Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before year 2021 started. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.
The State of internet security in 2020 was hard. The trends that stormed last year will continue long to 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year trend was Instead of ‘bring your own device’, these days it’s rather ‘bring your own office’.
2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. 2021 Cybersecurity and IT Failures Roundup article presents you Lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lesson.
Kaspersky’s top three cybersecurity predictions for 2021 are increase in targeted attacks, attacks that are more disruptive exploiting contemporary issues and we will continue to have frequent and significant data breaches. I can pretty much agree on those. Cybersecurity must adapt to counter new threats in a transformed world
Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization, and stagnation. Naturally, the world is moving ahead. We can’t be naive and expect that bad things will not happen along with it. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”
In 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad to compromising corporate IT and IoT networks. New Cybersecurity Threat Predictions for 2021 article points out the the traditional network perimeter has been replaced with multiple edge environments, WAN, multi-cloud, data center, remote worker, IoT, and more, each with its unique risks.
DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline – but victims are being urged not to give in to demands.
One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes, which means that first they encrypt your data so you can’t access it and then they say they will publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.
Modern cybercrime is becoming increasingly open-sourced which means that already some of the most sophisticated and notorious cybercriminals are utilizing open-source tools to conduct their criminal activities and this will increase.
Trend Micro survey results claim that AI set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and have people who have answered to the survey really understood AI and cyber security? My predictions is that we will need humans and AI and even traditional solutions for a long long time.
The lack of people with cyber security skills is still a problem for many companies because AI will not replace them any time soon. There are different views how the situation has developed. Cybersecurity Skills Shortage Falls for First Time article claims that that shortfall in skills has therefore dropped from 4.07 million last year to 3.12 million. As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for services has dramatically increased. Some companies try to make claims that they have invented a “silver bullet” for educating cyber professionals like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to cloud, so we need more people who know security and cloud. The Cloud Talent Drought Continues (And Is Even Larger Than You Thought)
Hackers leverage sophisticated and novel techniques to break into networks article tells that recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents and expect more similar incidents that have not just year been revealed.
Want to avoid having your online accounts hacked? Enable two-factor authentication. Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.
A new version of OWASP Top-10 is coming this year. OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 predictions calculated by understandable metrics, make everyone able to reproduce the results, and present to an entire community for the feedback.
Privacy is an illusion. But that‘s a good thing article says that everyone’s information is available. It doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in One Future We have a Private, Anonymous Alternative to Cash but in the Black Mirror Future the Money in Your Pocket Knows Everything About You. Cash is dying that’s for sure. There are still ways to sen anonymous emails and it is a good idea to prepare to your digital life after death.
Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath makes the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom of speech sounding issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.
Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs to have vaguely defined “reasonable security features”. US Government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. EU introduces a cyber security IoT standard to protect its citizens and ENISA Publishes Guidelines on Securing the IoT Supply Chain.
7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.
IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. 6 essential activities to help developers build in IoT cybersecurity article gives some ideas to improve cyber security in your IoT development.
2,203 Comments
Tomi Engdahl says:
Elaine Glusac / New York Times:
US airports are increasingly using biometrics like facial recognition to verify IDs and shorten security procedures for passengers who opt into the programs
https://www.nytimes.com/2021/12/07/travel/biometrics-airports-security.html
Tomi Engdahl says:
Myös Apple-käyttäjät ovat vaarassa
https://etn.fi/index.php/13-news/12923-myoes-apple-kaeyttaejaet-ovat-vaarassa
Tomi Engdahl says:
With 18, 378 vulnerabilities reported in 2021, NIST records fifth straight year of record numbers https://www.zdnet.com/article/with-18376-vulnerabilities-found-in-2021-nist-reports-fifth-straight-year-of-record-numbers/
The National Institute of Standards and Technology (NIST) released a graph showing the number of vulnerabilities reported in 2021, finding 18, 378 this year. The figure set a record for the fifth straight year in a row, but 2021 was different in some ways. The number of high severity vulnerabilities fell slightly compared to 2020, with 3, 646 high-risk vulnerabilities this year compared to last year’s 4, 381.
For 2021, the number of medium and low-risk vulnerabilities reported
- — 11, 767 and 2, 965 respectively — exceeded those seen in 2020.
Tomi Engdahl says:
CISA Releases Guidance on Protecting Organization-Run Social Media Accounts
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/09/cisa-releases-guidance-protecting-organization-run-social-media
CISA has released Capacity Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. Malicious cyber actors that successfully compromise social media accountsincluding accounts used by federal agenciescould spread false or sensitive information to a wide audience. The measures described in the CEG aim to reduce the risk of unauthorized access on platforms such as Twitter, Facebook, and Instagram.
Tomi Engdahl says:
Volume of Attacks on IoT/OT Devices Increasing: Microsoft Study
https://www.securityweek.com/volume-attacks-iotot-devices-increasing-microsoft-study
The volume of attacks on IoT and OT devices is increasing and in many cases these systems were specifically targeted by threat actors, according to a new study commissioned by Microsoft.
Forty-four percent of the more than 600 respondents who took part in a survey said their organization experienced a cyber incident that involved an IoT or OT device in the past two years. Thirty-nine percent said such a device was the target of the attack and 35% said the device was leveraged to conduct a broader attack — this includes lateral movement, detection evasion and persistence.
