Cyber security trends 2019

What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:

First I present a new information security term: Virtual Security = Manufacturers claim that their products are secure. but in reality they are not.

New APT groups, and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non trivial. Next generation dark markets are making cybercrime easier than ever before.

Gartner expects that the security market is expected to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed in 2018 in excess of $114 billion, marking a 12.4% increase from 2017.

A New Year’s Resolution: Security is Broken…Let’s Fix It. There are three strategies that show real promise for defending against tomorrow’s threats: Deploy Deception, Leverage Threat Intelligence, Think Proactively. Plan Now for Emerging Threats. Defending against these threats will require two things. The first is understanding the economic drivers of the criminal community, and the second is to adopt strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.

Many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, but when – and when they will finally find the hack has happened. For example it Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. To prevent this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. This process is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps…why aren’t you?

Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers scan those systems for vulnerabilities actively in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late. Measure how good is your security. Data protection tools have been developed to measure the maturity of data protection issues in organization.

CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?

How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof social media profiles of your company or brands. Cyber criminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what the brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now now more important than lurking in the shadows.

Today, cybersecurity is moving beyond the financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft boss thinks that cyber war cannot be won. High impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for various cyber attacks in different sectors vary greatly. Energy and finance are the most advanced. We should all keep in mind two things: The proliferation of cyberweapons is already happening and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security” It seems also that authoritarian forces are trying to claw back control and even re-purposing the web in ways that undermine democracy.

It would be good for the company to be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires the company to detect the attack itself. A large coordinated attack could attack our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.

We need to build cyber resilience to our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”

Up to 350 million voters across the EU are expected to take to the polls in May 2019, to elect 705 Members of European Parliament (MEPs). With threat actors already meddling in the elections process in various countries, including in the United States, interference is expected in next year’s European process as well.

Did you remember to test the security? Every developer team should know how to code securely and how to test security. This kind of basic hygiene with information security creates the basis for genuinely intact applications. The basic thing for the tester in terms of data security is user identification and access, securing stability, encryption, firewalls, intruder detection, anonymization of information. All these things can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.

You will see many big data beaches also in 2019. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches, check for example list of Biggest cyber security breaches 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been so much activity going on that it would considerably change the situation for better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.

How much are the first fines for GDPR infringement? It remains to be seen in 2019 as sanctions on big 2018 leaks start to appear. Infringement of GDPR regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.

IoT malware and email hacks are on the rise again. Blackmail demand claims will continue unfortunately also in 2019 and will become more innovative. In 2018 we first saw blackmail extortion with claims to have nailed you watching porn and the sender infected your computer by hacking your account or placing malware. All sorts of variants exist. There was also Spammed Bomb Threat Hoax that demands Bitcoin.Then there has been a New Extortion Email Threatens to Send a Hitman Unless You Pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.

The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increase, the threat is constantly increasing. According to Nokia report IoT botnet operations accounted for 78 percent of malware detection events in the communications service provider (CSP) networks in 2018.

Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks. Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attack. That is because most of today’s CoAP implementations forgo using hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.

Mirai botnet has been active since 2016. And several followers to it are still active. Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms. And you will not get rid of the new variations of it in 2019. Latest example is With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices. Miori is just one of the many Mirai offshoots. There is another very similar variant called Shinoa.

Regulating cyber security features on networked devices seems to be on rise. Germany proposes router security guidelines. It would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means less generic default credentials for a hacker to guess. In Finland security label created by FICORA’s Cybersecurity Center promises that will make it easy for consumers to identify a sufficiently secure devices in 2019.

Ransomware attack will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over year 2018. There is a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.


DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down the DNS and the landscape growing more problematical. Hopefully it will get robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” means that all domains hosted on these poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built by and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take time to address this issue BEFORE February 1st, 2019.

TLS 1.3 was published as of August 2018. It has been over eight years since the last major encryption protocol update. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever. With OpenSSL 1.1.1 library many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently to TLSv1.2 though there are a few caveats that may impact a minority of applications. Add this to list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.

Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended. PHP 5. is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because the new PHP7 is not fully compatible with the old PHP5, so many sites need also updates to the site PHP code. If you can’t for some reason update PHP version, special attention should be paid to the security of the server and its environment.

Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but Are You Using Them Securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing more on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.

The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked on in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and product: Expert systems, machine learning, deep learning, and artificial intelligence are all represented in the whole, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems Artificial Intelligence in Cybersecurity is Not Delivering on its Promise at least yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Also cyber-criminals start to use AI to make better attacks.

Machine learning can reduce the usefulness of CAPTCHA. Machine learning model breaks CAPTCHA systems on 33 highly visited websites very quickly.

Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and Wannacry affected several companies around the world. OlympicDestroyer affected the Olympic Games organization.

Old destructive attacks can persist for a long time. Wannacry is not dead when 2019 starts. Eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activates so the ransomware component would not activate, but the infection continues to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.

Spectre and Meltdown vulnerabilities that were found in 2017 and became public the beginning of 2018 will continue. I have been following this saga since I reported it first in Finland at Uusiteknologia.fi on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixed, but there has been numerous new vulnerability variation reported over the year on the same theme, latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found on modern processors.

USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because USB drives can cause serious disruption to process facilities through unsecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.

The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier against cyberattacks, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Also air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.

There are still major problems cyber security in industrial system. Major problems in industrial cyber security are inadequate software updates, the following non-upgraded systems, and common usage ids for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.

Perimeter-less security is hot in 2019. You can’t build anymore well defined perimeters around all of your systems. Welcome to a World of Zero Trust. Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.

Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.

Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.

Good database security planning is essential for protecting a company’s most important assets because if attackers can shut companies out of their own data can quickly cripple an organization. Leaked data can also become costly with costs of data leak itself, regulatory costs (including GDPR fines) and bad reputation that can affect revenue for a long time.

Just on the end of 2018 there was reports on SQLite vulnerabilities. Magellan is a number of vulnerabilities that exist in SQLite that were able to successfully implement remote code execution in Chromium browsers (already fidex). This vulnerability can have a wide range of influence in 2019 because SQLite is widely used in all modern mainstream operating systems and software. There is potential that Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports against attacks against many different systems and system users failing to secure their systems.

