Cyber trends for 2023

Nothing is more difficult than making predictions, especially in fast advancing cyber security field. Instead of me trowing out wild ideas what might be coming, I have collected here some trends many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome to attempt to “upgrade” to the HTTPS version of websites, if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads through HTTP on Chrome browser.

Malwertising: Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users also in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware arriving over encrypted connections that are typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams traditional firewalls and many other security tools. Over 85% of Attacks Hide in Encrypted Channels. WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will be still very common in 2023. In 2022 nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. There are many companies that do not patch their systems at reasonable time or at all, so they stay vulnerable. Also new variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, maintenance of employees’ skills and indifference are the strongest obstacles in the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: In a hyperscale cloud provider, there can be potentially several thousand people, working around the globe that could potentially access our data. Security screening and limiting alone still leaves a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA Fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is MFA fatigue attacks a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them with legitimate authentication requests. t’s a huge threat because it bypasses one of the most effective the security measures.

Passwords: Passwords will not go away completely even though new solutions to replace then will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character to the password can make it harder for cyber criminals to use if for some reason it leaks out. The reason us that comma in password can obfuscate tabular comma separated values (csv) files, which are a common way to collect and distribute stolen passwords.

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity: Network and Information Security 2 also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs on late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors. Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been observed by the cybersecurity community as “the floor” and “a baseline” to cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, remaining their focus solely to IT systems. Especially in the critical infrastructure sectors, overlooking OT can have serious risks to all operations. As a result, the CPGs released explicitly are scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Loosing the trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection:Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also a challenge that Executives take more cybersecurity risks than office workersleaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that Executives take more cybersecurity risks than office workers

Zero trust: Many people think that Zero Trust is pretty optimal security practice in 2023. It is good for those new systems to whom it’s model suits, but Zero Trust has also challenges. Incorporating zero trust into an existing network can be very expensive. Zero Trust Shouldnt Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesnt coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. Thats where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. A future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”

Google Workplace: Google Workspace Gets Client-Side Encryption in Gmail. Long waited Client-side encryption for Gmail available in beta .
Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API,

War risks: Watch for continued war between Russia and Ukraine real world and cyber world in 2023. Cyber as important as missile defences – an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ISC: ICS and SCADA systems remain trending attack targets also in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all free public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 Should Be on Your Radar in 2023 if you work on field that needs to meet that. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST Retires SHA-1 Cryptographic Algorithm, not fully in 2023, but starts preparations for phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique is referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replace the 27 years old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phaseout period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers -Amazon Web Services (AWS), Microsoft Azure and Google Cloud- of course offer security features and services, which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly-sought after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But there are several analysts who believe that becoming a self-taught ethical hacker in 2023 might not be worth it because they are at constant risk of failing to perform properly and many companies might not want to hire an ethical hacker.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With Cloud Comes APIs & Security Headaches also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. ccording to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots . About 40% of companies are suffering an incident due to misconfiguration and a third coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions-

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations
But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. Wired magazine article expects that In 2023, we may well see our first death by chatbot. Causality will be hard to prove was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. ReadPolicing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. Year 2022 already showed how a lot of cryptocurrency related risks realized. More “Crypto travel rules” enacted to combat money laundering and terrorism financing.

Insurance: Getting a cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks and now increasing cyber was the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are already insurance policies written in the market have an exemption for state-backed attacks, but but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks that have disrupted hospitals, shut down pipelines and targeted government department. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Asiantuntija neuvoo käyttämään pilkkua sala­sanassa – taustalla vinha logiikka

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Yritysten kyberturvassa edelleen isoja aukkoja Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

Kyberturvan ammattilaisista on huutava pula

Is Enterprise VPN on Life Support or Ripe for Reinvention?

