Cyber security trends for 2020

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I will make educated guesses based on what has happened during the last 12 months and the several years before that.

The past year has seen a rapid increase in the adoption of up-and-coming technologies. Everyday items are getting smarter and more connected. Companies are saving millions with new technologies and cities are racing to implement smart solutions. 5G promises to bring high-speed wireless broadband everywhere. On the other hand, those solutions add new kinds of vulnerabilities. 2020 is when cybersecurity gets even weirder, so get ready.

Here are some trends and predictions for cyber security in 2020:

Cyber Attacks: Cyberattacks grow in volume and complexity. Many more countries are going to emerge as major threats in the 2020s. Nation-state backed cyber groups have been responsible for major incidents over the last decade, and now more countries want the same power. Cyberattacks range from targeting your database to steal information that can be sold on the dark web, to hijacking unused CPU cycles on your devices to mine cryptocurrencies, to infecting vulnerable systems so they can be used later as part of a botnet.

IoT security: IoT security will keep getting worse before it starts to get better. It is an extremely hot topic right now and will stay hot for many years to come. Industrial IoT risk has been discussed a lot; physics dictates local application deployment there, because the control loop of most industrial systems runs at 10 milliseconds or faster. Smart building security awareness is growing, and the risks of the IoT in financial services are great. The explosion in IoT devices significantly raises the threat level. Gartner predicted that the world will see nearly 21 billion IoT devices by next year. It would be nice if all of them were secure, but many unfortunately are not, and attackers are continually looking for ways to exploit device vulnerabilities. From smart TVs, IP cameras and smart elevators to hospital infusion pumps and industrial PLCs, IoT and OT (Operational Technology) devices are inherently vulnerable and easy to hack. Why? Because IoT security is complicated, and security has to be considered and integrated into IoT deployments from the start rather than bolted on afterwards. Gartner says worldwide IoT security spending will reach $1.9 billion in 2019 and rise to $3.1 billion in 2021, making it one of the fastest growing segments of the cybersecurity industry. The IoT landscape is complex, and so are the security solutions; they tackle the different challenges of IoT: device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more. You might have to do a little work with your own internet of things devices to stay secure. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of devices vulnerable to attack: one in every 172 active RSA certificates was found to share a prime factor with another certificate, which lets anyone holding both public keys recover both private keys with a simple GCD computation. Weak entropy at key-generation time on embedded devices is the usual cause. It is a good idea to build a separate network segment for IoT devices so that they are isolated from the normal office network; the FBI recommends keeping your IoT devices on a separate network.
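Why a shared prime is fatal, as an added example that is not code from the original post: the moduli below are constructed toy keys built from 10-bit primes and the device names are made up, but the check is exactly what the certificate study ran at scale against real 2048-bit moduli.

```python
"""Shared-factor check for a batch of RSA public keys (added example).

Two devices that generated keys from poor entropy can end up with moduli
n1 = p*q1 and n2 = p*q2. Neither modulus can be factored on its own, but
gcd(n1, n2) = p, and with p known both private keys follow immediately.
The keys below are constructed 10-bit toy primes; a real run would use the
moduli pulled from certificates.
"""
from itertools import combinations
from math import gcd

# Constructed toy fleet: devA and devC both picked the prime 1009 (simulating
# two devices with the same weak entropy source at first boot).
TOY_MODULI = {
    "devA": 1009 * 1013,
    "devB": 1019 * 1021,
    "devC": 1009 * 1031,
    "devD": 1033 * 1039,
}
PUBLIC_EXPONENT = 65537


def find_shared_factors(moduli):
    """Return {name: (p, q)} for every modulus that shares a prime with another.

    Pairwise gcd is O(n^2) in the number of keys; the published study used a
    product-tree batch GCD to cover tens of millions of keys, but the result
    per key is the same.
    """
    factored = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        # g == n_a means identical moduli (a different, also fatal, problem);
        # 1 < g < n_a means a genuinely shared prime.
        if 1 < g < n_a and g < n_b:
            factored[name_a] = (g, n_a // g)
            factored[name_b] = (g, n_b // g)
    return factored


def private_exponent(p, q, e=PUBLIC_EXPONENT):
    """d = e^-1 mod phi(n); needs Python 3.8+ for the modular-inverse form of pow."""
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    """Factor every weak key and prove it by decrypting a message encrypted to it."""
    recovered = {}
    for name, (p, q) in find_shared_factors(TOY_MODULI).items():
        n = p * q
        d = private_exponent(p, q)
        message = 42                      # any m < n
        ciphertext = pow(message, PUBLIC_EXPONENT, n)
        recovered[name] = pow(ciphertext, d, n) == message
    return recovered


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: private key recovered, decryption works = {ok}")
```

The same check is worth running against your own device fleet: export the certificates, take the moduli, and batch-GCD them before an attacker does.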

IoT privacy: Silicon Valley is listening to your most intimate moments. The world’s biggest companies got millions of people to let temp workers analyze some very sensitive recordings made by their “smart” speakers and smartphones. A quarter of Americans have bought smart speaker devices such as the Echo, Google Home and Apple HomePod. Consulting firm Juniper Research Ltd. estimates that by 2023 the global annual market for smart speakers will reach $11 billion and there will be about 7.4 billion voice-controlled devices in the wild, roughly one for every person on Earth. The question is: then what? Having microphones that listen all the time is concerning. Attackers who hijack such devices are also terrifying homeowners and making them feel violated in their own homes.

Medical systems security: Cyberattacks on medical devices are on the rise, and manufacturers must respond. Attacks on networked medical devices, and on the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction. It is shocking that a few years after WannaCry and NotPetya the healthcare industry is still not prepared to deal with ransomware attacks: many hospitals and healthcare networks have been hit by ransomware over the past few months.

Surveillance cameras: Surveillance cameras are capturing what we do on the streets, at airports, in stores and in much of our public space. China’s Orwellian video surveillance gets a bad rap, but the US isn’t far behind: it has nearly the same ratio of security cameras to citizens as China, and the numbers are growing all over the world. One billion surveillance cameras will be deployed globally by 2021, according to data compiled by IHS Markit. Russia is building one of the world’s largest facial recognition networks, and it may even be bigger than China’s 200 million camera system. China’s installed base is expected to rise to over 560 million cameras by 2021, representing the largest share of surveillance devices installed globally, with the US rising to around 85 million cameras. The US, like China, now has about one surveillance camera for every four people (in 2018 China had 350 million cameras and the USA 70 million). Cameras are getting better, smaller and cheaper and can be installed almost anywhere: it would be very easy to sneak a camera onto a hotel’s Wi-Fi network and stream its video over the internet to an attacker’s computer.

Facial recognition: Private companies and governments worldwide are already experimenting with facial recognition technology. The software is touted as making us safer, but mass surveillance has downsides of major proportions. Massive errors have been found in facial recognition tech: systems can produce wildly inaccurate results, especially for non-whites. Individuals, lawmakers, developers and everyone in between should be aware of the rise of facial recognition and the risks it poses to the rights to privacy, freedom, democracy and non-discrimination.

Shut off Internet: A worrying worldwide trend employed by various governments: preventing people from communicating on the web and accessing information. Amid widespread demonstrations over different issues, many countries have started cutting Internet connections. Iran and India have both done so, and Russia is moving in the same direction. Some countries, namely China, architected their internet infrastructure from the start with government control in mind. For better or worse, an internet blackout also limits the government’s own ability to conduct digital surveillance on citizens.

Security First: Implementing cyber best practices requires a security-first approach. Competing in today’s digital marketplace requires that organizations be cyber-savvy. The best defense is to start with a security-driven development and networking strategy that builds a hardened digital presence from the ground up. This not only ensures that your online services and web applications are protected from compromise, but also lets security evolve and adapt alongside the development of your digital presence, rather than having to be constantly rigged and retrofitted to keep up with digital innovation.

Zero Trust Network Access: Many of the most damaging breaches have been the result of users gaining access to levels of network resources and devices they were never authorized for. Zero Trust is an enforceable, identity-driven access policy that includes seamless and secure two-factor/OTP authentication across the organization. Zero Trust Network Access ensures that all users and devices are identified, profiled and given only the network access appropriate to them. It also ensures that new devices are automatically assigned to appropriate network segments based on things like device profile and owner. Combined with Network Access Control (NAC), organizations can discover, identify, grant appropriate access to and monitor devices, strengthening both access control and segmentation.

Anti-virus software: Only half of malware is caught by signature AV. The percentage of malware that successfully bypasses signature-based antivirus scanners at companies’ network gateways has increased significantly, either because the code is obfuscated (“packed” with compression or basic encryption so the known byte patterns no longer appear in the file) or because variants are generated automatically. New approaches such as machine learning and behavioral detection, which look at what a sample does rather than what its bytes look like, are necessary to catch these threats. Meanwhile, network attacks have risen, especially against older vulnerabilities.
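The two evasions described above side by side with the two kinds of detection, as an added example that is not from the original article. The “sample” is a constructed, harmless byte string standing in for a dropper, the packer is a toy (compress plus one-byte XOR), and the sandbox is simulated; real engines work on executables, but the reason packing and variants defeat signatures while leaving behaviour untouched is the same.

```python
"""Packing and variant generation versus signature scanning (added example).

The 'sample' is a constructed, harmless byte string that stands in for a
malicious dropper; its only 'behaviour' is the command line it would launch.
A gateway signature scanner sees the bytes as they travel over the wire; a
behavioural engine sees what the bytes do once they run.
"""
import hashlib
import zlib

# Constructed sample: a dropper whose whole job is to launch an encoded
# PowerShell command ("SQBFAFgA" is "IEX" in UTF-16LE, base64-encoded).
ORIGINAL = b"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"

# Signature database built from that one known sample: a file hash plus a byte
# pattern pulled out of it. This is all a pure signature engine has.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}
BYTE_PATTERNS = [b"powershell -nop -w hidden"]

PACKED_MAGIC = b"PKD1"   # marker the toy unpacking stub looks for
XOR_KEY = 0x5A


def static_scan(sample: bytes) -> bool:
    """Signature AV at the gateway: exact hash or byte-pattern match."""
    if hashlib.sha256(sample).hexdigest() in KNOWN_HASHES:
        return True
    return any(pattern in sample for pattern in BYTE_PATTERNS)


def pack(sample: bytes) -> bytes:
    """Toy packer: compress, then XOR with a one-byte key.

    Real packers do the same thing with a stub that reverses it at run time;
    the patterns the scanner knows never appear in the file on disk.
    """
    body = bytes(b ^ XOR_KEY for b in zlib.compress(sample, 9))
    return PACKED_MAGIC + body


def make_variant(sample: bytes, seed: int) -> bytes:
    """Automatic variant: same behaviour, different bytes.

    Extra whitespace inside the command line (ignored by the shell) breaks the
    byte pattern; junk bytes appended after it change the file hash.
    """
    padded = sample.replace(b"-nop", b"-nop" + b" " * (seed % 3 + 1), 1)
    return padded + b"\x90" * (seed % 16 + 1)


def run_in_sandbox(sample: bytes):
    """Simulated execution: unpack if packed, then 'launch' the command line.

    Returns the process-creation events a behavioural monitor would record.
    """
    if sample.startswith(PACKED_MAGIC):
        body = bytes(b ^ XOR_KEY for b in sample[len(PACKED_MAGIC):])
        sample = zlib.decompress(body)
    command_line = sample.rstrip(b"\x90")      # trailing junk is never executed
    return [("CreateProcess", command_line)]


def behavioural_scan(sample: bytes) -> bool:
    """Flag on what the sample does: a hidden, encoded PowerShell launch."""
    for event, command_line in run_in_sandbox(sample):
        tokens = command_line.split()           # collapses the padding too
        if (event == "CreateProcess" and b"powershell" in tokens
                and b"-enc" in tokens and b"hidden" in tokens):
            return True
    return False


def compare(sample: bytes) -> dict:
    """Verdict of both engines for one sample."""
    return {"signature": static_scan(sample), "behaviour": behavioural_scan(sample)}


if __name__ == "__main__":
    for label, s in [("original", ORIGINAL), ("packed", pack(ORIGINAL)),
                     ("variant", make_variant(ORIGINAL, 7)),
                     ("packed variant", pack(make_variant(ORIGINAL, 7)))]:
        print(f"{label:15s} {compare(s)}")
```

Only the unmodified sample trips the signature engine; every repacked or regenerated copy sails past it, while the behavioural check catches all of them because the command line that finally executes is unchanged.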

Ransomware attacks: Ransomware will remain a major threat in the coming year, as the criminal business model continues to flourish. Some victims choose to pay, a move that security professionals have long condemned, warning that paying the ransom could end up causing more turmoil for victims as well as inspire other cybercriminals to launch ransomware attacks; Microsoft never encourages a ransomware victim to pay. The question is what to do about it. How much does a large-scale ransomware attack cost, as opposed to hiring an adequate number of skilled IT personnel and having disaster recovery plans in place? There is no complete security solution that could stop all attacks, but you should have decent protection. It would seem prudent to have adequate staff and offline BACKUPS so that decent recovery is possible. Having no backup system is the gamble many companies and public entities seem to be playing; good backups, kept offline or otherwise out of reach of the malware, help you recover from ransom attacks. There are new tactics coming into use in ransomware. The new Snatch ransomware strain reboots the computers it infects into Safe Mode, where most resident security products are not loaded, before encrypting. Another new tactic by ransomware developers is to threaten to release a victim’s data: they will publish the data they stole, or hand it to a competitor, if the ransom is not paid.

Public sector: Public sector security is lagging. The state of cybersecurity and resilience in the public sector needs an urgent boost in many countries. U.S. citizens rely on state governments and local municipalities to provide a host of services, everything from access to public records, law enforcement protection, education and welfare to voting and election services. Cybercriminals have been targeting state and local governments with ransomware, which infects an organization’s computer networks and locks up critical files.

Regulation: We will see further legal regulation in the area of cyber security and data protection. The implementation of the GDPR and the IT Security Act have already changed the behaviour of companies significantly; the drastic fines are having an effect. However, the GDPR is not the end of the story. The ePrivacy Regulation, the forthcoming reform of the IT Security Act and the European Cybersecurity Act will introduce further requirements with the aim of improving digital security.

Consumer confidence: Winning consumer confidence is crucial to the development of new digital services. According to a PwC study, consumers are prepared to share personal information if it brings them sufficient value. On the other hand, their confidence that you will keep that information safe has to be earned.

API security: APIs now account for 40% of the attack surface of all web-enabled apps. It is a good time to pay attention to API security, since some recent high-profile breaches have involved API vulnerabilities. OWASP, the Open Web Application Security Project known for its top 10 list of web application vulnerabilities, published the release candidate of its API Security Top 10 list at the end of September 2019, headed by broken object level authorization and broken user authentication. Also, it is almost 2020 and some sysadmins are still leaving the Docker daemon’s remote API port (TCP 2375, unauthenticated by default) exposed on the internet, which hands anyone who finds it root on the host.
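Two of the list’s entries in vulnerable and fixed form, as an added example rather than code from OWASP or from the original post: API1:2019 Broken Object Level Authorization and API6:2019 Mass Assignment. The order and profile records, the user names and the handler functions are constructed stand-ins for a JSON API and its database; the caller name represents an identity the framework has already authenticated from a session or token.

```python
"""Two of the OWASP API Security Top 10 mistakes, vulnerable and fixed (added example).

API1:2019 Broken Object Level Authorization and API6:2019 Mass Assignment are
shown against a constructed in-memory store; the handlers stand in for the
request handlers of a JSON API and the caller name for an already
authenticated identity taken from the session or token.
"""
from copy import deepcopy

# Constructed data; a real API would read these from its database.
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 17.5},
}
PROFILES = {
    "alice": {"email": "alice@example.org", "display_name": "Alice", "role": "user"},
}


class NotFound(Exception):
    pass


class BadRequest(Exception):
    pass


# --- API1: object level authorization -------------------------------------

def get_order_vulnerable(caller: str, order_id: int) -> dict:
    """The caller is authenticated, but nothing ties the object to them:
    GET /orders/101 as bob returns alice's order."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return deepcopy(ORDERS[order_id])


def get_order_fixed(caller: str, order_id: int) -> dict:
    """Authorize against the object, not just the endpoint. The same 404 is
    returned for 'not yours' and 'does not exist', so the endpoint cannot be
    used to enumerate which order IDs are valid."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        raise NotFound(order_id)
    return deepcopy(order)


# --- API6: mass assignment --------------------------------------------------

WRITABLE_PROFILE_FIELDS = frozenset({"email", "display_name"})


def update_profile_vulnerable(caller: str, payload: dict) -> dict:
    """Binds the request body straight onto the model: {"role": "admin"}
    is accepted like any other field."""
    PROFILES[caller].update(payload)
    return deepcopy(PROFILES[caller])


def update_profile_fixed(caller: str, payload: dict) -> dict:
    """Allow-list the fields a client may set; reject anything else outright
    rather than silently dropping it, so abuse attempts show up in logs."""
    unexpected = set(payload) - WRITABLE_PROFILE_FIELDS
    if unexpected:
        raise BadRequest(f"fields not writable: {sorted(unexpected)}")
    PROFILES[caller].update(payload)
    return deepcopy(PROFILES[caller])


def demo() -> dict:
    """Run both attacks against both versions; returns what each one yielded."""
    results = {}
    results["bola_leak"] = get_order_vulnerable("bob", 101)["owner"]
    try:
        get_order_fixed("bob", 101)
        results["bola_fixed"] = "leaked"
    except NotFound:
        results["bola_fixed"] = "404"
    results["mass_assignment_leak"] = update_profile_vulnerable("alice", {"role": "admin"})["role"]
    PROFILES["alice"]["role"] = "user"      # undo the damage before the fixed run
    try:
        update_profile_fixed("alice", {"email": "new@example.org", "role": "admin"})
        results["mass_assignment_fixed"] = "accepted"
    except BadRequest:
        results["mass_assignment_fixed"] = "400"
    return results


if __name__ == "__main__":
    print(demo())
```

The fixed order handler deliberately answers 404 rather than 403 for someone else’s order; a 403 confirms that the ID exists, which is all an enumeration script needs.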

Skills gap: Security teams, already grappling with serious challenges due to the growing cybersecurity skills gap, are being tasked with securing an ever-expanding network footprint. They are often left to secure virtual and cloud environments, SaaS services, DevOps projects, the growing adoption of IoT, mobile workers and an expanding array of personal connected devices only after those have already been deployed, and they often have neither enough people nor enough knowledge of the new technologies to do the work well. The cybersecurity unemployment rate is effectively zero, with over 1 million jobs currently unfilled, a number expected to climb to 3.5 million by 2021; the workforce would need to grow by 145% to meet global demand.

Think Like Your Adversary: Cybersecurity leaders need to assess potential vulnerabilities from the mindset of the adversary and devise effective defensive countermeasures tailored to their company’s needs. Programmers should think like attackers, too: security must be taken into account in every step of development.

Third party security: Most companies don’t properly manage third-party cyber risk. It is well established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s interconnected world. Developing a third-party cyber risk management (TPCRM) strategy is becoming more common with every news headline about a major breach that stemmed from a company’s relationship with a third party.

Privacy and surveillance: Fears grow over digital surveillance. Americans are increasingly fearful of monitoring of their online and offline activities by both governments and private companies; more than 60 percent of US adults believe it is impossible to go about daily life without having personal information collected by companies or the government. Google and Facebook help connect the world and provide crucial services to billions, but their systems can also be used for surveillance. Amnesty International says the companies’ surveillance-based business model is inherently incompatible with the right to privacy and poses a threat to a range of other rights, including freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination. Amnesty has called for a radical transformation of the tech giants’ core business model and said that Google and Facebook should be forced to abandon what it calls their surveillance-based business model because it is “predicated on human rights abuse.”

5G: Forecasting that 2020 will be “the year of 5G” no longer qualifies as a bold prediction. Billions of dollars’ worth of 5G rollouts are scheduled for the coming year, which will bring the technology to countries around the world. The arrival of 5G will fuel an explosion of never-before-seen IoT machines, introducing uncharted vulnerabilities and opening the door for cyber-criminals to compromise our increasingly intertwined cities.

5G security: The new 5G mobile networks will be the backbone of future digitalized operations, so it is important to ensure the security and resilience of 5G networks. The Council of the European Union has warned member states that the introduction of 5G networks poses increased security risks while also bringing economic and infrastructure benefits. ENISA, the European Union Agency for Cybersecurity, has published a Threat Landscape for 5G Networks, assessing the threats related to the fifth generation of mobile telecommunications networks. Organised cybercrime, rogue insiders and nation-state-backed hackers are among the groups that could soon be targeting 5G networks. Claims that 5G offers “better security” for IoT may not ring true, because the technology remains vulnerable to SIM-jacking attacks within private Industry 4.0-style deployments, and 5G SIM-swap attacks could be even worse for industrial IoT than they are today: criminals convince telcos to port a victim’s number to a new SIM card under the criminal’s control. Trust your hardware or your operator? Better to trust nobody, and do not tie all of your security and identification to the SIM card.

DNS Over HTTPS (DoH): DoH-encrypted DNS queries are already set to arrive in the Chrome and Firefox web browsers, and Microsoft will bring DNS over HTTPS to Windows 10 in an attempt to keep user traffic as private as possible. DoH support in Windows means that the operating system’s own resolver sends its DNS queries inside HTTPS, so they can no longer be read or altered on the path to the resolver. Microsoft says that DoH doesn’t require DNS centralization if adoption is broad among operating systems and Internet service providers alike.
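What a DoH query actually looks like on the wire, as an added example that is not Microsoft’s, Mozilla’s or Google’s code: the DNS message inside the HTTPS request is the ordinary RFC 1035 wire format, and RFC 8484 only defines how it is carried (GET with a base64url `dns` parameter, or POST, both with the `application/dns-message` media type). The resolver URL `https://dns.example/dns-query` is a placeholder, and the answer message is constructed in the script so the parser can be exercised offline; the one real constant is RFC 8484’s own worked example of the encoded query for `www.example.com`, which the code reproduces.

```python
"""DNS over HTTPS at the wire level (added example, not Microsoft's or Mozilla's code).

Builds the RFC 1035 wire-format query that a DoH client sends, turns it into
the RFC 8484 GET URL, and parses the wire-format answer that comes back. The
resolver URL is a placeholder; the response message is constructed here so the
parser can be exercised offline.
"""
import base64
import struct
import urllib.request

QTYPE_A = 1
CLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Wire-format query with RD=1 and one question.

    RFC 8484 recommends transaction ID 0: the ID is useless over a reliable
    HTTPS connection, and a constant ID makes identical queries produce
    identical URLs, so HTTP caches can serve them.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: base64url-encoded message with the '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def doh_request(resolver: str, query: bytes) -> urllib.request.Request:
    """The HTTP request a client would send; built but not sent in this example."""
    return urllib.request.Request(doh_get_url(resolver, query),
                                  headers={"Accept": "application/dns-message"})


def _read_name(msg: bytes, offset: int, max_hops: int = 16):
    """Decode a possibly compressed name; returns (name, offset after it).

    The hop limit stops a malicious response from looping the parser forever
    with compression pointers that point at each other.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_answers(msg: bytes):
    """Return [(name, ttl, dotted IPv4)] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                             # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """A response a resolver might return for `query` (built here, not captured)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4)
    return header + query[12:] + answer + bytes(int(o) for o in ip.split("."))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(parse_a_answers(constructed_response(q, "93.184.216.34")))
```

Note what DoH does and does not change: the bytes inside the HTTPS body are exactly the bytes a resolver would see over UDP port 53, so the resolver operator still learns every name you look up; only the path between you and it is protected.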

Firewall configuration: Now more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.” This is a human problem, not a firewall problem.

Bot attacks: Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information, and more. Organizations are failing to deal with rising bot attacks.

Network security: Networks are continually growing in complexity and the cyberattack surface is constantly expanding. The network perimeter of today is elastic, expanding and contracting with the demands of both users and the business. In the rush to adopt digital business practices, many new network expansion projects are implemented ad hoc by individual lines of business. Routers sit at the edge of the network and see everything, so they can be used to make the network the first line of defense. A critical step in building a stronger security posture and a more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. Cybercriminals only need to succeed once in finding a way into the network, but the security team needs to monitor everything on the network and be right all the time. Today’s core network continually adapts to the introduction of new devices, applications and workflows, and to shifting network configurations that support business requirements, which calls for advanced, intent-based segmentation.

Security-Driven Networking: Security-driven networking is a strategic approach that enables the seamless expansion of network environments and services without compromising on security. It begins by crafting a comprehensive security policy that covers the entire organization and outlines the protocols, enforcement and inspection technologies, policies and protections that must be in place before any new network environment or solution is even put on the drawing board. It requires selecting and fully integrating security tools that not only work together to share and correlate intelligence and coordinate a unified response to threats, but also work seamlessly across the widest possible variety of environments.

Critical infrastructure: Determined threat actors have for some time been extending their toolsets beyond Windows, and even beyond PC systems. In recent years we have seen a number of high-profile attacks on critical infrastructure facilities, typically aligned with wider geopolitical objectives, and targeted attacks on such facilities can be expected to increase; APT33, for example, has shifted its targeting to industrial control systems software. We need to worry about the cyber-physical security of the power grid. To protect this infrastructure you need to prioritize the strategic risks that affect it: concern yourself with the most important attacks, understand the critical pieces of your infrastructure, and know your interdependencies.

Payment security: Payment security backslid for the second straight year in 2019. Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. At the same time, the EU’s PSD2 (Payment Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online payments, including mobile payments, is a key aspect of the legislation. Nevertheless, banks will be required to open their infrastructure and data to third parties. And although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support it.

Election security: Nowadays no election can be held without debate about influencing voters through online services. There are ongoing accusations of Russian interference in US elections and fears of a repeat in the run-up to the 2020 elections; U.S. military cyber experts are plotting strategy against potential Russian and other cyberattacks ahead of the 2020 American and Montenegrin elections. As the 2020 presidential election looms closer in the United States, a key focus will be on securing election infrastructure to prevent tampering, yet most of the largest US voting districts are still vulnerable to email spoofing. Disinformation campaigns for political purposes are also deeply rooted in cybercriminal endeavors. It is quite possible that we will see changes to legislation and policy as governments look to define more clearly what is and isn’t allowed. Hacking is considered the biggest tech threat to the 2020 elections in the USA. Legislators are working on new laws, but that is not going to be enough in an era when technology keeps producing entirely new attack surfaces.

False Flags: The use of false flags has become an important element in the playbook of several APT groups. This can be used to try to deflect attention away from those responsible for the attack or what is really happening.

Common attack tools: Cyber actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult.

Vulnerability disclosure: Most “white hat” researchers seem to be driven by a sense of social responsibility best expressed as “if you find something, say something.” Across the industry the ethos is to share information quickly, whether the problem is a newly discovered vulnerability or an evolving cyber threat, and the goal is to impel the affected vendor, hardware or software, to take quick action and produce a fix. There are good and bad ways to make vulnerabilities known. A premature “full disclosure” of a previously unknown issue can unleash the forces of evil, and the “black hats” often move faster than vendors or enterprise IT teams. The preferred path is a “responsible” or “coordinated” disclosure that happens behind the scenes, with the public announcement coming after a specified period of time, typically 90 or 120 days. But things don’t always work this way.

Ransomware: Cybercriminals have become more targeted in their use of ransomware. It is inevitable that they will also attempt to diversify their attacks to include other types of devices besides PCs and servers. There is a ransomware “crisis” in US schools and in many cities in the USA.

Supply chain: Abuse of supply chains will continue to be one of the most difficult delivery methods to address. Attackers are likely to keep expanding this method, for example through manipulated software containers and the abuse of packages and libraries. Medium-sized companies are being targeted ever more heavily by cyber criminals because they are often the weakest link in supply chains that include large corporations. Counterfeit electronics are a growing problem as well.

Mobile: Over the last 10 years the main storage of our digital lives has moved from the PC to the mobile phone. Several countries have started demanding that their own software (in some cases possibly malware) be installed on all smartphones; Putin has signed a law making Russian apps mandatory on smartphones and computers sold in Russia.

Android: Today 80% of Android apps encrypt traffic by default. To keep apps safe, apps targeting Android 9 (API level 28) or higher automatically get a network security policy that blocks unencrypted traffic to every domain unless the app explicitly opts out. The heterogeneity of Android versions in use will continue to be a problem in the coming year.

DDoS attacks: DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of the traffic. The number of DDoS attacks rose 86% in the third quarter compared to a year ago. DNS amplification accounted for 45% of the attacks, while HTTP floods and TCP SYN floods accounted for 14%, and mobile devices generated 41% of DDoS attack traffic.

Business security: Small and medium-sized businesses (SMBs) increasingly recognize that a reactive security posture is no longer sufficient for protecting their networks. Breaches will happen; companies should treat cyberattacks as a matter of “when”, not “whether”. Insider threats are still a big issue: employees are one of your biggest assets, but human beings are the weakest link in the security chain, and data leaks help attackers craft more convincing social engineering attacks. Plan proper incident management, because quick, reliable, multichannel communication is a vital part of any incident response. Cybercriminals often choose very small companies as their targets because small businesses rarely spend significant money on security, and medium-sized companies are targeted even more heavily because they are often the weakest link in supply chains that include large corporations.

Cyber insurance: Cyber Has Emerged as a Risk That is Not Specifically Covered by Other Insurance Policies. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow.

New encryption: The problem with encrypted data is that you normally have to decrypt it in order to work with it. There is a powerful solution to this: homomorphic encryption, which makes it possible to analyze or manipulate encrypted data without revealing the data to anyone. Like many other popular forms of encryption, homomorphic encryption uses a public key to encrypt the data. There are three main types: partially homomorphic encryption (only one kind of operation, such as addition, can be performed on encrypted data, but any number of times); somewhat homomorphic encryption (supports both addition and multiplication, but only a limited number of times before the result can no longer be decrypted); and fully homomorphic encryption (arbitrary computation on encrypted data, the gold standard). Cryptographers have known of the concept since 1978, but Gentry constructed the first fully homomorphic encryption scheme in 2009. The biggest barrier to widescale adoption is that it is still very slow. Duality, a security startup co-founded by pioneers of homomorphic encryption, raised $16M.
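The “partially homomorphic” case worked through in code, as an added example that is not from the original post: textbook Paillier, the standard teaching scheme, in pure Python. An untrusted party holding only the public key can add two ciphertexts or scale one by a known constant and the result decrypts to the sum or product; what it cannot do is multiply two ciphertexts, which is exactly the gap that separates partially from fully homomorphic schemes. The key sizes used here are far too small for real use and are chosen for speed; the readings being totalled are constructed plaintexts.

```python
"""Paillier: a partially homomorphic scheme, worked through (added example).

Not code from the original post. Textbook Paillier with the usual g = n + 1
simplification: ciphertexts can be added to each other and multiplied by a
known constant without the private key, but two ciphertexts cannot be
multiplied together, which is what separates 'partially' from 'fully'
homomorphic. Key sizes here are deliberately small for speed; use primes of
at least 1536 bits for anything real, and a reviewed library rather than this.
"""
import secrets
from math import gcd


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 512):
    """Return (public, private) = ((n, g), (lam, mu)). `bits` is the size of each prime."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        n = p * q
        lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # lcm(p-1, q-1)
        if p != q and gcd(lam, n) == 1:
            break
    # With g = n + 1, L(g^lam mod n^2) = lam, so mu is just lam^-1 mod n.
    mu = pow(lam, -1, n)                                   # Python 3.8+
    return (n, n + 1), (lam, mu)


def encrypt(public, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r; the same m encrypts differently every time."""
    n, g = public
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(public, private, c: int) -> int:
    n, _ = public
    lam, mu = private
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n                   # L(x) = (x - 1) / n
    return (l_value * mu) % n


def add_encrypted(public, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 = E(m1 + m2): addition without the key."""
    n, _ = public
    return (c1 * c2) % (n * n)


def scale_encrypted(public, c: int, k: int) -> int:
    """E(m)^k mod n^2 = E(k * m): multiplication by a known constant."""
    n, _ = public
    return pow(c, k, n * n)


def encrypted_sum(public, values):
    """What an untrusted server can do: total a list of encrypted readings it cannot read."""
    total = encrypt(public, 0)
    for c in values:
        total = add_encrypted(public, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen(256)
    readings = [120, 340, 560]                              # constructed plaintexts
    cts = [encrypt(pub, v) for v in readings]
    print("sum:", decrypt(pub, priv, encrypted_sum(pub, cts)))                # 1020
    print("3x first:", decrypt(pub, priv, scale_encrypted(pub, cts[0], 3)))   # 360
```

Two practical caveats the arithmetic makes visible: plaintexts live in the integers modulo n, so sums that overflow n wrap silently, and a ciphertext is several times larger than the data it hides, which is one of the reasons the text calls the technology slow.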

Artificial Intelligence (AI): The buzzword of 2019 that we have all heard a thousand times was artificial intelligence, AI. The term is often used interchangeably with machine learning. There is a lot of research into AI applications in cyber security, and as cyberattacks grow in volume and complexity, AI will hopefully help under-resourced security operations analysts stay ahead of threats. Cybersecurity tools currently use data aggregation and pattern analysis for heuristic modeling; the true function of AI will be to determine, over a long arc of time and data, what “normal” looks like for a user. AI can act as an advisor to analysts, helping them quickly identify and connect the dots between threats. The Finnish cyber security company F-Secure is doing research on AI agents; its Mikko Hyppönen says that AI should not be used to try to imitate humans, and that AI-based attacks are expected in the near future. Another Finnish cyber security company, Nixu, says that artificial intelligence is going to revolutionize cyber security, and according to Orlando Scott-Cowley from Amazon Web Services machine learning is the new normal in cyber security. Advanced machine learning layers are being integrated into the latest Windows security products. At the same time, leaders in artificial intelligence warn that progress is slowing, big challenges remain, and simply throwing more computers at a problem isn’t sustainable.

2020 problems: Has your business prepared for the ‘2020 problem’? Software updates for Windows 7 will end on January 14, 2020: as of that date, technical support and security updates for Windows 7 and Windows Server 2008 will no longer be available from Windows Update, and there will be no more updates for Office 2010. Business customers can buy Extended Security Updates for a fee for a limited time. Python 2 reaches end of life on January 1, 2020. Beginning on January 1, 2020, unpatched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. December 2019 Patch Tuesday was the last time Microsoft ever offered security updates for devices running Windows 10 Mobile.

Crypto wars continue: It is a decades-old debate: government officials have long argued that encryption makes criminal investigations too hard. Governments all over the world say that encrypted communication is a huge issue for law enforcement, and the balance between the privacy of citizens and effective policing of criminal activity is top of mind for governments, technology companies, citizens and privacy organisations worldwide. The international police organization Interpol plans to condemn the spread of strong encryption. Top law enforcement officials in the United States, the United Kingdom and Australia, and the larger group, cite difficulties in catching child sexual predators as grounds for companies opening up user communications to authorities wielding court warrants. Congress has warned tech companies to take action on encryption or it will: US lawmakers are poised to “impose our will” if tech companies don’t weaken encryption so police can access data.

Do not weaken encryption: Companies, law enforcement says, should build in special access that investigators could use with a court’s permission. Technologists say creating such back doors would weaken digital security for everyone. Unfortunately, every privacy protection mechanism is subject to abuse by the morally challenged; that is a truth that must be accepted and overcome, but invading the privacy of the masses in order to catch criminals is unacceptable. Remember three things: one, strong encryption is necessary for personal and national security; two, weakening encryption does more harm than good; and three, law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. If back doors are added to encryption, they will be abused (if you think encryption back doors won’t be abused, you may be a member of Congress). Bad encryption also has business consequences. Apple and Facebook told the committee that back doors would introduce massive privacy and security threats and would drive users to devices from overseas, and in Australia 40% of firms say they have lost sales or other commercial opportunities as a result of the encryption law being in place.

Scaring people: Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four. Which particular horseman is in vogue depends on time and circumstance.

2FA: The second authentication factor might be a minor inconvenience, but it provides a major security boost. With past years riddled with security breaches, it is high time we evaluated the way we secure our online presence. Two factors are much better than one, but can still be hacked. Attacks that phish 2FA to access email accounts cost $100-$400; such attacks can be prevented with physical security keys. Some physical security keys can also be hacked, as they turn out to be less secure than their advertisements claimed.

Myth of the sophisticated hacker in the news: The word “sophisticated” is widely used in reports of cybersecurity incidents, and widely loathed by researchers as a result; each new report stretches the adjective a little further. If everything is sophisticated, nothing is sophisticated.

New security models: Google moved from perimeter-based to cloud-native security. Google’s architecture is the inspiration and template for what’s widely known as “cloud-native” today—using microservices and containers to enable workloads to be split into smaller, more manageable units for maintenance and discovery. Google’s cloud-native architecture was developed prioritizing security as part of every evolution.

Hacktivists: Hacktivists seek to obtain private information about large companies in order to embarrass or expose the company’s controversial business practices. Many companies are a treasure trove for personal information, whether they realize it or not. Experian is predicting that the emerging cannabis industry will experience an increase in data breaches and cybersecurity threats in 2020.

RCS messaging: RCS, expanded as Rich Communication Services, is a protocol that aims to replace SMS. RCS messaging has rolled out to Android users in the US. The update brings a lot of new features, such as chat, sending hi-res videos and photos, and creating group chats. One criticism of RCS is that it doesn’t provide end-to-end encryption. RCS could also be better in many other security aspects. Researchers have discovered that the RCS protocol exposes most users to several cyber attacks. These risks are said to be mitigated by implementing the protocol with security in mind. The standard itself allows for poor security implementations, but GSMA advises its members to deploy RCS with the most secure settings possible.

Data breaches: Billions of sensitive files are exposed online all the time. During the first six months of 2019, more than 4 billion records were exposed by data breaches. That’s a shocking statistic that’s made even more so when you realize that passwords were included in droves. On December 4, a security researcher discovered a treasure trove of more than a billion plain-text passwords in an unsecured online database. Many businesses wrongly assume they are too small to be on the radar of threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores. All organizations are exposed to security breaches: from large multinationals to SMEs and public administrations. A common thread is unsecured cloud-based databases that leave the sensitive information wide open for anyone to access online.

Phishing: Phishing remains one of the most pervasive online threats. Phishing emails are still managing to catch everyone out. Phishing e-mails used to steal credentials usually depend on the user clicking a link that leads to a phishing website that looks like the login page of some legitimate service. Google Chrome now offers better protection against this, as Safe Browsing displays warning messages to users before they visit dangerous websites and before they download harmful applications. New, more advanced ways to phish are being taken into use. With dynamite phishing, the cyber criminals read the email communication from a system already infected with an information stealer. The infected user’s correspondents then receive malicious emails that quote the last “real” email between the two parties and look like a legitimate response from the infected user. Attacks that phish 2FA to access email accounts cost $100-$400; such attacks can be prevented with physical security keys.
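The 2FA and phishing sections above both say that one-time codes can be phished while physical security keys resist it. The following is an added example written for this page, not code from the original post or from any vendor, that shows the mechanism behind that claim: a TOTP verifier (RFC 4226 / RFC 6238, checked against the RFC test vectors) has no way of knowing which site collected the code, whereas an origin-bound authenticator response only verifies at the origin it was produced for. The "security key" part is a deliberately simplified model of one FIDO2/WebAuthn property (the signed response covers the origin); the HMAC "signature", the origins and the seeds are constructed for illustration and are not the real protocol.

```python
"""Why a relayed one-time code still works but an origin-bound key response does not.

Added example, not from the original post. TOTP follows RFC 4226 / RFC 6238.
The "security key" functions model one property of FIDO2/WebAuthn only: the
response is bound to the origin the browser was actually on. The HMAC stands
in for the real public-key signature so the example is self-contained.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (public test data).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift.

    Note what is NOT checked: where the code was typed. A code entered on a
    lookalike page is indistinguishable from one entered on the real site, which
    is why a relayed TOTP code still passes verification.
    """
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


# --- simplified origin-bound authenticator (models one FIDO2 property only) ---

def key_sign(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """The authenticator signs the challenge together with the origin the browser
    reports. Real keys use a public-key signature; HMAC is an assumption here."""
    return hmac.new(key_secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def rp_verify(key_secret: bytes, challenge: bytes, expected_origin: str, signature: bytes) -> bool:
    """The relying party recomputes over ITS OWN origin, so a response produced on
    any other origin (a lookalike domain) does not verify."""
    expected = key_sign(key_secret, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def factor_outcomes_under_relay(now: int) -> dict:
    """Compare both factors when a lookalike site forwards what the victim produced.

    All values below are constructed sample data for the demonstration.
    """
    totp_seed = b"constructed-totp-seed"
    key_secret = b"constructed-credential-secret"
    real_origin = "https://mail.example.test"
    lookalike_origin = "https://mail.examp1e.test"  # constructed lookalike domain

    # The code the victim would type on the lookalike page, forwarded to the real site.
    relayed_code = totp(totp_seed, now)
    totp_relay_accepted = verify_totp(totp_seed, relayed_code, now)

    # The key signs the real site's challenge, but over the origin the browser is
    # actually on (the lookalike); the real site checks against its own origin.
    challenge = b"constructed-random-challenge"
    relayed_sig = key_sign(key_secret, challenge, lookalike_origin)
    key_relay_accepted = rp_verify(key_secret, challenge, real_origin, relayed_sig)

    return {"totp_relay_accepted": totp_relay_accepted, "key_relay_accepted": key_relay_accepted}


if __name__ == "__main__":
    print(factor_outcomes_under_relay(int(time.time())))
```

The practical takeaway for defenders is in the two verifier functions: `verify_totp` can only ever check the secret and the time, so no server-side tweak makes a shared code phishing-resistant, while `rp_verify` rejects anything not produced for its own origin without any user judgement involved.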

Windows: Microsoft doesn’t back up the Windows Registry anymore. It’s still possible to perform Windows Registry backups, but the option is disabled by default. It’s time to disconnect RDP from the internet, as brute-force attacks and BlueKeep exploits usurp the convenience of direct RDP connections. Microsoft is ready to push a full-screen warning to Windows 7 users who are still running the OS after January 14.

Linux: Support for the 32-bit i386 architecture will be dropped by many Linux distributions. It turns out that there are essentially no upstream development resources dedicated to x86_32 Linux. Perhaps unsurprisingly, it was badly broken.

Drones: Turkey is getting military drones armed with machine guns. Drone hacking happens. There is now Dronesploit, a Metasploit for drones: a Metasploit-style CLI framework tailored for tinkering with everybody’s favourite unmanned flying objects.

World market war: China tells government offices to remove all foreign computer equipment. China has ordered the replacement of all foreign PC hardware and operating systems in state offices over the next three years. This means that China will ditch all Windows PCs by 2022. China already has some Linux distros of its own, such as Kylin and Deepin. Many western countries are more or less banning Huawei telecom equipment.

Cloud security: Traditional security tools and methodologies are ill-suited to protect cloud native’s developer-driven and infrastructure-agnostic multicloud patterns. The vision as laid out by these renowned analysts is straightforward. The legacy “data center as the center of the universe” network and network security architecture is obsolete and has become an inhibitor to the needs of digital business. They describe the underpinning shift to cloud infrastructure, a digital transformation that has been underway for ten years. They also point out that the corporate network cannot protect end users who consume cloud applications from any location and any device without the contorting, expensive backhaul of traffic through the corporate data center. Gartner coins a new term for the future of security and networks, SASE (pronounced sassy), Secure Access Service Edge, which is not anything really new. SASE promises to create a ubiquitous, resilient, and agile secure network service, globally. Most of the stolen data incidents in the cloud are related to simple human errors rather than concerted attacks. Expect that through 2020, 95% of cloud security failures will be the customer’s fault. A common thread is unsecured cloud-based databases that leave the sensitive information wide open for anyone to access online. Also, it’s almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet.
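The data breaches section and the cloud security section both come back to the same human error: a service listening on the internet with no authentication. As an added example for this page (not code from the post and not Docker's own tooling), here is a small audit over the Docker daemon configuration file format, showing the weak setting the post describes (the admin API on a plaintext TCP port open to all interfaces) beside a corrected one. The keys `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real daemon.json keys; the two sample configurations and the file paths in them are constructed here.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated API listener.

Added example, not from the original post. Reads the daemon.json format Docker
uses; the sample configurations below are constructed for the demonstration.
"""
import json
from typing import List
from urllib.parse import urlsplit

# Constructed sample: the weak setting (admin API on all interfaces, no TLS).
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the corrected setting (TLS with client-certificate
# verification, bound to one internal address; the local socket is kept).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Addresses that mean "every interface". An empty address is treated the same
# way here (assumption: a tcp:// host with no address is not limited to one interface).
UNSPECIFIED_ADDRS = {"0.0.0.0", "::", ""}


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure issue was found."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []

    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_on = tls_verify or bool(cfg.get("tls", False))

    for h in hosts:
        parts = urlsplit(h)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        address = parts.hostname or ""
        if address in UNSPECIFIED_ADDRS:
            findings.append(f"{h}: TCP listener bound to all interfaces")
        if not tls_on:
            findings.append(f"{h}: TCP listener without TLS; anyone who can reach the port controls the daemon")
        elif not tls_verify:
            findings.append(f"{h}: TLS enabled but client certificates are not verified (tlsverify is not set)")
        if parts.port == 2375 and tls_on:
            findings.append(f"{h}: TLS on port 2375; 2376 is the conventional TLS port")

    if tls_verify and not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify is set but tlscacert, tlscert and tlskey are not all configured")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(sample) or ["no findings"])
```

Run against a real host, the function would take the contents of /etc/docker/daemon.json; note that a listener can also be set on the dockerd command line rather than in the file, so a config audit is a complement to, not a replacement for, checking what is actually listening.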

Autocracy as a service: Now Any Government Can Buy China’s Tools for Censoring the Internet. “Autocracy as a service” lets countries buy or rent the technology and expertise they need, as they need it. China offers a full-stack of options up and down the layers of the internet, including policies and laws, communications service providers with full internet.

Trackers: Trackers are hiding in nearly every corner of today’s Internet, which is to say nearly every corner of modern life. The average web page shares data with dozens of third-parties. The average mobile app does the same, and many apps collect highly sensitive information like location and call records even when they’re not in use. Tracking also reaches into the physical world.

Geopolitics: The US-China tech divide could cause havoc. It is possible that the world’s next major conflict will start in cyberspace. The USA has ordered a ban on certain hardware from China (Huawei and ZTE). China has ordered a ban on US computers and software: the Chinese government is to replace foreign hardware and software within three years. Who needs whom more?

International cyber politics: The lack of international standards for proper behavior in cyberspace prevents the United States and its allies from policing adversaries as they wish to. The US can’t “enforce standards that don’t exist”. We have international norms in the maritime domain; we don’t have those in cyber. That makes it difficult to enforce standards that don’t exist, and therefore to hold nations accountable for nefarious behavior. NATO did confirm in 2017 that it could invoke Article 5 of its charter should one or more member nations find themselves under a serious cyberattack that threatens critical military and civilian infrastructure.

 

Sources:


https://www.csoonline.com/article/3452747/what-you-need-to-know-about-the-new-owasp-api-security-top-10-list.html

https://pentestmag.com/iot-security-its-complicated/

https://isc.sans.edu/diary/rss/25580

https://www.securityweek.com/case-cyber-insurance

https://www.bleepingcomputer.com/news/security/cybercriminals-lend-tactics-and-skills-to-political-meddlers/

https://www.securityweek.com/tips-help-mssps-choose-threat-intelligence-partner

https://www.zdnet.com/article/microsoft-we-never-encourage-a-ransomware-victim-to-pay/

https://www.darkreading.com/iot/weak-crypto-practice-undermining-iot-device-security/d/d-id/1336636

https://pacit-tech.co.uk/blog/the-2020-problem/

https://www.theregister.co.uk/2019/12/09/dronesploit_framework/

https://www.securityweek.com/blunt-effect-two-edged-sword-vulnerability-disclosures

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020

https://threatpost.com/email-voted-a-weak-link-for-election-security-with-dmarc-lagging/150909/

https://techcrunch.com/2019/12/15/rcs-messaging-has-rolled-out-to-android-users-in-the-us/?tpcc=ECFB2019&guccounter=1

https://www.theregister.co.uk/2019/12/04/council_of_eu_5g_risks/

https://techcrunch.com/2019/12/05/major-voting-districts-vulnerable-email-security/

https://www.zdnet.com/article/windows-10-mobile-is-over-prepare-for-final-security-patches-as-support-ends/

https://cacm.acm.org/magazines/2019/12/241053-hack-for-hire/fulltext

https://www.zdnet.com/article/chinese-government-to-replace-foreign-hardware-and-software-within-three-years/

https://www.zdnet.com/article/5g-hackers-these-six-groups-will-try-to-break-into-the-networks-of-tomorrow/

http://read.uberflip.com/i/1180978-siliconexpert-growth-of-counterfeit-electronics-3/0?acctid=6759

https://www.fireeye.com/blog/threat-research/2019/12/fireeye-approach-to-operational-technology-security.html

https://www.darkreading.com/attacks-breaches/mobile-devices-account-for-41–of-ddos-attack-traffic/d/d-id/1336635

https://www.technologyreview.com/f/614906/us-senators-on-encryption-backdoors-we-will-impose-our-will-on-apple-and-facebook/

https://www.zdnet.com/article/2020-is-when-cybersecurity-gets-even-weirder-so-get-ready/

https://www.theregister.co.uk/2019/12/09/china_orders_ban_on_us_computers_and_software/


https://www.darkreading.com/threat-intelligence/only-half-of-malware-caught-by-signature-av/d/d-id/1336577

https://securityintelligence.com/posts/public-sector-security-is-lagging-how-can-states-and-governments-better-defend-against-cyberattacks-in-2020/

https://www.eetimes.eu/ai-will-empower-industry-4-0-when-it-arrives/

https://www.pandasecurity.com/mediacenter/security/2019-the-ransomware-tsunami/

https://blog.paloaltonetworks.com/2019/12/cloud-native-security-platform-age/

https://github.com/dhondta/dronesploit/

https://isc.sans.edu/forums/diary/Internet+banking+sites+and+their+use+of+TLS+and+SSLv3+and+SSLv2/25606/

https://www.zdnet.com/article/1-in-every-172-active-rsa-certificates-are-vulnerable-to-exploit/

https://nationalcybersecurity.com/hacking-the-biggest-tech-threats-to-2020-elections/

https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/

https://www.eff.org/wp/behind-the-one-way-mirror

https://www.gdatasoftware.com/blog/2019/12/35671-early-detection-and-repulsion-of-dangerous-attacks

https://www.is.fi/digitoday/tietoturva/art-2000006342803.html

https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/

https://www.bleepingcomputer.com/news/security/google-chrome-uses-safe-browsing-to-improve-phishing-protection/

https://techcrunch.com/2019/10/30/duality-cybersecurity-16-million/

https://www.wired.com/story/sobering-message-future-ai-party/

https://www.reuters.com/article/us-russia-internet-software-idUSKBN1Y61Z4?utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html?m=1

https://www.forbes.com/sites/richardstiennon/2019/12/09/gartner-has-it-right-palo-alto-networks-has-it-wrong/

https://www.forbes.com/sites/leemathews/2019/12/11/google-chrome-adds-real-time-warnings-for-phishing-attacks/

https://www.zdnet.com/article/google-all-android-users-in-the-us-just-got-rcs-next-gen-sms/

https://www.schneier.com/blog/archives/2019/12/scaring_people_.html

https://www.mikrobitti.fi/uutiset/yha-oudompia-kyberiskuja-tahan-sinun-tulee-varautua/146d2459-1709-4109-8615-a24875b5af5d

https://www.fifthdomain.com/smr/reagan-defense-forum/2019/12/07/in-cyber-the-us-cant-enforce-standards-that-dont-exist/?utm_source=facebook.com&utm_campaign=Socialflow+C4&utm_medium=social

https://tcrn.ch/355ZAOT

https://www.bleepingcomputer.com/news/security/attackers-terrify-homeowners-after-hacking-ring-devices/

https://lists.ubuntu.com/archives/ubuntu-devel-announce/2019-June/001261.html

https://lwn.net/ml/oss-security/CALCETrW1z0gCLFJz-1Jwj_wcT3+axXkP_wOCxY8JkbSLzV80GA@mail.gmail.com/

https://www.theguardian.com/world/2019/dec/09/china-tells-government-offices-to-remove-all-foreign-computer-equipment

https://www.inc.com/chris-matyszczyk/if-you-have-an-amazon-echo-or-google-home-fbi-has-some-urgent-advice-for-you.html?cid=sf01002

https://www.bbc.com/news/amp/world-australia-46463029

https://minnesota.cbslocal.com/2019/12/11/its-scary-stuff-cyber-security-expert-says-recording-device-investigation-at-hyatt-hotel-is-not-uncommon/

https://fin.afterdawn.com/uutiset/artikkeli.cfm/2019/12/11/windows-7-n-tuki-paattyy-pian-microsoft-iskee-koko-nayton-varoituksella

https://tcrn.ch/2rMpx7E

https://cyware.com/news/rcs-technology-most-users-are-vulnerable-to-hacking-b53f9a6f

https://www.forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/#36679040bd54

https://hub.packtpub.com/core-python-team-confirms-sunsetting-python-2-on-january-1-2020/

https://www.kauppalehti.fi/uutiset/uusi-alypuhelintekniikka-tuo-mukanaan-tietoturva-aukkoja-muun-muassa-google-ilmoittanut-ottavansa-tekniikan-kayttoon/8d8093a0-71ab-4a9c-838a-eb3bfc697e85

https://www.cnet.com/news/congress-warns-tech-companies-take-action-on-encryption-or-we-will/


https://edri.org/facial-recognition-and-fundamental-rights-101/

https://cloud.google.com/blog/products/identity-security/beyondprod-whitepaper-discusses-cloud-native-security-at-google

https://itwire.com/government-tech-policy/encryption-law-40-of-firms-say-they-have-lost-sales-after-passage.html

https://techcrunch.com/2019/12/10/insider-threats-startups-protect/

https://www.newscientist.com/article/2227168-turkey-is-getting-military-drones-armed-with-machine-guns/#ixzz684jm3YzJ

https://uk.pcmag.com/windows-10/121518/microsoft-doesnt-back-up-the-windows-registry-anymore

https://threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/

https://www.cnbc.com/2019/12/13/new-orleans-reports-cyberattacks-after-other-attacks-in-louisiana.html

https://chiefexecutive.net/bridge-cybersecurity-skills-gap/

https://systemagic.co.uk/has-your-business-prepared-for-the-2020-problem/

https://blog.checkpoint.com/2019/12/09/protect-yourself-from-hacker-in-the-box-devices-with-the-iot-security-risk-assessment/

https://www.bloomberg.com/news/features/2019-12-11/silicon-valley-got-millions-to-let-siri-and-alexa-listen-in

https://www.vice.com/en_us/article/k7eq7x/vladimir-putins-computer-is-apparently-still-running-windows-xp?utm_source=vicenewsfacebook

https://nypost.com/2019/12/16/video-surveillance-in-china-isnt-much-worse-than-in-the-us/?utm_campaign=iosapp&utm_source=facebook_app

https://spectrum.ieee.org/the-human-os/biomedical/devices/cyber-attacks-on-medical-devices-are-on-the-riseand-manufacturers-must-respond

https://reason.com/2019/12/16/if-you-think-encryption-back-doors-wont-be-abused-you-may-be-a-member-of-congress/

https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html

https://www.securityweek.com/most-companies-dont-properly-manage-third-party-cyber-risk

https://www.uusiteknologia.fi/2019/11/21/hyoty-panee-jakamaan-tietonsa-luottamus-ratkaisee/

https://pentestmag.com/advice-for-a-cybersecurity-leader-think-like-your-adversary/

https://www.amnesty.org/en/latest/news/2019/11/google-facebook-surveillance-privacy/

https://www.amnesty.org/en/documents/pol30/1404/2019/en/

https://www.securityweek.com/compromised-connection-5g-will-unite-cities-and-also-put-them-risk

https://www.securityweek.com/amnesty-international-calls-facebook-google-rights-abusers

https://www.securityweek.com/microsoft-will-bring-dns-over-https-doh-windows

https://www.securityweek.com/cybersecurity-workforce-gap-145-growth-needed-meet-global-demand

https://blog.radware.com/security/2019/11/why-organizations-are-failing-to-deal-with-rising-bot-attacks/

https://www.helpnetsecurity.com/2019/11/19/successful-soc/

https://shorturl.at/kKLM6

https://www.securityweek.com/making-network-first-line-defense

https://techbeacon.com/security/how-prioritize-strategic-risks-affect-critical-infrastructure

https://www.securityweek.com/transitioning-security-driven-networking-strategy

https://www.theregister.co.uk/2019/11/16/5g_iot_report/

https://www.securityweek.com/us-montenegro-plot-cyber-warfare-ahead-2020-elections

https://www.securityweek.com/fears-grow-digital-surveillance-us-survey

https://www.kaspersky.com/blog/attack-on-online-retail/31786/

https://www.securityweek.com/implementing-cyber-best-practices-requires-security-first-approach

https://securelist.com/advanced-threat-predictions-for-2020/95055/

https://www.darkreading.com/cloud/smart-building-security-awareness-grows/d/d-id/1336597

https://www.forbes.com/sites/bernardmarr/2019/11/15/what-is-homomorphic-encryption-and-why-is-it-so-transformative/

https://www.cisomag.com/the-future-of-ai-in-cybersecurity/

https://www.ibm.com/security/artificial-intelligence

https://www.welivesecurity.com/2019/12/13/2fa-double-down-your-security/

https://cannatechtoday.com/experian-predicts-an-increase-in-global-cannabis-industry-data-breaches/

https://www.uusiteknologia.fi/2019/11/21/f-secure-tutkimaan-tekoalyagentteja/

https://www.securityweek.com/ongoing-research-project-examines-application-ai-cybersecurity

http://www.etn.fi/index.php/13-news/10151-mikko-hypponen-tekoalyn-ei-pida-matkia-ihmista

http://www.etn.fi/index.php/13-news/10124-nixu-selvitti-tekoaly-mullistaa-kyberturvan

http://www.etn.fi/index.php/13-news/10120-kyberturvassa-koneoppiminen-on-uusi-normaali

https://www.eset.com/blog/company/evading-machine-learning-detection-in-a-cyber-secure-world/?utm_source=facebook&utm_medium=cpc&utm_campaign=corporate-blog&utm_term=machine-learning&utm_content=blog

https://www.is.fi/digitoday/tietoturva/art-2000006316233.html

https://www.uusiteknologia.fi/2019/11/29/5g-verkkojen-tietoturvariskit-listattu-oulu-testaa-ongelmat/

https://www.cyberscoop.com/apt33-microsoft-iran-ics/

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/

https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/

https://www.enisa.europa.eu/news/enisa-news/enisa-draws-threat-landscape-of-5g-networks/


https://smartgrid.ieee.org/newsletters/november-2019/the-cyber-physical-security-of-the-power-grid

https://www.wired.com/story/un-secretary-general-antonio-guterres-internet-risks/

https://codastory.com/authoritarian-tech/russia-facial-recognition-networks/

https://www.theverge.com/2019/12/9/21002515/surveillance-cameras-globally-us-china-amount-citizens

https://www.wired.com/story/iran-internet-shutoff/

https://www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/

https://www.zdnet.com/google-amp/article/hacking-and-cyber-espionage-the-countries-that-are-going-to-emerge-as-major-threats-in-the-2020s/

https://www.reuters.com/article/us-interpol-encryption-exclusive-idUSKBN1XR0S7

https://www.kcrw.com/news/shows/to-the-point/does-facial-recognition-software-threaten-our-freedom

 

 

 

1,468 Comments

  1. Tomi Engdahl says:

    Seth Colaner / VentureBeat:
    An overview of how governments around the world are using smartphone data, apps, drones, facial recognition, and AI to track COVID-19 and surveil citizens

    The technologies the world is using to track coronavirus — and people
    https://venturebeat.com/2020/05/18/the-technologies-the-world-is-using-to-track-coronavirus-and-people/

    Now that the world is in the thick of the coronavirus pandemic, governments are quickly deploying their own cocktails of tracking methods. These include device-based contact tracing, wearables, thermal scanning, drones, and facial recognition technology. It’s important to understand how those tools and technologies work and how governments are using them to track not just the spread of the coronavirus, but the movements of their citizens.

    in a global pandemic, that careful manual method cannot keep pace, so a more automated system is needed.

    That’s where device-based contact tracing (usually via smartphone) comes into play. This involves using an app and data from people’s smartphones to figure out who has been in contact with whom — even if it’s just a casual passing in the street — and alerting everyone who has been exposed to an infected individual

    But the devil is in the details. There are obvious concerns about data privacy and abuse if that data is exposed or misused by those who hold it. And the tradeoffs between privacy and measures needed to curb the spread of COVID-19 are a matter of extensive debate.

    The core of that debate is whether to take a centralized or decentralized approach to data collection and analysis. To oversimplify: In either approach, data is generated when people’s phones come into contact with one another. In a centralized approach, data from the phones gets uploaded into a database, and the database matches a user’s records with others and subsequently sends out alerts. In a decentralized approach, a user’s phone uploads only an anonymized identifier, other users download the list of anonymous IDs, and the matching is done on-device.

    The advantage of decentralization is that data stays private and essentially unexploitable, and users remain anonymous. Centralization offers richer data, which could help public health officials better understand the disease and its spread and allow government officials to more effectively plan, execute, and enforce quarantines and other measures designed to protect the public.

    But the potential disadvantages of centralized data are downright dystopian. Governments can exploit the data. Private tech companies may be able to buy or sell it en masse. Hackers could steal it.

    And even though centralized systems anonymize data, that data can be re-identified in some cases. In South Korea, for example, a failure to keep contact tracing data sufficiently anonymous led to incidents of public shaming. An Israel-based company called the NSO Group provides spyware that could be put to such a task. According to Bloomberg, the company has contracts with a dozen countries and is embroiled in a lawsuit with WhatsApp, accused of delivering spyware via the popular messaging platform.

    That’s not to mention various technical challenges — notably that Apple doesn’t allow the tracking apps to run in the background, as well as some Android bugs that contact tracing app developers have encountered. To obviate some of these issues, Apple and Google forged a historic partnership to create a shared API. But the debate between centralized and decentralized approaches remains riddled with nuance.

    Reply
  2. Tomi Engdahl says:

    Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to
    https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/
    Losing your 2FA codes can be bad. Having backups stolen can be worse. What to do?

    Reply
  3. Tomi Engdahl says:

    Anti-porn filters stop Dominic Cummings trending on Twitter
    https://www.theguardian.com/politics/2020/may/27/anti-porn-filters-stop-dominic-cummings-trending-on-twitter

    Name of PM’s aide is blocked, which has led to variety of misspelt hashtags

    Twitter’s anti-porn filters have blocked Dominic Cummings’ name from its list of trending topics despite Boris Johnson’s chief adviser dominating British political news for almost a week, the Guardian can reveal.

    As a result of the filtering, trending topics over the past five days have instead included a variety of misspellings of his name

    This sort of accidental filtering has gained a name in computer science: the Scunthorpe problem, so-called because of the Lincolnshire town’s regular issues with such censorship.

    By default, the site blocks all photo and video results from search terms it believes may contain sensitive content, meaning a media search for “porn” or “Cummings” will, unless the search filters are turned off, return zero results.

    Twitter declined to comment on the filtering. The company’s opaque trending algorithms have regularly led to accusations of interference, as users conclude that the absence of a particular topic is a sign of malicious intent, but the answer is rarely as straightforward as it is in this case.

    Reply
  4. Tomi Engdahl says:

    The lack of women in cybersecurity leaves the online world at greater risk
    https://theconversation.com/the-lack-of-women-in-cybersecurity-leaves-the-online-world-at-greater-risk-136654?utm_source=facebook&utm_medium=bylinefacebookbutton

    Women are underrepresented in technology fields, but especially so in cybersecurity. It’s not just a matter of fairness. Women are better than men at key aspects of keeping the internet safe.

    Reply
  5. Tomi Engdahl says:

    Cyber security and space security
    https://www.thespacereview.com/article/3950/1
    What are the challenges at the junction of cybersecurity and space security?

    Reply
  6. Tomi Engdahl says:

    Ransomware’s big jump: ransoms grew 14 times in one year
    https://www.bleepingcomputer.com/news/security/ransomwares-big-jump-ransoms-grew-14-times-in-one-year/
    Ransomware has become one of the most insidious threats in the past couple of years, with actors scaling up their operations to the point that the average ransom demand increased more than 10 times in one year. There are well over a dozen operators in the ransomware-as-a-service (RaaS) game, each with a host of affiliates that focus on enterprise targets across the world. Since the infamous GandCrab group called it quits in mid-2019, the ransomware landscape changed drastically. The RaaS model they introduced is now the norm, paving the way for professional attackers with a clear strategy to make money.

    Reply
  7. Tomi Engdahl says:

    $100 million in bounties paid by HackerOne to ethical hackers
    https://www.bleepingcomputer.com/news/security/100-million-in-bounties-paid-by-hackerone-to-ethical-hackers/
    Bug bounty platform HackerOne announced today that it has paid out $100,000,000 in rewards to white-hat hackers around the world as of May 26, 2020. Since it started delivering vulnerability reports to its customers, HackerOne bug bounty hunters have found roughly 170,000 security vulnerabilities according to the company’s CEO Mårten Mickos. Over 700,000 ethical hackers are now using the bug bounty platform to get paid for security bugs in the products of more than 1,900 HackerOne customers.

    Reply
  8. Tomi Engdahl says:

    Coalition Against Stalkerware bulks up global membership
    https://blog.malwarebytes.com/stalkerware/2020/05/coalition-against-stalkerware-bulks-up-global-membership/
    Today, the Coalition Against Stalkerware brought aboard 11 new organizations to address the potentially dangerous capabilities of stalkerware, an invasive, digital threat that can rob individuals of their expectation of, and right to, privacy. These types of apps can provide domestic abusers with a new avenue of control over their survivors’ lives, granting wrongful, unfettered access to text messages, phone calls, emails, GPS location data, and online browsing behavior.

    Reply
  9. Tomi Engdahl says:

    AI for cybersecurity is a hot new thing—and a dangerous gamble
    https://www.technologyreview.com/2018/08/11/141087/ai-for-cybersecurity-is-a-hot-new-thing-and-a-dangerous-gamble/

    Machine learning and artificial intelligence can help guard against cyberattacks, but hackers can foil security algorithms by targeting the data they train on and the warning flags they look for.

    Reply
  10. Tomi Engdahl says:

    5 Things Every CEO Should Know About Cybersecurity
    https://pentestmag.com/5-things-every-ceo-should-know-about-cybersecurity/

    In the past, many chief executive officers of companies and brands have received numerous reports and information requiring them to look into the risk of cyber security. However, many of the CEOs didn’t understand what it meant, how they should respond to the risks, and the implications that it has for their organization.

    CEOs now need to have a clear understanding of what is happening. They need to understand the necessity for them to understand what cybersecurity is, the underlying risks it possesses and the best way to respond to it, to protect their organization.

    In the global business world environment of today, not just the CEO of an organization needs this knowledge but every member of the Board of Directors as well.

    Without a proper understanding of cybersecurity, there is a possibility that the analyses of the risk would be flawed and the decisions that may be informed by the result of such analysis would definitely be wrong as well, putting the organization at a much bigger risk.

    Risk Management

    The cyberspace is becoming a breeding ground for criminals and terrorists with a motivation to cause disruption, get noticed, make money, or even try to bring down governments and corporations through various online attacks. Cybercriminals have over the years collaborated among themselves, which has led to a larger degree of competency, catching many organizations off-guard.

    Avoid Damage to Your Reputation

    The threat of cybersecurity to your organization has become more dangerous. The attackers are getting more organized, and the attacks are now more sophisticated, leaving you at the risk of potential damage to your organization’s reputation.

    CEOs have to make sure that they are well-equipped and fully prepared, so that they can effectively deal with these emerging challenges.

    Supply Chain Security

    One key area where information security is usually lacking is the supply chain. Today’s global economy largely depends on the supply chain. Major disruptions to the supply chain are something that has become an increasing source of worry for many businesses.

    Embedded Behavior and Employee Awareness

    The development of human capital is something that organizations keep investing heavily in, and it’s safe to assume that many CEOs understand its value. The idea behind this is that training and awareness always delivers some value without the need to prove it, and employee satisfaction is one of those. But it no longer works that way.

    It is now time to move to tangible behaviors, and move away from awareness.

    Staying Ahead of Cybersecurity Issues

    Organizations are progressively operating more in a cyber-enabled world and the risks from cyberspace activities cannot be checked by traditional risk management steps. Risk management has to be extended to create a strong foundation of preparedness and risk resilience. Cyberattack is now an issue of when, not if. So, the threats have to be viewed from a position of risk profiling and business acceptability.

    Conclusion

    The scope of cybersecurity is ever evolving. Cyber attack is now viewed as a certainty, a matter of when not if. It’s therefore important that CEOs are knowledgeable enough to be able to take the right steps to reduce the risks of cyberattack.

    Reply
  11. Tomi Engdahl says:

    Sure, zero-trust is an overused buzzword — but it’s also a core principle of modern cybersecurity strategy.

    Reply
    • Tomi Engdahl says:

      What Is Confidential Computing?
      Big tech companies are adopting a new security model called confidential computing to protect data while it’s in use
      https://spectrum.ieee.org/computing/hardware/what-is-confidential-computing

      A handful of major technology companies are going all in on a new security model they’re calling confidential computing in an effort to better protect data in all its forms.

      The three pillars of data security involve protecting data at rest, in transit, and in use. Protecting data at rest means using methods such as encryption or tokenization so that even if data is copied from a server or database, a thief can’t access the information. Protecting data in transit means making sure unauthorized parties can’t see information as it moves between servers and applications. There are well-established ways to provide both kinds of protection.

      Protecting data while in use, though, is especially tough because applications need to have data in the clear—not encrypted or otherwise protected—in order to compute. But that means malware can dump the contents of memory to steal information. It doesn’t really matter if the data was encrypted on a server’s hard drive if it’s stolen while exposed in memory.

      Proponents of confidential computing hope to change that. “We’re trying to evangelize there are actually practical solutions” to protect data while it’s in use

      The consortium, launched last August under the Linux Foundation, aims to define standards for confidential computing and support the development and adoption of open-source tools. Members include technology heavyweights such as Alibaba, AMD, Arm, Facebook, Fortanix, Google, Huawei, IBM (through its subsidiary Red Hat), Intel, Microsoft, Oracle, Swisscom, Tencent, and Vmware. Several already have confidential computing products and services for sale.

      Confidential computing uses hardware-based techniques to isolate data, specific functions, or an entire application from the operating system, hypervisor or virtual machine manager, and other privileged processes. Data is stored in the trusted execution environment (TEE), where it’s impossible to view the data or operations performed on it from outside, even with a debugger. The TEE ensures that only authorized code can access the data. If the code is altered or tampered with, the TEE denies the operation.

      Reply
  12. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Study that analyzed real-world web traffic shows that only around a third of users changed their passwords following a data breach announcement

    After a breach, users rarely change their passwords, study finds
    Only a third of users changed their password following a data breach.
    https://www.zdnet.com/article/after-a-breach-users-rarely-change-their-passwords-study-finds/

    Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from the Carnegie Mellon University’s Security and Privacy Institute (CyLab).

    The study, presented earlier this month at the IEEE 2020 Workshop on Technology and Consumer Protection, was not based on survey data, but on actual browser traffic.

    The research team said that of the users who changed passwords (21), only a third (9) changed it to a stronger password, based on the password’s log10-transformed strength.

    The rest created passwords of weaker or similar strength, usually by reusing character sequences from their previous password, or by using passwords that were similar to other accounts that were stored inside their browser.

    The study shows that users still lack the education needed in choosing better or unique passwords.

    The study is named “(How) Do People Change Their Passwords After a Breach?,” and is available for download in PDF format from here.
    https://www.ieee-security.org/TC/SPW2020/ConPro/papers/bhagavatula-conpro20.pdf

    Reply
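    The comment above notes that most post-breach password changes ended up "weaker or similar" and reused character sequences from the old password. As an added illustration (not code from the study or from this blog), the following script scores a password change with a crude log10 search-space estimate and flags reuse of character sequences from the previous password or from other stored passwords. The strength model (character-class alphabet size raised to the length), the one-decade threshold for "stronger"/"weaker", and the four-character reuse threshold are assumptions for this example, not the metric the paper used; the sample passwords are constructed.

```python
import math
from typing import Dict, List


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes present (assumed crude model)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def log10_strength(pw: str) -> float:
    """log10 of the brute-force search space: length * log10(alphabet). 0 for an empty password."""
    if not pw:
        return 0.0
    return len(pw) * math.log10(charset_size(pw))


def longest_common_substring(a: str, b: str) -> str:
    """Classic dynamic-programming longest common substring; used to spot reused sequences."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def assess_change(old: str, new: str, other_passwords: List[str], min_shared: int = 4) -> Dict:
    """Classify a password change as stronger / similar / weaker and flag sequence reuse.

    A change counts as stronger or weaker only if the estimated search space moves by
    at least one order of magnitude (assumed threshold); anything else is 'similar'.
    """
    delta = log10_strength(new) - log10_strength(old)
    if delta >= 1.0:
        verdict = "stronger"
    elif delta <= -1.0:
        verdict = "weaker"
    else:
        verdict = "similar"
    shared_with_old = longest_common_substring(old.lower(), new.lower())
    similar_to_other = any(
        len(longest_common_substring(p.lower(), new.lower())) >= min_shared for p in other_passwords
    )
    return {
        "verdict": verdict,
        "delta": round(delta, 2),
        "reused_from_old": len(shared_with_old) >= min_shared,
        "similar_to_other": similar_to_other,
    }


if __name__ == "__main__":
    # Constructed sample: the typical "bump the year" change the study describes.
    print(assess_change("summer2019", "summer2020", ["Summer2019!"]))
    # Constructed sample: a genuinely new, longer, mixed-class password.
    print(assess_change("summer2019", "K#9vPq!2xLm7", ["Summer2019!"]))
```

The `similar_to_other` flag mirrors the browser-stored-password comparison the study made; a real password manager would run the same check against its vault on every save.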
  13. Tomi Engdahl says:

    U.S. Critical Infrastructure Full of Security Holes
    https://www.eetimes.com/u-s-critical-infrastructure-full-of-security-holes/

    The coronavirus pandemic has spawned a huge increase in cyberthreats and attacks. While much of this is aimed at consumers, a lot has also targeted companies whose employees must now access critical infrastructure, such as industrial control systems (ICS) and operational technology (OT) networks, from home.

    But that critical infrastructure, which keeps modern society going even during a pandemic, is seriously under-protected against cyberattacks, say recent reports from cybersecurity companies.

    “Critical infrastructure” means more than the obvious utility companies, water systems, and transportation networks. In defining essential workers during Covid-19-related lockdowns, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) lists 16 categories of critical infrastructure. These also include chemical plants, commercial facilities, communications, critical manufacturing, dams, defense, emergency services, financial, food & agriculture, government facilities, healthcare and public health, and IT.

    Last month, CISA published a set of cybersecurity best practices for ICS, which the agency acknowledges are important for supporting critical infrastructure and maintaining national security.

    Reply
  14. Tomi Engdahl says:

    Q&A: The Pioneers of Web Cryptography on the Future of Authentication
    https://spectrum.ieee.org/tech-talk/telecom/security/pioneers-web-cryptography-future-authentication

    Martin Hellman is one of the inventors of public-key cryptography. His work on public key distribution with Whitfield Diffie is now known as the Diffie–Hellman key exchange. The method, which allows two parties that have no prior knowledge of each other to establish a shared secret key, is the basis for many of the security protocols in use today.

    Taher Elgamal, who was once Hellman’s student at Stanford, is known as the “father of SSL” for developing the Secure Sockets Layer protocol used to secure transactions over the Internet.

    Elgamal, Hellman, and Jermoluk talked about how recent advances in technology made it possible to change how we handle authentication, and what the future would look like.

    Elgamal: Connecting everything in the world made it very clear that many other security controls are needed. Using firewalls, intrusion detection and prevention, anti-virus and malware as well as many other operational technologies proved to be necessary to provide overall security. User authentication turns out to be one of the most important areas that everyone started working on from the beginning, without paying attention to the growth of the number of passwords or credentials users utilize to get access to the services they request. Today, passwords are the number one reason for all the breaches and exploits we suffer from.

    Spectrum: Beyond Identity doesn’t use passwords. Instead, it stores the security key on the user’s device and makes the individual their own certificate authority. Certificates and key sharing have been around for a long time. What was the missing piece that had to happen to make this approach possible?

    Hellman: These devices, like these smartphones, now have secure enclaves [a separate, isolated coprocessor to store sensitive data such as biometrics and keys]. I’ve been saying for 40 years that we need to have memories that are protected. Why should somebody be able to read my secret key, or to know it? The secret key should be accessible to a crypto-processor, but not to someone to read out. They’re accessible to the OS and to applications that need to sign things, but not to someone trying to steal your secret key.

    Spectrum: Where do we go next? What is authentication going to look like in 10 years?

    Jermoluk: Full sovereign identity. You should be in charge of your own identity. It is yours after all. Identity ought to have different layers, depending on whether you’re presenting it to your business, website, or government. You determine what you show of your identity. A commercial website may not ask for a lot of identifying information, but the government may want a much fuller view. You should be able to be in complete control of your own identity and how you present it, instead of letting Facebook be in charge of your identity and knowing who your friends are and what apps you visit, what things you buy. Why should they be charged for that or make money off it? It’s going to flip the entire Internet and the ad-supported model and Google and Facebook’s models on their heads.

    It’s not something I’m doing today, but I think that’s where all this technology ultimately goes: that it gives the individual back the control of their identity and their actions.

    Reply
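    The interview above describes Diffie–Hellman as the way two parties with no prior knowledge of each other establish a shared secret key. The following is an added, stand-alone illustration of that exchange (not code from the article, Beyond Identity, or this blog): both sides compute their public values, exchange only those, and derive the same key. The group is a toy-sized safe prime generated at run time and the SHA-256 key derivation are assumptions for this example; real deployments use standardized groups or elliptic curves and a proper KDF. The peer-value check (range and prime-order subgroup membership) is the defensive step that guards against trivial or small-subgroup public values.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test with small-prime trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both p and q prime (toy size; assumed for illustration only)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class DHParty:
    """One side of a Diffie-Hellman exchange in the order-q subgroup of a safe-prime group."""

    def __init__(self, p: int, g: int):
        self.p, self.g, self.q = p, g, (p - 1) // 2
        self.private = 2 + secrets.randbelow(self.q - 2)  # x in [2, q-1], never leaves this object
        self.public = pow(g, self.private, p)              # the only value sent to the peer

    def validate_peer(self, y: int) -> bool:
        """Reject out-of-range values and elements outside the prime-order subgroup."""
        return 2 <= y <= self.p - 2 and pow(y, self.q, self.p) == 1

    def shared_key(self, peer_public: int) -> bytes:
        if not self.validate_peer(peer_public):
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, self.p)
        width = (self.p.bit_length() + 7) // 8
        # Hash-based key derivation is an assumption for this example (use HKDF in practice).
        return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def run_exchange(bits: int = 128):
    """Run both sides of the exchange and return (key_a, key_b); the two must be equal."""
    p = generate_safe_prime(bits)
    g = 4  # 4 = 2^2 is a quadratic residue, so it generates the subgroup of prime order q
    alice, bob = DHParty(p, g), DHParty(p, g)
    # Wire messages: alice -> bob: alice.public ; bob -> alice: bob.public
    return alice.shared_key(bob.public), bob.shared_key(alice.public)


if __name__ == "__main__":
    key_a, key_b = run_exchange()
    print("keys match:", key_a == key_b, key_a.hex())
```

The private exponent is the value Hellman says should live in protected memory: `DHParty` never returns it, and `validate_peer` refuses values such as 1 or p-1 that would force a predictable shared secret.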
  15. Tomi Engdahl says:

    Parsing JSON is a Minefield
    http://seriot.ch/parsing_json.php

    JSON is the de facto standard when it comes to (un)serialising and exchanging data in web and mobile programming. But how well do you really know JSON? We’ll read the specifications and write test cases together. We’ll test common JSON libraries against our test cases. I’ll show that JSON is not the easy, idealised format as many do believe. Indeed, I did not find two libraries that exhibit the very same behaviour. Moreover, I found that edge cases and maliciously crafted payloads can cause bugs, crashes and denial of services, mainly because JSON libraries rely on specifications that have evolved over time and that left many details loosely specified or not specified at all.

    Reply
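    The comment above makes the point that JSON libraries disagree on edge cases because the specifications left details loose. As an added illustration (not code from the article or this blog), the script below feeds a few constructed edge-case inputs to Python's standard `json` module in its default, lenient configuration and to a stricter wrapper that rejects the non-standard `NaN`/`Infinity` literals, silently overflowing numbers and duplicate object keys. The `strict_loads` wrapper and its behaviour are this example's own, built on the `parse_constant`, `parse_float` and `object_pairs_hook` parameters the module provides.

```python
import json
import math
from typing import Any, Dict, Tuple


def strict_loads(text: str) -> Any:
    """json.loads with the lenient defaults turned off."""

    def reject_constant(name: str) -> Any:
        # Called for NaN, Infinity, -Infinity; none of these are valid RFC 8259 JSON.
        raise ValueError(f"non-standard literal {name!r} rejected")

    def finite_float(s: str) -> float:
        value = float(s)
        if not math.isfinite(value):
            raise ValueError(f"number {s!r} overflows to {value}")
        return value

    def reject_duplicates(pairs) -> Dict[str, Any]:
        out: Dict[str, Any] = {}
        for key, value in pairs:
            if key in out:
                raise ValueError(f"duplicate key {key!r}")
            out[key] = value
        return out

    return json.loads(
        text,
        parse_constant=reject_constant,
        parse_float=finite_float,
        object_pairs_hook=reject_duplicates,
    )


def compare_parsers(text: str) -> Dict[str, Tuple[str, Any]]:
    """Return how the default parser and the strict parser each handle one input."""
    results: Dict[str, Tuple[str, Any]] = {}
    for name, parser in (("default", json.loads), ("strict", strict_loads)):
        try:
            results[name] = ("ok", parser(text))
        except (ValueError, RecursionError) as exc:  # JSONDecodeError is a ValueError
            results[name] = ("error", type(exc).__name__)
    return results


# Constructed edge cases; the last one is a deeply nested array that exhausts the parser's stack.
SAMPLE_INPUTS = {
    "nan literal": "NaN",
    "duplicate keys": '{"a": 1, "a": 2}',
    "overflowing number": "1e400",
    "deep nesting": "[" * 20000 + "]" * 20000,
    "well-formed": '{"ok": [1, 2.5, "x"]}',
}


if __name__ == "__main__":
    for label, text in SAMPLE_INPUTS.items():
        r = compare_parsers(text)
        print(f"{label:20} default={r['default'][0]:5} strict={r['strict'][0]}")
```

Running it shows that the default parser happily returns `nan`, `inf` and a last-wins dictionary for duplicate keys, which is exactly the kind of silent divergence between libraries that the article catalogues; the deep-nesting case is the denial-of-service edge, and both configurations fail closed on it rather than crash.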
  16. Tomi Engdahl says:

    IBM Releases Fully Homomorphic Encryption Toolkit for MacOS and iOS; Linux and Android Coming Soon
    https://www.ibm.com/blogs/research/2020/06/ibm-releases-fully-homomorphic-encryption-toolkit-for-macos-and-ios-linux-and-android-coming-soon/
    FHE really sounds like magic when you hear about it for the first time, but it’s actually based on very sound mathematics. The main difference is that FHE requires a shift in the programming paradigm that we are used to, which makes it a little more difficult to integrate into applications. That was until today thanks to a new toolkit we are making available for MacOS, iOS and soon for Linux and Android. In fact, developers with basic platform tool familiarity can get up and running by following a few simple instructions rather quickly

    Reply
  17. Tomi Engdahl says:

    VMware wants to virtualize networks – Get rid of silos!
    https://etn.fi/index.php/13-news/10849-vmware-haluaa-virtualisoida-verkot-eroon-siiloista

    VMware today published a study according to which IT decision-makers criticize poor visibility into network security. According to Santeri Stolt, lead expert at VMware Finland, the only way to solve the problem is to make networks virtual. “We have to get rid of silos,” Stolt emphasizes.

    Stolt reminds us that the network itself is only one part of the security challenge. The security of code, devices and workloads must also be taken care of. At the moment the problems are approached through separate silos. “One group thinks about the security of cloud or data center workloads, and perhaps endpoints, with one set of tools; another group thinks about public cloud security, and they have to use the tools that were built for that silo,” Stolt describes.

    Three out of four IT decision-makers cannot see their network properly
    https://etn.fi/index.php/13-news/10848-kolme-neljasta-it-paattajasta-ei-nae-verkkoaan-kunnolla

    An extensive survey commissioned by VMware from the research firm Forrester reports that IT decision-makers in Finland and worldwide regard insufficient visibility into their own networks as a major concern. In Finland, 75 percent of respondents consider achieving comprehensive visibility very difficult or extremely difficult.

    “Companies and the applications they use depend on the security of networks as application data moves between endpoints, the data center and the cloud. That is why the network should be treated as a strategic tool, not merely as a pipeline for data. From a security standpoint, visibility into one’s own networks is essential,” says Santeri Stolt, lead expert at VMware Finland.

    According to him, the visibility requirement can only be met if the network is delivered as software-defined, that is, virtualized.

    Reply
  18. Tomi Engdahl says:

    Stephanie Wykstra / Undark Magazine:
    After rolling out a flawed automated system in 2014, Michigan falsely charged thousands with unemployment fraud and collected millions in fines

    Government’s Use of Algorithm Serves Up False Fraud Charges
    https://undark.org/2020/06/01/michigan-unemployment-fraud-algorithm/

    Using a flawed automated system, Michigan falsely charged thousands with unemployment fraud and took millions from them.

    Reply
  19. Tomi Engdahl says:

    The 20 Best Cybersecurity Startups To Watch In 2020
    http://on.forbes.com/6181GHYpZ

    There are 21,729 startups who either compete in or rely on cybersecurity technologies and solutions as a core part of their business models today, 1,653 of which have received seed funding in the last twelve months.

    Nearly $10B was invested in privacy and security companies in 2019, an all-time high in the last decade up more than five-fold from $1.7B in 2010, according to a recent Crunchbase query.

    From network and data security to I.T. governance, risk measurement, and policy compliance, cybersecurity is a growing industry estimated to be worth over $300B by 2025, according to C.B. Insight’s Emerging Trends Cybersecurity Report

    C.B. Insights predicts the worldwide identity and access management (IAM) market is expected to reach $23B by 2025.

    In 2020, 268 startups have raised a total of $4.7B, averaging $21M each with a median funding amount of $6.1M according to a recent Crunchbase query. The global information security and risk management end-user spending are forecast to grow at a five-year CAGR of 9.2% to reach $174.5 billion in 2022. New growth in spending is related to digital transformation, regulatory compliance, increased security threats, and response capabilities, according to Gartner’s latest market estimates. New startups continue to attract investors as cybersecurity investments are viewed as the cure for uncertainty and the proliferating, more complex nature of breach attempts.  

    Reply
  20. Tomi Engdahl says:

    Get Me out of Password Hell
    https://www.eetimes.com/get-me-out-of-password-hell/

    Back in 2013 there were articles about how many people used 1234 as a password. A Vice article from 2017 said that had changed: 3% of people then used 123456. A bunch even used “Password” as a password. Yeesh.

    It’s still a problem today. A recent study from Clario, a company launching a digital security and privacy app this month, said more than three-quarters of millennials use the same password for more than 10 different devices, apps, and accounts; some have even admitted to using the same password more than 50 different places.

    I’m amused on crime shows when a sleuth successfully guesses the subject’s password when breaking into a laptop. It’s always something like a pet’s name or a birthday. One show said the whole family shared a password.

    But I’m not a password-denier. I know I need ‘em … and strong ones, too. So now I’m looking into options beyond my handwritten passwords and secret files.

    I know people who use the free version of LastPass as a password manager. It sounds great to have one master account password that’s able to store and fill in all the passwords I use, but I start to twitch when I think of giving over my sacred codes to anything more sensitive than The Atlantic. My checking account? I don’t think so. Then there’s the manual labor involved: looking up the passwords, trying to decipher my secret coding schemes and then typing them all in one by one.

    FIDO coming to rescue?
    I was heartened recently when I read about the FIDO (Fast IDentity Online) Alliance, an open industry association with the mission to unite consumers and service providers around an authentication standard and “remedy the problems users face with creating and remembering multiple usernames and passwords.” Bingo!

    The alliance announced in May a new website to educate consumers and service providers on the benefits of what FIDO calls “simpler, stronger user authentication.” The alliance’s inaugural conference, Authenticate, was due to take place this week in Seattle. Alas, like nearly every trade event scheduled since MWC 2020 in February, it was shelved, now planned for Nov. 11-12.

    Each device/website pairing with FIDO requires separate registration and a separate cryptographic key pair. Once registered, a user can authenticate to multiple sites from the same device, but each site has no knowledge of the user interactions with other sites. The client’s private keys can be used only after they are unlocked locally on the phone by the user, using a secure, “user-friendly” action such as swiping a finger, entering a PIN, speaking into a mic, using two-factor authentication or pressing a button.

    Reply
  21. Tomi Engdahl says:

    What Price for Privacy?
    https://www.eetimes.eu/what-price-for-privacy/

    In my simplistic mind, I haven’t yet fully comprehended why the world didn’t use all the technology tools at its disposal to contain the novel coronavirus early on.

    “Covid-19 and the Success Story of Taiwan” that the island had effectively integrated its health insurance database with its immigration and customs database to identify cases and then act as needed to contain the virus. That’s so simple, it’s genius, I thought. Why not do it everywhere?

    The CEO’s response was blunt: Doing the same thing in Europe or the U.S. would violate individual privacy, and we value our privacy dearly. Tracking people to the extent required for Taiwan’s program would simply not be tolerated here. But then, what price do we have to pay for our privacy — tens of thousands of deaths?

    What if we think of it differently? In the U.K., we already have extensive surveillance on the streets of cities and towns, as I am sure many other European countries do. And many of these systems are gradually adding facial recognition, lots of local data processing, and artificial intelligence to identify a person’s intent, which the public considers an unacceptable personal intrusion. However, the same public doesn’t even realize that huge swaths of the population freely give away their data every day to companies like Facebook and Google. Where are the demands for privacy there? They’re few and far between, because we’ve accepted some loss of privacy as the tradeoff for getting something “for free.”

    It doesn’t take much imagination to see how the data wealth of social media and internet companies and that of local and national governments might be combined and exploited to serve certain objectives, whether good or bad. Such activity might have affected the outcomes of certain elections and referenda in recent years.

    In the case of Covid-19, however, I strongly believe if national governments had collaborated to carry out and share simple biometric monitoring and travel data, they could have prevented many deaths.

    Those efforts underscore what readers of this publication already know: There is no shortage of sensors and technology to measure the vital data needed to contain and combat a pandemic. In times of crisis, as long as we have put the checks and balances in place to ensure that enforced tracking measures will be lifted after the danger has passed, wouldn’t it be OK to surrender a bit of our privacy?

    Given a choice between life and privacy, I’d take life.

    Reply
  22. Tomi Engdahl says:

    To Err Is Human: Accepting Responsibility to Regain Confidence
    https://www.securityweek.com/err-human-accepting-responsibility-regain-confidence

    Recently, after taking a routine medical test, the results never came back. When I called to find out what happened, I was told that due to technical reasons, the test was invalid. I asked what the technical reasons were and was told that there was no information to provide, nor an explanation. I asked why no one contacted me and was again told that there was no information to provide, nor an explanation. Then I was asked if I wanted to come in to do the test again. I replied that I didn’t want to, but that it appears that I have to. It would be an understatement to say that I was not amused by the attitude of the person with whom I was speaking.

    Looking back on this phone call, what irked me the most? It wasn’t that a mistake had been made – that happens from time to time. Nor was it that I had to go back and redo the test – I think many of us are quite accustomed to having to correct other people’s mistakes. What irked me about this call was that the person on the other end of the line did not acknowledge that their organization was at fault, nor did they make any attempt to take responsibility for that. In this spirit, I offer five tips for maintaining the right attitude when security veers into the wrong:

    1. Be humble: Mistakes will inevitably happen. What makes a mistake worse is immediately looking to blame the other side. Start from a position of humility when something goes wrong. Look internally first to understand what might have gone wrong and look to identify the root cause of the issue. If it turns out that fault lies elsewhere, then by all means, communicate that. Just don’t start there.

    2. Acknowledge the mistake: The first step in correcting a mistake is to acknowledge that there was one. What went wrong exactly? What impact did the mistake have? How could it have been avoided? How could communication have been better? What steps are being put in place to ensure that it doesn’t happen again? Answering these and other questions from the beginning shows the right attitude when looking to navigate the clean-up after a goof-up.

    3. Recognize when processes need to be improved: Some mistakes are caused by human error. Others by external factors. Yet, many are caused by broken or insufficient processes. It is important to take this into account when looking into a slip-up. If an issue with a process is identified and a plan to address it is hatched, that goes a long way when working to correct an error.

    4. Respect the time of others: As the saying goes, “time is money.” Beyond that, time is also a precious commodity. I don’t know too many people that have a surplus of time. If your security team messes up, understand that, more often than not, you are costing others in the organization time and money. If you are aware of that and sensitive to it, that goes a long way to regaining the trust and support of those you’ve affected.

    5. Empathize: Never underestimate how far showing that you understand that you have brought hardship can go. A little empathy can go a long way. Depending on the audience, empathy can be even better when delivered with a bit of humor to diffuse the tension. Let your peers outside of the security organization know that you get it. The security team has erred, and it has brought unexpected challenges to a number of different teams. They will appreciate your empathy, and it will help you get back on track sooner.

    The Right Attitude Goes a Long Way Towards Helping Stakeholders Regain Confidence in the Security Team

    Let’s look at the call from another angle – let’s see how a few adjustments would have made the call a much better experience:

    1. Be humble and open to the idea that your organization can err

    2. Acknowledge that a mistake had been made

    3. Recognize that when a mistake had been made, someone needed to contact me to let me know

    4. Show respect for my time

    5. Empathize with me and use language like “Unfortunately, you need to come in again to do the test. I understand that this is an inconvenience. Can I help you make an appointment?” rather than “Do you want to come in to do the test again?”

    Reply
  23. Tomi Engdahl says:

    Spies Can Eavesdrop by Watching a Light Bulb’s Vibrations
    https://www.wired.com/story/lamphone-light-bulb-vibration-spying/

    The so-called lamphone technique allows for real-time listening in on a room that’s hundreds of feet away.

    THE LIST OF sophisticated eavesdropping techniques has grown steadily over years: wiretaps, hacked phones, bugs in the wall—even bouncing lasers off of a building’s glass to pick up conversations inside. Now add another tool for audio spies: Any light bulb in a room that might be visible from a window.

    Researchers from Israel’s Ben-Gurion University of the Negev and the Weizmann Institute of Science today revealed a new technique for long-distance eavesdropping they call “lamphone.” They say it allows anyone with a laptop and less than a thousand dollars of equipment—just a telescope and a $400 electro-optical sensor—to listen in on any sounds in a room that’s hundreds of feet away in real-time, simply by observing the minuscule vibrations those sounds create on the glass surface of a light bulb inside. By measuring the tiny changes in light output from the bulb that those vibrations cause, the researchers show that a spy can pick up sound clearly enough to discern the contents of conversations

    “Any sound in the room can be recovered from the room with no requirement to hack anything and no device in the room”

    The researchers found that the tiny vibrations of the light bulb in response to sound—movements that they measured at as little as a few hundred microns—registered as measurable changes in the light their sensor picked up through each telescope. After processing the signal through software to filter out noise, they were able to reconstruct recordings of the sounds inside the room with remarkable fidelity: They showed, for instance, that they could reproduce an audible snippet of a speech from President Donald Trump well enough for it to be transcribed by Google’s Cloud Speech API. They also generated a recording of the Beatles’ “Let It Be” clear enough that the name-that-tune app Shazam could instantly recognize it.

    The technique nonetheless has some limitations. In their tests, the researchers used a hanging bulb

    the researchers’ technique still represents a significant and potentially practical new form of what he calls a “side channel” attack

    “You just need line of sight to a hanging bulb.”

    Researchers have known for years that a laser bounced off a target’s window can allow spies to pick up the sounds inside. Another group of researchers showed in 2014 that the gyroscope of a compromised smartphone can pick up sounds even if the malware can’t access its microphone. The closest previous technique to lamphone is what MIT, Microsoft, and Adobe researchers in 2014 called a “visual microphone”: By analyzing video recorded via telescope of an object in a room that picks up vibrations—a bag of potato chips or a houseplant, for instance—those researchers were able to reconstruct speech and music.

    you actually use it in real time

    As unlikely as being targeted by this technique is, it’s also easy to forestall. Just cover any hanging bulbs, or better yet, close the curtains. And if you’re paranoid enough to be concerned about this sort of spy game, hopefully you’ve already used anti-vibration devices on those windows to prevent eavesdropping with a laser microphone. And swept your house for bugs. And removed the microphones from your phone and computer.

    Reply
  24. Tomi Engdahl says:

    10 Essential Bug Bounty Programs of 2020
    https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/essential-bug-bounty-programs/
    In 2019, the State of Security published its most recent list of
    essential bug bounty frameworks. Numerous organizations and government
    entities have launched their own vulnerability reward programs (VRPs)
    since then. COVID-19 has changed the digital security landscape, as
    well. With that in mind, it’s time for an updated list.

    Reply
  25. Tomi Engdahl says:

    Explicit content and cyberthreats: 2019 report
    https://securelist.com/explicit-content-and-cyberthreats-2019-report/97310/
    Stay at home’ is the new motto for 2020 and it has entailed many
    changes to our daily lives, most importantly, in terms of our digital
    content consumption. With users opting to entertain themselves online,
    malicious activity has grown. Over the past two years we have reviewed
    how adult content has been used to spread malware and abuse users’
    privacy. This is a trend that’s unlikely to go away, especially under
    current circumstances. While many pornography platforms are enjoying
    an influx of new users and providing legitimate and safe services, the
    security risks remain, if not increase.

    Reply
  26. Tomi Engdahl says:

    Quarterly report: Incident Response trends in Summer 2020
    https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html
    For the fourth quarter in a row, Ryuk dominated the threat landscape
    in incident response. As we mentioned in last quarter’s report, Ryuk
    has shifted from relying on commodity trojans to using
    living-off-the-land tools. This has led to a decrease in observations
    of attacks leveraging commodity trojans. Email remained the top
    infection vector, though we observe increased compromises of remote
    desktop services (RDS) as well as Citrix devices and Pulse VPN. One of
    the more interesting trends this quarter was the role of the COVID-19
    pandemic. Interestingly, we did not observe any engagements in which
    COVID-19 was used in an attack. However, CTIR has observed the
    pandemic impacting organizations, affecting their ability to respond
    and contain cybersecurity incidents.

    Reply
  27. Tomi Engdahl says:

    Zero Trust, Part 1: Networking
    https://www.microsoft.com/security/blog/2020/06/15/zero-trust-part-1-networking/
    Enterprises used to be able to secure their corporate perimeters with
    traditional network controls and feel confident that they were keeping
    hackers out. However, in a mobile- and cloud-first world, in which the
    rate and the sophistication level of security attacks are increasing,
    they can no longer rely on this approach. Taking a Zero Trust approach
    can help to ensure optimal security without compromising end user
    application experiences. Over a series of three blogs (of which this
    is the first), we will take a deeper dive into the aspects of the
    Networking pillar in the Microsoft Zero Trust security model. We will
    go through each of the dimensions listed (network segmentation, threat
    protection, and encryption) and show design patterns and helpful
    guidance on using Microsoft Azure services to achieve optimality.

    Reply
  28. Tomi Engdahl says:

    Exploiting a crisis: How cybercriminals behaved during the outbreak
    https://www.microsoft.com/security/blog/2020/06/16/exploiting-a-crisis-how-cybercriminals-behaved-during-the-outbreak/
    The COVID-19 outbreak has truly been a global event. Cybercriminals
    have taken advantage of the crisis to lure new victims using existing
    malware threats. In examining the telemetry, these attacks appear to
    be highly correlated to local interest and news. Overall, COVID-19
    themed attacks are just a small percentage of the overall threats
    Microsoft has observed over the last four months. There was a global
    spike of themed attacks culminating in the first two weeks of March.
    Based on the overall trend of attacks it appears that the themed
    attacks were at the cost of other attacks in the threat environment.

    Reply
  29. Tomi Engdahl says:

    Facial Recognition: IT and Police in Delicate Dance
    https://www.securityweek.com/facial-recognition-it-and-police-delicate-dance

    Tech giants love to portray themselves as forces for good and as the United States was gripped by anti-racism protests a number of them publicly disavowed selling controversial facial recognition technology to police forces.

    Facial recognition has numerous applications that could simplify our lives as we’ve seen with Apple using it to unlock smartphones or in stores to replace cash registers.

    But the technology has a dark side, with facial recognition integrated into China’s massive public surveillance system and its social credit experiment where even minor infractions of public norms can result in sanctions.

    As the protests spread across the United States about police violence and racism, pressure mounted on tech firms about the technology. Microsoft and Amazon announced they would suspend sales of facial recognition software to police forces while IBM said it would exit the business.

    Privacy and rights groups worry about the implications of the use of facial recognition technology by law enforcement.

    Reply
  30. Tomi Engdahl says:

    New Reality of IT-OT: Convergence, Collaboration and Digital Transformation Acceleration
    https://www.securityweek.com/new-reality-it-ot-convergence-collaboration-and-digital-transformation-acceleration

    We All Share the Same Objective of Risk Reduction, But in an OT Environment That Must be Implemented in a Different Way

    In recent months, our definition of critical infrastructure has expanded and the convergence of IT and operational technology (OT) networks has accelerated dramatically. As more employees began working from home, the infrastructure of their homes became critical infrastructure to the business. For companies that had previously tried to keep their OT networks as isolated as possible and didn’t have remote connectivity in place, it was a slow and sometimes rocky start. Those that had begun to embrace digital transformation initiatives were able to transition more smoothly, as they had already started thinking about security in an expanding and open environment.

    Whichever end of the spectrum you were on, the crisis also accelerated the need for IT and OT teams to collaborate. The extreme transformation of the workplace generated a lot of stress and questions, especially for organizations in industries that depend on physical processes – such as oil and gas, energy, utilities, manufacturing, pharmaceuticals, and food and beverage. How can we ensure production? How do we do so without compromising the health and safety of our employees? What can be done remotely and what needs to be done onsite? How do we enable this without increasing the risk of cyberattacks?

    Reply
  31. Tomi Engdahl says:

    Implement DevSecOps to transform your business to IT-as-code
    https://techcrunch.com/2020/06/18/transform-your-business-to-it-as-code-with-devsecops/?tpcc=ECFB2020

    Conduct an online search and you’ll find close to one million websites offering their own definition of DevSecOps.

    Why is it that domain experts and practitioners alike continue to iterate on analogous definitions? Likely, it’s because they’re all correct. DevSecOps is a union between culture, practice and tools providing continuous delivery to the end user. It’s an attitude; a commitment to baking security into the engineering process. It’s a practice; one that prioritizes processes that deliver functionality and speed without sacrificing security or test rigor. Finally, it’s a combination of automation tools; correctly pieced together, they increase business agility.

    The goal of DevSecOps is to reach a future state where software defines everything. To get to this state, businesses must realize the DevSecOps mindset across every tech team, implement work processes that encourage cross-organizational collaboration, and leverage automation tools, such as for infrastructure, configuration management and security.

    Reply
  32. Tomi Engdahl says:

    Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks
    https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks

    The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

    The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

    The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of a remote code execution vulnerability in unpatched versions of Telerik UI.

    Reply
  33. Tomi Engdahl says:

    https://attack.mitre.org/

    MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

    Reply
  34. Tomi Engdahl says:

    Why Technical Translation Matters in the Cyber Security World
    https://pentestmag.com/83690-2/

    Reply
  35. Tomi Engdahl says:

    Ransomware operators lurk on your network after their attack
    https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/
    When a company suffers a ransomware attack, many victims feel that the
    attackers quickly deploy the ransomware and leave so they won’t get
    caught. Unfortunately, the reality is much different as threat actors
    are not so quick to give up a resource that they worked so hard to
    control. Instead, ransomware attacks are conducted over time, ranging
    from a day to even a month, starting with a ransomware operator
    breaching a network. This breach is through exposed remote desktop
    services, vulnerabilities in VPN software, or via remote access given
    by malware such as TrickBot, Dridex, and QakBot.

    Reply
  36. Tomi Engdahl says:

    Adobe wants users to uninstall Flash Player by the end of the year
    https://www.zdnet.com/article/adobe-wants-users-to-uninstall-flash-player-by-the-end-of-the-year/
    Adobe plans to prompt users and ask them to uninstall Flash Player
    from their computers by the end of the year when the software is
    scheduled to reach End-Of-Life (EOL), on December 31, 2020. The move
    was announced in a new Flash Player EOL support page that Adobe
    published earlier this month, six months before the EOL date.

    Reply
  37. Tomi Engdahl says:

    How the pandemic affected DDoS attack patterns, global internet
    traffic
    https://www.helpnetsecurity.com/2020/06/19/internet-traffic-patterns-ddos/
    There has been a shift in internet traffic patterns coinciding with an
    increase in DDoS and other types of network attacks in recent months
    as organizations across industries quickly transitioned to remote
    workforces and individuals under stay-at-home orders began relying on
    the internet more heavily, according to Neustar.

    Reply
  38. Tomi Engdahl says:

    Sigma rules! The generic signature format for SIEM systems.
    https://isc.sans.edu/forums/diary/Sigma+rules+The+generic+signature+format+for+SIEM+systems/26258/
    What Snort is to network traffic, and YARA to files, is Sigma to logs.
    By creating and using Sigma rules you’ll have generic rules which can
    be shared and run against different targets (e.g. SIEMs). Sigma solves
    the issue of everyone working on their own analysis, searches and
    dashboards of log data they’ve collected by having a standardized
    format to create rules to be reused and shared with others, supporting
    many different target systems.

    Reply
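To make the "generic rule, run against different targets" idea concrete, here is an added example (not code from the SANS diary or from the Sigma project) of a minimal evaluator for a Sigma-style rule over a few constructed process-creation events. The rule is held as a Python dict with the same keys a Sigma YAML file carries; only the modifiers `|contains`, `|startswith`, `|endswith`, list values as OR, and the condition `selection and not filter` are supported, and the allowlisted parent process name is a hypothetical placeholder.

```python
"""Minimal Sigma-style rule evaluator over constructed log events (added example)."""
import fnmatch

# Constructed rule modelled on a typical process-creation Sigma rule (not a published rule).
RULE = {
    "title": "Suspicious Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        # Hypothetical allowlisted parent; a real rule would name a known-good agent.
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

def _value_matches(actual, expected, modifier):
    """Compare one field using a Sigma modifier; case-insensitive like most backends."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return fnmatch.fnmatchcase(a, e)  # plain value: Sigma allows * and ? wildcards

def _search_matches(search, event):
    """Every field of a search identifier must match (AND); a list of values is OR."""
    for key, expected in search.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_value_matches(event[field], v, modifier) for v in values):
            return False
    return True

def evaluate(rule, event):
    """True when the event satisfies 'selection and not filter'."""
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("only 'selection and not filter' is supported in this example")
    return _search_matches(det["selection"], event) and not _search_matches(det["filter"], event)

# Constructed events (not real telemetry): 0 should alert, 1 is filtered, 2 is unrelated.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc QQBCAEMA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBCAEMA", "ParentImage": "C:\\Program Files\\sccm_agent.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def matching_events(rule=RULE, events=EVENTS):
    """Indexes of events the rule fires on."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]
```

The same dict could be serialized to YAML and fed to the Sigma converters to produce the backend-specific query, which is the sharing step the diary describes.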
  39. Tomi Engdahl says:

    Facebook’s FTC-Mandated Privacy Committee Now in Effect
    https://threatpost.com/facebooks-ftc-mandated-privacy-committee-now-in-effect/156730/
    Facebook on Thursday said it has started to report its privacy
    practices to a newly formed, independent Privacy Committee. The
    creation of the independent committee was part of the company’s
    settlement a year ago with the Federal Trade Commission (FTC) over
    data privacy violations, which came in addition to a $5 billion fine
    (which was derided as chump change by lawmakers and privacy analysts).

    Reply
  40. Tomi Engdahl says:

    Healthcare CISOs Share COVID-19 Response Stories
    https://www.darkreading.com/threat-intelligence/healthcare-cisos-share-covid-19-response-stories/d/d-id/1338132
    Cybersecurity leaders discussed the threats and challenges that arose
    during the pandemic, and how they responded, during a virtual
    roundtable. A few months ago, security leaders around the world faced
    an unprecedented challenge in addressing threats and challenges
    related to a global pandemic. In the healthcare space, CISOs juggled a
    spike in cyberattacks, newly remote employees, and securing healthcare
    institutions.

    Reply
  41. Tomi Engdahl says:

    Academics studied DDoS takedowns and said they’re ineffective,
    recommend patching vulnerable servers
    https://www.zdnet.com/article/academics-studied-ddos-takedowns-and-said-theyre-ineffective-recommend-patching-vulnerable-servers/
    A team of Dutch and German academics has studied the aftermath of a
    major crackdown against DDoS providers and concluded that law
    enforcement takedowns are largely ineffective, recommending that
    authorities rather focus on patching the vulnerable systems that are
    abused for the DDoS attacks in the first place.

    Reply
  42. Tomi Engdahl says:

    Hacker Lexicon: What Is a Side Channel Attack?
    https://www.wired.com/story/what-is-side-channel-attack/
    Modern cybersecurity depends on machines keeping secrets. But
    computers, like poker-playing humans, have tells. They flit their eyes
    when they’ve got a good hand, or raise an eyebrow when they’re
    bluffing, or at least, the digital equivalent. And a hacker who learns
    to read those unintended signals can extract the secrets they contain,
    in what’s known as a “side channel attack.” Side channel attacks
    take advantage of patterns in the information exhaust that computers
    constantly give off: the electric emissions from a computer’s monitor
    or hard drive, for instance, that emanate slightly differently
    depending on what information is crossing the screen or being read by
    the drive’s magnetic head.

    Reply
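The "tell" idea above can be shown without any lab equipment, using the timing side channel in a secret comparison. This is an added example, not from the Wired article: instead of measuring wall-clock time (noisy), each compare function reports how many bytes it examined, which is the signal a timing attack would actually observe; the secret and the guesses are constructed. The leaky version's count grows with the correctly guessed prefix, while the constant-time version (what `hmac.compare_digest` does in C) examines every byte regardless, so the count is flat and nothing leaks.

```python
"""Timing side channel in a secret comparison, shown deterministically (added example)."""
import hmac

SECRET = b"s3cr3t-t0k3n"  # constructed secret for the demonstration

def leaky_compare(secret, guess):
    """Early-exit comparison. Returns (equal, bytes_examined); the count is the tell."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:          # stops at the first mismatch: work depends on the secret
            return False, examined
    return True, examined

def constant_time_compare(secret, guess):
    """Examines every byte; the work does not depend on where the first mismatch is."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b       # accumulate differences without branching on them
    return diff == 0, len(secret)

def observe(compare, prefix):
    """Bytes examined for a guess with the right prefix followed by filler bytes."""
    guess = prefix + b"\x00" * (len(SECRET) - len(prefix))
    return compare(SECRET, guess)[1]

def leak_profile(compare):
    """Examined-byte counts for correct prefixes of length 0..4."""
    return [observe(compare, SECRET[:n]) for n in range(5)]

def stdlib_verdict(guess):
    """The mitigation a defender should actually use for tokens and MACs."""
    return hmac.compare_digest(SECRET, guess)

if __name__ == "__main__":
    print("leaky:        ", leak_profile(leaky_compare))          # [1, 2, 3, 4, 5]
    print("constant-time:", leak_profile(constant_time_compare))  # [12, 12, 12, 12, 12]
```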
  43. Tomi Engdahl says:

    How do you know whether a website can be trusted? Check these 5 things
    https://www.is.fi/digitoday/tietoturva/art-2000006545823.html
    A website’s security is the sum of many factors. A vigilant user does
    not necessarily trust even a genuine site. That there are scams online
    is hardly news to most people. Telling them apart from genuine
    websites, however, is getting ever harder, since online scammers keep
    improving. Surfers and online shoppers therefore have to be ever more
    careful. IS Digitoday compiled guidance for verifying a website’s
    security, drawing on the advice of the Kyberturvallisuuskeskus.

    Reply
