Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I will be making educated guesses based on what has happened during the last 12 months and in the several years before that.
The past year has seen a rapid increase in the adoption of up-and-coming technologies. Everyday items are getting smarter and more connected. Companies are saving millions with new technologies, and cities are racing to implement smart solutions. 5G promises to bring wireless high-speed broadband everywhere. On the other hand, those solutions add new kinds of vulnerabilities. Competing in today’s digital marketplace requires that organizations be cyber-savvy. 2020 is when cybersecurity gets even weirder, so get ready.
Here are some trends and predictions for cyber security in 2020:
Cyber Attacks: Cyberattacks grow in volume and complexity. Many more countries are going to emerge as major threats in the 2020s. Nation-state backed cyber groups have been responsible for major incidents over the last decade, and now more countries want the same power. Cyberattacks range from targeting your database to steal information that can be sold on the dark web, to hijacking unused CPU cycles on your devices to mine cryptocurrencies, to infecting vulnerable systems so they can be used later as part of a botnet.
IoT security: IoT security keeps getting worse until it starts to get better. IoT security is an extremely hot topic right now and will be hot for many years to come. Industrial IoT risk has been discussed a lot. Physics dictates local application deployment, because the control rate of most industrial systems is 10 milliseconds or below. Smart building security awareness grows. The risks of the IoT in financial services are great. An explosion in IoT devices significantly raises the threat level. Gartner predicted that the world will see nearly 21 billion IoT devices by next year; it would be nice if all of them were secure, but many of them unfortunately are not. Hackers are continually looking for ways to exploit device vulnerabilities. From smart TVs, IP cameras and smart elevators to hospital infusion pumps and industrial PLC controllers, IoT and OT (Operational Technology) devices are inherently vulnerable and easy to hack. Why? Because IoT security is complicated, and security must be considered and integrated with IoT deployments from the start. Gartner says worldwide IoT security spending will reach $1.9 billion in 2019 and will rise to $3.1 billion in 2021, making it one of the fastest growing segments of the cybersecurity industry. The IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT: device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more. You might have to do a little work with your internet of things devices to stay secure. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of the devices vulnerable to attack: one in every 172 active RSA certificates is vulnerable. It is a good idea to build separate network segments for IoT devices so that they are isolated from the normal office network. The FBI recommends that you keep your IoT devices on a separate network.
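The “one in 172” figure comes from a study of certificates whose RSA modulus shares a prime factor with another certificate’s modulus, a consequence of poor entropy at key-generation time; that is my reading of the finding, since the paragraph itself does not name the mechanism. The audit below is an added example, not code from the original post, showing the check a defender would run over their own IoT certificate inventory. The device names and moduli are constructed toy values (real keys are 2048-bit), and the pairwise GCD is fine for a few hundred keys; for a large inventory a batch-GCD product tree does the same job in near-linear time.

```python
from math import gcd
from itertools import combinations

# Constructed toy inventory: device name -> RSA modulus n = p * q.
# Two devices ("cam-01" and "gw-01") reused P_SHARED because their key
# generator had too little entropy at first boot. Real moduli are 2048-bit;
# these small primes only illustrate the arithmetic.
P_SHARED = 1000000007
MODULI = {
    "cam-01": P_SHARED * 998244353,
    "cam-02": 2147483647 * 1000000009,
    "gw-01":  P_SHARED * 1000000021,   # shares P_SHARED with cam-01
    "plc-07": 1000000033 * 1000000087,
}


def find_shared_factors(moduli):
    """Return [(name_a, name_b, common_factor)] for every pair of moduli that
    share a non-trivial factor. Anyone holding both public keys can recover
    both private keys from a hit, so a hit means revoke and re-key, not warn."""
    hits = []
    for (a, n_a), (b, n_b) in combinations(sorted(moduli.items()), 2):
        g = gcd(n_a, n_b)
        if g != 1:
            hits.append((a, b, g))
    return hits


def factor_from_hit(n, shared_factor):
    """Show why a hit is fatal: the modulus splits into (p, q) by one division."""
    return shared_factor, n // shared_factor


if __name__ == "__main__":
    for a, b, g in find_shared_factors(MODULI):
        print(f"{a} and {b} share factor {g}; {a} = {factor_from_hit(MODULI[a], g)}")
```

Run this over the moduli pulled from every device certificate you issued or accepted; a non-empty result list is a revocation event for both certificates in each pair.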
IoT privacy: Silicon Valley is listening to your most intimate moments. The world’s biggest companies got millions of people to let temporary workers analyze some very sensitive recordings made by their “smart” speakers and smartphones. A quarter of Americans have bought “smart speaker” devices such as the Echo, Google Home and Apple HomePod. Consulting firm Juniper Research Ltd. estimates that by 2023 the global annual market for smart speakers will reach $11 billion, and there will be about 7.4 billion voice-controlled devices in the wild. That’s about one for every person on Earth. The question is: then what? Having microphones that listen all the time is concerning. Some attackers are also terrifying homeowners and making them feel violated in their own homes.
Medical systems security: Cyberattacks on medical devices are on the rise, and manufacturers must respond. Attacks on networked medical devices, and on the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction. It’s shocking that a few years after WannaCry and NotPetya, the healthcare industry is still not prepared to deal with ransomware attacks. Many hospitals and healthcare networks have been hit by ransomware over the past few months.
Surveillance cameras: Surveillance cameras are capturing what we do on the streets, at airports, in stores and in much of our public space. China’s Orwellian video surveillance gets a bad rap, but the US isn’t far behind, as the US has nearly the same ratio of security cameras to citizens as China. And the numbers are growing all over the world. One billion surveillance cameras will be deployed globally by 2021, according to data compiled by IHS Markit. Russia is building one of the world’s largest facial recognition networks, and it may even be bigger than China’s 200 million camera system. China’s installed base is expected to rise to over 560 million cameras by 2021, representing the largest share of surveillance devices installed globally, with the US rising to around 85 million cameras. Now the US, like China, has about one surveillance camera for every four people (in 2018 China had 350 million cameras and the USA 70 million). Surveillance cameras are getting better, smaller and cheaper and can be installed almost anywhere. It would be very easy to sneak another device onto a hotel’s Wi-Fi network and stream its video over the internet to a computer elsewhere.
Facial recognition: Private companies and governments worldwide are already experimenting with facial recognition technology. Facial recognition software is touted as making us safer. But mass surveillance has downsides of major proportions. Massive errors found in facial recognition tech. Facial recognition systems can produce wildly inaccurate results, especially for non-whites. Russia is building one of the world’s largest facial recognition networks. Individuals, lawmakers, developers – and everyone in between – should be aware of the rise of facial recognition, and the risks it poses to rights to privacy, freedom, democracy and non-discrimination.
Shut off Internet: A worrying worldwide trend employed by various governments: preventing people from communicating on the web and accessing information. Amid widespread demonstrations over different issues, many countries have started cutting Internet connections from people. Some countries, namely China, architected their internet infrastructure from the start with government control in mind. Russia is heading in the same direction. Other examples include Iran and India. For better or worse, an internet blackout also limits the government’s ability to conduct digital surveillance on citizens.
Security First: Implementing Cyber Best Practices Requires a Security-First Approach. Competing in today’s digital marketplace requires that organizations be cyber-savvy. The best defense is to start with a security-driven development and networking strategy that builds a hardened digital presence from the ground up. This not only ensures that your online services and web applications are protected from compromise, but also enables security to automatically evolve and adapt right alongside the development of your digital presence, rather than it having to be constantly rigged and retrofitted to adapt to digital innovation.
Zero Trust Network Access: Many of the most damaging breaches have been the result of users gaining access to unauthorized levels of network resources and devices. Zero Trust is an enforceable, identity-driven access policy that includes seamless and secure two-factor/OTP authentication across the organization. Zero Trust Network Access ensures that all users and devices are identified, profiled, and provided appropriate network access. It also ensures that new devices are automatically assigned to appropriate network segments based on things like device profiles and owners. When combined with Network Access Control (NAC), organizations can also discover, identify, grant appropriate access, and monitor devices, thereby enhancing your access and segmentation strategy.
Anti-virus software: Only half of malware is caught by signature AV. The percentage of malware that successfully bypassed signature-based antivirus scanners at companies’ network gateways has increased significantly, either by scrambling code using basic encryption techniques, known as “packing”, or by automatically creating code variants. It seems that new approaches like machine learning and behavioral detection are necessary to catch these threats. Meanwhile, network attacks have risen, especially against older vulnerabilities.
Ransomware attacks: Ransomware will remain a major threat in the coming year, as the criminal business model continues to flourish. Paying the ransom is a move that security professionals have long condemned, warning that it could end up causing more turmoil for victims, as well as inspiring other cybercriminals to launch ransomware attacks. Microsoft never encourages a ransomware victim to pay. What to do about this is the question. How much does a large-scale ransomware attack cost, as opposed to just hiring an adequate number of skilled IT personnel and having disaster recovery plans in place? There is no complete security solution that could stop all attacks, but you should have decent protection. It would seem prudent to have adequate staff and offline BACKUPS to deal with this kind of situation, so that decent recovery is possible. Having no backup system is the gamble many companies and public entities seem to be playing. Good backups help to recover from ransomware attacks. New tactics are coming into use in ransomware. A new Snatch ransomware strain reboots the computers it infects into Safe Mode to disable any resident security solutions. Another new tactic by ransomware developers is to threaten to release a victim’s data if they do not pay the ransom: they will publish the data they stole, or pass it to a competitor, if the ransom is not paid.
Public sector: Public sector security is lagging. The state of cybersecurity and resilience in the public sector needs an urgent boost in many countries. U.S. citizens rely on state governments and local municipalities to provide a host of services, everything from access to public records, law enforcement protection, education and welfare to voting and election services. Cybercriminals have been targeting state and local governments with ransomware tools, which infect an organization’s computer networks and lock up critical files.
Consumer confidence: Winning consumer confidence is crucial to the development of new digital services. In a PwC study, consumers are prepared to share personal information if it is of sufficient value to them. On the other hand, consumer confidence also needs to be earned by showing that you keep the information safe.
API security: APIs now account for 40% of the attack surface of all web-enabled apps. It’s a good time to pay attention to API security, since some recent high-profile breaches have involved API vulnerabilities. OWASP, the Open Web Application Security Project known for its top 10 list of web application vulnerabilities, published the release candidate version of its API Security Top 10 list at the end of September 2019. Also, it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
Skills gap: Security teams, already grappling with serious challenges due to the growing cybersecurity skills gap, are being tasked with securing an ever-expanding network footprint. Security teams are often left to secure virtual and cloud environments, SaaS services, DevOps projects, the growing adoption of IoT, mobile workers and an expanding array of personal connected devices after these have already been implemented. They often do not have enough people or enough knowledge of those new technologies to do their work well. The cybersecurity unemployment rate is zero, with over 1 million jobs currently unfilled, a number that is expected to climb to 3.5 million by 2021. 145% growth is needed to meet global demand.
Think Like Your Adversary: Cybersecurity leaders need to assess the potential vulnerabilities (from the mindset of the adversary) and devise effective defensive countermeasures unique to their company’s needs. Programmers should think like hackers. Security must be taken into account in all programming steps.
Third party security: Most companies don’t properly manage third-party cyber risk. It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s modern, interconnected world. Developing a Third-Party Cyber Risk Management (TPCRM) strategy is becoming more common with every news headline about a major breach that stemmed from a company’s relationship with a third party.
Privacy and surveillance: Fears grow over digital surveillance. Americans are increasingly fearful of monitoring of their online and offline activities, both by governments and by private companies. More than 60 percent of US adults believe it is impossible to go about daily life without having personal information collected by companies or the government. Google and Facebook help connect the world and provide crucial services to billions. But their systems can also be used for surveillance. Amnesty International says Facebook and Google’s omnipresent surveillance is inherently incompatible with the right to privacy and is a danger to human rights. The claim is that the companies’ surveillance-based business model is inherently incompatible with the right to privacy and poses a threat to a range of other rights, including freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination. Amnesty International has called for a radical transformation of the tech giants’ core business model and said that Google and Facebook should be forced to abandon what it calls their surveillance-based business model because it is “predicated on human rights abuse.”
5G: Forecasting that 2020 will be “the year of 5G” no longer qualifies as a bold prediction. Billions of dollars’ worth of 5G rollouts are scheduled for the coming year, which will bring the emergent technology to countries around the world. The arrival of 5G will fuel an explosion of never-before-seen IoT machines, introducing uncharted vulnerabilities and opening the door for cyber-criminals to compromise our increasingly intertwined cities. Claims that 5G offers “better security” for IoT may not ring true.
5G security: The new 5G mobile networks will be the backbone of future digitalized operations. Therefore, it is also important to ensure the security and resilience of 5G networks. The Council of the European Union has warned member states that the introduction of 5G networks poses increased security risks while also bringing economic and infrastructure benefits. ENISA, the European Union Agency for Cybersecurity, has published a Threat Landscape for 5G Networks, assessing the threats related to the fifth generation of mobile telecommunications networks (5G). Organised cybercrime, rogue insiders and nation-state-backed hackers are among the groups that could soon be targeting 5G networks. Claims that 5G offers “better security” for IoT may not ring true, with the technology remaining vulnerable to SIM-jacking attacks within private Industry 4.0-style deployments. 5G SIM-swap attacks could be even worse for industrial IoT than they are now. Criminals can convince telcos to port a victim’s number to a new SIM card controlled by the criminal. Trust your hardware or operator? Pah, you oughta trust nobody. Do not put all your security and identification on this SIM card.
DNS Over HTTPS (DoH): DoH encrypted DNS queries are already set to arrive in Chrome and Firefox web browsers. Microsoft Will Bring DNS Over HTTPS (DoH) to Windows 10 in an attempt to keep user traffic as private as possible. DoH support in Windows means encrypted DNS queries. Microsoft says that DoH doesn’t require DNS centralization if adoption is broad among operating systems and Internet service providers alike.
Firewall configuration: Now, more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.” This is a human problem, not a firewall problem.
Bot attacks: Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more. Organizations are Failing to Deal With Rising Bot Attacks.
Network security: Networks are continually growing in complexity and the cyberattack surface is constantly expanding. The network perimeter of today is elastic, expanding and contracting with the demands of both users and the business. In a rush to adopt digital business practices, many of these new network expansion projects are being implemented ad hoc by individual lines of business. Routers sit at the edge of the network and see everything, so they can be utilized to make the network the first line of defense. A critical step in building a stronger security posture and a more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. Cybercriminals only need to be successful once in finding a way to access the network, but the security team needs to monitor everything on the network and be right all the time to ensure security. Today’s core network is continually adapting to the introduction of new devices, applications and workflows, along with shifting network configurations to support business requirements, requiring the use of advanced, intent-based segmentation.
Security-Driven Networking: Security-Driven Networking is a new, strategic approach to security that enables the seamless expansion of network environments and services without ever compromising on security. Essentially, it begins by crafting a comprehensive security policy that covers the entire organization. It outlines the protocols, enforcement and inspection technologies, policies, and protections required to be in place before any new network environment or solution is even placed on the drawing board. It requires the selection and full integration of security tools that not only work together to share and correlate intelligence and coordinate a unified response to threats, but that also work seamlessly across the widest variety of environments possible.
Critical infrastructure: Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems. In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities, and these have typically been aligned to wider geopolitical objectives. Expect targeted attacks on critical infrastructure facilities to increase. APT33 has shifted its targeting to industrial control systems software. We need to be worried about the cyber-physical security of the power grid. To protect this infrastructure you need to prioritize the strategic risks that affect it: concern yourself with the most important hacks, understand the critical pieces of your infrastructure, and know your inter-dependencies.
Payment security: Payment security backslid for the second straight year in 2019. Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. At the same time, the EU’s PSD2 (Payment Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, banks will be required to open their infrastructure and data to third parties. Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use.
Election security: Nowadays, no election can be held any longer without a debate about influencing voters through online services. There are ongoing accusations of Russian interference in US elections and fears of a repeat in the run-up to the 2020 elections. U.S. military cyber experts are plotting strategy for a fight against potential Russian and other cyberattacks ahead of the 2020 American and Montenegrin elections. As the 2020 Presidential election looms closer in the United States, a key focus will be on securing election infrastructure to prevent tampering. Most of the largest US voting districts are still vulnerable to email spoofing. Disinformation campaigns for political purposes are also deeply rooted in cybercriminal endeavors. It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. Hacking is considered the biggest tech threat to the 2020 elections in the USA. Legislators are working on new laws, but that is not going to be enough in an era when technology is turning out entirely new attack surfaces.
False Flags: The use of false flags has become an important element in the playbook of several APT groups. This can be used to try to deflect attention away from those responsible for the attack or what is really happening.
Common attack tools: Cyber actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult.
Vulnerability disclosure: Most “white hat” cyber engineers seem to be driven by a sense of social responsibility best expressed as, “If you find something, say something.” Across the industry, the ethos is to share information quickly, whether the problem is a newly discovered exploit or an evolving cyber threat. The goal is to impel the affected vendor, hardware or software, to take quick action and produce a fix. There are good and bad ways to make vulnerabilities known. A premature “full disclosure” of a previously unknown issue can unleash the forces of evil, and the “black hats” often move faster than vendors or enterprise IT teams. The preferred path is a “responsible” or “coordinated” disclosure that happens behind the scenes. Public announcements occur after a specified period of time, typically 90 or 120 days. But things don’t always work this way.
Ransomware: Cybercriminals have become more targeted in their use of ransomware. It is inevitable that cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs and servers. There is a ransomware “crisis” in US schools and in many US cities.
Supply chain: Supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and through abuse of packages and libraries. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations. There is also growth in counterfeit electronics.
Mobile: The main storage for our digital lives has moved from the PC to mobiles over the last 10 years. Several countries have started demanding that their own software (maybe in some cases also malware) be installed on all smartphones. Putin has signed a law making Russian apps mandatory on smartphones and computers.
Android: Today 80% of Android apps are encrypting traffic by default. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain. The heterogeneity of the Android versions will continue to be a problem in the coming year.
DDoS attacks: DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic. The number of DDoS attacks rose 86% in the third quarter compared to a year ago. DNS amplification attacks accounted for 45% of the attacks, while HTTP floods and TCP SYN attacks accounted for 14%. Mobile devices account for 41% of DDoS attack traffic.
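The reason DNS amplification dominates is the ratio the paragraph does not spell out: a small UDP query with a spoofed source address draws a response many times larger, delivered to whoever owns that spoofed address. Below is an added example (not code from the original post) of the detection logic an operator of a resolver or authoritative server would run over its own query log to spot that pattern. The log lines and their `key=value` format are constructed for the example; adapt the regex to your server’s real log format.

```python
import re
from collections import defaultdict

# Constructed resolver log (not from a real server). "client" is the source
# address on the wire; in an amplification attack it is spoofed, so it is the
# VICTIM's address, not the attacker's. req/resp are UDP payload sizes in bytes.
SAMPLE_LOG = """\
2019-11-02T10:00:01Z client=198.51.100.7 qname=example.org qtype=A req=45 resp=61
2019-11-02T10:00:01Z client=203.0.113.9 qname=example.net qtype=ANY req=47 resp=3120
2019-11-02T10:00:01Z client=203.0.113.9 qname=example.net qtype=ANY req=47 resp=3120
2019-11-02T10:00:02Z client=203.0.113.9 qname=example.net qtype=ANY req=47 resp=3120
2019-11-02T10:00:02Z client=198.51.100.7 qname=example.org qtype=AAAA req=45 resp=73
2019-11-02T10:00:02Z client=203.0.113.9 qname=example.net qtype=TXT req=47 resp=2890
2019-11-02T10:00:03Z client=203.0.113.9 qname=example.net qtype=ANY req=47 resp=3120
2019-11-02T10:00:03Z client=192.0.2.44 qname=example.com qtype=MX req=45 resp=2400
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"req=(?P<req>\d+) resp=(?P<resp>\d+)"
)


def amplification_report(log_text, min_queries=3, min_ratio=10.0):
    """Aggregate bytes in/out per source address and flag sources whose
    response volume is >= min_ratio times their request volume over at least
    min_queries queries. Returns {client: {queries, amplification, qtypes}}."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "qtypes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        s = stats[m["client"]]
        s["queries"] += 1
        s["req"] += int(m["req"])
        s["resp"] += int(m["resp"])
        s["qtypes"].add(m["qtype"])

    flagged = {}
    for client, s in stats.items():
        ratio = s["resp"] / s["req"]
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[client] = {
                "queries": s["queries"],
                "amplification": round(ratio, 1),
                "qtypes": sorted(s["qtypes"]),
            }
    return flagged


if __name__ == "__main__":
    for client, info in amplification_report(SAMPLE_LOG).items():
        print(f"{client}: {info['queries']} queries, x{info['amplification']} "
              f"amplification via {','.join(info['qtypes'])}")
```

Because the flagged address is the spoofing victim, the right response is not to block it but to stop being an amplifier: disable open recursion, enable response rate limiting, and refuse or minimise answers to ANY queries. The single MX query from `192.0.2.44` is deliberately left unflagged at the default thresholds; one large answer is normal, a sustained stream of them to one address is not.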
Business security: Small and medium-sized businesses (SMBs) increasingly recognize that a reactive security posture is no longer sufficient for protecting their networks. Breaches will happen. Companies should treat cyberattacks “as a matter of when” and not “whether.” Insider threats are still a big issue: employees are one of your biggest assets, but human beings are the weakest link in the security chain. Data leaks help attackers to craft more convincing social engineering attacks. Plan proper incident management, because quick, reliable, multichannel communication is a vital part of any incident management solution. Cybercriminals often choose very small companies as their targets because small businesses rarely spend significant money on security systems. Medium-sized companies are being targeted even more heavily by cyber criminals. They are often the weakest link in supply chains that include large corporations.
Cyber insurance: Cyber Has Emerged as a Risk That is Not Specifically Covered by Other Insurance Policies. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow.
New encryption: The problem with encrypted data is that you must decrypt it in order to work with it. There is a powerful solution to this scenario: homomorphic encryption. Homomorphic encryption makes it possible to analyze or manipulate encrypted data without revealing the data to anyone. Just like many other popular forms of encryption, homomorphic encryption uses a public key to encrypt the data. There are three main types of homomorphic encryption: partially homomorphic encryption (keeps sensitive data secure by only allowing select mathematical operations to be performed on encrypted data); somewhat homomorphic encryption (supports limited operations that can be performed only a set number of times); and fully homomorphic encryption (the gold standard of homomorphic encryption, which keeps information both secure and accessible). Cryptographers have known of the concept of homomorphic encryption since 1978, but Gentry established the first fully homomorphic encryption scheme in 2009. The biggest barrier to wide-scale adoption of homomorphic encryption is that it is still very slow. Duality, a security startup co-founded by the creator of homomorphic encryption, has raised $16M.
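As an added illustration (not code from the original post, and not the scheme Duality ships), here is the Paillier cryptosystem, a textbook partially homomorphic scheme of the kind the paragraph describes: it supports exactly one operation on ciphertexts, addition of the underlying plaintexts, which is enough to let a party who never holds the private key total up encrypted figures. The primes are toy-sized and the salary figures are constructed; the modular-inverse call `pow(x, -1, n)` needs Python 3.8 or later.

```python
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def paillier_keygen(p, q):
    """Paillier key pair from two primes. Toy primes here; real deployments
    use p and q of 1024 bits or more. Returns (public, private)."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1                 # the standard simple generator choice
    mu = pow(lam, -1, n)      # with g = n + 1, mu is just lambda^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pub, m, rng=random):
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts give
    different ciphertexts (the scheme is randomised)."""
    n, g = pub
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            break
    n2 = n * n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    u = pow(c, lam, n2)
    return (((u - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic property: E(m1) * E(m2) mod n^2 == E(m1 + m2).
    Whoever runs this never learns m1 or m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 == E(k * m): multiplication by a known constant."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_total(pub, ciphertexts):
    """Sum a list of ciphertexts without the private key (e.g. a payroll
    service totalling salaries it is not allowed to read)."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = paillier_keygen(1000003, 1000033)         # toy primes
    salaries = [3000, 4500, 5200]                         # constructed figures
    cts = [encrypt(pub, s) for s in salaries]             # done by data owner
    total_ct = encrypted_total(pub, cts)                  # done by untrusted party
    print("decrypted total:", decrypt(pub, priv, total_ct))   # 12700
```

The limitation the paragraph calls “partially homomorphic” shows up as soon as you want a product of two encrypted values or a comparison: Paillier has no ciphertext operation for those, which is what the somewhat- and fully-homomorphic schemes add, at the cost of the slowness the paragraph mentions.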
Artificial Intelligence (AI): The buzzword for 2019 that we have all heard a thousand times was Artificial Intelligence, AI. The term AI is often used interchangeably with machine learning. There is a lot of research examining AI applications in cyber security. As cyberattacks grow in volume and complexity, hopefully artificial intelligence (AI) is helping under-resourced security operations analysts stay ahead of threats. Cybersecurity tools currently use this data aggregation and pattern analysis in the field of heuristic modeling: the true function of AI will be to determine, over a long arc of time and data, what “normal” looks like for a user. AI can act as an advisor to analysts, helping them quickly identify and connect the dots between threats. Finnish cyber security company F-Secure is doing research on AI agents, and on that topic Mikko Hyppönen says that AI should not be used to try to imitate humans, and that artificial intelligence-based attacks are expected in the near future. Another Finnish cyber security company, Nixu, says that artificial intelligence is going to revolutionize cyber security. According to Orlando Scott-Cowley from Amazon Web Services, machine learning is the new normal in cyber security. Advanced machine learning layers are to be integrated into the latest Windows cybersecurity products. Leaders in artificial intelligence warn that progress is slowing, big challenges remain, and simply throwing more computers at a problem isn’t sustainable.
2020 problems: Has your business prepared for the “2020 problem”? Software updates for Windows 7 will end on January 14, 2020. As of Jan. 14, 2020, Windows 7 and Server 2008 technical support and software updates will no longer be available from Windows Update. There will no longer be updates for Office 2010. Some business users can buy extended security update support for an additional fee for some time. Python will stop supporting Python version 2 on January 1, 2020. Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. December 2019 Patch Tuesday was the last time Microsoft ever offered security updates for devices running Windows 10 Mobile.
Crypto wars continue: A decades-old debate: government officials have long argued that encryption makes criminal investigations too hard. Governments all over the world say that encrypted communication is a huge issue for law enforcement, and the balance between the privacy of citizens and effective policing of criminal activity is top of mind for governments, technology companies, citizens and privacy organisations all over the world. The international police organization Interpol plans to condemn the spread of strong encryption. Like top law enforcement officials in the United States, United Kingdom and Australia, the larger group will cite difficulties in catching child sexual predators as grounds for companies opening up user communications to authorities wielding court warrants. Congress warns tech companies: take action on encryption, or we will. US lawmakers are poised to “impose our will” if tech companies don’t weaken encryption so police can access data.
Do not weaken encryption: Companies, they say, should build in special access that law enforcement could use with a court’s permission. Technologists say creating these back doors would weaken digital security for everyone. Unfortunately, every privacy protection mechanism is subject to abuse by the morally challenged. That’s just a truth that must be accepted and overcome. Invading the privacy of the masses in order to catch criminals is unacceptable. Remember three things: one, that strong encryption is necessary for personal and national security; two, that weakening encryption does more harm than good; and three, that law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. If back doors are added to encryption, they will be abused. If you think encryption back doors won’t be abused, you may be a member of Congress. Bad encryption can have business consequences. Apple and Facebook told the committee that back doors would introduce massive privacy and security threats and would drive users to devices from overseas. In Australia, 40% of firms say they have lost sales or other commercial opportunities as a result of the encryption law being in place.
2FA: The second authentication factor might be a minor inconvenience, but it provides a major security boost. With past years riddled with security breaches, it is high time we evaluated the way we secure our online presence. Two factors are much better than one, but can still be hacked: attacks that phish 2FA to access email accounts cost $100-$400, and such attacks can be prevented with physical security keys. Some physical security keys can also be hacked, however, as they turn out to be less secure than their advertisements claimed.
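To make concrete why a phished one-time code still works for the attacker while a phished security-key login does not, here is an added Python illustration (not code from the original post). The TOTP half follows RFC 6238 using only the standard library; the security-key half is a simplified model of WebAuthn in which an HMAC stands in for the authenticator’s public-key signature, an assumption made to keep the example dependency-free. The origins, secrets and challenge are constructed.

```python
"""Phished one-time code vs. phished security-key assertion, as seen by the server.

Added illustration, not code from the original post. TOTP follows RFC 6238;
the "security key" is a simplified WebAuthn model where HMAC stands in for the
authenticator's signature (assumption). All origins, secrets and challenges
below are constructed.
"""
import hashlib
import hmac
import json
import struct

# ---- Factor type 1: TOTP (RFC 6238), the kind a relay can phish ----------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard time-based one-time code: HOTP over the 30-second time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """The code carries no information about WHERE the user typed it, so a code
    typed into a lookalike page and forwarded is indistinguishable from a real one."""
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


# ---- Factor type 2: security key with origin binding (WebAuthn model) ----------

RP_ORIGIN = "https://accounts.example.com"               # the real site (constructed)
LOOKALIKE_ORIGIN = "https://accounts.example-login.com"  # a lookalike page (constructed)


def key_sign(key_secret: bytes, challenge: str, origin: str) -> dict:
    """The browser (not the user) writes the page origin into clientDataJSON and the
    authenticator signs over it. HMAC stands in for the real ECDSA/Ed25519 signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    sig = hmac.new(key_secret, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def server_accepts_assertion(key_secret: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks that matter here: type, challenge freshness, origin, signature."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != RP_ORIGIN:  # this check is what defeats a relayed login
        return False
    expected_sig = hmac.new(
        key_secret, hashlib.sha256(assertion["client_data"]).digest(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


# ---- Walk both factor types through a legitimate and a relayed login -----------

def demo() -> dict:
    totp_secret = b"constructed-totp-seed"
    key_secret = b"constructed-security-key-secret"
    now = 1_600_000_000
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # issued by the real server (constructed)

    # Legitimate login: the user is on the real origin.
    totp_legit = server_accepts_totp(totp_secret, totp(totp_secret, now), now)
    key_legit = server_accepts_assertion(
        key_secret, challenge, key_sign(key_secret, challenge, RP_ORIGIN))

    # Relayed login: the user is on a lookalike page that forwards what it receives.
    # The six-digit code is unchanged by where it was typed...
    totp_relayed = server_accepts_totp(totp_secret, totp(totp_secret, now), now)
    # ...but the browser records the lookalike origin in the signed client data.
    key_relayed = server_accepts_assertion(
        key_secret, challenge, key_sign(key_secret, challenge, LOOKALIKE_ORIGIN))

    return {"totp_legit": totp_legit, "key_legit": key_legit,
            "totp_relayed": totp_relayed, "key_relayed": key_relayed}


if __name__ == "__main__":
    print(demo())
```

The origin check is what does the work: the browser writes the page origin into the signed client data, so a challenge that reached the user through a lookalike domain comes back signed over the wrong origin and is rejected, whereas a six-digit code says nothing about where it was typed.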
Myth of the sophisticated hacker in the news: “Sophisticated” is the latest lexical stretch for an adjective that is applied to nearly every reported cybersecurity incident, and is widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.
New security models: Google moved from perimeter-based to cloud-native security. Google’s architecture is the inspiration and template for what’s widely known as “cloud-native” today—using microservices and containers to enable workloads to be split into smaller, more manageable units for maintenance and discovery. Google’s cloud-native architecture was developed prioritizing security as part of every evolution.
Hacktivists: Hacktivists seek to obtain private information about large companies in order to embarrass or expose the company’s controversial business practices. Many companies are a treasure trove for personal information, whether they realize it or not. Experian is predicting that the emerging cannabis industry will experience an increase in data breaches and cybersecurity threats in 2020.
RCS messaging: RCS, short for Rich Communication Services, is a protocol that aims to replace SMS. RCS messaging has rolled out to Android users in the US. The update brings many new features, such as chat, sending hi-res videos and photos, and creating group chats. One criticism of RCS is that it doesn’t provide end-to-end encryption, and RCS could be better in many other security aspects as well. Researchers have discovered that the RCS protocol exposes most users to several cyber attacks. These risks are said to be mitigated by implementing the protocol with security in mind: the standard itself allows for poor security implementations, but GSMA advises its members to deploy RCS with the most secure settings possible.
Data breaches: Billions of sensitive files are exposed online all the time. During the first six months of 2019, more than 4 billion records were exposed by data breaches. That’s a shocking statistic, made even more so when you realize that passwords were included in droves. On December 4, a security researcher discovered a trove of more than a billion plain-text passwords in an unsecured online database. Many businesses wrongly assume they are too small to be on the radar of threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores. All organizations are exposed to security breaches, from large multinationals to SMEs and public administrations. A common thread is unsecured cloud-based databases that leave sensitive information wide open for anyone to access online.
Phishing: Phishing remains one of the most pervasive online threats, and phishing emails are still managing to catch everyone out. Phishing e-mails used to steal credentials usually depend on the user clicking a link that leads to a phishing website that looks like the login page of some valid service. Google Chrome now offers better protection against this, as Safe Browsing displays warning messages to users ahead of visiting dangerous websites and before downloading harmful applications. New, more advanced phishing techniques are coming into use. With dynamite phishing, the cyber criminals read the email communication from a system already infected with an information stealer. The infected user’s correspondents then receive malicious emails that quote the last “real” email between the two parties and look like a legitimate response from the infected user.
Windows: Microsoft doesn’t back up the Windows Registry anymore. It’s still possible to perform Windows Registry backups, but the option is disabled by default. It’s time to disconnect RDP from the internet, as brute-force attacks and BlueKeep exploits usurp the convenience of direct RDP connections. Microsoft is ready to push a full-screen warning to Windows 7 users who are still running the OS after January 14.
Linux: Support for the 32-bit i386 architecture will be dropped by many Linux distributions. It turns out that there are essentially no upstream development resources dedicated to x86_32 Linux and, perhaps unsurprisingly, it was badly broken.
Drones: Turkey is getting military drones armed with machine guns. Drone hacking happens: there is now Dronesploit, a Metasploit for drones, a Metasploit-style CLI framework tailored for tinkering with everybody’s favourite unmanned flying objects.
World market war: China tells government offices to remove all foreign computer equipment. China has ordered the replacement of all foreign PC hardware and operating systems in state offices over the next three years, which means China will ditch all Windows PCs by 2022. China already has some Linux distros of its own, such as Kylin and Deepin. Many western countries are more or less banning Huawei telecom equipment.
Cloud security: Traditional security tools and methodologies are ill-suited to protect cloud native’s developer-driven and infrastructure-agnostic multicloud patterns. The vision laid out by these renowned analysts is straightforward: the legacy “data center as the center of the universe” network and network security architecture is obsolete and has become an inhibitor to the needs of digital business. They describe the underpinning shift to cloud infrastructure, a digital transformation that has been under way for ten years. They also point out that the corporate network cannot protect end users who consume cloud applications from any location and any device without the contorted, expensive backhaul of traffic through the corporate data center. Gartner coins a new term for the future of security and networks, SASE (pronounced “sassy”), Secure Access Service Edge, which is not anything really new. SASE promises to create a ubiquitous, resilient and agile secure network service, globally. Most stolen-data incidents in the cloud are related to simple human errors rather than concerted attacks: expect that through 2020, 95% of cloud security failures will be the customer’s fault, with unsecured cloud databases left open to anyone online as the common thread. Also, it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
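The exposed Docker admin port mentioned above is usually a daemon.json (or dockerd command line) that binds the API to a TCP socket without TLS client verification. The following added Python check (not code from the original post or from Docker) contrasts such a weak configuration with a hardened one and flags the risky settings; the two daemon.json documents are constructed, while the keys used (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options.

```python
"""Audit a Docker daemon.json for a remote API socket exposed without TLS
client authentication.

Added example, not code from the original post or from Docker. The two
configurations are constructed; the option names are real dockerd settings.
"""
import json
from typing import List

# Weak: the API listens on every interface, on the plaintext port, with no TLS.
# Anyone who can reach 2375 can start a privileged container on the host.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened: bound to one management address, TLS with mandatory client certs.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(raw: str) -> List[str]:
    """Return a list of findings for the remote API; an empty list means
    either no TCP listener or a TCP listener protected by client certificates."""
    cfg = json.loads(raw)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: nothing reachable over the network

    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host.strip("[]") in ("", "0.0.0.0", "::"):
            findings.append(f"{h}: listens on all interfaces")
        if port == "2375":
            findings.append(f"{h}: port 2375 is the conventional plaintext API port")

    if not cfg.get("tlsverify"):
        findings.append("tlsverify is not enabled: any client that can reach the socket "
                        "gets root-equivalent control of the host")
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} not set explicitly; dockerd "
                                "relies on its default ~/.docker path")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
```

The check treats the unix socket as out of scope on purpose: local root already owns the host. A TCP listener is the only part of this file that turns a local deployment into an internet-reachable one, which is why tlsverify (and a non-wildcard bind address) are the settings to audit.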
Autocracy as a service: Now any government can buy China’s tools for censoring the internet. “Autocracy as a service” lets countries buy or rent the technology and expertise they need, as they need it. China offers a full stack of options up and down the layers of the internet, including policies and laws, communications service providers with full internet.
Geopolitics: The US-China tech divide could cause havoc. It is possible that the world’s next major conflict will start in cyberspace. The USA has ordered a ban on certain hardware from China (Huawei and ZTE); China orders a ban on US computers and software, with the Chinese government set to replace foreign hardware and software within three years. Who needs whom more?
International cyber politics: The lack of international standards for proper behavior in cyberspace prevents the United States and its allies from policing adversaries as they would wish to. The US can’t “enforce standards that don’t exist”: we have international norms in the maritime domain, but we don’t have those in cyber, which makes it difficult to enforce standards that don’t exist and therefore to hold nations accountable for nefarious behavior. NATO did confirm in 2017 that it could invoke Article 5 of its charter should one or more member nations find themselves under a serious cyberattack that threatens critical military and civilian infrastructure.
Sources:
https://pentestmag.com/iot-security-its-complicated/
https://isc.sans.edu/diary/rss/25580
https://www.securityweek.com/case-cyber-insurance
https://www.securityweek.com/tips-help-mssps-choose-threat-intelligence-partner
https://www.zdnet.com/article/microsoft-we-never-encourage-a-ransomware-victim-to-pay/
https://www.darkreading.com/iot/weak-crypto-practice-undermining-iot-device-security/d/d-id/1336636
https://pacit-tech.co.uk/blog/the-2020-problem/
https://www.theregister.co.uk/2019/12/09/dronesploit_framework/
https://www.securityweek.com/blunt-effect-two-edged-sword-vulnerability-disclosures
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020
https://threatpost.com/email-voted-a-weak-link-for-election-security-with-dmarc-lagging/150909/
https://www.theregister.co.uk/2019/12/04/council_of_eu_5g_risks/
https://techcrunch.com/2019/12/05/major-voting-districts-vulnerable-email-security/
https://cacm.acm.org/magazines/2019/12/241053-hack-for-hire/fulltext
http://read.uberflip.com/i/1180978-siliconexpert-growth-of-counterfeit-electronics-3/0?acctid=6759
https://www.zdnet.com/article/2020-is-when-cybersecurity-gets-even-weirder-so-get-ready/
https://www.theregister.co.uk/2019/12/09/china_orders_ban_on_us_computers_and_software/
https://www.eetimes.eu/ai-will-empower-industry-4-0-when-it-arrives/
https://www.pandasecurity.com/mediacenter/security/2019-the-ransomware-tsunami/
https://blog.paloaltonetworks.com/2019/12/cloud-native-security-platform-age/
https://github.com/dhondta/dronesploit/
https://www.zdnet.com/article/1-in-every-172-active-rsa-certificates-are-vulnerable-to-exploit/
https://nationalcybersecurity.com/hacking-the-biggest-tech-threats-to-2020-elections/
https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/
https://www.eff.org/wp/behind-the-one-way-mirror
https://www.gdatasoftware.com/blog/2019/12/35671-early-detection-and-repulsion-of-dangerous-attacks
https://www.is.fi/digitoday/tietoturva/art-2000006342803.html
https://techcrunch.com/2019/10/30/duality-cybersecurity-16-million/
https://www.wired.com/story/sobering-message-future-ai-party/
https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html?m=1
https://www.zdnet.com/article/google-all-android-users-in-the-us-just-got-rcs-next-gen-sms/
https://www.schneier.com/blog/archives/2019/12/scaring_people_.html
https://lists.ubuntu.com/archives/ubuntu-devel-announce/2019-June/001261.html
https://lwn.net/ml/oss-security/CALCETrW1z0gCLFJz-1Jwj_wcT3+axXkP_wOCxY8JkbSLzV80GA@mail.gmail.com/
https://www.bbc.com/news/amp/world-australia-46463029
https://cyware.com/news/rcs-technology-most-users-are-vulnerable-to-hacking-b53f9a6f
https://hub.packtpub.com/core-python-team-confirms-sunsetting-python-2-on-january-1-2020/
https://www.cnet.com/news/congress-warns-tech-companies-take-action-on-encryption-or-we-will/
https://edri.org/facial-recognition-and-fundamental-rights-101/
https://techcrunch.com/2019/12/10/insider-threats-startups-protect/
https://uk.pcmag.com/windows-10/121518/microsoft-doesnt-back-up-the-windows-registry-anymore
https://threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/
https://chiefexecutive.net/bridge-cybersecurity-skills-gap/
https://systemagic.co.uk/has-your-business-prepared-for-the-2020-problem/
https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html
https://www.securityweek.com/most-companies-dont-properly-manage-third-party-cyber-risk
https://www.uusiteknologia.fi/2019/11/21/hyoty-panee-jakamaan-tietonsa-luottamus-ratkaisee/
https://pentestmag.com/advice-for-a-cybersecurity-leader-think-like-your-adversary/
https://www.amnesty.org/en/latest/news/2019/11/google-facebook-surveillance-privacy/
https://www.amnesty.org/en/documents/pol30/1404/2019/en/
https://www.securityweek.com/compromised-connection-5g-will-unite-cities-and-also-put-them-risk
https://www.securityweek.com/amnesty-international-calls-facebook-google-rights-abusers
https://www.securityweek.com/microsoft-will-bring-dns-over-https-doh-windows
https://www.securityweek.com/cybersecurity-workforce-gap-145-growth-needed-meet-global-demand
https://www.helpnetsecurity.com/2019/11/19/successful-soc/
https://www.securityweek.com/making-network-first-line-defense
https://techbeacon.com/security/how-prioritize-strategic-risks-affect-critical-infrastructure
https://www.securityweek.com/transitioning-security-driven-networking-strategy
https://www.theregister.co.uk/2019/11/16/5g_iot_report/
https://www.securityweek.com/us-montenegro-plot-cyber-warfare-ahead-2020-elections
https://www.securityweek.com/fears-grow-digital-surveillance-us-survey
https://www.kaspersky.com/blog/attack-on-online-retail/31786/
https://www.securityweek.com/implementing-cyber-best-practices-requires-security-first-approach
https://securelist.com/advanced-threat-predictions-for-2020/95055/
https://www.darkreading.com/cloud/smart-building-security-awareness-grows/d/d-id/1336597
https://www.cisomag.com/the-future-of-ai-in-cybersecurity/
https://www.ibm.com/security/artificial-intelligence
https://www.welivesecurity.com/2019/12/13/2fa-double-down-your-security/
https://cannatechtoday.com/experian-predicts-an-increase-in-global-cannabis-industry-data-breaches/
https://www.uusiteknologia.fi/2019/11/21/f-secure-tutkimaan-tekoalyagentteja/
https://www.securityweek.com/ongoing-research-project-examines-application-ai-cybersecurity
http://www.etn.fi/index.php/13-news/10151-mikko-hypponen-tekoalyn-ei-pida-matkia-ihmista
http://www.etn.fi/index.php/13-news/10124-nixu-selvitti-tekoaly-mullistaa-kyberturvan
http://www.etn.fi/index.php/13-news/10120-kyberturvassa-koneoppiminen-on-uusi-normaali
https://www.is.fi/digitoday/tietoturva/art-2000006316233.html
https://www.cyberscoop.com/apt33-microsoft-iran-ics/
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/
https://www.enisa.europa.eu/news/enisa-news/enisa-draws-threat-landscape-of-5g-networks/
https://smartgrid.ieee.org/newsletters/november-2019/the-cyber-physical-security-of-the-power-grid
https://www.wired.com/story/un-secretary-general-antonio-guterres-internet-risks/
https://codastory.com/authoritarian-tech/russia-facial-recognition-networks/
https://www.theverge.com/2019/12/9/21002515/surveillance-cameras-globally-us-china-amount-citizens
https://www.wired.com/story/iran-internet-shutoff/
https://www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/
https://www.reuters.com/article/us-interpol-encryption-exclusive-idUSKBN1XR0S7
https://www.kcrw.com/news/shows/to-the-point/does-facial-recognition-software-threaten-our-freedom
1,468 Comments
Tomi Engdahl says:
Using Frida For Windows Reverse Engineering
https://darungrim.com/research/2020-06-17-using-frida-for-windows-reverse-engineering.html
Tomi Engdahl says:
IPv6 Security & Capability Testing, Part 1
https://theinternetprotocolblog.wordpress.com/2020/05/24/ipv6-security-capability-testing-part-1/
IPv6 Security & Capability Testing, Part 2
https://theinternetprotocolblog.wordpress.com/2020/05/26/ipv6-security-capability-testing-part-2/
Tomi Engdahl says:
The Pentagon has a laser that can identify people from a distance—by their heartbeat
The Jetson prototype can pick up on a unique cardiac signature from 200 meters away, even through clothes.
https://www.technologyreview.com/2019/06/27/238884/the-pentagon-has-a-laser-that-can-identify-people-from-a-distanceby-their-heartbeat/
Tomi Engdahl says:
SOARing Across Clouds: How Security Orchestration, Automation And Response Can Strengthen Your Hybrid, Multicloud Security
https://www.forbes.com/sites/ibmsecurity/2020/05/29/soaring-across-clouds-how-security-orchestration-automation-and-response-can-strengthen-your-hybrid-multicloud-security/
Tomi Engdahl says:
https://pentestmag.com/nessus-map/
Tomi Engdahl says:
Looking at Big Threats Using Code Similarity. Part 1
https://securelist.com/big-threats-using-code-similarity-part-1/97239/
Tomi Engdahl says:
moz://a SSL Config Generator
https://cipherl.ist/
Tomi Engdahl says:
A New Free Monitoring Tool to Measure Your Dark Web Exposure
https://thehackernews.com/2020/05/dark-web-monitoring-tool.html
https://www.immuniweb.com/radar/
Tomi Engdahl says:
eBay port scans visitors’ computers for remote access programs
https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote access applications.
Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.
After learning about this, BleepingComputer conducted a test and can confirm that eBay.com is indeed performing a local port scan of 14 different ports when visiting the site.
Tomi Engdahl says:
What Is Confidential Computing?
https://spectrum.ieee.org/computing/hardware/what-is-confidential-computing
A handful of major technology companies are going all in on a new security model they’re calling confidential computing in an effort to better protect data in all its forms.
The three pillars of data security involve protecting data at rest, in transit, and in use. Protecting data at rest means using methods such as encryption or tokenization so that even if data is copied from a server or database, a thief can’t access the information. Protecting data in transit means making sure unauthorized parties can’t see information as it moves between servers and applications. There are well-established ways to provide both kinds of protection.
Protecting data while in use, though, is especially tough because applications need to have data in the clear—not encrypted or otherwise protected—in order to compute. But that means malware can dump the contents of memory to steal information. It doesn’t really matter if the data was encrypted on a server’s hard drive if it’s stolen while exposed in memory.
Tomi Engdahl says:
Malware Analysis with Visual Pattern Recognition
The secret to quickly reverse-engineering binary files
https://towardsdatascience.com/malware-analysis-with-visual-pattern-recognition-5a4d087c9d26
Tomi Engdahl says:
When one open-source package riddled with vulns pulls in dozens of others, what’s a dev to do?
https://www.theregister.com/2020/06/26/open_source_security_snyk_survey/
Snyk survey puts cross-site scripting top of the list for security holes – but watch out for prototype pollution too
Tomi Engdahl says:
IBM Differential Privacy Library: The single line of code that can protect your data
https://www.ibm.com/blogs/research/2020/06/ibm-differential-privacy-library-the-single-line-of-code-that-can-protect-your-data/
This year for the first time in its 230-year history the US Census will use differential privacy to keep the responses of its citizens confidential when the data is made available. But how does it work? Differential privacy uses mathematical noise to preserve individuals’ privacy and confidentiality while allowing population statistics to be observed. This concept has a natural extension to machine learning, where we can protect models against privacy attacks, while maintaining overall accuracy.
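The “mathematical noise” in the comment above is, in the simplest case, the Laplace mechanism applied to a counting query. The following added Python example (not code from the comment or from IBM’s library) implements it for a constructed yes/no dataset and, rather than just adding noise, also checks the epsilon guarantee numerically: for two datasets that differ in one person, the log-ratio of output probabilities never exceeds epsilon. The dataset, seed and epsilon values are constructed.

```python
"""Laplace mechanism for a counting query, with a numerical check of the
epsilon-differential-privacy bound.

Added example, not code from the original comment or from IBM's library.
The records, seed and epsilon values below are constructed.
"""
import math
import random
from typing import Iterable, List


def make_rng(seed: int) -> random.Random:
    """Seeded generator so the demo is reproducible."""
    return random.Random(seed)


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverting the CDF of a uniform draw."""
    u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
    if u <= -0.5:                   # guard the single point where log(0) would occur
        u = -0.5 + 1e-12
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def exact_count(records: Iterable[bool]) -> int:
    """The true answer that the mechanism must never reveal exactly."""
    return sum(1 for r in records if r)


def private_count(records: Iterable[bool], epsilon: float, rng: random.Random) -> float:
    """Counting query with sensitivity 1: adding or removing one person changes
    the count by at most 1, so Laplace noise of scale 1/epsilon is enough for
    epsilon-DP. Smaller epsilon means more noise and stronger privacy."""
    sensitivity = 1.0
    return exact_count(records) + laplace_noise(sensitivity / epsilon, rng)


def laplace_pdf(x: float, mean: float, scale: float) -> float:
    return math.exp(-abs(x - mean) / scale) / (2.0 * scale)


def worst_case_privacy_loss(count_a: int, count_b: int, epsilon: float, grid: List[float]) -> float:
    """Largest |ln p_A(x) / p_B(x)| over the candidate outputs in `grid`, where A and B
    are datasets whose true counts are count_a and count_b. The definition of
    epsilon-DP requires this to stay at or below epsilon whenever the datasets
    differ in a single record (|count_a - count_b| <= 1)."""
    scale = 1.0 / epsilon
    return max(abs(math.log(laplace_pdf(x, count_a, scale) / laplace_pdf(x, count_b, scale)))
               for x in grid)


if __name__ == "__main__":
    records = [True] * 120 + [False] * 80        # constructed survey: 120 "yes" answers
    rng = make_rng(7)
    for eps in (0.1, 1.0, 10.0):
        print(f"epsilon={eps}: noisy count {private_count(records, eps, rng):.2f} "
              f"(true {exact_count(records)})")
    grid = [x / 4 for x in range(0, 1000)]
    print("neighbours, loss =", worst_case_privacy_loss(120, 121, 0.5, grid))
    print("not neighbours, loss =", worst_case_privacy_loss(120, 122, 0.5, grid))
```

Two things the numbers make visible: the noise scale depends only on the query’s sensitivity and epsilon, never on the data, and the privacy-loss bound is tight (it reaches exactly epsilon for outputs far from both counts), which is why the mechanism’s guarantee is stated in terms of epsilon rather than of how “hidden” a particular person looks.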
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Apple’s decision in Feb. to limit HTTPS certs’ lifespan to 398 days in Safari has been mimicked by Chrome and Firefox to the dismay of Certificate Authorities
Apple strong-arms entire CA industry into one-year certificate lifespans
https://www.zdnet.com/article/apple-strong-arms-entire-ca-industry-into-one-year-certificate-lifespans/
Apple, Google, and Mozilla reduce the lifespan for HTTPS certificates to 398 days, against the wishes of Certificate Authorities.
A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates.
Following Apple’s initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers.
Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days.
Tomi Engdahl says:
Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems
https://www.securityweek.com/driver-vulnerabilities-facilitate-attacks-atms-pos-systems
A significant number of ATM malware families emerged over the past years, including the ones known as Skimer, Alice, CUTLET MAKER, Ploutus, Tyupkin, ATMJackpot, Suceful, RIPPER, WinPot, PRILEX, ATMii and GreenDispenser. Many of these pieces of malware allow their operators to conduct so-called “jackpotting” attacks, where the attacker instructs the targeted ATM to dispense cash.
According to Eclypsium, vulnerabilities affecting the drivers running on ATMs or PoS devices could allow attackers to escalate privileges and gain “deeper access” into the targeted system.
“By taking advantage of the functionality in insecure drivers, attackers or their malware can gain new privileges, access information, and ultimately steal money or customer data,” Eclypsium explained.
Tomi Engdahl says:
The Communication Imperative for CISOs
https://www.securityweek.com/communication-imperative-cisos
One of the potential upsides for security leaders as a result of the COVID-19 pandemic, is a renewed focus on cybersecurity and business resiliency. Seemingly overnight, your expertise, resourcefulness and dedication became recognized as integral to shifting your business to become distributed and digital. Now’s the time to take advantage of all the attention and step up your communications skills, so you can:
• Demonstrate the value you and your teams are providing during the crisis
• Collaborate more effectively to improve security operations, even when teams are working remotely
• Educate the organization on how you mitigate cyber risk on a daily basis
Let’s take a closer look at each.
Demonstrate. The best days for security technologies and teams are when they aren’t seen – when they’re doing their jobs to secure the business, employees and customers, without impacting productivity and user experience. Although you’ve been in the spotlight, that doesn’t mean that your executive team and Board really understand the work that happened largely behind the scenes. I’m sure you’re familiar with the phrase, “Tell them what you’re going to do, do it, and then tell them what you did.”
Explain the unique challenges the company faced, how you and your team overcame them, the value delivered, lessons learned, and how to continue to improve security operations. After all, you know that the next disruption isn’t too far behind and there is no such thing as preparing too early.
Collaborate. How you communicate with your team has changed – at least in the near term, if not permanently. With employees working from home, you can’t tap an analyst on the shoulder to assign them a task or walk down the hall to get an update on an investigation.
Educate. Boards are maturing in their understanding of cybersecurity and asking more detailed questions. They don’t just want to know if the latest threat pertains to the organization, but in what ways and how you know that. Start thinking now about the information and capabilities you need to help you communicate in a simple and clear way. For example, if there is a new vulnerability or threat in the news, the CEO may ask: “What is it?”, “Does it pertain to us?”, or “How are we impacted?”. You need to be able to answer in a clear and concise manner. This involves understanding external data on the threat, identifying events and associated indicators from your own internal systems and correlating the two for context and relevance to your environment. With this information you can explain, in a format that is easily digestible for people who don’t live and breathe security, whether or not they should be concerned about a recent attack that made the headlines. Simple explanations help put their mind at ease, whether the news is good, (e.g., “The latest ransomware attack is taking advantage of a vulnerability we’ve already patched, so this isn’t a threat to be concerned about.”) or not so good, (e.g., “Internal data and events indicate some evidence of potential malicious activity, so we’re taking steps to contain it and are now remediating the affected systems.”)
Tomi Engdahl says:
Remember when we warned in February Apple will crack down on long-life HTTPS certs? It’s happening:
Chrome, Firefox ready to join in, too
From Sept 1, new TLS certificates valid for more than 398 days will be snubbed
https://www.theregister.com/2020/06/30/tls_cert_lifespan/
From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats.
“Connections to TLS servers violating these new requirements will fail,” Apple warned in its official note. “This might cause network and app failures and prevent websites from loading.”
What this means for netizens is that websites and apps may stop working as expected on Apple gear some time after September 1, if said sites and apps renew or use new encryption certificates that last longer than 398 days. For developers and site admins, that means if you’re creating or renewing certs after September 1, make sure they expire within that time limit, or they won’t work as you expect in Safari, on iOS, and with other Apple software. Users may see error messages or notice connections fail and services break.
Critics, particularly commercial certificate sellers, say it burdens software makers and site owners with extra costs and hassle, and will drive folks to free services, such as Let’s Encrypt – which, incidentally, offers tools to regularly and automatically renew certificates at no cost.
In any case, Google’s Chrome is set to follow suit, judging by this commit to the Chromium browser engine source code last week:
Enforce publicly trusted TLS server certificates have a lifetime of 398 days or less, if they are issued on or after 2020-09-01. Certificates that violate this will be rejected with ERR_CERT_VALIDITY_TOO_LONG and will be treated as misissued.
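The rule described in this comment and in the earlier ZDNet one (a certificate issued on or after 2020-09-01 with a validity period longer than 398 days fails) is easy to check on your own certificates before a browser does it for you. The following added Python example (not code from the comments, Apple or Chromium) applies the rule to the notBefore/notAfter strings in the shape returned by the standard library’s `ssl` peer-certificate dictionary, so the same function works on a live connection; the certificate values below are constructed.

```python
"""Check a TLS certificate's validity period against the 398-day rule that
Apple, Chrome and Firefox apply to certificates issued on or after 2020-09-01.

Added example, not code from the original comments or from any browser vendor.
The certificate dictionaries below are constructed; their shape matches what
ssl.SSLSocket.getpeercert() returns for a live server.
"""
import ssl
from datetime import datetime, timedelta, timezone

POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)  # "issued on or after 2020-09-01"
MAX_LIFETIME = timedelta(days=398)                        # "398 days or less" is acceptable


def lifetime_verdict(not_before: datetime, not_after: datetime) -> str:
    """Return 'ok', 'too_long' or 'grandfathered'.

    'grandfathered' marks a certificate issued before the policy date whose
    lifetime exceeds the cap: browsers kept honouring those, they only refuse
    NEW issuances over 398 days (Chromium's ERR_CERT_VALIDITY_TOO_LONG).
    """
    if not_after < not_before:
        raise ValueError("notAfter precedes notBefore")
    lifetime = not_after - not_before
    if not_before < POLICY_START:
        return "grandfathered" if lifetime > MAX_LIFETIME else "ok"
    return "too_long" if lifetime > MAX_LIFETIME else "ok"


def verdict_from_peercert(cert: dict) -> str:
    """Apply the rule to a getpeercert()-style dict. ssl.cert_time_to_seconds
    parses the 'Mon DD HH:MM:SS YYYY GMT' strings the ssl module produces."""
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return lifetime_verdict(not_before, not_after)


# Constructed samples. Sep 1 2020 + 398 days lands on Oct 4 2021 exactly.
SAMPLE_CERT_OK = {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"}
SAMPLE_CERT_TOO_LONG = {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"}
SAMPLE_CERT_OLD_TWO_YEAR = {"notBefore": "Aug 31 23:59:59 2020 GMT", "notAfter": "Aug 31 23:59:59 2022 GMT"}


if __name__ == "__main__":
    for name, cert in (("ok", SAMPLE_CERT_OK), ("too_long", SAMPLE_CERT_TOO_LONG),
                       ("old_two_year", SAMPLE_CERT_OLD_TWO_YEAR)):
        print(name, "->", verdict_from_peercert(cert))
    # On a real host (network access needed), uncomment:
    # import socket
    # ctx = ssl.create_default_context()
    # with ctx.wrap_socket(socket.create_connection(("example.org", 443)),
    #                      server_hostname="example.org") as s:
    #     print(verdict_from_peercert(s.getpeercert()))
```

Note that the Chromium commit quoted above scopes the rule to publicly trusted certificates; a private CA is not affected by the browser policy, although nothing stops you from applying the same check to it.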
Tomi Engdahl says:
Removing GPS data is not enough – this is how Google knows where your photos came from
https://www.is.fi/digitoday/mobiili/art-2000006556321.html?ref=rss
Tomi Engdahl says:
How public safety systems can be abused by nation state actors
https://www.bleepingcomputer.com/news/security/how-public-safety-systems-can-be-abused-by-nation-state-actors/
Open systems, open data, and open-source software provide a means to promote greater transparency, public trust, and user participation. But what happens when adversaries can abuse the same systems?
Tomi Engdahl says:
Ransomware Crooks Start Selling Victims’ Secrets To The Highest Bidder
https://www.forbes.com/sites/leemathews/2020/06/30/revil-ransomware-auctions-victim-data/
Being struck by ransomware used to mean that data would be lost forever unless you paid up. Those days are long gone. Today ransomware gangs are also stealing their victims’ data… and in some cases auctioning it off on Dark Web markets.
Tomi Engdahl says:
REvil Ransomware Gang Adds Auction Feature for Stolen Data
https://threatpost.com/revil-ransomware-gang-auction-stolen-data/157006/
An anonymous bidding mechanism enhances the REvil group’s double-extortion game.
Tomi Engdahl says:
System hardening in Android 11
https://security.googleblog.com/2020/06/system-hardening-in-android-11.html
In Android 11 we continue to increase the security of the Android platform. We have moved to safer default settings, migrated to a hardened memory allocator, and expanded the use of compiler mitigations that defend against classes of vulnerabilities and frustrate exploitation techniques.
Tomi Engdahl says:
The more cybersecurity tools an enterprise deploys, the less effective their defense is
https://www.zdnet.com/article/the-more-cybersecurity-tools-an-enterprise-deploys-the-less-effective-their-defense-is/
New research highlights how throwing money indiscriminately at security doesn’t guarantee results.
The enterprise is slowly improving its response to cybersecurity incidents, but in the same breath, it is still investing in too many tools that can actually reduce the effectiveness of defense.
The research suggests that while investment and planning are on the uptake, effectiveness is not on the same incline, with response efforts hindered by complexity caused by fragmented toolsets.
On average, enterprises deploy 45 cybersecurity-related tools on their networks. The widespread use of too many tools may contribute to an inability not only to detect, but also to defend from active attacks. Enterprises that deploy over 50 tools ranked themselves 8% lower in their ability to detect threats, and 7% lower in their defensive capabilities, than other companies employing fewer toolsets.
It does appear that the enterprise cybersecurity scene is reaching a new level of maturity, however, with 26% of respondents saying that their organizations have now adopted formal, company-wide Cyber Security Incident Response Plans (CSIRPs), an increase from 18% five years ago.
In total, however, 74% of respondents said their cybersecurity planning posture still leaves much to be desired, with no plans, ad-hoc plans, or inconsistency still a thorn in the side of IT staff. In addition, among those who have adopted a response plan, only a third have created a playbook for common attack types to watch out for during daily operations.
“Since different breeds of attack require unique response techniques, having pre-defined playbooks provides organizations with consistent and repeatable action plans for the most common attacks they are likely to face,” the report notes.
According to IBM, a lack of planning and incident response testing can lead to a damages bill up to $1.2 million higher than a cyberattack would have otherwise cost a victim company.
The cost can be high in terms of disruption, too, as only 39% of enterprise companies with CSIRP applied have experienced a severely disruptive attack in the past two years — in comparison to 62% of those which did not implement any form of plan.
Tomi Engdahl says:
The U.S. Senate is advancing legislation that creates a threat to strong encryption, the bedrock of digital security.
While the senators championing the bill, which they’ve named the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), may have good intentions, they are seriously misguided about the impact of their proposal.
Encryption ensures our information, from our sensitive financial and medical details to emails and text messages, is protected. But the EARN IT Act will create a broad path for government actors to seriously undermine strong encryption, putting our information at risk. That’s why Mozilla is joining dozens of other internet health and civil society organizations in calling on the U.S. Congress to vote no on the EARN IT Act.
Oppose the EARN IT Act
https://foundation.mozilla.org/en/campaigns/oppose-earn-it-act/
Tomi Engdahl says:
Inside a ransomware attack: From the first breach to the ransom demand
https://www.zdnet.com/article/inside-a-ransomware-attack-from-the-first-breach-to-encrypting-a-network-in-just-two-weeks/
Security researchers map out how a ransomware attack plays out over a two-week period.
Tomi Engdahl says:
Ransomware Gangs Don’t Need PR Help
https://krebsonsecurity.com/2020/07/ransomware-gangs-dont-need-pr-help/
We’ve seen an ugly trend recently of tech news stories and
cybersecurity firms trumpeting claims of ransomware attacks on
companies large and small, apparently based on little more than the
say-so of the ransomware gangs themselves. Such coverage is
potentially quite harmful and plays deftly into the hands of organized
crime.
Tomi Engdahl says:
G DATA threat report: Number of cyber attacks increases significantly
in the first quarter
https://www.gdatasoftware.com/blog/2020/07/36199-number-of-cyber-attacks-increases-significantly-in-the-first-quarter
The current threat analysis by G DATA CyberDefense shows that the
number of attacks prevented in March 2020 has increased significantly.
The cyber defence company averted almost a third more attacks than in
February. Especially active: GuLoader and Trickbot. Old tricks, new
losses: tech support scams.
Tomi Engdahl says:
HOW TO CHOOSE A SECURE REMOTE WORK TOOL? GUIDELINES AND TIPS TO HELP
https://www.huoltovarmuuskeskus.fi/miten-valita-turvallinen-etatyovaline-ohjeita-ja-vinkkeja-avuksi/
Many people have wondered this year which application used for remote work
is safe to use. This gave rise to the idea of a guide that helps
organizations, their employees and those responsible for information
security to compare different remote work tools with each other and choose
a suitable one from the many options. The guide was commissioned by the
Digipooli of the Huoltovarmuusorganisaatio (the Finnish National Emergency
Supply Organisation).
Tomi Engdahl says:
ENISA Launches Public Consultation for First Candidate Cybersecurity
Certification Scheme
https://www.enisa.europa.eu/news/enisa-news/enisa-launches-public-consultation-for-first-candidate-cybersecurity-certification-scheme
The EUCC Candidate Scheme for ICT Products, set to replace the SOG-IS,
is released today for public feedback.
Tomi Engdahl says:
The Case for Intent-Based Segmentation with SD-WAN
https://www.securityweek.com/case-intent-based-segmentation-sd-wan
Intent-based Segmentation Allows Networks to Dynamically Adapt for Advanced Threat Mitigation
SD-WAN is a perfect example of how digital innovation (DI) efforts are redefining how businesses operate and networks function. It combines remote workers, multi-cloud platforms, business-critical applications, and advanced networking into a single, integrated system. And when combined with a fully integrated security solution, it can vastly improve an organization’s security posture and protection across the distributed WAN.
However, providing an advanced set of technologies that enable fast and reliable access to critical resources is less effective if the network on the other side of the firewall hasn’t been adequately secured. Traditional security approaches tend to be perimeter-centric, meaning that the majority of security resources are focused on things like posting a next-gen firewall and AAA services at the network edge. But far too often, the network behind the firewall is flat and open. With little effort, users can move laterally across the network, which also means that threats are often able to cross over to POS or other restricted corporate network resources. And worse, because there is so little security monitoring the internal network, events such as those can remain undetected for months.
In addition, ongoing complexity from infrastructure expansion projects as well as mergers and acquisitions as part of business development can also compound the challenge to implementing security measures if not planned for ahead of time at a foundational level.
Network Security Should Start with Segmentation
Internal segmentation strategies—solutions that go well beyond simple VLANs—play a critical role in ensuring that agile connectivity strategies such as SD-WAN can be safely integrated into a traditional network. However, this segmentation strategy needs to be smart enough to support the kinds of access and dynamic changes that things like business applications and SD-WAN connectivity require. And the reality is, traditional segmentation methods are often more complex to work with when it comes to addressing the needs of an active SD-WAN deployment.
First, rigid segmentation methods struggle to adapt to business and compliance requirements. This issue is especially true for SD-WAN, where the infrastructure is continuously shifting to meet business demands. Another challenge is that segmentation can introduce high levels of unnecessary risk due to static or implicit trust. This happens when data and users are free to move, and devices can be repurposed on demand. Traditional segmentation efforts are unable to detect and adapt to these changes. And finally, the isolation that can occur within, as well as between, network segments can reduce security visibility and limit consistent policy enforcement. This becomes particularly risky when the attack surface is in a state of instability.
The Need for Intent-based Segmentation
To ensure that the security inside the network matches the SD-WAN and other DI efforts occurring outside the traditional perimeter, organizations have begun to transition to intent-based segmentation. This strategy is designed to help organizations establish and maintain a security-driven networking strategy that complements DI efforts happening elsewhere across the distributed environment.
Using business intent, rather than just the network architecture, is essential in determining the logic by which end-users, applications, and devices are segmented. It also enables security policies that can see and adjust to change in real-time to achieve a level of continuous trust that can evolve with the network. This can then complement the deployment of advanced application-level security solutions so they can span the entire network. It also enables comprehensive, centralized content inspection to provide full visibility into all traffic and limit breaches to specific segments by preventing malicious content from passing over from one area to another. Further, choosing a solution that supports thousands of application signatures enables accurate detection and translates into segmentation logic for users and applications.
The power of intent-based segmentation is that it provides visibility into all aspects of the network. It enables the instantaneous fine-tuning of access controls, enables segments to be dynamically established regardless of where a workflow originates, and allows for advanced threat mitigation by using business intent to drive network segmentation.
The Importance of Trust
One of the biggest challenges faced by organizations is that many parts of the network operate from a position of implicit trust. This model is the result of years of running a static network. But in a dynamic and evolving environment, pre-configured segmentation standards that allow implicit or static trust will inevitably expose critical resources to risk, especially in the event of a network compromise. To support an SD-WAN deployment, an intent-based segmentation solution must be able to measure trust to determine a suitable level of access for individual users, devices, and applications. There are several existing trust databases designed to house such information that can be leveraged.
But that’s not enough. IoT and other devices can be easily manipulated, and trusted employees and insiders can act maliciously and inflict considerable damage. As a result, trust also needs to be continually renewed through an integrated security strategy. This requires employing tools such as behavioral analysis and multifactor authentication, maintaining trustworthiness through the use of strict access controls and the continuous monitoring of each device’s data and traffic, and then dynamically resetting access rules when behavior becomes untrustworthy.
To effectively establish and maintain this level of trust, organizations should consider augmenting their intent-based network segmentation with a Zero-trust Network Access (ZTNA) strategy. This ensures that, in addition to restricting lateral movement, all access is authenticated, every aspect of traffic is monitored, and users and devices are limited to only those assets and resources required to do their job.
Tomi Engdahl says:
NSA releases guidance on securing IPsec Virtual Private Networks
https://www.bleepingcomputer.com/news/security/nsa-releases-guidance-on-securing-ipsec-virtual-private-networks/
Tomi Engdahl says:
According to the 2020 Verizon breach report, ransomware accounted for 27% of malware incidents last year. This may not seem like a lot, but when you think of the impact it has on an organization you can understand why it’s often the malware that makes the news headlines. Over the last few years, the impact has worsened due to adversaries moving to a more targeted attack method, rather than the traditional “spray and pray” method of infecting as many potential victims as possible.
https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems
Tomi Engdahl says:
ALL YOUR ENCRYPTION KEYS ARE BELONG TO US…
U.S. Senators Introduce Ultimate Backdoor Bill Banning the Use of Strong Consumer-Grade Encryption
https://forklog.media/u-s-senators-introduce-ultimate-backdoor-bill-banning-the-use-of-strong-consumer-grade-encryption/
Last week, Republican U.S. Senators introduced the Lawful Access to Encrypted Data Act “ending the use of ‘warrant-proof’ encrypted technology by terrorists and other bad actors to conceal illicit behavior.” Experts and privacy advocates think it can effectively outlaw strong encryption.
As the name may suggest, the Lawful Access to Encrypted Data Act (LAED Act, also referred to as LAEDA) is about requiring device manufacturers and service providers to allow law enforcement to access encrypted data, whether it is stored on a device or transmitted through the internet.
“The bill would require service providers and device manufacturers to provide assistance to law enforcement when access to encrypted devices or data is necessary,” the official announcement reads, “but only after a court issues a warrant, based on probable cause that a crime has occurred, authorizing law enforcement to search and seize the data.”
The Senators behind the proposal argued that terrorists, drug traffickers, and other unsavory individuals exploit consumer-level encrypted communications to run their operations, while law enforcement officials can’t access information potentially important to the investigation.
The bill would require companies like Apple and Facebook to “assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.” If a company is unable to comply, it will have to implement the required capabilities or appeal in federal court. The U.S. government will compensate the affected companies “for reasonable costs incurred in complying with the directive.”
This basically means that U.S. companies will have to have an encryption backdoor available for all data stored or transmitted. Those who don’t have one will have to redesign their systems so there is a backdoor. Experts perceive the bill as an outright ban on end-to-end encryption in the U.S.
“The bill is an actual, overt, make-no-mistake, crystal-clear ban on providers from offering end-to-end encryption in online services, from offering encrypted devices that cannot be unlocked for law enforcement, and indeed from offering any encryption that does not build in a means of decrypting data for law enforcement,” she wrote, “This bill is the encryption backdoor mandate we’ve been dreading was coming, but that nobody, during the past six years of the renewed Crypto Wars, had previously dared to introduce.”
Tomi Engdahl says:
Given the broad wording of the bill, Riana suggested that it might apply even to individual contributors in open-source projects.
If the LAED Act passes, U.S. tech companies will be unable to provide users with end-to-end encryption.
Importantly, the LAED Act doesn’t even have to pass in order to harm encryption. As pointed out by Slate’s Jillian Foley, companies that had plans to introduce strong encryption may now reconsider the decision.
https://forklog.media/u-s-senators-introduce-ultimate-backdoor-bill-banning-the-use-of-strong-consumer-grade-encryption/
Tomi Engdahl says:
Using this assessment you will evaluate your DevSecOps practices and find the quickest way to improve.
https://about.gitlab.com/why/shift-your-security-scanning-left/index.html?utm_medium=paidsocial&utm_source=facebook&utm_campaign=devsecopsusecase_emea_pr_static_x_x&utm_content=shift-your-security-scanning-left_digital_x_english_
Tomi Engdahl says:
Browser extension called Behave! that monitors and warns users if a web page performs any of the following actions:
Browser based Port Scan
Access to Private IPs
DNS Rebinding attacks to Private IPs
https://github.com/mindedsecurity/behave
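As an added example, not code from the Behave! project: the three behaviours listed above can be recognised from the requests a page issues, provided the monitor also sees the address each request actually connected to (the browser's webRequest API reports this as the `ip` field once a response starts). The helper names, the port-scan threshold and the constructed sample URLs below are this example's own choices.

```javascript
'use strict';
// Added example, not the Behave! extension's own code. Heuristics for the three
// behaviours it watches for: access to private addresses, DNS rebinding to a
// private address, and browser-based port scans. The names below, the
// port-scan threshold and the sample URLs are this example's assumptions.

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;                                    // 0 .. 4294967295
}

// "a.b.c.d/bits" -> { base, mask } as unsigned 32-bit integers.
function cidr(text) {
  const [ip, bitsText] = text.split('/');
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return { base: (parseIPv4(ip) & mask) >>> 0, mask };
}

const PRIVATE_V4 = [
  '0.0.0.0/8',       // "this" network; 0.0.0.0 reaches loopback on some systems
  '10.0.0.0/8',      // RFC 1918
  '100.64.0.0/10',   // carrier-grade NAT shared space (RFC 6598)
  '127.0.0.0/8',     // loopback
  '169.254.0.0/16',  // link-local, including cloud metadata 169.254.169.254
  '172.16.0.0/12',   // RFC 1918
  '192.168.0.0/16',  // RFC 1918
].map(cidr);

// True when a URL host (name, IPv4 or bracketed IPv6 literal) names an
// internal destination.
function isInternalHost(host) {
  let h = host.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.local')) return true;
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  const v4 = parseIPv4(h);
  if (v4 !== null) return PRIVATE_V4.some(r => ((v4 & r.mask) >>> 0) === r.base);
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);   // IPv4-mapped IPv6
  if (mapped) return isInternalHost(mapped[1]);
  if (h === '::1' || h === '0:0:0:0:0:0:0:1') return true;  // IPv6 loopback
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;            // unique local fc00::/7
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;            // link-local fe80::/10
  return false;
}

// Per-page state: feed it every request the page makes, together with the
// address the browser connected to (undefined means the host literal itself).
class PageMonitor {
  constructor(portScanThreshold = 5) {
    this.portScanThreshold = portScanThreshold;
    this.portsByTarget = new Map();   // internal address -> Set of ports touched
    this.seenPublic = new Set();      // names that have answered from a public address
    this.alerts = [];
  }

  onRequest(urlText, resolvedIp) {
    const url = new URL(urlText);
    const host = url.hostname;
    const port = Number(url.port) || (url.protocol === 'https:' ? 443 : 80);
    const target = resolvedIp || host;
    if (!isInternalHost(target)) {
      this.seenPublic.add(host);
      return null;
    }
    let alert;
    if (resolvedIp && !isInternalHost(host) && this.seenPublic.has(host)) {
      // The same public name now answers from inside the network: the DNS
      // rebinding pattern (a short-TTL public A record switched to a private
      // one while the page is still running).
      alert = { type: 'dns-rebinding', host, ip: resolvedIp, port };
    } else {
      alert = { type: 'private-ip-access', host, ip: target, port };
    }
    const ports = this.portsByTarget.get(target) || new Set();
    ports.add(port);
    this.portsByTarget.set(target, ports);
    if (ports.size === this.portScanThreshold) {
      // Many distinct ports on one internal host from a single page is the
      // signature of a browser-based port scan.
      alert = { type: 'port-scan', host: target, ports: [...ports].sort((a, b) => a - b) };
    }
    this.alerts.push(alert);
    return alert;
  }
}

// Demo on constructed requests: a page probing 127.0.0.1 on three ports.
const demo = new PageMonitor(3);
for (const p of [22, 80, 8080]) demo.onRequest(`http://127.0.0.1:${p}/`);
console.log(demo.alerts);
```

A real extension would wire `onRequest` to the webRequest events; the point of the example is that none of the three checks needs DNS access of its own, only the host from the URL and the address the browser ended up talking to.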
Tomi Engdahl says:
Yes, it’s safe to move sensitive data to the cloud
https://www.infoworld.com/article/3565392/yes-its-safe-to-move-sensitive-data-to-the-cloud.html
The public clouds have been safe places to store mission-critical and sensitive data for some time, but it takes a pandemic to push most enterprises over the tipping point
According to a study by the Cloud Security Alliance, 69 percent of enterprises have moved or are moving mission-critical information to the cloud. The research also shows 65 percent of businesses are worried about migrating sensitive data, and 59 percent of them have security concerns.
I get it. If your data is in the cloud, then it’s not in your data center. You can’t touch the server, therefore it must be insecure or at risk.
The reality is counterintuitive. Indeed, for at least the past few years the cloud has surpassed the security capabilities of most on-premises systems. This was accomplished by more security companies focusing on the exploding cloud computing market and spending R&D dollars there, rather than on existing, on-premises security systems.
Of course, security is directly related to the enterprise’s ability to leverage the proper systems, and the talent of those who are selecting and implementing those systems. Nothing is 100 percent secure. That said, you’re more likely to have a stronger data security system in the public cloud than you are in your data center. On-demand access to state-of-the-art security systems is the primary reason.
So, why the sudden interest in moving mission-critical and sensitive data to the cloud? The pandemic, of course.
The pandemic exposed issues with data security and data access for on-premises systems. In some cases, humans could not get into the data centers, and outages had to be fixed remotely, which for some issues (like equipment failure) is impossible.
We passed the tipping point of the cloud being a more secure platform years ago. Your organization still may have political struggles around using cloud for critical data, but the evidence shows that it’s just a better platform for data, for a lot of obvious reasons—at least, reasons that are obvious to me.
Tomi Engdahl says:
3,650 respondents from 21 countries spoke about their DevOps successes, challenges, and ongoing struggles. See what they have to say.
Mapping the DevSecOps Landscape
https://about.gitlab.com/developer-survey/?utm_medium=paidsocial&utm_source=facebook&utm_campaign=2020surveydevsecops_emea_pr_static_x_x&utm_content=developer-survey_corpmkt_239_english_
Tomi Engdahl says:
Rebecca Heilweil / Vox:
Even if government use of facial recognition tech is regulated more strictly, issues will remain due to the ubiquity of the same tech in consumer devices — A growing number of gadgets are scanning your face. — Facial recognition is having a reckoning.
How can we ban facial recognition when it’s already everywhere?
https://www.vox.com/recode/2020/7/3/21307873/facial-recognition-ban-law-enforcement-apple-google-facebook?scrolla=5eb6d68b7fedc32c19ef33b4
Tomi Engdahl says:
The key to stopping cyberattacks? Understanding your own systems
before the hackers strike
https://www.zdnet.com/article/the-key-to-stopping-cyberattacks-understanding-your-own-systems-before-the-hackers-strike/
“That’s what people often misunderstand about attacks: they don’t
happen at the speed of light, it often takes months or years to get
the right level of access in a network and ultimately to be able to
push the trigger and cause a destructive act,” says Dmitri
Alperovitch, executive chairman at Silverado Policy Accelerator and
co-founder and former CTO of CrowdStrike.
Tomi Engdahl says:
North Korean hackers are skimming US and European shoppers
https://sansec.io/research/north-korea-magecart
North Korean state sponsored hackers are implicated in the
interception of online payments from American and European shoppers,
Sansec research shows. Hackers associated with the APT Lazarus/HIDDEN
COBRA group were found to be breaking into online stores of large US
retailers and planting payment skimmers as early as May 2019.
Tomi Engdahl says:
Fraunhofer FKIE: Significant security flaws detected in Home Routers
https://www.fkie.fraunhofer.de/en/press-releases/Home-Router.html
Alarming findings are published in the »Home Router Security Report
2020« by the Fraunhofer Institute for Communication, Information
Processing and Ergonomics FKIE. Of the 127 home routers tested from
seven major manufacturers, nearly all were found to have security
flaws, some of them very severe. The problems range from missing
security updates to easily decrypted, hard-coded passwords and known
vulnerabilities that should have been patched long ago. Report at
https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/HomeRouter/HomeRouterSecurity_2020_Bericht.pdf.
Tool at https://fkie-cad.github.io/FACT_core/
Tomi Engdahl says:
First full version of the Cyber Security Body of Knowledge published
https://www.ncsc.gov.uk/blog-post/full-version-of-the-cyber-security-body-of-knowledge-published
We are delighted to announce that version 1.0 of the Cyber Security
Body of Knowledge (CyBOK) has been published. This is a comprehensive
Body of Knowledge to inform and underpin education and professional
training for the cyber security sector, a culmination of international
cyber security effort over the last 3 years. The 828-page PDF is at
https://www.cybok.org/media/downloads/cybok_version_1.0.pdf
Tomi Engdahl says:
False Flags in Cyber Threat Intelligence Operations
https://medium.com/@dw.chow/false-flags-in-cyber-threat-intelligence-operations-6893af697080
Based on my research and poking, I was able to successfully prove to a
client that CTI adversary injection was indeed possible and could have
major impacts on the entity depending on specific timing and scale of
the injection. … In under 15 sample submissions, we were able to
get the client domain blacklisted for a period of 4872 hours until
whitelisting submissions were validated by varying vendors including
Symantec, Microsoft, and BlueCoat.
Tomi Engdahl says:
OT Networks Are Becoming Essential Components of IT Risk Management, Governance
https://www.securityweek.com/ot-networks-are-becoming-essential-components-it-risk-management-governance
Recent global events have convinced us that digital transformation is here to stay and, in fact, accelerating. Companies that had already begun to embrace digital transformation were able to adapt more quickly to disruption and demonstrate greater resiliency. Now that the initial rush to support a shift to a more distributed model is behind us, we have an opportunity to pause and consider what work still needs to be done to further resiliency. For the 45% of Fortune 2000 companies in industries that depend on operational technology (OT) networks to run their business, it’s likely time to revisit IT risk management and governance and determine how to include OT networks.
Looking at governance and processes holistically can be a challenge for various reasons. To begin with, IT and OT teams prioritize the three principles of confidentiality, integrity, and availability (CIA) differently. The teams that manage information security typically prioritize confidentiality of data over integrity and availability, whereas the teams that run OT networks prioritize availability (or uptime) over integrity and confidentiality. This difference tends to overshadow the fact that both teams share the same desired outcome – risk reduction. We can respect those priorities by employing different approaches and different tools as we work toward a common goal.
Another area that presents a challenge is the different way in which organizations, versus adversaries, view IT and OT networks. Organizations tend to think of these as separate networks, whereas adversaries don’t see things this way. To them, a network is a network, so attacks are intertwined. NotPetya is a prime example of an attack devised to spread quickly and indiscriminately across an organization. While OT networks were not the primary target, the accidental spill-over of NotPetya from IT to OT networks was a wake-up call that we must think of these networks as one and strive for a consolidated picture of our technology infrastructure.
Without being attuned to these first two points, many organizations go down the path of creating an OT governance process and Security Operations Center (SOC) separate from IT, which introduces risk to digital transformation initiatives. Recreating processes and doubling coordination wastes time and effort and isn’t effective. Instead, what’s needed is a way to extend existing IT risk management and governance processes to include OT networks.
A more secure digital transformation journey begins by embracing the differences between IT and OT networks. It’s very challenging for OT professionals to play catch up and close the 25+ year IT-OT security gap. The combination of legacy devices, many more attack vectors, and opportunistic adversaries creates a perfect storm situation. But we can’t let this deter us. In fact, because OT networks have no modern security controls, we have an opportunity to start with a clean slate and build an OT security program from scratch. There is no need to recreate the complexity of the IT security stack with 15+ security tools and embark on lengthy projects, like physical segmentation, which take too long and often aren’t effective or necessary.
OT networks are designed to communicate and share much more information than is typically available from IT components – the software version they are running, firmware, serial numbers, and more. OT network traffic provides all the security information needed to monitor for threats and can fuel playbooks that will fulfill multiple security controls. With a single, agentless solution for asset visibility and continuous threat monitoring that can be implemented quickly and integrated into IT systems and workflows, we can start to close the IT-OT security gap without risk to productivity or downtime.
Tomi Engdahl says:
Alarming results: your home router can be a dangerous device
https://www.is.fi/digitoday/tietoturva/art-2000006564407.html?ref=rss
https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/HomeRouter/HomeRouterSecurity_2020_Bericht.pdf
Tomi Engdahl says:
KeePassXC 2.6.0 released
https://keepassxc.org/blog/2020-07-07-2.6.0-released/
We now have comprehensive password reports, including Have I Been Pwned password checks to find breached passwords. In addition, the YubiKey and OnlyKey integration is vastly improved with support for up to four keys plugged in simultaneously. Pictures are worth a thousand words, so here are some screenshots!
https://keepassxc.org/screenshots/
Tomi Engdahl says:
Vulnerability Management Maturity Model
https://www.sans.org/blog/vulnerability-management-maturity-model/
Getting into the meat of the model, it is broken down into five focus
areas. They are PREPARE, IDENTIFY, ANALYZE, COMMUNICATE, and TREAT.
These are the five areas of the PIACT process from the course. Tasks
and activities that are part of a vulnerability management program fit
across these five sections.