What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:
First I present a new information security term: Virtual Security = Manufacturers claim that their products are secure. but in reality they are not.
New APT groups, and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non trivial. Next generation dark markets are making cybercrime easier than ever before.
Gartner expects that the security market is expected to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed in 2018 in excess of $114 billion, marking a 12.4% increase from 2017.
A New Year’s Resolution: Security is Broken…Let’s Fix It. There are three strategies that show real promise for defending against tomorrow’s threats: Deploy Deception, Leverage Threat Intelligence, Think Proactively. Plan Now for Emerging Threats. Defending against these threats will require two things. The first is understanding the economic drivers of the criminal community, and the second is to adopt strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.
Many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, but when – and when they will finally find the hack has happened. For example it Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. To prevent this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. This process is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps…why aren’t you?
Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers scan those systems for vulnerabilities actively in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late. Measure how good is your security. Data protection tools have been developed to measure the maturity of data protection issues in organization.
CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?
How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof social media profiles of your company or brands. Cyber criminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what the brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now now more important than lurking in the shadows.
Today, cybersecurity is moving beyond the financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft boss thinks that cyber war cannot be won. High impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for various cyber attacks in different sectors vary greatly. Energy and finance are the most advanced. We should all keep in mind two things: The proliferation of cyberweapons is already happening and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security” It seems also that authoritarian forces are trying to claw back control and even re-purposing the web in ways that undermine democracy.
It would be good for the company to be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires the company to detect the attack itself. A large coordinated attack could attack our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.
We need to build cyber resilience to our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”
Did you remember to test the security? Every developer team should know how to code securely and how to test security. This kind of basic hygiene with information security creates the basis for genuinely intact applications. The basic thing for the tester in terms of data security is user identification and access, securing stability, encryption, firewalls, intruder detection, anonymization of information. All these things can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.
You will see many big data beaches also in 2019. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches, check for example list of Biggest cyber security breaches 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been so much activity going on that it would considerably change the situation for better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.
How much are the first fines for GDPR infringement? It remains to be seen in 2019 as sanctions on big 2018 leaks start to appear. Infringement of GDPR regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.
IoT malware and email hacks are on the rise again. Blackmail demand claims will continue unfortunately also in 2019 and will become more innovative. In 2018 we first saw blackmail extortion with claims to have nailed you watching porn and the sender infected your computer by hacking your account or placing malware. All sorts of variants exist. There was also Spammed Bomb Threat Hoax that demands Bitcoin.Then there has been a New Extortion Email Threatens to Send a Hitman Unless You Pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.
The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increase, the threat is constantly increasing. According to Nokia report IoT botnet operations accounted for 78 percent of malware detection events in the communications service provider (CSP) networks in 2018.
Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks. Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attack. That is because most of today’s CoAP implementations forgo using hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.
Mirai botnet has been active since 2016. And several followers to it are still active. Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms. And you will not get rid of the new variations of it in 2019. Latest example is With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices. Miori is just one of the many Mirai offshoots. There is another very similar variant called Shinoa.
Regulating cyber security features on networked devices seems to be on rise. Germany proposes router security guidelines. It would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means less generic default credentials for a hacker to guess. In Finland security label created by FICORA’s Cybersecurity Center promises that will make it easy for consumers to identify a sufficiently secure devices in 2019.
Ransomware attack will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over year 2018. There is a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.
DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down the DNS and the landscape growing more problematical. Hopefully it will get robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” means that all domains hosted on these poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built by and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take time to address this issue BEFORE February 1st, 2019.
TLS 1.3 was published as of August 2018. It has been over eight years since the last major encryption protocol update. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever. With OpenSSL 1.1.1 library many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently to TLSv1.2 though there are a few caveats that may impact a minority of applications. Add this to list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.
Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended. PHP 5. is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because the new PHP7 is not fully compatible with the old PHP5, so many sites need also updates to the site PHP code. If you can’t for some reason update PHP version, special attention should be paid to the security of the server and its environment.
Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but Are You Using Them Securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing more on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.
The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked on in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and product: Expert systems, machine learning, deep learning, and artificial intelligence are all represented in the whole, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems Artificial Intelligence in Cybersecurity is Not Delivering on its Promise at least yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Also cyber-criminals start to use AI to make better attacks.
Machine learning can reduce the usefulness of CAPTCHA. Machine learning model breaks CAPTCHA systems on 33 highly visited websites very quickly.
Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and Wannacry affected several companies around the world. OlympicDestroyer affected the Olympic Games organization.
Old destructive attacks can persist for a long time. Wannacry is not dead when 2019 starts. Eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activates so the ransomware component would not activate, but the infection continues to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.
Spectre and Meltdown vulnerabilities that were found in 2017 and became public the beginning of 2018 will continue. I have been following this saga since I reported it first in Finland at Uusiteknologia.fi on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixed, but there has been numerous new vulnerability variation reported over the year on the same theme, latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found on modern processors.
USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because USB drives can cause serious disruption to process facilities through unsecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.
