What are the top cyber trends to watch out for in 2019? Here’s what I have been hearing and reading:
First I present a new information security term: Virtual Security = Manufacturers claim that their products are secure. but in reality they are not.
New APT groups, and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Security is hard and getting harder in 2019. Good operational security is non trivial. Next generation dark markets are making cybercrime easier than ever before.
Gartner expects that the security market is expected to grow 8.7% in 2019 and hit $124 billion. Global spending on security products and services closed in 2018 in excess of $114 billion, marking a 12.4% increase from 2017.
A New Year’s Resolution: Security is Broken…Let’s Fix It. There are three strategies that show real promise for defending against tomorrow’s threats: Deploy Deception, Leverage Threat Intelligence, Think Proactively. Plan Now for Emerging Threats. Defending against these threats will require two things. The first is understanding the economic drivers of the criminal community, and the second is to adopt strategies and solutions that address and disrupt those drivers. Getting in front of the cyber-threat paradigm requires organizations to rethink their security strategies in 2019.
Many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, but when – and when they will finally find the hack has happened. For example it Marriott disclosed a four-year-long breach involving the personal and financial information of 500 million guests. Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence. To prevent this, threat hunting has emerged as an essential process for organizations to preempt destructive attacks. This process is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep. The adversary is hunting for your security gaps…why aren’t you?
Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Attackers scan those systems for vulnerabilities actively in 2019. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late. Measure how good is your security. Data protection tools have been developed to measure the maturity of data protection issues in organization.
CEOs should ask the following questions about potential cybersecurity threats:
How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
How can my business create long-term resiliency to minimize our cybersecurity risks?
What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?
How Well Are You Protecting Your Brand from Digital Risk? Having a website is just the baseline for existing in digital world. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity. Bad actors can spoof social media profiles of your company or brands. Cyber criminals will register and use web domains extremely similar to your actual domain names. Malicious apps that impersonate brands may use spyware to steal information from users. You might need to develop a brand protection program in 2019. Digital risk from brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. This is what the brand managers need to think about in 2019. Successful hacking campaigns used to be all about keeping under the radar. But, for some, making a big splash is now now more important than lurking in the shadows.
Today, cybersecurity is moving beyond the financial impact to concerns over public safety, national security, and even cyberwarfare. The tech industry is becoming more worried about a cyberwar arms race. Microsoft boss thinks that cyber war cannot be won. High impact cyber attacks often affect the electricity network, water supply, financial markets, hospitals, and military families. Preparations for various cyber attacks in different sectors vary greatly. Energy and finance are the most advanced. We should all keep in mind two things: The proliferation of cyberweapons is already happening and arms control of cyberweapons hasn’t caught up. “Cyber is so wide that states alone cannot be sufficient in providing security” It seems also that authoritarian forces are trying to claw back control and even re-purposing the web in ways that undermine democracy.
It would be good for the company to be able to manage risks, prepare for major disruptions, and plan and practice recovery. Risk management requires the company to detect the attack itself. A large coordinated attack could attack our elections, our press, our telecommunications, our banks, and our military. According to a new report on digital freedom, authoritarian forces are clawing back control and even re-purposing the web in ways that undermine democracy. Tim Cook says that tech firms should prepare for ‘inevitable’ regulation.
We need to build cyber resilience to our networked systems. Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. “Cybersecurity, infrastructure security, is not a competitive advantage,” Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost.”
Did you remember to test the security? Every developer team should know how to code securely and how to test security. This kind of basic hygiene with information security creates the basis for genuinely intact applications. The basic thing for the tester in terms of data security is user identification and access, securing stability, encryption, firewalls, intruder detection, anonymization of information. All these things can be tested with different techniques, tools and methods. It is a good idea to ask a security professional if you do not know how to do this.
You will see many big data beaches also in 2019. Cybersecurity headlines in recent years have been dominated by companies losing money by being hacked and leaking the data of millions of customers. 2018 was again a banner year for breaches, check for example list of Biggest cyber security breaches 2018. In 2018 the mantra became “another day, another data breach.” 2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. Some companies have worked on improving their security, but overall there has not been so much activity going on that it would considerably change the situation for better in 2019. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.
How much are the first fines for GDPR infringement? It remains to be seen in 2019 as sanctions on big 2018 leaks start to appear. Infringement of GDPR regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. The economic sanctions that we have seen so far in 2018 have clearly relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear. Remember that by having appropriate protection for the personal data that your company manages, you can avoid sanctions.
IoT malware and email hacks are on the rise again. Blackmail demand claims will continue unfortunately also in 2019 and will become more innovative. In 2018 we first saw blackmail extortion with claims to have nailed you watching porn and the sender infected your computer by hacking your account or placing malware. All sorts of variants exist. There was also Spammed Bomb Threat Hoax that demands Bitcoin.Then there has been a New Extortion Email Threatens to Send a Hitman Unless You Pay $4,000 in bitcoin. As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques.
The number of attacks using IoT hardware is increasing in 2019. IoT is still insecure. As the number of IoT devices, such as smart home network monitoring systems, increase, the threat is constantly increasing. According to Nokia report IoT botnet operations accounted for 78 percent of malware detection events in the communications service provider (CSP) networks in 2018.
Many IoT protocols are still implemented without proper security. The CoAP protocol is the next big thing for DDoS attacks. Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attack. That is because most of today’s CoAP implementations forgo using hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.
Mirai botnet has been active since 2016. And several followers to it are still active. Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms. And you will not get rid of the new variations of it in 2019. Latest example is With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit. Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices. Miori is just one of the many Mirai offshoots. There is another very similar variant called Shinoa.
Regulating cyber security features on networked devices seems to be on rise. Germany proposes router security guidelines. It would like to regulate what kind of routers are sold and installed across the country. California became the first state with an Internet of Things cybersecurity law: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means less generic default credentials for a hacker to guess. In Finland security label created by FICORA’s Cybersecurity Center promises that will make it easy for consumers to identify a sufficiently secure devices in 2019.
Ransomware attack will continue in 2019. Hospital cybersecurity seems to be a pressing problem in 2019. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over year 2018. There is a number of technological, cultural and regulatory issues that complicate healthcare cybersecurity.