IoT and OT devices may be specifically targeted by attackers with the intent to cause disruption. One example provided by Microsoft involves human-operated ransomware attacks that disrupt production in an organization.
Half of respondents said the volume of attacks against IoT/OT devices in their organization “increased” or “significantly increased” in the past 12 to 24 months. Moreover, only less than 20% of respondents believe the volume of attacks will decrease in the upcoming period.
Tomi Engdahl says:
Facebook, GDPR and Max Schrems – Under the Hood of GDPR Legal Processes
https://www.securityweek.com/facebook-gdpr-and-max-schrems-under-hood-gdpr-legal-processes
In October 2021, The Irish Data Processing Commission (DPC) produced a Draft Decision on a complaint against Facebook originally raised by Max Schrems with the Austrian data protection authority. In accordance with GDPR rules, Austria handed the case to Ireland, where Facebook’s European headquarters is located.
The draft decision, three years in the making, finds in favor of Facebook; that is, Facebook does not require specific user consent for personal data processing because its terms of service have been changed into a terms of contract. Under that contract, Facebook is allowed to do (more or less) anything it wishes with its users’ information. Schrems had challenged this, but the DPC’s Draft decision effectively rules that the contract supersedes any separate GDPR requirement for user consent.
Tomi Engdahl says:
The First Building Block for the SOC of the Future is Data
https://www.securityweek.com/first-building-block-soc-future-data
Data is the lifeblood of security because it provides context from a wide range of internal and external sources
Previously, I discussed the concept of the SOC of the future, with a mission to be a detection and response organization. Entirely new solution categories have emerged to support this mission, including Security Orchestration, Automation and Response (SOAR) and, more recently, Extended Detection and Response (XDR). Thousands of reports, articles and research papers have been written on each.
As a security professional it’s important to remain informed about security innovations and update your tools and technologies. But you risk limiting the value you can derive from your next security investment without first thinking about your top use cases and the capabilities needed to address them. Threat detection and monitoring, investigation, incident response and hunting are all use cases aimed at detection and response. And the starting point for each of these use cases is to focus on data.
Data is the lifeblood of security because it provides context from a wide range of internal and external sources, including systems, threats, vulnerabilities, identities and more. When security is data-driven, teams have the context to focus on relevant, high-priority issues, make the best decisions and take the right action. Data-driven security also provides a continuous feedback loop that enables teams to capture and use data to improve future analysis.
A data-driven approach to security challenges earlier process-driven approaches that take the tack of accelerating response by defining a process and automating the steps needed to complete that process. Instead, data-driven is based on the premise that you need to start by analyzing data to determine that the right criteria are met and once something meets the criteria, then the appropriate process is triggered. Automating and orchestrating noisy data just amplifies the noise. And in a dynamic and variable environment, the operational reality is that you need to continuously ensure you have the right data to focus on what really matters to your organization, use that data to ensure the right actions are taken faster, and capture feedback to learn from actions taken for improvement.
Tomi Engdahl says:
Tutut haittaohjelmat edelleen kiusana – Netwalker yleisin Suomessa
https://www.uusiteknologia.fi/2021/12/09/tutut-haittaohjelmat-edelleen-kiusana-netwalker-suomessa-yleisin/
Emotetin paluu huolestuttaa
https://etn.fi/index.php/13-news/12934-emotetin-paluu-huolestuttaa
Tietoturvayhtiö Check Point Software on julkaissut marraskuun haittaohjelmakatsauksensa. Tutkijat kertovat, että modulaarinen bottiverkko ja pankkitroijalainen Trickbot on maailman yleisin haittaohjelma. Sitä esiintyy viidessä prosentissa maailman yritysverkoista. Tammikuussa alasajettu Emotet on tehnyt paluun maailman yleisimpien haittaohjelmien joukkoon ollen marraskuussa sijalla seitsemän.
Tomi Engdahl says:
Kyberturvan ABC – yleisimmät tietoturvan kirjainlyhenteet
https://www.cinia.fi/blogi/kyberturvan-abc-yleisimmat-tietoturvan-kirjainlyhtenteet
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
PwC report details the ransomware attack on Ireland’s public health system in May 2021 and finds that IT admins failed to respond to multiple warning signs
Inside Ireland’s Public Healthcare Ransomware Scare
https://krebsonsecurity.com/2021/12/inside-irelands-public-healthcare-ransomware-scare/
The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.
Tomi Engdahl says:
BBC:
UK MPs propose changes to the UK’s Online Safety Bill, including adding more offenses and fines, mandating tech firms appoint a “safety controller”, and more
https://www.bbc.com/news/technology-59638569
Tomi Engdahl says:
Work-from-Anywhere Requires “Work-from-Anywhere Security”
https://www.securityweek.com/work-anywhere-requires-work-anywhere-security
Security policies and solutions need to follow users and data from anywhere to anywhere
Securing today’s expanding networks often includes adding additional technologies to an already overburdened security environment. With organizations already struggling to manage an average of 45 security tools, with each incident requiring coordination across 19 different devices, adding new technologies to the mix may be the straw that breaks the camel’s back.