The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier against cyberattacks, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Also air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.
There are still major problems cyber security in industrial system. Major problems in industrial cyber security are inadequate software updates, the following non-upgraded systems, and common usage ids for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.
Perimeter-less security is hot in 2019. You can’t build anymore well defined perimeters around all of your systems. Welcome to a World of Zero Trust. Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.
Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.
Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.
Good database security planning is essential for protecting a company’s most important assets because if attackers can shut companies out of their own data can quickly cripple an organization. Leaked data can also become costly with costs of data leak itself, regulatory costs (including GDPR fines) and bad reputation that can affect revenue for a long time.
Just on the end of 2018 there was reports on SQLite vulnerabilities. Magellan is a number of vulnerabilities that exist in SQLite that were able to successfully implement remote code execution in Chromium browsers (already fidex). This vulnerability can have a wide range of influence in 2019 because SQLite is widely used in all modern mainstream operating systems and software. There is potential that Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports against attacks against many different systems and system users failing to secure their systems.
DevSecOps is having a positive impact on security, but the state of security still has a long way to go as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET application contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still riddled with security vulnerabilities.
Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information as well as potentially damaging the reputation of your business.Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.
4 mobile security threats that companies must fight in 2019: Cryptojacking, Data breaches, Insecure networks and Social engineering attacks. Also Mobile Spear phishing campaigns will form the cornerstone for targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite 5G hype. I don’t expect the assault on mobile to slow down as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.
Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation, hardware-backed security. There are also new protections for the Application Sandbox.
Ultrasonic Tracking are Beacons on the Rise. It is an inaudible sound with encoded data that can be used on a listening device with suitable application to receive information that could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.
PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign was spotted in the well-known Emotet Banking Trojan, which makes use of Freeware system tools but with an obscure purpose.
Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allow users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for a new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.
It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of the cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.
Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security Threats. But do we understand the 5G security threats to come? Most probably not, because it seems that the general understanding of 5G is pretty shallow for very many organizations. Many countries are not comfortable with the Chinese building its 5G network.
Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is potential risk that Surveillance Inhibits Freedom of Expression.
Old outdated encryption technologies refuse to die. MD5 and SHA-1 are still used in 2018 and their use does not seen to end in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.
Law is trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep Internet safe.
The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.
The use of bug bounty programs to find security vulnerabilities in software and services is increasing.In January, the EU starts running Bug Bounties on Free and Open Source Software where European Commission to start offering bug bounties on 14 Free Software projects like Notepad++ and VLC that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program.
You might need a password manager in 2019 more than you needed it now. If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember and sometimes are easily hackable. Nobody likes passwords but they’re a fact of life. How do you make them better? You need a password manager. Some examples for proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.
You might also need two-factor authentication can save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts and it usually (when implemented well) only adds a few extra seconds to your day.
Two factor authentication has been considered as best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
Two factor authentication can be hacked. Phishing Attempts That Bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write up about phishing attacks that are bypassing 2FA. If you’re an at risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to a more robust methods.
Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.
810 Comments
Tomi Engdahl says:
China Uses DNA to Track Its People, With the Help of American Expertise
https://www.nytimes.com/2019/02/21/business/china-xinjiang-uighur-dna-thermo-fisher.html
The Chinese authorities turned to a Massachusetts company and a prominent Yale researcher as they built an enormous system of surveillance and control.
Tomi Engdahl says:
DDoS Attacks Ranked As Highest Threat by Enterprises
https://www.bleepingcomputer.com/news/security/ddos-attacks-ranked-as-highest-threat-by-enterprises/
US and EMEA security professionals interviewed by the Neustar International Security Council (NISC) in January 2019 said that DDoS attacks are perceived as the highest threat to their organizations, with roughly half of their companies having been attacked in 2018.
Another 75% of all professionals who took part in NISC’s study said that they are deeply concerned about “bot traffic (bot robots and scrapers) stealing company information, despite the same number already deploying a bot traffic manager solution.”
Tomi Engdahl says:
Access control in enterprises is crucial to maintaining sufficient defenses against cyberattacks, writes Richard Bird, chief customer information officer at Ping Identity. Most companies use the Active Directory tool to manage access to IT systems and data, he notes. “But while Active Directory gives companies an efficient way to provide network access to employees, partners and vendors, it was never built with security in mind, which makes it easy to exploit,” Bird writes. Access management policies should not be considered equivalent to access control, he asserts.
Source: https://semiengineering.com/week-in-review-iot-security-auto-32/
More:
Cybersecurity Starts With Access Control
https://www.forbes.com/sites/forbestechcouncil/2019/02/07/cybersecurity-starts-with-access-control/#35770d51324a
Humans are often pegged as the weakest link in cybersecurity — and to a great extent, that’s true. But in my experience, this axiom misses the bigger point: The reason it’s true is that most companies do not have effective access control.
While training employees to think like hackers can certainly make your company more resilient to cyberattacks, there is always a risk that someone will be compromised. The surest way to limit your organization’s exposure to such risks is to verify the proper controls are in place at the individual level, governing what people can access, when and how.