Cyber as important as missile defences – an ex-NATO general

1,768 Comments

  1. Tomi Engdahl says:

    Flipper Zero, osa 5: Älä kopioi edes oman autosi avaimia
    21.10.202308:11
    Mikrobitti kokeili someilmiöksi noussutta hakkerin monitoimityökalu Flipper Zeroa. Juttusarjan viidennessä osassa pohdimme autonavainten turvallisuutta.
    https://www.mikrobitti.fi/uutiset/flipper-zero-osa-5-ala-kopioi-edes-oman-autosi-avaimia/fec011b1-1370-4780-86e6-7f2ed3ec6ddf

    Reply
  2. Tomi Engdahl says:

    Varomaton verkkoskannaus voi kaataa tuotantoympäristön – ”laite sai tiettyyn porttiin odottamatonta liikennettä”
    Kari Ahokas17.11.202310:31|päivitetty17.11.202314:02TIETOTURVA
    Vaatimus tuotannon jatkuvuudesta tuo omat vaikeutensa operatiivisen teknologian tietoturvalle.
    https://www.tivi.fi/uutiset/varomaton-verkkoskannaus-voi-kaataa-tuotantoympariston-laite-sai-tiettyyn-porttiin-odottamatonta-liikennetta/3a6b1cfa-ea9b-4d2a-9192-9423b4b727b1

    Vaatimus tuotannon jatkuvuudesta tuo omat vaikeutensa operatiivisen teknologian tietoturvalle. Tietoturvapäivityksiä voi tehdä harvassa olevien suunniteltujen huoltokatkojen aikana. Koneiden seisottaminen maksaa rahaa.

    Reply
  3. Tomi Engdahl says:

    Näin saat Chromeen tallennetut salasanat esille muutamalla klikkauksella
    Joakim Kullas28.8.202321:04SALASANANHALLINTASELAIMETSOVELLUKSET JA PALVELUT
    Chromen salasananhallintaan on lisätty ominaisuus, jolla salasanat saa kaivettua esille muutamalla klikkauksella.
    https://www.tivi.fi/uutiset/nain-saat-chromeen-tallennetut-salasanat-esille-muutamalla-klikkauksella/a6ffbb11-55b2-44f4-8935-a8177573c8cf

    Reply
  4. Tomi Engdahl says:

    Raspberry Pi Used To Hijack Casino Card Shuffler
    News
    By Mark Tyson published August 11, 2023
    They’re not bluffing
    https://www.tomshardware.com/news/raspberry-pi-enables-security-researchers-to-hijack-casino-card-shuffling-machine

    Reply
  5. Tomi Engdahl says:

    Sites scramble to block ChatGPT web crawler after instructions emerge
    Restrictions don’t apply to current OpenAI models, but will affect future versions.
    https://arstechnica.com/information-technology/2023/08/openai-details-how-to-keep-chatgpt-from-gobbling-up-website-data/

    Reply
  6. Tomi Engdahl says:

    Digiturvan konsultti laskuttaa jopa 1350 euroa per päivä – samasta palvelusta pyydetään yli tuplahintoja
    Aleksi Kolehmainen22.11.202314:32|päivitetty22.11.202318:05JULKISEN HALLINNON ICT
    Listasimme digiturvan osa-alueella konsultoinnin päivähintoja. Kerromme myös mikä oli niiden mediaani ja keskihajonta.
    https://www.tivi.fi/uutiset/digiturvan-konsultti-laskuttaa-jopa-1350-euroa-per-paiva-samasta-palvelusta-pyydetaan-yli-tuplahintoja/096260c8-0915-4ede-a20f-a03826575be0

    Reply
  7. Tomi Engdahl says:

    How to apply natural language processing to cybersecurity
    https://venturebeat.com/ai/how-to-apply-natural-language-processing-to-cybersecurity/

    Cybersecurity is imperative in the modern digital landscape. As businesses and individuals conduct more activities online, the scope of potential vulnerabilities expands. Here’s the exciting part — natural language processing (NLP) is stepping onto the scene.

