Year 2017 was bad cybersecurity year, and it is expected new Cybersecurity Dangers Will Spike in 2018. Security situation was so bad in 2017 that it was though that We’re hitting rock bottom in cyber, but I fear that we have nit yet hit the bottom, and thing will still get worse until they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most businesses processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means, a company’s customers are exposed. 2o18 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.
Here is a list of relevant cyber security terms for 2018s:
AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use it for their various purposes.Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions cold possibly help on some of the security problems, but be warned of over-hyping of AI om solutions. We will see many attacks against ‘black box’ machine learning.
Artesanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: Endpoint, AV, Cloud, Network/Infrastructure, Application, Compliance, and the list goes on and on. There is an overwhelming array of choices has given technologists a lot to evaluate, they have not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.
Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.
Automation: Enterprises will now no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises.
Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.
Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.
Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be describes as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has been often hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as looming security risk and some see that authorized browser mining could be used for micro-payments.
Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.
Certificates: Facebook Releases New Certificate Transparency Tools that allows developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency Logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks.With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
Cloud: Organizations are responsible for ensuring the security of their data, regardless of where that data resides, oftentimes cloud security is still thought of as a different type of security. You Should Question Most Common Cloud Assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.
Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”
GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. Enforcement date is 25 May 2018 – at which time those organizations in non-compliance will face heavy fines (a fine up to 20000000 EUR or up to 4% of the annual worldwide turnover).The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay on issues like data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad. You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.
Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground.On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: Protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.
HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox will includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.
HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of end 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.
HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS was been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.
ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Identity Management Systems (SIEM), and Incident Management Systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations become more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.
Identify: When you have inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.
IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018.IPv& security is somewhat different than IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task so manage the network security at both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is no way dying. It seems that both of those technologies will co-exist in Internet for a long time., so the default network setting ion the future is the devices had IPv6 address, along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays by default configured like that – so it is possible that you are using IPv6 without knowing of that (if this is good or bad depends if you planned your network to work in this way or not).
Inventory:Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices.Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation.Security experts have always warned us that a network is only as secure as its weakest point. Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT system should be addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be going on the The Race for a Universal IoT Security Standard, but that does not get anywhere near ready on 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard. On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.
Mirai: Mirai trojan and it’s many variants have been threat to IoT devices and several Internet services in 2016 and 2017. In 2017 Mirai-makers plead guilty, but this isn’t the end for the now open-sourced Mirai. I expect that we see on 2018 new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.
Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.
Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. TAnd they need to be fixed. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
PSD2: EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We meed Consent Management Solutions.
Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware the worries cybersecurity experts.
Responsibility: People are starting to call companies to take responsibility. EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to be turned out to be at least partially wrong. Some people call that It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are nows societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives—where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities.
Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. When you have plan what to do, next the technology is an extremely important component of a security program. Focus on actual disease and not just the symptoms. The Best Security Doesn’t Exclude Users, it Empowers Them.
Supply chain: Keep eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.
Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?
Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. For many attempts the goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.
Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.
Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run - many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities.
Worms: Wormable malware. Some of the biggest cyber incidents in 2017 r evolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats likely to continue into 2018.
Sources:
Firefox, Chrome start calling HTTP connections insecure
Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead
Cybersecurity Dangers Will Spike in 2018
We’re hitting rock bottom in cyber — let’s do something | TechCrunch
Mirai-makers plead guilty, Hajime still lurks in shadows
DARPA Takes Chip Route to ‘Unhackable’ Computers
Another AI attack, this time against ‘black box’ machine learnings
General Data Protection Regulation (Wikipedia)
Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already
Miten GDPR pitää huomioida ohjelmistokehityksessä?
Seven Seas Cybersecurity: Captain, We Have a Problem
In the Words of President Ronald Reagan, “Trust but Verify”
Why You Should Question These Most Common Cloud Assumptions
It’s 2018. Do You Know Where Your Data Are?
Improved IoT Security Starts with Liability for Companies, Not Just Legislation
Smart Factory Connectivity for the Industrial IoT
The Race for a Universal IoT Security Standard
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.
Resolve to Mitigate Your Business’ Digital Risk in 2018
Emerging Trends in Vulnerability Management
Research reveals customer-facing web and mobile apps as top security challenge
Open Source Vulnerabilities: Are You Prepared to Run the Race?
Device Security for the Industrial Internet of Things
GDPR and Open Source: Best Practices
Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC
ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good
Threat Modeling the Internet of Things: Modeling Reaper
Engineering for Privacy Requires Standards
How to Make Adversaries Work Harder, While We Work Smarter, in 2018
2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices
Facebook Releases New Certificate Transparency Tools
iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
Open Source Vulnerabilities: Are You Prepared to Run the Race?
U.S. Military to Send Cyber Soldiers to the Battlefield
Machine Learning & Security: Making Users Part of the Equation
Security is Not a Technology Profession
Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018
636 Comments
Tomi Engdahl says:
Cybersecurity training still neglected by many employers
https://www.welivesecurity.com/2018/05/21/cybersecurity-training-still-neglected/
While training employees will not guarantee complete cyber safety for companies, it could go a long way to making workers more cyber-aware
When it comes to wrapping a chain of defensives around an organization’s information systems and the valuable data that they process, it is often said that “employees are the weakest link” in that chain. In fact, I am participating in a webinar this week titled: Cybersecurity Training in the Workplace – How to Fix Your Weakest Links (check here for more details).
But some people have argued that the “weak link” label is unfair to employees. In this article I will explain why they might be right, and then talk about the best way forward so we can all be strong links in the information security chain.
Whose fault is it that you didn’t know this?
Consider this scenario: an employee opens an email attachment despite a warning, displayed on their screen, that doing so is unsafe. If opening that attachment results in a malware infection that compromises the organization’s network, then management may see that employee as a weak link.
But what if that employee was not trained to heed those warnings? What if they were not aware of the very nasty consequences that such clicks can produce? You could argue that the lack of training and awareness is management’s fault, and therefore management is the weak link.
If you are wondering what the chances are that an employee in 2018 has received no cybersecurity training from their employer, I have an answer: based on the survey we ran earlier this month, the chances are a rather alarming one in three.
Standard of due care: if a cybersecurity incident at your organization results in any kind of lawsuit or insurance claim, it is pretty much inevitable that the question of how much cybersecurity training was provided to employees will come up. I am fairly certain that “none” fails the “reasonableness” test, meaning the organization will be judged to have taken less than due care to protect its systems.
Contract violation: many companies include cybersecurity-related training requirements in contracts with vendors.
Regulatory risk: organizations that don’t provide employees with cybersecurity training run the risk of sanctions and even fines under various laws and regulations. In America, these include HIPAA, PCI, and even state laws, like Massachusetts 201 Cmr 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.
Good news
Fortunately, there is some good news on the cost front: your organization can now get some free online cybersecurity training from multiple reputable sources. I say “some” because free training is typically not customized to your organization, and every organization should provide some cybersecurity training that is specific to its own needs.
Tomi Engdahl says:
Compliance is Not Synonymous With Security
https://www.securityweek.com/compliance-not-synonymous-security
While the upcoming GDPR compliance deadline will mark an unprecedented milestone in security, it should also serve as a crucial reminder that compliance does not equal security. Along with the clear benefits to be gained from upholding the standards enforced by GDPR, PCI DSS, HIPAA, and other regulatory bodies often comes a shift toward a more compliance-centric security approach. But regardless of industry or regulatory body, achieving and maintaining compliance should never be the end goal of any security program. Here’s why:
Compliance does not guarantee security
Compliance standards are not comprehensive
Threats evolve faster than compliance standards do
Despite the fact that compliance standards should be but one component of a larger security strategy, achieving and maintaining compliance remains a burdensome and resource-intensive process. Factors ranging from strict deadlines and implementation complexities to steep non-compliance penalties are why, for many organizations, adopting a compliance-centric security approach can seem like a reasonable and judicious decision. But above all else, it’s crucial to remember that while many compliance standards do provide clear and substantial security benefits, they are neither comprehensive nor flexible enough to serve as the sole focal point of an effective security program.