DevSecOps is having a positive impact on security, but the state of security still has a long way to go as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET application contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still riddled with security vulnerabilities.

Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information as well as potentially damaging the reputation of your business.Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.


4 mobile security threats that companies must fight in 2019: Cryptojacking, Data breaches, Insecure networks and Social engineering attacks. Also Mobile Spear phishing campaigns will form the cornerstone for targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite 5G hype. I don’t expect the assault on mobile to slow down as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.

Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation, hardware-backed security. There are also new protections for the Application Sandbox.

Ultrasonic Tracking are Beacons on the Rise. It is an inaudible sound with encoded data that can be used on a listening device with suitable application to receive information that could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.

PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign was spotted in the well-known Emotet Banking Trojan, which makes use of Freeware system tools but with an obscure purpose.

Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allow users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for a new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.

It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of the cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.

Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security ThreatsBut do we understand the 5G security threats to come? Most probably not, because it seems that the general understanding of 5G is pretty shallow for very many organizations. Many countries are not comfortable with the Chinese building its 5G network.

Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is potential risk that Surveillance Inhibits Freedom of Expression.

Old outdated encryption technologies refuse to die.  MD5 and SHA-1 are still used in 2018 and their use does not seen to end in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.

Law is trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep Internet safe.

The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.

The use of bug bounty programs to find security vulnerabilities in software and services is increasing.In January, the EU starts running Bug Bounties on Free and Open Source Software where European Commission to start offering bug bounties on 14 Free Software projects like Notepad++ and VLC that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program

You might need a password manager in 2019 more than you needed it now. If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember and sometimes are easily hackable. Nobody likes passwords but they’re a fact of life. How do you make them better? You need a password manager. Some examples for proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.

You might also need two-factor authentication can save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts and it usually (when implemented well) only adds a few extra seconds to your day.

Two factor authentication has been considered as best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

Two factor authentication can be hacked. Phishing Attempts That Bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write up about phishing attacks that are bypassing 2FA. If you’re an at risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to a more robust methods.

Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.

 

810 Comments

  1. Tomi Engdahl says:

    Digital transformation needs a solid cybersecurity plan
    https://www.controleng.com/articles/digital-transformation-plans-need-cybersecurity/

    Companies looking towards a digital transformation need cybersecurity and they need everyone–not just IT–to take responsibility to make it work.

    There are seven key categories/vectors a user should look at:

    Network security
    Workstation hardening
    User account management
    Patch and security management
    Physical and perimeter security
    Security monitoring
    Data management

    Once that assessment comes out there should be a report looking at what issues should be addressed first; that is the beginning of the journey toward a more secure environment.

    “Most users will be ready to start immediately after doing an assessment,” Gorskie said.

    Reply
  2. Tomi Engdahl says:

    What today links Gmail, Google Drive, YouTube, Facebook, Instagram – apart from being run by monopolistic personal data harvesters?
    They all fell over, fears of massive DDoS denied
    https://www.theregister.co.uk/2019/03/13/google_facebook_outage/

    Both Google and Facebook suffered outages Wednesday, with the Chocolate Factory leading the way and seemingly fixing its issues just as Zuck’s network became decidedly antisocial.

    Reply
  3. Tomi Engdahl says:

    Breaking Down the Incident Notification Requirements in the EU’s NIS Directive
    https://securityintelligence.com/breaking-down-the-incident-notification-requirements-in-the-eus-nis-directive/

    European Union (EU)’s NIS Directive; a legislation that sets a range of network and information security requirements to augment IT security across all EU member states. While the directive covers a few different domains, including preparedness, cross-EU collaboration and incident response (IR), one of its main pillars focuses on breach notification requirements.

    Regulations Versus Directives

    The NIS Directive is a different type of legal act compared to, say, the General Data Protection Regulation (GDPR). The latter is immediately applicable and enforceable by law in all member states. A directive is somewhat different.

    This legal status reveals one of the possible issues with a directive: Whereas a regulation is direct law, a directive needs to be transposed into local laws by each member state.

    Variance in Incident Notification Definitions

    One of the articles in the NIS Directive that has received a lot of attention is Article 14, which outlines requirements for security and incident notification. It stipulates that member states must ensure that OES notify the national competent authority and the national computer security incident response team (CSIRT) in case of an incident that significantly impacts the continuity of an essential service. This is not entirely new — depending on the type of activity or sector, there are already requirements for incident reporting in Europe, including Article 13a of the Telecom Framework Directive.

    Reply
  4. Tomi Engdahl says:

    Why BEC scams are thriving in anonymity
    https://www.itproportal.com/features/why-bec-scams-are-thriving-in-anonymity/

    The rise of Business Email Compromise (BEC) scams is a trend that should concern every organisation. These attacks are incredibly effective, increasingly easy for hackers to employ, and have the potential to deliver much higher returns than traditional email phishing activities.

    The worst part of all this is that BEC attacks are only reported a fraction of the time, allowing them to thrive in anonymity. Indeed, I don’t believe many businesses realise the full extent of the problem. It’s the reason we need to get better at raising awareness.

    Reply
  5. Tomi Engdahl says:

    Enabling a safe digital advertising ecosystem
    https://blog.google/products/ads/enabling-safe-digital-advertising-ecosystem/

    Dozens of new ads policies to take down billions of bad ads

    Reply
  6. Tomi Engdahl says:

    Understanding IT security
    https://www.redhat.com/en/topics/security

    The old ways of doing IT and cybersecurity—monolithically, inflexibly—have an expiration date. That’s because the way businesses do their work is changing. Digital transformation demands an integrated security program. Think of it as security that is built in, rather than bolted on.

    Reply
  7. Tomi Engdahl says:

    The Missing Security Primer for Bare Metal Cloud Services
    https://eclypsium.com/2019/01/26/the-missing-security-primer-for-bare-metal-cloud-services/

    Organizations are increasingly looking to move their IT infrastructure to the cloud. With the rise of bare-metal cloud offerings, organizations can easily scale up their operations in the cloud while retaining the confidence of having dedicated hardware.