    This innovative technology enhances traditional cybersecurity methods, offering intelligent data analysis and threat identification. As digital interactions evolve, NLP is an indispensable tool in fortifying cybersecurity measures.

    Reply
  8. Tomi Engdahl says:

    Asiantuntijan neuvo hetkeen, kun turvallisuus pettää: ”Jokaisella tulisi olla tiedossa puhelin­­numero” https://www.is.fi/digitoday/tietoturva/art-2000009990536.html

    Reply
  9. Tomi Engdahl says:

    Inhimillisiä virheitä ei voi eliminoida tietoturvassa. Mutta niiden vaikutusta voi vähentää.

    Reply
  10. Tomi Engdahl says:

    The fun part of security audits is that everybody knows that they’re a good thing, and also that they’re rarely performed prior to another range of products being shoved into the market. This would definitely seem to be the case with fingerprint sensors as found on a range of laptops that are advertised as being compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently……

    EASILY BYPASS LAPTOP FINGERPRINT SENSORS AND WINDOWS HELLO
    https://hackaday.com/2023/11/27/easily-bypass-laptop-fingerprint-sensors-and-windows-hello/?fbclid=IwAR34G8F2ETJg3-VAkunPu7r_QXCPwbPIVh6_1bKgB86T4VKUpMKDOVCUbP4

    Reply
  11. Tomi Engdahl says:

    Myitkö vanhan Android-puhelimesi eteenpäin? Tätä et olisi halunnut tietää
    Android-puhelimesta on mahdollista kaivaa edellisen omistajan tietoja, vaikka puhelin olisikin palautettu tehdasasetuksiin.
    https://www.iltalehti.fi/digiuutiset/a/766fb7e6-b51a-4c45-9f7a-5574e8246879

    Tietoturvallisuuden perusasioihin kuuluu, että toiselle henkilölle myytävä tai lahjoitettava laite palautetaan ensin tehdasasetuksiin. Tämä pätee niin tietokoneisiin kuin älypuhelimiinkin.

    Android-käyttöjärjestelmällä varustetusta älypuhelimesta palauttaminen ei vastoin yleistä luuloa kuitenkaan poista kaikkia tietoja. Pahantahtoisen tai muuten vain urkkimaan taipuvaisen seuraavan omistajan on yhä mahdollista kaivaa puhelimesta tietoa sen aiemmasta omistajasta.

    Tehdasasetuksiin palautetun puhelimen tiedot on mahdollista palauttaa esimerkiksi Cellebrite-yhtiön UFED-työkalulla. Sen käyttäjiin kuuluu lähinnä viranomaisia, mutta käytettyjä laitteita on myös myyty eteenpäin internetissä, jolloin jotkin niistä ovat saattaneet joutua epäilyttävien tahojen hallintaan.

    Estä tietojen kaivaminen

    On toki epätodennäköistä, että tyypillisen puhelimen omistajan tietoja yritetään saada Android-puhelimelta uudelleen esiin. Kyseisen mahdollisuuden varalta tietojensa hävittämiseen voi halutessaan kuitenkin käyttää tehdasasetuksiin palauttamisen lisäksi myös toista menetelmää, joka on tallennustilan ylikirjoitus.

    Android-puhelimilta ei löydy omasta takaa tallennustilan ylikirjoituksen mahdollisuutta. Siihen on kuitenkin saatavilla useampi ohjelma, esimerkiksi FMA Centerin Secure Wipe Out.

    Ylikirjoitusohjelma täyttää puhelimen tallennustilan satunnaisella ykkösiä ja nollia sisältävällä datalla.

    Ylikirjoituksen voi myös hoitaa itse tyhjentämällä ensin Android-puhelimen tallennustilan ja täyttämällä sen sitten kokonaan satunnaisella merkityksettömällä sisällöllä.

