What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:
First I present a new information security term: Virtual Security = Manufacturers claim that their products are secure, but in reality they are not.
With new APT groups and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non-trivial. Next-generation dark markets are making cybercrime easier than ever before.
Gartner expects the security market to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed 2018 in excess of $114 billion, a 12.4% increase from 2017.
A New Year’s Resolution: Security is Broken…Let’s Fix It. There are three strategies that show real promise for defending against tomorrow’s threats: Deploy Deception, Leverage Threat Intelligence, Think Proactively. Plan Now for Emerging Threats. Defending against these threats will require two things. The first is understanding the economic drivers of the criminal community, and the second is to adopt strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.
Many organizations have learned that it is no longer a matter of if you will face a cyberattack, but when, and when you will finally discover that the hack has happened. For example, Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense, one that applies to both corporations and consumers: assume you are compromised.
In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. In response, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. It is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps…why aren’t you?
Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers actively scan those systems for vulnerabilities in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them, until it’s too late. Measure how good your security is. Tools have been developed to measure the maturity of data protection in an organization.
CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?
How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in the digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof social media profiles of your company or brands. Cyber criminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now more important than lurking in the shadows.
Today, cybersecurity is moving beyond the financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft’s boss thinks that a cyber war cannot be won. High impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for various cyber attacks in different sectors vary greatly. Energy and finance are the most advanced. We should all keep in mind two things: the proliferation of cyberweapons is already happening, and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security.”
Companies should be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires that the company can detect the attack itself. A large coordinated attack could target our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.
We need to build cyber resilience into our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” said Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”
Did you remember to test the security? Every developer team should know how to code securely and how to test security. This kind of basic information security hygiene creates the basis for genuinely intact applications. The basics for a tester in terms of data security are user identification and access control, stability, encryption, firewalls, intrusion detection, and anonymization of information. All these things can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.
You will see many big data breaches also in 2019. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches; see for example the list of the biggest cyber security breaches of 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been so much activity going on that it would considerably change the situation for the better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25, 2018.
How much are the first fines for GDPR infringement? It remains to be seen in 2019 as sanctions on big 2018 leaks start to appear. Infringement of the GDPR can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly been relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks (Marriott, British Airways, Quora) it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.
IoT malware and email hacks are on the rise again. Blackmail demand claims will unfortunately continue in 2019 and will become more innovative. In 2018 we first saw blackmail extortion with claims to have nailed you watching porn and that the sender infected your computer by hacking your account or placing malware. All sorts of variants exist. There was also a Spammed Bomb Threat Hoax that demands Bitcoin. Then there has been a New Extortion Email that Threatens to Send a Hitman Unless You Pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.
The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increases, the threat is constantly increasing. According to a Nokia report, IoT botnet operations accounted for 78 percent of malware detection events in communications service provider (CSP) networks in 2018.
Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks. The Constrained Application Protocol (CoAP) is about to become one of the most abused protocols in terms of DDoS attacks. That is because most of today’s CoAP implementations forgo the hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.
The Mirai botnet has been active since 2016, and several followers of it are still active. Mirai malware has a strong record of infecting poorly managed IoT devices and performing DDoS attacks on various platforms, and you will not get rid of new variations of it in 2019. The latest example is With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Similarly, Miori takes advantage of Internet-connected devices and compromises them by exploiting various vulnerabilities, and it is constantly evolving to target smart devices. Miori is just one of the many Mirai offshoots. There is another very similar variant called Shinoa.
Regulating cyber security features on networked devices seems to be on the rise. Germany proposes router security guidelines; it would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means fewer generic default credentials for a hacker to guess. In Finland, a security label created by FICORA’s Cybersecurity Center promises to make it easy for consumers to identify sufficiently secure devices in 2019.
Ransomware attacks will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer during 2018. There are a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.
The DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down the DNS, and the landscape is growing more problematic. Hopefully it will get more robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” is that all domains hosted on these poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take time to address this issue BEFORE February 1st, 2019.
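The workaround being removed is the resolver's habit of retrying without EDNS when an authoritative server ignores or mangles an EDNS query. The check below, an added example that is not part of the original post or of the Flag Day tooling, builds the kind of non-recursive SOA probes the Flag Day test sends (plain DNS, EDNS version 0, unknown EDNS version) and judges the reply against RFC 6891: the OPT record must be echoed, an unknown version must get BADVERS, and a dropped packet is a failure. `build_reply()` fabricates replies so the logic runs offline; `send_query()` is the only part that touches the network, and `example.com` is just a placeholder zone.

```python
"""EDNS compliance check in the spirit of the DNS Flag Day test (added example)."""
import socket
import struct
from typing import Optional

OPT_TYPE = 41        # EDNS(0) pseudo-RR
SOA_TYPE = 6
RCODE_BADVERS = 16   # extended RCODE: "EDNS version not supported"


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name (uncompressed)."""
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".")]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a possibly compressed name starting at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(name: str, txid: int, edns: bool = True, edns_version: int = 0) -> bytes:
    """Non-recursive SOA query; with `edns` an OPT RR is added to the additional section."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns else 0)  # flags 0: RD clear
    question = encode_name(name) + struct.pack("!HH", SOA_TYPE, 1)
    if not edns:
        return header + question
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-RCODE(8) | version(8) | flags(16), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 1232, 0, edns_version, 0, 0)
    return header + question + opt


def parse_reply(msg: bytes) -> dict:
    """Pull out id, QR bit, the 12-bit RCODE and whether an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    has_opt, ext_rcode = False, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            has_opt, ext_rcode = True, ttl >> 24
        off += 10 + rdlen
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": (ext_rcode << 4) | (flags & 0xF), "opt": has_opt}


def classify(query: bytes, reply: Optional[bytes]) -> str:
    """Verdict for one exchange; anything but "ok" breaks resolution after Flag Day."""
    if reply is None:
        return "timeout: server drops EDNS queries"
    q_id = struct.unpack("!H", query[:2])[0]
    q_arcount = struct.unpack("!H", query[10:12])[0]
    r = parse_reply(reply)
    if r["id"] != q_id or not r["qr"]:
        return "invalid: id mismatch or QR bit not set"
    if q_arcount == 0:                          # plain query: no OPT may come back
        return "ok" if not r["opt"] else "broken: unsolicited OPT in reply"
    if query[-5] != 0:                          # version byte of our own OPT RR
        return "ok" if r["rcode"] == RCODE_BADVERS else "broken: unknown EDNS version not answered with BADVERS"
    return "ok" if r["opt"] else "broken: OPT RR not echoed"


def build_reply(query: bytes, echo_opt: bool, rcode: int = 0) -> bytes:
    """Fabricated server reply to `query` (constructed data for offline testing)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8400 | (rcode & 0xF), 1, 0, 0, 1 if echo_opt else 0)
    reply = header + question
    if echo_opt:
        reply += b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, rcode >> 4, 0, 0, 0)
    return reply


def send_query(server: str, query: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """UDP round trip; None on timeout, the symptom resolvers stop working around."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None
```

Run all three probes against each authoritative server of your zone with `send_query()` and feed the replies to `classify()`; any verdict other than "ok" is something to fix before the deadline.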
TLS 1.3 was published in August 2018. It had been over eight years since the last major encryption protocol update. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are more secure and faster than ever. With the OpenSSL 1.1.1 library, many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently from TLSv1.2, though, there are a few caveats that may impact a minority of applications. Add this to the list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.
Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended, yet PHP 5 is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because PHP 7 is not fully compatible with PHP 5, many sites also need updates to their PHP code. If you can’t for some reason update the PHP version, special attention should be paid to the security of the server and its environment.
Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but Are You Using Them Securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing more on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.
The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked about in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and products: expert systems, machine learning, deep learning, and artificial intelligence are all represented in the whole, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems Artificial Intelligence in Cybersecurity is Not Delivering on its Promise, at least not yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Cyber-criminals are also starting to use AI to make better attacks.
Machine learning can reduce the usefulness of CAPTCHA. A machine learning model breaks CAPTCHA systems on 33 highly visited websites very quickly.
Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and WannaCry affected several companies around the world. OlympicDestroyer affected the Olympic Games organization.
Old destructive attacks can persist for a long time. WannaCry is not dead when 2019 starts. Eighteen months after the initial outbreak of the WannaCry ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activated, so the ransomware component does not activate, but the infection continues to run silently in the background, routinely connecting to the kill switch domain to check if it is still live.
The Spectre and Meltdown vulnerabilities that were found in 2017 and became public at the beginning of 2018 will continue. I have been following this saga since I reported it first in Finland at the Uusiteknologia.fi on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixes, but numerous new vulnerability variations on the same theme were reported over the year, the latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found in modern processors.
USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because they can cause serious disruption to process facilities through insecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.
The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier against cyberattacks, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Air gaps also can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.
There are still major cyber security problems in industrial systems. The major problems in industrial cyber security are inadequate software updates, the non-upgraded systems that result, and shared user IDs used for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.
Perimeter-less security is hot in 2019. You can no longer build well-defined perimeters around all of your systems. Welcome to a World of Zero Trust. The Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.
Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.
Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.
Good database security planning is essential for protecting a company’s most important assets, because attackers who shut a company out of its own data can quickly cripple the organization. Leaked data can also become costly, with the costs of the data leak itself, regulatory costs (including GDPR fines) and reputational damage that can affect revenue for a long time.
Right at the end of 2018 there were reports on SQLite vulnerabilities. Magellan is a set of vulnerabilities in SQLite that allowed remote code execution in Chromium browsers (already fixed). This vulnerability can have a wide range of influence in 2019 because SQLite is widely used in all modern mainstream operating systems and software. There is potential that this Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports of attacks against many different systems and of system users failing to secure their systems.
DevSecOps is having a positive impact on security, but the state of security still has a long way to go, as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET applications contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still be riddled with security vulnerabilities.
Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information as well as potentially damaging the reputation of your business. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.
4 mobile security threats that companies must fight in 2019: Cryptojacking, Data breaches, Insecure networks and Social engineering attacks. Also Mobile Spear phishing campaigns will form the cornerstone for targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite 5G hype. I don’t expect the assault on mobile to slow down as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.
Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation, hardware-backed security. There are also new protections for the Application Sandbox.
Ultrasonic Tracking Beacons are on the Rise. A beacon is an inaudible sound with encoded data that a listening device with a suitable application can receive, and the information carried could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.
PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign was spotted in the well-known Emotet Banking Trojan, which makes use of Freeware system tools but with an obscure purpose.
Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allows users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for the new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.
It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of the cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.
Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security Threats. But do we understand the 5G security threats to come? Most probably not, because it seems that the general understanding of 5G is pretty shallow in very many organizations. Many countries are not comfortable with Chinese vendors building their 5G networks.
Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is potential risk that Surveillance Inhibits Freedom of Expression.
Old outdated encryption technologies refuse to die. MD5 and SHA-1 were still used in 2018 and their use does not seem to be ending in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.
Law is trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep the Internet safe.
The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.
The use of bug bounty programs to find security vulnerabilities in software and services is increasing. In January, the EU starts running Bug Bounties on Free and Open Source Software, with the European Commission offering bug bounties on 14 Free Software projects, such as Notepad++ and VLC, that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program.
You might need a password manager in 2019 more than you need it now. If you thought passwords would soon be dead, think again. They’re here to stay, for now. Passwords are cumbersome and hard to remember and sometimes easily hackable. Nobody likes passwords, but they’re a fact of life. How do you make them better? You need a password manager. Some proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.
Two-factor authentication can also save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts, and it usually (when implemented well) only adds a few extra seconds to your day.
Two factor authentication has been considered as best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
Two factor authentication can be hacked. Phishing Attempts That Bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write-up about phishing attacks that are bypassing 2FA. If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account, as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to a more robust method.
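The reason SMS and authenticator-app codes are phishable, and FIDO2 tokens (mentioned under the password-manager paragraph above) are not, is visible in how such a code is checked. The following is an added example, not code from the original post or from any vendor: a standard RFC 4226/6238 one-time-code implementation whose verifier knows only the shared secret and the clock, so a code typed into a look-alike page and relayed within the skew window is indistinguishable from a genuine login. The `last_used_step` bookkeeping is the one server-side mitigation the scheme itself offers (a code accepted once is never accepted again); the secret and timestamps come from the RFC test vectors.

```python
"""TOTP (RFC 6238) verification with skew window and replay rejection (added example)."""
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP over the current 30-second time step. Nothing here names a site or origin."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_step: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time step the code matched, or None if it is rejected.

    `window` steps of clock skew are tolerated on each side, the usual server
    setting; that tolerance is also the grace period a relayed code enjoys.
    Any step at or before `last_used_step` is refused so an intercepted code
    cannot be replayed after the victim's own login consumed it.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):  # constant-time compare
            return candidate
    return None


# RFC 6238 Appendix B shared secret (ASCII "12345678901234567890"), used by the test vectors.
RFC_SECRET = b"12345678901234567890"
```

Verification succeeds for any step inside the window, so a code captured at time T is still accepted a few seconds later; once the step is recorded as used, the same code is refused.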
Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.
Tomi Engdahl says:
This Toy Can Open Any Garage
https://www.youtube.com/watch?v=CNodxp9Jy4A
Or almost any garage – it’s particularly good with fixed code gates and garages. Samy proposes other weaknesses with rolling codes.
Tomi Engdahl says:
Microsoft Chief Calls for ‘Global Standard’ on Privacy
https://www.securityweek.com/microsoft-chief-calls-global-standard-privacy
Microsoft Joins Apple in Calling for Strong Privacy Legislation
In an interview this week at the World Economic Forum Annual Meeting in Davos, Switzerland, Microsoft CEO Satya Nadella praised the EU’s GDPR and called it a “fantastic start on really treating privacy as a human right.”
He went on to say, “In fact I will hope that the world over, we all converge on a common standard. One of the things we do not want to do is fragment the world and increase transaction costs, because ultimately it’s going to be born in our economic figures. I hope we all come together, the United States and Europe first, and China. All the three regions will have to come together and set a global standard.”
The implication is that GDPR should be used as a blueprint for worldwide user privacy protections.
But is this realistic?
The latest proposal, the ADD Act, put forward by Sen Marco Rubio, is already weaker than GDPR in the exemptions it makes.
Tomi Engdahl says:
GDPR Compliance Brings Other Benefits: Cisco Study
https://www.securityweek.com/gdpr-compliance-brings-other-benefits-cisco-study
Companies that are ready for the EU’s General Data Protection Regulation (GDPR) have reported shorter sales delays and fewer or less serious data breaches, according to Cisco’s 2019 Data Privacy Benchmark Study.
The Data Privacy Benchmark Study shows that organizations that have invested in customer privacy requirements, mainly to become GDPR compliant and to avoid fines and penalties, are seeing some benefits beyond GDPR compliance.
According to Cisco, 59% of respondents said their organization had met GDPR requirements and 29% expect to become compliant within one year.
Tomi Engdahl says:
Microsoft CEO: Face recognition technology is basically the Wild West right now
https://bgr.com/2019/01/24/microsoft-facial-recognition-regulation-needed-privacy/
Tomi Engdahl says:
‘The goal is to automate us’: welcome to the age of surveillance capitalism
https://www.theguardian.com/technology/2019/jan/20/shoshana-zuboff-age-of-surveillance-capitalism-google-facebook
Shoshana Zuboff’s new book is a chilling exposé of the business model that underpins the digital world. Observer tech columnist John Naughton explains the importance of Zuboff’s work and asks the author 10 key questions
Tomi Engdahl says:
Hackers are still using cloud services to mask attack origin and build false trust
https://www.techrepublic.com/article/hackers-are-still-using-cloud-services-to-mask-attack-origin-and-build-false-trust/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5c4a0c6404d30148f5e50056&utm_medium=trueAnthem&utm_source=facebook&fbclid=IwAR15tpMd6V18SkLWQcy6Bi2IY2kGvz9jF54I74AcT0CQWZ2YEJW4OEDIC_o
Using Google App Engine to mask the destination of links is a staggeringly easy way to conduct a phishing campaign, but Google claims it is not their problem.
Tomi Engdahl says:
These Girl Scouts are earning patches for cybersecurity skills
https://mashable.com/article/girl-scouts-hewlett-packard-cybersecurity/?europe=true&utm_source=social&utm_medium=facebook&utm_campaign=mash-com-fb-main-link&utm_content=tech#K4NwSTBcrsqr
In 2018, Girl Scouts of the USA announced a new set of STEM-oriented badges, including three cybersecurity challenges. Now, the largest Girl Scouts council in the country, Girl Scouts Nation’s Capital (GSNC — located in the D.C. area) is working with Hewlett Packard Enterprise (HPE) to take its troops’ cyber skills to the next level.
Tomi Engdahl says:
A DNS hijacking wave is targeting companies at an almost unprecedented scale
https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/
Clever trick allows attackers to obtain valid TLS certificate for hijacked domains.
Tomi Engdahl says:
British Companies Are Implanting Microchips in Their Employees
https://futurism.com/british-companies-implanting-microchips
It’s a convenient way to deal with security, but it raises privacy concerns
Tomi Engdahl says:
Oculus co-founder Palmer Luckey is making a ‘virtual’ border wall with A.I., and it’s already working
https://www.cnbc.com/2019/01/15/oculus-co-founder-palmer-luckey-wants-to-build-a-virtual-border-wall.html
Virtual reality technology made Palmer Luckey a multi-millionaire. Now, the Oculus co-founder’s new company is using artificial intelligence technology to create a high-tech surveillance system that could be used to build a “virtual wall” on the southern US border.
Tomi Engdahl says:
Russell Brandom / The Verge:
Illinois Supreme Court rules that companies can be sued for collecting biometric data without opt-in consent, even if no tangible injury was demonstrated
Crucial biometric privacy law survives Illinois court fight
https://www.theverge.com/2019/1/26/18197567/six-flags-illinois-biometric-information-privacy-act-facial-recognition
Privacy advocates won a crucial court victory on Friday, as the Illinois Supreme Court dismissed a case that would have pared back a state law limiting the use of facial recognition and other biometrics.
Passed in 2008, Illinois’ Biometric Information Privacy Act (or BIPA) requires affirmative consent for companies to collect biometric markers from their customers, including fingerprints and facial recognition models. The law has become a sticking point for a number of tech companies using facial recognition as a photo-sorting tool, and both Facebook and Google have faced lawsuits for alleged BIPA violations in their photo-tagging products. Facebook has pushed for legislative revisions to the law on several occasions, but so far unsuccessfully.
Tomi Engdahl says:
I asked an online tracking company for all of my data and here’s what I found
https://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found
Tomi Engdahl says:
Mike Isaac / New York Times:
Sources: Zuckerberg plans to add end-to-end encryption to Instagram and Messenger and integrate their messaging infrastructure and WhatsApp’s by end of the year
http://www.nytimes.com/2019/01/25/technology/facebook-instagram-whatsapp-messenger.html
Kurt Wagner / Recode:
Zuckerberg’s WSJ op-ed and rumored push to unify messaging infrastructure across Facebook’s apps may be signs of company’s increased concern about regulation — It sure feels like regulation is coming for Facebook. — The threat of government regulation has been looming over Facebook …
http://www.recode.net/2019/1/26/18197883/mark-zuckerberg-wsj-regulation-messaging-monopoly
Tomi Engdahl says:
Enhance Your Security Posture Through Security Services
https://www.securityweek.com/enhance-your-security-posture-through-security-services
Cybercriminals are continually changing their attacks and techniques to stay ahead of security countermeasures. This continuous threat evolution has forced organizations to be consistently prepared to defend against something new at all times. Success relies on somehow anticipating the next threat to close the gap between its launch and being able to detect and stop it.
The challenge is that networks, devices, and applications are being added to networks at an unprecedented rate, complicating the ability of organizations to see and manage their expanding security footprint. Likewise, the growing cybersecurity skills gap means that keeping up with advancing security challenges is stretching available IT resources to the breaking point. All but the most well-funded organizations are struggling to keep up, and even those rarely have the range of skills in-house to secure every new network system and device being added to the network.
Tomi Engdahl says:
Skill Squatting: The Next Consumer IoT Nightmare?
https://www.securityweek.com/skill-squatting-next-consumer-iot-nightmare
Connected devices are proliferating at a rapid rate, and this growth means that we’re only just beginning to scratch beneath the surface with potential use cases for Internet of Things (IoT) technology. IoT has quickly moved beyond basic internet-connected gadgets and wearables to more sophisticated interactive features like voice processing, which in turn has led to a significant rise in voice-activated devices such as smart speakers.
32 percent of surveyed consumers reported owning a smart speaker in August 2018, compared with 28 percent in January of earlier that year, according to new research by Adobe Analytics. The adoption rate of voice assistant technology has overtaken even that of smartphones and tablets – in fact, some predict that as many as 225 million smart speakers will be in homes worldwide by 2020. But at what risk?
Voice assistant-powered devices rely on ‘skills,’ or combinations of verbal commands that instruct the assistant to perform a task. When a user gives a verbal command through a phrase or statement, the device registers the command and determines which skill the user would like to activate. From turning on the lights in your living room to adding an item to your grocery list – or even buying those groceries – for every command you give, there’s a skill attached to that task.
Every smart assistant has the ability to get even smarter with small software applets that allow it to run processes automatically. These applets will look for a statement and then act upon it by running a number of linked skills.
Voice processing technology does not always interpret commands correctly.
All of this potential for error exposes users to the risk of activating skills they did not intend to – and therefore opens up a new avenue for cybercriminals to exploit. Bad actors can develop skills that prey on predictable errors in hopes of redirecting commands to malicious skills designed to do things like grant access to password information, a home network or even transmit recordings to a third party. This is known as skill squatting.
Weaponized for Attacks
Although these attacks have not yet been found in the wild, the real-world repercussions are all too easy to imagine. We know from experience – and now research – that speech recognition systems make mistakes that could give cybercriminals access to a user’s home network. By activating a squatted skill, an unexpecting user could allow a malicious actor to extract information about their account, home network and even passwords before running the requested command. Because these devices typically operate quickly and without screens, the squatted skill would be activated so fast that the user would not notice. Like other attacks, cybercriminals can capitalize on human behavior and predictable errors to hijack intended commands and route users to malicious skills.
As of yet, there’s not a large attack of this nature on the scale or magnitude of WannaCry or Meltdown/Spectre to point to as a warning, but as with all new innovations, there will be breakdowns in speech/voice processing technology. Both cybersecurity professionals and consumers need to get serious about how to secure these devices. Just think about the nearly 50 percent of Americans who now own smart speakers – that’s a lot of vulnerable users for cybercriminals to target.
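One place a platform can push back on skill squatting is at skill registration, by refusing invocation names that sound like an existing one. The following is an added example, not code from the article: a registry-side check that compares a proposed name with the catalogue by phonetic key (Soundex over a few spelling folds) and by spelling similarity; every skill name in it is constructed for the demo.

```python
"""Registry-side check for skill-squatting collisions.

Added example, not from the SecurityWeek article: before a new voice skill is
published, compare its invocation name with the existing catalogue.  Squatting
works because the speech recogniser maps an utterance to a similarly pronounced
name, so the check looks at phonetic keys (Soundex over a few spelling folds)
and at spelling distance.  Every skill name below is constructed for the demo.
"""
import re
from difflib import SequenceMatcher

# Classic Soundex letter groups; vowels, h, w and y get no code.
_SOUNDEX_CODES = {
    **dict.fromkeys("bfpv", "1"),
    **dict.fromkeys("cgjkqsxz", "2"),
    **dict.fromkeys("dt", "3"),
    "l": "4",
    **dict.fromkeys("mn", "5"),
    "r": "6",
}


def soundex(word: str) -> str:
    """Return the 4-character Soundex key of a single word (e.g. boil -> B400)."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    coded = []
    prev = _SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        if ch in "hw":
            continue  # h and w do not separate letters with the same code
        code = _SOUNDEX_CODES.get(ch, "")
        if code and code != prev:
            coded.append(code)
        prev = code  # a vowel resets prev, so the same code after a vowel counts again
    return (word[0].upper() + "".join(coded) + "000")[:4]


def _normalize(name: str) -> str:
    """Lower-case, strip punctuation and fold spellings that sound the same
    (ph -> f, ck -> k, leading kn -> n, leading wr -> r)."""
    name = re.sub(r"[^a-z ]", " ", name.lower())
    name = name.replace("ph", "f").replace("ck", "k")
    name = re.sub(r"\bkn", "n", name)
    name = re.sub(r"\bwr", "r", name)
    return " ".join(name.split())


def phonetic_key(name: str) -> str:
    """Phonetic key of a multi-word invocation name: Soundex of each word."""
    return " ".join(soundex(w) for w in _normalize(name).split())


def squat_candidates(proposed: str, catalogue, spelling_threshold: float = 0.85):
    """Return [(existing_name, reason)] for catalogue entries the proposed
    name could be confused with: identical, same phonetic key (a homophone
    the recogniser cannot tell apart) or a near-identical spelling."""
    hits = []
    norm = _normalize(proposed)
    key = phonetic_key(proposed)
    for existing in catalogue:
        if _normalize(existing) == norm:
            hits.append((existing, "identical"))
        elif phonetic_key(existing) == key:
            hits.append((existing, "homophone"))
        else:
            ratio = SequenceMatcher(None, norm, _normalize(existing)).ratio()
            if ratio >= spelling_threshold:
                hits.append((existing, f"spelling similarity {ratio:.2f}"))
    return hits


# Constructed catalogue of invocation names already published on the platform.
CATALOGUE = ["boil an egg", "phil's pizza", "grocery list", "garage door"]

if __name__ == "__main__":
    for name in ("boyle an egg", "fill's pizza", "grocery lists", "weather today"):
        print(f"{name!r:16} -> {squat_candidates(name, CATALOGUE)}")
```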
Tomi Engdahl says:
Where To Begin With MITRE ATT&CK Matrix
https://www.securityweek.com/where-begin-mitre-attck-matrix
How You Can Put the MITRE ATT&CK Matrix to Work for Your Security Operations Team
For many organizations, the goal of cybersecurity is about preventing attackers from breaching their networks, which of course is a valid and completely legitimate goal. But what these organizations aren’t planning for is that the security controls and policies they implement will be circumvented.
The best security prevention measures react to the threat landscape – they don’t shape it. Whether it’s a human being stealing usernames and passwords or an employee tricked into clicking a malicious link sent via email, intruders are often ahead of the curve.
The longer a bad actor resides inside your company network, the greater the risk to your customers, finances and reputation – so it’s important to practice with scenarios that assume a successful foothold was obtained.
Many security practitioners are turning to the MITRE ATT&CK matrix as a means of understanding post-compromise techniques. The ATT&CK matrix is a collection of more than 200 adversary tactics and techniques based on real-world observations and research shared by the global security community.
Tomi Engdahl says:
APNewsBreak: Undercover agents target cybersecurity watchdog
https://www.seattletimes.com/business/apnewsbreak-undercover-agents-target-cybersecurity-watchdog-2/
Tomi Engdahl says:
DON’T TOSS THAT BULB, IT KNOWS YOUR PASSWORD
https://hackaday.com/2019/01/29/dont-toss-that-bulb-it-knows-your-password/
In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.
https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/
Tomi Engdahl says:
Facebook pays teens to install VPN that spies on them
https://techcrunch.com/2019/01/29/facebook-project-atlas/?utm_source=tcfbpage&sr_share=facebook
Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.
Tomi Engdahl says:
Download the Latest DoD Cybersecurity Chart Here:
https://dodiac.dtic.mil/dod-cybersecurity-policy-chart/
The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.
Tomi Engdahl says:
Too few cybersecurity professionals is a gigantic problem for 2019
https://techcrunch.com/2019/01/27/too-few-cybersecurity-professionals-is-a-gigantic-problem-for-2019/
As the new year begins gaining steam, there is ostensibly a piece of good news on the cyber front. Major cyberattacks have been in a lull in recent months, and still are.
The good tidings are fleeting, however. Attacks typically come in waves. The next one is due, and 2019 will be the worst year yet — a sad reality as companies increasingly pursue digitization to drive efficiency and simultaneously move into the “target zone” of cyberattacks.
This bad news is compounded by the harsh reality that there are not nearly enough cybersecurity pros to properly respond to all the threats.
Tomi Engdahl says:
Global gap of nearly 3 million cybersecurity positions
https://techcrunch.com/2019/01/27/too-few-cybersecurity-professionals-is-a-gigantic-problem-for-2019/
In a recent study, (ISC)2 — the world’s largest nonprofit association of certified cybersecurity pros — said there is now a gap of almost 3 million cybersecurity jobs globally — substantially more than other experts said might be the case years into the future.
Only recently has formal training existed.
Tomi Engdahl says:
Without proof, is Huawei still a national security threat?
https://techcrunch.com/2019/01/26/is-huawei-a-national-security-threat/?utm_source=tcfbpage&sr_share=facebook
Tomi Engdahl says:
Theoretical Ransomware Attack Could Lead to Global Damages Says Report
https://www.bleepingcomputer.com/news/security/theoretical-ransomware-attack-could-lead-to-global-damages-says-report/
According to a speculative cyber risk scenario prepared by Cambridge University for risk management purposes, a ransomware strain that would manage to impact more than 600,000 businesses worldwide within 24 hours would potentially lead to damages of billions not covered by insurers.
First of all, it is important to understand that although the numbers look very scary, this type of an attack is practically impossible to pull off at the moment when taking into consideration the current capabilities of malware, anti-malware, and current IT ecosystems.
Insurance firms refusing to cover ransomware attack losses
Although the report “identifies opportunities for insurers to expand their business in insurance classes associated with ransomware attacks,” quite recent events show that, in some circumstances, insurers have refused to cover the losses generated by ransomware attacks.
According to the “hypothetical scenario developed as a stress test for risk management purposes” presented in the report, the speculative global cyber attack could lead to economic damages of at least $85 billion in the least severe scenario and up to $193 billion in the worst possible case.
The Lloyd’s press release through which the report was published, says that:
In the report’s scenario, the attack is launched through an infected email, which once opened is forwarded to all contacts and within 24 hours encrypts all data on 30 million devices worldwide. Companies of all sizes would be forced to pay a ransom to decrypt their data or to replace their infected devices. The report, [..] shows a ransomware attack on this scale would cause substantial economic damage to a wide range of business sectors through reduced productivity and consumption, IT clean-up costs, ransom payments and supply chain disruption.
https://www.lloyds.com/news-and-risk-insight/press-releases/2019/01/global-ransomware-attack
Tomi Engdahl says:
Psychological warfare and information operations: the real threat to Western democracy
By Joep Gommers, 2019-01-30
https://www.itproportal.com/features/psychological-warfare-and-information-operations-the-real-threat-to-western-democracy/
Misinformation could become an even more common factor in the future.
Over the past couple of years, names such as WikiLeaks, Steve Bannon and Cambridge Analytica have become increasingly known among the general public, serving as evidence of the extent to which Western democracy is now believed to be under threat.
significant threat to democracy, and one that has made its way into common parlance thanks to President Trump himself, is that of misinformation, also known as ‘fake news’. Psychological operations can be employed as a means of changing public opinion toward a particular economically or politically motivated agenda.
Traditional tactics
Information operations and psychological warfare have long been employed as standard tactics when entering a theatre of conflict. Traditional methods would involve agents on the ground speaking with locals to win their acceptance of an invading force, or distributing pamphlets explaining the invaders’ intentions. For a more impactful campaign, heads of local businesses or particular areas would be employed as advocates for the cause; recruiting people in whom the population held a degree of trust, such as leaders of particular factions or trade houses, made it significantly easier to spread the desired message.
Methods such as these have been used by intelligence agencies for decades.
Inevitably, of course, these traditional tactics have moved into the digital world. With more than half of the world’s population now online, nation states, agencies and even solo actors are able to quickly and easily spread information – or misinformation – among entire sections of the populace in order to influence the way they think.
An orchestrated campaign
It is widely believed that Russia has taken to the web in a bid to upset democracy in the West, the most high-profile example being a series of campaigns aimed at diminishing the ability of the U.S. to trade with its global partners, destabilise its government and generally cause civil unrest.
As part of a campaign believed by the US intelligence community to have been orchestrated by Russian intelligence to assist Donald Trump in his campaign for the U.S. presidency, the Democratic National Congress (DNC) famously suffered a serious data breach when hackers infiltrated its servers before and during the 2016 elections.
A focus for the future
It is highly unlikely that the 2016 U.S. presidential election will be the last instance we see of a foreign power attempting to hack an election and influence the democratic process of another country. We can safely predict too that nation states will increasingly make use of information operations in their ongoing attempts to affect the way in which a population thinks. Indeed, we haven’t even touched on the possibility of external interference on either side of the Brexit campaign.
https://www.foreign.senate.gov/imo/media/doc/FinalRR.pdf
Tomi Engdahl says:
YouTube Strikes Now Being Used as Scammers’ Extortion Tool
By Andy on January 30, 2019
https://torrentfreak.com/youtube-strikes-now-being-used-as-scammers-extortion-tool/
In a terrible abuse of YouTube’s copyright system, a YouTuber is reporting that scammers are using the platform’s “three strike” system for extortion. After filing two false claims against ObbyRaidz, the scammers contacted him demanding cash to avoid a third – and the termination of his channel.
Every week, millions of YouTubers upload content for pleasure and indeed profit, hoping to reach a wide audience with their topics of choice.
On occasion, these users run into trouble by using content to which they don’t own the copyrights, such as a music track or similar.
While these complaints can often be dealt with quickly and relatively amicably using YouTube’s Content ID system, allegedly-infringing users can also get a so-called ‘strike’ against their account. Get three of these and a carefully maintained channel, with countless hours of work behind it, can be rendered dead by YouTube.
Tomi Engdahl says:
How CISOs Can Demonstrate Business Value
https://www.securityweek.com/how-cisos-can-demonstrate-business-value
CISOs Must Clearly Demonstrate Their Value to the Business in Dollars and Cents
If you’re the typical CISO or other level of information security officer, chances are this job description sounds about right:
“My role is to manage information security to keep the business secure.”
And your success metrics – how you communicate what you do to the rest of business – probably relate to maintenance and improvement of the technical aspects for security, such as vulnerabilities patched or NIST CSF maturity levels met.
To truly succeed in their roles, CISOs must clearly demonstrate their value to the business in dollars and cents. That’s going to mean shifting their branding from “minimize threats and vulnerabilities” to include “providing options for business enablement”, where trade-offs between security investments levels and resulting risks are clearly articulated for informed business decisions to be made.
CISOs need to focus on the strategic objectives of the business, as well as the people, technology and processes supporting the most important functions of the business. The technical side of security needs to be seen as part of that whole. For example, your risk register. Most risk registers are run as a ledger book, a place to record control deficiencies, audit findings and policy exceptions or just vague categories of worrisome things like “moving to the cloud”.
Those entries may get categorized based on the gut feel of analysts as high-medium-low risk (most likely medium!) or just left in an undifferentiated pile. Either way, no effort is made to relate these “risks” to anything the business cares about – like a potential financial loss.
ADP has a better way. The human resources and payroll services company, and one of the most sophisticated cyber risk managers around, has two rules for risk register management, as described by ADP’s Lead Security Consultant, Marta Palanques, at the FAIR Conference 2017:
1. Every entry must relate to an IT asset that must in turn relate to a product line. For instance, the risk might be loss of a data center that knocks out servers that run applications that run products that bring in revenue.
2. Every entry must be defined as a “loss event” according to the standard FAIR model (Factor Analysis of Information Risk) for cyber risk quantification, with a potential frequency and impact in dollar terms (as in lost revenue from the data center outage).
A risk register like ADP’s clearly demonstrates the business value of cybersecurity and quantification is the key. With an estimate in dollar terms of loss events, CISOs can also prioritize a Top Risks list based on relative ranges of potential losses then rank, for instance, the cost of that application going down vs. the loss by data breach of the customer information tied to that application.
The next step in the value chain is to answer the question, “Among our top risks, what’s the return on investment for mitigation?”
Next, risk analysts can seek to answer the question of whether actual loss exposure is decreasing over time.
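The two ADP rules and the follow-up questions (Top Risks ranking, mitigation ROI, exposure over time) are concrete enough to put in code. The following is an added example, not ADP's or the article's code: a small FAIR-style register where every entry must chain an asset to a product line and carry frequency and dollar-impact ranges; all assets, products and figures in it are constructed.

```python
"""A FAIR-style risk register following the two ADP rules above.

Added example, not ADP's or the article's code.  Rule 1: every entry must tie
an IT asset to a product line.  Rule 2: every entry is a loss event with a
frequency and a dollar impact.  Both are given as (low, high) ranges so the
register can rank a Top Risks list by range of annualised loss, price a
mitigation's return on investment and track total exposure between reviews.
All assets, products, frequencies and dollar figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[float, float]  # (low, high) estimate


@dataclass(frozen=True)
class LossEvent:
    name: str
    asset: str                # IT asset at risk (rule 1)
    freq_per_year: Range      # loss event frequency, events per year (rule 2)
    loss_per_event: Range     # loss magnitude per event in dollars (rule 2)

    def annual_loss(self) -> Range:
        """Annualised loss exposure: frequency x magnitude at both ends."""
        return (self.freq_per_year[0] * self.loss_per_event[0],
                self.freq_per_year[1] * self.loss_per_event[1])


class RiskRegister:
    def __init__(self, asset_to_product: Dict[str, str]):
        # Asset -> product line map; an asset outside it cannot be tied to
        # revenue, so entries about it are rejected (rule 1).
        self.asset_to_product = asset_to_product
        self.entries: List[LossEvent] = []

    def add(self, event: LossEvent) -> None:
        if event.asset not in self.asset_to_product:
            raise ValueError(f"{event.name}: asset {event.asset!r} maps to no product line")
        for lo, hi in (event.freq_per_year, event.loss_per_event):
            if not 0 <= lo <= hi:
                raise ValueError(f"{event.name}: ({lo}, {hi}) is not 0 <= low <= high")
        self.entries.append(event)

    def top_risks(self) -> List[Tuple[str, str, Range]]:
        """(event, product line, annual loss range), worst high end first."""
        ranked = sorted(self.entries, key=lambda e: e.annual_loss()[1], reverse=True)
        return [(e.name, self.asset_to_product[e.asset], e.annual_loss()) for e in ranked]

    def total_exposure(self) -> Range:
        """Sum of the annual loss ranges; compare the value across reviews to
        see whether exposure is actually decreasing over time."""
        return (sum(e.annual_loss()[0] for e in self.entries),
                sum(e.annual_loss()[1] for e in self.entries))


def mitigation_roi(before: LossEvent, after: LossEvent, annual_cost: float) -> Range:
    """ROI range of a control: (loss reduction - cost) / cost, where `after`
    is the same loss event re-estimated with the control in place.  The low
    end pairs the two low estimates, the high end the two high estimates."""
    (b_lo, b_hi), (a_lo, a_hi) = before.annual_loss(), after.annual_loss()
    return ((b_lo - a_lo - annual_cost) / annual_cost,
            (b_hi - a_hi - annual_cost) / annual_cost)


# Constructed asset inventory: every asset chains to a product line.
ASSET_TO_PRODUCT = {"dc-east": "payroll", "pay-app-db": "payroll", "hr-portal": "hr-services"}

OUTAGE = LossEvent("data center outage", "dc-east", (0.1, 0.5), (200_000, 2_000_000))
EVENTS = [
    OUTAGE,
    LossEvent("customer data breach", "pay-app-db", (0.05, 0.3), (1_000_000, 5_000_000)),
    LossEvent("hr portal credential stuffing", "hr-portal", (1, 4), (10_000, 50_000)),
]
# The outage re-estimated with a backup generator in place (constructed).
OUTAGE_WITH_GENERATOR = LossEvent("data center outage", "dc-east", (0.02, 0.1), (200_000, 2_000_000))


def build_register() -> RiskRegister:
    reg = RiskRegister(ASSET_TO_PRODUCT)
    for event in EVENTS:
        reg.add(event)
    return reg


if __name__ == "__main__":
    reg = build_register()
    for name, product, (lo, hi) in reg.top_risks():
        print(f"{name:32} {product:12} ${lo:>12,.0f} .. ${hi:>12,.0f}")
    print("total exposure:", reg.total_exposure())
    print("ROI of generator (cost $100k/yr):", mitigation_roi(OUTAGE, OUTAGE_WITH_GENERATOR, 100_000))
    try:
        reg.add(LossEvent("lab printer failure", "lab-printer", (1, 2), (500, 1_000)))
    except ValueError as err:
        print("rejected:", err)  # asset not tied to a product line
```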
Tomi Engdahl says:
Internet Society Publishes Privacy Code of Conduct
https://www.securityweek.com/internet-society-publishes-privacy-code-conduct
It is against this background that the Internet Society published on Monday (International Privacy Day) its Privacy Code of Conduct (PDF) — nine steps that all companies should take to ensure data privacy. The first principle combines the notions of this dual moral and economic need: Become Data Stewards. “Act as custodians of users’ personal data — protect the data, not just out of business necessity [legal and economic], but on behalf of the people who have trusted you with it [moral].”
The remaining eight steps comprise:
Be accountable. This effectively means ‘be transparent’. Conform to independent privacy audits; and if anything goes wrong, be open about it.
Don’t hide behind ‘user consent’. A user might consent to the collection of certain personal data; but that does not give a company carte blanche on how that data is used.
Provide user-friendly privacy information. Companies should do this as a matter of course — but it should be noted that failure to do so is not without legal ramifications. On 21 January, the French data protection regulator (CNIL) fined Google €50 million because, in part, “the information provided by GOOGLE is not easily accessible for users,” and where it is accessible, “is not always clear nor comprehensive”.
Give people control over their privacy. This combines some of the other principles: allow users to see how their data is used, and give them control over that usage.
Respect context. Again, this is flavored by other principles; privacy controls should be easy-to-use, and privacy should be the default, not an option.
Protect “anonymized” data as if it were personal data. Just because personal data has been anonymized, that does not mean that companies can be cavalier over its use. De-anonymization is relatively easy, especially when the anonymized data is amalgamated with other clear data. Individuals can still be recognized.
Encourage researchers to highlight privacy flaws. The days of companies trying to protect their reputation by threatening legal action against researchers should be long gone. We’re now in the era of bug bounties; and this is a good thing. ‘Paying’ researchers to find flaws makes economic sense — and is generally more effective and efficient than using in-house staff. Companies now should “provide an open, transparent process for responsible disclosure.”
The final code brings us full circle to the combination of moral and legal requirements for data privacy: ‘Set privacy standards above and beyond what the law requires’. It is companies, says the Internet Society, that “should set the next generation of privacy standards.”
https://www.internetsociety.org/wp-content/uploads/2019/01/9-Steps-Companies-Must-Take-to-Ensure-Data-Privacy.pdf
Tomi Engdahl says:
A Cybersecurity Strategy to Secure the Real World
https://www.electronicdesign.com/industrial-automation/cybersecurity-strategy-secure-real-world?NL=ED-005&Issue=ED-005_20190130_ED-005_429&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=22981&utm_medium=email&elq2=dca7adcc1c864f9598ffc4455cdcbd87
With the ever-evolving and expanding connected world, cybersecurity tries to keep pace, thus making it more complex and tougher to understand. One company has a plan to simplify it all.
When it comes to cybersecurity, complexity is the enemy. For every 1,000 lines of code, there are two to three coding errors, which provide avenues to maliciously exploit a system. Implementing cybersecurity at the point of lowest complexity creates an environment that’s more assured to have correctly implemented security. Secure operations can take place within security boundaries implemented within the edge devices, pushing the chain of trust closer to the real world.
In highly complex networks, organizations and individuals must continually update applications and configurations to protect against the latest threats. At the device level, one can limit the secure operations to a footprint that becomes much more manageable throughout the product’s lifecycle.
Implementing cybersecurity where the physical world meets the digital world offers the highest level of security by establishing trusted data earlier in the signal chain. As IT and OT converge, cybersecurity will not simply be an IT network problem.
Tomi Engdahl says:
Mayhem, the Machine That Finds Software Vulnerabilities, Then Patches Them
https://spectrum.ieee.org/computing/software/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Back in 2011, when the venture capitalist Marc Andreessen said that “software is eating the world,” it was still a fresh idea. Now it’s obvious that software permeates our lives. From complex electronics like medical devices and autonomous vehicles to simple objects like Internet-connected lightbulbs and thermometers, we’re surrounded by software.
And that means we’re all more exposed to attacks on that software than ever before.
Every year, 111 billion lines are added to the mass of software code in existence, and every line presents a potential new target.
Research firm Cybersecurity Ventures predicts that system break-ins made through a previously unknown weakness—what the industry calls “zero-day exploits”—will average one per day in the United States by 2021, up from one per week in 2015.
The cybersecurity battleground is populated by hackers who are technically skilled and, at the highest levels, creative in exploiting weaknesses in software to penetrate an organization’s defenses.
Our research at CMU had begun with a simple premise: People need a way to check the software they’re buying and ensure that it’s safe. Coders will, of course, make a due-diligence effort to flush out security flaws, but their main concerns are always more basic: They have to ship their product on time and ensure that it does what it’s supposed to do. The problem is that hackers will find ways to make the software do things it’s not supposed to do.
Today’s state of the art for software security involves using special tools to review the source code and to flag potential security weaknesses. Because that process produces a lot of false positives—flagging things that in fact are not weaknesses—a human being must then go through and check every case.
The system we entered in the competition, Mayhem, automated what white-hat hackers do. It not only pointed to possible weaknesses, it exploited them, thus proving conclusively that they were in fact weaknesses.
Tomi Engdahl says:
GitHub Helps Developers Keep Dependencies Secure via Dependabot
https://www.securityweek.com/github-helps-developers-keep-dependencies-secure-dependabot
Microsoft-owned GitHub informed developers on Thursday that they can easily ensure that the dependencies used by their applications are always secure and up to date through an integration of its Security Advisory API with Dependabot.
Created by London-based developer Grey Baker, Dependabot is a management tool that helps GitHub users keep their dependencies up to date. The tool checks a user’s dependency files every day and creates pull requests in case an update is available. Users can manually review the requests and merge them, or they can configure Dependabot for automatic merger based on certain criteria.
https://github.com/marketplace/dependabot
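As an added example, not Dependabot's or GitHub's own code, here is the core check such a tool performs on a schedule: parse the pinned requirements file, compare each pin against an advisory feed, and produce the bumped file a pull request would carry. The package names, versions and advisory ids are constructed for illustration.

```python
"""Pinned-dependency advisory check. Added example, not Dependabot code.
Package names, versions and advisory ids below are constructed."""
import re

# Only exact pins (name==version) are handled; version ranges are out of scope.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)\s*(?:#.*)?$")


def parse_version(v):
    """'2.4.1' -> (2, 4, 1); trailing zeros are dropped so 1.0 == 1.0.0."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text):
    """Return {package: pinned_version} from requirements.txt content."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def check_requirements(text, advisories):
    """Every pin whose version is below an advisory's fixed_in is a finding."""
    pins = parse_requirements(text)
    findings = []
    for adv in advisories:
        name = adv["package"].lower()
        if name in pins and parse_version(pins[name]) < parse_version(adv["fixed_in"]):
            findings.append({"package": name, "current": pins[name],
                             "fixed_in": adv["fixed_in"], "advisory": adv["id"]})
    return findings


def bump_requirements(text, findings):
    """Rewrite affected pins to the fixed version: the diff a PR would carry."""
    fixes = {f["package"]: f["fixed_in"] for f in findings}
    out = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(1).lower() in fixes:
            # Replace only the version span, never the package name.
            line = line[:m.start(2)] + fixes[m.group(1).lower()] + line[m.end(2):]
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample input: a requirements file and an advisory feed.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
webframework==2.3.0
jsonlib==1.0.5
crypto-helper==0.9.0  # pinned below the fixed release
"""
SAMPLE_ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "package": "webframework", "fixed_in": "2.4.1"},
    {"id": "ADV-CONSTRUCTED-002", "package": "jsonlib", "fixed_in": "0.8.0"},
    {"id": "ADV-CONSTRUCTED-003", "package": "crypto-helper", "fixed_in": "1.0.0"},
]

if __name__ == "__main__":
    found = check_requirements(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f['package']}: {f['current']} -> {f['fixed_in']} ({f['advisory']})")
    print(bump_requirements(SAMPLE_REQUIREMENTS, found))
```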
Tomi Engdahl says:
Why User Names and Passwords Are Not Enough
https://www.securityweek.com/why-user-names-and-passwords-are-not-enough
Security Leaders are Finally Recognizing How Big of a Problem Credential Compromises Are
Over the past few years, it’s become evident that attackers are no longer “hacking” to carry out data breaches ― they are simply logging in by exploiting weak, stolen, or otherwise compromised credentials. That’s why this month’s discovery of a massive repository of 773 million email addresses and more than 21 million passwords floating on the Dark Web doesn’t come as a surprise to many security experts. It’s just further proof that identity has become the new security perimeter and the battleground for mitigating cyber-attacks that impersonate legitimate users.
Typically, hackers seek the path of least resistance and target the weakest link in the cyber defense chain ― humans. Consequently, most of today’s data breaches are front-ended by credential harvesting campaigns, followed by credential stuffing attacks.
Forrester Research has estimated that despite continually-increasing cyber security budgets, 80 percent of security breaches involve privileged access abuse and 66% of companies have been breached an average of five or more times. As a result, organizations need to look beyond user names and passwords when it comes to authenticating employees to protect accounts and secure access to valuable data and critical systems.
The State of Multi-Factor Authentication
Instead of relying solely on user names and passwords, security professionals should consider adding an additional security layer for their access controls by implementing multi-factor authentication (MFA). In fact, it appears that security leaders are finally recognizing how big of a problem credential compromises are, and they are working to mitigate the risks through stronger forms of authentication. A recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication.
The most common MFA options include:
• Security Questions – One or more security questions can be used as the simplest form of authentication using something the user knows.
• One-Time-Passcodes – One-time-passcodes delivered via email or SMS message can be used as a second factor for authentication purposes. However, it’s been well documented that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technology (NIST) in its Special Publication 800-63 Guidelines recommends restricting the use of SMS for an OTP and advises to completely remove OTP via email. The weaknesses that OTP represents were also illustrated by last year’s Reddit hack.
• OATH Tokens – An OATH token is a secure one-time-password that can be used for two-factor authentication. The OATH token is sent to a device as a one-time-password to increase security in authentication.
• Phone Call with PIN Verification – A phone call with PIN verification can be used with any phone number available from the enterprise directory, mobile, office, or home phone number. The user just must validate the PIN once they answer the phone.
• Mobile Push Notifications – Mobile push notifications to a mobile authentication app for iOS and Android devices allow for a simple swipe after unlocking the smartphone to verify the authentication.
• FIDO U2F Security Keys – FIDO U2F Security Keys represent a very simple to deploy option that also provides the highest security assurance when combined with the user’s password.
• Smart Cards – Smart Cards can also be used for authentication and provide the highest assurance level once validated and verified against an organization’s corporate directory.
Industry and regulatory standards such as PCI DSS, NIST 800-63, PSD2, and GDPR are requiring security controls that provide higher assurance levels, such as authentication that is based on proof of possession of a cryptographic key using a cryptographic protocol.
The benefits provided by level-3 compliant authentication methods have been demonstrated by Google. According to the company, its more than 85,000 employees have not been victimized by a significant phishing attack since the use of hardware-based, cryptographic authenticators was implemented.
Tomi Engdahl says:
Will quantum computing break security?
https://opensource.com/article/19/1/will-quantum-computing-break-security?sc_cid=7016000000127ECAAY
Over the past few years, a new type of computer has arrived on the block: the quantum computer.
And scary. Because one of the types of problems that quantum computers should be good at solving is decrypting encrypted messages, even without the keys.
Some good news
This is all scary stuff, but there’s good news of various types.
The first is that, in order to make any of this work at all, you need a quantum computer with a good number of qubits operating, and this is turning out to be hard. The general consensus is that we’ve got a few years before anybody has a “big” enough quantum computer to do serious damage to classical encryption algorithms.
Although there are theoretical models to show how to attack some of our existing algorithms, actually making them work is significantly harder than you or I might expect.
There are clever people out there who are designing quantum-computation-resistant algorithms (sometimes referred to as “post-quantum algorithms”) that we can use, at least for new encryption, once they’ve been tested and become widely available.
All in all, in fact, there’s a strong body of expert opinion that says we shouldn’t be overly worried about quantum computing breaking our encryption in the next five or even 10 years.
You should at least embrace the concept of crypto-agility: designing protocols and systems so you can swap out algorithms if required.
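The crypto-agility point above, as an added example that is not from the article: a message envelope that names its algorithm, a registry of algorithms, and a policy that separates "may sign with" from "still accepted", so a deprecated algorithm can be retired without a flag day. HMAC from the standard library stands in for the public-key signature a post-quantum migration would actually swap; the key ids and messages are constructed.

```python
"""Algorithm-agile message envelope. Added example (not from the article).
Keys and messages are constructed; HMAC stands in for the signature
scheme a post-quantum migration would replace."""
import hashlib
import hmac
import json

# Algorithm registry: the only place that knows how an identifier maps to a
# primitive. Adding or retiring an algorithm is an edit here plus a policy
# change, not a change to every caller.
ALGORITHMS = {
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA3-256": hashlib.sha3_256,
}


class Policy:
    """sign_with: the algorithm new envelopes use.
    accept: algorithms a verifier still honours (a deprecated one can stay
    here during a transition window and be dropped afterwards)."""

    def __init__(self, sign_with, accept):
        if sign_with not in ALGORITHMS or sign_with not in accept:
            raise ValueError("signing algorithm must be registered and accepted")
        self.sign_with = sign_with
        self.accept = frozenset(accept)


def _tag(alg, key, fields):
    # Canonical JSON of every field except the tag. Because 'alg' and 'kid'
    # are inside the MAC input, relabelling an envelope with a different
    # algorithm identifier invalidates its tag.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, ALGORITHMS[alg]).hexdigest()


def seal(payload, keys, kid, policy):
    env = {"v": 1, "alg": policy.sign_with, "kid": kid, "payload": payload}
    env["tag"] = _tag(env["alg"], keys[kid], env)
    return env


def open_envelope(env, keys, policy):
    alg = env.get("alg")
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm: {alg!r}")
    if alg not in policy.accept:
        raise ValueError(f"algorithm retired by policy: {alg}")
    kid = env.get("kid")
    if kid not in keys:
        raise ValueError(f"unknown key id: {kid!r}")
    fields = {k: v for k, v in env.items() if k != "tag"}
    if not hmac.compare_digest(_tag(alg, keys[kid], fields), env.get("tag", "")):
        raise ValueError("tag mismatch")
    return env["payload"]


def migrate(env, keys, policy):
    """Re-seal under policy.sign_with; the old algorithm only has to be in
    policy.accept, which is exactly the transition-window situation."""
    return seal(open_envelope(env, keys, policy), keys, env["kid"], policy)


def demo():
    keys = {"k1": b"constructed demo key, not a real secret"}
    msg = {"user": "alice", "action": "transfer", "amount": 5}
    legacy = Policy("HMAC-SHA256", {"HMAC-SHA256"})
    transition = Policy("HMAC-SHA3-256", {"HMAC-SHA256", "HMAC-SHA3-256"})
    final = Policy("HMAC-SHA3-256", {"HMAC-SHA3-256"})

    old = seal(msg, keys, "k1", legacy)
    new = migrate(old, keys, transition)  # old alg accepted, resealed with new
    results = {"old_alg": old["alg"], "new_alg": new["alg"],
               "new_payload_ok": open_envelope(new, keys, final) == msg}
    checks = (("old_under_final", old, final),
              ("relabelled", {**old, "alg": "HMAC-SHA3-256"}, transition))
    for name, env, pol in checks:
        try:
            open_envelope(env, keys, pol)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```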
Tomi Engdahl says:
Fighting Fire with Fire: API Automation Risks
https://threatpost.com/fighting-fire-with-fire-api-automation-risks/141163/
A look at API attack trends such as the current (and failing) architectural designs for addressing security of these API transactions.
Akamai research shows that 83 percent of all traffic on the web today is API calls (JSON / XML). In many cases this fast growth can be attributed to the adoption and popularity of mobile devices and the mobile app ecosystem, as well as the abuse by threat actors using bots to automate their manual attack processes. It’s been established that attackers are targeting public-facing APIs that can be easily discovered, but there’s a whole other attack surface that’s getting little attention.
Tomi Engdahl says:
The best antivirus software for Windows Home User
https://www.av-test.org/en/antivirus/home-windows/windows-10/december-2018/
Tomi Engdahl says:
13 quotes from George Orwell’s 1984 that resonate more than ever
https://inktank.fi/13-quotes-from-george-orwells-1984-that-resonate-more-than-ever/
Tomi Engdahl says:
Shodan Safari, where hackers heckle the worst devices put on the internet
https://techcrunch.com/2019/01/21/shodan-safari/?sr_share=facebook&utm_source=tcfbpage
Tomi Engdahl says:
Internet Outage or Internet Manipulation? New America lists government interference, DDoS attacks as top reasons for Internet Outages across the world
https://securityboulevard.com/2019/01/internet-outage-or-internet-manipulation-new-america-lists-government-interference-ddos-attacks-as-top-reasons-for-internet-outages-across-the-world/
On 17th January, New America published a blog post on the rising number of Internet blackouts since 2018, citing various examples for the same and hinting at political reasons behind it. The post also predicts the same trend to continue in 2019 owing to two factors: countries deliberately “turning off” the internet within their borders, and hackers attempting a distributed denial-of-service (DDoS) attack ultimately leading to internet disruptions.
Tomi Engdahl says:
These Are The Biggest Threats Facing The World In 2019
https://www.iflscience.com/environment/these-are-the-biggest-threats-facing-the-world-in-2019/
We’re only halfway through January and any attempt to look for the positives in 2019 is dissolving rapidly. The US government has smashed the record for longest shutdown and Brexit negotiations in the UK are, let’s say, not going well. Luckily, we’ve got some good news for you. Only kidding, here we bring you the biggest risks threatening the world this year, according to a top new report.
Each year the World Economic Forum’s Global Risk Report presents the results of its Global Risk Perception Survey
Environmental threats may dominate, but technological threats are also of high importance. Data fraud or theft, cyber attacks, and critical information infrastructure breakdown appear in the top 10 of both lists after a year of fake news and increasing email hacks.
Interestingly, the report also warns of unprecedented “geopolitical and geo-economic” tensions
“There has never been a more pressing need for a collaborative and multistakeholder approach to shared global problems,” Børge Brende, president of the WEF says in the report’s introduction.
Tomi Engdahl says:
The Evil-Twin Framework: A tool for testing WiFi security
https://opensource.com/article/19/1/evil-twin-framework?sc_cid=7016000000127ECAAY
Learn about a pen-testing tool intended to test the security of WiFi access points for all types of threats.
Tomi Engdahl says:
What can organizations learn from military cyberdefense?
https://www.pandasecurity.com/mediacenter/tips/military-cyberdefense-for-companies%EF%BB%BF/
Tomi Engdahl says:
Why User Names and Passwords Are Not Enough
https://www.securityweek.com/why-user-names-and-passwords-are-not-enough
Security Leaders are Finally Recognizing How Big of a Problem Credential Compromises Are
Over the past few years, it’s become evident that attackers are no longer “hacking” to carry out data breaches ― they are simply logging in by exploiting weak, stolen, or otherwise compromised credentials. That’s why this month’s discovery of a massive repository of 773 million email addresses and more than 21 million passwords floating on the Dark Web doesn’t come as a surprise to many security experts.
Typically, hackers seek the path of least resistance and target the weakest link in the cyber defense chain ― humans. Consequently, most of today’s data breaches are front-ended by credential harvesting campaigns, followed by credential stuffing attacks.
The State of Multi-Factor Authentication
Instead of relying solely on user names and passwords, security professionals should consider adding an additional security layer for their access controls by implementing multi-factor authentication (MFA). In fact, it appears that security leaders are finally recognizing how big of a problem credential compromises are, and they are working to mitigate the risks through stronger forms of authentication. A recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication.
When it comes to MFA methods, organizations have a wealth of choices but should realize that there is no “one-fits-all” approach. Instead, they should select alternatives that are best aligned with their use cases and represent the lowest friction experience for users to assure broad adoption. The most common MFA options include:
• Security Questions – One or more security questions can be used as the simplest form of authentication using something the user knows.
• One-Time-Passcodes – One-time-passcodes delivered via email or SMS message can be used as a second factor for authentication purposes. However, it’s been well documented that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technology (NIST) in its Special Publication 800-63 Guidelines recommends restricting the use of SMS for an OTP and advises to completely remove OTP via email. The weaknesses that OTP represents were also illustrated by last year’s Reddit hack.
• OATH Tokens – An OATH token is a secure one-time-password that can be used for two-factor authentication. The OATH token is sent to a device as a one-time-password to increase security in authentication.
• Phone Call with PIN Verification – A phone call with PIN verification can be used with any phone number available from the enterprise directory, mobile, office, or home phone number. The user just must validate the PIN once they answer the phone.
• Mobile Push Notifications – Mobile push notifications to a mobile authentication app for iOS and Android devices allow for a simple swipe after unlocking the smartphone to verify the authentication.
• FIDO U2F Security Keys – FIDO U2F Security Keys represent a very simple to deploy option that also provides the highest security assurance when combined with the user’s password.
• Smart Cards – Smart Cards can also be used for authentication and provide the highest assurance level once validated and verified against an organization’s corporate directory.
Tomi Engdahl says:
Industry and regulatory standards such as PCI DSS, NIST 800-63, PSD2, and GDPR are requiring security controls that provide higher assurance levels, such as authentication that is based on proof of possession of a cryptographic key using a cryptographic protocol. Nonetheless, organizations are still relying on far less secure authentication methods.
https://www.securityweek.com/why-user-names-and-passwords-are-not-enough
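For the OATH token bullet in both copies of the MFA list above, an added example (not from the article) of what such a token actually computes: HOTP per RFC 4226, TOTP per RFC 6238, and the server-side verifier, including the replay guard that refuses a code already consumed in its time step. The secret is the RFC test-vector secret, not a key anyone should deploy.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and a verifier with a replay guard.
Added example; RFC_SECRET is the RFCs' test-vector secret, not a real key."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


class TotpVerifier:
    """Server-side check: accept the code for the current step or one step
    either side (clock drift), compare in constant time, and never accept a
    step at or below the last one that succeeded, so a code is single use."""

    def __init__(self, secret, step=30, digits=6, window=1, algo=hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self.last_counter = -1  # highest step already consumed for this user

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        counter = int(at) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay guard: this step was already used
            expected = hotp(self.secret, c, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


RFC_SECRET = b"12345678901234567890"  # test-vector secret shared by both RFCs

if __name__ == "__main__":
    print([hotp(RFC_SECRET, c) for c in range(3)])  # 755224, 287082, 359152
    print(totp(RFC_SECRET, at=59, digits=8))        # 94287082
```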
Tomi Engdahl says:
Bots are cheap and effective. One startup trolls them into going away
https://techcrunch.com/2019/02/05/kasada-bots/?utm_source=tcfbpage&sr_share=facebook
Bots are ruining the internet.
When they’re not pummeling a website with usernames and passwords from a long list of stolen credentials, they’re scraping the price of hotels or train tickets and odds from betting sites to get the best data. Or, they’re just trying to knock a website offline for hours at a time. There’s an entire underground economy where bots are the primary tools used in automating fraudulent purchases, scraping content and launching cyberattacks. Bots are costing legitimate businesses money by stealing data, but also hogging system resources and costly bandwidth.
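Credential stuffing as described above, seen from the defender's side: an added example (not from the article) that runs a detector over a few constructed authentication log lines and flags a source that tries many distinct usernames in a short window, the signature that separates stuffing from one person mistyping a password. The log format, user names and addresses are constructed.

```python
"""Credential-stuffing detector over authentication logs. Added example;
the log format, user names and addresses (RFC 5737 documentation ranges)
are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=5):
    """Flag a source IP that attempts at least min_distinct_users different
    accounts inside the window. Counting distinct users rather than raw
    failures separates stuffing (one leaked list, many accounts) from a user
    mistyping a password (many failures, one account). Successful logins are
    counted too: a hit in the middle of a run is the outcome that matters."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)  # ip -> (ts, user, result) within the window
    alerts = {}
    for ts, ip, user, result in events:
        q = recent[ip]
        q.append((ts, user, result))
        while ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        if len(users) < min_distinct_users:
            continue
        a = alerts.setdefault(ip, {"ip": ip, "first": q[0][0],
                                   "distinct_users": 0})
        a.update(last=ts, attempts=len(q),
                 distinct_users=max(a["distinct_users"], len(users)),
                 successes=sum(1 for _, _, r in q if r == "ok"),
                 hit_accounts=sorted(u for _, u, r in q if r == "ok"))
    return sorted(alerts.values(), key=lambda a: a["ip"])


# Constructed sample log: one source works through a list of accounts and
# lands a hit; another source is a single user retrying their own password.
SAMPLE_LOG = """\
2019-02-05T10:00:01Z ip=203.0.113.5 user=alice result=fail
2019-02-05T10:00:02Z ip=203.0.113.5 user=bob result=fail
2019-02-05T10:00:02Z ip=198.51.100.7 user=dave result=fail
2019-02-05T10:00:03Z ip=203.0.113.5 user=carol result=fail
2019-02-05T10:00:04Z ip=203.0.113.5 user=dave result=fail
2019-02-05T10:00:05Z ip=198.51.100.7 user=dave result=fail
2019-02-05T10:00:06Z ip=203.0.113.5 user=erin result=fail
2019-02-05T10:00:07Z ip=203.0.113.5 user=frank result=ok
2019-02-05T10:00:09Z ip=198.51.100.7 user=dave result=ok
2019-02-05T10:00:30Z ip=192.0.2.9 user=grace result=ok
"""

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(f"{alert['ip']}: {alert['distinct_users']} accounts in "
              f"{alert['attempts']} attempts, hits={alert['hit_accounts']}")
```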
Tomi Engdahl says:
https://www.securityweek.com/where-begin-mitre-attck-matrix
Tomi Engdahl says:
Avoiding the little mistakes that lead to huge data breaches
https://www.itproportal.com/features/avoiding-the-little-mistakes-that-lead-to-huge-data-breaches/
Organisations now must take practical steps to prevent the simple but common mistakes that cause huge data breaches.
When GDPR was finally put into motion earlier last year, and the reams of emails associated with it from online retailers finally stopped, many hoped that for EU citizens a new era of improved personal data security was around the corner. The regulation was very much a watershed moment in the overall debate that has been dominated by increased worries around data misuse and breaches in recent years.
But even in the post GDPR era, data breaches have continued to dominate the headlines. Most worryingly, these significant data breaches are continuing to happen at major companies that boast huge customer databases. GDPR is a positive regulatory action by politicians to further secure personal data, but organisations now must take practical steps to prevent the simple but common mistakes that cause huge data breaches.
Fresh approaches to data handling
The NHS and Heathrow breaches are both examples of breaches caused by common mistakes that could have been avoided. However, the reason that these organisations were targeted in the first place is because of the vast amounts of data they store.
But what do these steps look like? Pub chain Wetherspoons raised eyebrows when it made the decision to erase its entire customer email database, thus ending all kinds of mailing list activities. This may have been an unconventional move, but an understandable one given the huge repercussions a data breach today can have. All organisations going forward must evaluate the areas of data storage that can be cut down in volume to reduce holding of personal data, and thus overall risk.
Large companies can also take advantage of third-party vendors that offer solutions to help in outsourcing and improving overall data storage. There are platforms on the market that can assist in handling both data orchestration and compliance. Some of these platforms can work alongside already established legacy systems, potentially mitigating not just the risk of keeping all data handling in-house, but overall operational costs as well.
Shifting cultures
Awareness is growing amongst the general population around the importance of securing personal data. Headline-grabbing scandals have made data breaches a hot topic, and all eyes are on what individual companies are doing to keep personal data more secure. For companies to prevent falling victim to the next data breach headline in 2019, reflections must be made on overall approaches to data handling and internal cultures for the sake of not just customers, but also for the sake of maintaining trust and loyalty.
A collective company responsibility and awareness for data security might have stopped the Heathrow employee leaving an important USB lying around, or indeed having data on a USB drive or stopped NHS employees from falling victim to classic email phishing scams that opened the door for the WannaCry attacks. Not to mention basic housekeeping in regard to keeping operating systems and virus scanning software up to date.
Tomi Engdahl says:
How much will staying patched on Windows 7 cost you? Here’s the price list
https://www.zdnet.com/article/how-much-will-staying-patched-on-windows-7-cost-you-heres-the-price-list/
Large businesses not ready to migrate off Windows 7 as of January 2020 and which opt for paid security updates should expect Microsoft’s update pricing to double each year.
Last Fall, Microsoft officials said they would provide Windows 7 Extended Security Updates for three years, meaning through January 2023. These will be security patches/fixes like the ones Microsoft is currently providing for free for Windows 7 users, as Windows 7 is still in “Extended” Support through January 14, 2020.
For Windows 10 Enterprise and Microsoft 365 customers, Microsoft will provide Windows 7 ESUs as an “add-on,” according to information Microsoft seemingly shared with partners and its field sales people. Year one (January 2020 to 2021), that add-on will cost $25 per device for that set of users. Year two (January 2021 to 2022) that price goes up to $50 per device. And Year three (January 2022 to January 2023) it goes up to $100 per device. To qualify for this pricing tier, customers can be running Pro as long as they are considered “active customers” of Windows Enterprise in volume licensing.
For users who decide to stick with Windows 10 Pro rather than Windows 10 Enterprise, those ESU prices are significantly higher. Year one, Windows 7 ESUs will cost those Windows 7 Pro customers $50 per device; Year 2, $100 per device; and Year 3, $200 per device.
Tomi Engdahl says:
The Need for Intent-Based Network Segmentation
https://www.securityweek.com/need-intent-based-network-segmentation
Network Segmentation Needs to be Able to Consistently Secure and Isolate Data Regardless of Where it Needs to Go
Part of the challenge is that many networks are undergoing rapid change without a cohesive security strategy in place. This has led to ad-hoc security strategies, overburdened security teams, security sprawl, and gaps in both visibility and control. Without an overarching plan in place, security teams are forced to rapidly identify and deploy security solutions to protect the expanding network and its new assets.
As a result, organizations on average now have solutions in place from over 80 security vendors that they need to configure, manage, and update. This sort of accidental security architecture poses critical challenges for security teams, not the least of which is simply collecting and correlating security data between isolated and highly dispersed solutions in order to detect and respond to threats.
Adding to the complexity of this problem are three facts. First, new devices—both physical and virtual—and their related traffic are being added to networks at an unprecedented rate. Second, applications and workflows are being added, updated, and replaced at an astonishing speed. And third, those applications and workflows need to be able to move freely between different networked environments, including remote devices, branch offices, and multi-cloud ecosystems.
Addressing these challenges has overwhelmed the capacity of many security teams. This is why we see, in spite of spending $124 billion on security solutions this year, the cost of cybercrime will outpace spending on cybersecurity by over 16X, reaching $2.1 trillion by the end of 2019.
Starting this process requires doing three things:
1. Get involved in business operations planning on day one. Security operations play a critical role in digital transformation, and early inclusion can save time and money in terms of protecting new assets, ensuring compliance, and building security that functions as an integral part of a larger security strategy.
2. Replace isolated security devices with tools that can be integrated to see, share, and correlate threat intelligence. Those tools also need to be able to consistently and seamlessly track and secure workflows, applications, and data that move across and between different network environments.
3. Develop a single pane of glass management strategy using open APIs and standards, centralized SIEM, and where possible, a common OS to establish and maintain centralized policy distribution, orchestration, and enforcement across security solutions.
Tomi Engdahl says:
Security Professionals Win When They Can Master Risk Communications
https://www.securityweek.com/security-professionals-win-when-they-can-master-risk-communications
Demonstrating Effective Communication is a Foundation for Effective Security Operations
A lot of people are talking about security risk right now. A quick Google search reveals articles on risks associated with the Slack collaboration tool, out of date Windows software, 5G network equipment from Huawei, iPhone apps that have been communicating with a malicious server and organizations’ employees. And that’s just the first page! Of course, when these topics make the headlines, security teams inevitably get calls from management, but the nature of these calls is evolving.
Recent analysis by Forrester finds that Boards are maturing in their understanding of cybersecurity and are asking more detailed questions. They don’t just want to know if the latest threat matters to the organization, but how you know that.
This means that your ability to communicate effectively about cybersecurity is just as important as your work doing cybersecurity, if not more important. Communication has become a critical component of security operations.
Speaking about risk using terms like “red, yellow, green” based on factors from outside your organization simply isn’t going to cut it. You must be able to provide greater detail, while communicating in ways that resonate with management and are relevant to the organization. Your ability to do this begins with contextual awareness. In security operations, context comes from aggregating and augmenting internal threat and event data with external threat feeds. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.