    Background: BMC, IPMI, and Out-of-Band Server Management

    BMCs have become standard components for most servers and provide management capabilities via the Intelligent Platform Management Interface (IPMI). The BMC is a highly privileged component designed to enable out-of-band management of the server. This could include initial provisioning or an operating system reinstall from a remote management console without the need to physically attach a monitor, keyboard, and installation media to the server.

    In addition to external-facing LAN and serial channels, IPMI defines what is known as the “system interfaces,” which are communication channels within the server platform itself to allow software running on the host processor to talk to the BMC. This includes KCS (keyboard controller style), SMIC (system management interface chip), BT (block transfer), and SSIF (SMBus system interface). Additionally, IPMB (intelligent platform management bus/bridge) channels can allow multiple BMCs to communicate when more than one BMC is present.

    Beyond Bare-Metal: Firmware Threats to Virtualization and Cloud Services

    These system interfaces and IPMB channels open the door for threats to move from Internet-facing services to the underlying firmware of the host device. This is because, unlike LAN/serial channels, they are session-less. Session-less channels, such as the system interface/IPMB channels, do not provide a method for authentication.

    As a result, malware can potentially send malicious IPMI commands over system interfaces from the host without the commands being authenticated.

    Reply
  8. Tomi Engdahl says:

    Analyzing WordPress Remote Code Execution Vulnerabilities CVE-2019-8942 and CVE-2019-8943
    https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-wordpress-remote-code-execution-vulnerabilities-cve-2019-8942-and-cve-2019-8943/

    Reply
  9. Tomi Engdahl says:

    VMware Service-Defined Firewall
    Shrink the application attack surface with a new approach to firewalling
    https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/vmw-service-defined-firewall-solution-overview.pdf

    Reply
  10. Tomi Engdahl says:

    NINTH ANNUAL COST OF CYBERCRIME STUDY
    UNLOCKING THE VALUE OF IMPROVED CYBERSECURITY PROTECTION
    https://www.accenture.com/t20190305T185301Z__w__/us-en/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#

    The ninth annual cost of cybercrime study helps to quantify the economic cost of cyberattacks by analyzing trends in malicious activities over time.By better understanding the impact associated with cybercrime, organizations can determine the right amount of investment in cybersecurity.

    In an ever-changing digital landscape, it is vital to keep pace with the trends in cyber threats. We found that cyberattacks are changing due to:• Evolving targets: Information theft is the most expensive and fastest rising consequence of cybercrime—but data is not the only target. Core systems, such as industrial control systems, are being hacked ina powerful move to disrupt and destroy.• Evolving impact: While data remains a target, theft is not always the outcome. A new wave of cyberattacks sees data no longer simply being copied but being destroyed—or changed—which breeds distrust. Attacking data integrity is the next frontier.• Evolving techniques: Cybercriminals are adapting their attack methods. They are using the human layer—the weakest link—as a path to attacks, through increased phishing and malicious insiders. Other techniques, such as those employed by nation-state attacks totarget commercial businesses, are changing the nature of recovery, with insurance companies trying to classify cyberattacks as an “actof war” iss

    THE IMPACT OF CYBERATTACKS IS RISINGThe rapid growth of information loss over the last three years is a worrying trend. New regulations, such as GDPR and CCPA, aim to hold organizations and their executives more accountable for the protection of information assets and in terms of using customer data responsibly. Future incidents of information loss (theft) could add significantly to the financial impact of these attacks as regulators start to impose fines. The cost of business disruption—including diminished employee productivity and business process failures that happen after a cyberattack—continues to rise at a steady rate

    IMPROVING CYBERSECURITY PROTECTIONWhat’s in the chart? • Malware is the most expensive attack type for organizations. The figure (in parenthesis) indicates the cost for malware attacks has increased by 11 percent over the year and is now an average of US$2.6 million annually for organizations.• Similarly, the cost of malicious insider attacks has increased by 15 percent over the year and is now an average of US$1.6 million annually for an organization. • Adding the individual cost for each type of cyberattack gives us the total cost of cybercrime to an organization in 2018 (US$13.0 million).THE IMPACT OF CYBERATTACKS IS RISINGThe rapid growth of information loss over the last three years is a worrying trend. New regulations, such as GDPR and CCPA, aim to hold organizations and their executives more accountable for the protection of information assets and in terms of using customer data responsibly. Future incidents of information loss (theft) could add significantly to the financial impact of these attacks as regulators start to impose fines. The cost of business disruption—including diminished employee productivity and business process failures that happen after a cyberattack—continues to rise at a steady rate (see Figure 7).Malware, Web-based attacks, and denial-of-service attacks are the main contributing factors to revenue loss.

    Reply
  11. Tomi Engdahl says:

    Pelkkä strategia ei suojaa kyberiskuilta – puolustukseen tarvitaan rahaa
    https://www.tivi.fi/CIO/pelkka-strategia-ei-suojaa-kyberiskuilta-puolustukseen-tarvitaan-rahaa-6760863

    Reply
  12. Tomi Engdahl says:

    How to Prepare Your Digital Life for Your Death
    https://uk.pcmag.com/gallery/120067/how-to-prepare-your-digital-life-for-your-death

    Death is inevitable. Don’t make it harder on those you leave behind. Here’s how to let loved ones ma

    Reply
  13. Tomi Engdahl says:

    Don’t Throw Out That Old USB Drive Until You Do This
    https://www.tomsguide.com/us/how-to-delete-usb-drive,news-29630.html

    Before you toss out, give away or sell that old USB memory stick, make sure you’ve properly erased your files. A new study finds that two-thirds of used USB thumb drives still had the previous owner’s data on them, even though attempts had often been made to delete the files.

    Reply
  14. Tomi Engdahl says:

    EU Adopts New Response Protocol for Major Cyberattacks
    https://www.securityweek.com/eu-adopts-new-response-protocol-major-cyberattacks

    Europol on Monday announced the adoption of a new protocol for how law enforcement authorities in the European Union and beyond will respond to major cross-border cyberattacks.

