Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threatit’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has
emerged: employee burnout.

In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product, ” points out constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
we’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next?. PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
There are some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Kännyköiden tietoturva menee uusiksi
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structure will also come in the smart phones. The new Armv9-A architecture last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll varoittaa “kyberpandemiasta” internetin häiriö voi panna maailman taas sekaisin
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnagl says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”

Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack area of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks

Trend Micron raportti: tulevaisuudessa kaikki on vaarassa
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    Suomalaisyritykset: kyberuhat riistäytyvät käsistä
    https://etn.fi/index.php/13-news/13687-suomalaisyritykset-kyberuhat-riistaeytyvaet-kaesistae
    Trend Micron uusi tutkimus osoittaa, että organisaatioilla on suuria vaikeuksia tunnistaa ja turvata digitaalinen hyökkäyspinta-alansa, mikä vaikeuttaa tuntuvasti riskinhallintatoimia. Lähes puolet yrityksistä myöntää, että heidän digitaalinen hyökkäyspinta-alansa on ”riistäytymässä käsistä”.
    Tutkimus paljastaa, että 53 prosenttia suomalaisista organisaatioista ovat huolissaan kasvavasta hyökkäyspinnastaan. Yhtä moni vastaajista totesi uhkaympäristön ”kasvavan jatkuvasti ja muuttuvan koko ajan sotkuisemmaksi.” Kansainvälisesti tämä huolestutti vain 37 prosenttia vastaajia. Vain 40 prosenttia suomalaisista yrityksistä pystyy määrittelemään hyökkäyspinnan laajuuden omissa järjestelmissään.
    Näkyvyyden ongelmat vaikuttavat olevan suurin syy organisaatioiden vaikeuksiin kyberriskiensä hallinnassa ja ymmärtämisessä. Yli puolet vastaajista (55 %) kertoo, että heillä on järjestelmissään turvallisuutta vaarantavia kuolleita kulmia. Verkkoresurssien ja pilviympäristöjen kerrottiin olevan kaikkein läpinäkymättömimpiä ja vaikeimmin seurattavia. Keskimäärin vastaajat arvioivat tuntevansa vain 63 prosenttia hyökkäyspinnastaan.
    Tutkimus paljastaa myös, että yli puolet suomalaisista organisaatioista (56 %) ei pidä riskialttiuden arviointimenetelmäänsä riittävänä. Tämä käy ilmi tutkimuksen muista havainnoista:

    Vain 37 prosentilla on selkeä menetelmä riskialttiuden arviointiin
    42 % vastaajista tarkistaa/päivittää altistumisriskiään vain kuukausittain tai harvemmin
    Vain 16 % tarkistaa riskialtistuksensa päivittäin

    Reply
  2. Tomi Engdahl says:

    Today, cybersecurity training programs focused solely on awareness fall short in these ways:

    Create panic instead of deep understanding. Traditional user training campaigns may help employees pass awareness tests, but awareness without understanding can create a culture of risk aversion and panic as executives make assumptions based on fear.
    Stop short of changing behaviors. Despite years of standards such as ISO 27001 requiring security awareness and training as part of a security program, training has not achieved desired results.
    Spend the most money to simply tick a compliance box. Regulations such as ISO 27001 have elevated the importance of security awareness and training (SA&T); however, they remain vague about why or how to do it.

    https://www.skillsoft.com/resources/how-to-manage-the-human-risk-in-cybersecurity-pg10080a1?utm_source=security+week&utm_medium=display&utm_campaign=SKL+IT-SW-NA+FY23-ALL-PM-How+to+Manage+Human+risk+in+Cybersecurity&utm_content=SKSTDForresterReport

    Reply
  3. Tomi Engdahl says:

    EC Hacking: Your Laptop Has A Microcontroller
    https://hackaday.com/2022/06/07/ec-hacking-your-laptop-has-a-microcontroller/

    Recently, I stumbled upon a cool write-up by [DHowett], about reprogramming a Framework laptop’s Embedded Controller (EC). He shows us how to reuse the Caps Lock LED, instead making it indicate the F1-F12 key layer state – also known as “Fn lock”, AKA, “Does your F1 key currently work as F1, or does it regulate volume”. He walks us through adding custom code to your laptop’s EC firmware and integrate it properly into the various routines the EC runs.

    Wait… Microcontroller code? GPIOs? This brings us to the question – what is the EC, really? To start with, it’s just a microcontroller. You can find an EC in every x86 computer, including laptops, managing your computer’s lower-level functions like power management, keyboard, touchpad, battery and a slew of other things. In Apple land, you might know them as SMC, but their function is the same.

    Why have we not been reprogramming our ECs all this time? That’s a warranted question, too, and I will tell you all about it.

    The EC controls a whole bunch of devices in your laptop. Not devices connected to USB, LVDS/eDP or PCIe, because those would fall within the purview of the chipset. Instead, these are devices like power switches, the charger chip, and various current monitors, since these have to work correctly even when the chipset and CPU are powered off. But of course, it’s not just power management – there’s a whole lot of things in a laptop you need GPIOs for.

    Your laptop’s power button is connected directly to the EC. As a result, your EC is the first thing to get powered on; and if a broken laptop of yours has no reaction to the power button, it means the EC can’t do its power management job for whatever reason. In fact, if you check Framework laptop’s recently published reduced schematics, you’ll see that the EC has it own separate power rail coming directly from the battery.

    How does it even talk to the chipset? For about two decades, ECs have been using the LPC bus – a four-bit wide bus superficially resembling qSPI. Apart from ECs, it’s only really been used by TPMs in the recent times. LPC uses frequencies from 25MHz to 100MHz.

    LPC is about two decades old, and is a direct successor to the ISA bus – in fact, in some laptop schematics from 2003 you’ll find the EC connected through ISA instead, but it’s all LPC beyond that. However, recent ECs talk eSPI instead, a qSPI-like interface meant to replace LPC, and the Framework EC talks eSPI, too.

    Every EC has firmware, and every laptop (and desktop, and server!) has an EC. The EC firmware is nearly always closed-source. As such, the EC firmware is one of the binary blobs we tend to miss when talking about proprietary parts inside our computers. Often, the EC firmware is stored on the same SPI flash chip as the BIOS – other times, there’s a separate external or on-chip flash, in which case, you typically have an UART bootloader you can reflash your EC through. All of that depends on which specific manufacturer and model of the EC you have.

    Often, your EC is built on something like ARM or 8051 architecture, other times it’s something more obscure like CompactRISC. The common thing is – at most, you’ll get a binary blob when it comes to your EC’s firmware. At some point, when Google got into laptop business, a group of their engineers presumably said “enough”, and open-sourced their EC code – which is what Framework has been building on when it comes to their own EC firmware. Last year, System76 opened up their EC code, too. Unfortunately, the situation remains dire for other laptop manufacturers.

    Could your EC get backdoored? Not likely – it tends to be harder to modify and update EC firmware than it is to do the same with BIOS images. Now, could you yourself modify your EC’s behavior? It’s at least technically possible, and I’d argue that you should have always been able to do that.

    https://www.howett.net/posts/2022-04-adding-an-ec-feature-1/

    Reply
  4. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    MongoDB announces “Queryable Encryption”, which the company says lets users search their data while it remains encrypted, in preview as part of MongoDB 6.0

    A Long-Awaited Defense Against Data Leaks May Have Just Arrived
    https://www.wired.com/story/mongodb-queryable-encryption-databases/

    MongoDB claims its new “Queryable Encryption” lets users search their databases while sensitive data stays encrypted. Oh, and its cryptography is open source.

    After years of data breaches, leaks, and hacks leaving the world desperate for tools to stem the illicit flow of sensitive personal data, a key advance has appeared on the horizon.

    On Tuesday, MongoDB is announcing “Queryable Encryption,” a feature that will allow database users to search their data while it remains encrypted. The tool, which is debuting in preview as part of MongoDB 6.0, attempts to bridge academic cryptography findings and real-world environments so users can adopt the feature without needing advanced theoretical expertise. Crucially, Queryable Encryption is built to work with existing databases rather than requiring users to re-architect their systems before they can take advantage of it.

    MongoDB Releases Queryable Encryption Preview
    https://www.mongodb.com/blog/post/mongodb-releases-queryable-encryption-preview

    Today we are announcing the Preview release of Queryable Encryption, which allows customers to encrypt sensitive data from the client side, store it as fully randomized encrypted data on the database server side, and run expressive queries on the encrypted data.

    With the introduction of Queryable Encryption, MongoDB is the only database provider that allows customers to run expressive queries, such as equality (available now in preview) and range, prefix, suffix, substring, and more (coming soon) on fully randomized encrypted data. This is a huge advantage for organizations that need to run expressive queries while also confidently securing their data.

    Although existing encryption solutions (in-transit and at-rest) cover many regulatory use cases, none of them protects sensitive data while it is in use. In-use data encryption often is a requirement for high-sensitivity workloads for customers in financial services, healthcare, and critical infrastructure organizations. Currently, challenges around in-use encryption technologies include:

    In-use encryption is highly complex, involving custom code from the application side in order to encrypt, process, filter, and decrypt the data to show it to the users. It also involves managing encryption keys in order to encrypt/decrypt the data.

