Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome will also attempt to “upgrade” to the HTTPS version of a website if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP in the Chrome browser.

Malvertising: Cyber criminals will keep impersonating brands through search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. According to the WatchGuard Threat Lab report, over 85% of attacks hide in encrypted channels, and the top threat arrived exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a highly or critically severe vulnerability. Read more in Misconfigurations, Vulnerabilities Found in 95% of Applications.
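
As an added example, not code from the original post or from the report it cites, here is a small Python audit that flags the kind of missing or weak security headers the paragraph refers to. The header set, the one-year HSTS threshold and the disclosure-header list are this example's own policy choices, and the two sample responses are constructed, not captured from any real site.

```python
import re
import urllib.request
from typing import Dict, List

# Minimum HSTS max-age this example accepts: one year in seconds (policy choice).
HSTS_MIN_MAX_AGE = 31536000


def hsts_ok(value: str) -> bool:
    """HSTS only counts if max-age is present and at least one year."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= HSTS_MIN_MAX_AGE


# Header name -> predicate deciding whether the value is acceptable.
# This header set and these checks are the example's policy, not from the article.
REQUIRED_HEADERS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip() != "",
}

# Headers that leak implementation details and should be removed or blanked.
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTP response: 'missing: ', 'weak: ' or 'disclosure: ' entries."""
    normalized = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in REQUIRED_HEADERS.items():
        value = normalized.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif not check(value):
            findings.append(f"weak: {name}: {value}")
    for name in DISCLOSURE_HEADERS:
        if normalized.get(name, "").strip():
            findings.append(f"disclosure: {name}: {normalized[name]}")
    return findings


def audit_url(url: str) -> List[str]:
    """Fetch a URL with HEAD and audit its response headers (needs network access)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return audit_headers(dict(response.headers.items()))


# Constructed sample responses for offline use (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}

GOOD_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit_headers(headers) or ["no findings"])
```

The weak sample yields six findings (a too-short HSTS max-age, three missing headers, a non-standard X-Frame-Options value and a Server banner); the good sample yields none. Run it against your own hosts with audit_url and treat every finding as a ticket, not a warning to ignore.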

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. Many companies do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variants of old vulnerabilities are also being developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments and individuals alike. Lack of knowledge, poor upkeep of employees’ skills and indifference are the strongest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: At a hyperscale cloud provider there can be several thousand people working around the globe who could potentially access your data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
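
As an added example (not part of the original post), the pattern described above is visible in identity-provider logs: the Python below keeps a sliding window of MFA push events per user and raises an alert when an approval arrives after several denied or timed-out prompts. The log format, the field names, the users and the log lines are constructed for this example; adapt LINE_RE to your IdP's export format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample of an identity provider's MFA push log. Format and values
# are made up for this example; real IdP logs differ, so adjust LINE_RE.
LOG_LINES = """\
2023-01-10T08:00:01Z user=alice event=mfa_push result=denied ip=203.0.113.5
2023-01-10T08:00:31Z user=alice event=mfa_push result=denied ip=203.0.113.5
2023-01-10T08:01:02Z user=alice event=mfa_push result=timeout ip=203.0.113.5
2023-01-10T08:01:40Z user=alice event=mfa_push result=denied ip=203.0.113.5
2023-01-10T08:02:15Z user=alice event=mfa_push result=approved ip=203.0.113.5
2023-01-10T08:05:00Z user=bob event=mfa_push result=approved ip=198.51.100.7
2023-01-10T09:30:00Z user=carol event=mfa_push result=denied ip=198.51.100.9
2023-01-10T14:30:00Z user=carol event=mfa_push result=approved ip=198.51.100.9
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+)"
)
NOT_APPROVED = {"denied", "timeout"}


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Extract (timestamp, user, result) from one log line; None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["result"]


def detect_mfa_fatigue(lines: List[str],
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 3) -> List[Dict[str, object]]:
    """Flag an approval that follows `threshold` or more denied/timed-out pushes
    to the same user within `window`: the signature of a user giving in to a prompt storm."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result = parsed
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if result == "approved":
            prior = sum(1 for _, r in q if r in NOT_APPROVED)
            if prior >= threshold:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "prior_prompts": prior})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(LOG_LINES):
        print(f"possible MFA fatigue: {alert}")
```

On the sample, only alice is flagged: four unanswered prompts in two minutes followed by an approval. bob's single approval and carol's denial five hours before her approval fall outside the pattern. Approvals are the high-fidelity signal; a burst of denials with no approval is still worth a lower-severity alert and a call to the user, and number matching on the authenticator removes the attack's lever at the source.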

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use it if it leaks out for some reason. The reason is that a comma in a password can garble tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
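
As an added illustration (not from the original post), the Python below shows what the comma actually does: a script that splits leaked rows on commas mangles the record, while any quoting-aware CSV writer and reader recovers it unchanged, so the trick only holds against careless handling of the dump. The credential pairs are constructed for this example.

```python
import csv
import io
from typing import List, Sequence, Tuple

# Constructed credential pairs (not real accounts); alice's password contains commas.
ROWS: Sequence[Tuple[str, str]] = [
    ("alice@example.com", "correct,horse,battery"),
    ("bob@example.com", "Tr0ub4dor&3"),
]


def naive_dump(rows: Sequence[Tuple[str, str]]) -> str:
    """Join fields with commas and no quoting, as a careless script would."""
    return "\n".join(f"{user},{password}" for user, password in rows)


def naive_parse(dump: str) -> List[List[str]]:
    """Split every line on commas, as a careless script would."""
    return [line.split(",") for line in dump.splitlines()]


def proper_dump(rows: Sequence[Tuple[str, str]]) -> str:
    """RFC 4180 style output: a field containing the delimiter is quoted."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def proper_parse(dump: str) -> List[List[str]]:
    """A quoting-aware reader recovers the original fields."""
    return list(csv.reader(io.StringIO(dump)))


if __name__ == "__main__":
    print("naive:  ", naive_parse(naive_dump(ROWS))[0])    # four fields, password split
    print("proper: ", proper_parse(proper_dump(ROWS))[0])  # two fields, intact
```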

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors will fall under the legislation. The report Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards? looks at how the NIS Directive has affected operators’ cybersecurity budgets over the past year, with deep-dives into the energy and health sectors.

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is close to optimal security practice in 2023. It suits new systems built around its model, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. It securely automates the exchange of user identities between cloud applications, diverse networks and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail, with the long-awaited client-side encryption for Gmail now available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: The AWS Elastic IP transfer feature gives cyberattackers free range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets also in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all free public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
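
As an added example of the idea behind secret scanning (this is not GitHub's scanner or its rule set), the Python below applies a few regular expressions to file content and reports redacted hits with their line numbers; it is the kind of check that belongs in a pre-commit hook or a CI job so a credential never reaches a public repository in the first place. The AWS and GitHub token shapes are the publicly documented formats; the generic credential rule, the redaction scheme, the sample file and its values are constructed for this example (AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS's own documentation, and the GitHub token is a dummy of the right length).

```python
import re
from typing import Dict, List

# Detection rules: name -> compiled pattern. The AWS and GitHub patterns follow the
# publicly documented token shapes; the generic rule catches a quoted literal
# assigned to a suspicious variable name. Tune both to your own code base.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def redact(secret: str) -> str:
    """Keep a short prefix for triage and mask the rest so the report itself is safe to share."""
    keep = min(6, len(secret) // 2)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit, with the matched value redacted."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"line": lineno, "rule": rule, "value": redact(secret)})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan one file on disk; binary junk is tolerated via errors='replace'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample file content. AKIAIOSFODNN7EXAMPLE is the placeholder key ID
# from AWS's documentation; the GitHub token is a dummy of the documented length.
SAMPLE_FILE = "\n".join([
    "# config.py (constructed sample)",
    'DB_HOST = "db.internal"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'GITHUB_TOKEN = "ghp_' + "A" * 36 + '"',
    'API_KEY = os.environ["API_KEY"]  # fine: read from the environment at runtime',
    'password = "correct-horse-battery-staple"',
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(f"line {finding['line']}: {finding['rule']} -> {finding['value']}")
```

The sample produces three findings (lines 3, 4 and 6); the API key read from the environment on line 5 is correctly left alone. A rule set like this trades recall for precision, so pair it with a secret-scanning service that knows many more token formats and, when a hit is real, rotate the credential rather than just rewriting history.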

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST retires the SHA-1 cryptographic algorithm, not fully in 2023, but it starts preparations for the phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for Secure Hash Algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is cloud native security good enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud, of course offer security features and services designed to address significant threats to cloud-based data. In spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because they are at constant risk of failing to perform properly and many companies might not want to hire an ethical hacker.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly that they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the report Policing in the metaverse: what law enforcement needs to know for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed many cryptocurrency-related risks being realized. More “crypto travel rules” will be enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance may become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and they now increasingly name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some insurance policies written in the market already have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

An expert advises using a comma in your password – there is a sound logic behind it (Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka)

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Big gaps remain in companies’ cyber security. Expert: even a question of national security (Yritysten kyberturvassa edelleen isoja aukkoja. Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta)

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 approved – stricter cyber security requirements for EU countries (NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset)

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldn’t Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals (Kyberturvan ammattilaisista on huutava pula)

Is Enterprise VPN on Life Support or Ripe for Reinvention?


1,768 Comments

  1. Tomi Engdahl says:

    Companies do not detect or resolve cyber threats fast enough
    https://etn.fi/index.php/13-news/14684-yritykset-eivaet-havaitse-eivaetkae-ratkaise-kyberuhkia-riittaevaen-nopeasti

    Security company Palo Alto Networks has published its new The State of Cloud Native Security 2023 report, for which more than 2,500 senior executives around the world were interviewed. According to the report, 90 percent of companies are unable to resolve threats quickly enough.

    The increase in hybrid work during the pandemic led organizations to expand their use of cloud services by more than 25 percent. As a result, DevOps teams are under pressure to deliver production code at top speed, which makes securing applications more complex and puts pressure on security organizations to keep up.

    As many as 90 percent of the organizations surveyed said they cannot detect, contain and resolve cyber threats within an hour. Most reported weak security and believe they need to improve their underlying operations, such as monitoring of multiple cloud services, more consistent management of different user accounts, and response to and investigation of anomalous events.

    When respondents were asked about the challenges of moving to the cloud, they answered in the same way as in the 2020 report, i.e. the struggle continues with comprehensive security, compliance and technical complexity. A large majority (78%) of organizations reported having distributed responsibility for cloud security to individual teams, but nearly half (47%) said most of their employees do not understand their security responsibilities.

    When more applications are built in the cloud using ready-made software, there is a risk that vulnerabilities in the development process could later compromise the entire application. That is why more and more companies are encouraging deeper engagement between application developers and security tools and teams. As many as 81 percent of respondents said they have security professionals on their DevOps team.

  2. Tomi Engdahl says:

    Europe, America fear Twitter job cuts mean it can’t protect users https://www.theregister.com/2023/03/08/eu_us_regulators_concerned_twitter/
    “While the reasons the EU and the US Federal Trade Commission (FTC) have been DMing with Musk differ slightly, both come down to the same basic concern: Regulators don’t seem confident that Twitter can fulfill its responsibilities to users and the law with so few people steering the ship.”

  3. Tomi Engdahl says:

    OSV and the Vulnerability Life Cycle
    https://security.googleblog.com/2023/03/osv-and-vulnerability-life-cycle.html
    “In 2021, we announced the launch of OSV, a database of open source vulnerabilities built partially from vulnerabilities found through Google’s OSS-Fuzz program. In this blog post, we’ll cover how these tools help maintainers track vulnerabilities from discovery to remediation, and how to use OSV together with other SBOM and VEX standards.”

  4. Tomi Engdahl says:

    Mistakes by Threat Actors Lead to Disruption, Not Just Better Blocking
    https://www.securityweek.com/mistakes-by-threat-actors-lead-to-disruption-not-just-better-blocking/

    Threat actors really only stop when their infrastructure is disrupted and their flow of funds disappears.

    Many CISOs and security professionals respond to threats with the same phrase, “I don’t care who is attacking me, I just want it to stop.” They deploy an array of security tools to better block attacks and they hope the malicious actors will go elsewhere. Does this actually work? Some mature security teams have mature detection and intelligence programs that place a serialized code on the bottom of their SOC and intelligence reports that ultimately accumulate to a dollar loss prevention number. But very few enterprises can actually do this effectively. Threat actors really only stop when their infrastructure is disrupted and their flow of funds disappears, and this normally can only be achieved through the activities of U.S. law enforcement and intelligence agencies and major commercial data hosting providers.

    The national security community requires context to be provided by the private sector. Full context can range from IP of victims and attackers, date/time, registration emails to VPS, phishing emails, victim emails, website hosting information, phone numbers associated with infrastructure, profile names, account names, other emails of attackers, and forum stylometric attributes and content for starters. Historically, service providers have been the source of data for government organizations, but victim organizations often have observations that can also greatly assist in creating a complete picture of an attacker. As proven by major takedowns, adversaries are not infallible. They make mistakes, and the correlation of data across service providers, victims, and the cyber industry is key to ensuring they pay for those mistakes.

    From a service provider perspective, adversary mistakes often consist of using a provider located in the same country, or a close ally, of their targets. This error is becoming less frequent as attackers move to “bullet-proof” hosting for infrastructure. In many cases, the security operations and incident response teams of victims might not even be aware of the mistakes they have uncovered during the course of their investigations. The errors come in many flavors, including:

    Obfuscation Errors

    Regardless of their sophistication, attackers will attempt to hide their true point of presence on the internet.

    Infrastructure Re-use

    Securely obtaining infrastructure is both hard and expensive. For most attackers that are financially motivated, if they can re-use elements of their infrastructure, they can increase their profits.

    Ego

    Behind every attack is a human, and many threat actors have big egos. In addition to monetizing their operations through ransomware, selling stolen data, or disseminating disinformation, some actors like the thrill of a victory. But, they make mistakes that show their hand. In these instances when ego has taken over, attackers feel like they have already won and therefore can be caught when their guard is down.

    Threat actors are concerned about return on investment (ROI) just like any ordinary business. They need a system of repeatability, division of labor, and scale that allows them to maximize margins. With these processes, attackers make mistakes that allow enterprises to understand how to defend better. Threat intelligence and incident response teams should have a flexible “outside the firewall” investigative capability. Such capabilities can scale with a business’ operational tempo and are critical to providing stakeholders with timely and relevant answers to their questions.

    Reply
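    Added example for the "Infrastructure Re-use" point in the article above (editor's illustration, not code from the article): pivot on indicators shared between separate incidents to link them into one candidate campaign, and skip indicators so common (a shared nameserver, a hosting provider's IP) that they would link unrelated victims. The incident observations are constructed from RFC 5737 documentation addresses, .example domains and .invalid mailboxes; the fan-out threshold is an assumption a real team would tune.

```python
# Added example, not the article's code: cluster incidents through re-used infrastructure.
# Observations are constructed (documentation IP ranges, .example / .invalid names).
from collections import defaultdict
from itertools import combinations

INCIDENTS = {
    "INC-1": [("ip", "203.0.113.10"), ("registrant_email", "ops@example.invalid"),
              ("domain", "login-portal.example"), ("nameserver", "ns1.shared-dns.example")],
    "INC-2": [("ip", "198.51.100.7"), ("registrant_email", "ops@example.invalid"),
              ("nameserver", "ns1.shared-dns.example")],
    "INC-3": [("ip", "203.0.113.10"), ("domain", "update-check.example"),
              ("nameserver", "ns1.shared-dns.example")],
    "INC-4": [("ip", "192.0.2.44"), ("registrant_email", "other@example.invalid"),
              ("nameserver", "ns1.shared-dns.example")],
}


def build_index(incidents):
    """Inverted index: (indicator type, value) -> set of incident ids that observed it."""
    index = defaultdict(set)
    for incident_id, observations in incidents.items():
        for kind, value in observations:
            index[(kind, value)].add(incident_id)
    return index


def pivot_edges(incidents, max_fanout=3):
    """{(incident_a, incident_b): [shared indicators]} for every pair that re-uses infrastructure.

    Indicators seen in more than max_fanout incidents (shared DNS, bulk hosting) are not
    attributive and are skipped; the threshold is an assumption for this example.
    """
    edges = defaultdict(list)
    for indicator, incident_ids in build_index(incidents).items():
        if len(incident_ids) < 2 or len(incident_ids) > max_fanout:
            continue
        for a, b in combinations(sorted(incident_ids), 2):
            edges[(a, b)].append(indicator)
    return dict(edges)


def clusters(incidents, max_fanout=3):
    """Connected components over pivot edges; each component is one candidate actor/campaign."""
    parent = {incident_id: incident_id for incident_id in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in pivot_edges(incidents, max_fanout):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for incident_id in incidents:
        groups[find(incident_id)].add(incident_id)
    return sorted((sorted(group) for group in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    for pair, shared in pivot_edges(INCIDENTS).items():
        print(pair, "linked by", shared)
    print("clusters:", clusters(INCIDENTS))
```

    With the default threshold, INC-1, INC-2 and INC-3 collapse into one cluster (a re-used C2 address and a re-used registrant mailbox) while INC-4 stays separate; raising max_fanout to 10 lets the nameserver every incident shares pull INC-4 in too, which is exactly the false link the threshold exists to prevent. The same index is what a victim's IR team can hand to a provider or law enforcement as the "context" the article asks for.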
  5. Tomi Engdahl says:

    Politico:
    TikTok announces Project Clover, its plan to charm European regulators, including keeping more users’ data on servers in Europe and allowing a security audit

    TikTok launches ‘Project Clover’ charm offensive to fend off European bans
    https://www.politico.eu/article/tiktok-pitches-data-security-plan-to-fend-off-european-bans/

    Social media firm sends top executives to European capitals to present data localization plan to assuage security fears.

    Reply
  6. Tomi Engdahl says:

    Lack of resources is the biggest challenge in cyber security
    https://etn.fi/index.php/13-news/14687-resurssien-puute-on-kyberturvan-isoin-haaste

    More and more often one hears news that organizations do not always even detect potential cyber threats. According to Fortinet's country manager Mikael Markkula, new models for how SOC teams operate, and training, are needed so that the shortage of resources and staff can be tackled.

    - Technology alone cannot patch the shortage of cybersecurity skills. We are committed to offering services that provide immediate support, and we are investing in the industry's leading training institute so that the cybersecurity skills gap can be closed. By combining technology, services and training, SOC functions can offer better protection to their organizations, Markkula believes.

    The problem is both serious and acute. According to Fortinet's Cybersecurity Skills Gap report published last year, half of the world's leaders consider cybersecurity positions challenging to fill. In addition, 42 percent of organizations still need cybersecurity analysts. The study also notes that four out of five organizations have suffered at least one security breach because they lacked the necessary cybersecurity skills and understanding.

    Fortinet is accordingly expanding, among other things, its offering of in-depth technical training. The company's goal is to provide cybersecurity training to one million people by 2026. There is demand for training in a field where phenomena such as ChatGPT are challenging old ways of working.

    Comment on the page:
    “This is not a lack of resources but a lack of incentives. Resources will certainly be found if the sanctions for negligence and omissions are raised to a sufficient level. If company management knew that neglecting information security could mean up to ten years in prison, I am quite sure resources would start to appear. It is almost entirely a matter of it being cheaper for companies to pay occasional (and relatively rare) fines than to fulfil their obligations. It is purely the mathematics of probabilities, which decision-makers understand nothing about.”

    Companies neither detect nor resolve cyber threats quickly enough
    https://etn.fi/index.php/13-news/14684-yritykset-eivaet-havaitse-eivaetkae-ratkaise-kyberuhkia-riittaevaen-nopeasti

    Security company Palo Alto Networks has published its new The State of Cloud Native Security 2023 report, for which more than 2,500 senior executives around the world were interviewed. According to the report, 90 percent of companies are unable to resolve threats quickly enough.

    The growth of hybrid work during the pandemic led organizations to expand their use of cloud services by more than 25 percent. As a result, DevOps teams are under pressure to deliver production code at top speed, which makes securing applications more complex and puts pressure on security organizations to keep up.

    As many as 90 percent of the organizations surveyed said they cannot detect, contain and resolve cyber threats within an hour. Most reported weak security and believe they need to improve underlying functions such as monitoring multiple cloud services, more consistent management of different user accounts, and responding to and investigating anomalous events.

    When respondents were asked about the challenges of moving to the cloud, they answered in the same way as in the 2020 report: the struggle with comprehensive security, compliance and technical complexity continues. A large majority (78%) of organizations reported having distributed responsibility for cloud security to individual teams, but nearly half (47%) said that most of their employees do not understand their security responsibilities.

    Reply
  7. Tomi Engdahl says:

    Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears
    More than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information.
    https://www.darkreading.com/risk/employees-feeding-sensitive-business-data-chatgpt-raising-security-fears

    Reply
  8. Tomi Engdahl says:

    Biden administration wants to hold companies liable for bad cybersecurity
    Amid an onslaught of cyberespionage and ransomware, Biden calls on tech to step up.
    https://arstechnica.com/information-technology/2023/03/biden-administration-wants-to-hold-companies-liable-for-bad-cybersecurity/

    Reply
  9. Tomi Engdahl says:

    How To Build Resilience Into Chips
    Heterogeneous designs, customization, and increasing complexity open doors for hardware errors.
    https://semiengineering.com/how-to-build-resilience-into-chips/

    Reply
  10. Tomi Engdahl says:

    Chinese companies banned from buying US tech rent it instead https://www.theregister.com/2023/03/10/chinese_clouds_rent_banned_tech/
    Chinese companies named by the US as prohibited from acquiring certain technologies are reportedly renting them instead from local cloud providers. The Financial Times reports (paywalled) that prohibited companies easily circumvent bans as Chinese clouds happily rent their hardware. Also, that Nvidia’s A100 GPUs are seeing high demand from local AI outfits that can’t buy their own. Some Chinese clouds, the organ adds, have seen customers whose identities are masked by shell companies sign up for rented GPUs. Such customers are often AI businesses, a field in which the inability to access GPUs, or being forced to use older products, can be a severe impediment to success.

    Reply
  11. Tomi Engdahl says:

    cURL, the omnipresent data tool, is getting a 25th birthday party this month https://arstechnica.com/information-technology/2023/03/curl-the-omnipresent-data-tool-is-getting-a-25th-birthday-party-this-month/
    When you first start messing with the command line, it can feel like there’s an impermeable wall between the local space you’re messing around in and the greater Internet. On your side, you’ve got your commands and files, and beyond the wall, there are servers, images, APIs, webpages, and more bits of useful, ever-changing data. One of the most popular ways through that wall has been cURL, or “client URL,” which turns 25 this month. The cURL tool started as a way for programmer Daniel Stenberg to let Internet Relay Chat users quickly fetch currency exchange rates while still inside their chat window. As detailed in an archived history of the project, it was originally built off an existing command-line tool, httpget, built by Rafael Sagula. A 1.0 version was released in 1997, then changed names to urlget by 2.0, as it had added in GOPHER, FTP, and other protocols. By 1998, the tool could upload as well as download, and so version 4.0 was named cURL.

    Reply
  12. Tomi Engdahl says:

    European Parliament agrees cybersecurity requirements for EU bodies https://www.euractiv.com/section/cybersecurity/news/european-parliament-agrees-cybersecurity-requirements-for-eu-bodies/
    The European Parliament’s Industry committee voted Thursday (9 March) in favour of MEP Henna Virkkunen’s draft report proposing introducing common cybersecurity standards across EU institutions, paving the way for starting trilogue negotiations. The draft law is the EU version of the revised Networks and Information Security Directive (NIS2), which introduced cybersecurity requirements at the national level for entities that play an essential role in the functioning of society. It aims to institute a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. This legislation responds to growing cybersecurity concerns, triggered mainly by the increasing digitisation of public bodies, administrative procedures and the under-preparedness of EU bodies to deal with potential attacks.

    Reply
  13. Tomi Engdahl says:

    TikTok “a loaded gun” says NSA
    https://www.malwarebytes.com/blog/news/2023/03/tiktok-closer-to-getting-banned-because-it-could-use-data-to-influence-opinions
    America’s TikTok-addicted youth is playing with a “loaded gun” according to General Paul Nakasone, Director of the National Security Agency (NSA). Speaking at a US Senate hearing on Wednesday, the general said “one third of Americans get their news from TikTok”, adding “one sixth of American youth say they’re constantly on TikTok. That’s a loaded gun.” TikTok is an immensely popular social media platform that allows users to create, share, and discover short video clips. It’s enjoyed explosive growth since it first appeared in 2017, and now it claims to have 1 billion users, an estimated 100 million of them in the US. Unique among major social media apps, TikTok is owned by a Chinese company, Bytedance. Due to its ties with China and the ruling Chinese Communist Party (CCP), the platform has been under a national security review by the government’s Committee on Foreign Investment in the US, or CFIUS, and will soon be banned on federal devices.

    Reply
  14. Tomi Engdahl says:

    What happens if you ‘cover up’ a ransomware infection? For Blackbaud, a $3m charge https://www.theregister.com/2023/03/10/sec_blackbaud_3m_penalty/
    Blackbaud has agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware infection in which crooks stole more than a million files on around 13,000 of the cloud software slinger’s customers. According to America’s financial watchdog, the SEC, Blackbaud will cough up the cash – without admitting or denying the regulator’s findings – and will cease and desist from committing any further violations.

    Reply
  15. Tomi Engdahl says:

    EU watchdog: Online child abuse draft law creates illusion of legality https://www.euractiv.com/section/law-enforcement/news/eu-watchdog-online-child-abuse-draft-law-creates-illusion-of-legality/
    The European Data Protection Supervisor (EDPS), the authority responsible for advising EU institutions on privacy matters, took an outspoken, critical stance on the draft law in a joint opinion with the European Data Protection Board. When the European Commission published the proposal to fight the dissemination of Child Sexual Abuse Material (CSAM) in May, it was criticised as the legislation includes the possibility for judges to issue detection orders for interpersonal communication services. Based on the proposal, if a judicial authority finds a significant risk of a messaging app or email service being used to disseminate CSAM, it will have the power to request the relevant providers to put in place a tool to scan communications to detect suspicious content automatically.

    Reply
  16. Tomi Engdahl says:

    Common WhatsApp scams and how to avoid them https://www.welivesecurity.com/2023/03/10/common-whatsapp-scams-how-avoid/
    With more than two billion users, WhatsApp offers a vast pool of potential targets for scammers. To make things more complicated, fraudsters aren’t known for resting on their laurels; instead, they’re learning new and sophisticated social engineering skills to entrap us in their trickery. The app is used by so many people of different ages and backgrounds and in such diverse contexts that staying alert for dangers becomes increasingly important. And because anyone who knows your phone number can send you a message on WhatsApp, it is also easy for scammers to reach their targets. To put it bluntly, all WhatsApp users are at risk of being scammed. The fraudsters aren’t often looking for specific users; it is mostly a case of trial and error. Typically, they’ll use their strategies against a number of people, hoping to lure some of them. And too often, they do succeed: authorities all over the world have received reports of fraud on the order of millions of dollars. Let’s now review a few fraudulent schemes that prey on WhatsApp users.

    Reply
  17. Tomi Engdahl says:

    Medusa ransomware gang picks up steam as it targets companies worldwide https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/
    A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands. The Medusa operation started in June 2021 but had relatively low activity, with few victims. However, in 2023 the ransomware gang increased in activity and launched a ‘Medusa Blog’ used to leak data for victims who refused to pay a ransom. Due to the commonly used name, there has been some confusing reporting about this ransomware family, with many thinking it’s the same as MedusaLocker. However, the Medusa and MedusaLocker ransomware operations are entirely different.

    Reply
  18. Tomi Engdahl says:

    Age Verification Mandates Would Undermine Anonymity Online https://www.eff.org/deeplinks/2023/03/age-verification-mandates-would-undermine-anonymity-online
    Age verification systems are surveillance systems. Mandatory age verification, and with it, mandatory identity verification, is the wrong approach to protecting young people online. It would force websites to require visitors to prove their age by submitting information such as government-issued identification. This scheme would lead us further towards an internet where our private data is collected and sold by default. The tens of millions of Americans who do not have government-issued identification may lose access to much of the internet. And anonymous access to the web could cease to exist.
    Age verification laws don’t just impact young people. It’s necessary to confirm the age of all website visitors in order to keep out one select age group. Once information is shared to verify age, there’s no way for a website visitor to be certain that the data they’re handing over is not going to be retained and used by the website, or further shared or even sold.

    Reply
  19. Tomi Engdahl says:

    The Cyber Battle: Why We Need More Women to Win it https://securityintelligence.com/cyber-battle-why-more-women-needed/
    It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year, per recent research. Stemming from the lack of professionals, diversity, or, as the UN says, “leaving nobody behind”, becomes difficult to realize. In 2021, women made up 24% of the global cybersecurity industry. Do we need to be concerned with the gender diversity gap?
    Yes; simply, it is the right thing to do.

    Reply
  20. Tomi Engdahl says:

    Five reasons not to use desktop messengers https://www.kaspersky.com/blog/dangers-of-desktop-messengers/47453/
    Many companies, especially small ones, don’t use specialized systems like Slack or Microsoft Teams for communication among employees, and instead use ordinary messengers such as WhatsApp, Telegram, and Signal. And whereas people mainly prefer the mobile versions for personal use, when it comes to work needs, many install desktop applications without giving much thought to how secure they are. In our recent post on vulnerabilities in the desktop version of Signal, we wrote that the best advice would be not to use the desktop version of Signal (and desktop versions of messengers in general). But since it’s not immediately obvious why, here we explain in some detail the flaws of desktop messengers in terms of cybersecurity.

    Reply
  21. Tomi Engdahl says:

    White House Budget Plan Seeks to Boost Cybersecurity Spending
    https://www.securityweek.com/white-house-budget-plan-seeks-to-boost-cybersecurity-spending/

    President Biden’s new $6.9 trillion budget proposal for 2024 shows that the administration wants to increase cybersecurity spending.

    Reply
  22. Tomi Engdahl says:

    Blackbaud Fined $3M For ‘Misleading Disclosures’ About 2020 Ransomware Attack
    https://www.securityweek.com/blackbaud-fined-3m-for-misleading-disclosures-about-2020-ransomware-attack/

    Blackbaud has been slapped with a $3 million civil penalty by the SEC for “making misleading disclosures” about a 2020 ransomware attack that impacted more than 13,000 customers.

    Reply
  23. Tomi Engdahl says:

    Pushers of insecure software in Biden’s crosshairs https://www.theregister.com/2023/03/03/us_national_cybersecurity_strategy/
    The long-awaited National Cybersecurity Strategy calls for adopting minimum security standards for critical infrastructure owners and operators, and holding software companies liable for security flaws in their products. It also says the US plans to use “all instruments of national power to disrupt and dismantle threat actors” that threaten US and public safety. Highlights by Krebsonsecurity:
    https://krebsonsecurity.com/2023/03/highlights-from-the-new-u-s-cybersecurity-strategy/

    Reply
  24. Tomi Engdahl says:

    The EU’s new Cyber Resilience Act is about to tell us how to code https://berthub.eu/articles/posts/eu-cra-secure-coding-solution/
    The extremely short version: The EU is going to task a standardisation body to write a document that tells everyone marketing products and software in the EU how to code securely. This is to further the EU Essential Cybersecurity Requirements. For critical software and products, EU notified bodies (which until now have mostly done physical equipment and process certifications) will do audits to determine if code and products adhere to this standard. And if not, there could be huge fines.

    Reply
  25. Tomi Engdahl says:

    Outlook app to get built-in Microsoft 365 MFA on Android, iOS https://www.bleepingcomputer.com/news/microsoft/outlook-app-to-get-built-in-microsoft-365-mfa-on-android-ios/
    Microsoft will soon fast-track multi-factor authentication (MFA) adoption for its Microsoft 365 cloud productivity platform by adding MFA capabilities to the Outlook email client. The company says in a new Microsoft 365 roadmap entry that users will be able to complete MFA requests for Microsoft 365 apps directly in the Outlook app via a new feature dubbed Authenticator Lite. With Authenticator Lite, users will be able to log into their work or school account via Outlook with an extra layer of security. The feature will be available in Outlook mobile apps for iOS and Android devices, and it will likely require users to enter a code or approve a notification after entering their password.

    Reply
  26. Tomi Engdahl says:

    CISA joins forces with Women in CyberSecurity to break up the boy’s club https://www.theregister.com/2023/03/13/cisa_joins_forces_with_women/
    Cybersecurity and Infrastructure Security Agency director Jen Easterly has been outspoken in her drive to bring more women into the security industry, and this year for International Women’s Day her agency formalized that pledge by announcing a partnership with nonprofit Women in CyberSecurity (WiCyS). The US Department of Homeland Security agency and WiCyS signed a memorandum of understanding on Wednesday to help raise awareness of job opportunities for women in cybersecurity and build “a pipeline for the next generation of women” able to fill those roles, the agency said.

    Reply
  27. Tomi Engdahl says:

    Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms
    https://www.securityweek.com/counting-ics-vulnerabilities-examining-variations-in-numbers-reported-by-security-firms/

    Reports published by various industrial cybersecurity companies provide different numbers on ICS vulnerabilities — here’s why.

    Reports published in the past couple of months by various industrial cybersecurity companies provide different numbers when it comes to the vulnerabilities discovered in industrial control system (ICS) products in 2022. SecurityWeek has analyzed the methodologies used by these companies in an effort to understand the discrepancies in numbers and trends.

    Some companies have reported seeing an increase in the number of ICS vulnerabilities, while others claim there has been a drop. However, looking at their methodologies helps clear up any confusion and shows that the contradictory trends result from the use of different sources and different methods of counting security holes.

    SecurityWeek’s analysis of the various reports shows that the number of ICS vulnerabilities has continued to grow, which is not surprising considering that security researchers are increasingly interested in this field and vendors are also stepping up their game and finding more flaws. But let’s take a look at why some headlines might suggest differently.

    In its recent ICS/OT Cybersecurity Year in Review report, industrial cybersecurity firm Dragos reported seeing 2,170 CVEs in 2022, which represents a 27% increase compared to the previous year.

    Dragos has reported the highest number of ICS vulnerabilities, which is explained by the fact that the company is tracking more sources than any other vendor. Its sources include advisories from the Cybersecurity and Infrastructure Security Agency (CISA), Germany’s CERT@VDE and Japan’s JP-CERT, as well as advisories from individual vendors and raw data from NIST. The company’s own researchers have also discovered vulnerabilities, which are included in the count.

    While other ICS/OT security firms may not use as many data sources, they still reported seeing an increase in the number of vulnerabilities.

    SynSaber, which only counts vulnerabilities from CISA’s ICS advisories, cataloged 1,342 vulnerabilities in 2022, compared to 1,191 in 2021 — excluding ICS medical vulnerabilities covered by CISA advisories.

    Claroty recently reported that XIoT vulnerabilities were trending down in the past three quarters, with 819 issues disclosed in H2 2021, 747 in H1 2022, and 688 in H2 2022. However, these numbers include not just ICS/OT vulnerabilities, but also some medical, IT and IoT issues, as well as flaws affecting multiple types of products.

    When it comes to ICS/OT vulnerabilities alone, Claroty cataloged a total of 940 in 2022, up from 826 in 2021.

    IBM recently reported that for the first time in two years, the number of ICS vulnerabilities has decreased, from 715 in 2021 to 457 in 2022. The numbers are far lower compared to what other vendors have reported.

    Reply
  28. Tomi Engdahl says:

    ChatGPT Integrated Into Cybersecurity Products as Industry Tests Its Capabilities
    https://www.securityweek.com/chatgpt-integrated-into-cybersecurity-products-as-industry-tests-its-capabilities/

    ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

    Reply
  29. Tomi Engdahl says:

    Cybercrime Losses Exceeded $10 Billion in 2022: FBI
    https://www.securityweek.com/cybercrime-losses-exceeded-10-billion-in-2022-fbi/

    The FBI received more than 800,000 cybercrime-related complaints in 2022, with losses totaling over $10 billion.

    The FBI received more than 800,000 cybercrime-related complaints in 2022, with losses totaling over $10 billion, the agency’s Internet Crime Complaint Center (IC3) revealed in its latest report.

    The IC3’s 2022 Internet Crime Report shows that while the number of complaints was smaller compared to 2021, losses increased from $6.9 billion to $10.3 billion. In the past five years, the agency received a total of 3.26 million complaints for $27.6 billion in losses.

    The top five types of cyber-related crimes in 2022 were phishing (300k complaints), personal data breach (58k complaints), non-payment/non-delivery scams (51k), extortion (39k), and tech support scams (32k).

    More than 21,000 complaints were related to business email compromise (BEC) attacks, with $2.7 billion in losses.

    The IC3’s Recovery Asset Team (RAT) has managed to help many victims of BEC attacks recover their funds. The agency said that it has had a 73% success rate to date, with $433 million frozen of a total of $590 million reported losses.

    In 2022, investment scams exceeded BEC in terms of losses, with $3.31 billion reported — there was a 127% increase compared to 2021. A significant chunk of the total was blamed on cryptocurrency investment fraud, which increased from $907 million in 2021 to $2.57 billion in 2022.

    As for ransomware attacks, the FBI received more than 2,300 complaints last year, with adjusted losses reaching more than $34 million. Over 800 of these complaints came from organizations across 14 of the 16 critical infrastructure sectors. The most targeted, with over 100 incidents each, were the healthcare, critical manufacturing, government facilities, and IT sectors.

    The ransomware operations most commonly seen targeting critical infrastructure were LockBit, BlackCat, and Hive — Hive was recently disrupted by law enforcement.

    Reply
  30. Tomi Engdahl says:

    NMFTA Appoints Cybersecurity Director to Help Protect Trucking Industry
    https://www.securityweek.com/nmfta-appoints-cybersecurity-director-to-help-protect-trucking-industry/

    NMFTA appoints Antwan Banks as director of enterprise security as the organization shifts focus to end-to-end security for the trucking industry.

    The National Motor Freight Traffic Association (NMFTA) has appointed Antwan Banks as its director of enterprise security as the organization shifts focus to end-to-end security for the trucking industry.

    The NMFTA told SecurityWeek that this is a newly created position. Banks will lead the organization’s cybersecurity practice, and work with its partners and members to ensure the safety and security of the supply chain in the United States.

    “As you can imagine, this is increasingly important as we digitize the [less-than-truckload (LTL)] fleets with a collaborative approach to open-source API’s to replace all of the current manual and paper processes,” an NMFTA representative explained. “Under the guidance of our CTO, John Talieri, the Digital LTL team, our Cybersecurity team, and our product development team are focused on the digital transformation of our industry.”

    Reply
  31. Tomi Engdahl says:

    Defeating the Deepfake Danger
    https://www.securityweek.com/defeating-the-deepfake-danger/

    Deepfakes are becoming increasingly popular with cybercriminals, and as these technologies become even easier to use, organizations must become even more vigilant.

    Reply
  33. Tomi Engdahl says:

    Industries’ cyber preparedness at a good basic level https://www.huoltovarmuuskeskus.fi/a/toimialojen-kybervarautuminen-hyvaa-perustasoa
    The cyber preparedness of companies in Finland is on average at a good basic level, according to the newly published National Cybersecurity Maturity Level study. Awareness of cyber threats and of the importance of preparedness has improved. The key challenges are the shortage of cybersecurity experts and shortcomings in managing the partner network. There is considerable variation in the level of preparedness between industries and, within industries, between companies. On the positive side, awareness in companies of the importance of cyber preparedness has clearly grown compared with the previous study, carried out in 2020.
    In the companies that handle preparedness best, developing cybersecurity is part of the company’s overall strategy and management, and communication between those responsible for cybersecurity and the organization’s top management is continuous and smooth.

    Reply
  34. Tomi Engdahl says:

    FBI reveals that more money is lost to investment fraud than ransomware and business email compromise https://www.bitdefender.com/blog/hotforsecurity/fbi-reveals-that-more-money-is-lost-to-investment-fraud-than-ransomware-and-business-email-compromise-combined/
    The latest annual FBI report on the state of cybercrime has shown a massive increase in the amount of money stolen through investment scams. In fact, after seven years of dominating the charts, business email compromise (BEC) has been knocked off its pole position in the list of losses reported to the Internet Crime Complaint Center (IC3) by investment fraud complaints, which have more than doubled from $1.45 billion in 2021 to a staggering $3.31 billion in 2022. By comparison, business email compromise (which itself overshadows the $34.3 million losses caused by often headline-grabbing ransomware attacks) accounted for a still astonishing $2.7 billion

    Reply
  35. Tomi Engdahl says:

    UK refreshes national security plan to stop more of China’s secret-stealing cyber-tricks https://www.theregister.com/2023/03/14/uk_integrated_review_refresh/
    Britain’s domestic intelligence service MI5 will oversee a new agency tasked with helping local organizations combat Chinese cyber-spies and other threats. UK Prime Minister Rishi Sunak on Monday announced the National Protective Security Agency (NPSA) as part of a refresh of the government’s security strategy known as the “Integrated Review”.
    According to MI5, the NPSA will provide cyber security training and advice to businesses, schools, and nonprofit organizations while working with the police to boost “protections against terrorist attacks”. The NPSA will also collaborate with other government agencies including the National Cyber Security Centre and the National Counter Terrorism Security Office to provide “holistic protective security advice”

    Reply
  36. Tomi Engdahl says:

    Exclusive: India plans new security testing for smartphones, crackdown on pre-installed apps https://www.reuters.com/technology/india-plans-new-security-testing-smartphones-crackdown-pre-installed-apps-2023-03-14/
    India plans to force smartphone makers to allow removal of pre-installed apps and mandate screening of major operating system updates under proposed new security rules, according to two people and a government document seen by Reuters. The new rules, details of which have not been previously reported, could extend launch timelines in the world’s No.2 smartphone market and lead to losses in business from pre-installed apps for players including Samsung, Xiaomi, Vivo, and Apple

    Reply
  37. Tomi Engdahl says:

    Breaking Down a Cyberattack, One Kill Chain Step at a Time https://securityintelligence.com/articles/breaking-down-cyberattack-kill-chain-steps/
    In today's wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions.
    The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). This article will walk you through the kill chain of this specific attack twice.
    First, we'll take the perspective of the attacker, and then we'll outline the prevention strategies organizations can take at each step of the chain

    Reply
  38. Tomi Engdahl says:

    ChatGPT and large language models: what’s the risk?
    https://www.ncsc.gov.uk/blog-post/chatgpt-and-large-language-models-whats-the-risk
    Large language models (LLMs) and AI chatbots have captured the world's interest, ignited by the release of ChatGPT in late 2022 and the ease of querying it provides. It's now one of the fastest growing consumer applications ever, and its popularity is leading many competitors to develop their own services and models, or to rapidly deploy those that they've been developing internally. As with any emerging technology, there's always concern around what this means for security. This blog considers some cyber security aspects of ChatGPT and LLMs more generally in the near term

    Reply
  39. Tomi Engdahl says:

    Edward Graham / Nextgov:
    CISA launches a pilot program to warn critical infrastructure owners with “internet-accessible vulnerabilities commonly associated with known ransomware actors” — The new pilot program will enable “timely risk reduction” by alerting critical infrastructure owners and operators …

    CISA Launches Ransomware Warning Pilot for Critical Infrastructure
    https://www.nextgov.com/cybersecurity/2023/03/cisa-launches-ransomware-warning-pilot-critical-infrastructure/383963/

    The new pilot program will enable “timely risk reduction” by alerting critical infrastructure owners and operators of vulnerabilities within their systems that are susceptible to ransomware attacks.

    The Cybersecurity and Infrastructure Security Agency publicly announced on Monday that it has established a pilot program to identify vulnerabilities within critical infrastructure systems that are known to be exploited by ransomware groups and threat actors.

    According to CISA, the ransomware vulnerability warning pilot—or RVWP—will “identify organizations with internet-accessible vulnerabilities commonly associated with known ransomware actors by using existing services, data sources, technologies and authorities, including our free Cyber Hygiene Vulnerability Scanning service.”

    The RVWP first began on Jan. 30, when CISA contacted 93 organizations “identified as running instances of Microsoft Exchange Service with a vulnerability called ‘ProxyNotShell,’ which has been widely exploited by ransomware actors.”

    “This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations,” CISA said.

    The pilot program was created in response to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, a 2022 law that required CISA “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments” to the agency. CISA said the RVWP would be “coordinated by and aligned with the Joint Ransomware Task Force,” an interagency body that was also established by CIRCIA.

    Reply
  40. Tomi Engdahl says:

    Georgia Gee / Slate:
    A list of over a dozen US stadiums using facial recognition for testing, security, entry, analyzing fans’ feelings, ticketing, concessions, or other use cases — “Your face is your ticket,” goes the motto of A.I. startup Wicket. “Your face is your credential,” says Alcatraz AI, another vendor.

    Here Are the Stadiums That Are Keeping Track of Your Face
    It isn’t just Madison Square Garden.
    https://slate.com/technology/2023/03/madison-square-garden-facial-recognition-stadiums-list.html

    Reply
  41. Tomi Engdahl says:

    How the Best CISOs Drive Operational Resilience
    https://www.securityweek.com/how-the-best-cisos-drive-operational-resilience/

    Cyberattacks have exposed a myriad of vulnerabilities in our healthcare infrastructure, and will continue to do so as new and innovative medical technologies are developed.

    The last three years have been fueled by turbulent change — especially when it comes to an organization’s tech structure. The unanticipated global pandemic drastically accelerated digital transformation (DX) and a borderless workforce, forcing businesses to fast-track projects they had previously scheduled to take years. These years-long projects began to be completed in the matter of months, or even weeks, and propelled the industry forward momentously, but also highlighted that cybersecurity must be interwoven in the fabric of those transformations to build operational resilience.

    During this time, cybersecurity transformed into a competitive advantage for organizations, not just a cost center — leading many boards of directors to start paying closer attention to security investments and metrics, and prioritizing results. The unforeseen circumstances of the pandemic, accelerated DX, and flexible work — coupled with geo-political conflict in the Ukraine — prove that CISOs not only need to protect against the increasingly sophisticated attacks of cyber-criminals, but also need to match the speed of innovation with the right security measures. During this transformational period, I have observed that the most agile companies keep cyber resilience top of mind, and the best CISOs in our industry also act as Chief Resilience Officers, putting cyber investments and protections to work to defend their business operations.

    Recent events have caused cyberspace to become increasingly hostile, and perhaps no other industry was affected more harshly than healthcare. For healthcare delivery organizations (HDOs), there are no higher stakes when it comes to delivering patient care safely and securely. That's because ransomware attacks on hospitals are not just white collar crimes with economic effects — these incidents are classified as threat-to-life crimes, as they can hinder HDOs' ability to provide patient care, and can even result in the loss of human life.

    According to a recent study by Cynerio (PDF), 56% of hospital security leaders say their organization experienced one or more cyberattacks in the past 24 months involving Internet of Medical Things (IoMT) devices. Forty-five percent report adverse impacts on patient care from these attacks, and 53% of those (24% in total) report adverse impacts resulting in increased mortality rates. As we now know, cybersecurity in healthcare is patient safety, and goes beyond just data breaches.

    Reply
  42. Tomi Engdahl says:

    ChatGPT and the Growing Threat of Bring Your Own AI to the SOC
    https://www.securityweek.com/chatgpt-and-the-growing-threat-of-bring-your-own-ai-to-the-soc/

    Two new surveys stress the need for automation and AI – but one survey raises the additional specter of the growing use of bring your own AI (BYO-AI).

    Bring your own AI to the SOC is an existing and potentially growing threat to organizational data.

    Two new surveys examine what it takes to make a successful SOC. Both surveys stress the need for automation and artificial intelligence (AI) – but one survey raises the additional specter of the growing use of bring your own AI (BYO-AI).

    The surveys are from Cybereason and Devo. Cybereason surveyed (PDF) 1,203 security analysts in firms with more than 700 employees, via Censuswide. Devo used Wakefield Research to query 200 IT security professionals specifically from larger organizations with more than $500 million in annual revenue.

    Cybereason cites ransomware as a key driver of the need for speed within SOCs – a need that can only be satisfied by increased automation. Forty-nine percent of its respondents reported that ransomware is the most common incident type they must deal with daily. (Forty-six percent selected supply chain attacks.)

    The problem, however, is not so much the type of incident that needs to be resolved, but the volume received and the time to resolution. More than one-third of the respondents reported receiving between 10,000 and 15,000 alerts every day. Fifty-nine percent of respondents said it takes between two hours to one day to resolve a ransomware incident, while 19% said it takes three to seven days.

    Reply
  43. Tomi Engdahl says:

    Tiffany Kary / Bloomberg:
    CIA Deputy Director David Cohen calls for the private sector to “supercharge” the agency’s work in quantum computing, biotech, wireless, chips, and battery tech

    CIA Goes to South by Southwest to Look for Technology That Can ‘Supercharge’ Spies
    https://www.bloomberg.com/news/articles/2023-03-13/cia-tells-sxsw-that-spy-technology-needs-to-be-supercharged

    Agency’s deputy director makes case for collaboration
    Wireless technology, quantum computing named as focuses

    Reply
  44. Tomi Engdahl says:

    This Is the New Leader of Russia's Infamous Sandworm Hacking Unit https://www.wired.com/story/russia-gru-sandworm-serebriakov/
    Evgenii Serebriakov now runs the most aggressive hacking team of Russia's GRU military spy agency. To Western intelligence, he's a familiar face. For years, the hacking unit within Russia's GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history (blackouts, fake ransomware, data-destroying worms) from behind a carefully maintained veil of anonymity. But after half a decade of the spy agency's botched operations, blown cover stories, and international indictments, perhaps it's no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face.
    The commander of Sandworm, the notorious division of the agency’s hacking forces responsible for many of the GRU’s most aggressive campaigns of cyberwar and sabotage, is now an official named Evgenii Serebriakov, according to sources from a Western intelligence service who spoke to WIRED on the condition of anonymity. If that name rings a bell, it may be because Serebriakov was indicted, along with six other GRU agents, after being caught in the midst of a close-range cyberespionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in the Hague

    Reply
  45. Tomi Engdahl says:

    Reduce, Reuse, Recycle: Bad Actors Practicing the Three Rs https://www.fortinet.com/blog/threat-research/bad-actors-resurrecting-old-tactics
    Malware has a way of grabbing all the attention in the media and keeping companies on their toes. The world watched as wipers were deployed to Ukrainian organizations after the Russian invasion of Ukraine, which marked the beginning of a time of instability that included ransomware and InfoStealers, as well. Adding to the negative cybersecurity load of 2022, the contemporary version of ransomware celebrated its 10-year anniversary. And if that weren't enough, our FortiGuard Labs researchers have seen that cybercriminals, like any sensible businesspeople, are big proponents of getting the most out of their resources. You might say they're practicing the reduce, reuse, recycle principles, but instead of being focused on environmental concerns, they're retrofitting code to enable more successful criminal outcomes. FortiGuard Labs also investigated a group of Emotet variations to assess their propensity for borrowing and recycling code. According to the research, Emotet has undergone significant diversification, with variants dividing into about six different "species" of malware. Not content to simply automate threats, cyber-attackers aggressively improve upon successful innovations

    Reply
  46. Tomi Engdahl says:

    User forgetfulness drives preference for biometrics over passwords https://www.zdnet.com/article/user-forgetfulness-drives-preference-for-biometrics-over-passwords/
    This survey revealed that 51% of people reset their password at least once a month because they could not remember it, including 15% who did so weekly. Instead, 53% believed fingerprint scans were more secure than passwords, while 47% chose facial recognition, revealed an Entrust Cybersecurity Institute study that polled 1,450 respondents across 12 global markets. These included France, the US, and the UK, as well as 400 respondents from four Asia-Pacific cities in Singapore, Australia, Japan, and Indonesia. Interestingly, 41% saw 4- or 6-digit PIN codes as more secure than passwords. Globally, 58% would choose biometrics over passwords at least half the time and 33% would always do so, with 16% saying they would never select biometrics. Amongst those who opted against doing so, a third described biometrics as more cumbersome than passwords, while 22% said their devices did not support this form of authentication. Some 17% pointed to security concerns over biometrics

    Reply
  47. Tomi Engdahl says:

    Common Concerns When Choosing A Fraud Detection Solution https://www.forbes.com/sites/davidbalaban/2023/03/15/common-concerns-when-choosing-a-fraud-detection-solution/
    In December 2022, The Nilson Report forecasted that bank card fraud losses in the United States would soar to $165.1 billion over the next ten years. These staggering figures are prompting banks, online stores, insurance companies, telcos, and government agencies to prioritize their customers’ safety. To combat fraudulent transactions, businesses are turning to fraud detection solutions. However, selecting the most suitable security tool requires answering many important questions. Below, I have listed common concerns customers encounter when choosing a fraud detection platform. Failure to take prompt action in the event of a fraudulent transaction can lead to significant losses for the company, negatively affecting reputation and financial stability. With a wide range of anti-fraud solutions available on the market, businesses can find an option that aligns with their specific requirements

    Reply
  48. Tomi Engdahl says:

    OT Cybersecurity Best Practices for SMBs: Communication Channels to Use During Cyber Incident Response https://www.dragos.com/blog/ot-cybersecurity-best-practices-for-smbs-secure-comms-during-incident-response/
    This is our monthly blog detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program.
    The Category and Practice from the OT-CERT OT Cybersecurity Fundamentals Self-Assessment Survey is noted for each best practice. A ransomware attack or physical incident could render your electronic communications like email and chat unusable, or an adversary could potentially listen in on communications after they've breached your environment. You should prepare your team and devices in advance in case you require an alternate means to communicate with each other and with third parties. Ideally everyone can use their company devices, but it is also possible that you will have to use personal devices to respond to an incident

    Reply