The most recent example of the rapid expansion of the network’s attack surface has been remote work. The COVID-19 pandemic accelerated the need for a work-from-anywhere (WFA) strategy. And now, as workers begin to return to the office, a hybrid approach to work has become the new status quo. According to Accenture, 83% of workers prefer a hybrid work model that allows them to work remotely between 25% and 75% of the time. And businesses are listening. 63% of high-revenue growth companies have already enabled productivity anywhere workforce models.
Tomi Engdahl says:
Cybersecurity is Under Assault, And It’s Growing Worse
https://www.securityweek.com/cybersecurity-under-assault-and-its-growing-worse
You don’t have to look very far for evidence of just how widespread cybercrime has become. Unfortunately, many of us don’t even have to look beyond our own inboxes. And sadly, the situation is getting worse. It is now bad enough that in April, the U.S. proposed a bipartisan lawmaker group form a “Civilian Cybersecurity Reserve,” to create a surge capacity of cyber expertise, patterned after the National Guard, that would respond to incidents affecting government networks.
Outside the federal government in the U.S., one of the most frequent and lucrative cyberattacks – which typically begins with a successful phishing scam – is ransomware. In addition to cash-rich corporations and financial institutions, ransom attack victims have included hospitals, schools, universities, local governments, and police departments, as well as utility and industrial companies. And, borrowing a page from the blackmailer’s playbook, some criminals even threaten to publicly release the organization’s most sensitive data unless they pay up, typically in cryptocurrency.
Tomi Engdahl says:
Connect: The Fourth Pillar of Industrial Cybersecurity
https://www.securityweek.com/connect-fourth-pillar-industrial-cybersecurity
Recent attacks on U.S. critical infrastructure and actions by the U.S. government, including the July 28, 2021 National Security Memorandum, have added urgency to the need to modernize industrial control systems’ cybersecurity capabilities.
Tomi Engdahl says:
Log4Shell Tools and Resources for Defenders – Continuously Updated
https://www.securityweek.com/log4shell-tools-and-resources-defenders-continuously-updated
The widely used Apache Log4j Java-based logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including to deliver various types of malware.
The vulnerability is tracked as CVE-2021-44228 and it has been dubbed Log4Shell and LogJam. The security hole exposes many organizations to attacks and exploitation is not difficult.
SecurityWeek has compiled a list of tools and other resources that can be useful for defenders concerned about the impact of the Log4Shell vulnerability on their organization.
Tomi Engdahl says:
Dan Kaminsky Inducted into Internet Hall of Fame
https://www.securityweek.com/dan-kaminsky-inducted-internet-hall-fame
Famed hacker Dan Kaminsky has been inducted in the Internet Society’s Hall of Fame for his groundbreaking contributions to DNS (domain name system) security.
Kaminsky, who passed away suddenly in April this year, was inducted alongside a list of tech visionaries and pioneers being celebrated for “extraordinary contributions” to the worldwide availability and use of the Internet.
“Dan was an outspoken advocate of Internet security and privacy and a determined digital sleuth,” the Internet Society said in a note celebrating Kaminsky’s life, accomplishments and contributions.
“His untimely death at the age of 42 cut short a brilliant career that had by then already made the Internet stronger and more secure,” it added.
In July this year, Kaminsky was inducted into FIRST’s incident response hall of fame.
Tomi Engdahl says:
Recent Ransomware Trends Reinforce the Need for Cyber Hygiene, Collaboration
https://www.securityweek.com/recent-ransomware-trends-reinforce-need-cyber-hygiene-collaboration
It’s no secret that ransomware has reached near-epic proportions. We are hearing about ransomware attacks left and right – and those are just the ones we hear about. For every attack that makes the headlines, there are many more that don’t. In fact, a recent survey (PDF) by Fortinet found that more than two-thirds of organizations say they’ve been the target of at least one ransomware attack.
Ransomware is top of mind for business leaders – and the evolving threat landscape is cited as one of the biggest challenges in preventing ransomware attacks. Let’s dig into some of the other findings of the survey.
Ransomware is the top cybersecurity concern
Tomi Engdahl says:
As Ransomware costs balloon, it’s last call for legacy security
Nov. 29, 2021
A strong security posture against ransomware can be achieved only when organizations recognize the need to proactively adapt and evolve
https://www.securityinfowatch.com/cybersecurity/article/21247898/as-ransomware-costs-balloon-its-last-call-for-legacy-security
Ransomware attacks are growing more costly. But amid the financial and reputational wreckage, there may be an unexpected silver lining. Perhaps the rising average bill, at last, provides vulnerable organizations with an inarguable business case for upgrading obsolete legacy defenses.
2021 saw a steady parade of new, high-profile ransomware victims, from Colonial Pipeline to meat processor JBS to Kia Motors America. The good news, according to recent reports from Sophos and Microsoft, is that the volume of attacks keeps declining, year over year. But don’t take that to mean old defense systems suddenly, mysteriously became more effective. And it certainly doesn’t signal ransomware is now less on-trend, and we might consider relaxing. Fewer attacks merely signal a more considered, efficient strategy from the black hats: sharper focus on more lucrative targets.
Remediation Costs Soar
The bad news is that from 2019 to 2020, the average remediation cost of a ransomware attack more than doubled, according to Sophos, to $1.85 million. In the United States, it’s even higher — $2.09 million — and in March 2021 CNA Financial reportedly paid its attackers $40 million. If that’s accurate, it would be the highest known ransom payout to date.
