Year 2017 was bad cybersecurity year, and it is expected new Cybersecurity Dangers Will Spike in 2018. Security situation was so bad in 2017 that it was though that We’re hitting rock bottom in cyber, but I fear that we have nit yet hit the bottom, and thing will still get worse until they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most businesses processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means, a company’s customers are exposed. 2o18 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.
Here is a list of relevant cyber security terms for 2018s:
AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use it for their various purposes.Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions cold possibly help on some of the security problems, but be warned of over-hyping of AI om solutions. We will see many attacks against ‘black box’ machine learning.
Artesanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: Endpoint, AV, Cloud, Network/Infrastructure, Application, Compliance, and the list goes on and on. There is an overwhelming array of choices has given technologists a lot to evaluate, they have not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.
Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.
Automation: Enterprises will now no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises.
Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.
Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.
Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be describes as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has been often hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as looming security risk and some see that authorized browser mining could be used for micro-payments.
Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.
Certificates: Facebook Releases New Certificate Transparency Tools that allows developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency Logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks.With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
Cloud: Organizations are responsible for ensuring the security of their data, regardless of where that data resides, oftentimes cloud security is still thought of as a different type of security. You Should Question Most Common Cloud Assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.
Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”
GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. Enforcement date is 25 May 2018 – at which time those organizations in non-compliance will face heavy fines (a fine up to 20000000 EUR or up to 4% of the annual worldwide turnover).The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay on issues like data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad. You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.
Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground.On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: Protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.
HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox will includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.
HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of end 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.
HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS was been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.
ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Identity Management Systems (SIEM), and Incident Management Systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations become more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.
Identify: When you have inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.
IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018.IPv& security is somewhat different than IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task so manage the network security at both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is no way dying. It seems that both of those technologies will co-exist in Internet for a long time., so the default network setting ion the future is the devices had IPv6 address, along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays by default configured like that – so it is possible that you are using IPv6 without knowing of that (if this is good or bad depends if you planned your network to work in this way or not).
Inventory:Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices.Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation.Security experts have always warned us that a network is only as secure as its weakest point. Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT system should be addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be going on the The Race for a Universal IoT Security Standard, but that does not get anywhere near ready on 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard. On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.
Mirai: Mirai trojan and it’s many variants have been threat to IoT devices and several Internet services in 2016 and 2017. In 2017 Mirai-makers plead guilty, but this isn’t the end for the now open-sourced Mirai. I expect that we see on 2018 new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.
Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.
Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. TAnd they need to be fixed. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
PSD2: EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We meed Consent Management Solutions.
Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware the worries cybersecurity experts.
Responsibility: People are starting to call companies to take responsibility. EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to be turned out to be at least partially wrong. Some people call that It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are nows societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives—where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities.
Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. When you have plan what to do, next the technology is an extremely important component of a security program. Focus on actual disease and not just the symptoms. The Best Security Doesn’t Exclude Users, it Empowers Them.
Supply chain: Keep eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.
Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?
Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. For many attempts the goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.
Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.
Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run - many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities.
Worms: Wormable malware. Some of the biggest cyber incidents in 2017 r evolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats likely to continue into 2018.
Sources:
Firefox, Chrome start calling HTTP connections insecure
Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead
Cybersecurity Dangers Will Spike in 2018
We’re hitting rock bottom in cyber — let’s do something | TechCrunch
Mirai-makers plead guilty, Hajime still lurks in shadows
DARPA Takes Chip Route to ‘Unhackable’ Computers
Another AI attack, this time against ‘black box’ machine learnings
General Data Protection Regulation (Wikipedia)
Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already
Miten GDPR pitää huomioida ohjelmistokehityksessä?
Seven Seas Cybersecurity: Captain, We Have a Problem
In the Words of President Ronald Reagan, “Trust but Verify”
Why You Should Question These Most Common Cloud Assumptions
It’s 2018. Do You Know Where Your Data Are?
Improved IoT Security Starts with Liability for Companies, Not Just Legislation
Smart Factory Connectivity for the Industrial IoT
The Race for a Universal IoT Security Standard
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.
Resolve to Mitigate Your Business’ Digital Risk in 2018
Emerging Trends in Vulnerability Management
Research reveals customer-facing web and mobile apps as top security challenge
Open Source Vulnerabilities: Are You Prepared to Run the Race?
Device Security for the Industrial Internet of Things
GDPR and Open Source: Best Practices
Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC
ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good
Threat Modeling the Internet of Things: Modeling Reaper
Engineering for Privacy Requires Standards
How to Make Adversaries Work Harder, While We Work Smarter, in 2018
2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices
Facebook Releases New Certificate Transparency Tools
iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
Open Source Vulnerabilities: Are You Prepared to Run the Race?
U.S. Military to Send Cyber Soldiers to the Battlefield
Machine Learning & Security: Making Users Part of the Equation
Security is Not a Technology Profession
Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018
636 Comments
Tomi Engdahl says:
Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs
https://www.zdnet.com/article/over-nine-million-cameras-and-dvrs-open-to-apts-botnet-herders-and-voyeurs/
Re-branded IP cameras and DVRs sold by over 100 companies can be easily hacked, researchers say.
Tomi Engdahl says:
Leave no dark corner
http://mobile.abc.net.au/news/2018-09-18/china-social-credit-a-model-citizen-in-a-digital-dictatorship/10200278?pfmredir=sm
China is building a digital dictatorship to exert control over its 1.4 billion citizens. For some, “social credit” will bring privileges — for others, punishment.
Tomi Engdahl says:
First UEFI malware discovered in wild is laptop security software hijacked by Russians
https://arstechnica.com/information-technology/2018/10/first-uefi-malware-discovered-in-wild-is-laptop-security-software-hijacked-by-russians/
“LoJax” repurposed LoJack anti-theft agent as rootkit that could survive OS re-installs.
