Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before the year 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
The state of internet security in 2020 was hard, and the trends that stormed last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, it is now rather ‘bring your own office’.
2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.
Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks that exploit contemporary issues, and continued frequent and significant data breaches. I can pretty much agree with those. Cybersecurity must adapt to counter new threats in a transformed world.
The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”
For 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments (WAN, multi-cloud, data center, remote worker, IoT and more), each with its own risks.
DDoS attacks: a big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline, but victims are being urged not to give in to the demands.
One sure bet is that ransomware attacks will only escalate further over this year; see Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, then they threaten to publish your most secret data for other people to see if you don’t pay up. This is why ransomware victims that have backups are still paying ransoms, to stop the hackers leaking their stolen data.
Modern cybercrime is becoming increasingly open-sourced: some of the most sophisticated and notorious cybercriminals already use open-source tools to conduct their criminal activities, and this will increase.
Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and whether the people who answered the survey really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.
The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands, and it’s only getting worse: while cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues are moving to the cloud, so we need more people who know both security and cloud: The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).
The Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.
Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.
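As an added example (not code from the linked article), here is what the “extra step” actually computes when the second factor is an authenticator app: an RFC 4226 HOTP / RFC 6238 TOTP generator and verifier in Python using only the standard library. The secret “12345678901234567890” is the test key from the RFCs; the drift tolerance (`skew`) and the replay guard (`last_counter`) are this example’s own design choices, not something the article prescribes.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generator and verifier.

Added example, standard library only. The verifier accepts codes from
adjacent 30-second windows to tolerate clock drift and refuses any counter
at or below the last one accepted, so a code captured in transit cannot be
replayed.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is Unix time divided by the step length."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None, step: int = 30,
                digits: int = 6, skew: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Return the counter that matched, or None.

    skew: how many adjacent windows on each side are accepted (clock drift).
    last_counter: highest counter already accepted for this user; anything at or
    below it is refused, which blocks replay of a code that was already used.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps carry the shared secret as (often unpadded) base32 in the otpauth:// URI."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"                      # RFC 4226 / RFC 6238 test secret
    print(hotp(rfc_secret, 0), totp(rfc_secret, for_time=59))  # 755224 287082
    print(verify_totp(rfc_secret, "287082", for_time=59))      # 1
    print(verify_totp(rfc_secret, "287082", for_time=59, last_counter=1))  # None (replay)
```

The server side must store `last_counter` per user and persist it; without it, a code phished in real time remains valid for the whole window plus the skew, which is exactly how real-time phishing kits defeat TOTP.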
A new version of the OWASP Top 10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, make everyone able to reproduce the results, and present it to the entire community for feedback.
The Privacy is an illusion. But that‘s a good thing article says that everyone’s information is available; it doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.
The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics; the US is now the focus of global instability. The EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.
The Legal requirements for IoT security start to emerge article tells that legislative activity is starting to make security a legal requirement, obliging consumer IoT designs to have vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security: the US House of Representatives, for instance, introduced H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens, and ENISA publishes guidelines on securing the IoT supply chain.
7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021 lists: continuous patch management and security updates, OT transparency for IT stakeholders, natively secure OT networks, cloud-based access to remote sites instead of VPN, zero-touch onboarding, more cybersecurity in small facilities, and certified cybersecurity products and solutions.
IoT security is still complicated. For many development teams, the idea of building cyber security into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.
2,203 Comments
Tomi Engdahl says:
Beijing fingers foreign spies for data mischief, with help from consulting firm https://www.theregister.com/2021/11/05/china_claims_foreign_spies_stole_data/
Chinese media wonders why it hasn’t been reported in the West – hang on, you’re reading this…
Hackers are stealing data today so quantum computers can crack it in a decade https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/
The US government is starting a generation-long battle against the threat next-generation computers pose to encryption.
Tomi Engdahl says:
Did you also get an email from Google? You should read it carefully https://www.is.fi/digitoday/tietoturva/art-2000008384255.html
GOOGLE is making a significant change to numerous user accounts in the near future. The company is automatically turning on two-step verification on these accounts and has emailed the affected users about it. The subject line of the email begins with the words “Kirjautumistapasi muuttuu…” (“Your sign-in method is changing…”).
Tomi Engdahl says:
Positive Technologies says US sanctions had little or no effect on its business https://therecord.media/positive-technologies-says-us-sanctions-had-little-or-no-effect-on-its-business/
Russian cybersecurity firm Positive Technologies said on Thursday that it is not concerned about the recent sanctions announced by the US government earlier this week, as the previous US sanctions did not have any “significant impact” on its operations.
Tomi Engdahl says:
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
https://blogs.blackberry.com/en/2021/11/zebra2104
The BlackBerry Research & Intelligence Team has uncovered an unusual connection between the actions of three distinct threat groups, including those behind financially-motivated ransomware such as MountLocker and Phobos, as well as the espionage-related advanced persistent threat (APT) group known as StrongPity. While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). In this post, we will discuss what led us to these findings, what an IAB is, and how each piece fits into the puzzle. Once we look at each piece in context, we can better assess the full ramifications of these discoveries, and project what is yet to come.
Tomi Engdahl says:
DDoS Attack Trends for Q3 2021
https://blog.cloudflare.com/ddos-attack-trends-for-2021-q3/
The third quarter of 2021 was a busy quarter for DDoS attackers.
Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world.
Tomi Engdahl says:
IT services have become too fast and easy to use
https://www.tivi.fi/blogit/it-palveluista-on-tullut-liian-nopeita-ja-helppokayttoisia/3f72d0ff-c0b5-4b0a-b092-c418c46afd12
ALMOST WEEKLY we read in the news how scammers have managed to dupe online bank customers. Victims have lost as much as tens of thousands of euros, even though online banking is supposed to be completely secure and authentication tied to a smartphone foolproof. Transferring money abroad should not be this easy and fast. International transfers should have a 24-hour delay that cannot be bypassed. If this causes problems for some users, they could disable it by visiting a bank branch or calling the bank’s phone service.
Tomi Engdahl says:
Senators add CISA cyberattack/ransomware reporting amendment to defense bill https://www.zdnet.com/article/bipartisan-group-of-senators-add-cisa-cyberattackransomware-reporting-amendment-to-defense-bill/
The amendment only covers confirmed cyberattacks and not ones that are suspected. But it forces all federal contractors to report attacks.
There is no fine component in the amendment, one of the many provisions senators had been fighting over for months. Victim organizations will have 72 hours to report attacks, another hotly debated topic among government cybersecurity experts. Some wanted it to be within 24 hours and others said it should be within a week. But the 72-hour limit does not apply to all organizations. Some, which the senators said included businesses, nonprofits and state and local governments, would be forced to report ransomware payments to the federal government within 24 hours of the payment being made.
Tomi Engdahl says:
House approves massive infrastructure plan that includes $1.9 billion for cybersecurity https://therecord.media/house-approves-massive-infrastructure-plan-that-includes-1-9-billion-for-cybersecurity/
The U.S. House of Representatives on Friday approved a $1.2 trillion infrastructure bill that will invest nearly $2 billion in cybersecurity efforts throughout the federal government. The measure incorporates the Cyber Response and Recovery Act, which authorizes $100 million over five years to support federal response to cyber incidents. It also allows the Homeland Security Secretary, working with the National Cyber Director, to declare a significant cyber incident. CISA would coordinate the response to the event and tap the emergency fund to help both private companies and the government recover from cyberattacks.
Tomi Engdahl says:
Hackers Apologize to Arab Royal Families for Leaking Their Data https://www.vice.com/en/article/n7nw8m/conti-ransomware-hackers-apologize-to-arab-royal-families-for-leaking-their-data
In October, the infamous ransomware gang known as Conti released thousands of files stolen from the UK jewelry store Graff. Among the data Conti leaked, there were sensitive files belonging to celebrities like David Beckham, Oprah Winfrey, and Donald Trump, according to The Daily Mail. There was also, according to the hackers themselves, information belonging to the UAE, Qatar, and Saudi royal families. “We found that our sample data was not properly reviewed before being uploaded to the blog,” the hackers wrote in an announcement published on Thursday. “Conti guarantees that any information pertaining to members of Saudi Arabia, UAE, and Qatar families will be deleted without any exposure and review.” “Our Team apologizes to His Royal Highness Prince Mohammed bin Salman and any other members of the Royal Families whose names were mentioned in the publication for any inconvenience,” the hackers added.
Tomi Engdahl says:
Microsoft Warns Of ‘Moving Target’ Password Attacks: Here’s How To Stop Them https://www.forbes.com/sites/daveywinder/2021/11/07/microsoft-confirms-rising-tide-of-moving-target-password-attacks-heres-how-to-stop-them/
While password spraying isn’t a technique that’s off the consumer radar, it’s an attack vector that DART has seen being ramped up in attacks targeting Microsoft’s business users recently. What Microsoft explains is who these targets, based on the DART findings, are likely to be. The answer is admins. They could be Exchange or SharePoint admins, a security or helpdesk admin, maybe a user or company admin.
The common denominator is the administrator part: Microsoft says it has specifically seen an increase in the number of cloud admin accounts being targeted in this way.
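An added example, not code from the Forbes article or from Microsoft: the Python detector below shows what the “moving target” pattern looks like in sign-in logs, namely one source failing once or twice against many different accounts inside a window, as opposed to brute force hammering one account. The log line format, the IP addresses, the account names and the thresholds are all constructed for the example and are not DART data; tune the thresholds to your own tenant.

```python
"""Password-spray vs brute-force triage over sign-in logs (added example).

Each constructed line: "<ISO-8601 time> <FAIL|OK> user=<name> src=<ip>".
The sample below is made up for the example; it is not Microsoft or DART data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-11-07T09:00:01Z FAIL user=exchange.admin src=203.0.113.5
2021-11-07T09:00:04Z FAIL user=sharepoint.admin src=203.0.113.5
2021-11-07T09:00:07Z FAIL user=helpdesk.admin src=203.0.113.5
2021-11-07T09:00:10Z FAIL user=security.admin src=203.0.113.5
2021-11-07T09:00:13Z FAIL user=user.admin src=203.0.113.5
2021-11-07T09:00:16Z FAIL user=company.admin src=203.0.113.5
2021-11-07T09:00:19Z OK   user=company.admin src=203.0.113.5
2021-11-07T09:01:00Z FAIL user=jdoe src=198.51.100.7
2021-11-07T09:01:05Z FAIL user=jdoe src=198.51.100.7
2021-11-07T09:01:10Z FAIL user=jdoe src=198.51.100.7
2021-11-07T09:01:15Z FAIL user=jdoe src=198.51.100.7
2021-11-07T09:01:20Z FAIL user=jdoe src=198.51.100.7
2021-11-07T09:01:25Z FAIL user=jdoe src=198.51.100.7
2021-11-07T09:05:00Z FAIL user=asmith src=192.0.2.9
2021-11-07T09:05:30Z OK   user=asmith src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "result": result,
        "user": user.lower(),          # normalise so Admin and admin count as one target
        "src": src,
    }


def _events(lines):
    return [ev for ev in (parse_line(line) for line in lines) if ev]


def classify_sources(lines, window=timedelta(minutes=30),
                     min_accounts=5, max_per_account=2, min_failures=5):
    """Label each source IP by the shape of its failures inside any sliding window.

    spray:        >= min_accounts distinct accounts, none failed more than max_per_account times
    brute-force:  a single account failed >= min_failures times
    The thresholds are the example's assumptions, not figures from the article.
    """
    fails = defaultdict(list)
    for ev in _events(lines):
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev)

    verdicts = {}
    for src, events in fails.items():
        events.sort(key=lambda e: e["time"])
        for i, start in enumerate(events):          # window anchored at each failure in turn
            per_user = Counter()
            for ev in events[i:]:
                if ev["time"] - start["time"] > window:
                    break
                per_user[ev["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdicts[src] = ("spray", sorted(per_user))
                break
            user, n = per_user.most_common(1)[0]
            if n >= min_failures:
                verdicts[src] = ("brute-force", user, n)
                break
    return verdicts


def successes_after_spray(lines, verdicts):
    """A successful sign-in from a spraying source is the alert to page on: the spray worked."""
    hits = []
    for ev in _events(lines):
        verdict = verdicts.get(ev["src"])
        if ev["result"] == "OK" and verdict and verdict[0] == "spray" and ev["user"] in verdict[1]:
            hits.append((ev["src"], ev["user"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    verdicts = classify_sources(lines)
    for src, verdict in verdicts.items():
        print(src, verdict)
    print("compromised:", successes_after_spray(lines, verdicts))
```

Per-account lockout thresholds never fire on the spraying source because each account sees only one or two failures; the signal is only visible when failures are grouped by source (or by source ASN, since sprays are usually rotated across many IPs) rather than by account.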
Tomi Engdahl says:
Bold claim: every third data center in Finland is neglected [SUBSCRIBERS ONLY]
https://www.tivi.fi/uutiset/kova-vaite-joka-kolmas-datakeskus-heitteilla-suomessa/30bdd3b7-933a-4f89-bd34-8dc1f1ccaf39
In many data centers, no closer checks of the condition of equipment are done these days as long as no warning light is lit. So claims Rittal, which itself also offers maintenance services.
Tomi Engdahl says:
Operation Cyclone deals blow to Clop ransomware operation https://www.bleepingcomputer.com/news/security/operation-cyclone-deals-blow-to-clop-ransomware-operation/
A thirty-month international law enforcement operation codenamed ‘Operation Cyclone’ targeted the Clop ransomware gang, leading to the previously reported arrests of six members in Ukraine. This Friday, new information came to light regarding how the operation was conducted and the law enforcement agencies involved. The transcontinental operation named ‘Operation Cyclone’ was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore, with assistance from Ukrainian and US law enforcement authorities. The operation was also assisted by private partners, including Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet, and Group-IB.
Tomi Engdahl says:
SolarWinds Investors Allege Board Knew About Cybersecurity Risks Ahead of Massive Breach
https://gadgets.ndtv.com/internet/news/solarwinds-hack-cyberattack-board-knew-security-risks-investors-allege-2600864
SolarWinds investors have sued the software company’s directors, alleging they knew about and failed to monitor cybersecurity risks to the company ahead of a breach that created a vulnerability in thousands of its customers’ systems.
Tomi Engdahl says:
Brian Barrett / Wired:
The FBI and DHS say a drone dangling copper wires tried to disrupt a PA power substation in July 2020, the first drone attack targeting US energy infrastructure — An attack attempt in 2020 proves the UAS threat is real—and not enough is being done to stop it.
A Drone Tried to Disrupt the Power Grid. It Won’t Be the Last https://www.wired.com/story/drone-attack-power-substation-threat/
IN JULY OF last year, a DJI Mavic 2 drone approached a Pennsylvania power substation. Two 4-foot nylon ropes dangled from its rotors, a thick copper wire connected to the ends with electrical tape. The device had been stripped of any identifiable markings, as well as its onboard camera and memory card, in an apparent effort by its owner to avoid detection. Its likely goal, according to a joint security bulletin released by DHS, the FBI, and the National Counterterrorism Center, was to “disrupt operations by creating a short circuit.”
Tomi Engdahl says:
Another Cybersecurity Awareness Month Has Passed and Little Has Changed
https://www.securityweek.com/another-cybersecurity-awareness-month-has-passed-and-little-has-changed
Last month we celebrated the 18th year of the Cybersecurity Awareness Month, which was previously known as National Cybersecurity Awareness Month. Under the slogan “Do Your Part. #BeCyberSmart”, the Cybersecurity and Infrastructure Security Agency (CISA) together with the National Cyber Security Alliance (NCSA) each year encourage individuals and organizations to own their role in protecting cyberspace by emphasizing personal accountability and the importance of taking pro-active steps to enhance cybersecurity.
Unfortunately, not much has changed since last year. Cyber breaches are bigger and worse than ever. Hardly a week goes by without headlines about some new devastating cyberattack. In fact, the Identity Theft Research Center reports the number of data breaches so far this year has already surpassed the total number in 2020 by 17 percent.
Tomi Engdahl says:
Engaging Customers on an Uncertain Journey
https://www.securityweek.com/engaging-customers-uncertain-journey
While every company has unique policies, politics, and market pressures, the technical challenges are often shared among many
We have all seen tremendous uncertainty in the last few years. Market dynamics are unlike anything we’d seen before, and though we are coming into a phase of apparent recovery, there is a combination of both optimism and anxiety everywhere.
Amidst the pandemic, the push home caused an enormous change in the way we work, and in turn created huge changes in the IT systems we all need to protect. The profiles of network traffic, the need for office functions and services to be supported in the cloud, challenges in managing and maintaining anything using remote teams, securing the enterprise both in the office and at home, the list goes on, are all results of the environment we’re in.
Tomi Engdahl says:
House Passes Two Bills to Improve Small Business Cybersecurity
https://www.securityweek.com/house-passes-two-bills-improve-small-business-cybersecurity
The House of Representatives this week passed two bills whose goal is to boost small business cybersecurity in the United States.
One of the bills, the Small Business Administration (SBA) Cyber Awareness Act, was introduced by Reps. Young Kim (R-CA) and Jason Crow (D-CO). It aims to strengthen the capabilities of the SBA when it comes to handling and reporting cyber threats that affect small businesses.
The SBA Cyber Awareness Act would expand the SBA’s cybersecurity operations by requiring the agency to inform Congress about its ability to combat cyberthreats. The report would include details on the SBA’s cybersecurity infrastructure, cybersecurity improvement strategy, the use of equipment manufactured by Chinese companies, and any cyber incident at the agency.
“For more than two decades, the SBA’s Inspector General has listed IT security as one of the most pressing challenges facing the SBA. Unfortunately, SBA cybersecurity vulnerabilities were brought to light with unprecedented demand of SBA loan programs during COVID-19, discouraging entrepreneurs from starting a business and creating jobs,” said Congresswoman Kim. “We must address this issue now and secure our systems so small business owners can safely utilize SBA’s resources as they work to recover from the pandemic, hire workers and adjust to rising costs of supplies.”
Tomi Engdahl says:
FBI: Scams Involving Cryptocurrency ATMs and QR Codes on the Rise
https://www.securityweek.com/fbi-scams-involving-cryptocurrency-atms-and-qr-codes-rise
Tomi Engdahl says:
Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has published its futures report, which extends to 2030. With the help of videos, it describes what the world could look like at the start of the next decade. From the perspective of cyber threats and network security, the future looks bleak.
By 2030, connectivity, that is, constantly being online, will affect our everyday lives on both a physical and a mental level. At the same time, cyber threats will keep evolving and abusing technical innovations in ever new ways.
“Our Project 2030 report is by no means a definitive view of the future; rather, it aims to shake up our views. We hope our review sparks discussion both within the security industry and more broadly in society. We can prepare for the cyber challenges of the next decade only by comprehensively anticipating all possible situations and advising how governments, business and private individuals can prepare for them,” says Trend Micro cyber security expert Kalle Salminen.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer,
yet where truth has never been more insubstantial.
Welcome to New San Joban.
Tomi Engdahl says:
Mobile phone security is being redone
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has for more than ten years been handled so that trusted processing is done in the TEE (Trusted Execution Environment) part of the device’s memory. Now a transition is under way. In the future, encryption keys, for example, will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, who heads Huawei’s HSSL laboratory.
According to Ekberg, who leads HSSL, the Helsinki System Security Lab, the current standard solution for smartphone security came about with Arm’s TrustZone technology. Most phones have a secure, protected TEE partition in which, for example, bank card details can be kept. In practice it is a parallel kernel, one of the two being protected and intended only for the use of secure processes.
“The phone’s own security starts from the TEE. Secure boot usually includes the TEE, but the TEE also helps maintain secure boot,” Ekberg describes.
In recent years this picture has begun to diversify. Google in particular has launched keystone technology, in which an application can create a system-maintained key with which services can be authenticated. These too are implemented in the TEE partition. The revolution in smartphone security, however, is coming from the server side.
Intel introduced SGX technology about five years ago, which simply means security extension instructions added to the CPU. “In this solution the role of the TEE is filled by a secure enclave, an isolated secure memory area. The big difference from the TEE structure is that such an enclave is smaller in terms of code,” Ekberg clarifies.
An enclave is a temporary construct in the device’s memory. It is created only for security processes and disappears when it has done its job. The difference from the TEE structure, where a second kernel runs alongside the operating system all the time, is significant.
“When logic is moved into an enclave, attackers at the same time have less software they could break. When there is no second parallel kernel, there is one component fewer to attack,” Ekberg clarifies.
He sees that this kind of enclave-style solution will also come to end devices. “For example, the Armv9-A architecture introduced last year offers a realm mode, which is very close to the techniques offered on the server side.”
In Intel’s SGX, enclaves were implemented through the cache, which limited their use. Intel has sought to fix this limitation with the newer TDX (Trust Domain Extensions) technology. AMD aims for the same with its own SEV (Secure Encrypted Virtualization) technology. These are based on encryption, so the limit now comes from the total memory of the hardware, not the cache size.
Ekberg notes that he looks at mobile device security largely from a researcher’s point of view.
“In the mobile ecosystem the TEE is so deeply rooted that the transition will probably take about five years. After that, the TEE and more dynamic solutions will be on the market side by side for some time.”
The TEE has been an elegant solution in smartphones, even though it is becoming old-fashioned. Its rise to the de facto security standard for devices is partly based on history and on the mobile chips of that time.
“When Arm TrustZone was developed 15 years ago, mobile chips had no 2-stage virtual memory. There was only one virtual memory between applications and the kernel, and if you want to do hardware-level isolation in such an environment, there is really no other way than to build a second, similar environment alongside it.”
Since then, the multi-stage virtualization layer has gradually spread from Intel processors to Arm chips as well, so the need to run two kernels in parallel has disappeared. With the coming enclaves, in principle an unlimited number of secured environments will become available.
Tomi Engdahl says:
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, Japanese security company Trend Micro estimates in its latest report. They can also cause physical harm to people, so it is not only a matter of problems for production or distribution. Links to dramatized online videos are also included.
By 2030, networked connectivity will, according to Trend Micro, affect our everyday lives even more than today, on both a physical and a mental level. At the same time, cyber threats will keep evolving and abusing technical innovations in ever new ways.
AI tools will democratize cybercrime, taking it from technically skilled individuals and criminal organizations to within everyone’s reach. The new “Everything as a Service” model also makes cloud service providers extremely attractive targets for cyber attackers.
The massive IoT (MIoT) environments of industrial plants, logistics centers, transport systems, healthcare, education, retail and homes are attractive targets for saboteurs and ransomware attackers. New 5G and the subsequent 6G networks will also make attacks more sophisticated and more precisely targeted.
Manipulation of users and fake news will become ever more significant and harder to bypass in the future, when they are delivered straight to the user’s smart glasses or heads-up displays, for example. Reality may be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Tomi Engdahl says:
CARBON SPIDER Embraces Big Game Hunting, Part 2 https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/
This blog discusses the Darkside ransomware incident at U.S. oil pipeline system Colonial Pipeline in May 2021 and how CARBON SPIDER responded to fallout from this event. Despite the termination of the Darkside program, the adversary continued malware distribution campaigns and subsequently introduced the BlackMatter RaaS. Due to numerous technical overlaps with Darkside, BlackMatter is attributed to CARBON SPIDER.
Tomi Engdahl says:
Banking Malware Threats Surging as Mobile Banking Increases: Nokia Threat Intelligence Report https://www.darkreading.com/attacks-breaches/banking-malware-threats-surging-as-mobile-banking-increases-nokia-threat-intelligence-report
The Nokia 2021 Threat Intelligence Report announced today shows that banking malware threats are sharply increasing as cyber criminals target the rising popularity of mobile banking on smartphones, with plots aimed at stealing personal banking credentials and credit card information.
Tomi Engdahl says:
DDoS attacks in Q3 2021
https://securelist.com/ddos-attacks-in-q3-2021/104796/
Q3 proved unexpectedly fast-paced for DDoS attacks: our records show several thousand attacks per day on some days. Yet the duration of attacks, both average and maximum, fell compared to Q2, meaning that we saw very many shorter attacks during the period.
Tomi Engdahl says:
ICS Threat Hunting: “They’re Shootin’ at the Lights!” – PART 2
https://www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights-part-2/
Welcome to the second of our multi-part series on threat hunting for industrial control system (ICS) and operational technology (OT) environments.
Tomi Engdahl says:
Hacking of activists is latest in long line of cyber-attacks on Palestinians https://www.theguardian.com/world/2021/nov/08/hacking-activists-latest-long-line-cyber-attacks-palestinians-nso-group-pegasus-spyware
The disclosure that Palestinian human rights defenders were reportedly hacked using NSO’s Pegasus spyware will come as little surprise to two groups of people: Palestinians themselves and the Israeli military and intelligence cyber operatives who have long spied on Palestinians.
While it is not known who was responsible for the hacking in this instance, what is very well documented is the role of the Israeli military’s 8200 cyberwarfare unit known in Hebrew as the Yehida Shmoneh-Matayim in the widespread spying on Palestinian society.
Tomi Engdahl says:
Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets
https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/surveillance-technology-at-the-fair/
State cyber capabilities are increasingly abiding by the “pay-to-play” model: both US/NATO allies and adversaries can purchase interception and intrusion technologies from private firms for intelligence and surveillance purposes. NSO Group has repeatedly made headlines in 2021 for targeting government entities in cyberspace, but there are many more companies selling similar products that are just as detrimental.
These vendors are increasingly looking to foreign governments to hawk their wares, and policymakers have yet to sufficiently recognize or respond to this emerging problem. Any cyber capabilities sold to foreign governments carry a risk: these capabilities could be used against individuals and organizations in allied countries, or even in one’s home country.
Tomi Engdahl says:
Is the DDoS threat insurmountable, or can we tame the beast?
https://www.nokia.com/blog/is-the-ddos-threat-insurmountable-or-can-we-tame-the-beast/?did=D0000000069P&gclid=EAIaIQobChMIj4iVwfuK9AIVYwWiAx1RqARkEAAYAiAAEgK20vD_BwE
Clear and present danger of DDoS
Last year, in our Nokia Deepfield Network Intelligence Report: Networks in 2020, we shared some observations and stats on the Distributed Denial of Service (DDoS) traffic trends. We noticed a significant increase in the aggregate levels of DDoS traffic (40% increase within two months of the pandemic across five major US service provider networks), an interesting correlation between the gaming traffic and DDoS, and the increased level of abuse of North American and European amplifiers (sites that can respond with an amplified response to queries sent to them).
Over the last couple of months, we took a deeper look and performed some further analysis, which Dr. Craig Labovitz, CTO Nokia Deepfield, will share in his presentation at NANOG82.
Here, we outline some of the key trends that we have observed lately, along with some bad and good news.
Tomi Engdahl says:
Can a DDoS problem get any worse?
The short answer is yes. DDoS attacks have evolved quite a bit, and today an attack may combine many different techniques employed simultaneously. At Nokia Deepfield, we have been tracking the internet security context for years; according to our Nokia Deepfield research, there is a potential for 10-12 Tb/s DDoS attacks (4-5 times the size of the largest DDoS attacks reported so far, using an amplification factor of 200-500) to happen more frequently. An attack with this level of intensity can cripple the service availability of a service provider of any size.
https://www.nokia.com/blog/is-the-ddos-threat-insurmountable-or-can-we-tame-the-beast/?did=D0000000069P&gclid=EAIaIQobChMIj4iVwfuK9AIVYwWiAx1RqARkEAAYAiAAEgK20vD_BwE
Tomi Engdahl says:
Engaging Customers on an Uncertain Journey
https://www.securityweek.com/engaging-customers-uncertain-journey
While every company has unique policies, politics, and market pressures, the technical challenges are often shared among many.
We have all seen tremendous uncertainty in the last few years. Market dynamics are unlike anything we’d seen before, and though we are coming into a phase of apparent recovery, there is a combination of both optimism and anxiety everywhere.
Amidst the pandemic, the push home caused an enormous change in the way we work, and in turn created huge changes in the IT systems we all need to protect. The profiles of network traffic, the need for office functions and services to be supported in the cloud, challenges in managing and maintaining anything using remote teams, securing the enterprise both in the office and at home (the list goes on) are all results of the environment we’re in.
In addition, the incredible turnover of staff in the last six months has been staggering. There’s a migration of corporate memory unlike anything we’ve seen before, and the combination of these factors creates an environment of unpredictability when not only are the systems changing but the staff maintaining and securing them is changing at the same time. It’s a bit like flying more than one plane, while upgrading both in flight. As if this job wasn’t hard enough!
Prepare For the Company You Are Engaging
This might seem obvious, but every company is different in substantive ways. For instance, a healthcare company has dramatically different concerns from a company that produces sheetrock. Orienting yourself toward what the customer is concerned about is critical.
Engage On These Areas of Change
One of the best approaches to identifying both the value you are bringing to a customer and opportunities to increase that value is by going on the change-journey with your customers. Recently, I met with a great customer who is pivoting away from self-hosting applications. They are moving to a cloud-only infrastructure and are trying mightily to rid themselves of hosting. This developing trend is becoming more common, and it is through this pain-point that a tighter bond between vendor and customer can be made.
Don’t Try to Bend the Laws of Physics
Far too often I’ve been on the receiving end of “Yeah! We can do that,” to only find that there were no resources available to make that happen and the comment was much more to keep me hooked than to solve my issue. This is infuriating and serves nobody.
Frank and clear conversations are appreciated. The challenge is to go on the journey with the customer AND have the customer go on the journey with you. Great products evolve, and therefore are never exactly where we want them. Nothing is static or finished, both in products as well as the customer environments. Work with the customer to identify those points where the environments align, and share, if possible, when you anticipate you’ll get to those alignment points.
I will often explain to customers items on our backlog that are very high priority, and why. This isn’t an excuse for not getting to their ask, nor is it a roadmap review, but it is an honest discussion around the laws of physics your team is dealing with.
Companies are made up of human beings, doing complex things, with complex products, in ever changing environments. With the rate of change we’re seeing, having a relationship with your customers that has you on the customer journey as well as the customer materially engaged on your product journey instills a trust between you that creates resiliency in the relationship. These conversations are also the generator of great feedback to your development teams.
Tomi Engdahl says:
China proposes special rules for “super large” internet platforms
https://therecord.media/china-proposes-special-rules-for-super-large-internet-platforms/
China’s State Administration for Market Regulations (SAMR) has created a new category for Chinese internet companies: the “super large platform”, and, as the agency made clear in new guidelines, such designations come with great responsibility.
According to the SAMR, China’s “super large platforms” should be held to higher standards than their smaller brethren. Among other things, the agency proposes that they be required to compete fairly, have higher standards for data security, be more transparent about their algorithms, and be subjected to comprehensive risk reviews.
What is SAMR’s definition of a super large platform? Any company that has over 500 million annual users, 1 trillion RMB ($16 billion) market capitalization, and offers at least two services.
Falling under such a metric are likely to be Chinese behemoth apps like online shopping platform Taobao, instant messaging and mobile payment app WeChat, the online payment platform Alipay and Douyin, China’s answer to TikTok.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Tomi Engdahl says:
https://www.wired.com/story/drone-attack-power-substation-threat/
Tomi Engdahl says:
[New research] SSL certificates could be leaking company secrets
https://blog.detectify.com/2021/11/04/new-research-are-ssl-certificates-leaking-company-secrets/
New research from Detectify Labs: Don’t let your SSL certificates give away your company secrets.
Short summary
SSL/TLS certificates make the internet a safer place, but many companies are unaware that their certificates can become a looking glass into the organisation – potentially leaking confidential information and creating new entry points for attackers.
Cyber criminals are constantly monitoring growing external attack surfaces to find exploitable weaknesses. Since July 2021, Detectify’s research arm Detectify Labs has collected and analysed over 900 million public SSL/TLS certificates and uncovered some SSL/TLS pitfalls that can lead to company data being exposed or compromised by malicious actors. The main findings include risks associated with using descriptive domain names and so called wildcard certificates.
The research
SSL/TLS certificates are issued by trusted certificate authorities (“CA”). In 2021, the issuing process was made public for both internal and external domains, meaning that anyone on the internet can monitor which domains are getting certificates, and what kind of certificates they get. The data can provide insight into the architecture, software and products used and served by organizations internally and externally – information that a malicious actor could leverage.
Researchers at Detectify were curious to see what patterns around SSL security could be revealed from collecting and wrangling these millions of publicly available data points.
Since July 2021, Detectify’s team has collected close to 10 million certificate logs every day from the public process of issuing SSL/TLS certificates. So far, over 900 million events generated from issuing organisations including but not limited to Let’s Encrypt, Digicert, Amazon and Google have been documented and analysed.
Descriptive names exposing company secrets
The analysts found that an overwhelming majority of newly certified domains had been given descriptive names. This may sound harmless but can actually be a business information risk, explains Fredrik Nordberg Almroth, co-founder and senior security researcher at Detectify:
“Many domains get certified in the staging phase of the development cycle, before they are publicly launched. Let’s say company X is working on product Y and deploys its domain to staging using next-generation-of-product-Y.staging.companyX.com, 6 months before its public release. That gives competitors half a year to do marketing or other efforts that could drive traffic away from the future announcement. Make sure to always choose code names or random strings over descriptive product names when deploying new domain names.”
Widely used wildcard certificates open the door to new hacking techniques
The data also reveals information about the certificates that an attacker could exploit.
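The research above describes mining public certificate issuance data for pre-production labels, descriptive product names and wildcard scope. As an added example (not Detectify’s code or tooling), the Python script below applies those checks to a constructed batch of records shaped like crt.sh’s JSON output, where `name_value` holds the newline-separated SAN entries and `not_before` the issuance date (both field names are assumptions). The ENV_LABELS and SOFTWARE_LABELS word lists, the sample records and the two-label registrable-domain assumption are likewise mine, not Detectify’s.

```python
"""Flag certificate names that leak environment, product or scope information.

Added example, not Detectify's code. Runs offline on SAMPLE_RECORDS, a
constructed batch shaped like crt.sh's JSON output (field names assumed).
"""
import re

# Assumed label lists; tune them to the organisation under review.
ENV_LABELS = {"dev", "test", "qa", "uat", "stg", "stage", "staging",
              "preprod", "sandbox", "beta", "internal", "intranet"}
SOFTWARE_LABELS = {"gitlab", "jenkins", "jira", "confluence", "grafana",
                   "kibana", "vpn", "okta", "sso", "vault"}

# Constructed records (issuer strings are illustrative). The last entry is a
# renewal of an earlier name, which must not produce a second finding.
SAMPLE_RECORDS = [
    {"not_before": "2021-07-02", "issuer_name": "Let's Encrypt",
     "name_value": "example.com\nwww.example.com"},
    {"not_before": "2021-07-15", "issuer_name": "Let's Encrypt",
     "name_value": "next-generation-of-product-y.staging.example.com"},
    {"not_before": "2021-08-01", "issuer_name": "DigiCert",
     "name_value": "*.example.com\nexample.com"},
    {"not_before": "2021-09-10", "issuer_name": "Let's Encrypt",
     "name_value": "jenkins.internal.example.com"},
    {"not_before": "2021-10-15", "issuer_name": "Let's Encrypt",
     "name_value": "next-generation-of-product-y.staging.example.com"},
]


def san_names(record):
    """Return the lower-cased SAN entries of one crt.sh-style record."""
    return [n.strip().lower() for n in record["name_value"].split("\n") if n.strip()]


def assess_name(name):
    """Return the reasons one certificate name deserves a closer look ([] if none)."""
    reasons = []
    wildcard = name.startswith("*.")
    host = name[2:] if wildcard else name
    labels = host.split(".")
    # Assumes a two-label registrable domain (example.com); everything to the
    # left of it is the organisation's own naming, which is what leaks.
    sub = labels[:-2]
    if wildcard:
        reasons.append(f"wildcard: one private key serves every host under {host}")
    if any(label in ENV_LABELS for label in sub):
        reasons.append("non-production environment label in a public certificate")
    if any(label in SOFTWARE_LABELS for label in sub):
        reasons.append("names the software or product behind the host")
    if sub:
        # A leftmost label made of three or more dictionary-style words is
        # the "descriptive name" pattern from the research.
        words = [w for w in re.split(r"[-_]", sub[0]) if w]
        if len(words) >= 3 and all(w.isalpha() for w in words):
            reasons.append(f"descriptive hostname ({len(words)} words): {sub[0]}")
    return reasons


def analyze(records):
    """Map each flagged name to its first issuance date, issuer and reasons.

    Records are walked in not_before order, so renewals of a name that is
    already flagged are skipped and first_seen stays the earliest issuance.
    """
    findings = {}
    for rec in sorted(records, key=lambda r: r["not_before"]):
        for name in san_names(rec):
            if name in findings:
                continue
            reasons = assess_name(name)
            if reasons:
                findings[name] = {"first_seen": rec["not_before"],
                                  "issuer": rec["issuer_name"],
                                  "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, info in analyze(SAMPLE_RECORDS).items():
        print(f"{info['first_seen']}  {name}  ({info['issuer']})")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

On the sample data the script reports three names: the wildcard (a single key that covers every host under example.com), the staging host whose leftmost label spells out the unreleased product, and the Jenkins host that reveals both a non-production zone and the CI product in use; www.example.com and example.com pass. Pointing it at real crt.sh output for your own domains is the cheapest way to see what the public already knows about your naming.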
Tomi Engdahl says:
Inertia is the enemy of cybersecurity
https://thehill.com/opinion/cybersecurity/580383-inertia-is-the-enemy-of-cybersecurity
Human beings are creatures of habit, and digital systems have “humans in the loop” who inherently want to do things the way they always have. It’s a rate-limiting step for digital transformation, and a massive and under-appreciated barrier to improving cybersecurity.
It’s the simple human preference for doing tomorrow what you did yesterday that leads users to repeat passwords, delay installing patches, and stick with old software because they’re comfortable with it. Cyber-attackers know this behavioral inertia is often the weakest link, so they exploit it. Phishing attacks work because an email seems to come from a familiar friend or business, and fake web pages that host malware fool people because users recognize the look and feel and just click through or enter data without thinking.
It’s not just individual behavioral inertia that makes it easy for bad actors. Organizational inertia is equally a problem, and it’s often the largest organizations that are most stuck in their ways.
Tomi Engdahl says:
CWE Security Report Highlights the “Most Important Hardware Weaknesses” of 2021
https://www.hackster.io/news/cwe-security-report-highlights-the-most-important-hardware-weaknesses-of-2021-3b72fea9616e
Tomi Engdahl says:
School surveillance of students via laptops may do more harm than good
https://theconversation.com/school-surveillance-of-students-via-laptops-may-do-more-harm-than-good-170983
Ever since the start of the pandemic, more and more public school students are using laptops, tablets or similar devices issued by their schools.
The percentage of teachers who reported their schools had provided their students with such devices doubled from 43% before the pandemic to 86% during the pandemic, a September 2021 report shows.
In one sense, it might be tempting to celebrate how schools are doing more to keep their students digitally connected during the pandemic. The problem is, schools are not just providing kids with computers to keep up with their schoolwork. Instead – in a trend that could easily be described as Orwellian – the vast majority of schools are also using those devices to keep tabs on what students are doing in their personal lives.
Tomi Engdahl says:
12 New Flaws Used in Ransomware Attacks in Q3
https://threatpost.com/12-new-flaws-used-in-ransomware-attacks-in-q3/176137/
A dozen new vulnerabilities were used in ransomware attacks this quarter, bringing the total number of bugs associated with ransomware to 278. That’s a 4.5 percent increase over Q2, according to researchers.
Tomi Engdahl says:
83% of Critical Infrastructure Organizations Suffered Breaches, 2021 Cybersecurity Research Reveals https://www.darkreading.com/vulnerabilities-threats/83-of-critical-infrastructure-organizations-suffered-breaches-2021-cybersecurity-research-reveals
A new research study by Skybox Security found that 83% of organizations suffered an operational technology (OT) cybersecurity breach in the prior 36 months. The research also uncovered that organizations underestimate the risk of a cyberattack, with 73% of CIOs and CISOs “highly confident” their organizations will not suffer an OT breach in the next year.
Tomi Engdahl says:
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
Tomi Engdahl says:
New Quarterly Threat Trends & Intelligence Report Available
https://www.phishlabs.com/blog/new-quarterly-threat-trends-intelligence-report-available/
Vishing attacks have more than doubled for the second consecutive quarter, according to the PhishLabs Quarterly Threat Trends & Intelligence Report. The November 2021 report uses hundreds of thousands of attacks analyzed and mitigated by PhishLabs to identify the top threats targeting brands and determine emerging trends throughout the threat landscape.
Tomi Engdahl says:
FinCEN Releases Updated Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
https://www.fincen.gov/news/news-releases/fincen-releases-updated-advisory-ransomware-and-use-financial-system-facilitate
In connection with a set of actions announced today by the Department of the Treasury and focused on disrupting criminal ransomware actors, FinCEN has released an update to its 2020 advisory on ransomware and the use of the financial system to facilitate ransom payments.
PDF: https://www.fincen.gov/sites/default/files/2021-11/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf
Tomi Engdahl says:
Security is Everywhere. Can Your Services Keep Up?
https://www.securityweek.com/security-everywhere-can-your-services-keep
Today’s networks require flexible services designed to accompany efforts to protect any user accessing any service from any location on any device.
Cloud adoption and the rapid transition to remote work have permanently changed how companies do business. And now, as organizations begin to bring employees back to the office using a hybrid work model, organizations have had to deploy highly dynamic and adaptable hybrid networks. These recent changes have resulted in a proliferation of devices and users working from anywhere, which has expanded the digital attack surface and exposed more applications, devices, data, and users to risk.
Understanding and controlling data, applications, and traffic moving across and between these divergent environments is crucial to maintaining security. But this becomes complicated as hybrid and multi-cloud environments adopt new technologies like zero-trust access (ZTA), zero-trust network access (ZTNA), secure SD-WAN that combine physical, cloud, and endpoint devices into an integrated solution. And it becomes even more complicated when things like identity and access management (IAM) policies and an array of tools designed to protect applications and platforms are added to the mix.
But while the ability to create dynamic environments has rapidly evolved, security services have traditionally failed to keep up. Security services help organizations manage licenses, keep solutions current with the latest product updates and real-time threat intelligence, and ensure their policies and configurations align with critical compliance requirements and regulations. But most security services are still tied to specific silos. As a result, many organizations now struggle to manage the complex array of inflexible siloed offerings with different licensing models they have in place.
Tomi Engdahl says:
The Rising Threat Stemming From Identity Sprawl
https://www.securityweek.com/rising-threat-stemming-identity-sprawl
Identity sprawl in the age of remote working and business transformation is a threat to cybersecurity.
The identity sprawl generated by remote working and business digitization is out of control. This is the clear message from a global survey of more than 1,000 IT professionals.
The survey was undertaken by Dimensional Research for One Identity, a provider of unified identity security, and returned similar results across all industry verticals.
Larry Chinski, One Identity’s VP of global IAM strategy, described the three primary results of the survey (PDF). These are the rapidly expanding and almost unchecked growth in the number of identities in use (sprawl); the large number of different tools used to manage the identities, leading to poor overall visibility; and the need to find a unified approach to identities as a solution.
“We found that organizations have experienced an enormous amount of identity sprawl, especially over the last two years,” he told SecurityWeek. Eighty-four percent of the respondents said the number of identities they manage has more than doubled. Twenty-five percent said the number of identities they manage has increased by a factor of 10 or more. And 95% of the respondents are struggling to manage them.
“To get more control over their identities,” continued Chinski, “companies are investing in more and different types of identity-based tools. But the more tools you drop on the problem, the more siloed and fragmented it becomes.” The result is poor visibility into the overall problem.
Fifty-one percent of the respondents struggle with this lack of visibility; 55% complain that it complicates provisioning and deprovisioning; and 85% have employees with more privileged access than is needed for their work.
“So, although the tools are good and perform well,” Chinski told SecurityWeek, “the problem is that each one of those tools doesn’t necessarily understand the identities it is managing are the same identities that other tools are managing. When you create that fragmented state, you don’t have a single way to manage identities from a central location.”
IDENTITIES AND SECURITY IN 2021
A Global Survey of Identity and Security Stakeholders
https://www.oneidentity.com/docs/2021-identities-and-security-survey-results-white-paper-29725.pdf
Tomi Engdahl says:
Taiwan Government Faces 5 Million Cyberattacks Daily: Official
https://www.securityweek.com/taiwan-government-faces-5-million-cyberattacks-daily-official
Taiwan’s government agencies face around five million cyberattacks and probes a day, an official said Wednesday, as a report warned of increasing Chinese cyber warfare targeting the self-ruled island.
Taiwanese officials have previously said the island faces millions of cyberattacks every month, with around half of them believed to originate from China.
Speaking in parliament, cyber security department director Chien Hung-wei said Taiwan’s government network faces “five million attacks and scans a day”.
A scan in cyber security refers to an attempt to locate weaknesses in a server.
“We are strengthening the government’s defensive measures and collecting relevant data for analysis in a bid to stop the attacks when they are initiated,” Chien told lawmakers.
Taipei has accused Beijing of ramping up cyber attacks since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation.
Beijing views democratic Taiwan as part of its own territory and has vowed to one day seize the island, by force if necessary.
Tomi Engdahl says:
Overall, I Believe Some of the Best Red Teamers Are Those Who Were Blue Teamers First (and vice versa)
https://pentestmag.com/heath-adams-interview/
Tomi Engdahl says:
“Malware Attack Types with Kill Chain Methodology” – Demo Video
https://pentestmag.com/malware-attack-types-with-kill-chain-methodology-demo-video/
Tomi Engdahl says:
Why Technical Translation Matters in the Cyber Security World
https://pentestmag.com/83690-2/
Tomi Engdahl says:
With these tips you ensure the security of a growth company
https://sulava.com/tietoturva/nailla-vinkeilla-varmistat-kasvuyrityksen-tietoturvan/
In-house application development is rarely a growth company’s core competence, but proprietary business applications are at the heart of more and more business ideas. Today, growth companies develop and deploy their new applications in cloud services, because only there can development be fast and scalable enough. On the Microsoft cloud side, Azure is the natural choice both as the development environment and as the runtime platform for the applications. How do you make sure that the cloud application is an enabler of growth rather than a security risk?
From a security perspective, the cloud service offers the most up-to-date and secure building blocks to include in an application, but application developers must know how to use them correctly.