Like flat tires, migraine headaches, and flight delays, ransomware attacks are an unpleasant, incurable reality for the foreseeable future. Today, no single region, country, or industry is safe from such attacks or their costs. The White House is implementing counterinitiatives, including a multi-agency ransomware task force and Congress is proposing the “Ransom Disclosure Act,” but the tide will not be turned by Washington alone. Nor can ransomware attacks be reliably mitigated by employee training; employees often create entry points for attack by falling for phishing links, but it’s unrealistic to expect a zero-error workplace.
Most ransomware attacks encompass four key phases:
An attacker infiltrates one or more systems in the target organization.
Often undetected, the attacker penetrates deep into the organization’s data systems.
Hours, days or weeks later exfiltration and encryption of data occur, causing the organization to lose control over its own critical information.
With the target organization in damage-control mode, a ransom demand is issued.
In the face of this established attack pattern, organizations must adapt and combine several different measures to approach high-level security. They include systems that block all known malware delivery infrastructure and payloads, limitations on internet-accessible services, and multifactor authentication (MFA) requirements. Merge these tactical steps with a comprehensive detection and response strategy which includes vigorous detection capabilities (across endpoint, network, and cloud) designed to detect ransomware attacks as early as possible and rapid response capabilities to stop attackers in their tracks.
Having mechanisms in place that enable rapid, accurate identification of unusual, suspicious activity within a network environment can flip the four-step script above. Rapid detection, post-penetration, can position an organization to disrupt an attack before it gets to the exfiltration and encryption stages.
Status Quo Has Got to Go
The most disquieting motif of the ransomware era is not the attackers’ audacity, success rate, or profit margins. It has been the consistently expressed conviction, in high corporate places, that current protections are good enough. As the 2010s concluded, credible surveys found fewer organizations viewed ransomware as a threat — and that most senior executives felt their IT infrastructure was secure. This amid a ransomware rampage. My industry colleague Jay Chaudhry at Zscaler is quite correct to call out the creeping danger to organizations posed by “WADITWay Disease,” as in: We’ve always done it this way.
Our secure digital future depends on pivoting to do something new. A strong security posture against ransomware can be achieved, but only when organizations recognize the need to proactively adapt and evolve their security strategies, not simply react to attacks with legacy solutions – after the damage is done.
Tomi Engdahl says:
Depending on the Cloud: The AWS “Oops”
Dec. 8, 2021
Using the cloud for development and collaboration is great… when it works.
https://www.electronicdesign.com/altembedded/article/21183210/electronic-design-depending-on-the-cloud-the-aws-oops?utm_source=EG%20ED%20Connected%20Solutions&utm_medium=email&utm_campaign=CPS211208093&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
Electronic designers and developers depend heavily on the internet these days. It’s great when it works, but not so much when it doesn’t cooperate. Unless your internet service provider (ISP) goes down, you tend to have a degraded experience if a web-based service hits the skids.
That’s what happened today when AWS encountered unspecified problems. I noticed a general slowness in all our tools and websites I was working on. The impact came home when the webinar I was watching decided to give everyone the circle of death (see figure). This was fixed after an hour or so, but I will have to go back and watch the recording when it’s posted since it was a “live” event. It was actually a hybrid in-person, web event that’s likely to become the norm.
AWS is one of a few bit cloud service providers. Their whole infrastructure wasn’t impacted, but it was enough to affect major sites. Though this type of outage isn’t unusual and other major providers have had problems, the problems vary. Likewise, how quickly they’re fixed varies as well.
Putting the Hammer on Tools
The reason I bring this up in our venue is that we were impacted, too, but more due to the tools we use for managing our website as well as our collaboration tools. On the plus side, the tools slowed down today, but the integrity was fine. The website had some issues due more to where images where stored. This highlights the interdependence of tools and services that cloud-based solutions tend to require. We use another service for hosting videos. Cloud problems can affect our sites in different ways depending on what’s working and what’s not.
This isn’t an outlier these days. We embed YouTube videos, too, and if YouTube isn’t working, those videos don’t play.
A Cloudy Cloud
The impact of cloud-based problems becomes more important when they impact your workflow. For example, if we can’t get our newsletters out, then our advertisers don’t pay us. This financial impact can be even more serious for companies using cloud-based services to design and manage chips, IoT devices, or any other products or services tied to the cloud.
Losing Access
There’s another problem as well. What about when the things you need to work with are accessible via the cloud. I have a Wi-Fi smart light switch that only works remotely when it’s connected to the cloud. On the plus side, it still has a real button, but the functionality—e.g., changing the schedule—only works when there’s cloud connectivity. What’s even more bizarre is my smart light is controlled via Bluetooth, but the app on my smartphone only works if it can talk to the cloud. Though this is by design, it’s not something I would really want if I had the option to change it.
Tomi Engdahl says:
I remember the good old days when we could blame things on chip creep or floating point logic error. Now all we have is DNS
Tomi Engdahl says:
MIT Professor Warns That Cartels Could Use “Slaughterbots” to Evade Justice
https://lm.facebook.com/l.php?u=https%3A%2F%2Ffuturism.com%2Fmit-professor-warns-cartels-could-use-slaughterbots&h=AT2GzQHoNyHEOFRw-zUlmmoXX7RjsS5xD5Gn5wJJfzeW77EMyJkH9ii0HMMokv6c-5vRrDx0UkvZyEaK6tSQ-0vFcIKTvbt_SxVOnB8XRTA2jsM7V9KzWbqLmTMRwO00Kg
Cheap, lightweight killer robots are just around the corner — and major military powers, including the US, are doing very little to stop them.