Tomi Engdahl says:
Intel’s commitment to making its stuff secure is called into question
Security is a process or at least an aspiration
https://www.theregister.co.uk/2018/10/08/intel_security_commitment/
Tomi Engdahl says:
What to Do and What to Avoid When Implementing Security in the DevOps Lifecycle
https://www.tripwire.com/state-of-security/devops/what-to-do-and-what-to-avoid-when-implementing-security-in-the-devops-lifecycle/
DevOps is redefining the way organizations handle software development. But it’s also challenging security professionals in their efforts to manage digital risk. With that said, there are security teams need to be strategic about how they approach DevOps security.
Traditional security cultures are always ready to say NO, fail to share information across the organization, and do not tolerate failure. This directly contradicts the DevOps culture, which creates a diverse working environment, empowers teams, enables collaboration and problem-solving, fails fast, and continuously improves. Building a successful DevSecOps program requires security teams to embrace this culture. Security must understand the engineering process and tools that enable DevOps teams to move quickly before contributing.
Many security teams fail because they do not understand the tools, jump in too quickly, and disrupt the engineering workflow.
Tomi Engdahl says:
Triangulating Beyond the Hack: Stolen Records Just One Tool in a Comprehensive Kit
https://www.securityweek.com/triangulating-beyond-hack-stolen-records-just-one-tool-comprehensive-kit
Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit
In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.
But these are not simpler times. In today’s world of sophisticated criminals, hacktivism, espionage and cyber warfare, threats can come from anywhere, and for a variety of more malevolent reasons than 10 or 15 years ago.
One of the most pressing security challenges is the way “hacks” are evolving to include more than just an intrusion to an IT system. Yes, hacking into protected information is still a critical concern. And we’re seeing more efforts to triangulate information from separate hacks to increase its value, as well as an evolution of how stolen information is used.
Tomi Engdahl says:
Tapping into Diversity to More Effectively Mitigate Digital Risk
https://www.securityweek.com/tapping-diversity-more-effectively-mitigate-digital-risk
This October marks the 15th year of National Cybersecurity Awareness Month (NCSAM). The initiative is described as “a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.” As security professionals, we recognize that to more effectively defend against adversaries we must work together and collaborate across groups. But if we don’t take advantage of our true collective strength by embracing diversity and inclusion, we’re compromising our efforts. Inventor of the World Wide Web, Tim Burners-Lee said, “We need diversity of thought in the world to face the new challenges.” How well are we tapping into diversity of thought in the field of cybersecurity?
Although it may feel like we’ve been beating the diversity drum for a long time, the truth is we still have a long way to go. New research from Cybersecurity Ventures finds that women make up 20 percent of the global cybersecurity workforce. While up from the 11 percent number that has been widely quoted for years, 20 percent is still a far cry from where it should be
Tomi Engdahl says:
Stop Saying Privacy Is Dead
https://medium.com/s/story/stop-saying-privacy-is-dead-513dda573071
Our lives are still rich in personal privacy — and we should fight to keep it that way
Tomi Engdahl says:
Many paths to a cyber career
You don’t need to code or hack or wear a hoodie for these jobs
https://www.raytheon.com/cyber/news/feature/many-paths-cyber-career?WT.mc_id=twitter_socialmedia_N/A&utm_source=twitter&utm_medium=organic&utm_campaign=N/A&linkId=57898000
Tomi Engdahl says:
Garrett M. Graff / Wired:
How US got China to scale back cyber espionage in 2015 by publicly charging Chinese hackers, arresting a spy in Canada, and taking a firm stance in negotiations
https://www.wired.com/story/us-china-cybertheft-su-bin/
Tomi Engdahl says:
We’re killing off passwords. But are we ready for what will replace them?
https://www.zdnet.com/article/were-killing-off-passwords-but-are-we-ready-for-what-will-replace-them/
Getting rid of passwords is a good idea, but we need to think through the consequences of the most likely replacement, too.
Tech security people hate passwords because resetting forgotten passwords is the most tedious job in the world, and also they know everybody else is terrible at password security anyway.
The rest of us don’t like passwords much either, mainly because the security people won’t let us use our old favourites like 1234 or pa55w0rd. And we don’t like having to remember complicated passwords, so we write them down on a piece of paper, and then lose it. And then we have to go and ask nicely for tech to reset the password. Again.
Nobody likes passwords. Apart from the hackers who find them, steal them or crack them with ease, that is. That’s because passwords are still the keys to the kingdom in many cases; once a crook has them, there is often little else to stop them doing what they want.
So what about the next step? Here smartphones are well ahead of the PC world, by using biometrics — fingerprints and facial recognition — as the standard way to log on. Something you have is replaced with something you are.
Microsoft has already outlined how it plans to kill off passwords in Windows 10 using a combination of multi-factor authentication and biometrics via Windows Hello, a service it says is being used by more than 47 million people.
Tomi Engdahl says:
Thieves and Geeks: Russian and Chinese Hacking Communities
https://www.recordedfuture.com/russian-chinese-hacking-communities/
Tomi Engdahl says:
Thieves and Geeks:
Russian and Chinese
Hacking Communities
https://go.recordedfuture.com/hubfs/reports/cta-2018-1010.pdf
Tomi Engdahl says:
Don’t Let Your Guard Down: The Challenges of Phishing
https://associationsnow.com/2018/10/dont-let-your-guard-down-the-challenges-of-phishing/
Even savvy tech users can get nailed by someone actively trying to trick them via a phishing email. What can you do to keep your association’s employees—and your organization’s data—safe?
Whether a fluke or by skill, I pulled off a pretty impressive trick last week. As of this writing, I am one of two people, out of hundreds, to have beaten an incredibly challenging game with flying colors.
Tomi Engdahl says:
Making it real—harnessing data gravity to build the next gen SOC
https://cloudblogs.microsoft.com/microsoftsecure/2018/10/15/making-it-real-harnessing-data-gravity-to-build-the-next-gen-soc/
In our first blog, Diana and I talked about the concept of data gravity and how it could, conceptually, help organizations take a more “cloud-ready” approach to security operations and monitoring. In this post we address the question: “How do we make this a reality in the security operations center (SOC) while we are under increased and constant pressure from motivated threat actors?”