Tomi Engdahl says:
Identity Theft Statistics
https://www.pandasecurity.com/mediacenter/news/identity-theft-statistics/
Identity theft affects millions of people each year. According to a Harris Poll, nearly 60 million Americans have been affected by identity theft in 2017. However, what is even more shocking is only three in five adults who took the survey said they have ever looked at their credit report. Monitoring your credit report can help protect your finances from theft. Read on to learn the types of identity theft, identity theft statistics, and how to stay safe.
How Has Identity Theft Increased Substantially?
It is evident that the risk of identity theft is quite high and it is safe to save it will not be dropping anytime soon. This is mainly due to data breaches. Data breaches involve a company or other organization’s customer’s information including but not limited to Social Security numbers, addresses, credit card numbers, bank information and other personal information being accessed illegally.
According to the Identity Theft Resource Center (ITRC), there were 1,579 data breaches in 2017, exposing nearly 179 million records.
Another quite harmful data breach in the past few years was 2016’s Uber hack. Hackers stole data from 57 million Uber customers, and the company paid $100,000 to cover up the theft.
Who Are More Likely to Be Victims of Identity Theft?
According to War on Identity Theft, Americans are significantly more likely to be victims of identity theft than anyone other country in the world 143 million Americans faced an increased risk of identity theft after the Equifax hack stole a plethora of users’ private information. This was just one breach, with the total amount of identities stolen at 791 million in the U.S. in 2016 alone. France was the next largest amount of identities stolen, at 85 million identities total.
Another large market for identity theft is social media. Active social media users have a 30 percent higher risk of becoming victims because of their information reaching increased exposure. Specifically Facebook, Instagram, and Snapchat users face a 46 percent higher risk of account takeover than those who do not have these social accounts.
E-commerce shoppers are consistently exposing their financial information and have a higher risk of credit card fraud. 62 percent of these e-commerce shoppers made an online purchase within the past week. While they can be likely victims of identity theft, e-commerce shoppers are also quick to catch fraudulent activity, minimizing the damage. 78 percent of fraud victims within the e-commerce community detected fraud within one week.
Tomi Engdahl says:
Hacked Drupal Sites Deliver Miners, RATs, Scams
https://www.securityweek.com/hacked-drupal-sites-deliver-miners-rats-scams
The Drupal websites hacked by cybercriminals using the vulnerabilities known as Drupalgeddon2 and Drupalgeddon3 deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Two highly critical flaws were patched in recent months in the Drupal content management system (CMS). The security holes are tracked as CVE-2018-7600 and CVE-2018-7602, and they both allow remote code execution.
Tomi Engdahl says:
Two Vulnerabilities Patched in BIND DNS Software
https://www.securityweek.com/two-vulnerabilities-patched-bind-dns-software
Updates announced on Friday by the Internet Systems Consortium (ISC) for BIND, the most widely used Domain Name System (DNS) software, patch a couple of vulnerabilities.
One of the vulnerabilities, tracked as CVE-2018-5737, can allow a remote attacker to cause operational problems, including degradation of the service or a DoS condition.
The vulnerability impacts BIND 9.12.0 and 9.12.1 if the server is configured to allow recursion to clients and the max-stale-ttl parameter has a value other than zero. The issue has been patched in BIND 9.12.1-P2, but workarounds are also available.
The second flaw, CVE-2018-5736, is also remotely exploitable, but only if the attacker can trigger a zone transfer.
This vulnerability impacts BIND 9.12.0 and 9.12.1, and it has been patched in version 9.12.1-P1.
Tomi Engdahl says:
Dell Patches Vulnerability in Pre-installed SupportAssist Utility
https://www.securityweek.com/dell-patches-vulnerability-pre-installed-supportassist-utility
Dell Patches Local Privilege Escalation in SupportAssist
Dell recently addressed a local privilege escalation (LPE) vulnerability in SupportAssist, a tool pre-installed on most of all new Dell devices running Windows.
Tomi Engdahl says:
IT’s adult day care dilemma
https://it.toolbox.com/blogs/kevinbeaver/its-adult-day-care-dilemma-050718?mid=6158450&lgid=3441165&mailing_id=3843071&lpid=699&tfso=149898
Curious, malicious or otherwise careless users can create all sorts of information security-related issues in your business including:
· Malware infections that can install keylogging software, or worse, ransomware on your computers or allow your systems to be accessed and controlled by outsiders looking to attack others
· Exposed intellectual property which can negate the time, money and effort you’ve put into the legal side of protecting your business assets
· Compromised personally-identifiable information that can lead to compliance violations and subsequent legal problems
· Accessing illicit web sites that can create HR-related challenges such as sexual harassment that you might not be ready to take on
Here are four steps you can get started with, right now, to keep your computer systems in check:
1. Determine what information is where. Critical systems and sensitive information are everywhere across your network including on mobile devices and out in the cloud.
2. Understand how unprotected systems and information and your employees’ choices are putting your business at risk .
3. Do something to minimize your risks with technology, like documented policies and employee training that underscores why sensitive information need to be protected along with technical controls to keep it all in check.
4. Continually test your systems for new or previously-undiscovered weaknesses. Refine and repeat this process over time.
Tomi Engdahl says:
Your Account Has Been Attacked! Principles of FIDO and How Secured Hardware Tokens Can Protect Online Accounts
https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&partnerref=EETHOME&eventid=1668765&sessionid=1&key=45F207D1807C0A74AFE7EC2C4C950C4D®Tag=&sourcepage=register
Password-attacks of accounts are a persistent problem. This is a major concern not only for users and providers of services, but also for IT and Internet Security Officers.
hardware-based multifactor authentication using the FIDO (Fast IDentity Online) standard significantly improves protection while streamlining the user experience
Tomi Engdahl says:
Home> Community > Blogs > Measure of Things
The end of privacy demands transparency
https://www.edn.com/electronics-blogs/measure-of-things/4460669/The-end-of-privacy-demands-transparency
The Privacy Act of 1974 proscribes how federal agencies can acquire and use data that can identify you, personally identifiable information (PII). In addition to many other provisions, it requires government agencies to (quoting from the website FAQs):
Collect only information that is relevant and necessary to carry out an agency function.
Maintain no secret records on you.
Explain, at the time the information is being collected, why it is needed and how it will be used.
Ensure that the records are used only for the reasons given, or seek your permission when another purpose for their use is considered necessary or desirable.
Allow you to find out about disclosures of your records to other agencies and persons.”
We now know that the NSA broke this law and then hid their illegal acts by classifying the documentation. Perhaps I’m naïve, but I don’t think that covering up illegal acts is the purpose of classifying state secrets, at least not in the United States.
Tomi Engdahl says:
Attackers Hide in Plain Sight as Threat Hunting Lags: Report
https://www.securityweek.com/attackers-hide-plain-sight-threat-hunting-lags-report
ISO Survey Shows the Importance of Threat Hunting in the Finance Sector
The finance sector has one of the most robust cybersecurity postures in industry. It is heavily regulated, frequently attacked, and well-resourced — but not immune to cybercriminals. Ninety percent of financial institutions were targeted by ransomware alone in the past 12 months.
Endpoint protection firm Carbon Black surveyed the CISOs of 40 major financial institutions during April 2018 to understand how the finance sector is attacked and what concerns its defenders. Two things most stand out: nearly half (44%) of financial institutions are concerned about the security posture of their technology service providers (TSPs — the supply chain); and despite their resources, only 37% have established threat hunting teams.
