Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development, and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency, and increased reliability, and enable processing and analytics in real time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored groups and criminal enterprises, are becoming more sophisticated: they search for vulnerabilities and deliver malware by adapting (and automating) machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of the Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn’t not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities. While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being overhauled
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU chip. In this solution, TEE-type protections are provided by a secure enclave. The use of this type of security enclave needs less code than a traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference from the TEE structure is significant: there, another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The new Armv9-A architecture, announced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will never be finished. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime https://unit42.paloaltonetworks.com/domain-shadowing/
Cybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various nefarious endeavors, including phishing, malware distribution, and command and control (C2) operations. A special case of DNS hijacking is called domain shadowing, where attackers stealthily create malicious subdomains under compromised domain names. Shadowed domains do not affect the normal operation of the compromised domains, making it hard for victims to detect them. The inconspicuousness of these subdomains often allows perpetrators to take advantage of the compromised domains’ benign reputation for a long time.
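The detection angle of the post above, as an added example that is not Unit 42’s code: over a constructed passive-DNS sample, it flags clusters of recently created subdomains that resolve outside the /24 prefixes the domain’s long-established hosts have used, which is the footprint shadowing leaves while the apex itself keeps working. The records, the two-label apex rule and the cluster threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed passive-DNS sample (not real data): (fqdn, A record, first_seen).
# The 2019 records are the owner's legitimate hosts; "blog" is a new but
# legitimate host on the owner's own prefix; the last three imitate shadowed
# subdomains parked on infrastructure the owner never used.
RECORDS: List[Tuple[str, str, date]] = [
    ("example-shop.test", "203.0.113.10", date(2019, 3, 1)),
    ("www.example-shop.test", "203.0.113.10", date(2019, 3, 1)),
    ("mail.example-shop.test", "203.0.113.25", date(2019, 3, 1)),
    ("blog.example-shop.test", "203.0.113.11", date(2022, 9, 18)),
    ("k8f2a.example-shop.test", "198.51.100.77", date(2022, 9, 20)),
    ("secure-login.example-shop.test", "198.51.100.77", date(2022, 9, 21)),
    ("q9xt.example-shop.test", "198.51.100.77", date(2022, 9, 21)),
]
TODAY = date(2022, 9, 22)  # constructed "now" for the sample

Finding = Tuple[str, str, List[str]]  # (apex, shared IP, flagged subdomains)


def apex_of(fqdn: str) -> str:
    # Assumption for this example: the registrable domain is the last two labels.
    # Production code should consult the public suffix list (e.g. for co.uk).
    return ".".join(fqdn.split(".")[-2:])


def prefix24(ip: str) -> str:
    """IPv4 /24 prefix, used as a coarse 'same hosting' bucket."""
    return ".".join(ip.split(".")[:3])


def find_shadowed(records: List[Tuple[str, str, date]], today: date,
                  new_days: int = 30, min_siblings: int = 2) -> List[Finding]:
    """Flag groups of subdomains first seen within new_days that share an IP
    outside the prefixes used by the domain's hosts seen before that window.
    Requiring min_siblings avoids flagging one legitimately migrated host."""
    cutoff = today - timedelta(days=new_days)
    by_apex: Dict[str, List[Tuple[str, str, date]]] = defaultdict(list)
    for fqdn, ip, seen in records:
        by_apex[apex_of(fqdn)].append((fqdn, ip, seen))

    findings: List[Finding] = []
    for apex, recs in by_apex.items():
        # Baseline: where this domain's established hosts lived before the window.
        baseline = {prefix24(ip) for _, ip, seen in recs if seen < cutoff}
        if not baseline:
            continue  # no history to compare against
        by_ip: Dict[str, List[str]] = defaultdict(list)
        for fqdn, ip, seen in recs:
            if fqdn != apex and seen >= cutoff and prefix24(ip) not in baseline:
                by_ip[ip].append(fqdn)
        for ip, names in by_ip.items():
            if len(names) >= min_siblings:
                findings.append((apex, ip, sorted(names)))
    return sorted(findings)


def demo() -> List[Finding]:
    return find_shadowed(RECORDS, TODAY)


if __name__ == "__main__":
    for apex, ip, names in demo():
        print(f"{apex}: {len(names)} new subdomains on off-baseline IP {ip}: {names}")
```

The baseline is only as good as the history it is built from: with a one-day window the 2022-09-20 record already counts as "established", and the same cluster goes unflagged.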
Tomi Engdahl says:
Databases. EXPOSED! (Redis)
https://censys.io/databases-exposed-redis/
There are 39,405 unauthenticated Redis services out of 350,675 total Redis services on the public internet. Almost 50% of unauthenticated Redis services on the internet show signs of an attempted compromise.
In this new series of posts, we decided to answer the question: What is the state of databases on the Internet? We can answer this question in extreme detail using our dataset. This report is the first of several. Over the coming months, we will release a detailed analysis of several different database technologies, and we will begin our journey into Databases. EXPOSED! with the popular in-memory database: Redis
Tomi Engdahl says:
Identifying file manipulation in system files https://www.gdatasoftware.com/blog/2022/09/37511-detecting-file-manipulation-in-system-files
File modifications happen for a number of reasons, the most innocuous one being data corruption or inadvertent partial downloads. Both scenarios often result in non-working files. However, attackers and viruses manipulate original files in a manner that they still work, but additionally execute their own malicious code. In some cases the malicious code is not even there anymore because the files have been cleaned by antivirus software, but the indications of manipulation remain. Regardless of the reason that these manipulations occur, being able to identify them is important to avoid instability, less secure systems and system infections.
Tomi Engdahl says:
Native function and Assembly Code Invocation https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/
For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief.
While in some cases it is just possible to understand the function logic and reimplement it in a higher-level language, this is not always feasible, and it becomes less feasible the more the logic of the original function is fragile and sophisticated. This is an especially sore issue when dealing with custom hashing and encryption: a single off-by-one error somewhere in the computation will cause complete divergence of the final output, and is a mighty chore to debug. In this article, we walk through 3 different ways to make this shortcut happen, and invoke functions directly from assembly.
Tomi Engdahl says:
The art and science behind Microsoft threat hunting: Part 2 https://www.microsoft.com/security/blog/2022/09/21/the-art-and-science-behind-microsoft-threat-hunting-part-2/
We discussed Microsoft Detection and Response Teams (DART) threat hunting principles in part 1 of The art and science behind Microsoft threat hunting blog series. In this follow-up post, we will talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence. In DART, we follow a set of threat hunting strategies when our analysts start their investigations. These strategies serve as catalysts for our analysts to conduct deeper investigations. For the purposes of this blog, we are listing these strategies under the assumption that a compromise has been confirmed in the customer’s environment.
Tomi Engdahl says:
Phishing Campaigns Use Free Online Resources https://isc.sans.edu/forums/diary/Phishing+Campaigns+Use+Free+Online+Resources/29074/
A phishing campaign needs some resources: bandwidth, CPU, storage. For a very long time, a lot of phishing kits have been hosted on compromised servers. The most popular are CMSs with weak configurations or outdated versions. I think that WordPress is number one in this category. Be careful, it does not mean that WordPress is a bad CMS.
Most vulnerabilities are introduced through plugins. Once compromised, the phishing kit files are copied on the server and usually are reachable via the /wp-content/ or /wp-plugin/ directories.
Tomi Engdahl says:
Unpatched 15-year old Python bug allows code execution in 350k projects https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/
A vulnerability in the Python programming language that has been overlooked for 15 years is now back in the spotlight as it likely affects more than 350,000 open-source repositories and can lead to code execution. Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch, the only mitigation provided being a documentation update warning developers about the risk.
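The mitigation the post leaves to developers, as an added example that is not from the article or from CPython: a wrapper that vets every tar member against the destination directory (absolute names, “..” traversal, and links that resolve outside it) before calling extractall, demonstrated on a constructed in-memory archive with one benign file and three hostile members. Paths and the sample archive are made up for this example.

```python
import io
import os
import tarfile
import tempfile
from typing import List, Optional, Tuple


def _is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to something beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def check_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return a rejection reason for an archive member, or None if it is safe."""
    name = member.name
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return f"absolute path: {name}"
    target = os.path.join(dest, name)
    if not _is_within(dest, target):
        return f"path escapes destination: {name}"
    if member.issym() or member.islnk():
        link = member.linkname
        # A symlink target is relative to the member's own directory,
        # a hard link target is relative to the archive root.
        if member.issym():
            resolved = os.path.join(os.path.dirname(target), link)
        else:
            resolved = os.path.join(dest, link)
        if os.path.isabs(link) or not _is_within(dest, resolved):
            return f"link escapes destination: {name} -> {link}"
    elif not (member.isfile() or member.isdir()):
        return f"unsupported member type: {name}"  # devices, fifos, ...
    return None


def safe_extract(data: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only members that pass check_member.
    Returns (names extracted, rejection reasons)."""
    accepted: List[tarfile.TarInfo] = []
    rejected: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = check_member(member, dest)
            if reason:
                rejected.append(reason)
            else:
                accepted.append(member)
        tar.extractall(path=dest, members=accepted)
    return [m.name for m in accepted], rejected


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign file plus three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, payload: bytes = b"", kind: bytes = tarfile.REGTYPE,
                linkname: str = "") -> None:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.size = len(payload)
            info.linkname = linkname
            tar.addfile(info, io.BytesIO(payload) if kind == tarfile.REGTYPE else None)
        add("docs/readme.txt", b"hello")                      # benign
        add("../../outside.txt", b"traversal")                # ".." escape
        add("/tmp/abs.txt", b"absolute")                      # absolute name
        add("escape", kind=tarfile.SYMTYPE, linkname="../outside")  # link escape
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Extract the sample into a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="safe_tar_")
    return safe_extract(build_sample_tar(), dest)


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    for reason in rejected:
        print("rejected:", reason)
```

On Python 3.12 and later (and the backports), extractall(filter="data") applies equivalent checks inside the standard library; the explicit pre-check above is what you need on the older interpreters the post is about.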
Tomi Engdahl says:
European Spyware Investigators Criticize Israel and Poland
https://www.securityweek.com/european-spyware-investigators-criticize-israel-and-poland
European Parliament members investigating the use of surveillance spyware by European Union governments sharply criticized Israel on Wednesday for a lack of transparency in allowing the sale of powerful Israeli spyware to European governments that have used it against critics.
The European lawmakers also condemned the Polish government for refusing to meet with them during a fact-finding visit to Warsaw that ended Wednesday.
“It is regrettable and we condemn the fact that the Polish authorities did not want to cooperate with our investigation committee,” Jeroen Lenaers, the head of the delegation, said at a news conference in Warsaw.
“We think it also is a telling sign of the complete lack of importance this government attaches to checks and balances, to democratic scrutiny and to dialog with elected representatives.”
Tomi Engdahl says:
How “Long-Sightedness” Can Improve Security and Fraud Programs
https://www.securityweek.com/how-long-sightedness-can-improve-security-and-fraud-programs
Looking long is an important skill for cybersecurity and fraud teams to develop
When I was younger, I wore glasses for distance. I had no problem reading without glasses in those days. As I’ve gotten older, my distance vision has improved, and I now need glasses for reading and computer work. Sadly, trying to read or work at the computer without glasses is now headache-inducing.
You might ask what my middle-aged vision has to do with security and fraud. If you know me and follow my writing, it likely won’t surprise you to hear that I believe there are important lessons we can learn from my declining near vision.
Tomi Engdahl says:
Did you know this? Security tools always have serious vulnerabilities
https://etn.fi/index.php?option=com_content&view=article&id=14026&via=n&datum=2022-09-21_15:50:41&mottagare=31202
Security companies supply businesses with complex software whose job is to keep the network and users safe. Check Point expert Moti Sagey reminded, however, that their tools also contain bugs. Even serious vulnerabilities.
For example, last year 8 high-risk vulnerabilities were found in Check Point’s tools. “We fixed the vulnerabilities in three days on average,” Sagey said.
Three days may sound like a long time, but the competitors do even worse. Last year 111 vulnerabilities classified as serious were found in Palo Alto Networks’ tools, and fixing them took 72 days on average. Fortinet had 50 serious vulnerabilities, and fixing them took 82 days on average.
The code of Cisco’s tools had 152 vulnerabilities, and they were fixed in 51 days on average. All in all, the figures are astonishing. The figures are based on the vulnerabilities the companies have publicly disclosed. They can be looked up on the CVE (Common Vulnerabilities and Exposures) site.
According to Sagey, a shift is currently underway in which the emphasis moves from reacting to cyber attacks to real-time threat identification. At Check Point, the most important tool for this is the company’s ThreatCloud service, which scans all customers’ networks. According to Sagey, its effectiveness is based on more than 30 AI-based inference engines, with which threats are identified in under 2 seconds.
Tomi Engdahl says:
Joseph Cox / VICE:
Documents: multiple US military branches have bought access to Team Cymru’s Augury internet monitoring tool, which claims to cover 90%+ of internet traffic — The “Augury” platform includes highly sensitive network data that Team Cymru, a private company, is selling to the military. “It’s everything.
Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data
https://www.vice.com/en/article/y3pnkw/us-military-bought-mass-monitoring-augury-team-cymru-browsing-email-data
The “Augury” platform includes highly sensitive network data that Team Cymru, a private company, is selling to the military. “It’s everything. There’s nothing else to capture except the smell of electricity,” one cybersecurity expert said.
Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard.
Additionally, Sen. Ron Wyden says that a whistleblower has contacted his office concerning the alleged warrantless use and purchase of this data by NCIS, a civilian law enforcement agency that’s part of the Navy, after filing a complaint through the official reporting process with the Department of Defense, according to a copy of the letter shared by Wyden’s office with Motherboard.
Tomi Engdahl says:
“The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day,” a description of the Augury platform in a U.S. government procurement record reviewed by Motherboard reads.
Tomi Engdahl says:
If you become the target of a data breach
On this page you will find instructions on what to do if you have been the target of a data breach involving personal data.
https://tietosuoja.fi/jos-joudut-tietoturvaloukkauksen-kohteeksi
Tomi Engdahl says:
7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/
In this report, we present a technical analysis and describe the evolution of the campaign in the last seven years. Although a small part of this campaign was briefly discussed in Cyble’s publication as an isolated and unattributed incident, in this article we put the whole campaign in perspective and outline almost a decade’s worth of persistent efforts in phone surveillance of the Uyghur community.
Tomi Engdahl says:
Cambodian authorities crack down on cyber slavery amid international pressure https://www.theregister.com/2022/09/22/cambodian_authorities_crack_down_on/
Lured by fake jobs, victims are isolated abroad and forced to carry out crypto, romance scams and more
Tomi Engdahl says:
IT Security Takeaways from the Wiseasy Hack https://thehackernews.com/2022/09/it-security-takeaways-from-wiseasy-hack.html
Last month TechCrunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region, and hackers managed to steal passwords for 140,000 payment terminals.
Tomi Engdahl says:
‘They Are Watching’: Inside Russia’s Vast Surveillance State https://www.nytimes.com/interactive/2022/09/22/technology/russia-putin-surveillance-spying.html
A cache of nearly 160,000 files from Russia’s powerful internet regulator provides a rare glimpse inside Vladimir V. Putin’s digital crackdown.
Tomi Engdahl says:
How Organizational Structure, Personalities and Politics Can Get in the Way of Security
https://www.securityweek.com/how-organizational-structure-personalities-and-politics-can-get-way-security
Cyberattacks and data breaches continue to rise year-over-year and another so-called silver bullet technology isn’t going to stop that trend. The reality is the bad guys are looking at the entire playing field, but we are not because organizational structure, personalities and politics get in the way.
Security organizations are traditionally structured as a collection of separate groups—including network, endpoint and cloud—tasked with protecting their part of the infrastructure and stopping certain types of threats. Each group uses its own set of security technologies from different vendors, and they bring in their own third-party data and intelligence sources for context. These silos make it extremely difficult to share data between tools or teams in any real way. And while these teams may roll up to the same person, they each have their own budgets and are laser-focused on achieving success for their projects so they can get funded…sometimes at the expense of another project. Personalities and politics start creeping in due to this unintentional (or sometimes maybe intentional) competition. In the end these divisions make it incredible difficult to create a unified defense. Instead, we’re simply creating an obstacle course for attackers that they are all too adept at successfully navigating.
Looking to the future of cybersecurity, we know that any discussion must include automation. But disconnects within an organization prevent us from making meaningful progress. A recent SANS survey (PDF) found that 97% of respondents report difficulties in rolling out automation initiatives due to technology issues, siloed departments and lack of trust in outcomes. Additionally, the misalignment between CISOs and their organizations around security automation and organization maturity makes it more difficult to overcome the structural and cultural challenges required to move up through maturity levels and promote an approach that cuts across the entire business.
SANS 2022 Cyber Threat Intelligence Survey
https://www.threatq.com/documentation/Survey-CTI-2022-ThreatQuotient.pdf
Tomi Engdahl says:
Data sovereignty is now being demanded
https://etn.fi/index.php/13-news/14035-datalta-vaaditaan-nyt-suvereniteettia
In IDC's security surveys, protecting data is still the number one priority for companies, with privacy and GDPR right behind it. Data sovereignty has now risen to follow them, said IDC's European research director Joel Stradling at his company's security event in Helsinki.
Sovereignty is a phenomenon of the global cloud world. If data resides in another country, it is subject to that country's laws and regulations. Data sovereignty means that companies, or more broadly users, can themselves decide how the data is regulated.
According to Joel Stradling, the demand for sovereignty shows in many ways. "For example, 43 percent of companies now want to keep GDPR-regulated data in Europe," Stradling said.
Another important growing trend is cyber resilience, i.e. the ability to recover quickly from cyberattacks. "It is about being prepared for everything. In cybersecurity you can no longer be interested only in crisis management. Companies' security strategies rest ever more strongly on three pillars: trust, cyber resilience and data sovereignty," Stradling stated.
This is a serious problem. For example, according to a McAfee study, it takes a company on average 19 hours from detecting a breach to resolving the problem.
"Companies have to be prepared for everything. Problems arise because a company may have tools from as many as 80 different vendors, and maintaining and updating them is increasingly difficult. At the same time, the legal requirements keep growing," Stradling described.
In practice, Europe needs as many as 200,000 to 300,000 security professionals now that work has shifted to a hybrid model. This will lead to the outsourcing of cyber protection and to models in which security is bought as a service.
Tomi Engdahl says:
Tory Newmyer / Washington Post:
DARPA hires crypto intelligence firm Inca Digital to conduct a year-long review of cryptocurrencies, assessing threats to national security and law enforcement
Pentagon launches effort to assess crypto’s threat to national security
New project is part of the U.S. government’s wider crackdown on illicit uses of digital assets
https://www.washingtonpost.com/business/2022/09/23/darpa-crypto-national-security/
The military’s innovation office is launching a sweeping review of cryptocurrencies to assess threats to national security and law enforcement posed by the rise of digital assets.
The Defense Advanced Research Projects Agency — better known as DARPA, the office that developed the earliest technology undergirding the internet — has hired crypto intelligence firm Inca Digital to conduct the year-long project. The company will develop tools that give the Pentagon a granular view of crypto markets’ inner workings, in part to help authorities crack down on illicit uses of digital assets.
“The program underway here involves mapping out the cryptocurrency universe in some detail,” Mark Flood, a program manager with the agency, said in an interview with The Washington Post. Beyond fighting illicit finance, the office aims to use the data for insights into dynamics shaping traditional financial markets, where detailed information is harder to gather.
The deal is the latest evidence that federal agencies are ramping up efforts to thwart rogue regimes, terrorists and other criminal actors using crypto to fund their operations.
The Treasury Department last month issued its first-ever sanctions against software code to target Tornado Cash, a service that helped North Korean hackers and others launder stolen crypto. This week, the department issued a request for public input on crypto’s national security and illicit finance risks.
Tomi Engdahl says:
What we know about the Optus cyber attack, and how to strengthen your online security
https://www.abc.net.au/news/2022-09-22/what-we-know-about-the-optus-cyber-attack-security-tips/101466504
Both current and former Optus customers may have potentially been involved in a data breach as a result of a cyber attack on the telecommunications company.
Optus says it noticed “unusual activity” yesterday afternoon and is now working with the Australian Cyber Security Centre and the Australian Federal Police.
Tomi Engdahl says:
PiTuKri helps put a company's security in order
https://www.dna.fi/yrityksille/blogi/-/blogs/pitukri-auttaa-laittamaan-yrityksen-tietoturvan-kuntoon?utm_source=facebook&utm_medium=linkad&utm_content=ILTE-artikkeli-pitukri-auttaa-laittamaan-yrityksen-tietoturvan-kuntoon&utm_campaign=H_ILTE_MES_22-35-39_artikkelikampanja&fbclid=IwAR3nGndntox0H3dsly5sh7Gm5Gc14Kl6yOa1KAm2wDju4Oce-lWzekJt38M
The growing use of cloud services has raised the difficulty of maintaining security. How can you make sure your organization does not fall victim to attackers? Traficom's assessment criteria for the security of cloud services are a good recipe book for building security or for assessing its level.
Security planning does not, however, have to start from a completely clean slate. Good help is available in the cloud service security assessment criteria published by Traficom, PiTuKri.
The criteria address 11 different areas, which can be used as an aid when planning a move to the cloud or when assessing the security of existing services.
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/Pilvipalveluiden_turvallisuuden_arviointikriteeristo_PiTuKri_v1_1.pdf
Tomi Engdahl says:
Finland's cyber expertise has been noticed in NATO https://www.tivi.fi/uutiset/tv/8a935d45-c14f-446a-be87-da9ed68f49eb
Finland's win in the Locked Shields cyber defence exercise in April demonstrated Finland's high level of cyber expertise and did not go unnoticed inside NATO. Because of the membership application and the F-35 aircraft procurement, Finland now has a rare opportunity and window of time to raise its visibility within NATO and exploit the commercial opportunities. Also:
https://www.tivi.fi/uutiset/tv/df03f7a6-2ff1-4c9c-b217-1fe880258d39 – Finland's NATO membership is approaching: could a cyberattack activate Article 5? [SUBSCRIBERS ONLY]
Tomi Engdahl says:
How Threat Actors Use Underground Marketplaces https://intel471.com/blog/how-threat-actors-use-underground-marketplaces
In the future, cyber underground marketplaces will likely continue to trade goods. Moreover, with surface web marketplaces such as Genesis continuing to operate in the clear and therefore increasing exposure, they will have a continuous stream of customers interested in purchasing nefarious goods. History has shown that when global and local economies are in retreat, individuals can make cash by both buying and selling compromised assets.
Tomi Engdahl says:
Hacker legend Harri Hursti has a clear warning for Finns: "The Russians are particularly skilled at this kind of attack"
https://www.kauppalehti.fi/uutiset/hakkerilegenda-harri-hurstilla-on-suomalaisille-selkea-varoitus-venalaiset-ovat-tallaisissa-hyokkayksissa-erityisen-taitavia/bebbc68b-a5a3-4ccb-ab73-ea0e915abe3b
[SUBSCRIBERS ONLY]. On the dark web, criminals pay seven times the price for Finns' banking details compared with the details of citizens of many other countries. Part of the price difference is explained by the carelessness of Finns.
Tomi Engdahl says:
This image shows its own MD5 checksum and it’s kind of a big deal https://www.bleepingcomputer.com/news/security/this-image-shows-its-own-md5-checksum-and-its-kind-of-a-big-deal/
Generating checksums – cryptographic hashes such as MD5 or SHA-256 functions for files is hardly anything new and one of the most efficient means to ascertain the integrity of a file, or to check if two files are identical. However, generating a file containing its own checksum as part of its content is a task quite daunting, if not seemingly impossible due to a paradox involved in the process. That has not stopped a researcher from creating a PNG image that contains the file’s MD5 checksum, visible within the matrix of pixels that make up the image.
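The "paradox" the article mentions is that the digest of a file cannot be computed until the file is complete, yet the digest has to be inside it, so the only generic route is guess-and-check. The following Python script is an added example (not code from the article or from the researcher behind the image); it checks whether a byte string contains its own MD5 and then brute-forces a small text that contains a short prefix of its own MD5, which shows how the cost grows with the number of hex characters that must match. The template text and placeholder names are constructed for this example.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of a byte string."""
    return hashlib.md5(data).hexdigest()


def contains_own_md5(data: bytes) -> bool:
    """True if the full 32-character hex MD5 of data appears inside data.

    The PNG in the article has this property with the digest drawn as pixels;
    here we only look for the ASCII hex string, which is the same check for
    text files.
    """
    return md5_hex(data).encode("ascii") in data


def find_self_hashing_text(template: str, prefix_len: int = 4, max_tries: int = 2_000_000):
    """Brute-force a text containing the first prefix_len hex chars of its own MD5.

    template is a constructed format string with the placeholders {nonce} and
    {digest}. Because the digest cannot be known before the text is complete,
    we guess a prefix, substitute it, hash the result and see whether the guess
    was right. Each try succeeds with probability 16**-prefix_len, so the
    expected cost is about 16**prefix_len hashes: 65,536 for 4 hex characters,
    but 16**32 for a full MD5, which is why the real image is notable.
    Returns (text, digest_prefix, tries) or None if max_tries is exhausted.
    """
    space = 16 ** prefix_len
    for i in range(max_tries):
        guess = format(i % space, f"0{prefix_len}x")  # candidate digest prefix
        text = template.format(nonce=i // space, digest=guess)
        if md5_hex(text.encode("utf-8")).startswith(guess):
            return text, guess, i + 1
    return None


if __name__ == "__main__":
    # Constructed sample template; the nonce gives us fresh inputs once every
    # prefix guess for a given nonce has failed.
    template = "constructed sample, nonce {nonce}, md5 starts with {digest}\n"
    result = find_self_hashing_text(template, prefix_len=4)
    if result is None:
        print("no fixed point found within the try budget")
    else:
        text, digest, tries = result
        print(f"found after {tries} tries: {text.strip()}")
        print("full md5:", md5_hex(text.encode("utf-8")))
```

Raising prefix_len by one multiplies the expected work by 16, so a full 32-character MD5 is out of reach by brute force alone; the image in the article therefore relies on a smarter construction than this loop, and the script is only meant to make the scale of the problem concrete.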
Tomi Engdahl says:
No Protection Against Nation-State
https://intel471.com/blog/no-protection-against-nation-state
In August 2022, the insurance behemoth Lloyd’s of London announced that from next Spring, they would no longer be covering the losses of nation-state cyber attacks. In a memo to their 76 insurance syndicates, they explained that although they are “strongly supportive” of cyber attack coverage, the risk from nation-state sponsored attacks is too great and too costly.
Tomi Engdahl says:
Not enough information security students graduate, and the education does not meet the needs of working life, university study finds
https://yle.fi/uutiset/3-12637353
Finland has a shortage of cybersecurity professionals, but the level of education given in educational institutions does not meet the requirements of working life. This emerges from a study published in late summer by the University of Jyväskylä, which examined the need for changes in the cybersecurity degree programme. According to the cybersecurity industry umbrella organization FISC, in 2025 there would be a need for 15,000 professionals in the field in Finland. According to a survey by the Ministry of Transport and Communications measuring the need for cyber expertise, 73 percent of public authorities and actors in business and the third sector experience a significant skills shortage. The study shows that the skills shortage is an obstacle to business growth: 35 percent of Finnish companies consider it a significant obstacle to growth.
Tomi Engdahl says:
MIT Report Validates Impact Of Deep Learning For Cybersecurity https://www.forbes.com/sites/tonybradley/2022/09/23/mit-report-validates-impact-of-deep-learning-for-cybersecurity/
Artificial intelligence and machine learning are ubiquitous in cybersecurity marketing, and often confused with each other and with deep learning. A recent report from MIT clarifies the distinction between the three, and emphasizes the value of deep learning for more effective cybersecurity. Report:
https://www.deepinstinct.com/pdf/mit-deep-learning-delivers-proactive-cyber-defense
Tomi Engdahl says:
US Nuclear Security Administration criticized by watchdog over cybersecurity failures https://therecord.media/us-nuclear-security-administration-criticized-by-watchdog-over-cybersecurity-failures/
The U.S. agency that maintains and modernizes the country’s nuclear stockpile was criticized by a government watchdog this week for lackluster cybersecurity policies that endangered both IT and operational technology networks. The U.S. Government Accountability Office (GAO) published an 81-page report on Thursday outlining the cybersecurity failings of the National Nuclear Security Administration (NNSA), a separately-organized agency within the Department of Energy (DOE) tasked with managing U.S. nuclear weapons at eight laboratory and production sites across the country.
Tomi Engdahl says:
Sweden Tests Cyber Defenses as War and NATO Bid Raise Security Risks
https://www.wsj.com/articles/sweden-tests-cyber-defenses-as-war-and-nato-bid-raise-security-risks-11663925402
Military, government and corporate cyber defense experts participated in an exercise focused on protecting the internet infrastructure
Tomi Engdahl says:
VPN Providers Flee India as a New Data Law Takes Hold https://www.wired.com/story/vpn-firms-flee-india-data-collection-law/
Many companies have pulled physical servers from the country as a mandate to collect customer data goes into effect.
Tomi Engdahl says:
ECF22: The attack on Ukraine was prepared for years
https://etn.fi/index.php/72-ecf/14040-ecf22-hyoekkaeystae-ukrainaan-valmisteltiin-vuosia
Tomi Engdahl says:
Kashmir Hill / New York Times:
A look at The Follower, an art project using open-source facial recognition software to match Instagram photos with EarthCam video footage of people taking them — A tech-savvy artist unearthed video footage of people working hard to capture the perfect shot for Instagram.
https://www.nytimes.com/2022/09/24/technology/surveillance-footage-instagram.html
Tomi Engdahl says:
Andy Greenberg / Wired:
Researchers say Slack and Microsoft Teams have fundamental issues vetting third-party apps and should overhaul their app model to be more like traditional OSes
Slack’s and Teams’ Lax App Security Raises Alarms
https://www.wired.com/story/slack-microsoft-teams-app-security/
New research shows how third-party apps could be exploited to infiltrate these sensitive workplace tools.
Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they’re trusted with more organizations’ sensitive data than ever before.
A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study’s survey of those safeguards found that hundreds of apps’ permissions would nonetheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.
“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,”
Tomi Engdahl says:
“Left and Right of Boom” – Having a Winning Strategy
https://www.securityweek.com/left-and-right-boom-having-winning-strategy
As security practitioners are painfully aware, it is not a matter of if but when their organization will come under cyberattack. Given this year’s geopolitical events, the likelihood of falling victim to an attack has exponentially increased. And while the cybersecurity landscape will continue to evolve; many organizations seem to be holding on to the belief that deploying more preventive security tools will result in greater protection against these threats.
According to Gartner, organizations are expected to spend $172.58 billion on IT security and risk management technologies in 2022 alone. Despite this level of investment, hardly a week goes by without a new high-profile cyberattack (e.g., Los Angeles Unified School District, Samsung, KeyBank, Okta, DoorDash, and Twilio). Reality is that we can never eliminate cyber risk entirely, but we can manage it more effectively with “Left and Right of Boom” processes and procedures, creating a winning strategy by splitting an organization’s cybersecurity investments between strategic preparedness, prevention, and incident response.
Essential “Left of Boom” Processes
Getting started on such a path can be intimidating, especially for smaller organizations with limited resources, but in a recent discussion (see video below), a group of industry-leading cybersecurity practitioners called out some of the critical steps to be considered on the path to “Left of Boom”:
• Understand hardware and software inventory to have the necessary visibility to create meaningful metrics and assess security efficacy.
• Move to the cloud to leverage the major providers’ inherent security measures and subsequently reduce the attack surface.
• Implement multi-factor authentication (MFA) and least privilege to minimize the risk of lateral movement.
• Make the endpoint resilient, as in a work-from-anywhere era all devices constitute the new enterprise perimeter.
• Apply network segmentation to minimize the risk of lateral movement.
• Run anti-malware and make sure the software is not only installed but functioning as intended.
• Establish Zero Trust principles by adopting a “never trust, always verify” mentality for cybersecurity and risk management.
Unfortunately, there is no such thing as 100 percent protection. Therefore, we cannot solely focus on “Left of Boom” processes, but also have to talk about the “Right of Boom”.
Create Your Go-Bag for “Right of Boom”
Most businesses lack what really matters for a complete recovery — pro-active resilience or the ability to bounce back when struck down and come back as strong as ever. Like people who live in an earthquake zone, businesses need to have a cybersecurity “go-bag” that they can grab as soon as disaster strikes.
Historically, IT and security professionals’ top priority regarding cyber resiliency has been securing and restoring critical infrastructure, such as servers and key business systems. Yet, in today’s “work-from-anywhere” world, the threat of cyberattacks is greatly exacerbated by the geographic distribution of endpoints. This new model has expanded the potential attack surface, lowered barriers to entry, and reduced IT teams’ visibility into devices. In fact, “The Value of Zero Trust in a WFA World” report (PDF) found that 97% of surveyed IT experts believed that remote workers are exposed to at least some added risk, with roughly 47% believing the risk was either high or extremely high.
Gone are the days when workers could simply walk over to the IT department to address their security problems. Therefore, organizations need the right tooling and technology to secure their endpoints remotely, at scale, so they can effectively remove malware and restore their critical applications after a crippling attack.
To ensure the highest level of cyber resilience and enable endpoint reconnection after compromise, businesses must have persistent defense technology with firmware-embedded capabilities. This is because any form of defense that lives on an endpoint can only be effective if it remains operational and functions as intended. In doing so, organizations can measure the health and compliance of endpoint security controls and promptly identify when applications are disabled, misconfigured, or otherwise exploited. And they can empower those mission-critical applications to self-heal and recover automatically without user intervention, even when starting from ground zero after a complete wipe. Considering the associated benefits, it’s not surprising that the National Institute of Standards and Technology (NIST) is propagating the use of these survivable, trustworthy secure systems as part of a balanced “Left and Right of Boom” strategy.
Tomi Engdahl says:
Christopher Mims / Wall Street Journal:
A look at some of the challenges of zero-trust, which creates friction for users and employees as businesses try to fight hackers; only 22% of companies use MFA
Why Even Big Tech Companies Keep Getting Hacked—and What They Plan to Do About It
https://www.wsj.com/articles/cyberattacks-hacking-lapsuss-zero-trust-okta-uber-rockstar-11663969967?mod=djemalertNEWS
Hackers keep tricking employees to gain access to corporate networks, so companies are changing their approach to make it harder to wreak havoc once they’re in
The companies that should know best how to fight hackers, tech firms, have reached an arresting conclusion: The weakest link in security, as it’s been since the Trojan War, is humans.
Increasingly, they are taking a new approach: Trust no one.
The philosophy, known as zero-trust architecture, assumes that no matter how robust a company’s external defenses are, hackers can get in. So companies need to make sure that even users inside a network can’t do serious damage.
This past week, Uber and the Rockstar Games unit of videogame company Take-Two Interactive Software each disclosed major hacks that disrupted their operations. They joined a list of victims this year that includes some of the most technologically adept companies on the planet, such as identity-verification company Okta and chip giant Nvidia.
What many of these hacks have in common is that they succeeded by tricking a person in or close to the target company into giving up network-access credentials or other critical information, a technique known as social engineering.
The hacks at the two companies, which declined to discuss their approach to security, are increasing the push for zero-trust within their peer group. Zero-trust is a broad concept, but at base it means that no part of a company’s IT systems should assume that any other part—human or software—is who or what it claims to be. All systems are assumed to be compromised by hackers already.
As big and well-resourced companies have gotten better at protecting against purely technical exploits of their systems, these social-engineering attacks have become more popular, say cybersecurity experts and the Federal Bureau of Investigation. It is, after all, easier to upgrade a computer than the human mind.
Moats aren’t enough
In the traditional approach to cybersecurity, “We just built a giant moat around the castle, and once you breached that moat, you were in,” says Boe Hartman, a former chief technology officer at Goldman Sachs, where he led the team that built the consumer-banking infrastructure that made possible Apple’s credit card and its vaunted privacy features.
This kind of perimeter security made sense at a time when corporate networks consisted mainly of PCs that were physically connected in an office building—or, if they were off-site, to a virtual private network, or VPN.
These days, a staggering variety of devices, employees and outside contractors connect to corporate systems, in an ever-larger panoply of ways, from personal mobile devices and home computers to cloud services and internet-of-things devices. Today, relying solely on protection of every device and account that might connect to a company’s systems isn’t just difficult, but frequently disastrous, since attackers have to breach only a single gate to get access to the whole kingdom.
Every component of a system should be skeptical that you are who you say you are and are doing what you should be doing.
The zero-trust approach seeks to limit such havoc. “Zero trust is based on the idea that you don’t trust anything in your system anymore,” says Anshu Sharma, chief executive of Skyflow, a startup that uses zero-trust principles to safeguard personal data for other companies. “Just because you’re in the building, you don’t get access to important stuff.”
Many of the design principles that guide engineers building zero-trust systems are easy to understand. If you’ve found yourself having to log back into corporate systems or your bank’s website more often of late, that’s a version of the zero-trust tactic of regularly “rotating” the credentials that allow people and computers to access other systems. The idea is that even if attackers got in with your account, they’d have limited time to do damage.
Another zero-trust principle, known as behavioral analysis, is that software should monitor the behavior of those on a network and flag anyone doing something unusual, like trying to make an extra-large bank withdrawal. (This is the same kind of analysis that leads your bank to send you a text if you make an out-of-character credit-card purchase, for example, when you’re traveling to a new city.)
The consistent theme is that every component of a system should be skeptical, even if you’ve identified yourself and gained access, that you are who you say you are and are doing what you should be doing.
Zero-trust systems can create friction for users and employees, because security is always a balance between giving people the access they need and demanding that they prove their identity. This is also by design, a concept known as the “principle of least privilege,” or giving people access only to the things they need, when they need them, and no more. But it runs counter to the priorities of many businesses, which are focused more on maximizing the efficiency of their operations than securing them.
A decade of zero-trust
While many businesses are only now adopting true zero-trust systems, the security industry has been talking about the trust problem for well over a decade.
One company that realized early on that walls and moats were no longer adequate protection was Google. It learned the hard way; starting in 2009, coordinated attacks by hackers associated with the Chinese government attempted to penetrate the Google-hosted email accounts of Chinese human-rights activists, The Wall Street Journal reported.
Soon after, Google began implementing its version of zero-trust systems, which it called BeyondCorp. A spokeswoman says its approach applies to all parts of an IT system—users, devices, applications, and services, regardless of ownership or physical or network location. All those elements are treated with the same inherent suspicion. The shift actually makes it easier for employees to work from anywhere, without a VPN, she adds.
Naturally, Google also turned it into a product that can be used by companies which pay for its cloud services.
There are numerous other consultants and vendors happy to teach zero-trust principles, or sell systems built with them. Okta specializes in zero-trust human identity-verification systems. (The fact that Okta itself has recently become a hacking victim demonstrates how hackers can get past the “borders” of company security—even at companies that specialize in security.) Zscaler does the same for access for software and devices. Palo Alto Networks helps build zero-trust networks. The list goes on. Yet businesses—including big, sophisticated tech companies—continue to suffer losses of proprietary data, source code and customer information.
Rome wasn’t rebuilt in a day
Creating a top-to-bottom zero-trust architecture for a company’s existing IT infrastructure requires commitment from its most senior leaders, and can ultimately necessitate what is essentially a gut renovation of its systems, says Mr. Hartman, now co-founder of Nomi Health, a healthcare startup.
So Nvidia knew a thing or two about zero trust. Yet in March, its systems were compromised—likely, as my colleagues reported this week, by Lapsus$, the same group of young hacker-pranksters that struck Uber and others. Afterward, CEO Jensen Huang said the incident was a wake-up call and vowed to accelerate Nvidia’s embrace of zero-trust architecture.
Rolling out this system isn’t without its downsides, including how it can limit the productivity of engineers who all want as much access as possible. Striking a balance between security and accessibility means constant conversations between security teams and the employees they serve, says Justin Boitano, vice president of enterprise computing at Nvidia. It helps, he adds, that Mr. Huang was forthright after the March attack, and “employees seem to understand that we live in a new world now, and potentially there are bad people living on your network.”
Okta, which also was likely hit in March by Lapsus$, said in a blog post tallying the aftermath of that breach that the company had come out much better than initially feared by its own engineers. According to a forensic report prepared by an outside cybersecurity firm, the attacker was in its systems for only 25 minutes, viewed and took screenshots of two customer accounts, and was unable to log in directly to any customers’ Okta accounts or make any changes to internal systems.
Okta now requires subcontractors, like the one that was breached, to use zero-trust security architectures, and all of them must demonstrate that they have the same level of security in their systems that Okta has in its own, says a company spokesman. Okta touts its own systems as zero-trust, and the company credits its zero-trust architecture with preventing hackers from getting any further into its systems than they did.
Microsoft says a Lapsus$ attack on its systems in March breached only one account and was quickly detected and dealt with, and didn’t lead to any leaks of customer data. Vasu Jakkal, the company’s corporate vice president of security, says the lack of damage was a result of Microsoft’s own internal zero-trust architecture.
Without such architecture, an attacker can, on average, move from gaining access to a system to entering sensitive parts of it in just over an hour, Ms. Jakkal adds.
“Attacks can come from anywhere, from anyone, and be done to anyone,” says Ms. Jakkal. “There’s no company, no matter how big or small, who are not vulnerable to attacks.”
Adopting a zero-trust approach means changing many layers of security. Those include adding multifactor authentication on company accounts, and giving users and systems the least access they actually need. It’s also a good idea to put the most sensitive data in one place and protect it vigorously, rather than sprinkling it throughout a company’s databases. (Consolidating sensitive data in one protected place is precisely what Skyflow, Mr. Sharma’s startup, does.)
The breadth of changes means that companies rebuilding old systems need to set priorities, says Mr. Hartman, starting with protecting their crown jewels—source code, other intellectual property, customer information, and the like. Later, they can work through other parts of their systems. The scale of the challenge explains, in part, why only 22% of companies have implemented multifactor authentication—such as biometrics, push notifications or device-based authentication, in addition to a password—even though it is one of the best front-line cyber defenses for access, says Ms. Jakkal.
Even proponents acknowledge that zero-trust is no silver bullet, in no small part because it takes so much time and effort to make it a reality. But in a world where regulators, shareholders and customers are all ready to hold companies and their leaders accountable for hacks and data breaches, and attackers are more resourceful and aggressive than ever, companies might not have much choice. They have to commit to making themselves less vulnerable.
“The new world is, you’ve got to assume there are always going to be bad people on your network,” says Mr. Boitano of Nvidia. “And the question is how do you protect your resources and the intellectual property of the company.”
Tomi Engdahl says:
Pentesting Tips
One of the tasks in doing a red-team test is to look for user accounts. The trouble you can run into is that brute-forcing possible user names leaves log entries, and that can get you caught. [Lars Karlslund] caught wind of LDAP Ping Requests, and immediately made the connection to user enumeration. The purpose of this was originally to easily test domain controllers for reachability, and also for certain capabilities or configurations. One of the test specifications you choose is username. [Lars]’s new tool, ldapnomnom, uses this facility to query 10,000 usernames a second. Find all the users!
https://hackaday.com/2022/09/23/this-week-in-security-malwarebytes-goes-nuts-uber/
LDAP Nom Nom
Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP)
https://www.reddit.com/r/netsec/comments/xhpyjs/ldapnomnom_anonymously_bruteforce_active/
Looks for enabled normal user accounts. No Windows audit logs generated. High speed ~ up to 10K/sec – go beyond 25K/sec with multiple servers!
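A network-side detection sketch for the enumeration pattern described above, as an added example that is not part of the post or of ldapnomnom: it assumes a sensor that exports decoded UDP/389 LDAP search filters as text records (a constructed format, not any vendor's schema) and flags sources that probe many distinct `User=` values within a short window, since, as the post notes, the domain controller itself writes no audit log for these pings.

```python
import re
from collections import defaultdict, deque

# Assumed sensor export (constructed, not a vendor schema): "<epoch> <src_ip> <filter>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\(.*\))$")
USER_RE = re.compile(r"\(User=([^)]*)\)")   # the probed account in an LDAP ping

def ping_filter(user=None, host="WS01", domain="corp.example"):
    """LDAP-ping-style search filter for the constructed sample traffic."""
    terms = [f"(DnsDomain={domain})", f"(Host={host})"]
    if user is not None:
        terms.append(f"(User={user})")
    return "(&" + "".join(terms) + "(NtVer=\\06\\00\\00\\00))"

def make_sample():
    """Constructed traffic: ordinary DC discovery from one host, 60 username probes in 0.6 s from another."""
    t, lines = 1664200000.0, []
    for i in range(5):       # benign: no User=, then its own user, 3 s apart
        lines.append(f"{t + 3 * i:.3f} 10.0.0.7 {ping_filter('jsmith' if i else None)}")
    for i in range(60):      # suspicious: a new User= value every 10 ms
        lines.append(f"{t + 0.01 * i:.3f} 10.0.0.66 {ping_filter(f'user{i:03d}')}")
    return lines

def parse(line):
    """Return (timestamp, src_ip, user_or_None), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, flt = m.groups()
    u = USER_RE.search(flt)
    return float(ts), src, (u.group(1) if u else None)

def detect(lines, window=1.0, threshold=20):
    """Map each source to the peak number of distinct User= values it probed
    within any `window` seconds, keeping only sources at or above `threshold`.
    Pings without User= are ignored: ordinary DC discovery sends those too.
    Records are assumed to arrive in time order per source."""
    recent = defaultdict(deque)   # src -> (ts, user) pairs inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] is None:
            continue
        ts, src, user = rec
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({u for _, u in q}))
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(detect(make_sample()))   # {'10.0.0.66': 60}
```

The threshold and window are tuning knobs: a single workstation legitimately includes its own user in a ping, so the signal is the count of distinct names per source, not the presence of `User=` alone.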
Tomi Engdahl says:
https://github.com/lkarlslund/ldapnomnom
Tomi Engdahl says:
Electronic Frontier Foundation:
Analysis: 16 smartphone apps used as ankle monitor alternatives in the US access wide swaths of information, contain third-party trackers, and are unreliable
Study of Electronic Monitoring Smartphone Apps Confirms Advocates’ Concerns of Privacy Harms
https://www.eff.org/deeplinks/2022/09/study-electronic-monitoring-smartphone-apps-confirms-advocates-concerns-privacy
Researchers at the University of Washington and Harvard Law School recently published a groundbreaking study analyzing the technical capabilities of 16 electronic monitoring (EM) smartphone apps used as “alternatives” to criminal and civil detention. The study, billed as the “first systematic analysis of the electronic monitoring apps ecosystem,” confirmed many advocates’ fears that EM apps allow access to wide swaths of information, often contain third party trackers, and are frequently unreliable. The study also raises further questions about the lack of transparency involved in the EM app ecosystem, despite local, state, and federal government agencies’ increasing reliance on these apps.
As of 2020, over 2.3 million people in the United States were incarcerated, and an additional 4.5 million were under some form of “community supervision,” including those on probation, parole, pretrial release, or in the juvenile or immigration detention systems. While EM in the form of ankle monitors has long been used by agencies as an “alternative” to detention, local, state, and federal government agencies have increasingly been turning to smartphone apps to fill this function. The way it works is simple: in lieu of incarceration/detention or an ankle monitor, a person agrees to download an EM app on their own phone that allows the agency to track the person’s location and may require the person to submit to additional conditions such as check-ins involving face or voice recognition. The low costs associated with requiring a person to use their own device for EM likely explains the explosion of EM apps in recent years. Although there is no accurate count of the total number of people who use an EM app as an alternative to detention, in the immigration context alone, today nearly 100,000 people are on EM through the BI Smartlink app, up from just over 12,000 in 2018. Such a high usage calls for a greater need for public understanding of these apps and the information they collect, retain, and share.
Tomi Engdahl says:
Telia services down – none of this is working https://www.is.fi/digitoday/art-2000009094846.html
Telia's system fault affects, among other things, its website, customer portal and mobile certificate (Mobiilivarmenne) service.
Tomi Engdahl says:
“This is not very rare” – the Deputy Data Protection Ombudsman considers the Kuopio data breach a human error
https://yle.fi/uutiset/74-20000333
Around 11,000 matters are brought before the Office of the Data Protection Ombudsman every year, half of them notifications of data breaches.
Tomi Engdahl says:
EDR vs XDR vs MDR: What’s the Difference? And Why Does It Matter?
https://www.secureworks.com/blog/edr-vs-xdr-vs-mdr-whats-the-difference
Discover which solution is most ideal for your organization today.
Endpoint Detection and Response (EDR)
As its name implies, EDR helps you detect and respond to threats on your organization’s endpoints. An endpoint is any device that connects to your organization’s network — whether it’s a desktop PC on your premises, a storage controller in your data center, or an employee’s laptop that they’re using from a remote location.
Extended Detection and Response (XDR)
XDR goes beyond EDR — and is thus “extended” — in several significant ways:
Proprietary XDR will only be capable of aggregating cybersecurity-related data from tools developed by the XDR vendor and/or those from their certified partners.
Open XDR, on the other hand, accepts data from any source using industry-standard APIs.
Managed Detection and Response (MDR)
MDR is a catch-all term that refers to any detection-and-response solution delivered on an “as a service” basis with a packaged offering delivered by a managed security service provider (MSSP) or other security partner. Typically, such a service includes 24/7 monitoring of your environment, ongoing threat hunting, and collaborative investigation and remediation (since such activities almost invariably require some participation by your in-house IT staff).
Since MDR refers to any managed detection and response service, it’s incumbent upon you to determine whether an MDR provider is using EDR, XDR, user and entity behavior analytics (UEBA), SIEM, and/or any other specific technologies in their effort to keep your organization safe.
Also, use of MDR does not inherently eliminate your need for any in-house cybersecurity capabilities whatsoever. For example, your MDR provider may not offer vulnerability management like the identification and patching of common vulnerability and exposures (CVEs) as part of their service. You may also need a CISO or other cybersecurity leader to supervise your MDR, advocate internally for cybersecurity best practices such as multi-factor authentication and zero trust, implement a program for adversarial testing, work with your CFO to contract for appropriate cyber insurance coverage, etc.
EDR vs. XDR vs. MDR: Which One is Right for You?
No two organizations are precisely alike when it comes to cybersecurity. Your organization has its own unique infrastructure and its unique business risks.
The bottom line. Don’t assume one solution is more expensive than another. Costs can vary widely among EDR, XDR, and MDR solutions. Focus on your specific needs and consider your current staffing and existing investments, including potential tradeoffs between technologies and cost of in-house vs. outsourced resources. A simple cost analysis may challenge your assumptions.
One more key point: No decision is also a decision. Given how much is riding on your choice of EDR, XDR, or MDR, a natural tendency is to postpone taking action for another month or another quarter. It’s also prudent to not make a decision until you believe you’ve assembled enough information to make the right call.
What’s not prudent is to delay too long. Cybercriminals are acting now. Your organization is expanding its digital footprint now. Your employees, contractors, and supply-chain partners are all exposing you to new dangers now. So undue hesitation is not a viable risk-mitigation strategy.
You have to act decisively — and soon — to counter the relentless evolution of cyber criminality. That’s what cybersecurity leadership is ultimately all about.
Tomi Engdahl says:
Australia Mulls Tougher Cybersecurity Laws After Data Breach
https://www.securityweek.com/australia-mulls-tougher-cybersecurity-laws-after-data-breach
The Australian government said on Monday it is considering tougher cybersecurity rules for telecommunications companies and blamed Optus, the nation’s second-largest wireless carrier, for an unprecedented breach of personal data from 9.8 million customers.
Optus said last Thursday it had become aware the day before of the cyberattack which obtained the details of 9.8 million people — of Australia’s population of 26 million.
Cybersecurity Minister Clare O’Neil told Australian Broadcasting Corp. the hack was an “unprecedented theft of consumer information in Australian history.”
For 2.8 million current and former Optus customers, the breach involved “significant amounts of personal data,” including driver’s licenses and passport numbers, O’Neil said.
Those 2.8 million people are at significant risk of identity theft and fraud, she said.
“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” O’Neil told Parliament.
In some countries, such a breach would result in fines “amounting to hundreds of millions of dollars,” O’Neil said.
Australian law doesn’t currently allow for Optus to be fined for the breach.
“A very substantial reform task is going to emerge from a breach of this scale and size,” O’Neil said.
Tomi Engdahl says:
Security of supply and cloud services
https://www.tivi.fi/uutiset/tv/294acf9d-f8db-4489-a670-af558a51a87f
The term “security of supply” (huoltovarmuus) forced its way into everyone's awareness at the start of the coronavirus pandemic. Instead of the traditional grain, fuel and potatoes, the discussion revolved around masks, protective equipment and vaccines. Since Russia's war of aggression began, attention has turned to cyber preparedness, and security of supply comes up in those discussions too. What are we talking about when we speak of security of supply in the digital environment?
Tomi Engdahl says:
Forensic artifacts in Office 365 and where to find them
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/forensic-artifacts-in-office-365-and-where-to-find-them/ba-p/3634865
Just like traditional endpoint-based data, log data in cloud services is available based on factors largely outside of the investigator’s control. There is often more than one place to view a particular set of data, and each location may have different retention periods. In this article, we aim to provide some explanations and tips for investigators to use to be able to easily understand in any situation what data is available, and in which portal.
Tomi Engdahl says:
Hacktivist Attacks Show Ease of Hacking Industrial Control Systems https://www.securityweek.com/hacktivist-attacks-show-ease-hacking-industrial-control-systems
Hacktivists might not know a lot about industrial control systems (ICS), but they’re well aware of the potential implications of these devices getting compromised. That is why some groups have been targeting these systems – which are often unprotected and easy to hack – to draw attention to their cause.
Tomi Engdahl says:
What happens with a hacked Instagram account – and how to recover it https://www.welivesecurity.com/2022/09/26/what-happens-hacked-instagram-account-how-recover/
Had your Instagram account stolen? Don’t panic – here’s how to get your account back and how to avoid getting hacked (again)
Tomi Engdahl says:
China’s infosec researchers obeyed Beijing and stopped reporting vulns… or did they?
https://www.theregister.com/2022/09/27/atlantic_council_china_vuln_research/
The number of vulnerability reports provided by Chinese information security researchers has fallen sharply, according to research by think tank The Atlantic Council, which also found a strangely commensurate increase in bug reports from unknown sources.
Tomi Engdahl says:
Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem https://www.atlanticcouncil.org/in-depth-research-reports/report/security-in-the-billions/
This report offers a multinational strategy to enhance the security of the IoT ecosystem. It provides a framework for a clearer understanding of the IoT security landscape and its needs, one that focuses on the entire IoT product lifecycle, looks to reduce fragmentation between policy approaches, and seeks to better situate technical and process guidance into cybersecurity policy.