    Developers need cryptography experience in order to design a secure encryption solution.

    Current solutions have limited or no querying capabilities, which makes using encrypted data in applications difficult.

    Some of the existing tools, such as homomorphic encryption or secure enclaves have performance unsuited to scalable encrypted search, require proprietary hardware, or have uncertain security properties.

    Queryable Encryption removes operational heavy-lifting, resulting in faster app development without sacrificing data protection, compliance, and data privacy security requirements.

    Here is a sample flow of operations in which an authenticated user wants to query the data, but now the user is able to query on fully randomly encrypted data. In this example, let’s assume we are retrieving the SSN number of a user.

    When the application submits the query, MongoDB drivers first analyze the query.

    Recognizing the query is against an encrypted field, the driver requests the encryption keys from the customer-provisioned key provider, such as AWS Key Management Service (AWS KMS), Google Cloud KMS, Azure Key Vault, or any KMIP-enabled provider, such as HashiCorp Vault.

    The driver submits the query to the MongoDB server with the encrypted fields rendered as ciphertext.

    Queryable Encryption implements a fast, searchable scheme that allows the server to process queries on fully encrypted data, without knowing anything about the data. The data and the query itself remain encrypted at all times on the server.

    The MongoDB server returns the encrypted results of the query to the driver.

    The query results are decrypted with the keys held by the driver and returned to the client and shown as plaintext.

    Reply
  5. Tomi Engdahl says:

    Commercial Satellites Are National Security’s Next Frontier
    https://spectrum.ieee.org/commercial-satellite-imagery-national-security162

    Governments no longer operate all the best spy sats in the sky

    On February 18, President Biden, citing U.S. intelligence, announced to the world “we have reason to believe the Russian forces are planning and intend to attack Ukraine in the coming week, in the coming days.” In the months leading up to the invasion in late February, the U.S. intelligence community had been revealing details of Putin’s war plans and disclosing highly classified real-time intelligence in the form of satellite imagery and providing detailed analysis of the movement of Russian forces.

    Rather than waiting for bits of unclassified information revealed during official government briefings, the general public has watched the tragic crisis of Russia’s invasion of Ukraine unfold day-by-day. Never before have we had access to so much real-time data about an ongoing war initiated by a major power such as Russia. Every day, there are countless images, videos, audio files, data about traffic patterns on Google Maps, and high-resolution satellite imagery being shared over social media.

    “In the past, only a handful of countries had access to such exquisite capabilities. Today, if other governments, or even NGOs and individuals, disagree with the information provided by one government, they can release their own imagery to prove their point.”

    Matt Korda, Senior Research Associate at the Federation of American Scientists (FAS), says the handling of this crisis differs from those in previous decades when “governments still maintained a monopoly on satellite imagery. They could decide whether to disclose particular images, how they wanted to do it, and when they wanted to inform the public about things. That is no longer the case. Today, people can conduct surveillance operations from their own homes.”

    Several expert analysts interviewed by IEEE Spectrum agree that the rise of affordable and easily accessible commercial satellite imagery played a role in Biden’s early release of U.S. intelligence on Russia’s invasion of Ukraine.

    This time around, the U.S. government appears to have learned from past mistakes. Lewis says, “they’ve grasped that their public strategy had to be different because the expectations of their audience were different. They made falsifiable claims and released commercial satellite imagery to back them up. The government fully expected that civil society would be able to check and verify the claims.”

    “Unclassified commercial satellite data acts as an ‘unblinking eye’ and is giving the world access to what was once only held by governments, promoting greater global security and accountability.”

    Hanham says she’s “hopeful and inspired that the U.S. is providing actionable intelligence to build trust. This is data that you can share with allies and adversaries alike, and intelligence sources remain protected. Because it’s commercially available, it’s subject to verification by third parties.”

    Commercial satellite images, she says, have exerted a powerful equalizing force. “In the past, only a handful of countries had access to such exquisite capabilities,” she says. “Today, if other governments, or even NGOs and individuals, disagree with the information provided by one government, they can release imagery from a commercial provider to prove their point.”

    A number of private companies such as Planet and Capella Space are changing the way national security professionals do business by offering affordable access to high-resolution imagery and having an impact on the ground.

    Planet operates the world’s largest fleet of Earth imaging satellites, capturing a daily scan of the entire Earth’s surface at a resolution of 3 meters with its PlanetScope constellation of 200 satellites. According to Planet, the company’s SkySat constellation of 21 satellites captures images of ground-level detail down to 50 centimeter length scale—up to ten times per day.

    AI and machine learning “will unlock the potential of geospatial data to everyone—not just the experts.”

    Dan Getman, Vice President of Product at Capella Space, speaks about the advantages of synthetic aperture radar (SAR) sensors, which “can provide visibility through all weather conditions—clouds, fog, smoke, rain—and capture clear imagery 24-7, day and night, across the globe.”

    As recent as five years ago, SAR imagery was far beyond reach of most organizations except for advanced intelligence agencies. Today, Capella offers a wide range of commercial customers access to SAR imagery in a 50 cm ground resolution, allowing for identification of specific features and characteristics of objects on the ground.

    It’s hard to imagine national security ever returning to a world in which governments held all the secrets gathered by their own spy satellite programs. “People are visual learners,” Lewis says. “It’s one thing to be told about a facility and another thing to look at a picture. This is a different way of knowing—the difference between showing and telling. It’s not perfect, but it’s really helpful. And it fundamentally changes how you think.”

    Reply
  6. Tomi Engdahl says:

    Router security in 2021
    https://securelist.com/router-security-2021/106711/
    A router is a gateway from the internet to a home or office despite being conceived quite the opposite. Routers are forever being hacked and infected, and used to infiltrate local networks. Keeping this gate locked so that no one can stroll right through is no easy task. It is not always clear just how this locking works, especially when it comes to home routers, whose users are by no means all security pros. What’s more, it’s not uncommon for routers to be full of holes. Since the start of the pandemic, however, router security has received more attention. Many companies introduced remote working for employees, some of whom never returned to the office. If before the pandemic few people worked from home, now their number is significant. As a result, cybercriminals now see home routers as gateways to corporate networks, and companies as potential attack vectors. Proof of the heightened attention in network devices comes from the sharp rise in the number of vulnerabilities found in them in recent years.

    Reply
  7. Tomi Engdahl says:

    EU cybersecurity agency chief warns of cyberthreats and spillovers https://www.euractiv.com/section/cybersecurity/news/eu-cybersecurity-agency-chief-warns-of-cyberthreats-and-spillovers/
    On the occasion of the 2022 pan-European cyber preparedness exercises programme, Cyber Europe, the executive director of the EU agency for cybersecurity (ENISA) warned that states must remain alert for cyber incidents and potential spillovers. While ENISA already monitored about 300 cyber events in relation to the Russian aggression against Ukraine, apart from the Viasat attack, no incidents with a major impact have been reported to date. “However, 100 of these events were spillover incidents, meaning they affected other countries as well, ”
    Juhan Lepassaar, ENISA’s executive director, said in a press briefing on Wednesday (8 June).

    Reply
  8. Tomi Engdahl says:

    Mental Health In Cybersecurity
    51% Of Workers Take Meds, Me Included
    https://www.forbes.com/sites/daveywinder/2022/06/08/mental-health-in-cybersecurity-51-of-workers-take-meds-me-included/
    A recent report looking at the state of mental health in cybersecurity has revealed some very worrying industry statistics. Worrying, but sadly not at all surprising. Cybersecurity professionals are not alone in working within a stressful, at times unbearably so, industry.
    However, that a survey of more than 1, 000 professionals from security teams across the U.S. and Europe found that half (50.8%) had been prescribed meds for their mental health, cannot be ignored. This editorial exploration of mental health within the cybersecurity industry begins, as seems appropriate, with Thomas Kinsella. I asked the co-founder of security automation company Tines, responsible for the report that this article hangs from, if cybersecurity is more prone to mental health issues than other IT sectors?. The report:
    https://www.tines.com/reports/state-of-mental-health-in-cybersecurity/

    Reply
  9. Tomi Engdahl says:

    Speech-Related Offenses Should be Excluded from the Proposed UN Cybercrime Treaty
    https://www.eff.org/deeplinks/2022/06/speech-related-offenses-should-be-excluded-proposed-un-cybercrime-treaty
    Governments should protect people against cybercrime, and they should equally respect and protect people’s human rights. However, across the world, governments routinely abuse cybercrime laws to crack down on human rights by criminalizing speech. So it is concerning that some UN Member States are proposing vague provisions to combat hate speech to a committee of government representatives (the Ad Hoc Committee) convened by the UN to negotiate a proposed UN Cybercrime treaty. These proposals could make it a cybercrime to humiliate a person or group, or insult a religion using a computer, even if such speech would be legal under international human rights law. Including offenses based on harmful speech in the treaty, rather than focusing on core cybercrimes, will likely result in overbroad, easily abused laws that will sweep up lawful speech and pose an enormous menace to the free expression rights of people around the world.