The answer lies in a new approach to monitoring called Security Orchestration, Automation and Response (SOAR), which is founded upon addressing the challenge of connecting and investigating issues across multiple security platforms. SOAR addresses the challenges of evolving security operations beyond the traditional security information and event management (SIEM) model into one that allows correlation across all the data gravity wells. Core to this is being able to take an event from one system (for example an endpoint like a laptop) and in real-time correlate that across different systems—such as a mail hygiene gateway—in order to build evidence and apply context needed for a fast and efficient investigation. This is something that analysts have historically done manually to investigate an issue: look across multiple different evidence points to find the information behind an event to determine if it’s a false positive or if needs further investigation. Historically deciding what incidents need investigation was left to the SIEM model, but as we discussed in the last blog both the difficulties with false positives and the rules of data gravity make this more difficult to achieve.
Tomi Engdahl says:
Collection Strategies: The Key Differentiator Among Threat Intelligence Vendors
https://www.securityweek.com/collection-strategies-key-differentiator-among-threat-intelligence-vendors
The outcome of an intelligence operation depends largely on the data that fuels it. Even the most sophisticated operation will fail to produce intelligence of value if its data is not also of value. This concept highlights the biggest differentiator and most important factor to consider when choosing a threat intelligence vendor: data source coverage and, more specifically, collection strategy.
What types of sources comprise your collection strategy?
Most vendors’ collection strategies include Deep & Dark Web (DDW) and open web sources, but the manner in which these sources are often described to prospective customers can be confusing at best and misleading at worst. W
Sources can and should be described and categorized far more granularly than just DDW or open web. Within each of these broad categories exist numerous types of sources containing highly differentiated data that can make all the difference between a failed intelligence operation and a successful one. These sources generally include:
- Private or invite-only forums
- Chat services platforms
- Illicit marketplaces
- Payment card shops
- Paste sites
- Social media sites
Given that both DDW and open web sources tend to be poorly delineated in the market, it’s important to understand specifically what sources comprise a vendor’s collection strategy before you decide to become a customer.
Ask if the vendor has access to sources that map to your IRs, and if the answer is yes, dig deeper with follow-up questions such as:
- Which of your sources would be most suitable for my IRs and why?
- Should you lose access to those sources, are suitable backups available?
- What are some examples of how your collection strategy has supported customers with similar IRs?
- What are your collection strategy’s most substantial weakness or blind spots with respect to my IRs?
What role does automation play in your collection strategy?
Most vendors automate collection to some degree. But when automation plays too little or too large a role in a vendor’s collection strategy, it could signify a red flag. In general, sources that are easier to access are easier to collect data from automatically. Open web sources such as paste sites are a case in point; because these sites are openly, freely, and safely accessible to anyone with internet access, most vendors can and do collect data from them automatically.
Tomi Engdahl says:
Hiding in Plain Sight: The Dangers of Insider Threats
https://www.electronicdesign.com/automotive/hiding-plain-sight-dangers-insider-threats?Issue=ED-004_20181018_ED-004_428&sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=20751&utm_medium=email&elq2=97ac8ba2001c43ec9ffb14b96c211420
With news swirling in response to the Tesla breach in June, Varonis’ Brian Vecci offers four signs of insider threats to watch for at a company.
Today’s employees are increasingly tech-savvy. They can easily navigate a file server to find valuable files to copy. They’re also likely to use tools, such as personal cloud storage, that could be leveraged to steal critical information. Furthermore, employees often are less loyal to the companies they work for and may not see anything wrong with taking essential files.
Chances are, you wouldn’t be able to spot a malicious insider at your company.
You’ve got to look for signs that you’ve been compromised. Here are four signs to watch for:
“Ghosts” on your network: Ghosts are accounts belonging to former employees that can still access your network. Former employees, especially those who parted on bad terms, may try to log back into company systems, either out of curiosity or to do damage by copying or deleting files.
Unusual activity during “off” hours: While your employees may make a habit of working in the middle of the night, on weekends, and during holidays, if their work patterns suddenly change, you have every reason to be suspicious. An outsider could be posing as an insider by using an employee’s account to log in, or an insider could be snooping around on your file stores when no one is likely to be watching.
Suspicious file access: Searching for, viewing, or copying data that’s not relevant to an employee’s job are all signs of possible insider activity. Employees will try to avoid detection at all costs; they may grab a few files to copy or even delete them. Those who can access corporate email accounts for other employees and executives may try to cover their tracks by marking viewed messages as “unread.”
Saving or printing massive amounts of information: If an employee leaves your company, they may try to take their files with them—perhaps in the mistaken belief that if they did the work, it belongs to them. Alternatively, they could be looking to profit from selling insider information. If they begin taking files, they could also be intent on providing this data to a third party.
Know that it’s not always an insider at fault – an outside attacker can steal employee credentials. You must lock down your employee data, intellectual property, client lists, and other vital information you wouldn’t want walking out the door. Consider initiating policies prohibiting, for example, the use of personal email on work devices. Try to foster trust with your employees so that when they do click on a phishing attempt, they’re comfortable reporting it to IT immediately.
Tomi Engdahl says:
3 Public Cloud Security Myths Debunked
https://www.securityweek.com/3-public-cloud-security-myths-debunked
MYTH: “The public cloud is not safe.”
TRUTH: When public cloud technology was new, there were concerns that it did not provide the requisite levels of security to keep data safe. These concerns were valid as the technology was not yet proven; however, this is no longer the case. Cloud providers now have years of experience, dating back to the early 1990s when modern cloud computing was first introduced. Over the decades, they’ve fine-tuned data and application access, ensuring strong governance, rights management and systems monitoring.