Companies that haven’t solved for access control are not only putting themselves at risk — they are also suboptimizing every dollar of their cybersecurity spend. What good is spending a million dollars on a firewall if hackers can slip right past it by pretending to be someone else?
Tomi Engdahl says:
Got Critical Infrastructure? Then You Should Know How To Protect It
https://www.securityweek.com/got-critical-infrastructure-then-you-should-know-how-protect-it
Both IT and OT Teams Should be Able to Quickly Access and Analyze all Data Relevant to Their Needs
Tomi Engdahl says:
Escalating DNS attacks have domain name steward worried
https://www.welivesecurity.com/2019/02/25/escalating-dns-attacks-domain-name-worried/
The keeper of the internet’s ‘phone book’ is urging a speedy adoption of security-enhancing DNS specifications
To foil attacks that tamper with the DNS infrastructure, ICANN is now urging domain owners and DNS services to deploy a set of specifications called Domain Name System Security Extensions (DNSSEC). At present, the implementation rate of specifications that ensure the validity of the data by digitally signing it is less than 20 percent, according to information from APNIC.
ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
https://www.icann.org/news/announcement-2019-02-22-en
The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.
In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.
Tomi Engdahl says:
Facebook Says ‘Clear History’ Feature Ready This Year
https://www.securityweek.com/facebook-says-clear-history-feature-ready-year
Facebook’s feature allowing users to erase all their data is set to be released this year, many months after it was announced by the leading social network.
David Wehner, Facebook’s chief financial officer, said in comments Tuesday at a Morgan Stanley technology conference that the company is planning to roll out the feature that was announced last May amid heightened scrutiny over Facebook’s privacy.
Tomi Engdahl says:
Why Not Always Multi-Factor Authentication?
https://www.securityweek.com/why-not-always-multi-factor-authentication
According to a survey of 2,600 IT professionals conducted by security awareness training firm KnowBe4, only 38 percent of large companies use multi-factor authentication (MFA) while a whopping 62 percent of small to midsize companies don’t. MFA, which requires more than one method of authentication to verify identity, may not be the sexiest thing around, but with it in place, organizations can make it that much harder for attackers to accomplish their goals. So, why isn’t it more ubiquitous?
Perhaps the issue stems from the fact that some people tend to choose the path of least resistance. Or perhaps it stems from a belief that MFA isn’t the fastest, easiest, and most convenient solution to implement and use. While it’s true that there’s no turnkey MFA solution to fit every organization, it’s not necessarily true that it should be viewed as yet another difficult security control that needs to be folded into existing security stacks.
More Is More
It’s also important for IT security teams to understand the slight, but potentially significant difference between MFA and two-factor (2FA) authentication.
But why stop at two factors? The convenience and relative time savings of 2FA may be better than nothing, but are they worth the risk? Especially considering that most, if not all breaches today involve an adversary compromising user credentials and using them to gain access to an organization’s network and sensitive assets.
Among several large-scale examples of 2FA failing is the recent Reddit one. Back in June, Reddit found that an attacker had compromised several employee accounts through its cloud and source-code hosting providers. At the time, the company had been using basic SMS-based 2FA authentication
This form of 2FA is simple, cheap, and user-friendly, which is why it’s so widely used; however, the downside is that it’s also extremely vulnerable to SMS intercepts, which was the main attack vector used in the Reddit breach.
Tomi Engdahl says:
When brands violate customer trust, it’s tough to win it back
https://techcrunch.com/2019/02/27/when-brands-violate-customer-trust-its-tough-to-win-it-back/
Trust is a fundamental building block of any healthy relationship, whether that’s between individuals or companies and customers. If you can’t trust the company you are doing business with to do the right thing by you, it’s hard to continue the relationship. Too often, we have seen this trust broken when it comes to data sharing.
Tomi Engdahl says:
http://themillenniumreport.com/2014/08/1984-vs-2014-george-orwell-was-an-optimist/
https://quotefancy.com/quote/1048761/Tom-Clancy-I-know-I-m-paranoid-but-am-I-paranoid-enough
Tomi Engdahl says:
Open source software breaches surge in the past 12 months
A simple lack of time is blamed for a lack of security governance in open-source projects.
https://www.zdnet.com/article/open-source-software-breaches-surge-in-the-past-12-months/
Security breaches related to open-source security projects are on the rise and a lack of time being made available to developers to resolve vulnerabilities is believed to be to blame.
According to Sonatype’s DevSecOps Community Survey, in which over 5,500 IT professionals were asked to give their opinion on today’s open-source projects and the community’s security stance, open-source breaches have increased by 71 percent over the last five years.
Tomi Engdahl says:
W3C approves WebAuthn as the web standard for password-free logins
https://venturebeat.com/2019/03/04/w3c-approves-webauthn-as-the-web-standard-for-password-free-logins/
The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. First announced by the W3C and the FIDO Alliance in November 2015, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico.