    Reply
  10. Tomi Engdahl says:

    macOS will soon block unknown USB-C accessories by default
    https://techcrunch.com/2022/06/07/macos-usb-accessory-security/
    A new security feature in Apple’s upcoming macOS 13 Ventura will automatically block new USB-C devices from communicating with the operating system until the accessory can be approved by the user.
    According to Apple’s description, the feature will be enabled by default and will require the user to approve a USB-C accessory before it can talk to the operating system essentially an on-screen pop-up asking the user for permission. Apple says this doesn’t apply to power adapters, standalone displays and connections to an approved hub and devices can still charge even if you don’t approve the accessory.
    Apple says that accessories that are already connected will automatically work when updating to the new macOS software.

    Reply
  11. Tomi Engdahl says:

    RSA Spot the real fake
    https://www.welivesecurity.com/2022/06/07/rsa-spot-the-real-fake/
    Following a session on deepfakes (which we’ve written about a while back), it’s easy to wonder how long until deepfakes as a service (DFaaS, pronounced “deface” I guess?) hits the pseudo-legit market in the form of very-difficult-to-detect account hacks you can rent. Let’s say you want to get into a jilted partner’s insurance policy and file a fake claim. Just assemble a combination of voice and video of “them”
    to convincingly trick a company into issuing a hefty payout for a car that never wrecked. They have that here. In case insurance companies get better at spotting fakes, there are a host of open source projects to help your rent-a-fake get better. Right now it’s not obvious this kind of thing would get flagged, especially when paired with reasonable social engineering chops.

    Reply
  12. Tomi Engdahl says:

    EXCLUSIVE: U.S. Government Ordered Travel Companies To Spy On Russian Hacker For Years And Report His Whereabouts Every Week https://www.forbes.com/sites/thomasbrewster/2022/06/08/exclusive-us-government-ordered-travel-companies-to-spy-on-russian-hacker-for-years-and-report-his-whereabouts-every-week/
    A Forbes legal challenge forces the unsealing of documents that reveal for the first time the scope of secretive surveillance orders that track the movements of individuals around the globe. Critics say the government isn’t doing enough to inform the public about the unusual initiative, which involves multi-billion-dollar private companies. In 2015, the U.S. Secret Service was on the hunt for Aleksei Burkov, an infamous Russian hacker suspected of facilitating the theft of $20 million from stolen credit cards on the Cardplanet website. The methods the agency used to pursue him, revealed for the first time as a result of a Forbes legal challenge, show how the U.S. government was able to strong-arm two data companies into spying on him for two years based on the authority of a 233-year-old law and to issue weekly reports on his whereabouts. The government has never disclosed how many other individuals could be under such prolonged and unconventional surveillance.

    Reply
  13. Tomi Engdahl says:

    It Doesn’t Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again
    https://www.securityweek.com/it-doesnt-pay-pay-study-finds-eighty-percent-ransomware-victims-attacked-again

    It doesn’t pay to pay. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.

    These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking nature of the statistics, published in Ransomware: The True Cost to Business (PDF) go much deeper.

    It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.

    Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.

    Ransomware
    The True Cost to Business
    2022
    A Global Study on Ransomware Business Impact
    https://www.cybereason.com/hubfs/dam/collateral/reports/Ransomware-The-True-Cost-to-Business-2022.pdf

    Ransomware continues to dominate the
    threat landscape in 2022. Organizations are
    under siege from a wide variety of threats,
    but ransomware offers threat actors a
    unique combination of very low risk with very
    high reward—which is why the volume of
    ransomware attacks nearly doubled from the
    previous year, and the total cost of ransomware
    was estimated to exceed $20 billion.

    Ransomware is also more sinister because
    of the increasingly blurred lines between
    cybercrime gangs and nation-state
    adversaries who influence the objectives of
    ransomware attacks while also making it more
    difficult to bring the threat actors to justice.

    I often refer to these groups as “state-
    ignored,” where nation-state adversaries look
    the other way as long as the ransomware
    targets align with their strategic goals, or
    “state-controlled,” where the threat actors
    are executing attacks on behalf of and at
    the direction of the nation-state. The US
    Cybersecurity and Infrastructure Security
    Agency (CISA) reported that 14 out of 16
    critical infrastructure sectors have been
    targeted by ransomware attacks.

    Organizations that are hit by a ransomware
    attack face a no-win situation. The only options
    are to either ignore the ransom demand,
    rebuild and restore compromised systems
    from backups, and pray that the threat
    actor doesn’t leak or sell your organization’s
    sensitive data, or pay the ransom to obtain the
    decryption key from the attackers.

    While paying the ransom may seem like
    the easier choice, our research this year
    proves once again that it does not pay to
    pay. Organizations that paid a ransom were
    frequently unable to recover all of their data,
    and many were hit by additional ransomware
    attacks—often by the same threat actors.

    The best defense against ransomware
    attacks is to ensure your data is not stolen or
    encrypted in the first place through effective
    prevention, detection and response. It is
    my hope that your organizations will find
    this report insightful and that it will serve
    to inform your organization’s strategies to
    remain undefeated by ransomware.

    Ransomware continues to be a dominant
    concern for organizations. Despite significant
    action by the Biden Administration in the US,
    coordinated efforts by government and law
    enforcement agencies around the world, and an
    increased focus on ransomware, the volume of
    attacks nearly doubled in 2021.
    Of the 1400+ cybersecurity professionals who
    participated in this second study, nearly three-
    quarters (73%) said their organization was
    targeted by at least one ransomware attack
    in the preceding 24 months, compared to just
    55% of companies who had been targeted by at
    least one attack in our 2021 report, a staggering
    increase of 33% year over year.

    Ransomware attacks can negatively
    impact an organization in many ways, with
    combined losses potentially reaching tens
    or even hundreds of millions of dollars.
    Last year’s study revealed that the vast
    majority of organizations that had suffered
    a ransomware attack also experienced
    a significant business impact, whether
    revenue loss, reputational damage, unplanned
    workforce reductions, or in some cases
    business disruption..

    Short-term impacts revealed in the report
    included disruption of critical business
    processes due to the inability to access
    critical systems and data, costs associated
    with incident response and other mitigation
    efforts, lost productivity, and the cost of the
    ransom payment itself if the organization
    chose to acquiesce to the extortion demand,
    among others.
    Longer-term impacts included diminished
    revenue, damage to the organization’s brand
    and reputation, the loss of key executives,
    employee layoffs, loss of customers and
    strategic partners, and the viability of the
    business altogether in some instances.

    The results demonstrated some regional
    deviations, with organizations in Japan (95%),
    Italy (90%), and the UK (83%) among the most
    likely to have been targeted by a ransomware
    attack in the preceding two-year period, while
    organizations in the US (46%) and Germany
    (69%) were among the least likely to have been
    targeted

    While the majority of organizations
    participating in the study reported they were
    targeted by a ransomware attack, not all
    organizations experienced a negative business
    impact. Ransomware victims in the US fared
    the best (32%) and were least likely to have
    been negatively impacted. In comparison,
    organizations in Japan (69%), Italy (63%), and
    France (52%) were most likely to report an
    impact on their operations.
    As well, there was some variance by industry
    vertical, with the Legal (92%), Manufacturing
    (78%), Financial Services (78%), and Human
    Resources (77%) sectors most likely to have
    been affected by a ransomware attack.

    Ransomware is a lucrative business that will
    continue to be a threat. Attackers continue to
    find innovative ways to extort victims, so it is
    more crucial than ever for organizations to be
    able to defend against ransomware attacks.

    Despite the ongoing cybersecurity talent
    shortage, the study revealed a significant
    increase in the number of respondents who
    believe their organizations have the right talent
    to defend against ransomware attacks: 88%
    this year vs. 60% last year, a nearly 50% increase
    year over year.
    The other good news: nearly three-fourths
    of respondents indicated they believe their
    organization has the right contingency plans to
    manage a ransomware attack–a number that
    remained relatively unchanged year over year.

    Education had
    the lowest confidence level in its people, at 71%,
    and in its processes, at 53%.
    This is particularly concerning because
    colleges and school systems are frequent
    ransomware targets.

    While many respondents believe their business is
    prepared for a ransomware attack, their faith may be
    misguided. Our year-over-year data shows a significant
    disconnect and a false sense of confidence between how
    prepared respondents say they are vs. how prepared
    their organizations actually are to deal with a successful
    ransomware attack.

    Of the organizations that paid one or more
    ransom demands following successful attacks,
    nearly half (49%) said their primary motivation
    for paying was to avoid any loss of revenue,
    while 41% cited the need to expedite recovery
    as the main driver for payment, both of which
    seemingly make sense from a business viability
    and continuity standpoint.

    Some companies decided to pay the
    ransom because they weren’t prepared
    for a ransomware attack. For example, 27%
    said they paid the ransom because they
    hadn’t backed up their data. One-third (34%)
    indicated they were simply too short-staffed
    to attempt an effective response without the
    assistance of the attackers, both of which are
    preventable conditions for organizations that
    take the threat of ransomware seriously and
    are indicators that these organizations simply
    aren’t prepared.

    12RANSOMWARE
    The decision to pay a ransom demand is
    not easy, especially for organizations with a
    critical infrastructure designation like those
    in the Healthcare sector. In cases where
    ransomware prevents access to crucial
    systems and data needed to provide care, the
    consequences could be dire the longer the
    attack persists. This urgency explains why
    nearly one-third of respondents (28%) said
    they paid the ransom demand because any
    delays in remediation could result in injury or
    loss of life.