Concern over the supply chain is not surprising. Cybercriminals are increasingly attacking third-parties (who may be less well-protected or have their own security issues) to gain access to the primary target. The Federal Deposit Insurance Corporation (FDIC) is also concerned about the supply chain, and has developed an examination process that includes reviewing public information about the TSPs and their software.
Tomi Engdahl says:
Best Practices in Securing DevOps
https://www.securityweek.com/best-practices-securing-devops
Unfortunately, DevOps security ― or DevSecOps as it is now called ― is often underrepresented for the following reasons:
● Most security professionals are not familiar with the commonly used tools in the DevOps pipeline; especially as it relates to their interoperability and automation capabilities;
● Most security professionals don’t know what containers are, let alone what their unique security challenges might be;
● Security is perceived as counterproductive to DevOps agility; and
● Today’s security infrastructure is still based on hardware designs, which often lag the concept of software-defined and programmability, which makes it challenging to incorporate security controls into the DevOps pipeline in an automated fashion.
While microservices and containers provide significant benefits, they also introduce unique new risks.
Tomi Engdahl says:
Cloud computing service model, control, and security risks
https://www.controleng.com/single-article/cloud-computing-service-model-control-and-security-risks/30ce1ae0c62543844d31e9a503e1d4bc.html
Cloud computing promises better and more efficient usage of resources and virtually unlimited scalability and greater flexibility, but they also carry a number of technical and business risks that manufacturers need to be aware of.
Cloud service model expectations
With cloud service models, each one has slightly different expectations in terms of controls and security risks related to critical data assets and software applications in the cloud.
Information as a service (IaaS): In terms of cloud service models, with IaaS model the CSP provides an underlying infrastructure (computational capabilities, storage, and network management) and the manufacturing organization uses these resources to manage its data and software applications. IaaS provides the greatest control over resources and triggers he least security risk for the manufacturing organization.
Platform as a service (PaaS): With the PaaS model, the CSP provides not only the infrastructure, but also the application development platform. The manufacturing organization has fewer infrastructure elements to manage, but still retains control over some system administration. This reduces the responsibility of the manufacturing organization, but translates into less control over resources, and thus higher security risk for the organization.
Software as a service (SaaS): Using the SaaS model, the CSP has total control over the infrastructure and development platforms, but also has control over administering the software applications. Even so, manufacturing organizations may still be responsible for securing the data produced by SaaS applications. Although this may help manufacturing organizations reduce costs and speed time to market, SaaS model is associated with least control over resources and the highest risk for the organization.
Tomi Engdahl says:
Personal privacy vs. public security: fight!
https://techcrunch.com/2018/05/06/personal-privacy-vs-public-security-fight/?sr_share=facebook&utm_source=tcfbpage
Personal privacy is a fairly new concept. Most people used to live in tight-knit communities, constantly enmeshed in each other’s lives. The notion that privacy is an important part of personal security is even newer, and often contested, while the need for public security — walls which must be guarded, doors which must be kept locked — is undisputed. Even anti-state anarchists concede the existence of violent enemies and monsters.
Rich people can afford their own high walls and closed doors. Privacy has long been a luxury, and it’s still often treated that way; a disposable asset, nice-to-have, not essential.
And so when technological security is treated as a trade-off between public security and privacy, as it almost always is these days, the primacy of the former is accepted. Consider the constant demands for “golden key” back doors so that governments can access encrypted phones which are “going dark.” Its opponents focus on the fact that such a system will inevitably be vulnerable to bad actors — hackers, stalkers, “evil maids.” Few dare suggest that, even if a perfect magical golden key with no vulnerabilities existed, one which could only be used by government officials within their official remit, the question of whether it should be implemented would still be morally complex.
Public security is essential; privacy is nice-to-have.
…Except.
…Except this dichotomy between “personal privacy” and “public security,” all too often promulgated by people who should know better, is completely false, a classic motte-and-bailey argument in bad faith. When we talk about “personal privacy” in the context of phone data, or license plate readers, or genetic data, or encrypted messaging, we’re not talking about anything even remotely like our instinctive human understanding of “privacy,” that of a luxury for the rich, inessential for people in healthy close-knit communities. Instead we’re talking about the collection and use of personal data at scale; governments and corporations accumulating massive amounts of highly personal information from billions of people.
This accumulation of data is, in and of itself, not a “personal privacy” issue, but a massive public security problem.
Cardinal Richelieu famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Imagine how much easier it gets if the establishment has access to everything
A third problem is that technology keeps getting better and better at manipulating the public based on their private data. Do you think ads are bad now? Once AIs start optimizing the advertising → behavior → data feedback loop, you may well like the ads you see
When accumulated private data can be used to manipulate public opinion on a massive scale, privacy is no longer a personal luxury.
Tomi Engdahl says:
Politico:
Investigation reveals US national security panel CFIUS lacks resources to vet all investment and M&A deals that give the Chinese access to cutting-edge US tech
How China acquires ‘the crown jewels’ of U.S. technology
https://www.politico.com/story/2018/05/22/china-us-tech-companies-cfius-572413
The U.S. fails to adequately police foreign deals for next-generation software that powers the military and American economic strength.
Tomi Engdahl says:
Oracle plans to dump risky Java serialization
https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.html
A “horrible mistake” from 1997, the Java object serialization capability for encoding objects has serious security issues
Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes. Used for lightweight persistence and communication via sockets or Java RMI, serialization also supports the reconstruction of an object graph from a stream.
Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.
To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability.
Tomi Engdahl says:
Trends 2018: Critical infrastructure attacks on the rise
https://www.welivesecurity.com/2018/05/30/trends-2018-critical-infrastructure-attacks/?
Healthcare sectors, critical manufacturing, food production and transportation also said to be targets for cybercriminals
Cyberthreats to critical infrastructure jumped into the headlines in 2017, starting with a Reuters report in January that a recent power outage in Ukraine “was a cyber-attack”. In last year’s Trends report we said that we expected infrastructure attacks to “continue to generate headlines and disrupt lives in 2017”. Sadly, we were right, and unfortunately, I have to say that the same trend is likely to continue in 2018 for reasons outlined in this update. It should be noted that critical infrastructure is more than just the power grid and includes the defense and healthcare sectors, critical manufacturing and food production, water, and transportation.
Tomi Engdahl says:
Cyber insurance: Is it worth the investment?
https://www.cio.com/article/3276658/cyber-attacks-espionage/cyber-insurance-is-it-worth-the-investment.html
While cyber liability insurance policies are complex and proving claims can be daunting, CIOs in the midmarket space agree access to resources provided in the policies make the investment worthwhile.
Last year, Aon Inpoint reported about 80 percent of buyers of stand-alone cyber premiums were medium-sized to large companies. However, smaller firms are increasingly assessing their cyber exposure risk as concerns about the potential impact of a cyber incident continue to rise.
“The majority of breaches worldwide occur at companies with 1,000 employees or less because they’re low-hanging fruit for hackers,” explained Ed McGuire, director of specialty insurance at FBinsure. “These companies have minimal IT staff and moderate budgets.”
Prior to this month’s long-anticipated GDPR laws going into effect, the healthcare, financial, and retail industries have been the most frequent targets for highly publicized cyber attacks. Nearly a third of global breaches occur in the healthcare field because patient data is so valuable, and fines for failing to disclose a known breach can climb well into the millions.
Tomi Engdahl says:
Companies urged to ensure supply chain security
By Anthony Spadafora 2018-06-05T15:08:22.155ZNews
The supply chain remains the weakest link for a majority of organisations.
https://www.itproportal.com/news/companies-urged-to-ensure-supply-chain-security/
New research from Citrix has revealed that large businesses in the UK are overlooking the cybersecurity resilience of external providers within their supply chain network which could leave them vulnerable to an attack.
