, vulnerabilities, threat issues, patching history, and other indicators to spin up a numerical security rating.
CISOs and the Quest for Cybersecurity Metrics Fit for Business
https://www.securityweek.com/cisos-and-quest-cybersecurity-metrics-fit-business
Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits has made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business priorities.
A recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren’t listening.
The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.
Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is this isn’t always happening.
Demolishing the Tower of Babel
“While some Board members may be aware of what firewalls are,” comments John Masserini: CISO at Millicom Telecommunications, “the vast majority have no understanding what IDS/IPS, SIEMs, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.”
CISOs, on the other hand, understand risk but do not necessarily understand which parts of the business are at most risk at any time. Similarly, business leaders do not understand how changing cybersecurity threats impact specific business risks.
The initial onus is on the security lead to better understand the business side of the organization to be able to deliver meaningful risk management metrics that business leaders understand.
Tomi Engdahl says:
Know Your Enemy: The Art and Science of Cyberthreat Hunting
https://securityintelligence.com/know-your-enemy-the-art-and-science-of-cyberthreat-hunting/
One attendee at a recent workshop even stated: “My bank isn’t a target for a cyberattack because our country isn’t seen as a major globalized economy.”
The reality, however, is that your organization is always a target. Whether you’re a target of choice or a target of opportunity, it’s not a matter of if you’ll be attacked, but when. There’s even a possibility that attackers are already dwelling within your network and have been for some time.
Tomi Engdahl says:
The future of security lies in quantum computing
https://www.pandasecurity.com/mediacenter/security/security-quantum-computing/
“Quantum” is a word that stirs in its wake a litany of questions. No one can deny that the future of computing is to be found in the unique features of quantum mechanics, the branch of physics that studies nature at an infinitely small scale. However, it seems hard to grasp how it could be that the sector that has most to gain from quantum computing is, in fact, the security sector.
Tomi Engdahl says:
The Death of Symantec’s Digital Certificate Business
https://hackercombat.com/the-death-of-symantecs-digital-certificate-business/
Certificate authentication is a serious business; a certificate authority is the business entity that keeps the trust-based digital certificate system secure, the very foundation of the encryption standard on the web we have today. One wrong move and the certificate authority loses the business and exits the digital certificate market, no exemptions. Following the demise of what used to be a popular certificate authority, DigiNotar, in Sep 2011, Symantec is exiting the TLS certificate business due to its exposed shady practices.
Symantec sells digital certificates under the brands Symantec, RapidSSL, Geotrust and Thawte. Its business establishment will be defunct in favor of the highly trusted certificate authority Digicert. The pressure comes from the top two browsers, Google Chrome and Mozilla Firefox: starting October 2018, all digital certificates issued under the brands Symantec, RapidSSL, Geotrust and Thawte will be denied by the two browsers mentioned.
Tomi Engdahl says:
Building an Integrated IT/OT Security Program: Notes From the Field
https://www.securityweek.com/building-integrated-itot-security-program-notes-field
Tomi Engdahl says:
Hidden in Plain Sight: File System Protection With Cyber Deception
https://securityintelligence.com/hidden-in-plain-sight-file-system-protection-with-cyber-deception/
This article is the first in a three-part series that will provide a technical overview of Decoy File System (DcyFS). This original research was recently showcased in a paper titled “Hidden in Plain Sight: Filesystem View for Data Integrity and Deception,” which appeared at the 15th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) in Paris in June 2018.
Reconciling Trust With Security: A Closer Look at Cyber Deception With DcyFS
https://securityintelligence.com/reconciling-trust-with-security-a-closer-look-at-cyber-deception-with-dcyfs/
Tomi Engdahl says:
Patching Not Enough; Organizations Must Adopt Zero-Trust Practices: Report
https://www.securityweek.com/patching-not-enough-organizations-must-adopt-zero-trust-practices-report
Hackers Can Gain Network Access Via Social Engineering and Wait for New Zero-Day Exploits to Elevate Their Privilege
At Black Hat 2017, privileged access firm Thycotic surveyed 250 hackers to find out what was easy and what was hard about hacking into networks. At this year’s Black Hat, it conducted a similar survey (PDF) among 300 people that consider themselves hackers.
“This year,” Thycotic’s chief security scientist Joseph Carson told SecurityWeek, “we also wanted to better understand the types of hacker that exist, and their motives for doing what they do.”