In an interview with TheNextWeb, MIT artificial intelligence and weapons researcher Max Tegmark warned that the kind of “slaughterbots” that militaries are already working hard on may soon be in the hands of civilians as well.
“They’ll be small, cheap and light like smartphones, and incredibly versatile and powerful,” he told the site. “It’s clearly not in the national security interest of these countries to legalize super-powerful weapons of mass destruction.”
The greater context is even more chilling. The US, Russia, and China have all signaled that they are against an outright global ban on these so-called “legal autonomous weapons” (LAWs) ahead of a United Nations debate and resolution vote this week.
Tomi Engdahl says:
Nämä asiat jokaisen suomalaisen tulisi osata voi pelastaa omaisuutesi
https://www.iltalehti.fi/tietoturva/a/70393ac2-795d-4f2d-a6cc-8df8d1a12789
Suomalaiset ovat menettäneet yli 35 miljoonaa euroa huijauksiin.
Tomi Engdahl says:
The final report on NOBELIUM’s unprecedented nation-state attack https://www.microsoft.com/security/blog/2021/12/15/the-final-report-on-nobeliums-unprecedented-nation-state-attack/
This is the final post in a four-part series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. In the final episode of our “Decoding NOBELIUM” series, we provide an after-action report that explores Microsoft’s findings and discusses lessons learned.
Tomi Engdahl says:
U.K. seeks to build “cyber power” via new national cybersecurity strategy https://therecord.media/u-k-seeks-to-build-cyber-power-via-new-national-cybersecurity-strategy/
The United Kingdom on Wednesday announced a major update to its national cybersecurity strategy, calling on the country to leverage “cyber power in support of national goals.”. The 130-page plan, which builds on a strategy announced in 2016 that has spanned the last five years, proposes building up domestic knowledge bases and creating resilience in technical supply chains in the face of increasing digital risks to national securitysupported by a £2.6 billion ($3.4
billion) investment in cybersecurity.
Tomi Engdahl says:
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. Instead, malware families in this arena
- — including WannaCry, NotPetya, Ryuk, Cerber, and Cryptolocker — can be one component of attacks designed to elicit a blackmail payment from a victim organization. The European Union Agency for Cybersecurity (ENISA) said there was a 150% rise in ransomware attacks between April 2020 and July 2021. According to the agency, we are experiencing the “golden era of ransomware, ” in part due to multiple monetization options.
Tomi Engdahl says:
Kaspersky Managed Detection and Response: interesting cases https://securelist.com/kaspersky-managed-detection-and-response-interesting-cases/105214/
The MDR results allow us to map out the modern threat landscape and show techniques used by attackers right now. We share these results with you so that you are more informed about in-the-wild attacks and better prepared to respond.
Tomi Engdahl says:
Large-scale phishing study shows who bites the bait more often https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-shows-who-bites-the-bait-more-often/
A large-scale phishing study involving 14, 733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices. Research paper (PDF):
https://arxiv.org/pdf/2112.07498.pdf
Tomi Engdahl says:
Tips for DFIR Analysts, pt VI
http://windowsir.blogspot.com/2021/12/tips-for-dfir-analysts-pt-vi.html
Tomi Engdahl says:
Dragos CEO Robert M. Lee Keynote at Fortinet Operations Technology
(OT) Energy Symposium 2021
https://www.dragos.com/blog/industry-news/dragos-ceo-rob-lee-keynote-fortinet-ot-energy-symposium-2021/
Below we provide some highlights from Rob’s keynote discussion. To listen to the keynote presentation in its entirety, including ransomware case studies and activity breakdowns, you can watch the recorded session here.
Tomi Engdahl says:
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/
This report provides a technical overview of 5 prominent web shells:
Alfa, Krypton, SharPyShell, ASPXSpy, and TWOFACE. It contains details on the capabilities of the web shells and host-based and network-based detections. This report is intended for security operations audiences who focus on detection engineering. Sources include the Recorded Future Platform®, GreyNoise, Shodan, and BinaryEdge.. Report (PDF):
https://go.recordedfuture.com/hubfs/reports/mtp-2021-1214.pdf
Tomi Engdahl says:
Implications of Log4j Vulnerability for Operational Technology (OT) Networks https://www.dragos.com/blog/industry-news/implications-of-log4j-vulnerability-for-ot-networks/
Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems
(ICS) environments for years to come. Within ICS environments, Dragos anticipates OT operators will face one of three scenarios when working to mitigate Log4j vulnerabilities.
Tomi Engdahl says:
Upskilling Cyber Defenders Requires a Readiness Environment
https://www.securityweek.com/upskilling-cyber-defenders-requires-readiness-environment
The cybersecurity threat landscape never stands still. New threats and threat actors appear all the time. They are highly trained, well-funded, and leverage the newest tools to pursue some form of cybercrime — extortion, terrorism, data theft, the list goes on.
