Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I will be making educated guesses based on what has happened during the last 12 months and the several years before that.
The past year has seen a rapid increase in the adoption of up-and-coming technologies. Everyday items are getting smarter and more connected. Companies are saving millions with new technologies and cities are racing to implement smart solutions. 5G promises to bring wireless high-speed broadband everywhere. On the other hand, those solutions add new kinds of vulnerabilities. 2020 is when cybersecurity gets even weirder, so get ready.
Here are some trends and predictions for cyber security in 2020:
Cyber Attacks: Cyberattacks grow in volume and complexity, and more countries are going to emerge as major threat actors in the 2020s. Nation-state backed cyber groups have been responsible for major incidents over the last decade, and now more countries want the same power. Cyberattacks range from targeting your database to steal information that can be sold on the dark web, to hijacking unused CPU cycles on your devices to mine cryptocurrencies, to infecting vulnerable systems so they can be used later as part of a botnet.
IoT security: IoT security keeps getting worse until it starts to get better. IoT security is an extremely hot topic right now and will stay hot for many years to come. Industrial IoT risk has been discussed a lot. Physics dictates local application deployment, because the control loop rate of most industrial systems is 10 milliseconds or below, which rules out a round trip to a remote cloud. Smart building security awareness is growing. The risks of the IoT in financial services are great. An explosion in IoT devices significantly raises the threat level. Gartner predicted that the world will see nearly 21 billion IoT devices by next year; it would be nice if all of them were secure, but many of them unfortunately are not. Hackers are continually looking for ways to exploit device vulnerabilities. From smart TVs, IP cameras and smart elevators to hospital infusion pumps and industrial PLC controllers, IoT and OT (Operational Technology) devices are inherently vulnerable and easy to hack. Why? Because IoT security is complicated, and security has to be considered and integrated with IoT deployments from the start rather than bolted on afterwards. Gartner says worldwide IoT security spending will reach $1.9 billion in 2019 and rise to $3.1 billion in 2021, making it one of the fastest growing segments of the cybersecurity industry. The IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT: device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more. You might have to do a little work with your Internet of Things devices to stay secure. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of devices vulnerable to attack: one in every 172 active RSA certificates shares a prime factor with another certificate, typically because the device generated its key from too little entropy, and any such key can be factored instantly with a GCD computation, no brute force required. It is a good idea to build separate network segments for IoT devices so that they are isolated from the normal office network; the FBI recommends keeping IoT devices on a separate network.
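The shared-factor weakness behind that one-in-172 figure is worth seeing end to end. The following is an added example written for this post, not code from the original article or from the research it refers to: it builds a constructed "fleet" of five toy-sized RSA moduli, two of which reuse a prime (the signature of a low-entropy key generator), finds the reuse with a batch GCD (product tree plus remainder tree, the same technique used to scan the real certificate population), and then recovers the private exponent and decrypts a message with it. The primes are only ~20 bits so it runs instantly; the weakness is identical at 2048 bits. `pow(e, -1, phi)` needs Python 3.8 or newer.

```python
from math import gcd

# --- toy key material ---------------------------------------------------------
# Trial-division primality is fine here because the primes are ~20 bits;
# real keys use 1024-bit primes, but the shared-factor weakness is the same.
def is_prime(n):
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

# --- batch GCD ----------------------------------------------------------------
def batch_gcd(moduli):
    """For every N_i return gcd(N_i, product of all the other N_j).

    Any result other than 1 means N_i shares a prime with another modulus and
    is therefore factored. The product tree / remainder tree makes this
    quasi-linear instead of the obvious O(n^2) pairwise gcd.
    """
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    rems = levels.pop()                      # [product of all moduli]
    while levels:
        cur = levels.pop()
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(cur)]
    # rems[i] == P mod N_i^2 == N_i * ((P / N_i) mod N_i), so divide N_i out first.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

# --- from shared factor to private key ----------------------------------------
def private_exponent(n, p, e=65537):
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def find_broken_keys(moduli):
    """Map index -> recovered prime for every modulus that shares a factor.
    (g == N_i would mean an identical key elsewhere, a different failure.)"""
    return {i: g for i, g in enumerate(batch_gcd(moduli)) if 1 < g < moduli[i]}

def demo():
    # Constructed fleet of five device certificates. Devices 0 and 2 came off
    # the line with the same low-entropy state and therefore reuse prime p[0].
    p = [next_prime(1_000_000 + 200 * k) for k in range(9)]
    moduli = [p[0] * p[1], p[2] * p[3], p[0] * p[4], p[5] * p[6], p[7] * p[8]]
    broken = find_broken_keys(moduli)
    # Prove the break: decrypt something only device 0's private key should read.
    n, e, m = moduli[0], 65537, 0xC0FFEE
    d = private_exponent(n, broken[0], e)
    assert pow(pow(m, e, n), d, n) == m
    return moduli, broken

if __name__ == "__main__":
    moduli, broken = demo()
    for i, f in broken.items():
        print(f"device {i}: N={moduli[i]} = {f} * {moduli[i] // f}")
```

Against a real corpus you would feed `batch_gcd` the moduli pulled from the certificates themselves; a hit against your own fleet means revoking and re-keying those devices with a proper entropy source, not patching the certificate.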
IoT privacy: Silicon Valley Is Listening to Your Most Intimate Moments. The world's biggest companies got millions of people to let temporary contractors analyze some very sensitive recordings made by their "smart" speakers and smartphones. A quarter of Americans have bought "smart speaker" devices such as the Echo, Google Home and Apple HomePod. Consulting firm Juniper Research Ltd. estimates that by 2023 the global annual market for smart speakers will reach $11 billion, and there will be about 7.4 billion voice-controlled devices in the wild. That's about one for every person on Earth. The question is, then what? Having microphones that listen all the time is concerning. Some attackers have also hijacked connected home devices to terrify homeowners and make them feel violated in their own homes.
Medical systems security: Cyberattacks on medical devices are on the rise, and manufacturers must respond. Attacks on networked medical devices, and on the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction. It's shocking that a few years after WannaCry and NotPetya, the healthcare industry is still not prepared to deal with ransomware attacks: many hospitals and healthcare networks have been hit by ransomware over the past few months.
Surveillance cameras: Surveillance cameras are capturing what we do on the streets, at airports, in stores and in much of our public space. China's Orwellian video surveillance gets a bad rap, but the US isn't far behind: it has nearly the same ratio of security cameras to citizens as China. And the numbers are growing all over the world. One billion surveillance cameras will be deployed globally by 2021, according to data compiled by IHS Markit. Russia is building one of the world's largest facial recognition networks, and it may even be bigger than China's 200 million camera system. China's installed base is expected to rise to over 560 million cameras by 2021, the largest share of surveillance devices installed globally, with the US rising to around 85 million cameras. The US, like China, now has about one surveillance camera for every four people (in 2018 China had 350 million cameras and the USA 70 million). Surveillance cameras are getting better, smaller and cheaper and can be installed almost anywhere. It would be very easy to sneak one more camera onto a hotel's Wi-Fi network and stream its video over the internet to a computer anywhere.
Facial recognition: Private companies and governments worldwide are already experimenting with facial recognition technology. Facial recognition software is touted as making us safer, but mass surveillance has downsides of major proportions. Massive errors have been found in facial recognition tech: the systems can produce wildly inaccurate results, especially for non-whites. Individuals, lawmakers, developers and everyone in between should be aware of the rise of facial recognition and the risks it poses to the rights to privacy, freedom, democracy and non-discrimination.
Shut off Internet: A worrying worldwide trend employed by various governments is preventing people from communicating on the web and accessing information. Amid widespread demonstrations over different issues, many countries have started cutting people's Internet connections. Some countries, namely China, architected their internet infrastructure from the start with government control in mind; Russia is aiming in the same direction, and Iran and India have both shut down connectivity during unrest. For better or worse, an internet blackout also limits the government's ability to conduct digital surveillance on citizens.
Security First: Implementing Cyber Best Practices Requires a Security-First Approach. Competing in today’s digital marketplace requires that organizations be cyber-savvy. The best defense is to start with a security-driven development and networking strategy that builds a hardened digital presence from the ground up. This not only ensures that your online services and web applications are protected from compromise, but also enables security to automatically evolve and adapt right alongside the development of your digital presence, rather than it having to be constantly rigged and retrofitted to adapt to digital innovation.
Zero Trust Network Access: Many of the most damaging breaches have been the result of users gaining access to unauthorized levels of network resources and devices. Zero Trust is an enforceable, identity-driven access policy that includes seamless and secure two-factor/OTP authentication across the organization. Zero Trust Network Access ensures that all users and devices are identified, profiled, and provided appropriate network access. It also ensures that new devices are automatically assigned to appropriate network segments based on things like device profiles and owners. When combined with Network Access Control (NAC), organizations can also discover, identify, grant appropriate access, and monitor devices, thereby enhancing your access and segmentation strategy.
Anti-virus software: Only half of malware is caught by signature AV. The percentage of malware that successfully bypasses signature-based antivirus scanners at companies' network gateways has increased significantly, either through "packing" (scrambling the code with basic encryption so the signature no longer matches) or through the automatic creation of code variants. New approaches like machine learning and behavioral detection seem necessary to catch such threats. Meanwhile, network attacks have risen, especially against older vulnerabilities.
Ransomware attacks: Ransomware will remain a major threat in the coming year, as the criminal business model continues to flourish. Some victims choose to pay, a move that security professionals have long condemned, warning that paying the ransom could end up causing more turmoil for victims as well as inspiring other cybercriminals to launch ransomware attacks. Microsoft never encourages a ransomware victim to pay. The question is what to do instead. How much does a large-scale ransomware attack cost, as opposed to hiring an adequate number of skilled IT personnel and having disaster recovery plans in place? There is no complete security solution that could stop all attacks, but you should have decent protection. It would seem prudent to have adequate staff and offline BACKUPS to deal with this kind of situation, so that decent recovery is possible; a backup the malware can reach over the network is a backup that gets encrypted along with everything else. Having no backup system is the gamble many companies and public entities seem to be playing. Good backups help you recover from ransom attacks. There are new tactics coming into use in ransomware. A new Snatch ransomware strain reboots the computers it infects into Safe Mode, where resident security solutions are not running, before encrypting. Another new tactic by ransomware developers is to steal a victim's data before encrypting it and threaten to publish it, or hand it to a competitor, if the ransom is not paid.
Public sector: Public sector security is lagging. The state of cybersecurity and resilience in the public sector needs an urgent boost in many countries. U.S. citizens rely on state governments and local municipalities to provide a host of services, everything from access to public records, law enforcement protection, education and welfare to voting and election services. Cybercriminals have been targeting state and local governments with ransomware, which infects an organization's computer networks and locks up critical files.
Consumer confidence: Winning consumer confidence is crucial to the development of new digital services. According to a PwC study, consumers are prepared to share personal information if it is of sufficient value to them. On the other hand, consumer confidence also has to be earned by keeping that information safe.
API security: APIs now account for 40% of the attack surface of all web-enabled apps. It's a good time to pay attention to API security, since some recent high-profile breaches have involved API vulnerabilities. OWASP, the Open Web Application Security Project known for its top 10 list of web application vulnerabilities, published the release candidate of its API Security Top 10 list at the end of September 2019. Also, it's almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet, which gives anyone who finds an unauthenticated Docker API the equivalent of root on the host.
Skills gap: Security teams, already grappling with serious challenges due to the growing cybersecurity skills gap, are being tasked with securing an ever-expanding network footprint. They are often left to secure virtual and cloud environments, SaaS services, DevOps projects, the growing adoption of IoT, mobile workers and an expanding array of personal connected devices after these have already been implemented. They often do not have enough people or enough knowledge of those new technologies to do their work well. The cybersecurity unemployment rate is zero, with over 1 million jobs currently unfilled, a number that is expected to climb to 3.5 million by 2021. 145% growth in the workforce is needed to meet global demand.
Think Like Your Adversary: Cybersecurity leaders need to assess potential vulnerabilities from the mindset of the adversary and devise effective defensive countermeasures unique to their company's needs. Programmers should think like hackers, and security must be taken into account at every step of programming.
Third party security: Most Companies Don’t Properly Manage Third-Party Cyber Risk. It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s modern, interconnected world. Developing a Third-Party Cyber Risk Management (TPCRM) strategy is becoming more common with every news headline regarding a major breach that stemmed from a company’s relationship with a third-party.
Privacy and surveillance: Fears Grow on Digital Surveillance. Americans are increasingly fearful of monitoring of their online and offline activities, both by governments and private companies. More than 60 percent of US adults believe it is impossible to go about daily life without having personal information collected by companies or the government. Google and Facebook help connect the world and provide crucial services to billions. But their systems can also be used for surveillance. Amnesty International says Facebook and Google's omnipresent surveillance is inherently incompatible with the right to privacy and is a danger to human rights. The claim is that the companies' surveillance-based business model is inherently incompatible with the right to privacy and poses a threat to a range of other rights including freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination. Amnesty International has called for a radical transformation of the tech giants' core business model and said that Google and Facebook should be forced to abandon what it calls their surveillance-based business model because it is "predicated on human rights abuse."
5G: Forecasting that 2020 will be "the year of 5G" no longer qualifies as a bold prediction. Billions of dollars' worth of 5G rollouts are scheduled for the coming year, which will bring the emergent technology to countries around the world. The arrival of 5G will fuel an explosion of never-before-seen IoT machines, introducing uncharted vulnerabilities and opening the door for cyber-criminals to compromise our increasingly intertwined cities.
5G security: The new 5G mobile networks will be the backbone of future digitalized operations, so it is important to ensure the security and resilience of 5G networks. The Council of the European Union has warned member states that the introduction of 5G networks poses increased security risks while also bringing economic and infrastructure benefits. ENISA, the European Union Agency for Cybersecurity, has published a Threat Landscape for 5G Networks, assessing the threats related to the fifth generation of mobile telecommunications networks. Organised cybercrime, rogue insiders and nation-state-backed hackers are among the groups that could soon be targeting 5G networks. Claims that 5G offers "better security" for IoT may not ring true, with the technology remaining vulnerable to SIM-jacking attacks within private Industry 4.0-style deployments. 5G SIM-swap attacks could be even worse for industrial IoT than SIM swapping is for consumers today: criminals convince telcos to port a victim's number to a new SIM card controlled by the criminal. Trust your hardware or operator? Pah, you oughta trust nobody. Do not hang all of your security and identification on the SIM card alone.
DNS Over HTTPS (DoH): DoH encrypted DNS queries are already set to arrive in Chrome and Firefox web browsers. Microsoft Will Bring DNS Over HTTPS (DoH) to Windows 10 in an attempt to keep user traffic as private as possible. DoH support in Windows means encrypted DNS queries. Microsoft says that DoH doesn’t require DNS centralization if adoption is broad among operating systems and Internet service providers alike.
Firewall configuration: Now, more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.”. This is a human problem, not a firewall problem.
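Both the exposed Docker ports mentioned under API security and the accidental-exposure figure above come down to one rule shape: an inbound allow from any source to a port that should never face the internet. The following is an added example for this post, not a tool from Gartner or any cloud vendor: a small audit function over inbound rules in a constructed, cloud-agnostic shape (`group`, `direction`, `proto`, `from_port`, `to_port`, `cidr`; map your provider's security-group or firewall export onto it). The sample rules are constructed and include the weak Docker rule next to its corrected form.

```python
import ipaddress

# Ports whose exposure to the whole internet is almost never intended.
# 2375 is the Docker daemon API without TLS, 2376 with TLS; both are admin
# access to the host and neither belongs on a public interface.
HIGH_RISK_PORTS = {
    22: "ssh", 2375: "docker-api-plain", 2376: "docker-api-tls", 3389: "rdp",
    5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}

def _covers_port(rule, port):
    return rule["from_port"] <= port <= rule["to_port"]

def public_exposures(rules):
    """Findings for inbound rules that let any internet source (0.0.0.0/0 or
    ::/0) reach a high-risk port. One finding per rule, listing the services."""
    findings = []
    for r in rules:
        if r["direction"] != "in" or r["proto"] not in ("tcp", "all"):
            continue
        net = ipaddress.ip_network(r["cidr"], strict=False)
        if net.prefixlen != 0:                  # not the any-source case
            continue
        hit = sorted(name for port, name in HIGH_RISK_PORTS.items()
                     if _covers_port(r, port))
        if hit:
            findings.append({"group": r["group"], "cidr": r["cidr"], "exposed": hit})
    return findings

# Constructed sample: a web tier that is meant to be public, a CI group that
# leaked the Docker API to the world (weak), the corrected CI rule (TLS port,
# internal range only), a bastion with an any/any rule, and a private DB.
SAMPLE_RULES = [
    {"group": "web", "direction": "in", "proto": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "ci-runners", "direction": "in", "proto": "tcp",
     "from_port": 2375, "to_port": 2375, "cidr": "0.0.0.0/0"},            # weak
    {"group": "ci-runners-fixed", "direction": "in", "proto": "tcp",
     "from_port": 2376, "to_port": 2376, "cidr": "10.20.0.0/16"},         # corrected
    {"group": "bastion", "direction": "in", "proto": "all",
     "from_port": 0, "to_port": 65535, "cidr": "::/0"},
    {"group": "db", "direction": "in", "proto": "tcp",
     "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
]

if __name__ == "__main__":
    for f in public_exposures(SAMPLE_RULES):
        print(f"{f['group']}: {', '.join(f['exposed'])} open to {f['cidr']}")
```

Run it from CI against every rule export and fail the pipeline on any finding; that turns the "human problem" into a check that does not depend on someone remembering to look.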
Bot attacks: Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more. Organizations are Failing to Deal With Rising Bot Attacks.
Network security: Networks are continually growing in complexity and the cyberattack surface is constantly expanding. The network perimeter of today is elastic, expanding and contracting with the demands of both users and the business. In a rush to adopt digital business practices, many new network expansion projects are being implemented ad hoc by individual lines of business. Routers sit at the edge of the network and see everything, so they can be used to make the network the first line of defense. A critical step in building a stronger security posture and a more robust data protection strategy is a 24x7 facility whose mission is to monitor, detect, investigate and resolve active threats. Cybercriminals only need to be successful once in finding a way into the network, but the security team needs to monitor everything on the network and be right all the time. Today's core network is continually adapting to the introduction of new devices, applications and workflows, along with shifting network configurations to support business requirements, which requires advanced, intent-based segmentation.
Security-Driven Networking: Security-Driven Networking is a new, strategic approach to security that enables the seamless expansion of network environments and services without ever compromising on security. Essentially, it begins by crafting a comprehensive security policy that covers the entire organization. It outlines the protocols, enforcement and inspection technologies, policies, and protections required to be in place before any new network environment or solution is even placed on the drawing board. It requires the selection and full integration of security tools that not only work together to share and correlate intelligence and coordinate a unified response to threats, but that also work seamlessly across the widest variety of environments possible.
Critical infrastructure: Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems. In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. Expect targeted attacks on critical infrastructure facilities to increase. APT33 has shifted targeting to industrial control systems software. We need to be worried about Cyber-Physical Security of the Power Grid. To protect this infrastructure you need to prioritize strategic risks that affect critical infrastructure: Concern yourself with the most important hacks, Understand the critical pieces of your infrastructure and Know your inter-dependencies.
Payment security: Payment security backslid for the second straight year in 2019. Verizon's 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. At the same time the EU's PSD2 (Payment Services Directive 2) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online payments, including mobile payments, is a key aspect of the legislation. Nevertheless, banks will be required to open their infrastructure and data to third parties, which brings risks of its own. Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use.
Election security: Nowadays no election can be held without debate on influencing voters through online services. There are ongoing accusations of Russian interference in US elections and fears of a repeat in the run-up to the 2020 elections. U.S. military cyber experts are plotting strategy against potential Russian and other cyberattacks ahead of the 2020 American and Montenegrin elections. As the 2020 presidential election looms closer in the United States, a key focus will be on securing election infrastructure to prevent tampering. Most of the largest US voting districts are still vulnerable to email spoofing. Disinformation campaigns for political purposes are also deeply rooted in cybercriminal endeavors. It's quite possible that we will see changes to legislation and policy as governments look to define more clearly what is and what isn't allowed. Hacking is considered the biggest tech threat to the 2020 elections in the USA. Legislators are working on new laws, but that is not going to be enough in an era when technology is turning out entirely new attack surfaces.
False Flags: The use of false flags has become an important element in the playbook of several APT groups. This can be used to try to deflect attention away from those responsible for the attack or what is really happening.
Common attack tools: Cyber actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult.
Vulnerability disclosure: Most “white hat” cyber engineers seem to be driven by a sense of social responsibility best expressed as, “If you find something, say something.” Across the industry, the ethos is to share information quickly, whether the problem is a newly discovered exploit or an evolving cyber threat. The goal is to impel the affected vendor—hardware or software—to take quick action and produce a fix. There are good and bad ways to make vulnerabilities known. A premature “full disclosure” of a previously unknown issue can unleash the forces of evil, and the “black hats” often move faster than vendors or enterprise IT teams. The preferred path is a “responsible” or “coordinated” disclosure that happens behind the scenes. Public announcements occur after a specified period of time—typically 90 or 120 days. But things don’t work this way always.
Ransomware: Cybercriminals have become more targeted in their use of ransomware. It is inevitable that the cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. There is a Ransomware ‘Crisis’ in US Schools and in many cities in USA.
Supply chain: Supply chains will continue to be one of the most difficult attack delivery methods to address. It is likely that attackers will continue to expand this method, for example through manipulated software containers and abuse of packages and libraries. Medium-sized companies are being targeted even more heavily by cyber criminals; they are often the weakest link in supply chains that include large corporations. Counterfeit electronics are also on the rise.
Mobile: The main storage for our digital lives has moved from the PC to mobile devices over the last 10 years. Several countries have started demanding that their own software (in some cases possibly malware) be installed on all smartphones; Putin has signed a law making Russian apps mandatory on smartphones and computers.
Android: Today 80% of Android apps encrypt their traffic by default. To keep apps safe, apps targeting Android 9 (API level 28) or higher automatically get a network security policy that blocks cleartext (unencrypted HTTP) traffic for every domain unless the app explicitly opts out. The heterogeneity of Android versions in the field will continue to be a problem in the coming year.
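That default is controlled by the app's Network Security Configuration, which is also where developers undo it, often for a single legacy host and then for everything. The following is an added example written for this post, not a file from Google's documentation or from any real app: it keeps the API 28+ default explicit (so it also applies when an app still targets an older API level), shows the blanket opt-out that should never ship in a comment, scopes the one exception to a hypothetical internal host, and limits user-installed CAs (intercepting proxies) to debug builds. The domain names are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest as
     <application android:networkSecurityConfig="@xml/network_security_config">.
     Weak form, do not ship: <base-config cleartextTrafficPermitted="true" />
     That single line re-enables plaintext HTTP for every domain the app talks to. -->
<network-security-config>
    <!-- Same policy Android applies by default from API 28; stating it keeps
         the protection when the app still targets API 27 or lower. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow exception: only this one hypothetical legacy host, no subdomains.
         Remove once that host gets TLS. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy-printer.corp.example</domain>
    </domain-config>

    <!-- User-added CAs (proxy certificates) are honoured in debuggable builds
         only, so release builds cannot be intercepted with an installed CA. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

When reviewing an app, grep its config for `cleartextTrafficPermitted="true"` outside a `<domain-config>` and for `<certificates src="user" />` outside `<debug-overrides>`; either one means the platform default has been switched off for everything.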
DDoS attacks: DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of attack traffic. The number of DDoS attacks rose 86% in the third quarter compared to a year ago. DNS amplification attacks accounted for 45% of attacks, while HTTP floods and TCP SYN attacks accounted for 14%. Mobile devices account for 41% of DDoS attack traffic.
Business security: Small and medium-sized businesses (SMBs) increasingly recognize that a reactive security posture is no longer sufficient for protecting their networks. Breaches will happen; companies should treat cyberattacks as a matter of "when", not "whether". Insider threats are still a big issue: employees are one of your biggest assets, but human beings are the weakest link in the security chain. Data leaks help attackers craft more convincing social engineering attacks. Plan proper incident management, because quick, reliable, multichannel communication is a vital part of any incident management solution. Cybercriminals often choose very small companies as their targets because small businesses rarely spend significant money on security systems, and medium-sized companies are being targeted even more heavily as the weakest link in supply chains that include large corporations.
Cyber insurance: Cyber Has Emerged as a Risk That is Not Specifically Covered by Other Insurance Policies. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow.
New encryption: The problem with encrypted data is that you normally must decrypt it in order to work with it. There is a powerful solution to this scenario: homomorphic encryption, which makes it possible to analyze or manipulate encrypted data without revealing the data to anyone. Just like many other popular forms of encryption, homomorphic encryption uses a public key to encrypt the data. There are three main types of homomorphic encryption: partially homomorphic encryption (keeps sensitive data secure by allowing only select mathematical operations, such as addition or multiplication but not both, to be performed on encrypted data); somewhat homomorphic encryption (supports a limited set of operations that can be performed only a set number of times); and fully homomorphic encryption (the gold standard, supporting arbitrary computation on encrypted data). Cryptographers have known of the concept of homomorphic encryption since 1978, but Gentry established the first fully homomorphic encryption scheme in 2009. The biggest barrier to wide-scale adoption of homomorphic encryption is that it is still very slow. Duality, a security startup co-founded by pioneers of homomorphic encryption, has raised $16M.
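The partially homomorphic case is small enough to show in full. The following is an added example for this post, not code from Duality or any library: a textbook Paillier cryptosystem (additively homomorphic, public-key, randomized) in pure Python, with a constructed scenario in which three branch offices submit encrypted payroll figures and an aggregator totals them, and scales the total, without ever being able to read a single figure. The primes are toy-sized (999983 and 1000003, both known primes) so it runs instantly; a deployment would use primes of 1024 bits or more. `pow(x, -1, n)` needs Python 3.8 or newer.

```python
import secrets
from math import gcd

# Toy key: 999983 is the largest prime below 10^6, 1000003 the first above it.
P, Q = 999983, 1000003

def keygen(p=P, q=Q):
    """Paillier key pair with the common simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                            # valid because g = n + 1
    return (n, n + 1), (lam, mu)

def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts
    produce different ciphertexts and the aggregator cannot compare them."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r and gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n) * mu % n                # L(x) = (x - 1) / n, times mu

def add(pub, c1, c2):
    """Enc(a) * Enc(b) mod n^2 = Enc(a + b): the additive homomorphism."""
    n, _ = pub
    return c1 * c2 % (n * n)

def mul_const(pub, c, k):
    """Enc(a)^k mod n^2 = Enc(k * a): scaling by a known constant."""
    n, _ = pub
    return pow(c, k, n * n)

def encrypted_total(pub, ciphertexts):
    total = encrypt(pub, 0)                       # fresh randomness for the sum too
    for c in ciphertexts:
        total = add(pub, total, c)
    return total

def demo():
    # Constructed scenario: three branches each send their encrypted monthly
    # payroll; the aggregator holds only the public key.
    pub, priv = keygen()
    branches = [52_000, 61_000, 73_500]
    cts = [encrypt(pub, m) for m in branches]
    total_ct = encrypted_total(pub, cts)          # aggregator's work, blind
    annual_ct = mul_const(pub, total_ct, 12)      # still blind
    return decrypt(pub, priv, total_ct), decrypt(pub, priv, annual_ct)

if __name__ == "__main__":
    print(demo())   # (186500, 2238000)
```

Only addition and multiplication by a known constant are available, which is exactly the "partially" in partially homomorphic; multiplying two ciphertexts' plaintexts together is what the somewhat and fully homomorphic schemes add, at the cost of the performance problem the paragraph mentions.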
Artificial Intelligence (AI): The buzzword for 2019 that we have all heard a thousand times was Artificial Intelligence, AI. The term AI is often used interchangeably with machine learning. There is a lot of research examining AI applications in cyber security. As cyberattacks grow in volume and complexity, the hope is that AI helps under-resourced security operations analysts stay ahead of threats. Cybersecurity tools currently use data aggregation and pattern analysis for heuristic modeling: the true function of AI will be to determine, over a long arc of time and data, what "normal" looks like for a user, so that deviations from it can be flagged. AI can act as an advisor to analysts, helping them quickly identify and connect the dots between threats. Finnish cyber security company F-Secure is doing research on AI agents; Mikko Hyppönen says that AI should not be used to try to imitate humans, and that artificial-intelligence-based attacks are expected in the near future. Another Finnish cyber security company, Nixu, says that artificial intelligence is going to revolutionize cyber security. According to Orlando Scott-Cowley from Amazon Web Services, machine learning is the new normal in cyber security. Advanced machine learning layers are being integrated into the latest Windows cybersecurity products. At the same time, leaders in artificial intelligence warn that progress is slowing, big challenges remain, and simply throwing more computers at a problem isn't sustainable.
2020 problems: Has your business prepared for the "2020 problem"? Software updates for Windows 7 end on January 14, 2020: as of that date, Windows 7 and Server 2008 technical support and security updates will no longer be available from Windows Update (business customers can buy Extended Security Updates for up to three more years at extra cost), and Office 2010 follows later in the year. Python 2 stops being supported on January 1, 2020. Beginning on January 1, 2020, unpatched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. December 2019 Patch Tuesday was the last time Microsoft ever offered security updates for devices running Windows 10 Mobile.
Crypto wars continue: A decades-old debate: government officials have long argued that encryption makes criminal investigations too hard. Governments all over the world say that encrypted communication is a huge issue for law enforcement, and the balance between the privacy of citizens and effective policing of criminal activity is top of mind for governments, technology companies, citizens and privacy organisations everywhere. The international police organization Interpol plans to condemn the spread of strong encryption; like top law enforcement officials in the United States, United Kingdom and Australia, the larger group will cite difficulties in catching child sexual predators as grounds for companies opening up user communications to authorities wielding court warrants. Congress warns tech companies: take action on encryption, or we will. US lawmakers are poised to "impose our will" if tech companies don't weaken encryption so police can access data.
Do not weaken encryption: Companies, officials say, should build in special access that law enforcement could use with a court's permission. Technologists say creating these back doors would weaken digital security for everyone. Unfortunately, every privacy protection mechanism is subject to abuse by the morally challenged; that is a truth that must be accepted and overcome, but invading the privacy of the masses in order to catch criminals is unacceptable. Remember three things: one, that strong encryption is necessary for personal and national security; two, that weakening encryption does more harm than good; and three, that law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. If back doors are added to encryption, they will be abused. If You Think Encryption Back Doors Won't Be Abused, You May Be a Member of Congress. Bad encryption can also have business consequences: Apple and Facebook told the committee that back doors would introduce massive privacy and security threats and would drive users to devices from overseas, and in Australia 40% of firms say they have lost sales or other commercial opportunities as a result of the encryption law being in place.
2FA: The second authentication factor might be a minor inconvenience, but it provides a major security boost. With past years riddled with security breaches, it is high time we evaluated the way we secure our online presence. Two factors are much better than one, but can still be hacked. Attacks that phish 2FA codes to access email accounts cost $100-$400; such attacks can be prevented with physical security keys. Some physical security keys can also be hacked, as they have turned out to be less secure than their advertisements claimed.
Myth of sophisticated hacker in news: It’s the latest lexical stretch for an adjective that’s widely used in reports of cybersecurity incidents — and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.
New security models: Google moved from perimeter-based to cloud-native security. Google’s architecture is the inspiration and template for what’s widely known as “cloud-native” today—using microservices and containers to enable workloads to be split into smaller, more manageable units for maintenance and discovery. Google’s cloud-native architecture was developed prioritizing security as part of every evolution.
Hacktivists: Hacktivists seek to obtain private information about large companies in order to embarrass or expose the company’s controversial business practices. Many companies are a treasure trove for personal information, whether they realize it or not. Experian is predicting that the emerging cannabis industry will experience an increase in data breaches and cybersecurity threats in 2020.
RCS messaging: RCS (Rich Communications Services) is a protocol that aims to replace SMS. RCS messaging has rolled out to Android users in the US. The update brings a lot of new features, such as chat, sending hi-res videos and photos, and creating group chats. One criticism of RCS is that it doesn’t provide end-to-end encryption. RCS could also be better in many other security aspects. Researchers have discovered that the RCS protocol exposes most users to several cyber attacks. These risks are said to be mitigated by implementing the protocol with security in mind: the standard itself allows for poor security implementations, but GSMA advises its members to deploy RCS with the most secure settings possible.
Data breaches: Billions of sensitive files are exposed online all the time. During the first six months of 2019, more than 4 billion records were exposed by data breaches. That is a shocking statistic, made even more so when you realize that passwords were included in droves. On December 4, a security researcher discovered a treasure trove of more than a billion plain-text passwords in an unsecured online database. Many businesses wrongly assume they are too small to be on the radar of threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores. All organizations are exposed to security breaches, from large multinationals to SMEs and public administrations. A common thread is unsecured cloud-based databases that leave sensitive information wide open for anyone to access online.
Phishing: Phishing remains one of the most pervasive online threats, and phishing emails are still managing to catch people out. Credential-stealing phishing e-mails usually depend on the user clicking a link that leads to a phishing website imitating the login page of some legitimate service. Google Chrome now offers better protection against it: Safe Browsing displays warning messages to users before they visit dangerous websites and before they download harmful applications. New, more advanced phishing techniques are also coming into use. With dynamite phishing, the cyber criminals read the email communication of a system already infected with an information stealer. The infected user’s correspondents then receive malicious emails that quote the last “real” email between the two parties and look like a legitimate response from the infected user. Attacks that phish 2FA codes to access email accounts cost $100-$400; such attacks can be prevented with physical security keys.
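The 2FA and phishing sections above both state that one-time codes can be phished while physical security keys stop the same attack. The following added example (my own illustration, not code from the original post or from any vendor) shows why, in plain Python with the standard library: a TOTP code depends only on the shared secret and the clock, so a code relayed from a look-alike page is accepted by the real site, whereas a security-key assertion covers the origin the browser actually connected to and fails verification when relayed. The HOTP/TOTP functions follow RFC 4226/6238; the "authenticator" uses HMAC as a stand-in for the key's asymmetric signature, and all secrets, origins and the challenge are constructed sample values.

```python
import hashlib
import hmac
import struct

# --- Shared-secret one-time codes (HOTP, RFC 4226 / TOTP, RFC 6238) -------------
# A TOTP code is derived only from the shared secret and the current time window.
# Nothing in it identifies the site the user believes they are logging into, so a
# code typed into a phishing page is just as valid on the genuine one.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, int(now // step))

def totp_login_accepts(secret: bytes, submitted_code: str, now: float) -> bool:
    """Server-side check. Real services usually tolerate one step of clock drift;
    kept strict here for clarity."""
    return hmac.compare_digest(totp(secret, now), submitted_code)

# --- Origin-bound authenticator (FIDO/WebAuthn-style model) ----------------------
# A security key signs the server's challenge together with the origin reported by
# the browser. Relaying through a look-alike domain changes that origin, so the
# signature no longer verifies at the legitimate site. The real protocol uses a
# per-site asymmetric key pair; HMAC stands in for the signature so this runs with
# the standard library only (simplification, not the real wire format).

def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    client_data = origin.encode() + b"|" + challenge
    return hmac.new(key, client_data, hashlib.sha256).digest()

def origin_bound_login_accepts(key: bytes, challenge: bytes,
                               expected_origin: str, assertion: bytes) -> bool:
    """The relying party recomputes over ITS OWN origin, never the attacker's."""
    expected = authenticator_sign(key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)

def simulate_relay_phish() -> dict:
    """Constructed scenario: the attacker proxies the victim's responses in real time."""
    secret = b"constructed-shared-secret"          # constructed sample value
    now = 1_600_000_000.0                           # fixed clock for reproducibility
    # The victim types the TOTP code into the phishing page; the attacker forwards it.
    code_from_victim = totp(secret, now)
    totp_relayed_ok = totp_login_accepts(secret, code_from_victim, now)

    key = b"constructed-authenticator-key"         # constructed sample value
    challenge = b"random-challenge-from-real-site"  # constructed sample value
    # The victim's browser is on the phishing origin, so the key signs that origin.
    relayed = authenticator_sign(key, challenge, "https://phishing.example")
    fido_relayed_ok = origin_bound_login_accepts(key, challenge, "https://login.example", relayed)
    # The same key and challenge used from the genuine origin verify normally.
    genuine = authenticator_sign(key, challenge, "https://login.example")
    fido_genuine_ok = origin_bound_login_accepts(key, challenge, "https://login.example", genuine)
    return {"totp_relayed": totp_relayed_ok,
            "fido_relayed": fido_relayed_ok,
            "fido_genuine": fido_genuine_ok}

if __name__ == "__main__":
    print(simulate_relay_phish())
```

The practical consequence for defenders is that a TOTP or SMS code protects against password reuse and credential dumps, but not against a real-time relay; origin binding is the property that closes that gap, which is why the post recommends physical security keys for accounts that matter.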
Windows: Microsoft doesn’t back up the Windows Registry anymore. It is still possible to perform Windows Registry backups, but the option is disabled by default. It is time to disconnect RDP from the internet, as brute-force attacks and BlueKeep exploits outweigh the convenience of a direct RDP connection. Microsoft is ready to push a full-screen warning to Windows 7 users who are still running the OS after January 14.
Linux: Support for the 32-bit i386 architecture will be dropped by many Linux distributions. It turns out that there are essentially no upstream development resources dedicated to x86_32 Linux. Perhaps unsurprisingly, the port was found to be badly broken.
Drones: Turkey is getting military drones armed with machine guns. Drone hacking happens: there is now Dronesploit, a Metasploit-style CLI framework tailored for tinkering with everybody’s favourite unmanned flying objects.
World market war: China tells government offices to remove all foreign computer equipment. China has ordered the replacement of all foreign PC hardware and operating systems in state offices over the next three years. This means China will ditch all Windows PCs by 2022. China already has some Linux distributions of its own, such as Kylin and Deepin. Many western countries are more or less banning Huawei telecom equipment.
Cloud security: Traditional security tools and methodologies are ill-suited to protecting cloud native’s developer-driven and infrastructure-agnostic multicloud patterns. The vision laid out by Gartner’s analysts is straightforward: the legacy “data center as the center of the universe” network and network security architecture is obsolete and has become an inhibitor to the needs of digital business. They describe the underpinning shift to cloud infrastructure, a digital transformation that has been underway for ten years. They also point out that the corporate network cannot protect end users who consume cloud applications from any location and any device without the contorting, expensive backhaul of traffic through the corporate data center. Gartner has coined a new term for the future of security and networks, SASE (pronounced “sassy”), Secure Access Service Edge, which is not really anything new. SASE promises to create a ubiquitous, resilient and agile secure network service, globally. Most stolen-data incidents in the cloud are related to simple human errors rather than concerted attacks. Expect that through 2020, 95% of cloud security failures will be the customer’s fault. A common thread is unsecured cloud-based databases that leave sensitive information wide open for anyone to access online. Also, it is almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
Autocracy as a service: Now Any Government Can Buy China’s Tools for Censoring the Internet. “Autocracy as a service” lets countries buy or rent the technology and expertise they need, as they need it. China offers a full-stack of options up and down the layers of the internet, including policies and laws, communications service providers with full internet.
Geopolitics: The US-China tech divide could cause havoc. It is possible that the world’s next major conflict could start in cyberspace. The USA has ordered a ban on certain hardware from China (Huawei and ZTE). China orders a ban on US computers and software; the Chinese government is to replace foreign hardware and software within three years. Who needs whom more?
International cyber politics: The lack of international standards for proper behavior in cyberspace prevents the United States and its allies from policing adversaries as they would wish to. The US can’t “enforce standards that don’t exist”. We have international norms in the maritime domain; we don’t have those in cyber. It makes it difficult to enforce standards that don’t exist, and therefore to hold nations accountable for nefarious behavior. NATO did confirm in 2017 that it could invoke Article 5 of its charter should one or more member nations find themselves under a serious cyberattack that threatens critical military and civilian infrastructure.
Sources:
https://pentestmag.com/iot-security-its-complicated/
https://isc.sans.edu/diary/rss/25580
https://www.securityweek.com/case-cyber-insurance
https://www.securityweek.com/tips-help-mssps-choose-threat-intelligence-partner
https://www.zdnet.com/article/microsoft-we-never-encourage-a-ransomware-victim-to-pay/
https://www.darkreading.com/iot/weak-crypto-practice-undermining-iot-device-security/d/d-id/1336636
https://pacit-tech.co.uk/blog/the-2020-problem/
https://www.theregister.co.uk/2019/12/09/dronesploit_framework/
https://www.securityweek.com/blunt-effect-two-edged-sword-vulnerability-disclosures
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020
https://threatpost.com/email-voted-a-weak-link-for-election-security-with-dmarc-lagging/150909/
https://www.theregister.co.uk/2019/12/04/council_of_eu_5g_risks/
https://techcrunch.com/2019/12/05/major-voting-districts-vulnerable-email-security/
https://cacm.acm.org/magazines/2019/12/241053-hack-for-hire/fulltext
http://read.uberflip.com/i/1180978-siliconexpert-growth-of-counterfeit-electronics-3/0?acctid=6759
https://www.zdnet.com/article/2020-is-when-cybersecurity-gets-even-weirder-so-get-ready/
https://www.theregister.co.uk/2019/12/09/china_orders_ban_on_us_computers_and_software/
https://www.eetimes.eu/ai-will-empower-industry-4-0-when-it-arrives/
https://www.pandasecurity.com/mediacenter/security/2019-the-ransomware-tsunami/
https://blog.paloaltonetworks.com/2019/12/cloud-native-security-platform-age/
https://github.com/dhondta/dronesploit/
https://www.zdnet.com/article/1-in-every-172-active-rsa-certificates-are-vulnerable-to-exploit/
https://nationalcybersecurity.com/hacking-the-biggest-tech-threats-to-2020-elections/
https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/
https://www.eff.org/wp/behind-the-one-way-mirror
https://www.gdatasoftware.com/blog/2019/12/35671-early-detection-and-repulsion-of-dangerous-attacks
https://www.is.fi/digitoday/tietoturva/art-2000006342803.html
https://techcrunch.com/2019/10/30/duality-cybersecurity-16-million/
https://www.wired.com/story/sobering-message-future-ai-party/
https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html?m=1
https://www.zdnet.com/article/google-all-android-users-in-the-us-just-got-rcs-next-gen-sms/
https://www.schneier.com/blog/archives/2019/12/scaring_people_.html
https://lists.ubuntu.com/archives/ubuntu-devel-announce/2019-June/001261.html
https://lwn.net/ml/oss-security/CALCETrW1z0gCLFJz-1Jwj_wcT3+axXkP_wOCxY8JkbSLzV80GA@mail.gmail.com/
https://www.bbc.com/news/amp/world-australia-46463029
https://cyware.com/news/rcs-technology-most-users-are-vulnerable-to-hacking-b53f9a6f
https://hub.packtpub.com/core-python-team-confirms-sunsetting-python-2-on-january-1-2020/
https://www.cnet.com/news/congress-warns-tech-companies-take-action-on-encryption-or-we-will/
https://edri.org/facial-recognition-and-fundamental-rights-101/
https://techcrunch.com/2019/12/10/insider-threats-startups-protect/
https://uk.pcmag.com/windows-10/121518/microsoft-doesnt-back-up-the-windows-registry-anymore
https://threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/
https://chiefexecutive.net/bridge-cybersecurity-skills-gap/
https://systemagic.co.uk/has-your-business-prepared-for-the-2020-problem/
https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html
https://www.securityweek.com/most-companies-dont-properly-manage-third-party-cyber-risk
https://www.uusiteknologia.fi/2019/11/21/hyoty-panee-jakamaan-tietonsa-luottamus-ratkaisee/
https://pentestmag.com/advice-for-a-cybersecurity-leader-think-like-your-adversary/
https://www.amnesty.org/en/latest/news/2019/11/google-facebook-surveillance-privacy/
https://www.amnesty.org/en/documents/pol30/1404/2019/en/
https://www.securityweek.com/compromised-connection-5g-will-unite-cities-and-also-put-them-risk
https://www.securityweek.com/amnesty-international-calls-facebook-google-rights-abusers
https://www.securityweek.com/microsoft-will-bring-dns-over-https-doh-windows
https://www.securityweek.com/cybersecurity-workforce-gap-145-growth-needed-meet-global-demand
https://www.helpnetsecurity.com/2019/11/19/successful-soc/
https://www.securityweek.com/making-network-first-line-defense
https://techbeacon.com/security/how-prioritize-strategic-risks-affect-critical-infrastructure
https://www.securityweek.com/transitioning-security-driven-networking-strategy
https://www.theregister.co.uk/2019/11/16/5g_iot_report/
https://www.securityweek.com/us-montenegro-plot-cyber-warfare-ahead-2020-elections
https://www.securityweek.com/fears-grow-digital-surveillance-us-survey
https://www.kaspersky.com/blog/attack-on-online-retail/31786/
https://www.securityweek.com/implementing-cyber-best-practices-requires-security-first-approach
https://securelist.com/advanced-threat-predictions-for-2020/95055/
https://www.darkreading.com/cloud/smart-building-security-awareness-grows/d/d-id/1336597
https://www.cisomag.com/the-future-of-ai-in-cybersecurity/
https://www.ibm.com/security/artificial-intelligence
https://www.welivesecurity.com/2019/12/13/2fa-double-down-your-security/
https://cannatechtoday.com/experian-predicts-an-increase-in-global-cannabis-industry-data-breaches/
https://www.uusiteknologia.fi/2019/11/21/f-secure-tutkimaan-tekoalyagentteja/
https://www.securityweek.com/ongoing-research-project-examines-application-ai-cybersecurity
http://www.etn.fi/index.php/13-news/10151-mikko-hypponen-tekoalyn-ei-pida-matkia-ihmista
http://www.etn.fi/index.php/13-news/10124-nixu-selvitti-tekoaly-mullistaa-kyberturvan
http://www.etn.fi/index.php/13-news/10120-kyberturvassa-koneoppiminen-on-uusi-normaali
https://www.is.fi/digitoday/tietoturva/art-2000006316233.html
https://www.cyberscoop.com/apt33-microsoft-iran-ics/
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/
https://www.enisa.europa.eu/news/enisa-news/enisa-draws-threat-landscape-of-5g-networks/
https://smartgrid.ieee.org/newsletters/november-2019/the-cyber-physical-security-of-the-power-grid
https://www.wired.com/story/un-secretary-general-antonio-guterres-internet-risks/
https://codastory.com/authoritarian-tech/russia-facial-recognition-networks/
https://www.theverge.com/2019/12/9/21002515/surveillance-cameras-globally-us-china-amount-citizens
https://www.wired.com/story/iran-internet-shutoff/
https://www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/
https://www.reuters.com/article/us-interpol-encryption-exclusive-idUSKBN1XR0S7
https://www.kcrw.com/news/shows/to-the-point/does-facial-recognition-software-threaten-our-freedom
1,468 Comments
Tomi Engdahl says:
OT Infrastructure Attacks The Risk is Real
https://www.fortinet.com/blog/industry-trends/ot-infrastructure-attacks-the-risk-is-real
Despite the added risk to OT networks, IT/OT convergence is happening because it makes financial and operational sense. Operations teams are implementing sophisticated control systems that use software and databases that run on IT systems. Things like WiFi-enabled thermostats and valves can be monitored and controlled remotely over the IT infrastructure. And CFOs don’t like the costs of separate networks or the separate teams needed to run them. Also
https://www.fortinet.com/blog/industry-trends/report-ot-security-remains-challenge-for-leaders-across-industries.
Report at
https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-state-of-operational-technology.pdf
Tomi Engdahl says:
Framing the Security Story: The Simplest Threats Are the Most Dangerous
https://www.darkreading.com/vulnerabilities—threats/framing-the-security-story-the-simplest-threats-are-the-most-dangerous/a/d-id/1338222
Often, it is the simplest vulnerabilities that are leveraged to breach a system. The reason for this: the easier a vulnerability is to exploit, the higher the number of threat actors that can, and actually will, exploit that vulnerability. It is a simple numbers game, yet the CISO and security team have a real problem framing this security story in a way that is both accurate and meaningful for executive leadership. What I’ve discovered in almost two decades of attack simulation (including penetration testing and red/blue/purple teaming) as well as developing and advising these programs globally is that breaking in is still relatively easy. This does not mean that all the security work organizations have done is wasted or poor.
Tomi Engdahl says:
Applying the 80-20 Rule to Cybersecurity
https://www.darkreading.com/operations/applying-the-80-20-rule-to-cybersecurity-/a/d-id/1338205
Can we identify a Cybersecurity Pareto Principle? We can if security teams concentrate on these six priorities: Principle 1: Develop and Govern a Healthy Security Culture. Principle 2: Manage Risk in the Language of Business. Principle 3: Establish a Control Baseline. Principle 4: Simplify and Rationalize IT and Security. Principle 5: Control Access with Minimal Drag on the Business. Principle 6: Institute Resilient Detection, Response and Recovery.
Business efficiency metrics are more important than detection metrics
https://www.helpnetsecurity.com/2020/07/07/business-efficiency-metrics-are-more-important-than-detection-metrics/
Businesses would benefit from taking a look at detection metrics in the context of how they may impact business efficiency metrics for better or worse. Today, robust security protocols require non-security employees to turn their attention from operational priorities, ultimately slowing productivity. These implications can even extend to organizations who invest significantly in advanced security technologies to improve detection, if they fail to apply them in a manner that takes both security and business efficiency into account. In a 2019 study from McKinsey, they suggest that spending resources on such solutions can do more harm than good when strategy is misguided, creating significant inefficiencies within the cybersecurity team, thereby compromising the cybersecurity program overall.
Tomi Engdahl says:
From Exposure To Takeover: Part 1. Beg, Borrow, And Steal Your Way In
https://www.digitalshadows.com/blog-and-research/from-exposure-to-takeover-part-1-beg-borrow-and-steal-your-way-in/
To date, we’ve discovered 15 billion-plus credentials, stemming from more than 100,000 discrete breaches. Of these credentials, more than 5 billion are unique. Also
https://resources.digitalshadows.com/whitepapers-and-reports/from-exposure-to-takeover
Tomi Engdahl says:
https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-the-state-of-cloud-security-2020-wp.pdf
Almost three-quarters of organizations hosting data or workloads in the public cloud experienced a security incident in the last year. Seventy percent of organizations reported they were hit by malware, ransomware, data theft, account compromise attempts, or cryptojacking in the last year. Multi-cloud organizations reported more security incidents in the last 12 months. Security gaps in misconfigurations were exploited in 66% of attacks [...], while 33% of attacks used stolen credentials to get into cloud provider accounts. Sophos state of cloud security report 2020
Tomi Engdahl says:
A Most Personal Threat: Implantable Devices in Secure Spaces
https://www.darkreading.com/iot/a-most-personal-threat-implantable-devices-in-secure-spaces/d/d-id/1338299
Do implantable medical devices pose a threat to secure communication facilities? A Virginia Tech researcher says they do, and the problem is growing. So far, Michaels says, there has been relatively little recognition of this as an issue in secure facilities, with existing rules driven by HR as much as cybersecurity. “We want to protect the information and support the individual. Yet there comes a point which you probably deny entry,” he adds, and that point may be coming sooner than many people think.
Tomi Engdahl says:
Google open-sources Tsunami vulnerability scanner
https://www.zdnet.com/article/google-open-sources-tsunami-vulnerability-scanner/
The search giant said that going forward Tsunami will focus on meeting the goals of high-end enterprise clients like itself, and the conditions found in these types of large and multi-device networks. Furthermore, Tsunami will also be extended with support only for high-severity vulnerabilities that are likely to be weaponized, rather than focus on scanning for everything under the sun, as most vulnerability scanners tend to do today. This will be done to reduce alert fatigue for security teams.
Tomi Engdahl says:
USB a prevalent industrial vector vulnerability for OT systems
https://www.scmagazine.com/home/security-news/vulnerabilities/usb-prevalent-industrial-vector-vulnerability-for-ot-systems/
The company first studied the market in 2018, and since then the number of threats capable of disrupting OT rose from 26 percent in the first report to now 59 percent, which Honeywell tagged as staggering, as targeted and more sophisticated malware and ransomware attacks have become prevalent in focusing on industrial control and process automation systems. Original at
https://www.honeywell.com/en-us/honeywell-forge/the-security-threat-in-disguise
Tomi Engdahl says:
Security Automation Challenges to Adoption: Overcoming Preliminary Obstacles
https://www.securityweek.com/security-automation-challenges-adoption-overcoming-preliminary-obstacles
For Most Organizations, the Full Capabilities of Security Automation Are Still Untapped
Modern security threats come in many different forms, which is part of the reason why addressing them is so challenging and there is a dire need for security automation. But despite recent advancements, the barriers to adoption for automation software remain high, particularly within the security industry.
Cyberattacks have long used automation. It makes things simple for the attacker to create, test, fire and forget. Code can be reused with little modification and enhancements added with minimal work. This is the way it has been since the very beginning of malware development. There are brute-force attacks that use a variety of credentials to gain access, port-scan attacks that prod network ports to find one unprotected and lateral propagation where software installed on a computer spreads automatically to vulnerable devices. Each of these uses packaged tools to automate one or more steps in the process.
A past and future threat
Automated attacks are evolving fast. For example, there is growth in malicious tweets and chatbots that harvest personal information to use in phishing campaigns. The information can also be utilized for pre-infection tactics where malware is sent onto a network in advance to ensure it is ‘clean’ before executing an attack.
Attackers already have a head start on us, which leaves one to wonder why there are still barriers for the adoption of automation in security? Why are organizations not making more use of this technology to help address the challenge in staying ahead of threats?
To be successful in preventing attacks, we need to reconsider how they take place
Automation Fact: The fastest spreading malware is called MyDoom. The code uses automation and is estimated to have caused $38 billion of damage – and is still spreading. The surprising part is MyDoom is not new. It was released in 2004 and could still be seen in one percent of emails, as of 2019.
With attackers developing automated attacks which are better at concealment, we must realize that some threats will get through and prevention is no longer enough. To minimize the effect of an attack, an automated response is vital, as this can reduce the amount of time between infection and resolution. It is not practical, however, to think that we can jump from mostly manual security to a fully automated infrastructure. It is important to consider what automation’s strengths are and where the human element is still a crucial component.
Robotic automation vs. cognitive automation
Security automation splits into two broad areas:
1. Robotic automation – where repetitive and routine tasks, such as alert monitoring, are offloaded from the security team, providing them more time to focus on threat response and security improvements.
2. Cognitive automation – where the security platform learns about the behavior of the network, hosts and applications to provide informed responses on threats or ways to improve security posture.
Most tasks that we automate today fall into the robotic category – regular activities, such as patching, scheduled scans and access management requests, for example. These give time back to the security team but are protection and prevention activities, not responses.
An engineer works well with unstructured datasets. Therefore, when investigating a threat, they are comfortable with switching between software code of the exploit, researching online forums, understanding related patches that exist or reading documentation. The human brain is good at working to form connections from seemingly unconnected information.
Computers, by contrast, work with structured data. They prefer information lists, which may include port numbers, protocols or detected exploit details. Artificial Intelligence (AI) is not yet at the point where it can follow the same thinking patterns as an engineer, when analyzing a threat or formulating a response.
Moving from attack prevention to threat response
Machine learning can be trained to work with data and process it in a more unstructured way like the human brain does. When a threat is detected, there is immediately more contextual information available to the engineer about how the threat is spreading, what protocols are in use and how many devices are infected. This means the time required for response development reduces, which speeds up the resolution.
Traditional cybersecurity models use data from solutions to create a strong posture. Extending this model to leverage not only security data, but also data from other non-security devices like switches or routers, means posture can be improved even further.
With the use of machine learning to understand where a threat may start an attack and automation to create dynamic policy actions based across both solution and platform data, technology can be trained to act on behavioral indicators across different vectors throughout the network. This process significantly reduces the risk of a successful attack, as well as provides crucial information the security engineer needs for successful overall mitigation.
For most organizations, the full capabilities of automation are still untapped.
Tomi Engdahl says:
Four Considerations for Making Your IoT/ICS Networks CMMC Compliant
https://cyberx-labs.com/blog/four-considerations-for-making-your-iot-ics-networks-cmmc-compliant/?utm_campaign=Blog&utm_medium=email&_hsmi=91200351&_hsenc=p2ANqtz-9qwz9KLTA3KYRCzrJfCbnjqcQte3cd_9sfvb4TTeXWO4mu1hYKg4y3ntpII8Nnhsc2XBrItKnDH77FJigVaJ__5a9Bb4Hn9JUsT9CU1Qnmjbm1QSU&utm_content=91200351&utm_source=hs_email
In early 2020, the US Department of Defense released the Cybersecurity Maturity Model Classification (CMMC). Contractors in the DoD supply chain must be evaluated against this maturity model by a third-party audit. The CMMC contains seventeen capability domains, each of which encompasses a different area of security. Each of these domains will be evaluated on a level from one to five — five being the most mature — and the organization will be assigned an overall CMMC level based on their evaluation results.
The CMMC is a big deal, because the level that an organization achieves will determine which DoD contracts they’re eligible for.
But for many organizations, CMMC certification is understandably daunting. The capability domains outlined in CMMC are very broad, encompassing everything from physical security to personnel security to asset management and beyond. But it’s important to note that the goal of the CMMC is not to encourage supply chain organizations simply to meet the model’s requirements — the requirements are so broad because building a culture of cybersecurity, one that’s effective enough to evolve for future threats, is a holistic effort that encompasses the entire organization.
This is why organizations that are preparing for CMMC evaluation need to make sure they consider their IoT/ICS environments. Modern attacks often cross IT/OT boundaries, which is why unified security monitoring and governance across both IT and OT networks is the optimal way to quickly detect and respond to threats.
Plus there are very few CMMC domains that don’t apply to IoT/ICS networks. Asset discovery, threat detection, incident response — these are all things that are just as relevant to your IoT/ICS network as your IT network. In fact, addressing those domains without addressing IoT/ICS networks is an incomplete response.
Tomi Engdahl says:
https://en.wikipedia.org/wiki/OWASP
Tomi Engdahl says:
https://owasp.org/www-project-top-ten/
https://github.com/OWASP
Tomi Engdahl says:
Can Governments Defeat Nation-State Attacks on Critical Infrastructures?
https://threatpost.com/can-governments-defeat-nation-state-attacks-on-critical-infrastructures/156338/
The one cyber risk that governments are much better at controlling than we are is insider threats. Governments have been dealing with people threats for centuries and have powerful tools at their disposal for such investigations.
For physical conflicts, we expect our government to protect us from nation-state adversaries. It turns out, though, that industrial enterprises are much better positioned to defeat most nation-state attacks on power plants, pipelines, and other critical infrastructures than governments are.
For example – consider classic industrial attacks:
Stuxnet was an autonomous worm carried into an industrial target on a USB drive.
TRITON was a remote-control attack on a refinery’s safety systems.
LockerGoga was targeted ransomware that shut down Norsk Hydro’s and several of its aluminum plants.
NotPetya was a destructive worm, introduced by a compromised software update, that crippled shipping at Maersk.
Now consider government approaches to cyber defenses:
Information sharing programs – share detailed information about previous attacks.
Threat intelligence programs – give early warning of possible new attacks and targets.
Security regulations – are costly rules demanding minimal security measures.
Central intrusion detection systems – use essentially the same technology platforms as enterprise systems.
Insider threat detection – identifies malicious insiders, compromised insiders, spies, sleeper cells, and other human conspiracies against critical infrastructures.
What are the lessons here?
Information sharing is backward-looking – Stuxnet, TRITON, and NotPetya “came out of nowhere” – there were no similar previous attacks to learn from.
Threat intelligence programs are imperfect – Stuxnet, TRITON, and NotPetya were all the result of long-standing physical conflicts and succeeded in spite of presumably long-standing warnings.
Regulations are not protection, but the government ordered us to protect ourselves, and
Government intrusion detection is a little better at detecting attacks than our own systems and presents serious risks to corporate confidentiality.
Secure Operations Technology
The world’s most secure industrial sites have long concluded that they must defend themselves against even sophisticated cyber attacks. How do they do it? Secure sites observe that all cyber attacks are information – and so they carry out thorough inventories of offline and online information/attack flows that come into their critical networks. These sites then deploy physical controls for these attack & information flows, instead of relying solely on software protections.
For example, to control offline threats, secure sites physically remove as many CD-drives, floppy drives, and USB ports as possible, and put technology & procedures in place to detect and remediate all use of removable media. Secure sites are similarly strict with laptops – no device that has ever been exposed to an Internet-exposed network is ever allowed to connect to an industrial network.
For online threats, secure sites deploy at least one layer of unidirectional gateway technology in their networks. Unidirectional gateway hardware can physically send information in only one direction – generally out of the industrial network. The gateway software replicates servers – most commonly historian databases that are the focus of IT/OT integration. Users and applications on the enterprise network interact normally with the replica databases.
Practitioners not familiar with the technology are often surprised to discover that unidirectional gateways support OT intrusion detection systems, remote access systems, anti-virus updates, and many other communications needs. The 2019 book Secure Operations Technology (SEC-OT) addresses this gap, documenting the perspective, methodology, and best practices of secure industrial sites.
The bottom line – with even sophisticated cyber attacks frustrated, the biggest residual risk is insiders. This is where secure sites ask their governments for help. Again, governments have much more powerful tools at their disposal than do commercial enterprises for such threats.
The threat environment continues to worsen.
Tomi Engdahl says:
What is OWASP? What Are The OWASP Top 10?
https://www.cloudflare.com/learning/security/threats/owasp-top-10/
The Open Web Application Security Project maintains a regularly-updated list of the most pressing web application security concerns.
Tomi Engdahl says:
DARPA computer security unit says, “Don’t worry; we can take it.”
DARPA: Hack Our Hardware
https://spectrum.ieee.org/tech-talk/computing/hardware/hack-our-hardware
Thanks to Moore’s Law, the number of transistors in our computing devices has doubled every two years, driving continued growth in computer speed and capability. Conversely, Wirth’s Law indicates that software is slowing more rapidly than hardware is advancing. The net result is that both hardware and software are becoming more complex. With this complexity, the number of discovered software vulnerabilities is increasing every year; there were over 17,000 vulnerabilities reported last year alone. We at DARPA’s System Security Integrated Through Hardware and firmware (SSITH) program argue that the solution lies not in software patches but in rethinking hardware architecture.
In March 2020, MITRE released version 4.0 of its Common Weakness Enumerations (CWE) list, which catalogues weaknesses in computer systems. For the first time, it included categories of hardware vulnerabilities. Among them are: Rowhammer; Meltdown/Spectre; CacheOut; and LVI, which are becoming more prevalent. In fact, a reported 70 percent of cyber-attacks are the result of memory safety issues [pdf] such as buffer overflow attacks – a category of software exploit that takes advantage of hardware’s inherent “gullibility.”
Gartner forecasts that there will be 5.81 billion IoT endpoints this year, and IDC estimates the number of IoT devices will grow to 41.6 billion in 2025. Despite these staggering statistics, IoT is still in its infancy. I liken it to the Wild West, where companies come and go, regulations and standards are undefined, and security is often an afterthought. This lawlessness can have significant consequences, as we saw in 2016 when the Mirai bot-net attacked domain registration service provider, Dyn.
Today, the security research community is able to identify many of these cyberattacks quickly, and solutions are distributed to patch the exploited software.
Every time a new software vulnerability that exploits hardware is identified, a new software patch is issued. However, these patches only address the software layer and do not actually “treat” the underlying problem in the hardware, leaving it open to the creation of new exploits. In the medical field, this type of treatment regime is expensive and doesn’t cure the disease. In recent years, physicians have been advocating preventive medicine to treat the root causes of chronic diseases. Similarly, we need to adapt and find a better way to protect our computer systems.
Even though they may use open source components, this slow update cycle is due to devices needing to be requalified to make sure that any updates to the kernel or drivers do not break the system.
Requalifying a device is expensive and even more costly when a new version of an operating system is involved. Often this is not even possible
The net result is that individual third-party IP components are often not updated and only support certain versions of an operating system and software stack, further preventing the device that uses them from being updated. Additionally, the cost of supporting hardware devices is so large that many companies outsource technical support and device management to third-party companies who were not involved with the original development.
Because of these issues, protection from malware often requires a hardware upgrade. Take, for example, the cell phone market. Updates are often slow or nonexistent if you are not using one of the major brands.
Even then, they keep this up for only for a few years before the consumer is forced to upgrade. In between these hardware updates, software updates are employed in the form of the “patch and pray” approach.
DARPA’s System Security Integrated Through Hardware and firmware (SSITH) program seeks to break this cycle of vulnerability exploitation by developing hardware security architectures to protect systems against entire classes of the hardware vulnerabilities that these software exploits attack. SSITH’s philosophy: By treating the problem at its root—the hardware—it can end the need for continual “patch and pray” cycles.
https://cwe.mitre.org/data/
https://www.darpa.mil/program/ssith
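As an added illustration of the memory-safety point the DARPA piece makes (example code written for this page, not DARPA’s, MITRE’s or the SSITH program’s own): the first function is the unchecked copy pattern behind classic buffer overflows, the second is its hardened form, and the `bounded_buf` helper is a software analogue, assumed here purely for illustration and not SSITH’s design, of the idea that bounds metadata should travel with the pointer and be checked on every access rather than trusted to the programmer. The buffer size, function names and sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size stack buffer, constructed example */

/* 'Before' form (the CWE-120 pattern): copies the caller's string into a
 * fixed buffer with no length check. A name of 16 bytes or more runs past
 * 'name' into whatever the compiler placed after it on the stack, such as
 * saved registers and the return address; the CPU has no notion of where
 * 'name' ends, which is the "gullibility" the article refers to.
 * Kept only for comparison; never give it untrusted input. */
int greet_unsafe(const char *user, char *out, size_t out_len)
{
    char name[NAME_LEN];
    strcpy(name, user);                       /* unbounded copy */
    return snprintf(out, out_len, "hello %s", name);
}

/* Hardened form: establish that the input terminates within the buffer
 * before copying, then copy exactly that many bytes. Returns 0 on success,
 * -1 if the input is too long (rejected rather than truncated, so a caller
 * can never silently continue with an altered value). */
int greet_safe(const char *user, char *out, size_t out_len)
{
    char name[NAME_LEN];
    const char *nul = memchr(user, '\0', NAME_LEN);  /* NUL within bounds? */
    if (nul == NULL)
        return -1;                            /* 16 or more bytes: does not fit */
    size_t n = (size_t)(nul - user);
    memcpy(name, user, n + 1);                /* n characters plus terminator */
    snprintf(out, out_len, "hello %s", name);
    return 0;
}

/* Software analogue of hardware bounds metadata: the pointer carries its
 * length and every access is checked against it. An illustration assumed
 * for this page, not the actual SSITH architecture. */
typedef struct {
    unsigned char *base;
    size_t len;
} bounded_buf;

int bounded_write(bounded_buf b, size_t idx, unsigned char v)
{
    if (idx >= b.len)
        return -1;                            /* out-of-bounds store refused */
    b.base[idx] = v;
    return 0;
}

int main(void)
{
    char out[64];
    unsigned char raw[4] = {0};
    bounded_buf bb = { raw, sizeof raw };

    printf("safe, short name : %d\n", greet_safe("alice", out, sizeof out));
    printf("safe, 16-byte name: %d\n", greet_safe("0123456789abcdef", out, sizeof out));
    printf("bounded in range : %d\n", bounded_write(bb, 3, 7));
    printf("bounded past end : %d\n", bounded_write(bb, 4, 7));
    return 0;
}
```

The point of the pair is that the fix in `greet_safe` is a per-call-site decision a programmer has to remember every time; the `bounded_buf` shape moves that decision into the access path itself, which is what a hardware-enforced approach does for every load and store without relying on a patch for each newly found site.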
Tomi Engdahl says:
Cisco removed its seventh backdoor account this year, and that’s a good thing
Seventh backdoor account discovered in Cisco Small Business Switches firmware.
https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
Tomi Engdahl says:
The NCSC-UK’s Exercise in a Box tool set has been updated to help organisations keep their employees safe while working from home
https://www.zdnet.com/article/remote-working-this-free-tool-tests-how-good-your-security-really-is/
The ‘Home and Remote Working’ exercise has been added to the NCSC-UK’s Exercise in a Box, a toolkit designed to help small and medium-sized businesses prepare to defend against cyber attacks by testing employees with scenarios based around real hacking incidents – and lessons on how to respond.
Tomi Engdahl says:
US Secret Service creates new Cyber Fraud Task Force
https://www.bleepingcomputer.com/news/security/us-secret-service-creates-new-cyber-fraud-task-force/
CFTF’s main goal is to investigate and defend American individuals and businesses from a wide range of cyber-enabled financial crimes, from business email compromise (BEC) scams and ransomware attacks to data breaches and the illegal sale of stolen personal information and credit cards on the Internet and the dark web.
Tomi Engdahl says:
Injecting Magecart into Magento Global Config
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/
This attack shows the relative ease with which a Magento system can be compromised to inject malicious JavaScript into web pages.
Tomi Engdahl says:
https://darungrim.com/research/2020-07-10-windows-malware-analysis-process-artifacts.html
Tomi Engdahl says:
The Misguided Search for Cybersecurity’s Purple Unicorn
https://www.governing.com/security/The-Misguided-Search-for-Cybersecuritys-Purple-Unicorn.html
In looking for a new chief information security officer, it’s tempting to generate a long list of professional qualifications. But these days, technical expertise isn’t what the job is really about.
Over the years I’ve developed an intuition about the way people interview, and it became obvious that the organization didn’t really understand what it wanted or even what the role of a CISO should be.
At the end of our conversation, the recruiter admitted that she realized her client was looking for a “purple unicorn,” but the organization had gone through three CISOs in the past five years and those in charge of filling the job wanted to make sure they were establishing the right expectations at the beginning.
That’s an understandable concern, because musical chairs in cybersecurity leadership serve neither the organization nor the CISO well.
Twenty years ago, a CISO was expected to be a technical expert in all facets of the management of security operations within an organization. And that was a reasonable expectation because the technology and regulatory environments were fairly well bounded and fit on a single sheet of paper. Fast-forward to 2020, and the security world has become so complex, with such a vast array of competing technologies, nation-state and mob-like bad guys, and a dizzying array of regulatory and compliance requirements that being a comprehensive cybersecurity expert is futile. Managing risk is the name of the game today.
A CISO today cannot possibly be a subject-matter expert in all things cyber. “In theory, the CISO is an executive management position,”
“This implies a lot of experience and expertise in collaborating with peers, delegating to and consulting with internal and external experts at various levels, that requires both very technical and very bureaucratic skills.”
While technology certainly jumps out as the most dramatically changing facet of information security, people and process requirements have also been on a high-speed change trajectory.
“for most folks, ‘cybersecurity’ is a simple term often describing a simple problem — bad guys attacking devices, systems and data. But for CISOs, this simple term is actually a highly complex world of very different areas of expertise which they have to manage holistically without missing a beat.”
One of the most difficult CISO challenges today is hiring qualified people and then retaining them in an environment where competition for their services is ruthless. Government organizations have an additional disadvantage in that they must compete for that talent when private-sector companies can offer a lot more money and other incentives.
Personnel turnover costs are significant, so hiring right the first time is more important than it’s ever been.
Process has become central in determining how a government organization addresses risk in a world in which meeting standards, regulations and compliance requirements consumes a huge amount of resources.
Finally, and with respect to technology itself, there are well over 3,000 cybersecurity vendors in the global market today, offering everything from end-user device management to identity and access control, automation of security operations centers, insider-threat mitigation, cloud security and dozens of other categories of products and services. Most government organizations employ between 40 and 100 different vendor products and services, and it is impossible for a CISO to even know all of the different solutions in use in the organization, much less have expert knowledge of them all.
Cybersecurity is, and will continue to be, a highly dynamic environment where the threat reshapes more frequently than most of us can keep up with. My counsel to both CISOs and people hiring them is that those who might hold this position should aspire to be experts who can manage the complex individual specialty areas of security, rather than people with expert skills in any individual specialty area.
“a zen-like balance” in managing the various strategic and tactical requirements of organizational security
Tomi Engdahl says:
Just 21% of security pros haven’t considered quitting their current job
https://www.theregister.com/2020/07/14/infosec_job_change/
Almost one in five infosec pros have quit a job due to overwork or burnout caused by the constant pressure of keeping things safe and doing so without the resources to counter ever-evolving threats. Some 18 per cent [n=445] said they had personally walked out of a role permanently because of burnout; 36 per cent professed to knowing someone that had left due to it; and another 25 per cent claimed they had considered it.
Tomi Engdahl says:
Deepfake used to attack activist couple shows new disinformation frontier
https://www.reuters.com/article/us-cyber-deepfake-activist/deepfake-used-to-attack-activist-couple-shows-new-disinformation-frontier-idUSKCN24G15E
Online profiles describe him as a coffee lover and politics junkie who was raised in a traditional Jewish home. His half dozen freelance editorials and blog posts reveal an active interest in anti-Semitism and Jewish affairs, with bylines in the Jerusalem Post and the Times of Israel.
The catch? Oliver Taylor seems to be an elaborate fiction.
Six experts interviewed by Reuters say the image has the characteristics of a deepfake.
“The distortion and inconsistencies in the background are a tell-tale sign of a synthesized image, as are a few glitches around his neck and collar,”
Artist Mario Klingemann, who regularly uses deepfakes in his work, said the photo “has all the hallmarks.”
“I’m 100 percent sure,” he said.
The Taylor persona is a rare in-the-wild example of a phenomenon that has emerged as a key anxiety of the digital age: The marriage of deepfakes and disinformation.
The threat is drawing increasing concern in Washington and Silicon Valley. Last year House Intelligence Committee chairman Adam Schiff warned that computer-generated video could “turn a world leader into a ventriloquist’s dummy.”
Last week online publication The Daily Beast revealed a network of deepfake journalists – part of a larger group of bogus personas seeding propaganda online.
Deepfakes like Taylor are dangerous because they can help build “a totally untraceable identity,”
Oliver Taylor’s articles drew minimal engagement on social media, but the Times of Israel’s Herschlag said they were still dangerous – not only because they could distort the public discourse but also because they risked making people in her position less willing to take chances on unknown writers.
“Absolutely we need to screen out impostors and up our defenses,” she said. “But I don’t want to set up these barriers that prevent new voices from being heard.”
Tomi Engdahl says:
A reason to not have a camera. If you are going to have a camera, be sure to run the data through a VPN to reduce the ability to suss out this particular data stream.
Your Security Cameras Could Be Snitching On You
https://www.popularmechanics.com/technology/security/a33236875/home-security-cameras-vulnerability-burglars/
New research shows that burglars can figure out when you’re not home.
Tomi Engdahl says:
Do Old Viruses Work on Modern PCs? | Nostalgia Nerd
https://www.youtube.com/watch?v=kLan-BOybbk
Tomi Engdahl says:
Google open-sources Tsunami vulnerability scanner
https://www.zdnet.com/article/google-open-sources-tsunami-vulnerability-scanner/
Google says Tsunami is an extensible network scanner for detecting high-severity vulnerabilities with as little false-positives as possible.
Tomi Engdahl says:
Check your router now – it could be a huge Linux security risk
By Mike Moore
https://www.techradar.com/news/check-your-router-now-it-could-be-a-huge-linux-security-risk
Your router might be the biggest security hole in your network
Tomi Engdahl says:
How Have I Been Pwned became the keeper of the internet’s biggest data breaches
https://techcrunch.com/2020/07/03/have-i-been-pwned/
Tomi Engdahl says:
PROTESTERS, HERE’S HOW TO SET UP A CHEAP BURNER PHONE
https://theintercept.com/2020/06/15/protest-tech-safety-burner-phone/
Tomi Engdahl says:
https://seiffi.fi/uncategorized/ser-kierratys-varoittaa-valvomattomista-sahko-ja-elektroniikkalaitteiden-talkookerayksista/
Tomi Engdahl says:
Understanding the Purpose of Security Controls and the Need for Compliance
https://www.tripwire.com/state-of-security/featured/understanding-purpose-controls-compliance/
Tomi Engdahl says:
The AnonyBox – a Cheap and Easy Network Device to Manage Anonymity Online
https://www.instructables.com/id/The-AnonyBox-A-cheap-and-easy-network-device-to-/
https://gschoppe.com/embedded/the-anonybox-squid-socks-and-openvpn-all-for-15/
Tomi Engdahl says:
Your personal details are almost certainly for sale on the Dark Web now
https://www.techradar.com/uk/news/over-15-billion-stolen-credentials-are-for-sale-on-the-dark-web-now
Over 15 billion stolen online details are for sale on the Dark Web right now, according to a shocking new report.
According to new research from Digital Shadows, the number of stolen credentials currently available for purchase is equivalent to more than two for every person on the planet. This figure has risen by 300% since 2018 as a result of more than 100,000 separate breaches.
Of the 15 billion stolen credentials estimated to be for sale online, more than five billion were assessed to be ‘unique’ as they have not been advertised more than once on cybercriminal forums.
Tomi Engdahl says:
Cryptography Pioneer Seeks Secure Elections the Low-Tech Way
By Susan D’Agostino, March 12, 2020
https://www.quantamagazine.org/rsa-cryptographer-ronald-rivest-seeks-secure-elections-20200312/
Ronald Rivest helped come up with the RSA algorithm, which safeguards online commerce. Now he’s hoping to make democratic elections more trustworthy.
Tomi Engdahl says:
https://panopticlick.eff.org/
When you visit a website, online trackers and the site itself may be able to identify you – even if you’ve installed software to protect yourself. It’s possible to configure your browser to thwart tracking, but many people don’t know how.
Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques.
Tomi Engdahl says:
The hidden trackers in your phone, explained
How covert code enables your phone’s apps to spy on you.
https://www.vox.com/recode/2020/7/8/21311533/sdks-tracking-data-location
Tomi Engdahl says:
What’re you telling me, Ghidra?
An introduction to Ghidra’s primary components
https://byte.how/posts/what-are-you-telling-me-ghidra/
Tomi Engdahl says:
https://theintercept.com/2020/06/15/protest-tech-safety-burner-phone/
Tomi Engdahl says:
https://www.darknet.org.uk/2020/07/axiom-pen-testing-server-for-collecting-bug-bounties/
Tomi Engdahl says:
High Performance, lightweight, portable Open Source tool for mass SMBGhost Scan
https://github.com/deepsecurity-pe/GoGhost
Tomi Engdahl says:
Beginners Guide On How You Can Use Javascript In BugBounty.
https://medium.com/@patelkathan22/beginners-guide-on-how-you-can-use-javascript-in-bugbounty-492f6eb1f9ea
Let us take a look at what JavaScript is and why devs use it in a web app, before looking into how we can use it to find bugs.
Tomi Engdahl says:
This is What Computer Viruses Looked Like in the 1990s
https://www.mentalfloss.com/article/69060/what-computer-viruses-looked-1990s
Tomi Engdahl says:
Covid-19 has forced businesses to change how they operate with great speed and agility. Meanwhile, hackers have been equally innovative.
WIRED and Accenture have examined the company strategies being used to stay secure during the pandemic #WIREDpartner https://buff.ly/2OkATHJ
The Covid-19 risks businesses may not have considered
https://www.wired.co.uk/article/business-risks-coronavirus-hacking-accenture
The pandemic has forced businesses to change how they operate with great speed and agility – but they’re not the only ones. Hackers and scammers have been equally innovative.
Tomi Engdahl says:
A Security Reminder: Containers Talk to Each Other and Other Endpoints
https://pentestmag.com/a-security-reminder-containers-talk-to-each-other-and-other-endpoints/
#pentest #magazine #pentestmag #pentestblog #PTblog #containers #endpoints #cybersecurity #infosecurity #infosec
Tomi Engdahl says:
Real-Time Network Monitoring via Shodan
https://asciinema.org/a/231048
Tomi Engdahl says:
How to issue Let’s Encrypt wildcard certificate with acme sh and @Cloudflare DNS API and grab A+ ratings https://www.cyberciti.biz/faq/issue-lets-encrypt-wildcard-certificate-with-acme-sh-and-cloudflare-dns/ Useful when you need a TLS certificate on a LAN that is not open from the internet. #Linux #Unix #sysadmin #OpenSource
Tomi Engdahl says:
THE MICROSOFT POLICE STATE: MASS SURVEILLANCE, FACIAL RECOGNITION, AND THE AZURE CLOUD
https://theintercept.com/2020/07/14/microsoft-police-state-mass-surveillance-facial-recognition/
Tomi Engdahl says:
What your company can learn from the Bank of England’s resilience proposal
https://techcrunch.com/2020/07/23/what-your-company-can-learn-from-the-bank-of-englands-resilience-proposal/
The Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) decided to take action and set a standard for operational resiliency.
While policies can often feel burdensome and detached from reality, these guidelines are reasonable steps that any company across any industry can exercise to improve the resilience of their software systems.
The BoE standard breaks down to these five steps:
Identify critical business services based on those that end users rely on most.
Set a tolerance level for the amount of outage time during an incident that is acceptable for that service, based on what utility the service provides.
Test if the firm is able to stay within that acceptable period of time during real-life scenarios.
Involve management in the reporting and sign-off of these thresholds and tests.
Take action to improve resiliency against the different scenarios where feasible.
Following this process aligns with best practices in architecting resilient systems.
Tomi Engdahl says:
Identify critical business services
The operational resilience framework recommends focusing on the services that serve external customers. While internal applications are important for productivity, this customer-first mentality is sound advice for determining a starting place for reliability efforts.
https://techcrunch.com/2020/07/23/what-your-company-can-learn-from-the-bank-of-englands-resilience-proposal/
Tomi Engdahl says:
The Top 5 Healthcare Cybersecurity Frameworks
https://pentestmag.com/the-top-5-healthcare-cybersecurity-frameworks/
What are the components of the frameworks?
There are three main components of CSF: core, implementation tiers, and profiles.
Frameworks consist of three main components:
Framework core stands for an arrangement of cybersecurity activities and references. It provides communication of cybersecurity risks across an organization.
Implementation tiers assist in defining cyber security management. Also, they tend to highlight the right level of thoroughness for a security solution.
Profiles stand for the list of organizational goals and premises. They usually level off industry standards and best practices.
Reasons to Use Cybersecurity Frameworks in the Healthcare Industry
It’s obvious that hospitals and the healthcare industry require sound security systems, along with data protection.
According to Verizon, insider threats are more frequent in the healthcare sector — 59% of breaches are internal in comparison to 42% external ones.
Of course, there are various reasons for these statistics. However, the main one is human mistakes. Also, there are such reasons as privilege misuse and various software issues.
Additionally, 6% of internal breach cases were done ‘just for fun’. However, such actions had horrible effects.
So, there is no surprise that security becomes a priority task for the healthcare industry.
How can healthcare cybersecurity frameworks help here?
There are four primary ways:
The cybersecurity frameworks assist in identifying and detecting security threats. Also, they help recover from security attacks.
Frameworks allow ensuring security issues using its core elements, implementation tiers, and profile.
Healthcare cybersecurity frameworks will enable stakeholders to find out and manage cybersecurity issues together.
Healthcare frameworks tend to align business and tech policies.
As a result, healthcare organizations get improved service delivery and increased operational efficiency with personnel.