DNS system is still full of “ugly hacks” that keep it running. Malicious actors have found innovative ways to take down the DNS and the landscape growing more problematical. Hopefully it will get robust in 2019. Vendors of DNS software, as well as large public DNS providers, are going to remove certain workarounds on February 1st, 2019, otherwise known as DNS Flag Day. Don’t Let DNS Flag Day Become Your DNS Doomsday. The result of this “line in the sand” means that all domains hosted on these poorly coded DNS servers will fail to resolve correctly across all the recursive resolvers built by and run by the consortium. So your SPF, DKIM, DMARC, most TXT and PTR records will fail. This will be a very bad day for anyone who doesn’t take time to address this issue BEFORE February 1st, 2019.
TLS 1.3 was published as of August 2018. It has been over eight years since the last major encryption protocol update. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever. With OpenSSL 1.1.1 library many applications can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently to TLSv1.2 though there are a few caveats that may impact a minority of applications. Add this to list of existing TLS ecosystem woes. Malicious sites will increasingly use SSL certificates to look legitimate.
Remember to update your PHP version early in 2019. PHP 5.6 support and security updates have ended. PHP 5. is still widely used in many web services. FICORA’s Cybersecurity Center recommends giving up the use of old PHP versions, especially for services that are publicly available on the Internet. Currently the latest version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Currently the latest PHP version is 7.3. Each version is actively developed for two years, after which security updates are offered for one year. Because the new PHP7 is not fully compatible with the old PHP5, so many sites need also updates to the site PHP code. If you can’t for some reason update PHP version, special attention should be paid to the security of the server and its environment.
Cloud security is still a problem for many organizations in 2019. The 2018 Cloud Security Spotlight Report noted that 84% of respondents claim traditional security solutions either don’t work at all or have limited functionality in the cloud. Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security (62%). Lack of staff resources and expertise to manage cloud security seems to be the largest barrier to cloud adoption for many companies. Many clouds are nowadays relatively secure, but Are You Using Them Securely? It’s time to stop obsessing over unsubstantiated cloud security worries and start focusing more on new approaches to cloud control. It is time to better manage your cloud deployments in 2019.
The Cybersecurity Industry Doesn’t Have Artificial Intelligence Right Yet. AI in security will be talked on in 2019. 2018 was The Year Machine Intelligence Arrived in Cybersecurity. “Intelligence” is a word heavily freighted in cybersecurity technology because it covers a wide variety of techniques and product: Expert systems, machine learning, deep learning, and artificial intelligence are all represented in the whole, with each being used and promoted by different vendors and service organizations. Antivirus protection is one of the tasks to which companies are applying intelligence. The vast majority of intelligence being used in security is “machine learning” rather than “artificial intelligence.” The application of artificial intelligence (AI) via the implementation of machine learning (ML) is the fastest growing area of cybersecurity, but it seems Artificial Intelligence in Cybersecurity is Not Delivering on its Promise at least yet. What has been largely missing from this assertion is independent verification that the theoretical benefits promoted by ML vendors translate to actual benefits in use. Also cyber-criminals start to use AI to make better attacks.
Machine learning can reduce the usefulness of CAPTCHA. Machine learning model breaks CAPTCHA systems on 33 highly visited websites very quickly.
Destructive malware has been employed by adversaries for years. Destructive targeted attacks have a critical impact on businesses, causing the loss of data or crippling business operations. NotPetya and Wannacry affected several companies around the world. OlympicDestroyer affected the Olympic Games organization.
Old destructive attacks can persist for a long time. Wannacry is not dead when 2019 starts. Eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers. The kill switch has been activates so the ransomware component would not activate, but the infection continues to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.
Spectre and Meltdown vulnerabilities that were found in 2017 and became public the beginning of 2018 will continue. I have been following this saga since I reported it first in Finland at Uusiteknologia.fi on-line magazine. Spectre-like variations continued to be discovered, just as academics predicted at the start of 2018. Intel and other processor manufacturers have worked on fixed, but there has been numerous new vulnerability variation reported over the year on the same theme, latest published in late 2018. Is Spectre making a comeback? I expect you will not get rid of new variations on this vulnerability theme in 2019. There are still many side channel flaws to be found on modern processors.
USB security is still fundamentally broken in 2019. USB drives are a security threat to process control systems because USB drives can cause serious disruption to process facilities through unsecure or malicious files. USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.
The air gap is low-tech but still has value as a barrier against cyber attacks. But air gaps, once a valuable barrier against cyberattacks, are disappearing from industrial control systems. As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. The use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology). Also air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities.
There are still major problems cyber security in industrial system. Major problems in industrial cyber security are inadequate software updates, the following non-upgraded systems, and common usage ids for updating. While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading.
Perimeter-less security is hot in 2019. You can’t build anymore well defined perimeters around all of your systems. Welcome to a World of Zero Trust. Zero Trust Privilege approach is based on six fundamental elements: Verify Who, Contextualize the Privileged Access Request, Establish a Secure Admin Environment, Grant Least Privilege, Audit Everything, Apply Adaptive Security Controls.
Can You Mitigate Against Mission Impossible? Most probably you can’t. Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against Them. Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.
Credential abuse is at the core of many hacks in 2019. Usually the easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions.
Good database security planning is essential for protecting a company’s most important assets because if attackers can shut companies out of their own data can quickly cripple an organization. Leaked data can also become costly with costs of data leak itself, regulatory costs (including GDPR fines) and bad reputation that can affect revenue for a long time.
Just on the end of 2018 there was reports on SQLite vulnerabilities. Magellan is a number of vulnerabilities that exist in SQLite that were able to successfully implement remote code execution in Chromium browsers (already fidex). This vulnerability can have a wide range of influence in 2019 because SQLite is widely used in all modern mainstream operating systems and software. There is potential that Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers. I expect to see reports against attacks against many different systems and system users failing to secure their systems.
DevSecOps is having a positive impact on security, but the state of security still has a long way to go as over 13 percent of applications contain at least one critical vulnerability. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET application contain at least one vulnerability. Even with a stronger focus on security in 2019, most software will still riddled with security vulnerabilities.
Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information as well as potentially damaging the reputation of your business.Misconfiguration of the cloud platform took the top spot in this year’s survey as the single biggest threat to cloud security.
4 mobile security threats that companies must fight in 2019: Cryptojacking, Data breaches, Insecure networks and Social engineering attacks. Also Mobile Spear phishing campaigns will form the cornerstone for targeted attacks on organizations. The Wi-Fi attack vector isn’t going away any time soon, despite 5G hype. I don’t expect the assault on mobile to slow down as according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.
Google says that Android 9 Brings Significant Security Advancements. Google has focused on aspects such as platform hardening, anti-exploitation, hardware-backed security. There are also new protections for the Application Sandbox.