To defend against the endless wave of threats, cybersecurity professionals need to upskill constantly so they can keep up with criminals’ evolving tactics. One of the best ways to gain cybersecurity readiness is to conduct hands-on, interactive exercises using real IT infrastructure, tools, and attack scenarios.
Tomi Engdahl says:
CISA Calls for Improved Critical Infrastructure Security
https://www.securityweek.com/cisa-calls-improved-critical-infrastructure-security
Tomi Engdahl says:
Ransomware in 2022: We’re all screwed
Security experts tell us what to expect in the cybercriminal landscape as we head into the new year. It’s not good.
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Ransomware is now a primary threat for businesses, and with the past year or so considered the “golden era” for operators, cybersecurity experts believe this criminal enterprise will reach new heights in the future.
Tomi Engdahl says:
Log4j zero-day flaw: What you need to know and how to protect yourself
https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/
The Log4j vulnerability affects everything from the cloud to developer tools and security devices. Here’s what to look for, according to the latest information.
Tomi Engdahl says:
U.S. blacklists 34 Chinese entities, citing human rights abuses and ‘brain-control weaponry’
https://www.cnbc.com/2021/12/16/us-blacklists-34-chinese-entities-over-human-rights-abuses-brain-control-weapons.html
KEY POINTS
The Biden administration imposed trade restrictions on more than 30 Chinese entities on Thursday for human rights violations and the alleged development of “brain-control weaponry.”
The move comes after the White House announced a diplomatic boycott of the 2022 Winter Olympics in Beijing, citing “ongoing genocide and crimes against humanity in Xinjiang.”
Beijing denies that it has been committing human rights abuses against Uyghurs in Xinjiang.
Tomi Engdahl says:
This company was hit with ransomware, but didn’t have to pay up.
Here’s how they did it
https://www.zdnet.com/article/this-company-was-hit-with-ransomware-but-didnt-have-to-pay-up-heres-how-they-did-it/
Cyber criminals demanded $15 million for a decryption key and sent threatening messages to staff – but this company recovered its network without paying hackers a thing.
Tomi Engdahl says:
U.S. blacklists world’s largest commercial drone firm for Uyghur surveillance https://www.axios.com/dji-drones-china-surveillance-a14cc7b4-16f9-461a-8a52-c55462bc5d63.html
The Treasury Department has added eight Chinese companies including DJI, the world’s largest commercial drone manufacturer to an investment blacklist for actively supporting the “surveillance and tracking” of Uyghurs and other ethnic minorities in China.
Tomi Engdahl says:
Facebook Bans Spy-for-Hire Firms for Targeting 50K People
https://threatpost.com/facebook-bans-spy-hire/177149/
Meta, Facebook’s parent company, has kicked six alleged spy-for-hire “cyber-mercenaries” to the curb, along with a mysterious Chinese law-enforcement supplier. It accused the entities of collectively targeting about 50, 000 people for surveillance. Full report here:
https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf
Tomi Engdahl says:
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works..
Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.
Tomi Engdahl says:
All Log4j, logback bugs we know so far and why you MUST ditch 2.15 https://www.bleepingcomputer.com/news/security/all-log4j-logback-bugs-we-know-so-far-and-why-you-must-ditch-215/
Everyone’s heard of the critical log4j zero-day by now. Dubbed ‘Log4Shell, ‘ the vulnerability has already set the internet on fire.
Thus far, the log4j vulnerability, tracked as CVE-2021-44228, has been abused by all kinds of threat actors from state-backed hackers to ransomware gangs and others to inject Monero miners on vulnerable systems.
Tomi Engdahl says:
How the “Contact Forms” campaign tricks people https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/
“Contact Forms” is a campaign that uses a web site’s contact form to email malicious links disguised as some sort of legal complaint. We’ve seen this campaign push BazarLoader malware and distribute Sliver, but recently it’s been pushing IcedID (Bokbot). Most of the time, the Contact Forms campaign uses a “Stolen Images Evidence” theme, with emails stating a supposed violation of the Digital Millennium Copyright Act (DMCA). Below is an example seen on December 9th, 2021.
Tomi Engdahl says:
Improving OSS-Fuzz and Jazzer to catch Log4Shell
https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html
Google Open Source Security Team: The discovery of the Log4Shell vulnerability has set the internet on fire. Similar to shellshock and heartbleed, Log4Shell is just the latest catastrophic vulnerability in software that runs the internet. Our mission as the Google Open Source Security Team is to secure the open source libraries the world depends on, such as Log4j. One of our capabilities in this space is OSS-Fuzz, a free fuzzing service that is used by over 500 critical open source projects and has found more than 7, 000 vulnerabilities in its lifetime. We want to empower open source developers to secure their code on their own. Over the next year we will work on better automated detection of non-memory corruption vulnerabilities such as Log4Shell.
Tomi Engdahl says:
Entiset työntekijät voivat muodostaa uhan yritysten it-järjestelmille
https://www.kauppalehti.fi/uutiset/kysely-exat-ovat-merkittava-tietoturvauhka-yrityksille/f7804220-ed63-4bb3-bbd2-60085b645dbf
Tuoreen raportin mukaan peräti 83 prosenttia organisaatioiden tietoturva-ammattilaisista toteaa, ettei organisaatioiden entisiä työntekijöitä pystytä varmuudella pitämään poissa it-järjestelmistä.
Asia selviää it-yhtiö Teleportin raportista, josta uutisoi VentureBeat.
