Cyber security trends for 2021

Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before the year 2021 started. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

The state of internet security in 2020 was hard. The trends that stormed last year will continue well into 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year’s trend was that instead of ‘bring your own device’, it is now rather ‘bring your own office’.

2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. The 2021 Cybersecurity and IT Failures Roundup article presents lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lesson.

Kaspersky’s top three cybersecurity predictions for 2021 are an increase in targeted attacks, attacks that are more disruptive by exploiting contemporary issues, and that we will continue to have frequent and significant data breaches. I can pretty much agree on those. Cybersecurity must adapt to counter new threats in a transformed world.

Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization and stagnation. Naturally, the world is moving ahead: “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”

In 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad for compromising corporate IT and IoT networks. New Cybersecurity Threat Predictions for 2021 article points out that the traditional network perimeter has been replaced with multiple edge environments (WAN, multi-cloud, data center, remote worker, IoT and more), each with its own unique risks.

DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline – but victims are being urged not to give in to demands.

One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes, which means that first they encrypt your data so you can’t access it, and then they threaten to publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.

Modern cybercrime is becoming increasingly open-sourced, which means that some of the most sophisticated and notorious cybercriminals are already utilizing open-source tools to conduct their criminal activities, and this will increase.

Trend Micro survey results claim that AI is set to replace humans in cybersecurity by 2030. I am just wondering what this claim means, and whether the people who answered the survey have really understood AI and cyber security. My prediction is that we will need humans, AI and even traditional solutions for a long, long time.

The lack of people with cyber security skills is still a problem for many companies, because AI will not replace them any time soon. There are different views on how the situation has developed. Cybersecurity Skills Shortage Falls for First Time article claims that the shortfall in skills has dropped from 4.07 million last year to 3.12 million. As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that the information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for services has dramatically increased. Some companies claim that they have invented a “silver bullet” for educating cyber professionals, like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to the cloud, so we need more people who know both security and cloud, as The Cloud Talent Drought Continues (And Is Even Larger Than You Thought) article points out.

Hackers leverage sophisticated and novel techniques to break into networks article tells that the recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents, and expect more similar incidents that have not yet been revealed.

Want to avoid having your online accounts hacked? Enable two-factor authentication. Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.

A new version of OWASP Top-10 is coming this year. OWASP Top-10 2021 Statistics-based proposal article tries to make OWASP Top-10 2021 predictions calculated from understandable metrics, make everyone able to reproduce the results, and present them to the entire community for feedback.

Privacy is an illusion. But that‘s a good thing article says that everyone’s information is available; it doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back, and some just don’t care. With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in one future we have a private, anonymous alternative to cash, but in the Black Mirror future the money in your pocket knows everything about you. Cash is dying, that’s for sure. There are still ways to send anonymous emails, and it is a good idea to prepare for your digital life after death.

Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath makes the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom-of-speech issues, such as Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.

Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs, which must have vaguely defined “reasonable security features”. The US Government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. The EU introduces a cyber security IoT standard to protect its citizens, and ENISA Publishes Guidelines on Securing the IoT Supply Chain.

7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.

IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. 6 essential activities to help developers build in IoT cybersecurity article gives some ideas to improve cyber security in your IoT development.

2,204 Comments

  1. Tomi Engdahl says:

    https://github.com/ComodoSecurity/openedr

    We at OpenEDR believe in creating a cybersecurity platform with its source code openly available to the public, where products and services can be provisioned and managed together. EDR is our starting point. OpenEDR is a full blown EDR capability. It is one of the most sophisticated, effective EDR code bases in the world, and with the community’s help it will become even better.

    OpenEDR is free and its source code is open to the public. OpenEDR allows you to analyze what’s happening across your entire environment at base-security-event level. This granularity enables the accurate root-cause analysis needed for faster and more effective remediation.

    Reply
  2. Tomi Engdahl says:

    3 areas of implicitly trusted infrastructure that can lead to supply chain compromises https://www.helpnetsecurity.com/2021/05/13/supply-chain-compromises/
    To get a broader understanding of what organizations are up against, let’s look at three major supply chain compromises that occurred during the first quarter of 2021. Each one of these supply chain attacks targeted a different piece of implicitly trusted infrastructure, infrastructure that you may or may not be paying attention to as a potential target in your organization:
    1. Package squatting via software package repositories.
    2. Malicious commits via version control systems.
    3. Man-in-the-middle attacks via TLS certificates.

    Reply
  3. Tomi Engdahl says:

    Consumers Unforgiving of Merchants Data Failings https://www.infosecurity-magazine.com/news/consumers-unforgiving-of-merchants/
    New research has revealed that most American consumers who shop online will cease doing business with a merchant that mishandles their data.
    The finding emerged from the May 2021 Securing eCommerce study, carried out by PYMNTS.com in collaboration with NuData, which surveyed a census-balanced panel of nearly 2,400 American consumers.

    Reply
  4. Tomi Engdahl says:

    Four Years On: Two-thirds of Global Firms Still Exposed to WannaCry https://www.infosecurity-magazine.com/news/twothirds-global-firms-exposed/
    Over two-thirds (67%) of organizations are still running an insecure Windows protocol largely responsible for the infamous WannaCry and NotPetya attacks of 2017 and 2018, according to new research.
    Security vendor ExtraHop used its network detection and response (NDR) capabilities to analyze anonymized metadata from an unspecified number of customer networks, in order to better understand where they may be vulnerable to outdated protocols. Report at https://assets.extrahop.com/pdfs/security-advisories/insecure-protocols.pdf

    Reply
  5. Tomi Engdahl says:

    TRADING SCHEME RESULTING IN €30 MILLION IN LOSSES UNCOVERED https://www.europol.europa.eu/newsroom/news/trading-scheme-resulting-in-%E2%82%AC30-million-in-losses-uncovered
    On 11 May 2021, a large criminal network involved in investment fraud and money laundering was dismantled as a result of a cross border operation supported by Europol and Eurojust. The investigation, led by Germany, involved law enforcement and judicial authorities from Bulgaria, Israel, Latvia, North-Macedonia, Poland, Spain and Sweden.
    The criminal network created different trading online platforms advertising substantial profits from investments in high-risk options and cryptocurrencies. The criminal group ran at least four of such professionally looking trading platforms, luring victims through advertisements in social media and search engines.

    Reply
  6. Tomi Engdahl says:

    Responsible water services as the vision
    https://www.huoltovarmuuskeskus.fi/a/visiona-vastuullinen-vesihuolto
    In water services, high-quality and safe supply services are ensured, and the sector is being reformed into a carbon-neutral forerunner of the circular economy by 2030. This is the line taken in the recent national water services reform programme, which the National Emergency Supply Agency (HVK) also helped to prepare. Programme:
    https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/163046/MMM_2021_7.pdf?sequence=4&isAllowed=y
    “Securing the undisrupted operation of water services and managing risks better than at present, including cyber security, require changes to operations across the whole country.”

    Reply
  7. Tomi Engdahl says:

    Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise
    https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a
    CISA has provided this guidance to federal agencies with networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity. Conducting each step in this guidance is necessary to fully evict the adversary [...]. Failure to perform comprehensive and thorough remediation activity will expose enterprise networks and cloud environments to substantial risk for long-term undetected APT activity, and compromised organizations will risk further loss of sensitive data and erosion of public trust in their networks.

    Reply
  8. Tomi Engdahl says:

    How Biden’s new executive order plans to prevent another SolarWinds attack https://therecord.media/how-bidens-new-executive-order-plans-to-prevent-another-solarwinds-attack/
    President Biden signed a sweeping executive order on Wednesday aimed at protecting federal networks, as the East Coast continues to deal with the fallout from a ransomware attack that shut down one of the nation’s largest fuel pipelines for several days. The Biden administration has been drafting the order over the last few months, and it is designed less to address an incident like the one experienced by Colonial Pipeline, a privately-owned critical infrastructure operator that is believed to have been hit by a criminal gang, than it is aimed at preventing a future SolarWinds-like incident.
    https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
    Also:
    https://www.bleepingcomputer.com/news/security/biden-issues-executive-order-to-increase-us-cybersecurity-defenses/
    https://arstechnica.com/information-technology/2021/05/biden-signs-executive-order-to-strengthen-us-cybersecurity/

    Reply
  9. Tomi Engdahl says:

    Phishing, ransomware, web app attacks dominate data breaches in 2021, says Verizon Business DBIR https://www.zdnet.com/article/phishing-ransomware-web-app-attacks-dominate-data-breaches-in-2021-says-verizon-business-dbir/
    Web applications represented 39% of all data breaches in the last year with phishing attacks jumping 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report. The report, based on 5,358 breaches from 83 contributors around the world, highlights how the COVID-19 pandemic move to the cloud and remote work opened up a few avenues for cybercrime. Verizon Business found that 61% of all breaches involved credential data.
    Consistent with previous years, human negligence was the biggest threat to security.

    Reply
  10. Tomi Engdahl says:

    DNA found out: These are the 3 biggest online fears of Finns https://www.is.fi/digitoday/tietoturva/art-2000007973955.html
    In telecom operator DNA’s Digital Lifestyles survey, respondents were asked about, among other things, various topics related to digital security. According to DNA’s press release, three things in particular stood out in the survey as threats that Finns perceived online. 37 percent of respondents were worried about losing personal data in a data breach. Second and third in the survey were concerns related to identity theft. Investigating and repairing the resulting damage worried
    36 percent of respondents. 34 percent of respondents considered financial harm a threat.

    Reply
  11. Tomi Engdahl says:

    Ransomware: How the NHS learned the lessons of WannaCry to protect hospitals from attack https://www.zdnet.com/article/ransomware-how-the-nhs-learned-the-lessons-of-wannacry-to-protect-hospitals-from-attack/
    Four years ago, the UK’s National Health Service suddenly found itself one of the most high profile victims of a global cyber attack. On 12 May 2017, WannaCry ransomware hit organisations around the world, but hospitals and GP surgeries throughout England and Scotland were particularly badly affected. A significant number of services were disrupted as malware encrypted computers used by NHS trusts, forcing thousands of appointments to be cancelled and ambulances to be rerouted.

    Reply
  12. Tomi Engdahl says:

    Despite Heightened Breach Fears, Incident Response Capabilities Lag
    https://www.darkreading.com/attacks-breaches/despite-heightened-breach-fears-incident-response-capabilities-lag/d/d-id/1341000
    Heightened data breach concerns especially since the global COVID-19 outbreak early last year don’t appear to have prompted significantly improved incident response (IR) plans or capabilities at many organizations. A new survey of 500 security and risk leaders conducted by Wakefield Research on behalf of Red Canary, Kroll, and VMware shows more than one-third (36%) of organizations still don’t have a structured IR process in place. Report:
    https://redcanary.com/resources/guides/the-state-of-incident-response-2021/

    Reply
  13. Tomi Engdahl says:

    Ransomware world in 2021: who, how and why https://securelist.com/ransomware-world-in-2021/102169/
    As the world marks the second Anti-Ransomware Day, there’s no way to deny it: ransomware has become the buzzword in the security community.
    And not without good reason. The threat may have been around a long time, but it’s changed. Year after year, the attackers have grown bolder, methodologies have been refined and, of course, systems have been breached. Yet, much of the media attention ransomware gets is focused on chronicling which companies fall prey to it. In this report, we take a step back from the day-to-day ransomware news cycle and follow the ripples back into the heart of the ecosystem to understand how it is organized.

    Reply
  14. Tomi Engdahl says:

    DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks https://us-cert.cisa.gov/ncas/alerts/aa21-131a
    The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.

    Reply
  15. Tomi Engdahl says:

    Number of industrial control systems on the internet is lower then in 2020…but still far from zero https://isc.sans.edu/forums/diary/Number+of+industrial+control+systems+on+the+internet+is+lower+then+in+2020but+still+far+from+zero/27412/
    With the recent ransomware attack that impacted operation of one of the major US pipelines[1], I thought it might be a good time to revisit the old topic of internet-connected industrial systems. Since operational technologies are generally used to support/control processes that directly impact the physical world, the danger of successful attacks on them should be self-evident, as should the need to protect them.

    Reply
  16. Tomi Engdahl says:

    Vulnerable Protocols Leave Firms Open to Further Compromises
    https://www.darkreading.com/risk/vulnerable-protocols-leave-firms-open-to-further-compromises/d/d-id/1340993
    Companies may no longer have Internet-facing file servers or weakly secured Web servers, but attackers that get by the perimeter have a wide-open landscape of vulnerability. Nearly nine out of every 10 companies have devices that use outdated protocols, such as Microsoft’s Server Message Block version 1 for sharing files, giving attackers that breach the network perimeter an easy avenue to extend a compromise, according to a new report by network security firm ExtraHop.

    Reply
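The ExtraHop findings quoted in comment 4 and in the comment above both come down to one observable: whether clients on the wire still negotiate the SMBv1 dialects. The following is an added example, not code from ExtraHop or from the articles quoted: it classifies SMB negotiate requests by protocol generation and lists the dialects offered. An SMB1 multi-protocol negotiate (header `0xFF 'S' 'M' 'B'`) means the client still has SMBv1 enabled; a direct SMB2 negotiate (`0xFE 'S' 'M' 'B'`) means it does not. The packets are constructed with the builder functions at the bottom; a real deployment would feed in payloads captured from TCP port 445.

```python
"""Classify SMB negotiate requests by protocol generation (added example).

Only the header fields needed for the classification are parsed: the SMB1
command byte at offset 4 and the dialect strings in the NEGOTIATE body, or the
SMB2 16-bit command at offset 12 and the Dialects[] array after the 36-byte
fixed part of the SMB2 NEGOTIATE request.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72   # command byte at offset 4 of the 32-byte SMB1 header
SMB2_NEGOTIATE = 0x0000     # 16-bit command at offset 12 of the 64-byte SMB2 header
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_netbios(data: bytes) -> bytes:
    """Drop the 4-byte NetBIOS session header (type 0x00 + 24-bit length) if present."""
    if len(data) >= 4 and data[0] == 0x00:
        length = int.from_bytes(data[1:4], "big")
        return data[4:4 + length]
    return data


def smb1_dialects(payload: bytes) -> list[str]:
    """Dialect strings offered by an SMB1 NEGOTIATE request."""
    if len(payload) < 35 or payload[4] != SMB1_COM_NEGOTIATE:
        return []
    word_count = payload[32]                       # parameter words (0 for NEGOTIATE)
    bc_off = 33 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", payload, bc_off)
    data = payload[bc_off + 2:bc_off + 2 + byte_count]
    # each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string
    return [chunk[1:].decode("ascii", "replace")
            for chunk in data.split(b"\x00") if chunk.startswith(b"\x02")]


def smb2_dialects(payload: bytes) -> list[str]:
    """Dialect codes offered by an SMB2 NEGOTIATE request, as names."""
    if len(payload) < 64 + 36:
        return []
    (command,) = struct.unpack_from("<H", payload, 12)
    if command != SMB2_NEGOTIATE:
        return []
    (count,) = struct.unpack_from("<H", payload, 64 + 2)          # DialectCount
    codes = struct.unpack_from("<%dH" % count, payload, 64 + 36)   # Dialects[]
    return [SMB2_DIALECTS.get(c, "unknown 0x%04x" % c) for c in codes]


def classify_negotiate(packet: bytes) -> dict:
    """What a single negotiate request tells a defender about the client."""
    payload = strip_netbios(packet)
    if payload.startswith(SMB1_MAGIC):
        dialects = smb1_dialects(payload)
        # A client with SMB1 disabled never sends this header; one that offers
        # no "SMB 2.*" dialect cannot be upgraded by the server at all.
        return {"generation": "SMB1", "dialects": dialects, "smb1_enabled": True,
                "smb1_only": not any(d.startswith("SMB 2") for d in dialects)}
    if payload.startswith(SMB2_MAGIC):
        return {"generation": "SMB2+", "dialects": smb2_dialects(payload),
                "smb1_enabled": False, "smb1_only": False}
    return {"generation": "not SMB", "dialects": [], "smb1_enabled": False, "smb1_only": False}


def count_smb1_clients(packets: list[bytes]) -> int:
    """Number of captured negotiate requests that come from SMB1-enabled clients."""
    return sum(classify_negotiate(p)["smb1_enabled"] for p in packets)


# --- constructed sample packets: minimal headers, only the fields read above are meaningful
def build_smb1_negotiate(dialects: list[str]) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data                  # WordCount=0, ByteCount, dialects
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def build_smb2_negotiate(codes: list[int]) -> bytes:
    header = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58           # command field 0 = NEGOTIATE
    fixed = struct.pack("<HHHH", 36, len(codes), 1, 0) + b"\x00" * 28    # StructureSize, DialectCount, SecurityMode, Reserved, then Capabilities/ClientGuid/context fields zeroed
    payload = header + fixed + struct.pack("<%dH" % len(codes), *codes)
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


LEGACY_CLIENT = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
UPGRADABLE_CLIENT = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
MODERN_CLIENT = build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])

if __name__ == "__main__":
    for name, pkt in [("legacy", LEGACY_CLIENT), ("upgradable", UPGRADABLE_CLIENT), ("modern", MODERN_CLIENT)]:
        print(name, classify_negotiate(pkt))
    print("SMB1-enabled clients:", count_smb1_clients([LEGACY_CLIENT, UPGRADABLE_CLIENT, MODERN_CLIENT]))
```

The "upgradable" case is the common one in mixed estates: the client is modern enough to move to SMB2 when the server offers it, but it still announces SMB1 first, so an SMB1-capable server (or an attacker who has breached the perimeter and answers as one) can keep it on the old protocol. Counting those clients, not just the servers, is what the "still exposed" figures measure.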
  17. Tomi Engdahl says:

    Biden Signs Executive Order on Strengthening Cybersecurity Defenses: Feedback Friday
    https://www.securityweek.com/biden-signs-executive-order-strengthening-cybersecurity-defenses-feedback-friday

    U.S. President Joe Biden this week signed an executive order on improving the country’s cybersecurity defenses. The order represents the government’s response to the SolarWinds and other significant attacks carried out by foreign threat actors.

    The executive order focuses on removing barriers to threat information sharing, adopting more modern security solutions (e.g. zero trust architecture), enhancing the security of the software supply chain by requiring developers to improve their security practices, establishing a Cyber Safety Review Board that will review and assess significant incidents, and standardizing the government’s response to vulnerabilities and incidents.

    Executive Order on Improving the Nation’s Cybersecurity
    https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

    Reply
  18. Tomi Engdahl says:

    Summary of Vulnerabilities
    https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
    Design Flaws
    • CVE-2020-24588: Accepting non-SPP A-MSDU frames: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SPP A-MSDU frames, which is mandatory as part of 802.11n, an adversary can abuse this to inject arbitrary network packets.
    • CVE-2020-24587: Reassembling fragments encrypted under different keys: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
    • CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that received fragments must be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    Implementation flaws allowing trivial packet injection
    • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network): Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
    • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network): Vulnerable Wi-Fi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
    • CVE-2020-26140: Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
    • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
    Other Implementation Vulnerabilities
    • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated: Vulnerable Access Points (APs) forward EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. An adversary might be able to abuse this in protected Wi-Fi networks to launch denial-of-service attacks against connected clients, and this makes it easier to exploit other vulnerabilities in connected clients.
    • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
    • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
    • CVE-2020-26142: Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
    • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.

    Reply
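Most of the entries in the summary above describe a receiver that reassembles fragments it should have refused. The following is an added example, not code from the fragattacks repository or from any Wi-Fi stack: a simplified receiver model in which each fragment has already been decrypted (or arrived in plaintext) and carries its fragment number, More Fragments flag, packet number (PN) and the identifier of the key it decrypted under. The rules it enforces are the defender-side reading of the list: drop plaintext in a protected network (CVE-2020-26140, 26143, 26147), require one key for all fragments of a frame (CVE-2020-24587), require consecutive PNs (CVE-2020-26146), never deliver a partial frame as a full frame (CVE-2020-26142) and flush the cache when a station (re)connects (CVE-2020-24586). A-MSDU handling (CVE-2020-24588) is not modeled, and the fragment fields are a simplified stand-in for the real 802.11 headers.

```python
"""Hardened 802.11-style fragment reassembly (added, simplified model)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    sender: str
    seq: int                  # sequence number shared by all fragments of one frame
    frag_no: int              # fragment number, starting at 0
    more: bool                # More Fragments flag
    pn: Optional[int]         # CCMP/GCMP packet number; None if the fragment was plaintext
    key_id: Optional[int]     # key it decrypted under; None if plaintext
    payload: bytes


@dataclass
class Pending:
    key_id: int
    last_pn: int
    next_frag: int
    chunks: list = field(default_factory=list)


class HardenedReassembler:
    """Per-sender fragment cache that refuses the unsafe reassembly cases."""

    def __init__(self) -> None:
        self.pending: dict[tuple[str, int], Pending] = {}
        self.dropped: list[str] = []   # drop reasons; useful as detection telemetry

    def _drop(self, frag: Fragment, reason: str) -> None:
        self.dropped.append(f"{frag.sender} seq={frag.seq} frag={frag.frag_no}: {reason}")
        self.pending.pop((frag.sender, frag.seq), None)   # discard the partial frame too

    def on_connect(self, sender: str) -> None:
        """CVE-2020-24586: forget every partial frame from a (re)connecting station."""
        for key in [k for k in self.pending if k[0] == sender]:
            del self.pending[key]

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled frame when it is complete, otherwise None."""
        key = (frag.sender, frag.seq)
        if frag.key_id is None or frag.pn is None:
            self._drop(frag, "plaintext fragment in a protected network")
            return None
        if frag.frag_no == 0:
            if not frag.more:
                return frag.payload                         # ordinary unfragmented frame
            self.pending[key] = Pending(frag.key_id, frag.pn, 1, [frag.payload])
            return None                                     # never deliver a partial frame
        pend = self.pending.get(key)
        if pend is None:
            self._drop(frag, "fragment without a first fragment")
            return None
        if frag.frag_no != pend.next_frag:
            self._drop(frag, "fragment number out of order")
            return None
        if frag.key_id != pend.key_id:
            self._drop(frag, "fragments encrypted under different keys")
            return None
        if frag.pn != pend.last_pn + 1:
            self._drop(frag, "non-consecutive packet number")
            return None
        pend.chunks.append(frag.payload)
        pend.last_pn, pend.next_frag = frag.pn, frag.frag_no + 1
        if frag.more:
            return None
        del self.pending[key]
        return b"".join(pend.chunks)


def replay(events: list) -> tuple[list, list]:
    """Feed fragments and ('connect', sender) events in order; return deliveries and drop reasons."""
    rx = HardenedReassembler()
    out = []
    for ev in events:
        if isinstance(ev, tuple) and ev[0] == "connect":
            rx.on_connect(ev[1])
        else:
            out.append(rx.receive(ev))
    return out, rx.dropped


# Constructed sample traffic: one clean fragmented frame, then the cases listed above.
CLEAN = [Fragment("sta1", 10, 0, True, 100, 1, b"hello "),
         Fragment("sta1", 10, 1, False, 101, 1, b"world")]
KEY_CHANGE = [Fragment("sta1", 11, 0, True, 102, 1, b"A"),
              Fragment("sta1", 11, 1, False, 103, 2, b"B")]   # rekeyed mid-frame
GAPPED_PN = [Fragment("sta1", 12, 0, True, 104, 2, b"A"),
             Fragment("sta1", 12, 1, False, 110, 2, b"B")]    # PN jumps
MIXED = [Fragment("sta1", 13, 0, True, 111, 2, b"A"),
         Fragment("sta1", 13, 1, False, None, None, b"B")]    # plaintext tail
RECONNECT = [Fragment("sta1", 14, 0, True, 112, 2, b"A"), ("connect", "sta1"),
             Fragment("sta1", 14, 1, False, 113, 2, b"B")]    # cache must be empty after reconnect

if __name__ == "__main__":
    delivered, dropped = replay(CLEAN + KEY_CHANGE + GAPPED_PN + MIXED + RECONNECT)
    print("delivered:", [d for d in delivered if d is not None])
    print("dropped:", *dropped, sep="\n  ")
```

In a real driver the same checks belong where fragments are queued for reassembly, and the drop reasons are worth exporting as counters: a burst of "different keys" or "plaintext fragment" drops from one station is exactly the kind of anomaly a wireless IDS can alert on.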
  19. Tomi Engdahl says:

    IPv6 security
    https://hackaday.com/2021/05/14/this-week-in-security-fragattacks-the-pipeline-codecov-and-ipv6/
    As a new Starlink customer (review coming soon), and consequently using IPv6 for the first time, I’m excited and a bit concerned by IPv6. The excitement should be obvious, but I’m concerned because so many of our security habits and assumptions don’t necessarily translate to IPv6. For example, you probably know exactly what ports, if any, you’re exposing on your public IPv4 address. Have you stopped and thought about what ports are exposed on your IPv6 addresses? Remember that Windows HTTP hack from above? I fully expect to eventually see a worm that replicates over IPv6, through various means.
    There are, thankfully, already some IPv6 port scanning services. It might be worth taking a minute to double-check that your IPv6 firewall is working as intended, if you have IPv6 service. IPv6 is working seamlessly enough that your ISP may have rolled out support without you noticing, but if you are concerned with security, you should notice — we’ve all gotten a bit lax, taking IPv4 NAT routing for granted.

    Reply
  20. Tomi Engdahl says:

    The National Cyber Security Centre gets more responsibilities
    https://www.uusiteknologia.fi/2021/05/12/kyberturvallisuuskeskus-saa-lisaa-vastuita/

    The National Cyber Security Centre of the Finnish Transport and Communications Agency is getting new responsibilities, at the same time as the centre also becomes the national cyber security coordination centre. The new role strengthens the centre’s ability to support the Finnish information security sector at the European level.

    Behind the designation of the cyber security coordination centre is the regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres, which is intended to be issued later this year.

    The new national coordination centre is intended to act as Finland’s contact, coordination and support point in the network of coordination centres. In addition, its task is to assemble from its stakeholders a community that operates as part of the EU-wide cyber security competence community.

    Reply
  21. Tomi Engdahl says:

    F-Secure moved company protection to the cloud
    https://etn.fi/index.php/13-news/12157-f-secure-siirsi-yrityksen-suojan-pilveen
    F-Secure has today launched a new cloud-based platform called F-Secure Elements, which streamlines the way organizations use cyber security services. F-Secure Elements is available from F-Secure’s partners as fixed-term licence subscriptions or with usage-based billing.
    The cloud-based platform gives organizations the possibility to choose information security services according to their needs.
    F-Secure Elements is a modular platform that combines endpoint protection, endpoint detection and response (EDR), vulnerability management and protection of cloud services (such as Microsoft Office 365).
    During the pandemic, many customers became frustrated when security product vendors refused to renegotiate licence usage, even though licence usage in the organization had fallen because of staff furloughs. Thanks to the transparency of F-Secure Elements’ usage-based billing, organizations can make decisions about investments, and there is no need to pay for unused licences or services.

    Reply
  22. Tomi Engdahl says:

    Censorship, Surveillance and Profits: A Hard Bargain for Apple in China https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html
    Internal Apple documents reviewed by The New York Times, interviews with 17 current and former Apple employees and four security experts, and new filings made in a court case in the United States last week provide rare insight into the compromises Mr. Cook has made to do business in China. Chinese state employees physically manage the computers. Apple abandoned the encryption technology it used elsewhere after China would not allow it. And the digital keys that unlock information on those computers are stored in the data centers they’re meant to secure. Also
    https://twitter.com/matthew_d_green/status/1394394630523871233

    Reply
  23. Tomi Engdahl says:

    Crypto-mining gangs are running amok on free cloud computing platforms https://therecord.media/crypto-mining-gangs-are-running-amok-on-free-cloud-computing-platforms/
    Over the course of the last few months, some crypto-mining gangs have switched their modus operandi from attacking and hijacking unpatched servers to abusing the free tiers of cloud computing platforms. The list of services that have been abused this way includes the likes of GitHub, GitLab, TravisCI, LayerCI, CircleCI, Render, CloudBees CodeShip, Sourcehut, and Okteto.

    Reply
  24. Tomi Engdahl says:

    Microsoft, Adobe Exploits Top List of Crooks Wish List https://threatpost.com/top-microsoft-adobe-exploits-list/166241/
    The exploit market is accommodating cybercrooks’ hunger for puncturing Microsoft products, according to Trend Micro. A second data point (see chart below) shows that 61 percent of sold exploits targeted Microsoft products, including Office, Windows, Internet Explorer and Microsoft Remote Desktop Protocol (RDP). Researchers found that the average price for exploits that threat actors were willing to pay was $2,000.
    The crooks are going after fresh, tender new vulnerabilities, with 52 percent of exploits on their wish list being less than 2 years old: an age bracket that also accounts for 54 percent of exploits being sold.
    Also
    https://www.darkreading.com/vulnerabilities---threats/47--of-criminals-buying-exploits-target-microsoft-products/d/d-id/1341037

  25. Tomi Engdahl says:

    Latest phones are great at thwarting Wi-Fi tracking. Other devices, not so much – study https://www.theregister.com/2021/05/18/wifi_tracking_failures/
    “We think this per-connection randomization scheme is a significant step in the right direction and has become the standard across modern mobile devices as of iOS 14 and Android 10,” Ellis Fenske, assistant professor of cyber science at the US Naval Academy told The Register, in a personal rather than institutional capacity.

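
The per-connection MAC randomization the Register piece describes can be checked from captured frames by looking at one bit of the client address. The block below is an added example, not code from the study, The Register or the author of this page: the sightings, SSIDs and addresses are constructed for the example, and the "stable address is trackable across networks" grouping is a simplification of what the study measured.

```python
"""Classify Wi-Fi client MACs as randomized or hardware-assigned (added example).

Not code from the study or The Register. The check relies on the IEEE
locally-administered bit (0x02 in the first octet): a manufacturer-burned
address has it clear, while the per-network random MACs that iOS 14 and
Android 10 generate set it. The sightings below are constructed.
"""

# Constructed sightings: (time, client MAC, SSID) from probe/association frames.
SIGHTINGS = [
    ("09:00", "da:a1:19:3c:4e:01", "CafeWiFi"),     # randomized MAC, reused only on CafeWiFi
    ("09:05", "da:a1:19:3c:4e:01", "CafeWiFi"),
    ("12:30", "6e:0b:42:9f:10:77", "OfficeGuest"),  # a different random MAC for another network
    ("18:15", "00:1b:44:11:3a:b7", "CafeWiFi"),     # stable, hardware-style address (constructed)
    ("18:40", "00:1b:44:11:3a:b7", "HomeNet"),
    ("18:45", "00:1b:44:11:3a:b7", "HomeNet"),
]


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC, rejecting malformed input."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """True when the address is not manufacturer-assigned (bit 0x02 of octet 0 is set)."""
    return bool(parse_mac(mac)[0] & 0x02)


def linkable_identifiers(sightings):
    """Map each stable (non-randomized) MAC to the networks it was seen on.

    Randomized MACs are dropped: even when one is reused on a single network,
    it cannot be joined across networks. A stable MAC ties every sighting,
    on every network, to one device.
    """
    by_mac = {}
    for _, mac, ssid in sightings:
        by_mac.setdefault(mac, set()).add(ssid)
    return {mac: sorted(nets) for mac, nets in by_mac.items()
            if not is_locally_administered(mac)}


def randomization_ratio(sightings):
    """Fraction of distinct client addresses that are randomized."""
    macs = {mac for _, mac, _ in sightings}
    return sum(is_locally_administered(m) for m in macs) / len(macs)


if __name__ == "__main__":
    print(f"{randomization_ratio(SIGHTINGS):.0%} of client addresses are randomized")
    for mac, nets in linkable_identifiers(SIGHTINGS).items():
        print(f"{mac} is trackable across {nets}")
```

On the constructed input two of the three client addresses are randomized and only the stable one can be followed from CafeWiFi to HomeNet, which is the gap the study points at for devices that do not randomize.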
  26. Tomi Engdahl says:

    EU extends sanctions against Chinese, Russian, and N. Korean hackers for another year https://therecord.media/eu-extends-sanctions-against-chinese-russian-and-n-korean-hackers-for-another-year/
    The European Union has extended today the legal framework that allows it to sanction foreign hackers, effectively extending its existing sanctions on Chinese, Russian, and North Korean hackers for another year, until May 18, 2022.

  27. Tomi Engdahl says:

    Cloud Configuration Risks Exposed
    https://f.hubspotusercontent40.net/hubfs/1665891/Threat%20reports/AquaSecurity_Cloud_security_report_H1-2021.pdf
    There are numerous security posture issues across infrastructure as a service (IaaS) and platform as a service (PaaS) accounts, which suggests a wide-ranging lack of understanding of proper infrastructure configuration. 82.4% of environments had open-to-the-internet issues.
    8% of small and midsize business users fixed every detected issue, versus only 1% of enterprise users. More than 50% of organizations get alerts about misconfigured services that have left ports open to the world. But only 68% of these issues were fixed and even then, the average time to do so was 24 days.

  28. Tomi Engdahl says:

    Ransomware victim shows why transparency in attacks matters https://www.bleepingcomputer.com/news/security/ransomware-victim-shows-why-transparency-in-attacks-matters/
    On May 5th, green energy tech provider Volue suffered a Ryuk ransomware attack that impacted some of their front-end customer platforms. Since then, Volue has been transparent about the cyberattack by providing webcasts, daily updates, and the email addresses and phone numbers for their CEO and CFO for questions about the attack. Volue’s transparency is in stark contrast to the disclosures typically seen in ransomware attacks and should be used as a model for future disclosures.

  29. Tomi Engdahl says:

    Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing
    https://www.securityweek.com/despite-warnings-cloud-misconfiguration-problem-remains-disturbing

    Misconfigurations are often introduced by cloud users either by actions or failure to implement available controls, are often left unremedied even when known, and take too long to be fixed when they are fixed.

    Cloud Security Posture Management (CSPM) firm Aqua Security has analyzed the anonymized cloud configuration data of hundreds of its clients over a period of 12 months. The intent was to discover the size of the cloud misconfiguration problem, and the response from industry to known issues.

  30. Tomi Engdahl says:

    Aqua found (PDF) that more than 50% of organizations receive alerts about misconfigured services with all ports open to anyone with internet access – but only 68% were fixed, taking an average of 24 days. More than 40% of the organizations had at least one misconfigured Docker API, that took an average of 60 days to fix.

    Partly, suggests Aqua, this is caused by the changing business processes that accompany a move into the cloud. “Cloud-native applications improve agility by giving more people access to define the environment, but we see many organizations move away from a centralized approach to security,” said Assaf Morag, lead data analyst with Aqua’s Nautilus research team. “The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralized approach. Development teams are making configuration decisions or applying services, and that can have dramatic implications for the security posture of an organization’s production environment.”

    This may also be the underlying cause behind the vast number of exposed data-containing storage buckets left in the cloud. The most publicly visible cloud misconfiguration issue occurs when a data owner leaves the data in storage that is open to the internet. We learn of new examples weekly. In fact, most major cloud service providers (CSPs) have initial storage default settings set to ‘private’ — but this seems to frequently be changed by the user to “0.0.0.0/0,” “::/0,” or all protocols and ports; presumably to improve ease of use. This may be when one developer spins up something like an S3 bucket, but decides he must open access to other remote developers – and in attempting to do so, he or she opens access for everyone.

    Encryption of data at rest is a service provided by the major CSPs. In AWS it must be enabled by the user, while Google Cloud Services and Azure provide it by default. Some companies simply don’t enable it, while other companies actively disable it.

    Aqua found that 60.8% of organizations had MFA disabled, and only 38.8% remediated the issue, taking an average of 65.2 days to do so. Nearly 18% had a deviation from the principle of least privilege, with only 40.7% of them correcting the issue in an average of 55.8 days. Unused credentials are an even bigger problem, involving 88.2% of organizations. This was remediated by a higher number of companies (73.3%), but they took an average of 76.3 days to do so.

    https://www.securityweek.com/despite-warnings-cloud-misconfiguration-problem-remains-disturbing

  31. Tomi Engdahl says:

    European Union Extends Framework for Cyberattack Sanctions
    https://www.securityweek.com/european-union-extends-framework-cyberattack-sanctions

    The European Council this week announced its decision to extend for one year the framework for sanctions against cyberattacks that threaten the European Union and its member states.

    Established in 2017, the framework allows member states to take restrictive measures against cyberattacks, including to prevent, discourage, deter and respond to malicious activities. Last year, the European Council announced a decision to extend the framework until May 18, 2021.

    On Monday, the council announced that the framework has been prolonged until May 18, 2022. This means that the EU and member states may continue to take restrictive measures when dealing with cyberattacks.

  32. Tomi Engdahl says:

    FBI: IC3 Received 6 Million Cybercrime Complaints Since Inception
    https://www.securityweek.com/fbi-ic3-received-6-million-cybercrime-complaints-inception

    The Federal Bureau of Investigation says its Internet Crime Complaint Center (IC3) received more than one million cybercrime complaints over the past 14 months.

    Established in 2000 as the Internet Fraud Complaint Center and renamed in 2002, IC3 has received a total of 6 million complaints to date. The first million complaints were logged after nearly seven years. In March last year, only weeks before its 20th anniversary, the Center topped 5 million complaints.

    In addition to collecting and reporting on this data, the IC3 also issues alerts to the public about new scams or upticks in specific crimes. It also provides federal and other government agencies with access to the collected data.

    Over the past several years, the Center has seen a steady increase in the number of reported cybercrime incidents. Between 2019 and 2020, the number of complaints went up nearly 70%, but the increase in reported losses wasn’t as sharp.

    Throughout 2020, the IC3 received roughly 800,000 cybercrime complaints, which resulted in losses of approximately $4.2 billion. In 2019, the Center received nearly 467,000 complaints, with the reported losses totaling $3.5 billion.

  33. Tomi Engdahl says:

    Security Automation: Data is More Important Than Process
    https://www.securityweek.com/security-automation-data-more-important-process

    Automation can’t be just about running the process, but must include three important stages

    I’ve written a lot about the challenges their Security Operations Centers (SOCs) face with respect to data, systems and people as they transform to become detection and response organizations. The key elements required include relevant and prioritized data, bi-directional integration across systems, and passive and active collaboration. What brings it all together, particularly given the shortage of security personnel, is automation.

    New product categories have emerged to tackle the automation challenge, including Security Orchestration, Automation and Response (SOAR) platforms and tools and Extended Detection and Response (XDR) solutions. But the truth is, the security industry’s approach to automation has overlooked the vastly different needs of detection and response use cases because the focus has been on defining a process and automating the steps needed to complete that process. That works fine if you’re in a static environment doing the same thing over and over again. But for detection and response, which is dynamic and variable, that’s not the case. What is learned from performing an action is far more important than the action itself, so you need to look at inputs and outputs to the process.

  34. Tomi Engdahl says:

    How Stubbornness Can Harm an Organization’s Security Posture
    https://www.securityweek.com/how-stubbornness-can-harm-organizations-security-posture

    Too often, when we are set in our ways, we can get dismissive

    Some people are open to change, receptive to feedback, seek diverse data points, and are willing to weigh different perspectives. Other people are quite the opposite. Still others are somewhere in between. Where a person falls on the stubbornness spectrum and why they behave stubbornly has always interested me.

    Stubbornness is defined as “dogged determination not to change one’s attitude or position on something.”

    Despite my interest in this topic, I know neither what drives a stubborn person nor what makes a flexible one. That hasn’t stopped me, however, from observing different behaviors and deducing a few security lessons over the course of my career.

    In this piece, I’d like to analyze five statements stubborn people often say, discuss how they harm an organization’s security posture, and suggest ways forward in each case.

    “We’ve always done it this way”

    “I’ve already decided that this is the right approach”

    “We’ve already committed to doing this”

    “I don’t care what the data say”

    “They don’t know what they’re talking about”

  35. Tomi Engdahl says:

    Apple Platform Security Guide Updated With Details on Authentication Features
    https://www.securityweek.com/apple-platform-security-guide-updated-details-authentication-features

    Apple this week updated its Platform Security Guide to provide more details on a couple of recently announced authentication features.

    Apple’s Platform Security Guide contains detailed technical information on the security technologies and features implemented in its products. The first guide was released in 2015, but it only covered the iOS operating system. In its current form, the guide also provides information on macOS and hardware.

    The May 2021 update to the Platform Security Guide focuses on two topics: Touch ID on the iMac’s Magic Keyboard, and the iPhone unlock with Apple Watch feature in iOS 14.5. Both these authentication features were announced by Apple in April.

  36. Tomi Engdahl says:

    Try This One Weird Trick Russian Hackers Hate
    May 17, 2021
    https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/

    In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick.

  37. Tomi Engdahl says:

    A Renewed Push to Improve the Nation’s Cybersecurity
    https://www.securityweek.com/renewed-push-improve-nations-cybersecurity

    Biden’s Executive Order to improve the nation’s cybersecurity is a good first step, but it is unlikely to materially change the defensive posture of the nation

    In response to recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline ransomware attack, President Biden on May 12, 2021 signed an Executive Order (EO) to improve the nation’s cybersecurity and protect federal government networks. For close observers, this seems to be like Groundhog Day, as past incoming administrations have issued similar executive orders to address insufficient cybersecurity defenses that leave public and private sector entities vulnerable to attacks. The National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Department of Homeland Security’s Continuous Diagnostic and Mitigation (CDM) Program are good examples of past attempts to strengthen the federal government’s security posture and improve cyber resilience. The big question is whether the proposed actions in this new EO are attainable.

    In this context, the EO highlights numerous areas of weakness in the nation’s cybersecurity defense strategy and proposes many commendable practices to mitigate them, such as:

    • Remove Barriers to Threat Information Sharing Between the Government and the Private Sector: To enable more effective defenses of federal agencies and improve the nation’s resilience, IT service providers will be required to share certain data breach information that could impact government networks.

    • Modernize and Implement Stronger Cybersecurity Standards in the Federal Government: To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the federal government must take decisive steps to modernize its approach to cybersecurity, including accelerating movement to secure cloud services, establishing a Zero Trust architecture, and deploying foundational security tools such as multi-factor authentication and data encryption.

    • Improve Software Supply Chain Security: Besides establishing baseline security standards for the development of software sold to the federal government, the EO calls for the creation of a pilot program to create an “energy star” type of certification so the government – and the public at large – can quickly determine whether software was developed securely.

    • Establish a Cybersecurity Safety Review Board: To analyze what happened in a cyber-attack and derive concrete recommendations for improving cybersecurity, the EO calls for the creation of a Cybersecurity Safety Review Board, which is co-chaired by government and private sector leads. This board is modeled after the National Transportation Safety Board, which is used to investigate airplane crashes and other incidents.

    • Create a Standard Playbook for Responding to Cyber Incidents: To assure preparedness in taking uniform steps to identify and mitigate cyber threats, the EO calls for the creation of a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. The playbook will also provide the private sector with a template for its response efforts.

    • Improve Detection of Cybersecurity Incidents on Federal Networks: Acknowledging the slow and inconsistent deployment of foundational cybersecurity tools and practices across government agencies, the EO calls for the deployment of a centralized endpoint detection and response initiative, active cyber-hunting, containment and remediation, as well as incident response.

    • Improve Investigative and Remediation Capabilities: The EO creates cybersecurity event log requirements for federal departments and agencies.

  38. Tomi Engdahl says:

    Evil Logitech – erm I ment USB cable
    https://luemmelsec.github.io/Building-An-Evil-USB-Cable/
    I already heard about something like this in the past, which reminded me of the expensive O.MG cable from HAK5 or the USB Ninja. But if you like to tinker a little bit and are on a budget, you can pretty much get the same results for like 30 bucks.

  39. Tomi Engdahl says:

    Recycle Your Phone, Sure, But Maybe Not Your Number https://krebsonsecurity.com/2021/05/recycle-your-phone-sure-but-maybe-not-your-number/
    Researchers in the computer science department at Princeton University say they sampled 259 phone numbers at two major wireless carriers, and found 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Paper at https://recyclednumbers.cs.princeton.edu/assets/recycled-numbers-latest.pdf

  40. Tomi Engdahl says:

    Six Ransomware Gangs Claim 290+ New Victims in 2021, Potentially Reaping $45M for the Hackers https://s3.ca-central-1.amazonaws.com/esentire-dot-com-assets/assets/resourcefiles/esentire_threat-report_Six-Ransomware-Gangs-Claim-290-New-Victims.pdf
    In order to get a better handle on the true scope of ransomware, eSentire's security research team, the Threat Response Unit (TRU), decided to focus on the current activity of four of the top ransomware gangs and two emerging ransomware groups (Ryuk/Conti, Sodin/REvil, CLOP, DoppelPaymer, DarkSide and Avaddon).

  41. Tomi Engdahl says:

    US introduces bills to secure critical infrastructure from cyber attacks https://www.bleepingcomputer.com/news/security/us-introduces-bills-to-secure-critical-infrastructure-from-cyber-attacks/
    “Other measures passed in today's markup include bills to help State and Local governments protect their networks, provide critical infrastructure owners and operators with mitigation strategies against critical vulnerabilities, and establish a national cyber exercise program to promote more regular testing of preparedness and resilience to cyber attacks against critical infrastructure,” the . Committee said in a press release.

  42. Tomi Engdahl says:

    The Active Adversary Playbook 2021
    https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/
    The median time that attackers were able to remain in the target network before detection (dwell time) was 11 days. The longest intruder dwell time observed by rapid responders was 439 days (more than 15 months). The release of ransomware is often the point at which an attack becomes visible to the IT security team. It is therefore not surprising that 81% of the incidents Sophos responded to involved ransomware. Ransomware attacks tend to have shorter dwell time than stealth attacks, because they are all about destruction.
    RDP played a part in 90% of attacks. However, the way in which attackers used RDP is worth noting. In incidents that involved RDP, it was used for external access only in just 4% of cases.

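
Sophos' numbers (RDP in 90% of incidents, but used for external access in only 4% of them) mean the useful signal is RDP between internal hosts, in particular one account hopping from a single source onto many servers within a short time. The block below is an added example, not Sophos' tooling or the author's code: the events are constructed in the shape of Windows Security event 4624 with logon type 10 (RemoteInteractive, i.e. RDP), and the private address ranges and the fan-out threshold of three distinct hosts are assumptions made for the example.

```python
"""Separate external RDP access from internal RDP hopping (added example).

Not Sophos' code. Input is a constructed list of records shaped like
Windows Security event 4624 (successful logon); only the fields needed
here are kept: (timestamp, target host, account, source IP, logon type).
Logon type 10 is RemoteInteractive, which is how an RDP session logs on.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; assumed to be "inside" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPE = 10

# Constructed sample events; hosts, accounts and addresses are invented.
EVENTS = [
    ("2021-05-18T08:02:11", "VPN-GW01",  "j.doe",      "203.0.113.7", 10),  # RDP from outside onto a gateway
    ("2021-05-18T08:15:40", "FILE01",    "j.doe",      "10.1.4.25",   10),  # then RDP from inside, host to host
    ("2021-05-18T08:21:05", "SQL01",     "j.doe",      "10.1.4.25",   10),
    ("2021-05-18T08:29:50", "DC01",      "j.doe",      "10.1.4.25",   10),
    ("2021-05-18T08:33:12", "BACKUP01",  "j.doe",      "10.1.4.25",   10),
    ("2021-05-18T09:10:00", "FILE01",    "svc_backup", "10.1.9.3",     3),  # network logon, not RDP
    ("2021-05-18T09:12:00", "WKS-042",   "a.smith",    "10.1.4.26",   10),  # one admin RDP, benign
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_events(events):
    return [e for e in events if e[4] == RDP_LOGON_TYPE]


def split_by_origin(events):
    """Return (external, internal) RDP logons, judged by the source address."""
    external, internal = [], []
    for e in rdp_events(events):
        (internal if is_internal(e[3]) else external).append(e)
    return external, internal


def fan_out(events, threshold=3):
    """(account, source IP) pairs that RDP'd from inside onto >= threshold distinct hosts.

    One workstation or server opening RDP sessions to several other machines
    in a short span is the lateral-movement pattern the playbook describes;
    the threshold is an assumption to tune against the environment's baseline.
    """
    targets = defaultdict(set)
    for _, host, account, src, _ in rdp_events(events):
        if is_internal(src):
            targets[(account, src)].add(host)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


if __name__ == "__main__":
    external, internal = split_by_origin(EVENTS)
    print(f"RDP logons: {len(external)} from outside, {len(internal)} host-to-host inside")
    for (account, src), hosts in fan_out(EVENTS).items():
        print(f"ALERT {account} from {src} reached {len(hosts)} hosts via RDP: {hosts}")
```

On the constructed events the single external RDP logon is the one a perimeter-focused review would notice, while the four internal sessions from 10.1.4.25 are the ones that matter; the per-source fan-out flags them and leaves the lone administrative session from 10.1.4.26 alone.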
  43. Tomi Engdahl says:

    How Attackers Weigh the Pros and Cons of BEC Techniques
    https://www.darkreading.com/threat-intelligence/how-attackers-weigh-the-pros-and-cons-of-bec-techniques/d/d-id/1341060
    Another upcoming tactic involves the aging report, or a financial report that lists outstanding payments due for a vendor or supplier.
    It contains data on payments overdue, points of contact for each customer, and other information. Some BEC attackers now request an aging report instead of a wire transfer because they can use it to send convincing payment requests.

  44. Tomi Engdahl says:

    When Intrusions Don't Align: A New Water Watering Hole and Oldsmar https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/
    During our investigation into the infamous water poisoning attempt against the citizens of Oldsmar, Florida, Dragos discovered a Florida water utility contractor hosting malicious code on their website (i.e., a watering hole). This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event. Using telemetry from Team Cymru Pure Signal Recon, Dragos determined that a user on a computer system on a network belonging to the City of Oldsmar, Florida browsed the compromised site at exactly 14:49 Coordinated Universal Time (UTC), or 9:49 am in the morning on 05 February 2021. This is the same network where an unknown actor reportedly compromised a water treatment control plant computer on

  45. Tomi Engdahl says:

    The Unified Kill Chain
    https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf
    Research shows that the traditional Cyber Kill Chain® (CKC), as presented by researchers of Lockheed Martin, is perimeter- and malware-focused. As such, the traditional model fails to cover other attack vectors and attacks that occur behind the organizational perimeter. The Unified Kill Chain offers significant improvements over these scope limitations of the CKC and the time-agnostic nature of .

  46. Tomi Engdahl says:

    Phishing for Finance
    https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-phishing-for-finance-report-2021.pdf
    In 2020, there were 193 billion credential stuffing attacks globally, with 3.4 billion of them in the financial services space, representing a 45% growth over 2019. The number of web attacks targeting the financial services industry grew by 62%. Targeting organizations that do leverage 2FA and MFA isn't worth the energy or effort for most low-level, opportunistic attackers.

  47. Tomi Engdahl says:

    Record-breaking DDoS activity surged into the first quarter of 2021.
    https://www.netscout.com/blog/asert/beat-goes
    According to research from NETSCOUT's ATLAS Security Engineering & Response Team (ASERT), threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.

  48. Tomi Engdahl says:

    Japan to restrict private sector use of foreign equipment and tech: Report
    https://www.zdnet.com/article/japan-to-restrict-private-sector-use-of-foreign-equipment-and-tech-report/
    The Japanese government will reportedly introduce new regulations across 44 sectors to bolster national cyber defence, partly in response to the Colonial Pipeline hack that occurred last week. Three years ago, Japanese government agencies agreed to stop procuring equipment that could pose national security risks, such as those from Huawei and ZTE. With the latest mandate, the Japanese government now wants to extend that level of stringency to the private sector.

  49. Tomi Engdahl says:

    Cryptocurrency buzz drives record investment scam losses https://www.ftc.gov/news-events/blogs/data-spotlight/2021/05/cryptocurrency-buzz-drives-record-investment-scam-losses
    Investing in cryptocurrency means taking on risks, but getting scammed shouldn't be one of them. Reports to the FTC's Consumer Sentinel suggest scammers are cashing in on the buzz around cryptocurrency and luring people into bogus investment opportunities in record numbers.
    Since October 2020, reports have skyrocketed, with nearly 7,000 people reporting losses of more than $80 million on these scams. Their reported median loss? $1,900. Compared to the same period a year earlier, that's about twelve times the number of reports and nearly 1,000% more in reported losses.