Ultrasonic Tracking are Beacons on the Rise. It is an inaudible sound with encoded data that can be used on a listening device with suitable application to receive information that could be just about anything. There are numerous scenarios in which ultrasonic tracking beacons can be surreptitiously used and misused.
PUAs are being weaponized. PUA is the acronym for “Potentially Unwanted Application.” This is a general category used by all vendors to tag particular applications that can be misused by malicious people. Recently, an active campaign was spotted in the well-known Emotet Banking Trojan, which makes use of Freeware system tools but with an obscure purpose.
Microsoft has officially announced ‘Windows Sandbox’ for running applications in isolation. Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allow users to run potentially suspicious software in isolation. Windows 10 19H1 Build 18305 adds support for a new sandbox feature for isolating potentially suspicious apps, plus several other new security fixes.
It seems that Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks. The most destructive disaster is the one you do not see coming. While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of the cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.
Is 5G Technology a Blessing or a Curse for Security? Depends Who You Ask. It is best to Prepare for the Coming 5G Security Threats. But do we understand the 5G security threats to come? Most probably not, because it seems that the general understanding of 5G is pretty shallow for very many organizations. Many countries are not comfortable with the Chinese building its 5G network.
Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology (especially face and fingerprint recognition). New Boom in Facial Recognition Tech Prompts Privacy Alarms. Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. Now facial recognition appears to be on the verge of blossoming commercially. There is potential risk that Surveillance Inhibits Freedom of Expression.
Old outdated encryption technologies refuse to die. MD5 and SHA-1 are still used in 2018 and their use does not seen to end in 2019. The current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.
Law is trying to weaken encryption in some countries. A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals. “I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM. It could be a be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy. We need good encryption in 2019 to keep Internet safe.
The payment card industry is thinking about security standards such as EMV 3D Secure and emerging technologies such as contactless payments.
The use of bug bounty programs to find security vulnerabilities in software and services is increasing.In January, the EU starts running Bug Bounties on Free and Open Source Software where European Commission to start offering bug bounties on 14 Free Software projects like Notepad++ and VLC that the EU institutions rely on. Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program.
You might need a password manager in 2019 more than you needed it now. If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember and sometimes are easily hackable. Nobody likes passwords but they’re a fact of life. How do you make them better? You need a password manager. Some examples for proposed alternatives to passwords include biometric identification, disposable passwords, certificate-based systems and FIDO2 USB sticks.
You might also need two-factor authentication can save you from hackers. If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts and it usually (when implemented well) only adds a few extra seconds to your day.
Two factor authentication has been considered as best practice for some time, but even that alone might not be enough in 2019. Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
Two factor authentication can be hacked. Phishing Attempts That Bypass 2FA are here to stay. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write up about phishing attacks that are bypassing 2FA. If you’re an at risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account as Hackers Bypass Gmail 2FA at Scale. Although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message. Some users likely need to switch to a more robust methods.
Keep in mind that your phone number can be a key for a hacker to many of your services. You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.
810 Comments
Tomi Engdahl says:
A glitch is breaking all Firefox extensions
https://techcrunch.com/2019/05/03/a-glitch-is-breaking-all-firefox-extensions/?tpcc=ECFB2019
Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working?
You’re not alone, and it’s nothing you did.
Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions.
the sudden failure is due to a code signing certificate built into the browser that expired
Getting extensions back for everyone is going to require Mozilla to issue a patch.
Tomi Engdahl says:
Hacker takes over 29 IoT botnets
https://www.zdnet.com/article/hacker-takes-over-29-iot-botnets/
Hacker “Subby” brute-forces the backends of 29 IoT botnets that were using weak or default credentials
For the past few weeks, a threat actor who goes online by the name of “Subby” has taken over the IoT DDoS botnets of 29 other hackers, ZDNet has learned.
The hacker exploited the fact that some botnet operators had used weak or default credentials to secure the backend panels of their command and control (C&C) servers.
“A large percentage of botnet operators are simply following tutorials which have spread around in the community or are accessible on YouTube to set up their botnet,”
author of the Kepler IoT botnet, who admitted to having built the botnet following a tutorial and using random exploits he downloaded from the ExploitDB website.
Most IoT botnets today are built in a similar manner, by hackers, most of who are teenagers without any technical skills.
Tomi Engdahl says:
https://semiengineering.com/week-in-review-iot-security-auto-43/
AppRiver reports that in a survey of executives at small to medium-size businesses, 55% of the respondents said they would pay a ransom to hackers to retrieve their stolen data. Among professionals at larger SMBs, 74% said they “definitely would pay ransom at almost any price” to get their data back or prevent it from being stolen.
Most SMBs would pay a hacker a ransom to get their stolen data back
https://www.techrepublic.com/article/most-smbs-would-pay-a-hacker-a-ransom-to-get-their-stolen-data-back/
Social media apps and websites are the biggest potential threat vectors to businesses, according to an AppRiver report.
Tomi Engdahl says:
2020 Campaign Staffers Being Trained to Handle Cyber Threats
https://www.securityweek.com/2020-campaign-staffers-being-trained-handle-cyber-threats
While candidates were focused on campaigning in 2016, Russians were carrying out a devastating cyber operation that changed the landscape of American politics, with aftershocks continuing well into Donald Trump’s presidency.
And it all started with the click of a tempting email and a typed-in password.
Whether presidential campaigns have learned from the cyberattacks is a critical question ahead as the 2020 election approaches. Preventing the attacks won’t be easy or cheap.
“If you are the Pentagon or the NSA, you have the most skilled adversaries in the world trying to get in but you also have some of the most skilled people working defense,” said Robby Mook, who ran Hillary Clinton’s campaign in 2016. “Campaigns are facing similar adversaries, and they don’t have similar resources and virtually no expertise.”
Tomi Engdahl says:
Diverse threat factors seen driving cities’ physical, ICT security resilience spending to $335 billion by 2024
https://www.cablinginstall.com/articles/2019/04/abi-cities-resilience-spending-ict.html?cmpid=&utm_source=enl&utm_medium=email&utm_campaign=cim_data_center_newsletter&utm_content=2019-05-06&eid=289644432&bid=2435950
City governments worldwide are becoming increasingly aware of the importance of making their cities able to withstand or recover quickly from a range of predictable and unpredictable disasters and catastrophes, driving global public spending on urban resilience projects from US$97 billion in 2019 to US$335 billion in 2024, according to a new report from ABI Research.