Tomi Engdahl says:
Western Digital warns customers to update their My Cloud devices
https://www.bleepingcomputer.com/news/security/western-digital-warns-customers-to-update-their-my-cloud-devices/
Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support. “On April 15, 2022, support for prior generations of My Cloud OS, including My Cloud OS 3, will end, ” the company said this week. “If your device isn’t compatible with My Cloud OS 5, you will lose remote access and will only be able to access it locally. Devices on these older firmware versions will not receive security fixes or technical support.”
Tomi Engdahl says:
Andy Maxwell / TorrentFreak:
Malaysia passes a bill to imprison people who facilitate access to pirate content via illegal streaming, for up to 20 years
Malaysia Passes Bill to Imprison Illegal Streaming Pirates For Up To 20 Years
https://torrentfreak.com/malaysia-passes-bill-to-imprison-illegal-streaming-pirates-for-up-to-20-years-211218/
Malaysia’s House of Representatives has passed amendments to copyright law that will boost the country’s deterrent against those who facilitate access to pirate content via illegal streaming. The amendments, which cover both hardware and software, could see offenders imprisoned for up to 20 years.
Streaming KeyLaws that forbid the illegal uploading and downloading of copyrighted content are common around the world but the rise of streaming has sometimes exposed gaps in legislation.
Piracy-equipped Kodi devices, illegal streaming apps, and similar tools have led legal specialists to attempt to apply laws that didn’t envision the technology. In Malaysia, for example, it took a decision by the High Court last May to determine that the sale and distribution of streaming devices configured for piracy purposes does indeed constitute infringement under the Copyright Act.
Tomi Engdahl says:
Chinese Hackers Spotted Targeting Transportation Sector
https://www.securityweek.com/trend-micro-spots-chinese-hackers-targeting-transportation-sector
Ransomware Persists Even as High-Profile Attacks Have Slowed
https://www.securityweek.com/ransomware-persists-even-high-profile-attacks-have-slowed
In the months since President Joe Biden warned Russia’s Vladimir Putin that he needed to crack down on ransomware gangs in his country, there hasn’t been a massive attack like the one last May that resulted in gasoline shortages. But that’s small comfort to Ken Trzaska.
Trzaska is president of Lewis & Clark Community College, a small Illinois school that canceled classes for days after a ransomware attack last month that knocked critical computer systems offline.
Tomi Engdahl says:
Upskilling Cyber Defenders Requires a Readiness Environment
https://www.securityweek.com/upskilling-cyber-defenders-requires-readiness-environment
The cybersecurity threat landscape never stands still. New threats and threat actors appear all the time. They are highly trained, well-funded, and leverage the newest tools to pursue some form of cybercrime — extortion, terrorism, data theft, the list goes on.
To defend against the endless wave of threats, cybersecurity professionals need to upskill constantly so they can keep up with criminals’ evolving tactics. One of the best ways to gain cybersecurity readiness is to conduct hands-on, interactive exercises using real IT infrastructure, tools, and attack scenarios.
Controlled Setting for Skills Development
This can be accomplished using an environment that is secure, controlled and isolated from all development and production infrastructures, ensuring that the users of the emulated network (sometimes referred to as a cyber range) cannot compromise working systems, networks, or corporate data.
Tomi Engdahl says:
Planning for the Future: What’s Ahead in 2022
https://www.securityweek.com/planning-future-whats-ahead-2022
Current security technology stacks are not keeping up with the increasing scale and sophistication of attacks
With security incidents and breaches skyrocketing, the security industry is looking for value-based metrics that show return on investment. In 2022, threats will continue to rise and will include increased targeting of small to medium sized businesses that are important to the supply chain of larger enterprises. One way to accomplish this is by attacking the identities in the supply chain including mergers and acquisitions that have the least sophisticated security posture. Given past success, we can expect to see nation states continue to conduct aggressive attacks similar to the SolarWinds attacks of 2020.
To combat these threats, the security industry must commit to a risk-based approach that understands the specific attacks and actors targeting their industry and profile. Findings and security alerts should be qualified based on the impact on particular companies and not just tied to various industries. Attacks should be prioritized based upon the most impactful outcomes.
Threat Predictions for 2022
Cybercrime actors will continue to hammer small and medium size businesses “below the security poverty line” using common attack vectors including credentials found in the wild and used against open RDP ports exposed to the internet. Simple attacks like sending an HR representative a fake delivery invoice can give even an unsophisticated threat actor the ability to encrypt the entire network filesystem only to find the disaster recovery policies haven’t been updated in five years and the backup systems aren’t intact.
Larger enterprises will become more collaborative and influential in protecting small and medium sized businesses because they realize they are critical to the supply chain.
Security Technology Predictions for 2022
Current security technology stacks are not keeping up with the increasing scale and sophistication of attacks. While this is well known in the industry, security and IT teams’ continue to have an inability to prioritize and respond to the most relevant alerts and problems. The availability of metrics to justify increased security investment continue to be lacking.
Much of security technology continues to be under-engineered and over-marketed relative to threats that matter to most enterprises. In addition, many executives, employees and companies are targeted through routine social media and email scams. Platform technology companies are subjected to ongoing consumer account takeovers; fraudsters are reusing passwords to engage with employees following a phish to their work email, and disinformation is common on social media platforms and open and closed forums. In addition, ransomware actors continue to reuse credentials and exploit unpatched services.
