Cyber security trends for 2021

Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before year 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that other people have predicted or reported.

The state of internet security in 2020 was hard. The trends that stormed last year will continue long into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, these days it’s rather ‘bring your own office’.

2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.

Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, attacks that are more disruptive and exploit contemporary issues, and that we will continue to have frequent and significant data breaches. I can pretty much agree with those. Cybersecurity must adapt to counter new threats in a transformed world.

The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”

For 2021, Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments, WAN, multi-cloud, data center, remote worker, IoT, and more, each with its unique risks.

DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid in bitcoin by a deadline – but victims are being urged not to give in to the demands.

One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, and then they threaten to publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.

Modern cybercrime is becoming increasingly open-sourced, which means that some of the most sophisticated and notorious cybercriminals are already utilizing open-source tools to conduct their criminal activities, and this will increase.

Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means, and whether the people who answered the survey have really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.

The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to the cloud, so we need more people who know both security and cloud: The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).

The Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.

Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.

A new version of the OWASP Top 10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make OWASP Top-10 2021 predictions calculated by understandable metrics, make everyone able to reproduce the results, and present them to the entire community for feedback.

The Privacy is an illusion. But that‘s a good thing article says that everyone’s information is available. It doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.

The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.

The Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs, which must have vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens and ENISA Publishes Guidelines on Securing the IoT Supply Chain.

7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.

IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.

2,203 Comments

  1. Tomi Engdahl says:

    Know the Four Pillars of Cloud Security That Reduce Data Breach Risk https://securityintelligence.com/posts/four-pillars-cloud-security-reduce-data-breach-risk/
    Can having a mature, comprehensive cloud security strategy reduce the impact of data breaches on your organization? Results from the latest Cost of a Data Breach Report indicate that taking this approach might produce potential savings for your business.

    Reply
  2. Tomi Engdahl says:

    UK’s new £5bn cyber force HQ to be sited in heart of Lancashire says Defence Secretary Ben Wallace
    https://www.lep.co.uk/news/defence/uks-new-ps5bn-cyber-force-hq-to-be-sited-in-heart-of-lancashire-says-defence-secretary-ben-wallace-3405571
    The Government is to build a new digital warfare centre in the heart of Lancashire, capable of launching “offensive” cyber attacks against hostile powers such as Russia.

    Reply
  3. Tomi Engdahl says:

    A powerful solar storm could bring down power grids and fragment the internet – Finland is studying how to prepare for the expected storm
    https://yle.fi/uutiset/3-12120070
    Experience has accumulated on the effects of solar storms on power grids.
    This is not the case for data networks. All previous storms happened before the current internet era. According to the study, local networks would most likely stay up, because fiber-optic cables withstand geomagnetic particles well. Short fiber-optic cables are also often grounded at regular intervals. By contrast, the large cables running along the ocean floors are at risk.

    Reply
  4. Tomi Engdahl says:

    Proposed Bill Would Require Organizations to Report Ransomware Payments
    https://www.securityweek.com/proposed-bill-would-require-organizations-report-ransomware-payments

    U.S. senators this week introduced a bill that would require critical infrastructure organizations to inform the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyberattack, and it would also require most private companies to notify the government if they have made a payment in response to a ransomware attack.

    The bipartisan bill, named the Cyber Incident Reporting Act, was introduced by senators Gary Peters (D-MI) and Rob Portman (R-OH), who also plan on introducing separate legislation to update the Federal Information Security Modernization Act with requirements for federal agencies and their contractors to report cyberattacks.

    The Cyber Incident Reporting Act aims to help the government deal with cyberattacks and help it hold threat actors who target U.S. networks accountable.

    If the bill becomes law, critical infrastructure owners and operators will be required to report cyberattacks to CISA within 72 hours.

    https://www.hsgac.senate.gov/imo/media/doc/210928_PetersPortmanCyberIncidentReportingAct_AsIntroduced.pdf

    Reply
  5. Tomi Engdahl says:

    New CISA Tool Helps Organizations Assess Insider Threat Risks
    https://www.securityweek.com/new-cisa-tool-helps-organizations-assess-insider-threat-risks

    The United States Cybersecurity and Infrastructure Security Agency (CISA) this week released a tool to help organizations assess their insider threat risk posture.

    Suitable for organizations in both public and private sectors, the Insider Risk Mitigation Self-Assessment Tool provides users with feedback based on responses to a series of questions.

    Furthermore, the tool aims to deliver a better understanding of the nature of insider threats, to help users start their own prevention and mitigation programs.

    As CISA points out, insider threats represent a major risk to any organization due to the fact that knowledge and trust are placed in the hands of the adversary, which could be an employee, a contractor, or other individuals who have inside knowledge.

    Reply
  6. Tomi Engdahl says:

    Telemetry Report Shows Patch Status of High-Profile Vulnerabilities
    https://www.securityweek.com/telemetry-report-shows-patch-status-high-profile-vulnerabilities

    A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user.

    Twenty percent of this year’s new vulnerabilities were given a ‘high severity’ scoring by NVD. Given the speed with which malicious actors can begin to exploit these vulnerabilities, researchers at Trustwave decided to investigate and report (PDF) on how quickly industry patches them.

    The researchers selected a range of high profile vulnerabilities, and used Shodan to detect instances of the vulnerabilities still extant on the internet. They conducted searches on July 22, August 16, and August 31 to detect the progress of patching.

    Seven vulnerability disclosures were selected for the analysis: MS Exchange Server (ProxyShell and ProxyToken); Apache Tomcat (HTTP request smuggling and QNAP NAS command injection); VMware vCenter (multiple vulnerabilities); Pulse Connect (authentication bypass); F5 BIG-IP (RCE vulnerability); MS Exchange Server (ProxyLogon); and Oracle WebLogic Server (RCE).

    Reply
  7. Tomi Engdahl says:

    Let’s get the basics of cyber security in shape – come join in!
    https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/jumpataan-kyberturvallisuuden-perustaidot-kuntoon-tule-mukaan
    European Cyber Security Month invites all of us who use the internet and smart devices to take part.
    We offer tips that help everyone improve their information security and also help those close to them, for example to protect themselves from online scammers. The European joint effort in cyber security is seen and heard on our website and social media channels. Come join in!

    Reply
  8. Tomi Engdahl says:

    Attackers try to guess your password – this is how you protect yourself https://www.iltalehti.fi/tietoturva/a/f9553838-9e0b-40da-bb71-56894330dc5d
    Scammers and cybercriminals have been extremely active during the past year. In addition to scam messages, computer networks are being bombarded very aggressively with password-guessing attacks, which happen billions of times a month. Because the number of attack attempts is so high, this is automated activity. If a password is easy to guess, or the same password is used in many different services, the attacker’s job becomes considerably easier.

    Reply
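    The automated guessing the article describes leaves a characteristic trail in authentication logs. The following Python script is an added example, not code from the original post or the article: it reads constructed sshd-style failure lines and separates brute force against one account from password spraying across many accounts, using assumed thresholds and an assumed log year.

```python
"""Spot automated password guessing in sshd-style auth logs.

Added example (not from the original post). Distinguishes two patterns:
  - brute force: one source hammers a single account many times
  - spraying:    one source tries a password or two against many accounts
The log lines below are constructed for the demo, and the thresholds and
the log year (syslog lines carry no year) are assumptions to tune locally.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sshd/syslog format: "Oct  5 08:00:01 host sshd[pid]: Failed password for [invalid user] NAME from IP ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Assumed thresholds: attempts counted within WINDOW from one source address.
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN_ATTEMPTS = 5   # this many failures on one account -> brute force
SPRAY_MIN_ACCOUNTS = 5         # this many distinct accounts ...
SPRAY_MAX_PER_ACCOUNT = 2      # ... each hit only a few times -> spraying

# Constructed sample log: one brute-force source, one spraying source, one benign typo.
SAMPLE_LOG = """\
Oct  5 08:00:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Oct  5 08:00:03 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Oct  5 08:00:05 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Oct  5 08:00:07 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Oct  5 08:00:09 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Oct  5 08:10:00 gw sshd[1300]: Failed password for invalid user alice from 198.51.100.9 port 40001 ssh2
Oct  5 08:10:02 gw sshd[1301]: Failed password for invalid user bob from 198.51.100.9 port 40002 ssh2
Oct  5 08:10:04 gw sshd[1302]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Oct  5 08:10:06 gw sshd[1303]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Oct  5 08:10:08 gw sshd[1304]: Failed password for erin from 198.51.100.9 port 40005 ssh2
Oct  5 09:30:00 gw sshd[1400]: Failed password for frank from 192.0.2.44 port 51000 ssh2
Oct  5 09:45:00 gw sshd[1401]: Accepted password for frank from 192.0.2.44 port 51000 ssh2
"""


def parse_failures(lines, year=2021):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def classify_sources(lines):
    """Return {ip: {"brute_force": {users}, "spray": {users}}} for suspicious sources."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(parse_failures(lines)):
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, attempts in by_ip.items():
        # Slide a WINDOW-long window over this source's attempts (already time-sorted).
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > WINDOW:
                    break
                per_user[user] += 1
            brute = {u for u, n in per_user.items() if n >= BRUTE_FORCE_MIN_ATTEMPTS}
            lightly_hit = {u for u, n in per_user.items() if n <= SPRAY_MAX_PER_ACCOUNT}
            spray = lightly_hit if len(lightly_hit) >= SPRAY_MIN_ACCOUNTS else set()
            if brute or spray:
                f = findings.setdefault(ip, {"brute_force": set(), "spray": set()})
                f["brute_force"] |= brute
                f["spray"] |= spray
    return findings


if __name__ == "__main__":
    for ip, f in classify_sources(SAMPLE_LOG.splitlines()).items():
        if f["brute_force"]:
            print(f"{ip}: brute force against {sorted(f['brute_force'])}")
        if f["spray"]:
            print(f"{ip}: password spraying across {sorted(f['spray'])}")
```

    A single failure from 192.0.2.44 followed by a success is left alone, which is the point of the thresholds: they separate the automated volume the article describes from a user mistyping once.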
  9. Tomi Engdahl says:

    What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID
    https://hackaday.com/2021/10/04/whats-on-your-bank-card-hacker-tool-teaches-all-about-nfc-and-rfid/

    The Flipper Zero hacker tool is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. They are struggling with manufacturing delays like everyone else right now, but there’s a silver lining: the team’s updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

    Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency tags (13.56 MHz), and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

    Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency (often referred to as NFC) like bank cards and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

    Diving into RFID Protocols with Flipper Zero
    https://blog.flipperzero.one/rfid/

    Reply
  10. Tomi Engdahl says:

    NSA’s Rob Joyce Explains ‘Sand and Friction’ Security Strategy
    https://www.securityweek.com/nsas-rob-joyce-explains-sand-and-friction-security-strategy

    News Analysis: The newly minted director of cybersecurity at NSA offers a candid assessment of the nation-state threat landscape and argues that adding “sand and friction” to adversary operations is a winning strategy.

    Rob Joyce has always been known for speaking candidly about malicious hacker activity and trends in the nation-state APT landscape.

    Back in 2016, the NSA’s top hacker raised eyebrows with a plain-spoken presentation on exactly how high-end hacking teams break into computer networks, concluding that defenders hardly stand a chance against nation-state hacking teams.

    “We put the time in …to know [that network] better than the people who designed it and the people who are securing it,” Joyce said matter-of-factly. “There’s a reason it’s called advanced persistent threats. Because we’ll poke and we’ll poke and we’ll wait and we’ll wait and we’ll wait, right? We’re looking for that opening and that opportunity to finish the mission.”

    It was a sobering conference talk that underscored why there is a certain defeatist mindset among the folks tasked with repelling cyberattacks. The message was clear: If a nation-state hacking group wants to break into your machine, you don’t stand much of a chance.

    Since that presentation, Joyce has been named director of cybersecurity at the NSA and tasked with defending U.S. digital assets during a massive ransomware-driven wealth transfer to Russian cybercriminals, a noticeable surge in zero-day exploit usage, and documented nation-state APT activity at an all-time high.

    Instead of traditional offensive hacking-back, Joyce used the spotlight of the recent Aspen Cyber Summit to promote a “sand and friction” strategy to disrupt apex predators.

    “Across a number of these nation state activities, defense is really important, but you also have to work to disrupt [them] before they are successful,” Joyce said, describing it as a “continuous engagement strategy” aimed at putting sand and friction in high-end malware operations.

    “They don’t just get free shots on goal to keep trying and trying until they score,”

    “We need to find those ways to expose their tools and infrastructure. We’re establishing the expectation that these things won’t be tolerated,” Joyce declared.

    In addition to joint advisories and urgent warnings on signs of nation-state software exploitation, the U.S. government has also used social media to share IOCs on North Korea cryptocurrency hacks and step-by-step software mitigation guidance to help organizations reduce exposed attack surface.

    “We’ve got to continue to understand, disrupt, and then find ways to push back. If we just let them keep shooting on goal and the goal is undefended, eventually, they’re going to score,” Joyce said.

    Joyce was characteristically forthcoming when asked to discuss the threat from specific countries, describing the scale and scope of attacks from China as “off the charts.”

    “The amount of Chinese cyber activity dwarfs the rest of the world, combined. They have scale,” Joyce said. “They have a [hacker] resource base that’s large and the elite in that group really are really elite. At the high end, the sophistication [of Chinese APTs] is really good.”

    Reply
  11. Tomi Engdahl says:

    Cloud Services Providers Introduce Trusted Cloud Principles
    https://www.securityweek.com/cloud-services-providers-introduce-trusted-cloud-principles

    Major cloud services providers last week formally introduced the Trusted Cloud Principles, an initiative aimed at bringing standardization and consistencies across platforms.

    Trusted Cloud Principles signatories say they are committed to maintaining consistent human rights standards across their services, while also ensuring that cloud services providers’ interests are protected.

    The initiative has received support from heavy industry names, including Amazon, Atlassian, Cisco, Google, Microsoft, and IBM, among others.

    “Trusted Cloud Principles signatories are committed to protecting the rights of our customers. We have agreed to strong principles that ensure we compete while maintaining consistent human rights standards,” the signatories say.

    As per the newly introduced principles, cloud services providers are committed to ensure the privacy and security of their customers’ data across borders, while working with governments around the world to ensure the free flow of data and establish legal frameworks for data privacy, security, and integrity.

    Reply
  12. Tomi Engdahl says:

    Drawing a Dragon: Connecting the Dots to Find APT41
    https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
    The BlackBerry Research & Intelligence Team recently connected seemingly disparate malware campaigns, which began with an unusual Cobalt Strike configuration that was first included in a blog post published the same month as COVID-19 lockdowns began in Europe and the U.S. What we found led us through a malicious infrastructure that had been partially documented in articles by several other research organizations. The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.

    Reply
  13. Tomi Engdahl says:

    NSA chief predicts U.S. will face ransomware ‘every single day’ for years to come https://therecord.media/nsa-chief-predicts-u-s-will-face-ransomware-every-single-day-for-years-to-come/
    The U.S. will have to contend with the threat of ransomware daily for at least the next several years, the leader of the country’s premier digital spy agency said Tuesday. “Every single day,” Gen. Paul Nakasone, the director of the National Security Agency and the head of U.S. Cyber Command, answered during a discussion at the Mandiant Cyber Defense Summit in Washington when asked if the threat would persist for the next five years.

    Reply
  14. Tomi Engdahl says:

    How to Build an Incident-Response Plan, Before Security Disaster Strikes https://threatpost.com/incident-response-plan-security-disaster/175335/
    A strong incident-response plan can help a company recover quickly and reduce incident costs. It’s also critical to not only have an incident-response plan, but also to be “incident-response ready,” which means that the plan is periodically tested, similar to a fire drill.

    Reply
  15. Tomi Engdahl says:

    Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-a-telegram-harvester/
    In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.

    Reply
  16. Tomi Engdahl says:

    What 10,000 Analysts Showed Us About the State of Threat Hunting https://www.riskiq.com/blog/external-threat-management/state-of-threat-hunting/
    As cyberthreats increase, security analysts are our first line of defense. Their skills, know-how, and passion for their work meet attackers head-on. Unfortunately, these analysts often lack the resources, technology, and latest techniques to defeat them. After speaking with thousands of analysts, here are the top five things Benjamin wants all threat hunters and incident responders to know.

    Reply
  17. Tomi Engdahl says:

    Illegal Activities Endure on China’s Dark Web Despite Strict Internet Control https://www.recordedfuture.com/illegal-activities-endure-chinas-dark-web/
    This report analyzes the structure of internet sources used by Chinese-speaking threat actors to facilitate cybercriminal activities, specifically Chinese-language dark web sources, clearnet hacking forums and blogs, instant messaging platforms, and well-established criminal sources. This report aims to provide a general understanding of the Chinese-speaking cybercriminal landscape and the threat it presents under the context of its distinct cultural, political, and legal characteristics. Report (PDF):
    https://go.recordedfuture.com/hubfs/reports/cta-2021-1005.pdf

    Reply
  18. Tomi Engdahl says:

    F-Secure’s Mikko Hyppönen: The concentration of online services in Silicon Valley is the internet’s weak spot – Facebook’s collapse “absolutely exceptional”
    https://yle.fi/uutiset/3-12128657
    The six-hour outage of Facebook’s services showed how vulnerable a position we are in. In the future the internet will be as important as the power grid, and that frightens even F-Secure’s Chief Research Officer Mikko Hyppönen.

    Reply
  19. Tomi Engdahl says:

    Mikko Hyppönen asks a striking question when he visits companies – the answer is usually deep confusion https://www.is.fi/digitoday/tietoturva/art-2000008308608.html

    Reply
  20. Tomi Engdahl says:

    Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
    In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool.
    Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups.

    Reply
  21. Tomi Engdahl says:

    Loss of Intellectual Property, Customer Data Pose Greatest Business Risks https://www.darkreading.com/edge-threat-monitor/loss-of-intellectual-property-customer-data-pose-greatest-business-risks
    Dark Reading’s “The State of Incident Response 2021” report shows that security professionals have been most concerned about breaches of intellectual property and business secrets (36%), followed by the unauthorized use of applications by credentialed users (17%). In addition, 16% said outages of internal IT systems, applications, or networks pose big organizational risks.

    Reply
  22. Tomi Engdahl says:

    Ransomware Impact on the Education Sector https://www.fortinet.com/blog/threat-research/ransomware-impact-on-the-education-sector
    FortiGuard Labs has identified at least 20 different ransomware infections targeting the education sector. Most of these infections occurred in the United States, which outnumbered the other countries by a large margin. The Pysa and Ryuk ransomware families were the most common, closely followed by Grief and Babuk ransomware. Interestingly, many notable ransomware variants, such as REvil, Blackmatter, Lockbit, DarkSide, and Ragnar Locker, were not found to be targeting schools.
    That may be partially explained by the policy mentioned above that some ransomware groups have imposed on affiliates, banning them from attacking specific sectors such as health and education.

    Reply
  23. Tomi Engdahl says:

    The Biggest Cybersecurity Threats Facing Healthcare Organizations and How to Protect Yourself https://www.recordedfuture.com/biggest-cybersecurity-threats-facing-healthcare-organizations/
    In fact, the healthcare industry is a top target for threat actors because of the unique blend of characteristics that comprise organizations within the industry. A study by the National Institute of Standards and Technology and the Office for Civil Rights found that 70% of malware attacks in 2019 were targeted at healthcare and public health organizations. The report by the Healthcare & Public Health Sector Coordinating Councils dives into the five threats facing the healthcare industry. Let’s take a look at these threats and also how you can improve your security posture to defend against these attacks.

    Reply
  24. Tomi Engdahl says:

    Unit 42 Cloud Threat Report, 2H 2021
    https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-2h21.html
    Supply chain attacks in the cloud continue to grow as an emerging threat. However, much remains misunderstood about both the nature of these attacks and how to defend against them. This report draws on Unit 42’s analysis of past supply chain attacks. It explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices organizations can adopt today to protect their supply chains in the cloud.

    Reply
  25. Tomi Engdahl says:

    Google to auto-enroll 150m users, 2m YouTubers with two-factor authentication https://www.theregister.com/2021/10/06/google_twofactor_authentication/
    Google is going to automatically enroll 150 million users and two million YouTube creators into using two-factor authentication for their accounts by the end of the year, it announced on Tuesday. Google calls this two-step verification (2SV) and it involves being sent a code to type in, using a hardware key, or an app on your phone.

    Reply
  26. Tomi Engdahl says:

    Mandia Alerted NSA on FireEye’s SolarWinds Breach https://www.darkreading.com/threat-intelligence/mandia-alerted-nsa-on-fireeye-s-solarwinds-breach
    “National security” concerns led former CEO Kevin Mandia to call the NSA when FireEye discovered its breach in late 2020.

    Reply
  27. Tomi Engdahl says:

    How To Triage Leaked Credentials
    https://www.recordedfuture.com/how-to-triage-leaked-credentials/
    Leaked and stolen credentials pose a critical risk to organizations everywhere. In fact, 61% of breaches involve compromised credentials.
    Every year, billions of credentials appear on the dark web, paste sites, and in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and more. But what do you do if you’ve discovered leaked employee or customer credentials? This step-by-step guide will show you exactly what to do.

    Reply
  28. Tomi Engdahl says:

    Mana Tools: A Malware C2 Panel with a Past https://www.riskiq.com/blog/external-threat-management/mana-tools-malware-c2-panel/
    As part of our ongoing research into malware distribution infrastructure, we investigated “Mana Tools,” a malware distribution and command and control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla.

  29. Tomi Engdahl says:

    Azurescape: What You Need to Know
    https://blog.aquasec.com/azurescape-azure-container-instances
    Microsoft recently disclosed a security vulnerability in its Azure Container Instances (ACI) service, referred to as Azurescape. No actual exploitations were reported and, thankfully, no Azure customers were affected by this vulnerability. To clear any doubts around risks to current environments, in this post we will examine the anatomy of a possible attack leveraging Azurescape and what it means for an effective defense-in-depth strategy for cloud native environments.

  30. Tomi Engdahl says:

    What’s in a Threat Group Name? An Inside Look at the Intricacies of Nation-State Attribution
    https://www.securityweek.com/whats-threat-group-name-inside-look-intricacies-nation-state-attribution

    Understanding the naming conventions of various threat groups can help us better understand the overall threat landscape

  31. Tomi Engdahl says:

    US Poised to Go After Contractors Who Don’t Report Breaches
    https://www.securityweek.com/us-poised-go-after-contractors-who-dont-report-breaches

    The Justice Department is poised to sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their cyber systems, the department’s No. 2 official said Wednesday.

    Deputy Attorney General Lisa Monaco said the department is prepared to take legal action under a statute called the False Claims Act against contractors who misuse federal dollars by failing to disclose hacks or by having deficient cybersecurity standards. The Justice Department will also protect whistleblowers who come forward to report those issues.

    “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it. Well, that changes today,” Monaco said.

    The action, unveiled at the Aspen Cyber Summit, is part of a broader Biden administrative effort to incentivize contractors and private companies to share information with the government about breaches and to bolster their own cybersecurity defenses. Officials have repeatedly spoken of the need for better private sector engagement as the government confronts ransomware attacks that in the last year have targeted critical infrastructure and major corporations, including a major fuel pipeline.

  32. Tomi Engdahl says:

    Ransomware Risk Assessment Service Aims to Deflect Attacks
    https://www.securityweek.com/ransomware-risk-assessment-service-aims-deflect-attacks

    The function of cybersecurity is not to eliminate all attacks and compromises – that’s impossible – but to make the attack so expensive and time-consuming on the attacker that he simply moves on to an easier target. That is the purpose of a new product/service designed to make commodity ransomware attacks less easy for the attacker.

    Security experts at Qualys have analyzed 36 leading ransomware families and their attacks over the last five years. They find that unpatched vulnerabilities, device misconfigurations, internet-facing assets and unauthorized software consistently rank among the top attack vectors.

    Leveraging its own VMDR cloud platform and applying the results of its research, Qualys has developed a tailored service – the Ransomware Risk Assessment Service – designed to detect and remediate the most common routes taken by ransomware attacks.

    Their researchers isolated the 110 CVEs most used by the criminals in these attacks. In almost all cases, these vulnerabilities have been patched by the vendor, but left unpatched by the victim. For example, the top five CVEs exploited by ransomware gangs are CVE-2013-1493 (used by Exxroute, vendor patched in March 2013); CVE-2013-0431 (used by Reveton, patched in February 2013); CVE-2012-1723 (Urausy, June 2012); CVE-2019-1458 (NetWalker, December 2019); and CVE-2018-12808 (Ryuk/Conti, August 2018).

    If these CVEs had been patched by the victims, the attacker would be required to find a different entry point, or just as likely moved on to an unpatched site. As it stands, a Qualys report suggests that just these five CVEs have, through ransomware, “negatively impacted millions of assets across organizations worldwide.”

    The importance of patching is well understood – the continued failure of organizations to patch thoroughly is less easy to understand. A study by Trustwave at the end of September 2021 found that despite all the warnings and publicity, more than 20% of the world’s Microsoft Exchange Server installations had not patched the ProxyShell and ProxyLogon vulnerabilities by August 31, 2021. This is concerning. If whitehat researchers can discover these servers, it is certain the blackhat criminals also know them.

    Telemetry Report Shows Patch Status of High-Profile Vulnerabilities
    https://www.securityweek.com/telemetry-report-shows-patch-status-high-profile-vulnerabilities

  33. Tomi Engdahl says:

    Audit: Cybersecurity Weak for Many Kansas School Districts
    https://www.securityweek.com/audit-cybersecurity-weak-many-kansas-school-districts

    Many Kansas school districts aren’t taking basic steps to protect their computer systems and the privacy of sensitive information collected about students, according to a legislative audit released Tuesday.

    The report from the Legislature’s auditing agency based its conclusions on a survey sent to the state’s 286 local school districts, with 147, or 51%, responding.

    School Districts’ Self-Reported IT Security Practices and Resources
    https://www.kslpa.org/audit-report-library/school-districts-self-reported-it-security-practices-and-resources/

  34. Tomi Engdahl says:

    The New Paradigm for Work from Anywhere: Zero Trust Network Access (ZTNA)
    https://www.securityweek.com/new-paradigm-work-anywhere-zero-trust-network-access-ztna

    It is important to listen to early adopters of ZTNA, as they can provide insights into key factors to success and help avoid pitfalls

    While most of us might get tired of talking about the impact of the pandemic on today’s cybersecurity, we also need to acknowledge and accept that the future state of work is a hybrid one.

    In this new work from anywhere era, traditional security perimeters have become obsolete as each employee’s home office effectively became an extension of the corporate office. In addition, many organizations accelerated their digital transformation by moving their workloads to the cloud. These dynamic changes lead to an expanded attack surface that requires a rethinking of how access to enterprise resources is granted.

    In today’s perimeter-less environment, security practitioners can no longer assume implicit trust among applications, users, devices, services, and networks. That’s why many organizations have started to embrace a Zero Trust approach and are considering augmenting their conventional network access security concepts such as virtual private networks (VPNs) and demilitarized zones (DMZs) with Zero Trust Network Access (ZTNA) solutions. However, what best practices should security practitioners apply when implementing these emerging solutions?

    ZTNA solutions create an identity- and context-based, logical access boundary around an application or a set of applications. Access is granted to users based on a broad set of factors, for instance, the device being used, as well as other attributes such as the device posture (e.g., if anti-malware is present and functioning), time/date of the access request, and geolocation. Upon assessing the contextual attributes, the solution then dynamically offers the appropriate level of access at that specific time. As there is a constant change in the risk levels of users, devices, and applications, access decisions are made for each individual access request.

    While many organizations have reported that they still leverage traditional VPN for some of their legacy applications, most commonly ZTNA is implemented to augment VPNs as part of a bigger initiative towards a Secure Access Service Edge (SASE) paradigm. ZTNA offers an approach that centralizes the access policies and allows for very granular access controls, limiting users to only the applications that they are entitled to access, unlike a traditional VPN, which allows full tunnel access to an entire network segment. In turn, any lateral movement in the network is inherently ruled out. Furthermore, ZTNA provides a reliable isolation of an organization’s applications from the Internet, as they’re hidden from discovery, and access in turn is restricted via a trust broker to a set of named entities.

    Building a Secure Remote Connection Solution for Today’s Business
    https://www.securityweek.com/building-secure-remote-connection-solution-todays-business

    The need for secure and reliable connectivity continues to be top of mind for many organizations. The persistence of the pandemic is making this essential. But even if it wasn’t, many organizations are now committed to implementing permanent hybrid work and learning models, where employees and students alternate between on-premises and remote participation. The challenge of this transition involves more than just simple connectivity. Issues like reliability, scalability, and flexibility are essential to maintaining quality of experience (QoE) for users, without sacrificing protection for application performance.

    Two solutions that every organization needs to secure and connect a work-from-anywhere (WFA) strategy are Zero Trust Network Access (ZTNA) and Secure SD-WAN.

    Zero Trust Network Access

    Many organizations rely on virtual private networks (VPNs) to create encrypted tunnels back to the company network. One new technology that is rapidly becoming crucial for organizations looking to evolve their VPN remote access is zero-trust network access (ZTNA). It simplifies secure connectivity by providing seamless, per-use access to applications, no matter where the user or application may be located.

    ZTNA is also a critical extension of a zero trust security strategy. Zero trust assumes that every user or device is potentially compromised. As a result, access to resources is only granted after verifying the user and device. It also follows the least privilege principle, which means that once a user and device have been authenticated, access is only granted to those resources needed to do their job. Connections are then monitored to ensure that they comply with policy.

    ZTNA applies this same principle to application access. Unless specified by policy, location does not necessarily grant trust, so where a user is working from becomes irrelevant. This means that the same zero trust approach applies no matter where a user or device is physically located, so access to business-critical applications is consistently protected across hybrid worker and network models. ZTNA also only grants per-session access to individual applications and workflows, even after a user and/or device has been authenticated. This multi-step process happens automatically and invisibly. Users are verified and authenticated to ensure they are allowed to access an application before being granted access. And every device is also checked to ensure the device meets the application access policy. And these checks happen each time an application is accessed. And beyond simple password authentication, authorization also leverages a variety of contextual information, including user role, device type, device compliance, location, time, and how a device or user is connecting to the network or resource.

    A true zero-trust approach to cybersecurity is a complex process that touches many systems and may take years to fully implement. But because ZTNA is much simpler to deploy, it can be run independently, to augment other systems, such as VPN or as a good first step as part of a larger ZTA strategy.

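The per-request, context-based access decision that the two SecurityWeek articles quoted above describe, written out as an added example (this is illustration code, not SecurityWeek's or any ZTNA vendor's): each published application carries a policy naming the entitled roles, the allowed countries and hours, and the device posture it requires; every request is evaluated from scratch with nothing carried over from the previous session, and a degraded posture (unpatched OS) yields a reduced access level instead of full access. The applications, roles, users, devices and thresholds are constructed for the illustration.

```python
"""Per-request, context-based access decisions in the style of a ZTNA trust broker.

Added example: policies, users and devices below are constructed, not taken from any product.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in the organization's device management
    antimalware_running: bool   # posture signal: anti-malware present and functioning
    os_patched: bool            # posture signal: OS at the required patch level


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device: Device
    app: str
    country: str                # geolocation of the request (ISO country code)
    requested_at: datetime


@dataclass
class AppPolicy:
    roles: frozenset                    # roles entitled to the application at all
    countries: frozenset                # geolocations from which access is allowed
    hours: tuple = (0, 24)              # allowed hours, half-open [start, end)
    require_managed: bool = True
    require_antimalware: bool = True
    degrade_if_unpatched: bool = True   # unpatched OS -> read-only rather than deny


def decide(req: AccessRequest, policies: Dict[str, AppPolicy]) -> Tuple[str, str]:
    """Return (level, reason) where level is 'full', 'read-only' or 'deny'.

    Evaluated for every request; no state is carried between calls, so a device
    whose posture changes between two requests gets a different answer the second time.
    """
    pol = policies.get(req.app)
    if pol is None:
        return "deny", "unknown application"     # unpublished apps are not discoverable
    if req.role not in pol.roles:
        return "deny", "role not entitled"
    if req.country not in pol.countries:
        return "deny", "geolocation not allowed"
    start, end = pol.hours
    if not (start <= req.requested_at.hour < end):
        return "deny", "outside allowed hours"
    if pol.require_managed and not req.device.managed:
        return "deny", "unmanaged device"
    if pol.require_antimalware and not req.device.antimalware_running:
        return "deny", "anti-malware not running"
    if not req.device.os_patched:
        if pol.degrade_if_unpatched:
            return "read-only", "OS unpatched: access degraded"
        return "deny", "OS unpatched"
    return "full", "all checks passed"


# Constructed policies: payroll is tightly scoped, the wiki is open to BYOD devices.
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(roles=frozenset({"finance"}), countries=frozenset({"FI", "SE"}), hours=(7, 19)),
    "wiki": AppPolicy(roles=frozenset({"finance", "engineering"}), countries=frozenset({"FI", "SE", "DE"}),
                      require_managed=False, require_antimalware=False),
}


def sample_decisions() -> Dict[str, Tuple[str, str]]:
    """Run a constructed set of requests through the broker and return each outcome."""
    laptop_ok = Device("lt-001", managed=True, antimalware_running=True, os_patched=True)
    laptop_stale = Device("lt-002", managed=True, antimalware_running=True, os_patched=False)
    byod = Device("phone-9", managed=False, antimalware_running=False, os_patched=True)
    day = datetime(2021, 10, 6, 10, 0)
    night = datetime(2021, 10, 6, 23, 30)
    cases = {
        "finance_ok": AccessRequest("alice", "finance", laptop_ok, "payroll", "FI", day),
        "finance_unpatched": AccessRequest("alice", "finance", laptop_stale, "payroll", "FI", day),
        "finance_night": AccessRequest("alice", "finance", laptop_ok, "payroll", "FI", night),
        "engineer_payroll": AccessRequest("bob", "engineering", laptop_ok, "payroll", "FI", day),
        "byod_wiki": AccessRequest("bob", "engineering", byod, "wiki", "DE", day),
        "byod_payroll": AccessRequest("alice", "finance", byod, "payroll", "FI", day),
        "unknown_app": AccessRequest("alice", "finance", laptop_ok, "hr-portal", "FI", day),
    }
    return {name: decide(req, POLICIES) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (level, reason) in sample_decisions().items():
        print(f"{name:18s} -> {level:9s} ({reason})")
```

The order of the checks matters for what a denied user learns: entitlement and geolocation are refused before any device posture is examined, so the broker never confirms to an unentitled caller which posture an application expects. The "read-only" level is the degraded access the article refers to as "the appropriate level of access at that specific time"; a real broker would map it onto whatever reduced scope the application supports.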
  35. Tomi Engdahl says:

    Superhero Passwords Pose Serious Risk to Personal, Enterprise Accounts
    https://www.securityweek.com/superhero-passwords-pose-serious-risk-personal-enterprise-accounts

    Superheroes may be able to save everyone in a fantasy world, but they can’t keep online accounts secure in the digital era, Mozilla warns.

    With hundreds of thousands of occurrences in breach datasets, superhero passwords aren’t a strong account protection method, even when the real identities of superheroes are used instead.

    Data from breach notification website haveibeenpwned.com reveals that thousands of users choose to protect their online accounts with superhero names, thus weakening their protection.

    With more than 328,000 occurrences in breach datasets, Superman is the most commonly used superhero password, followed by Batman (more than 226,000 occurrences) and Spider-Man (slightly over 160,000 occurrences).

    Wolverine, Ironman, Wonder Woman, and Daredevil are also popular, emerging tens of thousands of times in datasets.

    The real identities of superheroes are also poor choices for passwords. James Howlett/Logan was seen more than 30,000 times in datasets and Clark Kent, Bruce Wayne, Peter Parker and Tony Stark had thousands of occurrences each as well.

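A defensive counterpart to the figures above, added here as an example (not Mozilla's or haveibeenpwned's code): a denylist check that normalizes a candidate password (lowercasing, undoing common letter-for-digit substitutions, dropping separators) before looking for the superhero names and civilian identities the article lists. The term list, the length threshold and the minimum term length are constructed for the illustration; a real deployment would load a much larger breach-derived list and keep the same normalization on both sides of the comparison.

```python
"""Rejecting passwords built on breach-frequent names, with normalization on both sides.

Added example; the denylist below is the handful of names quoted in the article,
not a real breach corpus.
"""
import re
from typing import List, Optional

DENYLIST_TERMS = [
    "Superman", "Batman", "Spider-Man", "Wolverine", "Ironman", "Wonder Woman", "Daredevil",
    "James Howlett", "Logan", "Clark Kent", "Bruce Wayne", "Peter Parker", "Tony Stark",
]

# Common letter-for-digit/symbol substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def normalize(value: str) -> str:
    """Lowercase, undo leet substitutions, and drop every remaining non-letter.

    'Sup3rm4n_2021!' -> 'supermanoii' (digits with no leet mapping are simply dropped).
    """
    return re.sub(r"[^a-z]", "", value.lower().translate(LEET))


# Normalize the denylist the same way so 'Spider-Man' and 'spiderman' compare equal;
# longest terms first so the most specific match is reported.
DENYLIST = tuple(sorted({normalize(t) for t in DENYLIST_TERMS}, key=len, reverse=True))


def weak_name_match(password: str, min_term_len: int = 6) -> Optional[str]:
    """Return the denylisted term found inside the normalized password, or None.

    Substring matching is deliberate: it catches 'superman2021' and 'iambatman'.
    Terms shorter than min_term_len are skipped because they flag unrelated words
    ('logan' inside 'sloganeering'); that threshold is a constructed trade-off.
    """
    norm = normalize(password)
    for term in DENYLIST:
        if len(term) >= min_term_len and term in norm:
            return term
    return None


def evaluate(password: str, min_len: int = 12) -> List[str]:
    """Return the list of failed rules; an empty list means the password passes."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    term = weak_name_match(password)
    if term is not None:
        failures.append(f"contains breach-frequent name '{term}'")
    return failures


if __name__ == "__main__":
    for candidate in ["Sup3rm4n2021!", "Bruce_Wayne99", "correct horse battery staple"]:
        print(repr(candidate), "->", evaluate(candidate) or "ok")
```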
  36. Tomi Engdahl says:

    https://www.facebook.com/groups/2600net/permalink/3138284516394652/
    Phrack! We’re back! It was only five years ago that issue 0x45 was released. It may sound bad, but it is also, indeed, quite bad. Issue 0x45 was released four years after issue 0x44. And we are now five years after that. Just trying to set the context here. The world is so different and so many things have happened in these five years that it makes no sense trying to make any point. Phrack has always been a reflection of the hacking community, and guess what, the community is moving away from itself. By this we don’t mean that there are no talented hackers, because there most definitely are (just take a look at our authors). We also don’t mean that there is no exquisite public hacking, because there is (again, our articles as proof). However, there is a clear move away from the collective hacking mindset that was most prevalent in the past. The word “scene” brings only smirks to people’s faces. There are many reasons for this, and we are all to blame [1]…

    http://www.phrack.org/issues/70/1.html

  37. Tomi Engdahl says:

    Christopher Bing / Reuters:
    TSA to mandate that critical US railroad and aviation companies name a chief cyber official, disclose hacks to the government, and draft hack recovery plans

    U.S. to tell critical rail, air companies to report hacks, name cyber chiefs
    https://www.reuters.com/article/usa-cyber-railways-exclusive-idUSKBN2GW1LP

    (Reuters) - The Transportation Security Administration will introduce regulations that compel the most important U.S. railroad and airport operators to improve their cybersecurity procedures, Homeland Security Secretary Alejandro Mayorkas said on Wednesday.

    The upcoming changes will make it mandatory for “higher-risk” rail transit companies and “critical” U.S. airport and aircraft operators to do three things: name a chief cyber official, disclose hacks to the government and draft recovery plans for if an attack were to occur.

    The planned regulations come after cybercriminals attacked a major U.S. pipeline operator, causing localized gas shortages along the U.S. East Coast in May. The incident led to new cybersecurity rules for pipeline owners in July.

    “Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security,” Mayorkas said. “The last year and a half has powerfully demonstrated what’s at stake.”

  38. Tomi Engdahl says:

    Chris Bing / Reuters:
    DOJ says it will create a National Cryptocurrency Enforcement Team, focusing on crimes by exchanges and other services, recovering lost assets, and more

    U.S. Justice Dept launches new initiatives on cryptocurrencies, contractor hacks
    https://www.reuters.com/world/us/us-justice-dept-launches-new-initiatives-cryptocurrencies-contractor-hacks-2021-10-06/

  39. Tomi Engdahl says:

    Cyber threats must be prepared for in time – ”can, if necessary, be equated with an armed attack”
    TIVI, 1.10.2021 09:24 (tags: Cyber war, Digitalization, Hackers)
    A large-scale cyber attack against Finland can, in its effects, be equated with a corresponding armed attack, says Catharina Candolin. In that case we should have the readiness to respond.
    https://www.tivi.fi/uutiset/tv/7e3c01f8-fb5c-4988-9e06-5fa34728425c

    Cyber attacks and cyber security are not only national matters. Responsibility extends beyond one’s own borders as well.

    ”Under international law Finland has the right, even the obligation, to defend itself if Finland’s infrastructure is used for an attack against another country”, cyber security expert Catharina Candolin says.

    For our countermeasures to be possible, we should have the capability for attribution, that is, for showing who the attacker is. In addition, the political will to do so is needed.

    According to Candolin, we could afford to sharpen our line.

  40. Tomi Engdahl says:

    Breakthrough in biometric identification on payment cards
    https://etn.fi/index.php/13-news/12646-laepimurto-maksukortin-biometrisessae-tunnistuksessa

    For payment cards there is a desire to get away from keying in PIN codes. The fingerprint sensor has been making its way onto cards for quite some time, but the technology has involved many challenges. Now a Swedish sensor manufacturer says it has developed, together with Infineon, a solution that promises a revolution in biometric cards.

    Fingerprint Cards can now perform the biometric verification of a fingerprint entirely on Infineon’s secure smart chip (Secure Element). This makes the cards cheaper to manufacture and easier to develop. According to many experts, user verification was not supposed to be possible on the smart chip.

    Fingerprint Cards and Infineon combined Infineon’s SLC38 chip, manufactured in a 40-nanometer process, with Fingerprint’s T-Shape 2 sensor module and the latest biometric software.

  41. Tomi Engdahl says:

    Telemetry Report Shows Patch Status of High-Profile Vulnerabilities
    https://www.securityweek.com/telemetry-report-shows-patch-status-high-profile-vulnerabilities

    A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user.

  42. Tomi Engdahl says:

    Ransomware in the CIS
    https://securelist.com/cis-ransomware/104452/
    These days, when speaking of cyberthreats, most people have in mind ransomware, specifically cryptomalware. In 2020–2021, with the outbreak of the pandemic and the emergence of several major cybercriminal groups (Maze, REvil, Conti, DarkSide, Avaddon), an entire criminal ecosystem took shape, leading to a mounting worldwide wave of attacks on large organizations with pockets deep enough to pay a ransom in the hundreds of thousands, even millions, of US dollars.

  43. Tomi Engdahl says:

    Ransom disclosure law would give firms 48 hours to disclose ransomware payments https://www.tripwire.com/state-of-security/featured/ransom-disclosure-law-48-hours-disclose-payments-ransomware-gangs/
    Organisations who find their networks hit by a ransomware attack may soon have to disclose within 48 hours any payments to their extortionists. That’s the intention of the Ransom Disclosure Act, a new bill proposed by US Senator Elizabeth Warren and Representative Deborah Ross. Ransomware victims are not currently required to report attacks or ransom payments to federal authorities, but the new bill would require all ransomware victims (excluding individuals) to disclose the following information within 48 hours of a ransom payment.

  44. Tomi Engdahl says:

    The Real Cost of Ransomware
    https://securityintelligence.com/articles/real-cost-of-ransomware/
    Ransomware is an expensive cybercrime and getting more so all the time. Payouts have risen massively in the past few years. But while ransomware payment amounts make headlines, the real costs go far beyond what’s paid to the attackers. Ransomware has always been a problem. But in recent years, attackers have gotten really good at it.