Tomi Engdahl says:
‘Deep fake’ videos that can make anyone say anything worry U.S. intelligence agencies
http://www.fox5ny.com/news/deep-fake-videos-intelligence-agencies
Tomi Engdahl says:
What Does Big Tech Know About You? Basically Everything
BY ANGELA MOSCARITOLO 5 FEB 2019, 10 A.M.
https://uk.pcmag.com/news/119486/what-does-big-tech-know-about-you-basically-everything
Security Baron examined the privacy policies of Facebook, Google, Apple, Twitter, Amazon, and Microsoft and put together a handy infographic showing the types of data each company admits to collecting.
Tomi Engdahl says:
The big dangers of Big Tech: Is it too late for regulation?
https://www.kcrw.com/news/shows/to-the-point/the-big-dangers-of-big-tech-is-it-too-late-for-regulation
Tomi Engdahl says:
Will DDOS Attack Break the Servers…?
https://pentestmag.com/will-ddos-attack-break-the-servers/
Distributed Denial of Service in a Nutshell.
Distributed Denial of Service (DDoS) attacks are designed to interrupt a website’s availability. The objective of a DDoS attack is to prevent legitimate users from accessing a website.
DoS Assault Types
1. Application layer attacks can be either DoS or DDoS threats that seek to overload a server by sending a large number of requests requiring resource-intensive handling and processing.
2. Network layer attacks are almost always DDoS assaults set up to clog the “pipelines” connecting your network. Attack vectors in this category include UDP flood, SYN flood, NTP amplification and DNS amplification attacks, and more.
How do I protect myself?
Protecting against DOS attacks can be pretty simple. Victims can block the attacker’s IP address at firewall or ISP level, depending on the severity of the attack.
Security tools and enterprise products are in exist which can block ICMP or SYN attacks.
DDOS attacks are far harder to guard against, and there are various methods. One of these involve having the ISP trash all incoming traffic to the webserver, legitimate or not. This can help save and secure you client’s personal information.
Other ways are to use SYN cookies or HTTP reverse proxies, depending on the different type of attack.
Tomi Engdahl says:
Escape Cupertino, Return to Redmond! A Hands-On Practical Guide
https://blog.paessler.com/escape-cupertino-return-to-redmond-a-hands-on-practice-guide
Here’s how you get all those cool admin and dev tools like WSL, Chocolatey or OpenSSH running on your Windows 10 machine.
Tomi Engdahl says:
The Mathematics of (Hacking) Passwords
https://www.scientificamerican.com/article/the-mathematics-of-hacking-passwords/
The science and art of password setting and cracking continues to evolve, as does the war between password users and abusers
Tomi Engdahl says:
HacktheBox Irked: Walkthrough
https://thehackingtutorials.com/hackthebox-irked-walkthrough/
Tomi Engdahl says:
The WannaCry Security Legacy and What’s to Come
https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/
May 12 will mark the second anniversary of the WannaCry ransomware cryptoworm attack. It was a troubling time: During the four-day long ordeal, the cryptoworm infected more than 300,000 endpoints among 200,000 separate victims throughout 150 countries. It propagated rapidly through the EternalBlue exploit — an exploit that took advantage of a flaw in Windows’ Server Message Block protocol.
Those who were hit by the WannaCry ransomware found themselves in great pains.
Slower, more cautious approaches to patching quickly gave way to aggressive approaches. Others also examined not only how they protected their data from attack, defensively, but made certain that it was also recoverable. Additionally, many organizations upped their employee security awareness training investment so that fewer employees would be susceptible to clicking on a phishing link.
These are all good and necessary steps: But will they be enough to defend against future attacks? Before answering that, let’s take a look at how malware has evolved over the years:
Experimental: The first wave of malware, such as the Creeper Worm and the ANIMAL Trojan were experimental. That is, they were designed to propagate, and the damage they wrought (if any) was incidental to their propagation.
Destructive: Over time, malware authors were no longer satisfied with simply creating malware that propagated successfully. It had to do something. Unfortunately, that something became increasingly destructive. The PC-Write Trojan, released in 1986, was a malware that once installed erased users files. While this was a malicious act, there wasn’t any personal financial gain sought by the malware authors.
Disruptive: The next generation of malware was more “disruptive” attacks. These included worms, such as Code Red, Sasser and Blaster. These worm outbreaks disrupted business and aggravated users. These attacks, also, were not meant to be monetized by the malware writers.
Mass Ransomware: With the next generation of malware came the weaponization of attacks into full-fledged profit centers, such as WannaCry. These ransomware attacks cast a wide net, were intended to be monetized and left a deep, broad impact. To borrow a military analogy, these attacks are more carpet bombing than strategic strikes.
User Targeted/Stealthy Malware: In the current generation of malware, we are seeing more targeted attacks — strategic strikes if you will. And by targeted, I mean down to the single user. These attacks are quite the opposite of the earlier generations of attacks — they don’t want to be noticed at all. These attacks, when successful, are therefore far less noisy and are far more difficult to spot. They are typically meant to gain access for snooping and stealing valuable intellectual property or other regulated data.
What does this mean for the future of security?
Tomi Engdahl says:
Who’s Afraid of the Dark? Hype Versus Reality on the Dark Web
https://www.recordedfuture.com/dark-web-reality/
The collection of onion sites that is sometimes called the dark web is often portrayed as a vast and mysterious part of the internet. In reality, the number of onion sites is tiny compared to the size of the surface web. Our count of live reachable onion site domains comes to less than 0.005% of the number of surface-web site domains. Out of about 55,000 onion domains that we found, only around 8,400 onion domains had a live site (15%). The popular iceberg metaphor that describes the relationship of the surface web and dark web is upside down.
These onion sites are disorganized and unreliable. Scams are prevalent
We observed that 86% of onion sites have English as their primary language, with the next two most common being Russian with 2.8% and German with 1.6%.
The idea of a dark web that is hidden and mysterious is more likely an extrapolation of a tiny portion of these onion sites — a set of invitation-only and unpublicized communities buried in the most shadowy corners of this part of the internet. On the surface web, popular websites will attract inbound link counts in the millions or more.
Tomi Engdahl says:
Securing satellites: The new space race
https://www.helpnetsecurity.com/2019/05/09/securing-satellites/
A decade ago, it would have cost you a billion dollars to deploy a satellite into space. Fast forward ten years and you can now have your own personal satellite floating in orbit for around $50,000. 3D printed Rocket Labs, SpaceX and others have revolutionized and industrialized the Space Race.