    The new EU Law Enforcement Emergency Response Protocol should prove useful in case of major attacks such as the ones involving WannaCry and NotPetya malware, which in 2017 hit hundreds of thousands of systems around the world and caused significant losses for many organizations.

    The new protocol, adopted by the Council of the EU, is part of the EU’s Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises, and it will be implemented by Europol’s European Cybercrime Centre (EC3). It focuses on rapid assessment, sharing of information, and coordination of the international aspects of an investigation.

    Reply
  15. Tomi Engdahl says:

    Why Phone Numbers Stink As Identity Proof
    https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/

    Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

    Reply
  16. Tomi Engdahl says:

    The Internet is at risk: why is ICANN pushing for the use of DNSSEC?
    https://www.pandasecurity.com/mediacenter/news/icann-urges-dnssec-use/

    In the world of cybersecurity, there’s a concept that is well known to most experts: man in the middle. This, generally speaking, is when an intruder places himself between two elements in order to deceive the user.

    The expression is usually applied to DNS attacks. In this kind of attack, the cybercriminal attacks a domain’s DNS in order to change the address to which it redirects. This kind of DNS attack can take a user to a malicious website, when in fact, they believed they were visiting a trustworthy site. This method can be used to harm users’ cybersecurity in many ways, but the most common is to steal passwords.

    Reply
  17. Tomi Engdahl says:

    The Biggest Stories From RSAC 2019: What Scares the Cybersecurity Experts?
    https://securityintelligence.com/the-biggest-stories-from-rsac-2019-what-scares-the-cybersecurity-experts/

    In the business expo, presentations and in conversations with CISOs, there was a very real sense that the industry is moving away from distributed security solutions and products. Security leaders and vendors are increasingly realizing the risks of deploying too many standalone solutions that don’t talk to each other. It’s costly and it doesn’t create better security results for many organizations. The industry is beginning to emphasize the value of a single-pane-of-glass approach.

    Reply
  18. Tomi Engdahl says:

    IPv6 unmasking via UPnP
    https://blog.talosintelligence.com/2019/03/ipv6-unmasking-via-upnp.html

    With tools such as ZMap and Masscan and general higher bandwidth availability, exhaustive internet-wide scans of full IPv4 address space have become the norm after it was once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet.

    While IPv4 is the norm, the use of IPv6 is on the rise. However, there’s been very little analysis on the most recent version of the internet protocol because it’s impossible to run exhaustive scans given the size of the address space. We need to deploy novel techniques to enumerate active IPv6 hosts.

    In the following post, we’ll present a technique that uses the properties of the Universal Plug and Play (UPnP) protocol to get specific IPv4 hosts to divulge their IPv6 address.

    Reply
  19. Tomi Engdahl says:

    Google Open Sources Sandboxed API
    https://www.securityweek.com/google-open-sources-sandboxed-api
    https://security.googleblog.com/2019/03/open-sourcing-sandboxed-api.html

    Reply
  20. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/9235-androidin-virustutkat-ovat-surkeita
    https://www.av-comparatives.org/tests/android-test-2019-250-apps/

    Reply
  21. Tomi Engdahl says:

    Uncovering the Data Security Triad
    https://www.securityweek.com/uncovering-data-security-triad

    This multi-dimensional risk requires a holistic, data-centric approach to security, one focused on protecting the data itself at all points in its lifecycle rather than concentrating efforts only on its perimeter of surrounding networks, applications, or servers. Organizations must ensure data is secured at all times by:

    1. Securing Data at Rest on the file system, database, or storage technology

    2. Securing Data in Transit as it moves through the network

    3. Securing Data in Use, while the data is being used or processed

    Together, these elements form the Data Security Triad, representing the trifecta of protection required to ensure data is secure throughout its entire lifecycle.

    At the core of this protection strategy is encryption. Encryption renders data useless to an attacker, making it unreadable and therefore removing its value. Thus, encryption is able to undermine the attackers’ purpose – stealing assets of value – and makes the target infinitely less appealing.

    Experience tells us that if there is data of value at stake, attackers will find a way to find and reach it – we can’t just lock the front door; every point of entry needs to be protected. Consequently, limiting encryption to only a portion of the Data Security Triad is a dangerous oversight. It is critical to protect data at rest, in transit, and in use.

    Reply
  22. Tomi Engdahl says:

    The 8 vital questions we need to address about international cybersecurity
    https://www.weforum.org/agenda/2019/03/the-8-vital-questions-we-need-to-address-about-international-cyber-power-and-security/

    This article is part of the World Economic Forum’s Geostrategy platform

    States have used cyber means to kick-start their own economic development by plundering the intellectual property and national innovation of other states.

    The threat and opportunity of cyber operations

    Critical infrastructure

    The growth of cybersecurity

    The complications of assessing state cyber power

    What to do?

    We need a more active international participation in the debate about the true nature of cyber power, as occurred with nuclear power 60 years ago. The questions we might ask are:

    How dangerous are cyber instruments, really?
    How might deterrence work in the context of cyber?
    Do we need new arms control agreements and a non-proliferation regime?
    Do we need increased and swifter public attribution?
    What are the norms of behaviour, the confidence-building measures and the de-escalation channels?
    Can we develop practical incentives for states to adopt reasonable doctrines of restraint that respect the basic tenets of proportionality, necessity and distinction as enshrined in existing international law?
    Can a shared interest in tackling cyber-crime bring states closer together? And can states be incentivised to take collective action against non-state actors?

    Reply
  23. Tomi Engdahl says:

    Is That Vulnerability Critical? Judging the Severity of Threats With Threat Intelligence
    https://www.recordedfuture.com/judging-threat-severity/

    Over 16,500 known security vulnerabilities were cataloged in 2018. That’s more than 45 a day. Who can keep up?

    Managing vulnerabilities continues to be a thorn in the side of security operations for any organization. But taking a “patch everything, everywhere” approach is impossible to do in a timely way and at scale — and as digital footprints grow larger, the problem will only become more complex. The best approach to managing vulnerabilities is to prioritize them based on the actual threat they pose. And the best way to get the context needed to prioritize what to patch and what to ignore is with fast, accurate, and easy-to-use threat intelligence.