For these threats to be addressed, the security industry must focus on threats that impact a company’s bottom line. Executives in customer-facing companies rarely understand security because the marketing efforts they see are geared towards nation state espionage efforts. In addition, customer-side security teams rarely understand the details of their company’s business and therefore, understanding the impact of security events on the corporate bottom line is challenging.
1. Enterprise security teams must shift their focus to client-directed intelligence to address threats to systems, assets, people, and the business. The generic threat data sets and analysis currently used by many organizations will not adequately address the company-specific threats targeting a company and their unique attributes.
2. Following this risk-based approach a security team can build a security stack that incorporates proper escalation policies and procedures including:
a. Asset Inventory Technology Evolution: New technology will solve challenges of identifying and automating hundreds of thousands of assets across corporate, OT, IT, and production environments.
b. Threat Intelligence As a Managed Service: Threat intelligence feeds providing data and generic industry threats does not solve the problem of sophisticated, client-specific threats. Improvements in managed intelligence services will likely mature and be adopted to address the problems posed by inadequate resources and expertise.
c. XDR Will Continue to Supplant Less-Sophisticated EDR Offerings: To date, SIEMs and SOARs have not delivered on their promise, leaving security and risk managers struggling with disparate security tools and high alert volumes. XDR products will start to improve detection and response activity by centralizing security tools and using ML/AI to reduce false positives. It will likely require several years for enterprises to evolve.
d. Cloud Security and Compliance Will Become Easier: Secure cloud software automation will become more mainstream enabling less sophisticated users and analysts to architect, build, and manage multi-vendor cloud deployments (AWS, Azure, GCP).
Tomi Engdahl says:
5 Ways to Reduce the Risk of Ransomware to Your OT Network
https://www.securityweek.com/5-ways-reduce-risk-ransomware-your-ot-network
In the last year and half, we’ve seen an unprecedented increase in ransomware attacks on Operational Technology (OT) networks. While this surge is generating a lot of press coverage, it was something that experts within our industry have been anticipating for a while. In fact, I presented on the topic of ransomware and destructive attacks at RSAC 2018, together with a host of security leaders from the public and private sector.
Evidence of nation-state actors targeting OT networks had been building. But in 2017, NotPetya showed the world that the accidental spill-over of ransomware into OT networks could have disastrous consequences. Operations came to a standstill at multinational corporations across a wide swath of sectors including healthcare, energy, and transportation, resulting in an estimated $10 billion in damages. It was only a matter of time for cybercriminals to realize that OT networks are critical to operations, and therefore extremely valuable.
Revenue is generated and customers’ lives are improved when OT networks are up and running. If ransomware attacks specifically targeted industrial environments, the outcome could be loss of availability of those systems, thus impacting the core business of the company. Even a partial loss of view for human operators into network activity would necessitate a shutdown of the process due to product quality or safety concerns. Ultimately, any risk of disruption to physical processes can lead to loss in productivity and revenue and, in some cases, could lead to loss of life as well.
Most recently, U.S. government agencies acknowledged that BlackMatter is a possible rebrand of DarkSide, the group that attacked Colonial Pipeline and has since targeted multiple U.S. critical infrastructure entities, including two in the food and agriculture sector. Whether a rebrand, or an offshoot as some security experts argue, the group demonstrates the resolve of nation-state actors to continue to disrupt consumer access to critical infrastructure services and thus the economy and daily life for millions of people.
What can defenders do in this new reality to strengthen the security posture of their OT environments? Here are five recommendations every CISO should consider:
1. Extend the scope of your risk governance to include anything that is a cyber-physical asset. This includes all Industrial IoT, industrial control system (ICS), and Enterprise IoT components. Of course, this is a challenging step for many organizations since it’s not an easy task to even identify those assets.
2. Make sure that you have proper segmentation between IT and OT networks. There are many business processes and applications that need to communicate across the IT/OT boundary, so we need to ensure this is done in a secure way. This simple step usually gets taken for granted, but it shouldn’t. In addition to the IT/OT segmentation, deploy virtual segmentation to zones within the OT environment – this will help detect lateral movement within the OT networks.
3. Practice good cyber hygiene. Ensure that your hygiene extends to OT and IoT devices. This includes the use of strong passwords (and not sharing passwords amongst different users, a practice that is common in industrial operations), a password vault, and multi-factor authentication. Some processes, like patching legacy systems, might be more challenging or not possible. If that is the case, identify and implement compensating controls such as firewall rules and access control lists.
4. Implement a robust system monitoring program. This means monitoring for threats in both IT and OT networks and anything that is traversing that boundary. Agentless solutions that are purpose-built for continuous threat monitoring across the OT network, can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to look at OT environments together. Working from the same set of information these teams take specific steps to manage and mitigate risk from both known and unknown, emerging threats.
5. Run exercises on your incident response plan. Running tabletop exercises of ransomware attacks can help you understand your organizational and technical preparedness. This affords you an opportunity to create an improved incident response plan and will build confidence in your preparedness and resilience to such attacks.
Ransomware attacks are disrupting pipelines, processing plants, and food distribution. And although none of these attacks appear to have impacted the OT environment directly – it is only a matter of time.