    Reply
  12. Tomi Engdahl says:

    Graham Starr / Bloomberg:
    Okta tells customers that hackers who breached its network stole information on all users of its customer support system, greater than the 1% claimed previously — – Okta had earlier said breach affected about 1% of customers — Company said some Okta employee information was also stolen

    Okta Says Hackers Stole Data for All Customer Support Users
    https://www.bloomberg.com/news/articles/2023-11-29/okta-says-hackers-stole-data-for-all-customer-support-users#xj4y7vzkg

    Okta had earlier said breach affected about 1% of customers
    Company said some Okta employee information was also stolen

    Reply
  13. Tomi Engdahl says:

    No Laws Protect People From Deepfake Porn. These Victims Fought Back
    A group of young women in a New York City suburb, horrified to learn their photographs had been manipulated and posted online, took matters into their own hands.
    https://www.bloomberg.com/news/features/2023-11-29/deepfake-porn-victims-learn-us-has-no-federal-laws-to-fight-it#xj4y7vzkg

    Reply
  14. Tomi Engdahl says:

    Voiko Suomen verkot kaataa sabotaasilla? Näin vastaa tele­operaattori https://www.is.fi/digitoday/tietoturva/art-2000010019299.html

    VAIKKA Suomessa eletään poikkeuksellisia aikoja, yhteiskunnan toiminnan kannalta elintärkeän tietoliikenteen toimiminen on hyvissä käsissä. Näin vakuuttavat teleoperaattori Telian teknologiajohtaja Jari Collin sekä 5g-ohjelmajohtaja .

    Kilpailija Elisan tietoliikennekaapelin vaurioituminen yhdessä Balticconnector-kaasuputken kanssa herättivät pelkoja siitä, voiko Suomea vahingoittaa tietoliikenneyhteyksiä sabotoimalla.

    Runkoverkossa on vähintään kaksinkertainen varmistus kaikkialla. Jos varayhteyskin pettäisi, tietoa siirretään mobiiliverkkojen kautta. Jos kiinteät laajakaistaliittymät sakkaavat, mobiiliyhteys on vaihtoehto.

    JOS runkoverkkojen toimintaa uhkaa sähkökatko, tilanne on kiperämpi. Jokaisella mobiilitukiasemalla on akusto 2–4 tunnin toiminta-aikaa varten.

    Mitä tärkeämpi tukiasema on kyseessä, sitä järeämpiä ovat varavirtaratkaisut. Sairaaloiden lähellä olevilla tukiasemilla on omat generaattorit sähköntuotantoa varten.

    Jos sähkökatko alkaa, tukiasemia aletaan ajaa pienemmällä teholla. Korkeammat taajuudet lakkaavat toimimasta. Kapasiteettia pienennetään hallitusti tarpeen mukaan.

    Varavoimaa koordinoidaan myös kilpailijoiden kanssa, jotta esimerkiksi hätäpuhelut menevät läpi. Hätäpuhelut ovat soittajan operaattorista riippumattomia ja välittyvät missä verkossa vain.

    UHKAKUVIA on myös nähty verkkojen sukupolvenvaihdoksessa. Kaikki Suomen teleoperaattorit ajavat parhaillaan alas 3g-verkkojaan. Niiden taajuudet annetaan uudemman sukupolven verkoille, yleensä 4g:lle.

    Joissain tapauksissa tämä on aiheuttanut yksittäisiä ongelmia, jos useamman vuoden ikäiset verkkoon kytketyt laitteet ovat nojanneet 3g-tekniikkaan.

    Reply
  15. Tomi Engdahl says:

    Laivan ankkuri katkaisi Elisan tietoliikenne­kaapelin – pitäisikö nettiyhteydet turvata ”Suomi-satelliitilla”? https://www.is.fi/digitoday/tietoturva/art-2000010026919.html

    Reply
  16. Tomi Engdahl says:

    Stop social engineering at the IT help desk
    How Secure Service Desk thwarts social engineering attacks and secures user verification
    https://www.theregister.com/2023/11/23/stop_social_engineering_at_the/

    Reply
  17. Tomi Engdahl says:

    Tekoälyltä suojautuminen vaatii uusia työkaluja
    https://etn.fi/index.php/13-news/15612-tekoaelyltae-suojautuminen-vaatii-uusia-tyoekaluja

    Turvallisiin IoT-laitteisiin ja niiden kehitykseen keskittyvä Foundries.io ennustaa, että valtion sääntely ja markkinaosuuden menettämisen riski saavat sulautettujen laitteiden OEM-valmistajat omaksumaan tiukat uudet käytännöt suojaamiseen. Ne takaavat päästä päähän -turvallisuuden kaikkien tuotteiden käyttöiän ajan.

    Foundries.io perustettiin lokakuussa 2017, jolloin kyberturvallisuushuolet rajoittuivat enimmäkseen pilvilaskenta-alustoille. Sulautettujen sovellusten kehityskäytännöt eivät juurikaan kiinnittäneet huomiota jatkuvan ylläpidon ja turvallisuuden tarpeeseen.

    Nykyään pilvipohjaisten sovellusten kehittäminen ja tekoälyn käyttötapaukset pakottavat sulautetut kehittäjät ottamaan kyberturvallisuuden paljon vakavammin. Foundries.io odottaa, että sulautettujen laitteiden OEM-valmistajat kohtaavat yhä enemmän tietoturvauhkia seuraavien vuosien aikana vuosikymmenen loppuun mennessä.

    Vihamielisempää ympäristöä ruokkivat geopoliittiset jännitteet ja konfliktit valtioiden kanssa, jotka käyttävät kyberturvallisuutta sotilaallisena ja poliittisena aseena. Turvallisuuskuvaa vaikeuttaa myös tekoälypohjaisten ohjelmistotyökalujen ilmaantuminen, joilla voidaan luoda ja muokata uusia haittaohjelmien muotoja suurella nopeudella.

    Samaan aikaan Foundries.io:n johtoryhmän mukaan epävarmaa alkuperää olevien avoimen lähdekoodin ohjelmistopakettien (OSS) lisääntyvä käyttö tarjoaa kyberhyökkääjille lisäportteja suojaamattomien sulautettujen tuotteiden haavoittuvuuksiin.

    Vastauksena näyttää siltä, että käyttöön otetaan uusia lainsäädäntö- ja turvallisuusstandardeja, mukaan lukien EU:n ja Yhdysvaltojen hallitusten jo ilmoittamat toimenpiteet: EU:n kyberkestävyyslaki sekä Valkoisen talon ja kongressin kansallinen kyberturvallisuusstrategia. Samaan aikaan kuluttajien huolet yksityisyydestä ja kasvava tietoisuus tietoturvaloukkausten taloudellisista ja maineeseen liittyvistä kustannuksista antavat OEM-valmistajille vahvemman kannustimen investoida aikaa ja rahaa kyberpuolustuksensa vahvistamiseen.

    Reply
  18. Tomi Engdahl says:

    Nyt jysähti: Microsoft päätti jatkaa Windows 10:n tukiaikaa – mukaan pääsee yhdellä ehdolla
    5.12.202322:44|päivitetty5.12.202322:44
    Lokakuussa 2025 tiensä päähän saapuva Windows 10 on saanut yllättäen jatkoaikaa.
    https://www.mikrobitti.fi/uutiset/nyt-jysahti-microsoft-paatti-jatkaa-windows-10n-tukiaikaa-mukaan-paasee-yhdella-ehdolla/eb896a8b-6a30-4e1c-94f2-d74ee8b8598a

    Windows 10 on kirjoitushetkellä täysin ylivoimaisesti suosituin Windows-käyttöjärjestelmä, joten Microsoftin päätös jatkaa sen tukemista ei välttämättä tule kaikille yllätyksenä.

    Sen sijaan yllättävää on, että tukiaikaa päätettiin saman tien jatkaa peräti kolmella vuodella. Käytännössä siis Windows 10:lle tullaan julkaisemaan tietoturvakorjauksia aina vuoteen 2028 asti.