    This research demonstrates that paying the
    ransom doesn’t guarantee a faster recovery
    from the attack, despite the claims attackers
    may make to entice organizations to pony up. In
    fact, of the organizations that reported having
    paid a ransom demand, only 42% said the
    payment resulted in restoration of all systems
    and data, a significant decrease from the 51%
    who said they fully recovered systems and
    data in the 2021 study. Furthermore, 54% said
    that system issues persisted or that some data
    was corrupted after decryption, up from 46%
    in 2021. This data strongly suggests that it still
    does not pay to pay.

    Paradoxically, 78% of organizations that
    indicated they did not pay a ransom said
    they were able to fully restore systems and
    data without receiving the decryption key
    at all. Given the counterintuitive results here,
    one must ask why the outcomes would be
    better for organizations that did not pay a
    ransom. Were they simply better prepared to
    respond?

    One of the toughest decisions a business
    will ever make is whether to pay a ransom
    demand following a successful attack.

    This decision is particularly difficult for
    any organization to make in the heat of
    incident response. There are no clear-cut
    best practices to follow that work for every
    organization in every circumstance. Every
    ransomware attack scenario needs to be
    evaluated on a case-by-case basis because
    each infiltration, attack group, victim
    organization, jeopardized data set, and
    impacted third-party situation is unique, and
    there are numerous factors that need to be
    considered when determining whether or not
    to make a payment.

    That said, this research found that it clearly
    does not pay to pay. Of the organizations
    that chose to pay a ransom demand, the
    vast majority (nearly 80%) indicated they
    were victims of at least one subsequent
    ransomware attack. Of those who were hit
    a second time with ransomware, nearly half
    (48%) indicated the attack was perpetrated
    by the same attackers, which remained
    unchanged from the 2021 study.

    Two-thirds (68%) who paid a ransom and were
    hit again reported that the second attack
    came less than a month after the first and that
    the threat actors demanded an even higher
    ransom amount the second time around. Of
    the organizations that paid a ransom following
    the first attack, nearly half (44%) also paid the
    second ransom demand, and nearly one in ten
    (9%) said they paid a ransom demand three
    times or more.

    Let those statistics sink in: nearly 8-out-of-10
    companies that paid a ransom were hit by a
    second ransomware attack—almost half of
    which were perpetrated by the same threat
    actors. Adding insult to injury, more than two-
    thirds of those subsequent attacks demanded
    a higher ransom than the initial attack, and
    nearly 6-out-of-10 organizations were unable
    to recover all of their systems and data even
    after paying the ransom.

    Our research found that certain industry
    segments are virtually guaranteed to be hit a
    second time after paying a ransom demand.
    Companies in the Legal (100%), Human
    Resources (100%), Engineering (91%), and
    Manufacturing (85%) sectors were most likely
    to have suffered a second attack after having
    paid a ransom. Larger organizations with more
    than 1,500 employees were also preferred
    targets for repeated attacks (88%).

    The big takeaway from both this year’s study
    and the last is that it really does not make
    sense to pay a ransom demand unless there
    is the risk of losses that go beyond monetary
    costs, such as when human life is at risk.

    Ransomware attacks involve a variety of
    infection vectors, but ransomware actors
    traditionally prefer some methods over
    others. In a 2020 study, researchers found
    that unsecured Microsoft Remote Desktop
    Protocol (RDP) connections were leveraged in
    over half of all ransomware attacks. This was
    followed by phishing emails at approximately a
    quarter of all ransomware infections and the
    exploitation of software vulnerabilities at 12%.

    As noted by ZDNet, some digital crime
    groups specialize in scanning the web for
    these exposed ports. When they find them,
    they carry out brute-force attacks to gain
    access. They can then sell that access on
    Dark Web marketplaces, giving attackers
    like ransomware groups an opportunity
    to establish a foothold in an organization’s
    network.

    Then there are the attacks that leverage
    exploits of known and unknown vulnerabilities.

    Ransomware attacks have evolved
    dramatically over the last few years, from a
    small cottage industry conducting essentially
    nuisance attacks like phishing and drive-by
    exploits to a highly complex business model
    known for its efficiency, specialization,
    innovation, and technical sophistication.
    While broad, random attacks are still prevalent,
    ransomware purveyors are moving away from
    high-volume attacks with low ransom demands
    in favor of more focused, custom attacks
    aimed at organizations selected for their ability
    and likelihood to pay multi-million-dollar ransom
    demands. It is becoming increasingly common
    for ransomware attacks to involve complex
    attack sequences in low-and-slow campaigns
    designed to infiltrate as much of the targeted
    network as possible versus infecting a single
    machine with the ransomware payload.

    These more complex ransomware operations,
    or RansomOps, involve highly targeted,
    complex attack sequences conducted by
    sophisticated threat actors.

    Unlike early iterations of ransomware attacks
    that relied on “spray-and-pray” tactics to
    infect large numbers of victims while seeking
    relatively small ransom demands, RansomOps
    attacks are much more intricate and akin to
    the stealthy operations conducted by nation-
    state threat actors.

    RansomOps also involve a great deal of
    reconnaissance on the targets, which are
    carefully chosen for their ability to pay
    substantial ransom demands and high
    likelihood to pay, given they may be in an
    industry with the potential for significant ripple
    effects should their operations be disrupted,
    such as with Healthcare and other critical
    infrastructure organizations.

    With a RansomOps campaign, the actual
    ransomware payload that encrypts data
    happens essentially at the tail-end of the
    attack. Of the organizations that suffered
    a ransomware attack in the last 24 months,
    63% reported that the attackers were in
    their networks for up to six months before
    being detected, 21% said it was seven to twelve
    months of dwell time, and 16% said attackers
    were in their networks for a year or more
    before security teams became aware of the
    network compromise.

    The silver lining: there are potentially weeks
    or even months’ of detectable activity that
    could allow organizations to disrupt an attack
    before it results in serious impact, provided
    they have the right tools in place to detect the
    RansomOps attack sequence early versus
    later in the kill chain at payload delivery

    The shift to more complex RansomOps attacks
    has also led to a rise in supply chain attacks. A
    supply chain attack enables attackers to focus
    on compromising just one organization, which
    then allows them to compromise the entire
    customer base. The attack against managed
    IT services provider Kaseya in 2021 that led to
    further attacks on their customers is a prime
    example of a supply chain attack.

    “Supply chain vulnerabilities are amongst
    the most significant cyber threats facing
    organisations today,”

    n this study, most organizations (64%) that
    suffered a successful ransomware attack
    in the last 24 months indicated the primary
    infection vector was a third-party supply
    chain compromise. Small to medium-
    sized organizations were more likely to
    be compromised via supply chain attacks,
    while larger organizations were more apt
    to be infected by direct attacks on their
    environments.

    Organizations have adapted to the rising
    threat of ransomware attacks with improved
    data backup practices, so they can simply
    restore their data if necessary. Cybercriminals
    have responded by introducing additional
    incentives for organizations to pay the
    ransom. While lateral movement through
    the targeted network is a primary goal for
    RansomOps threat actors to maximize both
    the impact on the targeted organizations
    and the potential ransom payout, these
    more complex operations often also seek to
    exfiltrate sensitive data from the victim before
    detonating the encryption payload so they can
    leverage it to force a ransom payment through
    double extortion techniques.

    With double extortion, the ransomware
    encrypts the victim’s data and demands
    payment in exchange for a decryptor within
    the ransom note, as expected. However, the
    threat actor can also apply additional pressure
    to victims who would not usually pay a ransom
    by threatening to leak or sell the exfiltrated
    data. With double extortion, the options for
    organizations become more limited.

    only one ransomware
    gang was using the tactic in 2019, but by the end
    of Q1 2021, researchers observed ransomware
    attacks that included threats to publish
    exfiltrated data if a ransom demand was not
    paid had increased to 77% of all ransomware
    attacks.

    The steady increase in the volume, complexity,
    and severity of ransomware attacks is
    driving increases in security budgets, with
    86% of respondents indicating an increase
    in their security budgets to defend against
    ransomware attacks. Overall, two-thirds (66%)
    of respondents stated their security programs
    increased significantly-between 11% and 50%

    The average increase in security budgets
    across all participants in the study was 20%,
    demonstrating that ransomware is among
    the leading drivers for security spending
    across organizations of all sizes and industry
    verticals.

    Since it was introduced to the market, cyber
    insurance adoption has been rapid and
    widespread, with 93% of respondents indicating
    their organizations have a cyber insurance
    policy in place, up from 75% in the 2021 report.
    Of those with cyber insurance, 84% indicated
    their policies include coverage specifically for
    ransomware attacks, up from just 54% in last
    year’s report.
    Generally, the larger the organization, the less
    likely they were to have cyber insurance for
    ransomware attacks.