While the focus for on-premise and cloud-based IT is the same – to ensure application availability and security – cloud providers are able to scale this approach across multiple businesses and geographies. This scale and experience means that public cloud solutions, as long as they are well-managed, can actually prove more secure and reliable than their on-premise counterparts.
MYTH: “The public cloud is easier to attack.”
TRUTH: Many enterprises think that embracing the public cloud is tantamount to placing all of their digital eggs in one basket. The concern here is that if the provider is attacked, all access to their data – and therefore the ability to conduct business – could be lost. In most cases, however, a successful attack requires there to be an unpatched vulnerability in order to gain access. As we know, keeping up-to-date with patches is one of the biggest challenges for any organization today.
A key benefit of the public cloud is that the provider takes the responsibility for patching and monitoring the network, as well as adding extra layers of security to separate internal network systems from externally accessible applications and data.
MYTH: “In the public cloud, anyone can access my data.”
TRUTH: One of the biggest concerns people have with public cloud is the worry that they will lose control if they entrust it with their data. By essentially relinquishing a stronghold on the data, there are understandable questions about how secure it could possibly be. However, one of the key benefits that SaaS providers grant is data privacy. In fact, I would go as far to say that data in public cloud is harder for the “wrong people” to access than on-premise data.
For example, public cloud data is protected by authentication controls, which are constantly monitored by the cloud provider. And remember, it’s not just your data they are monitoring, but it’s many other customers as well.
The bottom line
In the end, the biggest truth about security in public cloud is that it provides security at scale. As a single organization, everything you do is at a scale of one. You might learn from peers, monitor systems and patch and update applications, but there is no shared benefit to this approach. And, with the widely-documented shortage of skilled cybersecurity professionals available, it can be hard to keep up.
Tomi Engdahl says:
A History of Defense-in-Depth; and the Evolution of Data Sharing
https://www.securityweek.com/history-defense-depth-and-evolution-data-sharing
We need a new way to manage access to data. No, not because the “good guys” are losing to Advanced Persistent Threats, nation-state attackers, or whatever term we use to describe the cybersecurity boogey-man du jour. We need a new way to manage access to data because the old ways don’t work in the cloud. The cloud is not evil from a security standpoint, but cloud adoption has introduced two critical shifts to enterprise computing:
- An environment that is totally accessed and managed from anywhere in the world
- Empowering users to choose and administer IT solutions, also known as Shadow IT
e-Defense-in-Depth.com
In the late 90s, companies started exposing some infrastructure and data to the Internet as we put a lower case “e” in front of everything and sold dogfood online. We had cloud computing back then but we called it Application Service Providers or Managed Service Providers. ASPs and MSPs were niche and expensive. Most attacks came in the form of Worms – malware designed to spread itself and cause disruption instead of steal data. Sensitive data was still only available if you had a remote access account (e.g. Virtual Private Network) and only certain resources were available to users connected remotely.
Defense in Depth as a Service
Today, businesses of all sizes are and should be embracing cloud services. We can deploy software with the swipe of a credit card and no one needs to learn how to install, configure or administer it. Reputable cloud providers like Microsoft, Google, and Amazon have massive security budgets, top-notch security personnel, and a level of standardization that legacy businesses cannot achieve. Brilliant.
Otherwise put, we need proactive and automated checks and balances on cloud access management and information sharing. Accomplishing this requires a few basic steps.
1. Understand which cloud services users are accessing: This is sometimes called Cloud App Discovery and many companies, including Microsoft, offer it for free.
2. Understand what data is stored in those cloud services: You can do very basic data discovery using an Internet search engine and keywords, but you’ll need specialized data discovery software for anything more advanced or for data repositories that are not indexed.
3. Triage the data based on risk tolerance: Use the results from the data discovery to discuss which information is overly exposed based on your acceptance of risk.
4. Enforce boundaries: The security teams must define and enforce acceptable use of information so users are able to work efficiently provided they’re within the boundaries of enterprise policy.
Tomi Engdahl says:
Who’s Winning the Cybercrime Battle?
https://www.securityweek.com/whos-winning-cybercrime-battle
Although the U.S. Congress must have designated literally thousands of commemorative days, weeks and months, I’m a bit partial to this month’s designation, National Cybersecurity Awareness month, now in its 15th year. Although I tend to think quite a bit on this topic during the other 11 months as well, it does make me pause to reflect on how cybersecurity awareness has evolved over this time period, and contrast that with the evolution of cybersecurity effectiveness.
In terms of general awareness, I’d say the ongoing battle against cybercrime, once relegated to implausible Matthew Broderick movies, is today a mainstream topic and has woven its way globally into our every-day culture—as the subject of an upcoming new television series, at packed-house scam prevention seminars, and even as a subject for placard-waving flash mobs. My barber is eager for tips on web and email security.
Tomi Engdahl says:
Seven Security Activities You Should Automate
https://www.securityweek.com/seven-security-activities-you-should-automate
Below, I have suggested seven processes that should be automated in order to save valuable time during incident response and security investigation procedures, and help organizations improve their overall cybersecurity posture.
1. SIEM Escalation
2. Reputation Lookups
3. Risk Scoring
4. Blocking Users
5. Guided Investigations
6. Reporting Thresholds
7. Notifications and Task Assignments
Conclusion
Like any tool, automation should be implemented with careful consideration. It is true that it can bring value to just about any security team, but the amount of value will depend entirely on how well you match it to your most pressing needs, existing security infrastructure, and organizational procedures. This has been merely a sampling of the processes that can be automated, and with so much innovation currently happening in the industry, it’s worth taking some time to think about what other automated processes also provide you with value.