    Microsoft tarjosi maksullista tukiajan jatkoa Windows 7 -käyttöjärjestelmälle. Tarkoituksena oli, että ne yritykset jotka eivät voineet vielä siirtyä eteenpäin, saivat ostettua lisää elinaikaa laitteilleen.

    Reply
  19. Tomi Engdahl says:

    Bruce Schneier / Schneier on Security:
    The internet enabled mass surveillance, and AI will enable mass spying, once limited by human labor, by making troves of data searchable and understandable — Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide …

    AI and Mass Spying
    https://www.schneier.com/blog/archives/2023/12/ai-and-mass-spying.html

    Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

    Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.

    Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.

    AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.

    Reply
  20. Tomi Engdahl says:

    Asiantuntijalta neuvo, joka kannattaa toteuttaa nopeasti: ”Sopikaa perheen sisäinen sala­sana”
    Uusi huijaustyyppi on useimmille vielä vieras.
    https://www.is.fi/digitoday/tietoturva/art-2000010033938.html

    TEKOÄLYPOHJAISTEN huijausten muuttuessa yhä kehittyneemmiksi tulisi ihmisten varautua niihin uusilla keinoilla.

    Tekoälyllä pystytään väärentämään niin liikkuvaa kuvaa kuin ääntä ja on odotettavissa, että niitä käytetään petoksiin yhä enemmän. Maailmalla on jo törmätty ensimmäisiin tapauksiin, joissa oman lapsen ääntä on väärennetty ja soitettu huijauspuhelu tämän nimissä.

    Tietokirjailija Petteri Järvinen neuvoo sopimaan perheen sisäisen salasanan soittajan henkilöllisyyden varmistamiseksi.

    – On odotettavissa, että huijarit alkavat kloonata ääntä ja soittaa esim. lapsen nimissä vanhemmille rahaa pyytäen. Kannattaa varautua jo nyt: sovi perheen sisäinen salasana, jolla voit tarvittaessa tunnistaa aidon soittajan, Järvinen kirjoittaa viestipalvelu X:ssä.

    Ääntä on mahdollista kopioida ja kloonata poimimalla sitä esimerkiksi sosiaalisessa mediassa julkaistuilta videoilta.

    Reply
  21. Tomi Engdahl says:

    Thomas leikkii työkseen kissaa ja hiirtä verkkorikollisten kanssa: ”Yritysten tietoturvan heikoin lenkki on ihminen”
    Kyberrikollisten jahtaaminen on väsymätöntä, vaativaa työtä. Kokenut tietoturvakonsultti paljastaa, millaisia keinoja rikolliset nykyään käyttävät ja kuinka hyökkäyksiltä kannattaa suojautua.
    https://www.is.fi/mainos/art-2000010005024.html

    Reply
  22. Tomi Engdahl says:

    Washington Post:
    US officials: China is ramping up its ability to disrupt key US infrastructure; 2023 victims include a Hawaii water utility, a West Coast port, and a pipeline — A utility in Hawaii, a West Coast port and a pipeline are among the victims in the past year, officials say

    https://www.washingtonpost.com/technology/2023/12/11/china-hacking-hawaii-pacific-taiwan-conflict/

    Reply
  23. Tomi Engdahl says:

    RISK MANAGEMENT
    Humans Are Notoriously Bad at Assessing Risk
    When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality.
    https://www.securityweek.com/humans-are-notoriously-bad-at-assessing-risk/

    Risk assessment should be a rational and objective undertaking. We as humans, with our emotions, can sometimes be irrational and subjective. As security professionals, this would seem to put us at odds with our duty to objectively assess, manage, and mitigate risk.

    Unfortunately, subjectivity introduces bias, which skews risk assessment. When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality. This, in turn, results in a poorer overall security posture.

    Given this, how can security professionals remove as much subjectivity as possible from risk assessment? There are likely many different approaches that can be taken.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*