    Generally, the larger the organization, the less
    likely they were to have cyber insurance for
    ransomware attacks. In fact, the larger the
    company, the less likely they were to have any
    cyber insurance at all, with 9% of companies
    with 1,500 or more employees reporting no
    cyber insurance protection.
    The other budget winners in the effort to
    counter ransomware attacks were hiring
    additional security talent at 51% and additional
    security awareness training for employees
    at 50%. Organizations in Germany and Japan
    were most likely to invest more funds into
    hiring at 61% and 60%, respectively, while
    organizations in the UAE (40%) and Singapore
    (41%) were the least likely to spend the
    additional budget on new hires.

    Surprisingly, the addition of new security
    technologies like NGAV, Endpoint Protection,
    and Endpoint Detection and Response solutions
    was a priority for 47% of organizations. It is
    interesting to note that investment in new
    technologies designed to prevent or disrupt
    ransomware attacks was only the fourth
    most common choice for where to allocate
    additional security budget.

    This may be due to the fact that most of
    the organizations participating in the study
    have already made significant investments
    in prevention, detection and response
    solutions, but given the level of increased
    investment in cyber insurance, one might
    conclude that these organizations are not
    necessarily confident that they have the right
    solutions in place to adequately defend against
    ransomware attacks.
    While cyber insurance can be an effective
    tool for transferring some of the risk of a
    ransomware attack, it doesn’t mitigate all of it or
    provide any meaningful defense. Even if a cyber
    insurance policy covers a ransom demand,
    it may not cover a number of other financial
    consequences, such as lost revenue, cost of
    remediation, higher insurance premiums,
    regulatory fines, legal fees, and the like.

    What’s more, cyber insurance will not protect
    an organization from being among the 8-out-
    of-10 that are hit with a second ransomware
    attack—and it is doubtful that cyber insurance
    would cover back-to-back ransom payments
    within a month.

    Once an organization has been compromised
    with ransomware, no clear-cut “best option”
    is available. If the ransom is not paid, business
    may grind to a halt for days or weeks as data is
    manually restored from backups–assuming
    the organization has backups.
    If a ransomware attack includes data
    exfiltration for double extortion, not paying
    the ransom also means accepting the risk that
    sensitive data and intellectual property may be
    exposed publicly–and the legal and regulatory
    consequences that can stem from such
    exposure. Again, the financial, legal, regulatory,
    and reputational impact of a ransomware
    attack–including lost business and productivity
    and the cost of recovery efforts–can often
    exceed the ransom demand.

    The alternative is to pay the ransom, but
    that comes with issues and risks as well. As
    noted earlier

    The best option for defending against
    ransomware is to be proactive and prevent an
    attack at the outset, to detect and disrupt an
    attack in progress as early as possible, and to
    be prepared to respond to a successful attack
    swiftly.

    28RANSOMWARE
    Follow Security Hygiene Best Practices:
    This includes timely patch management
    and ensuring operating systems and other
    software are regularly updated, offsite
    data backups, implementing a security
    awareness program for employees, and
    deploying best-in-class security solutions
    on the network.
    Implement Multi-Layer Prevention
    Capabilities: Prevention solutions like
    NGAV should be standard on all enterprise
    endpoints across the network to thwart
    ransomware attacks leveraging both
    known TTPs as well as custom malware.
    Deploy Endpoint and Extended Detection
    and Response (EDR and XDR): Point
    solutions for detecting malicious activity
    like a RansomOps attack across the
    environment provides the visibility required
    to end ransomware attacks before data
    exfiltration occurs or the ransomware
    payload can be delivered

    Ensure Key Stakeholders Can Be Reached:
    Responders should be available at any time
    of day as critical mitigation efforts can be
    delayed during weekend/holiday periods.
    Having clear on-call duty assignments for
    off-hours security incidents is crucial.

    Conduct Periodic Table-Top Exercises:
    These cross-functional drills should
    include key decision-makers from Legal,
    Human Resources, IT Support, and other
    departments all the way up to the executive
    team for smooth incident response.

    Ensure Clear Isolation Practices: This can
    stop further ingress into the network or
    the spread of ransomware to other devices
    or systems. Teams should be proficient
    at disconnecting a host, locking down a
    compromised account, blocking a malicious
    domain, etc

    Evaluate Managed Security Services
    Provider Options: If your security
    organization has staffing or skills shortages,
    establish pre-agreed response procedures
    with your MSPs so they can take immediate
    action following an agreed-upon plan.

    Lock Down Critical Accounts for Weekend
    and Holiday Periods: The usual path
    attackers take in propagating ransomware
    across a network is to escalate privileges
    to domain-level admin and then deploy
    the ransomware. Those highest privilege
    accounts, in many cases, are rarely
    required to be in use during the weekend
    or holiday breaks. Teams should create
    highly-secured, emergency-only accounts
    in the Active Directory that are only used
    when other operational accounts are
    temporarily disabled as a precaution or
    inaccessible during a ransomware attack.

    Reply
  14. Tomi Engdahl says:

    CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List
    https://www.securityweek.com/cisa-clarifies-criteria-adding-vulnerabilities-must-patch-list

    The US Cybersecurity and Infrastructure Security Agency (CISA) has provided clarifications on the criteria for adding vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

    The KEV catalog was launched in November 2021 with roughly 300 entries. There are now more than 730 entries and the database continues to grow as CISA becomes aware of other new or old vulnerabilities that have been exploited in the wild.

    Reply
  15. Tomi Engdahl says:

    Snowflake Launches Cybersecurity Workload to Find Threats Across Massive Data Sets
    https://www.securityweek.com/snowflake-launches-cybersecurity-workload-find-threats-across-massive-data-sets

    Data cloud company Snowflake (NYSE: SNOW) is the latest enterprise technology firm looking to help fuel the massive data lakes that power enterprise security programs.

    Snowflake this week launched a new Cybersecurity workload that helps cybersecurity teams to better protect their enterprises using its platform and an extensive ecosystem of partners delivering security capabilities with connected applications, cybersecurity teams can quickly gain visibility and automation at cloud-scale.

    “With Snowflake’s Data Cloud, cybersecurity teams can break down data silos to enable better visibility, deliver advanced analytics that remove manual processes, and give security teams a clearer picture of evolving risks and threats coming their way,” Omer Singer, Head of Cybersecurity Strategy at Snowflake, explained in a blog post.

    With Snowflake’s Data Cloud, customers can unify logs and enterprise data and store virtually unlimited amounts of “hot” data cost effectively for years.

    “Customers are able to efficiently store years of high-volume data, search with scalable on-demand compute resources,” Snowflake says, “and gain insights using universal languages like SQL and Python, currently in private preview. With Snowflake, organizations can also unify their security data with enterprise data in a single source of truth, enabling contextual data from HR systems or IT asset inventories to inform detections and investigations for higher fidelity alerts, and running fast queries on massive amounts of data.”

    https://www.snowflake.com/blog/cybersecurity-workload/

    Reply
  16. Tomi Engdahl says:

    Ransomware-maksu jo keskimäärin miljoona dollaria
    https://etn.fi/index.php/13-news/13704-ransomware-maksu-jo-keskimaeaerin-miljoona-dollaria

    Tietoturvayhtiö Palo Alto Networksin mukaan kiristysohjelmien keskimääräiset lunnasmaksut ovat nousseet tänä vuonna jo 71 prosenttia lähes miljoonaan dollariin. Vuoden viiden ensimmäisen kuukauden aikana ransomware-lunnasmaksu kasvoi 925 162 dollariin.

    Puhutaan siis jo lähes miljoonan dollarin kiristyssummasta. Luku ei sisällä uhreille aiheutuvia lisäkustannuksia, kuten korjauskuluja, seisokkiajan kuluja tai mainevahinkoja. Kasvu on ollut hurjaa, kun sitä vertaa vuoden 2020 keskimääräiseen ransomware-maksuun, joka oli noin 300 000 dollaria.

    Palo Alto Networksin mukaan suurin osa lunnasmaksuista oli alle 500 dollaria vielä vuonna 2016. Päivittäin darkwebissä julkaistaan keskimäärin seitsemän uutta ransomware-uhria.

    Average Ransom Payment Up 71% This Year, Approaches $1 Million
    https://www.paloaltonetworks.com/blog/2022/06/average-ransomware-payment-update/

    Reply
  17. Tomi Engdahl says:

    Suomalaisen passin saa darkwebistä alle kympillä
    https://etn.fi/index.php/13-news/13700-suomalaisen-passin-saa-darkwebistae-alle-kympillae

    Kyberturvallisuusyritys NordVPN:n tutkimuksessa on analysoitu yhtä pimeän verkon kauppapaikoista, jossa on myyty tähän mennessä laittomasti yli 720 000 kohdetta tai tietoja yhteensä 16,1 miljoonan euron edestä. Tutkimus paljastaa, että suomalaisen passin voi ostaa vain 9,30 euron hintaan. Hinta on alhainen muihin maihin verrattuna.

    Myynnissä oleviin kohteisiin eri puolilta maailmaa kuului passeja, henkilöllisyystodistuksia, ajokortteja, sähköpostitietoja, maksukorttitietoja, kännykkänumeroita, verkkotilejä, pankkien kirjautumistietoja, kryptotilejä ja muuta yksityistä tietoa.