    Reply
  24. Tomi Engdahl says:

    https://www.wired.com/story/cambridge-analytica-facebook-privacy-awakening/

    Reply
  25. Tomi Engdahl says:

    Critical Flaw in Swiss Internet Voting System
    https://www.schneier.com/blog/archives/2019/03/critical_flaw_i.html

    Researchers have found a critical flaw in the Swiss Internet voting system. I was going to write an essay about how this demonstrates that Internet voting is a stupid idea and should never be attempted — and that this system in particular should never be deployed, even if the found flaw is fixed

    You might be thinking, “Well, what is the big deal? If you don’t trust the people administering an election, you can’t trust the election’s outcome, right?” Not really: we design election systems so that multiple, uncoordinated people all act as checks and balances on each other. To suborn a well-run election takes massive coordination at many polling- and counting-places, as well as independent scrutineers from different political parties, as well as outside observers, etc.

    A critical flaw in Switzerland’s e-voting system is a microcosm of everything wrong with e-voting, security practice, and auditing firms
    https://boingboing.net/2019/03/13/principal-agent-problems.html

    Switzerland is about to have a national election with electronic voting, overseen by Swiss Post; e-voting is a terrible idea and the general consensus among security experts who don’t work for e-voting vendors is that it shouldn’t be attempted, but if you put out an RFP for magic beans, someone will always show up to sell you magic beans, whether or not magic beans exist.

    Swiss Post contracted with Barcelona firm Scytl to build the system, then consulted with outside security experts and KPMG to audit the system, and then announced a bug-bounty program that would allow people who promised to only disclose defects on Swiss Post’s terms to look at some of the source code.

    This kind of bug bounty is pretty common, and firms like to assert that they can be trusted to be responsible stewards of bad news about their own products and should have the right to decide who can make truthful disclosures about their mistakes and the defects in their offerings. During the fight over DRM standardization for browsers at the W3C, we pointed out that one side-effect of adding DRM to browsers would be that browser vendors and media companies would acquire a new right to silence security researchers who wanted to make factual statements about security defects in their products.

    trying to craft rules for when it would be OK for companies to decide that users couldn’t know about defects in their products.

    The belief that companies can be trusted with this power defies all logic, but it persists. Someone found Swiss Post’s embrace of the idea too odious to bear, and they leaked the source code that Swiss Post had shared under its nondisclosure terms, and then an international team of some of the world’s top security experts (including some of our favorites, like Matthew Green) set about analyzing that code, and (as every security expert who doesn’t work for an e-voting company has predicted since the beginning of time), they found an incredibly powerful bug that would allow a single untrusted party at Swiss Post to undetectably alter the election results.

    Reply
  26. Tomi Engdahl says:

    Will We See the Rise of Vaporworms and Other New Fileless Attacks in 2019?
    https://securityintelligence.com/will-we-see-the-rise-of-vaporworms-and-other-new-fileless-attacks-in-2019/

    The evolution of the new and difficult-to-detect category of fileless attacks may soon take an insidious turn with the development of what some researchers are calling vaporworms.

    As the name suggests, fileless malware differs from conventional malware in that it doesn’t require a file to be created and saved on a computer. Instead, it leverages scripts or even legitimate running processes to inject itself directly into a device’s memory. But what’s on the horizon for this emerging threat?

    The Threat of Fileless Attacks

    Trend Micro first reported on a fileless payload with wormlike replication capabilities in November 2018. The malware, a fileless version of the Bladabindi backdoor, avoided detection by depositing its payload in the Windows registry, which is a key-value database that exists only in Windows memory. It then created another registry entry that instructed Windows to load it at boot time. Because the entire process took place in memory, it didn’t leave a trail on the infected computer’s hard disk drive.

    Reply
  27. Tomi Engdahl says:

    Exploring the Dark Web
    https://www.youtube.com/watch?v=BN1NU0ivzj8

    Reply
  28. Tomi Engdahl says:

    From Traffic Cop to Fleet Manager, DLP Evolves Beyond the Perimeter
    https://www.securityweek.com/traffic-cop-fleet-manager-dlp-evolves-beyond-perimeter

    Perimeter-based DLP Enforcement Has Increasingly Taken a Backseat to Host-based Implementations

    Harkening back to a time before “cyber” entered a CISO’s daily vocabulary, data leakage prevention (DLP), even after two decades, has adapted new enterprise defense in depth strategies to protect the outbound flow of business data beyond the traditional network perimeter. DLP has broadened to encompass a menagerie of three-letter acronyms, such as information leak prevention (ILP), content monitoring and filtering (CMF), and extrusion prevention system (EPS).

    Reply
  29. Tomi Engdahl says:

    Half of EU businesses attacked in last two years
    https://www.itproportal.com/news/half-of-eu-businesses-attacked-in-last-two-years/

    Attack surfaces are growing thanks to new IoT gadgets, BYOD movement and a general lack of vigilance.

    More than half of businesses in the EU have had their operations disrupted by cyberattacks in the past 24 months, highlighting the size of the problem organisations everywhere are facing.

    Reply
  30. Tomi Engdahl says:

    Who will restore encrypted corporate data? Nobody will
    https://www.kaspersky.com/blog/undecryptable-files/26040/

    As yesterday’s incident with Norway’s Norsk Hydro company shows, the ransomware threat is far from being dead, and not everyone is protected. One possible reason is the common belief that in case of an incident their data can be restored, if not by internal IT specialists, then by some external security experts — or, as a last resort, by the cybercriminals responsible (in exchange for ransom). And oh yes, a lot of companies promise to decrypt data. But sometimes employing such companies is actually worse than to paying cybercriminals.

    Why is it a bad idea to employ companies that give a 100% guarantee of decryption?

    So anyone talking about absolute guarantees of decryption a probably lying. As late as last year, our colleagues identified one such company. As it turned out, the company demanded considerable sums of money from victims for “decryption services” and at the same time negotiated with the attackers to get decryption keys at a discount. As a result, the victims not only paid the attackers, but also funded third-party fraudsters.