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/nailla-tempuilla-lannistuu-sinnikkainkin-hakkeri-ohjaa-lopulta-vaikka-usa-n-puolustushallinnon-kimppuun-6746155
https://www.tivi.fi/Kaikki_uutiset/haaste-hyvaksytty-kansanedustaja-uskoo-it-jarjestelman-torjuvan-hakkerointiyritykset-hakkerit-vastasivat-6737846
Tomi Engdahl says:
The Enduring Password Conundrum
https://www.securityweek.com/enduring-password-conundrum
Earlier this month, the State of California made headlines by passing legislation that will require hardware manufacturers to implement unique hardcoded passwords for every connected device they produce and force users to change it upon first use. The bill, which takes effect in January 2020, renewed the debate surrounding our continued reliance on passwords as the primary method for access control and authentication.
Since the introduction of username and password authentication, the threatscape has changed dramatically. Today’s infrastructures are borderless, sensitive data often resides in the cloud, and workers are accessing enterprise resources from anywhere and everywhere. This evolution has made many legacy controls obsolete, particularly passwords, whose effectiveness has been questioned for years.
Since 81 percent of hacking-related breaches leverage either stolen, default, or weak passwords, the California ban on default passwords for connected devices (a.k.a. Internet of Things) is a step in the right direction. Eliminating the same easy-to-guess password from millions of devices will remove a common attack vector and reduce the risk of Denial of Service attacks, spam campaigns, and other malicious assaults that exploit hijacked devices. However, the use of weak default passwords extends beyond connected devices. As a result, this legislation is only addressing a small subset of use cases.
Tomi Engdahl says:
Overcoming Common SD-WAN Security Mistakes
https://www.securityweek.com/overcoming-common-sd-wan-security-mistakes
Digital transformation is about much more than moving workflows to the cloud and adopting IoT. It is about retooling the entire network to make it faster, more efficient, much more flexible, and cost-effective. Which means it also includes things like agile software and application development, rethinking access and onboarding, and creating dynamic and adaptable network environments.
Top of the list for many organizations is the adoption of SD-WAN, which extends the advantages of digital transformation to branch offices. It provides them with instant access to distributed resources, whether they are located in a central data center, in a multi-cloud deployment, or somewhere else across the connected network. And it does this without the rigid implementation requirements and expensive overhead of traditional MPLS connections.
Common SD-WAN Security Mistakes
The challenge is that SD-WAN is often adopted with only a cursory consideration of security. SD-WAN projects tend to be driven by the networking team, and a lot of organizations get so swept up in the cost-saving benefits of SD-WAN that they completely forget about security.
Tomi Engdahl says:
From Voting to Security Operations, 5 Considerations for Better Decision Making
https://www.securityweek.com/voting-security-operations-5-considerations-better-decision-making
Tomi Engdahl says:
Whack-A-Mole: The Impact of Threat Intelligence on Adversaries
https://threatvector.cylance.com/en_us/home/whack-a-mole-the-impact-of-threat-intelligence-on-adversaries.html
Tomi Engdahl says:
Open-Source Phishing Framework
https://getgophish.com
Gophish is a powerful, open-source phishing framework that makes it easy to test your organization’s exposure to phishing.
Tomi Engdahl says:
Pineapple Pi Is the Portable Hacking Station You Need
https://blog.hackster.io/pineapple-pi-is-the-portable-hacking-station-you-need-8b14c2550c54
Tomi Engdahl says:
Cybersecurity Needs Women: Here’s Why
https://www.forbes.com/sites/laurencebradford/2018/10/18/cybersecurity-needs-women-heres-why/#33e4a9ef47e8
October is Cybersecurity Awareness Month, and there’s no better time for women to start gaining and leveraging that awareness. Because of the massive shortage of cybersecurity professionals today, it’s more critical than ever for historically underrepresented demographics to help fill the need.
According to Cybersecurity Ventures, there will be up to 3.5 million job openings by 2021. Meanwhile, women make up only 20% of the cybersecurity workforce.
Tomi Engdahl says:
How the cloud has made you more secure
https://www.infoworld.com/article/3316637/cloud-security/how-the-cloud-has-made-you-more-secure.html
While many still believe that the cloud is less secure, the reality is that your data is safer now due to the cloud—and the cloud has changed the security game for all types of systems
Wow, we are near to having 20 percent of our enterprise workloads in the cloud and the world has not collapsed around us—despite such predictions even just three years ago.
One of the big fears was over security. But your information is actually safer in the cloud than it is in your own data center. At work are three factors.
1. Cloud providers have invested substantially in security
The industry is spending as much as 75 percent of its R&D dollars on cloud-based security systems.
2. AI is making security smarter—and more scalable
The use of AI with security, which is mostly driven by the cloud, has given cloud security an upper hand in finding and eliminating vulnerabilities—and getting automatically smarter while doing it.
3. The costs of security have come down
Cloud providers have pushed down security costs. The on-demand model promoted by public cloud providers is almost always cheaper than traditional enterprise software licenses.
The cloud has made you more secure
Who would have thought this would be the case?—that the “evil and scary cloud” that was supposed to make your data more vulnerable has actually made data more secure, and likely to be even more secure in the near future.
Tomi Engdahl says:
Communication is Broken Between CISOs and the Rest of the Business
https://www.securityweek.com/communication-broken-between-cisos-and-rest-business
In a recent survey of business communication by the well-known audit and consulting firm PwC, board directors were asked to rate the quality of presentations they receive from senior managers. CISOs ranked at the bottom of the list with just 19% of CISO presentations being rated as “excellent.”
Ask a CISO for a reaction, and you might get this: “The problem is the C-suite and the board just don’t understand technology.” Continuing with, “I showed them the stats on our patching cadence, CVSS score and NIST CSF maturity rating and they just looked at me blankly.”
Time was, the rest of the business might have bought into the idea IT security was unique among business functions, with processes, standards and language too technical to be understood by ordinary business folk. Cybersecurity management is technical, the thinking went, therefore the results could only be expressed in technical language, too.
Questions like:
CFO: “How much cyber risk do we have? Are we spending too much or too little?”
Audit: “Did you fix the high priority issues?”
CIO: “Are we spending our cybersecurity budget on the right things? What’s the ROI?”