    NordVPN:n kyberturvallisuusasiantuntija Adrianus Warmenhoven yksi kauppapaikka on vain jäävuoren huippu. – Pimeässä verkossa on tällä hetkellä yli 30 000 verkkosivua. On hyvä muistaa, että vain 4 prosenttia koko Internetistä on niin sanottua pintaverkkoa, joka on kaikkien internetin käyttäjien ulottuvilla.

    Suomalaiset passit olivat maailman neljänneksi halvimpia keskihinnalla 9,30 euroa. Tšekkiläiset, slovakialaiset ja liettualaiset passit olivat kalleimpia (keskihinta 3542,50 euroa). Hinta riippuu monista tekijöistä, kuten siitä, miten helposti asiakirjan voi väärentää, kuinka laajasti niitä myydään, ja kuinka yleisesti niitä ostetaan.

    Suomalaiset tiedot, joita pystyttiin hankkimaan väsytyshyökkäyksellä tai arvaamalla, olivat myynnissä paljon matalampaan hintaa. Sama pätee muihinkin maihin. Maksukorttien tiedot maksoivat noin 8,60 euroa. Toinen helppo tapa, jota hakkerit käyttävät tietojen tai digitaalisen omaisuuden varastamiseen, on ”credential stuffing” eli kirjautumistietojen täyttöhyökkäys (tällöin vuodettua salasanaa tai sähköpostiosoitetta käytetään pääsyn hankkimiseksi toiselle alustalle). Tästä syystä verkkotilien hinnat ovat matalia: hakkeroidun Netflix-tilin voi ostaa 9,30 eurolla, Uber-tilin 11,20 eurolla ja Twitter-tilin vaivaisella 1,90 eurolla.

    Tapaustutkimus pimeästä verkosta:
    Näin hakkerit tienaavat 17,3 miljoonaa dollaria tiedoillasi
    https://nordvpn.com/fi/research-lab/dark-web-case-study/

    Yleisiä tilastoja analysoiduista markkinoista:

    Myyntikohteiden lukumäärä: > 22 000

    Todennettuja myyntejä: > 720 000

    Todennetut tulot myynneistä: >17,3 miljoonaa dollaria.

    Reply
  18. Tomi Engdahl says:

    A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia https://thehackernews.com/2022/06/a-decade-long-chinese-espionage.html
    A previously undocumented Chinese-speaking advanced persistent threat
    (APT) actor dubbed Aoqin Dragon has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.

    Reply
  19. Tomi Engdahl says:

    Even the Most Advanced Threats Rely on Unpatched Systems https://thehackernews.com/2022/06/even-most-advanced-threats-rely-on.html
    Common cybercriminals are a menace, there’s no doubt about it from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.

    Reply
  20. Tomi Engdahl says:

    Saalis keskimäärin 862519 euroa, kasvu 71% viranomaiselta tiukka ohje uhreille https://www.is.fi/digitoday/tietoturva/art-2000008872095.html
    KIRISTYSOHJELMAHYÖKKÄYKSET maksavat yrityksille ja muille organisaatioille selvästi entistä enemmän, tietoturvayhtiö Palo Alto Networks arvioi. Yhtiön mukaan keskimääräiset lunnasmaksut ovat nousseet tänä vuonna jo lähes miljoonaan dollariin. [More https://www.paloaltonetworks.com/blog/2022/06/average-ransomware-payment-update/

    Reply
  21. Tomi Engdahl says:

    Supply chain attacks will get worse: Microsoft Security Response Center boss https://www.theregister.com/2022/06/09/microsoft_supply_chain_attacks/
    RSA CONFERENCE Major supply-chain attacks of recent years we’re talking about SolarWinds, Kaseya and Log4j to name a few are “just the tip of the iceberg at this point, ” according to Aanchal Gupta, who leads Microsoft’s Security Response Center.

    Reply
  22. Tomi Engdahl says:

    IPhoneihin ja Maceihin iso muutos ei enää salasanoja https://www.is.fi/digitoday/tietoturva/art-2000008874787.html
    Verkkosivuille ja sovelluksiin kirjautumiselle tarjoutuu turvallisempi vaihtoehto iPhonejen ja Macien uusissa käyttöjärjestelmissä.

    Reply
  23. Tomi Engdahl says:

    Et halua antaa dataasi Googlelle tai Applelle? Tässä sinulle puhelin
    https://etn.fi/index.php/13-news/13707-et-halua-antaa-dataasi-googlelle-tai-applelle-taessae-sinulle-puhelin

    Nashvillessä sijaitsevan Vanderbiltin yliopiston tutkimuksessa havaittiin, että Android lähettää dataa Googlelle 340 kertaa päivässä, vaikka puhelin on käyttämättömänä. Jos et halua jakaa dataasi hakukonejätille tai Applelle, sinulle on vaihtoehtoja. Yksi niistä on Murena.

    Murena on Mandrake Linuxin alunperin rakentaneen Gael Duvalin projekti, joka alkoi jo vuonna 2017. Viisi vuotta myöhemmin Duval kheittäjineen on lanseerannut Murena One X2:n. Se on ensimmäinen markkinoille saapunut huippuluokan Android-puhelin, joka käyttää avoimen lähdekoodin /e/OS Android -versiota.

    Murena ei suinkaan ole ensimmäinen yritys kehittää vaihtoehto Google-pohjaiselle Androidille ja Applen iOS:lle. Tätä on yritetty Windowsilla, Ubuntulla ja Firefoxilla, huonoin tuloksi. Duvalin lähestymistapa eroaa näistä, sillä hän pyrki puhdistamaan Androidin kaikesta siitä, jolla Google urkkii käyttäjän tietoja.

    /e/OS:ssä useimmat Googlen palvelut on poistettu ja korvattu MicroG-palveluilla. MicroG korvaa Googlen kirjastot puhtaasti avoimen lähdekoodin toteutuksilla ilman linkkejä Googlen palveluihin. Tämä tarkoittaa kirjastoja ja sovelluksia, jotka tarjoavat Google Play-, Maps-, Geolocation- ja Messaging-palveluita.

    Reply
  24. Tomi Engdahl says:

    US Details Chinese Attacks Against Telecoms Providers
    https://www.securityweek.com/us-details-chinese-attacks-against-telecoms-providers

    Several US government agencies have issued a joint cybersecurity advisory to provide information on the techniques and tactics that China-linked threat actors have been using to compromise telecom companies and network services providers.

    The Chinese nation-state adversaries continue to rely on publicly available tools and known vulnerabilities to compromise networks and establish an infrastructure. They target entities around the world, both in public and private sectors, the US agencies say.

    Chinese APTs readily exploit publicly known vulnerabilities to compromise network devices such as SOHO routers and NAS devices, reads the joint advisory authored by the NSA, CISA and the FBI.

    Reply
  25. Tomi Engdahl says:

    https://www.securityweek.com/us-details-chinese-attacks-against-telecoms-providers

    Since 2020, the three US agencies have observed the Chinese threat actors mainly abusing vulnerabilities in devices from Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652), Citrix (CVE-2019-19781), DrayTek (CVE-2020-8515), D-Link (CVE-2019-16920), Fortinet (CVE-2018-13382), MikroTik (CVE-2018-14847), Netgear (CVE-2017-6862), Pulse (CVE-2019-11510 and CVE-2021-22893), QNAP (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, and CVE-2019-7195), and Zyxel (CVE-2020-29583).

    The threat actors also use open-source tools to scan for vulnerabilities and perform reconnaissance, including RouterSploit (exploitation framework for embedded devices) and RouterScan (a framework for vulnerability scanning), which allow them to identify makes, models, and known bugs that can be exploited.

    “Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,” the joint advisory reads.

    The threat actors were observed obtaining the credentials necessary to access the underlying SQL database of a critical RADIUS server and then dumping the stored credentials, including cleartext and hashed passwords.

    Using these credentials, the attackers then connected to Cisco and Juniper routers via SSH, executed commands, and then exfiltrated current router configuration.

    Reply
  26. Tomi Engdahl says:

    https://www.securityweek.com/rsa-conference-2022-vendor-announcements-summary-day-1

    Cloud Security Alliance releases results of Zero Trust survey

    The Cloud Security Alliance (CSA) has released a new report named “CISO Perspectives and Progress in Deploying Zero Trust.” A survey of more than 800 IT and security professionals found that 80% of C-level executives view Zero Trust as a priority, 94% are in the process of implementing a Zero Trust strategy, and 77% are increasing their budget for Zero Trust over the next 12 months.

    MITRE introduces “System of Trust”

    The MITRE Corporation announced the introduction of “System of Trust,” a free and open platform that offers a new knowledge base of supply chain security risks, as well as a security risk assessment process.

    Delivering a proactive approach to finding and mitigating threats, the System of Trust details 14 risk areas for organizations to evaluate, and contains more than 2,200 specific supply chain security risk questions. The framework scores and ranks risks to help identify strengths and weaknesses, and offers a common vocabulary that can be understood across suppliers, supplies, and services.