The respondents self-identified as three groups that could traditionally be described as white hat (70%), grey hat (30%) and black hat (5%). The white hats describe themselves as ‘ethical’ hackers — they use their skills and knowledge for good purposes. “There’s another category — which is also ethical — but where they admit to crossing the line,” said Carson. “Their motivation is still to benefit the community; but they admit that some of their practices may actually be illegal.”
These tend to be independent researchers, and their work is often unrecognized, because, said Carson, “they tend to report their findings through anonymous channels.”
And then there are the black hats — those who hack for illegal purposes and for personal gain. Only 5% of the respondents admitted to this; but none of them are likely to be full-time criminals. Law enforcement agencies always monitor Black Hat; and ‘unemployed’ attendees are of particular interest.
Tomi Engdahl says:
Privacy Protection Means Encryption at the Application Layer
https://www.securityweek.com/privacy-protection-means-encryption-application-layer
Comprehensive Data Security Measures Should Include a Formal Process for Application Security and Vulnerability Assessment
Encryption is a popular topic with recent regulatory emphasis on “pseudonymisation and encryption of personal data” (Article 32(1)(a) of the General Data Protection Regulation). The requirement to notify affected customers within 72 hours of a data breach is waived for encrypted data, because no personally identifiable information has technically been exposed if the attacker can’t use it. While GDPR doesn’t require encryption, there are four mentions of encryption in GDPR that provide real incentives for organizations to use encryption.
The new California Consumer Privacy Act, scheduled to take effect January 1, 2020, states in § 1798.150(a), that any consumer whose non-encrypted or non-redacted personal information is stolen or disclosed as a result of a business’ lack of reasonable security measures, may sue that business for up to $750 each. A single data breach could result in a class-action lawsuit with penalties in the millions, if a sizable database of consumers and their personal information are exposed.
There is a temptation, therefore, to encrypt every bit of data of personally identifiable information that exists in your environment. That’s important, but a recent 2018 application security research report (PDF) indicates that it isn’t enough. Before implementing encryption to meet these and future regulations, make sure you understand what you’re encrypting.
2018 Application Security Research Update
https://www.microfocus.com/media/report/application_security_research_update_report.pdf
Tomi Engdahl says:
Mitigate Risk From Malicious and Accidental Insiders
https://www.securityweek.com/mitigate-risk-malicious-and-accidental-insiders
When we hear the term “insider trading” most people think of the illegal practice of trading a public company’s stock based on material, non‐public information. The image of Michael Milken, Ivan Boesky or Martha Stewart may come to mind. Yet there’s a second face to insider trading: insiders that sell valuable data or privileged access via online forums and marketplaces to cybercriminals.
Forrester recently published a research report on malicious insiders, Defend Your Data As Insiders Monetize their Access. I’ve also discussed how financial industry insiders and cybercriminals trade in high‐value data or credentials on the dark web and on criminal sites on the open web. In these forums, individuals may ask about the best places to sell insider information or claim to be selling insider access. Meanwhile cybercriminals shop for data or use these venues to attempt to recruit insiders.
Tomi Engdahl says:
https://www.htbridge.com/blog/murder-of-cybersecurity-by-legacy-applications.html
Tomi Engdahl says:
To prevent EHR breaches, stop using them (Q&A)
https://www.the-parallax.com/2018/09/20/stop-ehr-breaches-twila-brase-qa/
The idea behind electronic health records seems sound: Bring a patient’s paper chart into the Digital Age. But the reality, says Twila Brase, a public-health nurse who is also the president and co-founder of the patient advocacy group Citizens’ Council for Health Freedom, is that EHRs are a disaster for patients and doctors alike—and in more ways than we might suspect.
Brase and her Citizens Council for Health Freedom organization concluded that EHRs are causing a data deluge that’s swamping doctors, and leaving patient choice high and dry.
EHRs reduce the ability of doctors to make decisions that they feel are best for the well-being of their patients while decreasing patient privacy, Brase says.
A 2016 Mayo Clinic study found that EHRs are a major factor in physician burnout rates,
While more commonly discussed dilemmas, such as how best to patch connected devices, and stopping ransomware attacks, form the foundation of some of the hardest problems to solve at the intersection of cybersecurity and medicine, the immense value to hackers of medical records—and the lack of flexibility hospitals and doctors have in dealing with them—can’t be ignored, either.
Medical records, replete with personal data such as home addresses, phone numbers, financial information, and Social Security numbers, are among the most expensive records for sale on the Dark Web.
I consider today’s EHRs part of a surveillance system inside the exam room that has made doctors into data clerks. They’re helping create a comprehensive dossier on individuals.