Cyber security trends for 2018

The year 2017 was a bad cybersecurity year, and cybersecurity dangers are expected to spike in 2018. The security situation was so bad in 2017 that some thought we were hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed; it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.

Here is a list of relevant cyber security terms for 2018:

AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. AI solutions could possibly help with some of the security problems, but be warned of the over-hyping of AI in solutions. We will see many attacks against ‘black box’ machine learning.

Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: Endpoint, AV, Cloud, Network/Infrastructure, Application, Compliance, and the list goes on and on. While the overwhelming array of choices has given technologists a lot to evaluate, it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.

Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

Automation: Enterprises will now no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises.

Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.
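The last sentence above is the one most often skipped in practice, so here is a small restore drill added for this post (it is not code from the original text): it backs up a constructed sample directory to a tarball, records a SHA-256 manifest at backup time, restores into a fresh directory, compares every restored file against the manifest, and then shows that a damaged restored file is reported rather than silently accepted. The sample data, paths and the helper names (`restore_drill`, `verify_restore`) are all made up for the example.

```python
import hashlib
import os
import pathlib
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return the manifest taken at backup time."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest


def restore_backup(archive_path, dest_dir):
    """Extract the archive into dest_dir, using tarfile's 'data' filter where Python offers it."""
    with tarfile.open(archive_path, "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, **kwargs)


def verify_restore(dest_dir, manifest):
    """Compare a restored tree against the backup-time manifest; an empty list means a clean restore."""
    restored = build_manifest(dest_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(("missing", rel))
        elif restored[rel] != digest:
            problems.append(("corrupt", rel))
    for rel in restored:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return problems


def make_sample_data(root):
    """Constructed sample data standing in for a real data directory."""
    os.makedirs(os.path.join(root, "db"))
    with open(os.path.join(root, "db", "customers.csv"), "w") as fh:
        fh.write("id,name\n1,alice\n2,bob\n")
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("[app]\nmode=prod\n")


def restore_drill():
    """Back up, restore to a fresh directory, verify, then show that a damaged restore is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        make_sample_data(src)
        archive = os.path.join(tmp, "backup.tar.gz")
        manifest = create_backup(src, archive)

        dest = os.path.join(tmp, "restore")
        os.makedirs(dest)
        restore_backup(archive, dest)
        clean_result = verify_restore(dest, manifest)

        # Simulate an altered file in the restored tree (bad disk, partial restore, ...).
        with open(os.path.join(dest, "db", "customers.csv"), "ab") as fh:
            fh.write(b"garbage")
        damaged_result = verify_restore(dest, manifest)
    return clean_result, damaged_result


if __name__ == "__main__":
    print(restore_drill())
```

The manifest is what makes the drill meaningful: comparing a restore only against the archive would pass even if the archive itself had been written from already-corrupted data, whereas the manifest is taken from the live files at backup time and should be stored separately from the archive.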

Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.

Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as a looming security risk and some see that authorized browser mining could be used for micro-payments.
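To make "linked and secured using cryptography" concrete, here is an added example (written for this post, not code from any blockchain project) of the minimal hash chain behind that description: each block stores the SHA-256 digest of the previous block's header, so editing one record invalidates that block, and re-hashing the edited block only moves the break to the next one. Timestamps are fixed integers so the output is reproducible; the transaction strings are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block links to an all-zero digest


@dataclass
class Block:
    index: int
    timestamp: int       # fixed integers here so the chain is reproducible; a real chain uses wall-clock time
    data: str
    prev_hash: str
    digest: str = ""


def block_digest(block):
    """Hash the block header fields (everything except the stored digest itself)."""
    header = {"index": block.index, "timestamp": block.timestamp,
              "data": block.data, "prev_hash": block.prev_hash}
    encoded = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def build_chain(records):
    """Append one block per record, each linked to the digest of the block before it."""
    chain = []
    prev = GENESIS_PREV
    for i, record in enumerate(records):
        block = Block(index=i, timestamp=1_514_764_800 + i, data=record, prev_hash=prev)
        block.digest = block_digest(block)
        chain.append(block)
        prev = block.digest
    return chain


def verify_chain(chain):
    """Return (True, -1) if the chain is intact, else (False, index of the first inconsistent block)."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or block.digest != block_digest(block):
            return False, block.index
        prev = block.digest
    return True, -1


def tamper_demo():
    """Alter a block, then re-hash it: the break just moves to the next block's prev_hash."""
    chain = build_chain(["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"])
    intact = verify_chain(chain)
    chain[1].data = "bob pays carol 200"        # the edit invalidates block 1's own digest
    after_edit = verify_chain(chain)
    chain[1].digest = block_digest(chain[1])     # fixing block 1 exposes the mismatch in block 2
    after_rehash = verify_chain(chain)
    return intact, after_edit, after_rehash
```

What the chain alone does not give you is any reason to trust which copy of it is authoritative: an attacker who can rewrite every later block can rebuild a consistent chain, which is why real systems add proof-of-work or a consensus protocol on top of this structure.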

Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.

Certificates: Facebook released new Certificate Transparency tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool helps ensure that newly issued certificates that have been logged to Certificate Transparency logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks. With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.

Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet oftentimes cloud security is still thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.

Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”

GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018’s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018 – at which time organizations in non-compliance will face heavy fines (a fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of the data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller will be under a legal obligation to notify the Supervisory Authority without undue delay on issues like data breaches. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take the GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.

Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.

HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.

HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

HTTPS: In HTTPS, the World Wide Web’s HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.
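The two browser warnings described under HTTP and HTTPS above (a password field on a page served over plain HTTP, and a form that submits to an `http://` URL) are easy to check for yourself before the browser does it for your users. The following auditor is an added example written for this post, not browser code or code from any cited source; it uses only the standard library, and the sample markup and hostnames (`shop.example`, `legacy.example`) are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect the two conditions browsers warn about: password fields on a non-HTTPS page,
    and forms whose resolved submission target is a plain-HTTP URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self.findings = []        # (finding kind, URL) pairs in document order

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "form":
            # A missing or relative action resolves against the page URL, so it inherits the page scheme.
            action = urljoin(self.page_url, attrs.get("action", ""))
            if urlsplit(action).scheme.lower() == "http":
                self.findings.append(("form-submits-over-http", action))
        elif tag == "input" and attrs.get("type", "text").lower() == "password":
            if self.page_scheme != "https":
                self.findings.append(("password-field-on-http-page", self.page_url))


def audit_page(page_url, html):
    """Run the auditor over one page's markup and return its findings."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample markup (not taken from any real site).
LOGIN_FORM = '<form action="/login"><input name="user"><input type="password" name="pw"></form>'
MIXED_FORM = '<form action="http://legacy.example/auth"><input type="password" name="pw"></form>'


if __name__ == "__main__":
    for url, markup in [("http://shop.example/login", LOGIN_FORM),
                        ("https://shop.example/login", LOGIN_FORM),
                        ("https://shop.example/login", MIXED_FORM)]:
        print(url, audit_page(url, markup))
```

The third sample is the case that an "is my site on HTTPS?" check misses: the page itself is served securely, but the credentials are posted to a legacy HTTP endpoint, so they still cross the network in the clear.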

ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.

Identify: When you have an inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.

IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is in any way dying. It seems that both of those technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default – so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work that way or not).

Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
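The IPv6 and Inventory entries above meet in one practical check: hosts that are dual-stacked by default may be reachable over IPv6 while only their IPv4 side has a firewall policy. The script below is an added example written for this post (not from any cited source) that classifies each host in a constructed inventory as IPv4-only, IPv6-only or dual-stack and lists the IPv6 addresses on hosts that have no IPv6 policy recorded. Addresses come from the documentation ranges, the hostnames and the `IPV6_POLICY_HOSTS` set are made up, and a real version would read both from your CMDB or scan output.

```python
import ipaddress

# Constructed inventory: hostname -> addresses seen on its interfaces (documentation ranges, not real hosts).
INVENTORY = {
    "web01":  ["203.0.113.10", "2001:db8:1::10"],
    "db01":   ["10.0.0.5", "fe80::1"],        # only a link-local IPv6 address, but IPv6 is still enabled
    "legacy": ["10.0.0.7"],
    "edge":   ["2001:db8:2::1"],
}

# Hosts for which an IPv6 firewall policy has actually been written (constructed).
IPV6_POLICY_HOSTS = {"web01"}


def stack_kind(addresses):
    """Classify a host as ipv4-only, ipv6-only or dual-stack from its addresses."""
    versions = {ipaddress.ip_address(a).version for a in addresses}
    if versions == {4, 6}:
        return "dual-stack"
    return "ipv6-only" if versions == {6} else "ipv4-only"


def summarize(inventory):
    """Stack kind per host, so the share of IPv6-enabled hosts is visible at a glance."""
    return {host: stack_kind(addrs) for host, addrs in inventory.items()}


def unmanaged_ipv6(inventory, policy_hosts):
    """List IPv6 addresses on hosts that have no IPv6 policy, with the address scope.

    Link-local addresses are still worth reporting: they show IPv6 is enabled on the host,
    and a router advertisement on that segment is enough to give it a routable address later.
    """
    findings = []
    for host, addresses in inventory.items():
        if host in policy_hosts:
            continue
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            if ip.version != 6:
                continue
            scope = "link-local" if ip.is_link_local else "unicast"
            findings.append((host, addr, scope))
    return findings


if __name__ == "__main__":
    print(summarize(INVENTORY))
    for host, addr, scope in unmanaged_ipv6(INVENTORY, IPV6_POLICY_HOSTS):
        print(f"{host}: {addr} ({scope}) has no IPv6 policy")
```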

Integrate: Many gaps in security are due to an inability for disparate technologies to share information. Integration is key to making sure you get the most from your technology investments.

IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT security starts with liability for companies, not just legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT systems should address security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The race for a universal IoT security standard seems to be on, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.

Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.

Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai makers pleaded guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.

Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.

Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. And they need to be fixed. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

PSD2: The EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.

Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.

Responsibility: People are starting to call on companies to take responsibility. The EU’s General Data Protection Regulation (GDPR) is being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some people say it’s time for innovators to take responsibility for their creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives – where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities is part of that responsibility too.

Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, the technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The best security doesn’t exclude users, it empowers them.

Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.

Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?

Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. For many attempts the goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.

Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.

Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run – many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities is part of the picture as well.
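The Patching and Vulnerability entries both describe Gartner's threat-centric model without saying what the ordering looks like in practice, so here is one way to express it, as an added example written for this post (it is not Gartner's method or any scanner's built-in logic). A finding is ranked first by whether it is being exploited in the wild, then by whether the asset is internet-facing, then by severity, and last by how long a fix has been available; the sample findings, asset names and `VULN-*` identifiers are constructed placeholders, not real CVE numbers. With 200,000 findings the point is not the sort itself but that the first two keys come from threat intelligence and inventory data, not from the scanner's CVSS score.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str           # placeholder identifiers, not real CVE numbers
    cvss: float
    exploited_in_wild: bool
    internet_facing: bool
    age_days: int          # days since a fix has been publicly available


def threat_rank(finding):
    """Sort key for a threat-centric order: active exploitation first, then exposure,
    then severity, then how long the fix has been waiting.  Python sorts tuples
    element by element, so each key only matters when the earlier ones tie."""
    return (not finding.exploited_in_wild,
            not finding.internet_facing,
            -finding.cvss,
            -finding.age_days)


def prioritize(findings):
    """Return the findings in remediation order."""
    return sorted(findings, key=threat_rank)


def stale_findings(findings, days=365):
    """Findings whose fix has been available for at least `days`: the class Gartner
    says accounts for almost all exploited vulnerabilities."""
    return [f for f in findings if f.age_days >= days]


# Constructed sample scanner output.
SAMPLE = [
    Finding("intranet-wiki", "VULN-A", 9.8, False, False, 30),
    Finding("public-web",    "VULN-B", 7.5, True,  True,  400),
    Finding("public-web",    "VULN-C", 5.3, False, True,  12),
    Finding("build-server",  "VULN-D", 8.1, True,  False, 90),
    Finding("file-share",    "VULN-E", 6.5, False, False, 700),
]


def remediation_order(findings=SAMPLE):
    return [f.vuln_id for f in prioritize(findings)]


def cvss_only_order(findings=SAMPLE):
    """The traditional severity-first order, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    print("threat-centric:", remediation_order())
    print("cvss-only:     ", cvss_only_order())
    print("known > 1 year:", [f.vuln_id for f in stale_findings(SAMPLE)])
```

Note how the 9.8 on the intranet wiki drops to fourth place: it is serious, but nothing is known to be exploiting it and it is not reachable from outside, while the 7.5 on the public web server is both exploited and exposed.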

When: The myth of being able to detect every breach, insider threat or lateral movement has been punctured. Security teams are realizing they need to prepare themselves for “when” they will be breached, rather than “if.”

Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats are likely to continue into 2018.

Sources:

HTTP/2 (Wikipedia)

Usage of HTTP/2 for websites

HTTPS (Wikipedia)

Firefox, Chrome start calling HTTP connections insecure

Alert (TA17-075A) HTTPS Interception Weakens TLS Security

Blockchain

Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead

Selainlouhinta

Cybersecurity Dangers Will Spike in 2018

We’re hitting rock bottom in cyber — let’s do something | TechCrunch

Virtual Security

Mirai-makers plead guilty, Hajime still lurks in shadows

DARPA Takes Chip Route to ‘Unhackable’ Computers

Another AI attack, this time against ‘black box’ machine learnings

GDPR Portal: Site Overview

General Data Protection Regulation (Wikipedia)

Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already

Miten GDPR pitää huomioida ohjelmistokehityksessä?

Seven Seas Cybersecurity: Captain, We Have a Problem

In the Words of President Ronald Reagan, “Trust but Verify”

Why You Should Question These Most Common Cloud Assumptions

It’s 2018. Do You Know Where Your Data Are?

Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Smart Factory Connectivity for the Industrial IoT

The Race for a Universal IoT Security Standard

Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises

The Internet of Things Is Going to Change Everything About Cybersecurity

My Internet Mea Culpa: I’m sorry I was wrong. We all were.

Resolve to Mitigate Your Business’ Digital Risk in 2018

Emerging Trends in Vulnerability Management

Research reveals customer-facing web and mobile apps as top security challenge

Open Source Vulnerabilities: Are You Prepared to Run the Race?

Device Security for the Industrial Internet of Things

GDPR and Open Source: Best Practices

Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC

ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good

Threat Modeling the Internet of Things: Modeling Reaper

Engineering for Privacy Requires Standards

How to Make Adversaries Work Harder, While We Work Smarter, in 2018

2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices

Facebook Releases New Certificate Transparency Tools

iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group

Open Source Vulnerabilities: Are You Prepared to Run the Race?

U.S. Military to Send Cyber Soldiers to the Battlefield

Machine Learning & Security: Making Users Part of the Equation

Security is Not a Technology Profession

State of IPv6 Deployment 2017

Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018

636 Comments

  1. Tomi Engdahl says:

    Ben Thompson / Stratechery:
    Qualcomm-Broadcom merger threatened US security more because it would have dulled Qualcomm’s competitiveness beyond 5G than because Broadcom is a foreign firm

    Qualcomm, National Security, and Patents
    https://stratechery.com/2018/qualcomm-national-security-and-patents/

  2. Tomi Engdahl says:

    The US military could begin drafting 40-year-old hackers
    https://thenextweb.com/insider/2018/03/13/the-us-military-could-begin-drafting-40-year-old-hackers/

    The National Commission on Military, National and Public Service has begun seeking feedback on a host of possible changes to the way it could one day draft young men and women for military service. Currently, the “selective service requirements” preclude certain men and women, specifically those over a certain age, from participating.

    But that could soon change.

    A document set to be published in the Federal Register later this week outlines a series of possible tweaks to selective service requirements, including allowing men and women with in-demand skill sets (medical, dental, nursing, language, cybersecurity, and certain STEM occupations) to be drafted, regardless of age or gender.

    Not unlike the private sector, the military is facing a skills shortage in recruiting and training the modern soldier.

    https://s3.amazonaws.com/public-inspection.federalregister.gov/2018-03261.pdf?utm_campaign=pi%20subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email

  3. Tomi Engdahl says:

    TypingDNA launches Chrome extension that verifies your identity based on typing
    https://techcrunch.com/2018/03/14/typingdna-authenticator-chrome/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    TypingDNA has a new approach to verifying your identity based on how you type.

    The startup, which is part of the current class at Techstars NYC, is pitching this as an alternative to two-factor authentication

    The problem with two factor? TypingDNA’s Raul Popa put it simply: “It’s a bad user experience … Nobody wants to use a different device.”

    So TypingDNA allows users to verify their identity without having to whip out their phone. Instead, they just enter their name and password into a window, then TypingDNA will analyze their typing and confirm that it’s really them.

    The startup’s business model revolves around working with partners to incorporate the technology, but it’s also launching a free Chrome extension that works as an alternative to two-factor authentication on a wide range of services, including Amazon Web Services, Coinbase and Gmail.

  4. Tomi Engdahl says:

    The importance of cloud security
    http://www.controleng.com/single-article/the-importance-of-cloud-security/0e16fd9cad643e79b447863f13624198.html

    Moving to the cloud still provides many challenges for manufacturing organizations to overcome, but smooth transition is possible and definitely without fear provided companies take security seriously.

    In many cases, the most valuable asset of a manufacturing organization, besides its people, is its business data. Data assets in the cloud are under constant threats in the form of data breaches, data corruption and destruction, temporary or permanent loss of access, and temporary or permanent loss of data.

    Any of these issues can have serious consequences since they can cause failure to meet statutory, regulatory, or legal requirements. Cloud computing is about consolidating software and data resources and in this process manufacturing organizations are losing control over those resources. Moving to the cloud still provides many challenges for manufacturing organizations to overcome, but smooth transition is possible and definitely without fear.

    Manufacturing organizations that have chosen to outsource information technology (IT) services and critical resources to the cloud, should also be concerned about vendor lock-in. This situation is characterized as a dependency on the CSP to maintain the manufacturer’s business operations that includes data and software applications. Manufacturing organizations must define the clear exit strategy and avoid any proprietary technologies and standards wherever and whenever possible.

  5. Tomi Engdahl says:

    Let’s Encrypt updates certificate automation, adds splats
    ACME v2 and Wildcard Certificates now live
    https://www.theregister.co.uk/2018/03/14/lets_encrypt_updates_certificate_automation_adds_splats/

    Let’s Encrypt has updated its certificate automation support and added Wildcard Certificates to its system.

    Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant’s admins to prove they manage the domain in the certificate.

    ACME is the automation standard Let’s Encrypt first wrote. It’s described here (the proposed version is in its tenth edit).

    Written with input from Let’s Encrypt, Cisco, the EFF and the University of Michigan, the ACME v2 document says the manual certificate application process looks like this:

    Create the certificate signing request (CSR) and paste it into a certificate authority’s (CA’s) Web page;
    Prove domain ownership by answering a challenge from the CA (either on its Web page, in a DNS record, or via e-mail to an admin at the CA); and
    Download and install the certificate.

    ACME is designed to get rid of the “out-of-band” human interaction in the process, so that getting a CA-provided certificate is “nearly as easy to deploy … as with a self-signed certificate”, the standard says.

    It uses JSON messages over HTTPS to carry the certificate action requests. Once a user has registered an ACME account, there are four steps to get a certificate: submit the order, prove you control the domain (the standard supports a number of challenge-response formats for this), submit a CSR, and download the issued certificate.

    To use ACME for certificate automation, you need a compatible client. As well as Let’s Encrypt’s recommended Certbot, there’s a list of another 70-plus clients plus libraries for nine languages here.

    https://letsencrypt.org/docs/client-options/#acme-v2-compatible-clients

    Reply
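    The four-step ACME v2 order flow described above, modelled as an added example (not Let’s Encrypt’s or any ACME client’s code): a toy in-memory CA walks an order through pending, ready and valid, the challenge response is the RFC 8555 key authorization (token, a dot, and the RFC 7638 thumbprint of the account key), http-01 is used for ordinary names and dns-01 for wildcards, as Let’s Encrypt requires. The account JWK, domain names and the “certificate” string are constructed placeholders; no real keys, signatures or network calls are involved.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the key's required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge response binds the CA's token to the account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def expected_challenge_record(challenge: dict, account_jwk: dict):
    """Where the CA looks and what it must find there, per challenge type.
    http-01: body served at /.well-known/acme-challenge/<token> on the host itself.
    dns-01:  TXT record _acme-challenge.<name> holding base64url(SHA-256(key authorization))."""
    key_authz = key_authorization(challenge["token"], account_jwk)
    if challenge["type"] == "http-01":
        return ("http-01", challenge["name"], challenge["token"]), key_authz
    digest = hashlib.sha256(key_authz.encode("ascii")).digest()
    return ("dns-01", "_acme-challenge." + challenge["name"]), b64url(digest)


class ToyAcmeCA:
    """Stand-in for the ACME server: holds orders and walks each one through
    pending -> ready -> valid, or to invalid when validation or finalization fails."""

    def __init__(self):
        self.orders = {}
        self.published = {}  # what the applicant's web server / DNS zone currently serves

    def new_order(self, account_jwk, identifier):
        # Wildcard names are only validated with dns-01 (Let's Encrypt policy for ACME v2 wildcards).
        wildcard = identifier.startswith("*.")
        challenge = {
            "type": "dns-01" if wildcard else "http-01",
            "name": identifier[2:] if wildcard else identifier,
            "token": b64url(secrets.token_bytes(32)),
        }
        order_id = secrets.token_hex(4)
        self.orders[order_id] = {"status": "pending", "identifier": identifier,
                                 "jwk": account_jwk, "challenge": challenge, "certificate": None}
        return order_id, challenge

    def respond_to_challenge(self, order_id):
        """Step 2 from the CA's side: fetch the record and compare it with what only
        the holder of this account key could have produced for this token."""
        order = self.orders[order_id]
        location, expected = expected_challenge_record(order["challenge"], order["jwk"])
        order["status"] = "ready" if self.published.get(location) == expected else "invalid"
        return order["status"]

    def finalize(self, order_id, csr_subject):
        """Step 3: only a ready order may be finalized, and the CSR must match the order."""
        order = self.orders[order_id]
        if order["status"] != "ready" or csr_subject != order["identifier"]:
            order["status"] = "invalid"
            return order["status"]
        order["status"] = "valid"
        order["certificate"] = f"CERT(subject={csr_subject})"  # constructed placeholder, not X.509
        return order["status"]

    def download(self, order_id):
        """Step 4: the certificate exists only once the order is valid."""
        order = self.orders[order_id]
        return order["certificate"] if order["status"] == "valid" else None


def issue_certificate(ca, account_jwk, identifier, controls_name=True):
    """Client side of the four steps. With controls_name=False the applicant never
    publishes the response, modelling a request for a name this account does not control."""
    order_id, challenge = ca.new_order(account_jwk, identifier)          # 1. submit the order
    if controls_name:
        location, value = expected_challenge_record(challenge, account_jwk)
        ca.published[location] = value                                   # 2a. publish the response
    if ca.respond_to_challenge(order_id) != "ready":                     # 2b. let the CA validate
        return None
    ca.finalize(order_id, csr_subject=identifier)                        # 3. submit the CSR
    return ca.download(order_id)                                         # 4. download the certificate


# Constructed placeholder account key: only the JWK shape matters for the thumbprint.
ACCOUNT_JWK = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB", "alg": "RS256"}

if __name__ == "__main__":
    ca = ToyAcmeCA()
    print(issue_certificate(ca, ACCOUNT_JWK, "www.example.test"))            # CERT(subject=www.example.test)
    print(issue_certificate(ca, ACCOUNT_JWK, "*.example.test"))              # CERT(subject=*.example.test)
    print(issue_certificate(ca, ACCOUNT_JWK, "other.example.test", False))   # None
```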
  6. Tomi Engdahl says:

    Microsoft Publishes Bi-annual Security Intelligence Report (SIR)
    https://www.securityweek.com/microsoft-publishes-bi-annual-security-intelligence-report-sir

    Microsoft’s 23rd bi-annual Security Intelligence Report (SIR) focuses on three topics: the disruption of the Gamarue (aka Andromeda) botnet, evolving hacker methodologies, and ransomware. It draws on the data analysis of Microsoft’s global estate since February 2017, including 400 billion email messages scanned, 450 billion authentications, and 18+ billion Bing webpage scans every month; together with the telemetry collected from the 1.2 billion Windows devices that opt in to sharing threat data with Microsoft.

    It is worth noting that Microsoft applies machine learning (ML) artificial intelligence to this data to tune its own security software. Since the efficiency of ML-based endpoint protection relies on both the algorithms employed, and the size of the data pool from which it learns, the implication is that Windows Defender has the potential to become an increasingly effective protection tool.

    Reply
  7. Tomi Engdahl says:

    Stephanie Condon / ZDNet:
    Chrome Enterprise updated with new management capabilities including automatic forced re-enrollment, per-permission extension blacklisting, and more

    Google announces new security features, partnerships for Chrome Enterprise
    http://www.zdnet.com/article/google-announces-new-security-features-partnerships-for-chrome-enterprise/

    Aiming to make Chrome Enterprise “the most secure endpoint solution for businesses in the cloud,” Google rolls out more partners like Citrix XenMobile and Zoho.

    Reply
  8. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Android Security 2017 Year in Review: 60.3% of potentially harmful Android apps were detected via machine learning, Play Protect reviews 50B+ apps every day

    Google: 60.3% of potentially harmful Android apps in 2017 were detected via machine learning
    https://venturebeat.com/2018/03/15/google-60-3-of-potentially-harmful-android-apps-in-2017-were-detected-via-machine-learning/

    Google released its Android Security 2017 Year in Review report today, the fourth installment of the company’s attempt to educate the public about Android’s various layers of security and its failings. One of the most interesting learnings to come out of the report is that 60.3 percent of Potentially Harmful Apps (PHAs) were detected via machine learning.

    The detection is done by a service called Google Play Protect, which is enabled on over 2 billion devices (running Android 4.3 and up) to constantly scan Android apps for malicious activity. Play Protect uses a variety of tactics to keep users and their data safe, but machine learning is particularly effective in helping catch PHAs.

    Reply
  9. Tomi Engdahl says:

    Nearly every other business network has a crypto miner

    According to statistics from the data security company Check Point, a cryptominer was found in some 42 percent of corporate networks in February. Coinhive, which mines Monero, was found in every fifth organization and was ranked number one in the Top 5 list of malware. The Cryptoloot cryptominer rose to rank two, with its prevalence rising from 7 per cent in January to 14 per cent in February.

    In Finland, the number one malware was Roughted, but Cryptoloot and Coinhive followed it.

    “Cryptominers have steadily increased over the last four months. They slow down the work of PCs and servers, but when they reach the corporate network they can cause more damage. Therefore, it is even more important that companies have access to a multi-layer cybersecurity strategy that protects against both known and unknown threats,” says Maya Horowitz of Check Point’s security research group.

    The most common malware in Finland in February

    1. Roughted – A versatile ad spreader and malware distributor
    2. Cryptoloot – A cryptominer
    3. Coinhive – A cryptominer that mines Monero
    4. The cryptominer planted on JSEco’s website
    5. Fireball – A browser hijacker through which malware can be downloaded to the victim’s machine

    Source: http://www.etn.fi/index.php/13-news/7716-lahes-joka-toisessa-yritysverkossa-kryptolouhija

    Reply
  10. Tomi Engdahl says:

    Hybrid cloud security fundamentals: 4 things to know
    https://enterprisersproject.com/article/2018/3/hybrid-cloud-security-fundamentals-4-things-know?sc_cid=7016000000127ECAAY

    Here are the core issues about hybrid cloud security that IT leaders should understand – and be able to explain to others in the organization

    As with any significant IT change, adopting a hybrid cloud model requires revisiting your security practices. Done right, hybrid cloud should help improve security. The flexibility that comes with multiple environments, each with their own benefits and attendant costs, enables IT leaders to keep some types of sensitive or critical data on-premises, for example, while still embracing the enormous potential of private and public clouds.

    However, security must be a visible piece of your overall hybrid cloud strategy, or you might be introducing new risks without taking the appropriate steps to mitigate them.

    “There is no denying that hybrid cloud infrastructure is part of the new business reality,” says Guy Peer, VP of R&D and co-founder at Unbound. “Therefore, IT leaders must make hybrid cloud security a priority, if they haven’t already.”

    Reply
  11. Tomi Engdahl says:

    In 1988, A College Kid’s Screw-Up Changed The Internet Forever
    http://www.iflscience.com/technology/in-1988-a-college-kids-screwup-changed-the-internet-forever/

    On the evening of November 2, 1988, in a quiet computer lab at MIT, a student majorly screwed up.

    Robert Tappan Morris, a 23-year-old computer science student at Cornell University, had written 99 lines of code and launched the program onto the ARPANET, the early foundation of the Internet. Unbeknownst to him, he had just unleashed one of the Internet’s first self-replicating, self-propagating worms – “the Morris Worm” – and it would change the way we saw the Internet forever.

    Reply
  12. Tomi Engdahl says:

    Reuters:
    China to apply its social credit system to flights and trains, barring access for infractions like spreading false info and not paying fines, starting May 1

    China to bar people with bad ‘social credit’ from planes, trains
    https://www.reuters.com/article/us-china-credit/china-to-bar-people-with-bad-social-credit-from-planes-trains-idUSKCN1GS10S

    Reply
  13. Tomi Engdahl says:

    The United Kingdom government issued a policy report, Secure by Design, calling on Internet of Things device manufacturers to eliminate default passwords, to provide greater transparency in vulnerability disclosure, and to secure credential storage.

    The Internet of Things poses an “Internet of Trouble” threat to national security with its devices so easily susceptible to cyberattacks, Morgan Wright of the Center for Digital Government notes in this analysis. “The point is that poorly secured technology – a vast majority of it from overseas – is being cobbled together to form a massively destructive cyber weapon being aimed at the United States. IoT is taking slingshots and turning them into missiles.”

    Juniper Research predicts worldwide spending on cybersecurity solutions will reach $134 billion by 2022, with small businesses accounting for most of those expenditures.

    Source: https://semiengineering.com/the-week-in-review-iot-89/

    Reply
  14. Tomi Engdahl says:

    Google Reviews Over 50 Billion Android Apps Daily
    https://www.securityweek.com/google-reviews-over-50-billion-android-apps-daily

    Play Protect, the security service that arrived on Android last year, reviews more than 50 billion apps each day, Google claims.

    Launched in May 2017, Google Play Protect brings together various security services for Android, many of which have been available for years, but without being as visible as they are now. Mainly designed to protect users from Potentially Harmful Apps (PHAs), it reviews not only billions of apps, but other potential sources of PHAs as well and user devices, to take action when necessary.

    Play Protect was designed to automatically check Android devices for PHAs at least once a day, and also provides users with the possibility to conduct additional reviews at any time. Because of these daily checks, nearly 39 million PHAs were removed last year, the Internet giant reveals.

    Reply
  15. Tomi Engdahl says:

    Why do the Vast Majority of Applications Still Not Undergo Security Testing?
    https://www.securityweek.com/why-do-vast-majority-applications-still-not-undergo-security-testing

    Did you know that 84% of all cyber attacks target applications, not networks? What’s even more curious is that 80% of Internet of Things (IoT) applications aren’t even tested for security vulnerabilities.

    It is 2018, and despite all the evidence around us, we haven’t fully accepted the problem at hand when it comes to software security. Because we haven’t accepted the problem, we are not making progress in addressing the associated vulnerabilities. Which is why after an active 2017, we are already seeing numerous new attacks before we leave the first quarter of the year.

    So why the lack of progress?

    The evidence that software is a primary attack point is everywhere, yet many choose to ignore security testing—at least for four out of every five IoT applications running today. Since IoT has proven to be an attractive attack vector, one would think that securing them would be of the utmost importance. Apparently not.

    Effectively evaluating secure code

    The RSA Conference will be upon us in April, and a trip through the exhibit hall will find numerous application security testing (AST) vendors of all shapes, sizes, and approaches, each breathlessly promising you they are the one silver bullet you need to test your software security. At best they are telling you a partial truth, as the nature of today’s software demands multiple tests to comprehensively evaluate the security of any application. That is because applications contain three specific components where vulnerabilities can be found, and each must be tested in a different way for security testing to be complete.

    1. The code you write. In spite of the adoption of open source and the move to agile methodologies, one thing remains constant: Your coders still write code. Source code analysis (static analysis) is designed to find security vulnerabilities and quality issues in your code as it’s being developed.

    2. The code you get from open source. With the growing use of open source, the amount of code from external sources in any application is rising exponentially. This open source code may contain profound vulnerabilities that immediately become part of your software. Software composition analysis (SCA) detects open source and third-party component risks in development and production. It also identifies potential licensing issues in open source code used in your applications.

    3. The running application. When code is deployed on the web, the runtime environment must be tested for vulnerabilities through dynamic testing. Testing the application in its running state will reveal problems simply not detectable by static analysis. For high-risk applications, many organizations step up their game by including the human element in the dynamic testing process in the form of ethical hacking.

    Getting a sense of the problem here? Taking IoT as a widespread example, 80% of these applications are not tested at all. For the one-fifth that does receive some form of testing, the testing is likely incomplete. And we already established that many organizations find but do not fix problems.

    No wonder the news in 2018 sounds all too familiar.

    So how do you move your organization forward? While I do not have a silver bullet for you, I do have practical advice:

    ● Rebalance your IT security priorities and budgets to shift the emphasis where the problem exists—software security.

    ● Build a software security group that can then construct and manage a rational and comprehensive software testing program.

    ● Employ tools and programs that empower developers to write secure, quality software from the start. Building security in is a far better approach than trying to test yourself clean.

    Reply
  16. Tomi Engdahl says:

    The Value of Threat Intelligence is Clear, But Are You Capturing It All?
    https://www.securityweek.com/value-threat-intelligence-clear-are-you-capturing-it-all

    The recent SANS 2018 Cyber Threat Intelligence Survey (PDF) finds 81% of cybersecurity professionals affirm that threat intelligence is providing value and helping them do their jobs better. The millions of threat-focused data points available, the many sources of global threat data we subscribe to, and the internal threat and event data from our layers of defense and SIEMs provide a significant amount of threat intelligence. But are we capturing all the value we can to truly strengthen our defenses and accelerate detection and response?

    As I’ve said before, not all threat intelligence is equal. Threat intelligence that is of value to your organization, may not be of value to another. How do you get the most value from your threat intelligence? It comes down to relevance, and that’s determined by your industry/geography, your environment and your skills/capabilities.

    https://www.sans.org/reading-room/whitepapers/threats/cti-security-operations-2018-cyber-threat-intelligence-survey-38285

    Reply
  17. Tomi Engdahl says:

    Europe’s New Privacy Law Will Change the Web, and More
    https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more

    Consumers have long wondered just what Google and Facebook know about them, and who else can access their personal data. But internet giants have little incentive to give straight answers — even to simple questions like, “Why am I being shown this ad?”

    On May 25, however, the power balance will shift towards consumers, thanks to a European privacy law that restricts how personal data is collected and handled. The rule, called General Data Protection Regulation or GDPR, focuses on ensuring that users know, understand, and consent to the data collected about them. Under GDPR, pages of fine print won’t suffice. Neither will forcing users to click yes in order to sign up.

    Reply
  18. Tomi Engdahl says:

    18.5 Million Websites Infected With Malware at Any Time
    https://www.securityweek.com/185-million-websites-infected-malware-any-time

    There are more than 1.86 billion websites on the internet. Around 1% of these — something like 18,500,000 — are infected with malware at a given time each week; while the average website is attacked 44 times every day.

    Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock’s malware scanners, while a smaller subset also use the firm’s cloud-based web application firewall (WAF). The WAF provides insight into DDoS attacks against websites, while the scanners provide insight into the state of malware in websites.

    The analysis shows an increase of around 20% in the number of infected websites over Q3 2017. “We went from about 0.8% of our user base in Q3 to a little over 1% in Q4,” Sitelock research analyst Jessica Ortega told SecurityWeek. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.

    Despite the increase in infected sites, continued Ortega, “The total number of attacks or attempted attacks actually decreased by about 20% — so what we’re seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through.”

    One of the problems is that the average website is very easy to compromise. Sitelock’s analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS) vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities.

    Reply
  19. Tomi Engdahl says:

    How do you make a hacker happy? Leave your systems un-patched without the latest fixes.

    Verizon’s 2015 Data Breach Report revealed that 99.9% of vulnerability exploits happen more than a year after the specific vulnerability was reported. Better patch management could have significantly lowered that number. It only takes one missed patch to present vulnerabilities that expose your system to downtime, loss of data, and failure to comply with regulations.

    Reply
  20. Tomi Engdahl says:

    GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries
    https://www.securityweek.com/github-security-alerts-lead-fewer-vulnerable-code-libraries

    GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform.

    The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities.

    The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email.

    When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories.

    Reply
  21. Tomi Engdahl says:

    Netflix Launches Public Bug Bounty Program
    https://www.securityweek.com/netflix-launches-public-bug-bounty-program

    Netflix announced on Wednesday the launch of a public bug bounty program with rewards of up to $15,000, and Dropbox has made some changes to its vulnerability disclosure policy, promising not to sue researchers.

    Netflix has had a vulnerability disclosure policy for the past 5 years and a private bug bounty program since September 2016. The company has now decided to make its bug bounty initiative public through the Bugcrowd platform.

    Reply
  22. Tomi Engdahl says:

    Proaction, Not Reaction: Predictive Policing in the IoT Era
    http://www.sealevel.com/community/blog/proaction-not-reaction-predictive-policing-in-the-iot-era/

    Policing is a complicated matter in the 21st century. Consider the following statistics:

    The US Office of Highway Police reported approximately 3.2 trillion vehicle miles of travel in 2017, with 2.9 trillion (90%) of those miles happening in urban systems.
    According to the CIA World Factbook, 65% of the US population (about 215 million people) is between the ages of 15 and 64.
    Conversations are happening between 238 million cellphone users.
    In 2015, there were more than 265 million civilian guns in the United States.

    These massive data sets exclude negative social influences that have increased in severity over time, such as systemic prejudice or the opioid crisis. Between the raw volume and the complexity of influencing factors, it is no wonder that traditional policing has become overwhelming. To simplify and improve their public work, Federal and local agencies have reformulated their tactics to engage in “predictive policing.”

    What is predictive policing?

    Predictive policing means maintaining law and order by “predicting” crime rather than reacting to events.

    However, this predictive ability is not a Minority Report prophecy but a two-part policing method that uses analytics and critical responses to improve public safety. By tracking and analyzing data as well as monitoring it in real time, patterns can be seen that reveal insight about future crime. This insight may be about incidents, places, groups and people. Those patterns are followed up with interventional protocols rather than reactive or defensive procedures.

    What technology does predictive policing use?

    The primary tool of predictive policing is big data. Depending on the technical organization assisting the agency, the data may be geographic, personal, open source or crime data. The data may be historic or gathered in real-time. Examples of data collected include the rain forecast, payday schedules in a region, local events, construction, daylight duration times and previous criminal events at a specific location. These data streams are collected from traditional means — eyewitness accounts and filed reports — or they may be more modern. Modern tools include sensors, high-definition cameras and drones. Arranging sensors in an integrated, distributed model is another achievement that has improved data collection.

    When is predictive policing applicable?

    Predictive policing can be used across a range of enforcement issues. For example, in Chicago, officers have used their algorithm to reduce the homicide rate by 39 percent over a seven month period. Fresno was one of the first cities in the United States to apply predictive policing technology to violent crimes and see those rates drop as well.

    As recently as January 2018, Japan announced that it was creating an AI system to beef up its security protocols prior to the 2020 Tokyo Olympics. New iterations of predictive policing have also been applied to traffic situations: systems can predict where drivers are more likely to have accidents or engage in unlawful behavior (such as running red lights).

    The drawback to technology-driven law enforcement is that it does not identify social issues as preventable factors. Thus, predictive policing is less helpful when applied during protests or when crime is heavily influenced by poverty, systemic oppression or lack of basic resources.

    What is the future of predictive policing?

    Dark data and automation will be two hurdles to overcome

    However, with the era of IoT, edge computing predictive policing solutions offer the opportunity to handle these issues. A police department with a smart city infrastructure will have the most opportunity to automate their initiatives and manage dark data effectively.

    A law-and-order edge-computing network looks different than other cloud-based solutions. These smart observers would be able to draw patterns instantaneously with real time data capture and harnessing. Equipped with processors and AI programs, these devices would be able to minimize the amount of information being relayed to central stations (thus diminishing the potential for dark data) and communicate directly with officers, automating the policing process. By being at the source, predictions could arrive faster, increasing the likelihood of preventing future crime.

    Reply
  23. Tomi Engdahl says:

    Silicon Valley Has Failed to Protect Our Data. Here’s How to Fix It
    https://www.bloomberg.com/news/articles/2018-03-21/paul-ford-facebook-is-why-we-need-a-digital-protection-agency

    It’s time for a digital protection agency. It’s clear ethics don’t scale, and it’s not just Facebook’s problem

    Reply
  24. Tomi Engdahl says:

    Securing The Internet Of Things: A Two-Fold Challenge
    https://www.forbes.com/sites/forbestechcouncil/2018/03/20/securing-the-internet-of-things-a-two-fold-challenge/#45f2213822a9

    One word summarizes the challenge of securing the Internet of Things (IoT): scale.

    It’s actually a two-fold challenge. The first issue is the sheer number of IoT devices connected to the internet — a total that continues to grow every year. Gartner estimates that number will reach 26 billion by 2020. Secondly, how can device manufacturers and security providers possibly scale the process of identifying and authenticating each and every one of those devices?

    Hardware developers must prioritize security in the design process but should do so in a way that does not diminish the user experience. Leveraging public key infrastructure (PKI) and digital certificates can be used to meet these requirements.

    The KRACK bug targets a serious flaw in WPA2, a common protocol used to secure modern wireless networks.

    For most IoT hardware manufacturers, security has been an afterthought. This forces them to retrofit devices after the fact, with solutions to address malicious entities when they are discovered. It is an expensive, time-consuming and ineffective approach.

    For that reason, security in IoT implementations must be a critical component of the device design and manufacturing processes to ensure that basic security requirements are in place. For decades, digital certificates have been the security backbone of networked devices like servers, routers, printers and fax machines. PKI can do the same for the internet of things.

    Certificates can be used to encrypt data at rest. PKI also enables the authentication of users, systems and devices without the need for tokens, password policies or other cumbersome user-initiated factors. In mutual authentication scenarios, certificates will uniquely identify devices that enhance authorization and secure device-to-device communication. As a result, certificates ensure that any data or messages transferred cannot be altered.

    manufacturers to embrace “security by default.” PKI provides this capability, and certificate authorities (CAs) that are used to operating large-scale PKI systems

    CAs have the necessary expertise to ensure a manufacturer adequately addresses the needs for strong authentication and encryption capabilities in the design of a new device. Failure to do so can turn any connected device into a security vulnerability and open the door for a cyberattack and unauthorized access to an organization’s network and data.

    The automation of certificate issuance and management will play a critical role in ensuring the integration of PKI-based encryption is seamless and does not force manufacturing engineers and software developers to become PKI technology experts. Automated platforms also provide audits and checkpoints every step of the way for security teams.

    Of course, the effort to automate certificate issuance and make the process easier for non-security staff can introduce risks around ensuring the legitimacy of certificate requests. Encryption is like any other technology — it can be used for good or malicious purposes. This requires CAs to strike a balance between providing the advantages of automated certificate issuance and stopping cyberattackers from exploiting the trust and reputation of CAs.

    There must also be agreement on standards for data sharing and security.

    As the IoT market continues to grow, we constantly need to be coming up with new methods and tools to ensure proper data security, authentication and mutual trust.

    Reply
  25. Tomi Engdahl says:

    GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries
    https://www.securityweek.com/github-security-alerts-lead-fewer-vulnerable-code-libraries

    GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform.

    The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities.

    The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email.

    When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories.

    The Dependency Graph is a feature in the Insights section of GitHub that lists the libraries used by a project. Since the introduction of security alerts, this section also informs users about vulnerable dependencies, including CVE identifiers and severity of the flaws, and provides advice on how to address the issues.

    Reply
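    The matching that the GitHub security-alert comments above describe, and that the software composition analysis (SCA) item in the application security testing comment refers to, as an added example (not GitHub’s or any SCA vendor’s code): a feed of advisories with affected version ranges is compared against each repository’s dependency graph, and every repository pinned to an affected version gets an alert naming the flaw, its severity and the fixed version; a second function answers the “new flaw added to the list” case by returning the repositories whose maintainers should be notified. Package names, versions, repository names and the CVE ids are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str          # constructed placeholder ids below, not real CVE numbers
    ecosystem: str    # "npm" or "rubygems", the two ecosystems the comments mention
    package: str
    affected: str     # conjunction of constraints, e.g. ">=1.0.0 <1.3.2"
    fixed_in: str
    severity: str


def version_key(version: str, width: int = 4) -> tuple:
    """Dotted version -> zero-padded tuple, so '1.2' and '1.2.0' compare equal."""
    parts = [int(x) for x in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))


_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}


def is_affected(version: str, affected: str) -> bool:
    """True when every constraint in the affected range holds for this version;
    an empty or unparsable range never matches, so a bad advisory cannot alert on everything."""
    v = version_key(version)
    constraints = re.findall(r"(>=|<=|>|<|=)\s*([\d.]+)", affected)
    return bool(constraints) and all(_OPS[op](v, version_key(bound)) for op, bound in constraints)


def find_alerts(advisories, repos):
    """repos maps repo name -> dependency graph {(ecosystem, package): pinned version}.
    Returns {repo: [alert, ...]} containing only repos pinned to an affected version."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault((adv.ecosystem, adv.package), []).append(adv)
    alerts = {}
    for repo, graph in repos.items():
        for key, version in graph.items():
            for adv in by_package.get(key, []):
                if is_affected(version, adv.affected):
                    alerts.setdefault(repo, []).append({
                        "package": adv.package, "version": version, "cve": adv.cve,
                        "severity": adv.severity, "upgrade_to": adv.fixed_in,
                    })
    return alerts


def repos_to_notify(new_advisory, repos):
    """The 'new flaw added to the list' path: which maintainers get a notification."""
    return sorted(find_alerts([new_advisory], repos))


# Constructed sample data: placeholder package names, versions, repos and ids.
ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-0001", "npm", "example-http-client", ">=1.0.0 <1.3.2", "1.3.2", "high"),
    Advisory("CVE-PLACEHOLDER-0002", "rubygems", "example-yaml", "<3.1.0", "3.1.0", "critical"),
]
REPOS = {
    "acme/web":   {("npm", "example-http-client"): "1.2.9", ("npm", "example-logger"): "4.0.0"},
    "acme/api":   {("npm", "example-http-client"): "1.3.2"},   # already on the fixed version
    "acme/tools": {("rubygems", "example-yaml"): "3.0.1", ("npm", "example-http-client"): "0.9.0"},
}

if __name__ == "__main__":
    for repo, found in find_alerts(ADVISORIES, REPOS).items():
        for a in found:
            print(f"{repo}: {a['package']}@{a['version']} {a['cve']} ({a['severity']})"
                  f" -> upgrade to {a['upgrade_to']}")
```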
  26. Tomi Engdahl says:

    Do Business Leaders Listen to Their Own Security Professionals?
    https://www.securityweek.com/do-business-leaders-listen-their-own-security-professionals

    Survey Shows a Disconnect Between Business Leaders and Security Professionals

    A new research report published this week claims, “A disconnect about cybersecurity is causing tension among leaders in the C-suite — and may be leaving companies vulnerable to breaches as a result.”

    The specific disconnect is over the relative importance between anti-malware and identity control — but it masks a more persistent issue: do business leaders even listen to their own security professionals?

    The basis for this assertion comes from two sources: the Verizon 2017 Data Breach Investigations Report (DBIR), and the report’s own research. DBIR states, “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” The new research (PDF), conducted by Centrify and Dow Jones Customer Intelligence shows that companies’ security officers agree with the view, while their CEOs do not. Centrify surveyed 800 senior executives in November 2017.

    Reply
  27. Tomi Engdahl says:

    Security Practitioners: 10 Signs You Need to be More Direct
    https://www.securityweek.com/security-practitioners-10-signs-you-need-be-more-direct

    So how can we as security practitioners identify areas in which directness can help us improve? I present: 10 signs you need to be more direct.

    1. Bad ideas hang around
    2. Good ideas don’t come forward
    3. The team has no idea where it stands
    4. Strategic direction and goals are unclear
    5. Everything is above average – always
    6. Vendors are in the dark
    7. You don’t reply to email more than you do reply
    8. Executives get things sugar-coated
    9. You avoid conflict at all costs
    10. The story keeps changing

    Reply
  28. Tomi Engdahl says:

    Something Deeply Disturbing And Illegal Has Been Found Hidden Within Bitcoin’s Transaction Log
    http://www.iflscience.com/technology/links-to-child-pornography-found-hidden-in-bitcoins-transaction-log/

    Bitcoin’s price began to drop early this year, leading many economists and investors to speculate that the cryptocurrency bubble is about to burst spectacularly.

    Yet a recently published analysis by German researchers highlights how one of the digital currency’s greatest strengths could lead to its downfall, regardless of monetary value.

    According to their report, governments across the world could be forced to outlaw Bitcoin due to users’ ability to store illegal – and disturbing – content within its open-access transaction ledger, called the blockchain.

    The problem? To buy, sell, or trade bitcoin, every user must download a copy of the blockchain in its entirety, meaning that they are technically in possession of all the undeletable content contained within. And perhaps unsurprisingly, given human nature, many misuse the blockchain to store objectionable content.

    dozens of folders contained links to copyright or privacy-infringing content, and two were link lists to child pornography websites.

    Reply
  29. Tomi Engdahl says:

    Energy Sector Most Impacted by ICS Flaws, Attacks: Study
    https://www.securityweek.com/energy-sector-most-impacted-ics-flaws-attacks-study

    The energy sector was targeted by cyberattacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab.

    The security firm has analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues related to industrial control systems (ICS) and general-purpose software and protocols used by industrial organizations.

    Of the total number of security holes, 178 impact control systems used in the energy sector. Critical manufacturing organizations – this includes manufacturers of primary metals, machinery, electrical equipment, and transportation equipment – were affected by 164 of these vulnerabilities.

    Other industries hit by a significant number of vulnerabilities are water and wastewater (97), transportation (74), commercial facilities (65), and food and agriculture (61).

    Many of the vulnerabilities disclosed last year impacted SCADA or HMI components (88), industrial networking devices (66), PLCs (52), and engineering software (52). However, vulnerabilities in general purpose software and protocols have also had an impact on industrial organizations, including the WPA flaws known as KRACK and bugs affecting Intel technology.

    Reply
  30. Tomi Engdahl says:

    We need to go deeper: Meltdown and Spectre flaws will force security further down the stack
    Turns out performance at all costs has been rather costly
    https://www.theregister.co.uk/2018/03/26/attacks_go_down_the_stack/

    Around 2003, a computer security portent that had been cheerlessly simmering away for years suddenly came to the boil.

    This was an era stricken by malware attacks on a scale few had prepared for, running software beset with flaws some vendors seemed disinclined to acknowledge let alone fix.

    Vulnerabilities, including high-severity ones, were nothing new, of course, but on the back of the internet megatrend they seemed to be getting more dangerous, causing global trouble in a matter of hours, infamously through fast-spreading worms such as that year’s Blaster and SQL Slammer.

    Blaster was a particularly ironic example because the vulnerability it targeted – a buffer overrun in Windows DCOM RPC – had ostensibly been patched a month before the attack. But having a patch and applying it were not, it turned out, the same thing.

    What was going on? On the face of it, it appeared that high-rated vulnerabilities – especially ones exploiting the innovation of zero-day flaws – were supercharging malware in ways that were going to require new thinking and far better processes.

    Now Google’s vice president of security and privacy engineering (CISO), Eschelbeck had a big idea: the Laws of Vulnerabilities (PDF), a way to understand how quickly Qualys’s enterprise customers were patching flaws.

    What interested him was vulnerability “half-life”, or how long it took to reduce the occurrence of a flaw by 50 per cent, which in 2003 was an average of 30 days in a world where exploits could appear within days.

    Perma-flaws

    And yet despite this, vulnerabilities march on with a predictable logic. Having colonised OSes and web and PC applications, the vulnerability problem is now menacing firmware and side-channel microcode through the proof-of-concept (PoC) vulnerabilities such as Meltdown and Spectre.

    Hotel insomnia

    The good news, notes Carsten Eiram, chief research officer at vulnerability analysis firm Risk Based Security, is that none so far involves remote code execution, which gives defenders a chance of detecting and blocking them.

    Even when fixes are not easy or even possible, mitigations are. It’s messy and slow but liveable providing the industry can quickly fashion a reliable mitigation channel.

    “In general, these types of vulnerabilities are very rare compared to the total number of vulnerabilities reported each year,” Eiram says. “The bar is higher than many other types of vulnerabilities.”

    “If a low-level remote code execution issue is discovered that for some reason cannot be properly mitigated or fixed without replacements, it would be a huge problem.”

    What constrains mitigation is the number of moving parts. For Meltdown and Spectre, the hardware maker (Intel) had to push the mitigation to work with what the OS maker (Microsoft) deemed possible. The latter then had to tell antivirus vendors about this in case their products were making unsupported calls into memory that might interfere with OS Kernel Patch Protection (KPP), setting a registry key to indicate compatibility.

    Tellingly, Microsoft ended up hosting Intel’s patches to speed distribution in case Intel’s own efforts fell short. Cooperation between industry tiers suddenly mattered.

    “We’ve been trying to get as low level as possible. Security is leaving the operating system to go deeper down the stack… to sit between the CPU and the software,” according to Arsene.

    His company last year announced Hypervisor Introspection (HVI), a data centre security technology developed in conjunction with Citrix that protects virtualized servers from the thorny problem of malware exploiting shared memory.

    At the time it looked like an interesting sledgehammer for a peanut-sized problem, less so now that people have had time to speculate as to how Meltdown and Spectre-primed malware might escape hypervisors in ways that not long ago sounded hypothetical.

    “While patching is good, that doesn’t address the core issue which is at some point you need to upgrade your hardware,” says Liviu. “If until now we thought of security as exploiting vulnerabilities in code, this goes to prove that this code can run much deeper than we thought.”

    The Laws of Vulnerabilities: Six Axioms for Understanding Risk
    https://www.qualys.com/docs/laws-of-vulnerabilities.pdf

    Reply
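    The vulnerability “half-life” that Eschelbeck tracked (the time it takes for the number of systems exposed to a flaw to fall by half) is easy to compute from repeated scan results. The following is an added Python example, not code from the Register article or from Qualys’s paper. The scan counts are constructed to decay with a 30-day half-life and sampled every 10 days; the data, the function names and the sampling interval are assumptions.

```python
import math
from typing import List, Optional, Tuple

# Constructed sample (assumption): number of hosts still vulnerable to one flaw,
# observed every 10 days after disclosure. Built as 1000 * 0.5 ** (t / 30), so the
# true half-life is 30 days, matching the 2003 average quoted in the article.
SAMPLE_SCAN_COUNTS: List[Tuple[int, int]] = [
    (t, round(1000 * 0.5 ** (t / 30))) for t in range(0, 130, 10)
]


def half_life_by_fit(observations: List[Tuple[int, int]]) -> float:
    """Least-squares fit of ln(count) = ln(c0) - lam * t; half-life is ln 2 / lam.

    Using every observation smooths out scanner noise better than a single
    crossing point does.
    """
    pts = [(t, math.log(c)) for t, c in observations if c > 0]
    if len(pts) < 2:
        raise ValueError("need at least two non-zero observations")
    n = len(pts)
    mean_t = sum(t for t, _ in pts) / n
    mean_y = sum(y for _, y in pts) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    slope = sxy / sxx
    if slope >= 0:
        raise ValueError("exposure is not decreasing; no half-life exists")
    return math.log(2) / -slope


def half_life_by_crossing(observations: List[Tuple[int, int]]) -> Optional[float]:
    """Day on which the count first reaches half of the initial count.

    Linearly interpolates between the two surrounding observations; returns
    None if the series never drops that far.
    """
    t0, c0 = observations[0]
    target = c0 / 2
    prev_t, prev_c = t0, c0
    for t, c in observations[1:]:
        if c <= target:
            if prev_c == c:
                return float(t)
            return prev_t + (prev_c - target) * (t - prev_t) / (prev_c - c)
        prev_t, prev_c = t, c
    return None


def days_to_remaining(fraction: float, half_life: float) -> float:
    """Days until only `fraction` of the original exposure is left, given a half-life.

    With a 30-day half-life, getting down to 10% exposure takes about 100 days,
    which is why a half-life of weeks is a problem when exploits appear within days.
    """
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    return half_life * math.log2(1 / fraction)


if __name__ == "__main__":
    print("fit:      %.1f days" % half_life_by_fit(SAMPLE_SCAN_COUNTS))
    print("crossing: %.1f days" % half_life_by_crossing(SAMPLE_SCAN_COUNTS))
    print("to 10%% exposure: %.1f days" % days_to_remaining(0.1, 30))
```

    Both estimators agree on clean data; on real scan data the crossing method reacts to a single noisy scan, so the fitted value is the one to report and track over time.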
  31. Tomi Engdahl says:

    Statistics Say Don’t Pay the Ransom; but Cleanup and Recovery Remains Costly
    https://www.securityweek.com/statistics-say-dont-pay-ransom-cleanup-and-recovery-remains-costly

    Businesses have lost faith in the ability of traditional anti-virus products to detect and prevent ransomware. Fifty-three percent of U.S. companies infected by ransomware in 2017 blamed legacy AV for failing to detect the ransomware. Ninety-six percent of those are now confident that they can prevent future attacks, and 68% say this is because they have replaced legacy AV with next-gen endpoint protection.

    These details come from a February 2018 survey undertaken by Vanson Bourne for SentinelOne, a next-gen provider, allowing SentinelOne to claim, “This distrust in legacy AV further confirms the required shift to next-gen endpoint protection in defending against today’s most prominent information security threats.” This is a fair statement, but care should be taken to not automatically confuse ‘legacy AV’ with all traditional suppliers — many can also now be called next-gen providers with their own flavors of AI-assisted malware detection.

    SentinelOne’s Global Ransomware Report 2018 (PDF) questioned 500 security and risk professionals (200 in the U.S., and 100 in each of France, Germany and the UK) employed in a range of verticals and different company sizes.

    The result provides evidence that paying a ransom is not necessarily a solution to ransomware. Forty-five percent of U.S. companies infected with ransomware paid at least one ransom, but only 26% had their files unlocked. Furthermore, 73% of those firms that paid the ransom were targeted at least once again. Noticeably, while defending against ransomware is a security function, responding to it is a business function: 44% of companies that paid up did so without the involvement or sanction of the IT/security teams.

    SentinelOne: Global Ransomware Study 2018
    https://go.sentinelone.com/rs/327-MNM-087/images/Ransomware%20Research%20Data%20Summary%202018.pdf

    Reply
  32. Tomi Engdahl says:

    Cambridge Analytica’s leak shouldn’t surprise you, but it should scare you
    Facebook is not alone in making everyone’s data available for whatever purpose.
    https://theoutline.com/post/3796/cambridge-analyticas-leak-shouldnt-surprise-you-but-it-should-scare-you

    Reply
  33. Tomi Engdahl says:

    Why Does Data Exfiltration Remain an Almost Unsolvable Challenge?
    https://www.securityweek.com/why-does-data-exfiltration-remain-almost-unsolvable-challenge

    From hacked IoT devices to corporate infrastructures hijacked for crypto-mining to automated ransomware, novel and sophisticated cyber-attacks are notoriously hard to catch. It is no wonder that defending against these silent and never-seen-before threats dominates our security agendas. But while we grapple with the challenge of detecting the unknown, data exfiltration – an old and very well-known risk – doesn’t command nearly the same amount of attention. Yet data exfiltration happens, and it happens by the gigabyte.

    As attackers improve their methods of purloining the sensitive data we trust our organizations to keep safe, one critical question remains: why does data exfiltration present the security community with such a formidable challenge?

    The challenge in identifying indicators of data exfiltration lies partly in the structure of today’s networks. As our businesses continue to innovate, we open the door to increased digital complexity and vulnerability – from BYOD to third party supply chains, organizations significantly amplify their cyber risk profile in the name of optimal efficiency.

    Against this backdrop, our security teams are hard-pressed to identify the subtle telling signs of a data exfiltration attempt in the hope to stop it in its tracks. To add to the complexity, they need to find the proverbial needle in an ever growing haystack of hundreds of thousands of devices on their network that they did not build, install, or even know existed.

    Networks today are much like living organisms: they grow, they shrink, and they evolve at a rapid rate. If we think about a network as a massive data set that changes hundreds, if not thousands, of times per second, then we have to realize that no security team will ever be able to keep up with which actions are authorized versus which actions are indicative of data exfiltration.

    The Old Approach Needs Victims Before it Can Offer Solutions

    Compounding the challenge of today’s labyrinthine networks, stretched security teams are always on the offense – fighting back-to-back battles against the latest form of unpredictable threat. So how can security teams cut through the noise and discern the subtle differences between legitimate activity and criminal data exfiltration campaigns?

    Five years ago, we relied on historical intelligence to define tomorrow’s attack. But the never-ending cycle of data breaches has taught us that these approaches were just as insufficient then as they are now.

    Organizations are increasingly turning to AI technology for the answer, capable of identifying subtle deviations from normal network activity. By understanding the nuances of day-to-day network activity, self-learning technology correlates seemingly-irrelevant pieces of information to form a comprehensive picture of what is happening within our network borders. Consequently, AI spots the subtle indicators of exfiltration as it’s happening – giving security teams valuable time to mitigate the crisis before it becomes a headline.

    Reply
  34. Tomi Engdahl says:

    The Big Business of Bad Bots
    https://www.securityweek.com/big-business-bad-bots

    Bad bots are big news largely because of the FBI investigation into Russia’s involvement in the 2016 presidential election. But bad bots are a bigger problem than automated tweeting: 42.2% of all website traffic comes from bots; and 21.8% of it is down to bad bots.

    Distil Networks’ 2018 Bad Bot Report, based on an analysis of hundreds of billions of bad bot requests, shows that bad bot traffic increased by 9.5% in 2017. Bad bots differ from good bots, whose traffic also increased by 8.8% to 20.4%. It means that only — on average — 57.8% of visiting traffic comes from a genuine human being interested in the website content.

    Good bots are those that all websites require. They include the search engine page indexing bots from Google and Bing, and they bring humans to the site. Bad bots, however, are secretive and nefarious. They come from outright criminals and commercial competitors; and their purpose is to detract and/or steal from the website.

    Distil highlights eight different bad bot functions: price scraping, content scraping, account takeover, account creation, credit card fraud, denial of service, gift card balance checking, and denial of inventory. They fall into three primary categories: competitive, organized criminal, and nuisance.

    Price scraping and content scraping are generally competitor attacks. Price scraping allows competitors to maintain price levels slightly lower to score more highly in search engine rankings. Content scraping is simply the theft of proprietary content to augment another site’s own content.

    Account takeover bots are automated attempts at illegal log-ins. They can deliver brute-force attacks cycling through the most popular passwords to see if one of them works, or they can use the process known as credential stuffing.

    Distil reports a 300% increase in credential stuffing bad bots in the weeks following a new major credential theft.

    Reply
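    The two account-takeover patterns the comment above describes, password brute force against one account and credential stuffing across many accounts, leave different fingerprints in an authentication log, and a defender can separate them from ordinary traffic by looking at each source address’s failure ratio and the number of distinct usernames it tries. The following is an added Python example, not code from the Distil report or the SecurityWeek article. The log format, the sample lines (TEST-NET addresses), the thresholds and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Assumed log format (constructed): "<timestamp> ip=<src> user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def _lines(ip: str, attempts) -> List[str]:
    """Build constructed log lines for one source IP from (user, result) pairs."""
    return [
        f"2018-03-27T10:00:{i:02d}Z ip={ip} user={u} result={r}"
        for i, (u, r) in enumerate(attempts)
    ]


# Constructed sample log: one stuffing source, one brute-force source, one ordinary
# user who mistyped once, and a shared office gateway (many users, mostly success).
SAMPLE_LOG = "\n".join(
    _lines("203.0.113.5", [(f"user{i}", "fail") for i in range(9)] + [("carol", "ok")])
    + _lines("198.51.100.7", [("admin", "fail")] * 10)
    + _lines("192.0.2.9", [("dave", "fail"), ("dave", "ok"), ("dave", "ok")])
    + _lines("192.0.2.20", [(f"staff{i}", "ok") for i in range(9)] + [("staff3", "fail")])
    + ["garbage line that does not parse"]
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse log text into event dicts, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(
    events: List[Dict[str, str]],
    min_attempts: int = 8,          # below this, too little data to judge
    min_fail_ratio: float = 0.7,    # bots mostly fail; a NAT gateway mostly succeeds
    stuffing_user_ratio: float = 0.8,   # nearly every attempt is a different account
    bruteforce_user_ratio: float = 0.2, # nearly every attempt is the same account
) -> Dict[str, str]:
    """Label each source IP as benign, credential_stuffing, password_bruteforce or suspicious."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "fail":
            s["fails"] += 1

    verdicts = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            verdicts[ip] = "benign"
            continue
        fail_ratio = s["fails"] / s["attempts"]
        user_ratio = len(s["users"]) / s["attempts"]
        if fail_ratio < min_fail_ratio:
            verdicts[ip] = "benign"          # e.g. a shared gateway with real users
        elif user_ratio >= stuffing_user_ratio:
            verdicts[ip] = "credential_stuffing"
        elif user_ratio <= bruteforce_user_ratio:
            verdicts[ip] = "password_bruteforce"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def compromised_accounts(events: List[Dict[str, str]], verdicts: Dict[str, str]) -> Set[str]:
    """Accounts that logged in successfully from a source labelled as credential stuffing.

    A stuffed credential that worked means that password was in a breach dump,
    so these accounts need a forced reset, not just a blocked IP.
    """
    return {
        e["user"]
        for e in events
        if e["result"] == "ok" and verdicts.get(e["ip"]) == "credential_stuffing"
    }


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    v = classify_sources(evts)
    for ip, label in sorted(v.items()):
        print(f"{ip:15s} {label}")
    print("reset these accounts:", sorted(compromised_accounts(evts, v)))
```

    The failure-ratio check is what keeps a shared office gateway out of the alert queue: it also shows many usernames from one address, but its logins mostly succeed. In production the same counters would be kept per sliding time window, since the report’s observation that stuffing traffic spikes after a fresh credential dump is a change over time, not a static count.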
  35. Tomi Engdahl says:

    Risky Business: The Fifth Element
    https://www.securityweek.com/risky-business-fifth-element

    The logic is to streamline the company’s mitigation efforts and allow you to focus more time and investment where it matters most—on the unique risks inherent to the business.

    That is to say, you won’t hire a company just for DDoS and WAF. You’ll hire a company for IDaaS, IPS, encryption/decryption, SSL orchestration, governance, risk and compliance (GRC).

    And over time, you’ll dial in your use of these services. Spin them up when they’re needed most. Ratchet them back when they’re not in demand. Pay only for what you use. This is a strategic way to contain costs as you may only fully use your GRC service when it’s time for an audit, enabling the company to increase its capacity without having a consulting service on site.

    All of this will dramatically change how CISOs function and how their teams are structured. Instead of hiring dozens of people to build and maintain multiple systems, CISOs will shift to focus on the data that powers the business and how it flows through and interacts with these outsourced relationships.

    And yes, I am going so far as to say this shift is inevitable, because it’s being driven by some pretty clear economic pressures:

    Talent scarcity
    It’s well-known that there are a lot of open job reqs in cybersecurity. I mean a lot—more than a million today. And according to the Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study, there may be as many as 1.8 million open jobs in the field by 2022.

    Economies of scale
    Most CISOs will never be able to address all of a company’s risk anyway. They’ll never have enough resources to truly cover all of them.

    Reply
  36. Tomi Engdahl says:

    Most FTSE 100 boards kept in the dark about cyber resilience plans
    Infosec bods worry it could be used against firms if disclosed
    https://www.theregister.co.uk/2018/03/28/cyber_resilience_planning_ftse_100/

    Only one in five FTSE 100 companies disclose testing of online business protection plans.

    Most (57 per cent) of FTSE 100 companies talk about their overall crisis management, contingency or disaster recovery plans within their annual reports but few in comparison mention cybersecurity. Just 21 per cent of UK Blue Chip businesses regularly share security updates with the board at least twice a year, according to a study by management consultancy Deloitte.

    Cyber risk testing would include services such as “ethical hacking” (AKA penetration testing) to find vulnerabilities in their IT systems. Security testing will become even more important with the advent of the EU’s General Data Protection Regulation, due to swing into effect in June, under which data breaches in the UK and other member states will be punished with much tougher financial sanctions.

    Phill Everson, head of cyber risk services at Deloitte UK, said: “Would-be hackers look for weaknesses in a system to gain access, so testing remains vital in ensuring strong cyber resilience. The 20 per cent of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, whilst also showing commitment in fixing them if identified.”

    Reply
  37. Tomi Engdahl says:

    Tom Pendergast / Wired:
    GDPR in the EU and similar laws in other countries, along with the Facebook/Cambridge Analytica scandal, may point to a global shift in favor of personal data control.

    The Next Cold War Is Here, and It’s All About Data
    https://www.wired.com/story/opinion-new-data-cold-war

    The headlines about the trade wars being touched off by President Trump’s new tariffs may telegraph plenty of bombast and shots fired, but the most consequential war being waged today is a quieter sort of conflict: It’s the new Cold War over data protection. While the Facebook/Cambridge Analytica crisis currently burns as the latest, hottest flare-up in this simmering conflict, tensions may increase even more on May 25, 2018, when the European Union’s General Data Protection Regulation comes into effect.

    Reply
  38. Tomi Engdahl says:

    Why Multi-cloud Security Requires Rethinking Network Defense
    https://www.securityweek.com/why-multi-cloud-security-requires-rethinking-network-defense

    The Need to Rethink Security For Our Cloud Applications Has Become Urgent

    Companies are utilizing the public cloud as their primary route to market for creating and delivering innovative applications. Striving to gain a competitive advantage, organizations of all sizes and in all vertical sectors now routinely tap into infrastructure as a service, or IaaS, and platform as a service, or PaaS, to become faster and more agile at improving services through applications.

    Along the way, companies are working with multiple cloud providers to create innovative new apps with much more speed and agility. This approach is opening up unprecedented paths to engage with remote workers, suppliers, partners and customers. Organizations that are good at this are first to market with useful new tools, supply chain breakthroughs and customer engagement innovations.

    There’s no question that IaaS, PaaS and their corollary, DevOps, together have enabled businesses to leapfrog traditional IT processes. We are undergoing a digital transformation of profound scope – and things are just getting started. Companies are beginning to leverage the benefits of being able to innovate with unprecedented agility and scalability; however, to take this revolution to the next level, we must take a fresh approach to how we’re securing our business networks.

    Limits to legacy defense

    Simply put, clunky security approaches, pieced together from multiple vendors, result in a fragmented security environment where IT teams must manually correlate data to implement actionable security protections. This level of human intervention increases the likelihood for human error, leaving organizations exposed to threats and data breaches. What’s more, security tools that are not built for the cloud significantly limit the agility of development teams.

    Cloud collaboration, fueled by an array of dynamic and continually advancing platforms, is complex; and this complexity has introduced myriad new layers of attack vectors. We’ve seen how one small oversight, such as forgetting to change the default credentials when booting up a new cloud-based workload, can leave an organization’s data exposed or allow attackers to leverage resources to mine cryptocurrency.

    Reply
  39. Tomi Engdahl says:

    11 Myths About Fingerprint Sensors and Multifactor Authentication
    http://www.electronicdesign.com/industrial-automation/11-myths-about-fingerprint-sensors-and-multifactor-authentication

    What’s true and what’s not when it comes to fingerprint sensors and multifactor authentication on mobile devices?

    1. It’s easy to spoof a fingerprint.

    Not true. Despite what you see in the movies or in security demos, spoofing a fingerprint by taking a high-resolution photo or recovering a latent print is very difficult.

    2. Optical sensors are less secure than capacitive sensors because they store the actual fingerprint image.

    Not true. A smartphone or PC that observes basic privacy and security principles never stores a complete image of your biometric information.

    3. If a bad guy gets the fingerprint image off of your phone or PC, he can use it to access your phone.

    Not true. As stated in Myth #2, no fingerprint image will be stored in your PC or phone. Because fingerprint images aren’t stored, they can’t be stolen from your device.

    4. Multi-factor biometric security on mobile devices is hard and/or expensive to do.

    Partially true.

    5. Contextual factors aren’t enough to secure a mobile device.

    True, but… it should say that contextual factors “alone” aren’t enough to secure a mobile device. In combination with biometric authentication, they can be part of an overall very strong and user-friendly solution.

    6. Fingerprint sensors have to be on the home button or back of the smartphone.

    Not true. Fingerprint sensors are available in a broad range of form factors.

    7. Biometric authentication is just for security.

    Not true. Once a user’s identity is established, there are myriad ways that information can be put to productive use. For example, it can be used to customize the user experience, or to select preferences.

    8. Optical sensors are too big/power-hungry for fingerprint scanning in a mobile device.

    Not true. Technology advances have now made optical sensors small and efficient enough to be used in mobile devices.

    9. All fingerprint solutions are equal, so cost should be the deciding factor.

    Not true. Fingerprint-sensor providers offer distinctly different solutions spanning different technologies (e.g., capacitive vs. optical), varying security levels, form-factor options, power consumption, durability, and notably software solutions.

    10. Biometrics are too difficult/too expensive to manage for use in enterprise environments.

    Not true. Fingerprint solutions are more secure than typical username/password configurations in enterprise environments. They also eliminate cumbersome password resets and IT support calls, making them easier to maintain and support.

    11. Encryption is enough to protect a fingerprint template file.

    Not true. The purpose of encryption is to protect the template file while it’s being stored, generally in a small amount of non-volatile RAM (NVRAM). However, many occasions arise when the template must be decrypted, most notably during the test for a match. It must also be protected during these operations.

    Reply
  40. Tomi Engdahl says:

    Who’s Responsible For Security?
    https://semiengineering.com/whos-responsible-for-security-3/

    Experts at the Table, part 3: How to manage the cost of security; the value of passwords; insignificant versus real threats.

    SE: If something is manufactured in one place, shipped somewhere else for assembly and then shipped to a distributor, how do you know what you’re getting is the real thing?

    Hayton: We started this with mobile phones, and because we enable payments on mobile phones as a trusted execution environment, people need to know that it’s a trusted device. We do ‘trust injection’ on a lot of different devices. But that’s pretty simple. We trust whoever is making the phone, and they do it all themselves. IoT isn’t like that. You outsource to module makers. In some markets you get a hologram. We’re doing something similar with digital holograms, whereby we can track different stages during manufacturing. ‘Here’s a sticker to put on this to say this device is at this stage, so later I can say it’s gone through stages A, B, C and D in the right order.’ But it doesn’t tell you if those people have actually done the right thing.

    Schaeffer: In silicon we’re going to start to see identities on possibly every part. But you have to create a scalable model. If you have a very-low-power piece of silicon, a PUF might be really good for that if you don’t already have a crypto engine on it.

    Povey: We’re working with companies like Data-IO to enable the OEM to deploy certificates and identity material at the point of manufacturing. You have to get the identity in there early with a digital hologram or certificate.

    Canel: You’ll see a fragmented ecosystem with security. You’re going to have solutions with no root of trust—sensors that are 10 cents or 15 cents embedded into a building when that building is being put together. You’ll see devices with parts that sell for 50 cents. And then you’ll see parts with tamper resistance and security, and those will sell for $10. You’ll see a spectrum of solutions. We will have to deal with a set of inconsistent environments. There will be vertical markets that are fully regulated and companies that are concerned about their reputations, and we’ll see some level of normalization of practices.

    SE: But there are a lot of touch points along the way, from the IP developers to the manufacturers to the distributors. Doesn’t each one require the same level of scrutiny? And is that realistic?

    Schaeffer: It doesn’t need the same level of scrutiny. There can be some secure mechanisms put into place, but you have to choose the right tool for the right job. If I can get one key and use that to penetrate one device, that’s fine. That’s not a scalable attack. If I can use one device to get a key to penetrate 1,000 devices, that’s not alright. That will need either more protection or a secure mechanism. But we can have a set of devices where you have the same level of security. Then it will be up to the OEM to determine which technique is appropriate for a particular application.

    Povey: Instead of who takes responsibility, we have to change the math. We have to take security and turn it from a cost into an intrinsic value—an underpinning enabler for the system. Then, everybody will make the right decision. Instead of saying, ‘I’ve got to put a root of trust in this and it will cost me 30 cents,’ or ‘I have to write better software and it will cost me $1 million,’ you are building a strategic relationship with your customer who you can sell to again and again. You deliver updates, management services and high value. That becomes part of the purchasing requirement. You can do better analytics because you trust the data and derive value out of that. And if you can defend your brand, that’s valuable. The only way to make this work is to change the business models.

    Canel: Along those lines, insurance companies are going to play a very important role in a lot of industries.

    SE: How much of this is the consumer’s responsibility? You have to change passwords regularly, which most people don’t.

    Hayton: Passwords are terrible, but that’s a narrow view of security. You’re putting your password into a device and connecting to some multinational corporation that is awake every minute of every hour. Shouldn’t you be more concerned about that than whether your password is good or not? Typing in the password has been a long time in dying, but it is beginning to die. I’ve got a fingerprint sensor in my phone and another one on my PC. There are better ways to log in. You can’t trust users to come up with good passwords and then not forget them.

    Schaeffer: The question is who bears the responsibility if you do something stupid like that. If someone steals money from my bank account from my Gmail account, who’s liable?

    Povey: Most consumers don’t care and shouldn’t have to care. So many of the devices on the IoT won’t have user interfaces. We can’t even enter a password. For a smart home, you do have to enable services to help manage services and to maintain them. A lot of consumers don’t update their PCs, and they’re easy to update. They certainly won’t update their heating systems, their cars, their toasters. You have to outsource that to a trusted third party. In the industrial IoT, that has to go back to the info team to manage. There are better ways for IT teams to manage large, complex systems. Patching coming from the OEM has to be backed up and deployed at a certain time when the system is in the quietest mode. We can move away from passwords there and to certificate-based technology. We have to go back to better security technologies, which can be managed through good systems.

    SE: This has ramifications that go well beyond a device. A toaster may seem insignificant, but it can burn down a house, and lots of toasters can burn down an entire community.

    Holmberg: A lot of what has been discussed here involves infrastructure. When you think about software, that has to be developed in a different way.

    Schaeffer: The FDA is starting to move in that direction. They know safety. Security is part of that.

    Reply
  41. Tomi Engdahl says:

    Microsoft Warns Windows 7 Is Dangerous To Use [Updated]
    https://www.forbes.com/sites/gordonkelly/2017/01/17/microsoft-windows-7-security-hardware-support-problems/#3cebf6e6ecdb

    Do you use Windows 7? Microsoft says you are placing yourself in danger…

    In a new post on the official Microsoft Newsroom, the company has warned Windows 7 users the ageing platform suffers from a number of serious failings including security deficiencies and hardware restrictions while reiterating all support for the platform is ending. It’s scary stuff.

    “Today, [Windows 7] does not meet the requirements of modern technology, nor the high security requirements of IT departments,” says Markus Nitschke, Head of Windows at Microsoft Germany.

    The Microsoft post (originally written in German) goes into more detail, actively attacking Windows 7 for its “long-outdated security architectures” and warning any users and businesses who are running it that they are more susceptible to cyber attacks.

    But the remarkable beatdown of its own platform doesn’t stop there. Microsoft says that sticking with Windows 7 will result in “higher operating costs” for users due to problems with reliability and compatibility.

    Microsoft completes this somber vision for Windows 7 by emphasising that its life cycle is ending and that when that happens it will no longer provide any security updates or technical support.

    What To Think? Reality Vs Scare Tactics

    Let me be absolutely clear: Microsoft is taking extreme liberties with the truth and Windows 7 users should not panic. Instead they should see this for what it is – a desperate attempt by the company to push users to Windows 10 after the infamous nagging stopped. So let’s break down Microsoft’s claims:

    Yes, Windows 10 does technically have better security BUT Windows 7 remains a very secure operating system if you are going to keep it up to date with the latest security patches.
    Yes, Windows 7 doesn’t support the latest AMD, Intel and Qualcomm chipsets but that is ONLY because Microsoft chose to make them incompatible.

    Yes, technically Windows Store apps are only compatible with Windows 10 but I’ve seen ZERO evidence any hardware or software companies are no longer supporting Windows 7

    Yes, Windows 7 support will end and Microsoft will cut off all support but not until January 14th 2020.

    And finally, Microsoft has been here before. In January 2016 the company warned Windows 7 users they choose the platform “at your own risk, at your own peril”. Again technically that’s true but it’s true of almost anything

    The reality is this: Microsoft wants all users on Windows 10 because it gives Microsoft far greater control over updates and privacy

    So ultimately all this scaremongering makes no sense. Why? Because avoiding Windows 10 long term is impossible if you wish to remain a Windows user. Microsoft’s decision to make older versions of Windows incompatible with new hardware has ensured that, so the company will get what it wants.

  42. Tomi Engdahl says:

    Security for the Ages: Make it Memorable
    https://www.securityweek.com/security-ages-make-it-memorable

    Those of us That Spend our Lives in Security Sometimes Forget How our Field Looks and Sounds to Others

    Let’s take a look at ten situations in which we can leverage this powerful lesson.

    1. Conferences: I’ve sat through a fair number of conference talks in my life. Some have been better than others.

    2. Board: What I took away from these encounters is the extremely high level at which the board thinks about risk. It’s incredibly strategic and miles away from tactical.

    3. Executives: While perhaps not as high level as the board, executives are still pretty high level. Tactical mumbo jumbo will put them into a trance. Best to tune your message to the audience and ensure it will resonate and stay with them.

    4. Team: Your team needs to have a good idea of where you’re going and what you expect from them. The message needs to articulate that clearly in terms that are meaningful to the broader team.

    5. Stakeholders: In order for any security organization to be effective, it needs to work collaboratively with the business. The way the business thinks about risk, however, will be different than the way the security team does.

    6. Customers: Your customers likely want to understand that you take their data and privacy seriously.

    7. Peers: We all benefit from peer interactions. People who understand what our day-to-day professional life is like, the challenges we face, and who run in our circles.

    8. Clients: If you are a security consultant, how do you sell your or your firm’s services to potential clients? Do you talk about all of the skills and capabilities you have? Or, do you talk about how you can address the problems and challenges that the client may have in the language of the client? I will leave it to you to decide which approach is generally more effective.

    9. Insurance: Cyber insurance is becoming a hot topic. While the field is still in its infancy, insurance companies are beginning to take an interest in how they can more appropriately assess risk.

    10. Vendors: As an enterprise, you likely understand that your supply chain can introduce risk into your overall information security posture. Assessing, measuring, and tracking this risk over time is an important part of managing third party risk.

  43. Tomi Engdahl says:

    Breaches Increasingly Discovered Internally: Mandiant
    https://www.securityweek.com/breaches-increasingly-discovered-internally-mandiant

    Organizations are getting increasingly better at discovering data breaches on their own, with more than 60% of intrusions in 2017 detected internally, according to FireEye-owned Mandiant.

    The company’s M-Trends report for 2018 shows that the global median time for internal detection dropped to 57.5 days in 2017, compared to 80 days in the previous year. Of the total number of breaches investigated by Mandiant last year, 62% were discovered internally, up from 53% in 2016.

    On the other hand, it still took roughly the same amount of time for organizations to learn that their systems had been compromised. The global median dwell time in 2017 – the median time from the first evidence of a hack to detection – was 101 days, compared to 99 days in 2016.

  44. Tomi Engdahl says:

    Blair Hanley Frank / VentureBeat:
    Amazon announces AWS Secrets Manager, which allows developers to programmatically insert credentials in applications without writing them into the source code — Amazon Web Services announced a new service today that could solve one of the biggest security headaches facing users of the cloud platform.

    AWS Secrets Manager plugs a major cloud security hole
    https://venturebeat.com/2018/04/04/aws-secrets-manager-plugs-a-major-cloud-security-hole/

    Amazon Web Services announced a new service today that could solve one of the biggest security headaches facing users of the cloud platform. The AWS Secrets Manager will allow developers to programmatically insert the credentials their applications need without writing them into the source code itself or setting them as environment variables.

    Leaked credentials written into source code have been one of the biggest security risks for customers of the cloud platform. The Secrets Manager will let customers replace that risk with a small function that goes and pulls down the correct credentials when it’s run for database access and connections to other services.

    While AWS Secrets Manager works with credentials for databases managed by the cloud provider’s Relational Database Service, it also works with third-party API keys, like those provided by Twitter and other companies. The service also handles automatic rotation of those security credentials.

    (To be clear, this isn’t an AWS-only problem: users of other cloud platforms have similar issues with managing credentials for their applications.)

    In addition to the Secrets Manager, AWS also announced a new Firewall Manager that lets companies centrally control settings for the AWS Web Application Firewall across multiple accounts. Along similar lines, an update to the AWS Config Rules service will allow customers to manage different compliance rules for their configurations across multiple accounts.

    Finally, the cloud provider announced a Private Certificate Authority feature for its security certificate management service.

  45. Tomi Engdahl says:

    Tokenization Beyond Payments
    How to protect sensitive data with unique identification credentials
    https://semiengineering.com/tokenization-beyond-payments/

    Tokenization is a process by which sensitive data is replaced with unique identification credentials that retain all essential information about the data without exposing said sensitive data to attacks. While traditional payment methods pass critical identification information through several points, tokenization minimizes the amount of data a business needs to keep on hand.

    http://info.rambus.com/tokenization-beyond-payments

    While traditional payment methods pass critical identification information through several points, tokenization minimizes the amount of data a business needs to keep on hand. Becoming popular with small and mid-sized businesses since it can strengthen the security of credit card and e-commerce transactions while keeping costs low, tokenization can expand beyond the world of payments.

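Vault-style tokenization as the post describes it (the PAN stays in one vault, every other system keeps a token that preserves only the last four digits), as an added example that is not Rambus's or the article's code; the key, sample card number and Luhn-failing token rule are assumptions of this example.

```python
import hmac
import secrets
from hashlib import sha256


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Constructed vault-style tokenizer for a primary account number (PAN).

    The token is random, keeps the PAN's length and last four digits (what
    receipts and support staff still need) and carries no other information
    about the card. Only the vault holds the PAN; every other system stores
    the token, which shrinks the data a business must protect.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key      # keyed index, so PANs cannot be brute-forced from it
        self._pan_by_token: dict[str, str] = {}
        self._token_by_mac: dict[str, str] = {}

    def _pan_mac(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        mac = self._pan_mac(pan)
        if mac in self._token_by_mac:      # a repeat card gets the same token, so analytics still work
            return self._token_by_mac[mac]
        while True:
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Redraw on collision or if the token is Luhn-valid: a token that fails Luhn
            # can never be mistaken for (or used as) a real card number.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_mac[mac] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the one component left in PCI scope) can do this."""
        return self._pan_by_token[token]
```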
  46. Tomi Engdahl says:

    In Modern Data Centers Security Must Take Center Stage
    https://www.securityweek.com/modern-data-centers-security-must-take-center-stage

    As Your Organization Modernizes the Data Center and Shifts to Cloud-based Environments, You Must Rethink Your Approach to Security

    Data centers are changing rapidly and how we protect them must as well. Auto manufacturers must allow an expansive ecosystem of partners access to proprietary designs and confidential data to ensure the latest makes and models land in dealerships as promised while protecting their competitive edge. Hospitals need to provide nurses, physicians, administrators, and patients with varying levels of access to information while keeping in mind regulatory and compliance issues. Financial institutions engaged in high-frequency trading need highly-available and highly-secure environments for compute-intensive workloads. State and local governments are now expected to provide all stakeholders – residents, law enforcement, social services, public works, etc. – with access to the information they need, and only what they need, when and where they need it.

    The technology advances behind these scenarios – virtualization, cloud, and software defined networking – are changing the scope and function of the modern data center. Data and workloads are constantly moving across multi-cloud and physical data centers and security policies must adjust in lock-step. DevOps teams are rolling out new application and services quickly. And there is a huge influx of data from big data analytics.

    As your organization modernizes the data center and shifts to cloud-based environments, you must rethink your approach to security, increasing visibility and control without compromising agility and performance.

  47. Tomi Engdahl says:

    Companies Have Little Control Over User Accounts and Sensitive Files: Study
    https://www.securityweek.com/companies-have-little-control-over-user-accounts-and-sensitive-files-study

    Lack of Control Over Sensitive Files Leaves Companies Open to GDPR Failure

    Security teams are urged to assume intruders are already on their networks. The quantity and frequency of data loss breaches lends credence to that assumption. The implication is that perimeter defenses are insufficient, and that sensitive data needs to be locked down as far as possible within the networks. A new study shows, however, that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network.

    Each year, New York, NY-based data protection and governance firm Varonis analyzes the results of its risk assessments on new and potential customers. Its 2018 Global Data Risk Report (PDF) contains the findings of 130 corporate risk analyses conducted during 2017. It looks for free-form data at risk from existing intruders and potential malicious insiders; and the process examined more than 6 billion individual files from 30 different industries across more than 50 countries.

    The results clearly show that companies are struggling to control sensitive data contained in free-form text documents. A common problem is leaving files open to global access groups. For example, 58% of companies have more than 100,000 folders open to everyone — and the bigger the company, the worse the problem. Eighty-eight percent of companies with more than 1 million folders have more than 100,000 open folders.

    The problem becomes more pressing when those files contain sensitive data — defined here as information subject to regulations such as GDPR, PCI, and HIPAA. The Varonis platform works by looking at both the structure of the network, and the content of the files. In this study it found that 41% of companies have more than 1,000 sensitive files open to everyone.

  48. Tomi Engdahl says:

    AWS Launches New Tools for Firewalls, Certificates, Credentials
    https://www.securityweek.com/aws-launches-new-tools-firewalls-certificates-credentials

    Amazon Web Services (AWS) announced on Wednesday the launch of several tools and services designed to help customers manage their firewalls, use private certificates, and safely store credentials.

    Private Certificate Authority

    One of the new services is called Private Certificate Authority (CA) and it’s part of the AWS Certificate Manager (ACM). The Private CA allows AWS customers to use private certificates without the need for specialized infrastructure.

    AWS Secrets Manager

    The new AWS Secrets Manager is designed to make it easier for users to store, distribute and rotate their secrets, including credentials, passwords and API keys. The storage and retrieval of secrets can be done via the API or the AWS Command Line Interface (CLI), while built-in or custom AWS Lambda functions provide the capabilities for rotating credentials.

    AWS Firewall Manager

    The new AWS Firewall Manager is designed to simplify administration of AWS WAF web application firewalls across multiple accounts and resources. Administrators can create policies and set up firewall rules and they are automatically applied to all applications, regardless of the region where they are hosted.

    Amazon EFS data encrypted in transit

    Amazon also announced that it has added support for encrypting data in transit for the Amazon Elastic File System (EFS), a file system designed for cloud applications that require shared access to file-based storage. Support for encrypting data at rest has already been available.

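The run-time credential lookup that both AWS Secrets Manager posts above describe (a small function that pulls the database credentials when it runs, so nothing is written into the source), as an added example that is not AWS's or the articles' code; it assumes the JSON key layout of the RDS rotation secrets and substitutes a constructed in-memory client for the real boto3 one so it runs offline.

```python
import json
from dataclasses import dataclass

REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")


@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str
    host: str
    port: int
    dbname: str

    def __repr__(self) -> str:   # keep the password out of logs and tracebacks
        return f"DbCredentials(user={self.username!r}, host={self.host}:{self.port}, db={self.dbname!r})"


def load_db_credentials(secrets_client, secret_id: str) -> DbCredentials:
    """Fetch DB credentials at run time rather than from the source tree.

    `secrets_client` needs get_secret_value(SecretId=...) as boto3's "secretsmanager"
    client has; the JSON key names follow the RDS rotation layout (assumed here).
    """
    response = secrets_client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in response:
        raise ValueError(f"secret {secret_id!r} is binary, expected a JSON string")
    try:
        data = json.loads(response["SecretString"])
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {secret_id!r} is not valid JSON") from exc
    missing = [key for key in REQUIRED_KEYS if key not in data]
    if missing:
        raise ValueError(f"secret {secret_id!r} is missing keys {missing}")
    return DbCredentials(str(data["username"]), str(data["password"]),
                         str(data["host"]), int(data["port"]), str(data["dbname"]))


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


# Constructed sample secret, stored as Secrets Manager would hold it. Against the real
# service this becomes: load_db_credentials(boto3.client("secretsmanager"), "prod/orders-db")
FAKE_CLIENT = FakeSecretsManager({"prod/orders-db": json.dumps(
    {"username": "app", "password": "s3cr3t", "host": "orders.example.internal",
     "port": 5432, "dbname": "orders"})})
```

Because the caller receives the credentials only at run time, rotating the secret in the service (which the articles note Secrets Manager does automatically) changes nothing in the application's code or environment.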
  49. Tomi Engdahl says:

    Improved Visibility a Top Priority for Security Analysts
    https://www.securityweek.com/improved-visibility-top-priority-security-analysts

    Security Analysts Require Improved Visibility as well as Improved Threat Detection

    Vendors listen to existing and potential customers to understand how to improve their products over time. At the smallest level, they use focus groups. At the largest level they employ market research firms to query thousands or more respondents from relevant employments and industry sectors. Some way in-between, they run their own relatively small-scale surveys primarily for their own benefit.

    This is what Boston, MA-based next-gen endpoint protection firm Barkly did, querying some 70 IT and security professionals to understand what mid-market users look for and are not currently getting from their endpoint security controls. Not surprisingly, 60% of the respondents say that adding to or improving protection is their top priority — possibly because 88% of them consider that there are types of attacks (for example, the growing practice of employing fileless attacks) that current security simply does not block.

    More surprising, however, is that 40% of the respondents prioritize improving forensic and response capabilities as their current top priority. This may partly be driven by the new breed of regulations — and in particular, GDPR — that demand increasingly rapid incident disclosure, and remediation of the breach vector to prevent repeats.

  50. Tomi Engdahl says:

    Need for leadership in cybersecurity
    https://www.aaltopro.fi/en/aalto-leaders-insight/2018/need-for-leadership-in-cybersecurity

    Things change – either through a crisis or leadership, with leadership being the best option of the two.

    This includes digital security and its development, whether done as risk management or to strengthen your competitive edge.

    “Clarifying and strengthening leadership is a key issue in realizing Finland’s cybersecurity vision.”

    We should ask “how can we strengthen trust?” rather than “how can we strengthen security?”
