Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it's a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year's successful tactics, retool, and pivot them into next year's campaigns to wreak even more havoc on all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency and increased reliability, and will enable real-time processing and analytics. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated: they search for vulnerabilities and deliver malware in adaptive, automated ways, drawing on machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they've successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It's what all the clouds, even Microsoft Azure, run. It's what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn't so much with open-source itself. There's nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus's law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I'm now calling Schneier's law, "Security is a process, not a product," points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who's going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
"Now, anybody can access this network from anywhere, so you've got to make sure you have good controls around who's got permission."
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We've covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn't not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question "what happened," incident diagnosis analytics address the question of "why and how it happened." To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being redone
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystore technology that allows an application to generate a system-maintained key and authenticate services (it still uses the TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei's HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU chip. In this solution, TEE-type protections are provided by a secure enclave. Using this type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. This is a significant difference from the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The new Armv9-A architecture introduced last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a "cyber pandemic": an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. "The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security," Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler's rise to power, the shots in Sarajevo. "In light of history, we're always surprised. And if you think about it, technology only adds to the complexity and surprise of crises."
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them. A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
Tomi Engdahl says:
Finnish companies: cyber threats are getting out of hand
https://etn.fi/index.php/13-news/13687-suomalaisyritykset-kyberuhat-riistaeytyvaet-kaesistae
Trend Micro's new study shows that organizations have great difficulty identifying and securing their digital attack surface, which considerably hampers risk management efforts. Nearly half of companies admit that their digital attack surface is "getting out of hand".
The study reveals that 53 percent of Finnish organizations are concerned about their growing attack surface. As many respondents stated that the threat environment is "constantly growing and becoming ever messier." Internationally, only 37 percent of respondents were concerned about this. Only 40 percent of Finnish companies are able to define the extent of the attack surface in their own systems.
Visibility problems appear to be the main reason for organizations' difficulties in managing and understanding their cyber risks. More than half of respondents (55%) report that they have security-compromising blind spots in their systems. Network resources and cloud environments were reported to be the most opaque and hardest to monitor. On average, respondents estimate that they know only 63 percent of their attack surface.
The study also reveals that more than half of Finnish organizations (56%) do not consider their risk exposure assessment method adequate. This is evident from the study's other findings:
Only 37 percent have a clear method for assessing risk exposure
42% of respondents check/update their exposure risk only monthly or less often
Only 16% check their risk exposure daily
Tomi Engdahl says:
Today, cybersecurity training programs focused solely on awareness fall short in these ways:
Create panic instead of deep understanding. Traditional user training campaigns may help employees pass awareness tests, but awareness without understanding can create a culture of risk aversion and panic as executives make assumptions based on fear.
Stop short of changing behaviors. Despite years of standards such as ISO 27001 requiring security awareness and training as part of a security program, training has not achieved desired results.
Spend the most money to simply tick a compliance box. Regulations such as ISO 27001 have elevated the importance of security awareness and training (SA&T); however, they remain vague about why or how to do it.
https://www.skillsoft.com/resources/how-to-manage-the-human-risk-in-cybersecurity-pg10080a1?utm_source=security+week&utm_medium=display&utm_campaign=SKL+IT-SW-NA+FY23-ALL-PM-How+to+Manage+Human+risk+in+Cybersecurity&utm_content=SKSTDForresterReport
Tomi Engdahl says:
EC Hacking: Your Laptop Has A Microcontroller
https://hackaday.com/2022/06/07/ec-hacking-your-laptop-has-a-microcontroller/
Recently, I stumbled upon a cool write-up by [DHowett], about reprogramming a Framework laptop's Embedded Controller (EC). He shows us how to reuse the Caps Lock LED, instead making it indicate the F1-F12 key layer state – also known as "Fn lock", AKA, "Does your F1 key currently work as F1, or does it regulate volume". He walks us through adding custom code to your laptop's EC firmware and integrating it properly into the various routines the EC runs.
Wait… Microcontroller code? GPIOs? This brings us to the question – what is the EC, really? To start with, it’s just a microcontroller. You can find an EC in every x86 computer, including laptops, managing your computer’s lower-level functions like power management, keyboard, touchpad, battery and a slew of other things. In Apple land, you might know them as SMC, but their function is the same.
Why have we not been reprogramming our ECs all this time? That’s a warranted question, too, and I will tell you all about it.
The EC controls a whole bunch of devices in your laptop. Not devices connected to USB, LVDS/eDP or PCIe, because those would fall within the purview of the chipset. Instead, these are devices like power switches, the charger chip, and various current monitors, since these have to work correctly even when the chipset and CPU are powered off. But of course, it’s not just power management – there’s a whole lot of things in a laptop you need GPIOs for.
Your laptop's power button is connected directly to the EC. As a result, your EC is the first thing to get powered on; and if a broken laptop of yours has no reaction to the power button, it means the EC can't do its power management job for whatever reason. In fact, if you check Framework laptop's recently published reduced schematics, you'll see that the EC has its own separate power rail coming directly from the battery.
How does it even talk to the chipset? For about two decades, ECs have been using the LPC bus – a four-bit wide bus superficially resembling qSPI. Apart from ECs, it’s only really been used by TPMs in the recent times. LPC uses frequencies from 25MHz to 100MHz.
LPC is about two decades old, and is a direct successor to the ISA bus – in fact, in some laptop schematics from 2003 you’ll find the EC connected through ISA instead, but it’s all LPC beyond that. However, recent ECs talk eSPI instead, a qSPI-like interface meant to replace LPC, and the Framework EC talks eSPI, too.
Every EC has firmware, and every laptop (and desktop, and server!) has an EC. The EC firmware is nearly always closed-source. As such, the EC firmware is one of the binary blobs we tend to miss when talking about proprietary parts inside our computers. Often, the EC firmware is stored on the same SPI flash chip as the BIOS – other times, there's a separate external or on-chip flash, in which case, you typically have a UART bootloader you can reflash your EC through. All of that depends on which specific manufacturer and model of the EC you have.
Often, your EC is built on something like ARM or 8051 architecture, other times it's something more obscure like CompactRISC. The common thing is – at most, you'll get a binary blob when it comes to your EC's firmware. At some point, when Google got into the laptop business, a group of their engineers presumably said "enough", and open-sourced their EC code – which is what Framework has been building on when it comes to their own EC firmware. Last year, System76 opened up their EC code, too. Unfortunately, the situation remains dire for other laptop manufacturers.
Could your EC get backdoored? Not likely – it tends to be harder to modify and update EC firmware than it is to do the same with BIOS images. Now, could you yourself modify your EC’s behavior? It’s at least technically possible, and I’d argue that you should have always been able to do that.
https://www.howett.net/posts/2022-04-adding-an-ec-feature-1/
Tomi Engdahl says:
Lily Hay Newman / Wired:
MongoDB announces “Queryable Encryption”, which the company says lets users search their data while it remains encrypted, in preview as part of MongoDB 6.0
A Long-Awaited Defense Against Data Leaks May Have Just Arrived
https://www.wired.com/story/mongodb-queryable-encryption-databases/
MongoDB claims its new “Queryable Encryption” lets users search their databases while sensitive data stays encrypted. Oh, and its cryptography is open source.
After years of data breaches, leaks, and hacks leaving the world desperate for tools to stem the illicit flow of sensitive personal data, a key advance has appeared on the horizon.
On Tuesday, MongoDB is announcing “Queryable Encryption,” a feature that will allow database users to search their data while it remains encrypted. The tool, which is debuting in preview as part of MongoDB 6.0, attempts to bridge academic cryptography findings and real-world environments so users can adopt the feature without needing advanced theoretical expertise. Crucially, Queryable Encryption is built to work with existing databases rather than requiring users to re-architect their systems before they can take advantage of it.
MongoDB Releases Queryable Encryption Preview
https://www.mongodb.com/blog/post/mongodb-releases-queryable-encryption-preview
Today we are announcing the Preview release of Queryable Encryption, which allows customers to encrypt sensitive data from the client side, store it as fully randomized encrypted data on the database server side, and run expressive queries on the encrypted data.
With the introduction of Queryable Encryption, MongoDB is the only database provider that allows customers to run expressive queries, such as equality (available now in preview) and range, prefix, suffix, substring, and more (coming soon) on fully randomized encrypted data. This is a huge advantage for organizations that need to run expressive queries while also confidently securing their data.
Although existing encryption solutions (in-transit and at-rest) cover many regulatory use cases, none of them protects sensitive data while it is in use. In-use data encryption often is a requirement for high-sensitivity workloads for customers in financial services, healthcare, and critical infrastructure organizations. Currently, challenges around in-use encryption technologies include:
In-use encryption is highly complex, involving custom code from the application side in order to encrypt, process, filter, and decrypt the data to show it to the users. It also involves managing encryption keys in order to encrypt/decrypt the data.
Developers need cryptography experience in order to design a secure encryption solution.
Current solutions have limited or no querying capabilities, which makes using encrypted data in applications difficult.
Some of the existing tools, such as homomorphic encryption or secure enclaves have performance unsuited to scalable encrypted search, require proprietary hardware, or have uncertain security properties.
Queryable Encryption removes operational heavy-lifting, resulting in faster app development without sacrificing data protection, compliance, and data privacy security requirements.
Here is a sample flow of operations in which an authenticated user wants to query the data, but now the user is able to query on fully randomly encrypted data. In this example, let’s assume we are retrieving the SSN of a user.
When the application submits the query, MongoDB drivers first analyze the query.
Recognizing the query is against an encrypted field, the driver requests the encryption keys from the customer-provisioned key provider, such as AWS Key Management Service (AWS KMS), Google Cloud KMS, Azure Key Vault, or any KMIP-enabled provider, such as HashiCorp Vault.
The driver submits the query to the MongoDB server with the encrypted fields rendered as ciphertext.
Queryable Encryption implements a fast, searchable scheme that allows the server to process queries on fully encrypted data, without knowing anything about the data. The data and the query itself remain encrypted at all times on the server.
The MongoDB server returns the encrypted results of the query to the driver.
The query results are decrypted with the keys held by the driver and returned to the client and shown as plaintext.
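The six-step flow above, as an added example that is not MongoDB’s code and does not reproduce its actual scheme: a deliberately simplified Go model of client-side field encryption with an equality index. A "driver" holds the keys, stores each SSN as randomized AES-256-GCM ciphertext plus a keyed HMAC search token, a "server" (here just a slice) compares tokens and nothing else, and matching documents are decrypted on the client. Assumptions: keys are generated locally rather than unwrapped from a KMS, the HMAC token is a stand-in for MongoDB’s encrypted index structure, and the sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type storedDoc struct {
	ID     string
	SSNCt  []byte // randomized AES-256-GCM ciphertext, different on every insert
	SSNTok []byte // deterministic HMAC token, used only for equality matching
}

// driver is the client side and alone holds keys (assumption: passed in directly, not unwrapped from a KMS).
type driver struct {
	aead     cipher.AEAD // AES-256-GCM under the data key
	indexKey []byte      // HMAC key for search tokens
	server   []storedDoc // stand-in for the MongoDB server; it never sees plaintext
}

func newDriver(dataKey, indexKey []byte) (*driver, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &driver{aead: aead, indexKey: indexKey}, nil
}

// encryptRandomized returns nonce||ciphertext||tag under a fresh random nonce.
func (d *driver) encryptRandomized(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return d.aead.Seal(nonce, nonce, plaintext, nil), nil
}

func (d *driver) decryptRandomized(sealed []byte) ([]byte, error) {
	n := d.aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return d.aead.Open(nil, sealed[:n], sealed[n:], nil) // fails on any tampering
}

// searchToken is what the driver substitutes for a query literal; binding the
// field name in means equal values in different fields give different tokens.
func (d *driver) searchToken(field string, value []byte) []byte {
	mac := hmac.New(sha256.New, d.indexKey)
	mac.Write([]byte(field + "\x00"))
	mac.Write(value)
	return mac.Sum(nil)
}

func (d *driver) insert(id, ssn string) error {
	ct, err := d.encryptRandomized([]byte(ssn))
	if err != nil {
		return err
	}
	d.server = append(d.server, storedDoc{ID: id, SSNCt: ct, SSNTok: d.searchToken("ssn", []byte(ssn))})
	return nil
}

// findBySSN is the flow from the post: rewrite the literal into a token, let the
// server match tokens without seeing plaintext, then decrypt the hits locally.
func (d *driver) findBySSN(ssn string) (map[string]string, error) {
	tok := d.searchToken("ssn", []byte(ssn))
	hits := map[string]string{}
	for _, doc := range d.server {
		if !hmac.Equal(doc.SSNTok, tok) { // the only comparison the server performs
			continue
		}
		pt, err := d.decryptRandomized(doc.SSNCt) // client side, with the data key
		if err != nil {
			return nil, fmt.Errorf("doc %s: %w", doc.ID, err)
		}
		hits[doc.ID] = string(pt) // plaintext exists only here, in the application
	}
	return hits, nil
}

func main() {
	dataKey, indexKey := make([]byte, 32), make([]byte, 32) // assumption: local random keys
	rand.Read(dataKey)
	rand.Read(indexKey)
	d, _ := newDriver(dataKey, indexKey) // 32-byte keys, so NewCipher cannot fail here
	for _, r := range [][2]string{{"u1", "123-45-6789"}, {"u2", "987-65-4321"}, {"u3", "123-45-6789"}} {
		d.insert(r[0], r[1]) // constructed sample data; u1 and u3 share an SSN
	}
	fmt.Println(d.findBySSN("123-45-6789")) // map[u1:123-45-6789 u3:123-45-6789] <nil>
}
```

The caveat to carry away: the stored SSN column is fully randomized, but the token column is deterministic per value, so anyone who reads the server (or a dump of it) can see which records share an SSN and how often, even without being able to read the value. That equality and frequency leakage is what distinguishes a plain deterministic index from the scheme the post describes, so treat this as a model of the data flow and of the key separation, not of the security level of Queryable Encryption itself.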
Tomi Engdahl says:
Commercial Satellites Are National Security’s Next Frontier
https://spectrum.ieee.org/commercial-satellite-imagery-national-security162
Governments no longer operate all the best spy sats in the sky
On February 18, President Biden, citing U.S. intelligence, announced to the world “we have reason to believe the Russian forces are planning and intend to attack Ukraine in the coming week, in the coming days.” In the months leading up to the invasion in late February, the U.S. intelligence community had been revealing details of Putin’s war plans and disclosing highly classified real-time intelligence in the form of satellite imagery and providing detailed analysis of the movement of Russian forces.
Rather than waiting for bits of unclassified information revealed during official government briefings, the general public has watched the tragic crisis of Russia’s invasion of Ukraine unfold day-by-day. Never before have we had access to so much real-time data about an ongoing war initiated by a major power such as Russia. Every day, there are countless images, videos, audio files, data about traffic patterns on Google Maps, and high-resolution satellite imagery being shared over social media.
“In the past, only a handful of countries had access to such exquisite capabilities. Today, if other governments, or even NGOs and individuals, disagree with the information provided by one government, they can release their own imagery to prove their point.”
Matt Korda, Senior Research Associate at the Federation of American Scientists (FAS), says the handling of this crisis differs from those in previous decades when “governments still maintained a monopoly on satellite imagery. They could decide whether to disclose particular images, how they wanted to do it, and when they wanted to inform the public about things. That is no longer the case. Today, people can conduct surveillance operations from their own homes.”
Several expert analysts interviewed by IEEE Spectrum agree that the rise of affordable and easily accessible commercial satellite imagery played a role in Biden’s early release of U.S. intelligence on Russia’s invasion of Ukraine.
This time around, the U.S. government appears to have learned from past mistakes. Lewis says, “they’ve grasped that their public strategy had to be different because the expectations of their audience were different. They made falsifiable claims and released commercial satellite imagery to back them up. The government fully expected that civil society would be able to check and verify the claims.”
“Unclassified commercial satellite data acts as an ‘unblinking eye’ and is giving the world access to what was once only held by governments, promoting greater global security and accountability.”
Hanham says she’s “hopeful and inspired that the U.S. is providing actionable intelligence to build trust. This is data that you can share with allies and adversaries alike, and intelligence sources remain protected. Because it’s commercially available, it’s subject to verification by third parties.”
Commercial satellite images, she says, have exerted a powerful equalizing force. “In the past, only a handful of countries had access to such exquisite capabilities,” she says. “Today, if other governments, or even NGOs and individuals, disagree with the information provided by one government, they can release imagery from a commercial provider to prove their point.”
A number of private companies such as Planet and Capella Space are changing the way national security professionals do business by offering affordable access to high-resolution imagery and having an impact on the ground.
Planet operates the world’s largest fleet of Earth imaging satellites, capturing a daily scan of the entire Earth’s surface at a resolution of 3 meters with its PlanetScope constellation of 200 satellites. According to Planet, the company’s SkySat constellation of 21 satellites captures images of ground-level detail down to 50 centimeter length scale—up to ten times per day.
AI and machine learning “will unlock the potential of geospatial data to everyone—not just the experts.”
Dan Getman, Vice President of Product at Capella Space, speaks about the advantages of synthetic aperture radar (SAR) sensors, which “can provide visibility through all weather conditions—clouds, fog, smoke, rain—and capture clear imagery 24-7, day and night, across the globe.”
As recently as five years ago, SAR imagery was far beyond the reach of most organizations except for advanced intelligence agencies. Today, Capella offers a wide range of commercial customers access to SAR imagery at 50 cm ground resolution, allowing for identification of specific features and characteristics of objects on the ground.
It’s hard to imagine national security ever returning to a world in which governments held all the secrets gathered by their own spy satellite programs. “People are visual learners,” Lewis says. “It’s one thing to be told about a facility and another thing to look at a picture. This is a different way of knowing—the difference between showing and telling. It’s not perfect, but it’s really helpful. And it fundamentally changes how you think.”
Tomi Engdahl says:
Router security in 2021
https://securelist.com/router-security-2021/106711/
A router is a gateway from the internet to a home or office despite being conceived quite the opposite. Routers are forever being hacked and infected, and used to infiltrate local networks. Keeping this gate locked so that no one can stroll right through is no easy task. It is not always clear just how this locking works, especially when it comes to home routers, whose users are by no means all security pros. What’s more, it’s not uncommon for routers to be full of holes. Since the start of the pandemic, however, router security has received more attention. Many companies introduced remote working for employees, some of whom never returned to the office. If before the pandemic few people worked from home, now their number is significant. As a result, cybercriminals now see home routers as gateways to corporate networks, and companies as potential attack vectors. Proof of the heightened attention to network devices comes from the sharp rise in the number of vulnerabilities found in them in recent years.
Tomi Engdahl says:
EU cybersecurity agency chief warns of cyberthreats and spillovers
https://www.euractiv.com/section/cybersecurity/news/eu-cybersecurity-agency-chief-warns-of-cyberthreats-and-spillovers/
On the occasion of the 2022 pan-European cyber preparedness exercises programme, Cyber Europe, the executive director of the EU agency for cybersecurity (ENISA) warned that states must remain alert for cyber incidents and potential spillovers. While ENISA already monitored about 300 cyber events in relation to the Russian aggression against Ukraine, apart from the Viasat attack, no incidents with a major impact have been reported to date. “However, 100 of these events were spillover incidents, meaning they affected other countries as well,” Juhan Lepassaar, ENISA’s executive director, said in a press briefing on Wednesday (8 June).
Tomi Engdahl says:
Mental Health In Cybersecurity: 51% Of Workers Take Meds, Me Included
https://www.forbes.com/sites/daveywinder/2022/06/08/mental-health-in-cybersecurity-51-of-workers-take-meds-me-included/
A recent report looking at the state of mental health in cybersecurity has revealed some very worrying industry statistics. Worrying, but sadly not at all surprising. Cybersecurity professionals are not alone in working within a stressful, at times unbearably so, industry.
However, that a survey of more than 1,000 professionals from security teams across the U.S. and Europe found that half (50.8%) had been prescribed meds for their mental health cannot be ignored. This editorial exploration of mental health within the cybersecurity industry begins, as seems appropriate, with Thomas Kinsella. I asked the co-founder of security automation company Tines, responsible for the report that this article hangs from, if cybersecurity is more prone to mental health issues than other IT sectors. The report:
https://www.tines.com/reports/state-of-mental-health-in-cybersecurity/
Tomi Engdahl says:
Speech-Related Offenses Should be Excluded from the Proposed UN Cybercrime Treaty
https://www.eff.org/deeplinks/2022/06/speech-related-offenses-should-be-excluded-proposed-un-cybercrime-treaty
Governments should protect people against cybercrime, and they should equally respect and protect people’s human rights. However, across the world, governments routinely abuse cybercrime laws to crack down on human rights by criminalizing speech. So it is concerning that some UN Member States are proposing vague provisions to combat hate speech to a committee of government representatives (the Ad Hoc Committee) convened by the UN to negotiate a proposed UN Cybercrime treaty. These proposals could make it a cybercrime to humiliate a person or group, or insult a religion using a computer, even if such speech would be legal under international human rights law. Including offenses based on harmful speech in the treaty, rather than focusing on core cybercrimes, will likely result in overbroad, easily abused laws that will sweep up lawful speech and pose an enormous menace to the free expression rights of people around the world.
Tomi Engdahl says:
macOS will soon block unknown USB-C accessories by default
https://techcrunch.com/2022/06/07/macos-usb-accessory-security/
A new security feature in Apple’s upcoming macOS 13 Ventura will automatically block new USB-C devices from communicating with the operating system until the accessory can be approved by the user.
According to Apple’s description, the feature will be enabled by default and will require the user to approve a USB-C accessory before it can talk to the operating system, essentially an on-screen pop-up asking the user for permission. Apple says this doesn’t apply to power adapters, standalone displays and connections to an approved hub, and devices can still charge even if you don’t approve the accessory.
Apple says that accessories that are already connected will automatically work when updating to the new macOS software.
Tomi Engdahl says:
RSA: Spot the real fake
https://www.welivesecurity.com/2022/06/07/rsa-spot-the-real-fake/
Following a session on deepfakes (which we’ve written about a while back), it’s easy to wonder how long until deepfakes as a service (DFaaS, pronounced “deface” I guess?) hits the pseudo-legit market in the form of very-difficult-to-detect account hacks you can rent. Let’s say you want to get into a jilted partner’s insurance policy and file a fake claim. Just assemble a combination of voice and video of “them” to convincingly trick a company into issuing a hefty payout for a car that never wrecked. They have that here. In case insurance companies get better at spotting fakes, there are a host of open source projects to help your rent-a-fake get better. Right now it’s not obvious this kind of thing would get flagged, especially when paired with reasonable social engineering chops.
Tomi Engdahl says:
EXCLUSIVE: U.S. Government Ordered Travel Companies To Spy On Russian Hacker For Years And Report His Whereabouts Every Week
https://www.forbes.com/sites/thomasbrewster/2022/06/08/exclusive-us-government-ordered-travel-companies-to-spy-on-russian-hacker-for-years-and-report-his-whereabouts-every-week/
A Forbes legal challenge forces the unsealing of documents that reveal for the first time the scope of secretive surveillance orders that track the movements of individuals around the globe. Critics say the government isn’t doing enough to inform the public about the unusual initiative, which involves multi-billion-dollar private companies. In 2015, the U.S. Secret Service was on the hunt for Aleksei Burkov, an infamous Russian hacker suspected of facilitating the theft of $20 million from stolen credit cards on the Cardplanet website. The methods the agency used to pursue him, revealed for the first time as a result of a Forbes legal challenge, show how the U.S. government was able to strong-arm two data companies into spying on him for two years based on the authority of a 233-year-old law and to issue weekly reports on his whereabouts. The government has never disclosed how many other individuals could be under such prolonged and unconventional surveillance.
Tomi Engdahl says:
It Doesn’t Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again
https://www.securityweek.com/it-doesnt-pay-pay-study-finds-eighty-percent-ransomware-victims-attacked-again
It doesn’t pay to pay. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.
These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking nature of the statistics, published in Ransomware: The True Cost to Business (PDF) go much deeper.
It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.
Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.
Ransomware: The True Cost to Business 2022, A Global Study on Ransomware Business Impact
https://www.cybereason.com/hubfs/dam/collateral/reports/Ransomware-The-True-Cost-to-Business-2022.pdf
Ransomware continues to dominate the threat landscape in 2022. Organizations are under siege from a wide variety of threats, but ransomware offers threat actors a unique combination of very low risk with very high reward—which is why the volume of ransomware attacks nearly doubled from the previous year, and the total cost of ransomware was estimated to exceed $20 billion.
Ransomware is also more sinister because of the increasingly blurred lines between cybercrime gangs and nation-state adversaries who influence the objectives of ransomware attacks while also making it more difficult to bring the threat actors to justice. I often refer to these groups as “state-ignored,” where nation-state adversaries look the other way as long as the ransomware targets align with their strategic goals, or “state-controlled,” where the threat actors are executing attacks on behalf of and at the direction of the nation-state. The US Cybersecurity and Infrastructure Security Agency (CISA) reported that 14 out of 16 critical infrastructure sectors have been targeted by ransomware attacks.
Organizations that are hit by a ransomware attack face a no-win situation. The only options are to either ignore the ransom demand, rebuild and restore compromised systems from backups, and pray that the threat actor doesn’t leak or sell your organization’s sensitive data, or pay the ransom to obtain the decryption key from the attackers.
While paying the ransom may seem like the easier choice, our research this year proves once again that it does not pay to pay. Organizations that paid a ransom were frequently unable to recover all of their data, and many were hit by additional ransomware attacks—often by the same threat actors.
The best defense against ransomware attacks is to ensure your data is not stolen or encrypted in the first place through effective prevention, detection and response. It is my hope that your organizations will find this report insightful and that it will serve to inform your organization’s strategies to remain undefeated by ransomware.
Ransomware continues to be a dominant concern for organizations. Despite significant action by the Biden Administration in the US, coordinated efforts by government and law enforcement agencies around the world, and an increased focus on ransomware, the volume of attacks nearly doubled in 2021.
Of the 1400+ cybersecurity professionals who participated in this second study, nearly three-quarters (73%) said their organization was targeted by at least one ransomware attack in the preceding 24 months, compared to just 55% of companies who had been targeted by at least one attack in our 2021 report, a staggering increase of 33% year over year.
Ransomware attacks can negatively impact an organization in many ways, with combined losses potentially reaching tens or even hundreds of millions of dollars. Last year’s study revealed that the vast majority of organizations that had suffered a ransomware attack also experienced a significant business impact, whether revenue loss, reputational damage, unplanned workforce reductions, or in some cases business disruption.
Short-term impacts revealed in the report included disruption of critical business processes due to the inability to access critical systems and data, costs associated with incident response and other mitigation efforts, lost productivity, and the cost of the ransom payment itself if the organization chose to acquiesce to the extortion demand, among others.
Longer-term impacts included diminished revenue, damage to the organization’s brand and reputation, the loss of key executives, employee layoffs, loss of customers and strategic partners, and the viability of the business altogether in some instances.
The results demonstrated some regional deviations, with organizations in Japan (95%), Italy (90%), and the UK (83%) among the most likely to have been targeted by a ransomware attack in the preceding two-year period, while organizations in the US (46%) and Germany (69%) were among the least likely to have been targeted.
While the majority of organizations participating in the study reported they were targeted by a ransomware attack, not all organizations experienced a negative business impact. Ransomware victims in the US fared the best (32%) and were least likely to have been negatively impacted. In comparison, organizations in Japan (69%), Italy (63%), and France (52%) were most likely to report an impact on their operations.
As well, there was some variance by industry vertical, with the Legal (92%), Manufacturing (78%), Financial Services (78%), and Human Resources (77%) sectors most likely to have been affected by a ransomware attack.
Ransomware is a lucrative business that will continue to be a threat. Attackers continue to find innovative ways to extort victims, so it is more crucial than ever for organizations to be able to defend against ransomware attacks.
Despite the ongoing cybersecurity talent shortage, the study revealed a significant increase in the number of respondents who believe their organizations have the right talent to defend against ransomware attacks: 88% this year vs. 60% last year, a nearly 50% increase year over year.
The other good news: nearly three-fourths of respondents indicated they believe their organization has the right contingency plans to manage a ransomware attack–a number that remained relatively unchanged year over year.
Education had the lowest confidence level in its people, at 71%, and in its processes, at 53%. This is particularly concerning because colleges and school systems are frequent ransomware targets.
While many respondents believe their business is prepared for a ransomware attack, their faith may be misguided. Our year-over-year data shows a significant disconnect and a false sense of confidence between how prepared respondents say they are vs. how prepared their organizations actually are to deal with a successful ransomware attack.
Of the organizations that paid one or more ransom demands following successful attacks, nearly half (49%) said their primary motivation for paying was to avoid any loss of revenue, while 41% cited the need to expedite recovery as the main driver for payment, both of which seemingly make sense from a business viability and continuity standpoint.
Some companies decided to pay the ransom because they weren’t prepared for a ransomware attack. For example, 27% said they paid the ransom because they hadn’t backed up their data. One-third (34%) indicated they were simply too short-staffed to attempt an effective response without the assistance of the attackers, both of which are preventable conditions for organizations that take the threat of ransomware seriously and are indicators that these organizations simply aren’t prepared.
The decision to pay a ransom demand is not easy, especially for organizations with a critical infrastructure designation like those in the Healthcare sector. In cases where ransomware prevents access to crucial systems and data needed to provide care, the consequences could be dire the longer the attack persists. This urgency explains why nearly one-third of respondents (28%) said they paid the ransom demand because any delays in remediation could result in injury or loss of life.
This research demonstrates that paying the ransom doesn’t guarantee a faster recovery from the attack, despite the claims attackers may make to entice organizations to pony up. In fact, of the organizations that reported having paid a ransom demand, only 42% said the payment resulted in restoration of all systems and data, a significant decrease from the 51% who said they fully recovered systems and data in the 2021 study. Furthermore, 54% said that system issues persisted or that some data was corrupted after decryption, up from 46% in 2021. This data strongly suggests that it still does not pay to pay.
Paradoxically, 78% of organizations that indicated they did not pay a ransom said they were able to fully restore systems and data without receiving the decryption key at all. Given the counterintuitive results here, one must ask why the outcomes would be better for organizations that did not pay a ransom. Were they simply better prepared to respond?
One of the toughest decisions a business will ever make is whether to pay a ransom demand following a successful attack. This decision is particularly difficult for any organization to make in the heat of incident response. There are no clear-cut best practices to follow that work for every organization in every circumstance. Every ransomware attack scenario needs to be evaluated on a case-by-case basis because each infiltration, attack group, victim organization, jeopardized data set, and impacted third-party situation is unique, and there are numerous factors that need to be considered when determining whether or not to make a payment.
That said, this research found that it clearly does not pay to pay. Of the organizations that chose to pay a ransom demand, the vast majority (nearly 80%) indicated they were victims of at least one subsequent ransomware attack. Of those who were hit a second time with ransomware, nearly half (48%) indicated the attack was perpetrated by the same attackers, which remained unchanged from the 2021 study.
Two-thirds (68%) who paid a ransom and were hit again reported that the second attack came less than a month after the first and that the threat actors demanded an even higher ransom amount the second time around. Of the organizations that paid a ransom following the first attack, nearly half (44%) also paid the second ransom demand, and nearly one in ten (9%) said they paid a ransom demand three times or more.
Let those statistics sink in: nearly 8-out-of-10 companies that paid a ransom were hit by a second ransomware attack—almost half of which were perpetrated by the same threat actors. Adding insult to injury, more than two-thirds of those subsequent attacks demanded a higher ransom than the initial attack, and nearly 6-out-of-10 organizations were unable to recover all of their systems and data even after paying the ransom.
Our research found that certain industry segments are virtually guaranteed to be hit a second time after paying a ransom demand. Companies in the Legal (100%), Human Resources (100%), Engineering (91%), and Manufacturing (85%) sectors were most likely to have suffered a second attack after having paid a ransom. Larger organizations with more than 1,500 employees were also preferred targets for repeated attacks (88%).
The big takeaway from both this year’s study and the last is that it really does not make sense to pay a ransom demand unless there is the risk of losses that go beyond monetary costs, such as when human life is at risk.
Ransomware attacks involve a variety of infection vectors, but ransomware actors traditionally prefer some methods over others. In a 2020 study, researchers found that unsecured Microsoft Remote Desktop Protocol (RDP) connections were leveraged in over half of all ransomware attacks. This was followed by phishing emails at approximately a quarter of all ransomware infections and the exploitation of software vulnerabilities at 12%.
As noted by ZDNet, some digital crime groups specialize in scanning the web for these exposed ports. When they find them, they carry out brute-force attacks to gain access. They can then sell that access on Dark Web marketplaces, giving attackers like ransomware groups an opportunity to establish a foothold in an organization’s network.
Then there are the attacks that leverage exploits of known and unknown vulnerabilities. Ransomware attacks have evolved dramatically over the last few years, from a small cottage industry conducting essentially nuisance attacks like phishing and drive-by exploits to a highly complex business model known for its efficiency, specialization, innovation, and technical sophistication.
While broad, random attacks are still prevalent, ransomware purveyors are moving away from high-volume attacks with low ransom demands in favor of more focused, custom attacks aimed at organizations selected for their ability and likelihood to pay multi-million-dollar ransom demands. It is becoming increasingly common for ransomware attacks to involve complex attack sequences in low-and-slow campaigns designed to infiltrate as much of the targeted network as possible versus infecting a single machine with the ransomware payload.
These more complex ransomware operations, or RansomOps, involve highly targeted, complex attack sequences conducted by sophisticated threat actors. Unlike early iterations of ransomware attacks that relied on “spray-and-pray” tactics to infect large numbers of victims while seeking relatively small ransom demands, RansomOps attacks are much more intricate and akin to the stealthy operations conducted by nation-state threat actors.
RansomOps also involve a great deal of reconnaissance on the targets, which are carefully chosen for their ability to pay substantial ransom demands and high likelihood to pay, given they may be in an industry with the potential for significant ripple effects should their operations be disrupted, such as with Healthcare and other critical infrastructure organizations.
With a RansomOps campaign, the actual ransomware payload that encrypts data happens essentially at the tail-end of the attack. Of the organizations that suffered a ransomware attack in the last 24 months, 63% reported that the attackers were in their networks for up to six months before being detected, 21% said it was seven to twelve months of dwell time, and 16% said attackers were in their networks for a year or more before security teams became aware of the network compromise.
The silver lining: there are potentially weeks or even months of detectable activity that could allow organizations to disrupt an attack before it results in serious impact, provided they have the right tools in place to detect the RansomOps attack sequence early versus later in the kill chain at payload delivery.
The shift to more complex RansomOps attacks has also led to a rise in supply chain attacks. A supply chain attack enables attackers to focus on compromising just one organization, which then allows them to compromise the entire customer base. The attack against managed IT services provider Kaseya in 2021 that led to further attacks on their customers is a prime example of a supply chain attack.
“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today,”
In this study, most organizations (64%) that suffered a successful ransomware attack in the last 24 months indicated the primary infection vector was a third-party supply chain compromise. Small to medium-sized organizations were more likely to be compromised via supply chain attacks, while larger organizations were more apt to be infected by direct attacks on their environments.
Organizations have adapted to the rising threat of ransomware attacks with improved data backup practices, so they can simply restore their data if necessary. Cybercriminals have responded by introducing additional incentives for organizations to pay the ransom. While lateral movement through the targeted network is a primary goal for RansomOps threat actors to maximize both the impact on the targeted organizations and the potential ransom payout, these more complex operations often also seek to exfiltrate sensitive data from the victim before detonating the encryption payload so they can leverage it to force a ransom payment through double extortion techniques.
With double extortion, the ransomware encrypts the victim’s data and demands payment in exchange for a decryptor within the ransom note, as expected. However, the threat actor can also apply additional pressure to victims who would not usually pay a ransom by threatening to leak or sell the exfiltrated data. With double extortion, the options for organizations become more limited.
Only one ransomware gang was using the tactic in 2019, but by the end of Q1 2021, researchers observed ransomware attacks that included threats to publish exfiltrated data if a ransom demand was not paid had increased to 77% of all ransomware attacks.
The steady increase in the volume, complexity, and severity of ransomware attacks is driving increases in security budgets, with 86% of respondents indicating an increase in their security budgets to defend against ransomware attacks. Overall, two-thirds (66%) of respondents stated their security program budgets increased significantly, by between 11% and 50%. The average increase in security budgets across all participants in the study was 20%, demonstrating that ransomware is among the leading drivers for security spending across organizations of all sizes and industry verticals.
Since it was introduced to the market, cyber insurance adoption has been rapid and widespread, with 93% of respondents indicating their organizations have a cyber insurance policy in place, up from 75% in the 2021 report. Of those with cyber insurance, 84% indicated their policies include coverage specifically for ransomware attacks, up from just 54% in last year’s report.
Generally, the larger the organization, the less likely they were to have cyber insurance for ransomware attacks. In fact, the larger the company, the less likely they were to have any cyber insurance at all, with 9% of companies with 1,500 or more employees reporting no cyber insurance protection.
The other budget winners in the effort to counter ransomware attacks were hiring additional security talent at 51% and additional security awareness training for employees at 50%. Organizations in Germany and Japan were most likely to invest more funds into hiring at 61% and 60%, respectively, while organizations in the UAE (40%) and Singapore (41%) were the least likely to spend the additional budget on new hires.
Surprisingly, the addition of new security technologies like NGAV, Endpoint Protection, and Endpoint Detection and Response solutions was a priority for 47% of organizations. It is interesting to note that investment in new technologies designed to prevent or disrupt ransomware attacks was only the fourth most common choice for where to allocate additional security budget.
This may be due to the fact that most of the organizations participating in the study have already made significant investments in prevention, detection and response solutions, but given the level of increased investment in cyber insurance, one might conclude that these organizations are not necessarily confident that they have the right solutions in place to adequately defend against ransomware attacks.
While cyber insurance can be an effective tool for transferring some of the risk of a ransomware attack, it doesn’t mitigate all of it or provide any meaningful defense. Even if a cyber insurance policy covers a ransom demand, it may not cover a number of other financial consequences, such as lost revenue, cost of remediation, higher insurance premiums, regulatory fines, legal fees, and the like. What’s more, cyber insurance will not protect an organization from being among the 8 out of 10 that are hit with a second ransomware attack—and it is doubtful that cyber insurance would cover back-to-back ransom payments within a month.
Once an organization has been compromised with ransomware, no clear-cut “best option” is available. If the ransom is not paid, business may grind to a halt for days or weeks as data is manually restored from backups–assuming the organization has backups.
If a ransomware attack includes data exfiltration for double extortion, not paying the ransom also means accepting the risk that sensitive data and intellectual property may be exposed publicly–and the legal and regulatory consequences that can stem from such exposure. Again, the financial, legal, regulatory, and reputational impact of a ransomware attack–including lost business and productivity and the cost of recovery efforts–can often exceed the ransom demand.
The alternative is to pay the ransom, but that comes with issues and risks as well. As noted earlier
The best option for defending against ransomware is to be proactive and prevent an attack at the outset, to detect and disrupt an attack in progress as early as possible, and to be prepared to respond to a successful attack swiftly.
Follow Security Hygiene Best Practices: This includes timely patch management and ensuring operating systems and other software are regularly updated, offsite data backups, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.
Implement Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs as well as custom malware.
Deploy Endpoint and Extended Detection and Response (EDR and XDR): Point solutions for detecting malicious activity like a RansomOps attack across the environment provide the visibility required to end ransomware attacks before data exfiltration occurs or the ransomware payload can be delivered.
Ensure Key Stakeholders Can Be Reached: Responders should be available at any time of day, as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
Conduct Periodic Table-Top Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support, and other departments all the way up to the executive team for smooth incident response.
Ensure Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc.
Evaluate Managed Security Services Provider Options: If your security organization has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.
Lock Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to domain-level admin and then deploy the ransomware. Those highest-privilege accounts, in many cases, are rarely required to be in use during weekend or holiday breaks. Teams should create highly secured, emergency-only accounts in Active Directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.
Tomi Engdahl says:
CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List
https://www.securityweek.com/cisa-clarifies-criteria-adding-vulnerabilities-must-patch-list
The US Cybersecurity and Infrastructure Security Agency (CISA) has provided clarifications on the criteria for adding vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
The KEV catalog was launched in November 2021 with roughly 300 entries. There are now more than 730 entries and the database continues to grow as CISA becomes aware of other new or old vulnerabilities that have been exploited in the wild.
Tomi Engdahl says:
Snowflake Launches Cybersecurity Workload to Find Threats Across Massive Data Sets
https://www.securityweek.com/snowflake-launches-cybersecurity-workload-find-threats-across-massive-data-sets
Data cloud company Snowflake (NYSE: SNOW) is the latest enterprise technology firm looking to help fuel the massive data lakes that power enterprise security programs.
Snowflake this week launched a new Cybersecurity workload that helps cybersecurity teams to better protect their enterprises using its platform and an extensive ecosystem of partners delivering security capabilities with connected applications. With it, cybersecurity teams can quickly gain visibility and automation at cloud scale.
“With Snowflake’s Data Cloud, cybersecurity teams can break down data silos to enable better visibility, deliver advanced analytics that remove manual processes, and give security teams a clearer picture of evolving risks and threats coming their way,” Omer Singer, Head of Cybersecurity Strategy at Snowflake, explained in a blog post.
With Snowflake’s Data Cloud, customers can unify logs and enterprise data and store virtually unlimited amounts of “hot” data cost effectively for years.
“Customers are able to efficiently store years of high-volume data, search with scalable on-demand compute resources,” Snowflake says, “and gain insights using universal languages like SQL and Python, currently in private preview. With Snowflake, organizations can also unify their security data with enterprise data in a single source of truth, enabling contextual data from HR systems or IT asset inventories to inform detections and investigations for higher fidelity alerts, and running fast queries on massive amounts of data.”
https://www.snowflake.com/blog/cybersecurity-workload/
Tomi Engdahl says:
Ransomware payments now average a million dollars
https://etn.fi/index.php/13-news/13704-ransomware-maksu-jo-keskimaeaerin-miljoona-dollaria
According to security company Palo Alto Networks, average ransomware ransom payments have already risen by 71 percent this year, to almost a million dollars. During the first five months of the year, the average ransomware payment grew to $925,162.
We are therefore already talking about an extortion sum of almost a million dollars. The figure does not include the additional costs incurred by victims, such as remediation costs, downtime costs or reputational damage. The growth has been enormous compared with the average ransomware payment in 2020, which was about $300,000.
According to Palo Alto Networks, most ransom payments were still under $500 in 2016. On average, seven new ransomware victims are posted on the dark web every day.
Average Ransom Payment Up 71% This Year, Approaches $1 Million
https://www.paloaltonetworks.com/blog/2022/06/average-ransomware-payment-update/
Tomi Engdahl says:
A Finnish passport can be bought on the dark web for under ten euros
https://etn.fi/index.php/13-news/13700-suomalaisen-passin-saa-darkwebistae-alle-kympillae
A study by cybersecurity company NordVPN analysed one of the dark web marketplaces, where more than 720,000 items or pieces of data have so far been sold illegally for a total of 16.1 million euros. The study reveals that a Finnish passport can be bought for just 9.30 euros. The price is low compared with other countries.
The items for sale from around the world included passports, identity cards, driving licences, email data, payment card data, mobile phone numbers, online accounts, bank login details, crypto accounts and other private data.
According to NordVPN cybersecurity expert Adrianus Warmenhoven, one marketplace is only the tip of the iceberg. “There are currently more than 30,000 websites on the dark web. It is worth remembering that only 4 percent of the whole Internet is the so-called surface web, which is within reach of all Internet users.”
Finnish passports were the fourth cheapest in the world, with an average price of 9.30 euros. Czech, Slovak and Lithuanian passports were the most expensive (average price 3,542.50 euros). The price depends on many factors, such as how easily the document can be forged, how widely they are sold, and how commonly they are bought.
Finnish data that could be obtained by brute-force attacks or guessing was on sale at a much lower price. The same applies to other countries. Payment card details cost about 8.60 euros. Another easy method hackers use to steal data or digital assets is “credential stuffing” (where a leaked password or email address is used to gain access to another platform). For this reason, the prices of online accounts are low: a hacked Netflix account can be bought for 9.30 euros, an Uber account for 11.20 euros and a Twitter account for a paltry 1.90 euros.
A dark web case study:
This is how hackers make $17.3 million from your data
https://nordvpn.com/fi/research-lab/dark-web-case-study/
General statistics on the analysed market:
Number of items for sale: > 22,000
Verified sales: > 720,000
Verified revenue from sales: > $17.3 million.
Tomi Engdahl says:
A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia https://thehackernews.com/2022/06/a-decade-long-chinese-espionage.html
A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed Aoqin Dragon has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.
Tomi Engdahl says:
Even the Most Advanced Threats Rely on Unpatched Systems https://thehackernews.com/2022/06/even-most-advanced-threats-rely-on.html
Common cybercriminals are a menace, there’s no doubt about it: from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.
Tomi Engdahl says:
Average haul 862,519 euros, up 71%: authority gives victims strict instructions https://www.is.fi/digitoday/tietoturva/art-2000008872095.html
RANSOMWARE ATTACKS are costing companies and other organisations clearly more than before, security company Palo Alto Networks estimates. According to the company, average ransom payments have already risen to almost a million dollars this year. [More: https://www.paloaltonetworks.com/blog/2022/06/average-ransomware-payment-update/]
Tomi Engdahl says:
Supply chain attacks will get worse: Microsoft Security Response Center boss https://www.theregister.com/2022/06/09/microsoft_supply_chain_attacks/
RSA CONFERENCE Major supply-chain attacks of recent years (we’re talking about SolarWinds, Kaseya and Log4j, to name a few) are “just the tip of the iceberg at this point,” according to Aanchal Gupta, who leads Microsoft’s Security Response Center.
Tomi Engdahl says:
A big change for iPhones and Macs: no more passwords https://www.is.fi/digitoday/tietoturva/art-2000008874787.html
A more secure alternative for logging in to websites and apps is on offer in the new operating systems for iPhones and Macs.
Tomi Engdahl says:
Don’t want to give your data to Google or Apple? Here’s a phone for you
https://etn.fi/index.php/13-news/13707-et-halua-antaa-dataasi-googlelle-tai-applelle-taessae-sinulle-puhelin
A study by Vanderbilt University in Nashville found that Android sends data to Google 340 times a day even when the phone is idle. If you don’t want to share your data with the search engine giant or with Apple, you have options. One of them is Murena.
Murena is a project by Gael Duval, who originally built Mandrake Linux, and it began back in 2017. Five years later, Duval and his developers have launched the Murena One X2. It is the first high-end Android phone to reach the market that runs the open-source /e/OS version of Android.
Murena is by no means the first attempt to develop an alternative to Google-based Android and Apple’s iOS. This has been tried with Windows, Ubuntu and Firefox, with poor results. Duval’s approach differs from these in that he set out to strip Android of everything Google uses to snoop on user data.
In /e/OS, most Google services have been removed and replaced with MicroG services. MicroG replaces Google’s libraries with purely open-source implementations that have no links to Google’s services. This covers the libraries and applications that provide the Google Play, Maps, Geolocation and Messaging services.
Tomi Engdahl says:
RSA Conference 2022 – Announcements Summary
https://www.securityweek.com/rsa-conference-2022-vendor-announcements-summary-day-1
https://www.securityweek.com/rsa-conference-2022-announcements-summary-day-2
https://www.securityweek.com/rsa-conference-2022-announcements-summary-day-3
Tomi Engdahl says:
US Details Chinese Attacks Against Telecoms Providers
https://www.securityweek.com/us-details-chinese-attacks-against-telecoms-providers
Several US government agencies have issued a joint cybersecurity advisory to provide information on the techniques and tactics that China-linked threat actors have been using to compromise telecom companies and network services providers.
The Chinese nation-state adversaries continue to rely on publicly available tools and known vulnerabilities to compromise networks and establish an infrastructure. They target entities around the world, both in public and private sectors, the US agencies say.
Chinese APTs readily exploit publicly known vulnerabilities to compromise network devices such as SOHO routers and NAS devices, reads the joint advisory authored by the NSA, CISA and the FBI.
Tomi Engdahl says:
https://www.securityweek.com/us-details-chinese-attacks-against-telecoms-providers
Since 2020, the three US agencies have observed the Chinese threat actors mainly abusing vulnerabilities in devices from Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652), Citrix (CVE-2019-19781), DrayTek (CVE-2020-8515), D-Link (CVE-2019-16920), Fortinet (CVE-2018-13382), MikroTik (CVE-2018-14847), Netgear (CVE-2017-6862), Pulse (CVE-2019-11510 and CVE-2021-22893), QNAP (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, and CVE-2019-7195), and Zyxel (CVE-2020-29583).
The threat actors also use open-source tools to scan for vulnerabilities and perform reconnaissance, including RouterSploit (exploitation framework for embedded devices) and RouterScan (a framework for vulnerability scanning), which allow them to identify makes, models, and known bugs that can be exploited.
“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,” the joint advisory reads.
The threat actors were observed obtaining the credentials necessary to access the underlying SQL database of a critical RADIUS server and then dumping the stored credentials, including cleartext and hashed passwords.
Using these credentials, the attackers then connected to Cisco and Juniper routers via SSH, executed commands, and then exfiltrated current router configuration.
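The access chain summarised in this comment (credentials pulled from the RADIUS server’s backend database, then SSH sessions to routers, then the configuration read out) leaves a correlatable trail in logs. The following is an added example, not code from the advisory, the article or any vendor; the log format, host names and addresses are constructed and simplified.

```python
"""Detect the dump-RADIUS-credentials-then-SSH-to-routers pattern in logs.

Added example (not from the advisory or the article). The defender-side
observation: administrative access to network gear and to the RADIUS backend
should only ever originate from a small set of management hosts. A source that
first touches the credential store and then opens SSH sessions to routers and
reads the whole configuration is a high-fidelity signal. The log format below
is constructed and deliberately simplified (not any vendor's real syslog
format); a real deployment would map vendor login and command-accounting
messages onto the same three event types.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: only these management hosts (a jump host and a configuration
# management server, constructed addresses) may administer network devices
# or connect to the RADIUS backend database.
APPROVED_MGMT_HOSTS = {"10.0.50.10", "10.0.50.11"}

# Commands that return the whole device configuration (Cisco IOS and Junos
# syntax). Matched as prefixes so "show configuration | display set" hits too.
CONFIG_DUMP_PREFIXES = ("show running-config", "show startup-config", "show configuration")

# Three simplified event types: backend DB login, SSH login to a device, command run.
DB_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DB_LOGIN db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")
LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) SSH_LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$")
CMD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) CMD user=(?P<user>\S+) src=(?P<src>\S+) cmd=(?P<cmd>.+)$")


@dataclass
class Alert:
    severity: str   # "high" or "critical"
    host: str       # device or server the event happened on
    src: str        # source address of the actor
    reason: str


def analyse(lines: list[str]) -> list[Alert]:
    """Return alerts, in log order, for the credential-store-then-router chain."""
    alerts: list[Alert] = []
    db_suspects: set[str] = set()                    # sources that touched the RADIUS backend
    odd_sessions: set[tuple[str, str, str]] = set()  # (host, user, src) SSH sessions from unapproved hosts

    for line in lines:
        if m := DB_RE.match(line):
            if m["src"] not in APPROVED_MGMT_HOSTS:
                db_suspects.add(m["src"])
                alerts.append(Alert("high", m["host"], m["src"],
                                    f"login to RADIUS backend database '{m['db']}' from unapproved host"))
        elif m := LOGIN_RE.match(line):
            if m["src"] not in APPROVED_MGMT_HOSTS:
                odd_sessions.add((m["host"], m["user"], m["src"]))
                # The same source reaching the credential store and then a router
                # is exactly the replay the advisory describes: escalate.
                if m["src"] in db_suspects:
                    alerts.append(Alert("critical", m["host"], m["src"],
                                        "SSH login to router from host that earlier accessed the RADIUS backend"))
                else:
                    alerts.append(Alert("high", m["host"], m["src"], "SSH login to router from unapproved host"))
        elif m := CMD_RE.match(line):
            cmd = m["cmd"].strip().lower()
            key = (m["host"], m["user"], m["src"])
            if key in odd_sessions and cmd.startswith(CONFIG_DUMP_PREFIXES):
                alerts.append(Alert("critical", m["host"], m["src"],
                                    f"full configuration read ('{cmd}') over SSH session from unapproved host"))
    return alerts


# Constructed sample log. Lines 1, 3 and 4 are routine management activity;
# the rest replay the chain: backend DB access, then router logins and config dumps.
SAMPLE_LOG = [
    "2022-06-07T02:14:05Z radius-db01 DB_LOGIN db=radius user=radius_app src=10.0.50.10",
    "2022-06-07T02:31:41Z radius-db01 DB_LOGIN db=radius user=radius_app src=10.44.3.9",
    "2022-06-07T02:58:12Z edge-rtr-01 SSH_LOGIN user=netops src=10.0.50.11",
    "2022-06-07T02:58:30Z edge-rtr-01 CMD user=netops src=10.0.50.11 cmd=show interfaces",
    "2022-06-07T03:02:07Z edge-rtr-01 SSH_LOGIN user=netops src=10.44.3.9",
    "2022-06-07T03:02:19Z edge-rtr-01 CMD user=netops src=10.44.3.9 cmd=show running-config",
    "2022-06-07T03:05:44Z core-rtr-02 SSH_LOGIN user=netops src=10.44.3.9",
    "2022-06-07T03:05:58Z core-rtr-02 CMD user=netops src=10.44.3.9 cmd=show configuration | display set",
]


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"[{a.severity:8}] {a.host:12} src={a.src:10} {a.reason}")
```

Note that the same user name (netops) appears in both the benign and the suspicious sessions: once the credential store has been dumped, the login name alone tells the defender nothing, which is why the source host is the pivot here.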
Tomi Engdahl says:
https://www.securityweek.com/rsa-conference-2022-vendor-announcements-summary-day-1
Cloud Security Alliance releases results of Zero Trust survey
The Cloud Security Alliance (CSA) has released a new report named “CISO Perspectives and Progress in Deploying Zero Trust.” A survey of more than 800 IT and security professionals found that 80% of C-level executives view Zero Trust as a priority, 94% are in the process of implementing a Zero Trust strategy, and 77% are increasing their budget for Zero Trust over the next 12 months.
MITRE introduces “System of Trust”
The MITRE Corporation announced the introduction of “System of Trust,” a free and open platform that offers a new knowledge base of supply chain security risks, as well as a security risk assessment process.
Delivering a proactive approach to finding and mitigating threats, the System of Trust details 14 risk areas for organizations to evaluate, and contains more than 2,200 specific supply chain security risk questions. The framework scores and ranks risks to help identify strengths and weaknesses, and offers a common vocabulary that can be understood across suppliers, supplies, and services.
Tomi Engdahl says:
This is how Finns’ data is sold on the dark web: passports, payment cards https://www.is.fi/digitoday/tietoturva/art-2000008874482.html
New figures have emerged on the sale of data stolen from FINNS on the dark web. Security company NordVPN went through one marketplace in detail and found for sale, among other things, passports and identity cards, payment card data, online service accounts, login details for banks and crypto accounts, and other private data.
Tomi Engdahl says:
11 infamous malware attacks: The first and the worst https://www.csoonline.com/article/3663051/11-infamous-malware-attacks-the-first-and-the-worst.html
Whether by dumb luck or ruthless skill, these malware attacks left their mark on the internet.
Tomi Engdahl says:
Cloud data breaches: 4 biggest threats to cloud storage security https://blog.malwarebytes.com/business/2022/06/cloud-data-breaches-4-biggest-threats-to-cloud-storage-security/
In this post, we’ll break down the four big threats to cloud storage security that SMBs should be ready to address.
Tomi Engdahl says:
MEP surprised: a 10-year Yandex cookie was found on their computer
https://www.tivi.fi/uutiset/tv/7e7e7839-b0b6-4249-8797-ceeeee8372d5
Not even political decision-makers are safe from the data collection of the digital giants, according to Sitra’s Digivalta report. This may expose decision-makers to hybrid influence operations.
Tomi Engdahl says:
FBI, DOJ say less than 25% of NetWalker ransomware victims reported incidents https://therecord.media/fbi-doj-say-less-than-25-of-netwalker-ransomware-victims-reported-incidents/
Just one fourth of all NetWalker ransomware victims reported incidents to law enforcement, according to officials from the FBI and Justice Department who led the takedown of the group.
Tomi Engdahl says:
Cybersecurity Courses Ramp Up Amid Shortage of Professionals
https://www.securityweek.com/cybersecurity-courses-ramp-amid-shortage-professionals
The pressure was on. Someone, somewhere, was attacking computer systems so customers couldn’t reach certain websites. In a windowless room in Denver, Zack Privette had worked all morning with his security team to figure out what the cyber strangers were up to.
“What’s happened is that we have an attacker who has been going through our different websites and they found a vulnerability into our active directory and …,” Privette explained to Richard Mac Namee, identified as chief operating officer of the company under attack.
“OK, I’m not technical. What does that mean?” interrupted Mac Namee, who is really the director of the new Cybersecurity Center at Metropolitan State University of Denver. And he’s actually quite technical.
Tomi Engdahl says:
Billion-Dollar Valuations Can’t Halt Layoffs at OneTrust, Cybereason
https://www.securityweek.com/billion-dollar-valuations-cant-halt-layoffs-onetrust-cybereason
Two cybersecurity vendors that recently boasted of raising hundreds of millions of dollars at unicorn valuations have confirmed staff cuts as the turmoil in the capital markets starts to wreak havoc on late-stage startups.
Tomi Engdahl says:
38 Tech Leaders Sign Cyber Resilience Pledge
https://www.securityweek.com/38-tech-leaders-sign-cyber-resilience-pledge
The Coalition to Reduce Cyber Risk (CR2) announced this week that it has been joined by 37 organizations across eight countries in signing a pledge to improve cyber resilience and combat threats such as ransomware.
This shows, CR2 notes, that organizations are aware of the importance of collaboration in countering evolving threats and in implementing risk-based cybersecurity globally.
By signing the pledge, these organizations show their commitment to drive the development and implementation of risk-based approaches based on widely accepted standards and to support small businesses in adopting risk-based cybersecurity.
Additionally, they pledged to improve cybersecurity standards and incorporate them in policies and controls, and to periodically perform assessments of these policies and controls, to ensure they continue to be standard-compliant.
“Internationally recognized cybersecurity frameworks and standards that are based upon the principles of risk management and relevant across sectors support such implementation by strengthening consistency and continuity among interconnected sectors and throughout global supply chains,” CR2 notes.
The adoption of these standards among companies and government agencies worldwide is expected to not only mitigate cyber risks, but to also facilitate economic growth.
The CR2 Pledge
https://www.crx2.org/pledge
The signatories to this pledge understand that in order to enhance cyber resiliency and counter evolving cross-border cyber threats such as the growth of ransomware, we must enable the seamless implementation of risk-based approaches to cybersecurity around the world.
Internationally recognized cybersecurity frameworks and standards that are based upon the principles of risk management and relevant across sectors support such implementation by strengthening consistency and continuity among interconnected sectors and throughout global supply chains.
Increased and ongoing adoption of these frameworks and international standards by companies and governments around the world will mitigate cyber risks and facilitate economic growth. To further advance adoption of international approaches to cybersecurity risk management, we commit to:
Encourage the development, evolution and implementation of risk-based approaches based on consensus-based frameworks, standards and risk management best practices, such as ISO/IEC 27110 and 27103, or the NIST Cybersecurity Framework;
Support efforts of our vendors and supply chain contributors to adopt risk-based cybersecurity approaches in order to help small businesses flourish while improving the resiliency of the cyber ecosystem;
Incorporate ISO/IEC 27110 and 27103, the NIST Cybersecurity Framework, or other widely accepted international cybersecurity standards as a foundation of our cybersecurity policies and controls wherever applicable and feasible; and
Periodically reassess our cybersecurity policies and controls against revisions to such cybersecurity standards and actively participate in industry-driven initiatives to improve those standards.
A commitment to internationally recognized cyber risk management approaches and frameworks that are relevant across sectors can bring widespread economic benefits, help governments achieve their policy goals, bolster collective security, and enhance cyber resiliency across the ecosystem.
Tomi Engdahl says:
Chinese Cyberspy Group ‘Aoqin Dragon’ Targeting Southeast Asia, Australia Since 2013
https://www.securityweek.com/chinese-cyberspy-group-aoqin-dragon-targeting-southeast-asia-australia-2013
Tomi Engdahl says:
Backdoor Attacks From Windigo Operation Still Active
https://www.securityweek.com/backdoor-attacks-windigo-operation-still-active
Windigo, a malicious operation uncovered over three years ago, continues to be active despite a takedown attempt in 2014 and the sentencing of one conspirator in August 2017.
At the core of Windigo was Linux/Ebury, an OpenSSH backdoor and credential stealer that was estimated to have infected over 25,000 servers worldwide during a two and a half year period prior to the botnet’s discovery. The systems were being abused to steal credentials, redirect web traffic to malicious sites, and send in excess of 30 million spam messages a day.
The operation was uncovered by ESET researchers who worked together with CERT-Bund, the Swedish National Infrastructure for Computing, and other agencies to take it down. In 2015, Finnish authorities apprehended Maxim Senakh, one of the conspirators behind the operation. He was extradited to the United States last year and sentenced to 46 months in federal prison in August this year.
Tomi Engdahl says:
Cyber Safe Green Energy
https://www.txone.com/white-papers/cyber-safe-green-energy/?utm_source=SecurityWeek&utm_medium=newsletter&utm_campaign=GEnergy_WP&utm_content=300_200gif
In our new white paper “Cyber Safe Green Energy”, we share experience from collaborating with industry leaders in green energy to secure work sites with the OT zero trust approach.
Prevent cyber incidents that could interfere with power delivery, destroy property, or even endanger human lives
Streamline oversight and compliance with regulations
Neutralize insider threat and prevent supply chain attacks
Tomi Engdahl says:
94% of Orgs Had an Insider Security Breach
See 5 tips on reducing internal security risks.
5 Ways to Create a Cybersecurity-Focused Work Culture
https://www.skillsoft.com/blog/5-ways-to-create-a-cybersecurity-focused-work-culture?utm_source=security+week&utm_medium=display&utm_campaign=SKL+IT-SW-NA+FY23-ALL-PM-BLG-5+ways+to+create+a+cybesecurity+focused+wrk+culture&utm_content=SKSTDWorkplaceCybersecurity
The importance of privacy and security cannot be overstated in an age where so much of our business infrastructure relies on technology. Unfortunately, it’s also this reliance that makes our infrastructure the perfect target for malicious actors.
To combat and adapt to these threats, many companies, including Skillsoft and at least 16 US states, have appointed a chief information security officer (CISO) dedicated to minimizing technology risks for the organization.
As a CISO, you must educate employees to guarantee the security of your organization. Ninety-four percent of organizations report that they’ve had an insider breach. The average cost of a data breach is $4.7 million, and 20% of breaches can be avoided by providing educational resources for employees.
Cybersecurity training is key to keeping your organization safe. I see cybersecurity training — for leaders, practitioners, and other staff — as an essential part of a broad security strategy. When staff knows what to look for and have a clear picture of what their security teams do, they can better protect themselves and the organization’s data.
Here are five ways to prepare your workforce for today’s and tomorrow’s threats:
1. Adopt a culture of regular, personalized training
Training significantly benefits individuals and their organizations. Training improves morale, fosters high-quality outcomes, and faster resolutions. However, the biggest inhibitor to security training is often employees’ workload. If they have too much going on, asking them to make time for security training can lead to burnout or disengagement with the material.
But, if training is the key to warding off phishing attacks and bad actors, leadership must build in time to complete training correctly.
2. Align the security team and workforce
Something I’m excited to be working on at Skillsoft is creating more substantial alignment between our security teams and disciplines and our workforce. We plan to improve communication with monthly newsletters and other internal initiatives and become more visible within the organization.
3. Pay close attention to trends in your organization
Take note of your attack surface regularly. The only way to successfully stave off threats is to be aware of all possible entry points. You must be able to message how you, your team, and every member of the organization affect and are affected by it. Make that information widely and readily available.
4. Collaborate with your partners & customers
You can use the same strategy you used to transform your workforce to engage with your partners and customers more regularly. By sharing trends, strategies, and new developments as they happen, you’re giving those who rely on you insight into how you’re keeping them safe. Education and communication help create a cyber-aware community where we’re all looking out for each other.
5. Focus on the right metrics
My key takeaway for leadership, especially other CISOs, is to remain focused on being prepared. It’s terrific if you’re able to block 99% of attacks, but if you don’t stay perpetually ready, that 1% will sneak through. Of course, scoring a five on your NIST assessment would be an outstanding achievement, but you must find balance and comfort in the level of risk you manage while working within the constraints of the organization. Having plans to combat attacks is ultimately a better use of your organization’s resources.
Skillsoft continues to see security training rise in importance for organizations across industries. Since last year, security training consumption rose nearly 60%, according to user data in Percipio.
Tomi Engdahl says:
Facilitating Convergence of Physical Security and Cyber Security With Open Source Intelligence
https://www.securityweek.com/facilitating-convergence-physical-security-and-cyber-security-open-source-intelligence
The desire to merge aspects of physical and cyber security is nothing new, especially in maturing enterprises that are proactively extending their security capabilities. Since many aspects of physical security are connected to the internet, enterprises have started to build fusion centers that combine disciplines. By doing so, they are able to converge cyber and physical security, close gaps in coverage, and scale security to protect facilities and hundreds of thousands of employees. The key to this convergence lies in open-source intelligence and how it can enrich many aspects of a physical security program.
Broadening the Definition of Open Source Intelligence
Many aspects of open source intelligence are similar or equivalent to traditional all-source intelligence methodologies seen in the intelligence cycle. Two main categories of datasets to map are traditional open source intelligence and non-traditional open source intelligence. Traditional open source intelligence datasets encompass the qualitative and quantitative collection and analysis of public, non-classified sources that deliver context such as archives, business records, dating sites and dark web. Non-traditional open source intelligence datasets include the human, signals, and imagery intelligence equivalents in OSINT, based on anything from threat actor engagement on social media to external telemetry (netflow, passive DNS, cookies) to social media photos used to pinpoint locations.
Defining the Key Capabilities of a Cyber Threat Intelligence Program
Before we dig into how cyber threat intelligence benefits a physical security program, let’s identify a list of some of the services, products, and analyses that a CTI program might address. The following services have significant overlap with physical security programs:
● Adversary infrastructure analysis
● Attribution analysis
● Dark Web tracking
● Internal threat hunting
● Threat research for identification and correlation of malicious actors and external datasets
● Intelligence report production
● Intelligence sharing (external to the organization)
● Tracking threat actors’ intentions and capabilities
Other CTI services generally do not overlap with physical security and remain the responsibility of cyber security teams. These services include malware analysis & reverse engineering, vulnerabilities research, and indicator analysis (enrichment, pivoting, and correlating to historical reporting).
Defining Overlap with CTI and Physical Security Programs
Security teams are now leveraging open source intelligence and cyber threat intelligence to provide critical information to physical security practitioners. The physical and corporate security programs of these teams generally consist of the following disciplines, with use cases that are at the center of the convergence of cyber and physical security disciplines:
● Executive Protection and Physical Asset Protection
● Travel Security
● Regulatory/Environmental Risk Specific to Business
● Geo-Political Risk
● Global Investigations
It is more and more clear that physical and information security disciplines have large overlaps. The use of OSINT to review coverage gaps and identify problems is not a small project and can take up to 18 months to complete according to GSOC
Tomi Engdahl says:
Lyceum.NET DNS Backdoor
https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor
Active since 2017, Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on .NET-based malware. [Also https://thehackernews.com/2022/06/iranian-hackers-spotted-using-new-dns.html ]
Tomi Engdahl says:
Credentials for thousands of open source projects free for the taking, again!
https://arstechnica.com/information-technology/2022/06/credentials-for-thousands-of-open-source-projects-free-for-the-taking-again/
A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report.
Tomi Engdahl says:
Taking down the IP2Scam tech support campaign https://blog.malwarebytes.com/threat-intelligence/2022/06/taking-down-the-ip2scam-tech-support-campaign/
Tech support scams follow a simple business model that has not changed much over the years. After all, why change a recipe that continues to yield large profits?
Tomi Engdahl says:
The endless number of passwords infuriates users and makes cybercriminals’ work easy. In Jyväskylä, a replacement for passwords is being developed
https://yle.fi/uutiset/3-12484896
A project at the University of Jyväskylä is trying to replace passwords with a more secure authentication method. Alternatives have been sought for a long time, but so far no solution has succeeded in replacing passwords entirely.
Tomi Engdahl says:
Microsoft helps prevent lateral movement from compromised unmanaged devices https://www.helpnetsecurity.com/2022/06/13/microsoft-prevent-lateral-movement/
A new feature in Microsoft Defender for Endpoint can make it more difficult for attackers to perform lateral movement within company networks, as it allows admins to prevent traffic flowing to and from unmanaged devices that have been compromised.
Tomi Engdahl says:
Koverse Launches Zero Trust Data Platform
https://www.securityweek.com/koverse-launches-zero-trust-data-platform
New attribute-based access controls (ABAC) protect sensitive data to power demanding analytics, data science, and AI use cases
Zero trust at the data level provides better security than zero trust at the application level; and attribute-based access control (ABAC) rather than role-based access control (RBAC) provides more efficient and granular access to the data.
Both are key elements of the Koverse Data Platform (KDP), version 4.0 of which is now launched. The latest version introduces nothing that is fundamentally new to the platform, but concentrates on making it more accessible to more users.
“We’ve separated the functionality into different microservices that are all containerized,” said Aaron Cordova, CTO and cofounder at SAIC-owned Koverse; “and we have a new cloud-centric and flexible method of deployment.”
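To make the RBAC-versus-ABAC distinction from the article concrete, here is an added illustration (not Koverse’s code or KDP’s policy language) that evaluates access per data record: the role check grants a whole dataset, while the attribute rules compare subject, record and request attributes for each record. The record fields, subject attributes and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

@dataclass(frozen=True)
class Record:
    """One data record; the attributes below are what the ABAC rules inspect (constructed)."""
    record_id: str
    classification: str  # "public", "internal" or "restricted"
    owner_team: str
    region: str

@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    clearance: str
    team: str
    region: str

LEVELS = {"public": 0, "internal": 1, "restricted": 2}

def rbac_allows(subject: Subject, record: Record, purpose: str) -> bool:
    """Role-based check: one coarse role grants every record, whatever its attributes."""
    return "analyst" in subject.roles

def abac_allows(subject: Subject, record: Record, purpose: str) -> bool:
    """Attribute-based check evaluated per record, so the decision happens at the data level."""
    # Rule 1: the subject's clearance must dominate the record's classification.
    if LEVELS[subject.clearance] < LEVELS[record.classification]:
        return False
    # Rule 2: restricted records never leave their region.
    if record.classification == "restricted" and subject.region != record.region:
        return False
    # Rule 3: cross-team access is allowed only for the stated analytics purpose.
    if record.owner_team != subject.team and purpose != "analytics":
        return False
    return True

def visible_records(subject: Subject, records: List[Record], purpose: str,
                    policy: Callable[[Subject, Record, str], bool]) -> List[str]:
    """Apply a policy function to each record and return the ids the subject may read."""
    return [r.record_id for r in records if policy(subject, r, purpose)]

# Constructed sample data: same analyst, same dataset, two policies and two purposes.
RECORDS = [Record("r1", "public", "sales", "eu"), Record("r2", "internal", "finance", "eu"),
           Record("r3", "restricted", "finance", "us"), Record("r4", "restricted", "sales", "eu")]
ANALYST = Subject("alice", frozenset({"analyst"}), "restricted", "sales", "eu")
```

Run `visible_records(ANALYST, RECORDS, "analytics", rbac_allows)` against the `abac_allows` variant to see the role check return all four ids while the attribute rules withhold the out-of-region restricted record, and withhold cross-team records entirely for a non-analytics purpose.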
Tomi Engdahl says:
Lessons for Better Fraud Decision-Making
https://www.securityweek.com/lessons-better-fraud-decision-making
Have you ever stopped to think about how you go about deciding whether to try a new restaurant that you’ve never been to? Even if you don’t realize what you are doing, when you make this decision, you are likely collecting data around a number of different criteria, analyzing those data points, and then using that analysis to make a decision. Some of the criteria you evaluate might include:
● Does the restaurant serve the type of food that I want to eat?
● Is the restaurant located conveniently for me?
● Do the hours suit the time I want to eat?
● Am I willing to pay what the restaurant charges?
● Does the restaurant have good reviews?
● Is the restaurant clean?
These are just a few potential data points that a person might evaluate when deciding on whether to try a new restaurant. There are, of course, numerous other ones. Regardless of which data points are important to the decision maker, it is likely that the number of data points is somewhere between five and 10.
One or two data points would not be sufficient.
On the other hand, having 500 data points doesn’t make the decision-making process any easier either. Imagine if in addition to the six data points above, I had another 494 that I needed to evaluate. It would completely overwhelm me, and I would be unable to make effective use of nearly all of those data points.
I believe that we can learn a valuable lesson about better fraud decision-making from this restaurant choosing example.
If we think about it, detecting fraud is not about making a binary decision. If I look outside, either it is raining or it is not. That is something binary. Fraud on the other hand involves probabilistic decision-making. In real-time, I can be 10%, 50%, or 90% certain that something is fraud, though it is almost never the case that I can be 100% certain. Sure, I can be 100% certain that something was fraud long after it happened, though not in the moment as it is happening.
The reason for this is very simple. Fraud is business logic abuse. It is about using legitimate applications for fraudulent purposes. In other words, we are looking to understand the intent of the user as they interact with the application and journey through their session. That is not something that the traffic itself can tell us. We need to look beyond the traffic and understand the behavior of the user in the session, the resources they are requesting, and the device(s) and environment(s) from which they are operating.
Tomi Engdahl says:
Canada wants companies to report cyber attacks and hacking incidents
https://www.reuters.com/business/canada-wants-companies-report-cyber-attacks-hacking-incidents-2022-06-14/
Tomi Engdahl says:
https://uk.pcmag.com/security/138262/malware-that-can-survive-os-reinstalls-strikes-again-likely-for-cyberespionage
Tomi Engdahl says:
https://verdelehti.fi/2022/06/14/lailliset-palvelut-vahensivat-piratismia-ja-oikeudenkaynnit-olivat-vaara-tie/