    Why you shouldn’t pay

    Paying the extorters seems like the path of least resistance.
    However, the easiest way is not always the best, especially if the stakes are not actually about life and death. First of all, your money will most likely be used to develop even more sophisticated malicious programs (which may target marks like you who have shown they’re willing to pay). Secondly, paying is an unreliable tactic. The hospital was lucky, but in hundreds of cases, attackers simply take the money and never decrypt the files. Sometimes they can’t.

    Why security companies cannot decrypt your data

    Of course, there are companies that are constantly looking for ways to restore encrypted data — including us. However, deciphering information is possible only if the attackers were not professional enough to implement a normal algorithm (or if they simply made a mistake somewhere). When we manage to make a decryption tool, we share it free at https://noransom.kaspersky.com/. But such cases are exceptions, not the rule.

    Reply
  31. Tomi Engdahl says:

    The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018
    https://securityintelligence.com/the-business-of-organized-cybercrime-rising-intergang-collaboration-in-2018/

    Banking Trojans and the gangs that operate them continue to plague banks, individuals and organizations with fraudulent transactions facilitated by malware and social engineering schemes. At last check, cybercrime cost the global economy more than $600 billion in 2017 , and forecasts for 2018 predicted $1.5 trillion in losses.

    No matter how you turn these numbers, they are a burden that keeps growing and encouraging a rife, complex industry of online crime

    Reply
  32. Tomi Engdahl says:

    SilkETW: Because Free Telemetry is … Free!
    https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html

    Over time people have had an on-again, off-again interest in Event Tracing for Windows (ETW). ETW, first introduced in Windows 2000, is a lightweight Kernel level tracing facility that was originally intended for debugging, diagnostics and performance. Gradually, however, defenders realized that ETW provided metrics and data content that was not otherwise available without custom development efforts. Even so, aside from a number of big players in the industry, people have been slow to adopt ETW as a data source for detection and research. The two primary problems with ETW are: the complexities involved in event collection, and the volume of data that is generated. The task of looking through a haystack to find the proverbial needle is not necessarily appealing from an engineering perspective (How do you store the data? How do you process the data? Is the data really valuable? What were we looking for again?).

    Our latest tool, SilkETW, aims to put actionable ETW data in the hands of researches, both on the defensive and offensive side of the industry.

    https://github.com/fireeye/SilkETW

    Reply
  33. Tomi Engdahl says:

    Cyberattacks: Europe gets ready to face crippling online assaults
    https://www.zdnet.com/article/cyber-attacks-europe-gets-ready-to-face-crippling-online-assaults/

    Massive cyberattacks with real-world consequences are no longer unthinkable. Time to get prepared, says Europe.

    Europe is gearing up to deal with the impact of large-scale international cyberattacks.

    “The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable,” warned Europol, the European Union’s (EU) law enforcement agency, which focuses on terrorism, cybercrime and serious and organised crime.

    Europol pointed to WannaCry and NotPetya ransomware attacks as examples of incidents that showed the existing ways of tackling major cyberattacks were insufficient.

    Reply
  34. Tomi Engdahl says:

    Cybersecurity: Don’t let the small stuff cause you big problems
    https://www.zdnet.com/article/cyber-security-dont-let-the-small-stuff-cause-you-big-problems/

    If hospitals don’t take cybersecurity seriously, a series of small issues could be as bad as a major cyberattack like WannaCry, warns NHS Digital chief.

    Reply
  35. Tomi Engdahl says:

    Q&A: Crypto-guru Bruce Schneier on teaching tech to lawmakers, plus privacy failures – and a call to techies to act
    https://www.theregister.co.uk/2019/03/15/qa_bruce_schneier/

    ‘Politicians are reluctant to disrupt the enormous wealth creation machine technology has turned out to be’

    RSA Politicians are, by and large, clueless about technology, and it’s going to be up to engineers and other techies to rectify that, even if it means turning down big pay packets for a while.

    This was the message computer security guru Bruce Schneier gave at last week’s RSA Conference in San Francisco, during a keynote address, and it appeared to strike a chord with listeners. Schneier pointed out that, for lawyers, doing pro bono work was expected and a route to career success. The same could be true for the technology industry, he opined

    Q. Your RSAC keynote highlighted the growing mismatch between public policy and technological development. Why are lawmakers having such problems with the technology sector?

    A. Tech is new. Tech is specialized and hard to understand. Tech moves fast, and is constantly changing. All of that serves to make the tech sector difficult to legislate. And legislators don’t have the expertise on staff to counter industry statements or positions. On top of that, tech is incredibly valuable.

    Lawmakers are reluctant to disrupt the enormous wealth creation machine that technology has turned out to be. They’re more likely to acquiesce to the industry’s demands to leave them alone and unregulated, to innovate as they see fit.

    And finally, some of the very features we might expect government to regulate – such as the rampant surveillance capitalism that has companies collecting so much of our data in order to manipulate us into buying products from their advertisers – are ones that they themselves use when election season rolls around.

    Q. With technology evolving so rapidly, can any government hope to keep up on a legislative level? Or are there core values in law that can be applied?

    A. Technology has reached the point where it moves faster than policy. A hundred years ago, someone could invent the telephone and give legislators and courts decades to work out the laws affecting it before the devices became pervasive.

    Today, technology moves much faster.

    Q. You’ve called for public-interest technologists to help bridge the impasse between policy and government. How would that work exactly?

    Q. Why would tech companies go for this? What’s in it for them?

    A. Largely, the tech companies won’t go for it. The last thing they want are smart legislators, judges, and regulators. They would rather be able to spin their own stories unopposed. But I don’t need the tech companies do to anything; this is a call to tech employees.

    And technologists need to understand how much power they actually have. Even the large tech monopolies that don’t compete with any other company – that treat their users as commodities to be sold – compete with each other for talent.

    Reply
  36. Tomi Engdahl says:

    Q&A – How can organisations defend against insider threats?
    By Matt Lock 2019-03-18T09:00:07Z Security
    https://www.itproportal.com/features/qanda-how-can-organisations-defend-against-insider-threats/

    Even a relatively small-scale breach can still have serious legal and regulatory repercussions for the organisation if the privacy of customers or patients was breached.