To date more than 1000 CubeSats have been successfully deployed in orbit by universities, private companies and others for a variety of tasks including Earth observation, weather monitoring, radio transponder communications, biological experiments, and interplanetary missions, among others.
But for all the benefits of CubeSat and the various successes of the individual satellite missions, there are also reasons for concern.
Satellites are vulnerable
Satellites are basically very expensive IoT devices. Unfortunately, like IoT devices here on the ground, they suffer from a lack of security and are vulnerable to being hacked and compromised. Typically, satellite engineers aren’t thinking about security, resulting in glaring vulnerabilities. There are no mandated security standards that must be met before a satellite is launched.
Many satellites run on Linux and communicate over commonly hacked channels including VHF, UHF and S Band. Some satellite communication transmissions are not encrypted. This lack of security is leaving the door wide open for a potential satellite attack.
Securing satellites
So how do we better secure our satellites? That question is currently up for debate. It obviously begins when the satellite is being built. Security can no longer be an afterthought.
Modernizing communication between the ground and satellites must be addressed. The use of encryption is gaining traction and some have even called for a “No Encryption, No Fly” rule to be adopted.
One thing is for certain: the escalating risks surrounding satellite vulnerabilities are simply too great to ignore any longer.
Tomi Engdahl says:
Types of backup and five backup mistakes to avoid
What are the main types of backup operations and how can you avoid the sinking feeling that comes with the realization that you may not get your data back?
https://www.welivesecurity.com/2019/05/10/types-backup-mistakes-avoid/
Tomi Engdahl says:
How scammers made ad fraud a billion-dollar criminal industry
https://www.cyberscoop.com/how-scammers-made-ad-fraud-a-billion-dollar-criminal-industry/
Whoever came up with “thieves rob banks because that’s where all the money is” needs to add “digital advertising” to the updated version of the adage.
Criminals simply don’t need to go through all the trouble of stealing money from well-fortified financial institutions when they can just trick advertisers into directly lining their pockets. With internet ad revenue totaling more than $100 billion in 2018, scammers are following that line of money: ad fraud is set to cost the industry as much as $44 billion annually by 2022.
But the problem has ramifications for more than just the digital advertising market.
Tomi Engdahl says:
Analysis Report (AR19-133A)
Microsoft Office 365 Security Observations
https://www.us-cert.gov/ncas/analysis-reports/AR19-133A
As the number of organizations migrating email services to Microsoft Office 365 (O365) and other cloud services increases, the use of third-party companies that move organizations to the cloud is also increasing. Organizations and their third-party partners need to be aware of the risks involved in transitioning to O365 and other cloud services.
This Analysis Report provides information on these risks as well as on cloud services configuration vulnerabilities; this report also includes recommendations for mitigating these risks and vulnerabilities.
Tomi Engdahl says:
Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today
https://blogs.cisco.com/security/practical-ways-to-reduce-ransomware-impact-actions-you-can-take-today
Tomi Engdahl says:
ThreatList: Top 5 Most Dangerous Attachment Types
https://threatpost.com/threatlist-top-5-most-dangerous-attachment-types/144635/
From ZIP attachments spreading Gandcrab, to DOC files distributing Trickbot, researchers tracked five widescale spam campaigns in 2019 that have made use of malicious attachments.
ZIP Files Spreading GandCrab
DOC/XLSM Files Delivering Trickbot
PDF Files Used in Amex Phishing
PDF Files Used For ‘Winner Scam’
ISO and IMG Delivering AgentTesla
Spam Campaigns Evolving
Spam campaigns continue to adopt new tactics that make them harder to spot – and the usage of new types of attachments, such as the ISO image file described above – only makes it easier for attackers to deceive their victims.
Tomi Engdahl says:
Verizon Data Breach Report: Espionage, C-Suite and Cloud Attacks on the Rise
https://threatpost.com/verizon-dbir-espionage-c-suite-cloud/144486/
Cloud misconfigurations, business email compromise (BEC) and intellectual property theft are all up in the Verizon DBIR 2019 from last year.
Tomi Engdahl says:
An Ode to CISOs: How Real-World Risks Became Cyber Threats
https://www.securityweek.com/ode-cisos-how-real-world-risks-became-cyber-threats
the most significant threats facing organizations across every sector are now virtual. That’s according to the World Economic Forum’s 2019 Global Risks Report, which named cyber-attack the greatest non-environmental danger to mankind, ahead of even war and terrorism. Advanced cyber-criminals have already managed to disrupt the Ukrainian power grid, attempt to impact the U.S. presidential election, and cost the global business community billions of dollars. By launching novel attacks on a daily basis, these criminals are consistently bypassing legacy security tools that use predefined rules and signatures to detect only ‘known’ threats.
As a consequence, it is, in fact, the CISO who most directly safeguards an organization’s future. However, like a king without a castle, most CISOs lack the security tools necessary to ensure their firms can embrace this future with confidence. With once-physical business concerns rapidly migrating into the CISO’s online domain, organizations must support these CISOs by adopting new approaches — such as AI cyber defenses — that can keep pace. Here are just a few reasons why CISOs across every industry are being impacted
http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf
Tomi Engdahl says:
Exploit kits: spring 2019 review
https://blog.malwarebytes.com/threat-analysis/2019/05/exploit-kits-spring-2019-review/
Tomi Engdahl says:
Spam and phishing in Q1 2019
https://securelist.com/spam-and-phishing-in-q1-2019/90795/
Tomi Engdahl says:
Two Ransomware Recovery Firms Typically Pay Hackers
https://www.darkreading.com/endpoint/two-ransomware-recovery-firms-typically-pay-hackers/d/d-id/1334721
Companies promising the safe return of data sans ransom payment secretly pass Bitcoin to attackers and charge clients added fees.
Tomi Engdahl says:
Tips for Building a Physical Security Plan for Corporate Events
https://www.flashpoint-intel.com/blog/tips-for-building-a-physical-security-plan-for-corporate-events/
Ensuring the safety and success of a corporate event starts with a physical security plan. Regardless of whether the event is an internal function or public gathering, the right plan can make all the difference when it comes to protecting staff, attendees, assets, and infrastructure from unruly guests, criminals, violent protesters, terrorists, and natural disasters, among myriad other threats. Here are some tips for developing an effective physical security plan for your next corporate event
Tomi Engdahl says:
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
https://news.slashdot.org/story/19/05/15/1846237/firms-that-promised-high-tech-ransomware-solutions-almost-always-just-pay-the-hackers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra.