The company’s recent poll surveyed 750 IT security decision makers in companies with 250 or more employees across the UK, to better understand their level of preparation for cyber-attacks. The research also explored whether businesses are conducting the necessary due diligence when assessing new suppliers.
Tomi Engdahl says:
Moving to the Public Cloud? Security Starts With You
https://www.securityweek.com/moving-public-cloud-security-starts-you
consider these three factors.
1. Security is a partnership. The cloud provider is typically responsible for the security of the cloud, and you are responsible for the security in the cloud. As the consumer and builder of applications that run in the cloud, you need to apply your own security smarts to that environment. For example, each provider brings a set of security capabilities that customers should take advantage of, including a significant amount of telemetry. This can include data about the administrators logged in, events they have undertaken to change the configuration of the environment, activity happening against your public APIs, and other network activity occurring within your environment. This telemetry is in the form of data feeds, not processed security insights. There’s valuable information you don’t want to miss, but making sense of it all can be a challenge. You need to focus your resources on understanding what’s hidden inside these data feeds, or you’ll fall short in your role as a partner.
2. Think also of compliance. Just because you’ve covered your security bases doesn’t mean you’re compliant. Compliance regimes have their own requirements outlined in a controls matrix that you measure against and report on periodically, demonstrating that the controls are working as expected. But when you try to apply a matrix developed for your private data center to the public cloud, the ways certain controls are realized no longer exist. The tools and processes have changed along with the underlying environment. Adding to the challenge, most organizations aren’t just using one public cloud but multiple public clouds. For every public cloud, you need to revisit your controls matrix and redefine how the control will be realized to ensure compliance.
3. Shadow IT is alive and well. The IT department isn’t the only group engaging in public cloud partnerships. Shadow IT remains prevalent today with business units establishing their own interface with public cloud providers. Often, once they’ve built the applications they need to help the business grow, they’ll turn the relationship over to IT to handle ongoing support, maintenance and, of course, security.
Tomi Engdahl says:
Real-Time Payments And How To Secure Them
How to combat fraud and manage account data faster and more safely.
https://semiengineering.com/real-time-payments-and-how-to-secure-them/
http://info.rambus.com/real-time-payments-and-how-to-secure-them
Tomi Engdahl says:
Battleships Over BGP
https://hackaday.com/2018/06/07/battleships-over-bgp/
The Border Gateway Protocol (BGP) is one of the foundations of the internet. It’s how the big routers that shift data around the Internet talk to each other, passing info on where they can send data to. It’s a simple protocol, with each router sending text messages that advertise the routes that they carry. The administrators of these routers create communities, each with an individual code, and this information is passed between routers. Most top-level ISPs don’t spread this data far, but [Ben Cox] realized that his ISP did. and that he could use this as an interesting way to transmit data over the Internet. What data to send? He decided to play battleships.
Playing battleships over BGP
https://blog.benjojo.co.uk/post/bgp-battleships
BGP is the glue of the internet. For a protocol that was produced on two napkins in 1989 it is both amazing and horrifying that it runs almost all of the ISP to ISP interactions and is now a very fundemental part of the internet.
BGP normally gets a bad rep, mainly because of its default trusting nature of peers, and the hard task of verifying a routes legitimacy. This is why we hear about BGP hijackings of varying severity from the whole of youtube to a section of all AWS Route 53 requests.
However to understand this, you also have to understand how the topology of the internet works.
A router isn’t much use if it cannot route anything
the globally accepted way to do this between ISPs is to setup BGP on both sides, and let the sides “announce” to each other what they can route
BGP also has a way to encode information with a route called communities.
Defined in RFC1997 (sadly written in 1996, so. close.) a community can be attached to a route announcement, and consists of a 32bit number.
After some testing, it appears that every tier 1 network strips communities except former Level 3 who carry communties from origin router to customer router.
Knowing that I could do “indirect communication” over BGP now, I wanted to somehow use this to conduct some non conventional communication.
Tomi Engdahl says:
What We’ve Got Here is Failure to Communicate!
https://www.securityweek.com/what-weve-got-here-failure-communicate
Many enterprises have been taking stock of their security architecture as well as assessing gaps and redundancies (see last month’s article Wading Through Tool Overload and Redundancy?). Sometimes it is the result of a post breach investigation, and the post investigation finger pointing. Sometimes it is due to new management taking stock of the company’s risk exposure. Sometimes it is a financially driven exercise to better understand budgets and bang for the buck. Regardless of the motivation, what many are finding is that they don’t really have an architecture so much as a bunch of disparate parts sitting in silos across the environment. Looking back at it all, CISOs may wonder how they got there, but hindsight is always 20/20.
The parts in question were likely procured with the best of intentions, to serve a purpose at some point in time, from the prevalent vendor in that space. It is a good practice to take a step back every now and then and refactor your environment, making sure the various technologies and processes are up to the current day’s challenges and those of the foreseeable future.
The typically fragmented “best of breed” security architecture of many large enterprises results in protective gaps, vendor management challenges and finger pointing. The gaps are not necessarily the result of going with the wrong tool or vendor in a space. The best point solutions will be hard pressed to protect the business in today’s complex, multi-channel mobile and cloud driven environment.
Tomi Engdahl says:
Right-Sized Security
Different strategies for different companies and markets.
https://semiengineering.com/right-sized-security/
Security is a key design consideration of any connected product. Nefarious parties can and will attempt to exploit security flaws in order to capture sensitive data, gain device control, or for a myriad of other reasons.
When considering security needs and implementation in their systems, Device OEMs must balance a number of factors. Security is obviously a very important factor; however, designers must also consider items like bill of material (BOM) targets, device size targets, and design complexity. Factoring in those choices, it is obvious that there is no one security implementation that is right for everyone.
Tomi Engdahl says:
Does cyber insurance make us more (or less) secure?
https://www.csoonline.com/article/3280990/security/does-cyber-insurance-make-us-more-or-less-secure.html
Underwriting cyber risk remains more art than science, but in the absence of regulation, cyber insurance might still be the best hope for improving cybersecurity practices across the board — at least for now.
If data is the new oil, then we’re looking at pelicans soaked in crude on a beach.
When an oil tanker goes down or an oil rig explodes, dumping millions of gallons of petroleum into the ocean, we clean up the spill, we look for first causes, and we hold the company — even individuals — responsible for the harm they’ve caused to a shared resource: the environment we all live in.
When a company like Equifax commits gross negligence for failing to secure our data, and a breach pumps 147.9 million records onto the internet, the company’s directors keep their jobs, their cyber insurance policy pays out, and the company posts a profit.
The Equifax breach harmed pretty much every adult in the U.S., and the company has yet to face any real consequences for its incompetence. Is this the future of cyber risk insurance — commit gross negligence and get away with it?
The moral hazard of cyber risk insurance
“Moral hazard” is the term insurance wonks use to discuss the misplaced incentives that insurance can create. It’s not a new problem; it has been a part of insurance underwriting since the days of sail.
The time-tested strategy by insurance carriers to limit moral hazard is to use insurance deductibles and co-pays, and to cap maximum payouts. That way the insured shares in the financial risk and is motivated to drive safely, to install smoke detectors, and to deploy strong cybersecurity controls in their enterprise.
The moral hazard of cyber insurance haunts boardrooms. The market remains in its infancy, and insurance carriers are still grappling with how to deal with this problem. Non-technical C-suite executives looking to manage cyber risk can and do fall into this trap. If you’re paying for insurance, why bother applying strong cybersecurity controls? It’s cheaper and easier to just hang out for the insurance payout and not bother doing the hard work of improving your security posture.