Tomi Engdahl says:
Better Security Not Sole Factor for Improved Breach Detection Times: FireEye
https://www.securityweek.com/better-security-not-sole-factor-improved-breach-detection-times-fireeye
Organizations are getting better at detecting breaches, but the positive trend observed last year has been attributed by experts not only to improved cybersecurity capabilities, but also an increase in the number of attacks that are quickly detected by victims.
Tomi Engdahl says:
Cisco Publishes Annual CISO Benchmark Study
https://www.securityweek.com/cisco-publishes-annual-ciso-benchmark-study
A new survey of senior security leader attitudes and practices concentrates on ‘anticipating the unknowns’. It’s a clever choice of words. ‘Anticipating’ implies getting ahead of and being prepared for the unknowns — which is different and more accurate than the more usual use of the word as simply ‘expecting’ the unknowns. This is the task of the security leader: to be prepared for the unknown rather than to wait for and respond to the unknown.
The results are a mixed bag, giving slightly improving responses over a similar survey last year in some areas, and slightly deteriorating in others. For example, moving security to the cloud allows greater staff efficiency (up from 92% to 93%); and provides more effective security than on-prem solutions (up from 91% to 93%).
Each of these questions shows a decline in reliance over the last year — and in terms of this survey, quite dramatic declines. Reliance on ML is down from 77% to 67%; on AI from 74% to 66%; and automation from 83% to 75%. These three subjects are the holy cow of contemporary cybersecurity — dozens of start-up vendors focus on machine learning solutions, while nearly all existing vendors have developed or are developing ML-based solutions.
https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/1963786/2019CISOBenchmarkReportCiscoCybersecuritySeries.pdf
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/tietojen-kalastelu-lisaantyy-haittaohjelmien-maara-laskee-6759944
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9129-pilvi-ja-kannykka-ovat-yritysten-tietoturvan-heikoimmat-lenkit
Tomi Engdahl says:
‘This collaboration is absolutely critical going forward’… One positive thing about Meltdown CPU hole? At least it put aside tech rivalries…
Execs, experts hope this cooperation continues to hold for the next big bug
https://www.theregister.co.uk/2019/02/15/vulnerability_experts_blab/
A panel of eggheads from Intel, the US government, and academia held court this week to figure how they can keep the likes of El Reg from spoiling their next major bug reveal.
The group met at the Churchill Club in San Francisco to reflect on 2018′s big security story – the Spectre-Meltdown CPU flaws – and ponder how it could be better handled going forward. Although chip designers were alerted to the vulnerabilities around June 2017, and operating system developers soon after, an action plan for disclosure was still being formulated the week before they hoped to public on Tuesday, January 9, 2018. The Reg blew the lid off it on January 2, after hearing no response from vendors, forcing timetables to be torn up.
Tomi Engdahl says:
2019 Global Threat Report Shows It Takes Innovation and Speed to Win Against Adversaries
https://www.crowdstrike.com/blog/2019-global-threat-report-shows-it-takes-innovation-and-speed-to-win-against-adversaries/
The report also makes clear — in spite of some impressive indictments against several named nation-state actors — their activities show no signs of diminishing. Throughout 2018, eCrime and nation-state adversaries collectively upped their game. A few examples:
In diplomatic channels and the media, several nation-states gave lip-service to curbing their clandestine cyber activities, but behind the scenes, they doubled down on their cyber espionage operations — combining those efforts with further forays into destructive attacks and financially motivated fraud.
eCrime actors demonstrated new-found flexibility, forming and breaking alliances and quickly changing tactics mid-campaign to achieve their objectives. The shifting currents of the underground economy — including the availability of new TTPs-for-hire and the fluctuating value of Bitcoin — were all contributing factors.
We also witnessed an increased focus on “Big Game Hunting,” where eCrime actors combine targeted intrusions with ransomware to extract big payoffs from large enterprise organizations.
https://app.cdn.lookbookhq.com/lbhq-production/10339/content/original/9dd0e31a-c9c0-4e1c-aea1-f35d3e930f3d/CrowdStrike_GTR_2019_.pdf
Tomi Engdahl says:
Ryuk, Exploring the Human Connection
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/
Within Cyber Threat intelligence research, a popular approach is to model the characteristics of an attack using The Diamond Model of Intrusion Analysis. This model relates four basic elements of an intrusion: adversary, capabilities, infrastructure and victim.
For the Ryuk case described above the model can be applied as follows: “An Adversary, cyber-criminal(s), have a capability (Ryuk Ransomware) that is being spread via a TrickBot infection Infrastructure targeting specific victims.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2019/03/05/f-secure-mittasi-tarkemmin-verkkojen-hyokkaykset/
Tomi Engdahl says:
Lähes kaikki verkkohyökkäykset koneiden käsialaa
http://www.etn.fi/index.php/13-news/9168-lahes-kaikki-verkkohyokkaykset-koneiden-kasialaa
Tomi Engdahl says:
New VMware Firewall Focuses on Known Good Behavior
https://www.securityweek.com/new-vmware-firewall-focuses-known-good-behavior
VMware on Tuesday announced the launch of a new internal firewall solution designed to reduce an organization’s attack surface by focusing on known good behavior rather than attempting to chase potential threats.