The Trade Secret
https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
Tomi Engdahl says:
Online Privacy is a Myth
https://pentestmag.com/online-privacy-is-a-myth/
“Is there one myth that you could debunk in cybersecurity?”.
about to sound like a conspiracy theorist…trust me I’m not.
Privacy in today’s world is 100% a myth.
Your communications travel across the open air. Some are encrypted and some are not. This has been happening for a really really long time.
Just because the Fed have rules, doesn’t mean others do. Capturing SIGINT, (Signals intelligence) is not a difficult task with the right equipment. The conversations that you think are private are not private.
Everything you say anywhere can be collected, and can be used to track, stalk, steal, and monitor your activity.
Your Email is Not A Safe Place
Your GPS is Tracking you…Always
Try this one out at home. Open google maps, select a destination and hit go.
Your Browsing History Can’t be Cleared
This one is scary.
Your browsing history is linked to your identity and is nearly never private, even when you’ve gone incognito.
Your IOT Devices Are Cheating On You
Having IOT devices in your apartment administered by other “people” provides third party access to private information such as when you sleep, when you’re away, and when your children might be home alone.
https://www.linkedin.com/pulse/online-privacy-myth-david-evenden
Tomi Engdahl says:
http://www.bbc.com/future/story/20190514-the-global-internet-is-disintegrating-what-comes-next
Russia is the latest country to try to find ways to police its online borders, sparking the end of the internet as we know it.
“This is different,” says Robert Morgus, a senior cybersecurity analyst at the New America Foundation. “Russia’s ambitions are to go further than anyone with the possible exceptions of North Korea and Iran in fracturing the global internet.”
Russia’s approach is a glimpse into the future of internet sovereignty. Today, the countries pursuing digital “Westphalianism” are no longer just the usual authoritarian suspects, and they are doing so at deeper levels than ever before. Their project is aided as much by advances in technology as by growing global misgivings about whether the open internet was ever such a good idea to start with. The new methods raise the possibility not only of countries pulling up their own drawbridges, but of alliances between like-minded countries building on these architectures to establish a parallel internet.
What’s wrong with the open internet?
It’s well known that some countries are unhappy with the Western coalition that has traditionally held sway over internet governance. It’s not just the philosophies espoused by the West that troubles them, but the way those philosophies were baked into the very architecture of the internet, which is rather famously engineered to ensure no one can prevent anyone from sending anything to anyone.
Tomi Engdahl says:
NGOs and academics warn against Deep Packet Inspection
https://edri.org/ngos-and-academics-warn-against-deep-packet-inspection/
Today, on 15 May 2019, European Digital Rights, together with 45 NGOs, academics and companies from 15 countries sent an open letter to European policymakers and regulators warning against the widespread use of privacy-invasive Deep Packet Inspection (DPI) technology in the EU. The letter addresses the ongoing negotiations of Europe’s new net neutrality rules, in which some telecom regulators appear to be pushing for the legalisation of DPI technology.
Tomi Engdahl says:
Program smart devices with a ‘magic wand’
https://blog.arduino.cc/2019/05/15/program-smart-devices-with-a-magic-wand/
Tomi Engdahl says:
A guide to HTTP security headers for better web browser security
https://blog.detectify.com/2019/02/05/guide-http-security-headers-for-better-web-browser-security/
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
IBM report attributes a 95% decline in attacks caused by hacktivist groups since 2015 to the disintegration of Anonymous and sustained law enforcement crackdown
Hacktivist attacks dropped by 95% since 2015
https://www.zdnet.com/article/hacktivist-attacks-dropped-by-95-since-2015/
Hacktivist scene collapses as Anonymous hacker collective dies a slow death.
Tomi Engdahl says:
Famous DDoS Attacks | The Largest DDoS Attacks Of All Time
https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/
Some of the biggest DDoS attacks have made major tech headlines.
Tomi Engdahl says:
A Former Hacker Shares the Most Twisted Things He Did
https://www.vice.com/en_au/article/xw7km4/a-former-hacker-shares-the-most-twisted-things-he-did?utm_source=vicefbus
By 2006, he was on America’s most wanted list. Today, Brett Johnson protects others from the crimes he helped pioneer.
Tomi Engdahl says:
Evaluating threat intelligence sources
https://www.kaspersky.com/blog/evaluating-threat-intelligence/26952/
A new approach is needed
With enterprises increasingly falling victim to advanced and targeted attacks, it’s clear that a successful defense requires new methods. To protect themselves, businesses need to take a proactive approach, constantly adapting their security controls to the ever-changing threat environment. The only way to keep up with these changes is to build an effective threat intelligence program.
Threat intelligence has already become a key component of security operations established by companies of varying sizes across all industries and geographies. Provided in human-readable and machine-readable formats, threat intelligence can support security teams with meaningful information throughout the incident management cycle and inform strategic decision-making.
Tomi Engdahl says:
Hacktivist Attacks Declined 95 Percent Since 2015: IBM
https://www.securityweek.com/hacktivist-attacks-declined-95-percent-2015-ibm
The number of hacktivist attacks that resulted in quantifiable damage to the victim has declined by 95 percent since 2015, according to IBM.
Tomi Engdahl says:
Tenable Updates Free Vulnerability Assessment Solution
https://www.securityweek.com/tenable-updates-free-vulnerability-assessment-solution
Tenable this week announced Nessus Essentials, an expanded version of its free vulnerability assessment solution previously known as Nessus Home.
The tool is targeted to students, professors, and enthusiasts starting their careers in cyber-security, to help them learn about vulnerability assessments.
https://www.tenable.com/products/nessus/nessus-essentials
Tomi Engdahl says:
BLUETOOTH’S COMPLEXITY HAS BECOME A SECURITY RISK
https://www.wired.com/story/bluetooth-complex-security-risk/
BLUETOOTH IS THE invisible glue that binds devices together. Which means that when it has bugs, it affects everything from iPhones and Android devices, to scooters, and even physical authentication keys used to secure other accounts. The order of magnitude can be stunning: The BlueBorne flaw, first disclosed in September 2017, impacted five billion PCs, phones, and IoT units.
As with any computing standard, there’s always the possibility of vulnerabilities in the actual code of the Bluetooth protocol itself, or in its lighter-weight sibling Bluetooth Low Energy. But security researchers say that the big reason Bluetooth bugs come up has more to do with sheer scale of the written standard, development of which is facilitated by the consortium known as the Bluetooth Special Interest Group. Bluetooth offers so many options for deployment that developers don’t necessarily have full mastery of the available choices—which can result in faulty implementations.
