Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat: it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
• Compromised Identities Continue to Fuel the Cyberattack Engine
• Ransomware Attacks Evolve to Multifaceted Extortion Schemes
• Pay Attention to the Supply Chain Threats
• The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development and investments. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency, increased reliability, and real-time processing and analytics. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware, adapting (and automating) machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of the Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.

In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission.”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn’t not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities. While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Mobile phone security is being reworked
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU chip. In this solution, TEE-type protections are provided by a secure enclave. The use of this type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference from the TEE structure, where another kernel runs all the time alongside the operating system, is significant. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The new Armv9-A architecture, announced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”

Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them. A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks

Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    Corporate information security is part of our overall security https://www.kauppalehti.fi/uutiset/yritysten-tietoturva-on-osa-kokonaisturvallisuuttamme/6f847407-9290-4b44-96a9-998cae8cf56b
    Digitalisation opens up opportunities for cybercriminals. Russia’s military actions, in turn, increase hostile operations and influence activities online.
    Our companies cannot afford to be naive about this.
    The importance of information security work is emphasised now more than ever in SMEs.
    34 percent of SMEs rate data breaches as a major or fairly major risk to their business. Only seven percent see no risks at all. More than half consider taking care of information security very important. This is shown by the Yrittäjägallup survey that Suomen Yrittäjät commissioned from Kantar, which was compiled just before the war in Ukraine.

  2. Tomi Engdahl says:

    Ransomware: the number one cyber threat for enterprises and SMEs https://www.ncsc.gov.uk/blog-post/ransomware-the-number-one-cyber-threat-for-enterprises-and-smes
    The 2021 NCSC Annual Review declared that ransomware has now become the most significant cyber threat facing the UK, with the impact of an attack on critical national infrastructure stated in the UK National Cyber Strategy 2022 as potentially as harmful as state-sponsored espionage. So there’s still a huge amount of work to do to protect not just our digital economy, but also businesses and citizens who can be victims of this growing threat. This is why Plexal and the NCSC have identified ransomware as the next challenge we’re focusing on with our NCSC for Startups initiative.

  3. Tomi Engdahl says:

    A clearer lens on Zero Trust security strategy: Part 1 https://www.microsoft.com/security/blog/2022/04/14/a-clearer-lens-on-zero-trust-security-strategy-part-1/
    Today’s world is flooded with definitions and perspectives on Zero Trust, so we are kicking off a blog series to bring clarity to what Zero Trust is and what it means. This first blog will draw on the past, present, and future to bring a clear vision while keeping our feet planted firmly on the ground of reality.

  4. Tomi Engdahl says:

    Old Gremlins, new methods
    https://blog.group-ib.com/oldgremlin_comeback
    Until recently, Russian-speaking cyber threat actors shared an unspoken rule: do not attack Russian companies. Groups that violated the rule were few and far between, and OldGremlin was one of them.
    Since spring 2020, when the “gremlins” were first uncovered by Group-IB Threat Intelligence analysts, the hackers have been attacking Russian businesses, including banks, industrial enterprises, medical organizations, and software developers.

  5. Tomi Engdahl says:

    Ransomware: These two gangs are behind half of all attacks https://www.zdnet.com/article/ransomware-these-two-gangs-are-behind-half-of-all-attacks/
    Over half of all ransomware attacks reported during the first three months of this year are the work of just two cyber criminal outfits.
    According to analysis of recorded ransomware attacks between January and March 2022 by cybersecurity researchers at Digital Shadows, LockBit 2.0 and Conti were the two most active ransomware gangs during the three-month reporting period, accounting for 58% of all incidents.

  6. Tomi Engdahl says:

    How vx-underground is building a hacker’s dream library https://therecord.media/how-vx-underground-is-building-a-hackers-dream-library/
    vx-underground operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the site’s goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.

  7. Tomi Engdahl says:

    Gaining Visibility Within Container Clusters https://unit42.paloaltonetworks.com/visibility-k8s-clusters/
    A service mesh platform is a dedicated infrastructure layer that allows for the granular control of how applications share data. A standard use case could be to control the flow and rate of network traffic to a new version of a production web-based application. When the new web application is brought online, it is important to test the application to ensure it can handle a particular level of performance without failing. Service mesh platforms can be leveraged to facilitate how network traffic flows within a network and can be used to load balance the network traffic for a set of web-based applications.

  8. Tomi Engdahl says:

    Microsoft: Office 2013 will reach end of support in April 2023 https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2013-will-reach-end-of-support-in-april-2023/
    Microsoft has reminded customers earlier this week that Microsoft Office 2013 is approaching its end of support next year, advising them to switch to a newer version to reduce their exposure to security risks. “After five years of Mainstream Support, and five years of Extended Support, Office 2013 will reach the End of Extended Support on April 11, 2023. Per the Fixed Lifecycle Policy, after this date security updates for Office 2013 will no longer be available,” Microsoft told customers.

  9. Tomi Engdahl says:

    What if all data is lost? It pays to prepare for the worst in advance: remember the 3-2-1 rule
    https://www.tivi.fi/uutiset/tv/eb23ce7d-a7a3-4031-b5fc-c20fd730a910
    When a beautiful June day began at Maersk’s office in Copenhagen, few would have believed what kind of mess one of the world’s largest logistics companies had ahead of it. The first signs were seen in the afternoon, when employees started streaming into IT support with their laptops. The machines’ screens showed strange messages, such as “repairing file system on C: drive”. On some machines the messages were even more ominous: “Oops, your important files are encrypted.” The message demanded a payment of 300 dollars to decrypt them.

  10. Tomi Engdahl says:

    The Next Frontier for Data Security: Protecting Data in Use https://securityintelligence.com/posts/next-frontier-data-security-use/
    Tremendous progress has been made over the last several years to protect sensitive data in transit and in storage. But sensitive data may still be vulnerable when it is in use. For example, consider transparent database encryption (TDE). While TDE ensures sensitive data is protected in storage, that same sensitive data must be stored in cleartext in the database buffer pool so that SQL queries can be processed. This renders the sensitive data vulnerable because its confidentiality may be compromised in several ways, including memory-scraping malware and privileged user abuse.

  11. Tomi Engdahl says:

    One-on-one with the Air Force’s cyber chief https://therecord.media/one-on-one-with-the-air-forces-cyber-chief/
    It would almost be easier to list the operations Timothy Haugh isn’t involved in. As the head of Sixteenth Air Force (Air Forces Cyber) the three-star lieutenant general oversees a number of missions that the service consolidated into a single information warfare entity in 2019.
    Before he assumed command, Haugh served in senior positions at U.S. Cyber Command, including director of intelligence and chief of the National Cyber Mission Force, that left him well-versed in multiple facets of the digital domain.

  12. Tomi Engdahl says:

    An Investigation of the BlackCat Ransomware via Trend Micro Vision One https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html
    We recently investigated a case related to the BlackCat ransomware group using the Trend Micro Vision One platform, which comes with extended detection and response (XDR) capabilities. BlackCat (aka AlphaVM or AlphaV) is a ransomware family created in the Rust programming language and operated under a ransomware-as-a-service (RaaS) model. Our data indicates that BlackCat is primarily delivered via third-party frameworks and toolsets (for example, Cobalt Strike) and uses exploitation of exposed and vulnerable applications (for example, Microsoft Exchange Server) as an entry point.

  13. Tomi Engdahl says:

    Mobile MitM: Intercepting your Android App Traffic On the Go https://www.eff.org/deeplinks/2022/04/mobile-mitm-intercepting-your-android-app-traffic-go
    In order to audit the privacy and security practices of the apps we use on a daily basis, we need to be able to inspect the network traffic they are sending. An app asking for permission to your location may only use it to send it to your friends, or it may be tracking your every move. Without knowing exactly what traffic is being sent, you’d never know. Traditionally, this has been the job of dynamic analysis – running the app and capturing traffic as the user interacts with it. A typical setup might involve a test device where the app runs, connected to a wireless access point running mitmproxy, Burp Suite or something similarly tasked with recording traffic.

  14. Tomi Engdahl says:

    Sysmon’s RegistryEvent (Value Set)
    https://isc.sans.edu/forums/diary/Sysmons+RegistryEvent+Value+Set/28558/
    A colleague asked me about Sysmon’s event ID 13 RegistryEvent (Value Set). They wanted to know if binary data could be recorded in event 13. Sysmon can record changes to the registry by configuring the RegistryEvent setting. This is an example of a simple config to record all registry changes (don’t use this in production).

    Reply
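    To make the "record all registry changes" remark concrete, here is an added Python example (not code from the ISC diary or from Sysmon itself) that loads two constructed Sysmon-style RegistryEvent configurations and evaluates, with a simplified version of Sysmon's include/exclude rule semantics, whether a given registry value path would be logged. The XML follows the Sysmon schema as assumed here; the `TargetObject` conditions (`is`, `contains`, `end with`, and so on) are the Sysmon condition names. The key point it shows is that an empty `onmatch="exclude"` group excludes nothing, which is exactly why such a config floods the event log.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon-style configurations (assumed to follow the Sysmon XML schema;
# neither is the config from the ISC diary). An exclude group with no rules excludes
# nothing, so every registry value set is recorded: the noisy "record everything" shape.
RECORD_ALL_CONFIG = r"""<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RegistryEvent onmatch="exclude">
    </RegistryEvent>
  </EventFiltering>
</Sysmon>"""

# A narrower config: only record value sets under a couple of well-known
# persistence locations (paths shortened; constructed for this example).
TARGETED_CONFIG = r"""<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
      <TargetObject condition="end with">\Winlogon\Userinit</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>"""


def _rule_matches(condition, pattern, value):
    """Evaluate one Sysmon string condition (case-insensitive, as Sysmon does)."""
    c, p, v = condition.lower(), pattern.lower(), value.lower()
    if c == "is":
        return v == p
    if c == "is not":
        return v != p
    if c == "contains":
        return p in v
    if c == "excludes":
        return p not in v
    if c == "begin with":
        return v.startswith(p)
    if c == "end with":
        return v.endswith(p)
    if c == "not begin with":
        return not v.startswith(p)
    if c == "not end with":
        return not v.endswith(p)
    raise ValueError(f"unsupported condition: {condition}")


def _registry_groups(config_xml):
    root = ET.fromstring(config_xml)
    return root.findall("./EventFiltering/RegistryEvent")


def records_all_registry_events(config_xml):
    """True when the config logs every RegistryEvent: only exclude groups, all of them empty."""
    groups = _registry_groups(config_xml)
    if not groups:
        return False
    for group in groups:
        if group.get("onmatch", "exclude").lower() == "include":
            return False
        if len(group) > 0:  # any rule inside an exclude group narrows the logging
            return False
    return True


def would_log_registry_event(config_xml, target_object):
    """Simplified Sysmon filtering for one event: exclude rules win, then include rules.

    Only TargetObject rules are evaluated here; a real config can also filter on
    Image, EventType and Details, and can nest rules in RuleGroup/Rule elements.
    """
    groups = _registry_groups(config_xml)
    if not groups:
        return False  # no RegistryEvent filter configured: this event type is not logged

    def any_match(group):
        return any(_rule_matches(r.get("condition", "is"), r.text or "", target_object)
                   for r in group.findall("TargetObject"))

    excludes = [g for g in groups if g.get("onmatch", "exclude").lower() == "exclude"]
    includes = [g for g in groups if g.get("onmatch", "exclude").lower() == "include"]
    if any(any_match(g) for g in excludes):
        return False
    if includes:
        return any(any_match(g) for g in includes)
    return True  # exclude-only config and nothing excluded: logged


if __name__ == "__main__":
    sample = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"
    for name, cfg in (("record-all", RECORD_ALL_CONFIG), ("targeted", TARGETED_CONFIG)):
        print(name, "| records everything:", records_all_registry_events(cfg),
              "| logs sample path:", would_log_registry_event(cfg, sample))
```

Running `records_all_registry_events` over a candidate config before deploying it is a cheap guard against shipping the "everything" shape to production hosts.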
  15. Tomi Engdahl says:

    Didier Stevens – New Tool: pngdump.py (Beta) https://blog.didierstevens.com/2022/04/18/new-tool-pngdump-py-beta/
    Here is a new tool I'm releasing as beta: pngdump.py. It's a tool to analyze PNG files. Unlike jpegdump, you can not yet select items for further analysis.

    Reply
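    As an added illustration of what a PNG analysis tool has to do (this is example code written for this page, not pngdump.py or any other code by Didier Stevens), the following Python walks the chunk stream of a PNG: each chunk is a 4-byte big-endian length, a 4-byte type, the data, and a CRC-32 over type plus data. It verifies every CRC, decodes the IHDR fields, and counts any bytes that follow IEND, which a viewer silently ignores and which is therefore where appended payloads end up. The 1x1 pixel PNG it analyses is constructed inline as sample input.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one well-formed chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (not a file from the post)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def parse_png_chunks(data: bytes):
    """Walk the chunk stream and return (chunks, trailing_bytes).

    Each chunk record carries offset, type, declared length and whether the CRC
    verifies. Parsing stops at IEND; whatever follows is reported as trailing bytes.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad 8-byte signature")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        record = {"offset": pos, "type": ctype.decode("latin-1"), "length": length,
                  "crc_ok": False, "truncated": False}
        end = pos + 12 + length
        if end > len(data):  # declared length runs past the end of the file
            record["truncated"] = True
            chunks.append(record)
            return chunks, 0
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        record["crc_ok"] = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        if ctype == b"IHDR" and length == 13:
            w, h, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
            record["ihdr"] = {"width": w, "height": h, "bit_depth": depth,
                              "colour_type": colour, "compression": comp,
                              "filter": filt, "interlace": interlace}
        chunks.append(record)
        pos = end
        if ctype == b"IEND":
            break
    return chunks, len(data) - pos


if __name__ == "__main__":
    sample = build_sample_png() + b"APPENDED-DATA"  # constructed: bytes hidden after IEND
    chunks, trailing = parse_png_chunks(sample)
    for c in chunks:
        print(f"{c['offset']:6d} {c['type']} len={c['length']} crc_ok={c['crc_ok']}")
    print("trailing bytes after IEND:", trailing)
```

A CRC mismatch or a non-zero trailing count is not proof of anything malicious on its own, but both are exactly the anomalies an analyst wants surfaced before opening the file elsewhere.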
  16. Tomi Engdahl says:

    Why you shouldn't automate your VirusTotal uploads https://blog.malwarebytes.com/101/2022/04/why-you-shouldnt-automate-your-virustotal-uploads/
    It is important to realize that uploading certain files to VirusTotal may result in leaking confidential data, which could result in a breach of confidentiality, or worse. We have warned against uploading personal information, as does VirusTotal itself on their home page.
    But apparently some organizations have automated the uploading of email attachments without really thinking through the possible consequences.

    Reply
  17. Tomi Engdahl says:

    [PYSA] Ransomware Group In-Depth Analysis https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis
    The group behind PYSA ransomware has earned notoriety for targeting government agencies, educational institutions, and the healthcare sector. The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data. They are listed as one of the most advanced ransomware groups that carry out their operations off the radar. The PRODAFT Threat Intelligence team detected and gained visibility into PYSA’s ransomware infrastructure and analyzed its findings to gain insight into how the criminal operation works.

    Reply
  18. Tomi Engdahl says:

    The Biggest Cloud Security Challenges in 2022 | Check Point Software https://blog.checkpoint.com/2022/04/18/the-biggest-cloud-security-challenges-in-2022-check-point-software/
    Cloud adoption has grown rapidly in recent years. While many organizations were already moving to the cloud, the COVID-19 pandemic accelerated this transition. With the normalization of remote work, companies needed to be able to support and provide critical services to their off-site workforce. As a result, over 98% of organizations use some form of cloud-based infrastructure, and over three-quarters (76%) have multi-cloud deployments composed of services from two or more cloud providers. These cloud environments host critical business applications and store sensitive company and customer data.

    Reply
  19. Tomi Engdahl says:

    New Industrial Spy stolen data market promoted through cracks, adware https://www.bleepingcomputer.com/news/security/new-industrial-spy-stolen-data-market-promoted-through-cracks-adware/
    Threat actors have launched a new marketplace called Industrial Spy that sells stolen data from breached companies, as well as offering free stolen data to its members. While stolen data marketplaces are not new, instead of extorting companies and scaring them with GDPR fines, Industrial Spy promotes itself as a marketplace where businesses can purchase their competitors’ data to gain access to trade secrets, manufacturing diagrams, accounting reports, and client databases.

    Reply
  20. Tomi Engdahl says:

    Office Protects You From Malicious ISO Files https://isc.sans.edu/forums/diary/Office+Protects+You+From+Malicious+ISO+Files/28554/
    A couple of weeks ago, Johannes gave me a malicious ISO file he had received: an ISO file containing a PE file. And that made me wonder: “has Microsoft changed the behavior of Windows or Office when it handles untrusted ISO files?”. Years ago, at the ISC, we started to see malicious ISO files. Since Windows 10 (and later) supports mounting of ISO files, and that the “mark-of-web” is often not propagated to the contained files, it is a way to bypass Protected View in Office.

    Reply
  21. Tomi Engdahl says:

    99% of cloud identities are overly permissive, opening door to attackers | CSO Online
    https://www.csoonline.com/article/3656793/99-of-cloud-identities-are-overly-permissive-misconfigured-iam-opening-door-to-attackers.html
    Palo Alto Unit 42 report highlights five threat groups targeting cloud infrastructure and reveals their credential-focused attack methods.
    Almost all cloud users, roles, services, and resources grant excessive permissions leaving organizations vulnerable to attack expansion in the event of compromise, a new report from Palo Alto’s Unit 42 has revealed. The security vendor’s research discovered that misconfigured identity and access management (IAM) is opening the door to malicious actors that are targeting cloud infrastructure and credentials in attacks.
    The findings indicate that when it comes to IAM in the cloud, organizations are struggling to put good governance in place. The report also identifies five attack groups that have been detected targeting cloud environments and reveals their attack methods.

    Reply
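    The finding that almost every cloud identity grants excessive permissions invites a simple question: how would you spot such a grant in a policy document? The Python below is an added example (not from the Unit 42 report or any cloud vendor's tooling) that scans constructed policies written in the AWS IAM JSON policy shape, which is assumed here as the format, and flags the usual least-privilege violations: the full `"*"` admin wildcard, service-wide wildcards such as `s3:*`, `NotAction`/`NotResource` in an Allow statement, and write-capable actions granted on `Resource: "*"`. Deny statements are skipped because they only narrow access.

```python
import json

# Constructed example policies in the AWS IAM JSON policy shape (assumed format;
# these are not policies from the Unit 42 report).
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

MIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Operation-name prefixes treated as read-only (a heuristic, not an authoritative list).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True when the action's operation name looks like a read (service:Get*, List*, ...)."""
    if ":" not in action:
        return False  # bare "*" is never read-only
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def find_excessive_grants(policy):
    """Return one finding dict per least-privilege problem in the policy's Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append({"statement": idx, "code": "NOT_ACTION_IN_ALLOW"})
        if "NotResource" in stmt:
            findings.append({"statement": idx, "code": "NOT_RESOURCE_IN_ALLOW"})
        for action in actions:
            if action == "*":
                findings.append({"statement": idx, "code": "ADMIN_WILDCARD", "action": action})
            elif action.endswith(":*") and action.count("*") == 1:
                findings.append({"statement": idx, "code": "SERVICE_WILDCARD", "action": action})
            elif "*" in action:
                findings.append({"statement": idx, "code": "PARTIAL_ACTION_WILDCARD", "action": action})
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append({"statement": idx, "code": "WRITE_ON_ALL_RESOURCES"})
    return findings


def is_least_privilege(policy):
    """Convenience check: no findings means the policy passed these heuristics."""
    return not find_excessive_grants(policy)


if __name__ == "__main__":
    for name, policy in (("overly-permissive", OVERLY_PERMISSIVE), ("mixed", MIXED), ("scoped", SCOPED)):
        print(name, json.dumps(find_excessive_grants(policy)))
```

Checks like these belong in the pipeline that creates or updates roles, so an over-broad grant is caught at review time rather than discovered during an incident.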
  22. Tomi Engdahl says:

    Microsoft is adding a new driver-blocklist feature to Windows Defender on Windows 10
    https://www.zdnet.com/article/microsoft-is-adding-a-new-driver-blocklist-feature-to-windows-defender-on-windows-10-and-11/
    Microsoft is adding a new security option to Windows Defender that is meant to help protect against malicious drivers on Windows 10 and 11 devices.
    Microsoft is adding a new Vulnerable Driver Blocklist feature to Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer releases. This feature is aimed at helping IT Pros to protect users against malicious and exploitable drivers.
    The feature will be enabled by default on Windows 10 in S Mode, as well as on devices that have the Memory Integrity Core Isolation feature, which relies on virtualization-based security. (This Core Isolation Memory Integrity feature also is known as Hypervisor-protected Code Integrity or HVCI). More details are available in this Microsoft article about recommended driver block rules.
    This blocking feature will rely on a list of blocked drivers maintained by Microsoft in conjunction with OEM partners. As explained on ghacks.net, the reason these drivers may be marked as blocked is they are known security vulnerabilities that can be exploited to elevate Windows kernel privileges; they act as malware or certificates used to sign malware, or they exhibit behaviors that circumvent the Windows Security Model and can be used to elevate Windows kernel privileges.

    Reply
  23. Tomi Engdahl says:

    Most companies fear becoming the victim of a data breach
    https://etn.fi/index.php/13-news/13445-useimmat-yritykset-pelkaeaevaet-joutuvansa-tietomurron-uhriksi

    Trend Micro has published its latest international Cyber Risk Index (CRI) study, which compiles findings from the second half of 2021. According to the survey respondents, as many as 76 percent of international organizations believe they will be successfully attacked within the next year.

    The figure is alarming. In addition, one in four companies believes that a cybercriminal will “very likely” succeed in breaking into its network. According to the report's findings, 84 percent of respondents say they were the target of one or more successful cyberattacks in the preceding 12 months. More than a third (35%) report having experienced seven or more attacks.

    Reply
  24. Tomi Engdahl says:

    Cyber Risk Index (CRI)

    Trend Micro and the Ponemon Institute investigate cybersecurity gaps

    https://www.trendmicro.com/en_fi/security-intelligence/breaking-news/cyber-risk-index.html

    Reply
  25. Tomi Engdahl says:

    Attacker Dwell Times Down, But No Consistent Correlation to Breach Impact: Mandiant
    https://www.securityweek.com/attacker-dwell-times-down-no-consistent-correlation-breach-impact-mandiant

    While the median attacker dwell time has declined in recent years, it has no consistent correlation to the effect of a breach

    The good news is that median intruder dwell time is down again – down from 24 days in 2020 to 21 days in 2021. The bad news is the figure gives little indication of the true nature of successful intruder activity across the whole security ecosphere.

    Dwell time is the length of time between assumed initial intrusion and detection of an intrusion. The usual assumption is that the shorter the dwell time, the less damage can be done. This is not a valid assumption across all intrusions.

    The figures come from Mandiant’s M-Trends 2022 report (PDF), which is based on the firm’s breach investigations between October 1, 2020, and December 31, 2021. They show that the median dwell time figure has consistently declined over the last few years: from 205 days in 2014 through 78 (2018), 56 (2019), 24 (2020) to 21 (2021). The problem is that the dwell time has no consistent correlation to the breach effect.

    During the same period of rapid decline over the last few years, there has been an equally rapid rise in successful ransomware attacks. The median dwell time for a ransomware attack in the Americas and EMEA is just four days, inevitably dragging down the overall median figure.

    At the same time, individual lengthy dwell times have not been eliminated. Eight percent of Mandiant’s investigations revealed dwell times of more than a year and a half, while half of these had dwell times of more than 700 days. Furthermore, 20% of the investigations revealed dwell times between 90 and 300 days.

    So, the extent of the decline in the median dwell time figure may have less to do with improving defensive postures than with increasing and successful criminal ransomware attacks.

    The primary initial infection vector across all Mandiant’s investigations is an exploit, at 37% (eight points higher than in 2020). Supply chain compromises were the second most frequent at 17% (up from less than 1% in 2020). Eighty-six percent of the supply chain breaches were related to SolarWinds and SUNBURST.

    A further 14% of intrusions involved an initial infection vector related to a prior compromise, including handoffs from one group to another. One positive finding, however, is that there were far fewer intrusions related to phishing (down from 23% in 2020 to just 11% in 2021). “This speaks to organizations’ ability to better detect and block phishing emails as well as enhanced security training of employees to recognize and report phishing attempts,” says Mandiant.

    https://www.mandiant.com/media/15671

    Reply
  26. Tomi Engdahl says:

    Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict
    https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict

    We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.

    In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.

    In early April, high-voltage electrical substations operated by an energy provider in Ukraine were targeted with Industroyer2 malware, with the intent of causing damage by manipulating industrial control systems (ICS). And on April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI warned that threat actors have developed custom-made tools to target ICS and supervisory control and data acquisition (SCADA) devices.

    Reply
  27. Tomi Engdahl says:

    MIT Technology Review:
    A look at AI-powered surveillance in South Africa, powered by CCTV cameras, video analytics, and fiber internet; Vumacam operates 5,000+ cameras in Johannesburg

    South Africa’s private surveillance machine is fueling a digital apartheid
    https://www.technologyreview.com/2022/04/19/1049996/south-africa-ai-surveillance-digital-apartheid/

    As firms have dumped their AI technologies into the country, it’s created a blueprint for how to surveil citizens and serves as a warning to the world.

    This story is part one of MIT Technology Review’s series on AI colonialism, the idea that artificial intelligence is creating a new colonial world order. It was supported by the MIT Knight Science Journalism Fellowship Program and the Pulitzer Center. Read the introduction to the series here.

    Reply
  28. Tomi Engdahl says:

    New video this week: learn Intrusion Analysis and Threat Hunting with Suricata, taught by Peter Manev.
    https://www.youtube.com/watch?v=mbwU8y6H5Zo

    Reply
  29. Tomi Engdahl says:

    CISA expands cyber defense initiative with industrial control systems partnership https://therecord.media/cisa-expands-cyber-defense-initiative-with-industrial-control-systems-partnership/
    Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced Wednesday the expansion of the Joint Cyber Defense Collaborative (JCDC) to incorporate industry leaders including security vendors, integrators, and distributors. As the U.S.
    government continues to build upon and push for public cooperation in cybersecurity and resilience initiatives, the announced partnership with industrial control systems and operational technology (ICS/OT) experts is expected to enhance public and private collaboration.

    Reply
  30. Tomi Engdahl says:

    Hive Ransomware Analysis
    https://www.varonis.com/blog/hive-ransomware-analysis
    During a recent engagement with a customer, the Varonis Forensics Team investigated a ransomware incident. Multiple devices and file servers were compromised and encrypted by a malicious threat group known as Hive. First observed in June 2021, Hive is an affiliate-based ransomware variant used by cybercriminals to conduct ransomware attacks against healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. Hive is built for distribution in a Ransomware-as-a-service model that enables affiliates to utilize it as desired.

    Reply
  31. Tomi Engdahl says:

    Proposed US Guidance, Legislation Show Increasing Importance of Cloud Security
    https://www.securityweek.com/proposed-us-guidance-legislation-show-increasing-importance-cloud-security

    The United States is working on guidance and legislation that show the government is placing increasing importance on cloud security.

    The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday announced that it’s seeking public comment on a couple of guidance documents created as part of a project called Secure Cloud Business Applications (SCuBA), whose goal is to help improve visibility, standards and security practices for government cloud.

    “The project was established to develop consistent, effective, modern, and manageable security configurations that will help secure agency information assets stored within cloud environments,” CISA said.

    One of the documents is the SCuBA Technical Reference Architecture (TRA), a security guide designed to help federal agencies adopt technology for cloud deployment, adaptable solutions, secure architecture, zero trust and agile development.

    Secure Cloud Business Applications (SCuBA) Technical Reference Architecture (TRA)
    https://www.cisa.gov/sites/default/files/publications/SCuBA_TRA_RFC_EG_508c.pdf

    Extensible Visibility Reference Framework (eVRF) Program Guidebook
    https://www.cisa.gov/sites/default/files/publications/eVRF_Guidebook_RFC_508C.pdf

    Reply
  32. Tomi Engdahl says:

    Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict
    https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict

    Since the beginning of the year, we’ve seen a steady drumbeat of alerts and new resources available for critical infrastructure organizations. A joint Cybersecurity Advisory, authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI, released in January, 2022, details tactics, techniques, and procedures associated with a number of Russian state actors. Given these threat actors’ demonstrated capabilities and activities, it comes as no surprise that CISA is stepping in and speaking directly to operators of critical infrastructure networks, giving them specific indicators of compromise to look out for and any unexplained equipment behavior.

    Reply
  33. Tomi Engdahl says:

    When Is It Right to Stay Silent?
    https://www.securityweek.com/when-it-right-stay-silent

    If you know that a person or group has poor intentions, it may make sense to begin documenting and reporting nefarious activity

    In both our professional and personal lives, we are sometimes witness to things that may be kept hidden from others. There are, of course, perfectly healthy situations where information is, rightfully, on a need to know basis. Unfortunately, there are also less healthy situations where information about potential harm or damage is held close or even withheld entirely. These types of situations raise a number of questions, among them: When is it right to stay silent? When is it right to speak up?

    To say that it is difficult to know what to do in these types of situations would be an understatement. It is normal to wrestle with whether to turn a blind eye or to speak up. While what to do in these types of situations is far from a binary decision, I’d like to offer a few thoughts that may help guide a person that finds themselves in this type of a tough spot:

    Intentions

    It may seem to go without saying, though intentions do matter. The same action with different intentions can have vastly different meanings and ramifications. That is why it is often best to reserve judgment when we observe something. We simply don’t know the facts of the situation, the broader context in which it is occurring, and/or the intentions of the person or group doing it.

    Actions

    People or groups who act in bad faith know that talk is cheap. As such, they often know just the right words to say to distract people from looking at their actions. This can include flirting with, cozying up to, and/or sweet talking influencers and decision makers who they don’t want getting wise to them. It is important to remember that actions speak louder than words. Observing, documenting, and reporting the actions of bad faith actors is the only way to shed light on them. Even armed with facts, it may be extremely difficult to get people to actually look at the evidence that appears before their very eyes.

    Information withheld to mislead

    There is a reason that the phrase “the truth, the whole truth, and nothing but the truth” is said by witnesses as they are sworn in and put under oath. By telling half-truths, selectively omitting details, inserting bits of the truth here and there, and blatantly lying, bad faith actors can very easily mislead people. Misleading people is a great way for those with poor intentions to keep the attention off of themselves and for them to craft public opinion.

    Abuse

    As gray an area as speaking up might be, particularly when we don’t know all of the facts, the situation becomes more black and white when abuse is happening. Abuse takes many different forms, among them psychological and emotional. Unlike physical and sexual abuse, psychological and emotional abuse don’t leave physical scars and evidence, even though they can cause a tremendous amount of damage. Because of the lack of physical signs, the perpetrators are often able to harm their victims in secret for years without being discovered.

    Reply
  34. Tomi Engdahl says:

    Does your car's software update at night? From this summer it has to happen securely
    https://etn.fi/index.php/13-news/13458-paeivittyykoe-autosi-ohjelmisto-yoellae-kesaellae-se-pitaeae-tapahtua-turvatusti

    New cars are known to be “computers on wheels”, and new features and fixes are regularly delivered to them via software updates. The UN body UNECE (United Nations Economic Commission for Europe) requires that from July onwards, cars' OTA updates must be performed in a cyber-secure manner.

    In July, UNECE's WP.29 regulation comes into force. It stipulates that vehicles supporting wireless software updates must demonstrate that security is protected by a cybersecurity management system during development, during production and after production.

    To meet this requirement, the system needs mechanisms that keep the data of the car's software safe and well protected. Developers of automotive systems have been working on these mechanisms for quite some time. One of the solutions is based on a collaboration between Excelfore and IIJ Global.

    Reply
  35. Tomi Engdahl says:

    Already 30 million new pieces of malicious code produced this year
    https://etn.fi/index.php/13-news/13457-taenae-vuonna-tehtailtu-jo-30-miljoonaa-uutta-haittakoodia

    Cybercriminals are busy in their hope of easy money. Atlas VPN reports that more than 30 million new pieces of malicious code have already been found this year. That means 316 thousand new threats to internet users every day.

    Malware is an umbrella term for all types of malicious software, including computer viruses, worms, spyware, ransomware and many others. Looking at the malware statistics month by month, January saw the most new malware. In total, 11.41 million new malware samples were registered during the first month of the year.

    In February, 8.93 million new pieces of malicious code were found, and in March 8.77 million. April is still ongoing, but 5.65 million new malware samples have been found this month.

    Today no internet user is safe from malware. Cybercriminals constantly develop new malware threats to exploit both computers and mobile devices. Some operating systems, however, are targeted more than others.

    Windows users are at the greatest risk of getting malware, as 25.48 million new Windows malware samples have been detected so far.

    Unprecedented Android malware threats were also identified this year. In total, more than 536 thousand new Android malware samples have been found.

    Reply
  36. Tomi Engdahl says:

    Now is the time to be wary of links on social media platforms!
    https://etn.fi/index.php/13-news/13452-nyt-kannattaa-varoa-some-alustojen-linkkejae

    Researchers at security company Check Point report in their latest brand phishing report that the top three brands imitated by cybercriminals in phishing during January-March were LinkedIn, DHL and Google. LinkedIn's share was already over half.

    The Brand Phishing report reveals which brands cybercriminals most often exploited when phishing for victims' personal or banking details. For the first time, the professional networking service LinkedIn became the most imitated brand in January-March 2022. Its share of all phishing attempts was over half (52 percent), which represents an increase of as much as 44 percent from the previous quarter.

    Last quarter's number one, DHL, now placed second, accounting for 14 percent of all brand impersonations. The report shows a rising trend in which cyber crooks seek to imitate social networks. Previously, in addition to the shipping and logistics sector, they have favoured technology companies such as Google, Microsoft and Apple. Among social media services, besides LinkedIn, WhatsApp also reached the top ten, with nearly one in 20 phishing attacks carried out in its name.

    Reply
  37. Tomi Engdahl says:

    Starting cyber security

    https://www.facebook.com/groups/shahidzafar/permalink/5322998587719225/

    CompTia Security+ is the best fit for your situation. After that, you should start looking for the field you’d like to specialize.

    There’s also a free GRC course from PhD Gerald Auger, you can find more resources on his YouTube channel (Gerald Auger – simply cyber).

    Erika,

    The Security+ is a great place to start, and then explore the other certs CompTIA has to offer, especially the three other cyber security certs. Also, find your local cybersecurity associations (Issa.org, owasp.org, etc.) and see what events they have going on. Finally, there are plenty of CTF events around the industry; get yourself involved in one near you.

    As a foundation, the CompTIA Security trio is never a bad place to start (A+, Network+, and Security+). Try to continue with vendor neutral certs if possible unless you know that you’ll be committing a path to Cisco, Amazon, Microsoft, etc. You can view an interactive layout of security certs (with different pathways and levels, as well as pricing for each cert) at https://pauljerimy.com/security-certification-roadmap/

    Hope this helps!

    Reply
  38. Tomi Engdahl says:

    Russia jammed Elon Musk's satellite links; repelling the attack became a textbook example https://www.is.fi/digitoday/art-2000008764642.html
    According to the US Department of Defense, electronic warfare will be seen more and more in wars going forward, and countering it must be more effective than it is today.

    Reply
  39. Tomi Engdahl says:

    How Democracies Spy on Their Citizens
    https://www.newyorker.com/magazine/2022/04/25/how-democracies-spy-on-their-citizens
    The inside story of the world's most notorious commercial spyware and the big tech companies waging war against it.

    Reply
  40. Tomi Engdahl says:

    Critical infrastructure: Under cyberattack for longer than you might think https://www.welivesecurity.com/2022/04/21/critical-infrastructure-cyberattack-longer-think/
    Lessons from history and recent attacks on critical infrastructure throw into sharp relief the need to better safeguard our essential systems and services

    Reply
  41. Tomi Engdahl says:

    Google, Mandiant Share Data on Record Pace of Zero-Day Discoveries
    https://www.securityweek.com/google-mandiant-share-data-record-pace-zero-day-discoveries

    Google and Mandiant separately called attention to a dramatic surge in the discovery of in-the-wild zero-day attacks and warned that nation-state APT actors, ransomware gangs and private mercenary exploit firms are burning through zero-days at record pace.

    According to data from Google’s Project Zero outfit, there were 58 in-the-wild zero-day discoveries last year, the most ever recorded since the company started tracking the problem.

    A separate report from Mandiant said its threat intelligence team monitored a whopping 80 zero-days exploited in 2021, more than double the previous record seen in 2019.

    “As an industry we’re not making 0-day hard,” Project Zero’s Maddie Stone said in a note documenting the attacks seen in 2021. “Attackers are having success using vulnerabilities similar to what we’ve seen previously and in components that have previously been discussed as attack surfaces,” Stone added.

    ”The proportion of financially motivated actors — particularly ransomware groups — deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated,” Sadowski said, noting that threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors.

    Among nation state-backed threat actors, Mandiant said Chinese groups consistently lead the way in the deployment of malware via zero-day exploitation.

    “From 2012 to 2021, China exploited more zero-days than any other nation. However, we observed an increase in the number of nations likely exploiting zero-days, particularly over the last several years, and at least 10 separate countries have likely exploited zero-days since 2012,” according to the Mandiant data.

    Mandiant said it also observed private vendors emerging as “significant exploit brokers” in 2021.

    “We identified at least six zero-day vulnerabilities actively exploited in 2021, potentially by customers of malware vendors, including one reportedly exploited in tools developed by two separate vendors. In 2021, at least five zero-day vulnerabilities were reportedly exploited by an Israeli commercial vendor,” the company said.

    Reply
  42. Tomi Engdahl says:

    Many Industrial Firms Say Cybersecurity Systems Cause Problems to Operations
    https://www.securityweek.com/many-industrial-firms-say-cybersecurity-systems-cause-problems-operations
    Despite an increase in cybersecurity incidents, many industrial organizations turn off security systems if they interrupt or otherwise impact operations, according to a global survey conducted earlier this year by Kaspersky.
    Kaspersky reported recently that it only saw a small increase in the percentage of industrial control system (ICS) computers targeted in 2021, compared to the previous year.
    However, of the more than 300 respondents who took part in the latest survey, half reported seeing an increase in security incidents affecting ICS or other operational technology (OT) systems since the end of 2019.
    In the past year, nearly one-third of the organizations that took part in the survey experienced a high number of incidents (at least 20). These incidents are often related to staff violating IT security policies, devices getting infected with malware, or employees inappropriately using IT resources.
    While many organizations have come to understand the importance of securing their OT environments, 40% of respondents admitted that the security tools they are currently using are not compatible with their automation systems, and 38% reported at least one event where cybersecurity products interrupted or in some way affected their operations.
    When they experienced these disruptions, 30% of companies decided to turn off their security systems. Others made changes to production or automation systems to avoid conflicts, they changed security settings in an effort to find a balance between security and productivity, or they switched cybersecurity vendors.
    Additional information, along with recommendations for improving OT security, is available in the “Kaspersky ICS Security Survey 2022” (PDF).
    https://go.kaspersky.com/rs/kaspersky1/images/Kaspersky_ICS_Security_Survey_2022.pdf

    Reply
  43. Tomi Engdahl says:

    Slight Increase in Attacks on ICS Computers in 2021: Report
    https://www.securityweek.com/slight-increase-attacks-ics-computers-2021-report
    Kaspersky said it saw only a small increase in the percentage of industrial control system (ICS) computers targeted in 2021 compared to the previous year, but there was a more significant rise for certain types of threats.
    Overall, Kaspersky blocked “malicious objects” on 39.6% of the ICS computers protected by its products, up from 38.6% in 2020. On the other hand, in the second half of 2021, the company observed attacks only against 31.4% of devices, the smallest of any six-month period since the start of 2020.
    However, there were certain types of threats where the number of detections has been on an upward trend in the past two years. This includes spyware (blocked on over 8.1% of devices compared to 5.6% in H1 2020), malicious scripts and phishing pages (9.3% up from 6.5%), and cryptocurrency miners (2.1% up from 0.9%).
    In North America, nearly 20% of systems were targeted, roughly the same as in Western Europe, Kaspersky’s report shows. In comparison, the percentage of targeted systems exceeded 40% in many parts of Asia and even 50% in Africa and Southeast Asia.
    The cybersecurity firm’s solutions blocked roughly 5,000 malware families and 20,000 malware variants on industrial systems in both the first and the second half of 2021. In terms of variants, this is roughly the same as in the previous two years. However, in terms of malware families, while there was no significant change in 2021 compared to 2020, the numbers are roughly double compared to 2019.

    Reply
  44. Tomi Engdahl says:

    Today’s Network Is Different, Not Dead – Here’s How You Secure It
    https://www.securityweek.com/todays-network-different-not-dead-heres-how-you-secure-it

    Rapid changes to a network can easily result in gaps in protection and enforcement

    The need to compete and operate in today’s marketplace is driving digital acceleration and expanding the digital footprint of businesses. Today’s critical resources are often dispersed across traditional data centers, cloud networks, branch offices, SaaS platforms, home offices, and even mobile end-user and IoT devices. To ensure that everyone has access to the resources they need, businesses now run on applications—which makes reliable, secure, and fast connections from anywhere to anywhere absolutely essential.

    Tying this together is the modern hybrid network. Contrary to the rumors of its death, the network is here to stay, with hybrid networks at the center of how businesses operate for the foreseeable future. The real challenge is not how to replace the network but how to get all its moving parts working together more efficiently. The biggest challenge is that most networks have evolved organically. As a result, far too many IT teams spend a significant portion of their time troubleshooting workarounds, so users have a seamless experience whether working from the office, from home, or somewhere in between.

    Nowhere is this challenge more valid than when trying to maintain consistent security across a distributed and evolving network. Securing digital acceleration across a hybrid network means we must stop thinking about networking and security as separate strategies. Instead, the infrastructure and security teams must converge their visions. As applications continue their cloud journey and devices become increasingly visible to everyone, secure networking that can tie everything together is critical.

    The problem is that most currently deployed security solutions have two primary challenges. The first is they are only superficially connected to the network. And second, individual point security solutions deployed across the network, especially those from different vendors, simply don’t work together. As a result, when anything changes—adaptation and scale are the hallmarks of the modern hybrid network—security gaps are created, usually because the security device either didn’t recognize the change or was unable to adapt quickly enough. And as we have learned over these past two years, as businesses transitioned to a Work-from-Anywhere model, cybercriminals can quickly exploit those gaps to breach networks, steal or ransom data, corrupt systems, and disrupt business operations.

    The critical importance of convergence

    Most traditional security tools are designed to protect a single, predictable network segment. However, security systems can struggle to keep up when the network is in a constant state of flux—optimizing connections, redirecting workflows, adding new edges or endpoints, or scaling to meet shifting demands. Because each solution relies on its own set of configurations, rapid changes to the network can easily result in gaps in protection and enforcement.

    What’s needed is a security-centric approach, and converging security with the network places security at the center of network decisions. This enables security to not just see changes but inform them so risky behavior can be prevented. It also allows security to automatically adapt its configurations, policies, and enforcement as part of those changes. Then, when the network has to suddenly scale, relocate resources, track mobile users or devices, or fine-tune connectivity, security is there. Security and the network can also operate collaboratively to securely redirect traffic or segment the network. And this collaboration is also essential for successfully implementing zero trust access rules that the network can help enforce.

    Of course, because such convergence is essential for protecting today’s hybrid networks, vendors are suddenly claiming to be able to do it. But before you invest, you need to look under the hood. Does their solution truly support the routing, switching, and access protocols you need? Can protections and policies be applied consistently and operate natively across physical, multi-cloud, WAN, and OT networks and also support and secure home and mobile workers? Can essential networking and security policies be easily created, distributed, orchestrated, and updated through a single console? Does it include essential, fully integrated connectivity tools like SD-WAN, SD-Branch, ZTNA, and 5G? And does it also work seamlessly with cloud-based services like SWG and CASB? And does it include a complete portfolio of security solutions that each, in its own right, provides true, enterprise-grade protection?

    Improving protection through consolidation

    Not only do most security tools not integrate with the network, they can’t even talk to each other. Most organizations have collected a variety of security technologies from different vendors. Many were chosen to fill feature gaps or address a new security challenge. Others were purchased to protect new edge environments. But regardless of the reason, solution and vendor sprawl has become a severe challenge for many organizations. When each point solution must be separately configured through its own console, ensuring consistent policy deployment and configuration is next to impossible. So is detecting threats, especially when data needs to be hand-correlated to detect suspicious behaviors.

    Disconnected and isolated systems also make it impossible to implement network-wide automation. And automation is crucial in a digital world where cyberthreats are measured in microseconds. Even AI-enhanced solutions are less effective within such a fragmented framework.

    Enterprises, small businesses, and service providers alike all need to eliminate their isolated point solutions and focus long-term on a converged, universally deployable platform that enables operational efficiency and security automation without time-consuming workarounds. It’s the only way to maintain visibility, centralize control, and implement AI-powered services to detect and respond to threats automatically.

    Security must step up its game

    Convergence and consolidation are the foundations of a successful security strategy. They extend visibility and control across the hybrid network and improve performance through efficiencies and coordination—especially when the platform (like every other special-purpose device) includes custom-designed security processors designed to accelerate essential functions, like inline operations and the inspection of encrypted traffic.

    However, few security vendors are interested in addressing the bigger picture. Instead, they either focus on specialized devices that add to IT overhead, disconnected portfolios that simply shift the burden of multi-console management to a single vendor, or are banking on organizations migrating their entire operations to the cloud. Each of these strategies is a dead end. Embracing digital acceleration and the hybrid networks that make it possible requires applying the exact same principles to security—implementing a unified platform that integrates networking and security that can seamlessly scale, adapt, and operate consistently across the distributed network.

    Reply
  45. Tomi Engdahl says:

    2022 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT
    https://www.synopsys.com/software-integrity/em/ossra-report.html

    The 2022 “Open Source Security and Risk Analysis” (OSSRA) report, in its 7th edition this year, examines vulnerabilities and license conflicts found in more than 2,400 codebases across 17 industries. The report offers recommendations to help security, legal, risk, and development teams better understand the security and risk landscape accompanying open source development and use.

    OPEN SOURCE ENDURES

    Open source continues to demonstrate staying power, serving again this year as the foundation for the vast majority of commercial codebases. In fact, it’s so intertwined in modern development that often, code owners aren’t even aware of the open source components in their own software.

    The use of open source remains constant, and there’s promising progress with open source vulnerabilities. This year’s report shows a modest 3% decrease in vulnerabilities from the previous year, though the overall percentage of codebases containing vulnerabilities remains troublingly high. This trend indicates that progress toward minimizing risk is slow, but it’s moving in the right direction.

    Contrasting the slight decrease in open source vulnerabilities is the more dramatic decrease in high-risk vulnerabilities. The percentage of codebases containing high-risk open source vulnerabilities decreased by 11% compared to last year’s report. This indicates that organizations are starting to stress the importance of prompt identification, prioritization, and mitigation of high-risk vulnerabilities.

    OPERATIONAL RISK IS CONCERNING

    Despite vulnerability improvements, a troubling number of codebases contained open source that had seen no development activity and no user updates in the last two years. When no feature upgrades, code improvements, or security remediation activity occurs for 24 months, it’s likely that a project is no longer being maintained at all.

    Reply
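The OSSRA summary above treats a component with no development or release activity in 24 months as likely unmaintained. The following is an added example, not code from the report or from Synopsys, that applies that rule to a constructed CycloneDX 1.4 SBOM. CycloneDX components carry no activity dates, so the example assumes a release-history map (constructed here) standing in for a registry or repository lookup; the component names, versions and dates are illustrative only. Components with no known history are reported separately instead of being silently passed.

```python
"""Flag open source components in a CycloneDX SBOM with no release in 24 months.

Added example. The SBOM and the release history below are constructed;
in practice the history would come from a package registry or the
project's repository, keyed by package URL (purl).
"""
import json
from datetime import date, timedelta

# OSSRA's 24-month threshold, approximated as 730 days.
STALE_AFTER = timedelta(days=730)

# Constructed sample SBOM (CycloneDX 1.4 JSON). Names and versions are illustrative.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libalpha", "version": "1.2.0",
     "purl": "pkg:generic/libalpha@1.2.0"},
    {"type": "library", "name": "libbeta", "version": "0.9.1",
     "purl": "pkg:generic/libbeta@0.9.1"},
    {"type": "library", "name": "libgamma", "version": "4.0.0",
     "purl": "pkg:generic/libgamma@4.0.0"}
  ]
}
"""

# Constructed stand-in for a registry lookup: purl -> date of the project's
# most recent release (any version, not just the pinned one).
RELEASE_HISTORY = {
    "pkg:generic/libalpha@1.2.0": date(2019, 11, 3),
    "pkg:generic/libbeta@0.9.1": date(2022, 2, 17),
    # libgamma is deliberately absent: unknown history must be surfaced, not ignored.
}


def component_activity_report(sbom_json, history, today):
    """Return (stale, unknown) lists of component identifiers.

    stale:   most recent known release is older than STALE_AFTER relative to `today`
    unknown: no release history is available, so the 24-month rule cannot be applied
    """
    sbom = json.loads(sbom_json)
    stale, unknown = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if purl is None or purl not in history:
            # Fall back to name@version when the component has no purl at all.
            unknown.append(purl or f"{comp['name']}@{comp['version']}")
            continue
        if today - history[purl] > STALE_AFTER:
            stale.append(purl)
    return stale, unknown


if __name__ == "__main__":
    stale, unknown = component_activity_report(SBOM_JSON, RELEASE_HISTORY, date(2022, 5, 1))
    for purl in stale:
        print(f"STALE   (no release in 24 months): {purl}")
    for ident in unknown:
        print(f"UNKNOWN (no release history):      {ident}")
```

The check is intentionally keyed on the project's latest release rather than the pinned version: a codebase pinned to an old version of an actively maintained project has an upgrade problem, not an abandonment problem, and the two need different remediation.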
  46. Tomi Engdahl says:

    Patrick Howell O’Neill / MIT Technology Review:
    Mandiant: one-third of all hacker groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups — The most valuable hacking tools were once the domain of governments. Not anymore. — Organized cybercriminals with money …

    Wealthy cybercriminals are using zero-day hacks more than ever
    https://www.technologyreview.com/2022/04/21/1050747/cybercriminals-zero-day-hacks/

    The most valuable hacking tools were once the domain of governments. Not anymore.

    Reply
  47. Tomi Engdahl says:

    https://www.facebook.com/groups/shahidzafar/permalink/5331469580205459/

    Hi, what are some of the website to learn cyber security practically?

    tryhackme.com best choice

    Hackthebox, tryhackme, overthewire, picoCTF

    Rootme
    Burp Suite, PortSwigger Academy for web
    Udemy
    Coursera
    Youtube
    Google

    Haven’t seen OverTheWire being mentioned yet, it’s pretty cool. The OWASP Juice Shop as well.

    Security Blue Team, they also have great labs, cost money though, TryHackMe is a better option. Hack The Box is more advanced. RangeForce has 30 free modules. Get on there and get them done.

    I use academy.tcm-sec.com it is paid tho

    Reply
  48. Tomi Engdahl says:

    The guy in a suit: don’t say problem, say a challenge that represents an opportunity.

    Engineer: we have an availability challenge due to DDoS, which is a good opportunity for all the staff to go home as it seems the weekend will start early this week, and once we are done fixing it you get the opportunity to take all the credit.

    Reply
  49. Tomi Engdahl says:

    PortSwigger.net. Focus is on web application vulnerabilities. Lots of good labs using BurpSuite.

    Look into OWASP at OWASP.org. Mainly information, tools, and guides for web security.

    Reply
  50. Tomi Engdahl says:

    Chinese hackers behind most zero-day exploits during 2021
    https://www.bleepingcomputer.com/news/security/chinese-hackers-behind-most-zero-day-exploits-during-2021/
    Threat analysts report that zero-day vulnerability exploitation is on the rise, with Chinese hackers using most of them in attacks last year.

    Reply
