Cyber security trends for 2021

Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” post before the year started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that other people have predicted or reported.

The state of internet security in 2020 was rough, and the trends that stormed last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, it is now rather ‘bring your own office’.

2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.

Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks that exploit contemporary issues, and continued frequent and significant data breaches. I can pretty much agree with those. Cybersecurity must adapt to counter new threats in a transformed world.

The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”

For 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments (WAN, multi-cloud, data center, remote worker, IoT, and more), each with its own unique risks.

DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline, but victims are being urged not to give in to the demands.

One sure bet is that ransomware attacks will only escalate further this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020 ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, and then they threaten to publish your most sensitive data for everyone to see if you don’t pay up. As a result, even ransomware victims that have backups are paying ransoms to stop the attackers from leaking their stolen data.

Modern cybercrime is becoming increasingly open-sourced: some of the most sophisticated and notorious cybercriminals already use open-source tools to conduct their criminal activities, and this will increase.

Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and whether the people who answered the survey have really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.

The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands, and it is only getting worse: while cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought; the supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues are moving to the cloud, so we need more people who know both security and cloud. The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).

The Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.

Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.

A new version of the OWASP Top 10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, so that everyone is able to reproduce the results, and to present it to the entire community for feedback.

The Privacy is an illusion. But that‘s a good thing article says that everyone’s information is available; it doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.

The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.

The Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs, requiring vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security; the US House of Representatives, for instance, introduced H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020. There are also NIST recommendations such as NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens, and ENISA Publishes Guidelines on Securing the IoT Supply Chain.

7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.

IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.

2,203 Comments

  1. Tomi Engdahl says:

    Noah Smith / Washington Post:
    A look at US Cyber Games, jointly founded in April by the US government, academia, and the private sector to find and train candidates for cybersecurity careers
    https://www.washingtonpost.com/video-games/2021/10/15/cybersecurity-hacks-esports/

  2. Tomi Engdahl says:

    Deepfence Open Sources Vulnerability Mapping Tool ‘ThreatMapper’
    https://www.securityweek.com/deepfence-open-sources-vulnerability-mapping-tool-threatmapper

    Cloud and container security company Deepfence this week announced the open source availability of ThreatMapper, a tool designed to help organizations scan for, map, and rank application vulnerabilities.

    By performing post-deployment scans of applications and infrastructure, the platform seeks to identify emerging threats in both first-party and third-party solutions.

    Designed to work across a wide range of environments, including serverless, container, and multi-cloud, ThreatMapper brings together feeds from over 50 different sources to identify software supply chain vulnerabilities and help organizations better respond to them.

    ThreatMapper can discover and map services, cloud resources, and third-party APIs; scans resources for known vulnerable dependencies; and ranks identified security errors to help organizations prioritize patching.

    Already fast-evolving, ThreatMapper is expected to gain new capabilities from the open source community, such as a misconfiguration scanner, compliance-related hardening, and more runtime capabilities.

    https://github.com/deepfence/ThreatMapper

  3. Tomi Engdahl says:

    This malware botnet gang has stolen millions with a surprisingly simple trick https://www.zdnet.com/article/this-relentless-malware-botnet-has-made-millions-with-a-surprisingly-simple-trick/
    The long-running botnet known as MyKings is still in business and has raked in at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies.

  4. Tomi Engdahl says:

    US links $5.2 billion worth of Bitcoin transactions to ransomware https://www.bleepingcomputer.com/news/security/us-links-52-billion-worth-of-bitcoin-transactions-to-ransomware/
    The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has identified roughly $5.2 billion worth of outgoing Bitcoin transactions likely tied to the top 10 most commonly reported ransomware variants. Also:
    https://therecord.media/treasury-said-it-tied-5-2-billion-in-btc-transactions-to-ransomware-payments/

  5. Tomi Engdahl says:

    CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems https://thehackernews.com/2021/10/cisa-issues-warning-on-cyber-threats.html
    The U.S. Cybersecurity Infrastructure and Security Agency (CISA) on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater facilities (WWS), highlighting five incidents that occurred between March 2019 and August 2021. Also:
    https://us-cert.cisa.gov/ncas/alerts/aa21-287a

  6. Tomi Engdahl says:

    Check your iPhone for compromised passwords… NOW!
    https://www.zdnet.com/article/check-your-iphone-for-compromised-passwords-now/
    But thankfully iOS makes it quite easy to do a quick audit of your passwords for compromised passwords, allowing you to change them before problems escalate.

  7. Tomi Engdahl says:

    When Is an Attack not an Attack? The Story of Red Team Versus Blue Team https://securityintelligence.com/articles/red-team-versus-blue-team-attack/
    Cybersecurity experts fill our days with terminology from warfare, including jargon such as red team versus blue team. The concept of ‘red team’ has its origin in wargaming. The red team plays an opposing force and attempts to bypass the barriers of the defending or blue team.

  8. Tomi Engdahl says:

    How Attackers Hack Humans
    https://www.darkreading.com/edge-articles/how-attackers-hack-humans
    Inside their motivations, how they go about it — and what businesses can do about it, according to Counterintelligence Institute founder Peter Warmka.

  9. Tomi Engdahl says:

    Welcome to Britain, the bank scam capital of the world https://www.reuters.com/world/uk/welcome-britain-bank-scam-capital-world-2021-10-14/
    A British record of 754 million pounds ($1 billion) was stolen in the first six months of this year, up 30% from the same period in 2020, according to data from banking industry body UK Finance, and up more than 60% from 2017, when it began compiling the figures.

  10. Tomi Engdahl says:

    Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes https://unit42.paloaltonetworks.com/exploits-interactsh/
    Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful.
    It can be used by researchers but also by attackers to validate vulnerabilities via real-time monitoring on the trace path for the domain.

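A defender’s counterpart to the Unit 42 observation, added here as an illustration and not taken from the Unit 42 post: a small scan over web server access logs for hostnames under public OAST (out-of-band application security testing) callback domains such as interact.sh. Seeing one of these in a request parameter usually means someone is testing whether an SSRF, XXE or injection payload reaches out from your infrastructure. The domain list, the log lines and the treatment of the leading label as a per-session correlation ID are assumptions constructed for this example.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Callback domains used by public interactsh-style (OAST) servers. The list is
# an assumption for the example; extend it with any self-hosted interactsh
# server names seen in your environment.
OAST_DOMAINS = (
    "interact.sh", "oast.pro", "oast.live", "oast.site",
    "oast.online", "oast.fun", "oast.me", "burpcollaborator.net",
)

# One hostname label followed by an OAST domain. The label is the per-session
# ID the tester (or attacker) polls the OAST server for; the lookarounds stop
# "interact.sh" from matching inside look-alikes such as "interact.shop".
OAST_RE = re.compile(
    r"(?<![a-z0-9-])(?P<session>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)\."
    r"(?P<domain>" + "|".join(re.escape(d) for d in OAST_DOMAINS) + r")"
    r"(?![a-z0-9.-])",
    re.IGNORECASE,
)


def find_oast_callbacks(log_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag log lines whose request carries an OAST callback hostname.
    Lines are URL-decoded first because payloads in query strings, headers
    and bodies are usually percent-encoded."""
    hits: List[Dict[str, object]] = []
    for line_no, raw in enumerate(log_lines, 1):
        decoded = unquote(raw)
        for m in OAST_RE.finditer(decoded):
            hits.append({
                "line": line_no,
                "session": m.group("session").lower(),
                "domain": m.group("domain").lower(),
                "client": raw.split(" ", 1)[0],  # first field of a combined-format line
            })
    return hits


# Constructed access log in combined format. Lines 2 and 4 carry an OAST
# callback in a query parameter; line 5 is a look-alike that must not fire.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Oct/2021:10:01:05 +0000] "GET /fetch?url=http://c6bq2mp8h2e3m6bl2lhvg.interact.sh/x HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '198.51.100.7 - - [19/Oct/2021:10:01:07 +0000] "POST /api/import HTTP/1.1" 500 0 "-" "python-requests/2.25"',
    '198.51.100.7 - - [19/Oct/2021:10:01:09 +0000] "GET /?q=%3Cimg%20src%3D%22http%3A%2F%2Fprobe1.oast.fun%2Fa%22%3E HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Oct/2021:10:01:11 +0000] "GET /?ref=news.interact.shop HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_oast_callbacks(SAMPLE_LOG):
        print(hit)
```

The same regex works on DNS resolver logs and outbound proxy logs, which is where the callback actually shows up if the payload fired; a hit in the access log tells you someone tried, a hit in the egress logs tells you it worked.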
  11. Tomi Engdahl says:

    Virus Bulletin: Old malware never dies it just gets more targeted https://www.welivesecurity.com/2021/10/15/virus-bulletin-old-malware-never-dies-gets-more-targeted/
    Virus Bulletin this year brought a fresh batch of amped-up, refreshed malware with lots more horsepower and devilish amounts of custom-tailored targeting. From singled-out political activist individual targets to regionalized targets, malware’s aim is getting better

  12. Tomi Engdahl says:

    “Killware”: Is it just as bad as it sounds?
    https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad-as-it-sounds/
    On October 12, after interviewing US Secretary of Homeland Security Alejandro Mayorkas, USA TODAY’s editorial board warned its readers about a dangerous new form of cyberattack under this eye-catching headline: “The next big cyberthreat isn’t ransomware. It’s killware. And it’s just as bad as it sounds.”

  13. Tomi Engdahl says:

    BlackMatter Ransomware
    https://us-cert.cisa.gov/ncas/alerts/aa21-291a
    First seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

  14. Tomi Engdahl says:

    In Cyberwar, Attribution Can Be Impossible and That’s OK https://www.darkreading.com/analytics/in-cyberwar-attribution-can-be-impossible—and-that-s-okay
    For most of human history, battle lines have been clearly demarcated.
    Physical borders, trenches, and satellite imagery have shown us launch sites, front lines, and enemy targets. Technology has allowed opponents to trace every inch of a weapon’s path. Historically, we have been able to determine the source of a strike and know who we’re up against with clarity.

  15. Tomi Engdahl says:

    Third-Party Attacks Are Increasing, But Third-Party Risk Management Is Failing
    https://www.securityweek.com/third-party-attacks-are-increasing-third-party-risk-management-failing

    The risks associated with supply chain (for software and services) is huge and growing. A new report shows that boardroom awareness and budgets for third-party risk management has increased; but this is not necessarily translating into effective action.

    Over the last year, major attacks such SolarWinds, Kaseya and Accellion have brought third party risk to top of mind. A new report from BlueVoyant, a firm that provides third-party cyber risk management, examines current attitudes to this risk. The report (PDF download) surveyed 1,200 CIOs, CISOs and CPOs (Chief Procurement Officers) with responsibility for this risk.

    It found a rising awareness of the urgency of the threat. Last year, 31% of companies said this risk was not on their radar. This has now dropped to 13%. Last year, 14% of companies reported third party vendors in excess of 1000. This has more than doubled to 31% of companies – although BlueVoyant suspects the dramatic increase is more to do with increased awareness than with a major rise in the use of third parties.

    Over the last year, the number of companies reporting an increase in budget for third party security risk management has increased from 81% to 91% – but that hasn’t translated into a meaningful improvement in tackling the risk. The main problem is it is still frequently treated as a GRC issue; that is, an annual perhaps paper-based audit for each third-party vendor. This does not reflect the continuous and ongoing nature of third-party risk.

    The frequency with which vendors are assessed has fallen over the last year, making the problem worse rather than better. Forty-seven percent of companies now audit or report on vendor security no more than twice per year. This is an increase from 32% in 2020. It is no surprise that 38% of the survey respondents said they have no way of knowing when or if an issue arises with a third-party supplier’s cybersecurity, up from 29% last year.

    “The trends that we’ve identified,” Adam Bixler, global head of third party cyber risk management at BlueVoyant, told SecurityWeek, “are that spending is increasing mostly because of these notable events that have been in the news, but we haven’t necessarily seen operationalization where those budgets are being applied for continuous monitoring and actual risk reduction. The good news is there is awareness and budget is following. Now it’s a matter of tuning that budget appropriately for risk reduction.”

  16. Tomi Engdahl says:

    Banks Informed U.S. Treasury of $590 Million in Ransomware Payments
    https://www.securityweek.com/banks-informed-us-treasury-590-million-ransomware-payments

    The United States Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has identified a total of 177 cryptocurrency wallets associated with the top 10 most commonly reported ransomware variants during the first half of the year.

    In a report detailing ransomware-related financial transactions, FinCEN reveals that these 177 unique wallet addresses were used to make $5.2 billion in outgoing Bitcoin transactions, most of which could be potentially related to ransomware.

    Between January 1 and June 30, 2021, there were 635 ransomware-related suspicious activity reports (SARs) filed by financial institutions, including 458 transactions that occurred in this timeframe.

    The total value of the suspicious activity was $590 million, significantly higher than the $416 million registered for the entire 2020. The registered transactions for the first half of the year amounted to $398 million — the difference represents transactions registered before January 1, 2021.

    FinCEN estimates that, by the end of the year, the ransomware-related transaction value of filed reports will be higher than that of the reports filed over the past 10 years combined.

    “The transition to remote and online work in response to COVID-19 has also exacerbated risks and vulnerabilities of businesses to cyberattacks such as ransomware. Attacks on small municipalities and healthcare organizations have also increased, typically due to perceived weaker security controls and higher propensity of these victims to pay the ransom because of the criticality of their services, particularly during a global health pandemic,” FinCEN notes.

    Most of the ransomware-related payments during the first half of the year were of less than $250,000, with a median average payment of $102,273, slightly higher compared with the $100,000 registered during the first six months of last year.

  17. Tomi Engdahl says:

    Password Auditing Tool L0phtCrack Released as Open Source
    https://www.securityweek.com/password-auditing-tool-l0phtcrack-released-open-source

    The password auditing and recovery tool L0phtCrack is now open source and the project is looking for both maintainers and contributors.

    First released in 1997, L0phtCrack can be used to test password strength and recover lost Windows passwords via dictionary, brute-force, and other types of attacks.

    L0phtCrack was originally developed by Peiter Zatko, also known as Mudge, of the L0pht hacker think tank. L0pht then merged with @stake, which was acquired by Symantec in 2004. It was owned by Symantec between 2004 and 2009, when it was acquired from the cybersecurity firm by Zatko and other original authors. By that time, Symantec had stopped selling the tool.

    Terahash announced buying L0phtCrack in 2020, but it was repossessed in July 2021 after Terahash defaulted on its instalment sale loan.

    When the announcement was made in July, its owners said L0phtCrack would no longer be sold or supported.

    L0phtCrack is Now Open Source
    https://l0phtcrack.gitlab.io/

    L0phtCrack 7.2.0 has been released as an open source project, and is seeking both maintainers and contributors.

    As of July 1, 2021, the L0phtCrack software is no longer owned by Terahash, LLC. It has been repossessed by the previous owners, formerly known as L0pht Holdings, LLC for Terahash defaulting on the installment sale loan.

    L0phtCrack is no longer being sold. The current owners have no plans to sell licenses or support subscriptions for the L0phtCrack software. All sales have ceased as of July 1, 2021.

  18. Tomi Engdahl says:

    Many Prometheus Endpoints Expose Sensitive Data
    https://www.securityweek.com/many-prometheus-endpoints-expose-sensitive-data

    Unprotected instances of open source event monitoring solution Prometheus may leak metric and label data to the Internet, software company JFrog warns.

    Designed to harvest real-time metrics from various endpoints, Prometheus enables organizations to keep a close eye on systems’ state, network usage, and the like. Close to 800 cloud-native platforms, including Slack and Uber, leverage the solution.

    In January 2021, Prometheus added support for Transport Layer Security (TLS) and basic authentication, to prevent access to the captured metrics. However, numerous Prometheus endpoints that are accessible from the Internet were found to leak metric and label data, JFrog reveals.

    https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/

    Prometheus is an open-source, metrics-based event monitoring and alerting solution for cloud applications. It is used by nearly 800 cloud-native organizations including Uber, Slack, Robinhood, and more. By scraping real-time metrics from various endpoints, Prometheus allows easy observation of a system’s state in addition to observation of hardware and software metrics such as memory usage, network usage and software-specific defined metrics (ex. number of failed login attempts to a web application).

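To make the JFrog finding concrete, here is an added example (written for this page, not JFrog’s tooling) that parses Prometheus text exposition output and flags label values that look like leaked secrets or internal topology: credentials embedded in connection strings, cloud access key IDs, private addresses, and labels whose names suggest they hold a password or token. The sample /metrics text and the detection patterns are constructed for the example; the point is that an exposed /metrics endpoint is worth grepping before an attacker does.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple

# One sample line of the text exposition format:
#   metric_name{label="value",...} value [timestamp]
# (label values containing a literal "}" are not handled by this simple regex)
SAMPLE_RE = re.compile(
    r"^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)"
)
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:\\.|[^"\\])*)"')


class Finding(NamedTuple):
    line_no: int
    metric: str
    label: str
    value: str
    reason: str


# Heuristics for label values that should never be served to the Internet.
# These patterns are assumptions for the example, not JFrog's rule set.
VALUE_PATTERNS: List[Tuple[str, "re.Pattern"]] = [
    ("credentials embedded in URL", re.compile(r"://[^/\s:@]+:[^/\s@]+@")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private IPv4 address", re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
]
# Label names that are suspicious regardless of the value they carry.
NAME_RE = re.compile(r"(?i)(?:token|secret|password|passwd|api[_-]?key)")


def parse_exposition(text: str) -> Iterator[Tuple[int, str, Dict[str, str]]]:
    """Yield (line number, metric name, labels) for each sample line,
    skipping HELP/TYPE comments and blank lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m:
            labels = dict(LABEL_RE.findall(m.group("labels") or ""))
            yield line_no, m.group("name"), labels


def scan(text: str) -> List[Finding]:
    """Return one finding per label whose value or name looks sensitive."""
    findings: List[Finding] = []
    for line_no, metric, labels in parse_exposition(text):
        for label, value in labels.items():
            reason = next((r for r, pat in VALUE_PATTERNS if pat.search(value)), None)
            if reason is None and NAME_RE.search(label):
                reason = "sensitive label name"
            if reason is not None:
                findings.append(Finding(line_no, metric, label, value, reason))
    return findings


# Constructed /metrics output; no real system or credential is represented.
SAMPLE_METRICS = """\
# HELP http_requests_total Total HTTP requests
# TYPE http_requests_total counter
http_requests_total{method="GET",path="/api/v1/users"} 1027
db_up{dsn="postgres://admin:S3cretPass@db-1.internal:5432/app"} 1
s3_sync_last_success{bucket="backups",access_key="AKIAIOSFODNN7EXAMPLE"} 1.6e9
scrape_target_up{instance="10.0.12.7:9100",job="node"} 1
auth_backend_up{name="ldap",bind_password="hunter2"} 1
process_start_time_seconds 1634567890
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_METRICS):
        print(f"line {f.line_no}: {f.metric}{{{f.label}=...}} -> {f.reason}")
```

Run it against the output of `curl http://<host>:9090/metrics` (and against every scrape target, since exporters leak just as readily as the server). The fix is the one the comment mentions: put TLS and basic auth in front of the endpoint, and stop exporters from putting connection strings into labels in the first place.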
  19. Tomi Engdahl says:

    Sarah Perez / TechCrunch:
    Sundar Pichai calls for the creation of new US federal privacy regulations, and stresses the importance of staying ahead in AI, quantum computing, and more — In a wide-ranging interview at the WSJ Tech Live conference that touched on topics like the future of remote work, A.I. innovation …
    Alphabet CEO Sundar Pichai calls for federal tech regulation, investments in cybersecurity
    https://techcrunch.com/2021/10/18/alphabet-ceo-sundar-pichai-calls-for-federal-tech-regulation-investments-in-cybersecurity/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAHNCtc6O1C4N4On3AvzY0dB9J_eC6u6XXDuqhassYQciWJD03I2nbgtRvSywl4JyLd5tGiS3feDuusik1U5bVg_X0fWd3XhfhcnwWwxPlnTB6fjRtM-jYD1-PAh_kdoUPb2USRcIOll9VoQqF4XDrJGpSwFcHWNiRJkT2PQxyiDq

    In a wide-ranging interview at the WSJ Tech Live conference that touched on topics like the future of remote work, AI innovation, employee activism and even misinformation on YouTube, Alphabet CEO Sundar Pichai also shared his thoughts on the state of tech innovation in the U.S. and the need for new regulations. Specifically, Pichai argued for the creation of a federal privacy standard in the U.S., similar to the GDPR in Europe. He also suggested it was important for the U.S. to stay ahead in areas like AI, quantum computing and cybersecurity, particularly as China’s tech ecosystem further separates itself from Western markets.

    In recent months, China has been undergoing a tech crackdown, which has included a number of new regulations designed to combat tech monopolies, limit customer data collection and create new rules around data security, among other things. Although many major U.S. tech companies, Google included, don’t provide their core services in China, some who did are now exiting — like Microsoft, which just this month announced its plan to pull LinkedIn from the Chinese market.

    Pichai said this sort of decoupling of Western tech from China may become more common.

    He also said it would be important to stay ahead in areas where the U.S. and China compete, like AI, quantum computing and cybersecurity, noting that Google’s investments in these areas comes at a time when governments were slightly pulling back on “basic R&D funding.”

    “The government has limited resources and it needs to focus,” noted Pichai, “but all of us are benefiting from foundational investments from 20 to 30 years ago — which is what a lot of the modern tech innovation is based on, and we take it for granted a bit,” he said. “So when I look at the semiconductor supply chain [and] quantum … the government can play a key role, both in terms of policies and allowing us to bring in the best talent from anywhere in the world, or participating with universities and creating some of the longer-term research areas,” Pichai added. These are areas that private companies may not focus on from day one, but play out of 10 to 20 years, he said.

  20. Tomi Engdahl says:

    The National Cyber Security Centre is again mapping unprotected automation systems
    https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kartoitus2021
    The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom is searching data networks for unprotected automation devices. The aim of the work is to improve situational awareness and cyber security in Finland. The results will be compared with those of previous years.

  21. Tomi Engdahl says:

    Social Now Among Top Three Sectors to be Imitated in Phishing Attempts in Q3 2021 https://blog.checkpoint.com/2021/10/19/social-now-among-top-three-sectors-to-be-imitated-in-phishing-attempts-in-q3-2021/
    Our latest Brand Phishing Report for Q3 2021 highlights the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September 2021.

  22. Tomi Engdahl says:

    Trickbot module descriptions
    https://securelist.com/trickbot-module-descriptions/104603/
    Over the years, Trickbot has acquired dozens of auxiliary modules that steal credentials and sensitive information, spread it over the local network using stolen credentials and vulnerabilities,

  23. Tomi Engdahl says:

    About 26% of all malicious JavaScript threats are obfuscated https://www.bleepingcomputer.com/news/security/about-26-percent-of-all-malicious-javascript-threats-are-obfuscated/
    A research that analyzed over 10,000 samples of diverse malicious software written in JavaScript concluded that roughly 26% of it is obfuscated to evade detection and analysis.

  24. Tomi Engdahl says:

    LightBasin hacking group breaches 13 global telecoms in two years https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/
    A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years.

    LightBasin: A Roaming Threat to Telecommunications Companies https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/
    CrowdStrike Services, CrowdStrike Intelligence and Falcon OverWatch have investigated multiple intrusions within the telecommunications sector from a sophisticated actor tracked as the LightBasin activity cluster, also publicly known as UNC1945.

  25. Tomi Engdahl says:

    CSIRT – Law Enforcement Cooperation Workshop – 10 Years of Joint Efforts against Cybercrime https://www.enisa.europa.eu/news/csirt-law-enforcement-cooperation-workshop-10-years-of-joint-efforts-against-cybercrime
    The European Union Agency for Cybersecurity, (ENISA) and Europol’s European Cybercrime Centre (EC3) organised the 10th Annual Workshop for CSIRTs and law enforcement.

  26. Tomi Engdahl says:

    The VC View: Vendor Risk Management
    https://www.securityweek.com/vc-view-vendor-risk-management

    Unlike other areas of security, the COVID-19 pandemic has not made a big impact on the Vendor risk management (VRM) sector. This space would have been a Top 10 security project even without a pandemic, as it has been going down this path for years: moving away from security questionnaires to finding something more predictable, useful and scalable.

    Security incidents have only helped to shine spotlights on third-party risk: SolarWinds for example, only fanned the fears of letting third parties impact your hard-built and well-understood security program. Add in the fact that so much more business is digital, purchasing software is at an all-time high and almost every new innovative company delivers their solution via SaaS… technology is continuing to scale impact and also risk.

    As a result, I do think we’ve seen VRM projects get additional interest this year. While there still isn’t a clear industry-accepted answer to VRM, there has been more interest in staying on top of and learning about the latest in this space.

    Ranging from vendors wanting to improve the data collection process, to out-sourcing the work as a managed service, to data/report providers proactively scanning the internet, conducting standardized assessments, etc.

  27. Tomi Engdahl says:

    Microsoft, Intel and Goldman Sachs Lead New Supply Chain Security Initiative
    https://www.securityweek.com/microsoft-intel-and-goldman-sachs-lead-new-supply-chain-security-group-tcg

    Microsoft, Intel and Goldman Sachs will lead a new work group focusing on supply chain security at the Trusted Computing Group (TCG).

    TCG is a non-profit organization that develops, defines and promotes open and vendor-neutral industry specifications and standards for trusted computing platforms, including the widely used Trusted Platform Module (TPM).

    TCG has several work groups, including for cloud, embedded systems, infrastructure, IoT, mobile, PC clients, servers, software stack, storage, trusted network communications, TPM, and virtualized platforms.

    The organization this week announced a new work group focusing on supply chain security. Representatives of Microsoft, Intel and Goldman Sachs will lead the new group, which will work on developing guidance for supply chain security standards.

    When we think about cyber threats, we often imagine a lone attacker sitting in a dark room, furiously typing as green text spreads across the screen in order to gain access to sensitive information or assume control of some system to which they would otherwise not have access. While this sort of threat does exist, we now see a much greater threat in the form of coordinated adversaries attempting to compromise the supply chains of our industries and governments. These adversaries exploit supply chain vulnerabilities, stealing intellectual property, exploiting software vulnerabilities, surveilling and disrupting critical infrastructure, and engaging in other malicious activity. To address these vulnerabilities, we need to recognize that within each phase of product lifecycles, from design, manufacture, and transport, to provisioning, utilization, and decommission, there are serious risks.

    To effectively protect our infrastructure and devices throughout product lifecycles, we must also consider the components of these products and computing systems. In the hardware supply chain, we see a specific and growing set of threats which are much more difficult for any one organization to protect against. Taken together, supply chain threats now affect a broad range of industries and organizations, from critical infrastructure, military and defense, and financial services, to consumer electronics, education, and healthcare. Mitigating or eliminating these threats is the goal of Supply Chain Security.

    Supply Chain Security
    https://trustedcomputinggroup.org/work-groups/supply-chain-security/

    Reply
  28. Tomi Engdahl says:

    National Security Review 2021
    https://supo.fi/kansallisen-turvallisuuden-katsaus

    The National Security Review examines phenomena within the remit of the Finnish Security and Intelligence Service (Suojelupoliisi) and assesses how they are developing.

    Reply
  29. Tomi Engdahl says:

    IPv6 Considerations for TIC 3.0
    https://www.cisa.gov/publication/ipv6-considerations-tic-30

    CISA’s “IPv6 Considerations for TIC 3.0” supports federal agencies as they implement Internet Protocol version 6 (IPv6) network protocol, in accordance with the Office of Management and Budget’s (OMB) Memorandum (M) 21-07: “Completing the Transition to Internet Protocol Version 6.” The “IPv6 Considerations for TIC 3.0” explains the background of IPv6, lists security considerations for the protocol in relation to the TIC 3.0 security capabilities, and provides awareness of IPv6 security features according to TIC guidance. This document is intended to be architecture-agnostic and broadly supports the government-wide deployment and use of the IPv6 network protocol.

    https://www.cisa.gov/trusted-internet-connections

    Reply
  30. Tomi Engdahl says:

    Guide to Cyber Security Measures
    https://english.ncsc.nl/publications/publications/2021/august/4/guide-to-cyber-security-measures

    The Guide to Cyber Security Measures lists eight measures that every organisation should take to prevent cyber-attacks. Examples of these measures are enabling logging, implementing multi-factor authentication, creating backups and encrypting sensitive information. Furthermore, the Guide to Cyber Security Measures provides the organisational context in which you apply these measures.

    Reply
  31. Tomi Engdahl says:

    Linux Threat Report 2021 1H
    Linux Threats in the Cloud and Security Recommendations
    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations

    Linux powers many cloud infrastructures today. However, it is not immune to threats and risks. We discuss several pressing security issues including malware and vulnerabilities that compromise Linux systems in the first half of 2021.

    Reply
  32. Tomi Engdahl says:

    The Global Drive to Control Big Tech
    https://freedomhouse.org/report/freedom-net/2021/global-drive-control-big-tech

    In the high-stakes battle between states and technology companies, the rights of internet users have become the main casualties.

    Reply
  33. Tomi Engdahl says:

    A Pentester’s Guide to Cross-Site Scripting (XSS)
    https://cobalt.io/blog/a-pentesters-guide-to-cross-site-scripting-xss

    Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and can occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

    Reply
  34. Tomi Engdahl says:

    Cross Site Scripting Prevention Cheat Sheet
    https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

    This article provides a simple positive model for preventing XSS using output encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack.

    This article does not explore the technical or business impact of XSS. Suffice it to say that it can lead to an attacker gaining the ability to do anything a victim can do through their browser.

    DOM based XSS Prevention Cheat Sheet
    https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html

    Reply
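    The two comments above describe the root cause of reflected XSS (user input copied into HTML output without encoding) and the OWASP positive model for preventing it (context-aware output encoding). The following is an added example, not code from cobalt.io or the OWASP cheat sheet: a vulnerable template beside its hardened form, an HTML-context encoder, and a small check that looks for tags in the rendered output that the template itself never emitted. The function names and the sample inputs are the example's own.

```javascript
// Added example (not from the linked articles): HTML-context output encoding
// as the OWASP cheat sheet's positive model, with a vulnerable and a hardened
// rendering side by side. All names and sample strings below are constructed.

// Encode the characters that have meaning in HTML element content and in
// quoted attribute values. This is the "HTML entity encoding" rule; other
// contexts (JavaScript, URL, CSS) need their own encoders.
function encodeForHtml(untrusted) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable: the untrusted value is interpolated straight into element content.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: same template, value encoded for the HTML element context.
function renderGreetingSafe(name) {
  return `<p>Hello, ${encodeForHtml(name)}!</p>`;
}

// Vulnerable: untrusted value inside a quoted attribute without encoding.
function renderSearchBoxUnsafe(query) {
  return `<input type="text" value="${query}">`;
}

// Hardened: the attribute is quoted AND the value is encoded, so a quote
// character in the input cannot end the attribute early.
function renderSearchBoxSafe(query) {
  return `<input type="text" value="${encodeForHtml(query)}">`;
}

// Collect the distinct tag names present in a rendered fragment.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names];
}

// Detection-style check: true if the output contains any tag the template
// did not put there. Useful as a unit-test oracle for templating code.
function hasUnexpectedTags(html, allowedTags) {
  return tagNames(html).some((t) => !allowedTags.includes(t));
}

// Constructed sample inputs, the kind a scanner or tester would submit.
const SAMPLE_CONTENT_INPUT = '<script>alert(document.cookie)</script>';
const SAMPLE_ATTRIBUTE_INPUT = '"><script>alert(1)</script>';

// Stand-alone demonstration.
console.log(renderGreetingUnsafe(SAMPLE_CONTENT_INPUT));
console.log(renderGreetingSafe(SAMPLE_CONTENT_INPUT));
console.log('unsafe greeting injects tags:',
  hasUnexpectedTags(renderGreetingUnsafe(SAMPLE_CONTENT_INPUT), ['p']));
console.log('safe greeting injects tags:',
  hasUnexpectedTags(renderGreetingSafe(SAMPLE_CONTENT_INPUT), ['p']));
console.log('unsafe search box injects tags:',
  hasUnexpectedTags(renderSearchBoxUnsafe(SAMPLE_ATTRIBUTE_INPUT), ['input']));
console.log('safe search box injects tags:',
  hasUnexpectedTags(renderSearchBoxSafe(SAMPLE_ATTRIBUTE_INPUT), ['input']));
```

    The encoder covers only the HTML element and quoted-attribute contexts; the cheat sheet's point is that each output context (JavaScript string, URL parameter, CSS value) needs its own rule, and that an unquoted attribute cannot be made safe by entity encoding alone, which is why both templates quote the attribute.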
  35. Tomi Engdahl says:

    Example a CSP header with a meta tag
    Let’s add a Content-Security-Policy HTTP response header to a HTML page using a meta tag.

    https://content-security-policy.com/examples/meta/

    Reply
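    As an added example for the comment above (not code from content-security-policy.com), the block below builds a Content-Security-Policy meta tag from a policy object, parses the content attribute back into directives, flags the directives that the CSP specification ignores when the policy is delivered in a meta element rather than a response header, and evaluates whether a given script would be permitted under a deliberately simplified model of source matching. The sample policy is the `default-src 'self'; img-src https://*; child-src 'none'` form shown on that site; the function names are the example's own.

```javascript
// Added example (not from content-security-policy.com): CSP via <meta>.
// Builds the tag, parses it back, warns about header-only directives, and
// evaluates script loads under a simplified matcher. Names are constructed.

// Per the CSP spec, these directives have no effect when delivered in a
// <meta http-equiv="Content-Security-Policy"> element; they work only in
// the HTTP response header.
const META_IGNORED_DIRECTIVES = ['frame-ancestors', 'report-uri', 'sandbox'];

// { 'default-src': ["'self'"], ... }  ->  "default-src 'self'; ..."
function serializeCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Produce the meta tag. Source lists never legitimately contain `"`, so the
// attribute value needs no further escaping here.
function buildCspMetaTag(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${serializeCsp(policy)}">`;
}

// Parse a policy string back into { directive: [sources] }.
function parseCsp(content) {
  const policy = {};
  for (const part of content.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Directives present in the policy that a meta tag will silently drop.
function directivesIgnoredInMeta(policy) {
  return Object.keys(policy).filter((d) => META_IGNORED_DIRECTIVES.includes(d));
}

// Simplified source matching: handles 'self', 'none', 'unsafe-inline', '*',
// scheme wildcards such as https://*, and exact origins. Real CSP matching
// also covers nonces, hashes, paths, ports, host wildcards (*.example.com)
// and the rule that a nonce or hash disables 'unsafe-inline'.
function isScriptAllowed(policy, pageOrigin, script) {
  // script-src falls back to default-src; with neither, CSP allows everything.
  const sources = policy['script-src'] || policy['default-src'] || ['*'];
  if (script.inline) return sources.includes("'unsafe-inline'");
  if (sources.includes("'none'")) return false;
  const scriptOrigin = new URL(script.src).origin;
  return sources.some((s) => {
    if (s === "'self'") return scriptOrigin === pageOrigin;
    if (s === '*') return true;
    if (s.endsWith('://*')) return scriptOrigin.startsWith(s.slice(0, -1));
    return s === scriptOrigin;
  });
}

// Sample policy in the form shown on content-security-policy.com/examples/meta/.
const SAMPLE_POLICY = {
  'default-src': ["'self'"],
  'img-src': ['https://*'],
  'child-src': ["'none'"],
};

// Stand-alone demonstration.
const PAGE_ORIGIN = 'https://example.com'; // constructed page origin
console.log(buildCspMetaTag(SAMPLE_POLICY));
console.log('same-origin script allowed:',
  isScriptAllowed(SAMPLE_POLICY, PAGE_ORIGIN, { src: 'https://example.com/app.js' }));
console.log('third-party script allowed:',
  isScriptAllowed(SAMPLE_POLICY, PAGE_ORIGIN, { src: 'https://cdn.example.net/lib.js' }));
console.log('inline script allowed:',
  isScriptAllowed(SAMPLE_POLICY, PAGE_ORIGIN, { inline: true }));
console.log('ignored in meta:',
  directivesIgnoredInMeta(parseCsp("default-src 'self'; frame-ancestors 'none'")));
```

    The practical caveat the meta-tag form carries is the one `directivesIgnoredInMeta` reports: a policy that relies on `frame-ancestors` for clickjacking protection or on `report-uri` for violation reports must be sent as a response header, because in a meta tag those directives are dropped without any error.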
  36. Tomi Engdahl says:

    IMPROVING YOUR REPORTS
    Welcome to Bug Hunter University
    https://bughunters.google.com/learn

    Reply
  37. Tomi Engdahl says:

    This just blows me away. This woman has three Amazon speakers in her house. She requests audio files of all recordings Amazon has for her. And when she downloads and listens to them she’s “shocked” at the things these devices recorded. I mean, what did she expect??

    LISTEN UP I found Amazon folder with THOUSANDS of audio recordings from my home gadgets
    https://www.thesun.co.uk/tech/16469416/amazon-alexa-recordings-shock-woman/

    A WOMAN has been shocked to discover just how much data Amazon has collected about her.

    She posted a viral TikTok video explaining how she requested to see the data but wasn’t expecting to receive so much.

    TikToker my.data.not.yours explained: “I requested all the data Amazon has on me and here’s what I found.”

    Reply
  38. Tomi Engdahl says:

    EU National Telecom Authorities analyse Security Supervision and Latest Security Threats
    https://www.enisa.europa.eu/news/enisa-news/eu-national-telecom-authorities-analyse-security-supervision-latest-security-threats

    The EU National Telecom Authorities met in Athens, Greece for the 35th meeting of the ECASEC group. The European Union Agency for Cybersecurity also hosted the 1st Telecom Security Forum on this occasion.

    Reply
  39. Tomi Engdahl says:

    In Cyberwar, Attribution Can Be Impossible — and That’s OK
    Instead of using a substantial proportion of resources to determine attribution, organizations should focus on defenses that will help them remediate an attack.
    https://www.darkreading.com/analytics/in-cyberwar-attribution-can-be-impossible—and-that-s-okay

    For most of human history, battle lines have been clearly demarcated. Physical borders, trenches, and satellite imagery have shown us launch sites, front lines, and enemy targets. Technology has allowed opponents to trace every inch of a weapon’s path. Historically, we have been able to determine the source of a strike and know who we’re up against with clarity.

    But the rules of cyberspace are different.

    Acts of cyberwar continue to proliferate — defined by espionage, proxy battles, disinformation campaigns, and guerrilla tactics. Every day, it becomes more challenging to establish the source of an attack — and therefore, to establish an effective, proportional response.

    Reply
  40. Tomi Engdahl says:

    Smart devices are opening holes in corporate networks
    https://etn.fi/index.php/13-news/12721-aelylaitteet-tekevaet-aukkoja-yritysverkkoihin

    As many as 82 percent of IT decision-makers in the EMEA region believe that the shift to remote work from employees’ homes has weakened corporate network security as the Internet of Things has grown. This is because smart devices that the company does not own have joined corporate networks.

    This was the finding of Palo Alto Networks’ semi-annual IoT security report, compiled by Vanson Bourne. Data for the report was collected from 1,900 IT decision-makers worldwide.

    In the EMEA region, the survey results among IT decision-makers varied widely with respect to the Internet of Things. Decision-makers are more confident than before in the visibility of IoT devices on the network (70% in 2021, 58% in 2020). On the other hand, 45 percent of decision-makers felt the situation was less secure with regard to IoT device connectivity when an employee works from a home or remote office.

    72 percent of respondents have noticed an increase in the number of non-corporate smart devices on the corporate network. For example, 28 percent of respondents had seen pet-related devices connecting to corporate networks. The same was observed for cameras unrelated to the company (31%) and for health and sports products (31%). Each of these carries unknown security threats.

    Reply