Board/CEO: “We don’t want to be the next news headline. Are we secure?”
Now, the tables have turned: It’s the CISO who faces a vocabulary test at every senior-level meeting. Forward-looking infosec leaders are realizing they need to align themselves with the way the rest of the business thinks or fall into irrelevance.
That means a shift in how CISOs understand cybersecurity risk. Factor Analysis of Information Risk (FAIR), an international standard model for quantifying cyber risk in financial terms, provides a pragmatic way to approach the problem.
According to FAIR, a risk always involves a “loss event” – in other words, the probability that some threat actor, e.g. a cyber criminal, uses some technique, e.g. use of stolen user credentials, that results an adverse effect, e.g. a data breach, causing a form of financial loss within a certain timeframe.
So, a risk is not a vulnerability, ransomware, the cloud or Fancy Bear, but rather they might be factors that contribute to risk.
It’s an exercise in critical thinking that clears away a lot of the mental brush for CISOs that mix up communication. With a focus on loss events, infosec leaders can start analysis of probable occurrence and probable impact of cybersecurity incidents, based on internal or industry data, and frame the conversation truly around risk, much as other business units can discuss market, financial, operational or enterprise risk. As in other risk management disciplines, cyber risk can be estimated as a range of probable financial outcomes, not “8 on a scale of 10” or “yellow but not as bad as red.”
Tomi Engdahl says:
Ransomware and the enterprise: A new white paper
https://www.welivesecurity.com/2018/10/29/ransomware-enterprise-new-white-paper/
Ransomware remains a serious threat and this new white paper explains what enterprises need to know, and do, to reduce risk
Throughout 2018 criminals have continued to target large organizations with ransomware. Today we introduce a new white paper that explains why ransomware is still a serious threat to your organization – regardless of size – and what can be done to reduce exposure to, and damage from, ransomware attacks.
The paper focuses on three particularly dangerous ransomware attack vectors: remote access, email, and supply chain. The paper is intended to help CEOs, CIOs, CISOs, and enterprise risk managers
Tomi Engdahl says:
Strengthening Industry Collaboration Through the Charter of Trust for a Secure Digital World
https://securityintelligence.com/strengthening-industry-collaboration-through-the-charter-of-trust-for-a-secure-digital-world/
Cybersecurity awareness month wraps up this week in Europe and the U.S., and it’s the perfect time to reiterate that digital transformation will only succeed if people and organizations can rely on the security of data and connected systems. Digitization and cybersecurity must progress in close association.
Security providers are responsible not only for innovating and implementing solutions, but also for building digital trust. Earlier this year, we saw the start of an initiative with great potential to make our digital world more secure and increase trust. This Charter of Trust brings together companies and players from a variety of industries to work with governments to “establish a reliable basis upon which confidence in a networked, digital world can take root and grow.”
Tomi Engdahl says:
Ten simple ways to get your staff interested in cyber security
https://www.itproportal.com/features/ten-simple-ways-to-get-your-staff-interested-in-cyber-security/
For the most part, it’s about tapping into human psychology, and the ways that people like to learn.
A crucial part of any cyber security strategy must be to focus on the human aspect – on developing security awareness, behaviour, and culture within the organisation. But improvements to all of these things depend on one major prerequisite: human interest. It may seem obvious, but it’s not something most businesses tend to think about when they attempt to train their staff.
Some organisations choose to give staff balky training manuals. Unsurprisingly, most staff aren’t interested enough to read beyond the first page. Even if people are somehow engaged enough to read through all of the company’s guidelines and advice, this rarely translates into improvements in cyber security behaviour. It’s one thing to read information; it’s another thing entirely to be able to act on that information.
1. Use a story
Stanford University research suggests that stories are up to 22 times more memorable than facts alone.
2. Keep things updated
Once upon a time, paying attention to the new and unusual things helped us escape threats – which is why we’re now hardwired to pay attention to anything new.
3. Use multimedia
Research shows very clearly that visual information and multimedia help in the learning processes; videos are processed up to 60,000 times faster than text, easing cognitive strain and ensuring messages sink in.
4. Avoid the complex
Somewhat tragically, we humans seem coded to avoid cognitive mental strain. It’s why we frequently prefer video to text (see above) and why pension enrolment rates in “opt-out” countries vastly outstrip enrolment rates in “opt-in” countries. We’re coded to avoid exertion.
The complex topic of cyber security might seem like it requires complex training, but simple, intuitive training will almost certainly be more effective than anything requiring increased effort.
5. Integrate cyber security with the everyday
Humans are reliant on what psychologists call schema to guide our behaviour in any given situation
Schema are why people tend to pay attention to cyber security during cyber security training classes but drop their guard the moment training ends. By customising training to embed elements of the day job into training itself, it’s possible to modify the existing workplace schema your people have.
6. Simulate attacks
Simulating cyber-attacks is perhaps the most direct way to increase engagement in cyber security training. They’re unignorable, they demand a reaction, and they provide valuable clues as to what areas of the business are at risk.
Nevertheless, metrics should be treated with care. While susceptibility rates can be useful for visualising the effectiveness of training, it has the potential to be misleading. All simulations differ
7. Develop a culture based on trust rather than surveillance
A security breach shouldn’t be an excuse to increase monitoring on staff. Simply accept what has happened and regard the breach as an opportunity to learn.
8. Educate people on threats at home
With remote working becoming such a popular option nowadays, people should understand the importance of cyber hygiene not just in the workplace, but also at home.
9. Use blended learning
Blended learning styles use multiple learning techniques to ensure individuals can tailor their learning to their specific needs.
10. Involve everyone
Another fundamental trait of the human psyche is our desire to belong to a group of some shape or form – which explains phenomena such as peer pressure, Groupthink and football hooliganism.
In the context of cyber security, it’s important to properly train your entire organisation on cyber security.