The new VMware Service-defined Firewall aims to protect apps, data and users by locking down known good behavior both at host and network level.
VMware says that while other companies have tried this approach – focusing on known good behavior – getting a complete understanding of every application has been difficult to achieve.
VMware Service-Defined FirewallShrink the application attack surface with a new approach to firewalling
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/vmw-service-defined-firewall-solution-overview.pdf
Tomi Engdahl says:
BlackBerry Cylance Unveils Behavioral Analytics Solution
https://www.securityweek.com/blackberry-cylance-unveils-behavioral-analytics-solution
BlackBerry Cylance, the company that resulted from BlackBerry’s acquisition of Cylance, on Tuesday introduced CylancePERSONA, a proactive endpoint behavioral analytics solution.
The new solution, which expands the capabilities of the Cylance native AI platform, is designed to protect organizations against attacks involving stolen credentials and user impersonation by combining continuous biometric behavior and user conduct monitoring.
Tomi Engdahl says:
Break the Daily Routine with Prioritization and Focus
https://www.securityweek.com/break-daily-routine-prioritization-and-focus
With Context to Understand and Prioritize Security Data and Alerts You Can Stay Focused on What Matters Most
As a security professional, wouldn’t it be great to be able to focus on one thing at a time and know you’re focused on the right things to protect the organization? Often, the day begins with a set of system notifications pointing us in the direction of alerts to triage or incidents to resolve. Unfortunately, these “priority” notifications are usually determined by global risk scores, not scores specific to your organization. Global scores cannot instill the level of confidence you need to make sure you’re focusing your resources on the right tasks.
Tomi Engdahl says:
Microsoft Sees 250% Phishing Increase, Malware Decline by 34%
https://www.bleepingcomputer.com/news/security/microsoft-sees-250-percent-phishing-increase-malware-decline-by-34-percent/
Phishing attacks have seen an impressive 250% increase between January and December 2018, with attackers moving to multiple points of attacks during the same campaign, switching between URLs, domains, and servers when sending e-mails and hosting phishing forms.
As a side note, Microsoft saw “an increase in the use of compromised accounts to further distribute malicious emails both inside and outside an organization.”
Tomi Engdahl says:
Securing Digital Convergence
https://www.securityweek.com/securing-digital-convergence
Hyperconnected Digital Environments Are Raising the Stakes for Security Teams Even Higher
Network ecosystems are converging
But rather than networks being comprised of a disparate and distributed set of individual networking components, they are being woven together into a single, hypermeshed fabric. 5G, SD-WAN, Edge computing, the cloud, and IoT devices are now being blended together to allow workflows, applications, and other transactions to flow through and between each of these ecosystems.
Complicating the issue further, these complex private IT networks are being blended with other networks, such as OT, public infrastructures, and even competing/complementary entities in order to accelerate response time and to deliver a complete solution to customers. This emerging hyperconnected digital environment raises the stakes for security teams even higher.
Security needs to address speed and interconnectivity
Securing these new digital business demands revolve around two foundational requirements: speed and interconnectivity. Unfortunately for many organizations, many of these new networking environments have been secured using separate security solutions that cannot address either of these new requirements. This has happened for a number of reasons:
• Existing security tools or essential functionalities are not available on every platform, thereby limiting interconnectivity
• Traditional perimeter security tools cannot meet the speed or complex networking requirements of today’s digital business
• Poor planning prevented the security team from implementing a holistic strategy
- Lines of business are designing and even deploying new environments, and security teams are not consulted until the end
- Cloud SecOps and DevOps are not part of the central IT/Security team
- Each new area was handled piecemeal, as an individual project rather than as part of a larger security strategy
One of the biggest barriers to having an effective security framework in place is that security leadership failed to recognize that these different environments would begin to converge, or they missed the implications that this would have on their security infrastructure
Tomi Engdahl says:
Prioritization is applicable to any use case within a Security Operations Center. Here’s just a quick look at three.
1. Vulnerability management. Prioritization can help you determine which vulnerabilities you need to address and in what order. For example, as you investigate a vulnerability related to a specific adversary campaign and indicators of compromise (IOCs), you check internal data and events. If some of those IOCs have been seen in your organization’s SIEM or ticketing system, the vulnerability is a high priority. A vulnerability that has related threats and IOCs, but those threats have not been known to target your organization’s specific industry, should be watched but is a lower priority. A vulnerability with no known adversaries using it or associated IOCs, may indicate it is not being exploited in the real world yet and can be deprioritized for now.
2. Threat hunting. With the ability to automatically prioritize threat intelligence, you can determine what to hunt for within the environment. You can start an investigation by importing the highest-risk IOCs associated with an adversary or high-profile intrusion and then run selected operations to pull in supplemental data points. You can also compare indicators across the infrastructure with internal log data to find additional connections. As new data and learnings are added to the central repository, intelligence is continuously reprioritized to support ongoing threat hunting.
