Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency and increased reliability, and enable real-time processing and analytics. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
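The Google finding above is mostly about transitive exposure: a package is affected because something it depends on pulls in log4j-core, which is why dependency patching is slow. The following added example (not from the article or from Google's tooling) walks a constructed Maven-style dependency graph, reports every path by which a root artifact reaches log4j-core, and flags declared versions below an assumed minimum patched version; the `2.17.1` threshold and all artifact names are assumptions for the sample.

```python
"""Find packages that pull in a vulnerable log4j-core, directly or transitively,
and report the dependency path.  All data below is constructed sample input."""
import re

# Constructed sample dependency graph: artifact -> list of (dependency, declared version).
# Coordinates are shortened to groupId:artifactId for readability.
SAMPLE_GRAPH = {
    "com.example:web-app": [
        ("org.springframework:spring-core", "5.3.13"),
        ("com.example:logging-shim", "1.4.0"),
    ],
    "com.example:logging-shim": [("org.apache.logging.log4j:log4j-core", "2.14.1")],
    "org.springframework:spring-core": [],
    "com.example:batch-job": [("org.apache.logging.log4j:log4j-core", "2.17.1")],
    "com.example:cli-tool": [("org.apache.logging.log4j:log4j-api", "2.14.1")],
}

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
# Assumed minimum patched version; verify against the current Apache Log4j advisory.
MIN_PATCHED = "2.17.1"


def parse_version(v):
    """'2.14.1' -> (2, 14, 1).  Leading digits of each dotted token are used,
    so '2.0-beta9' -> (2, 0, 0) and sorts below any 2.0.x release."""
    nums = []
    for token in v.split("."):
        m = re.match(r"\d+", token)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def find_log4j_paths(graph, root):
    """Depth-first walk from root; return (path, declared_version) for every edge
    that reaches log4j-core, so transitive exposure is visible, not just direct use."""
    hits = []

    def walk(node, path, seen):
        for dep, ver in graph.get(node, []):
            if dep == LOG4J_CORE:
                hits.append((path + [dep], ver))
            elif dep not in seen:  # guard against cyclic graphs
                walk(dep, path + [dep], seen | {dep})

    walk(root, [root], {root})
    return hits


def vulnerable_packages(graph, min_patched=MIN_PATCHED):
    """Map each root artifact to the paths through which it pulls in a log4j-core
    older than min_patched.  Note: this reports *declared* versions; Maven's
    nearest-wins mediation may resolve a different one, so confirm with the
    build tool's resolved dependency tree before closing a finding."""
    threshold = parse_version(min_patched)
    report = {}
    for root in graph:
        bad = [(" -> ".join(p), v) for p, v in find_log4j_paths(graph, root)
               if parse_version(v) < threshold]
        if bad:
            report[root] = bad
    return report


if __name__ == "__main__":
    for artifact, paths in vulnerable_packages(SAMPLE_GRAPH).items():
        for path, ver in paths:
            print(f"{artifact}: log4j-core {ver} via {path}")
```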
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn’t not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is getting a makeover
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU chip. In this solution, TEE-type protections are provided by a secure enclave. This type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. This differs significantly from the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture, introduced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it from technically savvy individuals and criminal organizations to everyone. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. These include:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Third-party cookies: How they work and how to stop them from tracking you across the web https://www.welivesecurity.com/2022/09/15/third-party-cookies-how-work-stop-tracking-across-web/
For many years, privacy advocates have been sounding the alarm on the use of cookies to track, profile, and serve personalized ads to web users. The discussion has been especially acute over cookies used for cross-site tracking, in which a website leaks or offers visitor data to third-party services included in the site. In response, some of the major web browser vendors stepped up their efforts in the past two years to offer improved or new options to block third-party cookies.
In 2020, Apple updated Intelligent Tracking Prevention in Safari and, in 2021, Mozilla rolled out Total Cookie Protection in Firefox to clamp down on tracking via third-party cookies.
Tomi Engdahl says:
White House: U.S. agencies have 90 days to create inventory of all software https://therecord.media/white-house-u-s-agencies-have-90-days-to-create-inventory-of-all-software/
The White House released new guidance this week ordering federal agencies to create a full inventory of the software they use within 90 days. In a letter to all heads of executive departments and agencies, White House Office of Management and Budget (OMB) director Shalanda Young said a wide-ranging cybersecurity executive order handed down last May by President Joe Biden directed the NIST to publish guidance on how the agencies can better protect government systems through more secure software.
Tomi Engdahl says:
Top 5 CNAPP-Solved Security Challenges
https://www.trendmicro.com/en_us/devops/22/i/cnapp-solved-security-challenges.html
Traditionally, runtime security and development security have been treated as separate problems. Cloud-native application security programs consisted of many different tools, each with its own objective, control panel, and view of risk. These tools were mainly event-driven; they would only initiate scans when alerts were raised.
This approach limited the sharing of data and did not facilitate the remediation of vulnerable application components in a simple, prioritized, and frictionless way that meets the security, speed, and communication needs of development, operations, and security.
Tomi Engdahl says:
New security requirements for hardware and software products
https://www.uusiteknologia.fi/2022/09/16/uusia-tietoturvavaatimuksia-laite-ja-ohjelmistotuotteille/
The European Commission has presented its proposal for a new Cyber Resilience Act, intended to protect consumers and businesses from products with inadequate security features. The first EU-wide legislation in this field would impose mandatory cybersecurity requirements on digital products for their entire lifecycle.
The act increases manufacturers’ responsibility by obliging them to provide security support and software updates to fix discovered vulnerabilities. At the same time, it ensures that consumers receive sufficient information about the cybersecurity of the products they buy and use.
As connected smart products become more common, a cybersecurity incident in a single product can affect the entire supply chain and lead to serious disruption of economic and social activity in the EU internal market, weaken security, or even endanger lives.
The new act aims to ensure that digital products, such as connected devices and software, are more secure for consumers than they are today. The proposal is based on the New Legislative Framework for EU product legislation.
For products with digital elements, the proposal contains a) rules for placing products on the market, b) requirements for the design, development and production of products, c) requirements for vulnerability handling processes that ensure cybersecurity throughout the products’ lifecycle, and d) rules for market surveillance and enforcement.
https://ec.europa.eu/commission/presscorner/detail/fi/ip_22_5374
Today the Commission presented its proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. The first EU-wide legislation of its kind imposes mandatory cybersecurity requirements on products with digital functions for their entire lifecycle.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, wants to stress that people must be able to buy products in the EU internal market without extra worries. “A toy or a refrigerator with a CE marking works safely, as it is meant to. The Cyber Resilience Act will now likewise ensure that connected devices and software are protected against various cyber attacks. With the act, responsibility for this shifts to manufacturers, as it should.”
Vice-President for Promoting our European Way of Life Margaritis Schinas continues: “The Cyber Resilience Act is a response to the security problems that are widespread in modern society. The EU is a pioneer in building a cybersecurity ecosystem. This is achieved by agreeing on rules covering critical infrastructure, cybersecurity capabilities and preparedness for cyber threats, and the certification of products that affect cybersecurity. Today we are completing this ecosystem with an act that strengthens security in homes, in businesses and for every connected product. Cybersecurity has become a societal matter. It can no longer be solely a problem for businesses.”
Today’s proposal is based on the New Legislative Framework for EU product legislation. The proposal contains
a) rules for placing products with digital elements on the market to ensure their cybersecurity,
b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products,
c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during their whole lifecycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to actively report exploited vulnerabilities and incidents;
d) rules on market surveillance and enforcement.
The new rules rebalance responsibility towards manufacturers, who must ensure that products with digital elements placed on the EU market meet the security requirements. In this way the rules benefit consumers and citizens in general, as well as businesses using digital products, because they increase transparency about the security properties of products with digital elements and improve the protection of fundamental rights such as privacy and data protection.
Other parts of the world are also seeking solutions to these questions, but the Cyber Resilience Act will likely become an international point of reference for the direction of development beyond the EU internal market as well. The EU standards to be established under the Cyber Resilience Act will facilitate its implementation and give the EU cybersecurity industry a strong backbone in global markets.
The proposal now goes to the European Parliament and the Council for consideration. Once adopted, economic operators and EU Member States will have two years to adapt to the new requirements. The exception is manufacturers’ obligation to actively report exploited vulnerabilities and incidents, which would apply already one year after entry into force, because this reporting obligation requires fewer organisational arrangements than the other new obligations. The Commission will regularly review the act and report on its functioning.
Cybersecurity is one of the Commission’s top priorities and a cornerstone of a digital and connected Europe. The increase in cyber attacks during the coronavirus crisis has shown how important it is to protect hospitals, research centres and other infrastructure. Strong action is needed in this field to make the EU economy and society fit for the future. The annual cost of data breaches is estimated at at least EUR 10 billion, and malicious attempts to disrupt network traffic are estimated to cost at least EUR 65 billion per year (Commission staff impact assessment on the Commission delegated regulation under the Radio Equipment Directive).
The Cybersecurity Strategy presented in December 2020 proposes integrating cybersecurity into every part of the supply chain and bringing EU actions and resources closer together in four cybersecurity-related areas: the internal market, law enforcement, diplomacy and defence.
The new Cyber Resilience Act complements the EU’s existing cybersecurity framework, which includes the Directive on security of network and information systems (the NIS Directive), the Cybersecurity Directive (the NIS 2 Directive), on which the European Parliament and the Council recently reached agreement, and the EU Cybersecurity Act.
Tomi Engdahl says:
Identity card goes digital, also for online services
https://www.uusiteknologia.fi/2022/09/15/henkilotodistus-muuttuu-digitaaliseksi-myos-verkkoasiointiin/
In Finland, the Digital and Population Data Services Agency is developing a new kind of digital identity card that works on mobile devices. The new solution is planned to be introduced in 2023. Today a bill enabling the use of the digital identity card was submitted to Parliament. The upcoming solution is also suitable for online services.
Organisations that verify identity can already test the new mobile application so that they can prepare for its introduction. Two separate mobile applications have been in test use: the digital identity application and its verification application.
Tomi Engdahl says:
When It Comes to Security, Don’t Overlook Your Linux Systems
https://www.securityweek.com/when-it-comes-security-don%E2%80%99t-overlook-your-linux-systems
As I pointed out earlier this year, Linux systems are a popular delivery mechanism for malware. While they’re not the most popular – that distinction goes to HTML and Javascript – don’t think you can ignore them. Linux-based attacks are very much still happening.
Our researchers have observed that over the previous six months, HTML has been the most common method of malware delivery, with a difference of about 10% between it and Javascript. HTML hit a new high in May.
This isn’t particularly shocking. It appears that every platform, with the exception of XML, which had a minor increase in March and a subsequent decline in April, stayed largely consistent. Given that most malware developers employ and specialize in just one malware delivery platform, this is to be anticipated.
The two front-runners were HTML and Javascript, but LNK also did well.
While Linux wasn’t among the most prevalent malware delivery methods, that doesn’t mean it can’t make an impact. Today, the majority of Linux-based malware attacks are related to crypto-mining. Furthermore, attackers who use this kind of delivery method typically use it to stage attacks, automate authentication attacks, or continue an attack even after a vulnerability has been found and exploited.
If you look at the most prevalent threats on the Linux platform, it’s hardly surprising that Mirai is at the top of the list when we compare the volume of general Linux activity with what we know about Linux-based malware attacks. This botnet has been around since 2016, but six years later, it is still being used, exploited and updated.
The second most common ELF type we saw, BitCoinMiner, reflects more recent trends. The next group of threats are scattered and have a low volume, including Tsunami, Agent and DDoS. However, being low in volume does not always equate to having little impact. So, let’s take a look at other ELF detections that can provide further information about other things that use Linux.
While it’s clear that Miner samples are by far the most frequent ELF detections, several ransomware strains – like AvosLocker, Hive and Vigorf – also use Linux. AvosLocker is a well-known ransomware that is usually distributed and sold on the dark web as ransomware-as-a-service (RaaS). Although AvosLocker was discovered for the first time in July 2021, it has proven difficult for organizations and businesses to combat due to its capacity to be targeted and modified by criminals as they see fit.
Another ransomware variation called Vigorf gained popularity in March 2022 and, in terms of count, overtook both Hive (ransomware) and Miner malware in June. Additionally, Stealthworker, a Golang-based malware that uses brute force and was identified in 2019, is still there, albeit in very small amounts.
Defeating all malware comers
Clearly, it would be unwise to discount the potential impact of Linux-based malware attacks on your network security status. Volume size is not necessarily commensurate with the potential for harm. When it comes to securing your network, you need to be aware of all threats and prepared to defend against them all.
The good news is that in most cases, if you find malware on one of your systems, your SOC team can contain a compromised unit if they can detect and respond to it in near-real time. But this usually requires teams to recognize malicious functionality, which can be hard to do because malware developers specialize in evading detection. This is a good reminder that the basics of cyber hygiene coupled with services like digital risk protection (DRPS), and a comprehensive security mesh approach go a long way toward helping organizations stay on top of malware, regardless of its delivery mechanism.
Tomi Engdahl says:
EU Wants to Toughen Cybersecurity Rules for Smart Devices
https://www.securityweek.com/eu-wants-toughen-cybersecurity-rules-smart-devices
The European Union’s executive arm proposed new legislation Thursday that would force manufacturers to ensure that devices connected to the internet meet cybersecurity standards, making the 27-nation bloc less vulnerable to attacks.
The EU said a ransomware attack takes place every 11 seconds, and the global annual cost of cybercrime is estimated at 5.5 trillion euros in 2021. In Europe alone, cyberattacks cost between 180 and 290 billion euros each year, according to EU officials.
The European Commission said an increase of cyberattacks was witnessed during the coronavirus pandemic and that Russia’s war in Ukraine has raised concerns that European energy infrastructure could also be targeted amid a global energy crunch.
The law, proposed as the Cyber Resilience Act, aims to remove from the EU market all products with digital elements that are not adequately protected.
Tomi Engdahl says:
The ”Finnish Google login” gets a name – this is the service that will replace passwords https://www.is.fi/digitoday/art-2000008774676.html
The service, developed by a non-profit cooperative, is called Sinuna.
THE identification system being developed for Finland has been given a name. The national ”Google login”, i.e. a sign-in that allows several services to be used with the same credentials, is called Sinuna.
The Sinuna service, to be launched to consumers at the end of 2022, is meant to replace passwords. Initially, sign-in will take place via email confirmation, and later the identification is to be developed into strong authentication. This means that it would be a sign-in method on a par with bank credentials, the mobile certificate and the electronic identity card.
Participating companies will get to test the service in June. The founding members of the project are Yleisradio, Alma Media, Nixu and Digital Living International, but the cooperative is open to new members.
Mikko Nurmi, who previously worked at KPMG and Nixu among others, started at the beginning of April as the new CEO of Suomen Tunnistautumisosuuskunta, the cooperative developing the service.
The project combines a joint identification initiative previously planned for the media sector and the SisuID project launched by the rest of the business community.
Tomi Engdahl says:
A Finnish company is developing a digital identity card – here is everything it could be used for https://www.is.fi/digitoday/mobiili/art-2000008972404.html
Tomi Engdahl says:
Futureproofing Computer Security
https://academicpositions.com/story/futureproofing-computer-security
Living our lives online is not without risk – issues like identity theft and banking fraud have affected many of us as we share more and more of our personal data over the internet. Computer systems need advanced mathematical tools to disguise or encrypt our information and keep it safe from prying eyes.
Tomi Engdahl says:
Cyber Chief: Ireland’s position in the world does not protect it from attacks by other countries
https://www.thejournal.ie/richard-browne-ncsc-ireland-interview-5861990-Sep2022/
Tomi Engdahl says:
https://techcrunch.com/2022/09/12/apple-passkey/
Tomi Engdahl says:
Facebook engineers aren’t sure where all user data is kept
https://www.malwarebytes.com/blog/news/2022/09/facebook-engineers-arent-sure-where-all-user-data-is-kept
Tomi Engdahl says:
https://techcrunch.com/2022/09/14/yubo-is-about-to-verify-the-age-of-all-its-users-using-facial-age-estimation/
Tomi Engdahl says:
Dotless domains: Home to the Internet’s shortest URLs
https://www.bleepingcomputer.com/news/technology/dotless-domains-home-to-the-internet-s-shortest-urls/
You may be familiar with some of the shortest internet domains used by major companies, such as m.me and fb.me from Facebook (Meta) and Twitter’s t.co URL shortener.
But, it’s possible for live domain names to be even shorter than these choices—and contain no dots.
Tomi Engdahl says:
This is why scam messages keep pouring in year after year https://www.is.fi/digitoday/tietoturva/art-2000009059356.html
Tomi Engdahl says:
US Agencies Publish Security Guidance on Implementing Open RAN Architecture
https://www.securityweek.com/us-agencies-publish-security-guidance-implementing-open-ran-architecture
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published guidance on implementing an Open Radio Access Network (RAN) architecture.
A general-purpose document titled Open Radio Access Network Security Considerations, the guidance is based on current knowledge and recommended practices and should apply to a variety of industries.
“Open RAN is the industry term for the evolution of traditional RAN architecture to open interoperable interfaces, virtualization, and big data and AI-enabled intelligence,” the document reads.
An Open RAN architecture, CISA and the NSA explain, opens the door to cloudification and virtualization, while promoting ‘increased competition, vendor diversity, and innovation’ by creating a multi-vendor ecosystem.
Open RAN can increase resiliency and flexibility in telecommunications networks through the adoption of ‘best-of-breed’ solutions from multiple vendors and also takes advantage of the security features of 5G, while offering increased transparency to help identify and address issues in real-time, the document notes.
“The deployment of Open RAN introduces new security considerations for mobile network operators (MNO). By nature, an open ecosystem that involves a disaggregated multi-vendor environment requires specific focus on changes to the threat surface area at the interfaces between technologies integrated via the architecture,” CISA and the NSA note.
https://www.cisa.gov/sites/default/files/publications/open-radio-access-network-security-considerations_508.pdf
Tomi Engdahl says:
Industry Reactions to Govt Requiring Security Guarantees From Software Vendors
https://www.securityweek.com/industry-reactions-govt-requiring-security-guarantees-software-vendors
The White House has announced new guidance with the aim of ensuring that federal agencies only use secure software.
Building on the cybersecurity executive order signed by President Joe Biden in May 2021, a memorandum from the OMB requires federal agencies to comply with NIST guidance — for secure software development and supply chain security — when using third-party software. In order to ensure compliance, agencies will have to at least obtain a self-attestation form from software developers whose products they are using or plan on using.
The forms must be obtained within 270 days for critical software and within one year for other software.
https://www.securityweek.com/us-government-wants-security-guarantees-software-vendors
Tomi Engdahl says:
Zero-Day Exploit Detection Using Machine Learning https://unit42.paloaltonetworks.com/injection-detection-machine-learning/
Code injection is an attack technique widely used by threat actors to launch arbitrary code execution on victim machines through vulnerable applications. In 2021, the Open Web Application Security Project (OWASP) ranked it as third in the top 10 web application security risks. Given the popularity of code injection in exploits, signatures with pattern matches are commonly used to identify the anomalies in network traffic (mostly URI path, header string, etc.). However, injections can happen in numerous forms, and a simple injection can easily evade a signature-based solution by adding extraneous strings.
Therefore, signature-based solutions will often fail on the variants of the proof of concept (PoC) of Common Vulnerabilities and Exposures (CVEs). In this blog, we explore how deep learning models can help provide more flexible coverage that is more robust to attempts by attackers to avoid traditional signatures.
Tomi Engdahl says:
PrivateLoader: the loader of the prevalent ruzki PPI service https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/
SEKOIA observed that PrivateLoader is one of the most widely used loaders in 2022. It is used by a Pay-Per-Install service to deploy multiple malicious payloads on the infected hosts. First observed in May 2021, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. SEKOIA analysts tracked PrivateLoader's network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, we also monitored activities related to the ruzki PPI malware service.
Tomi Engdahl says:
EU moves to protect journalists from spyware https://therecord.media/eu-moves-to-protect-journalists-from-spyware/
European Union lawmakers are aiming to protect journalists from member states targeting them with spyware following a number of high-profile incidents across the bloc. Alongside measures promoting ownership transparency and editorial independence, the European Media Freedom Act (EMFA) proposed on Friday will introduce strong safeguards against the use of spyware against media, journalists and their families.
Article 4 of the regulation (an EU instrument which has direct effect without member states needing to reflect it with their own legislation) introduces a general prohibition on member states.
Tomi Engdahl says:
Explained: Fuzzing for security
https://www.malwarebytes.com/blog/news/2022/09/explained-fuzzing-for-security
Fuzzing, or fuzz testing, is defined as an automated software testing method that uses a wide range of invalid and unexpected data as input to find flaws in the software undergoing the test. The flaws do not necessarily have to be security vulnerabilities. Fuzzing can also bring other undesirable or unexpected behavior of the software to light. But it's good to realize that bugs discovered through fuzzing account for the majority of new CVE entries.
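To make the definition above concrete, here is a small mutation-based fuzzer. It is an added example, not code from the Malwarebytes article: the record format, both parsers and the three mutators are constructed for this demonstration. The buggy parser trusts a count byte without checking the input length; the fuzzer mutates a valid seed (bit flips, byte insertions, truncation) and records every input that makes the target raise anything other than its own deliberate ValueError. Run against the hardened parser, which checks every length assumption, the same campaign finds nothing.

```python
import random
from typing import Callable, List, Tuple

# Constructed toy format: byte 0 = record count, then <count> big-endian 16-bit values.
# A valid seed input with three records (1, 2, 3).
SEED = bytes([3, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03])


def parse_records_buggy(data: bytes) -> List[int]:
    """Parser with no bounds checks: it trusts the count byte (constructed bug)."""
    count = data[0]
    values = []
    for i in range(count):
        hi = data[1 + 2 * i]
        lo = data[2 + 2 * i]
        values.append((hi << 8) | lo)
    return values


def parse_records_hardened(data: bytes) -> List[int]:
    """Same format, but every length assumption is checked and reported as ValueError."""
    if len(data) < 1:
        raise ValueError("empty input")
    count = data[0]
    if len(data) != 1 + 2 * count:
        raise ValueError("length does not match record count")
    return [int.from_bytes(data[1 + 2 * i:3 + 2 * i], "big") for i in range(count)]


# Three simple mutators; each takes the seed and an RNG and returns a mutated copy.
def flip_bit(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]


def insert_byte(data: bytes, rng: random.Random) -> bytes:
    i = rng.randint(0, len(data))
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def truncate(data: bytes, rng: random.Random) -> bytes:
    return data[:rng.randrange(len(data))]


MUTATORS = (flip_bit, insert_byte, truncate)


def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int = 300,
         rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Feed mutated inputs to target and collect the ones that cause an unexpected exception.
    ValueError is the parser's intended rejection of bad input and is not counted as a crash."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    crashes = []
    for i in range(iterations):
        mutated = MUTATORS[i % len(MUTATORS)](seed, rng)
        try:
            target(mutated)
        except ValueError:
            pass
        except Exception as exc:  # IndexError etc.: a real bug surfaced
            crashes.append((mutated, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for name, parser in (("buggy", parse_records_buggy), ("hardened", parse_records_hardened)):
        found = fuzz(parser, SEED)
        print(f"{name}: {len(found)} crashing inputs")
        for data, kind in found[:3]:
            print(f"  {kind} on input {data.hex()}")
```

The crashing inputs are the useful output: each one is a reproducer that can be saved as a regression test, which is how fuzz findings usually turn into fixes and, as the post notes, into CVE entries.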
Tomi Engdahl says:
Bosnia and Herzegovina investigating alleged ransomware attack on parliament https://therecord.media/bosnia-and-herzegovina-investigating-alleged-ransomware-attack-on-parliament/
Prosecutors in Bosnia and Herzegovina are investigating a wide-ranging cyberattack that has crippled the operations of the country's parliament. For nearly two weeks, the website for the country's parliament has been down, and local news outlet Nezavisne spoke with several lawmakers who said they were told to not even turn on their computers, barring them from access to their email accounts and official documents. A spokesperson for the prosecutor's office of Bosnia and Herzegovina told The Record that they were assigned the case a couple of days ago.
Tomi Engdahl says:
A Guide to Improving Security Through Infrastructure-as-Code https://research.nccgroup.com/2022/09/19/a-guide-to-improving-security-through-infrastructure-as-code/
Modern organizations evolved and took the next step when they became digital. Organizations are using cloud and automation to build a dynamic infrastructure to support more frequent product release and faster innovation. This puts pressure on the IT department to do more and deliver faster. Automated cloud infrastructure also requires a new mindset, a change in the approach about change and risk from them.
Depending on the way that people use the technology though, it can reduce the risk and improve the quality of the infrastructure.
Tomi Engdahl says:
External attack surface and ongoing cybercriminal activity in APAC region https://securelist.com/external-attack-surface-and-ongoing-cybercriminal-activity-in-apac-region/107430/
To prevent a cyberattack, it is vital to know what the attack surface for your organization is. To be prepared to repel the attacks of cybercriminals, businesses around the world collect threat intelligence themselves or subscribe for threat intelligence services.
Continuous threat research enables Kaspersky to discover, infiltrate and monitor resources frequented by adversaries and cybercriminals worldwide. Kaspersky Digital Footprint Intelligence leverages this access to proactively detect threats targeted at organizations worldwide, their assets or brands, and alert our customers to them.
Tomi Engdahl says:
Column: Who's afraid of the cyber threat?
https://www.tivi.fi/uutiset/tv/a1f64341-fbc6-47e6-95ed-6658a8f04601
The internet is enormous. When you try to think of all the servers, routers and cables that open the doors to an endless amount of information for us, you may feel small. It is like trying to understand how space goes on infinitely. In its own way, the internet too is like a dark cosmos around us.
When we post on social media or discussion forums, it is hard to imagine who is actually watching us. It feels as if we are constantly leaving invisible traces, which we also leave whenever we use the internet.
Tomi Engdahl says:
Preventing ISO Malware
https://isc.sans.edu/diary/Preventing+ISO+Malware+/29062
In the last few weeks, I've seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
Tomi Engdahl says:
Eyeglass Reflections Can Leak Information During Video Calls
https://www.securityweek.com/eyeglass-reflections-can-leak-information-during-video-calls
A group of academic researchers have devised a method of reconstructing text exposed via participants’ eyeglasses and other reflective objects during video conferences.
Zoom and other video conferencing tools, which have been widely adopted over the past couple of years as a result of the Covid-19 pandemic, may be used by attackers to leak information unintentionally reflected in objects such as eyeglasses, the researchers say.
“Using mathematical modeling and human subjects experiments, this research explores the extent to which emerging webcams might leak recognizable textual and graphical information gleaming from eyeglass reflections captured by webcams,” the academics note in their research paper.
According to the researchers, evolving webcam technology may result in optical attacks that rely on using multiframe super resolution techniques for the reconstruction of the reflected content.
Dubbed ‘webcam peeking attack’, a threat model devised by academics shows that it is possible to obtain an accuracy of over 75% when reconstructing and recognizing text with heights as small as 10 mm, captured by a 720p webcam.
“We further apply this threat model to web textual contents with varying attacker capabilities to find thresholds at which text becomes recognizable. Our user study with 20 participants suggests present-day 720p webcams are sufficient for adversaries to reconstruct textual content on big-font websites,” the researchers note.
Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing
https://arxiv.org/pdf/2205.03971.pdf
Tomi Engdahl says:
What’s Old Is New Again: GPT-3 Prompt Injection Attack Affects AI
https://hackaday.com/2022/09/16/whats-old-is-new-again-gpt-3-prompt-injection-attack-affects-ai/
What do SQL injection attacks have in common with the nuances of GPT-3 prompting? More than one might think, it turns out.
Many security exploits hinge on getting user-supplied data incorrectly treated as instruction. With that in mind, read on to see [Simon Willison] explain how GPT-3 — a natural-language AI — can be made to act incorrectly via what he’s calling prompt injection attacks.
Prompt injection attacks against GPT-3
https://simonwillison.net/2022/Sep/12/prompt-injection/
Prompt injection
This isn’t just an interesting academic trick: it’s a form of security exploit. The obvious name for this is prompt injection.
Here’s why it matters.
GPT-3 offers a paid API. That API is already being used by people to build custom software that uses GPT-3 under the hood.
Somewhat surprisingly, the way you use that API is to assemble prompts by concatenating strings together!
A surprising thing about working with GPT-3 in this way is that your prompt itself becomes important IP. It’s not hard to imagine future startups for which the secret sauce of their product is a carefully crafted prompt.
Tomi Engdahl says:
Open Source Risks with New Technologies: AI, GitHub Copilot, Blockchain & More
https://www.brighttalk.com/webcast/13983/552156?utm_source=brighttalk-recommend&utm_campaign=mysubscriber_weekly_email&utm_medium=email&utm_content=comingup&utm_term=372022
The evolution of newer technologies, like artificial intelligence, machine learning, GitHub Copilot, blockchain, cryptocurrencies, DeFi, APIs, containers, and SaaS/PaaS/IaaS, raise new open source legal issues and license selection and compliance considerations.
With these technologies becoming increasingly common place, do you have a strategy to manage your risk and compliance?
Tomi Engdahl says:
Jamk and the National Emergency Supply Agency start developing the cyber capabilities of sectors critical to security of supply https://www.huoltovarmuuskeskus.fi/a/jamk-ja-huoltovarmuuskeskus-ryhtyvat-kehittamaan-huoltovarmuuskriittisten-toimialojen-kybervalmiuksia
The IT Institute of Jyväskylä University of Applied Sciences (Jamk) and the National Emergency Supply Agency (Huoltovarmuuskeskus) have signed an agreement on developing cybersecurity exercise activities for actors critical to security of supply. The project enables regular exercises for sectors critical to security of supply in Jamk's RGCE cyber range. The cybersecurity activity is being developed as part of the National Emergency Supply Agency's Digital Security 2030 programme.
The RGCE exercise environment will be expanded so that organisations in sectors critical to security of supply can also train and exercise their staff in cybersecurity. Staff learn to protect their digital operating environment in cyber incident situations and to identify areas for improvement in their environment. Training and exercises improve the capabilities to protect critical infrastructure and to recover faster from cyber incidents.
Tomi Engdahl says:
MFA Fatigue: Hackers new favorite tactic in high-profile breaches https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/
Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network. The reality is that obtaining corporate credentials is not extremely difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces.
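From the defender's side, MFA fatigue is visible in the identity provider's push-notification logs as a burst of prompts for one account, often with several denials before an approval. Below is an added example (not from the BleepingComputer article or any vendor) of a simple detector over a constructed log: it keeps a sliding window of prompts per user and raises one alert when the window reaches a threshold, and another when an approval follows a run of denials. The log format, thresholds and user names are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real vendor output). One record per line:
# "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2022-09-20T09:00:00 user=bob event=push_sent
2022-09-20T09:00:05 user=bob event=push_approved
2022-09-20T10:00:00 user=alice event=push_sent
2022-09-20T10:00:20 user=alice event=push_denied
2022-09-20T10:01:00 user=alice event=push_sent
2022-09-20T10:01:15 user=alice event=push_denied
2022-09-20T10:02:00 user=alice event=push_sent
2022-09-20T10:02:30 user=alice event=push_denied
2022-09-20T10:03:00 user=alice event=push_sent
2022-09-20T10:04:00 user=alice event=push_sent
2022-09-20T10:05:00 user=alice event=push_sent
2022-09-20T10:05:40 user=alice event=push_approved
"""

WINDOW = timedelta(minutes=10)  # assumed tuning values
MAX_PUSHES = 5                  # prompts inside the window before alerting
MAX_DENIALS = 3                 # denials after which an approval is suspicious


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts_str), fields["user"], fields["event"]


def detect_mfa_fatigue(log_text: str) -> List[Tuple[str, str, datetime]]:
    """Return (user, alert_kind, timestamp) tuples for push-flood and
    approval-after-denials patterns. Records must be in time order."""
    alerts = []
    pushes: Dict[str, deque] = defaultdict(deque)  # user -> prompt timestamps in window
    denials: Dict[str, int] = defaultdict(int)     # user -> denials since last approval
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "push_sent":
            window = pushes[user]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.popleft()
            if len(window) == MAX_PUSHES:  # alert once, when the threshold is crossed
                alerts.append((user, "push_flood", ts))
        elif event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            if denials[user] >= MAX_DENIALS:
                alerts.append((user, "approval_after_denials", ts))
            denials[user] = 0
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

The second pattern is the important one: an approval that arrives after repeated denials is exactly the outcome the tactic aims for, so it deserves a higher severity than the flood alone, and is a reasonable trigger for forcing re-authentication and a session reset.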
Tomi Engdahl says:
Security Risks in Logistics APIs Used by E-Commerce Platforms https://www.trendmicro.com/en_us/research/22/i/security-risks-in-logistics-apis-used-by-e-commerce-platforms-.html
Our research examines the security flaws that we found in the logistics API implementation of e-commerce platforms that can potentially expose the consumers' personal information. We discuss the security risks that such flaws present for software engineers, e-commerce platform providers, and consumers. The connectivity that we've experienced of late has improved at an unprecedented speed and scale largely because application programming interfaces (APIs) enable the seamless integration of different systems from different entities.
APIs integrate data and services between businesses and third-party vendors to address various market needs, enhance the provision of services, and obtain consumer insights, thus driving the significant growth of e-commerce in recent years.
Tomi Engdahl says:
Credential Phishing Targeting Government Contractors Evolves Over Time https://cofense.com/blog/credential-phishing-targeting-government-contractors-evolves-over-time
Threat actors are running a series of campaigns spoofing several departments of the United States government. The emails claim to request bids for government projects but lead victims to credential phishing pages instead. These campaigns have been ongoing since at least mid-2019 and were first covered in our Flash Alert in July 2019.
These advanced campaigns are well crafted, have been seen in environments protected by secure email gateways (SEGs), are very convincing, and appear to be targeted. They have evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.
Tomi Engdahl says:
Can your iPhone be hacked? What to know about iOS security https://www.welivesecurity.com/2022/09/19/can-iphone-be-hacked-what-know-ios-security/
Here are some of the most common ways that an iPhone can be compromised with malware, how to tell it's happened to you, and how to remove a hacker from your device. Let's be clear: if your iPhone or iPad is connected to the internet, there's a risk it might get hacked.
Sure, statistics seem to support the idea that your iOS device is pretty safe (and Apple keeps adding new safety features), but your security largely hinges on how you actually use the device. In this article, we'll look at some of the most common ways for malware to compromise iPhones, some warning signs your own phone may have been hacked, and how to fight back.
Tomi Engdahl says:
Defense-in-Depth Updates for Azure Identity SDK and Azure Key Vault SDK plus Best Practice Implementation Guidance https://msrc-blog.microsoft.com/2022/09/20/defense-in-depth-updates-for-azure-identity-sdk-and-azure-key-vault-sdk-plus-best-practice-implementation-guidance/
Today, Microsoft released a new version of the Azure Key Vault Software Development Kit (SDK) and Azure Identity SDK that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing. While most applications using the SDKs are safe, applications which take user provided Key Vault or Managed HSM resource URIs may be at risk of leaking authentication information if URIs are not validated correctly.
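The risk described above is the classic one for any client that takes a resource URI from outside: if the application forwards the caller's URI unchanged, the SDK will happily send a bearer token to whatever host is named. The added example below (written for this comment, not Microsoft's code or guidance) shows a strict allow-list check to apply before handing a user-supplied vault URI to the client: HTTPS only, no userinfo, no non-default port, and a hostname that is exactly one vault name followed by one of the public-cloud Key Vault or Managed HSM DNS suffixes. The suffix list and the vault-name pattern are assumptions for the public Azure cloud and would need adjusting for sovereign clouds.

```python
import re
from urllib.parse import urlsplit

# Public Azure cloud suffixes assumed for this example; sovereign clouds use others.
ALLOWED_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")
# Approximation of Key Vault naming rules (3-24 chars, letters/digits/hyphens,
# starts with a letter, ends with a letter or digit); assumed for the check.
VAULT_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{1,22}[a-z0-9]$")


def validate_vault_uri(raw: str) -> str:
    """Return a normalized 'https://<host>' for an allow-listed vault URI,
    or raise ValueError. Anything beyond the host (path, query) is dropped."""
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("vault URI must use https")
    if "@" in parts.netloc:
        # 'https://attacker.example@myvault.vault.azure.net' parses to the right
        # host but carries credentials; refuse userinfo outright.
        raise ValueError("userinfo not allowed in vault URI")
    host = parts.hostname  # lower-cased by urlsplit
    if not host:
        raise ValueError("vault URI has no host")
    if parts.port not in (None, 443):  # raises ValueError itself on a bad port string
        raise ValueError("non-default port not allowed")
    for suffix in ALLOWED_SUFFIXES:
        if host.endswith(suffix):
            name = host[: -len(suffix)]
            if VAULT_NAME_RE.match(name):
                return f"https://{host}"
            raise ValueError(f"invalid vault name {name!r}")
    # Catches 'myvault.vault.azure.net.attacker.example' and the bare suffix.
    raise ValueError(f"host {host!r} is not an allowed vault host")


def is_safe_vault_uri(raw: str) -> bool:
    try:
        validate_vault_uri(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://myvault.vault.azure.net",
        "https://myvault.vault.azure.net.attacker.example",
        "https://attacker.example@myvault.vault.azure.net",
    ):
        print(candidate, "->", is_safe_vault_uri(candidate))
```

The function returns a rebuilt URI rather than the caller's string on purpose: the client then connects to the validated host and nothing else, and any path or query the caller supplied never reaches the SDK.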
Tomi Engdahl says:
Deconstructing Florian’s Bicycle
https://windowsir.blogspot.com/2022/09/deconstructing-florians-bicycle.html
Not long ago, Florian Roth shared some fascinating thoughts via his post, The Bicycle of the Forensic Analyst, in which he discusses increases in efficiency in the forensic review process. I say “review” here, because “analysis” is a term that is often used incorrectly, but that’s for another time. Specifically, Florian’s post discusses efficiency in the forensic review process during incident response.
After reading Florian’s article, I had some thoughts that I wanted to share that would extend what he’s referring to, in part because I’ve seen, and continue to see, the need for something just like what is discussed. I’ve shared my own thoughts on this topic previously.
Tomi Engdahl says:
Hookup site targeted by typo-squatters
https://www.malwarebytes.com/blog/news/2022/09/contact-site-subject-of-typo-squatting-for-dubious-advertising-extensions-and-fake-warnings
Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains of which many are spelling variations of the brand name Sniffies. Sniffies identifies itself as a modern, map-based, meetup app for gay, bi, and curious guys. Kody used an open source tool called DNSTwist to generate a list of lookalike domains for Sniffies.com. Out of the 3531 possibilities generated by the tool, 51 represented valid domains. “I saw a good amount of domains registered with the same MX server set up, even though the domains were hosted on random platforms.” A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. So that would imply that the domains were set up by the same threat-actor.
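The brand-monitoring workflow described in this post has two steps: generate the lookalike candidates for your own domain, then compare them with what is actually registered and look for shared infrastructure such as a common MX host. The added example below is not DNSTwist's code; it implements a small subset of the same permutation ideas (omission, repetition, transposition, a few homoglyphs and keyboard neighbours, hyphenation, alternative TLDs) for a placeholder brand, and then matches them against a constructed table of "observed registrations" standing in for a passive-DNS or certificate-transparency feed. The homoglyph and keyboard tables, the TLD list and the observed data are all constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed lookup tables (a real tool carries far larger ones).
HOMOGLYPHS = {"l": "1", "o": "0", "i": "1", "e": "3", "a": "4"}
ADJACENT_KEYS = {"e": "wr", "x": "zc", "a": "qs", "m": "n", "p": "o", "l": "k"}
EXTRA_TLDS = ("net", "org", "co")


def typo_variants(domain: str) -> List[str]:
    """Generate typo-style lookalikes of a second-level domain plus TLD swaps."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])              # omission
        names.add(name[:i] + ch + name[i:])             # repetition
        if i < len(name) - 1:                           # transposition
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in HOMOGLYPHS:                            # visually similar digit
            names.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
        for neighbour in ADJACENT_KEYS.get(ch, ""):     # keyboard neighbour
            names.add(name[:i] + neighbour + name[i + 1:])
        if i > 0:                                       # hyphenation
            names.add(name[:i] + "-" + name[i:])
    names.discard(name)
    variants = {f"{n}.{tld}" for n in names if n}
    variants |= {f"{name}.{t}" for t in EXTRA_TLDS if t != tld}
    return sorted(variants)


# Constructed "observed registrations" with the MX host each one publishes,
# as a passive-DNS or CT-log feed might supply them.
OBSERVED: Dict[str, str] = {
    "exmple.com": "mx.mailhost-a.example",
    "examp1e.com": "mx.mailhost-a.example",
    "ex-ample.com": "mx.mailhost-a.example",
    "example.net": "mx.legit-mail.example",
    "unrelated.com": "mx.mailhost-a.example",
}


def find_lookalikes(domain: str, observed: Dict[str, str]) -> List[str]:
    """Registered domains that are typo variants of the brand domain."""
    candidates = set(typo_variants(domain))
    return sorted(d for d in observed if d in candidates)


def cluster_by_mx(domains: List[str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Group lookalikes that share an MX host; singletons are dropped."""
    clusters = defaultdict(list)
    for d in domains:
        clusters[observed[d]].append(d)
    return {mx: sorted(ds) for mx, ds in clusters.items() if len(ds) > 1}


if __name__ == "__main__":
    brand = "example.com"  # placeholder brand
    hits = find_lookalikes(brand, OBSERVED)
    print(f"{len(typo_variants(brand))} candidates, {len(hits)} registered: {hits}")
    for mx, ds in cluster_by_mx(hits, OBSERVED).items():
        print(f"shared MX {mx}: {ds}")
```

Shared MX is only one correlation key; name-server set, registrar and certificate issuer cluster in the same way, and an unrelated domain on the same mail host (as with unrelated.com above) is filtered out simply because it is not a lookalike in the first place.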
Tomi Engdahl says:
Game dev 2K's support site hacked to push malware via fake tickets https://www.bleepingcomputer.com/news/security/game-dev-2k-s-support-site-hacked-to-push-malware-via-fake-tickets/
Hackers have compromised the support system of American video game publisher 2K and now are sending support tickets to gamers containing the RedLine password-stealing malware. 2K is the publisher behind numerous popular game franchises, including NBA 2K, Borderlands, WWE 2K, PGA Tour 2K, Bioshock, Civilization, and Xcom. Starting today, 2K customers began receiving emails stating that they opened support tickets on 2ksupport.zendesk.com, 2K’s online support ticketing system. While the users confirmed these tickets had been created, numerous recipients on Twitter and Reddit stated that they were not the ones who opened the tickets.
Tomi Engdahl says:
Chainsaw: Hunt, search, and extract event log records
https://isc.sans.edu/diary/Chainsaw%3A+Hunt%2C+search%2C+and+extract+event+log+records/29066
I first spotted Chainsaw courtesy of Florian Roth's Twitter feed given that Chainsaw favors using Sigma as one of its rule engines. Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. Chainsaw's powerful first-response capability offers a generic and fast method of searching through event logs for keywords.
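To show what "applying Sigma detection logic to event logs" means at the smallest scale, here is an added example of a Sigma-style rule evaluator in Python. It is not Chainsaw's code and implements only a subset of Sigma semantics: a detection map whose fields are AND-ed, list values OR-ed unless the `|all` modifier is present, the `contains`, `startswith` and `endswith` modifiers, plain wildcards for unmodified fields, and conditions of the form `selection and not filter`. The events are a constructed, flattened sample of the kind an EVTX-to-JSON step produces, and the rule (process creation of whoami.exe, excluding service accounts) is written for the demonstration.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# Constructed sample events (not real logs), flattened to field: value.
EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "svc_monitoring",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"EventID": 4624, "Channel": "Security", "LogonType": 10, "TargetUserName": "jdoe"},
]

# A Sigma-style rule as the dict its YAML would parse to (constructed for the demo).
RULE = {
    "title": "Whoami execution by interactive user",
    "detection": {
        "selection": {"EventID": 4688, "NewProcessName|endswith": "\\whoami.exe"},
        "filter": {"SubjectUserName|startswith": "svc_"},
        "condition": "selection and not filter",
    },
}


def _match_value(field_value: Any, pattern: Any, modifier: Optional[str]) -> bool:
    if field_value is None:
        return False
    value, pat = str(field_value).lower(), str(pattern).lower()  # Sigma matching is case-insensitive
    if modifier is None:
        return fnmatch.fnmatchcase(value, pat)  # supports Sigma's * and ? wildcards
    if modifier == "contains":
        return pat in value
    if modifier == "startswith":
        return value.startswith(pat)
    if modifier == "endswith":
        return value.endswith(pat)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every key in the map must match; list values are OR-ed unless |all is given."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        require_all = "all" in mods
        modifier = next((m for m in mods if m != "all"), None)
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), v, modifier) for v in values]
        if not (all(hits) if require_all else any(hits)):
            return False
    return True


def evaluate_condition(condition: str, named: Dict[str, bool]) -> bool:
    """Left-to-right evaluation of 'a and not b', 'a or b' etc. (no parentheses)."""
    result, op, negate = None, None, False
    for token in condition.split():
        if token in ("and", "or"):
            op = token
        elif token == "not":
            negate = True
        else:
            value = named[token] != negate
            negate = False
            if result is None:
                result = value
            elif op == "and":
                result = result and value
            else:
                result = result or value
    return bool(result)


def hunt(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    detection = rule["detection"]
    matches = []
    for event in events:
        named = {name: match_selection(sel, event)
                 for name, sel in detection.items() if name != "condition"}
        if evaluate_condition(detection["condition"], named):
            matches.append(event)
    return matches


if __name__ == "__main__":
    for hit in hunt(RULE, EVENTS):
        print(f"[{RULE['title']}] {hit['SubjectUserName']}: {hit['CommandLine']}")
```

The third event shows why the filter matters: the same binary run by a monitoring service account is expected noise, and a rule without the exclusion would page on it every time the scheduled task runs.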
Tomi Engdahl says:
Cross-Layer Security: A Holistic View of Internet Security https://freedom-to-tinker.com/2022/09/20/cross-layer-security-a-holistic-view-of-internet-security/
On February 3, 2022, attackers launched a highly effective attack against the Korean cryptocurrency exchange KLAYswap. We discussed the details of this attack in our earlier blog post Attackers exploit fundamental flaw in the web's security to steal $2 million in cryptocurrency. However, in that post we only scratched the surface of potential countermeasures that could prevent such attacks. In this new post, we will discuss how we can defend the web ecosystem against attacks like these. This attack was composed of multiple exploits at different layers of the network stack. We term attacks like this cross-layer attacks, and offer our perspective on why they are so effective. Furthermore, we propose a practical defense strategy against them that we call cross-layer security.
Tomi Engdahl says:
Quantifying ROI in Cybersecurity Spend
https://www.securityweek.com/quantifying-roi-cybersecurity-spend
In cybersecurity, there are too many variables on both the attack and defense sides to easily calculate ROI for specific spends
You cannot separate cost and value in business: value is used to justify cost. Business value is measured by the return on investment (ROI) from cost. By understanding current ROI it is easier to justify future cost because you know the value. But this is a problem: how do you measure or quantify ROI in cybersecurity spend?
The problem
“A good day in security is when nothing bad happens,” says Sounil Yu, CISO at JupiterOne. The problem for understanding ROI is why did nothing bad happen? Was it luck, and on that day, you were not attacked by an elite hacker? Was it because you maintain a thorough patching program? Was it because of one or more of your cybersecurity controls – but which one or ones were successful, and how much cost to the firm did they prevent? None of these is easy to explain or quantify if nothing bad happened.
But, continues Yu, “Calculating some form of value from security expenditures becomes necessary for security leaders to differentiate luck from skill.” This is important information to convey to the board or whoever controls the security budget. ‘Luck’ can promote an optimism bias; that is, the belief that since nothing has happened, nothing is likely to happen. This will make it harder to obtain future budget because it may be considered unnecessary.
Yet, understanding what security controls have been effective (to convey the skill level) is difficult. “There is limited data to make reliable estimates on likelihood,” said Yu. “For example, the massive increases in cyber insurance this year resulting from waves of successful ransomware attacks represents the gross miscalculations of likelihood made by most insurers. In other words, those who are highly incentivized to use rigorous actuarial methods to calculate the value of security controls still got it quite wrong.”
Nevertheless, comments John Hellickson, field CISO at cybersecurity firm Coalfire, with increased board oversight of cybersecurity, “It’s important to tie specific cyber investments that can show improvement to cyber maturity and reduction of risk to key business objectives.”
The problem in cybersecurity is that there are too many variables on both the attack and defense sides to easily calculate ROI for specific spends.
Some areas can be quantified
Not all elements of an ROI calculation are impossible – for example, the cost of specific failure in certain areas. “There are areas where you can quantify losses, making the cost of mitigating controls realistic,” says Rick Holland, CISO and VP of strategy at Digital Shadows. He cites the cost of lost revenue if an ecommerce site is forced offline (which can be used to justify DDoS mitigation spend); while B2C companies can forecast the impact of stolen credentials (justifying spend on enhanced authentication solutions).
Taking this approach to its logical conclusion, the CISO can approach the board with a total cost of cybersecurity failure and a budget request to mitigate all loss. It’s a nice idea, but one that won’t float. The board will not entertain total failure, but will demand to know the likelihood of individual failures.
“Putting a percentage likelihood number on the probability you will be breached is very subjective, and I’d be skeptical of most organizations’ ability to do this,” says Holland. “When quantifying risk in economic terms, there are so many variables that are challenging to calculate,” he adds. “There is no ‘easy button’ when quantifying cybersecurity ROI; for most companies, it can be more art than science.”
This is an important comment, because it specifies the two primary but opposite approaches: cybersecurity as an art and cybersecurity as a science.
Treating cybersecurity as an art
Bernard Montel, technical director EMEA at Tenable, remembers the time he was asked how he would recruit engineers for a SOC. “The answer was, I don’t want to have an expert on firewalls or pentesting. I would love to get a gamer – someone who never gives up, someone with a lot of curiosity, someone who wants to discover maps or some part of the game they’ve never seen before and try again and again and again. That is a better mindset for me. Someone doing, you know, hunting or investigations rather than just having a subject expert on network security.”
This use of personal experience, knowledge and understanding and being able to think outside the (scientific) box is a good example of the art of cybersecurity.
Jadee Hanson, CIO and CISO at Code42 is a firm believer that successfully implementing security is an art form. She’s not even keen on the term ‘ROI’, preferring to call it cost/benefit analysis. The key areas are understanding your company’s security maturity level, understanding the company’s risk acceptance levels, and making what is essentially a subjective decision on the areas that need to and can be maintained or improved.
She thinks of security as an internal insurance policy to protect the ROI of other parts of the business. “At the end of the day,” she said, “security is a G&A (general and administrative expense) function of the organization. We function to protect the ROI for other parts of the organization that generate true revenue.”
Marketing is an example. “Let’s say marketing has a target ROI of 10% more revenue resulting from marketing spend. In security, our task is to have the right security control, the right deployment and the right configuration of that product to protect marketing’s ROI by protecting the technology used by marketing.”
The way to achieve this is through a thorough understanding of the business and its goals, which is achieved by balancing the company’s security maturity against the company’s risk tolerance. The former is controlled by available budget, while the latter will vary from firm to firm.
“If you’re a smaller company, you can afford to take on a lot more risk. Your culture is one that is already centered around risk taking; so, you’re going to have a lower budget and you’re only going to focus on the most important items. If you’re a larger company, or regulated, your culture is one where you can’t afford any security misstep. You’ll have a higher budget and you’re going to focus on closing as many risks as possible via people, process and technology.”
Missing from this argument is stressing over security spend ROI. The key is understanding the business expectations rather than the science of probability, and then aligning risk tolerance (which is a variable) with actual risks (which vary) in accordance with available budget (another variable) and available controls. The available controls are the biggest variable.
Science
Stan Black, CISO at Delinea, leans toward the scientific approach. “Of the (primary) types of risk treatment [avoidance, reduction, transfer, acceptance],” he said, “cybersecurity ROIs generally fall into two main categories, risk avoidance and reduction. Both categories can be quantified in ratios of cost versus financial risk. For example, if we implement privileged access, the risk of privacy fines and legal fees will be reduced by nn%.”
Richard Seiersen, the CRO at cyber insurance firm Resilience, is a strong believer in the scientific approach to ROI quantification. “My job,” he told SecurityWeek, “is to build quantitative models for insurance, working with our actuarial science and data science team.” He has a background in quantitative science, being the author of a standard textbook (How to Measure Anything in Cybersecurity Risk), and more recently, The Metrics Manifesto.
His basic view is that although actuarial data for cybersecurity is more limited than other insurance areas, the science of probability is designed to produce accurate forecasts from limited data. “Is it precise? No. Is it accurate? Yes.”
He used ransomware as an example. “We have a lot of data on extortion,” he said; pointing out that even the criminals use a form of ROI forecasting while setting their extortion fees. “You don’t see extortion fees that are beyond the revenue of the victim.”
The amount of data available from ransomware attacks is continually growing. “The question becomes, what’s the buy across my whole portfolio based on the cost of control relative to its value in reducing the likelihood of loss? Which set of controls has the best return on investment from a dollar perspective? What is the cost of the controls that will give me the best reduction of probable future loss?”
Seiersen believes all CISOs already do this in at least an informal manner even where they reject the scientific approach. “They’re doing what I call naïve benchmarking. What does Gartner say? What does Forrester say? I’ll get on Slack and see what my CISO peers believe. I’ll ask what they think about this control versus that control. They’re doing a vague benchmark, looking at cost relative to the priorities – and then they’re placing a bet.”
This, he suggests, is normal and what most people do all the time. “But it’s a hyper-naive, semi-quantitative approach to doing things. I’m suggesting it can be done better.”
He is a fierce believer that the formal, scientific approach can lead to a better understanding of both existing and potential ROI on security spend. “Probability is a tool used to measure subjective forecasts. That’s what it is used for. Anyone rejecting this is standing against the whole history of science, and that doesn’t make any sense to me.”
Is it even necessary?
There is one question left unasked in this art versus science approach to calculating ROI. Is ROI even necessary? Are we too hung up on the concept of return on investment in cybersecurity spend? Hanson believes we probably are.
“Security’s function is to protect the ROI of the business departments that actually generate revenue for the business. As a G&A function, it is more like HR or legal than marketing or sales or manufacturing. I think we must move away from thinking of it as part of the organization that increases revenue and think of it more as just a standard function that every organization should have in place.”
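The cost-versus-risk ratios Black describes and the portfolio question Seiersen poses can be worked through numerically. The following is an added example, not code from the SecurityWeek article or from any of the firms quoted; every scenario, probability, loss figure, control and cost in it is a constructed illustrative value.

```python
"""Added example: a small quantitative security-ROI model.
Scenarios carry an annual likelihood and a single-loss figure; controls
carry an annual cost and a fractional likelihood reduction per scenario
("reduced by nn%"). All numbers below are constructed, not real data."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # likelihood of at least one such loss per year
    loss: float                # single-loss expectancy in dollars


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reductions: dict = field(default_factory=dict)  # scenario -> fraction


def ale(scenarios, controls=()):
    """Annualised loss expectancy with a set of controls applied.
    Independent reductions compound: p * prod(1 - r_i)."""
    total = 0.0
    for s in scenarios:
        p = s.annual_probability
        for c in controls:
            p *= 1.0 - c.reductions.get(s.name, 0.0)
        total += p * s.loss
    return total


def rosi(scenarios, control):
    """Return on security investment of one control taken in isolation:
    (expected loss avoided - control cost) / control cost."""
    saved = ale(scenarios) - ale(scenarios, [control])
    return (saved - control.annual_cost) / control.annual_cost


def best_portfolio(scenarios, controls, budget):
    """Exhaustively choose the subset of controls within budget that minimises
    expected annual cost (residual ALE plus control spend). Fine for a handful
    of controls; a real programme would use a proper optimiser."""
    best, best_total = (), ale(scenarios)
    for k in range(1, len(controls) + 1):
        for subset in combinations(controls, k):
            cost = sum(c.annual_cost for c in subset)
            if cost > budget:
                continue
            total = ale(scenarios, subset) + cost
            if total < best_total:
                best, best_total = subset, total
    return [c.name for c in best], best_total


# Constructed sample inputs (illustrative only).
SCENARIOS = [
    Scenario("ransomware", 0.20, 2_000_000),
    Scenario("credential stuffing", 0.50, 300_000),
    Scenario("privacy fine", 0.10, 1_000_000),
    Scenario("site outage", 0.30, 250_000),
]
CONTROLS = [
    Control("privileged access management", 120_000,
            {"ransomware": 0.40, "privacy fine": 0.50}),
    Control("customer MFA", 60_000,
            {"credential stuffing": 0.80, "ransomware": 0.25}),
    Control("DDoS mitigation", 90_000, {"site outage": 0.70}),
    Control("immutable backups", 40_000, {"ransomware": 0.30}),
]

if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.name:30s} ROSI = {rosi(SCENARIOS, c):+.2f}")
    print(best_portfolio(SCENARIOS, CONTROLS, budget=250_000))
```

Note that a control can have a negative ROSI against the modelled scenarios (here, DDoS mitigation) and still be right for a different loss profile; the point of the model is to make that judgement explicit rather than a "placed bet".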
Tomi Engdahl says:
Vulnerability Management Fatigue Fueled by Non-Exploitable Bugs
https://www.securityweek.com/vulnerability-management-fatigue-fueled-non-exploitable-bugs
Research shows that companies can have over 100,000 vulnerabilities in their systems, but 85% cannot realistically be exploited
Vulnerability management firm Rezilion commissioned Ponemon Institute to conduct research into the state of vulnerability management, given the known difficulties in timely patching and the continuous growth in the number of new vulnerabilities that need to be patched or otherwise mitigated.
“The survey (PDF) is based on responses from 634 IT and security practitioners, primarily based in North America,” Larry Ponemon, chairman of Ponemon Institute told SecurityWeek. “All of the respondents work in organizations that have an effective DevSecOps program in place. Technically, it has a margin of error of approximately 3.5%.”
One of his biggest concerns is that less than half of the respondents (47%) believe their development team ‘is able to deliver both an enhanced customer experience and secure applications’.
The problem may stem from one of the headline findings of the research: companies are faced with a backlog of 100,000 vulnerabilities within their systems. Not all are exploitable – in fact, 85% cannot be, or cannot realistically be, exploited. Nevertheless, 15,000 remaining vulnerabilities is a frightening number.
“The root cause of the problem,” suggested Liran Tancman, CEO at Rezilion, “is the time it takes to detect, prioritize and remediate each vulnerability. More than half of the respondents [actually 77%] said it takes 21 minutes for each one.”
If you do the math, it would take someone 430 days working 12 hours every day, to clear this backlog even after detecting just the exploitable vulnerabilities. And with more new vulnerabilities being reported every day, this is clearly an unsustainable approach.
The key takeaway from all the statistics uncovered by the research, suggests Tancman, is that respondents feel they lack adequate tooling to solve the problem, and the only real solution is automation.
“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organizations possess,”
Simply relying on third party lists of critical vulnerabilities doesn’t solve the problem. Tancman gave the CISA KEV (known exploited vulnerabilities) list as an example. “Certainly, this is a great place to start,” he said. However, he added, “Take Log4J [CVE-2021-44228, included in the KEV list]. We hear from our customers they may have 10,000 incidences of Log4J, but only 100 are exploitable in their environment. You have them but the specific vulnerable function is not running.”
His point is that such vulnerability lists are a good place to start. “But then understanding what’s really executed in your environment versus what is just sitting there silent and not doing anything, is a way to filter the list.” He went on to mention ‘shadow software’ – software that exists in the system but is not detected by traditional scanners because of the way it’s packaged, causing further difficulties.
Software bills of materials (SBOMs) are a good place to start when examining what is included in an app. “But that’s limited,” he said. “For example, you won’t see things inside containers and, again, many times it’s nested. So, what we do in Rezilion is to look not only on the file system but also in memory. We see everything that is executed all the way to the function level. Even if it’s packaged in a peculiar manner, we will still see it.”
Rezilion’s automated vulnerability solution does three things. “The first one is we create a dynamic software bill of materials that you plug in to your environment and immediately see all the software you have,” said Tancman. “You can search on Log4J and immediately see where you have it.”
The second is vulnerability validation. “We use our runtime intelligence, our understanding of not only what you have, but what it’s actually doing and how it’s executing.” This generally shows that something like 85% of vulnerabilities don’t require fixing because although you have them, they’re not attackable and they’re not exploitable.
“So, we take this 100,000 vulnerabilities backlog and make it a 15,000 backlog. Then we help with smart remediation. One thing we often see is that when you group those vulnerabilities by software components you can create strategies that just by touching 100 components, you are going to knock out 10,000 vulnerabilities.”
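The triage Tancman describes (start from a known-exploited list, filter by what is actually loaded and executed at runtime, then group what remains by component) can be shown on a small constructed dataset. This is an added example, not Rezilion's code; the hosts, components, versions and the `VULN-nnnn` identifiers are constructed placeholders, and the only real identifier is the Log4j CVE already named on the page.

```python
"""Added example: vulnerability-backlog triage in the style the article
describes. Findings are constructed sample data, not real scan output."""
from collections import Counter

# (host, component, version, vuln id, loaded in memory, vulnerable function executed)
FINDINGS = [
    ("web-01", "log4j-core", "2.14.1", "CVE-2021-44228", True, True),
    ("web-02", "log4j-core", "2.14.1", "CVE-2021-44228", True, False),
    ("batch-01", "log4j-core", "2.14.1", "CVE-2021-44228", False, False),
    ("web-01", "openssl", "1.1.1k", "VULN-0004", True, True),
    ("web-01", "openssl", "1.1.1k", "VULN-0005", True, True),
    ("web-01", "openssl", "1.1.1k", "VULN-0006", True, False),
    ("api-01", "jackson-databind", "2.9.8", "VULN-0007", True, True),
    ("api-01", "jackson-databind", "2.9.8", "VULN-0008", True, True),
    ("api-01", "jackson-databind", "2.9.8", "VULN-0009", True, True),
    ("build-01", "old-tool", "1.0", "VULN-0010", False, False),
    ("web-02", "curl", "7.68", "VULN-0011", True, False),
    ("web-02", "curl", "7.68", "VULN-0012", True, True),
]

# Constructed stand-in for a known-exploited list such as CISA KEV.
KEV = {"CVE-2021-44228", "VULN-0007"}


def kev_triage(findings, kev=KEV):
    """Third-party list only: every instance of a listed id is flagged,
    whether or not the vulnerable code ever runs."""
    return [f for f in findings if f[3] in kev]


def validated_backlog(findings):
    """Runtime validation: keep a finding only when the component is loaded
    and the vulnerable function has actually executed."""
    return [f for f in findings if f[4] and f[5]]


def remediation_plan(findings, touch):
    """Group the backlog by component and return the `touch` components whose
    update clears the most findings, as (component, count) pairs."""
    by_component = Counter(f[1] for f in findings)
    ranked = sorted(by_component.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:touch]


def backlog_days(count, minutes_each, hours_per_day):
    """Calendar days needed to work a backlog at a fixed effort per finding."""
    return count * minutes_each / 60 / hours_per_day


if __name__ == "__main__":
    validated = validated_backlog(FINDINGS)
    print(len(FINDINGS), "findings,", len(validated), "runtime-validated")
    print("KEV hits:", len(kev_triage(FINDINGS)),
          "of which exploitable here:", len(validated_backlog(kev_triage(FINDINGS))))
    plan = remediation_plan(validated, touch=2)
    print("touch", plan, "clears", sum(n for _, n in plan), "of", len(validated))
    print("15,000 findings at 21 min each, 12 h/day:", backlog_days(15_000, 21, 12), "days")
```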
Tomi Engdahl says:
The VC View: The AppSec Evolution
https://www.securityweek.com/vc-view-appsec-evolution
Eliminating friction and making AppSec scalable starts with designing solutions built for developers
While zero-days like the recent Spring4Shell create headlines, an unfortunate infosec reality is that hackers exploit already well-known vulnerabilities to breach networks. The CISA’s list of the Top Routinely Exploited Vulnerabilities makes that abundantly clear. In 2020, 8 of the top 12 exploits were from 2019 or earlier.
That’s why Application Security (AppSec) tooling like IAST/DAST scanners that can detect vulnerabilities in production workloads are so critical, and the evolution of the AppSec space is one of the most important post-pandemic security trends.
Before we dive into the specifics of AppSec, let’s clear up a common misconception: AppSec and DevSecOps are complementary, but they are NOT the same. DevSecOps is about building security into the SDLC and “shifting left”, while AppSec is about finding, preventing, and fixing issues once workloads are deployed to production.
Put simply: DevSecOps is about pre-deployment and AppSec is post-deployment.
Specifically, the AppSec category includes tools like IAST, DAST, RASP, WAFs, IPS/IDS, and bot management solutions. Traditionally, AppSec tooling was siloed between development (dev) and operations (ops). Dev implemented IAST agents while ops ran ad-hoc scans. Or, worse, security scans were simply tacked on post-deployment without any dev involvement at all.
But in a world where DevOps culture and CI/CD pipelines are the norm, manual scans and siloed security. Businesses need AppSec solutions aligned with the collaborative and agile culture that has made DevOps so powerful. That means emphasizing collaboration, eliminating friction, and enabling automation. Ad-hoc scans and annual pen-tests are useful, but they don’t provide the same protection as tooling inherently part of the delivery pipeline.
Tomi Engdahl says:
Scammers stole over 10 million euros from Finns in the first half of the year – ”Only the tip of the iceberg” https://www.is.fi/digitoday/art-2000009083984.html
Tomi Engdahl says:
Google, Microsoft can get your passwords via web browser’s spellcheck
https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.
While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.
Both Chrome and Edge ship with basic spellcheckers enabled. But features like Chrome’s Enhanced Spellcheck or Microsoft Editor, when manually enabled by the user, exhibit this potential privacy risk.
Tomi Engdahl says:
Developing a Strong Cybersecurity Workforce: Introducing the European Cybersecurity Skills Framework https://www.enisa.europa.eu/news/developing-a-strong-cybersecurity-workforce-introducing-the-european-cybersecurity-skills-framework
Designed to contribute to building a competent cybersecurity workforce, the European Cybersecurity Skills Framework was the focus of the conference organised over the past two days by the European Union Agency for Cybersecurity (ENISA). The Cybersecurity Skills Conference highlighted the actions taken by ENISA to create a common understanding of the roles, competencies, skills and expert knowledge required to engage in a professional activity in the field and introduced the features of the new European Cybersecurity Skills Framework (ECSF).
Tomi Engdahl says:
Authentication methods: choosing the right type https://www.ncsc.gov.uk/guidance/authentication-methods-choosing-the-right-type
This guidance helps organisations to select an appropriate method to authenticate their customers who are accessing online services. It’s intended for retailers, hospitality providers and utility services, but can be used by any organisation that needs to authenticate customers when accessing online apps or websites. Adding any of the methods described here (i.e. in addition to password authentication) will significantly increase the security of your customer accounts. There are several authentication methods that provide security that goes ‘beyond passwords’. This guidance summarises the benefits and limitations of each method, so you can choose the one that’s most appropriate for your organisation – and your customers. It also provides links to more detailed NCSC guidance on each of the authentication methods.
Tomi Engdahl says:
This is how much money Finns lost to scammers in January–June: criminals never run out of imagination
https://www.kauppalehti.fi/uutiset/nain-suuren-summan-rahaa-suomalaiset-menettivat-huijareille-tammi-kesakuussa-rikollisten-mielikuvitus-ei-lopu-kesken/b9e2ed28-3be9-4890-b232-76a583571a43
This is shaping up to be a busy year for fraud, Finanssiala (Finance Finland) reports. Finns lost 10.8 million euros to scammers in January–June alone, Finanssiala announces. In the same period, banks blocked scams worth 6.7 million euros, or at least managed to return the money obtained through them to the victims. Banks were notified of a total of 1,841 scams, of which nearly half involved fake police or phishing. The most lucrative scam methods for the crooks are document and romance scams, which accounted for 3.8 million euros. By number, fake-police scams and various kinds of phishing were the most common, at nearly half, says Niko Saxholm, director responsible for fraud and crime prevention at Finanssiala ry, in the press release.