Tomi Engdahl says:
CISOs’ newest fear? Criminals with a big data strategy
Reg roundtable disses pen testers and security theatre
https://www.theregister.co.uk/2015/06/19/security_roundtable_may_2015/
On Target
Our IT execs happily admitted (under conditions of strict anonymity) that security theatre is now a vital part of their jobs, meaning that they unleash shock and awe to get the budgets they need to fight the battle that they know they will never actually win.
A lot of boards still think that security is a product, like a USB stick – or, worse still, an anti-virus tool like they use at home. Our IT execs were really quite scornful of the way that AV is over-sold to semi-technical management who regard installation as the job done. AV is necessary but the execs bemoaned the long time for updates as well as the hassle, which includes the way every couple of months some AV product decides that a Windows DLL is a virus and bricks the whole machine.
More than one of them questioned the sustainability of the traditional model, yet no new one is readily visible.
Tomi Engdahl says:
Industrial IoT: Protecting the Physical World from Cyber Attacks
https://www.securityweek.com/industrial-iot-protecting-physical-world-cyber-attacks
The convergence of industrial IoT and intelligent automation has been a boon for many enterprises, allowing machines to take on tasks that previous generations of automation could not handle. This shift mirrors the way that connected devices have transformed home life for many consumers. Companies are now able to automate tasks through a connected network spanning devices, applications and control systems. This includes things as simple as smart lighting in an office building to more industrial applications, like self-driving mining equipment or robotics.
Industrial IoT: More devices, more risks
Enterprises looking to streamline many aspects of day-to-day work including manufacturing, operations, and logistics are the ones driving adoption of industrial IoT technology. These implementations are becoming more common, even in unexpected ways. Something as simple as a smart light bulb, as mundane as an elevator, or as complex as a factory robot, may all be connected to the same network, yet under the covers can be hidden a small footprint Windows, Linux or other UNIX operating environment that must be protected. As industrial IoT continues to grow in the years to come, the types of deployments will be divided into two major categories:
● Fixed-function devices – Connected devices that exist on the outer edge of the typical IT purview, such as building components (cameras, lighting, locks, etc.) and collaboration tools (video conferencing, smart TVs, etc.).
● Operational Technology (OT/IIoT) – Industrial and operations technologies such as Supervisory Control and Data Acquisition systems (SCADA) and Distributed Control Systems (DCS) that run the business behind the scenes.
Consider the recent VPNFilter malware attack. According to reports, at least one million routers were infected with the VPNFilter malware, which allowed attackers to monitor traffic on infected devices or even remotely destroy them, cutting off internet access. That number continues to rise, as does the number of different routers that are vulnerable.
How to protect Industrial IoT Deployments
While the current state of IoT security leaves many longer-term concerns that must be addressed, there are ways businesses can protect themselves today. The first step to securing industrial IoT is simple – understand what is connected to your your network. There are so many different devices that can be connected, that it’s easy for even the simplest of things to fall through the cracks when you don’t know what is on your network, such as changing default passwords on new devices.
Next, it is important to harden environments that are running software for connected devices.
The operating system running connected devices should also be hardened through complete monitoring of everything including files, settings, events, logs and application behavior.
The benefits of an increasingly connected enterprise are clear, but so too are the risks. CISOs have spent time and money on data protection strategies, but now is the time to ensure they have a robust industrial IoT strategy that matches the investment being made on the business efficiencies these systems can introduce. While protecting data is absolutely critical, it’s equally important that all CISOs think about how to protect these industrial infrastructures, as not doing so can have catastrophic results.
Tomi Engdahl says:
Window Snyder Joins Intel as Chief Software Security Officer
https://www.securityweek.com/window-snyder-joins-intel-chief-software-security-officer
Intel on Monday announced that Window Snyder has joined the company’s Software and Services Group as chief software security officer, vice president and general manager of the Intel Platform Security Division.Window Snyder joins Intel
The decision, effective July 9, comes after Intel was forced to rethink its cybersecurity strategy following the disclosure of the Spectre and Meltdown vulnerabilities early this year, and less than one week after the chip giant announced the resignation of Brian Krzanich as CEO and member of the board of directors.
Tomi Engdahl says:
UK Publishes Minimum Cyber Security Standard for Government Departments
https://www.securityweek.com/uk-publishes-minimum-cyber-security-standard-government-departments
The UK government’s Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes ‘organizations, agencies, Arm’s Length Bodies and contractors’); but provides an excellent security checklist/framework for all commercial organizations.
It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover.
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/719067/25062018_Minimum_Cyber_Security_Standard_gov.uk__3_.pdf
Tomi Engdahl says:
The Next Big Cyber-Attack Vector: APIs
https://www.securityweek.com/next-big-cyber-attack-vector-apis
With cyber-attacks on enterprise networks becoming more sophisticated, organizations have stepped up perimeter security by investing in the latest firewall, data and endpoint protection, as well as intrusion prevention technologies. In response, hackers are moving to the path of least resistance and looking for new avenues to exploit. Many security experts believe the next wave of enterprise hacking will be carried out by exploiting Application Programming Interfaces (APIs).
In fact, cyber adversaries are already targeting APIs when planning their attacks. The data breach at Panera Bread is a good example. The bakery-café chain left an unauthenticated API endpoint exposed on its website, allowing anyone to view customer information such as username, email address, phone number, last four digits of the credit card, birthdate, etc. Ultimately, data belonging to more than 37 million customers was leaked over an eight-month period. This raises the question on how to minimize the growing cyber security risk associated with APIs without hampering the benefits they provide in terms of agile development and expanded functionality.
API usage in application development has become the new de facto standard, whereby developers take advantage of integrating functionality from third-party provided services rather than building all the capabilities they need from scratch. This allows for a more agile development process for new products and services.
Common attack methods being used to exploit APIs include:
● API Parameter Tampering – Hackers are often use this technique to either reverse engineer an API or gain further access to sensitive data.
● Session Cookie Tampering – These attacks attempt to exploit cookies in order to bypass security mechanisms or send false data to application servers.
● Man-in-the-Middle Attacks – By eavesdropping on an unencrypted connection between an API client and server, hackers can access sensitive data.
● Content Manipulation – By injecting malicious content (e.g., poisoning JSON Web tokens), exploits can be distributed and executed in the background.
● DDoS Attacks – Poorly written code can be used to consume computer resources by sending invalid input parameters, subsequently causing a disruption to the API-supported Web application.
take the following precautions:
1. Think Security
2. Apply Common Industry Security Best Practices and Standards
3. Monitor via API Gateway
When disparate APIs are stored in an applications code base, an API gateway can be used to monitor, analyze and throttle traffic to minimize the risk of DDoS attacks, and enforce preset security policies (e.g., authentication rules).
Tomi Engdahl says:
Demystifying the Dark Web and Mitigating Risks
https://www.securityweek.com/demystifying-dark-web-and-mitigating-risks
Monitoring a Variety of Data Dources is Important to Understand Threats, Vulnerabilities and How to Manage Risk
Threat modeling is an iterative process that needs to be updated whenever there are substantial changes to either assets or threats. Typically, the process consists of:
1. Defining an organization’s assets – critical business processes, high-value systems, intellectual property (IP), etc.
2. Identifying which systems comprise those assets – for example, databases, Enterprise Resource Planning (ERP) systems, and more.
3. Creating a security profile for each system – this includes which security controls are currently used to protect the identified software applications, such as, firewalls, Endpoint Detection and Response (EDR) systems, web proxies, etc. and which known vulnerabilities are present.
4. Identifying potential threats – hacktivists, cyber criminals, freelancers, nation states, a disgruntled employee, etc.