3. Spear phishing. Prioritization can help you quickly make sense of suspicious emails. Comparing indicators from emails that have been forward to the security team for analysis against data in the repository, reveals high-risk emails which should be prioritized for further investigation and low-risk emails which can be categorized as noise. You can query to identify all the spear phish recipients and then overlap those findings with vulnerability scan results to determine the scope and help accelerate response and containment.
Source: https://www.securityweek.com/break-daily-routine-prioritization-and-focus
Tomi Engdahl says:
Pilvi ja kännykkä ovat yritysten tietoturvan heikoimmat lenkit
http://etn.fi/index.php?option=com_content&view=article&id=9129&via=n&datum=2019-02-25_12:31:49&mottagare=30929
Tomi Engdahl says:
How to make people sit up and use 2-factor auth: Show ‘em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse
Education, education, education is key to security
https://www.theregister.co.uk/2019/03/06/password_two_factor_auth_security/
Despite multi-factor authentication being on hand to protect online accounts and other logins from hijackings by miscreants for more than a decade now, people still aren’t using it. Today, a pair of academics revealed potential reasons why there is limited uptake.
Spoiler alert: it’s because, apparently, there isn’t enough focus on clearly explaining the actual need for this extra layer of account security.
Tomi Engdahl says:
How to keep your flock of users secure: Let them know exactly who and where the wolves are
Rather than talk about generic threats, go through some examples with people
https://www.theregister.co.uk/2019/03/06/secure_your_users/
When it comes to getting your users up to speed with cyber-security, the best approach is to give it to them straight. Practicalities over jargon. Specific examples of threats are very persuasive, rather than simply insisting people enable a firewall and malware scanner, check regularly for updates, and avoid clicking on any suspicious attachments and links.
Tomi Engdahl says:
RSAC 2019: TLS Markets Flourish on the Dark Web
https://threatpost.com/tls-markets-fdark-web/142310/
The certificates are often paired with ancillary products, like Google-indexed “aged” domains, after-sale support, web design services and even integration with a range of payment processors.
SAN FRANCISCO – Thriving marketplaces for TLS certificates have emerged on the Dark Web, which are hawking the certs both as individual goods and packaged with an array of malware and other ancillary services.
Tomi Engdahl says:
Organizations Not Positioned for Success in Tackling Cyber Demands: Deloitte
https://www.securityweek.com/organizations-not-positioned-success-tackling-cyber-demands-deloitte
Report Shows Major Disconnect Between Cybersecurity and Cyber Everywhere in Digital Transformation
In order to survive and thrive in the future, companies around the world are adopting digital transformation as part of the fourth industrial revolution. It is leading to a new ‘cyber everywhere’ environment where digital technology encompasses the business, its employees, its workspaces, its production facilities and the products it makes — and, of course, the Internet.
The result, suggests Irfan Saif, cyber innovation leader and principal in Deloitte Risk and Financial Advisory at Deloitte & Touche LLP, is that “With finite budgets and resources, and lack of prioritization by executive management, organizations are going to be tested to keep up with the cyber demands of digital transformation.”
One encouraging result from the survey is that 43% of surveyed CISOs indicate that they report directly to the CEO. The security reporting structure remains a contentious issue. Traditionally CISOs have reported to the CIO; but as cybersecurity has become both more important and more complex, there is an increasing demand that it should be stand-alone.
Tomi Engdahl says:
Edge Intelligence Grabs the Spotlight at Embedded World
https://www.eetimes.com/document.asp?doc_id=1334405
Nothing is beyond the limits of our imagination anymore, and what we are used to seeing in spy movies needs a massive upgrade, in order to go beyond what is now considered the norm. This was evident at Embedded World 2019, where the focus was edge intelligence and internet of things (IoT) security.
Tomi Engdahl says:
Cyberattacks to watch for in 2019
A new report examines eight key threat areas.
https://www.zdnet.com/article/cyberattacks-to-watch-for-in-2019/?utm_source=hs_email&utm_medium=email&utm_content=70526488&_hsenc=p2ANqtz-_NMsPWe0iyMqhn5LEemHgybQNFborsYsoLpJKe6Rcx6xIlWd27cQaQr1pmAhvnY0jhI7j-QgJmFlYSIzKHBImdlv7LpTvvVcRp7ndLJ50Fhv7zUvU&_hsmi=70526488
Tomi Engdahl says:
Cybercrime is increasing and more costly for organizations
https://www.zdnet.com/article/cybercrime-is-increasing-and-more-costly-for-organizations/
New report says companies need to protect against people-based attacks and deploy tools to limit information loss and business disruption.
Tomi Engdahl says:
Protection Poker: An agile game for mitigating risk
https://opensource.com/article/19/3/protection-poker-agile-security-game?sc_cid=7016000000127ECAAY
This game builds risk mitigation into your workflow before iteration planning to decrease security threats.
