What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:
First I present a new information security term: Virtual Security = manufacturers claim that their products are secure, but in reality they are not.
With new APT groups and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non-trivial. Next-generation dark markets are making cybercrime easier than ever before.
Gartner expects the security market to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed 2018 in excess of $114 billion, marking a 12.4% increase from 2017.
A New Year’s Resolution: Security is Broken…Let’s Fix It. Three strategies show real promise for defending against tomorrow’s threats: deploy deception, leverage threat intelligence, and think proactively. Plan now for emerging threats. Defending against them will require two things: the first is understanding the economic drivers of the criminal community, and the second is adopting strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.
Many organizations have learned that it’s no longer a matter of if you’ll face a cyberattack, but when – and when they will finally find out that the hack has happened. For example, Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense, one that applies to both corporations and consumers: assume you are compromised.
In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. To counter this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. It is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps…why aren’t you?
Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers actively scan those systems for vulnerabilities in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late. Measure how good your security is. Data protection tools have been developed to measure the maturity of an organization’s data protection.
CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?
How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in the digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof social media profiles of your company or brands. Cyber criminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now more important than lurking in the shadows.
Today, cybersecurity is moving beyond the financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft’s boss thinks that cyber war cannot be won. High impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for various cyber attacks in different sectors vary greatly. Energy and finance are the most advanced. We should all keep in mind two things: the proliferation of cyberweapons is already happening, and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security.” It also seems that authoritarian forces are trying to claw back control and even re-purposing the web in ways that undermine democracy.
It would be good for a company to be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires the company to be able to detect the attack itself. A large coordinated attack could target our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.
We need to build cyber resilience into our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” said Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”
Did you remember to test the security? Every development team should know how to code securely and how to test security. This kind of basic information security hygiene creates the basis for genuinely sound applications. The basic things for a tester to cover in terms of data security are user identification and access control, stability, encryption, firewalls, intrusion detection and anonymization of information. All of these can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.
You will see many big data breaches also in 2019. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches; check, for example, the list of Biggest cyber security breaches 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been so much activity that it would considerably change the situation for the better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25, 2018.
How much are the first fines for GDPR infringement? It remains to be seen in 2019 as sanctions on big 2018 leaks start to appear. Infringement of the GDPR regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly been relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.
IoT malware and email hacks are on the rise again. Blackmail demands will unfortunately continue in 2019 and will become more innovative. In 2018 we first saw blackmail extortion emails claiming to have caught you watching porn, with the sender claiming to have infected your computer by hacking your account or placing malware. All sorts of variants exist. There was also a Spammed Bomb Threat Hoax that demands Bitcoin. Then there has been a New Extortion Email that Threatens to Send a Hitman Unless You Pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.
The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increases, the threat is constantly growing. According to a Nokia report, IoT botnet operations accounted for 78 percent of malware detection events in communications service provider (CSP) networks in 2018.
Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks: Constrained Application Protocol (CoAP) is about to become one of the most abused protocols in terms of DDoS attacks. That is because most of today’s CoAP implementations forgo the hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.
The Mirai botnet has been active since 2016, and several followers of it are still active. Mirai malware has a strong record of infecting poorly managed IoT devices and performing DDoS attacks on various platforms, and you will not get rid of its new variations in 2019. The latest example is Miori: With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Like Mirai, Miori takes advantage of Internet-connected devices, compromises them by exploiting various vulnerabilities, and constantly evolves to target smart devices. Miori is just one of the many Mirai offshoots; there is another very similar variant called Shinoa.
Regulating cyber security features on networked devices seems to be on the rise. Germany proposes router security guidelines: it would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means fewer generic default credentials for a hacker to guess. In Finland, a security label created by FICORA’s Cybersecurity Center promises to make it easy for consumers to identify sufficiently secure devices in 2019.
Ransomware attacks will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer during 2018. There are a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.
The DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down DNS, and the landscape is growing more problematic. Hopefully it will get more robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” is that all domains hosted on these poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take time to address this issue BEFORE February 1st, 2019.
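The workarounds being removed on DNS Flag Day are the ones recursive resolvers used for authoritative servers that never answer a query carrying an EDNS0 OPT record. The following is an added example, not code from the original post or from any DNS vendor: it builds such an EDNS query from raw bytes, parses an answer to see whether the OPT record came back, and classifies the three behaviours that matter. The on-the-wire samples it checks are constructed in the block (function make_sample_response), so it runs without network access; sending build_edns_query() to a real server over UDP port 53 is left to the reader.

```python
import random
import struct
from typing import Optional

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
EDNS_UDP_SIZE = 1232   # fragmentation-safe UDP payload size to advertise


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _opt_record() -> bytes:
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, 0)


def build_edns_query(name: str, qtype: int = 6, txid: Optional[int] = None) -> bytes:
    """DNS query (default QTYPE 6 = SOA) with an EDNS0 OPT record in the additional section."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + _opt_record()


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def response_has_opt(resp: bytes) -> bool:
    """True if any RR in the answer/authority/additional sections is an OPT record."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == OPT_TYPE:
            return True
        off += 10 + rdlen
    return False


def classify_edns_behaviour(resp: Optional[bytes]) -> str:
    """Classify how an authoritative server reacted to an EDNS query (None = no reply at all)."""
    if resp is None:
        return "timeout"           # the case Flag Day stops working around: resolution fails
    rcode = struct.unpack("!H", resp[2:4])[0] & 0x0F
    if response_has_opt(resp):
        return "ok"                # EDNS supported, OPT echoed back
    if rcode == 1:
        return "formerr-no-edns"   # pre-EDNS server answering FORMERR: allowed by RFC 6891
    return "noerror-no-opt"        # answered but silently dropped the OPT: non-compliant


def make_sample_response(query: bytes, rcode: int, include_opt: bool) -> bytes:
    """Constructed sample answer (not captured from a real server) for exercising the classifier."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:-11]  # everything between the header and the 11-byte OPT record
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 1 if include_opt else 0)
    return header + question + (_opt_record() if include_opt else b"")


if __name__ == "__main__":
    q = build_edns_query("example.com", txid=0x1234)
    for label, resp in [("modern server", make_sample_response(q, 0, True)),
                        ("pre-EDNS server", make_sample_response(q, 1, False)),
                        ("OPT-dropping server", make_sample_response(q, 0, False)),
                        ("firewall eats EDNS", None)]:
        print(f"{label:22s} -> {classify_edns_behaviour(resp)}")
```

In practice the "timeout" class is most often not the name server software at all but a firewall or load balancer in front of it that drops packets containing an OPT record; check both before Flag Day.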
TLS 1.3 was published in August 2018, over eight years after the last major encryption protocol update. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever. With the OpenSSL 1.1.1 library, many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently from TLSv1.2, though, there are a few caveats that may impact a minority of applications. Add this to the list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.
Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended. PHP 5 is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because the new PHP 7 is not fully compatible with the old PHP 5, many sites also need updates to their PHP code. If you can’t for some reason update the PHP version, special attention should be paid to the security of the server and its environment.
Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but are you using them securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing more on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.
The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked about in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and products: expert systems, machine learning, deep learning, and artificial intelligence are all represented in the whole, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems Artificial Intelligence in Cybersecurity is Not Delivering on its Promise, at least not yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Also, cyber-criminals are starting to use AI to make better attacks.
Machine learning can reduce the usefulness of CAPTCHA. A machine learning model breaks CAPTCHA systems on 33 highly visited websites very quickly.
Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and WannaCry affected several companies around the world. OlympicDestroyer affected the Olympic Games organization.
Old destructive attacks can persist for a long time. WannaCry is not dead when 2019 starts. Eighteen months after the initial outbreak of the WannaCry ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activated so the ransomware component does not run, but the infection continues to run silently in the background, routinely connecting to the kill switch domain to check if it is still live.
Spectre and Meltdown vulnerabilities, which were found in 2017 and became public at the beginning of 2018, will continue. I have been following this saga since I reported it first in Finland at the Uusiteknologia.fi on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixes, but there have been numerous new vulnerability variations reported over the year on the same theme, the latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found on modern processors.
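Because a dormant WannaCry host keeps resolving the kill switch domain, a resolver log is a cheap place to find machines that are still infected but have never shown ransomware symptoms. The following is an added example, not code from the original post: it groups kill-switch lookups per client and reports hosts that query repeatedly, together with the median interval between queries, so a single lookup by a scanner or curious analyst is not confused with a beaconing infection. The log format and the sample lines are constructed, and KILL_SWITCH_DOMAINS holds a placeholder because the post does not name the real domain; substitute the indicators from your own threat-intel feed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List, Optional

# PLACEHOLDER: the sinkholed kill-switch domain is not named on the page.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed resolver log format: "<ISO timestamp> <client ip> query <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>\S+)$"
)

# Constructed sample log: 10.0.0.5 beacons every 15 minutes, 10.0.0.7 looks it up once.
SAMPLE_LOG = """\
2019-01-02T10:00:00 10.0.0.5 query killswitch-placeholder.example.
2019-01-02T10:00:05 10.0.0.9 query www.example.com.
2019-01-02T10:15:00 10.0.0.5 query killswitch-placeholder.example.
2019-01-02T10:30:00 10.0.0.5 query killswitch-placeholder.example.
2019-01-02T11:00:00 10.0.0.7 query killswitch-placeholder.example.
2019-01-02T11:02:00 10.0.0.7 query mail.example.com.
"""


def find_killswitch_beacons(lines: Iterable[str],
                            domains=KILL_SWITCH_DOMAINS,
                            min_queries: int = 2) -> Dict[str, dict]:
    """Return {client_ip: summary} for clients that looked up a kill-switch domain
    at least `min_queries` times; summary carries count and median gap in seconds."""
    seen: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the whole hunt
        qname = m.group("qname").rstrip(".").lower()
        if qname in domains:
            seen[m.group("src")].append(datetime.fromisoformat(m.group("ts")))

    report: Dict[str, dict] = {}
    for src, stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gap: Optional[float] = median(gaps) if gaps else None
        report[src] = {
            "count": len(stamps),
            "median_interval_s": gap,
            "first": stamps[0].isoformat(),
            "last": stamps[-1].isoformat(),
        }
    return report


if __name__ == "__main__":
    for host, info in find_killswitch_beacons(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

A host that shows up here should be isolated and re-imaged even though nothing was encrypted: the worm component is still running and still able to spread to unpatched neighbours.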
USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because USB drives can cause serious disruption to process facilities through unsecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.
The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier against cyberattacks, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Also air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.
There are still major problems with cyber security in industrial systems. Major problems in industrial cyber security are inadequate software updates, the resulting non-upgraded systems, and common user ids for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.
Perimeter-less security is hot in 2019. You can’t build well-defined perimeters around all of your systems anymore. Welcome to a World of Zero Trust. The Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.
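To make the six elements concrete, here is an added example of a privileged-access decision function that walks through them in order; it is not code from the original post or from any Zero Trust product. The identity, context and role-grant structures are hypothetical, and the risk score is assumed to come from some external risk engine. The point it shows is that no single check grants access: an MFA-verified admin on a managed device still only gets the exact (target, action) a role grants, only through the admin environment, only below a risk threshold, and every decision, allow or deny, is written to the audit trail.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Identity:
    user: str
    mfa_verified: bool       # "Verify Who": password alone is never enough for privilege
    roles: Set[str]


@dataclass
class Context:
    device_managed: bool     # "Contextualize": posture of the device making the request
    via_admin_bastion: bool  # "Secure Admin Environment": came through the hardened jump path
    risk_score: int          # 0-100, assumed to come from a hypothetical risk engine


@dataclass
class PrivilegedRequest:
    target: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    granted_scope: Optional[Tuple[str, str]] = None  # exactly what was granted, nothing wider


# Hypothetical role -> (target, action) grants. Note there is no "admin on everything" role.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "db-reader": {("db-prod", "read")},
    "db-admin": {("db-prod", "read"), ("db-prod", "restart")},
}

RISK_STEP_UP_THRESHOLD = 70
AUDIT_LOG: List[dict] = []


def _decide(identity: Identity, request: PrivilegedRequest, context: Context) -> Decision:
    wanted = (request.target, request.action)
    if not identity.mfa_verified:                       # 1. Verify Who
        return Decision(False, "identity not MFA-verified")
    if not context.device_managed:                      # 2. Contextualize the request
        return Decision(False, "request from unmanaged device")
    if not context.via_admin_bastion:                   # 3. Secure admin environment
        return Decision(False, "privileged access must go through the admin bastion")
    if not any(wanted in ROLE_GRANTS.get(r, set()) for r in identity.roles):
        return Decision(False, f"no role of {identity.user} grants {wanted}")  # 4. Least privilege
    if context.risk_score >= RISK_STEP_UP_THRESHOLD:    # 6. Adaptive controls
        return Decision(False, f"risk {context.risk_score} too high: step-up authentication required")
    return Decision(True, "granted", granted_scope=wanted)


def evaluate(identity: Identity, request: PrivilegedRequest, context: Context,
             audit: Optional[List[dict]] = None) -> Decision:
    """Evaluate a privileged request and record it. Every call is audited (5. Audit Everything)."""
    decision = _decide(identity, request, context)
    (AUDIT_LOG if audit is None else audit).append({
        "user": identity.user, "target": request.target, "action": request.action,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    alice = Identity("alice", mfa_verified=True, roles={"db-admin"})
    ok_ctx = Context(device_managed=True, via_admin_bastion=True, risk_score=10)
    print(evaluate(alice, PrivilegedRequest("db-prod", "restart"), ok_ctx))
    print(evaluate(alice, PrivilegedRequest("db-prod", "drop"), ok_ctx))
    print(AUDIT_LOG)
```

The order of the checks matters less than the fact that each one is independent: a later check cannot be satisfied by an earlier one, which is what distinguishes this from a perimeter model where being "inside" implied everything else.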
Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.
Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.
Good database security planning is essential for protecting a company’s most important assets, because if attackers can shut companies out of their own data, it can quickly cripple an organization. Leaked data can also become costly, with the costs of the data leak itself, regulatory costs (including GDPR fines) and bad reputation that can affect revenue for a long time.
Right at the end of 2018 there were reports on SQLite vulnerabilities. Magellan is a set of vulnerabilities in SQLite that were able to achieve remote code execution in Chromium browsers (already fixed). These vulnerabilities can have a wide range of influence in 2019 because SQLite is widely used in all modern mainstream operating systems and software. There is potential that a Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports of attacks against many different systems and of system users failing to secure their systems.
DevSecOps is having a positive impact on security, but the state of security still has a long way to go as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET applications contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still be riddled with security vulnerabilities.
Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information as well as potentially damaging the reputation of your business. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.
4 mobile security threats that companies must fight in 2019: cryptojacking, data breaches, insecure networks and social engineering attacks. Also, mobile spear phishing campaigns will form the cornerstone for targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite 5G hype. I don’t expect the assault on mobile to slow down, as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.
Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation, and hardware-backed security. There are also new protections for the Application Sandbox.
Ultrasonic Tracking Beacons are on the Rise. A beacon is an inaudible sound with encoded data that a listening device with a suitable application can receive; the information carried could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.
PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign was spotted in the well-known Emotet banking Trojan, which makes use of freeware system tools for an obscure purpose.
Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allows users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for this new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.
It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.
Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security Threats. But do we understand the 5G security threats to come? Most probably not, because it seems that the general understanding of 5G is pretty shallow in very many organizations. Many countries are not comfortable with the Chinese building their 5G networks.
Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is a potential risk that Surveillance Inhibits Freedom of Expression.
Old outdated encryption technologies refuse to die. MD5 and SHA-1 were still used in 2018 and their use does not seem to end in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.
Law is trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep the Internet safe.
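The most common place MD5 and SHA-1 refuse to die is stored password verifiers, where a single unsalted digest is the worst case. The following is an added example, not code from the original post: a verify-and-upgrade routine that still accepts an old "md5$..." or "sha1$..." record exactly once, on the next successful login, and immediately replaces it with a salted PBKDF2-HMAC-SHA256 record, plus an audit helper to count how many weak records remain. The record formats (algorithm prefix, '$'-separated fields) are constructed for the example; real systems should use whatever their framework's password hasher produces, the point is the migration pattern, not the encoding.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 200_000
WEAK_ALGORITHMS = {"md5", "sha1"}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def legacy_hash(algorithm: str, password: str) -> str:
    """Constructed legacy record: '<algo>$<hex digest>', unsalted, as old code often stored it."""
    if algorithm not in WEAK_ALGORITHMS:
        raise ValueError("legacy_hash only models the weak formats being migrated away")
    return f"{algorithm}${hashlib.new(algorithm, password.encode('utf-8')).hexdigest()}"


def pbkdf2_record(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Modern record: 'pbkdf2_sha256$<iterations>$<b64 salt>$<b64 derived key>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def is_weak(record: str) -> bool:
    return record.split("$", 1)[0] in WEAK_ALGORITHMS


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Check `password` against `record`. Returns (ok, record_to_store): on a successful
    login against a weak record the returned record is a fresh PBKDF2 one, so the caller
    overwrites the weak digest and it never has to be accepted again."""
    algo, rest = record.split("$", 1)
    if algo in WEAK_ALGORITHMS:
        ok = hmac.compare_digest(legacy_hash(algo, password), record)
        return ok, (pbkdf2_record(password) if ok else record)
    if algo == "pbkdf2_sha256":
        iterations, salt_b64, dk_b64 = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64)), record
    raise ValueError(f"unknown password record format: {algo}")


def weak_accounts(records: Dict[str, str]) -> List[str]:
    """Audit helper: which users still have a record that must be migrated."""
    return sorted(user for user, rec in records.items() if is_weak(rec))


if __name__ == "__main__":
    # Constructed user table with one legacy record and one already-migrated record.
    users = {"legacy_user": legacy_hash("md5", "correct horse"),
             "new_user": pbkdf2_record("battery staple")}
    print("to migrate:", weak_accounts(users))
    ok, users["legacy_user"] = verify_and_upgrade(users["legacy_user"], "correct horse")
    print("login ok:", ok, "| to migrate now:", weak_accounts(users))
```

Accounts that never log in keep their weak record forever, so the audit helper exists to drive a deadline: after it, remaining weak records are invalidated and those users go through password reset.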
The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.
The use of bug bounty programs to find security vulnerabilities in software and services is increasing. In January, the EU starts running Bug Bounties on Free and Open Source Software, where the European Commission will start offering bug bounties on 14 Free Software projects like Notepad++ and VLC that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program.
You might need a password manager in 2019 more than you need it now. If you thought passwords would soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember and sometimes easily hackable. Nobody likes passwords, but they’re a fact of life. How do you make them better? You need a password manager. Some examples of proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.
You might also need two-factor authentication, which can save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts, and it usually (when implemented well) only adds a few extra seconds to your day.
Two factor authentication has been considered best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
Two factor authentication can be hacked. Phishing Attempts That Bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write-up about phishing attacks that are bypassing 2FA. If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account, as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to a more robust method.
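What makes the "more robust method" robust is origin binding: a code typed into a login form carries no information about which site asked for it, whereas a FIDO2/WebAuthn assertion is a signature over the challenge together with the origin the browser actually showed the user, and the relying party rejects any assertion whose origin is not its own. The following is an added example, not code from the original post or from any FIDO library: a toy authenticator and relying party that model that check. The signature is an HMAC stand-in for the real public-key signature (so the RP here holds the same secret, which a real RP never would), and all names, origins and message fields are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Dict, Tuple


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


@dataclass
class Credential:
    credential_id: bytes
    rp_id: str
    secret: bytes  # toy stand-in for the authenticator's per-credential private key


class Authenticator:
    """Toy authenticator: its assertion covers the challenge AND the origin the browser reports."""

    def __init__(self) -> None:
        self.credentials: Dict[str, Credential] = {}

    def register(self, rp_id: str) -> Credential:
        cred = Credential(os.urandom(16), rp_id, os.urandom(32))
        self.credentials[rp_id] = cred
        return cred

    def get_assertion(self, rp_id: str, challenge: str, browser_origin: str) -> dict:
        cred = self.credentials[rp_id]
        # clientData is what the browser hands to the authenticator; the origin in it is
        # the page the user is really on, not whatever that page claims to be.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        signed = hashlib.sha256(client_data).digest() + cred.credential_id
        return {"credential_id": cred.credential_id, "client_data": client_data,
                "signature": hmac.new(cred.secret, signed, "sha256").digest()}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.registered: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (cred id, verify key)
        self.pending: Dict[str, str] = {}                     # user -> outstanding challenge

    def register(self, user: str, authenticator: Authenticator) -> None:
        cred = authenticator.register(self.rp_id)
        self.registered[user] = (cred.credential_id, cred.secret)  # real RP: public key only

    def begin_login(self, user: str) -> str:
        challenge = _b64url(os.urandom(32))
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, assertion: dict) -> bool:
        challenge = self.pending.pop(user, None)  # single use: no replay of an old assertion
        if challenge is None or user not in self.registered:
            return False
        data = json.loads(assertion["client_data"])
        if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
            return False
        if data.get("origin") != self.origin:
            return False  # origin binding: a relayed assertion from a lookalike site fails here
        cred_id, key = self.registered[user]
        if not hmac.compare_digest(assertion["credential_id"], cred_id):
            return False
        expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest() + cred_id,
                            "sha256").digest()
        return hmac.compare_digest(expected, assertion["signature"])


if __name__ == "__main__":
    auth, rp = Authenticator(), RelyingParty("bank.example", "https://bank.example")
    rp.register("alice", auth)
    ch = rp.begin_login("alice")
    print("genuine origin:", rp.finish_login("alice", auth.get_assertion("bank.example", ch, "https://bank.example")))
    ch = rp.begin_login("alice")
    print("lookalike origin:", rp.finish_login("alice", auth.get_assertion("bank.example", ch, "https://bank-example.test")))
```

An SMS or app-generated code has no equivalent of the origin field: the service receiving the code cannot tell whether the user typed it into the real login page, which is exactly the gap the write-ups above describe.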
Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.
810 Comments
Tomi Engdahl says:
Susan Fowler / New York Times:
The biggest challenges for US tech firms in 2019: GDPR-like privacy protections, large security breaches becoming routine, and anti-government employee protests
Opinion
The 3 Biggest Challenges for Tech in 2019
https://www.nytimes.com/2018/12/29/opinion/tech-2018-trends-2019-predictions.html
How privacy, security and employee protests will shape the year ahead for Silicon Valley.
In 2018, it became very clear that Americans have no control over their digital information. We discovered that our cellphones could be monitored, and many of the apps on our phones are tracking us. We found out that Facebook shared our private messages with third parties
in Europe: The General Data Protection Regulation went into effect in May
The United States has no similar privacy protections. There is no way for us to know which companies have our data, and I don’t think that will change in 2019.
There were some very large and frightening data breaches this year.
The knee-jerk response this year has been to say that these companies need stronger punishments for security breaches, or that we need to regulate tech companies.
It’s not clear that these breaches were a result of poor security practices or corporate negligence.
Being the best in the world when it comes to security and following the best security practices have not protected these companies, and, ultimately, they have not kept our data safe.
The spies from foreign governments hacking into American companies
they are trying to destroy the country that we live in.
The United States is under siege from foreign governments and malicious hackers. And Silicon Valley’s products are the battlefields where the war is being fought.
Tomi Engdahl says:
2019 Malware Trends to Watch
https://threatpost.com/2019-malware-trends-to-watch/140344/
Tomi Engdahl says:
Attacks Against Critical Infrastructure Poise to Reshape Cyber Landscape
https://www.securityweek.com/attacks-against-critical-infrastructure-poise-reshape-cyber-landscape
It’s Time for the Organizations Charged With Protecting Our Physical Infrastructure to Take Action and Fight Back
Looking forward to 2019, we can expect this rise in industrial cyber-attacks to continue. A lot of the industries supporting our critical infrastructure are undergoing a dramatic transformation. Internet of Things (IoT)-based innovation is spurring a wave of digitization across manufacturing and energy distribution. This perfect storm of increasing digital footprint and attacker focus is set to make industrial security the new front-line of cyber defense, and potentially even outright warfare. Here are three predictions for the next-generation of industrial cyber-attacks we are likely to see in the coming twelve months.
1. Turning Off the Lights: Smart Grid Compromise
2. Manipulating Markets: Disrupting the Global Supply Chain
3. High Profile Hacking: Targeting Major Sporting Events
Tomi Engdahl says:
How Big is Your Digital Footprint Anyway?
https://www.securityweek.com/how-big-your-digital-footprint-anyway
Those of us at a certain age (ahem) grew up in a simpler time. Email was largely unheard of. There was no social media, no Facebook, Twitter or Instagram. There was no e-commerce, no Amazon, Alibaba or Taobao. No online banking. No online dating. Credit card transactions were processed manually. Local businesses accepted personal checks.
In short, there really wasn’t any such thing as a “digital footprint,” where personal information resides virtually, in an electronic ether, potentially available for anyone to see.
But over the last two decades, we’ve moved more and more of our lives into that realm. And almost as soon as we began, people attempted to gain inappropriate access to information of all kinds.
Today we are still adjusting to this new reality.
Tomi Engdahl says:
New Protocol Authenticates USB Type-C Chargers, Devices
https://www.securityweek.com/new-protocol-authenticates-usb-type-c-chargers-devices
The USB Implementers Forum (USB-IF) on Wednesday announced the launch of the USB Type-C Authentication Program, which aims to protect host systems against non-compliant chargers and potentially malicious devices.
The USB Type-C Authentication specification, unveiled by the USB-IF and the USB 3.0 Promoter Group in 2016, provides the cryptographic mechanisms needed for authenticating various types of USB Type-C devices, including chargers, cables, storage drives and power sources.
https://usb.org/sites/default/files/article_files/USB_Type-C_Authentication_PR_FINAL.pdf
Tomi Engdahl says:
Your Face is Going Places You May Not Like
https://hackaday.com/2019/01/02/your-face-is-going-places-you-may-not-like/
Many Chinese cities, among them Ningbo, are investing heavily in AI and facial recognition technology. Uses range from border control — at Shanghai’s international airport and the border crossing with Macau — to the trivial: shaming jaywalkers.
In Ningbo, cameras oversee the intersections, and use facial-recognition to shame offenders by putting their faces up on large displays for all to see, and presumably mutter “tsk-tsk”.
False positives in detecting jaywalkers are mostly harmless and maybe even amusing, for now. But the city of Shenzhen has a deal in the works with cellphone service providers to identify the offenders personally and send them a text message, and eventually a fine, directly to their cell phone. One can imagine this getting Orwellian pretty fast.
Facial recognition has been explored for decades, and it is now reaching a tipping point where the impacts of the technology are starting to have real consequences for people, and not just in the ways dystopian sci-fi has portrayed. Whether it’s racist, inaccurate, or easily spoofed, getting computers to pick out faces correctly has been fraught with problems from the beginning.
Tomi Engdahl says:
Chinese schools testing ‘smart uniforms’ that track students’ locations
https://6abc.com/technology/chinese-schools-testing-smart-uniforms-that-track-students-locations/5010387/?sf205347425=1
Tomi Engdahl says:
New Year’s Resolution: Help Rescue Privacy from the Jaws of Big Tech
https://www.eeweb.com/profile/mindchasers/articles/new-years-resolution-help-rescue-privacy-from-the-jaws-of-big-tech
Let us make the resolution today, as tech-minded and talented individuals, to work together to turn the tide against Big Tech
If you’re like me, you’re both shocked and appalled at the rapid erosion of privacy. The recent revelation that Facebook gave corporate partners access to its users’ private messages is just another example of our privacy being violated. Although many of us have come to expect this from online platforms such as Facebook, we are still holding onto an expectation of privacy in our homes, cars, and perhaps even our offices and/or workplaces. However, it’s rather obvious that these spaces are also inside Big Tech’s crosshairs in their ongoing quest to take control and data-mine anything connected to the internet.
Each new device that we buy with the intent to improve our lives comes equipped with sensors designed to collect and send data back to the cloud, where artificial intelligence (AI) is applied for the purpose of classifying and modeling. Although Big Tech assures us that our data is being gathered and employed only to improve services and target ads, deep down, many of us have a sneaking feeling that this data is being used for more nefarious purposes.
Open-source to the rescue
Repeat after me: “We resolve this year to participate and make our mark on at least one privacy-related open-source project. We will pursue projects that seek to disrupt, not strengthen, Big Tech’s grip on us. We will join the army of open-source developers that is ever-growing thanks to the worldwide, omnipresent training ground consisting of maker boards, web browsers, and powerful open-source software tools.”
I don’t know about you, but I feel invigorated and empowered. There are many great open-source projects to consider and others that need to be started. You might also contemplate participating in standardization efforts, such as the Internet Engineering Task Force (IETF), to champion new protocols and methods (RFCs) for data visibility for the device owner. For example, all connected device owners should be entitled to view the data being sent to the cloud before it is encrypted. Even if TLS 1.3 was perfect, which it isn’t, encryption doesn’t protect data that you never intended to share from being analyzed on a cloud-based server to where it was delivered. There needs to be a standardized method to deploy an open, centralized proxy to view any data that applications and IoT devices are transmitting to the cloud.
Tomi Engdahl says:
5 Reasons Why You’re a Perfect Cyber Attack Target
https://spectrum.ieee.org/telecom/security/5-reasons-why-youre-a-perfect-cyber-attack-target
Do you believe you’re safe from cyber attacks?
Most people do. They believe that hackers won’t target them because hackers go for the “big fish”. Most people are wrong.
The truth is: not even small businesses are safe from cyber attacks. In fact, perusing through Barkly’s 5 cybersecurity statistics every small business should know in 2018 will show that not only are cyber attacks on small businesses possible, but they’re also quite common.
Likewise, not even individuals are 100% safe from cyber attacks. Hackmageddon’s June 2018 cyber attack statistics even show that 20% of cyber attacks are aimed at individuals.
Tomi Engdahl says:
EU to offer nearly $1m in bug bounties for open-source software
https://nakedsecurity.sophos.com/2019/01/04/eu-to-offer-nearly-1m-in-bug-bounties-for-open-source-software/
The full list of 15 bounty programs includes the file archiver 7-zip, the Java servlet container Apache Tomcat, the content management framework Drupal, the cross-platform FTP application Filezilla, the media player VLC, the password manager KeePass, the text/source code editor Notepad++, plus other popular tools. Rewards start at €25,000 and go on up to €90,000 ($28,600 to $103,000), for a total offered amount of €851,000 ($973,000).
Tomi Engdahl says:
Here’s what to expect in cybersecurity in 2019
https://techcrunch.com/2018/12/31/cybersecurity-predictions-2019/?utm_source=tcfbpage&sr_share=facebook
Tomi Engdahl says:
Confirmation Bias and the Importance of a Second Opinion
https://www.securityweek.com/confirmation-bias-and-importance-second-opinion
Security Organizations Should Remember to Seek a Second Opinion, Which Can Bring Bias to Light
Tomi Engdahl says:
Will data breaches continue to occur during 2019? Most definitely, according to Robert Ackerman Jr., founder and a managing director of AllegisCyber and a founder of DataTribe. “Look for AI-driven chatbots to go rogue, a substantial increase in crimeware-as-a-service, acceleration of the weaponization of data, a resurgence in ransomware and a significant increase in nation-state cyberattacks. Also on a growth track is so-called cryptojacking — a quiet, more insidious avenue of profit that relies on invasive methods of initial access and drive-by scripts on websites to steal resources from unsuspecting victims,” he writes in this analysis.
Cyber breaches abound in 2019
https://techcrunch.com/2018/12/26/cyber-breaches-abound-in-2019/
Tomi Engdahl says:
Censoring China’s Internet, for Stability and Profit
https://www.nytimes.com/2019/01/02/business/china-internet-censor.html
Thousands of low-wage workers in “censorship factories” trawl the online world for forbidden content, where even a photo of an empty chair could cause big trouble.
Tomi Engdahl says:
The United States and China – A Different Kind of Cyberwar
https://www.securityweek.com/united-states-and-china-different-kind-cyberwar
The potential for cyberwarfare between the United States and Russia is openly discussed, and – if not actually defined – is well understood. The British attitude is clear and defined, and the threat of retaliation – not necessarily cyber retaliation – is explicit.
But few people talk about China and cyberwar. The reason is simple. China is already engaged in its own form of cyberwarfare, but one that does not readily fit into the West’s perception of war and peace. China, the world’s oldest surviving civilization, is taking the long view. It has no interest in winning short-term battles; its focus is on winning the long-term war.
The USSR was not defeated by the might of the U.S. military, but the power of the U.S. economy. In striving to keep up or surpass the military strength of the West, the USSR was effectively bankrupted into dissolution. China sees a greater likelihood of success against the West by similar means than by open warfare – whether that be kinetic or cyber.
Tomi Engdahl says:
U.S. Companies Urged to Protect Against Foreign Government Hackers
https://www.securityweek.com/us-companies-urged-protect-against-foreign-government-hackers
The US intelligence community launched a campaign Monday to help US business defend against hacking by foreign governments like China and Russia.
The National Counterintelligence and Security Center began sending out detailed advisories, in brochure and video forms, to companies around the country to show them how to guard against cyber-incursions.
Tomi Engdahl says:
EU Looks to Reduce Exposure to Chinese 5G Risk: Report
https://www.infosecurity-magazine.com/news/eu-looks-reduce-exposure-chinese/
The European Union is hoping to lead a more coordinated response to security concerns over Chinese 5G equipment makers, it has emerged.
Brussels wants to ensure it doesn’t end up with a situation where member states have unwittingly allowed Chinese kit to dominate across the region, according to the FT.
One unnamed diplomat told the paper that although 5G auctions can raise billions for governments, the EU is “urging everyone to avoid making any hasty moves they might regret later.”
“It’s quite a serious strategic problem for the EU and we haven’t properly mapped the exposure,” they added. “The problem is every country is interested in the 5G auction because it’s a massive payday. Once these auctions have happened you need to avoid a situation where you end up with the entire continent being with one [equipment] provider.”
The EU wants to map its exposure to Chinese technology as national security concerns mount.
The US, Australia, New Zealand, Taiwan and Japan have all banned Huawei products on security fears to a lesser or greater extent, despite the firm repeatedly protesting its innocence.
Tomi Engdahl says:
One of the West’s biggest cybersecurity vulnerabilities is our idiotic habit of sending servers full of sensitive information to foreign countries
https://nordic.businessinsider.com/western-countries-send-servers-full-of-sensitive-information-to-foreign-countries-2018-12?r=US&IR=T
Western companies routinely sell their old tech hardware to private companies in foreign countries, without wiping the sensitive data on them first.
A Business Insider source found a large database of the Dutch public health insurance system on old equipment abandoned after a hardware upgrade.
He also found the codes for controlling the traffic lights in multiple Spanish cities.
It’s pointless worrying about hackers breaking into our systems if we’re giving away data to anyone with a credit card in the hardware refurbishing business, the source says.
Tomi Engdahl says:
There’s a battle brewing over Google’s $1 billion high-tech neighborhood, and it could have big privacy implications for cities
https://nordic.businessinsider.com/google-sidewalk-labs-toronto-privacy-data-2018-10/
Sidewalk Labs, the urban innovation arm of Google’s parent company, Alphabet, will soon build a high-tech neighborhood along Toronto’s Eastern Waterfront.
The company has clashed with residents over its decision to collect data in public spaces such as intersections or park benches.
Sidewalk Labs claims the data will help them improve the community, but experts worry it could be used for financial gain.
In response to this criticism, the company has proposed an independent trust that might ensure the fair use of urban data.
Tomi Engdahl says:
Could a Chinese-made Metro car spy on us? Many experts say yes.
https://www.stripes.com/news/could-a-chinese-made-metro-car-spy-on-us-many-experts-say-yes-1.563551
The warnings sound like the plot of a Hollywood spy thriller: The Chinese hide malware in a subway rail car’s security camera system that allows surveillance of Pentagon or White House officials as they ride — sending images back to Beijing.
Or sensors on the train secretly record the officials’ conversations. Or a flaw in the software that controls the train — inserted during the manufacturing process — allows it to be hacked by foreign agents or terrorists to cause a crash.
Congress, the Pentagon and industry experts have taken the warnings seriously, and now the Washington, D.C.-area subway system, known as Metro, will do the same.
CRRC’s success has raised concerns about national security and China’s growing footprint in the U.S. industrial supply chain and infrastructure.
A ban on purchases from China could penalize financially pressed transit systems such as Metro
“Saving a buck isn’t worth compromising security in the nation’s capital,” Connolly said. “If there are valid security concerns about sourcing rail cars from a Chinese state-owned company, then find another option.”
“My concern is that state-sponsored enterprises can serve as platforms for conducting cyberespionage against the United States,” Horner said.
“The risk of espionage is uniquely high in our nation’s capital,”
China has previously been accused of embedding spying technology in its products. In May, the Pentagon directed service members on military bases to stop using phones made by the Chinese companies ZTE and Huawei
Pesaturo said MBTA’s design process for new rail cars includes a cybersecurity analysis based on a U.S. Department of Defense military system safety standard
Grotto, the former National Security Council official, said the security measures described by the transit agencies were “appropriate” but expressed concern about how they would be implemented.
“Who is responsible and held accountable for seeing these results through? How will monitoring and auditing work?”
Tomi Engdahl says:
Enterprise applications and software systems have a reputation for being clunky, expensive, and almost impossible to keep up to date, but that doesn’t need to be the case. Rethinking your software strategy to include cloud options like SaaS can reap benefits, but beware the pitfalls.
This InformationWeek Trend Report will help you rethink your enterprise software systems and consider whether cloud-based options like SaaS may better serve your needs.
Tomi Engdahl says:
NCSC Starts Campaign to Help Industry Fight Foreign State Threats
https://www.bleepingcomputer.com/news/security/ncsc-starts-campaign-to-help-industry-fight-foreign-state-threats/
The U.S. National Counterintelligence and Security Center (NCSC) has started to distribute informative materials ranging from brochures to videos to privately held companies around the country promoting increased awareness of rising cybersecurity threats from nation-state actors.
“Make no mistake, American companies are squarely in the cross-hairs of well-financed nation-state actors, who are routinely breaching private sector networks, stealing proprietary data, and compromising supply chains,” stated NCSC Director William Evanina.
Tomi Engdahl says:
Can a set of equations keep U.S. census data private?
https://www.sciencemag.org/news/2019/01/can-set-equations-keep-us-census-data-private?utm_source=6&utm_medium=social&utm_campaign=News-from-Science-(ScienceNOW)&utm_term=SciMag&utm_content=AAAS
The U.S. Census Bureau is making waves among social scientists with what it calls a “sea change” in how it plans to safeguard the confidentiality of data it releases from the decennial census.
The agency announced in September 2018 that it will apply a mathematical concept called differential privacy to its release of 2020 census data after conducting experiments that suggest current approaches can’t assure confidentiality. But critics of the new policy believe the Census Bureau is moving too quickly to fix a system that isn’t broken.
Tomi Engdahl says:
The United States and China – A Different Kind of Cyberwar
https://www.securityweek.com/united-states-and-china-different-kind-cyberwar
China is Conducting a Low and Slow Cyberwar, Attempting to Stay Under the Radar and Maneuver the Global Economy
Tomi Engdahl says:
The (Re-)Emergence of Zero Trust
https://www.securityweek.com/re-emergence-zero-trust
As we enter 2019, we’re still facing massive cyber-attacks that expose the sensitive data of millions of people and impact businesses both from a reputational and material perspective. To address these challenges, the use of a Zero Trust model has returned to the spotlight after more and more analyst firms provided their stamp of approval. Contributing to the momentum, early adopters like Google have published Zero Trust success stories, detailing the benefits it has provided when it comes to minimizing their cyber risk exposure.
The Zero Trust model, first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST), is not a new concept. Instead of using the traditional approach of “trust, but verify”, the Zero Trust model implements “never trust, always verify” as its guiding principle. The Zero Trust model is based on the following three pillars:
• Ensuring that all resources are accessed securely, regardless of location (in other words, there is no longer a trusted zone).
• Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted.
• Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious and is analyzed and logged just as if it came from the WAN.
Tomi Engdahl says:
Predicting the Year Ahead in ICS Cybersecurity
https://www.securityweek.com/predicting-year-ahead-ics-cybersecurity
Let’s start off on a couple positive notes:
1) The U.S. electric grid will not go down. Despite all of the fear, uncertainty, and doubt being spewed around about the security and resiliency of the U.S. electric grid, especially in the face of increasingly aggressive threats, no Americans will lose power for a single minute in 2019 due to a cyber attack.
2) After a few years of grappling with the problem of ICS security from the shop floor to the top floor, there is growing consensus on the subject of governance. In 2019, more organizations than ever before will consolidate responsibility for both IT and OT security and elevate the Board’s visibility.
3) On a less optimistic note, ransomware will shift from data to operations.
4) Legislation and regulation will play catch-up. This last prediction is a bit more neutral than the previous three but equally significant.
With two positive, one negative, and one neutral prediction, I’m optimistic about ushering in 2019.
Tomi Engdahl says:
Aging like milk, not wine: The realities of container security
https://www.redhat.com/en/blog/aging-milk-not-wine-realities-container-security?sc_cid=7016000000127ECAAY
Tomi Engdahl says:
Playing catch-up with cybersecurity
https://www.controleng.com/articles/playing-catch-up-with-cybersecurity/
Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.
An examination of applications for cyber insurance coverage can be helpful as a guide for curtailing potential exposure, according to suggestions from my partner Patrick O’Connor.
Among the questions asked:
How much of the information technology (IT) is outsourced?
How many names can be found in databases under your control?
Do you have a third-party endorsement of your privacy processes and practices?
What is your encryption strategy?
What physical security strategies are in place to control human access to the servers?
Do you have a chief security officer?
I am not the one to tell you how the actuaries take all that information and turn it into a premium, but I do know the people who figure out that equation will be the insurance heroes of tomorrow. The larger lesson is more basic: at present, contracts and insurance can only do so much. The cyber “front line,” for now, is in your own company’s ways of doing things.
Tomi Engdahl says:
WordPress-Related Vulnerabilities Tripled in 2018
https://www.bleepingcomputer.com/news/security/wordpress-related-vulnerabilities-tripled-in-2018/
WordPress-related vulnerabilities have seen a 300% increase in 2018 compared to the previous year, a recent study has found. Most of the bugs were in the plugins that extend the functionality of WordPress websites.
Powering about 30% of all websites on the internet, WordPress is the most popular content management system (CMS), followed by Joomla and Drupal trailing behind at a safe distance.
A product’s rise in popularity also captures the attention of cybercriminals who look for security bugs, incentivized by a large number of potential victims.
Tomi Engdahl says:
Podcast: Beware These Top Security Threats in 2019
https://threatpost.com/podcast-beware-these-top-security-threats-in-2019/140573/
Tomi Engdahl says:
The Latest Threats to ATM Security
https://www.securityweek.com/latest-threats-atm-security
Attacks against automated teller machines (ATMs) are nothing new, for obvious reasons. They are a perfect target for both conventional thieves and hackers, standing at the intersection of physical theft and cyber crime. Particularly in the developing world, ATMs often lack basic cybersecurity precautions, with archaic operating systems and minimal authentication requirements within the machines. The past few years have seen criminals applying their creativity to stealing money from ATMs, with considerable success. Methods of attack have included:
• Insert skimmers—physical devices placed in card slots to capture information from swiped cards.
• Remote cyber attacks—taking control of ATM servers to dispense cash, using malware like ATMitch.
• Direct malware attacks—using physical access to an ATM to deploy malware variants like Ploutus-D.
2018 saw at least two new major threats to ATM security: a “jackpotting” attack that presents a unique challenge because of its speed, efficacy, and comparative lack of resources required from attackers; and “shimming”, a simple way to steal data from chip-enabled cards.
Tomi Engdahl says:
IT asset disposition in the age of IoT
https://ces.eetimes.com/it-asset-disposition-in-the-age-of-iot/
Disposing of IT assets has become even more challenging in the age of the internet of things (IoT) and the industrial IoT (IIoT). Electronic devices contain toxic components, which can be harmful to the environment. These devices often contain personal and proprietary data, too. But there are other potential uses for end-of-life electronics, beyond simply throwing them away.
Tomi Engdahl says:
Wall Street Journal:
Sources: Commerce Department signals it will not renew export license for Futurewei Technologies, Huawei’s Silicon Valley-based R&D unit
U.S. Blocks Some Exports From Huawei’s Silicon Valley Unit
R&D unit Futurewei is no longer able to send home some technologies developed in U.S.
https://www.wsj.com/articles/u-s-blocks-some-exports-from-huaweis-silicon-valley-unit-11547119803?mod=e2tw
Tomi Engdahl says:
How Communist China Steals American Secrets and Endangers U.S. Security
https://m.theepochtimes.com/how-communist-china-steals-american-secrets-and-endangers-u-s-security_2764407.html/amp?__twitter_impression=true
At a press conference held on Dec. 20, the U.S. Department of Justice (DOJ) announced the prosecution of two hackers from communist China. According to the DOJ, they were members of the hacking unit APT10, which is affiliated with the Chinese regime’s Ministry of State Security (MSS).
The MSS is China’s only official intelligence agency
The MSS and MPS carry out different roles in conjunction with one another. Operations involving foreign countries are the domain of the MSS, while the DSB carries out comparable tasks within China’s borders.
Tomi Engdahl says:
Dystopian surveillance police-state technology is now cheap and reliable enough to roll out at massive scale.
Our dystopian cyberpunk here and now
https://techcrunch.com/2019/01/13/our-motto-dystopia-now/?sr_share=facebook&utm_source=tcfbpage
We in the West love our apocalyptic science fiction, in which cartoonishly evil authorities ruthlessly oppress all who so much as wonder about their absolute power, enforced via ubiquitous surveillance technology. Think The Hunger Games, Blade Runner 2049, V for Vendetta, just to pick a few. Well — to trot out that infamous William Gibson line, the future is here, it’s just unevenly distributed.
Xinjiang, northwest China, which, according to a panoply of reports over the last year, has become an oppressive surveillance police state
the real-life dehumanization of the surveillance state. “Installing cameras in some people’s homes.” “Officers recorded their voices, took pictures of their heads at different angles and collected hair and blood samples.” Targeting “people who have received a phone call from overseas.”
But also, partly because they can: because this dystopian surveillance police-state technology is now cheap and reliable enough to roll out at massive scale. Hard not to be chilled by that …
Tomi Engdahl says:
Most People Expect a Serious Cyberattack Against Their Country
https://www.securityweek.com/most-people-expect-serious-cyberattack-against-their-country
People across the world are expecting major cyber-attacks against their own country. A Pew Research survey of more than 27,000 respondents across 26 countries shows that the majority of people expect that sensitive national security information will be accessed (74%), the public infrastructure will be damaged (69%), and elections will be targeted (61%).
In all these areas, American concerns are higher than average. Eighty-three percent are worried about attacks on the infrastructure, 82% fear that national security information will be accessed, and 78% expect election tampering. The breakdown within each area follows political party associations. For example, Democrats (87%) in the U.S. are more concerned about election tampering than Republicans (66%).
While the expectation of future cyber-attacks is higher than average in the Americas, so too is confidence that their country is well-prepared to withstand them. The global median for not well-prepared is 49% against 43% who believe their country is well-prepared.
Tomi Engdahl says:
Security is a Top Concern for SD-WAN. Is Your Solution Ready?
https://www.securityweek.com/security-top-concern-sd-wan-your-solution-ready
The Necessity of Native Security Controls in an SD-WAN Environment Cannot be Overstated
According to a recent report from Gartner, security is the top concern for organizations updating their wide-area networks (WANs). This is followed by wanting to ensure high-performance connectivity to their branch offices and managing escalating costs associated with traditional connections such as MPLS.
Part of the challenge is that today’s networks are highly interconnected, with data moving across and between different ecosystems and devices.
To address the growing need for agile and scalable connections, organizations are replacing their traditional WAN connections to their remote locations with SD-WAN.
Tomi Engdahl says:
5 Forecasts to Inform Digital Risk Protection in 2019
https://www.securityweek.com/5-forecasts-inform-digital-risk-protection-2019
1. BEC campaigns will continue to increase. According to the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013.
2. The push and pull between ransomware attacks and cryptomining will persist. In 2018 we saw sharp declines in the number of reported attacks involving new ransomware variants, but this didn’t mean threat attackers were taking a break.
3. Companies will open their wallets for GDPR fines, but how widely is to be determined.
4. Emotet banking trojan will be modified and used for new purposes. Involved in a high-volume of activity throughout 2018, Emotet malware has become increasingly sophisticated. With its ability to download additional modules, we have observed Emotet used as the initial stage downloader for other banking trojans such as IcedID and TrickBot.
5. MITRE ATT&CK framework will move towards becoming a threat intelligence standard. The MITRE ATT&CK framework provides a common vocabulary for how to talk about threat intelligence.
Tomi Engdahl says:
MITRE Uses ATT&CK Framework to Evaluate Enterprise Security Products
https://www.securityweek.com/mitre-uses-attck-framework-evaluate-enterprise-security-products
MITRE Corporation’s ATT&CK framework has been used to evaluate enterprise security products from several vendors to determine how efficient they are in detecting and responding to attacks launched by sophisticated threat groups.
Tomi Engdahl says:
“The information security decisions made now will show their effects in the 2020s”
https://www.dna.fi/yrityksille/blogi/-/blogs/jarna-hartikainen-tietoturvassa-nyt-tehtavat-ratkaisut-nakyvat-2020-luvulla?utm_source=facebook&utm_medium=artikkeli&utm_term=tietoturva&utm_campaign=natiivi&utm_content=jarna_hartikainen_tietoturvassa_nyt_tehtavat_ratkaisut_nakyvat_2020_luvulla
“From an information security standpoint, there is a big risk that everything just gradually gets worse. Then some security threat can slowly gain a foothold, because nobody notices the emerging phenomenon. Phishing, for example, has become widespread in exactly this way.”
Tomi Engdahl says:
Putting online safety into practice requires a nationwide programme
http://mialaiho.puheenvuoro.uusisuomi.fi/267461-nettiturvallisuuden-jalkauttaminen-vaatii-valtakunnallisen-ohjelman?ref=poiminnat
Tomi Engdahl says:
A NEW PLAYGROUND FOR FAKE IDENTITIES?
https://www.telia.fi/yrityksille/tuotteet/tietoliikenne/varmenne-ja-luottamuspalvelut/tunnistuspalvelu/artikkeli/valehenkiloille-uusi-mellastuskentta-newsroom?utm_source=facebook&utm_campaign=B2B+sisältö+nostot+Q3-Q4+2018+buP11160004019&utm_medium=social_paid&utm_content=link+%7C+Valehenkilöille+uusi+mellastuskenttä&utm_term=SERVICES+%7C+pros+%7C+Valehenkilöille+uusi+mellastuskenttä+%7C+native+%7C+julkishallinto+%7C+5665
A customer calls your company, invokes the new data protection regulation and asks to see the data you hold about them in your registers. How do you verify that the caller is who they claim to be, and that the data you send out does not leak to others?
Tomi Engdahl says:
What is a certificate?
https://opensource.com/article/19/1/what-certificate?sc_cid=7016000000127ECAAY
What is a certificate, why do they expire, and what could happen when they do?
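A small worked check to go with that question, added here as an example and not taken from the linked opensource.com article: a minimal DER (ASN.1) walker that locates the Validity field in a certificate's TBSCertificate and classifies it as expired, not yet valid, expiring soon or ok. The sample certificate bytes are constructed inline with a tiny DER encoder (empty placeholder issuer/subject, no real signature) so the script runs offline; the parser itself follows the RFC 5280 TBSCertificate layout and works on any real DER certificate (for a live server, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`).

```python
"""Certificate validity check using only the Python standard library.

Added example (not from the linked article). The sample certificate below is
constructed by hand and is only a structural skeleton, not a trust-worthy cert.
"""
from datetime import datetime, timedelta, timezone


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos (single-byte tags)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Iterate over the TLVs nested inside a constructed (SEQUENCE / [0]) value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _parse_time(tag, value):
    """Decode a Time: UTCTime (0x17) with the RFC 5280 two-digit-year pivot, or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:                          # YYMMDDHHMMSSZ; 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        return datetime.strptime(str(year) + s[2:], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:                          # YYYYMMDDHHMMSSZ
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected time tag 0x%02x" % tag)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs = next(_children(cert))           # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version
        fields = fields[1:]
    validity = fields[3][1]                  # serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = list(_children(validity))[:2]
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def check_expiry(der, now=None, warn_days=30):
    """Classify a certificate at time `now`: 'expired', 'not-yet-valid', 'expiring' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    if not_after - now < timedelta(days=warn_days):
        return "expiring"
    return "ok"


# --- constructed sample input: a tiny DER encoder used only to build the test certificate ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _utc(d):
    return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())


def sample_certificate(not_before, not_after):
    """Skeleton certificate with the given validity window (placeholders elsewhere; constructed data)."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))          # version v3
               + _der(0x02, b"\x01")                     # serialNumber
               + _der(0x30, b"")                         # signature AlgorithmIdentifier (placeholder)
               + _der(0x30, b"")                         # issuer Name (placeholder)
               + _der(0x30, _utc(not_before) + _utc(not_after))
               + _der(0x30, b""))                        # subject Name (placeholder)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def demo():
    """Run the checker against the constructed sample at several reference dates."""
    cert = sample_certificate(datetime(2019, 1, 1, tzinfo=timezone.utc),
                              datetime(2019, 12, 31, 23, 59, 59, tzinfo=timezone.utc))
    return {day: check_expiry(cert, datetime.fromisoformat(day).replace(tzinfo=timezone.utc))
            for day in ("2018-06-01", "2019-06-01", "2019-12-15", "2020-01-01")}


if __name__ == "__main__":
    for day, status in demo().items():
        print(day, status)
```

The `warn_days` window is the part worth wiring into monitoring: an alert on "expiring" is what prevents the outage the article warns about, whereas "expired" is already the outage. Real certificates also carry extensions and a signature that this walker ignores; it answers only the "when does it expire" question.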
Tomi Engdahl says:
Security Expectations and Mis-Conceptions in Migrating ERP to the Cloud
https://www.securityweek.com/security-expectations-and-mis-conceptions-migrating-erp-cloud
Digital transformation is increasing the need for enterprise resource planning (ERP) systems to allow organizations to manage the entirety of their business in a coordinated manner. Globalization is forcing organizations to consider cloud solutions to prevent disjointed business operations across multiple global locations — and even smaller companies are simply attracted by the economies and potential security of cloud operations.
The specific arguments for migrating ERP to the cloud are faster time to value, increased innovation, and scalability with growth.
The effect of these arguments is to persuade organizations to migrate existing on-premise ERP solutions to the cloud, and for companies considering their first ERP system to consider going straight to the cloud. Cloud migrations are never easy, particularly when the data concerned is business operational critical.
“As moving to the cloud raises its own security and privacy challenges, we wanted to provide some benchmarks regarding the myriad issues surrounding cloud migration and security,” explained John Yeoh, director of research, Americas for the CSA.
Noticeably, the Americas and APAC regions (both at 73%) are more likely to be migrating to a cloud solution than EMEA. “Regulations in EMEA, such as the European Union General Data Protection Regulation (GDPR) impacted organizational plans for technology purchases, cloud services, and third-party policies,” notes the report (PDF).
Compliance challenges are the third most concerning issue for all companies in the survey at 54.29%. The biggest concern is over the practical issues around migrating sensitive data (64.76%), with general security concerns second at 59.05%.
Less concerning is disruption of business operations (46.67%) and the time it takes (45.71%).
Tomi Engdahl says:
Newsmaker Interview: Bruce Schneier on Physical Cyber Threats
https://threatpost.com/newsmaker-interview-bruce-schneier-on-physical-cyber-threats/140491/
Bruce Schneier discusses the clash between critical infrastructure and cyber threats.
Attacks on physical devices and infrastructure offer a new target for cyber crime, a new opportunity for espionage and even a new front in cyber war.
Rather than exploit computers and their applications, the Internet of Things allows malicious actors to go after a whole new category of devices, from children’s toys to nuclear power equipment.
This is the context for the latest book by cryptographer and cyber security expert Bruce Schneier. In “Click Here to Kill Everybody,” Schneier paints a bleak picture of a world unprepared for the risks attached to the “Internet+” (a term coined to describe the application of the internet to conventional industries) and the clash between physical and cyber threats.
Threatpost caught up with Schneier, and asked him about his vision to limit the damage.
Threatpost: What prompted you to write “Click Here to Kill Everybody?”
Schneier: That title, alarmist as it might sound, invokes the notion of computers that can affect the physical world. That is something relatively new, but increasingly important. [The book] is about what citizens and society can do about the increased risks from physically capable, and dangerous, computing devices.
TP: How big a departure is the Internet+ or Internet of Things, from the risks we’ve faced through conventional computing and the internet?
Schneier: There’s no difference and there is a lot of difference.
We can talk about vulnerabilities in software, about worms and viruses. The difference really is what the computers are doing. We are moving to a world where computers are in things, in cars, in medical devices, in appliances, in toys, in power plants.
It’s what the computers are attached to, and what they can do.
TP: It’s still relatively early days for the IoT and connected devices. Where are we on the threat curve – how many attacks have we seen?
Schneier: We see attacks all the time. Just recently, we had a major attack on Marriott Hotels. These things happen every week, every day. Attacks against cars have been largely in the lab and in demonstrations…but we’ve seen ransomware against thermostats, refrigerators sending spam.
Have we seen a death by this? Not that’s documented. Possibly if you dig down through some of the effects of the hospital DDoS and ransomware attacks you might find some. But we have not seen murder through disabling the brakes in a car. We haven’t seen massive property damage through disabling thermostats in the middle of winter. Those are still to come.
Tomi Engdahl says:
Don’t Overlook the Business Risk in BRI
https://www.securityweek.com/don%E2%80%99t-overlook-business-risk-bri
A business risk intelligence (BRI) program requires many components about which I’ve written previously: the right intelligence requirements, collection strategy, KPIs, vendors, collaboration, and stakeholder support. But there’s another component that, though it may seem obvious, is among the most foundational yet also the most frequently overlooked: a comprehensive understanding of business risk.
As security practitioners, we often think about business risk in terms of threats, vulnerabilities, and the extent that they could impact the assets we’ve been entrusted to protect. But it’s important to remember that business risk encompasses more than just security. And in order to execute a BRI program effectively, we need to be able to understand, measure, and mitigate business risk not only through a security-focused lens but also through a business-focused one. Here’s how:
Know the five categories of business risk
Business risk is broadly defined as the possibility that a business will incur a loss due to uncertainty. Although there are seemingly countless uncertainties inherent to running a business, most tend to fall under one or more of the following categories:
● Financial risk reflects the likelihood and extent that a business could experience financial loss due to its capital structure and/or financing. Changes in interest rates, foreign exchange rates, or a business’s debt-to-equity ratio are common factors that can influence financial risk. Although all categories of business risk can have financial implications, financial risk refers solely to implications of how a business handles money.
● Compliance risk refers to the penalties a business could face if it fails to comply with requisite regulations. These penalties can vary immensely and range from minor fines to serious legal action. But regardless of a business’s regulatory environment—which tends to depend primarily on its location, size, and industry—many compliance risks can arise due to largely unforeseen circumstances such as data breaches, technical failures, or sudden legislative changes, for example.
● Strategic risk entails the potential loss a business could incur in the event that any aspect of its strategy becomes less effective for any reason. Increased competition, demand fluctuations, and technological limitations are among the many circumstances that can hinder the efficacy of a business’s strategy and thus affect its bottom line.
● Reputational risk encompasses the consequences a business could suffer due to reputational damage. Product recalls, lawsuits, security incidents, and other types of bad publicity are common examples that can erode trust in a business and therefore result in revenue losses.
● Operational risk is the risk of loss due to unexpected errors or damages caused by people, processes, external events, or anything else that interrupts a business’s core operations. Operational risks are numerous and can range from natural disasters and physical infrastructure damage to fraud, cyberattacks, and supply chain vulnerabilities, among others.
Reduce uncertainty through anticipation and preparation
Once you’re familiar with the categories of business risk, it’s important to incorporate them into your BRI program and operations. Keep in mind that business risk is fueled by uncertainty—so in order to reduce business risk, we need to apply BRI in a manner that reduces uncertainty.
A BRI operation would first need to consider how previous DDoS attacks have impacted the retailer’s business risk across each category, as follows:
● Financial risk: The DDoS attacks had no effect on the business’s capital structure and thus did not impact its financial risk.
● Compliance risk: The retailer’s compliance requirements include GDPR and PCI DSS, neither of which were violated due to the DDoS attacks.
● Strategic risk: The DDoS attacks did influence strategic risk because the retailer’s strategy is largely dictated by its e-commerce business model. Customers were unable to browse, shop, or make purchases on the retailer’s website during the DDoS attacks, thereby resulting in lost revenue.
● Reputational risk: The DDoS attacks inconvenienced and upset customers who sought to access the retailer’s website during outages. Many such customers expressed their frustration on social media, attracting significant negative attention to the company, eroding consumer trust, and ultimately exacerbating revenue losses.
● Operational risk: The retailer was unprepared for the attacks and did not have adequate DDoS protection measures in place to protect its website from outages and resulting consequences. As such, the attacks did contribute to the retailer’s operational risk.
Tomi Engdahl says:
“There is no cyber warfare, and there probably never will be”
https://ruotuvaki.fi/-/-tietoverkkosodankayntia-ei-ole-ja-tokkopa-tuleekaan-
Tomi Engdahl says:
The Ethics of Reporting Vulnerabilities in Illegal Software
https://terrythibault.com/index.php/2019/01/15/the-ethics-of-reporting-vulnerabilities-in-illegal-software/
Normally, when I find a vulnerability it’s simple enough for me to find a product owner and let them know about the issue. But when it’s an illicit website with an owner that doesn’t want to be found, I am left with very little information about how to proceed.