    Reply
  27. Tomi Engdahl says:

    Näin suomalaisten tietoja myydään pimeässä verkossa: Passi, maksukortit https://www.is.fi/digitoday/tietoturva/art-2000008874482.html
    SUOMALAISILTA varastettujen tietojen myynnistä pimeässä verkossa on saatu uusia lukuja. Tietoturvayhtiö NordVPN kävi läpi yksityiskohtaisesti yhden kauppapaikan ja löysi myynnistä muun muassa passeja ja henkilökortteja, maksukorttitietoja, verkkopalveluiden tilejä, kirjautumistietoja pankkeihin ja kryptotileille ja muita yksityisiä tietoja.

    Reply
  28. Tomi Engdahl says:

    11 infamous malware attacks: The first and the worst https://www.csoonline.com/article/3663051/11-infamous-malware-attacks-the-first-and-the-worst.html
    Whether by dumb luck or ruthless skill, these malware attacks left their mark on the internet.

    Reply
  29. Tomi Engdahl says:

    Cloud data breaches: 4 biggest threats to cloud storage security https://blog.malwarebytes.com/business/2022/06/cloud-data-breaches-4-biggest-threats-to-cloud-storage-security/
    In this post, we’ll break down the four big threats to cloud storage security that SMBs should be ready to address.

    Reply
  30. Tomi Engdahl says:

    Europarlamentaarikko yllättyi: tietokoneelta löytyi 10 vuoden Yandex-eväste
    https://www.tivi.fi/uutiset/tv/7e7e7839-b0b6-4249-8797-ceeeee8372d5
    Poliittiset päättäjätkään eivät ole suojassa digijättien datankeruulta, kertoo Sitran Digivalta-selvitys. Tämä saattaa altistaa päättäjät hybridivaikuttamiselle.

    Reply
  31. Tomi Engdahl says:

    FBI, DOJ say less than 25% of NetWalker ransomware victims reported incidents https://therecord.media/fbi-doj-say-less-than-25-of-netwalker-ransomware-victims-reported-incidents/
    Just one fourth of all NetWalker ransomware victims reported incidents to law enforcement, according to officials from the FBI and Justice Department who led the takedown of the group.

    Reply
  32. Tomi Engdahl says:

    Cybersecurity Courses Ramp Up Amid Shortage of Professionals
    https://www.securityweek.com/cybersecurity-courses-ramp-amid-shortage-professionals

    The pressure was on. Someone, somewhere, was attacking computer systems so customers couldn’t reach certain websites. In a windowless room in Denver, Zack Privette had worked all morning with his security team to figure out what the cyber strangers were up to.

    “What’s happened is that we have an attacker who has been going through our different websites and they found a vulnerability into our active directory and …,” Privette explained to Richard Mac Namee, identified as chief operating officer of the company under attack.

    “OK, I’m not technical. What does that mean?” interrupted Mac Namee, who is really the director of the new Cybersecurity Center at Metropolitan State University of Denver. And he’s actually quite technical.

    Reply
  33. Tomi Engdahl says:

    Billion-Dollar Valuations Can’t Halt Layoffs at OneTrust, Cybereason
    https://www.securityweek.com/billion-dollar-valuations-cant-halt-layoffs-onetrust-cybereason

    Two cybersecurity vendors that recently boasted of raising hundreds of millions of dollars at unicorn valuations have confirmed staff cuts as the turmoil in the capital markets start to wreak havoc on late-stage startups.

    Reply
  34. Tomi Engdahl says:

    38 Tech Leaders Sign Cyber Resilience Pledge
    https://www.securityweek.com/38-tech-leaders-sign-cyber-resilience-pledge

    The Coalition to Reduce Cyber Risk (CR2) announced this week that it has been joined by 37 organizations across eight countries in signing a pledge to improve cyber resilience and combat threats such as ransomware.

    This shows, CR2 notes, that organizations are aware of the importance of collaboration in countering evolving threats and in implementing risk-based cybersecurity globally.

    By signing the pledge, these organizations show their commitment to drive the development and implementation of risk-based approaches based on widely accepted standards and to support small businesses in adopting risk-based cybersecurity.

    Additionally, they pledged to improve cybersecurity standards and incorporate them in policies and controls, and to periodically perform assessments of these policies and controls, to ensure they continue to be standard-compliant.

    “Internationally recognized cybersecurity frameworks and standards that are based upon the principles of risk management and relevant across sectors support such implementation by strengthening consistency and continuity among interconnected sectors and throughout global supply chains,” CR2 notes.

    The adoption of these standards among companies and government agencies worldwide is expected to not only mitigate cyber risks, but to also facilitate economic growth.

    The CR2 Pledge
    https://www.crx2.org/pledge

    The signatories to this pledge understand that in order to enhance cyber resiliency and counter evolving cross-border cyber threats such as the growth of ransomware, we must enable the seamless implementation of risk-based approaches to cybersecurity around the world.

    Internationally recognized cybersecurity frameworks and standards that are based upon the principles of risk management and relevant across sectors support such implementation by strengthening consistency and continuity among interconnected sectors and throughout global supply chains.

    Increased and ongoing adoption of these frameworks and international standards by companies and governments around the world will mitigate cyber risks and facilitate economic growth. To further advance adoption of international approaches to cybersecurity risk management, we commit to:

    Encourage the development, evolution and implementation of risk-based approaches based on consensus-based frameworks, standards and risk management best practices, such as ISO/IEC 27110 and 27103, or the NIST Cybersecurity Framework;

    Support efforts of our vendors and supply chain contributors to adopt risk-based cybersecurity approaches in order to help small businesses flourish while improving the resiliency of the cyber ecosystem;

    Incorporate ISO/IEC 27110 and 27103, the NIST Cybersecurity Framework, or other widely accepted international cybersecurity standards as a foundation of our cybersecurity policies and controls wherever applicable and feasible; and

    Periodically reassess our cybersecurity policies and controls against revisions to such cybersecurity standards and actively participate in industry-driven initiatives to improve those standards.

    A commitment to internationally recognized cyber risk management approaches and frameworks that are relevant across sectors can bring widespread economic benefits, help governments achieve their policy goals, bolster collective security, and enhance cyber resiliency across the ecosystem.

    Reply
  35. Tomi Engdahl says:

    Chinese Cyberspy Group ‘Aoqin Dragon’ Targeting Southeast Asia, Australia Since 2013
    https://www.securityweek.com/chinese-cyberspy-group-aoqin-dragon-targeting-southeast-asia-australia-2013

    Reply
  36. Tomi Engdahl says:

    Backdoor Attacks From Windigo Operation Still Active
    https://www.securityweek.com/backdoor-attacks-windigo-operation-still-active

    Windigo, a malicious operation uncovered over three years ago, continues to be active despite a takedown attempt in 2014 and the sentencing of one conspirator in August 2017.

    At the core of Windigo was Linux/Ebury, an OpenSSH backdoor and credential stealer that was estimated to have infected over 25,000 servers worldwide during a two and a half year period prior to the botnet’s discovery. The systems were being abused to steal credentials, redirect web traffic to malicious sites, and send in excess of 30 million spam messages a day.

    The operation was uncovered by ESET researchers who worked together with CERT-Bund, the Swedish National Infrastructure for Computing, and other agencies to take it down. In 2015, Finnish authorities apprehended Maxim Senakh, one of the conspirators behind the operation. He was extradited to the United States last year and sentenced to 46 months in federal prison in August this year.

    Reply
  37. Tomi Engdahl says:

    Cyber Safe Green Energy
    https://www.txone.com/white-papers/cyber-safe-green-energy/?utm_source=SecurityWeek&utm_medium=newsletter&utm_campaign=GEnergy_WP&utm_content=300_200gif

    In our new white paper “Cyber Safe Green Energy”, we share experience from collaborating with industry leaders in green energy to secure work sites with the OT zero trust approach.

    Prevent cyber incidents that could interfere with power delivery, destroy property, or even endanger human lives
    Streamline oversight and compliance with regulations
    Neutralize insider threat and prevent supply chain attacks

    Reply
  38. Tomi Engdahl says:

    94% of Orgs Had an Insider Security Breach
    See 5 tips on reducing internal security risks.

    5 Ways to Create a Cybersecurity-Focused Work Culture
    https://www.skillsoft.com/blog/5-ways-to-create-a-cybersecurity-focused-work-culture?utm_source=security+week&utm_medium=display&utm_campaign=SKL+IT-SW-NA+FY23-ALL-PM-BLG-5+ways+to+create+a+cybesecurity+focused+wrk+culture&utm_content=SKSTDWorkplaceCybersecurity

    The importance of privacy and security cannot be overstated in an age where so much of our business infrastructure relies on technology. Unfortunately, it’s also this reliance that makes our infrastructure the perfect target for malicious actors.

    To combat and adapt to these threats, many companies, including Skillsoft and at least 16 US states, have appointed a chief information security officer (CISO) dedicated to minimizing technology risks for the organization.

    As a CISO, you must educate employees to guarantee the security of your organization. Ninety-four percent of organizations report that they’ve had an insider breach. The average cost of a data breach is $4.7 million, and 20% of breaches can be avoided by providing educational resources for employees.

    Cybersecurity training is key to keeping your organization safe. I see cybersecurity training — for leaders, practitioners, and other staff — as an essential part of a broad security strategy. When staff knows what to look for and have a clear picture of what their security teams do, they can better protect themselves and the organization’s data.