Tomi Engdahl says:
https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
Tomi Engdahl says:
Why a Dog Bite is a Lesson in Handling Cyberattacks
https://www.securityweek.com/why-dog-bite-lesson-handling-cyberattacks
Like dog bites, the negative impact of cyber incidents can go from bad to worse quickly—and the first 48 hours are critical. Here are four areas to consider when attacks occur:
Assess the scope and scale of the impact: Discovering a cyber incident can be a challenging time for any company but calling on a seasoned incident response (IR) team can help. Typically, an IR team would begin an engagement with a scoping or triage call to get a better understanding of what’s happened.
Plan and act to limit damage: Following an initial assessment, the IR team (often, a primary IR investigator and a support investigator) would meet with a system administrator, IT manager, or a member of the C-suite to define objectives for the first 24, 48, 72 hours, and the longer term.
The IR team’s efforts generally focus on the basics—getting critical systems up and running, restoring normal operations, expelling the attacker.
Be aware of the big picture: A common mistake many organizations make is trying to respond to an incident without first understanding its full scope. Too often, initial steps to block an attacker or “contain” an incident can backfire and give attackers the advantage. For example, if an attacker senses an intervention, he could easily embed deeper into the environment and become harder to track and stop.
Expect the unexpected: Every company, environment, and incident is different. Some companies will have a more mature cybersecurity model and better understanding of their environment, making the IR team’s job easier, while others will need a lot of help to navigate the crisis.
Tomi Engdahl says:
Public Hacking Tools: Day in the Sun
https://threatvector.cylance.com/en_us/home/public-hacking-tools-day-in-the-sun.html
The old saying goes, “For every job, there is a tool.” In targeted cyber operations, the tools are often custom-designed for the specific job they’re doing. For example, Stuxnet zeroed in on a specific product made by a specific manufacturer as used in a specific country during a specific time period.
These tools are often devastating because they are tailored for the exact target at which they are aimed, and they have often taken into consideration the target’s defensive posture in order to neutralize it. But a new report by the UK’s National Cyber Security Centre (NCSC) draws attention to almost the opposite problem – the danger posed by a proliferation of generic, publicly available hacking tools that threat actors of all skill levels can, and indeed are, using with increased frequency and success.
The trend in the increased use of public tools is one we have noticed and are following at Cylance. In this blog post, we’ll take a look at the five tools identified by the Five Eyes and offer some commentary from the NCSC’s Report.
Tomi Engdahl says:
30 years ago, the world’s first cyberattack set the stage for modern cybersecurity challenges
https://www.cyberscoop.com/morris-worm-mirai-scott-shackelford-indiana-university/
Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.
The program worked well – too well, in fact.
Tomi Engdahl says:
I know what you’re thinking: Outsource or in-source IT security? I’ve worked both sides, so here’s my advice…
The pros and cons of using internal and external talent, or a mix of both
https://www.theregister.co.uk/2018/11/02/cyber_security_sourcing/
Comment You’re a small or mid-sized business and have a growing sense of unease that you aren’t doing enough on cyber security. Must be all those headlines about ransomware infections and databases ransacked. Or – perhaps – you’re experiencing an upsurge in phishing attempts.
Congratulations – you’ve woken up to something that a surprising number of companies haven’t. But now you’ve patted yourself on the back, the big question is: what’s next?
SMBs spent on average 27 per cent more on security in 2017 than the year before
The average SMB probably can’t afford what one might call a “proper” CISO to direct their security strategy. By that I mean someone with extensive experience, and typically formal qualifications, such as Certified Information Systems Security Professional and Certified Information Security Manager. CISOs can command six-figure salaries with an average in the range of £85,497 with “regular” staff starting above the national average.
Security professionals are expensive because they’re in short supply. They have always been difficult to find, but the shortage is getting progressively worse according to ESG Research
It’s therefore pretty certain that you’ll need to use third-party help at some point.
ESG Research Suggests Cybersecurity Skills Shortage Is Getting Worse
https://www.esg-global.com/blog/esg-research-suggests-cybersecurity-skills-shortage-is-getting-worse
Smart CISOs are doing their best to cope with this situation by:
Consolidating and integrating security technologies. This includes building an integrated security operations and analytics platform architecture (SOAPA) that lets them manage and utilize security technology holistically rather than on a tool-by-tool basis.
Moving toward technologies with advanced analytics. Think of AI and machine learning as a helper application that can accelerate security processes and make the staff more productive.
Automating and orchestrating processes. Cybersecurity grew up with a reliance on manual processes but these processes can no longer scale to meet growing demands. As a result, security automation/orchestration has become a top priority for many organizations.
Taking a portfolio management approach to security. CISOs are taking stock of their people, skills, and limitations, and managing accordingly. How? Using cloud computing, SaaS offerings, and managed security services to cut costs, simplify security infrastructure, or delegate specific security controls and operations to 3rd
Investing in their people. Experienced infosec pros can change jobs at will and greatly increase their compensation in the process. To safeguard against massive attrition, CISOs are increasing staff compensation, investing in career development, mentoring, and training, providing opportunities for the staff to get involved in security research, and encouraging cybersecurity staff members to network with others through professional organizations like ISSA and others.
Tomi Engdahl says:
Understanding the art of phishing
https://www.itproportal.com/features/understanding-the-art-of-phishing/
The goal is to trick the recipient into believing the email is genuine, with the intention of getting the target to either download malware, or hand over personal information.
Tomi Engdahl says:
To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors
https://www.thirdway.org/report/to-catch-a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-and-punish-malicious-cyber-actors
We are pleased to present our foundational paper of the Cyber Enforcement Initiative. In this paper, we define the problem and establish areas for future policy solutions. For those who would prefer, we have provided a PDF link for the full report.
Tomi Engdahl says:
Addressing the 3 Million Person Cybersecurity Workforce Gap
https://www.securityweek.com/addressing-3-million-cybersecurity-workforce-gap
The Biggest Problem is Not in Measuring the Accuracy of the Cybersecurity Skills/Workforce Gap, But in Finding a Way to Close It
(ISC)2′s Cybersecurity Workforce Study 2018 claims that cybersecurity professionals are focusing on developing new skills as the workforce gap widens. According to the recently released report, that gap now stands at more than 2.9 million workers globally — with 2.14 million cybersecurity staff required in the Asia-Pacific region, and almost half a million required in North America.