    How dangerous are malicious insiders?

    Malicious insiders pose just as much of a threat as external attackers – and indeed can inflict even more damage as they are often harder to detect. Unless the company is equipped with the tools to identify their activity, an opportunistic rogue can easily steal thousands of sensitive and critical files to sell to competitors or to criminals. A disgruntled employee with an axe to grind can also cause serious harm by using their access to commit major acts of sabotage, editing, deleting or leaking large amounts of private and essential data, or interfering with critical systems.

    Alongside the classic case of an opportunistic or resentful employee acting against the company, the insider threat also encompasses the risk of external attackers exploiting stolen login credentials. Armed with a set of login details acquired from a database leak or phishing attack, an intruder can gain instant access to the network and move about as though they were a genuine employee.

    Even a relatively small-scale breach can still have serious legal and regulatory repercussions for the organisation if the privacy of customers or patients was breached. Under the GDPR for example, a company could face heavy fines if it is judged they did not put sufficient measures in place to prevent the breach.

    How difficult is it to successfully spot a rogue insider before it’s too late?

    Unless you are looking for the tell-tale signs of insider activity, it can be almost impossible to spot a rogue before the damage is done.

    What are the tell-tale signs of a malicious insider?

    There are four key signs that can point towards a malicious insider at work:

    Strange file access. An employee that is searching for, viewing or copying data that is not relevant to their job role should be taken as a strong sign of malicious intent. Whether they are planning a data heist or are simply being nosy, this can lead to serious security or privacy issues, particularly where data such as customer or patient records are concerned.
    Accessing, saving or printing large amounts of information. The most dangerous insiders are those with privileged access who are acting within their job role. However, they can still give themselves away by attempting to exfiltrate too much data at once. If a large number of files are saved externally or printed, it could be a sign they are planning to take them to another job or sell them to a third party.
    Unusual activity out of hours. It’s common to find an organisation’s working hours extending well beyond the normal 9-5 these days, with employees often logging in at night or over the weekend. If an individual’s activity shows sudden and drastic changes however, it might be a sign they are trying to cover up illicit activity, or that a criminal is accessing the account with stolen credentials.
    Network ghosts. Organisations often overlook admin tasks such as deleting the accounts of users who have left the company. These ghost accounts can often be accessed by the former employee using their old credentials and are also vulnerable to discovery and exploitation by criminals.

    What can organisations do to mitigate the damage that a rogue employee can inflict?

    Organisations can greatly reduce the potential threat posed by malicious insiders by making sure network access is granted on a least-privilege basis, which means all users only receive access to files and systems relevant for their job roles.

    Reply
  37. Tomi Engdahl says:

    Law enforcement agencies across the EU prepare for major cross-border cyber-attacks
    https://www.europol.europa.eu/newsroom/news/law-enforcement-agencies-across-eu-prepare-for-major-cross-border-cyber-attacks

    The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable. To prepare for major cross-border cyber-attacks, an EU Law Enforcement Emergency Response Protocol has been adopted by the Council of the European Union. The Protocol gives a central role to Europol’s European Cybercrime Centre (EC3) and is part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises1. It serves as a tool to support the EU law enforcement authorities in providing immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations.

    Reply
  38. Tomi Engdahl says:

    What to Do When the Botnet Comes Knocking
    https://hackaday.com/2019/03/21/what-to-do-when-the-botnet-comes-knocking/

    Reply
  39. Tomi Engdahl says:

    How Patch Posture Reporting Improves Security Landscapes
    https://securityintelligence.com/how-patch-posture-reporting-improves-security-landscapes/

    Vulnerability identification and remediation are critical to maintaining a secure environment. Today, most organizations are using one or multiple vulnerability scanning tools to identify vulnerabilities on endpoints such as business critical servers, laptops and desktops. They also have processes in place to apply security patches (provided by platform or application software vendors) to remediate vulnerabilities quickly. However, many security teams remain concerned that their IT infrastructures may still be vulnerable to attacks from newly emerging malware or exploitation vectors (e.g., WannaCry, Petya/NotPetya and Apache Struts), simply because some machines contain vulnerabilities that have not been identified or patched and could be manipulated by these threats.

    Reply
  40. Tomi Engdahl says:

    Researchers Seek Out Ways to Search IPv6 Space
    https://www.darkreading.com/researchers-seek-out-ways-to-search-ipv6-space/d/d-id/1334213

    Security researchers regularly search IPv4 address space looking for servers with ports exposing vulnerable software. With the massive number of IPv6 addresses, however, they have lost that ability. Can tricks and workarounds save the day?

    To assess the risk from the vulnerability, security professionals and academic researchers began scanning the 4.3 billion addresses on the Internet, looking for unpatched servers vulnerable to the now-infamous Heartbleed flaw. Researchers were not the only ones searching the entire Internet. Within a few days, attacks came from more than 700 different sources, according to a 2014 paper published by a team of researchers from various universities.

    The ability to gain similar intelligence in the future may disappear, however. About a quarter of Internet users currently connect to Google over IPv6, up from 5% four years ago, according to data collected by the search giant. As service providers adopt the next-generation Internet protocol, IPv6 will become more common, and researchers worry that their ability to exhaustively search the network will fail.

    Reply
  41. Tomi Engdahl says:

    Sloppy Hackers Take Down Another Major Company
    https://www.eeweb.com/profile/loucovey/articles/sloppy-hackers-take-down-another-major-company

    Based on FBI estimates, ransomware-based cybercrime will cost companies $11.5 billion this year, up from $325 million in 2015

    A shoutout to Israeli cybersecurity firm CyberHat for the notification in my inbox this week of a fairly significant cyberattack that started Monday and is still ongoing. Let’s start with the news and follow with a rant:

    Norwegian company Norsk Hydro, one of the most significant aluminum producers in the world, was hit Monday morning using a relatively new ransomware, dubbed LockerGoga. This malware, which was discovered by an independent cybersecurity expert in Serbia early this year, seems to be targeting large engineering and manufacturing firms.

