Cyber security trends for 2018

2017 was a bad cybersecurity year, and it is expected that Cybersecurity Dangers Will Spike in 2018. The security situation was so bad in 2017 that some thought We’re hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed; it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facility operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.

Here is a list of relevant cyber security terms for 2018:

AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. The threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions could possibly help with some of the security problems, but be warned of the over-hyping of AI in solutions. We will see many attacks against ‘black box’ machine learning.

Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: Endpoint, AV, Cloud, Network/Infrastructure, Application, Compliance, and the list goes on and on. While the overwhelming array of choices has given technologists a lot to evaluate, these tools have not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than on simply checking all of the boxes with niche security tools.

Attacks: The threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

Automation: Enterprises will no longer merely react manually to cyber events after they happen but will instead use systems to plan proactively and respond automatically. Security policy orchestration and automation are expected to lead next-generation cybersecurity for enterprises.

Backups: Understand and back up your data. Categorize data based on organizational value. Test that your backup and restore process works.

Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore vulnerable. A second could be to consider investing in a network visibility solution. Behavioral analytics enables verification that users are doing the right thing. There are more and more tools to help companies detect anomalous behavior in their organizations.

Blockchain: A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need for a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community-based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as a looming security risk and some see that authorized browser mining could be used for micro-payments.
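To make the definition above concrete, here is an added example (not code from the original post) of a hash-linked ledger in Python; the block layout, the sample transfers and the fixed timestamps are constructed for illustration:

```python
"""Minimal hash-linked ledger (an added example, not code from the original post).
Each block commits to the SHA-256 hash of its predecessor, which is what
"linked and secured using cryptography" means in practice: altering any
earlier record breaks every link after it, and verify_chain() detects it."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_PREV = "0" * 64   # the first block points at an all-zero hash


@dataclass
class Block:
    index: int
    prev_hash: str        # hex SHA-256 of the previous block
    records: list         # the transactions/records stored in this block
    timestamp: float
    hash: str = field(default="")

    def compute_hash(self) -> str:
        # Canonical JSON so identical content always hashes identically.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "records": self.records, "timestamp": self.timestamp},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(batches, start_time=1514764800.0):
    """Append one block per batch of records. A fixed start_time (constructed)
    keeps the example deterministic."""
    chain, prev = [], GENESIS_PREV
    for i, batch in enumerate(batches):
        blk = Block(i, prev, list(batch), start_time + i)
        blk.hash = blk.compute_hash()
        chain.append(blk)
        prev = blk.hash
    return chain


def verify_chain(chain):
    """Return (ok, first_bad_index). A block is bad if its stored hash no longer
    matches its content, or if it does not point at its predecessor's real hash."""
    prev = GENESIS_PREV
    for blk in chain:
        if blk.hash != blk.compute_hash() or blk.prev_hash != prev:
            return False, blk.index
        prev = blk.hash
    return True, None


def tamper_demo():
    """Constructed transfers; returns the verification result before tampering,
    after editing block 1, and after the editor also recomputes block 1's hash."""
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
        [{"from": "carol", "to": "alice", "amount": 1}],
    ])
    before = verify_chain(chain)
    chain[1].records[0]["amount"] = 200          # rewrite history in block 1
    after_edit = verify_chain(chain)             # block 1's hash no longer matches
    chain[1].hash = chain[1].compute_hash()      # editor "fixes" block 1 ...
    after_rehash = verify_chain(chain)           # ... but block 2 still points at the old hash
    return before, after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

The last step is the point of the linkage: repairing one block only moves the detected break to the next block, so the whole tail of the chain would have to be rewritten.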

Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.

Certificates: Facebook has released new Certificate Transparency tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool is meant to ensure that newly issued certificates that have been logged to Certificate Transparency logs (CT logs) aren’t misused to perform man-in-the-middle attacks. With hundreds of Certificate Authorities (CAs) issuing publicly trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly trusted TLS certificates.
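As an added example (not the original post's code and not Facebook's tool) of what such a CT monitor does at its core, the following Python walks constructed log entries and alerts on certificates for our domains that we did not request; the entry format, the domains, the fingerprints and the CA names are this example's own assumptions:

```python
"""Core of a Certificate Transparency monitor (an added example; not the
original post's code and not Facebook's tool). It walks CT log entries,
constructed here as plain dicts in this example's own format rather than a
real log's encoding, and alerts on any certificate that covers a domain we own
but that we did not request ourselves."""
from dataclasses import dataclass

# Domains we own and watch (constructed).
MONITORED = {"example.com"}
# Fingerprints of certificates we requested ourselves (constructed placeholders).
KNOWN_FINGERPRINTS = {"fp-known-1", "fp-known-2"}
# CAs we actually use (constructed).
EXPECTED_ISSUERS = {"Example Trusted CA"}


@dataclass(frozen=True)
class Alert:
    fingerprint: str
    issuer: str
    matched_name: str
    reason: str


def in_scope(san: str, domain: str) -> bool:
    """True if the certificate name covers `domain` or any of its subdomains.
    A wildcard like *.example.com is in scope; a look-alike such as
    example.com.evil.test or evil-example.com is not."""
    name = san.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def scan_log(entries, monitored=MONITORED, known=KNOWN_FINGERPRINTS,
             issuers=EXPECTED_ISSUERS):
    """Return one Alert per logged certificate for our domains that is not
    in our own inventory; an unexpected issuer is flagged separately, since
    that is the mis-issued-by-a-compromised-CA case."""
    alerts = []
    for entry in entries:
        hit = next((san for san in entry["sans"] for dom in monitored
                    if in_scope(san, dom)), None)
        if hit is None or entry["fingerprint"] in known:
            continue
        reason = ("certificate not in our inventory"
                  if entry["issuer"] in issuers
                  else "certificate not in our inventory, unexpected issuer")
        alerts.append(Alert(entry["fingerprint"], entry["issuer"], hit, reason))
    return alerts


SAMPLE_LOG = [  # constructed entries
    {"fingerprint": "fp-known-1", "issuer": "Example Trusted CA",
     "sans": ["example.com", "www.example.com"]},
    {"fingerprint": "fp-new-3", "issuer": "Example Trusted CA",
     "sans": ["api.example.com"]},
    {"fingerprint": "fp-new-4", "issuer": "Some Other CA",
     "sans": ["*.example.com"]},
    {"fingerprint": "fp-new-5", "issuer": "Some Other CA",
     "sans": ["example.com.evil.test", "evil-example.com"]},
    {"fingerprint": "fp-new-6", "issuer": "Some Other CA",
     "sans": ["unrelated.test"]},
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```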

Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet cloud security is still often thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.

Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”

GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018’s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, at which time organizations in non-compliance will face heavy fines (up to 20,000,000 EUR or up to 4% of annual worldwide turnover). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, e.g. a cloud service provider) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller will be under a legal obligation to notify the supervisory authority without undue delay on issues like a data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take the GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not-compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.

Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.

HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.

HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

HTTPS: In HTTPS, the HTTP communication protocol of the World Wide Web is encrypted by Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.

ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems. In 2018, this trend will likely continue, given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.

Identify: When you have an inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.

IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been “the future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is in any way dying. It seems that both of those technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default – so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work this way or not).

Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.

Integrate: Many gaps in security are due to an inability for disparate technologies to share information. Integration is key to making sure you get the most from your technology investments.

IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT systems should address security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be a race for a universal IoT security standard going on, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.

Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.

Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai makers pleaded guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.

Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.

Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. And they need to be fixed. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

PSD2: The EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.

Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.

Responsibility: People are starting to call on companies to take responsibility. Regulations like the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some people say that It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example, the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives—where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities is part of this responsibility too.

Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. If we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The best security doesn’t exclude users, it empowers them.

Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks were common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.

Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?

Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. In many attempts, the stated goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.

Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.

Vulnerability: Patching is an important part of your defense strategy, and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information, and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run: many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities is part of the picture as well.
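To show the difference between the severity-based and the threat-centric prioritization described here and under Patching, here is an added example in Python that is not from the original post or from Gartner; the record fields, the scoring weights and the sample findings are constructed assumptions:

```python
"""Severity-based versus threat-centric vulnerability prioritization on a
constructed inventory (an added example, not from the original post or from
Gartner). Field names, weights and sample records are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder id, not a real CVE
    cvss: float              # base severity 0-10
    days_known: int          # days since the vulnerability was published
    exploited_in_wild: bool  # evidence of active exploitation
    internet_facing: bool    # reachable from outside the organization
    asset_criticality: int   # 1 (low) .. 5 (crown jewels)


def severity_rank(findings):
    """Traditional approach: highest CVSS first, nothing else considered."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def threat_score(f):
    """Threat-centric score (constructed weights): an imminent threat is one
    that is being exploited and is reachable on a valuable asset; severity
    only breaks ties within a tier."""
    score = 0.0
    if f.exploited_in_wild:
        score += 100
    if f.internet_facing:
        score += 40
    score += 10 * f.asset_criticality
    score += f.cvss
    return score


def threat_rank(findings):
    """Threat-centric approach: remediate imminent threats first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -threat_score(f))]


def stale_known_vulns(findings, min_days=365):
    """Exploited findings the organization has known about for a year or more:
    the category Gartner expects to keep dominating real-world exploitation."""
    return sorted(f.vuln_id for f in findings
                  if f.exploited_in_wild and f.days_known >= min_days)


SAMPLE = [  # constructed findings
    Finding("V-01", 9.8, 12,  False, False, 2),  # critical but new, internal, unexploited
    Finding("V-02", 7.5, 800, True,  True,  5),  # old, exploited, on a public crown jewel
    Finding("V-03", 5.3, 400, True,  False, 3),  # medium, but exploited and old
    Finding("V-04", 9.1, 30,  False, True,  4),  # critical, exposed, no known exploitation
    Finding("V-05", 4.0, 900, False, False, 1),  # low everything
]

if __name__ == "__main__":
    print("by severity :", severity_rank(SAMPLE))
    print("by threat   :", threat_rank(SAMPLE))
    print("stale+exploited:", stale_known_vulns(SAMPLE))
```

On the sample, the severity ordering puts the brand-new internal V-01 first, while the threat-centric ordering moves the year-old, actively exploited V-02 and V-03 to the top.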

When: The myth of being able to detect every breach, insider threat or lateral movement has been punctured. Security teams are realizing they need to prepare themselves for “when” they will be breached, rather than “if.”

Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These types of threats are likely to continue into 2018.


HTTP/2 (Wikipedia)

Usage of HTTP/2 for websites

HTTPS (Wikipedia)

Firefox, Chrome start calling HTTP connections insecure

Alert (TA17-075A) HTTPS Interception Weakens TLS Security


Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead


Cybersecurity Dangers Will Spike in 2018

We’re hitting rock bottom in cyber — let’s do something | TechCrunch

Virtual Security

Mirai-makers plead guilty, Hajime still lurks in shadows

DARPA Takes Chip Route to ‘Unhackable’ Computers

Another AI attack, this time against ‘black box’ machine learnings

GDPR Portal: Site Overview

General Data Protection Regulation (Wikipedia)

Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already

How should the GDPR be taken into account in software development? (Miten GDPR pitää huomioida ohjelmistokehityksessä?)

Seven Seas Cybersecurity: Captain, We Have a Problem

In the Words of President Ronald Reagan, “Trust but Verify”

Why You Should Question These Most Common Cloud Assumptions

It’s 2018. Do You Know Where Your Data Are?

Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Smart Factory Connectivity for the Industrial IoT

The Race for a Universal IoT Security Standard

Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises

The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.

Resolve to Mitigate Your Business’ Digital Risk in 2018

Emerging Trends in Vulnerability Management

Research reveals customer-facing web and mobile apps as top security challenge

Open Source Vulnerabilities: Are You Prepared to Run the Race?

Device Security for the Industrial Internet of Things

GDPR and Open Source: Best Practices

Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC

ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good

Threat Modeling the Internet of Things: Modeling Reaper

Engineering for Privacy Requires Standards

How to Make Adversaries Work Harder, While We Work Smarter, in 2018

2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices

Facebook Releases New Certificate Transparency Tools

iWelcome and Launch Kantara Initiative Consent Management Solutions Work Group

U.S. Military to Send Cyber Soldiers to the Battlefield

Machine Learning & Security: Making Users Part of the Equation

Security is Not a Technology Profession

State of IPv6 Deployment 2017

Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018

  1. Tomi Engdahl says:

    Prioritizing Flaws Based on Severity Increasingly Ineffective: Study

    The large number of vulnerabilities found every year has made it increasingly difficult for organizations to effectively prioritize the security holes exposing their applications and networks, according to a new report published on Wednesday by Tenable.

    The company, which helps organizations reduce their cyber risk, has conducted a detailed analysis of the flaws discovered last year and in the first half of 2018.

  2. Tomi Engdahl says:

    Getting ROI From a Security Advisory Board That Works: Part 1 – Why

    The Biggest Mistake People Make With Security Advisory Boards is Not Using Them

    The SAB meetings provide an opportunity to bring senior leadership into the security discussion and process. Because the discussions are often at a strategic level, the whole C-Suite can understand and appreciate the information. The more they are involved, the more likely it is that they will support the resulting conclusions and suggestions. This is extremely helpful in getting executive buy-in for major security initiatives at risk of meeting resistance from other constituencies within the organization.

  3. Tomi Engdahl says:

    The Weakest Link in Cybersecurity Isn’t Human, It’s the Infrastructure
    Welcome to Motherboard’s third annual hacking week.

    When someone gets hacked, many people impulsively blame the victim. We’re conditioned to think that they did something wrong; we presume that they had a bad password, reused passwords across websites, didn’t turn on two-factor authentication, or otherwise made some sort of mistake that a more security-conscious person wouldn’t have.

    The truth is often a little more complicated. While there are of course things you can do to make yourself less of a target and to harden your accounts, the fact remains that hackers are increasingly exploiting systematic failures by large companies, and that there is often little or nothing the average user can do to prevent a breach. The business models of many companies rely on monetizing and selling user data; internet of things and new startups rarely take security as seriously as they should; massive hacks of companies like Equifax and T-Mobile make our social security numbers less private than they ever have before.

    The “weakest link” in cybersecurity is often no longer the human, it’s the infrastructure that increasingly controls our data without giving us a chance to do anything about it. In this brave new digital world, what can you really do to protect yourself?

  4. Tomi Engdahl says:

    Busting Cybersecurity Silos

    Cybersecurity is among the most siloed disciplines in all of IT. The industry is exceedingly fragmented between many highly specialized companies. In fact, according to IBM estimates, the average enterprise uses 80 different products from 40 vendors. To put this in perspective, imagine a law enforcement officer trying to piece together the events surrounding a crime based solely on witness statements written in multiple languages — one in Chinese, another in Arabic, a third in Italian, etc. Security operations centers (SOCs) face a similar challenge all the time.

    For example, a security team may need to coordinate access records with Lightweight Directory Access Protocol (LDAP) profiles, database access logs and network activity monitoring data to determine whether a suspicious behavior is legitimate or the work of an impostor. Security information may even need to be brought in from external sources such as social networks to validate an identity. The process is equivalent to performing a massive database join, but with incompatible data spread across a global network.

    As defenders of cybersecurity, we need to take a similar approach to sharing security information and building collaborative solutions that will address the evolving cybersecurity threat landscape.

    This is easier said than done, as the cybersecurity industry has not been successful in enabling information to be shared, federated and contextualized in a way that drives effective security outcomes. But the barriers aren’t solely technical; corporate policies, customer privacy concerns and regulations all combine to inhibit information sharing. We must enable collaboration in ways that don’t undermine the interests of the collaborators.

    The Keys to Building a Community Across Cybersecurity Silos

    Sharing security data and insights and developing an ecosystem across cybersecurity silos is a transformational concept for the industry — one that requires people, process and technology adaptations. As organizations embrace secure digital transformations, security professionals need to adopt a risk-based approach to security management built on insights from several sources that include both technical and business contexts.

    As security becomes more distributed within an organization, processes need to evolve to support integrated and collaborative operations.

    The security industry is taking steps to address the complexity problem with standards designed to efficiently share data and insights. Standards such as STIX/TAXII, OpenC2 and CACAO are rapidly maturing and gaining adoption for their ability to enable vendors and their customers to choose what data to share. More than 50 cybersecurity vendors have adopted or plan to adopt STIX as a standard for data interchange, according to OASIS.

  5. Tomi Engdahl says:

    Cybersecurity Future Trends: Why More Bots Means More Jobs
    October 11, 2018 | By Grant Gross

    As the technological world hurls into the 2020s and cybersecurity future trends become reality, many experts expect the industry to evolve rapidly. Among the paradigm shifts still to come from digital innovation, data protection is bound to change and expand beyond the capabilities of today’s most common tools.

    Above all, expect artificial intelligence (AI) to take a bigger role in cybersecurity as the IT industry seeks more efficient ways to shut down attacks immediately — or even before they happen.

  6. Tomi Engdahl says:

    The greatest mobile security threats facing enterprises

    To diminish threats on unsecured networks, enterprises can take the following action.

  7. Tomi Engdahl says:

    What the Onslow Water and Sewer Authority Can Teach About Responsible Disclosure

    Critical Infrastructure Operators Must Plan for Scenarios in Which a Physical and Cyber Event Occur Simultaneously

    This case study is worth exploring in more detail for several reasons. First, it is commendable to see such a swift, responsible, and transparent disclosure by the water utility. Second, the fact that the malware did not bleed into ONWASA’s OT networks is indicative of either luck, good cyber hygiene, or a combination of both. And lastly, the proximity of the attack’s timing to Hurricane Florence highlights the degree to which incident response plans must account for physical and environmental conditions.

    Let’s delve deeper into each one of these points.

    Swift, Responsible, and Transparent Disclosure

    As mentioned, ONWASA first discovered the malicious activity on October 4th. The malware EMOTET, a known trojan that typically targets the financial sector, was persistent on their network and ultimately launched the Ryuk ransomware on October 13th. Just two days later, ONWASA’s CEO, Jeffrey Hudson, released a detailed press release outlining the background of the infection and the steps taken by the utility to mitigate what he described as a “targeted” operation carried out by cyber criminals. By this point, at least some of their customers were undoubtedly experiencing problems interfacing with the utility, either online or otherwise. Hudson’s statements were critical to assuaging any concerns among ONWASA’s customers that the water supply was threatened or dangerous to consume. He drew a clear distinction between ONWASA’s business operations and their water operations.

    Containing the Incident

    Part of the reason the messaging was so successful in this instance is because the scope of the incident was limited to business services. In cases of ransomware impacting organizations with a sizeable OT footprint, such as public utilities, containing the incident is usually a product of good cyber hygiene, luck, or some combination thereof.

    Timing is Everything

    Finally, perhaps the most consequential part of this story is that the attack occurred relative to Hurricane Florence, the Category 4 storm that struck the Carolinas less than a month earlier in September and brought more than 35 inches of rain. The aftermath of such a storm is perhaps the most critical time for a water and sewage utility like ONWASA. Their operations are fundamental to ensuring the health and safety of citizens during the recovery process.

    Fortunately, in this case, water and wastewater services were not disrupted and ONWASA’s plants were capable of operating manually until the affected systems were restored. This highlights two critical points.

  8. Tomi Engdahl says:

    The cyber insurance question
    Prevention is the best option but people continue to search for the easiest way out

    “We have become accustomed to the fact that the cybercriminals are winning and with law enforcement struggling to contain it”

    “It seems very few people believe that prevention is the best option because people will always seek the easiest way out”

    Cyber insurance is currently booming and many insurers are offering varying levels of protection to customers who (personally) seem in the dark about a lot when it comes to cybersecurity. We all know that scaring tactics aren’t the best way to go about selling a product yet increasing hacking stories in the media are certainly making CEOs a bit twitchy. Rightly so that C suite staff should be raising their heads above their monitors when it comes to their infrastructure security but is insurance better than prevention? Do they think insurance is prevention? Even forgetting ethics for a moment, paying a criminal to receive your data back could be just as catastrophic should malware be transmitted along with the back up – along with your premium increasing in the next year with your insurer.

  9. Tomi Engdahl says:

    The threats that have got Europol worried

    1.- Ransomware
    2.- Cryptojacking
    3.- DDoS
    4.- Social engineering

    How to avoid these threats

    1.- Prevention and cyber-resilience. Companies cannot wait until an attack comes in order to try to stop it. They must act preventively, as well as being up to speed with new cyberattack strategies, so that no new methods take them by surprise.

    2.- Advanced cybersecurity solutions. At the same time, it is vital to have technological solutions that help to maintain corporate cybersecurity. Panda Adaptive Defense not only acts against foreseeable attacks, but, above all, it detects all kinds of possible threats beforehand, monitoring in real time the activity in each organization, staying ahead of the cybercriminals.

    3.- Employee awareness. As we always say, a lot of the time, employees are the most effective point of entry for cybercrime. This is why companies not only need to make their employees aware of what they must and mustn’t do; they also need to enact clear action protocols for the cases where these employees suspect that a possible threat may be at the doors.

  10. Tomi Engdahl says:

    Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens

  11. Tomi Engdahl says:

    Abandoned Web Applications: Achilles’ Heel of FT 500 Companies

    The numbers reveal that:

    70% of FT 500 can find access to some of their websites being sold on Dark Web
    92% of external web applications have exploitable security flaws or weaknesses
    19% of the companies have external unprotected cloud storage
    2% of external web applications are properly protected with a WAF
    Every single company has some non-compliances with GDPR

  12. Tomi Engdahl says:

    Adversaries Take Advantage of the Seams. Let’s Close Them.

    Adversaries are Increasingly Masterful at Taking Advantage of Seams Between Technologies and Teams to Infiltrate Organizations

    “It’s not a matter of if, but when and how you’ll be attacked” has become the security mantra and the industry is using it as a rallying cry as we innovate to reduce the impact of breaches. For years organizations have relied on a defense-in-depth strategy for protection. Yet despite the multiple point products deployed, the volume and velocity of compromises and breaches continue to increase. There are many reasons why this is occurring, stemming from the fact that we have seams in our defenses. Our layers of protection and our security teams are largely unintegrated and operate in silos.

    The 2018 Cost of a Data Breach study (PDF) by Ponemon Institute finds the current dwell time has actually increased to 197 days from 191 the year prior. The mean time to contain is now up as well, rising to 69 days from 66. It takes organizations nearly nine months to mitigate risk and get back to business as usual. As timeframes extend, the damage and costs associated with breaches increase.

    2018 Cost of a Data Breach Study: Global Overview
    Benchmark research sponsored by IBM Security
    Independently conducted by Ponemon Institute LLC

  13. Tomi Engdahl says:

    What Does Your Cloud Strategy Include, and Are You Transitioning Securely?

    Organizations Need the Right Technologies and Talent in Place to Ensure a Secure Transition to the Cloud

    In my previous column, I wrote about the evolution in security from hardware and point products, to an approach that increasingly relies on security DevOps. However, there is another transition that is also well underway – the shift to the cloud. The RightScale 2018 State of the Cloud Report finds that 96 percent of respondents use cloud, with public cloud adoption increasing to 92 percent from 89 percent in 2017.

    I bet if you asked each of the 997 survey respondents to describe their use of the cloud you’d get 997 different answers. That’s because the move to the cloud comes in many different forms, each with its own set of implications for security teams. Here are just a few:

    SaaS offerings: Services like Office 365, Google, Box, Dropbox and Salesforce are some of the most common services organizations rely on that are accessed through the cloud.

    Employee cloud usage: Employees are using cloud services without ever involving IT. In the case of Shadow IT, these may be legitimate tools to help them get their jobs done. Other times they are using services simply for entertainment.

    SecOps in the cloud: According to Gartner, by 2019 more than 30% of the 100 largest vendors’ new software investments will have moved to cloud-only, and this includes investments in security technologies. If you are moving SecOps to the cloud, there are many ramifications. Can the service address your bandwidth and oversight requirements?

    Corporate services in the cloud: Many organizations are taking advantage of the cloud to respond to business opportunities and challenges with agility – adding new services as needed and rapidly expanding capacity during periods of peak demand. If your organization is among this group, there are some important questions to ask: What infrastructure, apps, and data are moving to the public cloud and when? Will shifting to the cloud introduce gaps in our defenses and, if so, what security precautions can we take?

    Below are a few recommendations:

    • Consider a Cloud Access Security Broker (CASB) which simplifies access management at scale. When a user leaves the organization or changes roles, access can be updated automatically across all cloud services through a single, easy to read pane.

    • With more employees connecting to cloud apps directly through the internet, a Secure Internet Gateway offers visibility into internet activity across all locations, devices, and users, and blocks threats before they ever reach your network or endpoints.

    • Firewall cloud solutions can protect cloud workloads as they expand, contract or shift location.

    • IT and security professionals with a deep understanding of cloud can be hard to find. Even with various certifications, there’s no substitute for specific knowledge of the actual service.

    • Your team has tremendous technical and institutional knowledge that you don’t want to lose, but they may not have other skills needed to support the transition to the cloud, such as knowledge of JSON and Python. Offer training.

    • While in-house staff comes up to speed, look for additional bench strength in the form of outsourced talent that can fill the skills gap and provide advisory and implementation services.

    • Break the cycle of Shadow IT. As part of good security governance, architectural groups and committees should meet on a regular basis and include all key stakeholders from business, IT and security.

    As you shift to the cloud, remember that this is a journey and that no two journeys are alike.

  14. Tomi Engdahl says:

    HITRUST Common Security Framework – Improving Cyber Resilience?

    Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the HITRUST CSF as part of HIPAA assessments establish a much higher standard of scrutiny for privacy and disclosure requirements, compared to many other verticals. This is justified, since the industry maintains a vast amount of highly sensitive data on individuals, which is extremely coveted by cyber criminals. Healthcare records are a hot commodity on the Dark Web, fetching much higher selling prices than credit cards.

    HITRUST CSF has become the most widely-adopted security framework in the U.S. healthcare industry. Like the NIST Cybersecurity Framework, it integrates relevant regulations (e.g., HIPAA) and standards (NIST 800-53, ISO 27001, PCI DSS) into a single overarching security framework. So what benefits does HITRUST CSF offer healthcare organizations?

    Security-minded, mature healthcare providers typically already have a solid security program in place that incorporates many of the standards, guidelines, and best practices referenced in the framework. While HITRUST CSF doesn’t necessarily improve cyber resilience for these types of organizations, it does provide a common nomenclature and methodology to help less advanced providers assess their level of security preparedness and benchmark their programs.

  15. Tomi Engdahl says:

    Misconfiguration a Top Security Concern for Containers

    Report Demonstrates that Security Needs to be Included in Containerization

    Although the acceptance and adoption of containers within DevOps is growing, concern over their security remains strong. Thirty-five percent of respondents to a new survey believe their company does not adequately invest in container security, while a further 15% don’t think their company takes the threat to containers seriously.

    The survey (PDF) was undertaken by StackRox among 230 IT staff — almost half of whom identify IT security as their primary role. More than 45% are employed in companies with more than 10,000 employees, while 58% are employed in either the fintech or technology sectors. The StackRox inaugural report, ‘The State of Container Security’, found that most organizations feel unprepared to adequately secure cloud-native applications, despite the surging adoption of containers and Kubernetes.

    Docker is the most popular container runtime, used by 189 of the respondents. Kubernetes, originally developed by Google, is the most popular container orchestrator, used by 122 of the respondents. Docker Swarm is the second most popular orchestrator, used by 93 of the respondents primarily from the larger organizations with 5,000 or more employees.

  16. Tomi Engdahl says:

    Phishing Training is a Tool, Not a Solution

    If You Find Yourself Frequently Blaming Users for Successful Attacks, You Know Your Security is Not Working

    Training users to recognize phishing is a best practice, an important “tool in the toolbox” as an IT manager once told me, and definitely something I agree with among a list of steps to improve one’s security posture. But I’ve heard anecdotes recently about IT managers prioritizing training above investing in better automated security, and have begun to wonder if training firms and many security providers who now offer it have been a bit too successful in their marketing, effectively convincing many that the job of protection should be shifted to the end user.

    A lot of phishing training is going on. A recent study by Osterman Research asked organizations a series of questions about phishing and user training, among other issues, and ascertained that 93% of organizations give their employees some kind of phishing awareness training. Of course, doing this “right” is not in everyone’s budget, or runs quickly into a limit of tolerance on the time to be taken from the schedules of busy employees.

    Can you (really) spot the fake?

    Such training, everyone agrees, is good. Everybody knows that security is about layers, and having alert users is another layer. But anybody signing up for sessions for their company should understand it in that context—it’s another tool, not a solution.

    I was struck in the Osterman survey report by the fact that over half of IT and security managers rate their users “highly” or “extremely” capable of recognizing mass phishing and spear phishing emails (59% and 54%, respectively). What’s generating such confidence among this group?

    A CIO at a large company told me recently that he feels that 40 percent of his users will “click on anything,” which seems realistic to me, and, if true, still means 60 percent of users are bringing some utility to the task of identifying phishing emails.

    Blame the victims?

    It’s a truism of security that users are the Achilles heel or “weak link” in any system of defenses. I recognize the wisdom in this, although sometimes it sounds to me a bit like blaming airline passengers for their plane going down. It seems at any security event today, there is a lot of touting of user training by user-education and, more recently, large security companies, pushing messaging along the lines of “protection starts with people”. Is this really the user’s responsibility?

    Security is the weakest link – not the user

    My view is that if you find yourself frequently blaming users for successful attacks, you know your security is not working. I agree that we should be thinking about how users work, what they do and how it affects the security posture of the business, but does security really start with them?

  17. Tomi Engdahl says:

    Getting ROI From a Security Advisory Board That Works: Part 1 – Why

    The Biggest Mistake People Make With Security Advisory Boards is Not Using Them

  18. Tomi Engdahl says:

    Why User Behavior Analytics Is an Application, Not a Cybersecurity Platform

    Last year, a cybersecurity manager at a bank near me brought in a user behavior analytics (UBA) solution based on a vendor’s pitch that UBA was the next generation of security analytics. The company had been using a security information and event management (SIEM) tool to monitor its systems and networks, but abandoned it in favor of UBA, which promised a simpler approach powered by artificial intelligence (AI).

    One year later, that security manager was looking for a job. Sure, the UBA package did a good job of telling him what his users were doing on the network, but it didn’t do a very good job of telling him about threats that didn’t involve abnormal behavior. I can only speculate about what triggered his departure, but my guess is it wasn’t pretty.

    UBA hit the peak of the Gartner hype cycle last year around the same time as AI. The timing isn’t surprising given that many UBA vendors tout their use of machine learning to detect anomalies in log data. UBA is a good application of SIEM, but it isn’t a replacement for it. In fact, UBA is more accurately described as a cybersecurity application that rides on top of SIEM — but you wouldn’t know that the way it’s sometimes marketed.

    User Behavior Analytics Versus Security Information and Event Management

    While SIEM and UBA do have some similar features, they perform very different functions. Most SIEM offerings are essentially log management tools that help security operators make sense of a deluge of information. They are a necessary foundation for targeted analysis.

    UBA is a set of algorithms that analyze log activity to spot abnormal behavior, such as repeated login attempts from a single IP address or large file downloads. Buried in gigabytes of data, these patterns are easy for humans to miss. UBA can help security teams combat insider threats, brute-force attacks, account takeovers and data loss.
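
To make concrete what "a set of algorithms that analyze log activity" looks like when it rides on top of SIEM-normalised events, here is an added Python example of my own (not code from any UBA or SIEM product the comment discusses). It parses constructed key=value log lines, flags a source address with repeated failed logins inside a sliding window, and flags a download far above a user's own historical baseline. The log lines, addresses (documentation ranges), user names, thresholds and function names are all my constructed assumptions.

```python
"""UBA-style detections over SIEM-normalised events (added example, not from the page)."""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in the key=value form a SIEM would hand to an analytics
# layer. Addresses are from documentation ranges; nothing here is a real system.
SAMPLE_LOGS = """\
2018-10-13T08:00:01Z auth user=alice src=203.0.113.5 result=OK
2018-10-13T08:00:05Z auth user=bob src=198.51.100.7 result=FAIL
2018-10-13T08:00:06Z auth user=bob src=198.51.100.7 result=OK
2018-10-13T08:01:00Z auth user=carol src=203.0.113.9 result=FAIL
2018-10-13T08:01:01Z auth user=dave src=203.0.113.9 result=FAIL
2018-10-13T08:01:02Z auth user=erin src=203.0.113.9 result=FAIL
2018-10-13T08:01:03Z auth user=frank src=203.0.113.9 result=FAIL
2018-10-13T08:01:04Z auth user=grace src=203.0.113.9 result=FAIL
2018-10-13T08:01:05Z auth user=alice src=203.0.113.9 result=FAIL
2018-10-13T08:10:00Z download user=alice file=report1.pdf bytes=2097152
2018-10-13T08:11:00Z download user=alice file=report2.pdf bytes=1048576
2018-10-13T08:12:00Z download user=alice file=report3.pdf bytes=3145728
2018-10-13T08:30:00Z download user=alice file=customers.csv bytes=734003200
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Turn log lines into dicts; lines that do not fit the schema are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        ev = dict(part.split("=", 1) for part in m.group("kv").split() if "=" in part)
        ev["ts"] = ts
        ev["event"] = m.group("event")
        events.append(ev)
    return events


def detect_repeated_failures(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP with >= threshold failed logins inside a sliding time window.
    The targeted user names may differ; the pattern keyed on is the single address."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["event"] != "auth" or ev.get("result") != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])              # one alert per address, not per event
            alerts.append(("repeated_failures", ev["src"], len(q)))
    return alerts


def detect_large_downloads(events, factor=10, min_history=3):
    """Flag a download far above the user's own baseline (median of prior sizes).
    No alert until the user has enough history for a baseline to mean anything."""
    history = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["event"] != "download":
            continue
        size = int(ev["bytes"])
        prior = history[ev["user"]]
        if len(prior) >= min_history and size > factor * statistics.median(prior):
            alerts.append(("large_download", ev["user"], ev["file"], size))
        prior.append(size)
    return alerts


def run_uba(text):
    """Run both detections over raw log text and return the combined alert list."""
    events = parse_events(text)
    return detect_repeated_failures(events) + detect_large_downloads(events)


if __name__ == "__main__":
    for alert in run_uba(SAMPLE_LOGS):
        print(alert)
```

Both detections are per-entity baselines over already-collected logs, which is the comment's point: the hard part (collecting, normalising and retaining the events) is the SIEM's job, and the analytics sit on top of it rather than replacing it.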

  19. Tomi Engdahl says:

    What is Threat Hunting and why is it necessary?

    In this ecosystem, Threat Hunting stands out as one of the most important trends of the last few years in corporate cybersecurity. But in order to understand why Threat Hunting is such an important concept nowadays, it is vital to understand exactly what it is.

    What is Threat Hunting? This concept can be defined as “…the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.”

    What makes it different? Proactivity is what really sets Threat Hunting apart from traditional threat management measures such as firewalls, intrusion detection systems (IDS), sandboxing, and SIEM systems. All these measures involve an investigation after a potential attack or a security incident has set off the alarm. That is, they are reactive, not proactive measures.

  20. Tomi Engdahl says:

    4 Tips to Make the Most of Your Security Budget

    Despite frequent news headlines describing large-scale data breaches around the globe, chief information security officers (CISOs) still struggle to justify security investments to top leadership. According to Gartner, security spending makes up only about 5.6 percent of overall IT funds.

    1. Assess Risks, Assets and Resources

    A CISO should first thoroughly evaluate the systems, data and other business assets that are both valuable and potentially at risk in the organization. Today, this makes up an ever-evolving network, and priorities will shift over time to reflect changes in the business and the threat landscape.

    “You should first identify and document the assets you need to protect most,”

    2. Align the Security Budget With Business Goals

    When demonstrating the return on security investment to executives and board directors, security leaders must speak the language of money. How does security serve the business?

    “CISOs should always align with the business when evaluating how to spend,” said Larry Friedman, CISO at Carbonite. “Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”

    3. Hire and Train Good People

    The oft-lamented cybersecurity skills gap shows few signs of closing. A recent report from the International Information System Security Certification Consortium (ISC2) placed the worldwide cybersecurity skills gap at almost 3 million unfilled positions, and about two-thirds of businesses believe they have inadequately staffed security teams.

    It stands to reason that one of the best investments in a security program is an effective staff. However, in a tight market for employers seeking talent, organizations may have to look inward and invest in training employees who otherwise might not have considered a security career.

    4. Invest in Security Culture

    An effective cybersecurity strategy must include a corporate culture in which every employee values security. But the “2018 Cybersecurity Culture Report” from the Information Systems Audit and Control Association (ISACA) and Capability Maturity Model Integration (CMMI) Institute found that most organizations still struggle with establishing a security culture. In addition, 95 percent of survey respondents noted a gap between their current and desired organizational culture of cybersecurity.

    What does it mean to build security culture into business? It means getting all employees — from the security team to the executive suite — to feel invested in the company’s security and risk posture and to engage in secure behavior. Investments in security culture could include initiatives such as awareness training, a secure development life cycle program, and rewards for employees who demonstrate compliance and report incidents.

  21. Tomi Engdahl says:

    Small Businesses, Big Breaches

    I like small companies and I love startups – I’ve spent 19 of my 23-year professional career working for them – but they increasingly outpunch their weight when they are the source of a data breach. This distorted scale is illustrated by data aggregator Exactis, which had 8 employees on LinkedIn when their breach of 350 million personal records became public. Additionally, Silicon Valley startup Apollo showed 49 employees on LinkedIn a week after its loss of over 200 million personal records hit the news. Of course, large companies suffer breaches too, but they have far more resources to defend themselves.

    The uneven ‘small business to big breach’ ratio is a direct reflection of how cloud computing has changed the economies of scale for small businesses. When I co-founded a company in 2010, we were able to get up and running for under $5,000. It would have easily cost 10 times that amount if we had started the same company a decade earlier.

    There are many reasons that small businesses find themselves unprepared to protect against data breaches. Today, the same technology and hustle that allows small businesses to disrupt giant competitors can also create risks to consumer privacy and even national security that these companies are not equipped to manage. Small businesses move quickly, and the pace of innovation is always faster than their ability to maintain security and compliance. Additionally, many small business operators have a risk tolerance that is off the charts, understandable since entrepreneurship is inherently risky; however, this trait can warp a business owner’s ability to grasp the seriousness of the problem. Finally, putting solutions and personnel in place to protect high value data is extremely expensive. Most small businesses do not have the capital or the employee bandwidth to make these investments, which leaves them inordinately mismatched when compared to a potential attacker.

  22. Tomi Engdahl says:

    CVSS Scores Often Misleading for ICS Vulnerabilities: Experts

    While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading, which can have negative consequences for organizations, particularly if they rely solely on CVSS for prioritizing patches.

    Maintained by the CVSS Special Interest Group (SIG), CVSS “provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.” The score, which reflects the severity of a vulnerability, should help organizations assess and prioritize weaknesses in their systems. The score can reflect a low (0.1-3.9), medium (4.0-6.9), high (7.0-8.9) or critical (9.0-10.0) severity.

    The current version of the system, CVSSv3, allows users to calculate a base score – which is constant over time and across environments – using factors such as attack vector, attack complexity, required privileges, user interaction, scope, confidentiality, integrity, and availability. The temporal score, which reflects characteristics that may change over time but not across environments, is calculated based on exploit code maturity, remediation level, and report confidence. The environmental score, which represents attributes relevant to a particular user’s environment, is calculated based on the importance of the affected asset, measured in terms of confidentiality, integrity and availability.

    The way a CVSS score is calculated is transparent, but it’s still not uncommon for vendors and researchers to disagree on the severity rating assigned to a vulnerability.

    CVSS scoring was originally developed for IT systems and is often not accurate in the case of industrial systems

    The use of CVSS for rating ICS vulnerabilities

    Moreno Carullo, co-founder and CTO of Nozomi Networks, believes that while CVSS has value because it standardizes vulnerability scoring, it should only serve as a guide.

    “You should always have a look at the vector and evaluate your own ‘score,’ based on what makes the most sense for your environment,” Carullo said.

    Paolo Emiliani, industrial and SCADA research security analyst at Positive Technologies, says the CVSS score should be applied to specific industrial processes for it to be efficient in prioritizing vulnerabilities.

    John Elder, senior ICS security consultant at Applied Risk, believes CVSS scores can be misleading in both IT and ICS environments due to the different scenarios required for exploitation. However, he says the CVSS score can be a good starting point when assessing the full impact of a vulnerability.

    “Another argument against the effectiveness of CVSS scoring for ICS devices is the numerical values of the exploitability weights,” Kfir told SecurityWeek. “The current numerical weight values are calculated based on historical and statistical data of cyber-incidents, which are mostly from IT networks. As a consequence, the scoring based on this method is biased against ICS devices as there is not a wide historical database of incidents for numerically estimating the ‘exploitability’ value on ICS networks.”

  23. Tomi Engdahl says:

    Subject: Invoice. The cause of 6 out of 10 of the most effective phishing campaigns in 2018

  24. Tomi Engdahl says:

    Soft Skills, Solid Benefits: Cybersecurity Staffing Shifts Gears to Bring in New Skill Sets

    With millions of unfilled cybersecurity jobs and security experts in high demand, chief information security officers (CISOs) are starting to think outside the box to bridge the skills gap. Already, initiatives such as outsourced support and systems automation are making inroads to reduce IT stress and improve efficiency — but they’re not enough to drive long-term success.

    Enter the next frontier for forward-thinking technology executives: Soft skills.

    How Important Are Soft Skills in the Enterprise?

    Soft skills stem from personality traits and characteristics. Common examples include excellent communication, above-average empathy and the ability to demystify tech jargon, as opposed to the certifications and degrees associated with traditional IT skills.

    Historically, IT organizations have prioritized harder skills over their softer counterparts — what good is empathy in solving storage problems or improving server uptime? However, as noted by Forbes, recent Google data revealed measurable benefits when teams contain a mix of hard and soft skills. The search giant found that the “highest-performing teams were interdisciplinary groups that benefited heavily from employees who brought strong soft skills to the collaborative process.”

    How Can Companies Quantify Qualitative Skill Sets?

    Soft skills drive value, but how can organizations quantify qualitative characteristics? Which skill sets offer the greatest value for corporate objectives?

    It’s Time to Prioritize Softer Skill Sets

    There’s obviously solid value in soft skills — according to a study from the University of Michigan, these skills offer a 256 percent return on investment (ROI). For CISOs, the message is clear: It’s time to prioritize softer skill sets, re-evaluate hiring and recruitment practices, and prepare for a future where the hard skills of AI-enhanced technology require a soft balance to drive cybersecurity success.

  25. Tomi Engdahl says:

    Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage

    Digital transformation is dominating retailers’ attention — and their IT budgets. As a result, significant gaps in retail cybersecurity are left unfilled just as retail IT faces new challenges, from infrastructure moving to the cloud without clear security policies to an array of new threat vectors focused on personal customer information, ransomware and underprotected business-to-business (B2B) connections.

  26. Tomi Engdahl says:

    Cybersecurity professionals need to think like cybercriminals to do their job, Josephine Wolff, an assistant professor at the Rochester Institute of Technology, writes in this opinion piece. “We should think carefully about the skills we need, about the rules and principles that we know how to teach and also about how to encourage students to break those rules and find ways around those principles,” she concludes.

    How Do You Get Students to Think Like Criminals?

    The skills needed for cybersecurity jobs aren’t easy to learn in the classroom.

  27. Tomi Engdahl says:

    When to Cut Your Losses on a Wasteful Security Project

    In a December 2011 Forbes article entitled “How To Waste $100 Billion: Weapons That Didn’t Work Out”, author Loren Thompson discusses a number of government weapons programs that were scrapped after billions of dollars were sunk. The circumstances under which each project went south vary, but they do share one very interesting point in common. What is that point? That the question of when to cut losses should have been asked and discussed at several different points along the way. Unfortunately, it never was, and the results speak for themselves.

    Managing a large, complex military project is, not surprisingly, extremely complex. Nonetheless, as with any project, checkpoints should be installed along the way to ensure that the project is moving towards achieving its goals on time and within budget. When this doesn’t happen, projects can veer off course into the realm of over time and over budget, as was the case with the projects referenced in Loren Thompson’s Forbes article.

    So what does this have to do with information security? I would argue that lessons from the field of project management can offer us valuable insight that we can leverage to improve and strengthen our respective security programs. How so? Allow me to elaborate.

    Any information security organization will have a number of different initiatives and projects going on at any given time.

    So what are some ways in which organizations can avoid the trap of a wasteful project? Though not an exhaustive list, I provide five suggestions here:

    1. Go back to basics: When we ask ourselves how we can assess what activities bring added value to the security organization, we need to go back to basics to find the answer.

    2. Enforce project management: If you think that project management best practices are only for weapons programs and software projects, think again. Everyone should be familiar with project management techniques. Why should security efforts be run any less formally than any other project?

    3. Keep an eye on budgets: It goes without saying that budgets in security are never large enough to cover all of the bases that a security organization wants to cover. So why throw money towards people, process, and technology that don’t bring value? The amount of money being spent on various different efforts should be correlated to the value-add those efforts bring.

    4. Keep an eye on schedules: Who loves to see a project run over schedule and be delivered late or never at all? No one. Absolutely no one. So why let things get out of hand? Set up gates and checkpoints along the way to evaluate progress against project goals.

    5. Avoid bright shiny objects: The security profession seems to get distracted by bright shiny objects every now and again. Every so often, a new type of product or service comes along that generates an unwarranted amount of buzz, hype, and hysteria. Often, all of this attention comes without any mapping back to real operational problems that organizations are looking to solve.

  28. Tomi Engdahl says:

    Windows 10 Quality approach for a complex ecosystem

    Today we are re-releasing the October 2018 Update after pausing to investigate a small but serious issue. This is the first time in Windows 10’s “Windows as a Service” history that we have taken such an action, and as such it has naturally led to questions about the work we do to test and validate Windows quality before we begin rolling it out broadly.

    While our measurements of quality show improving trends on aggregate for each successive Windows 10 release, if a single customer experiences an issue with any of our updates, we take it seriously. Today, I will share an overview of how we work to continuously improve the quality of Windows and our Windows as a Service approach. As part of our commitment to being more transparent about our approach to quality, this blog will be the first in a series of more in-depth explanations of the work we do to deliver quality in our Windows releases.

  29. Tomi Engdahl says:

    Attackers Are Landing Email Inboxes Without the Need to Phish

    According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows:

    1. Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds.

    2. Account takeover: Here, attackers use information-stealing malware and key loggers to gain access to and hijack a corporate email account, which they then use to make fraudulent requests to colleagues, accounting departments and suppliers.

    These techniques have served threat actors well for quite some time. But now we are seeing new, more expeditious methods emerge to gain access to business email accounts.

    Here’s how these alternative methods work:

    1. Paying for access. It’s common for accounts to be shared and sold across criminal forums, and the emails of finance departments and CEO/CFOs are no exception.

    2. Getting lucky with previously compromised credentials.

    3. Searching across misconfigured archives and file stores. Inboxes, particularly those of finance departments and CEO/CFOs, are replete with financially-sensitive information such as contract scans, purchase orders, and payroll and tax documents.

    BEC is becoming increasingly profitable for threat actors as organizations are making it easy for adversaries to gain access to the valuable information that sits within these inboxes.

  30. Tomi Engdahl says:

    The dangers of public IPs

    Almost every ISP offers an option to use a public IP address. Other names are “static IP,” “Internet-routable IP,” and sometimes “real IP.” Some people buy this option having a specific purpose in mind, some opt in just for the sake of it. However, public IP addresses can pose numerous risks. To find out what they’re all about, who might need them, and what the dangers are, read on.

    The NAT mechanism can be nested — for example, your home Wi-Fi router, itself subject to the provider’s NAT, creates a local network with its own private IP addresses and then redirects to your devices packets sent to and from the provider’s network. Everything would seem to be fine, so why the need for static IP address?

    NAT works great just as long as all connections are initiated from the internal network — in other words, when it is you opening sites, downloading files, and watching videos. But when it comes to connecting to your device from the Internet, NAT is not up to the job. Packets arriving at the provider’s public IP address will go precisely nowhere, because they are not a response to anyone’s internal request, and their target destination is unknown.

    So, when access to your network is needed from the outside, the solution is to use a public IP address. In our company telephone analogy, it’s a direct-dial number rather than the general switchboard.

    Why bother with public IP?

    Using a public IP address can be useful if, say, you want to access files on your home computer when at work or visiting friends, instead of storing them in the cloud.

    Static IP addresses are also very popular with gamers, who use them to set up their own servers — with their own rules, mods, and maps — for multiplayer games and invite friends to join in. Also, a public IP address is needed for streaming games from a remote device such as an Xbox, PlayStation, or gaming PC to a laptop when playing away from home.

    Sometimes, a public IP address is required to operate video surveillance and other security systems, or smart home solutions, but that applies primarily to outdated ones.

    Most modern systems are cloud-based. This means registering your home devices on a special trusted server, whereupon all commands you send go to the server, not directly to the devices. The devices then periodically “poke” the server to see if it has any commands for them. With this approach, a static IP is not required.

    What’s dangerous about public IPs?

    The main risk of using a public IP address is the same as the advantage: It allows anyone, anywhere to connect to your device directly from the Internet — and that includes cybercriminals. As they say, when you connect to the Internet, the Internet connects to you, in this case — directly. By exploiting various vulnerabilities, cybercriminals can get their hands on your files and steal confidential information to sell or for blackmail.

    What’s more, attackers can change your Internet access settings, for example, forcing the router to feed you phishing websites where they can pinch your login credentials.

    How do hackers know who to attack? For a start, there exist publicly available Internet services that regularly scan all IP addresses for vulnerabilities, making thousands of devices with exploitable bugs just a couple of clicks away.

    Incidentally, your real IP address can be used not only to hack into your home network, but also to carry out a DDoS attack, by bombarding you with packets from different devices simultaneously and overloading your Internet channel and router. Your ISP is protected against this — are you?

    How to stay protected

    The best way to stay protected is, of course, not to use a public IP address at all, especially if you are not sure that you need it. Don’t be fooled by ISP ads, however persuasive they may be.

    But if you are sure that static IP is for you, you have to work harder on your protection. The first step is to change the default password on the router. This won’t guard against hackers exploiting vulnerabilities in a particular model, but it will save you from less-skilled attackers. It’s a good idea to use a router model with as few hacker-friendly bugs as possible, but for that you have to do some research, rummaging around online for the latest information.

    Router firmware should be regularly updated; updates generally fix errors found in earlier versions. And it should go without saying that all built-in protection tools should be turned on.

  31. Tomi Engdahl says:

    How to detect a critical security incident?

    Working as an IT security manager in a company is far from simple. It is not just a case of generally protecting corporate cybersecurity. It’s about being resilient, watching out for new attack methods, forming a preventive defense team, building action protocols in case of vulnerability, and making sure all employees are aligned with these goals within the company.

    However, taking on too many tasks at once can water down the purpose of these tasks, and have just the opposite effect: the real threats stop being taken care of effectively.

    Alerts ignored out of fatigue

    At least, this is what a recent survey carried out by Imperva shows. According to this report, analyzing security alerts takes up a disproportionate percentage of work time, something that, at times, can end up being counterproductive for the company.

    How to detect critical incidents?

    There are several ways to detect whether the company is facing a critical security incident. Moreover, with these measures, the scope and relevance of this incident can be evaluated too.

    1.- Traffic anomalies. Servers and connections that are particularly confidential tend to have a relatively stable volume of traffic. If a company experiences an unusual increase in this traffic, it should be on the lookout.

    2.- Accessing accounts without permission. Employee and director accounts usually follow a hierarchy according to the information that they are allowed to access. As employees are usually the easiest entry point for cybercrime, if the connection privileges of one of their accounts are suddenly increased, this may be cause for a corporate cybersecurity alarm.

    3.- Excessive consumption and suspicious files. If the company detects an increase in the performance of its memory or hard drives, it may be that someone is accessing them illicitly, or even leaking data. This may also be the case if you find a file of suspicious size that is trying to remain hidden.
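An added example (not from the article quoted above) of the first two indicators written as detection logic over constructed data: a per-host traffic baseline with a z-score threshold, and an audit-event scan for an ordinary account that suddenly gains a privileged group. The host names, byte counts, account names and events are all made up for the illustration.

```python
import statistics

# Constructed sample data: hourly outbound volume (MiB) per server over a
# two-week baseline, followed by the most recent hour. Not real telemetry.
BASELINE = {
    "db-finance": [51, 49, 52, 50, 48, 53, 51, 50, 49, 52, 50, 51, 49, 50],
    "web-public": [310, 290, 320, 305, 298, 315, 300, 295,
                   312, 301, 307, 299, 304, 296],
}
CURRENT = {"db-finance": 410, "web-public": 318}


def traffic_anomalies(baseline, current, threshold=3.0):
    """Indicator 1: flag a host whose current volume sits more than
    `threshold` standard deviations above its own (stable) baseline.
    Returns [(host, z_score), ...] for the flagged hosts only."""
    findings = []
    for host, samples in baseline.items():
        mean = statistics.fmean(samples)
        sd = statistics.pstdev(samples) or 1.0  # flat baseline: avoid /0
        z = (current[host] - mean) / sd
        if z > threshold:
            findings.append((host, round(z, 1)))
    return findings


# Constructed directory/audit events: (timestamp, account, event, detail).
EVENTS = [
    ("2018-11-12T08:01Z", "j.doe", "login", "workstation-17"),
    ("2018-11-12T09:14Z", "j.doe", "group_added", "Finance-ReadOnly"),
    ("2018-11-12T22:47Z", "j.doe", "group_added", "Domain Admins"),
    ("2018-11-12T22:49Z", "j.doe", "login", "db-finance"),
    ("2018-11-13T07:30Z", "a.smith", "group_added", "HelpDesk"),
]
# Group names an analyst would treat as high privilege (hypothetical list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def privilege_jumps(events, privileged=PRIVILEGED_GROUPS):
    """Indicator 2: an account being added to a privileged group is an
    alarm; logins by that account after the jump are attached to the alert
    so the responder sees what the new privilege was used for first."""
    alerts = []
    for ts, account, event, detail in events:
        if event == "group_added" and detail in privileged:
            alerts.append({"when": ts, "account": account,
                           "gained": detail, "logins_after": []})
        elif event == "login":
            for alert in alerts:
                if alert["account"] == account:
                    alert["logins_after"].append(detail)
    return alerts


if __name__ == "__main__":
    for host, z in traffic_anomalies(BASELINE, CURRENT):
        print(f"traffic anomaly: {host} at z={z}")
    for alert in privilege_jumps(EVENTS):
        print("privilege jump:", alert)
```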

  32. Tomi Engdahl says:

    CVSS Scores Often Misleading for ICS Vulnerabilities: Experts

    While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading, which can have negative consequences for organizations, particularly if they rely solely on CVSS for prioritizing patches.

  33. Tomi Engdahl says:

    IBM security study: Mega data breaches cost $40 million to $350 million

    The average cost of a data breach is $3.86 million, according to a study by IBM Security and Ponemon Institute. But the cost of “mega breaches,” where 1 million to 50 million records are lost, can run from $40 million to $350 million.

    IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation.

    Overall, the study found that hidden costs in data breaches — such as lost business, negative impact on reputation and employee time spent on recovery — are difficult and expensive to manage. For example, the study found that a third of the cost of “mega breaches” (over 1 million lost records) were derived from lost business.

  34. Tomi Engdahl says:

    Researchers Introduce Smart Greybox Fuzzing

    A team of researchers has introduced the concept of smart greybox fuzzing, which they claim is much more efficient in finding vulnerabilities in libraries that parse complex files compared to existing fuzzers.

    Fuzzing is used to find software vulnerabilities by sending malformed input to the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw. There are three main types of fuzzing: blackbox fuzzing, where the tester has zero knowledge of the target; whitebox fuzzing, where there is full knowledge of the target and the testing is done through the source code; and greybox fuzzing, where the tester has some knowledge of the targeted application.

    According to the experts, AFLsmart is highly efficient in analyzing libraries that parse structurally complex files, such as audio, video, image, document and database files.

  35. Tomi Engdahl says:

    Security Automation Can be a Game Changer for Any SOC or CSIRT, Including Yours

    As I’ve written about in previous articles, security automation technology is creating impressive gains for security and incident response teams, by helping them improve operational effectiveness, increase speed and agility, and reduce risk. More and more security analysts and SOC managers are beginning to understand the potential of automation as they experience it firsthand or hear about it from their peers.

  36. Tomi Engdahl says:

    7 Non-Computer Hacks That Should Never Happen—threats/7-non-computer-hacks-that-should-never-happen/d/d-id/1333194

    From paper to IoT, security researchers offer tips for protecting common attack surfaces that you’re probably overlooking.

  37. Tomi Engdahl says:

    Security Tip (ST18-007)
    Questions Every CEO Should Ask About Cyber Risks

    What should CEOs know about the cybersecurity threats their companies face?

    CEOs should ask the following questions about potential cybersecurity threats:

    How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
    What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
    How can my business create long-term resiliency to minimize our cybersecurity risks?
    What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
    What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

    What can CEOs do to mitigate cybersecurity threats?

  38. Tomi Engdahl says:

    Faster fuzzing ferrets out 42 fresh zero-day flaws

    A group of researchers has found 42 zero-day flaws in a range of software tools using a new take on an old concept. The team, from Singapore, Australia and Romania, worked out a better approach to a decades-old testing technique called fuzzing.

    There are three broad kinds of fuzzing.

    Black box fuzzing knows nothing about the target program and just throws as many combinations as possible at it indiscriminately. This is fast, but it isn’t good at exposing bugs buried deep inside a program.

    White box fuzzing is at the other end of the spectrum, analysing the structure of the program in depth to understand how it functions. This lets it tailor its tests to particular logic flows in the program code, increasing the percentage of a program’s function that it can look at, which testers call ‘coverage’. It can uncover some deep and meaningful bugs, but it can be slow and time-consuming.

    Grey box fuzzing looks for a happy medium. Instead of analysing a program’s structure, it uses some ‘seed’ files designed to generate valid inputs and mutates them by flipping bits in those files. When it finds a result that it considers interesting, it adds the input that generated it to the list of seed files and then iterates on that.
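A toy version of the greybox loop described in this comment and in comment 34 above (a seed corpus, bit-flip and byte-overwrite mutation, and keeping only inputs that reach new coverage), added here as an illustration. It is not AFL or AFLsmart code: the record parser, its planted bug and the edge names are constructed for the example, and the target records its own coverage in place of compile-time instrumentation.

```python
import random


def parse_record(data: bytes, cov: set) -> int:
    """Constructed target, not a real parser. Format: b'R', a type byte,
    a length byte, then the payload. Each branch records an edge name in
    `cov`, standing in for the instrumentation a greybox fuzzer relies on.
    Planted defect (hypothetical): a type-2 record with length 0 indexes
    payload[0] and raises IndexError, our stand-in for a crash."""
    cov.add("entry")
    if len(data) < 3 or data[0] != ord("R"):
        cov.add("bad_magic")
        return -1
    cov.add("magic_ok")
    rtype, length = data[1], data[2]
    payload = data[3:3 + length]
    if len(payload) != length:
        cov.add("truncated")
        return -1
    cov.add("len_zero" if length == 0 else "len_nonzero")
    cov.add("type_%d" % rtype)
    if rtype == 2:
        return payload[0]  # planted bug: empty payload -> IndexError
    return length


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One greybox mutation: flip a random bit, or overwrite a random byte."""
    buf = bytearray(seed)
    i = rng.randrange(len(buf))
    if rng.random() < 0.5:
        buf[i] ^= 1 << rng.randrange(8)
    else:
        buf[i] = rng.randrange(256)
    return bytes(buf)


def run_one(data: bytes):
    """Execute the target once; return (edges_reached, crashed)."""
    cov = set()
    try:
        parse_record(data, cov)
        return cov, False
    except Exception:  # any uncaught exception counts as a crash
        cov.add("crash")
        return cov, True


def greybox_fuzz(seeds, iterations: int, rng_seed: int = 0):
    """Coverage-guided loop: a mutant joins the corpus only when it reaches
    an edge no earlier input reached. Returns (corpus, edges_seen, crashes)."""
    rng = random.Random(rng_seed)
    corpus, seen, crashes = [], set(), []
    for s in seeds:                 # run the seeds first so their edges count
        seen |= run_one(s)[0]
        corpus.append(s)
    for _ in range(iterations):
        cand = mutate(rng.choice(corpus), rng)
        cov, crashed = run_one(cand)
        if crashed and cand not in crashes:
            crashes.append(cand)
        if not cov <= seen:         # new coverage: keep it as a new seed
            seen |= cov
            corpus.append(cand)
    return corpus, seen, crashes


if __name__ == "__main__":
    corpus, seen, crashes = greybox_fuzz([b"R\x01\x05hello"], 20000)
    print(len(corpus), "seeds,", len(seen), "edges,", len(crashes), "crashes")
```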

  39. Tomi Engdahl says:

    Not A Security Boundary: Breaking Forest Trusts

    For years Microsoft has stated that the forest was the security boundary in Active Directory. For example, Microsoft’s “What Are Domains and Forests?” document (last updated in 2014) has a “Forests as Security Boundaries” section which states (emphasis added):

    Each forest is a single instance of the directory, the top-level Active Directory container, and a security boundary for all objects that are located in the forest. This security boundary defines the scope of authority of the administrators. In general, a security boundary is defined by the top-level container for which no administrator external to the container can take control away from administrators within the container. As shown in the following figure, no administrators from outside a forest can control access to information inside the forest unless first given permission to do so by the administrators within the forest.

  40. Tomi Engdahl says:

    G DATA Techblog: Malware Analysis with a Graph Database

    Graph databases are growing in popularity because their connection-oriented data model is a natural fit for many domains where the connections between entities are of central importance. We discuss in this post whether a graph database can help us to analyse malware, both manually and for machine learning.

  41. Tomi Engdahl says:

    Hot fuzz: Bug detectives whip up smarter version of classic AFL fuzzer to hunt code vulnerabilities
    Flaw-spotting toolkit already has 42 zero-days to its name

  42. Tomi Engdahl says:

    One in three CISOs view cloud as a security risk

    Uncontrolled cloud expansion is more worrying than legacy IT or insider threats

    The cloud may be powering a great deal of business transformation, but many security leaders aren’t entirely happy about it, as new research reveals that one-third of CISOs view the cloud as their biggest security risk.

