Cyber security trends for 2018

Year 2017 was a bad cybersecurity year, and it is expected that new Cybersecurity Dangers Will Spike in 2018. The security situation was so bad in 2017 that it was thought that We’re hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.

Here is a list of relevant cyber security terms for 2018:

AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. The threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions could possibly help with some of the security problems, but be warned of the over-hyping of AI in solutions. We will see many attacks against ‘black box’ machine learning.

Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: Endpoint, AV, Cloud, Network/Infrastructure, Application, Compliance, and the list goes on and on. While this overwhelming array of choices has given technologists a lot to evaluate, it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.

Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

Automation: Enterprises will now no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises.

Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.

Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.

Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as a looming security risk and some see that authorized browser mining could be used for micro-payments.

Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.

Certificates: Facebook Releases New Certificate Transparency Tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency Logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks. With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
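The alerting side of a CT monitor, as an added example (not Facebook’s tool or any CA’s code): it scans a stream of log entries for certificates that name a monitored domain and flags the ones a defender would want to look at. The entries are constructed sample data in a simplified issuer/SAN shape, not real CT log records.

```python
"""Alert on unexpected certificate issuance for domains we control, using a
simplified view of Certificate Transparency (CT) log entries.  Added example;
all entries and domain names below are constructed sample data."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CtEntry:
    """One logged certificate, reduced to the fields the check needs."""
    issuer: str
    sans: Tuple[str, ...]   # subject alternative names
    not_before: str         # ISO date, informational only


# Defender's expectations: the domains we own and the CAs we actually use
# (constructed values; replace with your own inventory).
MONITORED_DOMAINS = {"example.com"}
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert"}

# Constructed sample log entries: one legitimate, one from a CA we never use,
# one wildcard, and one for a domain that is not ours at all.
SAMPLE_ENTRIES = [
    CtEntry("Let's Encrypt", ("www.example.com", "example.com"), "2018-01-05"),
    CtEntry("Unknown CA Ltd", ("login.example.com",), "2018-01-08"),
    CtEntry("DigiCert", ("*.example.com",), "2018-01-09"),
    CtEntry("Let's Encrypt", ("other.org",), "2018-01-10"),
]


def matches_monitored(name: str, monitored: Set[str]) -> bool:
    """True if a SAN equals a monitored domain or is a subdomain of it.
    A leading '*.' (wildcard) is stripped before comparison."""
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in monitored)


def find_alerts(entries: Iterable[CtEntry],
                monitored: Set[str] = MONITORED_DOMAINS,
                expected_issuers: Set[str] = EXPECTED_ISSUERS,
                known_names: Optional[Set[str]] = None
                ) -> List[Tuple[CtEntry, List[str]]]:
    """Return (entry, reasons) for every logged certificate that covers a
    monitored domain and looks suspicious: unexpected issuer, wildcard, or a
    hostname not in the defender's list of names that should have certs."""
    alerts = []
    for e in entries:
        hits = [n for n in e.sans if matches_monitored(n, monitored)]
        if not hits:
            continue                       # not our domain, ignore
        reasons = []
        if e.issuer not in expected_issuers:
            reasons.append(f"unexpected issuer {e.issuer!r}")
        if any(n.startswith("*.") for n in hits):
            reasons.append("wildcard certificate")
        if known_names is not None:
            unknown = [n for n in hits if n.lower() not in known_names]
            if unknown:
                reasons.append("unknown names " + ", ".join(unknown))
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for entry, reasons in find_alerts(SAMPLE_ENTRIES,
                                      known_names={"www.example.com", "example.com"}):
        print(entry.not_before, entry.issuer, entry.sans, "->", "; ".join(reasons))
```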

Cloud: Organizations are responsible for ensuring the security of their data, regardless of where that data resides, but oftentimes cloud security is still thought of as a different type of security. You Should Question Most Common Cloud Assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.

Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”

GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018 – at which time those organizations in non-compliance will face heavy fines (a fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of a data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay on issues like a data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.

Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.

HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.

HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.

ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Identity Management Systems (SIEM), and Incident Management Systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.

Identify: When you have an inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.

IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is dying. It seems that both of those technologies will co-exist in the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default – so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work in this way or not).
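A concrete form of the dual-stack gap described above, as an added example (not from any of the linked articles): a host that listens on both families but only ever had an IPv4 filter configured can expose services over IPv6 that IPv4 blocks. The listening sockets and allow-lists below are constructed sample data standing in for what `ss -ltn` and the host firewall would show.

```python
"""Find services a dual-stacked host exposes over IPv6 that its IPv4 firewall
policy blocks.  Added example; the socket list and allow-lists are constructed
sample data, not the output of a real tool."""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Constructed: listening TCP sockets as (local address, port).  "0.0.0.0" and
# "::" are the IPv4 and IPv6 wildcard binds; loopback binds are not reachable
# from the network and are excluded below.
LISTENING: List[Tuple[str, int]] = [
    ("0.0.0.0", 22),       # sshd, IPv4
    ("::", 22),            # sshd, IPv6
    ("127.0.0.1", 3306),   # database on IPv4 loopback only
    ("0.0.0.0", 9200),     # search service, IPv4
    ("::", 9200),          # search service, IPv6
    ("::1", 6379),         # cache on IPv6 loopback only
]

# Constructed: inbound TCP ports each family's filter accepts.  None models the
# common dual-stack mistake of never configuring an IPv6 filter at all.
ALLOW_V4: Optional[Set[int]] = {22, 443}
ALLOW_V6: Optional[Set[int]] = None


def exposed_ports(listening: Iterable[Tuple[str, int]],
                  allow: Optional[Set[int]], version: int) -> Set[int]:
    """Ports reachable from the network over the given IP version: bound to a
    non-loopback address of that family and accepted by the filter (an absent
    filter accepts everything)."""
    ports = set()
    for addr, port in listening:
        ip = ipaddress.ip_address(addr)
        if ip.version != version or ip.is_loopback:
            continue
        if allow is None or port in allow:
            ports.add(port)
    return ports


def ipv6_only_exposure(listening: Iterable[Tuple[str, int]],
                       allow_v4: Optional[Set[int]],
                       allow_v6: Optional[Set[int]]) -> List[int]:
    """Ports reachable over IPv6 that the IPv4 policy does not expose: these
    are the services the admin 'did not know' were on the Internet."""
    listening = list(listening)
    v4 = exposed_ports(listening, allow_v4, 4)
    v6 = exposed_ports(listening, allow_v6, 6)
    return sorted(v6 - v4)


if __name__ == "__main__":
    gap = ipv6_only_exposure(LISTENING, ALLOW_V4, ALLOW_V6)
    print("reachable over IPv6 but not IPv4:", gap)   # [9200]
```

The same check with `ALLOW_V6 = ALLOW_V4` returns an empty list, which is the state a dual-stacked host should be in.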

Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.

Integrate: Many gaps in security are due to an inability for disparate technologies to share information. Integration is key to making sure you get the most from your technology investments.

IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation. Security experts have always warned us that a network is only as secure as its weakest point. Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT systems should address security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be The Race for a Universal IoT Security Standard going on, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.

Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.

Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 Mirai-makers plead guilty, but this isn’t the end for the now open-sourced Mirai. I expect that we will see in 2018 new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.

Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.

Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. And they need to be fixed. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

PSD2: The EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need Consent Management Solutions.

Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.

Responsibility: People are starting to call on companies to take responsibility. Regulations such as the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some people say that It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives—where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities.

Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, the technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The Best Security Doesn’t Exclude Users, it Empowers Them.

Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.

Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?

Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. For many attempts the goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.

Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.

Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run – many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities.

When: The myth of being able to detect every breach, insider threat or lateral movement has been punctured. Security teams are realizing they need to prepare themselves for “when” they will be breached, rather than “if.”

Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats are likely to continue into 2018.

HTTP/2 (Wikipedia)

Usage of HTTP/2 for websites

HTTPS (Wikipedia)

Firefox, Chrome start calling HTTP connections insecure

Alert (TA17-075A) HTTPS Interception Weakens TLS Security

Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead

Cybersecurity Dangers Will Spike in 2018

We’re hitting rock bottom in cyber — let’s do something | TechCrunch

Virtual Security

Mirai-makers plead guilty, Hajime still lurks in shadows

DARPA Takes Chip Route to ‘Unhackable’ Computers

Another AI attack, this time against ‘black box’ machine learnings

GDPR Portal: Site Overview

General Data Protection Regulation (Wikipedia)

Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already

Miten GDPR pitää huomioida ohjelmistokehityksessä?

Seven Seas Cybersecurity: Captain, We Have a Problem

In the Words of President Ronald Reagan, “Trust but Verify”

Why You Should Question These Most Common Cloud Assumptions

It’s 2018. Do You Know Where Your Data Are?

Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Smart Factory Connectivity for the Industrial IoT

The Race for a Universal IoT Security Standard

Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises

The Internet of Things Is Going to Change Everything About Cybersecurity

My Internet Mea Culpa: I’m sorry I was wrong. We all were.

Resolve to Mitigate Your Business’ Digital Risk in 2018

Emerging Trends in Vulnerability Management

Research reveals customer-facing web and mobile apps as top security challenge

Open Source Vulnerabilities: Are You Prepared to Run the Race?

Device Security for the Industrial Internet of Things

GDPR and Open Source: Best Practices

Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC

ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good

Threat Modeling the Internet of Things: Modeling Reaper

Engineering for Privacy Requires Standards

How to Make Adversaries Work Harder, While We Work Smarter, in 2018

2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices

Facebook Releases New Certificate Transparency Tools

iWelcome and Launch Kantara Initiative Consent Management Solutions Work Group

U.S. Military to Send Cyber Soldiers to the Battlefield

Machine Learning & Security: Making Users Part of the Equation

Security is Not a Technology Profession

State of IPv6 Deployment 2017

Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018

  1. Tomi Engdahl says:

    Proposed Legislation Would Create Office of Cybersecurity at FTC

    Punitive Data Breach Legislation Proposed Post-Equifax

    Two Democratic senators, Elizabeth Warren, D-Mass., and Mark Warner, D-Va, introduced a bill Wednesday that would provide the Federal Trade Commission (FTC) with punitive powers over the credit reporting industry — primarily Equifax, Credit Union and Experian — for poor cybersecurity practices.

    The bill is in response to the huge Equifax breach disclosed in September, 2017. “Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” said Senator Warren in a Wednesday statement.

  2. Tomi Engdahl says:

    How Antivirus Software Can be the Perfect Spying Tool

    Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.

    Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Regardless of whether personal files or work documents, the antivirus has access to them all, which allows it to work as needed.

    We do expect a security product to work in this manner, as most of them have been designed to scan all files on the system to detect any possible threats, and we accept this behavior as being part of our computer’s protection mechanism.

    What if the very same features that are meant to protect us from threats become the threats themselves? Would it be possible for an antivirus application to be used as a spying tool, to flag documents of interest and exfiltrate them instead of keeping our files safe? The answer appears to be “Yes!”

    “In order for AV to work correctly, it has to be plumbed into the system in such a way that it can basically see and control anything the system can do. Memory allocation, disk reads and writes, communication, etc… This means that it is essentially in the middle of all transactions within the OS. Therefore, it makes a pretty good candidate for take over and compromise,” Jason Kent, CTO at AsTech, told SecurityWeek via email.

  3. Tomi Engdahl says:

    Let’s Encrypt Disables TLS-SNI-01 Validation

    Free and open Certificate Authority (CA) Let’s Encrypt on Tuesday disabled TLS-SNI-01 validation after learning that users could abuse it to obtain certificates for domains they do not own.

    The issue was found to have been created by the use of the ACME TLS-SNI-01 challenge type for domains on a shared hosting infrastructure. Discovered by Frans Rosén of Detectify, the bug could be abused for malicious purposes, which sparked Let’s Encrypt to disable TLS-SNI-01 validation entirely.

    The issue doesn’t appear to be related to the certificate authority itself, but to a combination of factors. However, it is centered on the manner in which the ACME server (the CA) validates a domain name’s IP address as part of ACME protocol’s TLS-SNI-01 challenge.

  4. Tomi Engdahl says:

    Top 10 Antivirus Software For Windows – 2018 Edition

    Viruses, worms, Trojan horses and the like often perform malicious acts, such as deleting files, accessing personal data, cause widespread damage, or using your computer to attack other computers. Antivirus software is an important tool to help prevent such attacks.

  5. Tomi Engdahl says:

    The Policy Machine

    The dangers of letting algorithms make decisions in law enforcement, welfare, and child protection.

    Public services are becoming increasingly algorithmic, a reality that has spawned hyperbolic comparisons to RoboCop and Minority Report, enforcement droids and pre-cogs. But the future of high-tech policymaking looks less like science fiction and more like Google’s PageRank algorithm.

    But algorithmic decision-making takes on a new level of significance when it moves beyond sifting your search results and into the realm of public policy. The algorithms that dominate policymaking — particularly in public services such as law enforcement, welfare, and child protection — act less like data sifters and more like gatekeepers, mediating access to public resources, assessing risks, and sorting groups of people into “deserving” and “undeserving” and “suspicious” and “unsuspicious” categories.

  6. Tomi Engdahl says:

    Beyond the Rhetoric of Algorithmic Solutionism

    If you ever hear that implementing algorithmic decision-making tools to enable social services or other high stakes government decision-making will increase efficiency or reduce the cost to taxpayers, know that you’re being lied to. When implemented ethically, these systems cost more. And they should.

  7. Tomi Engdahl says:

    New York Times:
    House votes 256 to 164 to extend Section 702 FISA warrantless surveillance program for six years with minimal changes; bill now proceeds to the Senate

    House Extends Surveillance Law, Rejecting New Privacy Safeguards

  8. Tomi Engdahl says:

    Google’s true origin partly lies in CIA and NSA research grants for mass surveillance

    Two decades ago, the US intelligence community worked closely with Silicon Valley in an effort to track citizens in cyberspace. And Google is at the heart of that origin story. Some of the research that led to Google’s ambitious creation was funded and coordinated by a research group established by the intelligence community to find ways to track individuals and groups online.

  9. Tomi Engdahl says:

    Secure SD-WAN: The First Step Toward Zero Trust Security

    Imagine the typical network architecture of any enterprise. It’s usually an unruly collection of network connections going in all directions between a wide array of infrastructure devices on a legacy flat network. Every time the infrastructure requires a change, you take a deep breath and open up the network diagram, hoping you can somehow wedge your new requirements into this complex environment.

    The time and cost to manage this network infrastructure seems to rise every year. To address this dilemma, IT leaders are looking to software-defined technologies and zero trust security. They’re eager to take advantage of the simplicity and cost savings but wary of the security implications.

  10. Tomi Engdahl says:

    2018 is Going to be a Bad Year for Security

    2017 was a busy year for hackers who used new, ingenious attack vectors and methods such as fileless malware to hold organizations ransom and steal their sensitive data. These threats are almost certain to continue in 2018 and, along with them, there will be even bigger challenges.

    Five leading security experts have shared their top predictions for cybersecurity in 2018. They forecast that attackers will be armed with more advanced weapons such as AI-powered malware to create the biggest ever attacks that breach previously considered safe havens—well-guarded critical infrastructure, public clouds, blockchains and more.

    Unfortunately, security experts see the attackers winning the war on malware since many organizations are working with old defense systems.

    The cybersecurity war is going to get even larger and nastier in 2018 with risks emerging throughout the supply chain and attacks designed specifically to destroy a company’s brand.

  11. Tomi Engdahl says:

    5 blockchain trends to watch for in 2018
    What to expect from blockchain in the coming year

    But what is blockchain’s role in the enterprise? These days, a growing number of companies are testing out blockchain’s power to help facilitate transactions and track assets via its distributed ledger technology, in which every party has a copy of the same record and no one can change it without everyone knowing.

    1. Blockchain will move from pilot to production
    “Blockchains are appearing in pilot projects everywhere,”

    2. Use of zero knowledge proofs will grow
    Everyone agrees that one powerful use of blockchain will be as a platform for transactions between corporate parties. But what form will that platform take? Some experts predict that large enterprises will create their own private blockchain networks, which suppliers and other business partners will join.

    “The long-term future of the blockchain depends on the ability of companies to conduct private business over a public, shared infrastructure.”

    3. Blockchain networks will learn how to enforce the rule of law
    “Smart contracts are powerful tools for automating business process operations, and they will become key productivity enablers for enterprises looking to harness blockchain technology,” Brody says. But there’s one problem: What happens when parties to a contract get into a dispute?
    These matters are usually settled by the courts, but they have no authority over blockchain networks, which are decentralized, have no single arbiter or enforcer, and generally cross geographic borders.

    4. Blockchain will come into its own as an asset-tracking tool
    “There are still far too many blockchain systems that seem to treat this amazing new technology as a nifty kind of digital notary or distributed database service,” Brody says, adding that people who see blockchain only in these terms are missing something important. Tokenization – using blockchain tokens (or “coins”) to represent specific assets – is a game-changing use for this technology.

    5. There will be a crash sometime in the next few years

  12. Tomi Engdahl says:

    Hackers increasingly target patient records as HCPs do little to protect data – research

    One in five healthcare professionals has experienced breaches of patient data, yet many also say they’re “very confident” in their facility’s ability to protect that data against theft, according to a survey by University of Phoenix College of Health Professions.

    Despite increased data breaches in all industries, only a quarter of registered nurses (RNs) have seen changes in the way their companies handle data security over the past year.

    The data also reveals a worrying disconnect between healthcare professionals’ confidence in protecting sensitive patient data and the actual protection of that data.

  13. Tomi Engdahl says:

    How Machine Learning Can Help Identify Cyber Vulnerabilities

    Historically, no matter how much money an organization spends on cybersecurity, there is typically one problem technology can’t solve: humans being human. Gartner expects worldwide spending on information security to reach $86.4 billion in 2017, growing to $93 billion in 2018, all in an effort to improve overall security and education programs to prevent humans from undermining the best-laid security plans. But it’s still not enough: human error continues to reign as a top threat.

    According to IBM’s Cyber Security Intelligence Index, a staggering 95% of all security incidents involve human error. It is a shocking statistic, and for the most part it’s due to employees clicking on malicious links, losing or getting their mobile devices or computers stolen, or network administrators making simple misconfigurations.

    As the adage goes, “to err is human” — people are going to make mistakes. So we need to find ways to better understand humans, and anticipate errors or behaviors that are out of character

    Risk-based authentication enables better visibility of error-prone users, or those that have opened avenues of opportunity for cybercriminals in the past, helping to solve the “human” problem of cybersecurity.

    In order to achieve this, we must first understand that all users are not on the same playing field.

    There is no “one size fits all” approach to navigating the human element of security, and organizations can no longer rely on traditional automated technologies that take a “set it and forget it” mentality.

    While it may go against traditional instincts around security, which usually centers on control and restrictions to fight human error, it’s best to let employees just be themselves — and design your systems to cope with that.
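
    As an added illustration of the risk-based authentication idea in the excerpt above (example code written for this page, not taken from the article or from any vendor product): each login is scored against the user's own history rather than against one global rule, and a user with prior incidents is held to a tighter threshold. All profiles, events, signal weights and thresholds are constructed assumptions.

```python
"""Risk-based authentication: score a login against the user's own baseline.

Added illustration for the article excerpt above, not code from the article
or from any vendor product. Profiles, events, weights and thresholds below
are constructed assumptions chosen for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class UserProfile:
    user: str
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    work_hours: tuple = (7, 19)          # UTC hours in which this user normally logs in
    prior_incidents: int = 0             # past phishing clicks, lost devices, etc.
    last_login: Optional[dict] = None    # previous accepted event, for the travel check


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def score_login(event, profile, recent_failures=0):
    """Return (score, reasons, decision) for one login attempt.

    event: {"time": aware UTC datetime, "device_id": str, "country": str,
            "geo": (lat, lon)}.  recent_failures: failed attempts on this
    account in the last few minutes (assumed to come from the auth log)."""
    score, reasons = 0, []
    if event["device_id"] not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if event["country"] not in profile.known_countries:
        score += 25
        reasons.append("unknown country")
    start, end = profile.work_hours
    if not start <= event["time"].hour < end:
        score += 10
        reasons.append("outside usual hours")
    if recent_failures >= 3:
        score += 20
        reasons.append(f"{recent_failures} recent failed attempts")
    prev = profile.last_login
    if prev is not None:
        hours = (event["time"] - prev["time"]).total_seconds() / 3600
        km = km_between(prev["geo"], event["geo"])
        if hours > 0 and km / hours > 900:    # faster than an airliner: impossible travel
            score += 40
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    # Not one size fits all: a user with a history of incidents is held to a
    # tighter threshold than a user with a clean record.
    score = int(score * (1 + 0.25 * profile.prior_incidents))
    if score >= 60:
        decision = "deny"
    elif score >= 25:
        decision = "step-up mfa"
    else:
        decision = "allow"
    return score, reasons, decision


# Constructed sample data: two users with equivalent known devices and
# countries, differing only in their incident history.
HELSINKI, NEW_YORK = (60.17, 24.94), (40.71, -74.01)
T0 = datetime(2018, 1, 15, 9, 0, tzinfo=timezone.utc)
ALICE = UserProfile("alice", {"laptop-1"}, {"FI"},
                    last_login={"time": T0, "geo": HELSINKI})
BOB = UserProfile("bob", {"laptop-2"}, {"FI"}, prior_incidents=2,
                  last_login={"time": T0, "geo": HELSINKI})

SAMPLE_EVENTS = [
    # (label, profile, event, recent failed attempts)
    ("alice routine", ALICE,
     {"time": T0.replace(hour=10), "device_id": "laptop-1", "country": "FI", "geo": HELSINKI}, 0),
    ("alice from New York two hours later", ALICE,
     {"time": T0.replace(hour=11), "device_id": "phone-9", "country": "US", "geo": NEW_YORK}, 0),
    ("alice new tablet at night", ALICE,
     {"time": T0.replace(hour=22), "device_id": "tablet-3", "country": "FI", "geo": HELSINKI}, 0),
    ("bob new tablet at night", BOB,
     {"time": T0.replace(hour=22), "device_id": "tablet-3", "country": "FI", "geo": HELSINKI}, 0),
]


def run_examples():
    """Score every constructed event; returns [(label, score, decision), ...]."""
    results = []
    for label, profile, event, failures in SAMPLE_EVENTS:
        score, reasons, decision = score_login(event, profile, failures)
        results.append((label, score, decision))
    return results


if __name__ == "__main__":
    for label, profile, event, failures in SAMPLE_EVENTS:
        score, reasons, decision = score_login(event, profile, failures)
        print(f"{label:40s} score={score:3d} {decision:12s} {'; '.join(reasons)}")
```

    The last two events are identical except for who is logging in: the same unknown tablet at night is a step-up prompt for alice but a denial for bob, whose two prior incidents raise his multiplier. In a real deployment the weights would be tuned from the organisation's own incident history, and the profile would be updated from accepted logins rather than kept static as here.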

  14. Tomi Engdahl says:

    In Germany, online hate speech has real-world consequences

    A new study finds that anti-refugee rhetoric on Facebook is correlated with physical attacks

  15. Tomi Engdahl says:

    Ransomware and Bitcoin Enter New Phase

    The phenomenal appreciation in Bitcoin’s value against the dollar, up roughly 18x in 2017 and 4x since September, gives us pause to consider – from a security perspective – what this might mean for ransomware in the near and distant future.

    Ransomware and Bitcoin Codependency

    It is not an exaggeration to say that without each other, ransomware and Bitcoin might not exist at all. I think it’s largely understood that the rise of a virtual, anonymized and easy-to-use payment system was a key factor in making ransomware the phenomenon it is today.

    I believe the fundamental importance of ransomware to the development of Bitcoin is slightly less obvious to some. A back-of-the-envelope calculation based on ransomware payment estimates and data from suggests that ransomware payments accounted for as much as 20 percent of the Bitcoin “money supply” in 2016 and through the beginning of 2017, until the recent run-up. One-fifth is a market-moving part of any currency’s float.

  16. Tomi Engdahl says:

    Next INpact launches a browser extension to see who is tracking you online
    Posted Jan 11, 2018 by Romain Dillet (@romaindillet)

    French tech media company Next INpact just launched an interesting project today. Kimetrak is a simple browser extension that lets you see how your favorite website is tracking you and selling your privacy.

    The upcoming ePrivacy and GDPR regulations in Europe have been a wake-up call in many ways. Arguably, bitcoin-mining scripts and Spectre JavaScript examples also have made people realize that you’re not in control of what your browser is loading.

    Browsing the web feels like writing a blank check every time you load a page. Maybe you just want to read an article. And yet, many big websites embed dozens of third-party JavaScript calls (and unfortunately TechCrunch is one of them).

    Ad servers as well as big tech companies, such as Facebook and Google, can track your browsing habits and serve code that hasn’t been reviewed in any way. Those companies can then build comprehensive profiles about you and leverage cookies to read and store personal data.

    That’s why many people install ad-blocking extensions or disable JavaScript altogether. Some extensions, such as Ghostery or uBlock Origin, show you a list of all the scripts from third-party domains that got blocked.

    But Kimetrak isn’t an ad blocker. The extension wants to educate people about trackers on the web.
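
    To show what an inventory like Kimetrak's looks like underneath, here is an added example (written for this page, not Kimetrak's code) that lists the resources a page would make the browser fetch and groups the third-party ones by domain. The page URL and HTML are constructed for the example, and the registrable-domain check is simplified to the last two host labels; a real tool uses the Public Suffix List.

```python
"""Inventory the resources a page would load and group the third-party ones
by domain, the check a tracker-visualisation extension such as Kimetrak does
in the browser.

Added illustration for the article excerpt above; not Kimetrak's code. The
page URL and HTML are constructed for the example, and the registrable-domain
check is simplified to the last two host labels (a real tool uses the
Public Suffix List so that names like example.co.uk group correctly)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://www.newsdaily.example/2018/01/article"   # invented page

# Constructed page: a few first-party assets plus the analytics, social and
# ad loaders a typical news site embeds.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.newsdaily.example/bundle.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://static.adserver-demo.example/tag.js"></script>
</head><body>
<p>Article text.</p>
<img src="/images/logo.png">
<img src="https://www.facebook.com/tr?id=123" width="1" height="1">
<iframe src="https://ads.adserver-demo.example/frame.html"></iframe>
</body></html>
"""


def registrable_domain(host):
    """Simplified eTLD+1: keep the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class ResourceCollector(HTMLParser):
    """Collect the URLs of elements that make the browser fetch something."""
    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []   # (tag, raw url as written in the page)

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))


def classify_resources(page_url, html):
    """Return {"first_party": [(tag, url)], "third_party": {domain: [(tag, url)]}}."""
    page_domain = registrable_domain(urlparse(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    report = {"first_party": [], "third_party": {}}
    for tag, raw in collector.resources:
        url = urljoin(page_url, raw)          # resolves relative and scheme-less URLs
        host = urlparse(url).hostname
        if host is None or registrable_domain(host) == page_domain:
            report["first_party"].append((tag, url))
        else:
            report["third_party"].setdefault(registrable_domain(host), []).append((tag, url))
    return report


def third_party_summary(report):
    """[(domain, number of resources)] sorted by count, most active first."""
    counts = [(dom, len(items)) for dom, items in report["third_party"].items()]
    return sorted(counts, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    rep = classify_resources(PAGE_URL, SAMPLE_HTML)
    print(f"{len(rep['first_party'])} first-party resources")
    for dom, n in third_party_summary(rep):
        print(f"{n} resource(s) from third party {dom}")
```

    The static scan only sees what is in the HTML; scripts that load further scripts at runtime, which is how most ad tags work, are only visible to an extension that watches the browser's actual requests, which is why Kimetrak runs in the browser rather than over the page source.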

  17. Tomi Engdahl says:

    World Economic Forum Publishes Cyber Resiliency Playbook

    World Economic Forum Publishes Playbook for Developing Cyber Resiliency Through Public/Private Collaboration

    The World Economic Forum (WEF) has released a playbook for public-private collaboration to improve cyber resiliency ahead of the launch of a new Global Centre for Cybersecurity at the Annual Meeting 2018 taking place on January 23-26 in Davos, Switzerland.

    The background to the WEF playbook is the complexity and sometimes conflicting requirements for governments to provide physical and cyber security for their citizens without unnecessarily intruding on personal privacy, and without damaging legitimate multinational businesses. Success, it claims, “depends on collaboration between the public and private sectors.”

    There are two sections to the playbook: a reference architecture for public-private collaboration, and cyber policy models. There is no attempt to provide a global norm in this process, nor a methodology for implementing individual policy models. It is an intra-country model, and implementation will depend upon each nation’s unique values.

    Cyber Resilience: Playbook for Public- Private Collaboration

    Cyber Resilience: Playbook for Public-Private Collaboration helps leaders develop a baseline understanding of the key issues and policy positions relating to cybersecurity and resilience. The policy models discussed in detail include Zero-Days, Vulnerability Liability, Attribution, Intelligence Sharing, Botnet Disruption, Monitoring, National Security Roles, Encryption, Cross-Border Data, Notification Requirements, Duty of Assistance, Active Defence, Liability Thresholds, and Cyber Insurance.

  18. Tomi Engdahl says:

    Google, Intel, Microsoft, Others Scramble to Fix Cybersecurity Vulnerabilities

    Big names in the electronics industry, including Google, Intel and Microsoft, are struggling to repair security holes brought about by recently revealed weaknesses in hardware.

    Hardware flaws may be the new big security gap in computers and phones. In the last few days, it has become apparent that Intel, Microsoft, and other leading electronics companies have been struggling for months to overcome security holes that affect billions of processors worldwide. Intel, Microsoft, and Google released statements assuring customers the fixes are complete or in process. Yet some experts warn that the fixes could hurt performance.

    Some Fixes Are Still on the Way

    The vulnerability apparently has the potential to let attackers through security barriers. “The flaw allows apps or hackers to bypass Kernel security systems and access cached sensitive information within the memory,” Marty P. Kamden, CMO of NordVPN told Design News. “This has led to the redesign of Windows and Linux Kernels. It seems that this particular bug has probably impacted most of the Intel processors manufactured in the past 10 years.”

    Some systems have already been updated with fixes, while other system repairs are still in the process of updating. “Apple and Linux developers have released patches that in one way or another are able to mitigate the possible damage which might emerge from this major flaw, while Windows users must still wait for an update,” said Kamden. “We recommend that people keep their devices updated regardless of the OS used. However, each person must assess their threat level individually until all security patches are completed and publicly released.”

  19. Tomi Engdahl says:

    Shared Accounts Increasingly Problematic for Critical Infrastructure: ICS-CERT

    Assessments conducted last year by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that boundary protection remains the biggest problem in critical infrastructure organizations, but identification and authentication issues have become increasingly common.

    Critical infrastructure owners and operators can ask ICS-CERT to conduct onsite cybersecurity assessments of their industrial control systems (ICS) in order to help them strengthen their cybersecurity posture.

    Improper network boundary protection, which includes inadequate boundaries between enterprise and ICS networks and the inability to detect unauthorized activity on critical systems, has been the most common type of weakness since 2014.

    As for identification and authentication issues, these can include the lack of mechanisms for tracing user actions if an account gets compromised, and increased difficulty in securing accounts belonging to former employees, particularly ones with administrator access.

    Identification and authentication issues first made ICS-CERT’s top six weakness categories in 2015, when it was on the fourth position. In 2016 it jumped one position and last year it was the second most common security weakness.

    Of all the identification and authentication issues, shared and group accounts are particularly concerning.

    “[Shared and group accounts] make it difficult to identify the actual user and they allow malicious parties to use them with anonymity. Accounts used by a shared group of users typically have poor passwords that malicious actors can easily guess and that users do not change frequently or when a member of the group leaves,” ICS-CERT said in its latest Monitor report.
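
    As an added example (written for this page, not code from ICS-CERT), here is the kind of check that surfaces shared and group accounts from logon records: an account seen from many distinct sources within a day, or with sessions open at the same time from different sources, is being used by more than one person. The log lines and their LOGON/LOGOFF format are constructed for the example.

```python
"""Flag shared and group accounts from logon records: an account used from
many distinct sources within a day, or with sessions open at the same time
from different sources, is being used by more than one person.

Added example for the ICS-CERT excerpt above, not code from ICS-CERT. The
log lines and their LOGON/LOGOFF format are constructed for the example;
adapt the regex to whatever your domain controller, historian or jump host
actually emits."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>LOGON|LOGOFF) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)$")

# Constructed logon records from an imaginary plant network.
SAMPLE_LOG = """
2018-01-16T06:02:11Z LOGON user=operator src=10.20.1.15 host=HMI-01
2018-01-16T06:05:40Z LOGON user=operator src=10.20.1.16 host=HMI-02
2018-01-16T06:07:02Z LOGON user=operator src=10.20.1.17 host=ENG-WS
2018-01-16T06:30:00Z LOGON user=jsmith src=10.20.1.40 host=ENG-WS
2018-01-16T14:01:13Z LOGOFF user=jsmith src=10.20.1.40 host=ENG-WS
2018-01-16T14:10:00Z LOGON user=operator src=192.168.50.9 host=HIST-01
2018-01-16T18:20:00Z LOGON user=jsmith src=10.20.1.40 host=ENG-WS
2018-01-17T09:00:00Z LOGON user=vendor_svc src=10.20.1.60 host=PLC-GW
2018-01-17T09:20:00Z LOGON user=vendor_svc src=203.0.113.7 host=PLC-GW
""".strip().splitlines()


def parse_events(lines):
    """Parse matching lines into dicts sorted by time; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_shared_accounts(lines, window=timedelta(hours=24), max_sources=2):
    """Return {user: [reason, ...]} for accounts that look shared.

    max_sources: more than this many distinct sources inside one window is
    flagged (an individual's desk plus one spare is normal; four HMIs is not)."""
    by_user = defaultdict(list)
    for e in parse_events(lines):
        by_user[e["user"]].append(e)

    findings = {}
    for user, events in by_user.items():
        reasons = []
        # Rule 1: too many distinct sources inside any sliding window.
        logons = [e for e in events if e["action"] == "LOGON"]
        for i, first in enumerate(logons):
            sources = {e["src"] for e in logons[i:] if e["ts"] - first["ts"] <= window}
            if len(sources) > max_sources:
                reasons.append(f"{len(sources)} distinct sources within {window}: "
                               f"{', '.join(sorted(sources))}")
                break
        # Rule 2: a logon from one source while a session from another source
        # is still open (no LOGOFF seen) means two people using it at once.
        open_sessions = {}            # src -> logon time
        for e in events:
            if e["action"] == "LOGOFF":
                open_sessions.pop(e["src"], None)
                continue
            others = sorted(s for s in open_sessions if s != e["src"])
            if others and not any(r.startswith("concurrent") for r in reasons):
                reasons.append(f"concurrent sessions: logon from {e['src']} at "
                               f"{e['ts']:%H:%M} while {others[0]} still logged on")
            open_sessions[e["src"]] = e["ts"]
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: likely shared account")
        for r in reasons:
            print(f"  - {r}")
```

    On the constructed log, operator trips both rules (four HMIs in one morning, sessions overlapping) and vendor_svc trips only the concurrency rule, from an internal address and an external one at once; jsmith, who logs off before logging on again from the same workstation, is left alone. The finding is the starting point for the remediation ICS-CERT describes: individual accounts, so that a user's actions can be traced and a departing team member's access can be revoked without rotating a password everyone knows.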

  20. Tomi Engdahl says:

    Big Brother is Watching, But That’s OK Within Limits

    How Can a Company Protect its Information and Operations Without Running Askew of Data Privacy Laws and the Concerns of its Customers?

    We are all familiar with the literary and movie versions of the “big brother is watching you” scenario. It usually begins under the umbrella of protecting society from the bad guys and ends up with a police state that violates the rights of everyday citizens. Some privacy advocates and regulators fear that security tools and methods that track a person’s computing activities or location will lead to such a dystopian future. Security advocates feel the “greater good” is better served through these tools. Reality is probably somewhere in the middle, but maintaining a balance in these matters is the way to go.

    The tension between security and privacy is not new. Security tools by their very nature need to monitor and inspect users’ and machines’ computing activities. A policeman wearing a blindfold and earplugs won’t be very effective. In the public and private domains, there are laws that protect our rights from an unlawful invasion of privacy. Without probable cause, police can’t just enter your home to see if by some chance the law is being broken.

    Our work environments lie somewhere in between private and public, and have additional interests to protect other than our own.

    Between the security and logging required by some industry regulations, and the risk of insider threats, most mid-sized and large enterprises have a broad suite of tools to monitor, log and analyze the activities taking place on their network and computers. For example, there are SEC regulations that require brokerages to capture and store all broker email, chat and voice communication for six years on non-rewriteable storage. Another example is the behavioral analytics technology companies deploy to identify and mitigate insider threats, which requires capturing and analyzing user behavior and other vectors for anomalies and correlation.

    Most would say that a company has a right to protect their assets and operations, and certainly to comply with industry regulations.

    The bigger challenge facing companies is around how all that security data is being used. Where does it reside? How is it being protected? Who has access to it? Does it apply to my personal communication? Does it apply to my personal device that is connected to the corporate network and email? Add in the variety and complexity of laws that vary from country to country and even state to state, and you need a law degree to manage a security operations center.

  21. Tomi Engdahl says:

    Cyber Attacks Continue to Succeed

    Spectre and Meltdown demonstrate weaknesses in current hardware cybersecurity that will force a huge paradigm shift within the semiconductor industry.

    Spectre and Meltdown, two methods of exploiting security vulnerabilities found in Intel, AMD and Arm processors, demonstrate weaknesses in current hardware cybersecurity that will force a huge paradigm shift within the semiconductor industry.

    Software-based cybersecurity, the go-to measure to ensure a system won’t be hacked, addresses software vulnerabilities but overlooks hardware design. That’s because more than $150 billion is spent a year on software-based cyber security tools, while relatively little is spent on hardware security tools, and there continues to be a stream of hacks and breaches.

  22. Tomi Engdahl says:

    Hawaii’s emergency alert interface looks straight out of the ’90s

    No one who’s used a long-running government website expects such things to be fancy — just functional. But there’s a limit to what can be tolerated, and I believe we’ve reached it with Hawaii’s emergency alert system, which is so dated that it would be hilarious if it hadn’t just caused a statewide panic.

    Look at that! Just a jumble of contextless plain links, with drills and tests heedlessly mixed in. It’s easy to see how this happened. We all click the wrong link now and then, but the consequence isn’t destabilizing an entire state. You can’t hit the back button on a million text messages and broadcast warnings.

    You can see that at the top of the list a new entry: BMD False Alarm.

    Again, these sorts of websites are usually ridiculously old and hooked into hardwired systems even older than they, so it’s not much of a surprise to see how shabby this one is.

  23. Tomi Engdahl says:

    BlackBerry Launches Security Product for Automotive, Other Industries

    BlackBerry announced on Monday the launch of Jarvis, a new cybersecurity service designed to help companies in the automotive and other sectors find vulnerabilities in their software.

    Jarvis has been described by BlackBerry as a cloud-based static binary code analysis software-as-a-service (SaaS) product. The tool is currently used by automakers, including Britain’s largest car maker, Jaguar Land Rover, but BlackBerry says it is ideal for other types of organizations as well, including in the healthcare, aerospace, defense, and industrial automation sectors.

    Modern cars use hundreds of software components, including many provided by third-party vendors across several tiers. While this approach has some advantages, it also increases the chances of vulnerabilities making it into the software somewhere along the supply chain.

    Jarvis aims to address this issue by scanning code and offering actionable information within minutes. In addition to finding vulnerabilities, the service also helps ensure compliance with various standards.

  24. Tomi Engdahl says:

    Mobile sensor data reveals your PIN code

    If you have secured your phone with a PIN, no one can open it. Wrong. Researchers from Singapore’s Nanyang Technical University have developed an application that, based on sensor data, is able to guess the user’s PIN code with 99.5 percent confidence within three attempts.

    A group led by Dr Shiwam Bhasin developed an Android application that collects data from six device sensors. Based on that data, the app could guess the correct PIN out of the 10,000 possible four-digit combinations.

    The application infers the PIN digits from how the phone is held in the hand and how it moves when the keys are pressed.

    According to the researchers, the app exposes a major problem in smartphone security: collecting and using sensor data does not require permission from the user, and the data is freely available to all applications.

    The researchers’ application collected data from the accelerometer, gyroscope, angular velocity sensor, magnetometer, proximity sensor, barometer and ambient light sensor. They trained their identification algorithm by having three different users enter 70 random four-digit PINs while the application recorded the readings of all the sensors.

    A machine learning classification algorithm was then applied to the collected data, allowing each PIN digit pressed to be identified with high certainty.


  26. Tomi Engdahl says:

    Industrial System Cyberattacks Aim for Sabotage

    More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.

    As cyberattacks become more prevalent and sophisticated, the nature of the attacker is changing. We’re seeing fewer lone wolves, and more organized criminals who are packaging attack kits and selling them on the dark web. Their attacks aim at either commerce or control. The IT intruders seek commercially valuable personal or financial data, while operational technology (OT) attacks seek control of plants or factories for potential sabotage.

    Sometimes OT attackers want to do damage, while other times they hide and wait. For years, we’ve heard rumors that hostile governments have placed potentially destructive cyber-bugs in US power plants, but they are reluctant to set their bugs in motion, because the US has bugs in their plants, as well.

    “The attackers’ goals for IT systems is information exfiltration, but for industrial OT systems, the attacker’s goal is typically sabotage,” Ashok Banerjee, CTO for enterprise security products at Symantec, told Design News. “Attackers typically want to have remote control of the industrial network and be able to disable a power grid or cause a collision or explosion. Typically, attackers hold this control for extended intervals, triggering it when needed.”

    The Race to Counter Cyberattacks

    Since the beginnings of the first computer viruses, there has been a race between the hackers and cyber protection. Banerjee believes the defense against attacks is finally pulling ahead in the race. “Cyberattacks and cyber defense have co-evolved. With the rise of cybersecurity, attackers with increasing sophistication have flown just below the radar of three or four different products,” said Banerjee. “2018 will be the year where multiple products will orchestrate learnings across static scans, network behavior, process behavior, IO behavior, content behavior, and IoT interactions to determine benign and malicious elements. This will be the year where multiple technologies work together to protect from the next frontiers of attacks.”

    A Changing Perimeter Is Difficult to Secure

    Securing the perimeter was much easier in the days when the perimeter simply surrounded a building or an industrial operation. Connectivity has changed the very nature of the perimeter. “The perimeter is more porous than ever before. Our greatest assets are increasingly in the cloud. That includes customer data in CRM or HR data in Workday,” s

  28. Tomi Engdahl says:

    Cyber-attackers have a new way to damage data center infrastructure

    A new kind of malware, known as Triton or TRISIS, goes after industrial safety systems that provide emergency shutdown capabilities. Experts say it can also be effective in attacking data center power and cooling systems. A recent Triton attack targeted Schneider Electric’s Triconex safety system, and the malware has already had at least one victim, the security research firms reported. Like Stuxnet and Industroyer, Triton is most likely to be used by nation-state attackers against critical infrastructure

    Attackers Have a New Way to Damage Data Center Infrastructure

    Data centers, for example, are filled with industrial control systems that manage life safety, power, cooling, and other critical environment factors, said Andrew Howard, CTO at Kudelski Security. “These systems provide a different attack vector into data centers,” he said.

    Damage caused by these kinds of attacks is different than damage from the more common cyber threats. “They typically have a greater impact on the availability of systems and data than on the confidentiality or integrity aspects,” Howard said.

    In addition, an attack on a data center’s safety system can have a larger “blast radius” than the traditional, more targeted attacks. For example, attackers might be going after just one of the companies using a particular data center. Taking out the entire facility would affect every other company that uses it.

    As global tensions rise, hostile nation states might step up these kinds of attacks

    “We are going to see increases in these types of covert attacks designed to do damage or create disruption,” he said. “Much more investment from operators to modernize these public services will be required to protect them from attack.”

    And it’s not just data centers’ safety systems that are at risk, said Ben Miller, director of threat operations at Dragos. “Data center HVAC and building automation systems are leveraging similar types of communications and controllers and are often overlooked,” he said. “Attacking these systems, similar to how TRISIS attacked safety systems, could impact backup power or cooling that are essential to equipment operation.”

    “Access to critical systems should not be universal and should be restricted via network segmentation, a locked-down host, and multi-step authentication,”

  29. Tomi Engdahl says:

    Assessing Cyber and Physical Risks to Manufacturers

    Manufacturers serve as critical building blocks of modern society. They are integral to the existence of the products we consume, the essential services we need, and the infrastructure on which we rely. Our reliance on them also means that, according to the U.S. Department of Homeland Security (DHS), “a direct attack on or disruption of certain elements of the manufacturing industry could disrupt essential functions at the national level and across multiple critical infrastructure sectors.”

    Although security incidents that occur in consumer-facing industries like retail and financial services tend to attract the most attention, those suffered by manufacturers can be far more damaging. The challenge is that the manufacturing industry tends to be particularly susceptible to various cyber and physical security risks. Here’s why:

    Antiquated Operational Technology (OT) Environments
    Increasingly Complex Supply Chains
    An Abundance of Intellectual Property

    When it comes to accurately evaluating and mitigating security risks facing manufacturers, the above characteristics should serve purely as a starting point. It’s crucial to remember that regardless of industry or function, safeguarding critical assets, proactively addressing cyber and physical threats, and assessing and mitigating risk accurately and effectively requires a comprehensive understanding of all factors contributing to an organization’s risk.

  30. Tomi Engdahl says:

    The global threat index of the security company Check Point Software Technologies shows that cryptocurrency mining malware spread faster in December. The company’s researchers say that signs of cryptocurrency mining were found in more than half (55%) of corporate networks in December.


  31. Tomi Engdahl says:

    Cyber attacks are increasingly threatening and growing in number and scope every day, according to Aon’s 2018 Cybersecurity Predictions report. “The year 2017 will be remembered as the year that finally woke Finnish companies up to cybercrime,” says Aon Finland’s cyber specialist Lauri Kononen.

    According to Aon’s new security report, exposure to cyber risk is expected to increase in 2018 with three converging trends: companies are increasingly dependent on technology, regulators’ desire to protect consumer information is growing, and the value of intangible assets is increasing.

    New connected technologies such as IoT will also increase the need for cybersecurity.

    “Increased outsourcing of services and the explosive growth of IoT will pose a challenge to traditional risk management; in the future, risk management must also take into account the security of the systems and IoT equipment used by contract partners and service providers,” says Christa Heinonen, Aon Finland’s cyber specialist.


  32. Tomi Engdahl says:

    Aon’s Cybersecurity 2018 Predictions: Companies Will Make Major Enterprise-Wide Changes to Address Cyber Risk

    Companies to take out more standalone cyber insurance policies; chief risk officer steps boldly into cybersecurity spotlight; greater regulatory pressure globally; increasing importance of multi-factor authentication; full extent of insider risk goes unreported.

  33. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Researchers find that COMPAS algorithm, used to determine if a defendant will reoffend, is no better than average person’s guess; developer disputes findings — Our most sophisticated crime-predicting algorithms may not be as good as we thought. A study published today in Science Advances takes …

    Mechanical Turkers may have out-predicted the most popular crime-predicting algorithm

    Our most sophisticated crime-predicting algorithms may not be as good as we thought. A study published today in Science Advances takes a look at the popular COMPAS algorithm — used to assess the likelihood that a given defendant will reoffend — and finds the algorithm is no more accurate than the average person’s guess. If the findings hold, they would be a black eye for sentencing algorithms in general, indicating we may simply not have the tools to accurately predict whether a defendant will commit further crimes.

    The accuracy, fairness, and limits of predicting recidivism


    Algorithms for predicting recidivism are commonly used to assess a criminal defendant’s likelihood of committing a crime. These predictions are used in pretrial, parole, and sentencing decisions. Proponents of these systems argue that big data and advanced machine learning make these analyses more accurate and less biased than humans. We show, however, that the widely used commercial risk assessment software COMPAS is no more accurate or fair than predictions made by people with little or no criminal justice expertise. We further show that a simple linear predictor provided with only two features is nearly equivalent to COMPAS with its 137 features.

  34. Tomi Engdahl says:

    PureSec Emerges From Stealth With Security Product for Serverless Apps

    Tel Aviv, Israel-based startup PureSec emerged from stealth mode on Wednesday with a security platform designed for serverless architectures and a guide that describes the top 10 risks for serverless applications.

    PureSec’s product is powered by the company’s Serverless Security Runtime Environment (SSRE) technology, which provides a trusted and safe environment for serverless functions.

    Applications built on serverless architectures do not require an always-on physical or virtual server. Instead, resources are provided dynamically as Backend-as-a-Service (BaaS) and Function-as-a-Service (FaaS) services. Amazon’s AWS Lambda, Microsoft’s Azure Functions, Google Cloud Functions and IBM BlueMix Cloud Functions are the most popular serverless platforms.

    Using serverless architectures has many advantages, including the fact that developers can focus on product functionality without having to worry about the server side, including when it comes to applying security patches. However, the developer is still responsible for ensuring that the application is resilient to attacks.

    PureSec’s product aims to address this by providing runtime protection via two layers: a firewall and a behavioral engine.

    “The first layer, the Serverless Function Firewall, makes sure that input going into the function is safe for usage as event input. It can detect application layer attacks that are relevant for serverless architectures – like NoSQL Injections, SQL Injections, XSS, Local File Inclusion, Runtime Code Injections, etc. It is working on the event-data for the function (the arguments), so it is protocol agnostic and can handle any kind of event triggers (it’s not limited to HTTP),” Segal told SecurityWeek.

    “Once the function starts executing, our behavioral detection engine monitors ‘operations’ and ‘interactions’ performed by the function in real-time, making sure that only good behaviors are performed. Our research team spent time modeling good behavior, as well as malicious behavior, and we can detect attempts to subvert function logic, attempt to access files in an unauthorized way, attempts to download malware or execute it, or leak data. This is purely behavioral and does not rely on signatures, in order to provide 0-day protection. It’s basically positive security applied to function behaviors,” he added.
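The comment above describes a firewall layer that checks the function’s event data before execution, independent of the trigger type. The following is an added example of that idea, not PureSec’s code: it assumes an AWS Lambda-style `handler(event, context)` signature, and the set of argument names treated as file paths (`FILE_KEYS`) is an assumption for illustration.

```python
import functools
import json
import posixpath

# Argument names whose string value is treated as a file path (assumption).
FILE_KEYS = {"file", "filename", "path", "template", "include"}


def _walk(node, path="$"):
    """Yield (json-path, value) for every node, descending into nested JSON carried as a string."""
    yield path, node
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(node, str) and node.lstrip()[:1] in ("{", "["):
        try:  # e.g. an API Gateway 'body' that is JSON text
            yield from _walk(json.loads(node), f"{path}(json)")
        except ValueError:
            pass  # not JSON after all; keep it as an opaque string


def find_violations(event):
    """Return findings for the whole event; an empty list means it is clean."""
    findings = []
    for path, value in _walk(event):
        if not isinstance(value, dict):
            continue
        for key, val in value.items():
            if isinstance(key, str) and key.startswith("$"):
                # Document-store query operators have no business in input data.
                findings.append(f"{path}.{key}: query operator key in input")
            elif key in FILE_KEYS and isinstance(val, str):
                norm = posixpath.normpath(val.replace("\\", "/"))
                if norm.split("/")[0] == ".." or norm.startswith("/"):
                    findings.append(f"{path}.{key}: path escapes base directory")
    return findings


def guard_event(handler):
    """Decorator: validate the event before handler(event, context) runs, whatever the trigger."""
    @functools.wraps(handler)
    def wrapper(event, context=None):
        findings = find_violations(event)
        if findings:  # block at the input layer and surface the reason for logging
            return {"statusCode": 400, "body": json.dumps({"blocked": findings})}
        return handler(event, context)
    return wrapper
```

Because the check runs on the event object rather than on an HTTP request, the same decorator covers queue, storage and HTTP triggers alike.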

  35. Tomi Engdahl says:

    Hehe, still writing code for a living? It’s 2018. You could be earning x3 as a bug bounty hunter
    Oh, yeah, and learning new tricks and protecting stuff, sure

    Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering.

    And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities.

    A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security biz HackerOne, augmented by the company’s data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that’s 2.7 times that of typical software engineers in their home countries.

    In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.

    “Bug bounty programs are taking off and with that comes enormous opportunities for hackers to earn competitive rewards for making the internet safer,” Lauren Koszarek, director of communications at HackerOne, told The Register today.


    In the report, computer security breach archivist Troy Hunt opined that the lack of geographical barriers for bug hunting makes the economics appealing.

    “Consider what the ‘return’ component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in,” he said. “This makes bounties enormously attractive and gets precisely the eyes you want looking at your security things.”

    Hackers on average cite improving skills (14.7 per cent), having fun (14 per cent), and being challenged (14 per cent) above making money (13.1 per cent) to explain their motivations.

    After that, it’s career advancement (12.2 per cent), protecting and defending (10.4 per cent), doing good (10 per cent), helping others (8.5 per cent) and showing off (3 per cent).

    When asked “Why do you choose the companies you hack?”, 23 per cent cited the bounty. After that, the most common sentiment was the challenge or opportunity to learn (20.5 per cent), followed by affinity for the company (13 per cent).

    According to the survey, approximately 12 per cent of hackers using HackerOne earn at least $20,000 annually from bug bounties, about 3 per cent make more than $100,000, and 1.1 per cent are making more than $350,000. So the majority of bug hunters rely on other income sources.

  36. Tomi Engdahl says:

    Industrial System Cyberattacks Aim for Sabotage

    More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.

  37. Tomi Engdahl says:

    Avoiding Server Disaster

    Worried that your server will go down? You should be. Here are some disaster-planning tips for server owners.

    If you own a car or a house, you almost certainly have insurance.

    Unfortunately, disasters and mishaps are a fact of life in the computer industry. And so, just as you pay insurance and hope never to have to use it, you also need to take time to ensure the safety and reliability of your systems—not because you want disasters to happen, or even expect them to occur, but rather because you have to.

    I should note that most of the advice here assumes no redundancy in your architecture—that is, a single web server and (at most) a single database server. If you can afford to have a bunch of servers of each type, these sorts of problems tend to be much less frequent. However, that doesn’t mean they go away entirely. Besides, although people like to talk about heavy-duty web applications that require massive iron in order to run, the fact is that many businesses run on small, one- and two-computer servers. Moreover, those businesses don’t need more than that; the ROI (return on investment) they’ll get from additional servers cannot be justified. However, the ROI from a good backup and recovery plan is huge, and thus worth the investment.

    But even when considering those two extremes, you can see that a web application consists of only a few parts:

    The application software itself.

    Static assets for that application.

    Configuration file(s) for the HTTP server(s).

    Database configuration files.

    Database schema and contents.

    Backing Up Databases

    You could argue that the difference between a “website” and a “web application” is a database. Databases long have powered the back ends of many web applications and for good reason—they allow you to store and retrieve data reliably and flexibly. The power that modern open-source databases provides was unthinkable just a decade or two ago, and there’s no reason to think that they’ll be any less reliable in the future.

    And yet, just because your database is pretty reliable doesn’t mean that it won’t have problems. This means you’re going to want to keep a snapshot (“dump”) of the database’s contents around, in case the database server corrupts information, and you need to roll back to a previous version.

    My favorite solution for such a problem is to dump the database on a regular basis, preferably hourly.

    Depending on the size of your database and the amount of disk space you have on hand, you’ll have to decide just how often you want to run dumps and how often you want to clean out old ones.

    Storing Backups

    But wait. It might be great to have these backups, but what if the server goes down entirely? In the case of the code, I mentioned to ensure that it was located on more than one machine, ensuring its integrity. By contrast, your database dumps are now on the server, such that if the server fails, your database dumps will be inaccessible.

    There are a few relatively easy and inexpensive solutions to this problem. If you have two servers—ideally in separate physical locations—you can use rsync to copy the files from one to the other. Don’t rsync the database’s actual files, since those might get corrupted in transfer and aren’t designed to be copied when the server is running. By contrast, the dumpfiles that you have created are more than able to go elsewhere. Setting up a remote server, with a user specifically for handling these backup transfers, shouldn’t be too hard and will go a long way toward ensuring the safety of your data.


    When it comes to your servers, think less like an optimistic programmer and more like an insurance agent. Perhaps disaster won’t strike, but if it does, will you be able to recover? Making sure that even if your server is completely unavailable, you’ll be able to bring up your program and any associated database is crucial.
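The procedure described in the comment above (hourly logical dumps, pruning old ones, rsync of the dump files rather than the database’s own files to a second server) as an added example; this is not the article’s code. It assumes PostgreSQL’s `pg_dump`, `rsync` over SSH to a dedicated backup user, and the directory, host and retention values shown are placeholders.

```python
import os
import re
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

DUMP_DIR = Path("/var/backups/db")                   # local dump directory (assumed)
REMOTE = "backup@backup-host.example:db-dumps/"      # placeholder: dedicated backup user
KEEP = 48                                            # hourly dumps kept locally
DUMP_RE = re.compile(r"^db-\d{8}T\d{6}Z\.sql\.gz$")  # timestamped names sort in time order


def dump_database(dbname, path):
    """Write a compressed logical dump to path. This is a pg_dump, not a copy of
    the server's data files, which must not be copied while the server runs."""
    with open(path, "wb") as out:
        pg = subprocess.Popen(["pg_dump", "--no-owner", dbname], stdout=subprocess.PIPE)
        gz = subprocess.run(["gzip", "-c"], stdin=pg.stdout, stdout=out)
        pg.stdout.close()
    if pg.wait() != 0 or gz.returncode != 0:
        os.unlink(path)  # never leave a truncated dump that looks valid
        raise RuntimeError(f"dump of {dbname} failed; partial file removed")
    return path


def select_for_removal(names, keep):
    """From the names in a dump directory, pick the dumps to delete so that only
    the newest `keep` remain; non-dump files are ignored."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    dumps = sorted(n for n in names if DUMP_RE.match(n))
    return dumps[:-keep]


def prune_dumps(dump_dir, keep):
    """Delete old dumps locally; the remote copy keeps its own, longer retention."""
    removed = select_for_removal(os.listdir(dump_dir), keep)
    for name in removed:
        (Path(dump_dir) / name).unlink()
    return removed


def ship_dumps(dump_dir, remote):
    """Copy the dump files (only those that changed) to the second server over SSH."""
    subprocess.run(["rsync", "-az", f"{dump_dir}/", remote], check=True)


if __name__ == "__main__":  # run hourly from cron: backup.py <dbname>
    path = DUMP_DIR / f"db-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}.sql.gz"
    dump_database(sys.argv[1], path)
    prune_dumps(DUMP_DIR, KEEP)
    ship_dumps(DUMP_DIR, REMOTE)
```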

  38. Tomi Engdahl says:

    What does GDPR enforcement mean for your business?

    Avoiding GDPR penalties for noncompliance

    If an organization is found noncompliant, the relevant supervisory authority will determine the exact level of penalty. This authority will consider several factors when determining the penalty, such as the seriousness of the infringement and whether the firm is deemed negligent. It will also consider whether the organization took steps to prevent a breach.

    The largest fines will be imposed on organizations that haven’t even attempted to comply with GDPR. The maximum fine is either €20 million or 4% of the organization’s worldwide annual turnover, whichever is higher.

    To avoid GDPR fines, an organization needs to communicate these points:

    This is what we’re doing to comply with GDPR.
    This is what we’re doing not to run afoul of compliance.
    This is what we’re doing to have a reasonable story to tell even when something bad does happen.

    You will need to review your security defects through the lens of the impact that GDPR has on your organization.

    Here are some actions to consider:

    Establish a data inventory.
    Who owns the data?
    Who touches the data?
    Identify where EU data resides.
    Backups (tape, Iron Mountain, etc.)
    Ephemeral/temporary storage (how to guarantee secure erasure?)
    Transactional data in a database transaction log
    Inventory applications that interact with EU data.
    Account for deployment models.
    Rethink data storage.
    Consider functional changes to the applications to avoid violating GDPR

  39. Tomi Engdahl says:

    You’ll Really Want An “Undo” Button When You Accidentally Send A Ballistic Missile Warning

    Hawaiians started their weekend with quite a fright, waking up Saturday morning to a ballistic missile alert that turned out to be a false alarm. In between the public anger, profuse apologies from officials, and geopolitical commentary, it might be hard to find some information for the more technical-minded. For this audience, The Atlantic has compiled a brief history of infrastructure behind emergency alerts.

    As a system intended to announce life-critical information when seconds count, all information on the system is prepared ahead of time for immediate delivery. As a large hodgepodge linking together multiple government IT systems, there’s no surprise it is unwieldy to use. These two aspects collided Saturday morning: there was no prepared “Sorry, false alarm” retraction message so one had to be built from scratch using specialized equipment, uploaded across systems, and broadcast 38 minutes after the initial false alarm.

    The Internet Broke Emergency Alerts

    America’s emergency notification systems were first built for war, and then rebuilt for peace. A false alarm in Hawaii shows that they didn’t anticipate how media works in the smartphone era.

  40. Tomi Engdahl says:

    Fooling Speech Recognition With Hidden Voice Commands

    It’s 2018, and while true hoverboards still elude humanity, some future predictions have come true. It’s now possible to talk to computers, and most of the time they might even understand you. Speech recognition is usually achieved through the use of neural networks to process audio, in a way that some suggest mimics the operation of the human brain. However, as it turns out, they can be easily fooled.

    The attack begins with an audio sample, generally of a simple spoken phrase, though music can also be used. The desired text that the computer should hear instead is then fed into an algorithm along with the audio sample.

    Audio Adversarial Examples

  41. Tomi Engdahl says:

    Should You Shut Out Hackers from Inside the Car or the Cloud?

    The security schemes built to protect connected cars from hackers will extend from the electronics architecture to the cloud, where programs will cut off attacks before they reach the vehicle. But it is still not clear which form of security could be better equipped to impede threats to the growing number of cars connected to each other and the internet.

    It is also not clear which form of security could pay the largest dividends for investors in the emerging market for automotive cybersecurity, which generated less than $100 million in 2017 but will grow to $759 million by 2023, according to research firm IHS Markit.