5. Prioritizing potential threats and documenting adverse events and the actions taken in each case – this is accomplished by working from known examples of documented attacks and internal risk concerns, and attempting to foresee what the organizational impact of particular threats could be.
With a threat model in place, you can match the highest severity risks to appropriate tactics, techniques and procedures (TTPs) of threat actors. This helps to target security controls and hardening measures – used for mitigation and remediation – that you need to put in place in your organization.
Tomi Engdahl says:
You Know You’re at Risk, Now What?
https://www.securityweek.com/you-know-youre-risk-now-what
Tomi Engdahl says:
Four common API vulnerabilities and how to prevent them
https://www.helpnetsecurity.com/2018/07/03/common-api-vulnerabilities/
Tomi Engdahl says:
Security Performance in the Cloud: Not All Solutions Are Created Equal
https://www.securityweek.com/security-performance-cloud-not-all-solutions-are-created-equal
An assumption made by many security professionals is that any performance differences between physical security devices are eliminated when those security software images are run on identical cloud hardware. But the truth is, there are still significant performance differences between solutions, and those differences can be critical both from a processing perspective as well as cost.
Because cloud performance is a baseline requirement for competing in the digital marketplace, organizations cannot afford for security to be a bottleneck. Transactions need to be inspected at digital speeds. Of course, elastic scalability helps eliminate such bottlenecks, which is why the cloud is such an ideal platform. But scalability comes at a cost. Spinning up additional firewalls unnecessarily, for example, can have a real impact on your cost of doing business.
Part of the challenge is that performance scaling is more complex than it might seem. For simplicity’s sake, let’s divide scalability into two functions: scaling out and scaling up.
Tomi Engdahl says:
UK Financial Authorities Publish Paper On Operational Resilience
https://www.securityweek.com/uk-financial-authorities-publish-paper-operational-resilience
UK Financial Authorities’ Paper on Resilience Potentially Silos Continuity from Data Protection
The Bank of England (BofE), the UK’s Prudential Regulation Authority (PRA), and the UK’s Financial Conduct Authority (FCA) — together known as the financial supervisory authorities — have jointly published a discussion paper (PDF) on building operational resilience into the financial sector. While cyber is a major risk, the concept is to build resilience to all risks including cyber.
Regulated firms, financial market infrastructures (FMIs), consumers, industry bodies, auditors, specialist third-party providers, professional advisors and other regulators are invited to comment on the paper by 5 October 2018. The paper notes that there is currently no global framework for resilience, and says that the authorities “will share our insights with the global regulatory community.”
https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/discussion-paper/2018/dp118.pdf
Tomi Engdahl says:
In Security, What We Don’t See Can Hurt Us
https://www.securityweek.com/security-what-we-dont-see-can-hurt-us
Tomi Engdahl says:
As Facial Recognition Use Grows, So Do Privacy Fears
https://www.securityweek.com/facial-recognition-use-grows-so-do-privacy-fears
The unique features of your face can allow you to unlock your new iPhone, access your bank account or even “smile to pay” for some goods and services.
The same technology, using algorithms generated by a facial scan, can allow law enforcement to find a wanted person in a crowd or match the image of someone in police custody to a database of known offenders.
Facial recognition came into play last month when a suspect arrested for a shooting at a newsroom in Annapolis, Maryland, refused to cooperate with police and could not immediately be identified using fingerprints.
Tomi Engdahl says:
Version 1.0
-
June 2018
1
Minimum Cyber Security Standard
This is the first technical standard that will be incorporated into the Government Functional Standard for Security once publishee
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/719067/25062018_Minimum_Cyber_Security_Standard_gov.uk__3_.pdf
Tomi Engdahl says:
MYTH: Cloud security means your organization’s data is well-protected.
FACT: You’re responsible for securing your data as it flows to and from the cloud.
AND: The data on cloud might not be as safe as you expect it to be according to cloud companty security sales talk. There are many ways you and cloud operators can mess up so that your data gets accidentally exposed to outsiders – many companies have put sensitive data to cloud without access control so that anyone can read them!
Tomi Engdahl says:
Why The IIoT Is Not Secure
Don’t blame the technology. This is a people problem.
https://semiengineering.com/iiot-security-puzzle-and-fragmented-market-solving-it/
The Internet of Things is famously insecure, but not because the technology to build it or secure it is immature. Likewise, severely insufficient security on the Industrial IoT suffers from a lack of will. Neither tech buyers nor providers have yet invested the same effort expended in other areas of the tech world to create and adopt steps that will make everyone safer, according to chipmakers and analysts.
“My evaluation of security in the IIoT? Zero,” said Richard Soley, executive director of the Industrial Internet Consortium (IIC), which issues IIoT guidelines, and chairman and CEO of the Object Management Group. “Nearly all implementations of the IIoT I’ve seen assume you’re going to build a wall around them and they won’t need extra security because the perimeter will keep any threats away. That’s nonsense. On the consumer Internet, 80% of breaches involve something inside the perimeter that breaks security, whether it’s malware, or a phishing call, or an insider you shouldn’t have trusted.”
This is especially unnerving because of how much is connected to the IIoT. No longer just about the IoT and connectivity to the factory floor, the IIoT has many use cases, from utilities and transportation to in-building systems, like HVAC and lighting.
“You hear a lot of horror stories,”
Facing the OT/IT divide
Many technical issues contribute to the fractured, uncoordinated nature of security in the IIoT market, but the focus and security habits of the end users responsible for the projects comes up in almost every discussion about it. Operational security staff just don’t seem to understand or believe in security risks in the same way IT staff and chipmakers do, according to Steve Hanna, senior principal in the U.S. for Germany-based Infineon Technologies.
The three heaviest contributors to IIoT spending in 2018, according to IDC, will be manufacturing ($189 billion), transportation ($85 billion), and utilities ($73 billion).
Traditional IT people deal with end users, wrestle with malware and infosec issues and go back to deal with more users, who are a consistent source of access for attackers. Phishing emails—lying to people via electronic text with no digital wizardry involved—accounted for 93% of social attacks and were involved in 98% of all incidents (successful or not) and 88% of financial pretexting attacks, according to the cybersecurity report of record Verizon’s “2017 Data Breach Investigations Report”.
Guidelines and standards—pick one and stick to it
There is plenty of information out there, and plenty of guidelines, from the IIC, NIST, IEC, ISO, Trusted Security Group, Cisco, IBM, the Dell-focused EdgeX Foundry, European Industrie 4.0, the Object Management Group, and IEEE.
“It’s not that we don’t have standards or guidelines, we have too many of both,” Hanna said. “What we don’t have is a way to consolidate on the best ones and get participation from security companies, for example, to help create the kind of integrated standards and support fabric that’s common in other areas.”
The problem with hardware
The devices themselves are also a problem. Unlike in the x86 world, every IIoT device is different.
Most are built to one degree or another on Arm Cortex microcontrollers or IP but are so heavily customized to accomplish the specific task required for the one project they were designed for that there is little resemblance or chance for interoperability among chipsets from different vendors.
Nearly all Arm microcontroller IP includes some degree of security – or at least the wiring that would make secure boot, encryption, authentication or fully functional PKI certificate management possible, according to Rob Coombs, director of business development for Arm’s IoT Device IP business.
To even get started, a security service needs three things:
The ability to access and activate security embedded by the silicon vendor;
An API or other method to allow a PaaS or other cloud service to link to and control the device;
A database with data outlining how to handle the other two steps—covering as wide a swath as possible of the chaotic horde of devices and chipsets making up the IoT.
The cloud service—or whatever application is providing the control—has to be able to communicate with the devices it controls. It also must keep them from communicating with unauthorized devices to reduce the chance of contracting Mirai or any other strain of malware, and build up a database of common behaviors to use as a template and quash any unusual activity.