    Norsk Hydro has been forced to take its automated systems offline and switch to manual operation until the virus is removed or isolated. A similar attack was initiated on French engineering firm Altran Technologies on Jan. 25.

    “This is a classic ransomware attack; the situation is quite severe,”

    Reply
  42. Tomi Engdahl says:

    Most second-hand thumb drives contain data from past owners
    https://www.welivesecurity.com/2019/03/21/most-second-hand-thumb-drives-contain-data-past-owners-usb/

    Our penchant for plugging in random memory sticks isn’t the only trouble with our USB hygiene, a study shows

    Many computer users don’t take enough precautions when disposing of their USB sticks, leaving a trove of what is often sensitive information about themselves for the drives’ new owners, a study has shown.

    Researchers from the University of Hertfordshire purchased 200 second-hand memory sticks – 100 in the United States, 100 in the United Kingdom – on the open market recently to see how many of them still contained data from previous owners.

    Reply
  43. Tomi Engdahl says:

    Hunting for the True Meaning of Threat Hunting at RSAC 2019
    https://securityintelligence.com/hunting-for-the-true-meaning-of-threat-hunting-at-rsac-2019/

    Don’t Believe the Hype: 3 Common Misconceptions About Threat Hunting

    Let’s be honest: “Threat hunting” certainly has a cool ring to it that draws people in and makes them want to learn more. However, it’s important not to lose sight of the fact that threat hunting is an actual approach to cyber investigations that has been around since long before marketers starting using it as a hook.

    1. Threat Hunting Should Be Fully Automated
    2. Threat Hunting and EDR Are One and the Same
    3. Threat Hunting Is Overly Complicated

    What Is the True Meaning of Cyber Threat Hunting?

    Don’t get me wrong — I am thrilled that threat hunting is gaining steam and vendors are coming up with innovative solutions to contribute to the definition of threat hunting. As a former analyst, I define threat hunting as an in-depth, human-led, investigative process to discover threats to an organization. My definition may vary from most when it comes to how this is conducted, since most definitions emphasize that threat hunting is a totally proactive approach. While I absolutely agree with the importance of proactivity, there aren’t many organizations that can take a solely proactive approach to threat hunting due to constraints related to budget, training and time.

    Reply
  44. Tomi Engdahl says:

    UK businesses could face £1bn bill from DDoS attacks this year
    https://www.itproportal.com/news/ddos-atatcks-could-cost-the-uk-pound1bn/

    Large-scale attacks are getting cheaper to carry out, but the consequences are getting more expensive.

    Distributed Denial of Service (DDoS), a type of cyberattack that can crash a website with an overwhelming amount of fake traffic, are set to cost UK businesses more than £1 billion this year, new research has said.

    A new report by NETSCOUT claims that more than nine in ten (91 per cent) of businesses that suffered a DDoS attack last year also suffered downtime.

    That downtime usually lasts around half an hour, but for the unlucky few (nine per cent, to be exact), it lasted more than four hours.

    The average cost of such a DDoS attack was estimated at more than £140,000.

    “Our research data revealed that around 86 per cent of major UK enterprises questioned were attacked at least once in 2018. 90 per cent of these UK businesses experienced downtime, which averaged 67 minutes for the year, and the downtime costs were estimated at £2,140 per minute,” Anstee said.

    Reply
  45. Tomi Engdahl says:

    Global Security Spend Set to Grow to $133.8 Billion by 2022: IDC
    https://www.securityweek.com/global-security-spend-set-grow-1338-billion-2022-idc

    Global spending on security-related hardware software and services will grow at a compound annual growth rate (CAGR) of 9.2% between 2018 and 2022, to a total of $133.8 billion in 2022. The figures come from the latest Worldwide Semiannual Security Spending Guide compiled by IDC.

    The forecasts are more conservative than Gartner’s August 2018 predictions (for 2018 and 2019). While Gartner forecasts that 2019 global spending will be $124 billion, IDC’s forecast for 2019 is just $103.1 billion. Both companies do agree on one thing — growth in spending on managed security services will continue.

    IDC says it will be the largest technology category in 2019, with firms spending more than $21 billion. “The security landscape is changing rapidly,” comments Martha Vazquez, senior IDC research analyst, Infrastructure Services, “and organizations continue to struggle to maintain their own in-house security solutions and staff. As a result, organizations are turning to managed security service providers (MSSPs).”

    Reply
  46. Tomi Engdahl says:

    How many sites use Certificate Authority Authorization to control which CAs can issue certificates?

    Scott Helme looks at CAA usage.

    Find out more here: https://lnkd.in/gmR864R

    #certificates #encryption #security

    Reply
  47. Tomi Engdahl says:

    Russian hackers are eight times faster than North Korean groups
    https://www.technologyreview.com/the-download/612983/russian-hackers-are-eight-times-faster-than-chinese-and-north-korean-groups/?utm_campaign=site_visitor.unpaid.engagement&utm_medium=tr_social&utm_source=facebook

    Russian hackers are way ahead of the next-fastest state-sponsored hackers, North Korea, who themselves are nearly twice as fast as Chinese groups, according to a new report by US cybersecurity firm Crowdstrike

    Reply
  48. Tomi Engdahl says:

    Law enforcement needs to protect citizens and their data
    https://techcrunch.com/2019/03/20/law-enforcement-needs-to-protect-citizens-and-their-data/

    Governments should not “go dark” on privacy by fighting against encryption

    Reply
  49. Tomi Engdahl says:

    Getting started with DevSecOps
    The open source guide to DevOps security
    https://opensource.com/downloads/devsecops?sc_cid=7016000000127ECAAY

    The journey to DevSecOps begins with empowerment, enablement, and education. This guide will help you get started.

    Reply
  50. Tomi Engdahl says:

    The open source guide to DevOps monitoring tools
    https://opensource.com/downloads/devops-monitoring-guide?sc_cid=7016000000127ECAAY

    This free download for sysadmin observability tools includes analysis of open source monitoring, log aggregation, alerting/visualizations, and distributed tracing tools.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*