Tomi Engdahl says:
VERKKORIKOLLISUUS YLEISTYY – KUINKA HYVIN TIETOTURVA ON HUOMIOITU OMASSA YRITYKSESSÄSI?
https://www.dna.fi/yrityksille/kyberrikollisuus-muuttuu-rajummaksi-opas?utm_source=facebook&utm_medium=whitepaper&utm_term=tietoturva&utm_campaign=sisaltomarkkinointi&utm_content=kyberrikollisuus_muuttuu_rajummaksi_opas
Tomi Engdahl says:
‘The goal is to automate us’: welcome to the age of surveillance capitalism
https://www.theguardian.com/technology/2019/jan/20/shoshana-zuboff-age-of-surveillance-capitalism-google-facebook?CMP=fb_gu
Shoshana Zuboff’s new book is a chilling exposé of the business model that underpins the digital world. Observer tech columnist John Naughton explains the importance of Zuboff’s work and asks the author 10 key questions
Tomi Engdahl says:
Suomalaisten pk-yritysten on valmistauduttava kyberuhkiin
https://www.dna.fi/yrityksille/blogi/-/blogs/suomalaisten-pk-yritysten-on-valmistauduttava-kyberuhkiin?utm_source=facebook&utm_medium=artikkeli&utm_term=tietoturva&utm_campaign=tietoturvapalvelut&utm_content=suomalaisten_pk_yritysten_on_valmistauduttava_kyberuhkiin
Tomi Engdahl says:
Study shows programmers will take the easy way out and not implement proper password security
https://www.zdnet.com/article/study-shows-programmers-will-take-the-easy-way-out-and-not-implement-proper-password-security/
A student or a programmer hired from Freelancer.com? Doesn’t really matter. Both don’t know that many things about password security.
Freelance developers need to be explicitly told to write code that stores passwords in a safe and secure manner, a recent study has revealed.
In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.
For their study, the German academics asked a group of 260 Java programmers to write a user registration system for a fake social network.
Of the 260 developers, only 43 took up the job, which involved using technologies such as Java, JSF, Hibernate, and PostgreSQL to create the user registration component.
Researchers said developers took three days to submit their work, and that they had to ask 18 of the 43 to resubmit their code to include a password security system when they first sent a project that stored passwords in plaintext.
Of the 18 who had to resubmit their code, 15 developers were part of the group that were never told the user registration system needed to store password securely, showing that developers don’t inherently think about security when writing code.
Of the secure password storage systems developers chose to implement for this study, only the last two, PBKDF2 and Bcrypt, are considered secure.
8 – Base64
10 – MD5
1 – SHA-1
3 – 3DES
3 – AES
5 – SHA-256
1 – HMAC/SHA1
5 – PBKDF2
7 – Bcrypt
Furthermore, only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application’s database is made harder to crack with the addition of a random data factor.
Tomi Engdahl says:
Cybercrime is increasing and more costly for organizations
https://www.zdnet.com/article/cybercrime-is-increasing-and-more-costly-for-organizations/
New report says companies need to protect against people-based attacks and deploy tools to limit information loss and business disruption.
The average cost of cybercrime for an organization has increased $1.4 million over the past year, to $13.0 million, and the average number of security breaches in the last year rose by 11 percent from 130 to 145.
Tomi Engdahl says:
https://www.tivi.fi/CIO/tassa-3-tapaa-pitaa-kyberiskujen-vahingot-aisoissa-6760589
Tomi Engdahl says:
Internet of Termites
https://www.alienvault.com/blogs/labs-research/internet-of-termites
Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops.
That means it can be used used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible
Termite is a useful networking and penetration testing tool, but we’re seeing it used in attacks to enable access to machines too. There has been little reporting on Termite, beyond a brief mention in a report by Kaspersky of an earlier version of Termite called “EarthWorm”. Below, we’ve provided an outline on some of the attackers we’re seeing deploying Termite.
Termite popped up on our radar when we were reviewing malicious binaries compiled to run on IoT architectures. Termite is available for a range of different operating systems and architectures including x86 ARM, PowerPC, Motorola, SPARC and Renesas.
Tomi Engdahl says:
https://www.tivi.fi/CIO/pelkka-strategia-ei-suojaa-kyberiskuilta-puolustukseen-tarvitaan-rahaa-6760863
Less than a fifth of FTSE 350 companies understand impact of cyber threats
https://financefeeds.com/less-fifth-ftse-350-companies-understand-impact-cyber-threats/
The Government’s Cyber Governance Health Check shows that 16% of FTSE 350 boards have a comprehensive understanding of the impact of loss or disruption associated with cyber threats.
The UK Government has earlier today published the latest FTSE 350 Cyber Governance Health Check report, indicating that UK Boards of biggest firms must do more to be cyber aware.
The 2018 Health Check concludes that boards are making progress in acknowledging, understanding and responding to cyber threats, with a positive trend towards improved governance throughout the areas covered by the Health Check. However, there remains room for improvement, particularly in assessing and dealing with risks in the supply chain, and testing incident response plans to ensure they are and continue to be fit for purpose.
However, only a minority of businesses (16%) report that their board has a comprehensive understanding of the impact of loss or disruption associated with cyber threats on the types of impact tested in the 2018 Health Check, i.e. customers, share price and reputation.