Tomi Engdahl says:
Skills That a ‘Next-Level’ Pentester Should Have
https://threatpost.com/skills-that-a-next-level-pentester-should-have/134416/
Top tier penetration testers are a breed of their own. Here is how to make sure your pentester is topnotch.
The field of penetration testing has grown rapidly since the United States Department of Defense’s Tiger Teams first emerged on the computer scene. With that growth, we’ve seen different skill-sets, approaches and quality levels emerge among penetration-testing professionals.
The following skills provide a huge differentiation for professionals in this field.
Focus on Business Logic and Business Impact
You’ve Got to Show it to Get Management’s Attention (PoC)
Uncovering the Undocumented
The Sum of Vulnerabilities
Highly Personalized Toolset
Custom Payloads and N-days
Overall, these skills are imperative to make a penetration test the most impactful and meaningful for both parties. By demonstrating these skills, the tester will be successful over his or her own personal technical goals and will be able to shed light onto cardinal issues.
The list was pulled together based on my experiences as a long time penetration tester.
Tomi Engdahl says:
Why do enterprises take a long time to install vital security updates
https://www.helpnetsecurity.com/2018/08/24/install-vital-security-updates/
More than a quarter (27%) of enterprise IT departments in the US are forced to wait at least a month before installing vital security updates, due to budgetary restraints and overly complex infrastructures. That’s according to Kollective’s new ‘State of Software Delivery’ report which examines the software testing and distribution bottlenecks throughout large organizations.
The report incorporates research from 260 IT managers, leaders and decision makers and highlights how the network security of US businesses is failing to meet industry expectations. These failings are especially common among large organizations – with 45% of those with more than 100,000 computer terminals waiting at least a month before they install vital security updates.
Tomi Engdahl says:
The Difference Between Sandboxing, Honeypots & Security Deception
https://www.darkreading.com/endpoint/the-difference-between-sandboxing-honeypots-and-security-deception/a/d-id/1332663
A deep dive into the unique requirements and ideal use cases of three important prevention and analysis technologies.
Sandboxing
The need for the analysis of network traffic and programs has existed almost since the dawn of networks and third-party programs. Sandboxing, introduced in the 1970s for testing artificial intelligence applications, allows malware to install and run in an enclosed environment, where researchers can monitor their actions to identify potential risks and countermeasures. Today, effective sandboxing is most often performed on dedicated virtual machines on a virtual host. This allows for malware to be safely tested against multiple different OS versions on machines that are segregated from the network.
Honeypots
Honeypots and honeynets are deliberately vulnerable systems meant to draw the attention of attackers. Honeypots are single hosts that entice attackers to attempt to steal valuable data or further scope out the target network. The idea behind honey nets, which began to circulate in 1999, is to understand the process and strategy of attackers. Honeynets are made up of multiple honeypots, often configured to emulate an actual network — complete with a file server, a web server, etc. — so that attackers believe they’ve successfully infiltrated a network. Instead, they’re actually in an isolated environment, under a microscope.
Cyber Deception
The core idea of cyber deception was first discussed in 1989 by Gene Spafford of Purdue University. Some argue that it more or less refers to modern, dynamic honeypots and honeynets and, fundamentally, they are correct. Security deception is a new term and so the definition hasn’t yet been set in stone, but in general it refers to a range of more-advanced honeypot and honeynet products that offer more automation for both detection and the implementation of defenses based on the data they gather.
Tomi Engdahl says:
NIST’s New Advice on Medical IoT Devices
https://www.securityweek.com/nists-new-advice-medical-iot-devices
Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding threat surface being delivered by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if not properly secured could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion.
NIST has now responded to these concerns by publishing SP 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (PDF). NIST’s primary cybersecurity function is to develop standards and advice for federal agencies. Its 1800 Series, however, is a series of documents designed to present practical, usable, cybersecurity solutions to the cybersecurity community at large. Such documents do not describe regulations or mandatory practices, nor do they carry statutory authority.
SP 1800-8 applies “security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors. Ultimately,” it says, “we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.” It does this using standards-based, commercially available cybersecurity technologies that protect the entire HDO infrastructure.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-8.pdf
Tomi Engdahl says:
Cyber Risk = Business Risk. Time for the Business-Aligned CISO
https://www.securityweek.com/cyber-risk-business-risk-time-business-aligned-ciso
Data breaches, ransomware and other cyber attacks causing massive reputation issues (Equifax), knocking down merger prices (Yahoo!) or interrupting operations on a global scale (the NotPetya virus victims), have elevated cybersecurity concerns from the server room to the boardroom. To heighten these apprehensions more, regulators have also made it clear they’ll be looking hard at corporate disclosure of cyber incidents like the U.S. Securities and Exchange Commission (SEC), and protection of personal data like the EU’s GDPR – and they’re just getting started. Cyber risk now equals risk to the whole business.
This is now a great opportunity for CISOs and other cybersecurity professionals to graduate to board and C-level discussions and score the level of resources and support they’ve wanted for a while. It’s also a challenge that many infosec pros won’t be prepared for. Now that you’ve got the attention of business top brass, can you connect with them? Can you be a business-aligned CISO?
Let’s take a quick look at the view from the C-suite and the boardroom. Two key points to know about that atmosphere:
1. Cyber risk is just another cost of doing business — and they are watching many of them. Cybersecurity is not a special skunkworks. Sure, it’s a field that requires plenty of technical expertise but so do operations, finance, and other business units.
2. They are used to seeing risk presented as “loss exposure” in dollars. Whether it’s market risk, credit risk or other components of enterprise risk management, other business units can answer questions about probable losses as a range of dollar amounts. Against those numbers, decision makers can set a “risk appetite”, a level of exposure to loss that guides responses, such as investing in more controls, buying insurance, living with it, etc.
Tomi Engdahl says:
Weak Security Socializes Risk
https://www.securityweek.com/weak-security-socializes-risk
Rather than some technical development, I was recently intrigued by something more “social” in nature, specifically the important levels of trust so many companies place in one another. Even while on my recent (otherwise) blissful vacation, I couldn’t miss the news in the New York Times and here in SecurityWeek that a small company had exposed 157 GB’s of highly sensitive data from over 100 customers, including the likes of GM, Ford, Fiat Chrysler, Toyota, Volkswagen and Tesla. The exposed data trove included everything from assembly line schematics to employee VPN access information, along with the small company’s own corporate contracts, bank account details, and scans of employee passports and driver’s licenses.
Are you a trojan horse?
I’m not an economist and hardly qualified to weigh the overall costs and benefits of the accelerating interconnectedness of our modern and frequently “virtual” economy. However, I can speak with modest authority to one real and specific risk, which very obviously many businesses still must take to heart and more aggressively manage, namely the ability of a single company to cause significant damage to their vendors, customers, and partners by being the weakest cybersecurity link in whatever business ecosystem they inhabit.
Enabled by technology, and in a quest for speed and efficiency, companies grant access to corporate data and give access to all sorts of systems today with the expectation that their business partner won’t turn out to be a trojan horse, carrying hackers and their malware (and trojans…) into the heart of their business.
This is not a new problem, but anybody feeling complacent should understand that it is a growing one. As business models evolve with technology and the degree of economic interdependency keeps growing, so does the shared “supply chain risk.”
Socializing risk
The 25 percent growth year-to-year in the number of companies with access to sensitive information also deserves attention, and I connect this rate of growth in interdependency to the growing number of “supply chain hacks” in the headlines, where a small- or mid-size firm has found itself at the center of the uproar. Among the more famous ones, there was the Target hack via an HVAC vendor employee who received an email that was carrying a system password-stealing malware attachment, the Home Depot multi-stage attack which began with stolen vendor credentials, and the Wendy’s breach via a supplier with remote access to cash registers.