The figures come from what (ISC)2 calls a ‘more holistic approach to measuring the gap’. Rather than simply subtracting supply from demand, this new calculation “takes other critical factors into consideration, including the percentage of organizations with open positions and the estimated growth of companies of different sizes.”
Whether this makes it any more scientific than other attempts to measure the cybersecurity workforce and skills gap is still questionable. (ISC)2 questioned 1,500 people around the world working on security. It therefore has its own built-in bias
Despite these concerns, the figures generated (PDF) are interesting. Fifty-nine percent of respondents claim their organization is at extreme or moderate risk due to a cybersecurity staff shortage.
https://www.isc2.org/-/media/ISC2/Research/2018-ISC2-Cybersecurity-Workforce-Study.ashx
Tomi Engdahl says:
Cyber-Attacks: How to Stop a Multibillion-Dollar Problem
https://blog.trendmicro.com/cyber-attacks-how-to-stop-a-multibillion-dollar-problem/
Tomi Engdahl says:
Companies implementing DevSecOps address vulnerabilities faster than others
https://www.helpnetsecurity.com/2018/11/05/implementing-devsecops/
A new study from CA Veracode includes promising signs that DevSecOps is facilitating better security and efficiency, and provides the industry with the company’s first look at flaw persistence analysis, which measures the longevity of flaws after first discovery.
The state of software security is improving
In every industry, organizations are dealing with a massive volume of open flaws to address, and they are showing improvement in taking action against what they find. According to the report, 69 percent of flaws discovered were closed through remediation or mitigation, an increase of nearly 12 percent since the previous report. This shows organizations are gaining prowess in closing newly discovered vulnerabilities, which hackers often seek to exploit.
Despite this progress, the new SOSS report also shows that the number of vulnerable apps remains staggeringly high, and open source components continue to present significant risks to businesses. More than 85 percent of all applications contain at least one vulnerability following the first scan, and more than 13 percent of applications contain at least one very high severity flaw.
Tomi Engdahl says:
Cyber-crooks think small biz is easy prey. Here’s a simple checklist to avoid becoming an easy victim
Make sure you’re spending your hard-earned cash on the ‘right’ IT security
https://www.theregister.co.uk/2018/11/05/right_cyber_security/
Tomi Engdahl says:
U.S. Government Publishes New Insider Threat Program Maturity Framework
https://www.securityweek.com/us-government-publishes-new-insider-threat-program-maturity-framework
National Insider Threat Task Force (NITTF) Releases New Insider Threat Program Maturity Framework
Some 18 months after WikiLeaks began to publish the Iraq War Logs exfiltrated by Chelsea Manning (at that time, Bradley Manning), President Obama issued a Presidential Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Memorandum for the Heads of Executive Departments and Agencies.
“The resulting insider threat capabilities,” it said, “will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security.”
Tomi Engdahl says:
Top 5 most notorious cyberattacks
https://www.kaspersky.com/blog/five-most-notorious-cyberattacks/24506/
WannaCry: A real epidemic
NotPetya/ExPetr: The costliest cyberattack to date
Stuxnet: A smoking cybergun
DarkHotel: Spies in suite rooms
Mirai: The fall of the Internet
Tomi Engdahl says:
Silent No More: Mobile Roamers Spur a Security Evolution
https://researchcenter.paloaltonetworks.com/2018/11/sp-silent-no-mobile-roamers-spur-security-evolution/
Were you a “silent roamer”?
If you used to travel internationally, turned off your cellular radio while searching desperately for an internet available café with Wi-Fi or purchased an in-country SIM, then you were a “silent roamer.” Today, with premium roaming charges significantly diminished by global mobile network operators, mobile subscribers don’t have to fear “bill shock,” change their usage patterns or avoid accessing their favorite services. International roaming has become part of the seamless mobile experience.
For mobile network operators, however, this step change in roaming has caused considerable change and exposed new vulnerabilities. Many network operators are still adjusting to the shift and are now re-examining security on the roaming network. Roaming traffic volumes, devices, and partners have all increased – exposing a broader attack surface for malicious actors and increasing the likelihood of unintentional events impacting network availability.
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/kyberhyokkays-voi-yllattaa-aina-tarvitaan-saannollisia-harjoituksia-6748345
Tomi Engdahl says:
Simpler, Smarter Security With Intelligent Orchestration
https://securityintelligence.com/simpler-smarter-security-with-intelligent-orchestration/?cm_mmc=PSocial_Facebook-_-Security_Resilient-_-WW_EP-_-25767399_Tracking%20Pixel&cm_mmca1=000024FH&cm_mmca2=10008742&cm_mmca4=25767399&cm_mmca5=54104136&cm_mmca6=959359dc-b23c-4009-b3b0-81f3824c183a&cvosrc=social%20network%20paid.facebook.Learn%20Engagement%20LP%20StaticLinkAd%20%20%20%20%20Lookalike%20%20%20%20%20Intelligent%20Orchestration_Prospecting_DesktopMobileTablet_1X1&cvo_campaign=000024FH&cvo_pid=25767399
Cyberattacks are growing more frequent, sophisticated and damaging, and organizations have invested hundreds of billions of dollars into arming themselves to fight back. This has led to new challenges, since today’s complex security environments and processes — or lack thereof — often hinder timely and effective response to attacks.
Today, the average organization deploys 75 security tools in its network.
We have seen the impact of these challenges with many recent high-profile data breaches. The initial attack is almost always detected by one or more of the dozens of security products deployed. In most cases, however, there are no mechanisms for prioritizing, channeling and triaging alerts, opening an incident response (IR) playbook and addressing the issue in near real time.