Tomi Engdahl says:
Days before elections, EU approves new cyber sanctions regime
https://www.reuters.com/article/us-eu-cyber/days-before-elections-eu-approves-new-cyber-sanctions-regime-idUSKCN1SN1FQ
The European Union will directly penalize computer hackers after governments agreed on Friday a new mechanism to target individuals anywhere in the world, freezing their assets in the bloc and banning them from entry.
The new powers follow a diplomatic push by Britain and the Netherlands — overcoming initial reluctance from Italy — to allow the 28-country bloc to move more quickly against malign cyber attacks that can bring down crucial infrastructure.
“This is decisive action to deter future cyber attacks,” British Foreign Secretary Jeremy Hunt said in a statement.
Tomi Engdahl says:
New research: How effective is basic account hygiene at preventing hijacking
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
Every day, we protect users from hundreds of thousands of account hijacking attempts. Most attacks stem from automated bots with access to third-party password breaches, but we also see phishing and targeted attacks. Earlier this year, we suggested how just five simple steps like adding a recovery phone number can help keep you safe, but we wanted to prove it in practice.
Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.
Google’s automatic, proactive hijacking protection We provide an automatic, proactive layer of security to better protect all our users against account hijacking. Here’s how it works: if we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. This proof might be confirming you have access to a trusted phone or answering a question where only you know the correct response. If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.
Tomi Engdahl says:
Microsoft Confirms Big Password Change For Cloud Users
https://www.forbes.com/sites/daveywinder/2019/05/16/microsoft-confirms-big-password-change-for-cloud-users/#1939bc3c6ac4
Microsoft has finally come to the conclusion that, as far as passwords are concerned, size really does matter after all.
Microsoft’s Identity Division, has announced a long-overdue and very big change in password policy for cloud user accounts in Azure AD. How big? How does 256 characters sound? This comes hot on the heels of Microsoft confirming it intends to replace passwords altogether for Windows 10 users and the scrapping of periodic password expiration within Windows 10 security baseline settings.
“Many of you have been reminding us that we still have a 16-character password limit for accounts created in Azure AD,” Simons says, “while our on-premises Windows AD allows longer passwords and passphrases, we previously didn’t have support for this for cloud user accounts in Azure AD.”
Tomi Engdahl says:
How Decoding Network Traffic Can Save Your Data Bacon
https://threatpost.com/how-decoding-network-traffic-can-save-your-data-bacon/144845/
Here are four things the network sees that could indicate an attack:
Network users attempting to access system they have never historically accessed before
Suspiciously small amounts of traffic going to the same location regularly over a long period of time (this is how the Sony Entertainment breach happened)
Irregular DNS queries in large quantities indicate a Domain Generation Algorithm may be in use by malware or ransomware
Communication to business-critical servers by IoT devices connected on the corporate network
The Network as The Source of Knowledge
With the network leveraged as the most in-depth source of data, it has the perfect capacity to monitor and collect the data taking place across the network. When user behaviors change, the network sees it. The network can also detect when large amounts of data are being taken in large-scale data exfiltration attacks. But attackers don’t steal terabytes of data all at once; instead, they steal small pieces at a time, and these low-and-slow types of attacks often don’t show up on the radar for most intrusion prevention and detection systems. These systems aren’t looking for small amounts of data leaving the network, and as weeks and months go by, more and more data is slowly smuggled out.
Network traffic analytics lets organizations see these types of attacks from inception and alerts businesses to compromise. Additionally, it allows companies and threat hunters alike to leverage the network not only as the heart of the corporate environment, but also as a defensive mechanism as well.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9491-rikollisuus-jyllaa-avoimesti-tor-verkossa
Understanding the Usage of Anonymous Onion Services: Empirical Experiments to Study Criminal Activities in the Tor Network
https://tutcris.tut.fi/portal/en/publications/understanding-the-usage-of-anonymous-onion-services(4ed22610-1fce-4683-8436-3e6281c3b2e2).html
Tomi Engdahl says:
https://www.msspalert.com/cybersecurity-guests/tuning-tips-for-alert-fatigue/
Alert fatigue is a real problem in security operations center (SOC) analysts and managed security services providers (MSSPs). This can set in at the worst time, when an analyst checks their tools and sees yet another event, or even another 50-100 events, after they just checked. They click through events looking for the smallest reason they can find to dismiss the event so they won’t need to escalate, or further investigate, the issue.
They’ve been through this before, they can see where the real problems are, and they just want to get rid of these events and continue getting other work done. Unfortunately, as many know, one innocent looking event could put you on the trail of a bad actor in the environment. Each event must be investigated thoroughly to make sure that there is no evidence of an incident.
There are also many articles currently about alert fatigue within cybersecurity. An article from Tripwire describes alert fatigue as a combination of too many false positives as well as a reason to raise the security awareness of your organization. Another article from CSO notes that a large number of organizations deal with too many false positives that overload their analysts. This article goes a step further and advises on several steps that can be taken to help reduce the risk of alert fatigue. These are definitely good steps to help your organization improve its ability to respond to alerts and reduce analyst workload. I recommend reading through and seeing what can be done.
Tuning
I would also add one more step: tuning. This seems obvious, but it is often overlooked. Let me first tell you what I mean by tuning. Tuning is a combination of reducing false positives, working with alerts, and correlating events and trends to ensure greater accuracy. Each of these helps the analyst by refining alerts being looked into. Tuning needs to be a balanced approach that will reduce the number of unnecessary events received and ensure that there are no blind spots an attacker can take advantage of to slip by unnoticed.
What Alerts Do You Care About?
That involves knowing:
where sensitive information is located
how it can be accessed, how it should be accessed (two very different things)
who has access
what traffic is normal on the network
what should be on the endpoints, (the security baseline for endpoints)
and many other variables
Baseline Defines “Normal”
Our baseline gives us what is normal. However, we do not want to alert on something just because it deviates from the baseline. There are many events that will create a deviation that are not malicious in nature. We want alerts that are malicious and are causing a deviation. A dropper was successful, a computer seems to be sending encrypted data through an unapproved channel, etc.
Tomi Engdahl says:
Do DDoS attacks originate from Cloud Service Providers?
https://blogs.akamai.com/2019/05/do-ddos-attacks-originate-from-cloud-service-providers.html
Cloud service providers (CSPs) continue to power a growing portion of the greater Internet. According to Cisco, by 2021, 73 percent of cloud workloads are going to be CSP based, which reflects a compound annual growth rate of 27.5 percent from 2016 to 2021.
