Cyber security trends 2019

What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:

First I present a new information security term: Virtual Security = manufacturers claim that their products are secure, but in reality they are not.

With new APT groups and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non-trivial. Next-generation dark markets are making cybercrime easier than ever before.

Gartner expects the security market to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed 2018 in excess of $114 billion, marking a 12.4% increase from 2017.

A New Year’s Resolution: Security is Broken… Let’s Fix It. There are three strategies that show real promise for defending against tomorrow’s threats: Deploy Deception, Leverage Threat Intelligence, Think Proactively. Plan Now for Emerging Threats. Defending against these threats will require two things: the first is understanding the economic drivers of the criminal community, and the second is adopting strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.

Many organizations have learned that it’s no longer a matter of if you’ll face a cyberattack, but when – and when you will finally find out that the hack has happened. For example, Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense, one that applies to both corporations and consumers: assume you are compromised.

In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. To counter this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. It is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps… why aren’t you?

Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers actively scan those systems for vulnerabilities in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them – until it’s too late. Measure how good your security is. Data protection tools have been developed to measure the maturity of data protection practices in an organization.

CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?

How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in the digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof the social media profiles of your company or brands. Cybercriminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now more important than lurking in the shadows.

Today, cybersecurity is moving beyond financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft’s boss thinks that a cyber war cannot be won. High-impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for cyber attacks vary greatly between sectors; energy and finance are the most advanced. We should all keep in mind two things: the proliferation of cyberweapons is already happening, and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security.” It also seems that authoritarian forces are trying to claw back control and even re-purpose the web in ways that undermine democracy.

It would be good for a company to be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires that the company can detect the attack in the first place. A large coordinated attack could hit our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.

We need to build cyber resilience into our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” said Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”

Up to 350 million voters across the EU are expected to take to the polls in May 2019, to elect 705 Members of European Parliament (MEPs). With threat actors already meddling in the elections process in various countries, including in the United States, interference is expected in next year’s European process as well.

Did you remember to test the security? Every developer team should know how to code securely and how to test security. This kind of basic hygiene in information security creates the basis for genuinely sound applications. The basic things for a tester in terms of data security are user identification and access control, securing stability, encryption, firewalls, intrusion detection, and anonymization of information. All of these can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.

You will see many big data breaches also in 2019. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches; check, for example, the list of Biggest cyber security breaches 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been enough activity to considerably change the situation for the better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25, 2018.

How much will the first fines for GDPR infringement be? It remains to be seen in 2019 as sanctions for the big 2018 leaks start to appear. Infringement of the GDPR can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly been relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.

IoT malware and email hacks are on the rise again. Blackmail emails will unfortunately continue in 2019 and will become more innovative. In 2018 we first saw blackmail extortion emails claiming to have caught you watching porn, with the sender supposedly having infected your computer by hacking your account or placing malware. All sorts of variants exist. There was also a spammed bomb threat hoax that demanded Bitcoin. Then there was a new extortion email threatening to send a hitman unless you pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.

The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increases, the threat grows constantly. According to a Nokia report, IoT botnet operations accounted for 78 percent of malware detection events in communications service provider (CSP) networks in 2018.

Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks: the Constrained Application Protocol (CoAP) is about to become one of the most abused protocols in DDoS attacks. That is because most of today’s CoAP implementations forgo the hardened security modes for the “NoSec” security mode, which keeps the protocol light but also leaves it open to DDoS abuse.
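To make the NoSec problem concrete, here is an added example (my own illustration, not code from the original post or from any CoAP project): a minimal CoAP header parser with two defensive checks, an amplification-factor triage for a device or service owner, and an unsolicited-response check for a host whose address is being spoofed. All datagrams, the /.well-known/core listing and the 10x threshold are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

COAP_PORT = 5683                # coap:// in NoSec mode is plain UDP; coaps:// (DTLS) uses 5684
AMPLIFICATION_THRESHOLD = 10.0  # assumed triage threshold for this example, not from the post


@dataclass
class CoapHeader:
    version: int
    msg_type: int      # 0=CON, 1=NON, 2=ACK, 3=RST
    token_len: int
    code_class: int    # 0=request, 2=success, 4=client error, 5=server error
    code_detail: int
    message_id: int

    @property
    def is_request(self) -> bool:
        return self.code_class == 0 and self.code_detail != 0   # code 0.00 is an "empty" message

    @property
    def is_response(self) -> bool:
        return self.code_class in (2, 4, 5)


def parse_coap(datagram: bytes) -> CoapHeader:
    """Decode the fixed 4-byte CoAP header (RFC 7252); raises ValueError on malformed input."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than CoAP header")
    b0, code, mid = struct.unpack("!BBH", datagram[:4])
    version = b0 >> 6
    if version != 1:
        raise ValueError(f"unsupported CoAP version {version}")
    token_len = b0 & 0x0F
    if token_len > 8:
        raise ValueError("reserved token length")
    if len(datagram) < 4 + token_len:
        raise ValueError("datagram truncated inside token")
    return CoapHeader(version, (b0 >> 4) & 0x03, token_len, code >> 5, code & 0x1F, mid)


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes sent back per byte received; high values make a NoSec endpoint a useful reflector."""
    return len(response) / len(request)


def reflector_findings(pairs: Iterable[Tuple[bytes, bytes]]) -> List[str]:
    """Server-side check: request/response pairs whose amplification exceeds the threshold."""
    findings = []
    for req, resp in pairs:
        rh, sh = parse_coap(req), parse_coap(resp)
        if not (rh.is_request and sh.is_response):
            continue
        factor = amplification_factor(req, resp)
        if factor >= AMPLIFICATION_THRESHOLD:
            findings.append(f"mid=0x{rh.message_id:04x} code={sh.code_class}.{sh.code_detail:02d} factor={factor:.1f}")
    return findings


def unsolicited_responses(log: Iterable[Tuple[str, bytes]]) -> List[int]:
    """Victim-side check: message IDs of responses that answer no request we sent.
    `log` is a sequence of ("out" | "in", datagram) in arrival order."""
    outstanding = set()
    suspicious = []
    for direction, dgram in log:
        try:
            h = parse_coap(dgram)
        except ValueError:
            continue                      # not CoAP; ignored by this check
        if direction == "out" and h.is_request:
            outstanding.add(h.message_id)
        elif direction == "in" and h.is_response:
            if h.message_id in outstanding:
                outstanding.discard(h.message_id)
            else:
                suspicious.append(h.message_id)
    return suspicious


# Constructed sample traffic. A 21-byte CON GET for /.well-known/core (no token):
# Uri-Path is option number 11, so the first option byte is delta=11, length=11 (0xBB).
REQUEST = bytes([0x40, 0x01, 0x12, 0x34]) + b"\xBB.well-known" + b"\x04core"
# The 2.05 Content ACK carries a Content-Format option (12, value 40 = link-format),
# the 0xFF payload marker and a resource listing; the listing is made up for this example.
LINKS = ",".join(f'</sensor/{i}>;rt="temp";if="sensor"' for i in range(12)).encode()
RESPONSE = bytes([0x60, 0x45, 0x12, 0x34]) + b"\xC1\x28" + b"\xFF" + LINKS
# A response with a message ID this host never used: what a spoofed victim sees arriving.
SPOOFED = bytes([0x60, 0x45, 0x99, 0x99]) + b"\xFF" + b"x" * 50


if __name__ == "__main__":
    print(parse_coap(REQUEST))
    print("reflector:", reflector_findings([(REQUEST, RESPONSE)]))
    print("victim:", unsolicited_responses([("out", REQUEST), ("in", RESPONSE), ("in", SPOOFED)]))
```

Run against real traffic, the reflector check belongs on the CoAP server (or its operator's flow logs) and the unsolicited-response check on the host receiving the flood; the same parser serves both.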

The Mirai botnet has been active since 2016, and several of its followers are still active. Mirai malware has a strong record of infecting poorly managed IoT devices and performing DDoS attacks on various platforms. And you will not get rid of new variations of it in 2019. The latest example is Miori: With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Like Mirai, Miori takes advantage of Internet-connected devices and compromises them by exploiting various vulnerabilities, and it constantly evolves to target smart devices. Miori is just one of the many Mirai offshoots. There is another very similar variant called Shinoa.

Regulating cyber security features on networked devices seems to be on the rise. Germany proposes router security guidelines; it would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means fewer generic default credentials for a hacker to guess. In Finland, a security label created by FICORA’s Cybersecurity Center promises to make it easy for consumers to identify sufficiently secure devices in 2019.

Ransomware attacks will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer during 2018. There are a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.

The DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down DNS, and the landscape is growing more problematic. Hopefully it will get more robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” is that all domains hosted on poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take the time to address this issue BEFORE February 1st, 2019.
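As an added example (not from the original post, and not the Flag Day organisers’ own checker), here is a minimal EDNS probe in the spirit of the compliance tests: it builds plain and EDNS0 queries from raw bytes, reads the RCODE and OPT record out of a reply, and applies the flag-day rule that a timeout on an EDNS query is fatal. The FORMERR, missing-OPT and BADVERS checks are extra sanity checks of this example, the 1232-byte buffer size is an assumed value, and the sample replies are constructed.

```python
import socket
import struct
from typing import Optional

OPT_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
UDP_PAYLOAD = 1232     # advertised EDNS buffer size; an assumed, conservative value
RCODE_NOERROR, RCODE_FORMERR, RCODE_NOTIMP, RCODE_BADVERS = 0, 1, 4, 16


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txid: int, edns: bool, edns_version: int = 0, qtype: int = 1) -> bytes:
    """Wire-format query with RD set; with edns=True an OPT record goes in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b""
    if edns:
        # root name, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, UDP_PAYLOAD, 0, edns_version, 0, 0)
    return header + question + opt


def skip_name(data: bytes, pos: int) -> int:
    """Offset just past a (possibly compressed) domain name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract the (extended) RCODE and EDNS details from a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"txid": txid, "rcode": flags & 0x0F, "has_opt": False, "edns_version": None, "udp_size": None}
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == OPT_TYPE:
            info["has_opt"] = True
            info["udp_size"] = rclass
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["rcode"] |= (ttl >> 24) << 4        # upper 8 bits of the extended RCODE
        pos += 10 + rdlen
    return info


def classify(plain: Optional[bytes], edns: Optional[bytes], edns1: Optional[bytes]) -> str:
    """Triage three replies (None = timeout). The FAIL case is the flag-day rule;
    the WARN cases are this example's extra checks. `edns1` answers an EDNS
    version-1 query, which a compliant server rejects with BADVERS."""
    if plain is None:
        return "DEAD: no answer even to a plain query"
    if edns is None:
        return "FAIL: EDNS query times out; resolvers no longer retry without EDNS"
    e = parse_response(edns)
    if e["rcode"] in (RCODE_FORMERR, RCODE_NOTIMP):
        return f"WARN: EDNS rejected with RCODE {e['rcode']}; answers, but without EDNS features"
    if not e["has_opt"]:
        return "WARN: EDNS ignored (reply carries no OPT record)"
    if edns1 is None:
        return "WARN: EDNS version 1 query times out"
    if parse_response(edns1)["rcode"] != RCODE_BADVERS:
        return "WARN: unknown EDNS version not answered with BADVERS"
    return "OK: EDNS supported"


def probe(server: str, qname: str, timeout: float = 3.0) -> str:
    """Send the three queries to an authoritative server over UDP port 53 and classify."""
    replies = []
    for txid, kwargs in ((1, {"edns": False}), (2, {"edns": True}), (3, {"edns": True, "edns_version": 1})):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, txid, **kwargs), (server, 53))
            try:
                replies.append(s.recv(4096))
            except socket.timeout:
                replies.append(None)
    return classify(*replies)


def sample_reply(txid: int, rcode: int, with_opt: bool, ext_rcode: int = 0, answer: bool = True) -> bytes:
    """Constructed reply to an A query for example.com; not captured from any real server."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if answer else 0, 0, 1 if with_opt else 0)
    q = encode_name("example.com") + struct.pack("!HH", 1, 1)
    a = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])) if answer else b""
    opt = (b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, ext_rcode, 0, 0, 0)) if with_opt else b""
    return hdr + q + a + opt


if __name__ == "__main__":
    plain, ok, badvers = sample_reply(1, 0, False), sample_reply(2, 0, True), sample_reply(3, 0, True, ext_rcode=1)
    print(classify(plain, ok, badvers))
    print(classify(plain, None, None))
    print(classify(plain, sample_reply(2, RCODE_FORMERR, False, answer=False), None))
```

Only `probe()` touches the network; point it at each authoritative server for your own zones well before February 1st, and treat a FAIL as the case the post warns about.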

TLS 1.3 was published in August 2018. It had been over eight years since the last major encryption protocol update. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are more secure and faster than ever. With the OpenSSL 1.1.1 library, many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently from TLSv1.2, though, there are a few caveats that may impact a minority of applications. Add this to the list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.

Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended, but PHP 5 is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because the new PHP 7 is not fully compatible with the old PHP 5, many sites also need updates to their PHP code. If you can’t update the PHP version for some reason, special attention should be paid to the security of the server and its environment.

Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but Are You Using Them Securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing more on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.

The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked about in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and products: expert systems, machine learning, deep learning, and artificial intelligence are all represented, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems that Artificial Intelligence in Cybersecurity is Not Delivering on its Promise, at least not yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Also, cyber-criminals are starting to use AI to make better attacks.

Machine learning can reduce the usefulness of CAPTCHA. A machine learning model breaks the CAPTCHA systems on 33 highly visited websites very quickly.

Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and WannaCry affected several companies around the world. Olympic Destroyer affected the Olympic Games organization.

Old destructive attacks can persist for a long time. WannaCry is not dead when 2019 starts. Eighteen months after the initial outbreak of the WannaCry ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activated so the ransomware component does not activate, but the infection continues to run silently in the background, routinely connecting to the kill switch domain to check whether it is still live.

The Spectre and Meltdown vulnerabilities, found in 2017 and made public at the beginning of 2018, will continue. I have been following this saga since I first reported it in Finland in an on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixes, but numerous new vulnerability variations on the same theme have been reported over the year, the latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found on modern processors.

USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because they can cause serious disruption to process facilities through insecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.

The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses its value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Also, air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.

There are still major problems with cyber security in industrial systems. The major problems in industrial cyber security are inadequate software updates, the systems consequently left unupgraded, and shared user IDs used for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.

Perimeter-less security is hot in 2019. You can’t build well-defined perimeters around all of your systems anymore. Welcome to a World of Zero Trust. The Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.

Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.

Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.

Good database security planning is essential for protecting a company’s most important assets, because attackers who can shut a company out of its own data can quickly cripple the organization. Leaked data can also become costly, with the costs of the data leak itself, regulatory costs (including GDPR fines) and a bad reputation that can affect revenue for a long time.

Just at the end of 2018 there were reports on SQLite vulnerabilities. Magellan is a set of vulnerabilities in SQLite that could be used to achieve remote code execution in Chromium browsers (already fixed). These vulnerabilities can have a wide range of influence in 2019 because SQLite is widely used in all modern mainstream operating systems and software. There is potential that this Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports of attacks against many different systems, and of system users failing to secure their systems.

DevSecOps is having a positive impact on security, but the state of security still has a long way to go, as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET applications contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still be riddled with security vulnerabilities.

Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information, as well as potentially damaging the reputation of your business. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.

4 mobile security threats that companies must fight in 2019: cryptojacking, data breaches, insecure networks and social engineering attacks. Also, mobile spear phishing campaigns will form the cornerstone for targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite the 5G hype. I don’t expect the assault on mobile to slow down, as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.

Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation and hardware-backed security. There are also new protections for the Application Sandbox.

Ultrasonic tracking beacons are on the rise. An ultrasonic beacon is an inaudible sound with encoded data that a listening device with a suitable application can receive; the information carried could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.

PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application,” a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign of the well-known Emotet banking Trojan was spotted making use of freeware system tools for an obscure purpose.

Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allows users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for this new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.

It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.

Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security Threats. But do we understand the 5G security threats to come? Most probably not, because the general understanding of 5G seems pretty shallow in very many organizations. Many countries are not comfortable with the Chinese building their 5G networks.

Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is a potential risk that Surveillance Inhibits Freedom of Expression.

Old outdated encryption technologies refuse to die. MD5 and SHA-1 were still used in 2018 and their use does not seem to be ending in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.

Laws are trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep the Internet safe.

The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.

The use of bug bounty programs to find security vulnerabilities in software and services is increasing. In January, the EU starts running Bug Bounties on Free and Open Source Software: the European Commission will start offering bug bounties on 14 Free Software projects, like Notepad++ and VLC, that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program.

You might need a password manager in 2019 more than you need one now. If you thought passwords would soon be dead, think again. They’re here to stay – for now. Passwords are cumbersome and hard to remember, and sometimes they are easily hackable. Nobody likes passwords, but they’re a fact of life. How do you make them better? You need a password manager. Some examples of proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.

You might also need two-factor authentication, which can save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts, and it usually (when implemented well) only adds a few extra seconds to your day.

Two-factor authentication has been considered best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

Two-factor authentication can be hacked. Phishing attempts that bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. An interesting write-up about phishing attacks that bypass 2FA has been shared. If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account, as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to more robust methods.

Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc on your online life.



  1. Tomi Engdahl says:

    Six Steps to Segmentation in a Perimeterless World

    1. Define Objectives. Setting objectives and laying out a clear roadmap is the best path to a successful segmentation journey.

    2. Identify, Classify and Prioritize Assets. Working closely with key stakeholders, you’re now ready to define sets of assets and classify them by business impact, risk, function, and regulatory requirements. This classification is used to define security control capabilities and to help set priorities through clearly defined criteria.

    3. Gain Visibility to Support and Augment the Strategy. To validate your work from step two, you need visibility into actual traffic and devices to ensure you haven’t missed anything. This process includes considering the types of traffic of interest (North, South, East and West), all physical and virtual devices collecting traffic, where to gather data (WAN edge, Access Layer, Cloud), the best sources of data, and an analytics platform to monitor, analyze, and report on the information. With the right tools and processes you can identify actual devices within a segment and trusts or policy with other segments.

    Six Steps to Segmentation in a Perimeterless World, Part 2

    4. Technology Design and Policy Development. There are two aspects to a functioning segmentation solution: detailed technology designs and thoughtful segmentation policies.

    5. Validating Design and Policy. With a detailed technology design and segmentation policies in place, you are now ready to review the final deployment model against the original business objectives developed in step one. All key stakeholders should be included in the review and sign-off as this is the final point in the segmentation planning process to make major adjustments before deployment begins.

    6. Enforcement and Monitoring. The right approach to enforcement can ensure your policies are dynamic in nature and that your segmentation program is sustainable. A solution that provides enterprise-wide visibility into network traffic flow data across campus, data center, and cloud environments can assist in multiple ways. First, network traffic flow data can be used in combination with User and Entity Behavior Analytics (UEBA) and machine learning to create a baseline for the network and connected devices. By comparing observed network behavior derived from flow data to the defined policy, the solution can confirm if the deployed policies are in fact being enforced as expected. This accelerates the audit process and provides assurances that segmentation policies are effective at reducing the attack surface area and enterprise security risk. If policies are not operating as intended, or if new devices are discovered, the solution can also modify or create enforcement policy files and update enforcement platforms.
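As an added example (not from the article or any vendor’s product), a small Python checker that does what step 6 describes: it maps observed flow records onto the segments classified in step 2, compares them against the step 4 policy, and reports violations, devices outside any known segment, and policy entries that no flow has exercised. The segments, policy and flow lines are all constructed.

```python
import ipaddress

# Constructed asset classification (steps 2-3): each segment and its address space.
SEGMENTS = {
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),
    "app-tier": ipaddress.ip_network("10.20.0.0/24"),
    "db-tier": ipaddress.ip_network("10.30.0.0/24"),
    "ot-plant": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed segmentation policy (step 4): (source, destination) -> allowed
# destination ports. Pairs not listed, and listed pairs with an empty set, are
# denied. Traffic inside a single segment is out of scope for this check.
POLICY = {
    ("corp-users", "app-tier"): {443},
    ("app-tier", "db-tier"): {5432},
    ("corp-users", "ot-plant"): set(),   # written down explicitly: no path at all
}


def segment_of(ip: str):
    """Name of the segment an address belongs to, or None if it is unclassified."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> dict:
    """Parse one constructed flow-export line: src,dst,proto,dport,bytes."""
    src, dst, proto, dport, nbytes = line.strip().split(",")
    return {"src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def audit_flows(lines) -> dict:
    """Compare observed inter-segment flows with POLICY (step 6)."""
    report = {"violations": [], "unknown_devices": set(),
              "rules_not_exercised": set(POLICY)}
    for line in lines:
        f = parse_flow(line)
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        for ip, seg in ((f["src"], src_seg), (f["dst"], dst_seg)):
            if seg is None:
                report["unknown_devices"].add(ip)   # newly discovered device
        if src_seg is None or dst_seg is None or src_seg == dst_seg:
            continue
        if f["dport"] in POLICY.get((src_seg, dst_seg), set()):
            report["rules_not_exercised"].discard((src_seg, dst_seg))
        else:
            report["violations"].append(
                (f["src"], f["dst"], f["dport"], f"{src_seg}->{dst_seg}"))
    return report


# Constructed flow records in the shape a NetFlow/IPFIX collector might export.
FLOWS = [
    "10.10.4.7,10.20.0.12,tcp,443,18223",
    "10.20.0.12,10.30.0.5,tcp,5432,90211",
    "10.10.4.7,10.30.0.5,tcp,5432,4400",       # user host straight to the database
    "10.10.9.2,192.168.50.20,tcp,502,120",     # user host reaching into the OT segment
    "10.20.0.12,10.99.1.1,tcp,80,300",         # destination not in any classified segment
]

if __name__ == "__main__":
    for key, value in audit_flows(FLOWS).items():
        print(key, value)
```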

  2. Tomi Engdahl says:

    No Matter Where You Go in Cyberspace, Someone is Watching

    If you use a map application to get directions, now ‘they’ know where you are going; when you give a review on Yelp, now ‘they’ know where you’ve been.

    May I be the first to wish you a belated Happy Cyber Security Day! What? You didn’t know there was such a holiday? Yeah, me neither.

    From the “What-could-possibly-go-wrong?” department
    For example, the Japanese government has authorized the hacking of 200 million IoT devices. It seems the members of the Japanese technorati are no better at developing passwords than are their American counterparts, so — before the Olympics hits Tokyo in 2020 — they not only want to determine how vulnerable the public is, but they also want to make sure everyone knows.

    The National Institute of Information and Communications Technology (NICT) will begin the program in February with a trial run of 200 million webcams and modems. NICT employees will attempt to log into the devices using default account names and passwords. When they find a vulnerable device, the ISP and local authorities will be alerted so they can contact the device owner and give security recommendations.

  3. Tomi Engdahl says:

    Prepare to Defend Your Network Against Swarm-as-a-Service

    Swarm technology may be a game changer for the bad guys if organizations don’t change their tactics.

    The digital world we now inhabit creates unprecedented opportunities – both for good and for ill. One of these possibilities is swarm-based tools that can be used to either attack or defend the network.

    This possibility, or set of possibilities, has arisen due to dramatic advances in swarm-based intelligence and technologies. For example, a new methodology was announced by scientists in Hong Kong that uses natural swarm behaviors to control clusters of nano-robots. These micro-swarms can be directed to perform precise structural changes with a high degree of reconfigurability, such as extending, shrinking, splitting and merging.

    A potential upshot of these capabilities is the creation of large swarms of intelligent bots—swarmbots—that can operate collaboratively and autonomously. They are composed of clusters of compromised devices with specialized skillsets that can work collectively to solve problems, the commoditization of fuzzing—a process for discovering zero-day vulnerabilities in hardware and software interfaces and applications—and machine learning poisoning: training automated security devices to intentionally overlook certain threats.

    Currently, hackers-for-hire build custom exploits for a fee, and even new advances such as ransomware-as-a-service require black hat engineers to stand up different resources, such as building and testing exploits and managing back-end C2 servers.

    Criminal consumers could preselect different types of swarms to use in a custom attack, such as:

    Pre-programmed swarms that use machine learning to break into a device or network
    That perform AI fuzzing to detect Zero-Day exploit points
    Designed to move laterally across a network to expand the attack surface
    That can evade detection and/or collect and exfiltrate specific data targets
    Designed to cross the cyber/physical device divide to take control of a target’s physical as well as networked resources

  4. Tomi Engdahl says:

    Five things we learned about responding to cyber security incidents in 2018

    2018 was another big year in cyber security: data breaches continued to dominate headlines, hundreds of millions of consumer records were compromised, and the reputations of big-name brands were called into question over their preparation for and response to incidents. Spurred on by this and increasing regulation, cyber security became a top concern for CEOs and moved its way further up the boardroom agenda, resulting in a commitment from many organisations to invest more in cyber security.

    Here are five key lessons we learned about responding to cyber security breaches in 2018:

    1. Attackers are continuing to take advantage of organisations yet to master the “hard basics” of cyber security
    2. Organisations cannot always control when they will be breached, but they can control how they respond
    3. Time pressures for organisations to effectively respond to incidents are increasing while incidents become more complex
    4. Management and coordination of major incidents is a more significant challenge to organisations than technical analysis
    5. Outsourced service providers can be the key enabler, or the key barrier, to an effective incident response (and in some cases even the cause of the incident)

  5. Tomi Engdahl says:

    Introducing Adiantum: Encryption for the Next Billion Users

    Storage encryption protects your data if your phone falls into someone else’s hands. Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted. Today, Android offers storage encryption using the Advanced Encryption Standard (AES). Most new Android devices have hardware support for AES via the ARMv8 Cryptography Extensions. However, Android runs on a wide range of devices.

  6. Tomi Engdahl says:

    8 AWS Security Best Practices to Mitigate Risk

    There are a lot of benefits that come with having Amazon Web Services (AWS) as your cloud platform, alone or as part of a hybrid or multi-cloud environment. The agility and flexibility of AWS’s platform as a service (PaaS) and infrastructure as a service (IaaS) make it possible for your organization’s network to be responsive, innovative, and ready for change. But there are security considerations. Outlined below are these considerations, along with security best practices to help keep your AWS environment properly configured and secure.

    1. Visibility

    Cloud resources are ephemeral, which makes it difficult to keep track of assets.
    Best practice: Use a cloud security solution that provides visibility into the volume and types of resources (virtual machines, load balancers, security groups, users, etc.) across multiple cloud accounts and regions in a single pane of glass

    2. Exposed root accounts

    Your root accounts can do the most harm when unauthorized parties acquire access to them. Administrators often forget to disable root API access.
    Best practice: Root accounts must be protected by multi-factor authentication and used sparingly.

    3. IAM access keys

    IAM access keys are often not rotated. This weakens IAM’s ability to secure your user accounts and groups, giving cyber attackers a longer time window to acquire them.
    Best practice: Rotate or change your access keys at least once every 90 days.

    4. Authentication practices

    According to Verizon’s annual Data Breach Investigations Report, lost or stolen credentials are a leading cause of cloud security incidents. It is not uncommon to find access credentials to public cloud environments exposed on the internet. Organizations need a way to detect account compromises.
    Best practice: Strong password policies and multi-factor authentication (MFA) should be enforced in AWS environments.

    5. Access privileges

    AWS IAM can be deployed to manage all of your user accounts and groups, with policies and detailed permission options. Unfortunately, admins often assign overly permissive access to AWS resources.
    Best practice: Your configuration of IAM, like any user permission system, should comply with the principle of “least privilege.” That means any user or group should only have the permissions required to perform their job, and no more.

    6. Broad IP ranges for security groups and unrestricted outbound traffic

    Security groups are like a firewall that controls traffic to the AWS environment. Unfortunately, admins often assign security groups IP ranges that are broader than necessary. Research from Unit 42’s cloud research team found that 85% of resources associated with security groups don’t restrict outbound traffic at all.
    Best practice: Limit the IP ranges you assign to each security group in such a way that everything networks properly, but you aren’t leaving a lot more open than you’ll need.

    7. Audit history

    Organizations need oversight into user activities to reveal account compromises, insider threats, and other risks.
    Best Practice: AWS CloudTrail is a web service that provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It must be used. Enabling CloudTrail simplifies security analysis, resource change tracking, and troubleshooting.

    8. Unpatched hosts

    It is your responsibility to ensure the latest security patches have been applied to hosts within your AWS environment. Unit 42 provides insight into a related problem.
    Best practice: Make sure hosts are frequently patched and apply any necessary hotfixes that are released by your OEM vendors.
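As an added example (not code from the article or from AWS), a Python audit over a snapshot of an account that checks four of the practices above: root MFA (2), access keys older than 90 days (3), world-open security groups and unrestricted outbound rules (6), and CloudTrail presence (7). The snapshot is constructed; its dictionaries reuse the field names of the boto3 responses a real collector would read (`SummaryMap`, `SecurityGroups`, `trailList`, key metadata fields), while the per-user `AccessKeys` grouping is this example’s own.

```python
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90          # practice 3: rotate keys at least every 90 days
WEB_PORTS = {80, 443}          # world-reachable ingress tolerated only on these

# Fixed clock so the findings below are reproducible.
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)

# Constructed account snapshot; every value is made up for the example.
SNAPSHOT = {
    "SummaryMap": {"AccountMFAEnabled": 0},
    "AccessKeys": {
        "deploy-bot": [{"AccessKeyId": "AKIA0000000000EXAMPLE1", "Status": "Active",
                        "CreateDate": NOW - timedelta(days=400)}],
        "alice": [{"AccessKeyId": "AKIA0000000000EXAMPLE2", "Status": "Active",
                   "CreateDate": NOW - timedelta(days=20)},
                  {"AccessKeyId": "AKIA0000000000EXAMPLE3", "Status": "Inactive",
                   "CreateDate": NOW - timedelta(days=500)}],
    },
    "SecurityGroups": [
        {"GroupId": "sg-0web", "GroupName": "web",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1",
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0db", "GroupName": "db",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "trailList": [],
}


def stale_access_keys(snapshot, now=NOW, max_age_days=KEY_MAX_AGE_DAYS):
    """Active keys older than the rotation window (inactive keys are ignored)."""
    findings = []
    for user, keys in snapshot["AccessKeys"].items():
        for k in keys:
            age = (now - k["CreateDate"]).days
            if k["Status"] == "Active" and age > max_age_days:
                findings.append((user, k["AccessKeyId"], age))
    return findings


def root_mfa_missing(snapshot) -> bool:
    """Practice 2: AccountMFAEnabled reports whether the root user has MFA."""
    return snapshot["SummaryMap"].get("AccountMFAEnabled", 0) != 1


def _world_open(rule) -> bool:
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))


def security_group_findings(snapshot):
    """Practice 6: world-open ingress on non-web ports, and unrestricted egress."""
    findings = []
    for sg in snapshot["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            # Rules with IpProtocol "-1" carry no FromPort; they are flagged as well.
            if _world_open(rule) and rule.get("FromPort") not in WEB_PORTS:
                findings.append((sg["GroupId"], "ingress-open-to-world", rule.get("FromPort")))
        for rule in sg["IpPermissionsEgress"]:
            if _world_open(rule) and rule.get("IpProtocol") == "-1":
                findings.append((sg["GroupId"], "egress-unrestricted", None))
    return findings


def cloudtrail_missing(snapshot) -> bool:
    """Practice 7: at least one trail should exist."""
    return len(snapshot["trailList"]) == 0


def audit(snapshot, now=NOW) -> dict:
    return {
        "stale_keys": stale_access_keys(snapshot, now),
        "root_mfa_missing": root_mfa_missing(snapshot),
        "security_groups": security_group_findings(snapshot),
        "cloudtrail_missing": cloudtrail_missing(snapshot),
    }


if __name__ == "__main__":
    for check, result in audit(SNAPSHOT).items():
        print(f"{check}: {result}")
```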

  7. Tomi Engdahl says:

    DDoS Attacks in Q4 2018

    During the November 2017–November 2018 period, the number of devices using CoAP increased almost 100 times, which is a major cause for concern.

  8. Tomi Engdahl says:

    To Improve Critical Infrastructure Security, Bring IT and OT Together

    As connectivity in the industrial internet of things (IIoT) continues to accelerate, efforts to secure industrial control systems (ICSs) struggle to keep pace. While many ICS security conversations have involved endpoint security, improving the state of ICS security demands attention to more than just endpoints.

    Attacks on critical infrastructure systems are proliferating. Nearly half (41.2 percent) of ICS computers suffered a malicious software attack in H1 2018, according to Kaspersky Lab. Despite growing security concerns, traditionally air-gapped operational technology (OT) is increasingly being tasked with using internet-connected devices to improve operational processes, reduce costs and minimize downtime.

    Until security becomes a priority, industrial organizations will remain soft targets for threat actors.

  9. Tomi Engdahl says:

    I won’t bother hunting and reporting more Sony zero-days, because all I’d get is a lousy t-shirt
    It’s 2019. Should billion-dollar corps do better than offer swag for vulns?

    Hunting for exploitable security bugs in software is not an easy way to make a living, and vulnerability researchers say vendors who don’t pay out for reports are making life even harder while putting their own products at risk.

    Such was the case with João Figueiredo, a researcher in Brazil who tracked down and reported remote code execution vulnerabilities in two websites run by Sony and Sony Pictures. Those flaws were rated as a critical risk, and earned Figueiredo recognition on the hacktivity page of HackerOne, hired by Sony to handle its bug bounties.

    It could, however, have been an even bigger disclosure, with potentially more security holes in the entertainment giant’s systems reported, had Sony offered Figueiredo better incentives. With just a t-shirt up for grabs, though, he decided to leave it at two.

  10. Tomi Engdahl says:

    These are the five worst information security threats: the authority issued instructions for defending against them

    The National Cyber Security Centre (Kyberturvallisuuskeskus) listed the worst information security threats for private individuals.

    1. Credentials leak to criminals
    2. Beware of online scammers
    3. Poorly protected devices
    4. Be careful in the app store
    5. Protect yourself from data leaks

    The crook wants your bank credentials

  11. Tomi Engdahl says:


    Imagine it, a smart city, full of sensors and connected technology. Rules are not necessary, because the city controls itself. Garbage is collected when the bins are full, traffic lights set to give way to pedestrians – or a fast flow of cars during rush hour. Residents ask permission for an event from the rest of the residents via crowdsourcing. It may seem a bit far-fetched, but this is exactly what Sidewalk Labs, a subsidiary of Google, is going to build for $50 million in Toronto, Canada.

    “This is a dry run for a Google-city where democracy is a thing of the past. Who owns the data? And do users have anything to say about this? Do we want a society in which everything is automated?”

  12. Tomi Engdahl says:

    Justin Rohrlich / Quartz:
    Automatic license plate readers, once limited to law enforcement, are now being used by private citizens, raising fears of abuse and new legal, ethical issues

    In just two years, 9,000 of these cameras were installed to spy on your car

    The surveillance state is no longer limited to the state.

    For years, police departments have been tracking people’s cars with cameras that capture the license plate number of every vehicle that passes by. The Electronic Frontier Foundation, a San Francisco-based digital privacy nonprofit, has described the technology as “a form of mass surveillance.”

    Now, a new generation of tech firms has made it possible for private citizens to use the devices, known as automatic license plate readers, or ALPRs—without the strict oversight that governs this type of data collection by law enforcement.

    A 3,000% increase

    Automatic license plate readers, or ALPRs, have long been geared toward local, state, and federal law enforcement users. The systems can be mounted on utility poles, streetlights, overpasses, in police cars, even within traffic cones and digital speed display signs that show drivers how fast they’re going. Once a vehicle’s plate is photographed, and the date, time, and location are recorded, an algorithm checks it against a database of cars that cops are looking for.

    ALPRs can capture roughly 2,000 plates a minute, on vehicles traveling up to 120 miles per hour, casting an astonishingly wide net.

    Unlike traditional ALPR systems, which consist of professional-grade equipment priced beyond the reach of most civilians—and even some smaller police departments—the new setups rely on off-the-shelf security cameras.

    At least one company, OpenALPR, offers software for free, on Github. Anyone who downloads it can turn a single web-connected camera into an automatic license plate reader that can monitor traffic across a four-lane highway with 99% accuracy. (Customers pay between $49 and $995 monthly for optional cloud-based storage and analysis.)

    OpenALPR competitor PlateSmart Technologies, another company that markets ALPR systems to the general public, advertises various uses in security and “business intelligence,”

    Schools can also use the systems to control access to their campuses, and hospitals can track staff, visitors, and patients, PlateSmart tells prospective customers. Casinos can connect to law enforcement databases

    Ethical issues

    Unlike police and other law enforcement users of ALPR, private citizens are not beholden to constitutional protections barring unlawful search and seizure, or racial profiling, for example. Civilian users don’t have to worry about departmental review boards or internal affairs units watching over them, either.

    At least 16 states have statutes related to ALPR use and data retention, which civilians are required to follow. However, the states that do have rules don’t do a very good job of publicizing them. “It’s possible not a lot of users realize this when trying out the software,” says Dave Maass of the Electronic Frontier Foundation.

    The ALPR industry itself is not regulated—nothing currently prohibits ALPR companies from marketing their data—so the potential for misuse is high

  13. Tomi Engdahl says:

    Encrypted malware: a threat facilitated by the GDPR?

    One of the positive consequences of the increased concern for personal and corporate cybersecurity is the fact that Internet users are increasingly vigilant with their data and who they share it with. At the same time, online platforms have intensified their efforts to provide secure, private browsing in order to safeguard their and their users’ information.

    And this trend is on the up. According to the Global Internet Phenomena Report, written by Sandvine, even very conservative estimates suggest that over 50% of Internet traffic is encrypted. And more and more platforms are turning to end-to-end encryption to ensure that their communications are private.

    The GDPR encourages even more encryption

    In fact, beyond companies’ own willingness to encrypt their communications, there are two cases where the GDPR requires encryption: firstly, when it considers that there is a high risk that this data will be breached; secondly, when said organizations use this data for a different purpose than that expressed to the user when their data was requested. A lack of encryption, therefore, can mean that offending companies are infringing the GDPR (and thus facing the subsequent sanctions of up to €20 million or 4% of the company’s global annual turnover). But that’s not all; encryption can also be of help to these companies, since, if they were to suffer a cyberattack, they wouldn’t need to inform their users about it if their information is correctly encrypted and protected.

    A window for encrypted malware

    However, all of this has its downside; encrypted traffic is already becoming one of the largest niches for cybercrime: according to Ixia’s 2018 Security Report, cybercriminals are starting to carry out attacks in this kind of traffic. In fact, Gartner states that half of cyberattacks carried out in 2019 using malware will use some kind of encryption, while by 2020, the figure is set to rise to 70%.

    There are two particularly worrying things about encrypted malware: the first is the fact that it can be found on platforms that have encrypted traffic; this means that users, believing themselves to be safe, let their guard down, trust the platform, and thus become more vulnerable. The second is the fact that this malicious software can hide its true nature, meaning that some cybersecurity systems do not detect it until it is too late.

    How to avoid encrypted malware attacks

    If a company wants to avoid attacks that use encrypted malware, they need to follow a series of measures that will keep their corporate cybersecurity safe:

    1.- Vigilant browsing. When employees are browsing the Internet, they must exercise caution,
    2.- Monitoring of processes. Since encrypted malware has the ability to slip past some traditional protection solutions, being able to constantly monitor everything that is happening on the system is more important than ever.
    3.- Offline backups and online files. There are ever more companies that, when it comes to safeguarding their information, choose to double up: firstly by storing a large part of their information in the cloud, so that their physical devices are not affected in case of infection. Secondly, by storing secure backups offline, to keep them from being affected by a possible a posteriori infection.

  14. Tomi Engdahl says:

    Microsoft: 70 percent of all security bugs are memory safety issues

    Percentage of memory safety issues has been hovering at 70 percent for the past 12 years.

  15. Tomi Engdahl says:

    Threatpost Poll: Over Half of Firms Asked Struggle with Mobile Security

    A Threatpost poll found that 52 percent don’t feel prepared to prevent a mobile security incident from happening. The results reflect a challenging mobile security landscape.

  16. Tomi Engdahl says:

    Threatpost Poll: Is It Impossible to Secure Mobile Devices?

    From spyware to leaky apps, mobile devices are facing a heightened level of threats. Are we prepared to secure them?

    Between applications and operating systems, a slew of mobile threats continue to pop up – and when it comes to security, it’s getting harder and harder for enterprises to keep up.

    Just in the past week, Apple patched a massive flaw in its FaceTime allowing a bad actor to eavesdrop on victims; while a malicious app that aimed to steal cryptocurrency from users was removed from Google’s official Android App Store.

    Are enterprise companies prepared to take on this onslaught of security threats as the workforce becomes increasingly dependent on mobile devices?

  17. Tomi Engdahl says:

    A cyberattack can paralyse a hospital – examples can already be found in Finland too

    Malware slipped into an information system, a denial-of-service attack, hacking. Those are a few of the external threats that hospitals, too, must prepare for.

  18. Tomi Engdahl says:

    Botnets: weapons in the telecommunications war

    The consequences of this kind of attack

    When a company experiences a botnet attack, the possible consequences that it can experience are:

    1.- Network outage. Bots can be programmed to massively launch an endless number of requests to a website, making it crash via a distributed denial of service attack (DDoS). This is what happened to Liberia’s network. And we need look no further than the 2018 cyberattack on the University of Edinburgh website to find another example.

    2.- Network infections. A botnet attack might not simply target a company’s website; it may go directly for its IT systems. This way, the attack can have several points of entry to the same system, although having more than one isn’t necessary: if it manages to get into just one (the computer of an employee who downloaded a malicious attachment from an email, for example), the bot could begin to automatically infect the rest of the endpoints connected to the same network, fully compromising the company’s corporate cybersecurity.

    3.- Theft of information. If a cybercriminal manages to infiltrate a company’s IT system, they may be able to gain access to confidential material and documents. But, worse still, they may also be able to steal this information and distribute it to third parties, thus endangering the company’s business.

    4.- Theft of resources. In the last few years, as a direct result of the cryptocurrency boom, there have been more and more cybercriminals who turn to botnets to force a company’s computers to dedicate part of their resources to cryptomining.

  19. Tomi Engdahl says:

    Cyberinsurance and Acts of War

    I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International’s claim of $100 million in damages from NotPetya. It claims it is an act of war and therefore not covered. Mondelez is suing.

  20. Tomi Engdahl says:

    The perils of using Internet Explorer as your default browser

    From time to time, I am asked by customers, “How do I ensure that all web traffic goes to Internet Explorer?” In fact, I was recently asked this question by someone trying to help a hospital. Now, I understand the scenario. In healthcare (as in many other industries), it’s often the case that you’re running with an extremely thin team. As a result, it can seem that using Internet Explorer by default for all situations is the “easy button” because, well, most of your sites were designed for Internet Explorer, so…just…always use it, ok?

    In short, this seems like a deliberate decision to take on some technical debt. It’s true that most organizations have some technical debt lying around. (For example, if you’ve disabled User Account Control, require a 32-bit OS or 32-bit Office suite, or are paying for extended support for a legacy version of Java, you have some technical debt.) But this technical debt? Well, it’s different.

  21. Tomi Engdahl says:

    These Are the Top Cybersecurity Threats to Watch
    BU cybersecurity expert talks about what the US should do to protect our data privacy

  22. Tomi Engdahl says:

    Google’s head of internet security says businesses should ignore cyber scare tactics and learn from history

    In an exclusive conversation with CNBC, Google’s head of security and privacy says businesses have more to learn about their own insecurity from the history of cybersecurity than from frightening headlines or scary pitch decks from vendors.
    Heather Adkins has served in a top privacy and security spot at Google for 16 years.

  23. Tomi Engdahl says:

    Introducing Adiantum: Encryption for the Next Billion Users
    February 7, 2019

    Storage encryption protects your data if your phone falls into someone else’s hands. Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted. Today, Android offers storage encryption using the Advanced Encryption Standard (AES). Most new Android devices have hardware support for AES via the ARMv8 Cryptography Extensions. However, Android runs on a wide range of devices. This includes not just the latest flagship and mid-range phones, but also entry-level Android Go phones sold primarily in developing countries, along with smart watches and TVs. In order to offer low cost options, device manufacturers sometimes use low-end processors such as the ARM Cortex-A7, which does not have hardware support for AES. On these devices, AES is so slow that it would result in a poor user experience;

    In HTTPS encryption, this is a solved problem. The ChaCha20 stream cipher is much faster than AES when hardware acceleration is unavailable, while also being extremely secure. It is fast because it exclusively relies on operations that all CPUs natively support: additions, rotations, and XORs.

    For this reason, in 2014 Google selected ChaCha20 along with the Poly1305 authenticator, which is also fast in software, for a new TLS cipher suite to secure HTTPS internet connections. ChaCha20-Poly1305 has been standardized as RFC7539, and it greatly improves HTTPS performance on devices that lack AES instructions.

  24. Tomi Engdahl says:

    Crypto Mining, Mobile Malware Are Growing Cyber Security Threats

    A Check Point Software survey found that crypto mining and mobile malware, among other threats, are growing–in number and sophistication.

  25. Tomi Engdahl says:

    Bashe: the hypothetical $193 billion ransomware attack

    Around the world, hundreds of thousands of employees in thousands of companies receive an email from the company’s payroll department. It contains a PDF attachment with the details of the employees’ end of year bonuses. Some, the more cautious among them, delete the email, sensing that it could be a phishing attack. Others open the attachment, and release the worst cyberattack in history. 43% of the world’s devices are affected, all of their files encrypted. The cost of this attack reaches a staggering $85 billion.

  26. Tomi Engdahl says:

    Don’t Search for a Needle in a Haystack: Use Cases for Threat Intelligence

  27. Tomi Engdahl says:

    Security Professionals Win When They Can Master Risk Communications

    Demonstrating Effective Communication is a Foundation for Effective Security Operations

  28. Tomi Engdahl says:

    Hackers Can Turn Sex Robots Into Killing Machines, Security Expert Warns

    According to Nicholas Patterson, a cybersecurity lecturer at Deakin University in Melbourne, Australia, humanoid sex robots that have recently hit the market could potentially be hacked and turned into killing machines.

    Patterson gave this warning in a string of interviews with various UK publications