    Here are five ways to prepare your workforce for today’s and tomorrow’s threats:
    1. Adopt a culture of regular, personalized training

    Training significantly benefits individuals and their organizations. Training improves morale, fosters high-quality outcomes, and faster resolutions. However, the biggest inhibitor to security training is often employees’ workload. If they have too much going on, asking them to make time for security training can lead to burnout or disengagement with the material.

    But, if training is the key to warding off phishing attacks and bad actors, leadership must build in time to complete training correctly.

    2. Align the security team and workforce

    Something I’m excited to be working on at Skillsoft is creating more substantial alignment between our security teams and disciplines and our workforce. We plan to improve communication with monthly newsletters and other internal initiative and become more visible within the organization.

    3. Pay close attention to trends in your organization

    Take note of your attack surface regularly. The only way to successfully stave off threats is to be aware of all possible entry points. You must be able to message how you, your team, and every member of the organization affect and are affected by it. Make that information widely and readily available.

    4. Collaborate with your partners & customers

    You can use the same strategy you used to transform your workforce to engage with your partners and customers more regularly. By sharing trends, strategies, and new developments as they happen, you’re giving those who rely on you insight into how you’re keeping them safe. Education and communication help create a cyber-aware community where we’re all looking out for each other.

    5. Focus on the right metrics

    My key takeaway for leadership, especially other CISOs, is to remain focused on being prepared. It’s terrific if you’re able to block 99% of attacks, but if you don’t stay perpetually ready, that 1%will sneak through. Of course, scoring a five on your NIST assessment would be an outstanding achievement, but you must find balance and comfort in the level of risk you manage while working within the constraints of the organization. Having plans to combat attacks is ultimately a better use of your organization’s resources.

    Skillsoft continues to see security training rise in importance for organizations across industries. Since last year, security training consumption rose nearly 60%, according to user data in Percipio.

    Reply
  39. Tomi Engdahl says:

    Facilitating Convergence of Physical Security and Cyber Security With Open Source Intelligence
    https://www.securityweek.com/facilitating-convergence-physical-security-and-cyber-security-open-source-intelligence

    The desire to merge aspects of physical and cyber security is nothing new, especially in maturing enterprises that are proactively extending their security capabilities. Since many aspects of physical security are connected to the internet, enterprises have started to build fusion centers that combine disciplines. By doing so, they are able to converge cyber and physical security, close gaps in coverage, and scale security to protect facilities and hundreds of thousands of employees. The key to this convergence lies in open-source intelligence and how it can enrich many aspects of a physical security program.

    Broadening the Definition of Open Source Intelligence

    Many aspects of open source intelligence are similar or equivalent to traditional all-source intelligence methodologies seen in the intelligence cycle. Two main categories of datasets to map are traditional open source intelligence and non-traditional open source intelligence. Traditional open source intelligence datasets encompass the qualitative and quantitative collection and analysis of public, non-classified sources that deliver context such as archives, business records, dating sites and dark web. Non-traditional open source intelligence datasets include the human, signals, and imagery intelligence equivalents in OSINT– based on anything from threat actor engagement on social media to external telemetry (netflow, passive DNS, cookies) to social media photos used to pinpoint locations.

    Defining the Key Capabilities of a Cyber Threat Intelligence Program

    Before we dig into how cyber threat intelligence benefits a physical security program, let’s identify a list of some of the services, products, and analyses that a CTI program might address. The following services have significant overlap with physical security programs:

    ● Adversary infrastructure analysis

    ● Attribution analysis

    ● Dark Web tracking

    ● Internal threat hunting

    ● Threat research for identification and correlation of malicious actors and external datasets

    ● Intelligence report production

    ● Intelligence sharing (external to the organization)

    ● Tracking threat actors’ intentions and capabilities

    Other CTI services generally do not overlap with physical security and remain the responsibility of cyber security teams. These services include malware analysis & reverse engineering, vulnerabilities research, and indicator analysis (enrichment, pivoting, and correlating to historical reporting).

    Defining Overlap with CTI and Physical Security Programs

    Security teams are now leveraging open source intelligence and cyber threat intelligence to provide critical information to physical security practitioners. The physical and corporate security programs of these teams generally consist of the following disciplines, with use cases that are at the center of the convergence of cyber and physical security disciplines:

    ● Executive Protection and Physical Asset Protection

    ● Travel Security

    ● Regulatory/Environmental Risk Specific to Business

    ● Geo-Political Risk

    ● Global Investigations

    It is more and more clear that physical and information security disciplines have large overlaps. The use of OSINT to review coverage gaps and identify problems is not a small project and can take up to 18 months to complete according to GSOC

    Reply
  40. Tomi Engdahl says:

    Lyceum.NET DNS Backdoor
    https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor
    Active since 2017, Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on.NET based malwares. [Also https://thehackernews.com/2022/06/iranian-hackers-spotted-using-new-dns.html

    Reply
  41. Tomi Engdahl says:

    Credentials for thousands of open source projects free for the takingagain!
    https://arstechnica.com/information-technology/2022/06/credentials-for-thousands-of-open-source-projects-free-for-the-taking-again/
    A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report.

    Reply
  42. Tomi Engdahl says:

    Taking down the IP2Scam tech support campaign https://blog.malwarebytes.com/threat-intelligence/2022/06/taking-down-the-ip2scam-tech-support-campaign/
    Tech support scams follow a simple business model that has not changed much over the years. After all, why change a recipe that continues to yield large profits.

    Reply
  43. Tomi Engdahl says:

    Salasanojen loputon määrä raivostuttaa käyttäjiä ja tekee tietoturvarikollisten työn helpoksi Jyväskylässä kehitetään korvaajaa salasanoille
    https://yle.fi/uutiset/3-12484896
    Jyväskylän yliopiston hanke yrittää korvata salasanat turvallisemmalla tunnistautumismenetelmällä. Vaihtoehtoja on etsitty jo pitkään, mutta toistaiseksi mikään ratkaisu ei ole onnistunut korvaamaan salasanoja kokonaan.

    Reply
  44. Tomi Engdahl says:

    Microsoft helps prevent lateral movement from compromised unmanaged devices https://www.helpnetsecurity.com/2022/06/13/microsoft-prevent-lateral-movement/
    A new feature in Microsoft Defender for Endpoint can make it more difficult for attackers to perform lateral movement within company networks, as it allows admins to prevent traffic flowing to and from unmanaged devices that have been compromised.

    Reply
  45. Tomi Engdahl says:

    Koverse Launches Zero Trust Data Platform
    https://www.securityweek.com/koverse-launches-zero-trust-data-platform

    New attribute-based access controls (ABAC) protect sensitive data to power demanding analytics, data science, and AI use cases

    Zero trust at the data level provides better security than zero trust at the application level; and attribute-based access control (ABAC) rather than role-based access control (RBAC) provides more efficient and granular access to the data.

    Both are key elements of the Koverse Data Platform (KDP), version 4.0 of which is now launched. The latest version introduces nothing that is fundamentally new to the platform, but concentrates on making it more accessible to more users.

    ”We’ve separated the functionality into different microservices that are all containerized,” said Aaron Cordova, CTO and cofounder at SAIC-owned Koverse; “and we have a new cloud-centric and flexible method of deployment.”

    Reply
  46. Tomi Engdahl says:

    Lessons for Better Fraud Decision-Making
    https://www.securityweek.com/lessons-better-fraud-decision-making

    Have you ever stopped to think about how you go about deciding whether to try a new restaurant that you’ve never been to? Even if you don’t realize what you are doing, when you make this decision, you are likely collecting data around a number of different criteria, analyzing those data points, and then using that analysis to make a decision. Some of the criteria you evaluate might include:

    ● Does the restaurant serve the type of food that I want to eat?

    ● Is the restaurant located conveniently for me?

    ● Do the hours suit the time I want to eat?

    ● Am I willing to pay what the restaurant charges?

    ● Does the restaurant have good reviews?

    ● Is the restaurant clean?

    These are just a few potential data points that a person might evaluate when deciding on whether to try a new restaurant. There are, of course, numerous other ones. Regardless of which data points are important to the decision maker, it is likely that the number of data points is somewhere between five and 10.

    One or two data points would not be sufficient.

    On the other hand, having 500 data points doesn’t make the decision-making process any easier either. Imagine if in addition to the six data points above, I had another 494 that I needed to evaluate. It would completely overwhelm me, and I would be unable to make effective use of nearly all of those data points.

    I believe that we can learn a valuable lesson about better fraud decision-making from this restaurant choosing example.

    If we think about it, detecting fraud is not about making a binary decision. If I look outside, either it is raining or it is not. That is something binary. Fraud on the other hand involves probabilistic decision-making. In real-time, I can be 10%, 50%, or 90% certain that something is fraud, though it is almost never the case that I can be 100% certain. Sure, I can be 100% certain that something was fraud long after it happened, though not in the moment as it is happening.

    The reason for this is very simple. Fraud is business logic abuse. It is about using legitimate applications for fraudulent purposes. In other words, we are looking to understand the intent of the user as they interact with the application and journey through their session. That is not something that the traffic itself can tell us. We need to look beyond the traffic and understand the behavior of the user in the session, the resources they are requesting, and the device(s) and environment(s) from which they are operating.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*