Unfortunately, CSPs are vulnerable to both Account Takeover (ATO) attacks and free account trial abuses that nefarious botnets exploit to their advantage. Akamai sees in upwards of 30 DDoS attacks per day with CSPs amongst the top traffic sourced ASNs.
The reasons CSPs are gaining traction as an attack source are for the same reasons legitimate businesses look towards them for assistance – they have capacity, flexibility, and an on-demand availability. While they are also affordable, criminals often avoid paying by taking advantage of free trials or hijacking legitimate accounts for their own use.
CSPs account for a significant amount of DDoS traffic
CSPs only account for a small number of the AS sources Akamai Prolexic has been seeing in a given month. While we don’t see many CSPs, when we do, they account for a large amount of traffic across the network, and that traffic is more likely to be involved in DDOS attacks.
And these numbers don’t account for indirect reflectors…
It is important to note that reflection-based DDoS attacks (DNS Reflection, NTP Reflection, CLDAP Reflection, etc.) remain popular with attackers, but in our research we only measure the attacks that were sourced from CSP IPs.
Gaming Industry Particularly Targeted
CSP Peering Isn’t Without Its Risks
Customers that have peering arrangements with CPSs face a significant level DDoS exposure. While it’s true customers with peering arrangements are not at a greater risk than anyone else, the fact is upstream providers and DDoS mitigation specialists, like Akamai Routed Prolexic services, are not in path to protect them creates a noticeable attack surface.
Without active monitoring, alerting, and expert threat researchers to analyze and process attack notifications, these businesses are significantly exposed, because there is no mechanism to proactively mitigate or even notify them.
Tomi Engdahl says:
5 travel security tips for the slightly paranoid
https://www.kaspersky.com/blog/travel-security-five-tips/26964/
1. Never leave your belongings unattended
2. Make sure your devices are encrypted
3. Learn how to find bugs and hidden cameras and fool them
4. Know how to spot a dual-view mirror
5. Use wired mouse and keyboard
Tomi Engdahl says:
DNS Flag Day 2020: DNS servers must support both UDP and TCP queries
Industry group wants to make DNS over TCP support mandatory.
https://www.zdnet.com/article/dns-flag-day-2020-dns-servers-must-support-both-udp-and-tcp-queries/
An industry group of the world’s biggest DNS service providers has agreed on a plan to improve the state of the DNS ecosystem by forcing certain configuration changes upon the smaller server operators that are affecting the speed and performance of the entire internet.
According to this group, starting with February 1, 2020, DNS servers that can’t handle DNS queries over both UDP and TCP may be pushed out of the DNS ecosystem and stop working.
The idea is to get DNS server operators to update their server software and configurations and ensure their servers can handle DNS queries received as either UDP or TCP packets.
DNS Flag Day 2019 — first edition
This concerted industry push is part of a new event called DNS Flag Day, which had its first edition this year, on February 1, 2019.
During this first DNS Flag Day, participants pledged to roll out support for the Extensions to DNS (EDNS) protocol on their DNS servers and lock out any communications with servers that did not run DNS resolvers that were also EDNS compliant.
DNS Flag Day 2020
Now, the same industry group has met again and agreed on a new DNS Flag Day program for next year, and they’ve decided on pushing the entire ecosystem towards enabling support for DNS over TCP.
A 2017 statistic showed that only 3% of all DNS queries were sent via TCP, and the rest being handled via the more insecure UDP protocol.
More DNS Flag Days to come
With DNS Flag Day 2019 being a resounding success, this industry group now plans to hold a similar push every year and slowly force companies to move away from old software or bad configurations.
Tomi Engdahl says:
Security Tip (ST19-002)
Best Practices for Securing Election Systems
https://www.us-cert.gov/ncas/tips/ST19-002
Software and Patch Management
Implementing an enterprise-wide software and patch management program reduces the likelihood of an organization experiencing significant cybersecurity incidents
Log Management
Retaining and adequately securing logs from both network devices and local hosts supports triage and remediation of cybersecurity events. An organization can analyze the logs to determine the impact of cybersecurity events and ascertain whether an incident has occurred.
Centralized Log Management
Organizations should set up centralized log management:
Forward logs from local hosts to a centralized log management server—often referred to as a security information and event management (SIEM) tool. CISA has observed threat actors attempting to delete local logs to remove on-site evidence of their activities. By sending logs to a SIEM tool, an organization can reduce the likelihood of malicious log deletion.
Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.
Review both centralized and local log management policies to maximize efficiency and retain historical data. CISA recommends that organizations retain critical logs for a minimum of one year, if possible.
Network Segmentation
Organizations can limit the impact of a cybersecurity incident by enforcing network segmentation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network.
Block Suspicious Activity
Many organizations set their security devices to alert on suspicious activity instead of blocking it. When an organization does not block suspicious activity by default, it increases the likelihood of adverse events that allow an adversary to compromise IT resources.
Credential Management
Managing passwords and using strong passwords are important steps in preventing unauthorized access to databases, applications, and other election infrastructure assets. Multi-factor authentication (MFA), in particular, can help prevent adversaries from gaining access to an organization’s assets even if passwords are compromised through phishing attacks or other means.
Establish a Baseline for Host and Network Activity
An organization’s IT personnel are critical in determining what is and is not normal and expected host or network activity. With the appropriate tools, IT personnel are well positioned to determine whether observed anomalous activity warrants further investigation
Network Baseline
Specific metrics should include expected bandwidth usage for
The organization,
Each user (if possible),
Remote access,
Ports,
Protocols, and
File types.
Organizations should consider variables such as the time of day traffic occurs, i.e., remote access is more suspicious occurring at 1 a.m. than during standard business hours.
Including additional metrics—such as the destination of network traffic and the destination Internet Protocol (IP) address’s geographic location—establishes a more detailed baseline.
Once a baseline is established, an organization should review the results to determine if they align with industry best practices. (See Handbook for Elections Infrastructure Security.)
Organizations should compare their baseline traffic with the rules from their boundary firewalls to ensure that the rules are acting as intended and align with industry best practices.
Notice and Consent Banners for Computer Systems
This section identifies recommended elements in computing system notice and consent banners and provides an example banner.
Tomi Engdahl says:
Playing Cat and Mouse: Three Techniques Abused to Avoid Detection
https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/
During our analysis we constantly run into the tricks cyber-attackers use to bypass companies security defences, sometimes advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help the cyber criminals to get into victim computers and penetrate company networks.