In each case (and hundreds of others), the cost of ineffectual security fell hard on someone other than the initial victim, a kind of modified “moral hazard” problem, where one pursues risky behavior because the consequences are diluted or even transferred elsewhere. I say “modified” because I’m certain the weak links in this chain weren’t being reckless, and I believe they also suffered consequences.
But I think there is something to be said for the idea that too many businesses today continue to “underthink” and underinvest in the necessary layers of security, and therefore are, deliberately or not, guilty of socializing their risk.
Tomi Engdahl says:
Industry Sharing Feeds, A Step in the Right Direction but Not Enough
https://www.securityweek.com/industry-sharing-feeds-step-right-direction-not-enough
Combining data from your health history, nutrient testing, your fitness apps, DNA and more, the objective is to ensure you’re taking a supplement that makes sense for you and helps you reach your goals. This move towards personalization is happening in many aspects of our lives. And when it comes to what is best for you from a security standpoint, the more personalized, the better also holds true.
Security professionals are slowly getting there; however, many of the conversations I’ve had recently are about industry sharing groups instead of focusing on what my specific organization needs. The first Information Sharing and Analysis Centers (ISACs) came on the scene about 20 years ago with the intent of helping organizations protect their infrastructure, employees and customers from cyberthreats targeting their specific industry. There are dozens of ISACs today including financial services, retail, energy, supply chain, you name it. If you can think of an industry there’s probably a corresponding ISAC.
Tomi Engdahl says:
No, eight characters, some capital letters and numbers is not a good password policy
Western Oz infosec audit report was shocking, but only ‘cos it made public
https://www.theregister.co.uk/2018/08/28/bad_passwords_never_go_out_of_fashion/
Security Insider threat
No, eight characters, some capital letters and numbers is not a good password policy
Western Oz infosec audit report was shocking, but only ‘cos it made public
By John E Dunn 28 Aug 2018 at 15:40
108 Reg comments SHARE ▼
Password
Internal cybersecurity audits rarely make it to the public domain, but when they do it’s often an eye-popping read.
Take the Western Australian (WA) Auditor General’s 2017 recent report on the state of user account security in an Aussie state which tends a mammoth 234,000 Active Directory (AD) accounts across 17 state agencies.
We reported the news here, but what are the deeper implications? Well, this isn’t a problem unique to the government of Western Australia.
Bad passwords are one of those problems that never goes out of fashion, and sure enough, 60,000 (26 per cent) of the state’s AD passwords were found to be somewhere between easily guessed and downright lamentable.
Among these, ‘Password123’ was in use by 1,464 accounts, ‘Project10’ by 994, ‘support’ by 866, ‘password1’ by 813, and ‘October2017’ by 226, to pick only the top five worst offenders in popularity order.
In one particularly epic fail, the auditors said they were able to remotely access a test environment for the agency’s web system using the password ‘Summer123’.
“We identified a significant amount of production data in this environment,”
Tomi Engdahl says:
Can Russian hackers be stopped? Here’s why it might take 20 years
https://www.techrepublic.com/article/can-russian-hackers-be-stopped-heres-why-it-might-take-20-years/
Deterring hackers is almost impossible when the rewards are so great and the risks are so low. Can anything stop them?
Tomi Engdahl says:
Free, easy to use, and available to anyone: The powerful malware hiding in plain sight on the open web
https://www.zdnet.com/article/free-easy-to-use-and-available-to-anyone-the-powerful-malware-hiding-in-plain-sight-on-the-open-web/
“When the Russian military is using free stuff, you know how good that stuff is.”
When people hear about a cyber attack or hacking campaign, they may picture a well-oiled machine that’s taken time, skills and resources to build.
They imagine underground forums on the dark web, where attackers can buy powerful malware and unleash it on their target of choice.
But what if having access to the funding and contacts necessary to deliver attacks with the power of state-backed campaigns wasn’t required?
In some cases, tools which can be used to conduct malicious cyber operations, ranging from espionage to taking down infrastructure, are freely available on the open web. Even state-backed operations have taken advantage of these free tools, as part of sophisticated cyber campaigns.
There are various sources for this code, which is commonly available on developer forums and from code repositories like GitHub. There are often messages stating that the code is for research purposes only, but that doesn’t stop it being used for malicious intent.
“There are things which aren’t malware in the strictest sense of the word, but post-exploitation tools, like Metasploit and Mimikatz which malware operators frequently use,” says Robert Lipovsky, senior malware researcher at ESET.
“These tools are so incredibly simple that once you download it from GitHub, you go into the configuration file and change things — it’s very easily customizable,” says Randi Eitzman, senior cyber threat analyst at FireEye. “They’re not having to pay anyone for these services, it’s already on the internet for them”.
There are even forums and tutorial videos that allow attackers with even the lowest level of knowledge to attempt to grab a piece of the pie — especially when cryptocurrency mining is involved.
Tomi Engdahl says:
Crowdsourcing the hunt for software bugs is a booming business—and a risky one
https://www.technologyreview.com/s/611892/crowdsourcing-the-hunt-for-software-bugs-is-a-booming-businessand-a-risky-one/
Freelance cybersleuths can help companies find flaws in their code. But the bug hunters could fall afoul of anti-hacking laws.
They are the Ubers of the digital security world. Instead of matching independent drivers with passengers, companies like Bugcrowd and HackerOne connect people who like to spend time searching for flaws in software with companies willing to pay them for bugs they find.
This cybersecurity gig economy has expanded to hundreds of thousands of hackers, many of whom have had some experience in the IT security industry.
Code cleaners
More and more large companies like GM, Microsoft, and Starbucks, are now running “bug bounty” programs that offer monetary rewards to those who spot and report bugs in their software. Platforms like Bugcrowd can help by alerting the hacking community to programs being launched, prioritizing bugs sent on to firms, and handling things like payments.
Moreover, at a time when experts are forecasting that 3.5 million cybersecurity jobs worldwide will be vacant by 2021 because there aren’t enough skilled workers, freelancers can ease some of the strain on internal teams.
Still, the platforms face a couple of big challenges. One is to keep expanding the pool of talented bug hunters. Another is to establish greater legal clarity about what tools and techniques ethical hackers can safely use. Popular tactics such as using injection attacks, which involve inserting code into software applications that could change the way the programs are executed, could potentially lead to prosecution under anti-hacking laws such as America’s Computer Fraud and Abuse Act (CFAA).
There have already been cases where security researchers and reporters have faced possible legal action for unearthing and reporting vulnerabilities in companies’ code. It would take only a couple of high-profile lawsuits to have a chilling effect on the industry.
Hacker uni
To address the talent challenge, the crowdsourcing platforms are publishing far more content to help hackers upgrade their skills and to attract more people to gig work.
Legal air cover
On the legal front, the platforms are pushing for more “safe harbor” language to be inserted in contracts governing bug bounties. The aim, says Adam Bacchus of HackerOne, is to get companies to be clear that if hackers follow the rules of engagement within reason, they won’t wind up being taken to court.
Bugcrowd has partnered with Amit Elazari, a security researcher whose work has highlighted the need for safe harbor language, to launch an initiative called disclose.io to create a standardized framework for finding and reporting bugs. This would provide explicit authorization for using bug-hunting techniques that would normally be clear violations of provisions in anti-hacking statutes.
Bugcrowd Launches Disclose.io Open-Source Vulnerability Disclosure Framework to Provide a Safe Harbor for White Hat Hackers
https://www.bugcrowd.com/press-release/bugcrowd-launches-disclose-io-open-source-vulnerability-disclosure-framework-to-provide-a-safe-harbor-for-white-hat-hackers/