Tomi Engdahl says:
From Fileless Techniques to Using Steganography: Examining Powload’s Evolution
https://blog.trendmicro.com/trendlabs-security-intelligence/from-fileless-techniques-to-using-steganography-examining-powloads-evolution/
Tomi Engdahl says:
Kiinalaisteknologia huolestuttaa yhä – EU:n uusi kyberturvalaki
https://www.uusiteknologia.fi/2019/03/12/kiinalaisteknologia-huolestuttaa-yha-eun-uusi-kyberturvalaki/
Tomi Engdahl says:
How to get Ahead of Vulnerabilities and Protect your Enterprise Business
https://blog.trendmicro.com/how-to-get-ahead-of-vulnerabilities-and-protect-your-enterprise-business/
Security vulnerabilities are popping up all the time, and can put any business that uses technological assets at risk. In a nutshell, vulnerabilities represent the ideal opportunity for malicious actors to break into systems and wreak all types of havoc. From data theft to information compromise and beyond, vulnerabilities are a particularly pertinent issue for today’s enterprises.
According to current data, more vulnerabilities are coming to light than ever before
Types of vulnerabilities and how they’re used for malicious activity
Before we delve into those strategies, though, it’s worth taking a look at vulnerabilities in action, and understanding how these software flaws can be leveraged by a malicious actor.
As Trend Micro explains in its ebook, “Beat Cybercriminals at Their Own Game: A Guide to Winning the Vulnerability Race and Protecting Your Organization,” there are several types of vulnerabilities, and these different flaws present key challenges for security.
A traditional vulnerability, for example, is a programming error or other type of software issue that hackers can use to sidestep password protection or security measures and gain unauthorized access to legitimate systems. These problems are unfortunately pretty extensive, and new vulnerabilities that can be exploited by cybercriminals are being discovered by security experts all the time.
Where general vulnerabilities typically have security patches or updates available to repair them, this is not the case with zero-day vulnerability. Zero-days are brand new software issues that have only just been identified, and have not yet been patched by vendors. As Trend Micro explained, “that’s because the vendor essentially has zero days to fix the issue, or has chosen not to fix it.”
How to address vulnerabilities in the enterprise
There are several critical approaches today’s businesses and IT teams can take to safeguard their organization from software vulnerabilities.
Pay attention to current security research
Be aware of updates and patches – and prioritize accordingly
The solution here is to establish a prioritized patching process that takes into account:
• The severity of the patched issue. Microsoft and other vendors will rate vulnerabilities according to how critical they are to overall risk. More critical patches should be applied as soon as possible, whereas less critical updates can represent a lower priority.
• Vulnerabilities impacting your enterprise’s particular key software. Similarly, updates for software systems that are used on a daily basis within the enterprise, and provide essential functionality should be prioritized over other updates. A patch for a software that is only intermittently used, or only impacts a small number of users in a single department of the company, for instance, can be put on the back burner.
• Those currently being exploited. It’s important to prioritize patches for vulnerabilities that hackers are currently using to mount attacks.
Beat Cybercriminals at Their Own Game
https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/breaking-news/trend_micro_vulnerability_research_eBook_2018.pdf
Tomi Engdahl says:
Abusing Bias Part One: Infrastructure
https://posts.specterops.io/abusing-bias-part-one-infrastructure-e0ea74652b6e
The Hitchhiker’s Guide To Initial Access
https://posts.specterops.io/the-hitchhikers-guide-to-initial-access-57b66aa80dd6?gi=7238767cbf7d
Tomi Engdahl says:
NASA’s crap infosec could be ‘significant threat’ to space ops
Inspectors not happy with stagnant security practices
https://www.theregister.co.uk/2019/03/11/nasa_infosec_office_inspector_general_fisma/
NASA’s Office of the Inspector General has once again concluded the American space agency’s tech security practices are “not consistently implemented”.
Confirmation that the US government department’s infosec abilities are not up to scratch was a repeat of last year’s federally mandated security audit, which also found that processes and procedures were below par.
“In sum, we rated NASA’s cybersecurity program at a Level 2 (Defined) for the second year in a row, which falls short of the Level 4 (Managed and Measurable) rating agency cybersecurity programs are required to meet by the Office of Management and Budget in order to be considered effective.”
Two areas were of immediate concern to Morrison’s inspectors: NASA system security plans “contained missing, incomplete, and inaccurate data” and control assessments were not carried out “in a timely manner”, something the auditors described as “an indicator of a continuing control deficiency”.
The OIG’s annual review assessed “61 metrics in five security function areas,” it said, testing “a subset of information systems to determine the maturity of their agency’s information security program.”
Tomi Engdahl says:
Understanding Vulnerability Scoring to Help Measure Risk
https://www.tripwire.com/state-of-security/vulnerability-management/understanding-vulnerability-scoring-risk/
Tomi Engdahl says:
http://ahtoapajalahti.puheenvuoro.uusisuomi.fi/271503-tiedustelulait-ei-massavalvontaa-mutta-riskeja-ja-aukkoja-jaa