Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.
HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome now attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP in the browser.
Malvertising: Cyber criminals will keep impersonating brands using search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.
Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report found the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully you at least have endpoint protection in place for a chance to catch it further down the cyber kill chain.
Software vulnerabilities: Weak configurations for encryption and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. Many companies do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variants of old vulnerabilities also keep appearing: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.
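The missing security headers and weak transport settings mentioned above (and the HTTPS-by-default trend in the first item) are cheap to check for. The following is an added example, not code from the post or from any of the reports it cites: it audits a dictionary of HTTP response headers against a minimal baseline. The header names are real and standard; the thresholds (one-year HSTS, presence of a `default-src` CSP directive) and the two sample responses are this example’s own assumptions.

```python
import re

# Minimum expectations for a hardened HTTPS site. The thresholds below are
# this example's assumptions, not values taken from the post.
def hsts_ok(value):
    """HSTS must carry a max-age of at least one year (31536000 seconds)."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 31536000

CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

def audit_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively, so the dict returned by
    urllib/requests can be passed in directly.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not check(lower[name]):
            findings.append(f"weak: {name}={lower[name]}")
    # Advertising exact server software versions is a misconfiguration too.
    for leaky in ("server", "x-powered-by"):
        if leaky in lower and re.search(r"\d", lower[leaky]):
            findings.append(f"version disclosure: {leaky}={lower[leaky]}")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {
    "Server": "Apache/2.4.41",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_headers(hdrs) or 'no findings'}")
```

Pair this with a real fetch (`dict(urllib.request.urlopen(url).headers)`) to audit your own sites; a short `max-age` is flagged separately from a missing header because a one-week HSTS policy still leaves first visits after expiry open to downgrade.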
Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments and individuals alike. Lack of knowledge, poor maintenance of employees’ skills and indifference are the biggest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.
Cloud: In a hyperscale cloud provider there can potentially be several thousand people, working around the globe, who could access your data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.
MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target is distracted or overwhelmed by the notifications or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
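The pattern described above (a burst of push prompts followed, eventually, by an approval) is visible in authentication logs. The following is an added example, not from the post or from any MFA vendor: a sliding-window detector run over a few constructed log lines. The line format (`timestamp user event`), the event names and the threshold of four pushes in five minutes are this example’s assumptions; a real deployment would map them onto the identity provider’s own event schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user event" format.
SAMPLE_LOG = """\
2023-01-10T02:14:05Z alice mfa_push_sent
2023-01-10T02:14:21Z alice mfa_push_denied
2023-01-10T02:14:40Z alice mfa_push_sent
2023-01-10T02:15:02Z alice mfa_push_sent
2023-01-10T02:15:30Z alice mfa_push_sent
2023-01-10T02:15:51Z alice mfa_push_sent
2023-01-10T02:16:10Z alice mfa_push_approved
2023-01-10T09:00:00Z bob mfa_push_sent
2023-01-10T09:00:12Z bob mfa_push_approved
"""

THRESHOLD = 4                  # pushes within the window that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window length (assumption)

def parse(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_mfa_fatigue(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for users
    who received at least `threshold` pushes inside any `window`.

    An approval that follows a burst is the high-severity case: it is the
    moment the attacker's prompt-bombing actually paid off.
    """
    recent = defaultdict(deque)   # user -> timestamps of pushes in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse(line)
        q = recent[user]
        if event == "mfa_push_sent":
            q.append(ts)
            while ts - q[0] > window:      # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                a["pushes"] = max(a["pushes"], len(q))
        elif event == "mfa_push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts

if __name__ == "__main__":
    for user, a in detect_mfa_fatigue(SAMPLE_LOG).items():
        sev = "HIGH" if a["approved_after_burst"] else "medium"
        print(f"{sev}: {user} received {a['pushes']} MFA pushes in {WINDOW}")
```

Bob’s single prompt-and-approve never trips the detector; Alice’s five prompts in under two minutes do, and the approval at the end upgrades the finding. Number matching or FIDO2 authenticators remove the attack class entirely, but the detector is useful while push-based MFA is still in use.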
Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it leaks out for some reason. The reason is that a comma in a password can break up tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
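The comma trick above relies on sloppy tooling on the receiving end. The following is an added example (not from the post or the article it cites) that shows both sides: a naive `split(",")` parser does lose track of which fields are which, while Python’s standard `csv` module quotes the field and round-trips it unharmed. The two credential rows are constructed, fake values.

```python
import csv
import io

# Constructed sample rows (fake values); the second password contains commas.
ROWS = [
    ("alice@example.com", "Winter2023!"),
    ("bob@example.com", "p,ass,word"),
]

def dump_naively(rows):
    """How a careless script writes a dump: f-string with a bare comma."""
    return "\n".join(f"{user},{pw}" for user, pw in rows) + "\n"

def naive_split_rows(text):
    """How a careless script reads it back: split every line on commas."""
    return [line.split(",") for line in text.strip().splitlines()]

def dump_with_csv_module(rows):
    """A proper CSV writer quotes any field containing the delimiter."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()

def parse_with_csv_module(text):
    return [tuple(row) for row in csv.reader(io.StringIO(text))]

if __name__ == "__main__":
    print("naive:", naive_split_rows(dump_naively(ROWS))[1])
    print("csv module:", parse_with_csv_module(dump_with_csv_module(ROWS))[1])
```

The naive path turns Bob’s row into four fields, so the password column no longer lines up; the `csv` path emits `"p,ass,word"` with quotes and reads it back intact. The comma is therefore a minor nuisance for attackers, not a substitute for length and uniqueness.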
EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor, Network and Information Security 2, is known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors fall under the legislation. The NIS Directive has already affected the cybersecurity budgets of operators over the past year, with deep-dives into the energy and health sectors. See Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.
Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.
Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla and Google are dropping TrustCor Systems as a root certificate authority in their products.
Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.
Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.
Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.
Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the problem that executives take more cybersecurity risks than office workers – leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.
Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.
Zero trust: Many people think that Zero Trust is the optimal security practice in 2023. It works well for new systems built around its model, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks and service providers.
Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.
Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.
Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta.
Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.
Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available on websites that support them via the WebAuthn API.
War risks: Watch for the war between Russia and Ukraine to continue in 2023, in both the real world and the cyber world. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.
Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.
ICS: ICS and SCADA systems remain trending attack targets also in 2023.
Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, secret scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available free of charge for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
Data destruction: We must develop a cloud-compatible way of doing data destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service if the appropriate certificates of destruction were provided.
PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard brings a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. That is changing with the release of PCI DSS 4.0: many new requirements focus on client-side security.
SHA-1: NIST retires the SHA-1 cryptographic algorithm; not fully in 2023, but it starts preparations for the phase-out. The venerable cryptographic hash function has weaknesses that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.
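The secret scanning item a few paragraphs up describes a service, but the idea behind it is simple pattern matching over source text. The following is an added example, not GitHub’s scanner or any of its patterns: a small regex-based scanner run over a constructed configuration file. The AWS `AKIA` access-key prefix and the GitHub `ghp_` token prefix are publicly documented formats, and `AKIAIOSFODNN7EXAMPLE` is the placeholder key AWS uses in its own documentation; the other regexes, the sample file and the `ghp_` value are this example’s own construction.

```python
import re

# Detector patterns (this example's own; GitHub's real scanner uses
# provider-supplied patterns and validity checks, which are not shown here).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "password = '...'" style assignments with at least 8 characters.
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|secret|api_key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def mask(value):
    """Keep only a short prefix so alerts never re-leak the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_text(text):
    """Return [(line_no, kind, masked_match)] for every pattern hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append((line_no, kind, mask(secret)))
    return findings

def is_clean(text):
    """Pre-commit style verdict: True when nothing looks like a credential."""
    return not scan_text(text)

# Constructed sample file. Every value is fake.
SAMPLE = """\
# config.py (constructed sample)
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
password = "correct-horse-battery"
api_key = "sk-live-constructed-placeholder"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} ({masked})")
    print("clean" if is_clean(SAMPLE) else "secrets found")
```

Run it over staged files in a pre-commit hook to stop secrets before they reach a public repository, and treat a hit as a rotation task, not just a deletion: once a key has been committed, assume it was read.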
Cloud: Is cloud native security good enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. In spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.
Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.
MFA: Two-factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!
Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies are suffering an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.
Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.
VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.
AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations.
But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”
AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?
Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.
Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed many cryptocurrency-related risks being realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.
Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now cyber is increasingly the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some policies already written in the market have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.
Sources:
Expert advises using a comma in your password – there is a clever logic behind it (Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka)
Overseeing artificial intelligence: Moving your board from reticence to confidence
Android is adding support for updatable root certificates amidst TrustCor scare
Google Play now lets children send purchase requests to guardians
Diligent’s outlook for 2023: Risk is the trend to watch
Microsoft will turn off Exchange Online basic auth in January
Google is letting businesses try out client-side encryption for Gmail
Google Workspace Gets Client-Side Encryption in Gmail
The risk of escalation from cyberattacks has never been greater
Client-side encryption for Gmail available in beta
AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Microsoft: Edge update will disable Internet Explorer in February
Is Cloud Native Security Good Enough?
Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023
Google Chrome preparing an option to block insecure HTTP downloads
Cyber attacks set to become ‘uninsurable’, says Zurich chief
The Dark Risk of Large Language Models
Police Must Prepare For New Crimes In The Metaverse, Says Europol
Policing in the metaverse: what law enforcement needs to know
Cyber as important as missile defences – an ex-NATO general
Misconfigurations, Vulnerabilities Found in 95% of Applications
Personnel security in the cloud
Multi-factor auth fatigue is real – and it’s why you may be in the headlines next
MFA Fatigue attacks are putting your organization at risk
NIS2 approved – stricter cybersecurity requirements for EU countries (NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset)
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
Poor software costs the US 2.4 trillion
Passkeys Now Fully Supported in Google Chrome
Google Takes Gmail Security to the Next Level with Client-Side Encryption
Executives take more cybersecurity risks than office workers
NIST Retires SHA-1 Cryptographic Algorithm
NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm
WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections
Over 85% of Attacks Hide in Encrypted Channels
GitHub Announces Free Secret Scanning, Mandatory 2FA
Leaked a secret? Check your GitHub alerts…for free
Data Destruction Policies in the Age of Cloud Computing
Why PCI DSS 4.0 Should Be on Your Radar in 2023
Google: With Cloud Comes APIs & Security Headaches
Digesting CISA’s Cross-Sector Cybersecurity Performance Goals
Zero Trust Shouldn’t Be The New Normal
Don’t click too quick! FBI warns of malicious search engine ads
FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
There is an acute shortage of cybersecurity professionals (Kyberturvan ammattilaisista on huutava pula)
1,768 Comments
Tomi Engdahl says:
https://techcrunch.com/2023/08/04/window-snyder-cybersecurity-trailblazer/
Tomi Engdahl says:
https://hackersonlineclub.com/athena-unlocking-next-level-pentesting-os/
Tomi Engdahl says:
New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days
https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a “material” impact on their finances, marking a major shift in how computer breaches are disclosed.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC chair Gary Gensler said. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
To that end, the new obligations mandate that companies reveal the incident’s nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specifics “would pose a substantial risk to national security or public safety.”
Tomi Engdahl says:
“The key word here is ‘material’ and being able to determine what that actually means,” Safe Security CEO Saket Modi told The Hacker News. “Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels.”
That said, the rules do not extend to “specific, technical information about the registrant’s planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
Tomi Engdahl says:
This Is What Happens When People Start Actually Reading Privacy Policies https://themarkup.org/hello-world/2023/08/12/this-is-what-happens-when-people-start-actually-reading-privacy-policies
A recent controversy about Zoom’s ability to train AI on users’ conversations shows the importance of reading the fine print Over the past quarter-century, privacy policies—the lengthy, dense legal language you quickly scroll through before mindlessly hitting “agree”—have grown both longer and denser. A study released last year found that not only did the average length of a privacy policy quadruple between 1996 and 2021, they also became considerably more difficult to understand.
While machine learning can be a useful tool in understanding the universe of privacy policies, its presence inside of a privacy policy can set off a firestorm. Case in point: Zoom.
Tomi Engdahl says:
NSA, Viasat say 2022 hack was two incidents; Russian sanctions resulted from investigation https://therecord.media/viasat-hack-was-two-incidents-and-resulted-in-sanctions
Officials from the National Security Agency (NSA) and satellite internet provider Viasat provided new details on the headline-grabbing cyberattack on the company at the onset of Russia’s invasion of Ukraine.
The cyberattack last February left Viasat’s KA-SAT modems inoperable in Ukraine. The attack had several other downstream effects, causing the malfunction of 5,800 Enercon wind turbines in Germany and disruptions to thousands of organizations across Europe.
According to U.S. and European Union officials, the attack on Viasat was intended to degrade the ability of the Ukrainian government and military to communicate.
Tomi Engdahl says:
Lapsus$ hackers took SIM-swapping attacks to the next level https://www.bleepingcomputer.com/news/security/lapsus-hackers-took-sim-swapping-attacks-to-the-next-level/
The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture. The Department of Homeland Security (DHS) Cyber Safety Review Board (CSRB) finalized its analysis and describes the group’s tactics and techniques in a report that also includes recommendations for the industry.
The group used SIM swapping to gain access to a target company’s internal network and steal confidential information like source code, details about proprietary technology, or business and customer-related documents.
Tomi Engdahl says:
To Battle New Threats, Spy Agencies to Share More Intelligence With Private Sector https://www.msn.com/en-us/money/news/to-battle-new-threats-spy-agencies-to-share-more-intelligence-with-private-sector/ar-AA1f5JKb
U.S. spy agencies will share more intelligence with U.S. companies, nongovernmental organizations and academia under a new strategy released this week that acknowledges concerns over new threats, such as another pandemic and increasing cyberattacks.
The National Intelligence Strategy, which sets broad goals for the sprawling U.S. intelligence community, says that spy agencies must reach beyond the traditional walls of secrecy and partner with outside groups to detect and deter supply-chain disruptions, infectious diseases and other growing transnational threats.
Tomi Engdahl says:
https://www.securityweek.com/india-passes-data-protection-legislation-in-parliament-critics-fear-privacy-violation/
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / TechCrunch:
Q&A with an FBI agent on targeting and taking down DDoS-for-hire sites, why Christmas is the busiest DDoS time, how attacks have changed over 10 years, and more
How the FBI goes after DDoS cyberattackers
In an interview at Black Hat, the FBI explains how they target and take down DDoS-for-hire sites
https://techcrunch.com/2023/08/12/fbi-ddos-for-hire-cyberattackers/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAGSfXmoQsNedO68xISnyXSxeoqCNaMf518IeJe4vNwFaZnlGLrFAMZQOGbVaB29l4mRfYXoEdl68qCgAOAoDRcFszS2kdwVfXbEEu60MbpjLv8lMfXlyDRKiasbUTuW23czV4upBWIxVJoOd8Gt0FJRtb1UMvWdgnikVtWDcnt5N
Tomi Engdahl says:
US Cyber Safety Board to Review Cloud Attacks
https://www.securityweek.com/us-cyber-safety-board-to-review-cloud-attacks/
The US government’s CSRB will conduct a review of cloud security to provide recommendations on improving identity management and authentication.
Tomi Engdahl says:
Email Security
Email – The System Running Since 71’
https://www.securityweek.com/email-the-system-running-since-71/
Working remotely is here to stay and businesses should continue to make sure their basic forms of communication are properly configured and secured.
Tomi Engdahl says:
Don’t Expect Quick Fixes in ‘Red-Teaming’ of AI Models. Security Was an Afterthought
https://www.securityweek.com/dont-expect-quick-fixes-in-red-teaming-of-ai-models-security-was-an-afterthought/
Security in current AI models was an afterthought in their training as data scientists amassed breathtakingly complex collections of images and text.
Tomi Engdahl says:
CISO Conversations: CISOs in Cloud-based Services Discuss the Process of Leadership
https://www.securityweek.com/ciso-conversations-cisos-in-cloud-based-services-discuss-the-process-of-leadership/
SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.
Tomi Engdahl says:
Managing and Securing Distributed Cloud Environments
https://www.securityweek.com/managing-and-securing-distributed-cloud-environments/
The complexity and challenge of distributed cloud environments often necessitate managing multiple infrastructure, technology, and security stacks, multiple policy engines, multiple sets of controls, and multiple asset inventories.
Tomi Engdahl says:
https://www.securityweek.com/white-house-offers-prize-money-for-hacker-thwarting-ai/
Tomi Engdahl says:
https://www.securityweek.com/automated-security-control-assessment-when-self-awareness-matters/
Tomi Engdahl says:
Linux is being attacked more and more often
https://www.uusiteknologia.fi/2023/08/11/linuxiin-isketaan-yha-useammin/
Attacks such as ransomware are becoming more common all the time. Most recently, according to Trend Micro, the number of attacks is also growing on Linux platforms. At the same time, the company's report says cybercriminals are making ever more use of AI and other new technologies to boost and streamline their attacks.
The main message was that network ransomware has especially taken aim at Linux, as the number of attacks against it already grew by 75 percent last year compared with the previous year. The same trend continued in January to June, when the number of ransomware attacks against Linux grew 62 percent compared with the same period of the previous year.
https://www.trendmicro.com/vinfo/fi/security/research-and-analysis/threat-reports/roundup/stepping-ahead-of-risk-trend-micro-2023-midyear-cybersecurity-threat-report
Tomi Engdahl says:
Ransomware is now striking Linux
https://etn.fi/index.php/13-news/15189-kiristyshaittaohjelmilla-isketaeaen-nyt-linuxiin
Security company Trend Micro has published a security report that summarizes cybercriminal activity in the first half of 2023. The report reveals, for example, that attack methods such as ransomware are becoming more common all the time, and that their number is growing especially steeply on Linux platforms.
According to the report, Trend Micro blocked more than 86 billion threats between January and July of this year. In the same period of the previous year, 63 billion threats were detected and blocked. Cybercriminals make particularly heavy use of email to break into corporate networks. In the first half of the year, 37 billion email threats were blocked. In Finland, these threats were blocked 26 million times.
The number of attacks against Linux systems grew by 75 percent last year compared with 2021. The same pace continues. In the first half of 2023, the number of ransomware attacks against Linux grew 62 percent compared with the same period of the previous year.
They especially target organizations in the banking and finance sector. Looking at security threats more broadly, the manufacturing industry and healthcare operators are at the greatest risk.
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/stepping-ahead-of-risk-trend-micro-2023-midyear-cybersecurity-threat-report
Tomi Engdahl says:
https://www.uusiteknologia.fi/2023/08/10/nama-haittaohjelmat-kiusaavat-erityisesti-pc-ja-android-kayttajia/
Tomi Engdahl says:
Don't trust the unknown!
https://etn.fi/index.php?option=com_content&view=article&id=15138&via=n&datum=2023-07-14_13:27:13&mottagare=30929
Published: 12.07.2023
Zero Trust, the zero-trust model, is a principle for protecting information systems in which nothing unidentified or unverified is trusted. According to a survey by security company Fortinet, two out of three companies follow this principle.
The report based on Fortinet's survey, the 2023 State of Zero Trust Report, shows that Zero Trust has advanced over the past two years. Since the 2021 report, companies have deployed new solutions as part of their zero-trust strategy. According to the 2021 report, 54% of companies used a zero-trust strategy; now the figure is 66%.
According to Jani Ekman, CTO of Fortinet Finland, the zero-trust model is a necessity in today's security work, especially now that the pandemic has changed how and where we work. "It is great to see that the numbers are growing, but still worrying that they have not grown more. This can lead to an unbalanced situation in which some actors have adopted working strategies and practices but others have not."
Many organizations have nevertheless run into challenges in using the zero-trust model. Almost half (48%) of respondents say they face challenges particularly in the compatibility of zero-trust solutions across on-premises, data-center-hosted and cloud-based services.
Tomi Engdahl says:
Identity & Access
CISA Releases Cyber Defense Plan to Reduce RMM Software Risks
https://www.securityweek.com/cisa-releases-cyber-defense-plan-to-reduce-rmm-software-risks/
CISA has published a cyber defense plan outlining strategies to help critical infrastructure organizations reduce the risks associated with RMM software.
The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday announced the release of a strategic plan to help critical infrastructure organizations reduce the risks associated with the use of remote monitoring and management (RMM) solutions.
The newly released RMM Cyber Defense Plan (PDF) was developed by the Joint Cyber Defense Collaborative (JCDC) in line with June 2023 guidance on securing remote access software against malicious attacks and aligns with the CISA Strategic Plan for 2023–2025.
“To support the CISA Strategic Plan, the JCDC RMM Cyber Defense Plan identifies a path forward to reduce risks to—and strengthen the resilience of—America’s critical infrastructure organizations that are dependent upon RMM products,” the agency notes.
The new plan, CISA says, is meant to identify ways in which RMM vendors can improve cybersecurity, as well as mechanisms to sustain cybersecurity collaborations in the area.
https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_0.pdf
https://www.securityweek.com/us-israel-provide-guidance-on-securing-remote-access-software/
Tomi Engdahl says:
Rapid7 Says ROI for Ransomware Remains High; Zero-Day Usage Expands
https://www.securityweek.com/rapid7-says-roi-for-ransomware-remains-high-zero-day-usage-expands/
A new report from Rapid7 says a ransomware gang like Cl0p would easily be able to afford a bevy of zero-day exploits for vulnerable enterprise software.
The Rapid7 mid-year review of the threat landscape is not reassuring. Ransomware remains high, basic security defenses are not being used, security maturity is low, and the return on investment for criminality is potentially enormous.
The review is compiled from the observations of Rapid7’s researchers and its managed services teams. It finds there were more than 1500 ransomware victims worldwide in H1 2023. These included 526 LockBit victims, 212 Alphv/BlackCat victims, 178 Cl0p victims, and 133 BianLian victims. The figures are compiled from leak site communications, public disclosures, and Rapid7 incident response data.
These figures should be seen as conservative. They won’t include organizations that quietly and successfully pay the ransom as if nothing happened. Furthermore, downstream victims are still being calculated – for example, notes the report, “The number of incidents attributed to Cl0p in this chart is likely to be (significantly) low, since the group is still actively claiming new victims from their May 2023 zero-day attack on MOVEit Transfer.”
Tomi Engdahl says:
Application Security
Google Brings AI Magic to Fuzz Testing With Eye-Opening Results
https://www.securityweek.com/google-brings-ai-magic-to-fuzz-testing-with-eye-opening-results/
Google sprinkles magic of generative-AI into its open source fuzz testing infrastructure and finds immediate success with code coverage.
Google has sprinkled the magic of artificial intelligence into its open source fuzz testing infrastructure and the results suggest LLM (large language model) algorithms will radically alter the bug-hunting space.
Google added generative-AI technology to its OSS-FUZZ project (a free service that runs fuzzers for open source projects and privately alerts developers to the bugs detected) and discovered a massive improvement in code coverage when LLMs are used to create new fuzz targets.
“By using LLMs, we’re able to increase the code coverage for critical projects using our OSS-Fuzz service without manually writing additional code. Using LLMs is a promising new way to scale security improvements across the over 1,000 projects currently fuzzed by OSS-Fuzz and to remove barriers to future projects adopting fuzzing,” the company said in a note with results from a months-long experiment.
AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
https://security.googleblog.com/2023/08/ai-powered-fuzzing-breaking-bug-hunting.html
Since 2016, OSS-Fuzz has been at the forefront of automated vulnerability discovery for open source projects. Vulnerability discovery is an important part of keeping software supply chains secure, so our team is constantly working to improve OSS-Fuzz. For the last few months, we’ve tested whether we could boost OSS-Fuzz’s performance using Google’s Large Language Models (LLM).
This blog post shares our experience of successfully applying the generative power of LLMs to improve the automated vulnerability detection technique known as fuzz testing (“fuzzing”). By using LLMs, we’re able to increase the code coverage for critical projects using our OSS-Fuzz service without manually writing additional code. Using LLMs is a promising new way to scale security improvements across the over 1,000 projects currently fuzzed by OSS-Fuzz and to remove barriers to future projects adopting fuzzing.
https://google.github.io/oss-fuzz/
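The post above talks about fuzz targets and code coverage without showing what a coverage-guided fuzzer actually does. The following is an added toy example written for this page; it is not OSS-Fuzz code and not Google's method. It collects line coverage of a constructed target function (parse_record, with a planted bug) using sys.settrace, keeps every input that reaches a new line, and mutates corpus entries deterministically until the target raises. The target, the record format and the seed input are all assumptions made up for the example.

```python
"""Toy coverage-guided fuzzer (constructed example, not OSS-Fuzz code).

Coverage = the set of source lines of the target executed for one input,
collected with sys.settrace. An input joins the corpus when it executes a
line no earlier input reached; every corpus entry is then mutated
deterministically (each byte set to every value, plus one appended byte).
The target parse_record() and its planted bug are constructed for this example.
"""
import sys

MAX_LENGTH = 16  # largest payload length the toy record format allows


def parse_record(data: bytes) -> int:
    """Constructed target: a 'REC' header, a length byte, then payload bytes."""
    if len(data) < 4:
        return 0
    if data[0] != ord("R"):
        return 1
    if data[1] != ord("E"):
        return 2
    if data[2] != ord("C"):
        return 3
    length = data[3]
    payload = data[4:]
    if length > MAX_LENGTH:
        return 4
    # planted bug: trusts the declared length without checking the payload size
    return sum(payload[:length]) + payload[length]


def run_with_coverage(target, data):
    """Run target(data) once; return (executed line numbers, exception or None)."""
    covered = set()

    def tracer(frame, event, arg):
        if frame.f_code is target.__code__ and event == "line":
            covered.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        crash = None
    except Exception as exc:  # any uncaught exception counts as a crash
        crash = exc
    finally:
        sys.settrace(previous)
    return covered, crash


def mutations(data: bytes):
    """Deterministic mutation stage: every byte set to every value, then one appended byte."""
    for pos in range(len(data)):
        for val in range(256):
            yield data[:pos] + bytes([val]) + data[pos + 1:]
    for val in range(256):
        yield data + bytes([val])


def fuzz(target, seed: bytes, max_execs: int = 100_000) -> dict:
    """Coverage-guided loop; stops at the first crash or when the budget runs out."""
    corpus = [seed]
    crash_input, crash_type = None, None
    total_cov, crash = run_with_coverage(target, seed)
    execs = 1
    if crash is not None:
        crash_input, crash_type = seed, type(crash).__name__
    i = 0
    while i < len(corpus) and crash is None and execs < max_execs:
        for candidate in mutations(corpus[i]):
            cov, crash = run_with_coverage(target, candidate)
            execs += 1
            if crash is not None:
                crash_input, crash_type = candidate, type(crash).__name__
                break
            if cov - total_cov:  # new lines reached: keep the input in the corpus
                total_cov |= cov
                corpus.append(candidate)
            if execs >= max_execs:
                break
        i += 1
    return {"crash_input": crash_input, "crash_type": crash_type,
            "execs": execs, "corpus_size": len(corpus),
            "lines_covered": len(total_cov)}


if __name__ == "__main__":
    # Starting from a seed that fails the first header check, the fuzzer
    # climbs the header one byte at a time and reaches the planted bug.
    print(fuzz(parse_record, b"AAAA"))
```

The seed b"AAAA" fails the first header check; each byte that passes one more check reaches a new line, so it is kept, and the next mutation stage builds on it. That chain is what "coverage" buys a fuzzer, and it is also why a fuzz target that only exercises shallow code (the problem the LLM-generated targets above address) finds little.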
Tomi Engdahl says:
According to security company Fortinet, the use of a ransomware variant called Black Basta has increased considerably recently, and it has lately become one of the most commonly used ransomware variants. Black Basta's popularity is boosted by its unprecedentedly easy availability, as the program can be bought as a ready-made service (Ransomware-as-a-Service, RaaS).
The malware developer offers those interested in using Black Basta a complete infrastructure that includes various services, from technical support to payment processing. The Black Basta developer in turn receives a share of the sum that the buyer of the service collects as ransom from the malware's victim.
https://etn.fi/index.php/13-news/15216-suosittu-kiristyshaittaohjelma-leviaeae-valmiina-palveluna
Tomi Engdahl says:
DPF is the new Privacy Shield: the EU Commission gives the green light to personal data transfers to the USA
https://www.karhuhelsinki.fi/blogi/dpf-on-uusi-privacy-shield-eu-komissiolta-vihrea-valo-henkilodatan-siirrolle-usahan/
On 10 July 2023, in midsummer, the European Commission made a significant decision concerning the data protection of websites and digital services. The Commission approved the long-prepared EU-US Data Privacy Framework (DPF), a data protection framework whose purpose is to protect the transfer of EU citizens' personal data to the United States.
Tomi Engdahl says:
Threat Actors are Interested in Generative AI, but Use Remains Limited https://www.mandiant.com/resources/blog/threat-actors-generative-ai-limited
Since at least 2019, Mandiant has tracked threat actor interest in, and use of, AI capabilities to facilitate a variety of malicious activity. Based on our own observations and open source accounts, adoption of AI in intrusion operations remains limited and primarily related to social engineering.
See also: *Add ‘writing malware’ to the list of things generative AI is not very good at doing* – But it may help with fuzzing:
https://www.theregister.com/2023/08/18/ai_malware_truth/
Tomi Engdahl says:
The Human Cost of Cryptomania
https://www.bloomberg.com/news/newsletters/2023-08-17/crypto-text-message-scams-lead-back-to-cambodia-slave-labor
An excerpt of a book on organized cybercrime, shedding light on the background of cryptocurrency scams.
Tomi Engdahl says:
5 Types of Cyber Crime Groups
https://www.trendmicro.com/en_us/ciso/23/e/cyber-crime-group-types.html
Discover the five main types of cyber crime groups: access as a service, ransomware as a service, bulletproof hosting, crowd sourcing, and phishing as a service as well as tips to strengthen your defense strategy.
Tomi Engdahl says:
The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack https://thehackernews.com/2023/08/the-vulnerability-of-zero-trust-lessons.html
While IT security managers in companies and public administrations rely on the concept of Zero Trust, APTS (Advanced Persistent Threats) are putting its practical effectiveness to the test. Analysts, on the other hand, understand that Zero Trust can only be achieved with comprehensive insight into one’s own network.
Tomi Engdahl says:
Israel, US to Invest $4 Million in Critical Infrastructure Security Projects
https://www.securityweek.com/israel-us-to-invest-4-million-in-critical-infrastructure-security-projects/
Israel and US government agencies have announced plans to invest close to $4 million in projects to improve the security of critical infrastructure systems.
Tomi Engdahl says:
Federally Insured Credit Unions Required to Report Cyber Incidents Within 3 Days
https://www.securityweek.com/federally-insured-credit-unions-required-to-report-cyber-incidents-within-3-days/
The National Credit Union Administration is requiring all federally insured credit unions to report cyber incidents within 72 hours of discovery.
Tomi Engdahl says:
https://www.techdirt.com/2023/08/18/social-engineering-meets-hacking-with-prompt-hacking/
Tomi Engdahl says:
A Survey on Intrusion Detection Systems for Fog and Cloud Computing
https://www.mdpi.com/1999-5903/14/3/89?utm_campaign=journnews_ccbj_futureinternet&utm_medium=social_journ&utm_source=facebook&fbclid=IwAR1zGmQiLrcSfqssPRe8bi1XnJE2tdUdVXLYz802GWkLHIBIeVcBEZ5WN-E_aem_AXp73tMZLLRw3p-1dXSfAvE13r7qM95iDFX6HbvTCXAvZFpzOR_vqalYp4aERF7PtcQ9fE45Cxrj-ENlGuZ3LCYz
Tomi Engdahl says:
Finns' knowledge of information security has two significant gaps https://www.is.fi/digitoday/tietoturva/art-2000009791013.html
Tomi Engdahl says:
Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders.
https://krebsonsecurity.com/2023/08/tourists-give-themselves-away-by-looking-up-so-do-most-network-intruders/
In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers.
Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.
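The "virtual tripwire" idea from the Krebs piece above, as an added example that is not part of the original post or of any product it mentions. It runs two defender-side rules over a constructed access log: any touch of a decoy object (a honey account or honey share nobody legitimately uses) raises an alert, and one user reaching many distinct targets within a short window is flagged as an enumeration burst, the "looking up" behaviour the article describes. The log format, user and host names, decoy names and thresholds are all assumptions made up for the example.

```python
"""Toy 'virtual tripwire' detector over a constructed access log.

Two defender-side rules, both illustrated with made-up data:
  1. any touch of a decoy object (honey account, honey share) is an alert;
  2. one user reaching ENUM_THRESHOLD distinct targets inside ENUM_WINDOW
     is an 'enumeration burst' alert (the intruder 'looking up').
Log format, host names, user names and decoy names are constructed for
this example and are not from any real product or the original post.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Decoy objects that no legitimate workflow ever uses (constructed names).
DECOY_OBJECTS = {"svc_backup_admin", r"\\fs01\Finance_Archive"}

ENUM_THRESHOLD = 5                  # distinct targets per user per window
ENUM_WINDOW = timedelta(minutes=2)  # sliding window for the burst rule

# Constructed sample log, one event per line: timestamp|user|src_host|action|target
SAMPLE_LOG = r"""
2023-08-21T09:00:01|alice|WS-ALICE|share_access|\\fs01\Marketing
2023-08-21T09:00:40|alice|WS-ALICE|share_access|\\fs01\Marketing
2023-08-21T09:01:12|bob|WS-BOB|share_access|\\fs01\Engineering
2023-08-21T09:02:00|bob|WS-BOB|ldap_query|svc_backup_admin
2023-08-21T09:03:05|carol|WS-CAROL|share_access|\\fs02\Public
2023-08-21T09:03:06|carol|WS-CAROL|share_access|\\fs02\IT
2023-08-21T09:03:07|carol|WS-CAROL|share_access|\\fs03\Backups
2023-08-21T09:03:08|carol|WS-CAROL|share_access|\\fs03\Legal
2023-08-21T09:03:09|carol|WS-CAROL|share_access|\\fs04\Archive
2023-08-21T09:03:10|carol|WS-CAROL|share_access|\\fs04\Finance
"""


def parse_line(line: str) -> dict:
    """Split one pipe-separated event into its fields."""
    ts, user, host, action, target = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "target": target}


def detect(lines) -> list:
    """Return alerts as (rule, user, detail) tuples, in log order."""
    alerts = []
    history = defaultdict(deque)  # user -> deque of (timestamp, target)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)

        # Rule 1: decoys have no legitimate use, so one touch is enough.
        if ev["target"] in DECOY_OBJECTS:
            alerts.append(("decoy_touched", ev["user"], ev["target"]))

        # Rule 2: sliding window of this user's recent targets.
        recent = history[ev["user"]]
        recent.append((ev["ts"], ev["target"]))
        while recent and ev["ts"] - recent[0][0] > ENUM_WINDOW:
            recent.popleft()
        distinct = {target for _, target in recent}
        if len(distinct) >= ENUM_THRESHOLD:
            alerts.append(("enumeration_burst", ev["user"], len(distinct)))
            recent.clear()  # one alert per burst, not one per extra event
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log, alice's repeated access to one share is silent, bob trips the decoy rule by querying the honey account, and carol trips the burst rule by reaching five different shares in five seconds. In a real deployment the decoy list and the threshold are the tuning knobs: decoys should be objects that look valuable but are referenced nowhere in normal workflows, and the window should be set from what legitimate users actually do.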
Tomi Engdahl says:
Joseph Cox / 404 Media:
A look at the dire state of Americans’ privacy, worsened by credit bureaus’ data policies; Telegram bots sell troves of personal info on targets for ~$15 in BTC — It took only a few seconds to uncover the target’s entire life. — On the messaging app Telegram, I entered a tiny amount …
The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/
Most Americans have very little choice but to provide their personal information to credit bureaus. Hackers have found a way into that data supply chain, and are advertising access in group chats used by violent criminals who rob, assault, and shoot targets.
This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement.
A 404 Media investigation has found that criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officer’s identities, and are selling unfettered access to their criminal cohorts online. The tool 404 Media tested has also been used to gather information on high profile targets such as Elon Musk, Joe Rogan, and even President Joe Biden, seemingly without restriction. 404 Media verified that although not always sensitive, at least some of that data is accurate.
Tomi Engdahl says:
Makena Kelly / The Verge:
Meta says it remains committed to rolling out default E2EE for Messenger, which has opt-in E2EE, by the end of 2023, and shortly afterwards for Instagram DMs — Meta plans to roll out default end-to-end encryption for its Messenger product by the end of this year, the company confirmed in a blog post Tuesday.
Meta refreshes promise to roll out default end-to-end encryption in Messenger this year
https://www.theverge.com/2023/8/22/23841490/meta-facebook-messenger-instagram-encryption-default
Tomi Engdahl says:
Check Point: a big spike in cyberattacks
https://etn.fi/index.php/13-news/15234-check-point-iso-piikki-kyberhyoekkaeyksissae
According to Check Point's Mid-Year Security Report, old and new are mixing in cybercrime, as AI and USB devices have unexpectedly become accomplices. Extortion groups have made their operations more effective by exploiting vulnerabilities in common software, and in the first half of the year 48 ransomware groups have already breached more than 2,200 targets.
Weekly cyberattacks increased globally by eight percent in the second quarter of the year, the largest growth in two years. According to the report, cybercriminals combine next-generation AI technology with tools that have long been in use, such as USB devices, in their attacks. The report also describes the extortion attacks that increased in the first half of the year with the emergence of new ransomware groups.
Tomi Engdahl says:
https://pages.checkpoint.com/2023-mid-year-cyber-security-report.html
Tomi Engdahl says:
Industrial networks need better security as attacks gain scale https://www.zdnet.com/article/industrial-networks-need-better-security-as-attacks-gain-scale/
Critical infrastructures and operational technology systems will face increasing threats as they move toward common standards.
Tomi Engdahl says:
Artificial Intelligence and Clouds: A Complex Relationship of Collaboration and Concern https://www.forbes.com/sites/emilsayegh/2023/08/23/artificial-intelligence-and-clouds-a-complex-relationship-of-collaboration-and-concern/
In an age where technology headlines often teeter on the edge of dystopian narratives, the pervasive influence of Artificial Intelligence (AI) prompts us to contemplate its role. Is it a modern ally, a potential adversary, or perhaps a nuanced combination of both? This intricate interplay of AI’s capabilities has the potential to reshape the very foundation of the tech industry, with profound implications for choices related to procurement, supply chain management, risk assessment, cybersecurity, and other critical domains.
Tomi Engdahl says:
Remote access detection in 2023: Unmasking invisible fraud https://securityintelligence.com/posts/remote-access-detection-in-2023-unmasking-invisible-fraud/
In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through keystroke analysis.
Tomi Engdahl says:
Changes to UK Surveillance Regime May Violate International Law
https://www.justsecurity.org/87615/changes-to-uk-surveillance-regime-may-violate-international-law/
The United Kingdom (U.K.) government has recently unveiled plans to revise the Investigatory Powers Act 2016 (IPA), the primary legislation governing the surveillance of electronic communications in the United Kingdom. The proposed revisions include five objectives pertaining to changes in the notices regime within the IPA, the process through which the government can ask private companies to carry out surveillance on its behalf, such as interception of communications and equipment interference (hacking).
The proposed changes to the IPA notices regimes include an obligation to comply with the content of a potential notice during the review period and before a notice is actually served, an obligation to disclose technical information about the company’s systems during the same review period, measures to strengthen the extraterritorial application of the notices and obligations for companies to give advance notice to the U.K. Secretary of State before implementing any technical changes.
The existing IPA regime appears to already allow the U.K. government to demand that companies alter their services in a manner that may affect all users. For example, a technical capability notice requiring the “removal by a relevant operator of electronic protection” could be used to force a service, such as WhatsApp or Signal, to remove or undermine the end-to-end encryption of the services it provides worldwide, if the government considers that such a measure is proportionate to the aim sought.
While the proposal does not specify what technical changes would require notification, these may include changes in the architecture of software that would interfere with the U.K.’s current surveillance powers. As a result, an operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office know in advance. Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.
Device Security Guidance
Guidance for organisations on how to choose, configure and use devices securely
https://www.ncsc.gov.uk/collection/device-security-guidance/managing-deployed-devices/keeping-devices-and-software-up-to-date
Apple slams UK surveillance-bill proposals
https://www.bbc.com/news/technology-66256081
Apple says it will remove services such as FaceTime and iMessage from the UK rather than weaken security if new proposals are made law and acted upon.
Tomi Engdahl says:
The End of “Groundhog Day” for the Security in the Boardroom Discussion?
As the SEC cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table.
https://www.securityweek.com/the-end-of-groundhog-day-for-the-security-in-the-boardroom-discussion/
The positives of SEC involvement
Feedback from industry professionals highlights the pros and cons of the new SEC rules. But since the new rules are inevitable and disclosure reports are due beginning December 2023, the time has come to focus on the positives for the industry of the SEC stepping in.
Having some standardization of terminology, for example the definition of an incident and what is material and thus disclosure-worthy, will enable executive leadership to focus on exactly what is needed in the boardroom. This should save organizations from spending cycles setting their own policies, procedures, and reporting practices. The other positive is that the initiative will likely drive investments in security technology, which is a good thing for security professionals and organizations as they will be more protected.
Tomi Engdahl says:
US Government Publishes Guidance on Migrating to Post-Quantum Cryptography
CISA, NSA, and NIST urge organizations to create quantum-readiness roadmaps and prepare for post-quantum cryptography migration.
https://www.securityweek.com/us-government-publishes-guidance-on-migrating-to-post-quantum-cryptography/